
Commit 37c9217

Robert MarshRobert Marsh
authored andcommitted
C++: exclude int/string conversion in ExecTainted
1 parent 5e265f4 commit 37c9217

2 files changed

Lines changed: 7 additions & 11 deletions


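--- a/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
@@ -43,11 +43,7 @@ predicate interestingConcatenation(DataFlow::Node fst, DataFlow::Node snd) {
 snd.asDefiningArgument() = call.getOutputArgument(false) and
 literal = call.getFormat() and
 not literal.getConvSpecOffset(index) = 0 and
-(
-literal.getConversionType(index) instanceof CharPointerType
-or
-literal.getConversionType(index).(PointerType).getBaseType() instanceof Wchar_t
-)
+literal.getConversionChar(index) = ["s", "S"]
 )
 or
 // strcat and friends
@@ -81,6 +77,12 @@ class TaintToConcatenationConfiguration extends TaintTracking::Configuration {
 override predicate isSink(DataFlow::Node sink) {
 interestingConcatenation(sink, _)
 }
+
+override predicate isSanitizer(DataFlow::Node node) {
+node.asInstruction().getResultType() instanceof IntegralType
+or
+node.asInstruction().getResultType() instanceof FloatingPointType
+}
 }
 
 class ExecTaintConfiguration extends TaintTracking::Configuration {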
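Review bot: The new isSanitizer predicate in the second hunk carries no comment saying why integral and floating-point typed nodes cut the taint path, which the next maintainer will need when a reported case disappears; a comment such as `// A value that has been converted to a number (e.g. via atoi) cannot carry a command-injection payload into the concatenation.` above the override would record the intent behind the removed test.cpp:168 result. If I recall the C++ library correctly, `CharType` is an `IntegralType`, so a tainted single `char` (for example one element copied out of a tainted buffer) would also be treated as sanitized; it is worth confirming that a command assembled character by character going unreported is acceptable, or narrowing the check to exclude character types. The enclosing class TaintToConcatenationConfiguration starts before this hunk.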

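--- a/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected
@@ -130,7 +130,6 @@ edges
 | test.cpp:160:9:160:12 | fread output argument | test.cpp:165:24:165:24 | x |
 | test.cpp:160:9:160:12 | fread output argument | test.cpp:166:44:166:48 | array to pointer conversion |
 | test.cpp:160:9:160:12 | fread output argument | test.cpp:166:44:166:48 | temp2 indirection |
-| test.cpp:160:9:160:12 | fread output argument | test.cpp:166:44:166:48 | temp2 indirection |
 | test.cpp:160:9:160:12 | fread output argument | test.cpp:168:10:168:16 | (const char *)... |
 | test.cpp:160:9:160:12 | fread output argument | test.cpp:168:10:168:16 | command indirection |
 | test.cpp:162:11:162:14 | call to atoi | test.cpp:162:11:162:14 | Store |
@@ -140,16 +139,13 @@ edges
 | test.cpp:162:11:162:14 | call to atoi | test.cpp:168:10:168:16 | (const char *)... |
 | test.cpp:162:11:162:14 | call to atoi | test.cpp:168:10:168:16 | command indirection |
 | test.cpp:166:13:166:19 | sprintf output argument | test.cpp:168:10:168:16 | command indirection |
-| test.cpp:166:44:166:48 | temp2 indirection | test.cpp:166:13:166:19 | sprintf output argument |
-| test.cpp:166:44:166:48 | temp2 indirection | test.cpp:166:13:166:19 | sprintf output argument |
 #select
 | test.cpp:23:12:23:19 | command1 | test.cpp:16:20:16:23 | argv | test.cpp:23:12:23:19 | command1 indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string) | test.cpp:16:20:16:23 | argv | user input (a command-line argument) | test.cpp:22:13:22:20 | sprintf output argument | sprintf output argument |
 | test.cpp:51:10:51:16 | command | test.cpp:47:21:47:26 | call to getenv | test.cpp:51:10:51:16 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string) | test.cpp:47:21:47:26 | call to getenv | user input (an environment variable) | test.cpp:50:11:50:17 | sprintf output argument | sprintf output argument |
 | test.cpp:65:10:65:16 | command | test.cpp:62:9:62:16 | fread output argument | test.cpp:65:10:65:16 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string) | test.cpp:62:9:62:16 | fread output argument | user input (String read by fread) | test.cpp:64:11:64:17 | strncat output argument | strncat output argument |
 | test.cpp:85:32:85:38 | command | test.cpp:82:9:82:16 | fread output argument | test.cpp:85:32:85:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl | test.cpp:82:9:82:16 | fread output argument | user input (String read by fread) | test.cpp:84:11:84:17 | strncat output argument | strncat output argument |
 | test.cpp:94:45:94:48 | path | test.cpp:91:9:91:16 | fread output argument | test.cpp:94:45:94:48 | path indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl | test.cpp:91:9:91:16 | fread output argument | user input (String read by fread) | test.cpp:93:11:93:14 | strncat output argument | strncat output argument |
 | test.cpp:143:10:143:16 | command | test.cpp:140:9:140:11 | fread output argument | test.cpp:143:10:143:16 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string) | test.cpp:140:9:140:11 | fread output argument | user input (String read by fread) | test.cpp:142:11:142:17 | sprintf output argument | sprintf output argument |
-| test.cpp:168:10:168:16 | command | test.cpp:160:9:160:12 | fread output argument | test.cpp:168:10:168:16 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string) | test.cpp:160:9:160:12 | fread output argument | user input (String read by fread) | test.cpp:166:13:166:19 | sprintf output argument | sprintf output argument |
 nodes
 | test.cpp:16:20:16:23 | argv | semmle.label | argv |
 | test.cpp:16:20:16:23 | argv | semmle.label | argv |
@@ -327,7 +323,6 @@ nodes
 | test.cpp:160:9:160:12 | (void *)... | semmle.label | (void *)... |
 | test.cpp:160:9:160:12 | array to pointer conversion | semmle.label | array to pointer conversion |
 | test.cpp:160:9:160:12 | fread output argument | semmle.label | fread output argument |
-| test.cpp:160:9:160:12 | fread output argument | semmle.label | fread output argument |
 | test.cpp:160:9:160:12 | temp | semmle.label | temp |
 | test.cpp:160:9:160:12 | temp indirection | semmle.label | temp indirection |
 | test.cpp:162:11:162:14 | Store | semmle.label | Store |
@@ -339,7 +334,6 @@ nodes
 | test.cpp:166:13:166:19 | sprintf output argument | semmle.label | sprintf output argument |
 | test.cpp:166:44:166:48 | array to pointer conversion | semmle.label | array to pointer conversion |
 | test.cpp:166:44:166:48 | temp2 indirection | semmle.label | temp2 indirection |
-| test.cpp:166:44:166:48 | temp2 indirection | semmle.label | temp2 indirection |
 | test.cpp:168:10:168:16 | (const char *)... | semmle.label | (const char *)... |
 | test.cpp:168:10:168:16 | command indirection | semmle.label | command indirection |
 | test.cpp:168:10:168:16 | command indirection | semmle.label | command indirection |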
