hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-22 19:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #11716 from jketema/rewrite-cgi-xss

Browse Source 
C++: Rewrite `cpp/cgi-xss` to not use default taint tracking
This commit is contained in:
Jeroen Ketema
2023-10-09 11:26:14 +02:00
committed by GitHub
parent a1d417d8b6 b6132d2a0f
commit f7bd801e00
2 changed files with 19 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
View File

@@ -13,15 +13,13 @@
import cpp import cpp
import semmle.code.cpp.commons.Environment import semmle.code.cpp.commons.Environment
import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl import semmle.code.cpp.ir.dataflow.TaintTracking
import TaintedWithPath import semmle.code.cpp.ir.IR
import Flow::PathGraph
/** A call that prints its arguments to `stdout`. */ /** A call that prints its arguments to `stdout`. */
class PrintStdoutCall extends FunctionCall { class PrintStdoutCall extends FunctionCall {
PrintStdoutCall() { PrintStdoutCall() { this.getTarget().hasGlobalOrStdName(["puts", "printf"]) }
this.getTarget().hasGlobalOrStdName("puts") or
this.getTarget().hasGlobalOrStdName("printf")
}
} }
/** A read of the QUERY_STRING environment variable */ /** A read of the QUERY_STRING environment variable */
@@ -29,19 +27,23 @@ class QueryString extends EnvironmentRead {
QueryString() { this.getEnvironmentVariable() = "QUERY_STRING" } QueryString() { this.getEnvironmentVariable() = "QUERY_STRING" }
} }
class Configuration extends TaintTrackingConfiguration { module Config implements DataFlow::ConfigSig {
override predicate isSource(Expr source) { source instanceof QueryString } predicate isSource(DataFlow::Node node) { node.asExpr() instanceof QueryString }
override predicate isSink(Element tainted) { predicate isSink(DataFlow::Node node) {
exists(PrintStdoutCall call | call.getAnArgument() = tainted) exists(PrintStdoutCall call | call.getAnArgument() = node.asExpr())
} }
override predicate isBarrier(Expr e) { predicate isBarrier(DataFlow::Node node) {
super.isBarrier(e) or e.getUnspecifiedType() instanceof IntegralType node.asExpr().getUnspecifiedType() instanceof IntegralType
} }
} }
from QueryString query, Element printedArg, PathNode sourceNode, PathNode sinkNode module Flow = TaintTracking::Global<Config>;
where taintedWithPath(query, printedArg, sourceNode, sinkNode)
select printedArg, sourceNode, sinkNode, "Cross-site scripting vulnerability due to $@.", query, from QueryString query, Flow::PathNode sourceNode, Flow::PathNode sinkNode
"this query data" where
Flow::flowPath(sourceNode, sinkNode) and
query = sourceNode.getNode().asExpr()
select sinkNode.getNode(), sourceNode, sinkNode, "Cross-site scripting vulnerability due to $@.",
query, "this query data"

9
cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.expected
View File

@@ -1,26 +1,19 @@
edges edges
| search.c:14:24:14:28 | query | search.c:17:8:17:12 | query | | search.c:14:24:14:28 | query | search.c:17:8:17:12 | query |
| search.c:14:24:14:28 | query | search.c:17:8:17:12 | query |
| search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
| search.c:22:24:22:28 | query | search.c:23:39:23:43 | query | | search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
| search.c:51:21:51:26 | call to getenv | search.c:55:17:55:25 | raw_query | | search.c:51:21:51:26 | call to getenv | search.c:55:17:55:25 | raw_query |
| search.c:51:21:51:26 | call to getenv | search.c:55:17:55:25 | raw_query |
| search.c:51:21:51:26 | call to getenv | search.c:57:17:57:25 | raw_query |
| search.c:51:21:51:26 | call to getenv | search.c:57:17:57:25 | raw_query | | search.c:51:21:51:26 | call to getenv | search.c:57:17:57:25 | raw_query |
| search.c:55:17:55:25 | raw_query | search.c:14:24:14:28 | query | | search.c:55:17:55:25 | raw_query | search.c:14:24:14:28 | query |
| search.c:57:17:57:25 | raw_query | search.c:22:24:22:28 | query | | search.c:57:17:57:25 | raw_query | search.c:22:24:22:28 | query |
subpaths
nodes nodes
| search.c:14:24:14:28 | query | semmle.label | query | | search.c:14:24:14:28 | query | semmle.label | query |
| search.c:17:8:17:12 | query | semmle.label | query | | search.c:17:8:17:12 | query | semmle.label | query |
| search.c:17:8:17:12 | query | semmle.label | query |
| search.c:22:24:22:28 | query | semmle.label | query | | search.c:22:24:22:28 | query | semmle.label | query |
| search.c:23:39:23:43 | query | semmle.label | query | | search.c:23:39:23:43 | query | semmle.label | query |
| search.c:23:39:23:43 | query | semmle.label | query |
| search.c:51:21:51:26 | call to getenv | semmle.label | call to getenv |
| search.c:51:21:51:26 | call to getenv | semmle.label | call to getenv | | search.c:51:21:51:26 | call to getenv | semmle.label | call to getenv |
| search.c:55:17:55:25 | raw_query | semmle.label | raw_query | | search.c:55:17:55:25 | raw_query | semmle.label | raw_query |
| search.c:57:17:57:25 | raw_query | semmle.label | raw_query | | search.c:57:17:57:25 | raw_query | semmle.label | raw_query |
subpaths
#select #select
| search.c:17:8:17:12 | query | search.c:51:21:51:26 | call to getenv | search.c:17:8:17:12 | query | Cross-site scripting vulnerability due to $@. | search.c:51:21:51:26 | call to getenv | this query data | | search.c:17:8:17:12 | query | search.c:51:21:51:26 | call to getenv | search.c:17:8:17:12 | query | Cross-site scripting vulnerability due to $@. | search.c:51:21:51:26 | call to getenv | this query data |
| search.c:23:39:23:43 | query | search.c:51:21:51:26 | call to getenv | search.c:23:39:23:43 | query | Cross-site scripting vulnerability due to $@. | search.c:51:21:51:26 | call to getenv | this query data | | search.c:23:39:23:43 | query | search.c:51:21:51:26 | call to getenv | search.c:23:39:23:43 | query | Cross-site scripting vulnerability due to $@. | search.c:51:21:51:26 | call to getenv | this query data |