Geoffrey White
18890c4a77
C++: Use isAdditionalBarrier in the SqlTainted query.
2021-01-05 11:33:39 +00:00
Geoffrey White
01b204ea30
C++: Add a test case with a tainted integer.
2021-01-04 15:35:18 +00:00
Geoffrey White
7a3f9c7895
C++: Add a test (cleaned up) that was previously in the internal repo.
2021-01-04 15:35:18 +00:00
Mathias Vorreiter Pedersen
77aa9615c0
C++: Accept test changes in paths.
2020-12-22 09:14:55 +01:00
Mathias Vorreiter Pedersen
f5e4725642
C++: Propagate flow from instructions to non-exact operands for arrays and unions, and accept test changes.
2020-12-18 13:54:34 +01:00
Robert Marsh
275d75295c
Merge branch 'main' into rdmarsh/cpp/use-taint-configuration-dtt
...
Fix test conflict
2020-11-12 13:28:10 -08:00
Robert Marsh
04ad94d1cc
C++: model taint from pointers to aliased buffers
2020-11-09 13:52:08 -08:00
Robert Marsh
afbeca0d54
C++: Accept test outputs
2020-11-09 13:24:31 -08:00
Robert Marsh
95ed5465de
C++: improve handling of function arguments in DTT
2020-11-09 13:02:06 -08:00
Robert Marsh
fbe857d1fa
C++: require that other operands be predictable
...
This brings back a constraint that was lost when switching
DefaultTaintTracking to use a TaintTracking::Configuration
2020-11-09 13:00:55 -08:00
Robert Marsh
7d79be71d1
C++: taint tracking conf in DefaultTaintTracking
...
Switch from using additional flow steps with a DataFlow::Configuration
in DefaultTaintTracking to using a TaintTracking::Configuration. This
makes future improvements to TaintTracking::Configuration reflected in
DefaultTaintTracking without further effort. It also removes the
predictability constraint in DefaultTaintTracking, which increases the
number of results, with both new true positives and new false positives.
Those may need to be addressed on a per-query basis.
There are some additional regressions from losing pointer/object
conflation for arguments. Those can be worked around by adding that
conflation to TaintTracking::Configuration until precise indirect
parameter flow is ready.
2020-11-09 13:00:55 -08:00
Mathias Vorreiter Pedersen
3c2fb5a93f
Merge branch 'main' into interleave-op-instr-field-flow
2020-11-09 09:58:19 +01:00
Mathias Vorreiter Pedersen
177f94368e
C++: Respond to review comments and accept test changes.
2020-10-30 15:59:39 +01:00
Mathias Vorreiter Pedersen
f3f9a044e0
C++: Accept more tests.
2020-10-29 13:55:45 +01:00
Dave Bartolomeo
5a6cd4aca9
Fix test expectations for new nodes and edges in path queries
2020-10-28 14:47:42 -04:00
Geoffrey White
a372578571
C++: Move the SizeCheck*.ql tests to the standard location.
2020-10-20 16:02:54 +01:00
Mathias Vorreiter Pedersen
e95aefe0b2
C++: Now that PrimaryArgumentNode is an OperandNode, we want a specialized toString on it
2020-10-05 15:13:33 +02:00
Mathias Vorreiter Pedersen
d162c3d8c6
C++: Accept more test changes
2020-10-05 14:29:57 +02:00
Mathias Vorreiter Pedersen
072e1967c1
C++: Accept more tests
2020-10-02 15:51:29 +02:00
Mathias Vorreiter Pedersen
73cd5ceb80
C++: Accept tests. Due to the removal of overlap between the reads steps there are fewer repeated edges in path explanations.
2020-09-21 14:17:49 +02:00
Jonas Jensen
c67605f15c
Merge pull request #4230 from MathiasVP/mathiasvp/array-field-flow
...
C++: Replace `field -> object` taint rule with `ArrayContent` dataflow
2020-09-18 10:56:51 +02:00
Mathias Vorreiter Pedersen
3520b86771
C++: Accept test changes.
2020-09-16 14:51:11 +02:00
Mathias Vorreiter Pedersen
7b456d6162
Merge branch 'main' into mathiasvp/array-field-flow
2020-09-16 10:45:31 +02:00
Mathias Vorreiter Pedersen
3005f252ca
C++: Fix annotation
2020-09-15 13:34:50 +02:00
Mathias Vorreiter Pedersen
0ba72c6685
C++: Accept changes.
2020-09-15 12:49:22 +02:00
Geoffrey White
6ca9c449af
C++: Add a test demonstrating the recent regression.
2020-09-14 17:55:20 +01:00
Geoffrey White
22097a9e13
C++: Add some CWE-190 tests I had lying around.
2020-09-14 14:39:02 +01:00
Mathias Vorreiter Pedersen
9659afdf09
C++: Accept more test changes
2020-09-08 22:25:33 +02:00
Jonas Jensen
fd0937eb01
C++: Accept improved IntegerOverflowTainted test
2020-08-18 16:47:29 +02:00
Mathias Vorreiter Pedersen
edc33b6516
C++: Add getOutputParameterIndex override to UserDefinedFormattingFunction and accept test changes
2020-07-15 14:46:08 +02:00
Mathias Vorreiter Pedersen
d711c22cd2
C++: Add testcase demonstrating lost query results
2020-07-15 14:42:45 +02:00
Geoffrey White
91b9b78c48
C++: Add a test case for CWE-114 involving pointers and references.
2020-06-10 14:09:46 +01:00
Jonas Jensen
ad292d8fb6
C++: Accept one more test change from last commit
2020-06-03 14:51:05 +02:00
Jonas Jensen
5f0d283212
Merge remote-tracking branch 'upstream/master' into dataflow-indirect-args
...
The conflicts came from how `this` is now a parameter but not a
`Parameter` on `master`.
Conflicts:
	cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
	cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/defaulttainttracking.cpp
	cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/tainted.expected
	cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/test_diff.expected
	cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected
	cpp/ql/test/library-tests/dataflow/fields/ir-flow.expected
	cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected
2020-06-02 15:35:02 +02:00
Mathias Vorreiter Pedersen
bd97fe627c
Merge branch 'master' into remove-field-conflation-from-ir-fieldflow
2020-05-27 17:08:19 +02:00
Jonas Jensen
bc09720704
Merge pull request #3479 from geoffw0/fp2762
...
C++: Allow equality to block taint (security taint tracking)
2020-05-25 15:11:10 +02:00
Mathias Vorreiter Pedersen
617ef32464
C++: Remove [FALSE POSITIVE] annotations
2020-05-21 02:22:57 +02:00
Mathias Vorreiter Pedersen
3c167125e5
C++: Accept test output
2020-05-20 18:18:34 +02:00
Geoffrey White
9babd5dc10
C++: Another positive effect of the change.
2020-05-20 12:49:01 +01:00
Jonas Jensen
486f06ab18
C++: Simplify field conflation test
...
It turned out the `memcpy` step was not even necessary.
2020-05-19 14:12:11 +02:00
Geoffrey White
edd09f09cd
C++: Add test cases where several specific values are permitted.
2020-05-15 17:01:23 +01:00
Geoffrey White
48f3db3fbe
Merge branch 'master' into fp2762
2020-05-15 09:55:30 +01:00
Geoffrey White
4a6021fb61
C++: Allow equality checking to block taint flow.
2020-05-14 18:32:38 +01:00
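The two ideas these commits touch (writing DefaultTaintTracking directly as a `TaintTracking::Configuration`, and letting an equality check block taint) can be illustrated with a small stand-alone query. The following is an added example written for this page; it is not the DefaultTaintTracking implementation from the CodeQL repository, and the source/sink function names `read_untrusted` and `run_query` are hypothetical. It uses the public C++ IR taint-tracking API of the 2020-era library (class-based configurations) and the `GuardCondition.ensuresEq` predicate from the Guards library: a variable access is treated as sanitized in any basic block where a guard has established that the variable equals a compile-time constant, which is the single-value case of what the commit describes (the later "several specific values are permitted" test cases are not covered here).

```ql
/**
 * Added example, not code from the CodeQL repository: a TaintTracking::Configuration
 * in which an equality check against a constant blocks taint.
 *
 * Source and sink names are hypothetical placeholders for this illustration.
 */
import cpp
import semmle.code.cpp.ir.dataflow.DataFlow
import semmle.code.cpp.ir.dataflow.TaintTracking
import semmle.code.cpp.controlflow.Guards
import DataFlow::PathGraph

/** Holds if `n` is the return value of a call to the hypothetical `read_untrusted()`. */
predicate isUntrustedSource(DataFlow::Node n) {
  n.asExpr().(FunctionCall).getTarget().hasGlobalName("read_untrusted")
}

/** Holds if `n` is the first argument of a call to the hypothetical `run_query()`. */
predicate isQuerySink(DataFlow::Node n) {
  exists(FunctionCall c |
    c.getTarget().hasGlobalName("run_query") and
    n.asExpr() = c.getArgument(0)
  )
}

/**
 * Holds if `va` reads a variable inside a basic block where some guard
 * condition (for example `if (x == 42)`) ensures that the variable is
 * equal to a constant. In that block the value is one of a known set,
 * so continuing to treat it as tainted only produces false positives.
 */
predicate equalityGuarded(VariableAccess va) {
  exists(GuardCondition guard, VariableAccess checked, Expr constant |
    checked.getTarget() = va.getTarget() and
    constant.isConstant() and
    // ensuresEq(left, right, k, block, areEqual): in `block`, left == right + k
    guard.ensuresEq(checked, constant, 0, va.getBasicBlock(), true)
  )
}

class EqualityBarrierConfig extends TaintTracking::Configuration {
  EqualityBarrierConfig() { this = "EqualityBarrierConfig" }

  override predicate isSource(DataFlow::Node source) { isUntrustedSource(source) }

  override predicate isSink(DataFlow::Node sink) { isQuerySink(sink) }

  // The equality guard acts as a sanitizer: flow does not continue
  // through a variable access that is known to equal a constant.
  override predicate isSanitizer(DataFlow::Node node) { equalityGuarded(node.asExpr()) }
}

from EqualityBarrierConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
  "Untrusted value reaches run_query() without being constrained by an equality check."
```

With this configuration, `int x = read_untrusted(); if (x == 42) run_query(x);` produces no result, because the access to `x` inside the `if` body is sanitized, while `run_query(x)` outside such a guard is still reported. Note that the sanitizer is per basic block: a comparison that merely occurs somewhere in the function without dominating the sink does not block the flow.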
Jonas Jensen
a380dc113f
C++: Test field conflation with array in struct
2020-05-14 16:29:39 +02:00
Geoffrey White
754d7f0be8
C++: More test cases for TaintedAllocationSize.
2020-05-14 15:23:31 +01:00
Jonas Jensen
1018eaff09
Merge remote-tracking branch 'upstream/master' into dataflow-indirect-args
...
Conflicts:
	cpp/ql/test/library-tests/dataflow/fields/ir-flow.expected
2020-05-13 12:05:58 +02:00
Jonas Jensen
3a89f43cd6
Merge remote-tracking branch 'upstream/master' into dataflow-indirect-args
...
Conflicts:
	cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
	cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
	cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/defaulttainttracking.cpp
	cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/tainted.expected
	cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/test_diff.expected
	cpp/ql/test/library-tests/dataflow/dataflow-tests/test_ir.expected
2020-05-11 14:44:17 +02:00
Jonas Jensen
bebd5ae36b
C++: Call qualifiers are passed by reference
...
After #3382 changed the escape analysis to model qualifiers as escaping,
there was an imbalance in the SSA library, where `addressTakenVariable`
excludes variables from SSA analysis if they have their address taken
but are _not_ passed by reference. This showed up as a missing result in
`TOCTOUFilesystemRace.ql`, demonstrated with a test case in #3432.
This commit changes the definition of "pass by reference" to include
call qualifiers, which allows SSA modeling of variables that have member
function calls on them.
2020-05-11 09:39:48 +02:00
Geoffrey White
bff97d9fe5
C++: Effect of #3382.
2020-05-07 19:06:05 +01:00
Geoffrey White
6499197087
C++: Add a test of TOCTOUFilesystemRace.ql.
2020-05-07 19:03:32 +01:00