Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 5dc6e13

Browse files
author
Robert Marsh
committed
C++: use TaintTracking2 in ExecTainted.ql
1 parent 4d2036f commit 5dc6e13

1 file changed

Lines changed: 5 additions & 11 deletions

File tree

cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql

Lines changed: 5 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -22,6 +22,8 @@ import semmle.code.cpp.ir.IR
2222
import semmle.code.cpp.security.FlowSources
2323
import semmle.code.cpp.models.implementations.Strcat
2424

25+
import DataFlow::PathGraph
26+
2527
Expr sinkAsArgumentIndirection(DataFlow::Node sink) {
2628
result =
2729
sink.asOperand()
@@ -85,7 +87,7 @@ class TaintToConcatenationConfiguration extends TaintTracking::Configuration {
8587
}
8688
}
8789

88-
class ExecTaintConfiguration extends TaintTracking::Configuration {
90+
class ExecTaintConfiguration extends TaintTracking2::Configuration {
8991
ExecTaintConfiguration() { this = "ExecTaintConfiguration" }
9092

9193
override predicate isSource(DataFlow::Node source) {
@@ -101,17 +103,8 @@ class ExecTaintConfiguration extends TaintTracking::Configuration {
101103
}
102104
}
103105

104-
query predicate nodes = DataFlow::PathGraph::nodes/3;
105-
106-
query predicate edges(DataFlow::PathNode a, DataFlow::PathNode b) {
107-
DataFlow::PathGraph::edges(a, b) or
108-
interestingConcatenation(a.getNode(), b.getNode()) and
109-
a.getConfiguration() instanceof TaintToConcatenationConfiguration and
110-
b.getConfiguration() instanceof ExecTaintConfiguration
111-
}
112-
113106
from
114-
DataFlow::PathNode sourceNode, DataFlow::PathNode concatSink, DataFlow::PathNode concatSource, DataFlow::PathNode sinkNode, string taintCause, string callChain,
107+
DataFlow::PathNode sourceNode, DataFlow::PathNode concatSink, DataFlow2::PathNode concatSource, DataFlow2::PathNode sinkNode, string taintCause, string callChain,
115108
TaintToConcatenationConfiguration conf1, ExecTaintConfiguration conf2
116109
where
117110
taintCause = sourceNode.getNode().(FlowSource).getSourceType() and
@@ -122,3 +115,4 @@ where
122115
select sinkAsArgumentIndirection(sinkNode.getNode()), sourceNode, sinkNode,
123116
"This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to " + callChain, sourceNode,
124117
"user input (" + taintCause + ")", concatSource, concatSource.toString()
118+

0 commit comments

Comments
 (0)