diff --git a/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql b/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
index 883a6b07423fa..2870f1e541426 100644
--- a/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
+++ b/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
@@ -14,25 +14,43 @@
 import cpp
 import semmle.code.cpp.security.Security
-import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl
-import TaintedWithPath
+import semmle.code.cpp.security.FlowSources
+import semmle.code.cpp.ir.dataflow.TaintTracking
+import Flow::PathGraph
 
-predicate isProcessOperationExplanation(Expr arg, string processOperation) {
+predicate isProcessOperationExplanation(DataFlow::Node arg, string processOperation) {
   exists(int processOperationArg, FunctionCall call |
     isProcessOperationArgument(processOperation, processOperationArg) and
     call.getTarget().getName() = processOperation and
-    call.getArgument(processOperationArg) = arg
+    call.getArgument(processOperationArg) = [arg.asExpr(), arg.asIndirectExpr()]
   )
 }
 
-class Configuration extends TaintTrackingConfiguration {
-  override predicate isSink(Element arg) { isProcessOperationExplanation(arg, _) }
+module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) {
+    node instanceof FlowSource and not node instanceof DataFlow::ExprNode
+  }
+
+  predicate isSink(DataFlow::Node node) { isProcessOperationExplanation(node, _) }
 }
 
-from string processOperation, Expr arg, Expr source, PathNode sourceNode, PathNode sinkNode
+module Flow = TaintTracking::Global;
+
+from
+  string processOperation, DataFlow::Node source, DataFlow::Node sink, Flow::PathNode sourceNode,
+  Flow::PathNode sinkNode
 where
-  isProcessOperationExplanation(arg, processOperation) and
-  taintedWithPath(source, arg, sourceNode, sinkNode)
-select arg, sourceNode, sinkNode,
+  source = sourceNode.getNode() and
+  sink = sinkNode.getNode() and
+  isProcessOperationExplanation(sink, processOperation) and
+  Flow::flowPath(sourceNode, sinkNode)
+// and
+// not exists(int i, int j, DataFlow::Node sink2, Flow::PathNode sinkNode2 |
+//   Flow::flowPath(sourceNode, sinkNode2) and
+//   sink2 = sinkNode2.getNode() and
+//   sink2.asIndirectExpr(i) = sink.asIndirectExpr(j) and
+//   i < j
+// )
+select sink, sourceNode,
sinkNode, "The value of this argument may come from $@ and is being passed to " + processOperation + ".", source, source.toString()
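Review bot: The seven commented-out lines after `Flow::flowPath(sourceNode, sinkNode)` leave dead query logic in the shipped query with no explanation, and since the sink predicate now matches both `arg.asExpr()` and `arg.asIndirectExpr()` for the same call argument, they look like an unfinished attempt to collapse duplicate alerts reported at different indirection levels. Either finish that deduplication or drop the block and record the open question in one line, e.g. `// TODO: a call argument can be reported twice (pointer value and pointee); decide whether to collapse alerts by indirection index.`. The `isSource` restriction `not node instanceof DataFlow::ExprNode` is likewise undocumented; presumably it keeps only indirect (pointed-to) sources so the same input is not reported once per node kind, and if so a comment such as `// Only indirect sources: the tainted data is the buffer contents, not the pointer value.` would make that intent explicit. The line `module Flow = TaintTracking::Global;` as shown carries no `<Config>` instantiation argument, which reads like an extraction artifact rather than a commit defect, but it is worth confirming the parameter is present in the actual file.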