hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 17:25:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

C++: Use SideEffectFunction (instead of ArrayFunction) to define DefaultSafeExternalAPIFunction.

Browse Source
This commit is contained in:
Mathias Vorreiter Pedersen
2020-11-26 11:02:47 +01:00
parent c595baf1e3
commit b02ac7f523
2 changed files with 16 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
cpp/ql/src/Security/CWE/CWE-020/SafeExternalAPIFunction.qll
View File

@@ -3,7 +3,7 @@
*/
private import cpp
private import semmle.code.cpp.models.implementations.Pure
private import semmle.code.cpp.models.interfaces.SideEffect
/**
* A `Function` that is considered a "safe" external API from a security perspective.
@@ -13,7 +13,12 @@ abstract class SafeExternalAPIFunction extends Function { }
/** The default set of "safe" external APIs. */
private class DefaultSafeExternalAPIFunction extends SafeExternalAPIFunction {
DefaultSafeExternalAPIFunction() {
this instanceof ArrayFunction and
not this.(ArrayFunction).hasArrayOutput(_)
// If a function does not write to any of its arguments, we consider it safe to
// pass untrusted data to it. This means that string functions such as `strcmp`
// and `strlen`, as well as memory functions such as `memcmp`, are considered safe.
exists(SideEffectFunction model | model = this |
model.hasOnlySpecificWriteSideEffects() and
not model.hasSpecificWriteSideEffect(_, _, _)
)
}
}

11
cpp/ql/src/Security/CWE/CWE-020/ir/SafeExternalAPIFunction.qll
View File

@@ -3,7 +3,7 @@
*/
private import cpp
private import semmle.code.cpp.models.implementations.Pure
private import semmle.code.cpp.models.interfaces.SideEffect
/**
* A `Function` that is considered a "safe" external API from a security perspective.
@@ -13,7 +13,12 @@ abstract class SafeExternalAPIFunction extends Function { }
/** The default set of "safe" external APIs. */
private class DefaultSafeExternalAPIFunction extends SafeExternalAPIFunction {
DefaultSafeExternalAPIFunction() {
this instanceof ArrayFunction and
not this.(ArrayFunction).hasArrayOutput(_)
// If a function does not write to any of its arguments, we consider it safe to
// pass untrusted data to it. This means that string functions such as `strcmp`
// and `strlen`, as well as memory functions such as `memcmp`, are considered safe.
exists(SideEffectFunction model | model = this |
model.hasOnlySpecificWriteSideEffects() and
not model.hasSpecificWriteSideEffect(_, _, _)
)
}
}