Merge pull request #2259 from rdmarsh2/rdmarsh/cpp/default-taint-tracking-sources

jbj · web-flow · commit a13748f4843e · 2019-12-19T14:09:41.000+01:00
C++: move sources into DefaultTaintTracking.qll
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
@@ -19,10 +19,32 @@ private predicate predictableInstruction(Instruction instr) {
   predictableInstruction(instr.(UnaryInstruction).getUnary())
 }
 
+private predicate userInputInstruction(Instruction instr) {
+  exists(CallInstruction ci, WriteSideEffectInstruction wsei |
+    userInputArgument(ci.getConvertedResultExpression(), wsei.getIndex()) and
+    instr = wsei and
+    wsei.getPrimaryInstruction() = ci
+  )
+  or
+  userInputReturned(instr.getConvertedResultExpression())
+  or
+  instr.getConvertedResultExpression() instanceof EnvironmentRead
+  or
+  instr
+      .(LoadInstruction)
+      .getSourceAddress()
+      .(VariableAddressInstruction)
+      .getASTVariable()
+      .hasName("argv") and
+  instr.getEnclosingFunction().hasGlobalName("main")
+}
+
 private class DefaultTaintTrackingCfg extends DataFlow::Configuration {
   DefaultTaintTrackingCfg() { this = "DefaultTaintTrackingCfg" }
 
-  override predicate isSource(DataFlow::Node source) { isUserInput(source.asExpr(), _) }
+  override predicate isSource(DataFlow::Node source) {
+    userInputInstruction(source.asInstruction())
+  }
 
   override predicate isSink(DataFlow::Node sink) { any() }
 
@@ -135,6 +157,8 @@ private predicate instructionTaintStep(Instruction i1, Instruction i2) {
   // This is part of the translation of `a[i]`, where we want taint to flow
   // from `a`.
   i2.(PointerAddInstruction).getLeft() = i1
+  // TODO: robust Chi handling
+  //
   // TODO: Flow from argument to return of known functions: Port missing parts
   // of `returnArgument` to the `interfaces.Taint` and `interfaces.DataFlow`
   // libraries.
@@ -176,11 +200,30 @@ private Element adjustedSink(DataFlow::Node sink) {
   // For compatibility, send flow into a `NotExpr` even if it's part of a
   // short-circuiting condition and thus might get skipped.
   result.(NotExpr).getOperand() = sink.asExpr()
+  or
+  // For compatibility, send flow from argument read side effects to their
+  // corresponding argument expression
+  exists(IndirectReadSideEffectInstruction read |
+    read.getAnOperand().(SideEffectOperand).getAnyDef() = sink.asInstruction() and
+    read.getArgumentDef().getUnconvertedResultExpression() = result
+  )
+  or
+  exists(BufferReadSideEffectInstruction read |
+    read.getAnOperand().(SideEffectOperand).getAnyDef() = sink.asInstruction() and
+    read.getArgumentDef().getUnconvertedResultExpression() = result
+  )
+  or
+  exists(SizedBufferReadSideEffectInstruction read |
+    read.getAnOperand().(SideEffectOperand).getAnyDef() = sink.asInstruction() and
+    read.getArgumentDef().getUnconvertedResultExpression() = result
+  )
 }
 
 predicate tainted(Expr source, Element tainted) {
   exists(DefaultTaintTrackingCfg cfg, DataFlow::Node sink |
     cfg.hasFlow(DataFlow::exprNode(source), sink)
+    or
+    cfg.hasFlow(DataFlow::definitionByReferenceNode(source), sink)
   |
     tainted = adjustedSink(sink)
   )
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -173,11 +173,48 @@ abstract class PostUpdateNode extends Node {
   abstract Node getPreUpdateNode();
 }
 
+/**
+ * A node that represents the value of a variable after a function call that
+ * may have changed the variable because it's passed by reference.
+ *
+ * A typical example would be a call `f(&x)`. Firstly, there will be flow into
+ * `x` from previous definitions of `x`. Secondly, there will be a
+ * `DefinitionByReferenceNode` to represent the value of `x` after the call has
+ * returned. This node will have its `getArgument()` equal to `&x` and its
+ * `getVariableAccess()` equal to `x`.
+ */
+class DefinitionByReferenceNode extends Node {
+  override WriteSideEffectInstruction instr;
+
+  /** Gets the argument corresponding to this node. */
+  Expr getArgument() {
+    result = instr
+          .getPrimaryInstruction()
+          .(CallInstruction)
+          .getPositionalArgument(instr.getIndex())
+          .getUnconvertedResultExpression()
+    or
+    result = instr
+          .getPrimaryInstruction()
+          .(CallInstruction)
+          .getThisArgument()
+          .getUnconvertedResultExpression() and
+    instr.getIndex() = -1
+  }
+
+  /** Gets the parameter through which this value is assigned. */
+  Parameter getParameter() {
+    exists(CallInstruction ci | result = ci.getStaticCallTarget().getParameter(instr.getIndex()))
+  }
+}
+
 /**
  * Gets the node corresponding to `instr`.
  */
 Node instructionNode(Instruction instr) { result.asInstruction() = instr }
 
+DefinitionByReferenceNode definitionByReferenceNode(Expr e) { result.getArgument() = e }
+
 /**
  * Gets a `Node` corresponding to `e` or any of its conversions. There is no
  * result if `e` is a `Conversion`.
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
@@ -1236,6 +1236,8 @@ class IndirectReadSideEffectInstruction extends SideEffectInstruction {
   IndirectReadSideEffectInstruction() { getOpcode() instanceof Opcode::IndirectReadSideEffect }
 
   Instruction getArgumentDef() { result = getAnOperand().(AddressOperand).getDef() }
+
+  Instruction getSideEffect() { result = getAnOperand().(SideEffectOperand).getDef() }
 }
 
 /**
@@ -1245,6 +1247,8 @@ class BufferReadSideEffectInstruction extends SideEffectInstruction {
   BufferReadSideEffectInstruction() { getOpcode() instanceof Opcode::BufferReadSideEffect }
 
   Instruction getArgumentDef() { result = getAnOperand().(AddressOperand).getDef() }
+
+  Instruction getSideEffect() { result = getAnOperand().(SideEffectOperand).getDef() }
 }
 
 /**
@@ -1258,12 +1262,14 @@ class SizedBufferReadSideEffectInstruction extends SideEffectInstruction {
   Instruction getArgumentDef() { result = getAnOperand().(AddressOperand).getDef() }
 
   Instruction getSizeDef() { result = getAnOperand().(BufferSizeOperand).getDef() }
+
+  Instruction getSideEffect() { result = getAnOperand().(SideEffectOperand).getDef() }
 }
 
 /**
  * An instruction representing a side effect of a function call.
  */
-class WriteSideEffectInstruction extends SideEffectInstruction {
+class WriteSideEffectInstruction extends SideEffectInstruction, IndexedInstruction {
   WriteSideEffectInstruction() { getOpcode() instanceof WriteSideEffectOpcode }
 
   Instruction getArgumentDef() { result = getAnOperand().(AddressOperand).getDef() }
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll
@@ -1236,6 +1236,8 @@ class IndirectReadSideEffectInstruction extends SideEffectInstruction {
   IndirectReadSideEffectInstruction() { getOpcode() instanceof Opcode::IndirectReadSideEffect }
 
   Instruction getArgumentDef() { result = getAnOperand().(AddressOperand).getDef() }
+
+  Instruction getSideEffect() { result = getAnOperand().(SideEffectOperand).getDef() }
 }
 
 /**
@@ -1245,6 +1247,8 @@ class BufferReadSideEffectInstruction extends SideEffectInstruction {
   BufferReadSideEffectInstruction() { getOpcode() instanceof Opcode::BufferReadSideEffect }
 
   Instruction getArgumentDef() { result = getAnOperand().(AddressOperand).getDef() }
+
+  Instruction getSideEffect() { result = getAnOperand().(SideEffectOperand).getDef() }
 }
 
 /**
@@ -1258,12 +1262,14 @@ class SizedBufferReadSideEffectInstruction extends SideEffectInstruction {
   Instruction getArgumentDef() { result = getAnOperand().(AddressOperand).getDef() }
 
   Instruction getSizeDef() { result = getAnOperand().(BufferSizeOperand).getDef() }
+
+  Instruction getSideEffect() { result = getAnOperand().(SideEffectOperand).getDef() }
 }
 
 /**
  * An instruction representing a side effect of a function call.
  */
-class WriteSideEffectInstruction extends SideEffectInstruction {
+class WriteSideEffectInstruction extends SideEffectInstruction, IndexedInstruction {
   WriteSideEffectInstruction() { getOpcode() instanceof WriteSideEffectOpcode }
 
   Instruction getArgumentDef() { result = getAnOperand().(AddressOperand).getDef() }
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll
@@ -1236,6 +1236,8 @@ class IndirectReadSideEffectInstruction extends SideEffectInstruction {
   IndirectReadSideEffectInstruction() { getOpcode() instanceof Opcode::IndirectReadSideEffect }
 
   Instruction getArgumentDef() { result = getAnOperand().(AddressOperand).getDef() }
+
+  Instruction getSideEffect() { result = getAnOperand().(SideEffectOperand).getDef() }
 }
 
 /**
@@ -1245,6 +1247,8 @@ class BufferReadSideEffectInstruction extends SideEffectInstruction {
   BufferReadSideEffectInstruction() { getOpcode() instanceof Opcode::BufferReadSideEffect }
 
   Instruction getArgumentDef() { result = getAnOperand().(AddressOperand).getDef() }
+
+  Instruction getSideEffect() { result = getAnOperand().(SideEffectOperand).getDef() }
 }
 
 /**
@@ -1258,12 +1262,14 @@ class SizedBufferReadSideEffectInstruction extends SideEffectInstruction {
   Instruction getArgumentDef() { result = getAnOperand().(AddressOperand).getDef() }
 
   Instruction getSizeDef() { result = getAnOperand().(BufferSizeOperand).getDef() }
+
+  Instruction getSideEffect() { result = getAnOperand().(SideEffectOperand).getDef() }
 }
 
 /**
  * An instruction representing a side effect of a function call.
  */
-class WriteSideEffectInstruction extends SideEffectInstruction {
+class WriteSideEffectInstruction extends SideEffectInstruction, IndexedInstruction {
   WriteSideEffectInstruction() { getOpcode() instanceof WriteSideEffectOpcode }
 
   Instruction getArgumentDef() { result = getAnOperand().(AddressOperand).getDef() }
diff --git a/cpp/ql/src/semmle/code/cpp/models/Models.qll b/cpp/ql/src/semmle/code/cpp/models/Models.qll
@@ -1,3 +1,4 @@
+private import implementations.Fread
 private import implementations.IdentityFunction
 private import implementations.Inet
 private import implementations.Memcpy
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Fread.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Fread.qll
@@ -0,0 +1,14 @@
+import semmle.code.cpp.models.interfaces.Alias
+
+class Fread extends AliasFunction {
+  Fread() { this.hasGlobalName("fread") }
+
+  override predicate parameterNeverEscapes(int n) {
+    n = 0 or
+    n = 3
+  }
+
+  override predicate parameterEscapesOnlyViaReturn(int n) { none() }
+
+  override predicate parameterIsAlwaysReturned(int n) { none() }
+}
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Printf.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Printf.qll
@@ -1,9 +1,10 @@
 import semmle.code.cpp.models.interfaces.FormattingFunction
+import semmle.code.cpp.models.interfaces.Alias
 
 /**
  * The standard functions `printf`, `wprintf` and their glib variants.
  */
-class Printf extends FormattingFunction {
+class Printf extends FormattingFunction, AliasFunction {
   Printf() {
     this instanceof TopLevelFunction and
     (
@@ -22,6 +23,12 @@ class Printf extends FormattingFunction {
     hasGlobalOrStdName("wprintf") or
     hasGlobalName("wprintf_s")
   }
+
+  override predicate parameterNeverEscapes(int n) { n = 0 }
+
+  override predicate parameterEscapesOnlyViaReturn(int n) { none() }
+
+  override predicate parameterIsAlwaysReturned(int n) { none() }
 }
 
 /**
diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/Instruction.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/Instruction.qll
@@ -1236,6 +1236,8 @@ class IndirectReadSideEffectInstruction extends SideEffectInstruction {
   IndirectReadSideEffectInstruction() { getOpcode() instanceof Opcode::IndirectReadSideEffect }
 
   Instruction getArgumentDef() { result = getAnOperand().(AddressOperand).getDef() }
+
+  Instruction getSideEffect() { result = getAnOperand().(SideEffectOperand).getDef() }
 }
 
 /**
@@ -1245,6 +1247,8 @@ class BufferReadSideEffectInstruction extends SideEffectInstruction {
   BufferReadSideEffectInstruction() { getOpcode() instanceof Opcode::BufferReadSideEffect }
 
   Instruction getArgumentDef() { result = getAnOperand().(AddressOperand).getDef() }
+
+  Instruction getSideEffect() { result = getAnOperand().(SideEffectOperand).getDef() }
 }
 
 /**
@@ -1258,12 +1262,14 @@ class SizedBufferReadSideEffectInstruction extends SideEffectInstruction {
   Instruction getArgumentDef() { result = getAnOperand().(AddressOperand).getDef() }
 
   Instruction getSizeDef() { result = getAnOperand().(BufferSizeOperand).getDef() }
+
+  Instruction getSideEffect() { result = getAnOperand().(SideEffectOperand).getDef() }
 }
 
 /**
  * An instruction representing a side effect of a function call.
  */
-class WriteSideEffectInstruction extends SideEffectInstruction {
+class WriteSideEffectInstruction extends SideEffectInstruction, IndexedInstruction {
   WriteSideEffectInstruction() { getOpcode() instanceof WriteSideEffectOpcode }
 
   Instruction getArgumentDef() { result = getAnOperand().(AddressOperand).getDef() }
diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/Instruction.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/Instruction.qll
@@ -1236,6 +1236,8 @@ class IndirectReadSideEffectInstruction extends SideEffectInstruction {
   IndirectReadSideEffectInstruction() { getOpcode() instanceof Opcode::IndirectReadSideEffect }
 
   Instruction getArgumentDef() { result = getAnOperand().(AddressOperand).getDef() }
+
+  Instruction getSideEffect() { result = getAnOperand().(SideEffectOperand).getDef() }
 }
 
 /**
@@ -1245,6 +1247,8 @@ class BufferReadSideEffectInstruction extends SideEffectInstruction {
   BufferReadSideEffectInstruction() { getOpcode() instanceof Opcode::BufferReadSideEffect }
 
   Instruction getArgumentDef() { result = getAnOperand().(AddressOperand).getDef() }
+
+  Instruction getSideEffect() { result = getAnOperand().(SideEffectOperand).getDef() }
 }
 
 /**
@@ -1258,12 +1262,14 @@ class SizedBufferReadSideEffectInstruction extends SideEffectInstruction {
   Instruction getArgumentDef() { result = getAnOperand().(AddressOperand).getDef() }
 
   Instruction getSizeDef() { result = getAnOperand().(BufferSizeOperand).getDef() }
+
+  Instruction getSideEffect() { result = getAnOperand().(SideEffectOperand).getDef() }
 }
 
 /**
  * An instruction representing a side effect of a function call.
  */
-class WriteSideEffectInstruction extends SideEffectInstruction {
+class WriteSideEffectInstruction extends SideEffectInstruction, IndexedInstruction {
   WriteSideEffectInstruction() { getOpcode() instanceof WriteSideEffectOpcode }
 
   Instruction getArgumentDef() { result = getAnOperand().(AddressOperand).getDef() }

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+private import implementations.Fread`
`1`	`2`	`private import implementations.IdentityFunction`
`2`	`3`	`private import implementations.Inet`
`3`	`4`	`private import implementations.Memcpy`