1+ <!DOCTYPE qhelp PUBLIC
2+ "-//Semmle//qhelp//EN"
3+ "qhelp.dtd">
4+ <qhelp >
5+ <overview >
6+ <p >Using unsanitized untrusted data in an external API can cause a variety of security issues. This query reports
7+ external APIs that use untrusted data. The results are not filtered, so you can audit all examples.
8+ The query provides data for security reviews of the application and you can also use it to identify external APIs
9+ that should be modeled as either taint steps, or sinks for specific problems.</p >
10+
11+ <p >An external API is defined as a call to a function that is not defined in the source code, and is not modeled
12+ as a taint step in the default taint library. External APIs may be from the
13+ C++ standard library, third-party dependencies or from internal dependencies. The query reports uses of
14+ untrusted data in either the qualifier or as one of the arguments of external APIs.</p >
15+
16+ </overview >
17+ <recommendation >
18+
19+ <p >For each result:</p >
20+
21+ <ul >
22+ <li >If the result highlights a known sink, confirm that the result is reported by the relevant query, or
23+ that the result is a false positive because this data is sanitized.</li >
24+ <li >If the result highlights an unknown sink for a problem, then add modeling for the sink to the relevant query,
25+ and confirm that the result is either found, or is safe due to appropriate sanitization.</li >
26+ <li >If the result represents a call to an external API that transfers taint, add the appropriate modeling, and
27+ re-run the query to determine what new results have appeared due to this additional modeling.</li >
28+ </ul >
29+
30+ <p >Otherwise, the result is likely uninteresting. Custom versions of this query can extend the <code >SafeExternalAPIFunction</code >
31+ class to exclude known safe external APIs from future analysis.</p >
32+
33+ </recommendation >
34+ <example >
35+
36+ <p >In this first example, input is read from <code >fgets</code > and then ultimately used in a call to the
37+ <code >fputs</code > external API:</p >
38+
39+ <sample src =" ExternalAPISinkExample.cpp" />
40+
41+ <p >This is an XSS sink. The XSS query should therefore be reviewed to confirm that this sink is appropriately modeled,
42+ and if it is, to confirm that the query reports this particular result, or that the result is a false positive due to
43+ some existing sanitization.</p >
44+
45+ <p >In this second example, again a request parameter is read from <code >fgets</code >.</p >
46+
47+ <sample src =" ExternalAPITaintStepExample.cpp" />
48+
49+ <p >If the query reported the call to <code >strcat</code > on line 9, this would suggest that this external API is
50+ not currently modeled as a taint step in the taint tracking library. The next step would be to model this as a taint step, then
51+ re-run the query to determine what additional results might be found. In this example, it seems likely that <code >buffer</code >
52+ will be executed as an SQL query, potentially leading to an SQL injection vulnerability.</p >
53+
54+ <p >Note that both examples are correctly handled by the standard taint tracking library and XSS query.</p >
55+ </example >
56+ <references >
57+
58+ </references >
59+ </qhelp >
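Review bot: The closing sentence of the example section, "Note that both examples are correctly handled by the standard taint tracking library and XSS query.", does not fit the second example, which the paragraph just before it says is likely to end in an SQL query and an SQL injection vulnerability rather than XSS; either name the SQL injection query there as well or reword it so that each example is said to be handled by its own relevant query. Two smaller points in the same hunk: the second example opens with "again a request parameter is read from fgets" while the first example only says "input is read from fgets", so the two descriptions should agree on what is being read; and "the call to strcat on line 9" is a line reference into ExternalAPITaintStepExample.cpp, which is not shown here and will go stale silently if that sample is edited, so describing the call itself is safer than citing its line number. Finally, the references element is empty; either add the relevant links or drop the element rather than shipping an empty section.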