C++: Convert 'cpp/tainted-arithmetic' to a 'path-problem' query.

MathiasVP · MathiasVP · commit 17df8e44d0ff · 2021-06-18T14:56:17.000+02:00
diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
@@ -2,7 +2,7 @@
  * @name User-controlled data in arithmetic expression
  * @description Arithmetic operations on user-controlled data that is
  *              not validated can cause overflows.
- * @kind problem
+ * @kind path-problem
  * @problem.severity warning
  * @security-severity 5.9
  * @precision low
@@ -16,22 +16,34 @@ import cpp
 import semmle.code.cpp.security.Overflow
 import semmle.code.cpp.security.Security
 import semmle.code.cpp.security.TaintTracking
+import TaintedWithPath
 
-from Expr origin, Operation op, Expr e, string effect
+bindingset[op]
+predicate missingGuard(Operation op, Expr e, string effect) {
+  missingGuardAgainstUnderflow(op, e) and effect = "underflow"
+  or
+  missingGuardAgainstOverflow(op, e) and effect = "overflow"
+  or
+  not e instanceof VariableAccess and effect = "overflow"
+}
+
+class Configuration extends TaintTrackingConfiguration {
+  override predicate isSink(Element e) {
+    exists(Operation op |
+      missingGuard(op, e, _) and
+      op.getAnOperand() = e
+    |
+      op instanceof UnaryArithmeticOperation or
+      op instanceof BinaryArithmeticOperation
+    )
+  }
+}
+
+from Expr origin, Expr e, string effect, PathNode sourceNode, PathNode sinkNode, Operation op
 where
-  isUserInput(origin, _) and
-  tainted(origin, e) and
+  taintedWithPath(origin, e, sourceNode, sinkNode) and
   op.getAnOperand() = e and
-  (
-    missingGuardAgainstUnderflow(op, e) and effect = "underflow"
-    or
-    missingGuardAgainstOverflow(op, e) and effect = "overflow"
-    or
-    not e instanceof VariableAccess and effect = "overflow"
-  ) and
-  (
-    op instanceof UnaryArithmeticOperation or
-    op instanceof BinaryArithmeticOperation
-  )
-select e, "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".",
-  origin, "User-provided value"
+  missingGuard(op, e, effect)
+select e, sourceNode, sinkNode,
+  "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".", origin,
+  "User-provided value"
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected
@@ -1,9 +1,68 @@
-| test2.cpp:14:11:14:11 | v | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test2.cpp:25:22:25:23 | & ... | User-provided value |
-| test2.cpp:14:11:14:11 | v | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test2.cpp:25:22:25:23 | & ... | User-provided value |
-| test5.cpp:17:6:17:18 | call to getTaintedInt | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
-| test5.cpp:19:6:19:6 | y | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
-| test5.cpp:19:6:19:6 | y | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
-| test.c:14:15:14:28 | maxConnections | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:11:29:11:32 | argv | User-provided value |
-| test.c:14:15:14:28 | maxConnections | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:11:29:11:32 | argv | User-provided value |
-| test.c:44:7:44:10 | len2 | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:41:17:41:20 | argv | User-provided value |
-| test.c:54:7:54:10 | len3 | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:51:17:51:20 | argv | User-provided value |
+edges
+| test2.cpp:12:21:12:21 | v | test2.cpp:14:11:14:11 | v |
+| test2.cpp:12:21:12:21 | v | test2.cpp:14:11:14:11 | v |
+| test2.cpp:25:22:25:23 | & ... | test2.cpp:27:2:27:11 | v |
+| test2.cpp:25:22:25:23 | fscanf output argument | test2.cpp:27:2:27:11 | v |
+| test2.cpp:27:2:27:11 | v | test2.cpp:12:21:12:21 | v |
+| test5.cpp:9:7:9:9 | buf | test5.cpp:10:9:10:27 | Store |
+| test5.cpp:9:7:9:9 | gets output argument | test5.cpp:10:9:10:27 | Store |
+| test5.cpp:10:9:10:27 | Store | test5.cpp:17:6:17:18 | call to getTaintedInt |
+| test5.cpp:10:9:10:27 | Store | test5.cpp:17:6:17:18 | call to getTaintedInt |
+| test5.cpp:10:9:10:27 | Store | test5.cpp:18:6:18:18 | call to getTaintedInt |
+| test5.cpp:18:6:18:18 | call to getTaintedInt | test5.cpp:19:6:19:6 | y |
+| test5.cpp:18:6:18:18 | call to getTaintedInt | test5.cpp:19:6:19:6 | y |
+| test.c:11:29:11:32 | argv | test.c:14:15:14:28 | maxConnections |
+| test.c:11:29:11:32 | argv | test.c:14:15:14:28 | maxConnections |
+| test.c:11:29:11:32 | argv | test.c:14:15:14:28 | maxConnections |
+| test.c:11:29:11:32 | argv | test.c:14:15:14:28 | maxConnections |
+| test.c:41:17:41:20 | argv | test.c:44:7:44:10 | len2 |
+| test.c:41:17:41:20 | argv | test.c:44:7:44:10 | len2 |
+| test.c:41:17:41:20 | argv | test.c:44:7:44:10 | len2 |
+| test.c:41:17:41:20 | argv | test.c:44:7:44:10 | len2 |
+| test.c:51:17:51:20 | argv | test.c:54:7:54:10 | len3 |
+| test.c:51:17:51:20 | argv | test.c:54:7:54:10 | len3 |
+| test.c:51:17:51:20 | argv | test.c:54:7:54:10 | len3 |
+| test.c:51:17:51:20 | argv | test.c:54:7:54:10 | len3 |
+nodes
+| test2.cpp:12:21:12:21 | v | semmle.label | v |
+| test2.cpp:14:11:14:11 | v | semmle.label | v |
+| test2.cpp:14:11:14:11 | v | semmle.label | v |
+| test2.cpp:14:11:14:11 | v | semmle.label | v |
+| test2.cpp:25:22:25:23 | & ... | semmle.label | & ... |
+| test2.cpp:25:22:25:23 | fscanf output argument | semmle.label | fscanf output argument |
+| test2.cpp:27:2:27:11 | v | semmle.label | v |
+| test5.cpp:9:7:9:9 | buf | semmle.label | buf |
+| test5.cpp:9:7:9:9 | gets output argument | semmle.label | gets output argument |
+| test5.cpp:10:9:10:27 | Store | semmle.label | Store |
+| test5.cpp:17:6:17:18 | call to getTaintedInt | semmle.label | call to getTaintedInt |
+| test5.cpp:17:6:17:18 | call to getTaintedInt | semmle.label | call to getTaintedInt |
+| test5.cpp:17:6:17:18 | call to getTaintedInt | semmle.label | call to getTaintedInt |
+| test5.cpp:18:6:18:18 | call to getTaintedInt | semmle.label | call to getTaintedInt |
+| test5.cpp:19:6:19:6 | y | semmle.label | y |
+| test5.cpp:19:6:19:6 | y | semmle.label | y |
+| test5.cpp:19:6:19:6 | y | semmle.label | y |
+| test.c:11:29:11:32 | argv | semmle.label | argv |
+| test.c:11:29:11:32 | argv | semmle.label | argv |
+| test.c:14:15:14:28 | maxConnections | semmle.label | maxConnections |
+| test.c:14:15:14:28 | maxConnections | semmle.label | maxConnections |
+| test.c:14:15:14:28 | maxConnections | semmle.label | maxConnections |
+| test.c:41:17:41:20 | argv | semmle.label | argv |
+| test.c:41:17:41:20 | argv | semmle.label | argv |
+| test.c:44:7:44:10 | len2 | semmle.label | len2 |
+| test.c:44:7:44:10 | len2 | semmle.label | len2 |
+| test.c:44:7:44:10 | len2 | semmle.label | len2 |
+| test.c:51:17:51:20 | argv | semmle.label | argv |
+| test.c:51:17:51:20 | argv | semmle.label | argv |
+| test.c:54:7:54:10 | len3 | semmle.label | len3 |
+| test.c:54:7:54:10 | len3 | semmle.label | len3 |
+| test.c:54:7:54:10 | len3 | semmle.label | len3 |
+#select
+| test2.cpp:14:11:14:11 | v | test2.cpp:25:22:25:23 | & ... | test2.cpp:14:11:14:11 | v | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test2.cpp:25:22:25:23 | & ... | User-provided value |
+| test2.cpp:14:11:14:11 | v | test2.cpp:25:22:25:23 | & ... | test2.cpp:14:11:14:11 | v | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test2.cpp:25:22:25:23 | & ... | User-provided value |
+| test5.cpp:17:6:17:18 | call to getTaintedInt | test5.cpp:9:7:9:9 | buf | test5.cpp:17:6:17:18 | call to getTaintedInt | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
+| test5.cpp:19:6:19:6 | y | test5.cpp:9:7:9:9 | buf | test5.cpp:19:6:19:6 | y | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
+| test5.cpp:19:6:19:6 | y | test5.cpp:9:7:9:9 | buf | test5.cpp:19:6:19:6 | y | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
+| test.c:14:15:14:28 | maxConnections | test.c:11:29:11:32 | argv | test.c:14:15:14:28 | maxConnections | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:11:29:11:32 | argv | User-provided value |
+| test.c:14:15:14:28 | maxConnections | test.c:11:29:11:32 | argv | test.c:14:15:14:28 | maxConnections | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:11:29:11:32 | argv | User-provided value |
+| test.c:44:7:44:10 | len2 | test.c:41:17:41:20 | argv | test.c:44:7:44:10 | len2 | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:41:17:41:20 | argv | User-provided value |
+| test.c:54:7:54:10 | len3 | test.c:51:17:51:20 | argv | test.c:54:7:54:10 | len3 | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:51:17:51:20 | argv | User-provided value |
