codeql/csharp/ql/test/library-tests/dataflow/global/TaintTracking.expected
Tom Hvitved b2f99dbbc7 C#: Teach data flow library about CFG splitting
Data flow nodes for expressions do not take CFG splitting into account. Example:

```
if (b)
    x = tainted;
x = x.ToLower();
if (!b)
    Use(x);
```

Flow is incorrectly reported from `tainted` to `x` in `Use(x)`, because the step
from `tainted` to `x.ToLower()` throws away the information that `b = true`.

The solution is to remember the splitting in data flow expression nodes, that is,
to represent the exact control flow node instead of just the expression. With that
we get flow from `tainted` to `[b = true] x.ToLower()`, but not from `tainted` to
`[b = false] x.ToLower()`.

The data flow API remains unchanged, but in order for analyses to fully benefit from
CFG splitting, sanitizers in particular should be CFG-based instead of expression-based:

```
if (b)
{
    x = tainted;
    if (IsInvalid(x))
        return;
}
Use(x);
```

If the call to `IsInvalid()` is a sanitizer, then defining an expression node to be
a sanitizer using `GuardedExpr` will be too conservative (`x` in `Use(x)` is in fact
not guarded). However, `[b = true] x` in `[b = true] Use(x)` is guarded, and to help
define guard-based sanitizers, the class `GuardedDataFlowNode` has been introduced.
2019-01-16 10:39:27 +01:00
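
The first example from the commit message, modelled as a toy flow graph in Python. This is an added illustration, not CodeQL's implementation or code from the commit, and the `PROGRAM` encoding and function names are assumptions made here. It compares one node per statement against one node per (statement, value of `b`) and shows that only the former reports flow into `Use(x)`.

```python
# Toy model (added illustration). Each entry is (statement, guard), where
# guard is the value of b required to execute it; None means "always runs".
PROGRAM = [
    ("x = tainted", True),      # if (b) x = tainted;
    ("x = x.ToLower()", None),  # x = x.ToLower();
    ("Use(x)", False),          # if (!b) Use(x);
]
SOURCE, SINK = "x = tainted", "Use(x)"


def flow_edges(split):
    """Flow steps for x between consecutive executed statements.

    Every statement here defines or uses x, so each step on an execution
    path is also a data flow step.
    split=False: one node per statement (expression-based nodes).
    split=True:  one node per (statement, value of b) (CFG-based nodes).
    """
    edges = set()
    for b in (True, False):
        executed = [s for s, guard in PROGRAM if guard is None or guard == b]
        nodes = [(s, b) if split else s for s in executed]
        edges.update(zip(nodes, nodes[1:]))
    return edges


def tainted_nodes(split):
    """All nodes reachable from a source node along the flow steps."""
    edges = flow_edges(split)
    stmt = (lambda n: n[0]) if split else (lambda n: n)
    work = [n for e in edges for n in e if stmt(n) == SOURCE]
    seen = set(work)
    while work:
        cur = work.pop()
        for src, dst in edges:
            if src == cur and dst not in seen:
                seen.add(dst)
                work.append(dst)
    return seen


def sink_hits(split):
    """Tainted nodes that correspond to the sink statement."""
    stmt = (lambda n: n[0]) if split else (lambda n: n)
    return sorted(n for n in tainted_nodes(split) if stmt(n) == SINK)


if __name__ == "__main__":
    print("expression-based:", sink_hits(split=False))  # spurious flow
    print("CFG-based:       ", sink_hits(split=True))   # no flow
```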

57 lines
3.7 KiB
Plaintext

| Capture.cs:12:19:12:24 | access to local variable sink27 |
| Capture.cs:21:23:21:28 | access to local variable sink28 |
| Capture.cs:30:19:30:24 | access to local variable sink29 |
| Capture.cs:60:15:60:20 | access to local variable sink30 |
| Capture.cs:72:15:72:20 | access to local variable sink31 |
| Capture.cs:81:15:81:20 | access to local variable sink32 |
| Capture.cs:109:15:109:20 | access to local variable sink33 |
| Capture.cs:121:15:121:20 | access to local variable sink34 |
| Capture.cs:130:15:130:20 | access to local variable sink35 |
| Capture.cs:137:15:137:20 | access to local variable sink36 |
| Capture.cs:145:15:145:20 | access to local variable sink37 |
| Capture.cs:171:15:171:20 | access to local variable sink38 |
| GlobalDataFlow.cs:18:15:18:29 | access to field SinkField0 |
| GlobalDataFlow.cs:26:15:26:32 | access to property SinkProperty0 |
| GlobalDataFlow.cs:44:50:44:59 | access to parameter sinkParam2 |
| GlobalDataFlow.cs:71:15:71:19 | access to local variable sink0 |
| GlobalDataFlow.cs:73:15:73:19 | access to local variable sink1 |
| GlobalDataFlow.cs:76:15:76:19 | access to local variable sink2 |
| GlobalDataFlow.cs:79:15:79:19 | access to local variable sink3 |
| GlobalDataFlow.cs:81:15:81:20 | access to local variable sink13 |
| GlobalDataFlow.cs:83:15:83:20 | access to local variable sink14 |
| GlobalDataFlow.cs:85:15:85:20 | access to local variable sink15 |
| GlobalDataFlow.cs:87:15:87:20 | access to local variable sink16 |
| GlobalDataFlow.cs:89:15:89:20 | access to local variable sink17 |
| GlobalDataFlow.cs:91:15:91:20 | access to local variable sink18 |
| GlobalDataFlow.cs:94:15:94:20 | access to local variable sink21 |
| GlobalDataFlow.cs:97:15:97:20 | access to local variable sink22 |
| GlobalDataFlow.cs:132:15:132:19 | access to local variable sink4 |
| GlobalDataFlow.cs:140:15:140:19 | access to local variable sink5 |
| GlobalDataFlow.cs:150:15:150:19 | access to local variable sink6 |
| GlobalDataFlow.cs:153:15:153:19 | access to local variable sink7 |
| GlobalDataFlow.cs:156:15:156:19 | access to local variable sink8 |
| GlobalDataFlow.cs:158:15:158:20 | access to local variable sink12 |
| GlobalDataFlow.cs:160:15:160:20 | access to local variable sink23 |
| GlobalDataFlow.cs:177:15:177:19 | access to local variable sink9 |
| GlobalDataFlow.cs:186:15:186:20 | access to local variable sink10 |
| GlobalDataFlow.cs:194:15:194:20 | access to local variable sink19 |
| GlobalDataFlow.cs:204:58:204:68 | access to parameter sinkParam10 |
| GlobalDataFlow.cs:207:15:207:20 | access to local variable sink24 |
| GlobalDataFlow.cs:209:15:209:20 | access to local variable sink25 |
| GlobalDataFlow.cs:211:15:211:20 | access to local variable sink26 |
| GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 |
| GlobalDataFlow.cs:238:15:238:24 | access to parameter sinkParam1 |
| GlobalDataFlow.cs:243:15:243:24 | access to parameter sinkParam3 |
| GlobalDataFlow.cs:248:15:248:24 | access to parameter sinkParam4 |
| GlobalDataFlow.cs:253:15:253:24 | access to parameter sinkParam5 |
| GlobalDataFlow.cs:258:15:258:24 | access to parameter sinkParam6 |
| GlobalDataFlow.cs:263:15:263:24 | access to parameter sinkParam7 |
| GlobalDataFlow.cs:289:15:289:24 | access to parameter sinkParam8 |
| GlobalDataFlow.cs:295:15:295:24 | access to parameter sinkParam9 |
| GlobalDataFlow.cs:301:15:301:25 | access to parameter sinkParam11 |
| GlobalDataFlow.cs:376:15:376:20 | access to local variable sink11 |
| GlobalDataFlow.cs:399:41:399:46 | access to local variable sink20 |
| Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x |
| Splitting.cs:11:19:11:19 | access to local variable x |