C++: Generalize the ArgvSource flow source

jketema · jketema · commit 331fab5ac0d1 · 2022-12-09T23:12:31.000+01:00
This matches `isUserInput` and handles cases where `argv` has a different name,
which is allowed.
diff --git a/cpp/ql/lib/semmle/code/cpp/security/FlowSources.qll b/cpp/ql/lib/semmle/code/cpp/security/FlowSources.qll
@@ -89,9 +89,9 @@ private class LocalParameterSource extends LocalFlowSource {
 
 private class ArgvSource extends LocalFlowSource {
   ArgvSource() {
-    exists(Parameter argv |
-      argv.hasName("argv") and
-      argv.getFunction().hasGlobalName("main") and
+    exists(Function main, Parameter argv |
+      main.hasGlobalName("main") and
+      main.getParameter(1) = argv and
       this.asExpr() = argv.getAnAccess()
     )
   }

Original file line number	Diff line number	Diff line change
`@@ -89,9 +89,9 @@ private class LocalParameterSource extends LocalFlowSource {`
`89`	`89`
`90`	`90`	`private class ArgvSource extends LocalFlowSource {`
`91`	`91`	`ArgvSource() {`
`92`		`- exists(Parameter argv \|`
`93`		`- argv.hasName("argv") and`
`94`		`- argv.getFunction().hasGlobalName("main") and`
	`92`	`+ exists(Function main, Parameter argv \|`
	`93`	`+ main.hasGlobalName("main") and`
	`94`	`+ main.getParameter(1) = argv and`
`95`	`95`	`this.asExpr() = argv.getAnAccess()`
`96`	`96`	`)`
`97`	`97`	`}`