stash: change sinks to zip handles and sources to the zip handle initializers

am0o0 · am0o0 · commit e0798b29da1e · 2023-07-04T18:28:00.000+10:00
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-409-DecompressionBomb/DecompressionBombsLibMiniz.ql b/cpp/ql/src/experimental/Security/CWE/CWE-409-DecompressionBomb/DecompressionBombsLibMiniz.ql
@@ -21,6 +21,7 @@ import semmle.code.cpp.security.FlowSources
 private class PointerVar extends VariableAccess {
   PointerVar() { this.getType() instanceof PointerType }
 }
+
 /**
  * A unsigned char Variable is used in Flow source
  */
@@ -56,6 +57,18 @@ private class MzUncompress extends Function {
   MzUncompress() { this.hasGlobalName(["uncompress", "mz_uncompress", "mz_uncompress2"]) }
 }
 
+/**
+ * A `zip handle` is used in Flow source
+ */
+private class MzZip extends Function {
+  MzZip() {
+    this.hasGlobalName([
+        "mz_zip_reader_open", "mz_zip_reader_open_file", "mz_zip_reader_open_file_in_memory",
+        "mz_zip_reader_open_buffer", "mz_zip_reader_entry_open"
+      ])
+  }
+}
+
 /**
  * The `mz_inflate` functions are used in Flow Sink
  */
@@ -138,6 +151,9 @@ module MinizTaintConfig implements DataFlow::StateConfigSig {
     source.asDefiningArgument() =
       any(Call call | call.getTarget() instanceof MzInflateInit).getArgument(0) and
     state = "inflate"
+    or
+    source.asDefiningArgument() = any(Call call | call.getTarget() instanceof MzZip).getArgument(0) and
+    state = ""
   }
 
   predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
