

Commit 4075f69

committed
C++: Make cpp/path-injection work with use-use dataflow
1 parent 973aad5 commit 4075f69

4 files changed

Lines changed: 39 additions & 13 deletions


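--- a/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
+++ b/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
@@ -47,16 +47,6 @@ class FileFunction extends FunctionWithWrappers {
 override predicate interestingArg(int arg) { arg = 0 }
 }
 
-Expr asSinkExpr(DataFlow::Node node) {
-result =
-node.asOperand()
-.(SideEffectOperand)
-.getUse()
-.(ReadSideEffectInstruction)
-.getArgumentDef()
-.getUnconvertedResultExpression()
-}
-
 /**
 * Holds for a variable that has any kind of upper-bound check anywhere in the program.
 * This is biased towards being inclusive and being a coarse overapproximation because
@@ -87,7 +77,7 @@ class TaintedPathConfiguration extends TaintTracking::Configuration {
 
 override predicate isSink(DataFlow::Node node) {
 exists(FileFunction fileFunction |
-fileFunction.outermostWrapperFunctionCall(asSinkExpr(node), _)
+fileFunction.outermostWrapperFunctionCall(node.asIndirectArgument(), _)
 )
 }
 
@@ -108,7 +98,7 @@ from
 FileFunction fileFunction, Expr taintedArg, FlowSource taintSource, TaintedPathConfiguration cfg,
 DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode, string callChain
 where
-taintedArg = asSinkExpr(sinkNode.getNode()) and
+taintedArg = sinkNode.getNode().asIndirectArgument() and
 fileFunction.outermostWrapperFunctionCall(taintedArg, callChain) and
 cfg.hasFlowPath(sourceNode, sinkNode) and
 taintSource = sourceNode.getNode()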
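Review bot: `isSink` at new line 80 and the `where` clause at new line 101 now accept any indirection of the argument via `node.asIndirectArgument()`, and the updated expected output shows the query reporting the same call several times: the `fopen` at test.c:17 gets three rows that differ only in the source node (`argv`, then `argv indirection` twice), and test.c:32 and test.c:57 each get two byte-identical rows. Those duplicates stem from distinct source nodes at one location, so the source definition (outside this hunk) rather than the sink is where they would be collapsed; if the duplication is accepted for now, a sentence in the commit message saying so would help whoever reviews the `.expected` churn. The sink predicate also lost its only explanation when `asSinkExpr` was removed; I would add a QLDoc on `isSink`, e.g. `/** Holds if node is passed, possibly through a pointer, to a file-access function or one of its wrappers. */`. Finally, path-explanation sink nodes are now labelled `Convert indirection` instead of the argument expression, which the old `getUnconvertedResultExpression()` step avoided; it is worth confirming that presentation is intended before the new baseline is locked in.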
Lines changed: 4 additions & 0 deletions
@@ -1,4 +1,8 @@
11
edges
2+
| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | Convert indirection |
23
nodes
4+
| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | semmle.label | fgets output argument |
5+
| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | Convert indirection | semmle.label | Convert indirection |
36
subpaths
47
#select
8+
| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | Convert indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | user input (string read by fgets) |
Lines changed: 32 additions & 0 deletions
@@ -1,4 +1,36 @@
11
edges
2+
| test.c:9:23:9:26 | argv | test.c:17:11:17:18 | Convert indirection |
3+
| test.c:9:23:9:26 | argv indirection | test.c:17:11:17:18 | Convert indirection |
4+
| test.c:9:23:9:26 | argv indirection | test.c:17:11:17:18 | Convert indirection |
5+
| test.c:31:22:31:25 | argv indirection | test.c:32:11:32:18 | Convert indirection |
6+
| test.c:31:22:31:25 | argv indirection | test.c:32:11:32:18 | Convert indirection |
7+
| test.c:37:17:37:24 | scanf output argument | test.c:38:11:38:18 | Convert indirection |
8+
| test.c:43:17:43:24 | scanf output argument | test.c:44:11:44:18 | Convert indirection |
9+
| test.c:57:10:57:13 | argv indirection | test.c:57:10:57:16 | access to array indirection |
10+
| test.c:57:10:57:13 | argv indirection | test.c:57:10:57:16 | access to array indirection |
211
nodes
12+
| test.c:9:23:9:26 | argv | semmle.label | argv |
13+
| test.c:9:23:9:26 | argv indirection | semmle.label | argv indirection |
14+
| test.c:9:23:9:26 | argv indirection | semmle.label | argv indirection |
15+
| test.c:17:11:17:18 | Convert indirection | semmle.label | Convert indirection |
16+
| test.c:31:22:31:25 | argv indirection | semmle.label | argv indirection |
17+
| test.c:31:22:31:25 | argv indirection | semmle.label | argv indirection |
18+
| test.c:32:11:32:18 | Convert indirection | semmle.label | Convert indirection |
19+
| test.c:37:17:37:24 | scanf output argument | semmle.label | scanf output argument |
20+
| test.c:38:11:38:18 | Convert indirection | semmle.label | Convert indirection |
21+
| test.c:43:17:43:24 | scanf output argument | semmle.label | scanf output argument |
22+
| test.c:44:11:44:18 | Convert indirection | semmle.label | Convert indirection |
23+
| test.c:57:10:57:13 | argv indirection | semmle.label | argv indirection |
24+
| test.c:57:10:57:13 | argv indirection | semmle.label | argv indirection |
25+
| test.c:57:10:57:16 | access to array indirection | semmle.label | access to array indirection |
326
subpaths
427
#select
28+
| test.c:17:11:17:18 | fileName | test.c:9:23:9:26 | argv | test.c:17:11:17:18 | Convert indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:9:23:9:26 | argv | user input (a command-line argument) |
29+
| test.c:17:11:17:18 | fileName | test.c:9:23:9:26 | argv indirection | test.c:17:11:17:18 | Convert indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:9:23:9:26 | argv indirection | user input (a command-line argument) |
30+
| test.c:17:11:17:18 | fileName | test.c:9:23:9:26 | argv indirection | test.c:17:11:17:18 | Convert indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:9:23:9:26 | argv indirection | user input (a command-line argument) |
31+
| test.c:32:11:32:18 | fileName | test.c:31:22:31:25 | argv indirection | test.c:32:11:32:18 | Convert indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:31:22:31:25 | argv indirection | user input (a command-line argument) |
32+
| test.c:32:11:32:18 | fileName | test.c:31:22:31:25 | argv indirection | test.c:32:11:32:18 | Convert indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:31:22:31:25 | argv indirection | user input (a command-line argument) |
33+
| test.c:38:11:38:18 | fileName | test.c:37:17:37:24 | scanf output argument | test.c:38:11:38:18 | Convert indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:37:17:37:24 | scanf output argument | user input (value read by scanf) |
34+
| test.c:44:11:44:18 | fileName | test.c:43:17:43:24 | scanf output argument | test.c:44:11:44:18 | Convert indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:43:17:43:24 | scanf output argument | user input (value read by scanf) |
35+
| test.c:57:10:57:16 | access to array | test.c:57:10:57:13 | argv indirection | test.c:57:10:57:16 | access to array indirection | This argument to a file access function is derived from $@ and then passed to read(fileName), which calls fopen(filename). | test.c:57:10:57:13 | argv indirection | user input (a command-line argument) |
36+
| test.c:57:10:57:16 | access to array | test.c:57:10:57:13 | argv indirection | test.c:57:10:57:16 | access to array indirection | This argument to a file access function is derived from $@ and then passed to read(fileName), which calls fopen(filename). | test.c:57:10:57:13 | argv indirection | user input (a command-line argument) |

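--- a/cpp/ql/test/query-tests/Security/CWE/CWE-022/semmle/tests/test.c
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-022/semmle/tests/test.c
@@ -54,7 +54,7 @@ int main(int argc, char** argv) {
 
 {
 void read(const char *fileName);
-read(argv[1]); // BAD [NOT DETECTED]
+read(argv[1]); // BAD
 }
 }
 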