C++: Update queries to use DataFlow::ConfigSig

This commit is contained in:
Jeroen Ketema
2023-03-07 10:15:11 +01:00
parent 47930f94e2
commit 9ec479a2a0
2 changed files with 20 additions and 20 deletions


@@ -19,7 +19,7 @@ import semmle.code.cpp.security.FunctionWithWrappers
import semmle.code.cpp.security.FlowSources
import semmle.code.cpp.ir.IR
import semmle.code.cpp.ir.dataflow.TaintTracking
import DataFlow::PathGraph
import TaintedPath::PathGraph
/**
* A function for opening a file.
@@ -70,18 +70,16 @@ predicate hasUpperBoundsCheck(Variable var) {
)
}
class TaintedPathConfiguration extends TaintTracking::Configuration {
TaintedPathConfiguration() { this = "TaintedPathConfiguration" }
module TaintedPathConfiguration implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node node) { node instanceof FlowSource }
override predicate isSource(DataFlow::Node node) { node instanceof FlowSource }
override predicate isSink(DataFlow::Node node) {
predicate isSink(DataFlow::Node node) {
exists(FileFunction fileFunction |
fileFunction.outermostWrapperFunctionCall(node.asIndirectArgument(), _)
)
}
override predicate isSanitizer(DataFlow::Node node) {
predicate isBarrier(DataFlow::Node node) {
node.asExpr().(Call).getTarget().getUnspecifiedType() instanceof ArithmeticType
or
exists(LoadInstruction load, Variable checkedVar |
@@ -92,13 +90,15 @@ class TaintedPathConfiguration extends TaintTracking::Configuration {
}
}
module TaintedPath = TaintTracking::Make<TaintedPathConfiguration>;
from
FileFunction fileFunction, Expr taintedArg, FlowSource taintSource, TaintedPathConfiguration cfg,
DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode, string callChain
FileFunction fileFunction, Expr taintedArg, FlowSource taintSource,
TaintedPath::PathNode sourceNode, TaintedPath::PathNode sinkNode, string callChain
where
taintedArg = sinkNode.getNode().asIndirectArgument() and
fileFunction.outermostWrapperFunctionCall(taintedArg, callChain) and
cfg.hasFlowPath(sourceNode, sinkNode) and
TaintedPath::hasFlowPath(sourceNode, sinkNode) and
taintSource = sourceNode.getNode()
select taintedArg, sourceNode, sinkNode,
"This argument to a file access function is derived from $@ and then passed to " + callChain + ".",


@@ -19,7 +19,7 @@ import semmle.code.cpp.ir.dataflow.TaintTracking
import semmle.code.cpp.ir.IR
import semmle.code.cpp.controlflow.IRGuards
import semmle.code.cpp.security.FlowSources
import DataFlow::PathGraph
import TaintedAllocationSize::PathGraph
/**
* Holds if `alloc` is an allocation, and `tainted` is a child of it that is a
@@ -54,14 +54,12 @@ predicate nodeIsBarrierEqualityCandidate(DataFlow::Node node, Operand access, Va
predicate isFlowSource(FlowSource source, string sourceType) { sourceType = source.getSourceType() }
class TaintedAllocationSizeConfiguration extends TaintTracking::Configuration {
TaintedAllocationSizeConfiguration() { this = "TaintedAllocationSizeConfiguration" }
module TaintedAllocationSizeConfiguration implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { isFlowSource(source, _) }
override predicate isSource(DataFlow::Node source) { isFlowSource(source, _) }
predicate isSink(DataFlow::Node sink) { allocSink(_, sink) }
override predicate isSink(DataFlow::Node sink) { allocSink(_, sink) }
override predicate isSanitizer(DataFlow::Node node) {
predicate isBarrier(DataFlow::Node node) {
exists(Expr e | e = node.asExpr() |
// There can be two separate reasons for `convertedExprMightOverflow` not holding:
// 1. `e` really cannot overflow.
@@ -97,12 +95,14 @@ class TaintedAllocationSizeConfiguration extends TaintTracking::Configuration {
}
}
module TaintedAllocationSize = TaintTracking::Make<TaintedAllocationSizeConfiguration>;
from
Expr alloc, DataFlow::PathNode source, DataFlow::PathNode sink, string taintCause,
TaintedAllocationSizeConfiguration conf
Expr alloc, TaintedAllocationSize::PathNode source, TaintedAllocationSize::PathNode sink,
string taintCause
where
isFlowSource(source.getNode(), taintCause) and
conf.hasFlowPath(source, sink) and
TaintedAllocationSize::hasFlowPath(source, sink) and
allocSink(alloc, sink.getNode())
select alloc, source, sink, "This allocation size is derived from $@ and might overflow.",
source.getNode(), "user input (" + taintCause + ")"