use abstract class for decompression sinks
1 parent 13f697c commit 656dc4e

12 files changed

Lines changed: 139 additions & 352 deletions


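--- a/cpp/ql/src/experimental/query-tests/Security/CWE/CWE-409/Brotli.qll
+++ b/cpp/ql/src/experimental/query-tests/Security/CWE/CWE-409/Brotli.qll
@@ -6,33 +6,22 @@ import cpp
 import semmle.code.cpp.ir.dataflow.TaintTracking
 import semmle.code.cpp.security.FlowSources
 import semmle.code.cpp.commons.File
+import DecompressionBomb
 
 /**
-* A Pointer Variable is used in Flow source
+* The `BrotliDecoderDecompress` function is used in flow sink. * Ref: https://www.brotli.org/decode.html#af68
 */
-class PointerVar extends VariableAccess {
-PointerVar() { this.getType() instanceof PointerType }
-}
-
-/**
-* A Pointer Variable is used in Flow source
-*/
-class Uint8Var extends VariableAccess {
-Uint8Var() { this.getType() instanceof UInt8_t }
-}
-
-/**
-* The `BrotliDecoderDecompress` function is used in Flow sink
-* Ref: https://www.brotli.org/decode.html#af68
-*/
-class BrotliDecoderDecompressFunction extends Function {
+class BrotliDecoderDecompressFunction extends DecompressionFunction {
 BrotliDecoderDecompressFunction() { this.hasGlobalName(["BrotliDecoderDecompress"]) }
+
+override int getArchiveParameterIndex() { result = 1 }
 }
 
 /**
-* The `BrotliDecoderDecompressStream` function is used in Flow sink
-* Ref: https://www.brotli.org/decode.html#a234
+* The `BrotliDecoderDecompressStream` function is used in flow sink. * Ref: https://www.brotli.org/decode.html#a234
 */
-class BrotliDecoderDecompressStreamFunction extends Function {
+class BrotliDecoderDecompressStreamFunction extends DecompressionFunction {
 BrotliDecoderDecompressStreamFunction() { this.hasGlobalName(["BrotliDecoderDecompressStream"]) }
+
+override int getArchiveParameterIndex() { result = 2 }
 }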
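Review bot: The rewritten QLDoc at new lines 12 and 21 folds what were two comment lines into one, leaving a stray `* Ref:` marker in the middle of the sentence (`... is used in flow sink. * Ref: https://www.brotli.org/decode.html#af68`). Split each back into two lines, ` * The \`BrotliDecoderDecompress\` function is used in flow sink.` followed by ` * Ref: https://www.brotli.org/decode.html#af68`, and the same for the `BrotliDecoderDecompressStream` comment. The two `getArchiveParameterIndex` overrides would also read better with a one-line comment saying which parameter the index denotes, e.g. `// index of the parameter that receives the compressed input buffer`, since a bare `result = 1` / `result = 2` gives a reader nothing to check against the Brotli API.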

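--- a/cpp/ql/src/experimental/query-tests/Security/CWE/CWE-409/Bzip2.qll
+++ b/cpp/ql/src/experimental/query-tests/Security/CWE/CWE-409/Bzip2.qll
@@ -6,45 +6,40 @@ import cpp
 import semmle.code.cpp.ir.dataflow.TaintTracking
 import semmle.code.cpp.security.FlowSources
 import semmle.code.cpp.commons.File
-
-/**
-* A `bz_stream` Variable as a Flow source
-*/
-class BzStreamVar extends VariableAccess {
-BzStreamVar() { this.getType().hasName("bz_stream") }
-}
-
-/**
-* A `BZFILE` Variable as a Flow source
-*/
-class BzFileVar extends VariableAccess {
-BzFileVar() { this.getType().hasName("BZFILE") }
-}
+import DecompressionBomb
 
 /**
 * The `BZ2_bzDecompress` function as a Flow source
 */
-class BZ2BzDecompressFunction extends Function {
+class BZ2BzDecompressFunction extends DecompressionFunction {
 BZ2BzDecompressFunction() { this.hasGlobalName(["BZ2_bzDecompress"]) }
+
+override int getArchiveParameterIndex() { result = 0 }
 }
 
 /**
 * The `BZ2_bzReadOpen` function
 */
-class BZ2BzReadOpenFunction extends Function {
+class BZ2BzReadOpenFunction extends DecompressionFunction {
 BZ2BzReadOpenFunction() { this.hasGlobalName(["BZ2_bzReadOpen"]) }
+
+override int getArchiveParameterIndex() { result = 0 }
 }
 
 /**
-* The `BZ2_bzRead` function is used in Flow sink
+* The `BZ2_bzRead` function is used in flow sink.
 */
-class BZ2BzReadFunction extends Function {
+class BZ2BzReadFunction extends DecompressionFunction {
 BZ2BzReadFunction() { this.hasGlobalName("BZ2_bzRead") }
+
+override int getArchiveParameterIndex() { result = 1 }
 }
 
 /**
-* The `BZ2_bzBuffToBuffDecompress` function is used in Flow sink
+* The `BZ2_bzBuffToBuffDecompress` function is used in flow sink.
 */
-class BZ2BzBuffToBuffDecompressFunction extends Function {
+class BZ2BzBuffToBuffDecompressFunction extends DecompressionFunction {
 BZ2BzBuffToBuffDecompressFunction() { this.hasGlobalName("BZ2_bzBuffToBuffDecompress") }
+
+override int getArchiveParameterIndex() { result = 2 }
 }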
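Review bot: `BZ2BzReadOpenFunction` now extends `DecompressionFunction` with `override int getArchiveParameterIndex() { result = 0 }`, which makes `BZ2_bzReadOpen` a sink of the generic `isSink` in DecompressionBombs.ql even though it was not in the per-function sink list that commit removes, so this is a behavioural change beyond the refactor the title describes. If I recall the bzip2 API correctly, the first parameter of `BZ2_bzReadOpen` is the `int *bzerror` out-parameter and the `FILE *` comes second, so index 0 would flag the wrong argument; please confirm the intended parameter, or keep this class a plain `Function` if it is only meant as a source/open helper. The QLDoc of `BZ2BzDecompressFunction` still reads `as a Flow source` although the class now models a sink; suggest ` * The \`BZ2_bzDecompress\` function is used in flow sink.` to match the other comments updated in this file.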
Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,8 @@
1+
import cpp
2+
3+
/**
4+
* The Decompression Sink instances, extend this class to defind new decompression sinks.
5+
*/
6+
abstract class DecompressionFunction extends Function {
7+
abstract int getArchiveParameterIndex();
8+
}
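Review bot: The QLDoc on `DecompressionFunction` has a typo (`defind`) and does not say what `getArchiveParameterIndex` is supposed to return, which is the one contract an implementer of this abstract class needs. Suggest ` * A function that decompresses data. Extend this class to define new decompression sinks.` on the class, and a QLDoc on the abstract predicate such as ` * Gets the index of the parameter that receives the compressed input; the argument at this index of a call is treated as a sink.`. Note that the file header for this new file is not shown on the page; the `import DecompressionBomb` lines in the other sections suggest it is the module they import.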

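--- a/cpp/ql/src/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs.ql
+++ b/cpp/ql/src/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs.ql
@@ -15,124 +15,16 @@ import cpp
 import semmle.code.cpp.ir.dataflow.TaintTracking
 import semmle.code.cpp.security.FlowSources
 import semmle.code.cpp.commons.File
-import Bzip2
-import Brotli
-import LibArchive
-import LibMiniz
-import ZSTD
 import MiniZip
-import XZ
 import ZlibGzopen
-import ZlibUncompress
-import ZlibInflator
-import Brotli
+import DecompressionBomb
 
 module DecompressionTaintConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) { source instanceof FlowSource }
 
 predicate isSink(DataFlow::Node sink) {
-exists(FunctionCall fc | fc.getTarget() instanceof BrotliDecoderDecompressStreamFunction |
-fc.getArgument(2) = sink.asExpr()
-)
-or
-exists(FunctionCall fc | fc.getTarget() instanceof BrotliDecoderDecompressFunction |
-fc.getArgument(1) = sink.asExpr()
-)
-or
-exists(FunctionCall fc | fc.getTarget() instanceof BZ2BzDecompressFunction |
-fc.getArgument(0) = sink.asExpr()
-)
-or
-exists(FunctionCall fc | fc.getTarget() instanceof BZ2BzReadFunction |
-fc.getArgument(1) = sink.asExpr()
-)
-or
-exists(FunctionCall fc | fc.getTarget() instanceof BZ2BzBuffToBuffDecompressFunction |
-fc.getArgument(2) = sink.asExpr()
-)
-or
-exists(FunctionCall fc | fc.getTarget() instanceof Archive_read_data_block |
-fc.getArgument(0) = sink.asExpr()
-)
-or
-exists(FunctionCall fc | fc.getTarget() instanceof MzUncompress |
-fc.getArgument(0) = sink.asExpr()
-)
-or
-exists(FunctionCall fc | fc.getTarget() instanceof MzZipReaderExtract |
-fc.getArgument(1) = sink.asExpr()
-)
-or
-exists(FunctionCall fc | fc.getTarget() instanceof MzInflate |
-fc.getArgument(0) = sink.asExpr()
-)
-or
-exists(FunctionCall fc | fc.getTarget() instanceof TinflDecompress |
-fc.getArgument(1) = sink.asExpr()
-)
-or
-exists(FunctionCall fc | fc.getTarget() instanceof TinflDecompressMem |
-fc.getArgument(0) = sink.asExpr()
-)
-or
-exists(FunctionCall fc | fc.getTarget() instanceof ZSTDDecompressFunction |
-fc.getArgument(2) = sink.asExpr()
-)
-or
-exists(FunctionCall fc | fc.getTarget() instanceof ZSTDDecompressDCtxFunction |
-fc.getArgument(3) = sink.asExpr()
-)
-or
-exists(FunctionCall fc | fc.getTarget() instanceof ZSTDDecompressStreamFunction |
-fc.getArgument(2) = sink.asExpr()
-)
-or
-exists(FunctionCall fc | fc.getTarget() instanceof ZSTDDecompressUsingDictFunction |
-fc.getArgument(3) = sink.asExpr()
-)
-or
-exists(FunctionCall fc | fc.getTarget() instanceof ZSTDDecompressUsingDDictFunction |
-fc.getArgument(3) = sink.asExpr()
-)
-or
-exists(FunctionCall fc | fc.getTarget() instanceof UnzReadCurrentFileFunction |
-fc.getArgument(0) = sink.asExpr()
-)
-or
-exists(FunctionCall fc | fc.getTarget() instanceof Mz_zip_reader_entry |
-fc.getArgument(1) = sink.asExpr()
-)
-or
-exists(FunctionCall fc | fc.getTarget() instanceof Mz_zip_entry |
-fc.getArgument(1) = sink.asExpr()
-)
-or
-exists(FunctionCall fc | fc.getTarget() instanceof LzmaStreamBufferDecodeFunction |
-fc.getArgument(1) = sink.asExpr()
-)
-or
-exists(FunctionCall fc | fc.getTarget() instanceof LzmaCodeFunction |
-fc.getArgument(0) = sink.asExpr()
-)
-or
-exists(FunctionCall fc | fc.getTarget() instanceof GzReadFunction |
-fc.getArgument(0) = sink.asExpr()
-)
-or
-exists(FunctionCall fc | fc.getTarget() instanceof GzFreadFunction |
-sink.asExpr() = fc.getArgument(3)
-)
-or
-exists(FunctionCall fc | fc.getTarget() instanceof GzGetsFunction |
-sink.asExpr() = fc.getArgument(0)
-)
-or
-exists(FunctionCall fc | fc.getTarget() instanceof InflateFunction |
-fc.getArgument(0) = sink.asExpr()
-)
-or
-exists(FunctionCall fc | fc.getTarget() instanceof UncompressFunction |
-fc.getArgument(0) = sink.asExpr()
+exists(FunctionCall fc, DecompressionFunction f | fc.getTarget() = f |
+fc.getArgument(f.getArchiveParameterIndex()) = sink.asExpr()
 )
 }
 
@@ -158,21 +50,6 @@ module DecompressionTaintConfig implements DataFlow::ConfigSig {
 node1.asExpr() = fc.getArgument(0) and
 node2.asExpr() = fc
 )
-or
-exists(FunctionCall fc | fc.getTarget() instanceof GzReadFunction |
-node1.asExpr() = fc.getArgument(0) and
-node2.asExpr() = fc.getArgument(1)
-)
-or
-exists(FunctionCall fc | fc.getTarget() instanceof GzFreadFunction |
-node1.asExpr() = fc.getArgument(3) and
-node2.asExpr() = fc.getArgument(0)
-)
-or
-exists(FunctionCall fc | fc.getTarget() instanceof GzGetsFunction |
-node1.asExpr() = fc.getArgument(0) and
-node1.asExpr() = fc.getArgument(1)
-)
 }
 }
 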
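--- a/cpp/ql/src/experimental/query-tests/Security/CWE/CWE-409/LibArchive.qll
+++ b/cpp/ql/src/experimental/query-tests/Security/CWE/CWE-409/LibArchive.qll
@@ -5,21 +5,16 @@
 import cpp
 import semmle.code.cpp.ir.dataflow.TaintTracking
 import semmle.code.cpp.security.FlowSources
+import DecompressionBomb
 
 /**
-* The `archive_read_new` function as a Flow source
-* create a `archive` instance
-*/
-class Archive_read_new extends Function {
-Archive_read_new() { this.hasGlobalName("archive_read_new") }
-}
-
-/**
-* The `archive_read_data*` functions are used in Flow Sink
+* The `archive_read_data*` functions are used in flow sink.
 * [Examples](https://github.com/libarchive/libarchive/wiki/Examples)
 */
-class Archive_read_data_block extends Function {
+class Archive_read_data_block extends DecompressionFunction {
 Archive_read_data_block() {
 this.hasGlobalName(["archive_read_data_block", "archive_read_data", "archive_read_data_into_fd"])
 }
+
+override int getArchiveParameterIndex() { result = 0 }
 }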
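Review bot: `Archive_read_data_block` keeps its snake_case name while the sibling `DecompressionFunction` subclasses in Brotli.qll and Bzip2.qll use PascalCase `...Function` names (`BrotliDecoderDecompressFunction`, `BZ2BzReadFunction`); since this commit already touches every subclass, renaming it to something like `ArchiveReadDataFunction` would make the hierarchy consistent and stop the name suggesting only `archive_read_data_block` when the class matches three functions. The single `override int getArchiveParameterIndex() { result = 0 }` is correct only because all three `hasGlobalName` alternatives take the archive handle as their first parameter (as the libarchive API documents, to my knowledge); a one-line comment such as `// the \`struct archive *\` handle is parameter 0 of all three functions` would record that assumption for whoever adds a fourth name.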
