From e0798b29da1e2c87d77e1e19169a9c5d01eebdb3 Mon Sep 17 00:00:00 2001
From: amammad
Date: Tue, 4 Jul 2023 18:28:00 +1000
Subject: [PATCH] stash: change sinks to zip handles and sources to the zip handle initializers

---
 .../DecompressionBombsLibMiniz.ql | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-409-DecompressionBomb/DecompressionBombsLibMiniz.ql b/cpp/ql/src/experimental/Security/CWE/CWE-409-DecompressionBomb/DecompressionBombsLibMiniz.ql
index 9f694b07cdd..e0310704af2 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-409-DecompressionBomb/DecompressionBombsLibMiniz.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-409-DecompressionBomb/DecompressionBombsLibMiniz.ql
@@ -21,6 +21,7 @@ import semmle.code.cpp.security.FlowSources
 private class PointerVar extends VariableAccess {
   PointerVar() { this.getType() instanceof PointerType }
 }
+
 /**
  * A unsigned char Variable is used in Flow source
  */
@@ -56,6 +57,18 @@ private class MzUncompress extends Function {
   MzUncompress() { this.hasGlobalName(["uncompress", "mz_uncompress", "mz_uncompress2"]) }
 }
 
+/**
+ * A `zip handle` is used in Flow source
+ */
+private class MzZip extends Function {
+  MzZip() {
+    this.hasGlobalName([
+      "mz_zip_reader_open", "mz_zip_reader_open_file", "mz_zip_reader_open_file_in_memory",
+      "mz_zip_reader_open_buffer", "mz_zip_reader_entry_open"
+    ])
+  }
+}
+
 /**
  * The `mz_inflate` functions are used in Flow Sink
  */
@@ -138,6 +151,9 @@ module MinizTaintConfig implements DataFlow::StateConfigSig {
     source.asDefiningArgument() =
       any(Call call | call.getTarget() instanceof MzInflateInit).getArgument(0) and
     state = "inflate"
+    or
+    source.asDefiningArgument() = any(Call call | call.getTarget() instanceof MzZip).getArgument(0) and
+    state = ""
   }
 
   predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
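Review bot: The QLDoc on the new `MzZip` class, `A zip handle is used in Flow source`, does not say what the class matches or which argument carries the handle, which is what a reader of `isSource` needs; suggest `/** The functions that open a zip reader handle; their first argument (the handle) is treated as a flow source. */`. The listed names (`mz_zip_reader_open*`, `mz_zip_reader_entry_open`) look like minizip-ng's `mz_zip_rw` API rather than miniz's `mz_zip_reader_init*` family, so please confirm the intended library, since this file is named for Miniz and a mismatch would make the model dead on real miniz code. Note also that `mz_zip_reader_entry_open` operates on an already-opened handle rather than initializing one, so it re-sources the same handle; fine if intended, but worth a word in the comment.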
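Review bot: The new `MzZip` source is tagged `state = ""` while the sibling `MzInflateInit` source uses `state = "inflate"`, so it only reaches a sink if `isSink` accepts the empty state; `isSink` begins at the end of this hunk and its body is not visible here, and the subject line's "change sinks to zip handles" is not part of the visible diff, so please verify the sink side matches. A named state would also be more readable and lets the sink distinguish zip handles from inflate streams: `state = "zip"` here and the matching `state = "zip"` in `isSink`. The added `source.asDefiningArgument() = any(...)...` line is also left unwrapped, unlike the inflate clause just above, which the formatter would split across two lines.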