C++: rename and add description to hasFlowSource

2025-12-20 10:46:30 +01:00 · 2020-04-20 11:04:41 -07:00
parent e6630a8fba
commit d0bb5ad4e2
4 changed files with 24 additions and 7 deletions
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Fread.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Fread.qll
@@ -13,7 +13,8 @@ class Fread extends AliasFunction, RemoteFlowFunction {

  override predicate parameterIsAlwaysReturned(int n) { none() }

-  override predicate hasFlowSource(FunctionOutput output) {
-    output.isParameterDeref(0)
+  override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
+    output.isParameterDeref(0) and
+    description = "String read by " + this.getName()
  }
 }
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Gets.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Gets.qll
@@ -44,7 +44,8 @@ class GetsFunction extends DataFlowFunction, TaintFunction, ArrayFunction, Alias
    mustWrite = true
  }

-  override predicate hasFlowSource(FunctionOutput output) {
-    output.isParameterDeref(0)
+  override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
+    output.isParameterDeref(0) and
+    description = "String read by " + this.getName()
  }
 }
--- a/cpp/ql/src/semmle/code/cpp/models/interfaces/FlowSource.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/interfaces/FlowSource.qll
@@ -14,5 +14,8 @@ import semmle.code.cpp.models.Models
 * A library function which returns data read from a network connection.
 */
 abstract class RemoteFlowFunction extends Function {
-  abstract predicate hasFlowSource(FunctionOutput output);
+  /**
+   * Holds if remote data described by `description` flows from `output` of a call to this function.
+   */
+  abstract predicate hasRemoteFlowSource(FunctionOutput output, string description);
 }
--- a/cpp/ql/src/semmle/code/cpp/security/FlowSources.qll
+++ b/cpp/ql/src/semmle/code/cpp/security/FlowSources.qll
@@ -9,26 +9,38 @@ import semmle.code.cpp.models.interfaces.FlowSource

 /** A data flow source of remote user input. */
 abstract class RemoteFlowSource extends DataFlow::Node {
+  /** Gets a string that describes the type of this remote flow source. */
+  abstract string getSourceType();
 }

 private class TaintedReturnSource extends RemoteFlowSource {
+  string sourceType;
  TaintedReturnSource() {
    exists(RemoteFlowFunction func, CallInstruction instr, FunctionOutput output |
      asInstruction() = instr and
      instr.getStaticCallTarget() = func and
-      func.hasFlowSource(output) and
+      func.hasRemoteFlowSource(output, sourceType) and
      output.isReturnValue()
    )
  }
+
+  override string getSourceType() {
+    result = sourceType
+  }
 }

 private class TaintedParameterSource extends RemoteFlowSource {
+  string sourceType;
  TaintedParameterSource() {
    exists(RemoteFlowFunction func, WriteSideEffectInstruction instr, FunctionOutput output |
      asInstruction() = instr and
      instr.getPrimaryInstruction().(CallInstruction).getStaticCallTarget() = func and
-      func.hasFlowSource(output) and
+      func.hasRemoteFlowSource(output, sourceType) and
      output.isParameterDeref(instr.getIndex())
    )
  }
+
+  override string getSourceType() {
+    result = sourceType
+  }
 }