Commit b951bf0

C++: Remove conflation from taint-tracking.
1 parent a5bb093 commit b951bf0

6 files changed

Lines changed: 233 additions & 19 deletions


cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll

Lines changed: 0 additions & 12 deletions
@@ -28,18 +28,6 @@ predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeT
2828
or
2929
modeledTaintStep(nodeFrom, nodeTo)
3030
or
31-
// Flow from `op` to `*op`.
32-
exists(Operand operand, int indirectionIndex |
33-
nodeHasOperand(nodeFrom, operand, indirectionIndex) and
34-
nodeHasOperand(nodeTo, operand, indirectionIndex - 1)
35-
)
36-
or
37-
// Flow from `instr` to `*instr`.
38-
exists(Instruction instr, int indirectionIndex |
39-
nodeHasInstruction(nodeFrom, instr, indirectionIndex) and
40-
nodeHasInstruction(nodeTo, instr, indirectionIndex - 1)
41-
)
42-
or
4331
// Flow from (the indirection of) an operand of a pointer arithmetic instruction to the
4432
// indirection of the pointer arithmetic instruction. This provides flow from `source`
4533
// in `x[source]` to the result of the associated load instruction.
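Review bot: the two disjuncts removed at old lines 31-42 leave without any replacement comment, so nothing in `localAdditionalTaintStep` now says whether taint on a pointer and taint on what it points to are meant to be tracked independently. Add a short comment at this spot stating that the two are no longer conflated and naming the step that is expected to carry taint across an indirection (the pointer-arithmetic disjunct that follows is the only one visible here). The expected-output files in this commit lose IR results, and a reader of this predicate needs to see that this is intended.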
Lines changed: 15 additions & 0 deletions
@@ -1,2 +1,17 @@
11
WARNING: Module TaintedWithPath has been deprecated and may be removed in future (tainted.ql:10,8-47)
22
WARNING: Predicate tainted has been deprecated and may be removed in future (tainted.ql:21,3-28)
3+
| defaulttainttracking.cpp:4:33:4:52 | // $ ir MISSING: ast | Missing result:ir= |
4+
| defaulttainttracking.cpp:5:32:5:42 | // $ ast,ir | Missing result:ir= |
5+
| defaulttainttracking.cpp:10:37:10:47 | // $ ast,ir | Missing result:ir= |
6+
| defaulttainttracking.cpp:12:14:12:24 | // $ ast,ir | Missing result:ir= |
7+
| defaulttainttracking.cpp:174:16:174:26 | // $ ast,ir | Missing result:ir= |
8+
| defaulttainttracking.cpp:178:14:178:24 | // $ ast,ir | Missing result:ir= |
9+
| defaulttainttracking.cpp:179:14:179:34 | // $ SPURIOUS: ast,ir | Fixed spurious result:ir= |
10+
| defaulttainttracking.cpp:198:14:198:34 | // $ SPURIOUS: ast,ir | Fixed spurious result:ir= |
11+
| stl.cpp:74:11:74:30 | // $ ir MISSING: ast | Missing result:ir= |
12+
| stl.cpp:91:13:91:32 | // $ ir MISSING: ast | Missing result:ir= |
13+
| stl.cpp:92:13:92:32 | // $ ir MISSING: ast | Missing result:ir= |
14+
| stl.cpp:93:13:93:32 | // $ ir MISSING: ast | Missing result:ir= |
15+
| stl.cpp:94:13:94:32 | // $ ir MISSING: ast | Missing result:ir= |
16+
| stl.cpp:144:12:144:31 | // $ ir MISSING: ast | Missing result:ir= |
17+
| stl.cpp:158:12:158:31 | // $ ir MISSING: ast | Missing result:ir= |
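Review bot: rows 3-17 commit 13 `Missing result:ir=` lines and 2 `Fixed spurious result:ir=` lines into the expected output, which means the inline annotations in defaulttainttracking.cpp and stl.cpp no longer match what the IR library reports. Update the annotations instead, for example `// $ ast,ir` to `// $ ast MISSING: ir` and `// $ SPURIOUS: ast,ir` to `// $ SPURIOUS: ast`, so this file goes back to holding only the two deprecation warnings and each lost flow is recorded next to the test line it belongs to. The rows annotated `// $ ir MISSING: ast` (defaulttainttracking.cpp:4 and the seven stl.cpp rows) were found by the IR library only, so after this change neither library reports them; please confirm that is acceptable rather than a regression to fix.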

cpp/ql/test/library-tests/dataflow/security-taint/tainted_diff.expected

Lines changed: 5 additions & 1 deletion
@@ -28,7 +28,7 @@ WARNING: Predicate taintedIncludingGlobalVars has been deprecated and may be rem
2828
| test.cpp:68:28:68:33 | call to getenv | test.cpp:69:10:69:13 | copy | AST only |
2929
| test.cpp:68:28:68:33 | call to getenv | test.cpp:70:5:70:10 | call to strcpy | AST only |
3030
| test.cpp:68:28:68:33 | call to getenv | test.cpp:70:12:70:15 | copy | AST only |
31-
| test.cpp:68:28:68:33 | call to getenv | test.cpp:71:12:71:15 | array to pointer conversion | IR only |
31+
| test.cpp:68:28:68:33 | call to getenv | test.cpp:71:12:71:15 | copy | AST only |
3232
| test.cpp:75:20:75:25 | call to getenv | test.cpp:15:22:15:25 | nptr | AST only |
3333
| test.cpp:83:28:83:33 | call to getenv | test.cpp:8:24:8:25 | s1 | AST only |
3434
| test.cpp:83:28:83:33 | call to getenv | test.cpp:11:20:11:21 | s1 | AST only |
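Review bot: the changed row 31 flips test.cpp:71:12 from an `IR only` result to an `AST only` one, so the IR library stops reporting `copy` on the line right after the `strcpy` at test.cpp:70 while the AST library keeps it. If `copy` is the destination of that `strcpy`, this is a lost true positive from a `getenv` source, and the fix belongs in how the `strcpy` model taints the destination buffer rather than in the expected file. Please confirm which case this is before accepting the new row.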
@@ -37,6 +37,8 @@ WARNING: Predicate taintedIncludingGlobalVars has been deprecated and may be rem
3737
| test.cpp:83:28:83:33 | call to getenv | test.cpp:85:8:85:11 | copy | AST only |
3838
| test.cpp:83:28:83:33 | call to getenv | test.cpp:86:2:86:7 | call to strcpy | AST only |
3939
| test.cpp:83:28:83:33 | call to getenv | test.cpp:86:9:86:12 | copy | AST only |
40+
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:14:88:17 | (const char *)... | AST only |
41+
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:14:88:17 | copy | AST only |
4042
| test.cpp:100:12:100:15 | call to gets | test.cpp:98:8:98:14 | pointer | AST only |
4143
| test.cpp:100:12:100:15 | call to gets | test.cpp:100:2:100:8 | pointer | AST only |
4244
| test.cpp:100:17:100:22 | buffer | test.cpp:93:18:93:18 | s | AST only |
@@ -49,3 +51,5 @@ WARNING: Predicate taintedIncludingGlobalVars has been deprecated and may be rem
4951
| test.cpp:106:28:106:33 | call to getenv | test.cpp:108:8:108:11 | copy | AST only |
5052
| test.cpp:106:28:106:33 | call to getenv | test.cpp:109:2:109:7 | call to strcpy | AST only |
5153
| test.cpp:106:28:106:33 | call to getenv | test.cpp:109:9:109:12 | copy | AST only |
54+
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:14:111:17 | (const char *)... | AST only |
55+
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:14:111:17 | copy | AST only |

cpp/ql/test/library-tests/dataflow/security-taint/tainted_ir.expected

Lines changed: 0 additions & 6 deletions
@@ -22,8 +22,6 @@ WARNING: Module TaintedWithPath has been deprecated and may be removed in future
2222
| test.cpp:68:28:68:33 | call to getenv | test.cpp:68:28:68:33 | call to getenv |
2323
| test.cpp:68:28:68:33 | call to getenv | test.cpp:68:28:68:46 | (const char *)... |
2424
| test.cpp:68:28:68:33 | call to getenv | test.cpp:70:18:70:25 | userName |
25-
| test.cpp:68:28:68:33 | call to getenv | test.cpp:71:12:71:15 | array to pointer conversion |
26-
| test.cpp:68:28:68:33 | call to getenv | test.cpp:71:12:71:15 | copy |
2725
| test.cpp:75:20:75:25 | call to getenv | test.cpp:75:15:75:18 | call to atoi |
2826
| test.cpp:75:20:75:25 | call to getenv | test.cpp:75:20:75:25 | call to getenv |
2927
| test.cpp:75:20:75:25 | call to getenv | test.cpp:75:20:75:45 | (const char *)... |
@@ -33,8 +31,6 @@ WARNING: Module TaintedWithPath has been deprecated and may be removed in future
3331
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:6:88:27 | ! ... |
3432
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:7:88:12 | call to strcmp |
3533
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:7:88:27 | (bool)... |
36-
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:14:88:17 | (const char *)... |
37-
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:14:88:17 | copy |
3834
| test.cpp:100:12:100:15 | call to gets | test.cpp:100:12:100:15 | call to gets |
3935
| test.cpp:100:17:100:22 | buffer | test.cpp:100:17:100:22 | array to pointer conversion |
4036
| test.cpp:100:17:100:22 | buffer | test.cpp:100:17:100:22 | buffer |
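Review bot: the rows dropped at old lines 36-37 are both the `copy` argument at test.cpp:88:14, while the `call to strcmp` at 88:7 and its `(bool)...` and `! ...` wrappers stay in the IR output. The result at the call survives, but any check that looks at the argument itself would now miss it, and the same pair is dropped for 111:14 in the next hunk. Add a comment on those test lines, or a sentence in the commit message, explaining why `copy` is no longer considered tainted at these points.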
@@ -44,5 +40,3 @@ WARNING: Module TaintedWithPath has been deprecated and may be removed in future
4440
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:6:111:27 | ! ... |
4541
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:7:111:12 | call to strcmp |
4642
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:7:111:27 | (bool)... |
47-
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:14:111:17 | (const char *)... |
48-
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:14:111:17 | copy |
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
| test.cpp:34:13:34:23 | // $ ast,ir | Missing result:ir= |
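Review bot: this hunk creates the expected file (`@@ -0,0 +1 @@`) only to hold a `Missing result:ir=` row for test.cpp:34, so a test that previously had no recorded discrepancy now has a failure accepted as its baseline. Change the annotation at test.cpp:34 from `// $ ast,ir` to `// $ ast MISSING: ir` and keep the expected output empty, so the lost IR result is recorded in the test source where the next reader will look for it.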
