

Commit 82a1b15

mbgowen-mc
authored and committed
Make AllocationSizeOverflow use new API
The extra nodes in .expected files are due to the changes from #13717, which are not applied to configuration classes extending DataFlow::Configuration or TaintTracking::Configuration.
1 parent 5a6ce29 commit 82a1b15

3 files changed

Lines changed: 79 additions & 17 deletions


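--- a/go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll
+++ b/go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll
@@ -14,9 +14,11 @@ module AllocationSizeOverflow {
 import AllocationSizeOverflowCustomizations::AllocationSizeOverflow
 
 /**
+* DEPRECATED: Use `FindLargeLensFlow` instead.
+*
 * A taint-tracking configuration for identifying `len(...)` calls whose argument may be large.
 */
-class FindLargeLensConfiguration extends TaintTracking2::Configuration {
+deprecated class FindLargeLensConfiguration extends TaintTracking2::Configuration {
 FindLargeLensConfiguration() { this = "AllocationSizeOverflow::FindLargeLens" }
 
 override predicate isSource(DataFlow::Node nd) { nd instanceof Source }
@@ -30,16 +32,28 @@ module AllocationSizeOverflow {
 override predicate isSanitizer(DataFlow::Node nd) { nd instanceof Sanitizer }
 }
 
+private module FindLargeLensConfig implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node nd) { nd instanceof Source }
+
+predicate isSink(DataFlow::Node nd) { nd = Builtin::len().getACall().getArgument(0) }
+
+predicate isBarrier(DataFlow::Node nd) { nd instanceof Sanitizer }
+}
+
+private module FindLargeLensFlow = TaintTracking::Global<FindLargeLensConfig>;
+
 private DataFlow::CallNode getALargeLenCall() {
-exists(FindLargeLensConfiguration config, DataFlow::Node lenArg | config.hasFlow(_, lenArg) |
+exists(DataFlow::Node lenArg | FindLargeLensFlow::flow(_, lenArg) |
 result.getArgument(0) = lenArg
 )
 }
 
 /**
+* DEPRECATED: Use `Flow` instead.
+*
 * A taint-tracking configuration for identifying allocation-size overflows.
 */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
 Configuration() { this = "AllocationSizeOverflow" }
 
 override predicate isSource(DataFlow::Node nd) { nd instanceof Source }
@@ -70,4 +84,32 @@ module AllocationSizeOverflow {
 
 override predicate isSanitizer(DataFlow::Node nd) { nd instanceof Sanitizer }
 }
+
+/**
+* Holds if `nd` is at a position where overflow might occur, and its result is used to compute
+* allocation size `allocsz`.
+*/
+predicate isSinkWithAllocationSize(DataFlow::Node nd, DataFlow::Node allocsz) {
+nd.(Sink).getAllocationSize() = allocsz
+}
+
+private module Config implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+predicate isSink(DataFlow::Node sink) { isSinkWithAllocationSize(sink, _) }
+
+predicate isBarrier(DataFlow::Node nd) { nd instanceof Sanitizer }
+
+predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
+additionalStep(pred, succ)
+or
+exists(DataFlow::CallNode c |
+c = getALargeLenCall() and
+pred = c.getArgument(0) and
+succ = c
+)
+}
+}
+
+module Flow = TaintTracking::Global<Config>;
 }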
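Review bot: The public `Flow` module at new line 114 has no QLDoc, while the deprecated class it replaces carries one and `isSinkWithAllocationSize` was given one in this same commit; add `/** Taint-tracking flow for identifying allocation-size overflows. */` above `module Flow = TaintTracking::Global<Config>;`. The second disjunct of `isAdditionalFlowStep` (new lines 106–110) is the non-obvious part of the configuration, since it carries taint from the argument of a `len` call into the call itself but only for calls selected by `getALargeLenCall()`, so a why-comment such as `// the result of \`len(x)\` is itself potentially large when \`x\` is` would help the next reader. Whether this disjunct mirrors the step the deprecated `Configuration` defined cannot be confirmed here, because that class's `isAdditionalTaintStep` lies outside the hunk. The private `FindLargeLensFlow` at new line 43 is likewise undocumented and would benefit from a one-line QLDoc naming what its sinks are.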

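--- a/go/ql/src/Security/CWE-190/AllocationSizeOverflow.ql
+++ b/go/ql/src/Security/CWE-190/AllocationSizeOverflow.ql
@@ -12,15 +12,15 @@
 */
 
 import go
-import DataFlow::PathGraph
 import semmle.go.security.AllocationSizeOverflow
+import AllocationSizeOverflow::Flow::PathGraph
 
 from
-AllocationSizeOverflow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink,
+AllocationSizeOverflow::Flow::PathNode source, AllocationSizeOverflow::Flow::PathNode sink,
 DataFlow::Node allocsz
 where
-cfg.hasFlowPath(source, sink) and
-cfg.isSinkWithAllocationSize(sink.getNode(), allocsz)
+AllocationSizeOverflow::Flow::flowPath(source, sink) and
+AllocationSizeOverflow::isSinkWithAllocationSize(sink.getNode(), allocsz)
 select sink, source, sink,
 "This operation, which is used in an $@, involves a $@ and might overflow.", allocsz,
 "allocation", source, "potentially large value"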

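--- a/go/ql/test/query-tests/Security/CWE-190/AllocationSizeOverflow.expected
+++ b/go/ql/test/query-tests/Security/CWE-190/AllocationSizeOverflow.expected
@@ -1,33 +1,53 @@
 edges
-| AllocationSizeOverflow.go:6:2:6:33 | ... := ...[0] | AllocationSizeOverflow.go:10:10:10:22 | call to len |
-| tst2.go:9:2:9:37 | ... := ...[0] | tst2.go:10:22:10:30 | call to len |
-| tst2.go:14:2:14:29 | ... := ...[0] | tst2.go:15:22:15:30 | call to len |
-| tst3.go:6:2:6:31 | ... := ...[0] | tst3.go:7:22:7:34 | call to len |
-| tst3.go:6:2:6:31 | ... := ...[0] | tst3.go:24:16:24:28 | call to len |
-| tst3.go:6:2:6:31 | ... := ...[0] | tst3.go:32:16:32:28 | call to len |
-| tst.go:14:2:14:30 | ... = ...[0] | tst.go:15:22:15:34 | call to len |
-| tst.go:20:2:20:31 | ... = ...[0] | tst.go:21:22:21:34 | call to len |
-| tst.go:26:2:26:31 | ... = ...[0] | tst.go:27:26:27:38 | call to len |
-| tst.go:34:2:34:30 | ... = ...[0] | tst.go:35:22:35:34 | call to len |
+| AllocationSizeOverflow.go:6:2:6:33 | ... := ...[0] | AllocationSizeOverflow.go:10:14:10:21 | jsonData |
+| AllocationSizeOverflow.go:10:14:10:21 | jsonData | AllocationSizeOverflow.go:10:10:10:22 | call to len |
+| tst2.go:9:2:9:37 | ... := ...[0] | tst2.go:10:26:10:29 | data |
+| tst2.go:10:26:10:29 | data | tst2.go:10:22:10:30 | call to len |
+| tst2.go:14:2:14:29 | ... := ...[0] | tst2.go:15:26:15:29 | data |
+| tst2.go:15:26:15:29 | data | tst2.go:15:22:15:30 | call to len |
+| tst3.go:6:2:6:31 | ... := ...[0] | tst3.go:7:26:7:33 | jsonData |
+| tst3.go:6:2:6:31 | ... := ...[0] | tst3.go:24:20:24:27 | jsonData |
+| tst3.go:6:2:6:31 | ... := ...[0] | tst3.go:32:20:32:27 | jsonData |
+| tst3.go:7:26:7:33 | jsonData | tst3.go:7:22:7:34 | call to len |
+| tst3.go:24:20:24:27 | jsonData | tst3.go:24:16:24:28 | call to len |
+| tst3.go:32:20:32:27 | jsonData | tst3.go:32:16:32:28 | call to len |
+| tst.go:14:2:14:30 | ... = ...[0] | tst.go:15:26:15:33 | jsonData |
+| tst.go:15:26:15:33 | jsonData | tst.go:15:22:15:34 | call to len |
+| tst.go:20:2:20:31 | ... = ...[0] | tst.go:21:26:21:33 | jsonData |
+| tst.go:21:26:21:33 | jsonData | tst.go:21:22:21:34 | call to len |
+| tst.go:26:2:26:31 | ... = ...[0] | tst.go:27:30:27:37 | jsonData |
+| tst.go:27:30:27:37 | jsonData | tst.go:27:26:27:38 | call to len |
+| tst.go:34:2:34:30 | ... = ...[0] | tst.go:35:26:35:33 | jsonData |
+| tst.go:35:26:35:33 | jsonData | tst.go:35:22:35:34 | call to len |
 nodes
 | AllocationSizeOverflow.go:6:2:6:33 | ... := ...[0] | semmle.label | ... := ...[0] |
 | AllocationSizeOverflow.go:10:10:10:22 | call to len | semmle.label | call to len |
+| AllocationSizeOverflow.go:10:14:10:21 | jsonData | semmle.label | jsonData |
 | tst2.go:9:2:9:37 | ... := ...[0] | semmle.label | ... := ...[0] |
 | tst2.go:10:22:10:30 | call to len | semmle.label | call to len |
+| tst2.go:10:26:10:29 | data | semmle.label | data |
 | tst2.go:14:2:14:29 | ... := ...[0] | semmle.label | ... := ...[0] |
 | tst2.go:15:22:15:30 | call to len | semmle.label | call to len |
+| tst2.go:15:26:15:29 | data | semmle.label | data |
 | tst3.go:6:2:6:31 | ... := ...[0] | semmle.label | ... := ...[0] |
 | tst3.go:7:22:7:34 | call to len | semmle.label | call to len |
+| tst3.go:7:26:7:33 | jsonData | semmle.label | jsonData |
 | tst3.go:24:16:24:28 | call to len | semmle.label | call to len |
+| tst3.go:24:20:24:27 | jsonData | semmle.label | jsonData |
 | tst3.go:32:16:32:28 | call to len | semmle.label | call to len |
+| tst3.go:32:20:32:27 | jsonData | semmle.label | jsonData |
 | tst.go:14:2:14:30 | ... = ...[0] | semmle.label | ... = ...[0] |
 | tst.go:15:22:15:34 | call to len | semmle.label | call to len |
+| tst.go:15:26:15:33 | jsonData | semmle.label | jsonData |
 | tst.go:20:2:20:31 | ... = ...[0] | semmle.label | ... = ...[0] |
 | tst.go:21:22:21:34 | call to len | semmle.label | call to len |
+| tst.go:21:26:21:33 | jsonData | semmle.label | jsonData |
 | tst.go:26:2:26:31 | ... = ...[0] | semmle.label | ... = ...[0] |
 | tst.go:27:26:27:38 | call to len | semmle.label | call to len |
+| tst.go:27:30:27:37 | jsonData | semmle.label | jsonData |
 | tst.go:34:2:34:30 | ... = ...[0] | semmle.label | ... = ...[0] |
 | tst.go:35:22:35:34 | call to len | semmle.label | call to len |
+| tst.go:35:26:35:33 | jsonData | semmle.label | jsonData |
 subpaths
 #select
 | AllocationSizeOverflow.go:10:10:10:22 | call to len | AllocationSizeOverflow.go:6:2:6:33 | ... := ...[0] | AllocationSizeOverflow.go:10:10:10:22 | call to len | This operation, which is used in an $@, involves a $@ and might overflow. | AllocationSizeOverflow.go:11:25:11:28 | size | allocation | AllocationSizeOverflow.go:6:2:6:33 | ... := ...[0] | potentially large value |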
