C++: Fix the FP.

Geoffrey White
2022-02-24 10:16:00 +00:00
parent 326dfa5bc2
commit c16302be13
3 changed files with 7 additions and 7 deletions


@@ -57,7 +57,12 @@ class HttpStringToUrlOpenConfig extends TaintTracking::Configuration {
override predicate isSource(DataFlow::Node src) {
// Sources are strings containing an HTTP URL not in a private domain.
src.asExpr() instanceof HttpStringLiteral
src.asExpr() instanceof HttpStringLiteral and
// block taint starting at `strstr`, which is likely testing an existing URL, rather than constructing an HTTP URL.
not exists(FunctionCall fc |
fc.getTarget().getName() = ["strstr", "strcasestr"] and
fc.getAnArgument() = src.asExpr()
)
}
override predicate isSink(DataFlow::Node sink) {
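Review bot: The new exclusion in `isSource` drops the literal when it appears at any argument position (`fc.getAnArgument() = src.asExpr()`), but only the needle, the second argument, is purely a test pattern. When the literal is the haystack, `strstr` returns a pointer into that HTTP string, so suppressing it as a source could hide a genuine result; `fc.getArgument(1) = src.asExpr()` keeps the false-positive fix without that gap. The name check `fc.getTarget().getName() = ["strstr", "strcasestr"]` also matches member or namespaced functions that happen to share the name, and `fc.getTarget().hasGlobalOrStdName(["strstr", "strcasestr"])` would be tighter. The enclosing class starts outside the hunk, so any other source restrictions it applies are not visible here.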


@@ -7,8 +7,6 @@ edges
| test.cpp:40:11:40:17 | access to array | test.cpp:11:26:11:28 | url |
| test.cpp:46:18:46:26 | http:// | test.cpp:49:11:49:16 | buffer |
| test.cpp:49:11:49:16 | buffer | test.cpp:11:26:11:28 | url |
| test.cpp:81:21:81:29 | http:// | test.cpp:86:11:86:13 | ptr |
| test.cpp:86:11:86:13 | ptr | test.cpp:11:26:11:28 | url |
nodes
| test.cpp:11:26:11:28 | url | semmle.label | url |
| test.cpp:15:30:15:32 | url | semmle.label | url |
@@ -19,12 +17,9 @@ nodes
| test.cpp:40:11:40:17 | access to array | semmle.label | access to array |
| test.cpp:46:18:46:26 | http:// | semmle.label | http:// |
| test.cpp:49:11:49:16 | buffer | semmle.label | buffer |
| test.cpp:81:21:81:29 | http:// | semmle.label | http:// |
| test.cpp:86:11:86:13 | ptr | semmle.label | ptr |
subpaths
#select
| test.cpp:28:10:28:29 | http://example.com | test.cpp:28:10:28:29 | http://example.com | test.cpp:15:30:15:32 | url | A URL may be constructed with the HTTP protocol. |
| test.cpp:35:23:35:42 | http://example.com | test.cpp:35:23:35:42 | http://example.com | test.cpp:15:30:15:32 | url | A URL may be constructed with the HTTP protocol. |
| test.cpp:36:26:36:45 | http://example.com | test.cpp:36:26:36:45 | http://example.com | test.cpp:15:30:15:32 | url | A URL may be constructed with the HTTP protocol. |
| test.cpp:46:18:46:26 | http:// | test.cpp:46:18:46:26 | http:// | test.cpp:15:30:15:32 | url | A URL may be constructed with the HTTP protocol. |
| test.cpp:81:21:81:29 | http:// | test.cpp:81:21:81:29 | http:// | test.cpp:15:30:15:32 | url | A URL may be constructed with the HTTP protocol. |


@@ -78,7 +78,7 @@ void test3(char *url)
ptr = strstr(url, "https://");
if (!ptr)
{
ptr = strstr(url, "http://"); // GOOD (we are not constructing the URL) [FALSE POSITIVE]
ptr = strstr(url, "http://"); // GOOD (we are not constructing the URL)
}
if (ptr)