Merge pull request #6184 from github/rdmarsh2/improve-exec-tainted

C++: Refactor ExecTainted.ql to only report results after string concatenation

Author: jbj

cpp/change-notes/2021-09-27-command-line-injection.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The "Uncontrolled data used in OS command" (`cpp/command-line-injection`) query has been enhanced to reduce false positive results and its `@precision` increased to `high`

cpp/ql/lib/semmle/code/cpp/commons/Printf.qll

@@ -253,6 +253,21 @@ class FormattingFunctionCall extends Expr {
     // format arguments must be known
     exists(getTarget().(FormattingFunction).getFirstFormatArgumentIndex())
   }
+
+  /**
+   * Gets the argument, if any, to which the output is written. If `isStream` is
+   * `true`, the output argument is a stream (that is, this call behaves like
+   * `fprintf`). If `isStream` is `false`, the output argument is a buffer (that
+   * is, this call behaves like `sprintf`)
+   */
+  Expr getOutputArgument(boolean isStream) {
+    result =
+      this.(Call)
+          .getArgument(this.(Call)
+                .getTarget()
+                .(FormattingFunction)
+                .getOutputParameterIndex(isStream))
+  }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll

@@ -4,7 +4,7 @@ private import semmle.code.cpp.ir.dataflow.DataFlow
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
 private import semmle.code.cpp.ir.dataflow.DataFlow3
 private import semmle.code.cpp.ir.IR
-private import semmle.code.cpp.ir.dataflow.internal.DataFlowDispatch as Dispatch
+private import semmle.code.cpp.ir.dataflow.ResolveCall
 private import semmle.code.cpp.controlflow.IRGuards
 private import semmle.code.cpp.models.interfaces.Taint
 private import semmle.code.cpp.models.interfaces.DataFlow
@@ -355,20 +355,6 @@ predicate taintedIncludingGlobalVars(Expr source, Element tainted, string global
  */
 GlobalOrNamespaceVariable globalVarFromId(string id) { id = result.getQualifiedName() }
 
-/**
- * Resolve potential target function(s) for `call`.
- *
- * If `call` is a call through a function pointer (`ExprCall`) or
- * targets a virtual method, simple data flow analysis is performed
- * in order to identify target(s).
- */
-Function resolveCall(Call call) {
-  exists(CallInstruction callInstruction |
-    callInstruction.getAST() = call and
-    result = Dispatch::viableCallable(callInstruction)
-  )
-}
-
 /**
  * Provides definitions for augmenting source/sink pairs with data-flow paths
  * between them. From a `@kind path-problem` query, import this module in the

cpp/ql/lib/semmle/code/cpp/ir/dataflow/ResolveCall.qll

@@ -0,0 +1,23 @@
+/**
+ * Provides a predicate for non-contextual virtual dispatch and function
+ * pointer resolution.
+ */
+
+import cpp
+private import semmle.code.cpp.ir.ValueNumbering
+private import internal.DataFlowDispatch
+private import semmle.code.cpp.ir.IR
+
+/**
+ * Resolve potential target function(s) for `call`.
+ *
+ * If `call` is a call through a function pointer (`ExprCall`) or its target is
+ * a virtual member function, simple data flow analysis is performed in order
+ * to identify the possible target(s).
+ */
+Function resolveCall(Call call) {
+  exists(CallInstruction callInstruction |
+    callInstruction.getAST() = call and
+    result = viableCallable(callInstruction)
+  )
+}

cpp/ql/lib/semmle/code/cpp/models/Models.qll

@@ -36,3 +36,4 @@ private import implementations.Select
 private import implementations.MySql
 private import implementations.SqLite3
 private import implementations.PostgreSql
+private import implementations.System

cpp/ql/lib/semmle/code/cpp/models/implementations/System.qll

@@ -0,0 +1,43 @@
+import cpp
+import semmle.code.cpp.models.interfaces.SideEffect
+import semmle.code.cpp.models.interfaces.Alias
+import semmle.code.cpp.models.interfaces.CommandExecution
+
+/**
+ * A function for running a command using a command interpreter.
+ */
+private class SystemFunction extends CommandExecutionFunction, ArrayFunction, AliasFunction,
+  SideEffectFunction {
+  SystemFunction() {
+    hasGlobalOrStdName("system") or // system(command)
+    hasGlobalName("popen") or // popen(command, mode)
+    // Windows variants
+    hasGlobalName("_popen") or // _popen(command, mode)
+    hasGlobalName("_wpopen") or // _wpopen(command, mode)
+    hasGlobalName("_wsystem") // _wsystem(command)
+  }
+
+  override predicate hasCommandArgument(FunctionInput input) { input.isParameterDeref(0) }
+
+  override predicate hasArrayWithNullTerminator(int bufParam) { bufParam = 0 or bufParam = 1 }
+
+  override predicate hasArrayInput(int bufParam) { bufParam = 0 or bufParam = 1 }
+
+  override predicate parameterNeverEscapes(int index) { index = 0 or index = 1 }
+
+  override predicate parameterEscapesOnlyViaReturn(int index) { none() }
+
+  override predicate parameterIsAlwaysReturned(int index) { none() }
+
+  override predicate hasOnlySpecificReadSideEffects() { any() }
+
+  override predicate hasOnlySpecificWriteSideEffects() {
+    hasGlobalOrStdName("system") or
+    hasGlobalName("_wsystem")
+  }
+
+  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
+    (i = 0 or i = 1) and
+    buffer = true
+  }
+}

cpp/ql/lib/semmle/code/cpp/models/interfaces/CommandExecution.qll

@@ -0,0 +1,23 @@
+/**
+ * Provides classes for modeling functions that execute new programs by
+ * interpreting string data as shell commands. To use this QL library, create
+ * a QL class extending `CommandExecutionFunction` with a characteristic
+ * predicate that selects the function or set of functions you are modeling.
+ * Within that class, override the `hasCommandArgument` predicate to indicate
+ * which parameters are interpreted as shell commands.
+ */
+
+import cpp
+import FunctionInputsAndOutputs
+import semmle.code.cpp.models.Models
+
+/**
+ * A function, such as `exec` or `popen` that starts a new process by
+ * interpreting a string as a shell command.
+ */
+abstract class CommandExecutionFunction extends Function {
+  /**
+   * Holds if `input` is interpreted as a shell command.
+   */
+  abstract predicate hasCommandArgument(FunctionInput input);
+}

cpp/ql/lib/semmle/code/cpp/security/CommandExecution.qll

@@ -4,42 +4,20 @@ import cpp
 import semmle.code.cpp.security.FunctionWithWrappers
 import semmle.code.cpp.models.interfaces.SideEffect
 import semmle.code.cpp.models.interfaces.Alias
+import semmle.code.cpp.models.interfaces.CommandExecution
 
 /**
  * A function for running a command using a command interpreter.
  */
-class SystemFunction extends FunctionWithWrappers, ArrayFunction, AliasFunction, SideEffectFunction {
-  SystemFunction() {
-    hasGlobalOrStdName("system") or // system(command)
-    hasGlobalName("popen") or // popen(command, mode)
-    // Windows variants
-    hasGlobalName("_popen") or // _popen(command, mode)
-    hasGlobalName("_wpopen") or // _wpopen(command, mode)
-    hasGlobalName("_wsystem") // _wsystem(command)
-  }
-
-  override predicate interestingArg(int arg) { arg = 0 }
-
-  override predicate hasArrayWithNullTerminator(int bufParam) { bufParam = 0 or bufParam = 1 }
-
-  override predicate hasArrayInput(int bufParam) { bufParam = 0 or bufParam = 1 }
-
-  override predicate parameterNeverEscapes(int index) { index = 0 or index = 1 }
-
-  override predicate parameterEscapesOnlyViaReturn(int index) { none() }
-
-  override predicate parameterIsAlwaysReturned(int index) { none() }
-
-  override predicate hasOnlySpecificReadSideEffects() { any() }
-
-  override predicate hasOnlySpecificWriteSideEffects() {
-    hasGlobalOrStdName("system") or
-    hasGlobalName("_wsystem")
-  }
-
-  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
-    (i = 0 or i = 1) and
-    buffer = true
+class SystemFunction extends FunctionWithWrappers instanceof CommandExecutionFunction {
+  override predicate interestingArg(int arg) {
+    exists(FunctionInput input |
+      this.(CommandExecutionFunction).hasCommandArgument(input) and
+      (
+        input.isParameterDerefOrQualifierObject(arg) or
+        input.isParameterOrQualifierAddress(arg)
+      )
+    )
   }
 }
 

cpp/ql/lib/semmle/code/cpp/security/FunctionWithWrappers.qll

@@ -17,7 +17,7 @@
 
 import cpp
 import PrintfLike
-private import TaintTracking
+private import semmle.code.cpp.ir.dataflow.ResolveCall
 
 bindingset[index]
 private string toCause(Function func, int index) {

cpp/ql/src/Security/CWE/CWE-078/ExecTainted.c

@@ -9,7 +9,7 @@ int main(int argc, char** argv) {
     system(command1);
   }
 
-  {  
+  {
     // GOOD: the user string is encoded by a library routine.
     char userNameQuoted[1000] = {0};
     encodeShellString(userNameQuoted, 1000, userName);