

Commit e7b0536

committed
C++: Repair 'cpp/non-constant-format' in preparation for IR-based use-use dataflow.
1 parent 134cc62 commit e7b0536

2 files changed

Lines changed: 42 additions & 11 deletions

File tree

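--- a/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql
+++ b/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql
@@ -55,14 +55,20 @@ predicate underscoreMacro(Expr e) {
 /**
 * Holds if `t` cannot hold a character array, directly or indirectly.
 */
-predicate cannotContainString(Type t) {
-t.getUnspecifiedType() instanceof BuiltInType
-or
-t.getUnspecifiedType() instanceof IntegralOrEnumType
+predicate cannotContainString(Type t, boolean isIndirect) {
+isIndirect = false and
+(
+t.getUnspecifiedType() instanceof BuiltInType or
+t.getUnspecifiedType() instanceof IntegralOrEnumType
+)
 }
 
-predicate isNonConst(DataFlow::Node node) {
-exists(Expr e | e = node.asExpr() |
+predicate isNonConst(DataFlow::Node node, boolean isIndirect) {
+exists(Expr e |
+e = node.asExpr() and isIndirect = false
+or
+e = node.asIndirectExpr() and isIndirect = true
+|
 exists(FunctionCall fc | fc = e |
 not (
 whitelistFunction(fc.getTarget(), _) or
@@ -106,22 +112,28 @@ predicate isNonConst(DataFlow::Node node) {
 )
 )
 or
-node instanceof DataFlow::DefinitionByReferenceNode
+node instanceof DataFlow::DefinitionByReferenceNode and
+isIndirect = true
 }
 
 pragma[noinline]
 predicate isSanitizerNode(DataFlow::Node node) {
 underscoreMacro(node.asExpr())
 or
-cannotContainString(node.getType())
+not exists(node.asIndirectExpr()) and
+not exists(node.asDefiningArgument()) and
+cannotContainString(node.getType(), false)
 }
 
 class NonConstFlow extends TaintTracking::Configuration {
 NonConstFlow() { this = "NonConstFlow" }
 
 override predicate isSource(DataFlow::Node source) {
-isNonConst(source) and
-not cannotContainString(source.getType())
+exists(boolean isIndirect, Type t |
+isNonConst(source, isIndirect) and
+t = source.getType() and
+not cannotContainString(t, isIndirect)
+)
 }
 
 override predicate isSink(DataFlow::Node sink) {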
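Review bot: The QLDoc on `cannotContainString` was not updated for the new `isIndirect` parameter, and because the body requires `isIndirect = false`, `cannotContainString(_, true)` never holds — so in `isSource` an indirect source is never excluded on type grounds, which looks deliberate but is nowhere stated. Suggest extending the comment with `isIndirect` is `false` when `t` is the type of a node's direct value; no type-based exclusion is currently made for indirect (pointed-to) values, so this never holds for `isIndirect = true`.` The three new conjuncts in `isSanitizerNode` would also benefit from a one-line why-comment explaining why nodes that have an indirect expression or a defining argument are exempt from the type-based sanitizer, since that exemption is what keeps the sanitizer consistent with the `false`-only definition above. The body of `isNonConst` spans both hunks and continues outside them, and `isSink` starts at the hunk's last line.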
Lines changed: 20 additions & 1 deletion
@@ -1 +1,20 @@
1-
Timeout (5m0s) in DataFlowUtil#47741e1f::simpleLocalFlowStep#2#ff
1+
| NonConstantFormat.c:30:10:30:16 | access to array | The format string argument to printf should be constant to prevent security issues and other potential errors. |
2+
| NonConstantFormat.c:41:9:41:27 | call to any_random_function | The format string argument to printf should be constant to prevent security issues and other potential errors. |
3+
| nested.cpp:21:23:21:26 | fmt0 | The format string argument to snprintf should be constant to prevent security issues and other potential errors. |
4+
| nested.cpp:79:32:79:38 | call to get_fmt | The format string argument to diagnostic should be constant to prevent security issues and other potential errors. |
5+
| nested.cpp:87:18:87:20 | fmt | The format string argument to diagnostic should be constant to prevent security issues and other potential errors. |
6+
| test.cpp:56:12:56:16 | hello | The format string argument to printf should be constant to prevent security issues and other potential errors. |
7+
| test.cpp:59:12:59:21 | call to const_wash | The format string argument to printf should be constant to prevent security issues and other potential errors. |
8+
| test.cpp:60:12:60:26 | ... + ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
9+
| test.cpp:61:12:61:17 | + ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
10+
| test.cpp:62:12:62:18 | * ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
11+
| test.cpp:63:12:63:18 | & ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
12+
| test.cpp:64:12:64:39 | ... + ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
13+
| test.cpp:66:10:66:35 | ... + ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
14+
| test.cpp:69:12:69:20 | ... + ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
15+
| test.cpp:81:12:81:16 | hello | The format string argument to printf should be constant to prevent security issues and other potential errors. |
16+
| test.cpp:92:12:92:18 | ++ ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
17+
| test.cpp:99:12:99:16 | hello | The format string argument to printf should be constant to prevent security issues and other potential errors. |
18+
| test.cpp:109:12:109:24 | new[] | The format string argument to printf should be constant to prevent security issues and other potential errors. |
19+
| test.cpp:114:12:114:16 | hello | The format string argument to printf should be constant to prevent security issues and other potential errors. |
20+
| test.cpp:129:20:129:26 | access to array | The format string argument to sprintf should be constant to prevent security issues and other potential errors. |
