C++: Rewrite cpp/uncontrolled-process-operation to not use `Default…

…TaintTracking`
github · Oct 26, 2023 · d013b4a · d013b4a
1 parent dbb4167
commit d013b4a
Showing 1 changed file with 28 additions and 10 deletions.
diff --git a/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql b/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
@@ -14,25 +14,43 @@
 
 import cpp
 import semmle.code.cpp.security.Security
-import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl
-import TaintedWithPath
+import semmle.code.cpp.security.FlowSources
+import semmle.code.cpp.ir.dataflow.TaintTracking
+import Flow::PathGraph
 
-predicate isProcessOperationExplanation(Expr arg, string processOperation) {
+predicate isProcessOperationExplanation(DataFlow::Node arg, string processOperation) {
   exists(int processOperationArg, FunctionCall call |
     isProcessOperationArgument(processOperation, processOperationArg) and
     call.getTarget().getName() = processOperation and
-    call.getArgument(processOperationArg) = arg
+    call.getArgument(processOperationArg) = [arg.asExpr(), arg.asIndirectExpr()]
   )
 }
 
-class Configuration extends TaintTrackingConfiguration {
-  override predicate isSink(Element arg) { isProcessOperationExplanation(arg, _) }
+module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) {
+    node instanceof FlowSource and not node instanceof DataFlow::ExprNode
+  }
+
+  predicate isSink(DataFlow::Node node) { isProcessOperationExplanation(node, _) }
 }
 
-from string processOperation, Expr arg, Expr source, PathNode sourceNode, PathNode sinkNode
+module Flow = TaintTracking::Global<Config>;
+
+from
+  string processOperation, DataFlow::Node source, DataFlow::Node sink, Flow::PathNode sourceNode,
+  Flow::PathNode sinkNode
 where
-  isProcessOperationExplanation(arg, processOperation) and
-  taintedWithPath(source, arg, sourceNode, sinkNode)
-select arg, sourceNode, sinkNode,
+  source = sourceNode.getNode() and
+  sink = sinkNode.getNode() and
+  isProcessOperationExplanation(sink, processOperation) and
+  Flow::flowPath(sourceNode, sinkNode)
+//  and
+// not exists(int i, int j, DataFlow::Node sink2, Flow::PathNode sinkNode2 |
+//   Flow::flowPath(sourceNode, sinkNode2) and
+//   sink2 = sinkNode2.getNode() and
+//   sink2.asIndirectExpr(i) = sink.asIndirectExpr(j) and
+//   i < j
+// )
+select sink, sourceNode, sinkNode,
   "The value of this argument may come from $@ and is being passed to " + processOperation + ".",
   source, source.toString()