C++: Rewrite cpp/uncontrolled-process-operation to not use `Default…

…TaintTracking`
github · Nov 15, 2023 · 9df3252 · 9df3252
1 parent b8f0f85
commit 9df3252
Show file tree

Hide file tree

Showing 3 changed files with 75 additions and 132 deletions.
diff --git a/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql b/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
@@ -14,25 +14,43 @@
 
 import cpp
 import semmle.code.cpp.security.Security
-import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl
-import TaintedWithPath
+import semmle.code.cpp.security.FlowSources
+import semmle.code.cpp.ir.dataflow.TaintTracking
+import semmle.code.cpp.ir.IR
+import Flow::PathGraph
 
-predicate isProcessOperationExplanation(Expr arg, string processOperation) {
+predicate isProcessOperationExplanation(DataFlow::Node arg, string processOperation) {
   exists(int processOperationArg, FunctionCall call |
     isProcessOperationArgument(processOperation, processOperationArg) and
     call.getTarget().getName() = processOperation and
-    call.getArgument(processOperationArg) = arg
+    call.getArgument(processOperationArg) = [arg.asExpr(), arg.asIndirectExpr()]
   )
 }
 
-class Configuration extends TaintTrackingConfiguration {
-  override predicate isSink(Element arg) { isProcessOperationExplanation(arg, _) }
+module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) {
+    node instanceof FlowSource and not node instanceof DataFlow::ExprNode
+  }
+
+  predicate isSink(DataFlow::Node node) { isProcessOperationExplanation(node, _) }
+
+  predicate isBarrier(DataFlow::Node node) {
+    isSink(node) and node.asExpr().getUnspecifiedType() instanceof ArithmeticType
+    or
+    node.asInstruction().(StoreInstruction).getResultType() instanceof ArithmeticType
+  }
 }
 
-from string processOperation, Expr arg, Expr source, PathNode sourceNode, PathNode sinkNode
+module Flow = TaintTracking::Global<Config>;
+
+from
+  string processOperation, DataFlow::Node source, DataFlow::Node sink, Flow::PathNode sourceNode,
+  Flow::PathNode sinkNode
 where
-  isProcessOperationExplanation(arg, processOperation) and
-  taintedWithPath(source, arg, sourceNode, sinkNode)
-select arg, sourceNode, sinkNode,
+  source = sourceNode.getNode() and
+  sink = sinkNode.getNode() and
+  isProcessOperationExplanation(sink, processOperation) and
+  Flow::flowPath(sourceNode, sinkNode)
+select sink, sourceNode, sinkNode,
   "The value of this argument may come from $@ and is being passed to " + processOperation + ".",
   source, source.toString()
diff --git a/...ity/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.expected b/...ity/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.expected
@@ -1,23 +1,12 @@
 edges
-| test.cpp:37:73:37:76 | data | test.cpp:43:32:43:35 | data |
-| test.cpp:37:73:37:76 | data | test.cpp:43:32:43:35 | data |
-| test.cpp:37:73:37:76 | data indirection | test.cpp:43:32:43:35 | data |
-| test.cpp:37:73:37:76 | data indirection | test.cpp:43:32:43:35 | data |
-| test.cpp:64:30:64:35 | call to getenv | test.cpp:73:24:73:27 | data |
-| test.cpp:64:30:64:35 | call to getenv | test.cpp:73:24:73:27 | data |
-| test.cpp:64:30:64:35 | call to getenv | test.cpp:73:24:73:27 | data indirection |
-| test.cpp:64:30:64:35 | call to getenv | test.cpp:73:24:73:27 | data indirection |
-| test.cpp:73:24:73:27 | data | test.cpp:37:73:37:76 | data |
+| test.cpp:37:73:37:76 | data indirection | test.cpp:43:32:43:35 | data indirection |
+| test.cpp:64:30:64:35 | call to getenv indirection | test.cpp:73:24:73:27 | data indirection |
 | test.cpp:73:24:73:27 | data indirection | test.cpp:37:73:37:76 | data indirection |
-subpaths
 nodes
-| test.cpp:37:73:37:76 | data | semmle.label | data |
 | test.cpp:37:73:37:76 | data indirection | semmle.label | data indirection |
-| test.cpp:43:32:43:35 | data | semmle.label | data |
-| test.cpp:43:32:43:35 | data | semmle.label | data |
-| test.cpp:64:30:64:35 | call to getenv | semmle.label | call to getenv |
-| test.cpp:64:30:64:35 | call to getenv | semmle.label | call to getenv |
-| test.cpp:73:24:73:27 | data | semmle.label | data |
+| test.cpp:43:32:43:35 | data indirection | semmle.label | data indirection |
+| test.cpp:64:30:64:35 | call to getenv indirection | semmle.label | call to getenv indirection |
 | test.cpp:73:24:73:27 | data indirection | semmle.label | data indirection |
+subpaths
 #select
-| test.cpp:43:32:43:35 | data | test.cpp:64:30:64:35 | call to getenv | test.cpp:43:32:43:35 | data | The value of this argument may come from $@ and is being passed to LoadLibraryA. | test.cpp:64:30:64:35 | call to getenv | call to getenv |
+| test.cpp:43:32:43:35 | data indirection | test.cpp:64:30:64:35 | call to getenv indirection | test.cpp:43:32:43:35 | data indirection | The value of this argument may come from $@ and is being passed to LoadLibraryA. | test.cpp:64:30:64:35 | call to getenv indirection | call to getenv indirection |
diff --git a/...ity/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected b/...ity/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected
@@ -1,112 +1,48 @@
 edges
-| test.cpp:24:30:24:36 | command | test.cpp:26:10:26:16 | command |
-| test.cpp:24:30:24:36 | command | test.cpp:26:10:26:16 | command |
-| test.cpp:29:30:29:36 | command | test.cpp:31:10:31:16 | command |
-| test.cpp:29:30:29:36 | command | test.cpp:31:10:31:16 | command |
-| test.cpp:42:18:42:23 | call to getenv | test.cpp:24:30:24:36 | command |
-| test.cpp:42:18:42:34 | call to getenv | test.cpp:24:30:24:36 | command |
-| test.cpp:43:18:43:23 | call to getenv | test.cpp:29:30:29:36 | command |
-| test.cpp:43:18:43:34 | call to getenv | test.cpp:29:30:29:36 | command |
-| test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | buffer |
-| test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | buffer |
-| test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | buffer |
-| test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | buffer |
-| test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data |
-| test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data |
-| test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data |
-| test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data |
-| test.cpp:56:12:56:17 | buffer | test.cpp:64:10:64:16 | dataref |
-| test.cpp:56:12:56:17 | buffer | test.cpp:64:10:64:16 | dataref |
-| test.cpp:56:12:56:17 | buffer | test.cpp:64:10:64:16 | dataref |
-| test.cpp:56:12:56:17 | buffer | test.cpp:64:10:64:16 | dataref |
-| test.cpp:56:12:56:17 | buffer | test.cpp:64:10:64:16 | dataref |
-| test.cpp:56:12:56:17 | buffer | test.cpp:64:10:64:16 | dataref |
-| test.cpp:56:12:56:17 | buffer | test.cpp:65:10:65:14 | data2 |
-| test.cpp:56:12:56:17 | buffer | test.cpp:65:10:65:14 | data2 |
-| test.cpp:56:12:56:17 | buffer | test.cpp:65:10:65:14 | data2 |
-| test.cpp:56:12:56:17 | buffer | test.cpp:65:10:65:14 | data2 |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | buffer |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | buffer |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | data |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | data |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | dataref |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | dataref |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | dataref |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | data2 |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | data2 |
-| test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer |
-| test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer |
-| test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer |
-| test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer |
-| test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | buffer |
-| test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | buffer |
-| test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | buffer |
-| test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | buffer |
-| test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | buffer |
-| test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | buffer |
-| test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | buffer |
-| test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | buffer |
-| test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | buffer |
-| test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | buffer |
-| test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | buffer |
-| test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | buffer |
-| test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | buffer |
-| test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | buffer |
-| test.cpp:113:8:113:12 | call to fgets | test.cpp:114:9:114:11 | ptr |
-| test.cpp:113:8:113:12 | call to fgets | test.cpp:114:9:114:11 | ptr |
-| test.cpp:113:8:113:12 | call to fgets | test.cpp:114:9:114:11 | ptr |
-| test.cpp:113:8:113:12 | call to fgets | test.cpp:114:9:114:11 | ptr |
-subpaths
+| test.cpp:24:30:24:36 | command indirection | test.cpp:26:10:26:16 | command indirection |
+| test.cpp:29:30:29:36 | command indirection | test.cpp:31:10:31:16 | command indirection |
+| test.cpp:42:18:42:34 | call to getenv indirection | test.cpp:24:30:24:36 | command indirection |
+| test.cpp:43:18:43:34 | call to getenv indirection | test.cpp:29:30:29:36 | command indirection |
+| test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | buffer indirection |
+| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | data indirection |
+| test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | (reference dereference) indirection |
+| test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | dataref indirection |
+| test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | data2 indirection |
+| test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | buffer indirection |
+| test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | buffer indirection |
+| test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | buffer indirection |
+| test.cpp:113:8:113:12 | call to fgets indirection | test.cpp:114:9:114:11 | ptr indirection |
 nodes
-| test.cpp:24:30:24:36 | command | semmle.label | command |
-| test.cpp:26:10:26:16 | command | semmle.label | command |
-| test.cpp:26:10:26:16 | command | semmle.label | command |
-| test.cpp:29:30:29:36 | command | semmle.label | command |
-| test.cpp:31:10:31:16 | command | semmle.label | command |
-| test.cpp:31:10:31:16 | command | semmle.label | command |
-| test.cpp:42:18:42:23 | call to getenv | semmle.label | call to getenv |
-| test.cpp:42:18:42:34 | call to getenv | semmle.label | call to getenv |
-| test.cpp:43:18:43:23 | call to getenv | semmle.label | call to getenv |
-| test.cpp:43:18:43:34 | call to getenv | semmle.label | call to getenv |
-| test.cpp:56:12:56:17 | buffer | semmle.label | buffer |
-| test.cpp:56:12:56:17 | buffer | semmle.label | buffer |
+| test.cpp:24:30:24:36 | command indirection | semmle.label | command indirection |
+| test.cpp:26:10:26:16 | command indirection | semmle.label | command indirection |
+| test.cpp:29:30:29:36 | command indirection | semmle.label | command indirection |
+| test.cpp:31:10:31:16 | command indirection | semmle.label | command indirection |
+| test.cpp:42:18:42:34 | call to getenv indirection | semmle.label | call to getenv indirection |
+| test.cpp:43:18:43:34 | call to getenv indirection | semmle.label | call to getenv indirection |
 | test.cpp:56:12:56:17 | fgets output argument | semmle.label | fgets output argument |
-| test.cpp:62:10:62:15 | buffer | semmle.label | buffer |
-| test.cpp:62:10:62:15 | buffer | semmle.label | buffer |
-| test.cpp:63:10:63:13 | data | semmle.label | data |
-| test.cpp:63:10:63:13 | data | semmle.label | data |
-| test.cpp:64:10:64:16 | dataref | semmle.label | dataref |
-| test.cpp:64:10:64:16 | dataref | semmle.label | dataref |
-| test.cpp:64:10:64:16 | dataref | semmle.label | dataref |
-| test.cpp:65:10:65:14 | data2 | semmle.label | data2 |
-| test.cpp:65:10:65:14 | data2 | semmle.label | data2 |
-| test.cpp:76:12:76:17 | buffer | semmle.label | buffer |
-| test.cpp:76:12:76:17 | buffer | semmle.label | buffer |
+| test.cpp:62:10:62:15 | buffer indirection | semmle.label | buffer indirection |
+| test.cpp:63:10:63:13 | data indirection | semmle.label | data indirection |
+| test.cpp:64:10:64:16 | (reference dereference) indirection | semmle.label | (reference dereference) indirection |
+| test.cpp:64:10:64:16 | dataref indirection | semmle.label | dataref indirection |
+| test.cpp:65:10:65:14 | data2 indirection | semmle.label | data2 indirection |
 | test.cpp:76:12:76:17 | fgets output argument | semmle.label | fgets output argument |
-| test.cpp:78:10:78:15 | buffer | semmle.label | buffer |
-| test.cpp:78:10:78:15 | buffer | semmle.label | buffer |
-| test.cpp:98:17:98:22 | buffer | semmle.label | buffer |
-| test.cpp:98:17:98:22 | buffer | semmle.label | buffer |
+| test.cpp:78:10:78:15 | buffer indirection | semmle.label | buffer indirection |
 | test.cpp:98:17:98:22 | recv output argument | semmle.label | recv output argument |
-| test.cpp:99:15:99:20 | buffer | semmle.label | buffer |
-| test.cpp:99:15:99:20 | buffer | semmle.label | buffer |
-| test.cpp:106:17:106:22 | buffer | semmle.label | buffer |
-| test.cpp:106:17:106:22 | buffer | semmle.label | buffer |
+| test.cpp:99:15:99:20 | buffer indirection | semmle.label | buffer indirection |
 | test.cpp:106:17:106:22 | recv output argument | semmle.label | recv output argument |
-| test.cpp:107:15:107:20 | buffer | semmle.label | buffer |
-| test.cpp:107:15:107:20 | buffer | semmle.label | buffer |
-| test.cpp:113:8:113:12 | call to fgets | semmle.label | call to fgets |
-| test.cpp:113:8:113:12 | call to fgets | semmle.label | call to fgets |
-| test.cpp:114:9:114:11 | ptr | semmle.label | ptr |
-| test.cpp:114:9:114:11 | ptr | semmle.label | ptr |
+| test.cpp:107:15:107:20 | buffer indirection | semmle.label | buffer indirection |
+| test.cpp:113:8:113:12 | call to fgets indirection | semmle.label | call to fgets indirection |
+| test.cpp:114:9:114:11 | ptr indirection | semmle.label | ptr indirection |
+subpaths
 #select
-| test.cpp:26:10:26:16 | command | test.cpp:42:18:42:23 | call to getenv | test.cpp:26:10:26:16 | command | The value of this argument may come from $@ and is being passed to system. | test.cpp:42:18:42:23 | call to getenv | call to getenv |
-| test.cpp:31:10:31:16 | command | test.cpp:43:18:43:23 | call to getenv | test.cpp:31:10:31:16 | command | The value of this argument may come from $@ and is being passed to system. | test.cpp:43:18:43:23 | call to getenv | call to getenv |
-| test.cpp:62:10:62:15 | buffer | test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | buffer | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | buffer | buffer |
-| test.cpp:63:10:63:13 | data | test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | buffer | buffer |
-| test.cpp:64:10:64:16 | dataref | test.cpp:56:12:56:17 | buffer | test.cpp:64:10:64:16 | dataref | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | buffer | buffer |
-| test.cpp:65:10:65:14 | data2 | test.cpp:56:12:56:17 | buffer | test.cpp:65:10:65:14 | data2 | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | buffer | buffer |
-| test.cpp:78:10:78:15 | buffer | test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer | The value of this argument may come from $@ and is being passed to system. | test.cpp:76:12:76:17 | buffer | buffer |
-| test.cpp:99:15:99:20 | buffer | test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | buffer | The value of this argument may come from $@ and is being passed to LoadLibrary. | test.cpp:98:17:98:22 | buffer | buffer |
-| test.cpp:107:15:107:20 | buffer | test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | buffer | The value of this argument may come from $@ and is being passed to LoadLibrary. | test.cpp:106:17:106:22 | buffer | buffer |
-| test.cpp:114:9:114:11 | ptr | test.cpp:113:8:113:12 | call to fgets | test.cpp:114:9:114:11 | ptr | The value of this argument may come from $@ and is being passed to system. | test.cpp:113:8:113:12 | call to fgets | call to fgets |
+| test.cpp:26:10:26:16 | command indirection | test.cpp:42:18:42:34 | call to getenv indirection | test.cpp:26:10:26:16 | command indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:42:18:42:34 | call to getenv indirection | call to getenv indirection |
+| test.cpp:31:10:31:16 | command indirection | test.cpp:43:18:43:34 | call to getenv indirection | test.cpp:31:10:31:16 | command indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:43:18:43:34 | call to getenv indirection | call to getenv indirection |
+| test.cpp:62:10:62:15 | buffer indirection | test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | buffer indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | fgets output argument |
+| test.cpp:63:10:63:13 | data indirection | test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | data indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | fgets output argument |
+| test.cpp:64:10:64:16 | (reference dereference) indirection | test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | (reference dereference) indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | fgets output argument |
+| test.cpp:64:10:64:16 | dataref indirection | test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | dataref indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | fgets output argument |
+| test.cpp:65:10:65:14 | data2 indirection | test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | data2 indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | fgets output argument |
+| test.cpp:78:10:78:15 | buffer indirection | test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | buffer indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:76:12:76:17 | fgets output argument | fgets output argument |
+| test.cpp:99:15:99:20 | buffer indirection | test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | buffer indirection | The value of this argument may come from $@ and is being passed to LoadLibrary. | test.cpp:98:17:98:22 | recv output argument | recv output argument |
+| test.cpp:107:15:107:20 | buffer indirection | test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | buffer indirection | The value of this argument may come from $@ and is being passed to LoadLibrary. | test.cpp:106:17:106:22 | recv output argument | recv output argument |
+| test.cpp:114:9:114:11 | ptr indirection | test.cpp:113:8:113:12 | call to fgets indirection | test.cpp:114:9:114:11 | ptr indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:113:8:113:12 | call to fgets indirection | call to fgets indirection |