mirror of
https://github.com/github/codeql.git
synced 2025-12-17 17:23:36 +01:00
27 lines
852 B
Plaintext
27 lines
852 B
Plaintext
import cpp
|
|
import semmle.code.cpp.dataflow.new.DataFlow
|
|
|
|
class GetenvSource extends DataFlow::Node {
|
|
GetenvSource() { this.asIndirectExpr(1).(FunctionCall).getTarget().hasGlobalName("getenv") }
|
|
}
|
|
|
|
module GetenvToGethostbynameConfig implements DataFlow::ConfigSig {
|
|
predicate isSource(DataFlow::Node source) { source instanceof GetenvSource }
|
|
|
|
predicate isSink(DataFlow::Node sink) {
|
|
exists(FunctionCall fc |
|
|
sink.asIndirectExpr(1) = fc.getArgument(0) and
|
|
fc.getTarget().hasName("gethostbyname")
|
|
)
|
|
}
|
|
}
|
|
|
|
module GetenvToGethostbynameFlow = DataFlow::Global<GetenvToGethostbynameConfig>;
|
|
|
|
from Expr getenv, FunctionCall fc, DataFlow::Node source, DataFlow::Node sink
|
|
where
|
|
source.asIndirectExpr(1) = getenv and
|
|
sink.asIndirectExpr(1) = fc.getArgument(0) and
|
|
GetenvToGethostbynameFlow::flow(source, sink)
|
|
select getenv, fc
|