hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 01:33:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
cs/assembly-prefix
codeql/cpp/ql/test/library-tests/dataflow/fields/complex.cpp
Jonas Jensen d3a6ae5657 C++: Support nested field flow 
This is the C/C++ side of PR #1766.
2019-09-03 08:50:15 +02:00

73 lines
1.4 KiB
C++
Raw Permalink Blame History

namespace Complex
{
class Foo
{
int a_;
int b_;
public:
int a() { return a_; }
int b() { return b_; }
void setA(int a) { a_ = a; }
void setB(int b) { b_ = b; }
Foo(int a, int b) : a_(a), b_(b){};
};
class Bar
{
public:
Foo f;
Bar() : f(0, 0) {}
};
int user_input()
{
return 42;
}
void sink(int x)
{
}
void bar(Bar &b)
{
// The library correctly finds that the four `user_input` sources can make it
// to the `sink` calls, but it also finds some source/sink combinations that
// are impossible. Those false positives here are a consequence of how the
// shared data flow library overapproximates field flow. The library only
// tracks the head (`f`) and the length (2) of the field access path, and
// then it tracks that both `a_` and `b_` have followed `f` in _some_ access
// path somewhere in the search. That makes the library conclude that there
// could be flow to `b.f.a_` even when the flow was actually to `b.f.b_`.
sink(b.f.a()); // flow [FALSE POSITIVE through `b2.f.setB` and `b3.f.setB`]
sink(b.f.b()); // flow [FALSE POSITIVE through `b1.f.setA` and `b3.f.setA`]
}
void foo()
{
Bar b1;
Bar b2;
Bar b3;
Bar b4;
b1.f.setA(user_input());
b2.f.setB(user_input());
b3.f.setA(user_input());
b3.f.setB(user_input());
// Only a() should alert
bar(b1);
// Only b() should alert
bar(b2);
// Both a() and b() should alert
bar(b3);
// Nothing should alert
bar(b4);
}
}; // namespace Complex
Reference in New Issue View Git Blame Copy Permalink