CPP: Make wordexp take an indirect argument.

alexet · alexet · commit 45ddb4832cbd · 2023-08-25T13:05:10.000+01:00
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql b/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql
@@ -40,7 +40,7 @@ module WordexpTaintConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) {
     exists(FunctionCall fc | fc.getTarget() instanceof WordexpFunction |
-      fc.getArgument(0) = sink.asExpr() and
+      fc.getArgument(0) = sink.asIndirectArgument(1) and
       not isCommandSubstitutionDisabled(fc)
     )
   }

Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,7 @@ module WordexpTaintConfig implements DataFlow::ConfigSig {`
`40`	`40`
`41`	`41`	`predicate isSink(DataFlow::Node sink) {`
`42`	`42`	`exists(FunctionCall fc \| fc.getTarget() instanceof WordexpFunction \|`
`43`		`- fc.getArgument(0) = sink.asExpr() and`
	`43`	`+ fc.getArgument(0) = sink.asIndirectArgument(1) and`
`44`	`44`	`not isCommandSubstitutionDisabled(fc)`
`45`	`45`	`)`
`46`	`46`	`}`