C++: Stop taint from flowing to arithmetic types

These are not likely to give the user much control over what can be accessed.

Author: jketema

cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql

@@ -75,6 +75,10 @@ class TaintedPathConfiguration extends TaintTracking::Configuration {
   }
 
   override predicate isSanitizerIn(DataFlow::Node node) { this.isSource(node) }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    node.asExpr().(Call).getTarget().getUnspecifiedType() instanceof ArithmeticType
+  }
 }
 
 from

cpp/ql/test/query-tests/Security/CWE/CWE-022/semmle/tests/stdlib.h

@@ -6,10 +6,12 @@
 typedef struct {} FILE;
 #define FILENAME_MAX 1000
 typedef unsigned long size_t;
+#define NULL ((void*)0)
 
 FILE *fopen(const char *filename, const char *mode);
 int sprintf(char *s, const char *format, ...);
 size_t strlen(const char *s);
 char *strncat(char *s1, const char *s2, size_t n);
 int scanf(const char *format, ...);
 void *malloc(size_t size);
+double strtod(const char *ptr, char **endptr);

cpp/ql/test/query-tests/Security/CWE/CWE-022/semmle/tests/test.c

@@ -43,4 +43,12 @@ int main(int argc, char** argv) {
     scanf("%s", fileName);
     fopen(fileName, "wb+"); // BAD
   }
+
+  {
+    char *aNumber = getenv("A_NUMBER");
+    double number = strtod(aNumber, 0);
+    char fileName[20];
+    sprintf(fileName, "/foo/%f", number);
+    fopen(fileName, "wb+"); // GOOD
+  }
 }