hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 18:33:16 +01:00
Code Issues Packages Projects Releases Wiki Activity
77,098 Commits 1,671 Branches 157 Tags
66737402c20fc83b3d3a654dcccf4b26c901b100
Commit Graph

3303 Commits

Author SHA1 Message Date
Mathias Vorreiter Pedersen
499ab0892f C++: Currently, to catch flow in an example such as: 
```cpp
char* source();
void sink(const char*);
int sprintf(char *, const char *, ...);

void call_sprintf(char* path, char* data) {
        sprintf(path, "%s", "abc"); // (1)
        sprintf(path, "%s", data); // (2)
}

void foo() {
        char path[10];
        call_sprintf(path, source()); // (3)
        sink(path);
}
```
we identify that the `*path [post update]` node at `// (2)` is a
`ReturnNodeExt` and since `*data` flows to that node flow will be carried
out to `*path [post update]` at // (3) and thus reach `sink(path)`.

The reason `*path [post update]` at `// 2` is recognized as a `ReturnNodeExt`
is because it satisfies the following condition (which is identified by the
shared dataflow library):
There is flow from the parameter node `*path` to the pre-update node of the
post-update node `*path [post update]` at `// (2)`.

However, when we start recognizing that the call to `sprintf(path, ...)` at
`// (1)` overrides the value of `*path` and no longer provide use-use flow out
of `*path` the `*path [post update]` node at `// (2)` is no longer recognized
as a `ReturnNodeExt` (because it doesn't satisfy the above criteria).

Thus, we need to identify the flow above without relying on the dataflow
library's summary mechanism. That is, instead of relying on the dataflow
library's mechanism to summarize the `*data -> *path` flow for `call_sprintf`
we need to:
- Ensure that the write to `*path` at `// (2)` is recognized as the "final"
write to the parameter, and
- Ensure that there's flow out of that parameter and back to
`*path [post update]` at `// (3)`.

Luckiky, we do all of this already to support flow out of writes to parameters
that don't have post-update nodes. For example, in something like:
```cpp
void set(int* x, int y) {
  *x = y;
}

void test() {
  int x;
  set(&x, source());
  sink(x);
}
```
So in order to make the original example work, all we need to do is to remove
the restrictions on this mechanism so that the same mechanism that makes the
above example work also makes the original example work!
 2024-02-16 13:09:45 +01:00
Mathias Vorreiter Pedersen
7e9bf2a880 C++: Add a model for 'partial updating' and extend models appropriately. 2024-02-16 12:56:19 +01:00
Mathias Vorreiter Pedersen
24a63ae94d C++: Block flow by default. 2024-02-16 12:56:19 +01:00
Mathias Vorreiter Pedersen
c19ed4c17e Merge pull request #15626 from MathiasVP/fix-constness-checking 
C++: Don't strip specifiers away in `TFinalParameterUse`
 2024-02-16 10:09:43 +01:00
Jeroen Ketema
da3ff4813f Merge pull request #15612 from jketema/destructors4a 
C++: Support `constexpr if` in the IR
 2024-02-15 17:29:56 +01:00
Mathias Vorreiter Pedersen
532e8dac45 C++: Don't strip specifiers in 'TFinalParameterUse'. 2024-02-15 14:08:12 +01:00
Jeroen Ketema
33413129a5 C++: For unnamed local variable declaration entries consider the name of the variable 2024-02-14 15:03:04 +01:00
Jeroen Ketema
46bc311111 C++: Support constexpr if in the IR 2024-02-14 13:37:56 +01:00
Jeroen Ketema
caf09e0735 C++: Update IR comment that no longer applies 2024-02-13 21:30:58 +01:00
Jeroen Ketema
b3aea0f893 C++: Do not print the qualifier of OverloadedPointerDereferenceExpr twice in PrintAST 2024-02-13 21:29:21 +01:00
Robert Marsh
7e23ccd383 Merge branch 'main' into rdmarsh2/cpp/ir-synthetic-destructors 2024-02-13 15:45:51 +00:00
Robert Marsh
128bc99f90 C++: delete some FIXMEs that turned out fine 2024-02-13 15:34:36 +00:00
Mathias Vorreiter Pedersen
fb4bd53ec5 Revert "Merge pull request #15528 from MathiasVP/flow-barrier-interface" 
This reverts commit c5dc88345d, reversing
changes made to 781486172e.
 2024-02-13 13:42:58 +00:00
Mathias Vorreiter Pedersen
cb7fe16ced Revert "Merge pull request #15537 from MathiasVP/swap-also-clears-first-argument" 
This reverts commit 23677b23c2, reversing
changes made to c5dc88345d.
 2024-02-13 13:42:58 +00:00
Robert Marsh
b9785ea7b2 C++: autoformat 2024-02-13 01:07:41 +00:00
Robert Marsh
f791b0ebbf C++: Model for smart pointer destructors 2024-02-13 01:00:46 +00:00
Robert Marsh
b6cf64cff3 C++: simplify TranslatedBlock::getLastChild 2024-02-13 00:46:53 +00:00
Robert Marsh
7d8872bb99 C++: Fix for multiple for-loop variables with destructors 2024-02-13 00:40:19 +00:00
Robert Marsh
b94c4a6e1b C++: fix for destructor of while-loop condition 2024-02-13 00:13:22 +00:00
Mathias Vorreiter Pedersen
70c7c1a5e7 C++: Add flow from the fill character to the output pointer. 2024-02-12 16:51:16 +00:00
Robert Marsh
d1160f86e1 C++: Autoformat for named destructors in IR 2024-02-09 22:35:12 +00:00
Geoffrey White
8bdb67cc15 C++: Allow member variables to be picked as input nodes. 2024-02-09 14:24:37 +00:00
Mathias Vorreiter Pedersen
4728cf5a12 C++: Allow the 'x' in 'x = source()' to be marked as a sink in MaD. 2024-02-09 14:07:48 +00:00
Mathias Vorreiter Pedersen
3719e10ce8 C++: Add a case for global or namespace variables in 'interpretElement0'. 2024-02-09 13:27:32 +00:00
Mathias Vorreiter Pedersen
52a1d905f1 C++: Qualified import of 'cpp' to make the file compile. 2024-02-09 13:25:17 +00:00
Anders Schack-Mulligen
566351a49a Merge pull request #15549 from aschackmull/dataflow/empty-provenance 
Dataflow: Add empty provenance column to PathGraph.
 2024-02-09 12:58:09 +01:00
Mathias Vorreiter Pedersen
a42c845b32 Merge pull request #15559 from MathiasVP/fix-constness-type 
C++: Don't strip specifiers in `Node.getType`
 2024-02-09 11:00:13 +00:00
Mathias Vorreiter Pedersen
dd3d70134c C++: Undo a change that wasn't actually necessary. 2024-02-09 10:28:24 +00:00
Anders Schack-Mulligen
b7d4a6926f Dataflow: Add empty provenance column to PathGraph. 2024-02-09 11:27:30 +01:00
Mathias Vorreiter Pedersen
f7d1544ccf C++: Fix Code Scanning errors. 2024-02-08 17:01:07 +00:00
Mathias Vorreiter Pedersen
1dfddaf9ab C++: Also mark indirections of glvalue instructions as glvalue nodes. 2024-02-08 16:52:09 +00:00
Mathias Vorreiter Pedersen
4d01a93107 C++: Use 'getUnderlyingType' instead of 'getUnspecifiedType'. 2024-02-08 16:49:15 +00:00
Dave Bartolomeo
92bd550c55 Merge pull request #15531 from github/post-release-prep/codeql-cli-2.16.2 
Post-release preparation for codeql-cli-2.16.2
 2024-02-08 05:58:17 -08:00
Robert Marsh
174966164d Merge branch 'main' into rdmarsh2/cpp/ir-synthetic-destructors 2024-02-07 18:25:12 +00:00
Geoffrey White
a354ab84e9 C++: More robust InterpretNode.asCall. 2024-02-07 18:00:57 +00:00
Geoffrey White
e98485df7f Update cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll 
Co-authored-by: Mathias Vorreiter Pedersen <mathiasvp@github.com>
 2024-02-07 17:53:22 +00:00
Mathias Vorreiter Pedersen
ebefcb8d35 Merge pull request #15513 from microsoft/50-model-gettext-family-of-string-operations 
Added model for gettext variants.
 2024-02-07 15:48:16 +00:00
Mathias Vorreiter Pedersen
0ee3c9987f Merge pull request #15539 from MathiasVP/fix-ir-gen-for-conditional-decl-expr-without-var-access 
C++: Fix IR generation when `ConditionDeclExpr` does not have an immediate `VariableAccess`
 2024-02-07 15:19:16 +00:00
Mathias Vorreiter Pedersen
edc7903c69 C++: Add a predicate for getting the 0'th child of a 'ConditionDeclExpr' without casting it to a 'VariableAccess' and use it in IR generation. 2024-02-07 11:45:13 +00:00
Mathias Vorreiter Pedersen
4b046ad670 C++: Also clear the 0'th argument of 'swap'. 2024-02-07 10:31:18 +00:00
Mathias Vorreiter Pedersen
c5dc88345d Merge pull request #15528 from MathiasVP/flow-barrier-interface 
C++: Add an interface for models to block flow
 2024-02-07 09:58:08 +00:00
github-actions[bot]
b5139078d0 Post-release preparation for codeql-cli-2.16.2 2024-02-06 19:22:35 +00:00
Geoffrey White
f6b412e1c9 C++: Use hasQualifiedName. 2024-02-06 17:48:42 +00:00
Geoffrey White
d1e040e27c C++: Bug fix for subclasses. 2024-02-06 17:45:14 +00:00
Mathias Vorreiter Pedersen
7948911415 C++: Delete dead code. 2024-02-06 17:38:22 +00:00
Geoffrey White
a9b2876b71 C++: Delete commented out code. 2024-02-06 17:34:15 +00:00
Geoffrey White
66d8943c08 C++: Minor bug fix. 2024-02-06 17:20:14 +00:00
Geoffrey White
25200b47ea C++: Implement the namespace field. 2024-02-06 16:35:48 +00:00
Mathias Vorreiter Pedersen
f7fe84adb4 C++: Add change note. 2024-02-06 16:23:59 +00:00
Mathias Vorreiter Pedersen
359b6e14c6 C++: Block flow out of 'swap'. 2024-02-06 16:15:21 +00:00