Merge pull request #3479 from geoffw0/fp2762

C++: Allow equality to block taint (security taint tracking)
2026-04-30 11:15:13 +02:00 · 2020-05-25 15:11:10 +02:00
parent 3d58e6f7af 9babd5dc10
commit bc09720704
6 changed files with 156 additions and 2 deletions
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
@@ -68,6 +68,26 @@ edges
 | test.cpp:227:24:227:37 | (const char *)... | test.cpp:237:10:237:19 | (size_t)... |
 | test.cpp:235:11:235:20 | (size_t)... | test.cpp:214:23:214:23 | s |
 | test.cpp:237:10:237:19 | (size_t)... | test.cpp:220:21:220:21 | s |
+| test.cpp:241:2:241:32 | Chi | test.cpp:279:17:279:20 | get_size output argument |
+| test.cpp:241:2:241:32 | Chi | test.cpp:295:18:295:21 | get_size output argument |
+| test.cpp:241:18:241:23 | call to getenv | test.cpp:241:2:241:32 | Chi |
+| test.cpp:241:18:241:31 | (const char *)... | test.cpp:241:2:241:32 | Chi |
+| test.cpp:249:20:249:25 | call to getenv | test.cpp:253:11:253:29 | ... * ... |
+| test.cpp:249:20:249:25 | call to getenv | test.cpp:253:11:253:29 | ... * ... |
+| test.cpp:249:20:249:33 | (const char *)... | test.cpp:253:11:253:29 | ... * ... |
+| test.cpp:249:20:249:33 | (const char *)... | test.cpp:253:11:253:29 | ... * ... |
+| test.cpp:279:17:279:20 | get_size output argument | test.cpp:281:11:281:28 | ... * ... |
+| test.cpp:279:17:279:20 | get_size output argument | test.cpp:281:11:281:28 | ... * ... |
+| test.cpp:295:18:295:21 | get_size output argument | test.cpp:298:10:298:27 | ... * ... |
+| test.cpp:295:18:295:21 | get_size output argument | test.cpp:298:10:298:27 | ... * ... |
+| test.cpp:301:19:301:24 | call to getenv | test.cpp:305:11:305:28 | ... * ... |
+| test.cpp:301:19:301:24 | call to getenv | test.cpp:305:11:305:28 | ... * ... |
+| test.cpp:301:19:301:32 | (const char *)... | test.cpp:305:11:305:28 | ... * ... |
+| test.cpp:301:19:301:32 | (const char *)... | test.cpp:305:11:305:28 | ... * ... |
+| test.cpp:309:19:309:24 | call to getenv | test.cpp:314:10:314:27 | ... * ... |
+| test.cpp:309:19:309:24 | call to getenv | test.cpp:314:10:314:27 | ... * ... |
+| test.cpp:309:19:309:32 | (const char *)... | test.cpp:314:10:314:27 | ... * ... |
+| test.cpp:309:19:309:32 | (const char *)... | test.cpp:314:10:314:27 | ... * ... |
 nodes
 | field_conflation.c:12:22:12:27 | call to getenv | semmle.label | call to getenv |
 | field_conflation.c:12:22:12:34 | (const char *)... | semmle.label | (const char *)... |
@@ -140,6 +160,32 @@ nodes
 | test.cpp:231:9:231:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
 | test.cpp:235:11:235:20 | (size_t)... | semmle.label | (size_t)... |
 | test.cpp:237:10:237:19 | (size_t)... | semmle.label | (size_t)... |
+| test.cpp:241:2:241:32 | Chi | semmle.label | Chi |
+| test.cpp:241:18:241:23 | call to getenv | semmle.label | call to getenv |
+| test.cpp:241:18:241:31 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:249:20:249:25 | call to getenv | semmle.label | call to getenv |
+| test.cpp:249:20:249:33 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:253:11:253:29 | ... * ... | semmle.label | ... * ... |
+| test.cpp:253:11:253:29 | ... * ... | semmle.label | ... * ... |
+| test.cpp:253:11:253:29 | ... * ... | semmle.label | ... * ... |
+| test.cpp:279:17:279:20 | get_size output argument | semmle.label | get_size output argument |
+| test.cpp:281:11:281:28 | ... * ... | semmle.label | ... * ... |
+| test.cpp:281:11:281:28 | ... * ... | semmle.label | ... * ... |
+| test.cpp:281:11:281:28 | ... * ... | semmle.label | ... * ... |
+| test.cpp:295:18:295:21 | get_size output argument | semmle.label | get_size output argument |
+| test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
+| test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
+| test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
+| test.cpp:301:19:301:24 | call to getenv | semmle.label | call to getenv |
+| test.cpp:301:19:301:32 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:305:11:305:28 | ... * ... | semmle.label | ... * ... |
+| test.cpp:305:11:305:28 | ... * ... | semmle.label | ... * ... |
+| test.cpp:305:11:305:28 | ... * ... | semmle.label | ... * ... |
+| test.cpp:309:19:309:24 | call to getenv | semmle.label | call to getenv |
+| test.cpp:309:19:309:32 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:314:10:314:27 | ... * ... | semmle.label | ... * ... |
+| test.cpp:314:10:314:27 | ... * ... | semmle.label | ... * ... |
+| test.cpp:314:10:314:27 | ... * ... | semmle.label | ... * ... |
 #select
 | field_conflation.c:20:3:20:8 | call to malloc | field_conflation.c:12:22:12:27 | call to getenv | field_conflation.c:20:13:20:13 | x | This allocation size is derived from $@ and might overflow | field_conflation.c:12:22:12:27 | call to getenv | user input (getenv) |
 | test.cpp:42:31:42:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
@@ -155,3 +201,8 @@ nodes
 | test.cpp:221:14:221:19 | call to malloc | test.cpp:227:24:227:29 | call to getenv | test.cpp:221:21:221:21 | s | This allocation size is derived from $@ and might overflow | test.cpp:227:24:227:29 | call to getenv | user input (getenv) |
 | test.cpp:229:2:229:7 | call to malloc | test.cpp:227:24:227:29 | call to getenv | test.cpp:229:9:229:18 | local_size | This allocation size is derived from $@ and might overflow | test.cpp:227:24:227:29 | call to getenv | user input (getenv) |
 | test.cpp:231:2:231:7 | call to malloc | test.cpp:201:14:201:19 | call to getenv | test.cpp:231:9:231:24 | call to get_tainted_size | This allocation size is derived from $@ and might overflow | test.cpp:201:14:201:19 | call to getenv | user input (getenv) |
+| test.cpp:253:4:253:9 | call to malloc | test.cpp:249:20:249:25 | call to getenv | test.cpp:253:11:253:29 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:249:20:249:25 | call to getenv | user input (getenv) |
+| test.cpp:281:4:281:9 | call to malloc | test.cpp:241:18:241:23 | call to getenv | test.cpp:281:11:281:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:241:18:241:23 | call to getenv | user input (getenv) |
+| test.cpp:298:3:298:8 | call to malloc | test.cpp:241:18:241:23 | call to getenv | test.cpp:298:10:298:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:241:18:241:23 | call to getenv | user input (getenv) |
+| test.cpp:305:4:305:9 | call to malloc | test.cpp:301:19:301:24 | call to getenv | test.cpp:305:11:305:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:301:19:301:24 | call to getenv | user input (getenv) |
+| test.cpp:314:3:314:8 | call to malloc | test.cpp:309:19:309:24 | call to getenv | test.cpp:314:10:314:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:309:19:309:24 | call to getenv | user input (getenv) |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp
@@ -236,3 +236,81 @@ void more_cases() {
 	my_func(100); // GOOD
 	my_func(local_size); // GOOD
 }
+
+bool get_size(int &out_size) {
+	out_size = atoi(getenv("USER"));
+	
+	return true;
+}
+
+void equality_cases() {
+	{
+		int size1 = atoi(getenv("USER"));
+		int size2 = atoi(getenv("USER"));
+
+		if (size1 == 100)
+		{
+			malloc(size2 * sizeof(int)); // BAD
+		}
+		if (size2 == 100)
+		{
+			malloc(size2 * sizeof(int)); // GOOD
+		}
+	}
+	{
+		int size = atoi(getenv("USER"));
+
+		if (size != 100)
+			return;
+
+		malloc(size * sizeof(int)); // GOOD
+	}
+	{
+		int size;
+
+		if ((get_size(size)) && (size == 100))
+		{
+			malloc(size * sizeof(int)); // GOOD
+		}
+	}
+	{
+		int size;
+
+		if ((get_size(size)) && (size != 100))
+		{
+			malloc(size * sizeof(int)); // BAD
+		}
+	}
+	{
+		int size;
+
+		if ((!get_size(size)) || (size != 100))
+			return;
+
+		malloc(size * sizeof(int)); // GOOD
+	}
+	{
+		int size;
+
+		if ((!get_size(size)) || (size == 100))
+			return;
+
+		malloc(size * sizeof(int)); // BAD
+	}
+	{
+		int size = atoi(getenv("USER"));
+
+		if ((size == 50) || (size == 100))
+		{
+			malloc(size * sizeof(int)); // GOOD [FALSE POSITIVE]
+		}
+	}
+	{
+		int size = atoi(getenv("USER"));
+
+		if (size != 50 && size != 100)
+			return;
+
+		malloc(size * sizeof(int)); // GOOD [FALSE POSITIVE]
+	}
+}
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/ArithmeticWithExtremeValues.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/ArithmeticWithExtremeValues.expected
@@ -5,5 +5,4 @@
 | test.c:63:3:63:5 | sc8 | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:62:9:62:16 | - ... | Extreme value |
 | test.c:75:3:75:5 | sc1 | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:74:9:74:16 | 127 | Extreme value |
 | test.c:76:3:76:5 | sc1 | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:74:9:74:16 | 127 | Extreme value |
-| test.c:114:9:114:9 | x | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:108:17:108:23 | 2147483647 | Extreme value |
 | test.c:124:9:124:9 | x | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:118:17:118:23 | 2147483647 | Extreme value |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/test.c
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/test.c
@@ -111,7 +111,7 @@ void test_guards3(int cond) {

 	if (x != 0) return;

-	return x + 1; // GOOD [FALSE POSITIVE]
+	return x + 1; // GOOD
 }

 void test_guards4(int cond) {