C++: handle global vars in DefaultTaintTracking

Robert Marsh · Robert Marsh · commit d99a90bfea1c · 2019-12-03T16:08:43.000-08:00
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
@@ -37,6 +37,61 @@ private class DefaultTaintTrackingCfg extends DataFlow::Configuration {
   }
 }
 
+private class ToGlobalVarTaintTrackingCfg extends DataFlow::Configuration {
+  ToGlobalVarTaintTrackingCfg() { this = "GlobalVarTaintTrackingCfg" }
+
+  override predicate isSource(DataFlow::Node source) { isUserInput(source.asExpr(), _) }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(GlobalOrNamespaceVariable gv |
+      accessesVariable(sink.asInstruction(), gv) and
+      sink.asInstruction() instanceof StoreInstruction
+    )
+  }
+
+  override predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
+    instructionTaintStep(n1.asInstruction(), n2.asInstruction())
+    or
+    exists(StoreInstruction i1, LoadInstruction i2, GlobalOrNamespaceVariable gv |
+      accessesVariable(i1, gv) and
+      accessesVariable(i2, gv) and
+      i1 = n1.asInstruction() and
+      i2 = n2.asInstruction()
+    )
+  }
+
+  override predicate isBarrier(DataFlow::Node node) {
+    exists(Variable checkedVar |
+      accessesVariable(node.asInstruction(), checkedVar) and
+      hasUpperBoundsCheck(checkedVar)
+    )
+  }
+}
+
+private class FromGlobalVarTaintTrackingCfg extends DataFlow::Configuration {
+  FromGlobalVarTaintTrackingCfg() { this = "FromGlobalVarTaintTrackingCfg" }
+
+  override predicate isSource(DataFlow::Node source) {
+    exists(GlobalOrNamespaceVariable gv |
+      accessesVariable(source.asInstruction(), gv) and
+      source.asInstruction() instanceof LoadInstruction
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) { any() }
+
+  override predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
+    instructionTaintStep(n1.asInstruction(), n2.asInstruction())
+  }
+
+  override predicate isBarrier(DataFlow::Node node) {
+    exists(Variable checkedVar |
+      accessesVariable(node.asInstruction(), checkedVar) and
+      hasUpperBoundsCheck(checkedVar)
+    )
+  }
+}
+
 private predicate accessesVariable(CopyInstruction copy, Variable var) {
   exists(VariableAddressInstruction va | va.getASTVariable() = var |
     copy.(StoreInstruction).getDestinationAddress() = va
@@ -99,35 +154,39 @@ private predicate instructionTaintStep(Instruction i1, Instruction i2) {
   // addition expression.
 }
 
+private Element adjustedSink(DataFlow::Node sink) {
+  // TODO: is it more appropriate to use asConvertedExpr here and avoid
+  // `getConversion*`? Or will that cause us to miss some cases where there's
+  // flow to a conversion (like a `ReferenceDereferenceExpr`) and we want to
+  // pretend there was flow to the converted `Expr` for the sake of
+  // compatibility.
+  sink.asExpr().getConversion*() = result
+  or
+  // For compatibility, send flow from arguments to parameters, even for
+  // functions with no body.
+  exists(FunctionCall call, int i |
+    sink.asExpr() = call.getArgument(i) and
+    result = resolveCall(call).getParameter(i)
+  )
+  or
+  // For compatibility, send flow into a `Variable` if there is flow to any
+  // Load or Store of that variable.
+  exists(CopyInstruction copy |
+    copy.getSourceValue() = sink.asInstruction() and
+    accessesVariable(copy, result) and
+    not hasUpperBoundsCheck(result)
+  )
+  or
+  // For compatibility, send flow into a `NotExpr` even if it's part of a
+  // short-circuiting condition and thus might get skipped.
+  result.(NotExpr).getOperand() = sink.asExpr()
+}
+
 predicate tainted(Expr source, Element tainted) {
   exists(DefaultTaintTrackingCfg cfg, DataFlow::Node sink |
     cfg.hasFlow(DataFlow::exprNode(source), sink)
   |
-    // TODO: is it more appropriate to use asConvertedExpr here and avoid
-    // `getConversion*`? Or will that cause us to miss some cases where there's
-    // flow to a conversion (like a `ReferenceDereferenceExpr`) and we want to
-    // pretend there was flow to the converted `Expr` for the sake of
-    // compatibility.
-    sink.asExpr().getConversion*() = tainted
-    or
-    // For compatibility, send flow from arguments to parameters, even for
-    // functions with no body.
-    exists(FunctionCall call, int i |
-      sink.asExpr() = call.getArgument(i) and
-      tainted = resolveCall(call).getParameter(i)
-    )
-    or
-    // For compatibility, send flow into a `Variable` if there is flow to any
-    // Load or Store of that variable.
-    exists(CopyInstruction copy |
-      copy.getSourceValue() = sink.asInstruction() and
-      accessesVariable(copy, tainted) and
-      not hasUpperBoundsCheck(tainted)
-    )
-    or
-    // For compatibility, send flow into a `NotExpr` even if it's part of a
-    // short-circuiting condition and thus might get skipped.
-    tainted.(NotExpr).getOperand() = sink.asExpr()
+    tainted = adjustedSink(sink)
   )
 }
 
@@ -137,12 +196,24 @@ predicate taintedIncludingGlobalVars(Expr source, Element tainted, string global
   // global variable that taint has passed through. Also make sure we emulate
   // its behavior for interprocedural flow through globals.
   globalVar = ""
+  or
+  exists(
+    ToGlobalVarTaintTrackingCfg toCfg, FromGlobalVarTaintTrackingCfg fromCfg, DataFlow::Node store,
+    GlobalOrNamespaceVariable global, DataFlow::Node load, DataFlow::Node sink
+  |
+    toCfg.hasFlow(DataFlow::exprNode(source), store) and
+    accessesVariable(store.asInstruction(), global) and
+    accessesVariable(load.asInstruction(), global) and
+    fromCfg.hasFlow(load, sink) and
+    tainted = adjustedSink(sink) and
+    globalVar = global.toString()
+  )
 }
 
 GlobalOrNamespaceVariable globalVarFromId(string id) {
-  // TODO: Implement this when `taintedIncludingGlobalVars` has support for
-  // global variables.
-  none()
+  if result instanceof NamespaceVariable
+  then id = result.getNamespace() + "::" + result.getName()
+  else id = result.getName()
 }
 
 Function resolveCall(Call call) {
