Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 509a349

Browse files
author
Robert Marsh
committed
C++: support new subpaths predicate in ExecTainted
1 parent 09ef8f6 commit 509a349

2 files changed

Lines changed: 17 additions & 12 deletions

File tree

cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql

Lines changed: 16 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -66,7 +66,6 @@ predicate interestingConcatenation(DataFlow::Node fst, DataFlow::Node snd) {
6666
)
6767
}
6868

69-
// TODO: maybe we can drop this?
7069
class TaintToConcatenationConfiguration extends TaintTracking::Configuration {
7170
TaintToConcatenationConfiguration() { this = "TaintToConcatenationConfiguration" }
7271

@@ -135,6 +134,10 @@ module StitchedPathGraph {
135134
)
136135
}
137136

137+
DataFlow::PathNode getPathNode1() { this = TPathNode1(result) }
138+
139+
DataFlow2::PathNode getPathNode2() { this = TPathNode2(result) }
140+
138141
predicate hasLocationInfo(
139142
string filepath, int startline, int startcolumn, int endline, int endcolumn
140143
) {
@@ -183,6 +186,18 @@ module StitchedPathGraph {
183186
DataFlow2::PathGraph::nodes(n, key, val)
184187
)
185188
}
189+
190+
query predicate subpaths(
191+
MergedPathNode arg, MergedPathNode par, MergedPathNode ret, MergedPathNode out
192+
) {
193+
// just forward subpaths from the underlying libraries. This might be slightly awkward when
194+
// the concatenation is deep in a call chain.
195+
DataFlow::PathGraph::subpaths(arg.getPathNode1(), par.getPathNode1(), ret.getPathNode1(),
196+
out.getPathNode1())
197+
or
198+
DataFlow2::PathGraph::subpaths(arg.getPathNode2(), par.getPathNode2(), ret.getPathNode2(),
199+
out.getPathNode2())
200+
}
186201
}
187202

188203
import StitchedPathGraph

cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected

Lines changed: 1 addition & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,6 @@ edges
1414
| test.cpp:22:45:22:52 | userName indirection | test.cpp:22:13:22:20 | sprintf output argument |
1515
| test.cpp:22:45:22:52 | userName indirection | test.cpp:22:13:22:20 | sprintf output argument |
1616
| test.cpp:22:45:22:52 | userName indirection | test.cpp:22:13:22:20 | sprintf output argument |
17-
| test.cpp:31:13:31:20 | sprintf output argument | test.cpp:32:12:32:19 | command2 indirection |
1817
| test.cpp:38:17:38:22 | call to getenv | test.cpp:38:17:38:22 | Store |
1918
| test.cpp:38:17:38:22 | call to getenv | test.cpp:41:20:41:24 | (const char *)... |
2019
| test.cpp:38:17:38:22 | call to getenv | test.cpp:41:20:41:24 | envCC |
@@ -46,7 +45,6 @@ edges
4645
| test.cpp:71:9:71:15 | fread output argument | test.cpp:73:11:73:17 | command indirection |
4746
| test.cpp:71:9:71:15 | fread output argument | test.cpp:74:10:74:16 | (const char *)... |
4847
| test.cpp:71:9:71:15 | fread output argument | test.cpp:74:10:74:16 | command indirection |
49-
| test.cpp:73:11:73:17 | strncat output argument | test.cpp:74:10:74:16 | command indirection |
5048
| test.cpp:82:9:82:16 | (void *)... | test.cpp:82:9:82:16 | filename indirection |
5149
| test.cpp:82:9:82:16 | fread output argument | test.cpp:84:20:84:27 | (const char *)... |
5250
| test.cpp:82:9:82:16 | fread output argument | test.cpp:84:20:84:27 | filename indirection |
@@ -150,9 +148,6 @@ edges
150148
| test.cpp:162:11:162:14 | call to atoi | test.cpp:166:44:166:48 | temp2 indirection |
151149
| test.cpp:162:11:162:14 | call to atoi | test.cpp:168:10:168:16 | (const char *)... |
152150
| test.cpp:162:11:162:14 | call to atoi | test.cpp:168:10:168:16 | command indirection |
153-
| test.cpp:166:13:166:19 | sprintf output argument | test.cpp:168:10:168:16 | command indirection |
154-
| test.cpp:166:44:166:48 | temp2 indirection | test.cpp:166:13:166:19 | sprintf output argument |
155-
| test.cpp:166:44:166:48 | temp2 indirection | test.cpp:166:13:166:19 | sprintf output argument |
156151
nodes
157152
| test.cpp:16:20:16:23 | argv | semmle.label | argv |
158153
| test.cpp:16:20:16:23 | argv | semmle.label | argv |
@@ -169,8 +164,6 @@ nodes
169164
| test.cpp:29:45:29:52 | (const char *)... | semmle.label | (const char *)... |
170165
| test.cpp:29:45:29:52 | userName | semmle.label | userName |
171166
| test.cpp:29:45:29:52 | userName indirection | semmle.label | userName indirection |
172-
| test.cpp:31:13:31:20 | sprintf output argument | semmle.label | sprintf output argument |
173-
| test.cpp:32:12:32:19 | command2 indirection | semmle.label | command2 indirection |
174167
| test.cpp:38:17:38:22 | Store | semmle.label | Store |
175168
| test.cpp:38:17:38:22 | call to getenv | semmle.label | call to getenv |
176169
| test.cpp:38:17:38:22 | call to getenv | semmle.label | call to getenv |
@@ -210,10 +203,8 @@ nodes
210203
| test.cpp:71:9:71:15 | fread output argument | semmle.label | fread output argument |
211204
| test.cpp:73:11:73:17 | array to pointer conversion | semmle.label | array to pointer conversion |
212205
| test.cpp:73:11:73:17 | command indirection | semmle.label | command indirection |
213-
| test.cpp:73:11:73:17 | strncat output argument | semmle.label | strncat output argument |
214206
| test.cpp:74:10:74:16 | (const char *)... | semmle.label | (const char *)... |
215207
| test.cpp:74:10:74:16 | command indirection | semmle.label | command indirection |
216-
| test.cpp:74:10:74:16 | command indirection | semmle.label | command indirection |
217208
| test.cpp:82:9:82:16 | (void *)... | semmle.label | (void *)... |
218209
| test.cpp:82:9:82:16 | (void *)... | semmle.label | (void *)... |
219210
| test.cpp:82:9:82:16 | array to pointer conversion | semmle.label | array to pointer conversion |
@@ -338,12 +329,11 @@ nodes
338329
| test.cpp:162:16:162:19 | array to pointer conversion | semmle.label | array to pointer conversion |
339330
| test.cpp:162:16:162:19 | temp indirection | semmle.label | temp indirection |
340331
| test.cpp:165:24:165:24 | x | semmle.label | x |
341-
| test.cpp:166:13:166:19 | sprintf output argument | semmle.label | sprintf output argument |
342332
| test.cpp:166:44:166:48 | array to pointer conversion | semmle.label | array to pointer conversion |
343333
| test.cpp:166:44:166:48 | temp2 indirection | semmle.label | temp2 indirection |
344334
| test.cpp:168:10:168:16 | (const char *)... | semmle.label | (const char *)... |
345335
| test.cpp:168:10:168:16 | command indirection | semmle.label | command indirection |
346-
| test.cpp:168:10:168:16 | command indirection | semmle.label | command indirection |
336+
subpaths
347337
#select
348338
| test.cpp:23:12:23:19 | command1 | test.cpp:16:20:16:23 | argv | test.cpp:23:12:23:19 | command1 indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string) | test.cpp:16:20:16:23 | argv | user input (a command-line argument) | test.cpp:22:13:22:20 | sprintf output argument | sprintf output argument |
349339
| test.cpp:51:10:51:16 | command | test.cpp:47:21:47:26 | call to getenv | test.cpp:51:10:51:16 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string) | test.cpp:47:21:47:26 | call to getenv | user input (an environment variable) | test.cpp:50:11:50:17 | sprintf output argument | sprintf output argument |

0 commit comments

Comments
 (0)