C++: Block flow through all bitwise 'and' and 'or' operations. This seems to be a common source of false positives on LGTM.

MathiasVP · MathiasVP · commit 5bfb78b58339 · 2021-06-24T15:53:59.000+02:00
diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
@@ -97,7 +97,15 @@ class UncontrolledArithConfiguration extends TaintTracking::Configuration {
 
   override predicate isSink(DataFlow::Node sink) { missingGuard(sink.asExpr(), _) }
 
-  override predicate isSanitizer(DataFlow::Node barrier) { bounded(barrier.asExpr()) }
+  override predicate isSanitizer(DataFlow::Node node) {
+    bounded(node.asExpr())
+    or
+    // If this expression is part of bitwise 'and' or 'or' operation it's likely that the value is
+    // only used as a bit pattern.
+    node.asExpr() =
+      any(BinaryBitwiseOperation op | op instanceof BitwiseOrExpr or op instanceof BitwiseAndExpr)
+          .getAnOperand*()
+  }
 }
 
 Expr getExpr(DataFlow::Node node) { result = [node.asExpr(), node.asDefiningArgument()] }
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
@@ -2,10 +2,6 @@ edges
 | test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r |
 | test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
 | test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
-| test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r |
-| test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r |
-| test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r |
-| test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r |
 | test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
 | test.cpp:8:9:8:12 | Store | test.cpp:24:11:24:18 | call to get_rand |
 | test.cpp:8:9:8:12 | call to rand | test.cpp:8:9:8:12 | Store |
@@ -25,12 +21,6 @@ nodes
 | test.c:35:5:35:5 | r | semmle.label | r |
 | test.c:44:13:44:16 | call to rand | semmle.label | call to rand |
 | test.c:45:5:45:5 | r | semmle.label | r |
-| test.c:75:13:75:19 | call to rand | semmle.label | call to rand |
-| test.c:75:13:75:19 | call to rand | semmle.label | call to rand |
-| test.c:77:9:77:9 | r | semmle.label | r |
-| test.c:81:14:81:17 | call to rand | semmle.label | call to rand |
-| test.c:81:23:81:26 | call to rand | semmle.label | call to rand |
-| test.c:83:9:83:9 | r | semmle.label | r |
 | test.c:99:14:99:19 | call to rand | semmle.label | call to rand |
 | test.c:100:5:100:5 | r | semmle.label | r |
 | test.cpp:8:9:8:12 | Store | semmle.label | Store |
@@ -51,10 +41,6 @@ nodes
 | test.c:21:17:21:17 | r | test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:18:13:18:16 | call to rand | Uncontrolled value |
 | test.c:35:5:35:5 | r | test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:34:13:34:18 | call to rand | Uncontrolled value |
 | test.c:45:5:45:5 | r | test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:44:13:44:16 | call to rand | Uncontrolled value |
-| test.c:77:9:77:9 | r | test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:75:13:75:19 | call to rand | Uncontrolled value |
-| test.c:77:9:77:9 | r | test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:75:13:75:19 | call to rand | Uncontrolled value |
-| test.c:83:9:83:9 | r | test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:81:14:81:17 | call to rand | Uncontrolled value |
-| test.c:83:9:83:9 | r | test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:81:23:81:26 | call to rand | Uncontrolled value |
 | test.c:100:5:100:5 | r | test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:99:14:99:19 | call to rand | Uncontrolled value |
 | test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | Uncontrolled value |
 | test.cpp:31:7:31:7 | r | test.cpp:13:10:13:13 | call to rand | test.cpp:31:7:31:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:13:10:13:13 | call to rand | Uncontrolled value |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.c b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.c
@@ -74,13 +74,13 @@ void randomTester() {
   {
     int r = RAND2();
 
-    r = r - 100; // BAD
+    r = r - 100; // BAD [NOT DETECTED]
   }
 
   {
     int r = (rand() ^ rand());
 
-    r = r - 100; // BAD
+    r = r - 100; // BAD [NOT DETECTED]
   }
 
   {

Original file line number	Diff line number	Diff line change
`@@ -74,13 +74,13 @@ void randomTester() {`
`74`	`74`	`{`
`75`	`75`	`int r = RAND2();`
`76`	`76`
`77`		`- r = r - 100; // BAD`
	`77`	`+ r = r - 100; // BAD [NOT DETECTED]`
`78`	`78`	`}`
`79`	`79`
`80`	`80`	`{`
`81`	`81`	`int r = (rand() ^ rand());`
`82`	`82`
`83`		`- r = r - 100; // BAD`
	`83`	`+ r = r - 100; // BAD [NOT DETECTED]`
`84`	`84`	`}`
`85`	`85`
`86`	`86`	`{`