
Commit e683f61

committed
C++: Model 'gets'.
1 parent 8dcd46f commit e683f61

5 files changed

Lines changed: 50 additions & 0 deletions


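--- a/cpp/ql/src/semmle/code/cpp/models/Models.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/Models.qll
@@ -1,6 +1,7 @@
 private import implementations.Allocation
 private import implementations.Deallocation
 private import implementations.Fread
+private import implementations.Gets
 private import implementations.IdentityFunction
 private import implementations.Inet
 private import implementations.Memcpy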
Lines changed: 43 additions & 0 deletions
@@ -0,0 +1,43 @@
1+
import semmle.code.cpp.models.interfaces.DataFlow
2+
import semmle.code.cpp.models.interfaces.Taint
3+
import semmle.code.cpp.models.interfaces.ArrayFunction
4+
import semmle.code.cpp.models.interfaces.Alias
5+
import semmle.code.cpp.models.interfaces.SideEffect
6+
7+
/**
8+
* The standard functions `gets` and `fgets`.
9+
*/
10+
class GetsFunction extends DataFlowFunction, TaintFunction, ArrayFunction, AliasFunction, SideEffectFunction {
11+
GetsFunction() {
12+
exists(string name | name = getName() |
13+
name = "gets" or // gets(str)
14+
name = "fgets" // fgets(str, num, stream)
15+
)
16+
}
17+
18+
override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
19+
input.isParameter(0) and
20+
output.isReturnValue()
21+
}
22+
23+
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
24+
input.isParameterDeref(2) and
25+
output.isParameterDeref(0)
26+
}
27+
28+
override predicate parameterNeverEscapes(int index) { index = 2 }
29+
30+
override predicate parameterEscapesOnlyViaReturn(int index) { index = 0 }
31+
32+
override predicate parameterIsAlwaysReturned(int index) { index = 0 }
33+
34+
override predicate hasOnlySpecificReadSideEffects() { any() }
35+
36+
override predicate hasOnlySpecificWriteSideEffects() { any() }
37+
38+
override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
39+
i = 0 and
40+
buffer = true and
41+
mustWrite = true
42+
}
43+
}
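Review bot: The characteristic predicate of `GetsFunction` matches on `getName()` alone, so a member function or namespaced function that happens to be called `gets` or `fgets` would pick up this data-flow, alias and side-effect model; restricting it to the global functions, e.g. `hasGlobalName("gets") or hasGlobalName("fgets")`, keeps taint results from attaching to unrelated code. `hasTaintFlow` and `parameterNeverEscapes` refer to parameter 2, which only `fgets(str, num, stream)` has, so for `gets(str)` the class appears to contribute no taint flow into the buffer. The doc comment should say so, for example `The stream-to-buffer taint flow applies to fgets only; gets has no stream parameter.` The class also extends `ArrayFunction` without overriding any of its predicates, so as far as this file shows, the buffer in parameter 0 is never described as an array output or given a size relationship to `num`.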

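--- a/cpp/ql/test/library-tests/dataflow/security-taint/tainted_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/security-taint/tainted_diff.expected
@@ -10,4 +10,6 @@
 | test.cpp:68:28:68:33 | call to getenv | test.cpp:71:12:71:15 | copy | AST only |
 | test.cpp:87:12:87:15 | call to gets | test.cpp:87:2:87:8 | pointer | AST only |
 | test.cpp:87:17:87:22 | buffer | test.cpp:84:7:84:12 | buffer | AST only |
+| test.cpp:87:17:87:22 | buffer | test.cpp:85:8:85:14 | pointer | IR only |
+| test.cpp:87:17:87:22 | buffer | test.cpp:87:12:87:15 | call to gets | IR only |
 | test.cpp:87:17:87:22 | buffer | test.cpp:87:17:87:22 | array to pointer conversion | IR only |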

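--- a/cpp/ql/test/library-tests/dataflow/security-taint/tainted_ir.expected
+++ b/cpp/ql/test/library-tests/dataflow/security-taint/tainted_ir.expected
@@ -43,5 +43,7 @@
 | test.cpp:87:12:87:15 | call to gets | test.cpp:85:8:85:14 | pointer | |
 | test.cpp:87:12:87:15 | call to gets | test.cpp:87:12:87:15 | call to gets | |
 | test.cpp:87:17:87:22 | buffer | test.cpp:80:18:80:18 | s | |
+| test.cpp:87:17:87:22 | buffer | test.cpp:85:8:85:14 | pointer | |
+| test.cpp:87:17:87:22 | buffer | test.cpp:87:12:87:15 | call to gets | |
 | test.cpp:87:17:87:22 | buffer | test.cpp:87:17:87:22 | array to pointer conversion | |
 | test.cpp:87:17:87:22 | buffer | test.cpp:87:17:87:22 | buffer | |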
Lines changed: 2 additions & 0 deletions
@@ -1,5 +1,7 @@
11
| funcsLocal.c:17:9:17:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:16:8:16:9 | i1 | fread |
22
| funcsLocal.c:27:9:27:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:26:8:26:9 | i3 | fgets |
33
| funcsLocal.c:32:9:32:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:31:13:31:17 | call to fgets | fgets |
4+
| funcsLocal.c:32:9:32:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:31:19:31:21 | i41 | fgets |
45
| funcsLocal.c:37:9:37:10 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:36:7:36:8 | i5 | gets |
56
| funcsLocal.c:42:9:42:10 | i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:41:13:41:16 | call to gets | gets |
7+
| funcsLocal.c:42:9:42:10 | i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | funcsLocal.c:41:18:41:20 | i61 | gets |
