hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-25 08:45:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #20066 from MathiasVP/dont-summarize-function-pointer-calls

Browse Source 
C++: Don't wrap calls through function pointers in `FunctionWithWrappers`
This commit is contained in:
Mathias Vorreiter Pedersen
2025-07-16 14:57:14 +01:00
committed by GitHub
parent 200d46f5c7 8b953e4f22
commit a9fb49a2c3
3 changed files with 12 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
cpp/ql/lib/change-notes/2025-07-16-FunctionWithWrappers.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The `FunctionWithWrappers` library (`semmle.code.cpp.security.FunctionWithWrappers`) no longer considers calls through function pointers as wrapper functions.

9
cpp/ql/lib/semmle/code/cpp/security/FunctionWithWrappers.qll
View File

@@ -17,7 +17,6 @@
import cpp
import PrintfLike
private import semmle.code.cpp.ir.dataflow.ResolveCall
bindingset[index]
private string toCause(Function func, int index) {
@@ -37,9 +36,9 @@ private predicate wrapperFunctionStep(
not target.isVirtual() and
not source.isVirtual() and
source.hasDefinition() and
exists(Call call, Expr arg, Parameter sourceParam |
exists(FunctionCall call, Expr arg, Parameter sourceParam |
// there is a 'call' to 'target' with argument 'arg' at index 'targetParamIndex'
target = resolveCall(call) and
target = call.getTarget() and
arg = call.getArgument(targetParamIndex) and
// 'call' is enclosed in 'source'
source = call.getEnclosingFunction() and
@@ -154,8 +153,8 @@ abstract class FunctionWithWrappers extends Function {
* Whether 'arg' is an argument in a call to an outermost wrapper function of 'this' function.
*/
predicate outermostWrapperFunctionCall(Expr arg, string callChain) {
exists(Function targetFunc, Call call, int argIndex |
targetFunc = resolveCall(call) and
exists(Function targetFunc, FunctionCall call, int argIndex |
targetFunc = call.getTarget() and
this.wrapperFunction(targetFunc, argIndex, callChain) and
(
exists(Function sourceFunc | sourceFunc = call.getEnclosingFunction() |

4
cpp/ql/src/change-notes/2025-07-16-FunctionWithWrappers.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Due to changes in the `FunctionWithWrappers` library (`semmle.code.cpp.security.FunctionWithWrappers`) the primary alert location generated by the queries `cpp/path-injection`, `cpp/sql-injection`, `cpp/tainted-format-string`, and `cpp/command-line-injection` may have changed.