
Commit b6132d2

committed
C++: Rewrite cpp/cgi-xss to not use default taint tracking
1 parent eb3f196 commit b6132d2


2 files changed

+19
-24
lines changed


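--- a/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
+++ b/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
@@ -13,35 +13,37 @@
 
 import cpp
 import semmle.code.cpp.commons.Environment
-import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl
-import TaintedWithPath
+import semmle.code.cpp.ir.dataflow.TaintTracking
+import semmle.code.cpp.ir.IR
+import Flow::PathGraph
 
 /** A call that prints its arguments to `stdout`. */
 class PrintStdoutCall extends FunctionCall {
-PrintStdoutCall() {
-this.getTarget().hasGlobalOrStdName("puts") or
-this.getTarget().hasGlobalOrStdName("printf")
-}
+PrintStdoutCall() { this.getTarget().hasGlobalOrStdName(["puts", "printf"]) }
 }
 
 /** A read of the QUERY_STRING environment variable */
 class QueryString extends EnvironmentRead {
 QueryString() { this.getEnvironmentVariable() = "QUERY_STRING" }
 }
 
-class Configuration extends TaintTrackingConfiguration {
-override predicate isSource(Expr source) { source instanceof QueryString }
+module Config implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node node) { node.asExpr() instanceof QueryString }
 
-override predicate isSink(Element tainted) {
-exists(PrintStdoutCall call | call.getAnArgument() = tainted)
+predicate isSink(DataFlow::Node node) {
+exists(PrintStdoutCall call | call.getAnArgument() = node.asExpr())
 }
 
-override predicate isBarrier(Expr e) {
-super.isBarrier(e) or e.getUnspecifiedType() instanceof IntegralType
+predicate isBarrier(DataFlow::Node node) {
+node.asExpr().getUnspecifiedType() instanceof IntegralType
 }
 }
 
-from QueryString query, Element printedArg, PathNode sourceNode, PathNode sinkNode
-where taintedWithPath(query, printedArg, sourceNode, sinkNode)
-select printedArg, sourceNode, sinkNode, "Cross-site scripting vulnerability due to $@.", query,
-"this query data"
+module Flow = TaintTracking::Global<Config>;
+
+from QueryString query, Flow::PathNode sourceNode, Flow::PathNode sinkNode
+where
+Flow::flowPath(sourceNode, sinkNode) and
+query = sourceNode.getNode().asExpr()
+select sinkNode.getNode(), sourceNode, sinkNode, "Cross-site scripting vulnerability due to $@.",
+query, "this query data"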
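Review bot: The new `isBarrier` (new lines 37–38) keeps only the integral-type check and drops the `super.isBarrier(e)` disjunct the old configuration had, so whatever barriers the default taint-tracking implementation contributed no longer apply to this query; that is presumably the point of the rewrite, but nothing in the file records it, and the narrower barrier set is the one behavioural change here that is not a pure API migration. A why-comment on the predicate would save the next reader from re-deriving it, e.g. `// Integral values cannot carry markup, so they are not treated as tainted; no other barriers are applied.` The `Config` module and `Flow` alias also lack QLDoc; a one-liner such as `/** Taint tracking from reads of `QUERY_STRING` to arguments of `puts`/`printf`. */` on `Config` would match the documented `PrintStdoutCall` and `QueryString` classes above it. The test expectations in the second file section drop the duplicated edge and node rows, which is consistent with the sink now being the `DataFlow::Node` rather than an `Element`.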
Lines changed: 1 addition & 8 deletions
@@ -1,26 +1,19 @@
11
edges
22
| search.c:14:24:14:28 | query | search.c:17:8:17:12 | query |
3-
| search.c:14:24:14:28 | query | search.c:17:8:17:12 | query |
4-
| search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
53
| search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
64
| search.c:51:21:51:26 | call to getenv | search.c:55:17:55:25 | raw_query |
7-
| search.c:51:21:51:26 | call to getenv | search.c:55:17:55:25 | raw_query |
8-
| search.c:51:21:51:26 | call to getenv | search.c:57:17:57:25 | raw_query |
95
| search.c:51:21:51:26 | call to getenv | search.c:57:17:57:25 | raw_query |
106
| search.c:55:17:55:25 | raw_query | search.c:14:24:14:28 | query |
117
| search.c:57:17:57:25 | raw_query | search.c:22:24:22:28 | query |
12-
subpaths
138
nodes
149
| search.c:14:24:14:28 | query | semmle.label | query |
1510
| search.c:17:8:17:12 | query | semmle.label | query |
16-
| search.c:17:8:17:12 | query | semmle.label | query |
1711
| search.c:22:24:22:28 | query | semmle.label | query |
1812
| search.c:23:39:23:43 | query | semmle.label | query |
19-
| search.c:23:39:23:43 | query | semmle.label | query |
20-
| search.c:51:21:51:26 | call to getenv | semmle.label | call to getenv |
2113
| search.c:51:21:51:26 | call to getenv | semmle.label | call to getenv |
2214
| search.c:55:17:55:25 | raw_query | semmle.label | raw_query |
2315
| search.c:57:17:57:25 | raw_query | semmle.label | raw_query |
16+
subpaths
2417
#select
2518
| search.c:17:8:17:12 | query | search.c:51:21:51:26 | call to getenv | search.c:17:8:17:12 | query | Cross-site scripting vulnerability due to $@. | search.c:51:21:51:26 | call to getenv | this query data |
2619
| search.c:23:39:23:43 | query | search.c:51:21:51:26 | call to getenv | search.c:23:39:23:43 | query | Cross-site scripting vulnerability due to $@. | search.c:51:21:51:26 | call to getenv | this query data |
