hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-23 20:26:32 +01:00
Code Issues Packages Projects Releases Wiki Activity

C++: Add a test with an indirect source.

Browse Source
This commit is contained in:
Mathias Vorreiter Pedersen
2023-02-03 16:59:54 +00:00
parent b53963a791
commit ae774a6b95
3 changed files with 32 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected
View File

@@ -105,6 +105,8 @@ postWithInFlow
| test.cpp:542:6:542:6 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:548:25:548:25 | x [inner post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:552:25:552:25 | y [inner post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:562:5:562:13 | globalInt [post update] | PostUpdateNode should not be the target of local flow. |
| test.cpp:576:5:576:13 | globalInt [post update] | PostUpdateNode should not be the target of local flow. |
viableImplInCallContextTooLarge
uniqueParameterNodeAtPosition
uniqueParameterNodePosition

26
cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
View File

@@ -552,3 +552,29 @@ void test_sink_then_source() {
sink_then_source_2(&y, y);
}
}
int* indirect_source();
namespace IndirectFlowThroughGlobals {
int* globalInt;
void taintGlobal() {
globalInt = indirect_source();
}
void f() {
sink(*globalInt); // $ ir=562:17 ir=576:17 // tainted or clean? Not sure.
taintGlobal();
sink(*globalInt); // $ ir=562:17 MISSING: ast=562:17 SPURIOUS: ir=576:17
}
void calledAfterTaint() {
sink(*globalInt); // $ ir=576:17 MISSING: ast=576:17 SPURIOUS: ir=562:17
}
void taintAndCall() {
globalInt = indirect_source();
calledAfterTaint();
sink(*globalInt); // $ ir=576:17 MISSING: ast=576:17 SPURIOUS: ir=562:17
}
}

4
cpp/ql/test/library-tests/dataflow/dataflow-tests/test.ql
View File

@@ -24,6 +24,8 @@ module AstTest {
or
source.asParameter().getName().matches("source%")
or
source.asExpr().(FunctionCall).getTarget().getName() = "indirect_source"
or
source.(DataFlow::DefinitionByReferenceNode).getParameter().getName().matches("ref_source%")
or
// Track uninitialized variables
@@ -67,6 +69,8 @@ module IRTest {
override predicate isSource(DataFlow::Node source) {
source.asExpr().(FunctionCall).getTarget().getName() = "source"
or
source.asIndirectExpr(1).(FunctionCall).getTarget().getName() = "indirect_source"
or
source.asParameter().getName().matches("source%")
or
source.(DataFlow::DefinitionByReferenceNode).getParameter().getName().matches("ref_source%")