C++: Fix failing test and accept test cases.

2026-04-25 00:35:20 +02:00 · 2023-11-13 15:57:22 +00:00
parent 834b07e6ad
commit cc6268339b
2 changed files with 31 additions and 4 deletions
--- a/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
@@ -60,9 +60,14 @@ predicate unboundedWriteSource(Expr e, BufferWrite bw) {

 predicate isSource(FS::FlowSource source, string sourceType) { source.getSourceType() = sourceType }

-predicate isSink(DataFlow::Node sink, BufferWrite bw) {
-  unboundedWriteSource(sink.asIndirectExpr(), bw)
-  or
+/**
+ * Holds if `bw` is a `BufferWrite` that reads from `stdin`. In such cases the
+ * sink is the outgoing argument that is written to.
+ *
+ * By factoring these cases out into this predicate we can place an out barrier
+ * on exactly these sinks in `Config`.
+ */
+predicate isSinkFromStdIn(DataFlow::Node sink, BufferWrite bw) {
  // `gets` and `scanf` reads from stdin so there's no real input.
  // The `BufferWrite` library models this as the call itself being
  // the source. In this case we mark the output argument as being
@@ -72,6 +77,12 @@ predicate isSink(DataFlow::Node sink, BufferWrite bw) {
  unboundedWriteSource(sink.asDefiningArgument(), bw)
 }

+predicate isSink(DataFlow::Node sink, BufferWrite bw) {
+  unboundedWriteSource(sink.asIndirectExpr(), bw)
+  or
+  isSinkFromStdIn(sink, bw)
+}
+
 predicate lessThanOrEqual(IRGuardCondition g, Expr e, boolean branch) {
  exists(Operand left |
    g.comparesLt(left, _, _, true, branch) or
@@ -86,7 +97,7 @@ module Config implements DataFlow::ConfigSig {

  predicate isSink(DataFlow::Node sink) { isSink(sink, _) }

-  predicate isBarrierOut(DataFlow::Node node) { isSink(node) }
+  predicate isBarrierOut(DataFlow::Node node) { isSinkFromStdIn(node, _) }

  predicate isBarrier(DataFlow::Node node) {
    // Block flow if the node is guarded by any <, <= or = operations.
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected
@@ -2,15 +2,31 @@ edges
 | main.cpp:6:27:6:30 | argv indirection | main.cpp:10:20:10:23 | argv indirection |
 | main.cpp:10:20:10:23 | argv indirection | tests.cpp:631:32:631:35 | argv indirection |
 | tests.cpp:613:19:613:24 | source indirection | tests.cpp:615:17:615:22 | source indirection |
+| tests.cpp:622:19:622:24 | source indirection | tests.cpp:625:2:625:16 | ... = ... indirection |
+| tests.cpp:625:2:625:16 | ... = ... indirection | tests.cpp:625:4:625:7 | s indirection [post update] [home indirection] |
+| tests.cpp:625:4:625:7 | s indirection [post update] [home indirection] | tests.cpp:628:14:628:14 | s indirection [home indirection] |
+| tests.cpp:628:14:628:14 | s indirection [home indirection] | tests.cpp:628:14:628:19 | home indirection |
+| tests.cpp:628:14:628:14 | s indirection [home indirection] | tests.cpp:628:16:628:19 | home indirection |
+| tests.cpp:628:16:628:19 | home indirection | tests.cpp:628:14:628:19 | home indirection |
 | tests.cpp:631:32:631:35 | argv indirection | tests.cpp:656:9:656:15 | access to array indirection |
+| tests.cpp:631:32:631:35 | argv indirection | tests.cpp:657:9:657:15 | access to array indirection |
 | tests.cpp:656:9:656:15 | access to array indirection | tests.cpp:613:19:613:24 | source indirection |
+| tests.cpp:657:9:657:15 | access to array indirection | tests.cpp:622:19:622:24 | source indirection |
 nodes
 | main.cpp:6:27:6:30 | argv indirection | semmle.label | argv indirection |
 | main.cpp:10:20:10:23 | argv indirection | semmle.label | argv indirection |
 | tests.cpp:613:19:613:24 | source indirection | semmle.label | source indirection |
 | tests.cpp:615:17:615:22 | source indirection | semmle.label | source indirection |
+| tests.cpp:622:19:622:24 | source indirection | semmle.label | source indirection |
+| tests.cpp:625:2:625:16 | ... = ... indirection | semmle.label | ... = ... indirection |
+| tests.cpp:625:4:625:7 | s indirection [post update] [home indirection] | semmle.label | s indirection [post update] [home indirection] |
+| tests.cpp:628:14:628:14 | s indirection [home indirection] | semmle.label | s indirection [home indirection] |
+| tests.cpp:628:14:628:19 | home indirection | semmle.label | home indirection |
+| tests.cpp:628:16:628:19 | home indirection | semmle.label | home indirection |
 | tests.cpp:631:32:631:35 | argv indirection | semmle.label | argv indirection |
 | tests.cpp:656:9:656:15 | access to array indirection | semmle.label | access to array indirection |
+| tests.cpp:657:9:657:15 | access to array indirection | semmle.label | access to array indirection |
 subpaths
 #select
 | tests.cpp:615:2:615:7 | call to strcpy | main.cpp:6:27:6:30 | argv indirection | tests.cpp:615:17:615:22 | source indirection | This 'call to strcpy' with input from $@ may overflow the destination. | main.cpp:6:27:6:30 | argv indirection | a command-line argument |
+| tests.cpp:628:2:628:7 | call to strcpy | main.cpp:6:27:6:30 | argv indirection | tests.cpp:628:14:628:19 | home indirection | This 'call to strcpy' with input from $@ may overflow the destination. | main.cpp:6:27:6:30 | argv indirection | a command-line argument |