diff --git a/ql/src/experimental/CWE-369/DivideByZero.ql b/ql/src/experimental/CWE-369/DivideByZero.ql
index 23cbd206578..314f2f8a9a1 100644
--- a/ql/src/experimental/CWE-369/DivideByZero.ql
+++ b/ql/src/experimental/CWE-369/DivideByZero.ql
@@ -15,20 +15,23 @@ import DataFlow::PathGraph
 import semmle.go.dataflow.internal.TaintTrackingUtil
 class DivideByZeroSanitizeGuard extends DataFlow::BarrierGuard {
+
+ DivideByZeroSanitizeGuard() {
+ this.(DataFlow::EqualityTestNode).getAnOperand().getNumericValue() = 0 or
+ this.(DataFlow::RelationalComparisonNode).getAnOperand().getNumericValue() = 0
+ }
+
 override predicate checks(Expr e, boolean branch) {
- exists(
- DataFlow::Node zero, DataFlow::Node checked, DataFlow::EqualityTestNode eqNode,
- DataFlow::RelationalComparisonNode compNode
- |
- zero.getNumericValue() = 0 and
- (
- checked.getType().getUnderlyingType() instanceof IntegerType
- ) and
- (
- this.(DataFlow::EqualityTestNode).eq(branch.booleanNot(), checked, zero) or
- this.(RelationalComparisonNode).leq(branch.booleanNot(), checked, zero, 0)
+ exists(DataFlow::Node zero, DataFlow::Node checked
+ |
+ zero.getNumericValue() = 0 and
+ e = checked.asExpr() and
+ checked.getType().getUnderlyingType() instanceof IntegerType and
+ (
+ this.(DataFlow::EqualityTestNode).eq(branch.booleanNot(), checked, zero) or
+ this.(DataFlow::RelationalComparisonNode).leq(branch.booleanNot(), checked, zero, 0)
+ )
 )
- )
 }
 }
@@ -40,9 +43,7 @@ class DivideByZeroCheckConfig extends TaintTracking::Configuration {
 override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
 exists(Function f |
 (
- f.hasQualifiedName() = "Atoi" or
- f.hasQualifiedName() = "ParseInt" or
- f.hasQualifiedName() = "ParseUint"
+ f.hasQualifiedName("strconv", ["Atoi", "ParseInt", "ParseUint", "ParseFloat"])
 ) and
 node1 = f.getACall().getArgument(0) and
 node2 = f.getACall().getResult(0)
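Review bot: The relational arm of `checks` only recognises the `x > 0` / `x <= 0` shape (bias 0 with the branch negated), so a guard written as `x < 0`, or the false branch of `x >= 0`, also rules out zero yet is not a barrier, and a division guarded that way is still reported as a false positive. Assuming `leq(b, lesser, greater, bias)` holds when the comparison evaluates to `b` exactly when `lesser <= greater + bias`, adding `this.(DataFlow::RelationalComparisonNode).leq(branch, checked, zero, -1) or` beside the existing `leq` line covers that shape without admitting the zero-inclusive branch (note it uses `branch`, not `branch.booleanNot()`, since the safe branch is the one where `checked <= -1` holds). The new characteristic predicate restates the zero-operand condition that `checks` also imposes via `zero.getNumericValue() = 0`; a QLDoc comment on the class such as `/** A comparison of an integer-typed expression against the constant 0; the branch on which the expression is known to be non-zero is a barrier. */` would make that shared intent explicit for the next reader.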
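Review bot: Adding `strconv.ParseFloat` to the taint step introduces float-typed values, but Go's floating-point division by zero yields ±Inf or NaN rather than the runtime panic this CWE-369 query targets, and `DivideByZeroSanitizeGuard.checks` in the same file only accepts operands whose underlying type is `IntegerType`, so a float divisor guarded by `f != 0` cannot be sanitized and would be reported regardless. Either leave `ParseFloat` out of the list or, if float divisors are intended sinks, extend the guard's type test to float types as well; the sink definition is outside this hunk, so which applies is inferred. Separately, `node1 = f.getACall().getArgument(0) and node2 = f.getACall().getResult(0)` binds two independent calls, so the argument of one `strconv.Atoi` call taints the result of every other call to it; binding a single call with `exists(DataFlow::CallNode c | c = f.getACall() | node1 = c.getArgument(0) and node2 = c.getResult(0))` keeps the step per-call.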