import cpp
import semmle.code.cpp.security.Security
import semmle.code.cpp.security.TaintTrackingImpl as ASTTaintTracking
import semmle.code.cpp.ir.dataflow.DefaultTaintTracking as IRDefaultTaintTracking
/**
 * Taint-tracking configuration for the IR-based library in which every
 * `Element` counts as a sink.
 *
 * NOTE(review): the sink set is deliberately unrestricted, so flows found
 * under this configuration describe what the library can track and are not
 * security findings by themselves. Presumably `taintedWithPath` consults this
 * configuration's `isSink` - confirm against the library.
 */
class SourceConfiguration extends IRDefaultTaintTracking::TaintedWithPath::TaintTrackingConfiguration
{
  /** Holds for every element `e`; no sink is filtered out. */
  override predicate isSink(Element e) {
    any()
  }
}
/**
 * Holds if the AST-based taint library (`ASTTaintTracking::tainted`) reports
 * that `source` taints `sink`.
 */
predicate astFlow(Expr source, Element sink) {
  ASTTaintTracking::tainted(source, sink)
}
/**
 * Holds if the IR-based taint library reports a tainted path from `source`
 * to `sink`. The two path-node arguments of `taintedWithPath` are ignored
 * here; only the existence of a path matters.
 */
predicate irFlow(Expr source, Element sink) {
  IRDefaultTaintTracking::TaintedWithPath::taintedWithPath(
    source, sink, _, _
  )
}
// Differential query: lists every (source, sink) pair on which the AST-based
// and the IR-based taint libraries disagree, labelled with the library that
// found the flow. `Parameter` sinks are left out of the comparison.
//
// NOTE(review): a row marks a coverage difference between the two libraries,
// not a vulnerability. An "AST only" row is a flow the IR-based library did
// not report, so a query built on that library would presumably miss it.
from Expr source, Element sink, string note
where
  not sink instanceof Parameter and
  (
    // Flow seen by the IR-based library but not by the AST-based one.
    irFlow(source, sink) and
    not astFlow(source, sink) and
    note = "IR only"
    or
    // Flow seen by the AST-based library but not by the IR-based one.
    astFlow(source, sink) and
    not irFlow(source, sink) and
    note = "AST only"
  )
select source, sink, note