C++: Model 'gets'.

Geoffrey White
2020-02-13 10:15:20 +00:00
parent 8dcd46f9e7
commit e683f6113d
5 changed files with 50 additions and 0 deletions


@@ -1,6 +1,7 @@
private import implementations.Allocation private import implementations.Allocation
private import implementations.Deallocation private import implementations.Deallocation
private import implementations.Fread private import implementations.Fread
private import implementations.Gets
private import implementations.IdentityFunction private import implementations.IdentityFunction
private import implementations.Inet private import implementations.Inet
private import implementations.Memcpy private import implementations.Memcpy


@@ -0,0 +1,43 @@
import semmle.code.cpp.models.interfaces.DataFlow
import semmle.code.cpp.models.interfaces.Taint
import semmle.code.cpp.models.interfaces.ArrayFunction
import semmle.code.cpp.models.interfaces.Alias
import semmle.code.cpp.models.interfaces.SideEffect
/**
* The standard functions `gets` and `fgets`.
*/
class GetsFunction extends DataFlowFunction, TaintFunction, ArrayFunction, AliasFunction, SideEffectFunction {
GetsFunction() {
exists(string name | name = getName() |
name = "gets" or // gets(str)
name = "fgets" // fgets(str, num, stream)
)
}
override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
input.isParameter(0) and
output.isReturnValue()
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
input.isParameterDeref(2) and
output.isParameterDeref(0)
}
override predicate parameterNeverEscapes(int index) { index = 2 }
override predicate parameterEscapesOnlyViaReturn(int index) { index = 0 }
override predicate parameterIsAlwaysReturned(int index) { index = 0 }
override predicate hasOnlySpecificReadSideEffects() { any() }
override predicate hasOnlySpecificWriteSideEffects() { any() }
override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
i = 0 and
buffer = true and
mustWrite = true
}
}
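Review bot: `GetsFunction` extends `ArrayFunction` but overrides none of its predicates, so the model never states that parameter 0 is an output buffer, nor that `fgets` bounds it by parameter 1 while `gets` has no bound at all. Buffer-size analyses cannot tell the bounded call from the unbounded one without that. I would add `override predicate hasArrayOutput(int bufParam) { bufParam = 0 }` and `override predicate hasArrayWithVariableSize(int bufParam, int countParam) { getName() = "fgets" and bufParam = 0 and countParam = 1 }`, plus a short comment that `gets` is deliberately left with an unknown size. Separately, `mustWrite = true` in `hasSpecificWriteSideEffect` looks too strong, since both functions can return null at end-of-file without storing anything; confirm whether `false` is the safer value here. The `input.isParameterDeref(2)` taint step applies only to `fgets`, which deserves a one-line comment because `gets` has no parameter 2.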


@@ -10,4 +10,6 @@
| test.cpp:68:28:68:33 | call to getenv | test.cpp:71:12:71:15 | copy | AST only | | test.cpp:68:28:68:33 | call to getenv | test.cpp:71:12:71:15 | copy | AST only |
| test.cpp:87:12:87:15 | call to gets | test.cpp:87:2:87:8 | pointer | AST only | | test.cpp:87:12:87:15 | call to gets | test.cpp:87:2:87:8 | pointer | AST only |
| test.cpp:87:17:87:22 | buffer | test.cpp:84:7:84:12 | buffer | AST only | | test.cpp:87:17:87:22 | buffer | test.cpp:84:7:84:12 | buffer | AST only |
| test.cpp:87:17:87:22 | buffer | test.cpp:85:8:85:14 | pointer | IR only |
| test.cpp:87:17:87:22 | buffer | test.cpp:87:12:87:15 | call to gets | IR only |
| test.cpp:87:17:87:22 | buffer | test.cpp:87:17:87:22 | array to pointer conversion | IR only | | test.cpp:87:17:87:22 | buffer | test.cpp:87:17:87:22 | array to pointer conversion | IR only |


@@ -43,5 +43,7 @@
| test.cpp:87:12:87:15 | call to gets | test.cpp:85:8:85:14 | pointer | | | test.cpp:87:12:87:15 | call to gets | test.cpp:85:8:85:14 | pointer | |
| test.cpp:87:12:87:15 | call to gets | test.cpp:87:12:87:15 | call to gets | | | test.cpp:87:12:87:15 | call to gets | test.cpp:87:12:87:15 | call to gets | |
| test.cpp:87:17:87:22 | buffer | test.cpp:80:18:80:18 | s | | | test.cpp:87:17:87:22 | buffer | test.cpp:80:18:80:18 | s | |
| test.cpp:87:17:87:22 | buffer | test.cpp:85:8:85:14 | pointer | |
| test.cpp:87:17:87:22 | buffer | test.cpp:87:12:87:15 | call to gets | |
| test.cpp:87:17:87:22 | buffer | test.cpp:87:17:87:22 | array to pointer conversion | | | test.cpp:87:17:87:22 | buffer | test.cpp:87:17:87:22 | array to pointer conversion | |
| test.cpp:87:17:87:22 | buffer | test.cpp:87:17:87:22 | buffer | | | test.cpp:87:17:87:22 | buffer | test.cpp:87:17:87:22 | buffer | |


@@ -1,5 +1,7 @@
| funcsLocal.c:17:9:17:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:16:8:16:9 | i1 | fread | | funcsLocal.c:17:9:17:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:16:8:16:9 | i1 | fread |
| funcsLocal.c:27:9:27:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:26:8:26:9 | i3 | fgets | | funcsLocal.c:27:9:27:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:26:8:26:9 | i3 | fgets |
| funcsLocal.c:32:9:32:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:31:13:31:17 | call to fgets | fgets | | funcsLocal.c:32:9:32:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:31:13:31:17 | call to fgets | fgets |
| funcsLocal.c:32:9:32:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:31:19:31:21 | i41 | fgets |
| funcsLocal.c:37:9:37:10 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:36:7:36:8 | i5 | gets | | funcsLocal.c:37:9:37:10 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:36:7:36:8 | i5 | gets |
| funcsLocal.c:42:9:42:10 | i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:41:13:41:16 | call to gets | gets | | funcsLocal.c:42:9:42:10 | i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:41:13:41:16 | call to gets | gets |
| funcsLocal.c:42:9:42:10 | i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:41:18:41:20 | i61 | gets |