Merge pull request #2491 from rdmarsh2/rdmarsh/cpp/ir-taintedIncludingGlobalVars

jbj · web-flow · commit 5cea452123e8 · 2019-12-16T11:00:34.000+01:00
C++: handle global vars in DefaultTaintTracking
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
@@ -1,6 +1,7 @@
 import cpp
 import semmle.code.cpp.security.Security
 private import semmle.code.cpp.ir.dataflow.DataFlow
+private import semmle.code.cpp.ir.dataflow.DataFlow2
 private import semmle.code.cpp.ir.IR
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowDispatch as Dispatch
 
@@ -29,20 +30,60 @@ private class DefaultTaintTrackingCfg extends DataFlow::Configuration {
     instructionTaintStep(n1.asInstruction(), n2.asInstruction())
   }
 
-  override predicate isBarrier(DataFlow::Node node) {
-    exists(Variable checkedVar |
-      accessesVariable(node.asInstruction(), checkedVar) and
-      hasUpperBoundsCheck(checkedVar)
+  override predicate isBarrier(DataFlow::Node node) { nodeIsBarrier(node) }
+}
+
+private class ToGlobalVarTaintTrackingCfg extends DataFlow::Configuration {
+  ToGlobalVarTaintTrackingCfg() { this = "GlobalVarTaintTrackingCfg" }
+
+  override predicate isSource(DataFlow::Node source) { isUserInput(source.asExpr(), _) }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(GlobalOrNamespaceVariable gv | writesVariable(sink.asInstruction(), gv))
+  }
+
+  override predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
+    instructionTaintStep(n1.asInstruction(), n2.asInstruction())
+    or
+    exists(StoreInstruction i1, LoadInstruction i2, GlobalOrNamespaceVariable gv |
+      writesVariable(i1, gv) and
+      readsVariable(i2, gv) and
+      i1 = n1.asInstruction() and
+      i2 = n2.asInstruction()
     )
   }
+
+  override predicate isBarrier(DataFlow::Node node) { nodeIsBarrier(node) }
 }
 
-private predicate accessesVariable(CopyInstruction copy, Variable var) {
-  exists(VariableAddressInstruction va | va.getASTVariable() = var |
-    copy.(StoreInstruction).getDestinationAddress() = va
-    or
-    copy.(LoadInstruction).getSourceAddress() = va
-  )
+private class FromGlobalVarTaintTrackingCfg extends DataFlow2::Configuration {
+  FromGlobalVarTaintTrackingCfg() { this = "FromGlobalVarTaintTrackingCfg" }
+
+  override predicate isSource(DataFlow::Node source) {
+    exists(
+      ToGlobalVarTaintTrackingCfg other, DataFlow::Node prevSink, GlobalOrNamespaceVariable gv
+    |
+      other.hasFlowTo(prevSink) and
+      writesVariable(prevSink.asInstruction(), gv) and
+      readsVariable(source.asInstruction(), gv)
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) { any() }
+
+  override predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
+    instructionTaintStep(n1.asInstruction(), n2.asInstruction())
+  }
+
+  override predicate isBarrier(DataFlow::Node node) { nodeIsBarrier(node) }
+}
+
+private predicate readsVariable(LoadInstruction load, Variable var) {
+  load.getSourceAddress().(VariableAddressInstruction).getASTVariable() = var
+}
+
+private predicate writesVariable(StoreInstruction store, Variable var) {
+  store.getDestinationAddress().(VariableAddressInstruction).getASTVariable() = var
 }
 
 /**
@@ -62,6 +103,13 @@ private predicate hasUpperBoundsCheck(Variable var) {
   )
 }
 
+private predicate nodeIsBarrier(DataFlow::Node node) {
+  exists(Variable checkedVar |
+    readsVariable(node.asInstruction(), checkedVar) and
+    hasUpperBoundsCheck(checkedVar)
+  )
+}
+
 private predicate instructionTaintStep(Instruction i1, Instruction i2) {
   // Expressions computed from tainted data are also tainted
   i2 = any(CallInstruction call |
@@ -99,51 +147,73 @@ private predicate instructionTaintStep(Instruction i1, Instruction i2) {
   // addition expression.
 }
 
+private Element adjustedSink(DataFlow::Node sink) {
+  // TODO: is it more appropriate to use asConvertedExpr here and avoid
+  // `getConversion*`? Or will that cause us to miss some cases where there's
+  // flow to a conversion (like a `ReferenceDereferenceExpr`) and we want to
+  // pretend there was flow to the converted `Expr` for the sake of
+  // compatibility.
+  sink.asExpr().getConversion*() = result
+  or
+  // For compatibility, send flow from arguments to parameters, even for
+  // functions with no body.
+  exists(FunctionCall call, int i |
+    sink.asExpr() = call.getArgument(i) and
+    result = resolveCall(call).getParameter(i)
+  )
+  or
+  // For compatibility, send flow into a `Variable` if there is flow to any
+  // Load or Store of that variable.
+  exists(CopyInstruction copy |
+    copy.getSourceValue() = sink.asInstruction() and
+    (
+      readsVariable(copy, result) or
+      writesVariable(copy, result)
+    ) and
+    not hasUpperBoundsCheck(result)
+  )
+  or
+  // For compatibility, send flow into a `NotExpr` even if it's part of a
+  // short-circuiting condition and thus might get skipped.
+  result.(NotExpr).getOperand() = sink.asExpr()
+}
+
 predicate tainted(Expr source, Element tainted) {
   exists(DefaultTaintTrackingCfg cfg, DataFlow::Node sink |
     cfg.hasFlow(DataFlow::exprNode(source), sink)
   |
-    // TODO: is it more appropriate to use asConvertedExpr here and avoid
-    // `getConversion*`? Or will that cause us to miss some cases where there's
-    // flow to a conversion (like a `ReferenceDereferenceExpr`) and we want to
-    // pretend there was flow to the converted `Expr` for the sake of
-    // compatibility.
-    sink.asExpr().getConversion*() = tainted
-    or
-    // For compatibility, send flow from arguments to parameters, even for
-    // functions with no body.
-    exists(FunctionCall call, int i |
-      sink.asExpr() = call.getArgument(i) and
-      tainted = resolveCall(call).getParameter(i)
-    )
-    or
-    // For compatibility, send flow into a `Variable` if there is flow to any
-    // Load or Store of that variable.
-    exists(CopyInstruction copy |
-      copy.getSourceValue() = sink.asInstruction() and
-      accessesVariable(copy, tainted) and
-      not hasUpperBoundsCheck(tainted)
-    )
-    or
-    // For compatibility, send flow into a `NotExpr` even if it's part of a
-    // short-circuiting condition and thus might get skipped.
-    tainted.(NotExpr).getOperand() = sink.asExpr()
+    tainted = adjustedSink(sink)
   )
 }
 
 predicate taintedIncludingGlobalVars(Expr source, Element tainted, string globalVar) {
   tainted(source, tainted) and
-  // TODO: Find a way to emulate how `security.TaintTracking` reports the last
-  // global variable that taint has passed through. Also make sure we emulate
-  // its behavior for interprocedural flow through globals.
   globalVar = ""
+  or
+  exists(
+    ToGlobalVarTaintTrackingCfg toCfg, FromGlobalVarTaintTrackingCfg fromCfg, DataFlow::Node store,
+    GlobalOrNamespaceVariable global, DataFlow::Node load, DataFlow::Node sink
+  |
+    toCfg.hasFlow(DataFlow::exprNode(source), store) and
+    store
+        .asInstruction()
+        .(StoreInstruction)
+        .getDestinationAddress()
+        .(VariableAddressInstruction)
+        .getASTVariable() = global and
+    load
+        .asInstruction()
+        .(LoadInstruction)
+        .getSourceAddress()
+        .(VariableAddressInstruction)
+        .getASTVariable() = global and
+    fromCfg.hasFlow(load, sink) and
+    tainted = adjustedSink(sink) and
+    global = globalVarFromId(globalVar)
+  )
 }
 
-GlobalOrNamespaceVariable globalVarFromId(string id) {
-  // TODO: Implement this when `taintedIncludingGlobalVars` has support for
-  // global variables.
-  none()
-}
+GlobalOrNamespaceVariable globalVarFromId(string id) { id = result.getQualifiedName() }
 
 Function resolveCall(Call call) {
   exists(CallInstruction callInstruction |
