[DIFF-INFORMED] C++: UnsafeCreateProcessCall

d10c · d10c · commit 194d9a9f44e8 · 2025-08-15T12:01:23.000+02:00
diff --git a/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql b/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
@@ -62,6 +62,16 @@ module NullAppNameCreateProcessFunctionConfig implements DataFlow::ConfigSig {
       val = call.getArgument(call.getApplicationNameArgumentId())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    exists(CreateProcessFunctionCall call | result = call.getLocation() |
+      sink.asExpr() = call.getArgument(call.getApplicationNameArgumentId())
+    )
+  }
 }
 
 module NullAppNameCreateProcessFunction = DataFlow::Global<NullAppNameCreateProcessFunctionConfig>;
@@ -82,6 +92,16 @@ module QuotedCommandInCreateProcessFunctionConfig implements DataFlow::ConfigSig
       val = call.getArgument(call.getCommandLineArgumentId())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    exists(CreateProcessFunctionCall call | result = call.getLocation() |
+      sink.asExpr() = call.getArgument(call.getCommandLineArgumentId())
+    )
+  }
 }
 
 module QuotedCommandInCreateProcessFunction =

Original file line number	Diff line number	Diff line change
`@@ -62,6 +62,16 @@ module NullAppNameCreateProcessFunctionConfig implements DataFlow::ConfigSig {`
`62`	`62`	`val = call.getArgument(call.getApplicationNameArgumentId())`
`63`	`63`	`)`
`64`	`64`	`}`
	`65`	`+`
	`66`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
	`67`	`+`
	`68`	`+ Location getASelectedSourceLocation(DataFlow::Node source) { none() }`
	`69`	`+`
	`70`	`+ Location getASelectedSinkLocation(DataFlow::Node sink) {`
	`71`	`+ exists(CreateProcessFunctionCall call \| result = call.getLocation() \|`
	`72`	`+ sink.asExpr() = call.getArgument(call.getApplicationNameArgumentId())`
	`73`	`+ )`
	`74`	`+ }`
`65`	`75`	`}`
`66`	`76`
`67`	`77`	`module NullAppNameCreateProcessFunction = DataFlow::Global<NullAppNameCreateProcessFunctionConfig>;`
`@@ -82,6 +92,16 @@ module QuotedCommandInCreateProcessFunctionConfig implements DataFlow::ConfigSig`
`82`	`92`	`val = call.getArgument(call.getCommandLineArgumentId())`
`83`	`93`	`)`
`84`	`94`	`}`
	`95`	`+`
	`96`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
	`97`	`+`
	`98`	`+ Location getASelectedSourceLocation(DataFlow::Node source) { none() }`
	`99`	`+`
	`100`	`+ Location getASelectedSinkLocation(DataFlow::Node sink) {`
	`101`	`+ exists(CreateProcessFunctionCall call \| result = call.getLocation() \|`
	`102`	`+ sink.asExpr() = call.getArgument(call.getCommandLineArgumentId())`
	`103`	`+ )`
	`104`	`+ }`
`85`	`105`	`}`
`86`	`106`
`87`	`107`	`module QuotedCommandInCreateProcessFunction =`