From 9ec479a2a0e39bd4bb97d24277bf34f417c128fe Mon Sep 17 00:00:00 2001
From: Jeroen Ketema
Date: Tue, 7 Mar 2023 10:15:11 +0100
Subject: [PATCH] C++: Update queries to use `DataFlow::ConfigSig`

---
 .../src/Security/CWE/CWE-022/TaintedPath.ql | 20 +++++++++----------
 .../CWE/CWE-190/TaintedAllocationSize.ql | 20 +++++++++----------
 2 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql b/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
index d94241b749e..e66a717b846 100644
--- a/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
+++ b/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
@@ -19,7 +19,7 @@ import semmle.code.cpp.security.FunctionWithWrappers
 import semmle.code.cpp.security.FlowSources
 import semmle.code.cpp.ir.IR
 import semmle.code.cpp.ir.dataflow.TaintTracking
-import DataFlow::PathGraph
+import TaintedPath::PathGraph
 
 /**
  * A function for opening a file.
@@ -70,18 +70,16 @@ predicate hasUpperBoundsCheck(Variable var) {
   )
 }
 
-class TaintedPathConfiguration extends TaintTracking::Configuration {
-  TaintedPathConfiguration() { this = "TaintedPathConfiguration" }
+module TaintedPathConfiguration implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node instanceof FlowSource }
 
-  override predicate isSource(DataFlow::Node node) { node instanceof FlowSource }
-
-  override predicate isSink(DataFlow::Node node) {
+  predicate isSink(DataFlow::Node node) {
     exists(FileFunction fileFunction |
       fileFunction.outermostWrapperFunctionCall(node.asIndirectArgument(), _)
     )
   }
 
-  override predicate isSanitizer(DataFlow::Node node) {
+  predicate isBarrier(DataFlow::Node node) {
     node.asExpr().(Call).getTarget().getUnspecifiedType() instanceof ArithmeticType
     or
     exists(LoadInstruction load, Variable checkedVar |
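Review bot: The new `TaintedPathConfiguration` module carries no QLDoc, so a reader of `isBarrier` cannot tell why a call whose unspecified return type is `ArithmeticType` cuts the taint path; the old class had the same gap, but the rewrite to `DataFlow::ConfigSig` is the moment to close it, since `isBarrier` now replaces `isSanitizer` as the only place that drops flow. I would put `/** Taint tracking from user-controlled sources to the path argument of a file-access function (see `FileFunction`). */` above the `module` line, and on the `ArithmeticType` line `// A call producing an arithmetic value cannot carry a path string; treat it as a barrier — confirm this is the intended rationale`. The same documentation gap applies to `TaintedAllocationSizeConfiguration` in the first CWE-190 hunk below. The body of `isBarrier` continues past the end of this hunk.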
@@ -92,13 +90,15 @@ class TaintedPathConfiguration extends TaintTracking::Configuration {
   }
 }
 
+module TaintedPath = TaintTracking::Make;
+
 from
-  FileFunction fileFunction, Expr taintedArg, FlowSource taintSource, TaintedPathConfiguration cfg,
-  DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode, string callChain
+  FileFunction fileFunction, Expr taintedArg, FlowSource taintSource,
+  TaintedPath::PathNode sourceNode, TaintedPath::PathNode sinkNode, string callChain
 where
   taintedArg = sinkNode.getNode().asIndirectArgument() and
   fileFunction.outermostWrapperFunctionCall(taintedArg, callChain) and
-  cfg.hasFlowPath(sourceNode, sinkNode) and
+  TaintedPath::hasFlowPath(sourceNode, sinkNode) and
   taintSource = sourceNode.getNode()
 select taintedArg, sourceNode, sinkNode,
   "This argument to a file access function is derived from $@ and then passed to " + callChain + ".",
diff --git a/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql b/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
index f05b0408164..45e26985256 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
@@ -19,7 +19,7 @@ import semmle.code.cpp.ir.dataflow.TaintTracking
 import semmle.code.cpp.ir.IR
 import semmle.code.cpp.controlflow.IRGuards
 import semmle.code.cpp.security.FlowSources
-import DataFlow::PathGraph
+import TaintedAllocationSize::PathGraph
 
 /**
  * Holds if `alloc` is an allocation, and `tainted` is a child of it that is a
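Review bot: The added line `module TaintedPath = TaintTracking::Make;` shows no configuration argument, and `TaintTracking::Make` is parameterised by a `DataFlow::ConfigSig` implementation, so the line as rendered here does not look compilable; most likely the `<TaintedPathConfiguration>` argument was lost when the patch was rendered, but it is worth confirming that the committed line reads `module TaintedPath = TaintTracking::Make<TaintedPathConfiguration>;`. The same applies to `module TaintedAllocationSize = TaintTracking::Make;` in the last CWE-190 hunk, which should name `TaintedAllocationSizeConfiguration`. The `select` clause continues past the end of this hunk.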
@@ -54,14 +54,12 @@ predicate nodeIsBarrierEqualityCandidate(DataFlow::Node node, Operand access, Va
 
 predicate isFlowSource(FlowSource source, string sourceType) { sourceType = source.getSourceType() }
 
-class TaintedAllocationSizeConfiguration extends TaintTracking::Configuration {
-  TaintedAllocationSizeConfiguration() { this = "TaintedAllocationSizeConfiguration" }
+module TaintedAllocationSizeConfiguration implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { isFlowSource(source, _) }
 
-  override predicate isSource(DataFlow::Node source) { isFlowSource(source, _) }
+  predicate isSink(DataFlow::Node sink) { allocSink(_, sink) }
 
-  override predicate isSink(DataFlow::Node sink) { allocSink(_, sink) }
-
-  override predicate isSanitizer(DataFlow::Node node) {
+  predicate isBarrier(DataFlow::Node node) {
     exists(Expr e | e = node.asExpr() |
       // There can be two separate reasons for `convertedExprMightOverflow` not holding:
       // 1. `e` really cannot overflow.
@@ -97,12 +95,14 @@ class TaintedAllocationSizeConfiguration extends TaintTracking::Configuration {
   }
 }
 
+module TaintedAllocationSize = TaintTracking::Make;
+
 from
-  Expr alloc, DataFlow::PathNode source, DataFlow::PathNode sink, string taintCause,
-  TaintedAllocationSizeConfiguration conf
+  Expr alloc, TaintedAllocationSize::PathNode source, TaintedAllocationSize::PathNode sink,
+  string taintCause
 where
   isFlowSource(source.getNode(), taintCause) and
-  conf.hasFlowPath(source, sink) and
+  TaintedAllocationSize::hasFlowPath(source, sink) and
   allocSink(alloc, sink.getNode())
 select alloc, source, sink, "This allocation size is derived from $@ and might overflow.",
   source.getNode(), "user input (" + taintCause + ")"