update test files, add one more additional flow step for inflate function, fix gzopen additional flow step thanks to @jketema

2026-04-25 00:35:20 +02:00 · 2024-07-30 17:49:34 +02:00
parent 6f8eec2bf9
commit f97b1039cd
4 changed files with 26 additions and 34 deletions
--- a/cpp/ql/src/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs.ql
+++ b/cpp/ql/src/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs.ql
@@ -22,12 +22,13 @@ module DecompressionTaintConfig implements DataFlow::ConfigSig {

  predicate isSink(DataFlow::Node sink) {
    exists(FunctionCall fc, DecompressionFunction f | fc.getTarget() = f |
-      fc.getArgument(f.getArchiveParameterIndex()) = sink.asExpr()
+      fc.getArgument(f.getArchiveParameterIndex()) = sink.asExpr() 
    )
  }

  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    any(DecompressionFlowStep f).isAdditionalFlowStep(node1, node2)
+    any(DecompressionFlowStep f).isAdditionalFlowStep(node1, node2) or
+    nextInAdditionalFlowStep(node1, node2)
  }
 }

--- a/cpp/ql/src/experimental/query-tests/Security/CWE/CWE-409/ZlibGzopen.qll
+++ b/cpp/ql/src/experimental/query-tests/Security/CWE/CWE-409/ZlibGzopen.qll
@@ -37,7 +37,7 @@ class GzGetsFunction extends DecompressionFunction {
 class GzReadFunction extends DecompressionFunction {
  GzReadFunction() { this.hasGlobalName("gzread") }

-  override int getArchiveParameterIndex() { result = 1 }
+  override int getArchiveParameterIndex() { result = 0 }
 }

 /**
@@ -66,7 +66,7 @@ class GzopenFunction extends DecompressionFlowStep {

  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
    exists(FunctionCall fc | fc.getTarget() = this |
-      node1.asExpr() = fc.getArgument(0) and
+      node1.asIndirectExpr() = fc.getArgument(0) and
      node2.asExpr() = fc
    )
  }
--- a/cpp/ql/src/experimental/query-tests/Security/CWE/CWE-409/ZlibInflator.qll
+++ b/cpp/ql/src/experimental/query-tests/Security/CWE/CWE-409/ZlibInflator.qll
@@ -10,12 +10,27 @@ import DecompressionBomb
 /**
 * The `inflate` and `inflateSync` functions are used in flow sink.
 *
- * `inflate(z_streamp strm, int flush)`
+ * `inflate(z_stream strm, int flush)`
 *
- * `inflateSync(z_streamp strm)`
+ * `inflateSync(z_stream strm)`
 */
 class InflateFunction extends DecompressionFunction {
  InflateFunction() { this.hasGlobalName(["inflate", "inflateSync"]) }

  override int getArchiveParameterIndex() { result = 0 }
 }
+
+/**
+ * The `next_in` member of a `z_stream` variable is used in flow steps.
+ */
+predicate nextInAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+  exists(Variable nextInVar, VariableAccess zStreamAccess |
+    nextInVar.getDeclaringType().hasName("z_stream") and
+    nextInVar.hasName("next_in") and
+    zStreamAccess.getType().hasName("z_stream")
+  |
+    nextInVar.getAnAccess().getQualifier().(VariableAccess).getTarget() = zStreamAccess.getTarget() and
+    node1.asIndirectExpr() = nextInVar.getAnAssignedValue() and
+    node2.asExpr() = zStreamAccess
+  )
+}