hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 03:05:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

C++: Switch back to IR taint.

Browse Source
This commit is contained in:
Geoffrey White
2022-01-26 15:34:26 +00:00
parent e4a3e9ee23
commit d9a2347178
1 changed files with 14 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
View File

@@ -12,31 +12,39 @@
*/
import cpp
import semmle.code.cpp.security.BufferWrite
import semmle.code.cpp.security.BufferWrite as BufferWrite
import semmle.code.cpp.security.SensitiveExprs
import semmle.code.cpp.security.Security
import semmle.code.cpp.dataflow.TaintTracking
import semmle.code.cpp.ir.dataflow.TaintTracking
import DataFlow::PathGraph
Expr exprForNode(DataFlow::Node n) {
n = DataFlow::exprNode(result)
or
// (similar to DefaultTaintTracking's `getNodeForExpr`)
n = DataFlow::definitionByReferenceNodeFromArgument(result) and
not argv(result.(VariableAccess).getTarget())
}
/**
* Taint flow from user input to a buffer write.
*/
class ToBufferConfiguration extends TaintTracking::Configuration {
ToBufferConfiguration() { this = "ToBufferConfiguration" }
override predicate isSource(DataFlow::Node source) { isUserInput(source.asExpr(), _) }
override predicate isSource(DataFlow::Node source) { isUserInput(exprForNode(source), _) }
override predicate isSink(DataFlow::Node sink) {
exists(BufferWrite w | w.getASource() = sink.asExpr())
exists(BufferWrite::BufferWrite w | w.getASource() = sink.asExpr())
}
}
from
ToBufferConfiguration config, BufferWrite w, Expr taintSource, DataFlow::PathNode sourceNode,
ToBufferConfiguration config, BufferWrite::BufferWrite w, Expr taintSource, DataFlow::PathNode sourceNode,
DataFlow::PathNode sinkNode, string taintCause, SensitiveExpr dest
where
config.hasFlowPath(sourceNode, sinkNode) and
taintSource = sourceNode.getNode().asExpr() and
taintSource = exprForNode(sourceNode.getNode()) and
w.getASource() = sinkNode.getNode().asExpr() and
isUserInput(taintSource, taintCause) and
dest = w.getDest()