C++: Repair 'cpp/non-constant-format' in preparation for IR-based use-use dataflow.

This commit is contained in:
Mathias Vorreiter Pedersen
2022-10-14 15:26:25 +02:00
parent 134cc6291c
commit e7b0536896
2 changed files with 42 additions and 11 deletions


@@ -55,14 +55,20 @@ predicate underscoreMacro(Expr e) {
/**
* Holds if `t` cannot hold a character array, directly or indirectly.
*/
predicate cannotContainString(Type t) {
t.getUnspecifiedType() instanceof BuiltInType
or
t.getUnspecifiedType() instanceof IntegralOrEnumType
predicate cannotContainString(Type t, boolean isIndirect) {
isIndirect = false and
(
t.getUnspecifiedType() instanceof BuiltInType or
t.getUnspecifiedType() instanceof IntegralOrEnumType
)
}
predicate isNonConst(DataFlow::Node node) {
exists(Expr e | e = node.asExpr() |
predicate isNonConst(DataFlow::Node node, boolean isIndirect) {
exists(Expr e |
e = node.asExpr() and isIndirect = false
or
e = node.asIndirectExpr() and isIndirect = true
|
exists(FunctionCall fc | fc = e |
not (
whitelistFunction(fc.getTarget(), _) or
@@ -106,22 +112,28 @@ predicate isNonConst(DataFlow::Node node) {
)
)
or
node instanceof DataFlow::DefinitionByReferenceNode
node instanceof DataFlow::DefinitionByReferenceNode and
isIndirect = true
}
pragma[noinline]
predicate isSanitizerNode(DataFlow::Node node) {
underscoreMacro(node.asExpr())
or
cannotContainString(node.getType())
not exists(node.asIndirectExpr()) and
not exists(node.asDefiningArgument()) and
cannotContainString(node.getType(), false)
}
class NonConstFlow extends TaintTracking::Configuration {
NonConstFlow() { this = "NonConstFlow" }
override predicate isSource(DataFlow::Node source) {
isNonConst(source) and
not cannotContainString(source.getType())
exists(boolean isIndirect, Type t |
isNonConst(source, isIndirect) and
t = source.getType() and
not cannotContainString(t, isIndirect)
)
}
override predicate isSink(DataFlow::Node sink) {
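Review bot: The QLDoc above `cannotContainString` in the first hunk still says `t` cannot hold a character array "directly or indirectly", but the new body starts with `isIndirect = false and`, so the predicate never holds for an indirect node and the comment no longer describes the new column. I would reword it to `Holds if `t` cannot hold a character array. Only holds for `isIndirect = false`; nodes for which `isIndirect = true` are never excluded by their type.` The new `isIndirect` parameter of `isNonConst` deserves the same treatment, e.g. `isIndirect` is `true` exactly for `asIndirectExpr()` nodes and `DefinitionByReferenceNode`s, `false` for `asExpr()` nodes; note that `isNonConst`'s body starts in the first hunk and continues into the second. In `isSanitizerNode` the added `not exists(node.asIndirectExpr())` / `not exists(node.asDefiningArgument())` guards presumably exist because the type of an indirect node is not what `cannotContainString(_, false)` reasons about, but that intent is not stated anywhere; a one-line comment on those two lines would save the next reader from re-deriving it.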


@@ -1 +1,20 @@
Timeout (5m0s) in DataFlowUtil#47741e1f::simpleLocalFlowStep#2#ff
| NonConstantFormat.c:30:10:30:16 | access to array | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| NonConstantFormat.c:41:9:41:27 | call to any_random_function | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| nested.cpp:21:23:21:26 | fmt0 | The format string argument to snprintf should be constant to prevent security issues and other potential errors. |
| nested.cpp:79:32:79:38 | call to get_fmt | The format string argument to diagnostic should be constant to prevent security issues and other potential errors. |
| nested.cpp:87:18:87:20 | fmt | The format string argument to diagnostic should be constant to prevent security issues and other potential errors. |
| test.cpp:56:12:56:16 | hello | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:59:12:59:21 | call to const_wash | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:60:12:60:26 | ... + ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:61:12:61:17 | + ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:62:12:62:18 | * ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:63:12:63:18 | & ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:64:12:64:39 | ... + ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:66:10:66:35 | ... + ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:69:12:69:20 | ... + ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:81:12:81:16 | hello | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:92:12:92:18 | ++ ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:99:12:99:16 | hello | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:109:12:109:24 | new[] | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:114:12:114:16 | hello | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:129:20:129:26 | access to array | The format string argument to sprintf should be constant to prevent security issues and other potential errors. |