hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-31 04:38:18 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #21585 from github/copilot/convert-models-to-yml

Browse Source 
C++: Convert remaining CSV models to .model.yml and remove CSV model infrastructure
This commit is contained in:
Owen Mansel-Chan
2026-03-27 20:48:34 +00:00
committed by GitHub
parent 8fc914f636 c07a814515
commit a8b52acaa9
26 changed files with 585 additions and 764 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
cpp/ql/lib/change-notes/2026-03-26-convert-csv-models-to-yml.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: breaking
---
* The `SourceModelCsv`, `SinkModelCsv`, and `SummaryModelCsv` classes and the associated CSV parsing infrastructure have been removed from `ExternalFlow.qll`. New models should be added as `.model.yml` files in the `ext/` directory.

22
cpp/ql/lib/ext/ZMQ.model.yml Normal file
View File

@@ -0,0 +1,22 @@
# ZeroMQ networking library models
extensions:
- addsTo:
pack: codeql/cpp-all
extensible: sourceModel
data: # namespace, type, subtypes, name, signature, ext, output, kind, provenance
- ["", "", False, "zmq_recv", "", "", "Argument[*1]", "remote", "manual"]
- ["", "", False, "zmq_recvmsg", "", "", "Argument[*1]", "remote", "manual"]
- ["", "", False, "zmq_msg_recv", "", "", "Argument[*0]", "remote", "manual"]
- addsTo:
pack: codeql/cpp-all
extensible: sinkModel
data: # namespace, type, subtypes, name, signature, ext, input, kind, provenance
- ["", "", False, "zmq_send", "", "", "Argument[*1]", "remote-sink", "manual"]
- ["", "", False, "zmq_sendmsg", "", "", "Argument[*1]", "remote-sink", "manual"]
- ["", "", False, "zmq_msg_send", "", "", "Argument[*0]", "remote-sink", "manual"]
- addsTo:
pack: codeql/cpp-all
extensible: summaryModel
data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
- ["", "", False, "zmq_msg_init_data", "", "", "Argument[*1]", "Argument[*0]", "taint", "manual"]
- ["", "", False, "zmq_msg_data", "", "", "Argument[*0]", "ReturnValue[*]", "taint", "manual"]

19
cpp/ql/lib/ext/getc.model.yml Normal file
View File

@@ -0,0 +1,19 @@
# Models for getc and similar character-reading functions
extensions:
- addsTo:
pack: codeql/cpp-all
extensible: sourceModel
data: # namespace, type, subtypes, name, signature, ext, output, kind, provenance
- ["", "", False, "getc", "", "", "ReturnValue", "remote", "manual"]
- ["", "", False, "getwc", "", "", "ReturnValue", "remote", "manual"]
- ["", "", False, "_getc_nolock", "", "", "ReturnValue", "remote", "manual"]
- ["", "", False, "_getwc_nolock", "", "", "ReturnValue", "remote", "manual"]
- ["", "", False, "getch", "", "", "ReturnValue", "local", "manual"]
- ["", "", False, "_getch", "", "", "ReturnValue", "local", "manual"]
- ["", "", False, "_getwch", "", "", "ReturnValue", "local", "manual"]
- ["", "", False, "_getch_nolock", "", "", "ReturnValue", "local", "manual"]
- ["", "", False, "_getwch_nolock", "", "", "ReturnValue", "local", "manual"]
- ["", "", False, "getchar", "", "", "ReturnValue", "local", "manual"]
- ["", "", False, "getwchar", "", "", "ReturnValue", "local", "manual"]
- ["", "", False, "_getchar_nolock", "", "", "ReturnValue", "local", "manual"]
- ["", "", False, "_getwchar_nolock", "", "", "ReturnValue", "local", "manual"]

160
cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll
View File

@@ -1,9 +1,10 @@
/**
* INTERNAL use only. This is an experimental API subject to change without notice.
*
* Provides classes and predicates for dealing with flow models specified in CSV format.
* Provides classes and predicates for dealing with flow models specified
* in data extension files.
*
* The CSV specification has the following columns:
* The extensible relations have the following columns:
* - Sources:
* `namespace; type; subtypes; name; signature; ext; output; kind`
* - Sinks:
@@ -104,117 +105,9 @@ private import internal.FlowSummaryImpl::Private
private import internal.FlowSummaryImpl::Private::External
private import internal.ExternalFlowExtensions::Extensions as Extensions
private import codeql.mad.ModelValidation as SharedModelVal
private import codeql.util.Unit
private import codeql.mad.static.ModelsAsData as SharedMaD
/**
* A unit class for adding additional source model rows.
*
* Extend this class to add additional source definitions.
*/
class SourceModelCsv extends Unit {
/** Holds if `row` specifies a source definition. */
abstract predicate row(string row);
}
/**
* A unit class for adding additional sink model rows.
*
* Extend this class to add additional sink definitions.
*/
class SinkModelCsv extends Unit {
/** Holds if `row` specifies a sink definition. */
abstract predicate row(string row);
}
/**
* A unit class for adding additional summary model rows.
*
* Extend this class to add additional flow summary definitions.
*/
class SummaryModelCsv extends Unit {
/** Holds if `row` specifies a summary definition. */
abstract predicate row(string row);
}
/** Holds if `row` is a source model. */
predicate sourceModel(string row) { any(SourceModelCsv s).row(row) }
/** Holds if `row` is a sink model. */
predicate sinkModel(string row) { any(SinkModelCsv s).row(row) }
/** Holds if `row` is a summary model. */
predicate summaryModel(string row) { any(SummaryModelCsv s).row(row) }
private module MadInput implements SharedMaD::InputSig {
/** Holds if a source model exists for the given parameters. */
predicate additionalSourceModel(
string namespace, string type, boolean subtypes, string name, string signature, string ext,
string output, string kind, string provenance, string model
) {
exists(string row |
sourceModel(row) and
row.splitAt(";", 0) = namespace and
row.splitAt(";", 1) = type and
row.splitAt(";", 2) = subtypes.toString() and
subtypes = [true, false] and
row.splitAt(";", 3) = name and
row.splitAt(";", 4) = signature and
row.splitAt(";", 5) = ext and
row.splitAt(";", 6) = output and
row.splitAt(";", 7) = kind
) and
provenance = "manual" and
model = ""
}
/** Holds if a sink model exists for the given parameters. */
predicate additionalSinkModel(
string namespace, string type, boolean subtypes, string name, string signature, string ext,
string input, string kind, string provenance, string model
) {
exists(string row |
sinkModel(row) and
row.splitAt(";", 0) = namespace and
row.splitAt(";", 1) = type and
row.splitAt(";", 2) = subtypes.toString() and
subtypes = [true, false] and
row.splitAt(";", 3) = name and
row.splitAt(";", 4) = signature and
row.splitAt(";", 5) = ext and
row.splitAt(";", 6) = input and
row.splitAt(";", 7) = kind
) and
provenance = "manual" and
model = ""
}
/**
* Holds if a summary model exists for the given parameters.
*
* This predicate does not expand `@` to `*`s.
*/
predicate additionalSummaryModel(
string namespace, string type, boolean subtypes, string name, string signature, string ext,
string input, string output, string kind, string provenance, string model
) {
exists(string row |
summaryModel(row) and
row.splitAt(";", 0) = namespace and
row.splitAt(";", 1) = type and
row.splitAt(";", 2) = subtypes.toString() and
subtypes = [true, false] and
row.splitAt(";", 3) = name and
row.splitAt(";", 4) = signature and
row.splitAt(";", 5) = ext and
row.splitAt(";", 6) = input and
row.splitAt(";", 7) = output and
row.splitAt(";", 8) = kind
) and
provenance = "manual" and
model = ""
}
string namespaceSegmentSeparator() { result = "::" }
}
@@ -250,8 +143,8 @@ predicate summaryModel(
)
}
/** Provides a query predicate to check the CSV data for validation errors. */
module CsvValidation {
/** Provides a query predicate to check the data for validation errors. */
module ModelValidation {
private string getInvalidModelInput() {
exists(string pred, AccessPath input, string part |
sinkModel(_, _, _, _, _, _, input, _, _, _) and pred = "sink"
@@ -294,40 +187,6 @@ module CsvValidation {
private module KindVal = SharedModelVal::KindValidation<KindValConfig>;
private string getInvalidModelSubtype() {
exists(string pred, string row |
sourceModel(row) and pred = "source"
or
sinkModel(row) and pred = "sink"
or
summaryModel(row) and pred = "summary"
|
exists(string b |
b = row.splitAt(";", 2) and
not b = ["true", "false"] and
result = "Invalid boolean \"" + b + "\" in " + pred + " model."
)
)
}
private string getInvalidModelColumnCount() {
exists(string pred, string row, int expect |
sourceModel(row) and expect = 8 and pred = "source"
or
sinkModel(row) and expect = 8 and pred = "sink"
or
summaryModel(row) and expect = 9 and pred = "summary"
|
exists(int cols |
cols = 1 + max(int n | exists(row.splitAt(";", n))) and
cols != expect and
result =
"Wrong number of columns in " + pred + " model row, expected " + expect + ", got " + cols +
"."
)
)
}
private string getInvalidModelSignature() {
exists(string pred, string namespace, string type, string name, string signature, string ext |
sourceModel(namespace, type, _, name, signature, ext, _, _, _, _) and pred = "source"
@@ -366,13 +225,12 @@ module CsvValidation {
)
}
/** Holds if some row in a CSV-based flow model appears to contain typos. */
/** Holds if some row in a MaD flow model appears to contain typos. */
query predicate invalidModelRow(string msg) {
msg =
[
getInvalidModelSignature(), getInvalidModelInput(), getInvalidModelOutput(),
getInvalidModelSubtype(), getInvalidModelColumnCount(), KindVal::getInvalidModelKind(),
getIncorrectConstructorSummaryOutput()
KindVal::getInvalidModelKind(), getIncorrectConstructorSummaryOutput()
]
}
}
@@ -1026,7 +884,7 @@ private module Cached {
}
/**
* Holds if `node` is specified as a source with the given kind in a CSV flow
* Holds if `node` is specified as a source with the given kind in a MaD flow
* model.
*/
cached
@@ -1037,7 +895,7 @@ private module Cached {
}
/**
* Holds if `node` is specified as a sink with the given kind in a CSV flow
* Holds if `node` is specified as a sink with the given kind in a MaD flow
* model.
*/
cached

1
cpp/ql/lib/semmle/code/cpp/models/Models.qll
View File

@@ -48,7 +48,6 @@ private import implementations.SqLite3
private import implementations.PostgreSql
private import implementations.System
private import implementations.StructuredExceptionHandling
private import implementations.ZMQ
private import implementations.Win32CommandExecution
private import implementations.CA2AEX
private import implementations.CComBSTR

18
cpp/ql/lib/semmle/code/cpp/models/implementations/Gets.qll
View File

@@ -112,21 +112,3 @@ private class GetsFunction extends DataFlowFunction, ArrayFunction, AliasFunctio
override predicate hasArrayOutput(int bufParam) { bufParam = 0 }
}
/**
* A model for `getc` and similar functions that are flow sources.
*/
private class GetcSource extends SourceModelCsv {
override predicate row(string row) {
row =
[
";;false;getc;;;ReturnValue;remote", ";;false;getwc;;;ReturnValue;remote",
";;false;_getc_nolock;;;ReturnValue;remote", ";;false;_getwc_nolock;;;ReturnValue;remote",
";;false;getch;;;ReturnValue;local", ";;false;_getch;;;ReturnValue;local",
";;false;_getwch;;;ReturnValue;local", ";;false;_getch_nolock;;;ReturnValue;local",
";;false;_getwch_nolock;;;ReturnValue;local", ";;false;getchar;;;ReturnValue;local",
";;false;getwchar;;;ReturnValue;local", ";;false;_getchar_nolock;;;ReturnValue;local",
";;false;_getwchar_nolock;;;ReturnValue;local",
]
}
}

45
cpp/ql/lib/semmle/code/cpp/models/implementations/ZMQ.qll
View File

@@ -1,45 +0,0 @@
/**
* Provides implementation classes modeling the ZeroMQ networking library.
*/
import semmle.code.cpp.models.interfaces.FlowSource
/**
* Remote flow sources.
*/
private class ZmqSource extends SourceModelCsv {
override predicate row(string row) {
row =
[
";;false;zmq_recv;;;Argument[*1];remote", ";;false;zmq_recvmsg;;;Argument[*1];remote",
";;false;zmq_msg_recv;;;Argument[*0];remote",
]
}
}
/**
* Remote flow sinks.
*/
private class ZmqSinks extends SinkModelCsv {
override predicate row(string row) {
row =
[
";;false;zmq_send;;;Argument[*1];remote-sink",
";;false;zmq_sendmsg;;;Argument[*1];remote-sink",
";;false;zmq_msg_send;;;Argument[*0];remote-sink",
]
}
}
/**
* Flow steps.
*/
private class ZmqSummaries extends SummaryModelCsv {
override predicate row(string row) {
row =
[
";;false;zmq_msg_init_data;;;Argument[*1];Argument[*0];taint",
";;false;zmq_msg_data;;;Argument[*0];ReturnValue[*];taint",
]
}
}

2
cpp/ql/test/library-tests/dataflow/external-models/validatemodels.ql
View File

@@ -1,2 +1,2 @@
import cpp
import semmle.code.cpp.dataflow.ExternalFlow::CsvValidation
import semmle.code.cpp.dataflow.ExternalFlow::ModelValidation

20
cpp/ql/test/library-tests/dataflow/models-as-data/FlowSummaryNode.ql
View File

@@ -1,20 +0,0 @@
import testModels
private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
private import semmle.code.cpp.ir.dataflow.internal.DataFlowNodes
string describe(DataFlow::Node n) {
n instanceof ParameterNode and result = "ParameterNode"
or
n instanceof PostUpdateNode and result = "PostUpdateNode"
or
n instanceof ArgumentNode and result = "ArgumentNode"
or
n instanceof ReturnNode and result = "ReturnNode"
or
n instanceof OutNode and result = "OutNode"
}
from FlowSummaryNode n
select n, concat(describe(n), ", "), concat(n.getSummarizedCallable().toString(), ", "),
concat(n.getEnclosingCallable().toString(), ", ")

267
cpp/ql/test/library-tests/dataflow/models-as-data/SummaryCall.expected
View File

@@ -1,267 +0,0 @@
summaryCalls
| file://:0:0:0:0 | [summary] call to [summary param] 0 in madCallArg0ReturnToReturn in madCallArg0ReturnToReturn |
| file://:0:0:0:0 | [summary] call to [summary param] 0 in madCallArg0ReturnToReturnFirst in madCallArg0ReturnToReturnFirst |
| file://:0:0:0:0 | [summary] call to [summary param] 0 in madCallArg0WithValue in madCallArg0WithValue |
summarizedCallables
| tests.cpp:144:5:144:19 | madArg0ToReturn |
| tests.cpp:145:6:145:28 | madArg0ToReturnIndirect |
| tests.cpp:147:5:147:28 | madArg0ToReturnValueFlow |
| tests.cpp:148:5:148:27 | madArg0IndirectToReturn |
| tests.cpp:149:5:149:33 | madArg0DoubleIndirectToReturn |
| tests.cpp:150:5:150:30 | madArg0NotIndirectToReturn |
| tests.cpp:151:6:151:26 | madArg0ToArg1Indirect |
| tests.cpp:152:6:152:34 | madArg0IndirectToArg1Indirect |
| tests.cpp:153:5:153:18 | madArgsComplex |
| tests.cpp:154:5:154:14 | madArgsAny |
| tests.cpp:155:5:155:28 | madAndImplementedComplex |
| tests.cpp:160:5:160:24 | madArg0FieldToReturn |
| tests.cpp:161:5:161:32 | madArg0IndirectFieldToReturn |
| tests.cpp:162:5:162:32 | madArg0FieldIndirectToReturn |
| tests.cpp:163:13:163:32 | madArg0ToReturnField |
| tests.cpp:164:14:164:41 | madArg0ToReturnIndirectField |
| tests.cpp:165:13:165:40 | madArg0ToReturnFieldIndirect |
| tests.cpp:284:7:284:19 | madArg0ToSelf |
| tests.cpp:285:6:285:20 | madSelfToReturn |
| tests.cpp:287:7:287:20 | madArg0ToField |
| tests.cpp:288:6:288:21 | madFieldToReturn |
| tests.cpp:313:7:313:30 | namespaceMadSelfToReturn |
| tests.cpp:434:5:434:29 | madCallArg0ReturnToReturn |
| tests.cpp:435:9:435:38 | madCallArg0ReturnToReturnFirst |
| tests.cpp:436:6:436:25 | madCallArg0WithValue |
| tests.cpp:437:5:437:36 | madCallReturnValueIgnoreFunction |
| tests.cpp:459:5:459:31 | parameter_ref_to_return_ref |
| tests.cpp:471:5:471:17 | receive_array |
sourceCallables
| tests.cpp:3:5:3:10 | source |
| tests.cpp:4:6:4:14 | sourcePtr |
| tests.cpp:5:6:5:19 | sourceIndirect |
| tests.cpp:6:6:6:9 | sink |
| tests.cpp:6:15:6:17 | val |
| tests.cpp:7:6:7:9 | sink |
| tests.cpp:7:16:7:18 | ptr |
| tests.cpp:11:5:11:18 | localMadSource |
| tests.cpp:12:5:12:19 | remoteMadSource |
| tests.cpp:13:5:13:14 | notASource |
| tests.cpp:14:5:14:22 | localMadSourceVoid |
| tests.cpp:15:5:15:25 | localMadSourceHasBody |
| tests.cpp:16:6:16:28 | remoteMadSourceIndirect |
| tests.cpp:17:7:17:35 | remoteMadSourceDoubleIndirect |
| tests.cpp:18:6:18:32 | remoteMadSourceIndirectArg0 |
| tests.cpp:18:39:18:39 | x |
| tests.cpp:18:47:18:47 | y |
| tests.cpp:19:6:19:32 | remoteMadSourceIndirectArg1 |
| tests.cpp:19:39:19:39 | x |
| tests.cpp:19:47:19:47 | y |
| tests.cpp:20:5:20:22 | remoteMadSourceVar |
| tests.cpp:21:6:21:31 | remoteMadSourceVarIndirect |
| tests.cpp:24:6:24:28 | namespaceLocalMadSource |
| tests.cpp:25:6:25:31 | namespaceLocalMadSourceVar |
| tests.cpp:28:7:28:30 | namespace2LocalMadSource |
| tests.cpp:31:6:31:19 | localMadSource |
| tests.cpp:33:5:33:27 | namespaceLocalMadSource |
| tests.cpp:35:6:35:17 | test_sources |
| tests.cpp:50:6:50:6 | v |
| tests.cpp:51:7:51:16 | v_indirect |
| tests.cpp:52:6:52:13 | v_direct |
| tests.cpp:63:6:63:6 | a |
| tests.cpp:63:9:63:9 | b |
| tests.cpp:63:12:63:12 | c |
| tests.cpp:63:15:63:15 | d |
| tests.cpp:75:6:75:6 | e |
| tests.cpp:85:6:85:26 | remoteMadSourceParam0 |
| tests.cpp:85:32:85:32 | x |
| tests.cpp:92:6:92:16 | madSinkArg0 |
| tests.cpp:92:22:92:22 | x |
| tests.cpp:93:6:93:13 | notASink |
| tests.cpp:93:19:93:19 | x |
| tests.cpp:94:6:94:16 | madSinkArg1 |
| tests.cpp:94:22:94:22 | x |
| tests.cpp:94:29:94:29 | y |
| tests.cpp:95:6:95:17 | madSinkArg01 |
| tests.cpp:95:23:95:23 | x |
| tests.cpp:95:30:95:30 | y |
| tests.cpp:95:37:95:37 | z |
| tests.cpp:96:6:96:17 | madSinkArg02 |
| tests.cpp:96:23:96:23 | x |
| tests.cpp:96:30:96:30 | y |
| tests.cpp:96:37:96:37 | z |
| tests.cpp:97:6:97:24 | madSinkIndirectArg0 |
| tests.cpp:97:31:97:31 | x |
| tests.cpp:98:6:98:30 | madSinkDoubleIndirectArg0 |
| tests.cpp:98:38:98:38 | x |
| tests.cpp:99:5:99:14 | madSinkVar |
| tests.cpp:100:6:100:23 | madSinkVarIndirect |
| tests.cpp:102:6:102:15 | test_sinks |
| tests.cpp:116:6:116:6 | a |
| tests.cpp:117:7:117:11 | a_ptr |
| tests.cpp:132:6:132:18 | madSinkParam0 |
| tests.cpp:132:24:132:24 | x |
| tests.cpp:138:8:138:8 | operator= |
| tests.cpp:138:8:138:8 | operator= |
| tests.cpp:138:8:138:18 | MyContainer |
| tests.cpp:139:6:139:10 | value |
| tests.cpp:140:6:140:11 | value2 |
| tests.cpp:141:7:141:9 | ptr |
| tests.cpp:144:5:144:19 | madArg0ToReturn |
| tests.cpp:144:25:144:25 | x |
| tests.cpp:145:6:145:28 | madArg0ToReturnIndirect |
| tests.cpp:145:34:145:34 | x |
| tests.cpp:146:5:146:15 | notASummary |
| tests.cpp:146:21:146:21 | x |
| tests.cpp:147:5:147:28 | madArg0ToReturnValueFlow |
| tests.cpp:147:34:147:34 | x |
| tests.cpp:148:5:148:27 | madArg0IndirectToReturn |
| tests.cpp:148:34:148:34 | x |
| tests.cpp:149:5:149:33 | madArg0DoubleIndirectToReturn |
| tests.cpp:149:41:149:41 | x |
| tests.cpp:150:5:150:30 | madArg0NotIndirectToReturn |
| tests.cpp:150:37:150:37 | x |
| tests.cpp:151:6:151:26 | madArg0ToArg1Indirect |
| tests.cpp:151:32:151:32 | x |
| tests.cpp:151:40:151:40 | y |
| tests.cpp:152:6:152:34 | madArg0IndirectToArg1Indirect |
| tests.cpp:152:47:152:47 | x |
| tests.cpp:152:55:152:55 | y |
| tests.cpp:153:5:153:18 | madArgsComplex |
| tests.cpp:153:25:153:25 | a |
| tests.cpp:153:33:153:33 | b |
| tests.cpp:153:40:153:40 | c |
| tests.cpp:153:47:153:47 | d |
| tests.cpp:154:5:154:14 | madArgsAny |
| tests.cpp:154:20:154:20 | a |
| tests.cpp:154:28:154:28 | b |
| tests.cpp:155:5:155:28 | madAndImplementedComplex |
| tests.cpp:155:34:155:34 | a |
| tests.cpp:155:41:155:41 | b |
| tests.cpp:155:48:155:48 | c |
| tests.cpp:160:5:160:24 | madArg0FieldToReturn |
| tests.cpp:160:38:160:39 | mc |
| tests.cpp:161:5:161:32 | madArg0IndirectFieldToReturn |
| tests.cpp:161:47:161:48 | mc |
| tests.cpp:162:5:162:32 | madArg0FieldIndirectToReturn |
| tests.cpp:162:46:162:47 | mc |
| tests.cpp:163:13:163:32 | madArg0ToReturnField |
| tests.cpp:163:38:163:38 | x |
| tests.cpp:164:14:164:41 | madArg0ToReturnIndirectField |
| tests.cpp:164:47:164:47 | x |
| tests.cpp:165:13:165:40 | madArg0ToReturnFieldIndirect |
| tests.cpp:165:46:165:46 | x |
| tests.cpp:167:13:167:30 | madFieldToFieldVar |
| tests.cpp:168:13:168:38 | madFieldToIndirectFieldVar |
| tests.cpp:169:14:169:39 | madIndirectFieldToFieldVar |
| tests.cpp:171:6:171:19 | test_summaries |
| tests.cpp:174:6:174:6 | a |
| tests.cpp:174:9:174:9 | b |
| tests.cpp:174:12:174:12 | c |
| tests.cpp:174:15:174:15 | d |
| tests.cpp:174:18:174:18 | e |
| tests.cpp:175:7:175:11 | a_ptr |
| tests.cpp:218:14:218:16 | mc1 |
| tests.cpp:218:19:218:21 | mc2 |
| tests.cpp:237:15:237:18 | rtn1 |
| tests.cpp:240:14:240:17 | rtn2 |
| tests.cpp:241:7:241:14 | rtn2_ptr |
| tests.cpp:267:7:267:7 | operator= |
| tests.cpp:267:7:267:7 | operator= |
| tests.cpp:267:7:267:13 | MyClass |
| tests.cpp:270:6:270:26 | memberRemoteMadSource |
| tests.cpp:271:7:271:39 | memberRemoteMadSourceIndirectArg0 |
| tests.cpp:271:46:271:46 | x |
| tests.cpp:272:6:272:29 | memberRemoteMadSourceVar |
| tests.cpp:273:7:273:21 | qualifierSource |
| tests.cpp:274:7:274:26 | qualifierFieldSource |
| tests.cpp:277:7:277:23 | memberMadSinkArg0 |
| tests.cpp:277:29:277:29 | x |
| tests.cpp:278:6:278:21 | memberMadSinkVar |
| tests.cpp:279:7:279:19 | qualifierSink |
| tests.cpp:280:7:280:23 | qualifierArg0Sink |
| tests.cpp:280:29:280:29 | x |
| tests.cpp:281:7:281:24 | qualifierFieldSink |
| tests.cpp:284:7:284:19 | madArg0ToSelf |
| tests.cpp:284:25:284:25 | x |
| tests.cpp:285:6:285:20 | madSelfToReturn |
| tests.cpp:286:6:286:16 | notASummary |
| tests.cpp:287:7:287:20 | madArg0ToField |
| tests.cpp:287:26:287:26 | x |
| tests.cpp:288:6:288:21 | madFieldToReturn |
| tests.cpp:290:6:290:8 | val |
| tests.cpp:293:7:293:7 | MyDerivedClass |
| tests.cpp:293:7:293:7 | operator= |
| tests.cpp:293:7:293:7 | operator= |
| tests.cpp:293:7:293:20 | MyDerivedClass |
| tests.cpp:295:6:295:28 | subtypeRemoteMadSource1 |
| tests.cpp:296:6:296:21 | subtypeNonSource |
| tests.cpp:297:6:297:28 | subtypeRemoteMadSource2 |
| tests.cpp:300:9:300:15 | source2 |
| tests.cpp:301:6:301:9 | sink |
| tests.cpp:301:19:301:20 | mc |
| tests.cpp:304:8:304:8 | operator= |
| tests.cpp:304:8:304:8 | operator= |
| tests.cpp:304:8:304:14 | MyClass |
| tests.cpp:307:8:307:33 | namespaceMemberMadSinkArg0 |
| tests.cpp:307:39:307:39 | x |
| tests.cpp:308:15:308:46 | namespaceStaticMemberMadSinkArg0 |
| tests.cpp:308:52:308:52 | x |
| tests.cpp:309:7:309:31 | namespaceMemberMadSinkVar |
| tests.cpp:310:14:310:44 | namespaceStaticMemberMadSinkVar |
| tests.cpp:313:7:313:30 | namespaceMadSelfToReturn |
| tests.cpp:317:22:317:28 | source3 |
| tests.cpp:319:6:319:23 | test_class_members |
| tests.cpp:320:10:320:11 | mc |
| tests.cpp:320:14:320:16 | mc2 |
| tests.cpp:320:19:320:21 | mc3 |
| tests.cpp:320:24:320:26 | mc4 |
| tests.cpp:320:29:320:31 | mc5 |
| tests.cpp:320:34:320:36 | mc6 |
| tests.cpp:320:39:320:41 | mc7 |
| tests.cpp:320:44:320:46 | mc8 |
| tests.cpp:320:49:320:51 | mc9 |
| tests.cpp:320:54:320:57 | mc10 |
| tests.cpp:320:60:320:63 | mc11 |
| tests.cpp:321:11:321:13 | ptr |
| tests.cpp:321:17:321:23 | mc4_ptr |
| tests.cpp:322:17:322:19 | mdc |
| tests.cpp:323:23:323:25 | mnc |
| tests.cpp:323:28:323:31 | mnc2 |
| tests.cpp:324:24:324:31 | mnc2_ptr |
| tests.cpp:330:6:330:6 | a |
| tests.cpp:429:8:429:8 | operator= |
| tests.cpp:429:8:429:8 | operator= |
| tests.cpp:429:8:429:14 | intPair |
| tests.cpp:430:6:430:10 | first |
| tests.cpp:431:6:431:11 | second |
| tests.cpp:434:5:434:29 | madCallArg0ReturnToReturn |
| tests.cpp:434:37:434:43 | fun_ptr |
| tests.cpp:435:9:435:38 | madCallArg0ReturnToReturnFirst |
| tests.cpp:435:46:435:52 | fun_ptr |
| tests.cpp:436:6:436:25 | madCallArg0WithValue |
| tests.cpp:436:34:436:40 | fun_ptr |
| tests.cpp:436:53:436:57 | value |
| tests.cpp:437:5:437:36 | madCallReturnValueIgnoreFunction |
| tests.cpp:437:45:437:51 | fun_ptr |
| tests.cpp:437:64:437:68 | value |
| tests.cpp:439:5:439:14 | getTainted |
| tests.cpp:440:6:440:13 | useValue |
| tests.cpp:440:19:440:19 | x |
| tests.cpp:441:6:441:17 | dontUseValue |
| tests.cpp:441:23:441:23 | x |
| tests.cpp:443:6:443:27 | test_function_pointers |
| tests.cpp:456:19:456:19 | X |
| tests.cpp:457:8:457:35 | StructWithTypedefInParameter<X> |
| tests.cpp:457:8:457:35 | StructWithTypedefInParameter<int> |
| tests.cpp:458:12:458:15 | Type |
| tests.cpp:459:5:459:31 | parameter_ref_to_return_ref |
| tests.cpp:459:5:459:31 | parameter_ref_to_return_ref |
| tests.cpp:459:45:459:45 | x |
| tests.cpp:459:45:459:45 | x |
| tests.cpp:462:6:462:37 | test_parameter_ref_to_return_ref |
| tests.cpp:463:6:463:6 | x |
| tests.cpp:464:36:464:36 | s |
| tests.cpp:465:6:465:6 | y |
| tests.cpp:469:7:469:9 | INT |
| tests.cpp:471:5:471:17 | receive_array |
| tests.cpp:471:23:471:23 | a |
| tests.cpp:473:6:473:23 | test_receive_array |
| tests.cpp:474:6:474:6 | x |
| tests.cpp:475:6:475:10 | array |
| tests.cpp:476:6:476:6 | y |

9
cpp/ql/test/library-tests/dataflow/models-as-data/SummaryCall.ql
View File

@@ -1,9 +0,0 @@
import testModels
private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
query predicate summaryCalls(SummaryCall c) { any() }
query predicate summarizedCallables(SummarizedCallable c) { any() }
query predicate sourceCallables(SourceCallable c) { c.getLocation().getFile().toString() != "" }

29
cpp/ql/test/library-tests/dataflow/models-as-data/consistency.expected
View File

@@ -1,29 +0,0 @@
uniqueEnclosingCallable
uniqueCallEnclosingCallable
uniqueType
uniqueNodeLocation
missingLocation
uniqueNodeToString
parameterCallable
localFlowIsLocal
readStepIsLocal
storeStepIsLocal
compatibleTypesReflexive
unreachableNodeCCtx
localCallNodes
postIsNotPre
postHasUniquePre
uniquePostUpdate
postIsInSameCallable
reverseRead
argHasPostUpdate
postWithInFlow
viableImplInCallContextTooLarge
uniqueParameterNodeAtPosition
uniqueParameterNodePosition
uniqueContentApprox
identityLocalStep
missingArgumentCall
multipleArgumentCall
lambdaCallEnclosingCallableMismatch
speculativeStepAlreadyHasModel

2
cpp/ql/test/library-tests/dataflow/models-as-data/consistency.ql
View File

@@ -1,2 +0,0 @@
import testModels
import semmle.code.cpp.ir.dataflow.internal.DataFlowImplConsistency::Consistency

0
cpp/ql/test/library-tests/dataflow/models-as-data/interpretElement.expected
View File

18
cpp/ql/test/library-tests/dataflow/models-as-data/interpretElement.ql
View File

@@ -1,18 +0,0 @@
import utils.test.InlineExpectationsTest
import testModels
module InterpretElementTest implements TestSig {
string getARelevantTag() { result = "interpretElement" }
predicate hasActualResult(Location location, string element, string tag, string value) {
exists(Element e |
e = interpretElement(_, _, _, _, _, _) and
location = e.getLocation() and
element = e.toString() and
tag = "interpretElement" and
value = ""
)
}
}
import MakeTest<InterpretElementTest>

0
cpp/ql/test/library-tests/dataflow/models-as-data/taint.expected
View File

32
cpp/ql/test/library-tests/dataflow/models-as-data/taint.ql
View File

@@ -1,32 +0,0 @@
import utils.test.dataflow.FlowTestCommon
import testModels
module IRTest {
private import semmle.code.cpp.ir.IR
private import semmle.code.cpp.ir.dataflow.TaintTracking
/** Common data flow configuration to be used by tests. */
module TestAllocationConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source instanceof FlowSource
or
source.asExpr().(FunctionCall).getTarget().getName() =
["source", "source2", "source3", "sourcePtr"]
or
source.asIndirectExpr(1).(FunctionCall).getTarget().getName() = "sourceIndirect"
}
predicate isSink(DataFlow::Node sink) {
sinkNode(sink, "test-sink")
or
exists(FunctionCall call |
call.getTarget().getName() = "sink" and
sink.asExpr() = call.getAnArgument()
)
}
}
module IRFlow = TaintTracking::Global<TestAllocationConfig>;
}
import MakeTest<IRFlowTest<IRTest::IRFlow>>

298
cpp/ql/test/library-tests/dataflow/models-as-data/FlowSummaryNode.expected → cpp/ql/test/library-tests/dataflow/models-as-data/testModels.expected
View File

@@ -1,3 +1,301 @@
uniqueEnclosingCallable
uniqueCallEnclosingCallable
uniqueType
uniqueNodeLocation
missingLocation
uniqueNodeToString
parameterCallable
localFlowIsLocal
readStepIsLocal
storeStepIsLocal
compatibleTypesReflexive
unreachableNodeCCtx
localCallNodes
postIsNotPre
postHasUniquePre
uniquePostUpdate
postIsInSameCallable
reverseRead
argHasPostUpdate
postWithInFlow
viableImplInCallContextTooLarge
uniqueParameterNodeAtPosition
uniqueParameterNodePosition
uniqueContentApprox
identityLocalStep
missingArgumentCall
multipleArgumentCall
lambdaCallEnclosingCallableMismatch
speculativeStepAlreadyHasModel
testFailures
summaryCalls
| file://:0:0:0:0 | [summary] call to [summary param] 0 in madCallArg0ReturnToReturn in madCallArg0ReturnToReturn |
| file://:0:0:0:0 | [summary] call to [summary param] 0 in madCallArg0ReturnToReturnFirst in madCallArg0ReturnToReturnFirst |
| file://:0:0:0:0 | [summary] call to [summary param] 0 in madCallArg0WithValue in madCallArg0WithValue |
summarizedCallables
| tests.cpp:144:5:144:19 | madArg0ToReturn |
| tests.cpp:145:6:145:28 | madArg0ToReturnIndirect |
| tests.cpp:147:5:147:28 | madArg0ToReturnValueFlow |
| tests.cpp:148:5:148:27 | madArg0IndirectToReturn |
| tests.cpp:149:5:149:33 | madArg0DoubleIndirectToReturn |
| tests.cpp:150:5:150:30 | madArg0NotIndirectToReturn |
| tests.cpp:151:6:151:26 | madArg0ToArg1Indirect |
| tests.cpp:152:6:152:34 | madArg0IndirectToArg1Indirect |
| tests.cpp:153:5:153:18 | madArgsComplex |
| tests.cpp:154:5:154:14 | madArgsAny |
| tests.cpp:155:5:155:28 | madAndImplementedComplex |
| tests.cpp:160:5:160:24 | madArg0FieldToReturn |
| tests.cpp:161:5:161:32 | madArg0IndirectFieldToReturn |
| tests.cpp:162:5:162:32 | madArg0FieldIndirectToReturn |
| tests.cpp:163:13:163:32 | madArg0ToReturnField |
| tests.cpp:164:14:164:41 | madArg0ToReturnIndirectField |
| tests.cpp:165:13:165:40 | madArg0ToReturnFieldIndirect |
| tests.cpp:284:7:284:19 | madArg0ToSelf |
| tests.cpp:285:6:285:20 | madSelfToReturn |
| tests.cpp:287:7:287:20 | madArg0ToField |
| tests.cpp:288:6:288:21 | madFieldToReturn |
| tests.cpp:313:7:313:30 | namespaceMadSelfToReturn |
| tests.cpp:434:5:434:29 | madCallArg0ReturnToReturn |
| tests.cpp:435:9:435:38 | madCallArg0ReturnToReturnFirst |
| tests.cpp:436:6:436:25 | madCallArg0WithValue |
| tests.cpp:437:5:437:36 | madCallReturnValueIgnoreFunction |
| tests.cpp:459:5:459:31 | parameter_ref_to_return_ref |
| tests.cpp:471:5:471:17 | receive_array |
sourceCallables
| tests.cpp:3:5:3:10 | source |
| tests.cpp:4:6:4:14 | sourcePtr |
| tests.cpp:5:6:5:19 | sourceIndirect |
| tests.cpp:6:6:6:9 | sink |
| tests.cpp:6:15:6:17 | val |
| tests.cpp:7:6:7:9 | sink |
| tests.cpp:7:16:7:18 | ptr |
| tests.cpp:11:5:11:18 | localMadSource |
| tests.cpp:12:5:12:19 | remoteMadSource |
| tests.cpp:13:5:13:14 | notASource |
| tests.cpp:14:5:14:22 | localMadSourceVoid |
| tests.cpp:15:5:15:25 | localMadSourceHasBody |
| tests.cpp:16:6:16:28 | remoteMadSourceIndirect |
| tests.cpp:17:7:17:35 | remoteMadSourceDoubleIndirect |
| tests.cpp:18:6:18:32 | remoteMadSourceIndirectArg0 |
| tests.cpp:18:39:18:39 | x |
| tests.cpp:18:47:18:47 | y |
| tests.cpp:19:6:19:32 | remoteMadSourceIndirectArg1 |
| tests.cpp:19:39:19:39 | x |
| tests.cpp:19:47:19:47 | y |
| tests.cpp:20:5:20:22 | remoteMadSourceVar |
| tests.cpp:21:6:21:31 | remoteMadSourceVarIndirect |
| tests.cpp:24:6:24:28 | namespaceLocalMadSource |
| tests.cpp:25:6:25:31 | namespaceLocalMadSourceVar |
| tests.cpp:28:7:28:30 | namespace2LocalMadSource |
| tests.cpp:31:6:31:19 | localMadSource |
| tests.cpp:33:5:33:27 | namespaceLocalMadSource |
| tests.cpp:35:6:35:17 | test_sources |
| tests.cpp:50:6:50:6 | v |
| tests.cpp:51:7:51:16 | v_indirect |
| tests.cpp:52:6:52:13 | v_direct |
| tests.cpp:63:6:63:6 | a |
| tests.cpp:63:9:63:9 | b |
| tests.cpp:63:12:63:12 | c |
| tests.cpp:63:15:63:15 | d |
| tests.cpp:75:6:75:6 | e |
| tests.cpp:85:6:85:26 | remoteMadSourceParam0 |
| tests.cpp:85:32:85:32 | x |
| tests.cpp:92:6:92:16 | madSinkArg0 |
| tests.cpp:92:22:92:22 | x |
| tests.cpp:93:6:93:13 | notASink |
| tests.cpp:93:19:93:19 | x |
| tests.cpp:94:6:94:16 | madSinkArg1 |
| tests.cpp:94:22:94:22 | x |
| tests.cpp:94:29:94:29 | y |
| tests.cpp:95:6:95:17 | madSinkArg01 |
| tests.cpp:95:23:95:23 | x |
| tests.cpp:95:30:95:30 | y |
| tests.cpp:95:37:95:37 | z |
| tests.cpp:96:6:96:17 | madSinkArg02 |
| tests.cpp:96:23:96:23 | x |
| tests.cpp:96:30:96:30 | y |
| tests.cpp:96:37:96:37 | z |
| tests.cpp:97:6:97:24 | madSinkIndirectArg0 |
| tests.cpp:97:31:97:31 | x |
| tests.cpp:98:6:98:30 | madSinkDoubleIndirectArg0 |
| tests.cpp:98:38:98:38 | x |
| tests.cpp:99:5:99:14 | madSinkVar |
| tests.cpp:100:6:100:23 | madSinkVarIndirect |
| tests.cpp:102:6:102:15 | test_sinks |
| tests.cpp:116:6:116:6 | a |
| tests.cpp:117:7:117:11 | a_ptr |
| tests.cpp:132:6:132:18 | madSinkParam0 |
| tests.cpp:132:24:132:24 | x |
| tests.cpp:138:8:138:8 | operator= |
| tests.cpp:138:8:138:8 | operator= |
| tests.cpp:138:8:138:18 | MyContainer |
| tests.cpp:139:6:139:10 | value |
| tests.cpp:140:6:140:11 | value2 |
| tests.cpp:141:7:141:9 | ptr |
| tests.cpp:144:5:144:19 | madArg0ToReturn |
| tests.cpp:144:25:144:25 | x |
| tests.cpp:145:6:145:28 | madArg0ToReturnIndirect |
| tests.cpp:145:34:145:34 | x |
| tests.cpp:146:5:146:15 | notASummary |
| tests.cpp:146:21:146:21 | x |
| tests.cpp:147:5:147:28 | madArg0ToReturnValueFlow |
| tests.cpp:147:34:147:34 | x |
| tests.cpp:148:5:148:27 | madArg0IndirectToReturn |
| tests.cpp:148:34:148:34 | x |
| tests.cpp:149:5:149:33 | madArg0DoubleIndirectToReturn |
| tests.cpp:149:41:149:41 | x |
| tests.cpp:150:5:150:30 | madArg0NotIndirectToReturn |
| tests.cpp:150:37:150:37 | x |
| tests.cpp:151:6:151:26 | madArg0ToArg1Indirect |
| tests.cpp:151:32:151:32 | x |
| tests.cpp:151:40:151:40 | y |
| tests.cpp:152:6:152:34 | madArg0IndirectToArg1Indirect |
| tests.cpp:152:47:152:47 | x |
| tests.cpp:152:55:152:55 | y |
| tests.cpp:153:5:153:18 | madArgsComplex |
| tests.cpp:153:25:153:25 | a |
| tests.cpp:153:33:153:33 | b |
| tests.cpp:153:40:153:40 | c |
| tests.cpp:153:47:153:47 | d |
| tests.cpp:154:5:154:14 | madArgsAny |
| tests.cpp:154:20:154:20 | a |
| tests.cpp:154:28:154:28 | b |
| tests.cpp:155:5:155:28 | madAndImplementedComplex |
| tests.cpp:155:34:155:34 | a |
| tests.cpp:155:41:155:41 | b |
| tests.cpp:155:48:155:48 | c |
| tests.cpp:160:5:160:24 | madArg0FieldToReturn |
| tests.cpp:160:38:160:39 | mc |
| tests.cpp:161:5:161:32 | madArg0IndirectFieldToReturn |
| tests.cpp:161:47:161:48 | mc |
| tests.cpp:162:5:162:32 | madArg0FieldIndirectToReturn |
| tests.cpp:162:46:162:47 | mc |
| tests.cpp:163:13:163:32 | madArg0ToReturnField |
| tests.cpp:163:38:163:38 | x |
| tests.cpp:164:14:164:41 | madArg0ToReturnIndirectField |
| tests.cpp:164:47:164:47 | x |
| tests.cpp:165:13:165:40 | madArg0ToReturnFieldIndirect |
| tests.cpp:165:46:165:46 | x |
| tests.cpp:167:13:167:30 | madFieldToFieldVar |
| tests.cpp:168:13:168:38 | madFieldToIndirectFieldVar |
| tests.cpp:169:14:169:39 | madIndirectFieldToFieldVar |
| tests.cpp:171:6:171:19 | test_summaries |
| tests.cpp:174:6:174:6 | a |
| tests.cpp:174:9:174:9 | b |
| tests.cpp:174:12:174:12 | c |
| tests.cpp:174:15:174:15 | d |
| tests.cpp:174:18:174:18 | e |
| tests.cpp:175:7:175:11 | a_ptr |
| tests.cpp:218:14:218:16 | mc1 |
| tests.cpp:218:19:218:21 | mc2 |
| tests.cpp:237:15:237:18 | rtn1 |
| tests.cpp:240:14:240:17 | rtn2 |
| tests.cpp:241:7:241:14 | rtn2_ptr |
| tests.cpp:267:7:267:7 | operator= |
| tests.cpp:267:7:267:7 | operator= |
| tests.cpp:267:7:267:13 | MyClass |
| tests.cpp:270:6:270:26 | memberRemoteMadSource |
| tests.cpp:271:7:271:39 | memberRemoteMadSourceIndirectArg0 |
| tests.cpp:271:46:271:46 | x |
| tests.cpp:272:6:272:29 | memberRemoteMadSourceVar |
| tests.cpp:273:7:273:21 | qualifierSource |
| tests.cpp:274:7:274:26 | qualifierFieldSource |
| tests.cpp:277:7:277:23 | memberMadSinkArg0 |
| tests.cpp:277:29:277:29 | x |
| tests.cpp:278:6:278:21 | memberMadSinkVar |
| tests.cpp:279:7:279:19 | qualifierSink |
| tests.cpp:280:7:280:23 | qualifierArg0Sink |
| tests.cpp:280:29:280:29 | x |
| tests.cpp:281:7:281:24 | qualifierFieldSink |
| tests.cpp:284:7:284:19 | madArg0ToSelf |
| tests.cpp:284:25:284:25 | x |
| tests.cpp:285:6:285:20 | madSelfToReturn |
| tests.cpp:286:6:286:16 | notASummary |
| tests.cpp:287:7:287:20 | madArg0ToField |
| tests.cpp:287:26:287:26 | x |
| tests.cpp:288:6:288:21 | madFieldToReturn |
| tests.cpp:290:6:290:8 | val |
| tests.cpp:293:7:293:7 | MyDerivedClass |
| tests.cpp:293:7:293:7 | operator= |
| tests.cpp:293:7:293:7 | operator= |
| tests.cpp:293:7:293:20 | MyDerivedClass |
| tests.cpp:295:6:295:28 | subtypeRemoteMadSource1 |
| tests.cpp:296:6:296:21 | subtypeNonSource |
| tests.cpp:297:6:297:28 | subtypeRemoteMadSource2 |
| tests.cpp:300:9:300:15 | source2 |
| tests.cpp:301:6:301:9 | sink |
| tests.cpp:301:19:301:20 | mc |
| tests.cpp:304:8:304:8 | operator= |
| tests.cpp:304:8:304:8 | operator= |
| tests.cpp:304:8:304:14 | MyClass |
| tests.cpp:307:8:307:33 | namespaceMemberMadSinkArg0 |
| tests.cpp:307:39:307:39 | x |
| tests.cpp:308:15:308:46 | namespaceStaticMemberMadSinkArg0 |
| tests.cpp:308:52:308:52 | x |
| tests.cpp:309:7:309:31 | namespaceMemberMadSinkVar |
| tests.cpp:310:14:310:44 | namespaceStaticMemberMadSinkVar |
| tests.cpp:313:7:313:30 | namespaceMadSelfToReturn |
| tests.cpp:317:22:317:28 | source3 |
| tests.cpp:319:6:319:23 | test_class_members |
| tests.cpp:320:10:320:11 | mc |
| tests.cpp:320:14:320:16 | mc2 |
| tests.cpp:320:19:320:21 | mc3 |
| tests.cpp:320:24:320:26 | mc4 |
| tests.cpp:320:29:320:31 | mc5 |
| tests.cpp:320:34:320:36 | mc6 |
| tests.cpp:320:39:320:41 | mc7 |
| tests.cpp:320:44:320:46 | mc8 |
| tests.cpp:320:49:320:51 | mc9 |
| tests.cpp:320:54:320:57 | mc10 |
| tests.cpp:320:60:320:63 | mc11 |
| tests.cpp:321:11:321:13 | ptr |
| tests.cpp:321:17:321:23 | mc4_ptr |
| tests.cpp:322:17:322:19 | mdc |
| tests.cpp:323:23:323:25 | mnc |
| tests.cpp:323:28:323:31 | mnc2 |
| tests.cpp:324:24:324:31 | mnc2_ptr |
| tests.cpp:330:6:330:6 | a |
| tests.cpp:429:8:429:8 | operator= |
| tests.cpp:429:8:429:8 | operator= |
| tests.cpp:429:8:429:14 | intPair |
| tests.cpp:430:6:430:10 | first |
| tests.cpp:431:6:431:11 | second |
| tests.cpp:434:5:434:29 | madCallArg0ReturnToReturn |
| tests.cpp:434:37:434:43 | fun_ptr |
| tests.cpp:435:9:435:38 | madCallArg0ReturnToReturnFirst |
| tests.cpp:435:46:435:52 | fun_ptr |
| tests.cpp:436:6:436:25 | madCallArg0WithValue |
| tests.cpp:436:34:436:40 | fun_ptr |
| tests.cpp:436:53:436:57 | value |
| tests.cpp:437:5:437:36 | madCallReturnValueIgnoreFunction |
| tests.cpp:437:45:437:51 | fun_ptr |
| tests.cpp:437:64:437:68 | value |
| tests.cpp:439:5:439:14 | getTainted |
| tests.cpp:440:6:440:13 | useValue |
| tests.cpp:440:19:440:19 | x |
| tests.cpp:441:6:441:17 | dontUseValue |
| tests.cpp:441:23:441:23 | x |
| tests.cpp:443:6:443:27 | test_function_pointers |
| tests.cpp:456:19:456:19 | X |
| tests.cpp:457:8:457:35 | StructWithTypedefInParameter<X> |
| tests.cpp:457:8:457:35 | StructWithTypedefInParameter<int> |
| tests.cpp:458:12:458:15 | Type |
| tests.cpp:459:5:459:31 | parameter_ref_to_return_ref |
| tests.cpp:459:5:459:31 | parameter_ref_to_return_ref |
| tests.cpp:459:45:459:45 | x |
| tests.cpp:459:45:459:45 | x |
| tests.cpp:462:6:462:37 | test_parameter_ref_to_return_ref |
| tests.cpp:463:6:463:6 | x |
| tests.cpp:464:36:464:36 | s |
| tests.cpp:465:6:465:6 | y |
| tests.cpp:469:7:469:9 | INT |
| tests.cpp:471:5:471:17 | receive_array |
| tests.cpp:471:23:471:23 | a |
| tests.cpp:473:6:473:23 | test_receive_array |
| tests.cpp:474:6:474:6 | x |
| tests.cpp:475:6:475:10 | array |
| tests.cpp:476:6:476:6 | y |
flowSummaryNode
| tests.cpp:144:5:144:19 | [summary param] 0 in madArg0ToReturn | ParameterNode | madArg0ToReturn | madArg0ToReturn |
| tests.cpp:144:5:144:19 | [summary] to write: ReturnValue in madArg0ToReturn | ReturnNode | madArg0ToReturn | madArg0ToReturn |
| tests.cpp:145:6:145:28 | [summary param] 0 in madArg0ToReturnIndirect | ParameterNode | madArg0ToReturnIndirect | madArg0ToReturnIndirect |

84
cpp/ql/test/library-tests/dataflow/models-as-data/testModels.ext.yml Normal file
View File

@@ -0,0 +1,84 @@
extensions:
- addsTo:
pack: codeql/cpp-all
extensible: sourceModel
data: # namespace, type, subtypes, name, signature, ext, output, kind, provenance
- ["", "", False, "localMadSource", "", "", "ReturnValue", "local", "manual"]
- ["", "", False, "remoteMadSource", "", "", "ReturnValue", "remote", "manual"]
- ["", "", False, "localMadSourceVoid", "", "", "ReturnValue", "local", "manual"]
- ["", "", False, "localMadSourceHasBody", "", "", "ReturnValue", "local", "manual"]
- ["", "", False, "remoteMadSourceIndirect", "", "", "ReturnValue[*]", "remote", "manual"]
- ["", "", False, "remoteMadSourceDoubleIndirect", "", "", "ReturnValue[**]", "remote", "manual"]
- ["", "", False, "remoteMadSourceIndirectArg0", "", "", "Argument[*0]", "remote", "manual"]
- ["", "", False, "remoteMadSourceIndirectArg1", "", "", "Argument[*1]", "remote", "manual"]
- ["", "", False, "remoteMadSourceVar", "", "", "", "remote", "manual"]
- ["", "", False, "remoteMadSourceVarIndirect", "", "", "*", "remote", "manual"] # we can't express this source/sink correctly at present, "*" is not a valid access path
- ["", "", False, "remoteMadSourceParam0", "", "", "Parameter[0]", "remote", "manual"]
- ["MyNamespace", "", False, "namespaceLocalMadSource", "", "", "ReturnValue", "local", "manual"]
- ["MyNamespace", "", False, "namespaceLocalMadSourceVar", "", "", "", "local", "manual"]
- ["MyNamespace::MyNamespace2", "", False, "namespace2LocalMadSource", "", "", "ReturnValue", "local", "manual"]
- ["", "MyClass", True, "memberRemoteMadSource", "", "", "ReturnValue", "remote", "manual"]
- ["", "MyClass", True, "memberRemoteMadSourceIndirectArg0", "", "", "Argument[*0]", "remote", "manual"]
- ["", "MyClass", True, "memberRemoteMadSourceVar", "", "", "", "remote", "manual"]
- ["", "MyClass", True, "subtypeRemoteMadSource1", "", "", "ReturnValue", "remote", "manual"]
- ["", "MyClass", False, "subtypeNonSource", "", "", "ReturnValue", "remote", "manual"] # the tests define this in MyDerivedClass, so it should *not* be recongized as a source
- ["", "MyClass", True, "qualifierSource", "", "", "Argument[-1]", "remote", "manual"]
- ["", "MyClass", True, "qualifierFieldSource", "", "", "Argument[-1].val", "remote", "manual"]
- ["", "MyDerivedClass", False, "subtypeRemoteMadSource2", "", "", "ReturnValue", "remote", "manual"]
- addsTo:
pack: codeql/cpp-all
extensible: sinkModel
data: # namespace, type, subtypes, name, signature, ext, input, kind, provenance
- ["", "", False, "madSinkArg0", "", "", "Argument[0]", "test-sink", "manual"]
- ["", "", False, "madSinkArg1", "", "", "Argument[1]", "test-sink", "manual"]
- ["", "", False, "madSinkArg01", "", "", "Argument[0..1]", "test-sink", "manual"]
- ["", "", False, "madSinkArg02", "", "", "Argument[0,2]", "test-sink", "manual"]
- ["", "", False, "madSinkIndirectArg0", "", "", "Argument[*0]", "test-sink", "manual"]
- ["", "", False, "madSinkDoubleIndirectArg0", "", "", "Argument[**0]", "test-sink", "manual"]
- ["", "", False, "madSinkVar", "", "", "", "test-sink", "manual"]
- ["", "", False, "madSinkVarIndirect", "", "", "*", "test-sink", "manual"] # we can't express this source/sink correctly at present, "*" is not a valid access path
- ["", "", False, "madSinkParam0", "", "", "Parameter[0]", "test-sink", "manual"]
- ["", "MyClass", True, "memberMadSinkArg0", "", "", "Argument[0]", "test-sink", "manual"]
- ["", "MyClass", True, "memberMadSinkVar", "", "", "", "test-sink", "manual"]
- ["", "MyClass", True, "qualifierSink", "", "", "Argument[-1]", "test-sink", "manual"]
- ["", "MyClass", True, "qualifierArg0Sink", "", "", "Argument[-1..0]", "test-sink", "manual"]
- ["", "MyClass", True, "qualifierFieldSink", "", "", "Argument[-1].val", "test-sink", "manual"]
- ["MyNamespace", "MyClass", True, "namespaceMemberMadSinkArg0", "", "", "Argument[0]", "test-sink", "manual"]
- ["MyNamespace", "MyClass", True, "namespaceStaticMemberMadSinkArg0", "", "", "Argument[0]", "test-sink", "manual"]
- ["MyNamespace", "MyClass", True, "namespaceMemberMadSinkVar", "", "", "", "test-sink", "manual"]
- ["MyNamespace", "MyClass", True, "namespaceStaticMemberMadSinkVar", "", "", "", "test-sink", "manual"]
- addsTo:
pack: codeql/cpp-all
extensible: summaryModel
data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
- ["", "", False, "madArg0ToReturn", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["", "", False, "madArg0ToReturnIndirect", "", "", "Argument[0]", "ReturnValue[*]", "taint", "manual"]
- ["", "", False, "madArg0ToReturnValueFlow", "", "", "Argument[0]", "ReturnValue", "value", "manual"]
- ["", "", False, "madArg0IndirectToReturn", "", "", "Argument[*0]", "ReturnValue", "taint", "manual"]
- ["", "", False, "madArg0DoubleIndirectToReturn", "", "", "Argument[**0]", "ReturnValue", "taint", "manual"]
- ["", "", False, "madArg0NotIndirectToReturn", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["", "", False, "madArg0ToArg1Indirect", "", "", "Argument[0]", "Argument[*1]", "taint", "manual"]
- ["", "", False, "madArg0IndirectToArg1Indirect", "", "", "Argument[*0]", "Argument[*1]", "taint", "manual"]
- ["", "", False, "madArgsComplex", "", "", "Argument[*0..1,2]", "ReturnValue", "taint", "manual"]
- ["", "", False, "madAndImplementedComplex", "", "", "Argument[2]", "ReturnValue", "taint", "manual"]
- ["", "", False, "madArgsAny", "", "", "Argument", "ReturnValue", "taint", "manual"] # we can't express this source/sink correctly at present, "Argument" is not a valid input
- ["", "", False, "madArg0FieldToReturn", "", "", "Argument[0].Field[value]", "ReturnValue", "taint", "manual"]
- ["", "", False, "madArg0IndirectFieldToReturn", "", "", "Argument[*0].Field[value]", "ReturnValue", "taint", "manual"]
- ["", "", False, "madArg0FieldIndirectToReturn", "", "", "Argument[0].Field[*ptr]", "ReturnValue", "taint", "manual"]
- ["", "", False, "madArg0ToReturnField", "", "", "Argument[0]", "ReturnValue.Field[value]", "taint", "manual"]
- ["", "", False, "madArg0ToReturnIndirectField", "", "", "Argument[0]", "ReturnValue[*].Field[value]", "taint", "manual"]
- ["", "", False, "madArg0ToReturnFieldIndirect", "", "", "Argument[0]", "ReturnValue.Field[*ptr]", "taint", "manual"]
- ["", "", False, "madFieldToFieldVar", "", "", "Field[value]", "Field[value2]", "taint", "manual"] # we can't express this source/sink correctly at present, "Field[value]" is not a valid input and "Field[value2]" is not a valid output
- ["", "", False, "madFieldToIndirectFieldVar", "", "", "Field[value]", "Field[*ptr]", "taint", "manual"] # we can't express this source/sink correctly at present, "Field[value]" is not a valid input and "Field[*ptr]" is not a valid output
- ["", "", False, "madIndirectFieldToFieldVar", "", "", "Field[value]", "Field[value2]", "taint", "manual"] # we can't express this source/sink correctly at present, "Field[value]" is not a valid input and "Field[value2]" is not a valid output
- ["", "MyClass", True, "madArg0ToSelf", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
- ["", "MyClass", True, "madSelfToReturn", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
- ["", "MyClass", True, "madArg0ToField", "", "", "Argument[0]", "Argument[-1].Field[val]", "taint", "manual"]
- ["", "MyClass", True, "madFieldToReturn", "", "", "Argument[-1].Field[val]", "ReturnValue", "taint", "manual"]
- ["MyNamespace", "MyClass", True, "namespaceMadSelfToReturn", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
- ["", "", False, "madCallArg0ReturnToReturn", "", "", "Argument[0].ReturnValue", "ReturnValue", "value", "manual"]
- ["", "", False, "madCallArg0ReturnToReturnFirst", "", "", "Argument[0].ReturnValue", "ReturnValue.Field[first]", "value", "manual"]
- ["", "", False, "madCallArg0WithValue", "", "", "Argument[1]", "Argument[0].Parameter[0]", "value", "manual"]
- ["", "", False, "madCallReturnValueIgnoreFunction", "", "", "Argument[1]", "ReturnValue", "value", "manual"]
- ["", "StructWithTypedefInParameter<T>", True, "parameter_ref_to_return_ref", "(const T &)", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"]
- ["", "", False, "receive_array", "(int[20])", "", "Argument[*0]", "ReturnValue", "taint", "manual"]

74
cpp/ql/test/library-tests/dataflow/models-as-data/testModels.ql Normal file
View File

@@ -0,0 +1,74 @@
import semmle.code.cpp.ir.dataflow.internal.DataFlowImplConsistency::Consistency
import semmle.code.cpp.ir.dataflow.internal.DataFlowNodes
import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
import semmle.code.cpp.security.FlowSources
import utils.test.dataflow.FlowTestCommon
module InterpretElementTest implements TestSig {
string getARelevantTag() { result = "interpretElement" }
predicate hasActualResult(Location location, string element, string tag, string value) {
exists(Element e |
e = interpretElement(_, _, _, _, _, _) and
location = e.getLocation() and
element = e.toString() and
tag = "interpretElement" and
value = ""
)
}
}
query predicate summaryCalls(SummaryCall c) { any() }
query predicate summarizedCallables(SummarizedCallable c) { any() }
query predicate sourceCallables(SourceCallable c) { c.getLocation().getFile().toString() != "" }
module IRTest {
private import semmle.code.cpp.ir.IR
private import semmle.code.cpp.ir.dataflow.TaintTracking
/** Common data flow configuration to be used by tests. */
module TestAllocationConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source instanceof FlowSource
or
source.asExpr().(FunctionCall).getTarget().getName() =
["source", "source2", "source3", "sourcePtr"]
or
source.asIndirectExpr(1).(FunctionCall).getTarget().getName() = "sourceIndirect"
}
predicate isSink(DataFlow::Node sink) {
sinkNode(sink, "test-sink")
or
exists(FunctionCall call |
call.getTarget().getName() = "sink" and
sink.asExpr() = call.getAnArgument()
)
}
}
module IRFlow = TaintTracking::Global<TestAllocationConfig>;
}
import MakeTest<MergeTests<IRFlowTest<IRTest::IRFlow>, InterpretElementTest>>
string describe(DataFlow::Node n) {
n instanceof ParameterNode and result = "ParameterNode"
or
n instanceof PostUpdateNode and result = "PostUpdateNode"
or
n instanceof ArgumentNode and result = "ArgumentNode"
or
n instanceof ReturnNode and result = "ReturnNode"
or
n instanceof OutNode and result = "OutNode"
}
query predicate flowSummaryNode(FlowSummaryNode n, string str1, string str2, string str3) {
str1 = concat(describe(n), ", ") and
str2 = concat(n.getSummarizedCallable().toString(), ", ") and
str3 = concat(n.getEnclosingCallable().toString(), ", ")
}

105
cpp/ql/test/library-tests/dataflow/models-as-data/testModels.qll
View File

@@ -1,105 +0,0 @@
import semmle.code.cpp.security.FlowSources
/**
* Models-as-data source models for this test.
*/
private class TestSources extends SourceModelCsv {
override predicate row(string row) {
row =
[
";;false;localMadSource;;;ReturnValue;local",
";;false;remoteMadSource;;;ReturnValue;remote",
";;false;localMadSourceVoid;;;ReturnValue;local",
";;false;localMadSourceHasBody;;;ReturnValue;local",
";;false;remoteMadSourceIndirect;;;ReturnValue[*];remote",
";;false;remoteMadSourceDoubleIndirect;;;ReturnValue[**];remote",
";;false;remoteMadSourceIndirectArg0;;;Argument[*0];remote",
";;false;remoteMadSourceIndirectArg1;;;Argument[*1];remote",
";;false;remoteMadSourceVar;;;;remote",
";;false;remoteMadSourceVarIndirect;;;*;remote", // not correctly expressed
";;false;remoteMadSourceParam0;;;Parameter[0];remote",
"MyNamespace;;false;namespaceLocalMadSource;;;ReturnValue;local",
"MyNamespace;;false;namespaceLocalMadSourceVar;;;;local",
"MyNamespace::MyNamespace2;;false;namespace2LocalMadSource;;;ReturnValue;local",
";MyClass;true;memberRemoteMadSource;;;ReturnValue;remote",
";MyClass;true;memberRemoteMadSourceIndirectArg0;;;Argument[*0];remote",
";MyClass;true;memberRemoteMadSourceVar;;;;remote",
";MyClass;true;subtypeRemoteMadSource1;;;ReturnValue;remote",
";MyClass;false;subtypeNonSource;;;ReturnValue;remote", // the tests define this in MyDerivedClass, so it should *not* be recongized as a source
";MyClass;true;qualifierSource;;;Argument[-1];remote",
";MyClass;true;qualifierFieldSource;;;Argument[-1].val;remote",
";MyDerivedClass;false;subtypeRemoteMadSource2;;;ReturnValue;remote",
]
}
}
/**
* Models-as-data sink models for this test.
*/
private class TestSinks extends SinkModelCsv {
override predicate row(string row) {
row =
[
";;false;madSinkArg0;;;Argument[0];test-sink",
";;false;madSinkArg1;;;Argument[1];test-sink",
";;false;madSinkArg01;;;Argument[0..1];test-sink",
";;false;madSinkArg02;;;Argument[0,2];test-sink",
";;false;madSinkIndirectArg0;;;Argument[*0];test-sink",
";;false;madSinkDoubleIndirectArg0;;;Argument[**0];test-sink",
";;false;madSinkVar;;;;test-sink",
";;false;madSinkVarIndirect;;;*;test-sink", // not correctly expressed
";;false;madSinkParam0;;;Parameter[0];test-sink",
";MyClass;true;memberMadSinkArg0;;;Argument[0];test-sink",
";MyClass;true;memberMadSinkVar;;;;test-sink",
";MyClass;true;qualifierSink;;;Argument[-1];test-sink",
";MyClass;true;qualifierArg0Sink;;;Argument[-1..0];test-sink",
";MyClass;true;qualifierFieldSink;;;Argument[-1].val;test-sink",
"MyNamespace;MyClass;true;namespaceMemberMadSinkArg0;;;Argument[0];test-sink",
"MyNamespace;MyClass;true;namespaceStaticMemberMadSinkArg0;;;Argument[0];test-sink",
"MyNamespace;MyClass;true;namespaceMemberMadSinkVar;;;;test-sink",
"MyNamespace;MyClass;true;namespaceStaticMemberMadSinkVar;;;;test-sink",
]
}
}
/**
* Models-as-data summary models for this test.
*/
private class TestSummaries extends SummaryModelCsv {
override predicate row(string row) {
row =
[
";;false;madArg0ToReturn;;;Argument[0];ReturnValue;taint",
";;false;madArg0ToReturnIndirect;;;Argument[0];ReturnValue[*];taint",
";;false;madArg0ToReturnValueFlow;;;Argument[0];ReturnValue;value",
";;false;madArg0IndirectToReturn;;;Argument[*0];ReturnValue;taint",
";;false;madArg0DoubleIndirectToReturn;;;Argument[**0];ReturnValue;taint",
";;false;madArg0NotIndirectToReturn;;;Argument[0];ReturnValue;taint",
";;false;madArg0ToArg1Indirect;;;Argument[0];Argument[*1];taint",
";;false;madArg0IndirectToArg1Indirect;;;Argument[*0];Argument[*1];taint",
";;false;madArgsComplex;;;Argument[*0..1,2];ReturnValue;taint",
";;false;madAndImplementedComplex;;;Argument[2];ReturnValue;taint",
";;false;madArgsAny;;;Argument;ReturnValue;taint", // (syntax not supported)
";;false;madArg0FieldToReturn;;;Argument[0].Field[value];ReturnValue;taint",
";;false;madArg0IndirectFieldToReturn;;;Argument[*0].Field[value];ReturnValue;taint",
";;false;madArg0FieldIndirectToReturn;;;Argument[0].Field[*ptr];ReturnValue;taint",
";;false;madArg0ToReturnField;;;Argument[0];ReturnValue.Field[value];taint",
";;false;madArg0ToReturnIndirectField;;;Argument[0];ReturnValue[*].Field[value];taint",
";;false;madArg0ToReturnFieldIndirect;;;Argument[0];ReturnValue.Field[*ptr];taint",
";;false;madFieldToFieldVar;;;Field[value];Field[value2];taint",
";;false;madFieldToIndirectFieldVar;;;Field[value];Field[*ptr];taint",
";;false;madIndirectFieldToFieldVar;;;;Field[value];Field[value2];taint", // not correctly expressed
";MyClass;true;madArg0ToSelf;;;Argument[0];Argument[-1];taint",
";MyClass;true;madSelfToReturn;;;Argument[-1];ReturnValue;taint",
";MyClass;true;madArg0ToField;;;Argument[0];Argument[-1].Field[val];taint",
";MyClass;true;madFieldToReturn;;;Argument[-1].Field[val];ReturnValue;taint",
"MyNamespace;MyClass;true;namespaceMadSelfToReturn;;;Argument[-1];ReturnValue;taint",
";;false;madCallArg0ReturnToReturn;;;Argument[0].ReturnValue;ReturnValue;value",
";;false;madCallArg0ReturnToReturnFirst;;;Argument[0].ReturnValue;ReturnValue.Field[first];value",
";;false;madCallArg0WithValue;;;Argument[1];Argument[0].Parameter[0];value",
";;false;madCallReturnValueIgnoreFunction;;;Argument[1];ReturnValue;value",
";StructWithTypedefInParameter<T>;true;parameter_ref_to_return_ref;(const T &);;Argument[*0];ReturnValue[*];value",
";;false;receive_array;(int[20]);;Argument[*0];ReturnValue;taint"
]
}
}

61
cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected
View File

@@ -1,3 +1,24 @@
#select
| tests2.cpp:63:13:63:26 | *call to getenv | tests2.cpp:63:13:63:26 | *call to getenv | tests2.cpp:63:13:63:26 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:63:13:63:26 | *call to getenv | *call to getenv |
| tests2.cpp:64:13:64:26 | *call to getenv | tests2.cpp:64:13:64:26 | *call to getenv | tests2.cpp:64:13:64:26 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:64:13:64:26 | *call to getenv | *call to getenv |
| tests2.cpp:65:13:65:30 | *call to getenv | tests2.cpp:65:13:65:30 | *call to getenv | tests2.cpp:65:13:65:30 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:65:13:65:30 | *call to getenv | *call to getenv |
| tests2.cpp:66:13:66:34 | *call to getenv | tests2.cpp:66:13:66:34 | *call to getenv | tests2.cpp:66:13:66:34 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:66:13:66:34 | *call to getenv | *call to getenv |
| tests2.cpp:80:14:80:34 | *call to mysql_get_client_info | tests2.cpp:80:14:80:34 | *call to mysql_get_client_info | tests2.cpp:80:14:80:34 | *call to mysql_get_client_info | This operation exposes system data from $@. | tests2.cpp:80:14:80:34 | *call to mysql_get_client_info | *call to mysql_get_client_info |
| tests2.cpp:81:14:81:19 | *buffer | tests2.cpp:78:18:78:38 | *call to mysql_get_client_info | tests2.cpp:81:14:81:19 | *buffer | This operation exposes system data from $@. | tests2.cpp:78:18:78:38 | *call to mysql_get_client_info | *call to mysql_get_client_info |
| tests2.cpp:82:14:82:20 | *global1 | tests2.cpp:50:23:50:43 | *call to mysql_get_client_info | tests2.cpp:82:14:82:20 | *global1 | This operation exposes system data from $@. | tests2.cpp:50:23:50:43 | *call to mysql_get_client_info | *call to mysql_get_client_info |
| tests2.cpp:93:14:93:17 | *str1 | tests2.cpp:91:42:91:45 | *str1 | tests2.cpp:93:14:93:17 | *str1 | This operation exposes system data from $@. | tests2.cpp:91:42:91:45 | *str1 | *str1 |
| tests2.cpp:102:14:102:15 | *pw | tests2.cpp:101:8:101:15 | *call to getpwuid | tests2.cpp:102:14:102:15 | *pw | This operation exposes system data from $@. | tests2.cpp:101:8:101:15 | *call to getpwuid | *call to getpwuid |
| tests2.cpp:111:14:111:19 | *ptr | tests2.cpp:109:12:109:17 | *call to getenv | tests2.cpp:111:14:111:19 | *ptr | This operation exposes system data from $@. | tests2.cpp:109:12:109:17 | *call to getenv | *call to getenv |
| tests2.cpp:138:23:138:34 | *message_data | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:138:23:138:34 | *message_data | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
| tests2.cpp:144:33:144:40 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:144:33:144:40 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
| tests2.cpp:147:20:147:27 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:147:20:147:27 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
| tests2.cpp:155:32:155:39 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:155:32:155:39 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
| tests2.cpp:158:20:158:27 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:158:20:158:27 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
| tests_sockets.cpp:39:19:39:22 | *path | tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:39:19:39:22 | *path | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | *call to getenv | *call to getenv |
| tests_sockets.cpp:43:20:43:23 | *path | tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:43:20:43:23 | *path | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | *call to getenv | *call to getenv |
| tests_sockets.cpp:76:19:76:22 | *path | tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:76:19:76:22 | *path | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | *call to getenv | *call to getenv |
| tests_sockets.cpp:80:20:80:23 | *path | tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:80:20:80:23 | *path | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | *call to getenv | *call to getenv |
| tests_sysconf.cpp:39:19:39:25 | *pathbuf | tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | *pathbuf | This operation exposes system data from $@. | tests_sysconf.cpp:36:21:36:27 | confstr output argument | confstr output argument |
edges
| tests2.cpp:50:13:50:19 | **global1 | tests2.cpp:82:14:82:20 | *global1 | provenance | |
| tests2.cpp:50:23:50:43 | *call to mysql_get_client_info | tests2.cpp:50:13:50:19 | **global1 | provenance | |
@@ -12,16 +33,16 @@ edges
| tests2.cpp:111:14:111:15 | *c1 [*ptr] | tests2.cpp:111:14:111:19 | *ptr | provenance | |
| tests2.cpp:111:14:111:15 | *c1 [*ptr] | tests2.cpp:111:17:111:19 | *ptr | provenance | |
| tests2.cpp:111:17:111:19 | *ptr | tests2.cpp:111:14:111:19 | *ptr | provenance | |
| tests2.cpp:120:5:120:21 | [summary param] *1 in zmq_msg_init_data | tests2.cpp:120:5:120:21 | [summary param] *0 in zmq_msg_init_data [Return] | provenance | |
| tests2.cpp:134:2:134:30 | *... = ... | tests2.cpp:138:23:138:34 | *message_data | provenance | |
| tests2.cpp:120:5:120:21 | [summary param] *1 in zmq_msg_init_data | tests2.cpp:120:5:120:21 | [summary param] *0 in zmq_msg_init_data [Return] | provenance | MaD:4 |
| tests2.cpp:134:2:134:30 | *... = ... | tests2.cpp:138:23:138:34 | *message_data | provenance | Sink:MaD:2 |
| tests2.cpp:134:2:134:30 | *... = ... | tests2.cpp:143:34:143:45 | *message_data | provenance | |
| tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:134:2:134:30 | *... = ... | provenance | |
| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:144:33:144:40 | *& ... | provenance | |
| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:147:20:147:27 | *& ... | provenance | |
| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:155:32:155:39 | *& ... | provenance | |
| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:158:20:158:27 | *& ... | provenance | |
| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:144:33:144:40 | *& ... | provenance | Sink:MaD:3 |
| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:147:20:147:27 | *& ... | provenance | Sink:MaD:1 |
| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:155:32:155:39 | *& ... | provenance | Sink:MaD:3 |
| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:158:20:158:27 | *& ... | provenance | Sink:MaD:1 |
| tests2.cpp:143:34:143:45 | *message_data | tests2.cpp:120:5:120:21 | [summary param] *1 in zmq_msg_init_data | provenance | |
| tests2.cpp:143:34:143:45 | *message_data | tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | provenance | |
| tests2.cpp:143:34:143:45 | *message_data | tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | provenance | MaD:4 |
| tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:26:15:26:20 | *call to getenv | provenance | |
| tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:39:19:39:22 | *path | provenance | |
| tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:43:20:43:23 | *path | provenance | |
@@ -29,6 +50,11 @@ edges
| tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:76:19:76:22 | *path | provenance | |
| tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:80:20:80:23 | *path | provenance | |
| tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | *pathbuf | provenance | |
models
| 1 | Sink: ; ; false; zmq_msg_send; ; ; Argument[*0]; remote-sink; manual |
| 2 | Sink: ; ; false; zmq_send; ; ; Argument[*1]; remote-sink; manual |
| 3 | Sink: ; ; false; zmq_sendmsg; ; ; Argument[*1]; remote-sink; manual |
| 4 | Summary: ; ; false; zmq_msg_init_data; ; ; Argument[*1]; Argument[*0]; taint; manual |
nodes
| tests2.cpp:50:13:50:19 | **global1 | semmle.label | **global1 |
| tests2.cpp:50:23:50:43 | *call to mysql_get_client_info | semmle.label | *call to mysql_get_client_info |
@@ -75,24 +101,3 @@ nodes
| tests_sysconf.cpp:39:19:39:25 | *pathbuf | semmle.label | *pathbuf |
subpaths
| tests2.cpp:143:34:143:45 | *message_data | tests2.cpp:120:5:120:21 | [summary param] *1 in zmq_msg_init_data | tests2.cpp:120:5:120:21 | [summary param] *0 in zmq_msg_init_data [Return] | tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument |
#select
| tests2.cpp:63:13:63:26 | *call to getenv | tests2.cpp:63:13:63:26 | *call to getenv | tests2.cpp:63:13:63:26 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:63:13:63:26 | *call to getenv | *call to getenv |
| tests2.cpp:64:13:64:26 | *call to getenv | tests2.cpp:64:13:64:26 | *call to getenv | tests2.cpp:64:13:64:26 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:64:13:64:26 | *call to getenv | *call to getenv |
| tests2.cpp:65:13:65:30 | *call to getenv | tests2.cpp:65:13:65:30 | *call to getenv | tests2.cpp:65:13:65:30 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:65:13:65:30 | *call to getenv | *call to getenv |
| tests2.cpp:66:13:66:34 | *call to getenv | tests2.cpp:66:13:66:34 | *call to getenv | tests2.cpp:66:13:66:34 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:66:13:66:34 | *call to getenv | *call to getenv |
| tests2.cpp:80:14:80:34 | *call to mysql_get_client_info | tests2.cpp:80:14:80:34 | *call to mysql_get_client_info | tests2.cpp:80:14:80:34 | *call to mysql_get_client_info | This operation exposes system data from $@. | tests2.cpp:80:14:80:34 | *call to mysql_get_client_info | *call to mysql_get_client_info |
| tests2.cpp:81:14:81:19 | *buffer | tests2.cpp:78:18:78:38 | *call to mysql_get_client_info | tests2.cpp:81:14:81:19 | *buffer | This operation exposes system data from $@. | tests2.cpp:78:18:78:38 | *call to mysql_get_client_info | *call to mysql_get_client_info |
| tests2.cpp:82:14:82:20 | *global1 | tests2.cpp:50:23:50:43 | *call to mysql_get_client_info | tests2.cpp:82:14:82:20 | *global1 | This operation exposes system data from $@. | tests2.cpp:50:23:50:43 | *call to mysql_get_client_info | *call to mysql_get_client_info |
| tests2.cpp:93:14:93:17 | *str1 | tests2.cpp:91:42:91:45 | *str1 | tests2.cpp:93:14:93:17 | *str1 | This operation exposes system data from $@. | tests2.cpp:91:42:91:45 | *str1 | *str1 |
| tests2.cpp:102:14:102:15 | *pw | tests2.cpp:101:8:101:15 | *call to getpwuid | tests2.cpp:102:14:102:15 | *pw | This operation exposes system data from $@. | tests2.cpp:101:8:101:15 | *call to getpwuid | *call to getpwuid |
| tests2.cpp:111:14:111:19 | *ptr | tests2.cpp:109:12:109:17 | *call to getenv | tests2.cpp:111:14:111:19 | *ptr | This operation exposes system data from $@. | tests2.cpp:109:12:109:17 | *call to getenv | *call to getenv |
| tests2.cpp:138:23:138:34 | *message_data | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:138:23:138:34 | *message_data | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
| tests2.cpp:144:33:144:40 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:144:33:144:40 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
| tests2.cpp:147:20:147:27 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:147:20:147:27 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
| tests2.cpp:155:32:155:39 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:155:32:155:39 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
| tests2.cpp:158:20:158:27 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:158:20:158:27 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
| tests_sockets.cpp:39:19:39:22 | *path | tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:39:19:39:22 | *path | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | *call to getenv | *call to getenv |
| tests_sockets.cpp:43:20:43:23 | *path | tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:43:20:43:23 | *path | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | *call to getenv | *call to getenv |
| tests_sockets.cpp:76:19:76:22 | *path | tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:76:19:76:22 | *path | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | *call to getenv | *call to getenv |
| tests_sockets.cpp:80:20:80:23 | *path | tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:80:20:80:23 | *path | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | *call to getenv | *call to getenv |
| tests_sysconf.cpp:39:19:39:25 | *pathbuf | tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | *pathbuf | This operation exposes system data from $@. | tests_sysconf.cpp:36:21:36:27 | confstr output argument | confstr output argument |

5
cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.qlref
View File

@@ -1 +1,4 @@
Security/CWE/CWE-497/ExposedSystemData.ql
query: Security/CWE/CWE-497/ExposedSystemData.ql
postprocess:
- utils/test/PrettyPrintModels.ql
- utils/test/InlineExpectationsTestQuery.ql

46
cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests2.cpp
View File

@@ -47,7 +47,7 @@ int val();
// --- test cases ---
const char *global1 = mysql_get_client_info();
const char *global1 = mysql_get_client_info(); // $ Source
const char *global2 = "abc";
void test7()
@@ -55,15 +55,15 @@ void test7()
int sock = socket(val(), val(), val());
// tests for a strict implementation of CWE-497
std::cout << getenv("HOME"); // BAD: outputs HOME environment variable [NOT DETECTED]
std::cout << "PATH = " << getenv("PATH") << "."; // BAD: outputs PATH environment variable [NOT DETECTED]
std::cout << getenv("HOME"); // $ MISSING: Alert // outputs HOME environment variable
std::cout << "PATH = " << getenv("PATH") << "."; // $ MISSING: Alert // outputs PATH environment variable
std::cout << "PATHPATHPATH"; // GOOD: not system data
// tests for a more pragmatic implementation of CWE-497
send(sock, getenv("HOME"), val(), val()); // BAD
send(sock, getenv("PATH"), val(), val()); // BAD
send(sock, getenv("USERNAME"), val(), val()); // BAD
send(sock, getenv("APP_PASSWORD"), val(), val()); // BAD
send(sock, getenv("HOME"), val(), val()); // $ Alert
send(sock, getenv("PATH"), val(), val()); // $ Alert
send(sock, getenv("USERNAME"), val(), val()); // $ Alert
send(sock, getenv("APP_PASSWORD"), val(), val()); // $ Alert
send(sock, getenv("HARMLESS"), val(), val()); // GOOD: harmless information
send(sock, "HOME", val(), val()); // GOOD: not system data
send(sock, "PATH", val(), val()); // GOOD: not system data
@@ -75,11 +75,11 @@ void test7()
{
char buffer[256];
strcpy(buffer, mysql_get_client_info());
strcpy(buffer, mysql_get_client_info()); // $ Source
send(sock, mysql_get_client_info(), val(), val()); // BAD
send(sock, buffer, val(), val()); // BAD
send(sock, global1, val(), val()); // BAD
send(sock, mysql_get_client_info(), val(), val()); // $ Alert
send(sock, buffer, val(), val()); // $ Alert
send(sock, global1, val(), val()); // $ Alert
send(sock, global2, val(), val()); // GOOD: not system data
}
@@ -88,9 +88,9 @@ void test7()
const char *str1 = "123456";
const char *str2 = "abcdef";
mysql_real_connect(sock, val(), val(), str1, val(), val(), val(), val());
mysql_real_connect(sock, val(), val(), str1, val(), val(), val(), val()); // $ Source
send(sock, str1, val(), val()); // BAD
send(sock, str1, val(), val()); // $ Alert
send(sock, str2, val(), val()); // GOOD: not system data
}
@@ -98,17 +98,17 @@ void test7()
{
passwd *pw;
pw = getpwuid(val());
send(sock, pw->pw_passwd, val(), val()); // BAD
pw = getpwuid(val()); // $ Source
send(sock, pw->pw_passwd, val(), val()); // $ Alert
}
// tests for containers
{
container c1, c2;
c1.ptr = getenv("MY_SECRET_TOKEN");
c1.ptr = getenv("MY_SECRET_TOKEN"); // $ Source
c2.ptr = "";
send(sock, c1.ptr, val(), val()); // BAD
send(sock, c1.ptr, val(), val()); // $ Alert
send(sock, c2.ptr, val(), val()); // GOOD: not system data
}
}
@@ -131,20 +131,20 @@ void test_zmq(void *remoteSocket)
size_t message_len;
// prepare data
message_data = getenv("HOME");
message_data = getenv("HOME"); // $ Source
message_len = strlen(message_data) + 1;
// send as data
if (zmq_send(socket, message_data, message_len, 0) >= 0) { // BAD: outputs HOME environment variable
if (zmq_send(socket, message_data, message_len, 0) >= 0) { // $ Alert: outputs HOME environment variable
// ...
}
// send as message
if (zmq_msg_init_data(&message, message_data, message_len, 0, 0)) {
if (zmq_sendmsg(remoteSocket, &message, message_len)) { // BAD: outputs HOME environment variable
if (zmq_sendmsg(remoteSocket, &message, message_len)) { // $ Alert: outputs HOME environment variable
// ...
}
if (zmq_msg_send(&message, remoteSocket, message_len)) { // BAD: outputs HOME environment variable
if (zmq_msg_send(&message, remoteSocket, message_len)) { // $ Alert: outputs HOME environment variable
// ...
}
}
@@ -152,10 +152,10 @@ void test_zmq(void *remoteSocket)
// send as message (alternative path)
if (zmq_msg_init_size(&message, message_len) == 0) {
memcpy(zmq_msg_data(&message), message_data, message_len);
if (zmq_sendmsg(remoteSocket,&message, message_len)) { // BAD: outputs HOME environment variable
if (zmq_sendmsg(remoteSocket,&message, message_len)) { // $ Alert: outputs HOME environment variable
// ...
}
if (zmq_msg_send(&message, remoteSocket, message_len)) { // BAD: outputs HOME environment variable
if (zmq_msg_send(&message, remoteSocket, message_len)) { // $ Alert: outputs HOME environment variable
// ...
}
}

20
cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests_sockets.cpp
View File

@@ -23,7 +23,7 @@ void test_sockets1()
int sockfd;
sockaddr addr_remote;
char *msg = "Hello, world!";
char *path = getenv("PATH");
char *path = getenv("PATH"); // $ Source
// create socket
sockfd = socket(AF_INET, SOCK_STREAM, 0);
@@ -36,11 +36,11 @@ void test_sockets1()
// send something using 'send'
if (send(sockfd, msg, strlen(msg) + 1, 0) < 0) return; // GOOD
if (send(sockfd, path, strlen(path) + 1, 0) < 0) return; // BAD
if (send(sockfd, path, strlen(path) + 1, 0) < 0) return; // $ Alert
// send something using 'write'
if (write(sockfd, msg, strlen(msg) + 1) < 0) return; // GOOD
if (write(sockfd, path, strlen(path) + 1) < 0) return; // BAD
if (write(sockfd, path, strlen(path) + 1) < 0) return; // $ Alert
// clean up
// ...
@@ -49,9 +49,9 @@ void test_sockets1()
int mksocket()
{
int fd;
fd = socket(AF_INET, SOCK_STREAM, 0);
return fd;
}
@@ -60,7 +60,7 @@ void test_sockets2()
int sockfd;
sockaddr addr_remote;
char *msg = "Hello, world!";
char *path = getenv("PATH");
char *path = getenv("PATH"); // $ Source
// create socket
sockfd = mksocket();
@@ -73,11 +73,11 @@ void test_sockets2()
// send something using 'send'
if (send(sockfd, msg, strlen(msg) + 1, 0) < 0) return; // GOOD
if (send(sockfd, path, strlen(path) + 1, 0) < 0) return; // BAD
if (send(sockfd, path, strlen(path) + 1, 0) < 0) return; // $ Alert
// send something using 'write'
if (write(sockfd, msg, strlen(msg) + 1) < 0) return; // GOOD
if (write(sockfd, path, strlen(path) + 1) < 0) return; // BAD
if (write(sockfd, path, strlen(path) + 1) < 0) return; // $ Alert
// clean up
// ...

8
cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests_sysconf.cpp
View File

@@ -21,7 +21,7 @@ void test_sc_1()
int value = sysconf(_SC_CHILD_MAX);
printf("_SC_CHILD_MAX = %i\n", _SC_CHILD_MAX); // GOOD
printf("_SC_CHILD_MAX = %i\n", value); // BAD [NOT DETECTED]
printf("_SC_CHILD_MAX = %i\n", value); // $ MISSING: Alert
}
void test_sc_2()
@@ -33,9 +33,9 @@ void test_sc_2()
pathbuf = (char *)malloc(n);
if (pathbuf != NULL)
{
confstr(_CS_PATH, pathbuf, n);
confstr(_CS_PATH, pathbuf, n); // $ Source
printf("path: %s", pathbuf); // BAD [NOT DETECTED]
write(get_fd(), pathbuf, strlen(pathbuf)); // BAD
printf("path: %s", pathbuf); // $ MISSING: Alert
write(get_fd(), pathbuf, strlen(pathbuf)); // $ Alert
}
}