C++: This commit does two things:

MathiasVP · MathiasVP · commit 61597f5ac79b · 2024-03-13T22:40:06.000Z
1. It fixes a logic error in the cannotContainString predicate.
2. It reverts the changes to the `isSource` predicate that required the external
function to be within the source root.

The change to `isSource` was meant to fix the a performance problem that occurred
because of the logic error in the cannotContainString predicate. However, now that
the logic error is fixed this is no longer necessary 🎉
diff --git a/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql b/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql
@@ -37,6 +37,11 @@ class UncalledFunction extends Function {
   }
 }
 
+/** The `unsigned short` type. */
+class UnsignedShort extends ShortType {
+  UnsignedShort() { this.isUnsigned() }
+}
+
 /**
  * Holds if `t` cannot refer to a string. That is, it's a built-in
  * or arithmetic type that is not a "`char` like" type.
@@ -51,7 +56,7 @@ predicate cannotContainString(Type t) {
     not unspecified instanceof Char16Type and
     not unspecified instanceof Char32Type and
     // C often defines `wchar_t` as `unsigned short`
-    unspecified = any(ShortType short | not short.isUnsigned())
+    not unspecified instanceof UnsignedShort
   |
     unspecified instanceof ArithmeticType or
     unspecified instanceof BuiltInType
@@ -63,14 +68,6 @@ predicate dataFlowOrTaintFlowFunction(Function func, FunctionOutput output) {
   func.(TaintFunction).hasTaintFlow(_, output)
 }
 
-/** Holds if `func` is declared inside the source root. */
-predicate isInsideSourceRoot(Function func) {
-  exists(File f |
-    f = func.getFile() and
-    exists(f.getRelativePath())
-  )
-}
-
 /**
  * Holds if `node` is a non-constant source of data flow for non-const format string detection.
  * This is defined as either:
@@ -119,8 +116,7 @@ predicate isNonConst(DataFlow::Node node) {
   // The function's output must also not be const to be considered a non-const source
   exists(Function func, CallInstruction call |
     not func.hasDefinition() and
-    func = call.getStaticCallTarget() and
-    isInsideSourceRoot(func)
+    func = call.getStaticCallTarget()
   |
     // Case 1: It's a known dataflow or taintflow function with flow to the return value
     call.getUnconvertedResultExpression() = node.asIndirectExpr() and
