C++: Add a new model class describing pure memory functions, and use this new model in DefaultSafeExternalAPIFunction.

MathiasVP · MathiasVP · commit 715f2333609c · 2020-11-18T12:47:33.000+01:00
diff --git a/cpp/ql/src/Security/CWE/CWE-020/SafeExternalAPIFunction.qll b/cpp/ql/src/Security/CWE/CWE-020/SafeExternalAPIFunction.qll
@@ -12,5 +12,9 @@ abstract class SafeExternalAPIFunction extends Function { }
 
 /** The default set of "safe" external APIs. */
 private class DefaultSafeExternalAPIFunction extends SafeExternalAPIFunction {
-  DefaultSafeExternalAPIFunction() { this.hasGlobalName(["strcmp", "strlen", "memcmp"]) }
+  DefaultSafeExternalAPIFunction() {
+    this instanceof PureStrFunction or
+    this instanceof StrLenFunction or
+    this instanceof PureMemFunction
+  }
 }
diff --git a/cpp/ql/src/Security/CWE/CWE-020/ir/SafeExternalAPIFunction.qll b/cpp/ql/src/Security/CWE/CWE-020/ir/SafeExternalAPIFunction.qll
@@ -12,5 +12,9 @@ abstract class SafeExternalAPIFunction extends Function { }
 
 /** The default set of "safe" external APIs. */
 private class DefaultSafeExternalAPIFunction extends SafeExternalAPIFunction {
-  DefaultSafeExternalAPIFunction() { this.hasGlobalName(["strcmp", "strlen", "memcmp"]) }
+  DefaultSafeExternalAPIFunction() {
+    this instanceof PureStrFunction or
+    this instanceof StrLenFunction or
+    this instanceof PureMemFunction
+  }
 }
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Pure.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Pure.qll
@@ -3,6 +3,7 @@ import semmle.code.cpp.models.interfaces.Taint
 import semmle.code.cpp.models.interfaces.Alias
 import semmle.code.cpp.models.interfaces.SideEffect
 
+/** Pure string functions. */
 class PureStrFunction extends AliasFunction, ArrayFunction, TaintFunction, SideEffectFunction {
   PureStrFunction() {
     hasGlobalOrStdName([
@@ -58,6 +59,7 @@ class PureStrFunction extends AliasFunction, ArrayFunction, TaintFunction, SideE
   }
 }
 
+/** String standard `strlen` function, and related functions for computing string lengths. */
 class StrLenFunction extends AliasFunction, ArrayFunction, SideEffectFunction {
   StrLenFunction() {
     hasGlobalOrStdName(["strlen", "strnlen", "wcslen"])
@@ -91,6 +93,7 @@ class StrLenFunction extends AliasFunction, ArrayFunction, SideEffectFunction {
   }
 }
 
+/** Pure functions. */
 class PureFunction extends TaintFunction, SideEffectFunction {
   PureFunction() { hasGlobalOrStdName(["abs", "labs"]) }
 
@@ -106,3 +109,49 @@ class PureFunction extends TaintFunction, SideEffectFunction {
 
   override predicate hasOnlySpecificWriteSideEffects() { any() }
 }
+
+/** Pure raw-memory functions. */
+class PureMemFunction extends AliasFunction, ArrayFunction, TaintFunction, SideEffectFunction {
+  PureMemFunction() { hasGlobalOrStdName(["memchr", "memrchr", "rawmemchr", "memcmp", "memmem"]) }
+
+  override predicate hasArrayInput(int bufParam) {
+    getParameter(bufParam).getUnspecifiedType() instanceof PointerType
+  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    exists(ParameterIndex i |
+      input.isParameter(i) and
+      exists(getParameter(i))
+      or
+      input.isParameterDeref(i) and
+      getParameter(i).getUnspecifiedType() instanceof PointerType
+    ) and
+    (
+      output.isReturnValueDeref() and
+      getUnspecifiedType() instanceof PointerType
+      or
+      output.isReturnValue()
+    )
+  }
+
+  override predicate parameterNeverEscapes(int i) {
+    getParameter(i).getUnspecifiedType() instanceof PointerType and
+    not parameterEscapesOnlyViaReturn(i)
+  }
+
+  override predicate parameterEscapesOnlyViaReturn(int i) {
+    i = 0 and
+    getUnspecifiedType() instanceof PointerType
+  }
+
+  override predicate parameterIsAlwaysReturned(int i) { none() }
+
+  override predicate hasOnlySpecificReadSideEffects() { any() }
+
+  override predicate hasOnlySpecificWriteSideEffects() { any() }
+
+  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
+    getParameter(i).getUnspecifiedType() instanceof PointerType and
+    buffer = true
+  }
+}
