mirror of
https://github.com/github/codeql.git
synced 2026-06-22 13:21:10 +02:00
35 lines
1.4 KiB
Plaintext
35 lines
1.4 KiB
Plaintext
/**
|
|
* Provides an abstract class for accurate taint modeling of library
|
|
* functions when source code is not available. To use this QL library,
|
|
* create a QL class extending `TaintFunction` with a characteristic predicate
|
|
* that selects the function or set of functions you are modeling. Within that
|
|
* class, override the predicates provided by `TaintFunction` to match the flow
|
|
* within that function.
|
|
*/
|
|
|
|
import semmle.code.cpp.Function
|
|
import FunctionInputsAndOutputs
|
|
import semmle.code.cpp.models.Models
|
|
import PartialFlow
|
|
|
|
/**
|
|
* A library function for which a taint-tracking library should propagate taint
|
|
* from a parameter or qualifier to an output buffer, return value, or qualifier.
|
|
*
|
|
* An expression is tainted if it could be influenced by an attacker to have
|
|
* an unusual value.
|
|
*
|
|
* Note that this does not include direct copying of values; that is covered by
|
|
* DataFlowModel.qll. If a value is sometimes copied in full, and sometimes
|
|
* altered (for example copying a string with `strncpy`), this is also considered
|
|
* data flow.
|
|
*/
|
|
abstract class TaintFunction extends PartialFlowFunction {
|
|
/**
|
|
* Holds if data passed into the argument, qualifier, or buffer represented by
|
|
* `input` influences the return value or buffer represented by `output`
|
|
*/
|
|
pragma[nomagic]
|
|
abstract predicate hasTaintFlow(FunctionInput input, FunctionOutput output);
|
|
}
|