hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity
50,611 Commits 1,673 Branches 157 Tags
ea4c2e432100cb15e4ad5448d02c36153a6f9f95
Commit Graph

84 Commits

Author SHA1 Message Date
Jonas Jensen
76e194c8be C++: Fix struct field conflation in IR data flow 
The virtual-dispatch code for globals was missing any relationship
between the union field access and the global variable, which meant it
propagated function-pointer flow between any two fields of a global
struct. This resulted in false positives from
`cpp/tainted-format-string` on projects using SDL, such as
WohlSoft/PGE-Project.

In addition to fixing that bug, this commit also brings the code up to
date with the new style of modeling flow through global variables:
`DataFlow::Node.asVariable()`.
 2020-05-18 16:24:22 +02:00
Jonas Jensen
f2402c5abb C++: Test virtual dispatch field conflation 
This test demonstrates that IR data flow conflates unrelated fields of a
global struct-typed variable and that this bug is not present in the old
AST-based implementation of `semmle.code.cpp.security.TaintTracking`.
 2020-05-18 15:37:22 +02:00
Jonas Jensen
cc00f0f584 C++: Move identical declarations to shared.h file 
This cleans up the test results, which were confusing because functions
like `sink` had multiple locations.

There are some additional results now involving casts to `const char *`
because previously it varied whether `sink` used `const`, and now it
always does.
 2020-05-18 10:42:52 +02:00
Jonas Jensen
a380dc113f C++: Test field conflation with array in struct 2020-05-14 16:29:39 +02:00
Jonas Jensen
3cd377e299 C++: Fixup forgotten test annotation 
This should have been removed in 038bea2f52.
 2020-05-14 15:57:47 +02:00
Jonas Jensen
038bea2f52 C++: Add type check to prevent field conflation 2020-05-13 09:25:24 +02:00
Jonas Jensen
250e12a323 C++: Demonstrate new field conflation 2020-05-13 09:24:36 +02:00
Jonas Jensen
3a89f43cd6 Merge remote-tracking branch 'upstream/master' into dataflow-indirect-args 
Conflicts:
	cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
	cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
	cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/defaulttainttracking.cpp
	cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/tainted.expected
	cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/test_diff.expected
	cpp/ql/test/library-tests/dataflow/dataflow-tests/test_ir.expected
 2020-05-11 14:44:17 +02:00
Robert Marsh
c38ccaaab6 Merge branch 'master' into rdmarsh/cpp/ir-flow-through-outparams 2020-04-08 12:32:35 -07:00
Jonas Jensen
e37aab5002 C++: Suppress FieldAddressInstruction taint 
See code comment. This fixes false positives on openjdk/jdk.
 2020-04-06 16:14:26 +02:00
Jonas Jensen
3b76509159 C++: Test DefaultTaintTracking field conflation 2020-04-06 16:13:41 +02:00
Robert Marsh
d1d19a7446 Merge branch 'master' into rdmarsh/cpp/ir-flow-through-outparams 
Update test expectations
 2020-02-07 12:24:05 -08:00
Robert Marsh
692207472a Merge branch 'master' into rdmarsh/cpp/ir-flow-through-outparams 2020-02-06 11:42:30 -08:00
Jonas Jensen
a0e2d59c01 C++: Add tests for global-var support 2020-02-05 16:31:13 +01:00
Robert Marsh
677f0f090a Merge branch 'master' into rdmarsh/cpp/ir-flow-through-outparams 2020-02-03 13:06:35 -08:00
Robert Marsh
3bfcf0bf46 Merge branch 'master' into connect-ir-dataflow-models 2020-02-03 11:06:45 -08:00
Jonas Jensen
e2da98ae24 C++: Accept autoformat and test changes 2020-01-31 20:58:53 +01:00
Robert Marsh
83d611de11 C++: don't conflate pointers in data flow 2020-01-30 16:18:24 -08:00
Robert Marsh
71d87be773 C++: add flow through partial loads in DTT 2020-01-29 17:51:42 -08:00
Robert Marsh
37570c7750 Merge pull request #2676 from jbj/dataflow-partial-chi 
C++: data flow through partial chi operands where type is known
 2020-01-29 13:44:06 -05:00
Jonas Jensen
0436caecdc C++: Always use the old library for the diff test 
This change ensures that the diff test will show the difference between
the old and the new library even after we switch the default
implementation of `security.TaintTracking` to be the new one.
 2020-01-29 16:03:35 +01:00
Jonas Jensen
02cb8e9cc7 Merge remote-tracking branch 'upstream/master' into dataflow-partial-chi 
Conflicts:
	cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
	cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/tainted.expected
 2020-01-29 13:03:40 +01:00
Mathias Vorreiter Pedersen
c1091a03d0 C++: Accept output 2020-01-28 17:38:35 +01:00
Mathias Vorreiter Pedersen
928b0c50d2 C++: Add test demonstrating false negative when using dynamic_cast 2020-01-28 17:31:53 +01:00
Mathias Vorreiter Pedersen
287af2bdec C++: Fix annotations in testcase file 2020-01-28 13:51:36 +01:00
Mathias Vorreiter Pedersen
611d9553dd C++: Fix formatting 2020-01-28 10:22:33 +01:00
Mathias Vorreiter Pedersen
130911ad44 C++: Accept new output in already existing test 2020-01-28 10:00:52 +01:00
Mathias Vorreiter Pedersen
fd79e7991d C++: Add tests demonstrating differences between AST virtual dispatch analysis and IR virtual dispatch analysis 2020-01-28 10:00:21 +01:00
Jonas Jensen
0e3ed2dfa6 C++: Remove test for unrelated issue 
The issue for that test is being tested and fixed on PR #2686. Adding a
test here will cause a semantic merge conflict.
 2020-01-27 14:25:28 +01:00
Jonas Jensen
7376daf16e C++: Some data flow through partial chi operands 2020-01-22 17:14:32 +01:00
Jonas Jensen
6cdca29aa6 C++: Flow through read side effects 
Until we have better tracking of indirections, these flow rules conflate
pointers and their contents.
 2020-01-22 13:27:10 +01:00
Jonas Jensen
2aaf41a0d8 C++: Test lack of flow through read side effect 2020-01-22 13:27:10 +01:00
Jonas Jensen
6d46e4d946 C++: Wire up models to DefaultTaintTracking 
This adds support for arg-to-arg and arg-to-return taint.
 2020-01-21 12:04:45 +01:00
Jonas Jensen
fa00e96ba8 C++: Test IR taint through library functions 2020-01-21 12:03:43 +01:00