
Commit 9ec479a

committed
C++: Update queries to use DataFlow::ConfigSig
1 parent 47930f9 commit 9ec479a

2 files changed

+20
-20
lines changed


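--- a/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
+++ b/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
@@ -19,7 +19,7 @@ import semmle.code.cpp.security.FunctionWithWrappers
 import semmle.code.cpp.security.FlowSources
 import semmle.code.cpp.ir.IR
 import semmle.code.cpp.ir.dataflow.TaintTracking
-import DataFlow::PathGraph
+import TaintedPath::PathGraph
 
 /**
  * A function for opening a file.
@@ -70,18 +70,16 @@ predicate hasUpperBoundsCheck(Variable var) {
   )
 }
 
-class TaintedPathConfiguration extends TaintTracking::Configuration {
-  TaintedPathConfiguration() { this = "TaintedPathConfiguration" }
+module TaintedPathConfiguration implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node instanceof FlowSource }
 
-  override predicate isSource(DataFlow::Node node) { node instanceof FlowSource }
-
-  override predicate isSink(DataFlow::Node node) {
+  predicate isSink(DataFlow::Node node) {
     exists(FileFunction fileFunction |
       fileFunction.outermostWrapperFunctionCall(node.asIndirectArgument(), _)
     )
   }
 
-  override predicate isSanitizer(DataFlow::Node node) {
+  predicate isBarrier(DataFlow::Node node) {
     node.asExpr().(Call).getTarget().getUnspecifiedType() instanceof ArithmeticType
     or
     exists(LoadInstruction load, Variable checkedVar |
@@ -92,13 +90,15 @@ class TaintedPathConfiguration extends TaintTracking::Configuration {
   }
 }
 
+module TaintedPath = TaintTracking::Make<TaintedPathConfiguration>;
+
 from
-  FileFunction fileFunction, Expr taintedArg, FlowSource taintSource, TaintedPathConfiguration cfg,
-  DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode, string callChain
+  FileFunction fileFunction, Expr taintedArg, FlowSource taintSource,
+  TaintedPath::PathNode sourceNode, TaintedPath::PathNode sinkNode, string callChain
 where
   taintedArg = sinkNode.getNode().asIndirectArgument() and
   fileFunction.outermostWrapperFunctionCall(taintedArg, callChain) and
-  cfg.hasFlowPath(sourceNode, sinkNode) and
+  TaintedPath::hasFlowPath(sourceNode, sinkNode) and
   taintSource = sourceNode.getNode()
 select taintedArg, sourceNode, sinkNode,
   "This argument to a file access function is derived from $@ and then passed to " + callChain + ".",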
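Review bot: The new `module TaintedPathConfiguration implements DataFlow::ConfigSig {` (new line 73) carries no QLDoc, so nothing in the file states what the configuration tracks or why its two `isBarrier` disjuncts are considered safe cut points. I would add above the module a comment along the lines of `/** Taint from a `FlowSource` to the path argument of a file-opening function (reached directly or through wrappers); flow is cut at calls returning an arithmetic type and, presumably, at loads of variables covered by `hasUpperBoundsCheck`. */`. The `exists(LoadInstruction load, Variable checkedVar | ...)` branch of `isBarrier` continues outside the hunk, so the second half of that description should be checked against its body before committing it.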

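--- a/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
@@ -19,7 +19,7 @@ import semmle.code.cpp.ir.dataflow.TaintTracking
 import semmle.code.cpp.ir.IR
 import semmle.code.cpp.controlflow.IRGuards
 import semmle.code.cpp.security.FlowSources
-import DataFlow::PathGraph
+import TaintedAllocationSize::PathGraph
 
 /**
  * Holds if `alloc` is an allocation, and `tainted` is a child of it that is a
@@ -54,14 +54,12 @@ predicate nodeIsBarrierEqualityCandidate(DataFlow::Node node, Operand access, Va
 
 predicate isFlowSource(FlowSource source, string sourceType) { sourceType = source.getSourceType() }
 
-class TaintedAllocationSizeConfiguration extends TaintTracking::Configuration {
-  TaintedAllocationSizeConfiguration() { this = "TaintedAllocationSizeConfiguration" }
+module TaintedAllocationSizeConfiguration implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { isFlowSource(source, _) }
 
-  override predicate isSource(DataFlow::Node source) { isFlowSource(source, _) }
+  predicate isSink(DataFlow::Node sink) { allocSink(_, sink) }
 
-  override predicate isSink(DataFlow::Node sink) { allocSink(_, sink) }
-
-  override predicate isSanitizer(DataFlow::Node node) {
+  predicate isBarrier(DataFlow::Node node) {
     exists(Expr e | e = node.asExpr() |
       // There can be two separate reasons for `convertedExprMightOverflow` not holding:
       // 1. `e` really cannot overflow.
@@ -97,12 +95,14 @@ class TaintedAllocationSizeConfiguration extends TaintTracking::Configuration {
   }
 }
 
+module TaintedAllocationSize = TaintTracking::Make<TaintedAllocationSizeConfiguration>;
+
 from
-  Expr alloc, DataFlow::PathNode source, DataFlow::PathNode sink, string taintCause,
-  TaintedAllocationSizeConfiguration conf
+  Expr alloc, TaintedAllocationSize::PathNode source, TaintedAllocationSize::PathNode sink,
+  string taintCause
 where
   isFlowSource(source.getNode(), taintCause) and
-  conf.hasFlowPath(source, sink) and
+  TaintedAllocationSize::hasFlowPath(source, sink) and
   allocSink(alloc, sink.getNode())
 select alloc, source, sink, "This allocation size is derived from $@ and might overflow.",
   source.getNode(), "user input (" + taintCause + ")"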
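Review bot: `module TaintedAllocationSizeConfiguration implements DataFlow::ConfigSig {` (new line 57) has no QLDoc, so a reader has to reverse-engineer from `isFlowSource` and `allocSink` what is being tracked and what `isBarrier` is meant to exclude. I would add above the module a comment such as `/** Taint from a `FlowSource` to the size expression of an allocation (see `allocSink`); `isBarrier` stops flow at expressions that are judged unable to overflow — the reasoning is in the comment inside its body. */`. The body of `isBarrier`, including the `convertedExprMightOverflow` discussion, continues past the hunk, so the wording should be confirmed against it.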
