CPP: Adjust ArithmeticTainted.ql so that it can work on non-VariableAccesses.

geoffw0 · geoffw0 · commit b0805f8e791f · 2019-01-28T17:36:56.000Z
diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
@@ -16,18 +16,18 @@ import semmle.code.cpp.security.Overflow
 import semmle.code.cpp.security.Security
 import semmle.code.cpp.security.TaintTracking
 
-predicate taintedVarAccess(Expr origin, VariableAccess va) {
-  isUserInput(origin, _) and
-  tainted(origin, va)
-}
-
-from Expr origin, Operation op, VariableAccess va, string effect
-where taintedVarAccess(origin, va)
-  and op.getAnOperand() = va
+from Expr origin, Operation op, Expr e, string effect
+where isUserInput(origin, _)
+  and tainted(origin, e)
+  and op.getAnOperand() = e
   and
   (
-    (missingGuardAgainstUnderflow(op, va) and effect = "underflow") or
-    (missingGuardAgainstOverflow(op, va) and effect = "overflow")
+    (missingGuardAgainstUnderflow(op, e) and effect = "underflow") or
+    (missingGuardAgainstOverflow(op, e) and effect = "overflow") or
+    (not e instanceof VariableAccess and effect = "overflow")
+  ) and (
+    op instanceof UnaryArithmeticOperation or
+    op instanceof BinaryArithmeticOperation
   )
-select va, "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".",
+select e, "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".",
   origin, "User-provided value"
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected
@@ -1,6 +1,7 @@
 | test3.c:15:10:15:10 | x | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test3.c:11:15:11:18 | argv | User-provided value |
 | test3.c:15:14:15:14 | y | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test3.c:11:15:11:18 | argv | User-provided value |
 | test3.c:15:18:15:18 | z | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test3.c:11:15:11:18 | argv | User-provided value |
+| test5.cpp:17:6:17:18 | call to getTaintedInt | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
 | test5.cpp:19:6:19:6 | y | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
 | test5.cpp:19:6:19:6 | y | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
 | test.c:14:15:14:28 | maxConnections | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:11:29:11:32 | argv | User-provided value |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test5.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test5.cpp
@@ -14,7 +14,7 @@ void useTaintedInt()
 {
 	int x, y;
 
-	x = getTaintedInt() * 1024; // BAD: arithmetic on a tainted value [NOT DETECTED]
+	x = getTaintedInt() * 1024; // BAD: arithmetic on a tainted value
 	y = getTaintedInt();
 	y = y * 1024; // BAD: arithmetic on a tainted value
 }

Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@ void useTaintedInt()`
`14`	`14`	`{`
`15`	`15`	`int x, y;`
`16`	`16`
`17`		`- x = getTaintedInt() * 1024; // BAD: arithmetic on a tainted value [NOT DETECTED]`
	`17`	`+ x = getTaintedInt() * 1024; // BAD: arithmetic on a tainted value`
`18`	`18`	`y = getTaintedInt();`
`19`	`19`	`y = y * 1024; // BAD: arithmetic on a tainted value`
`20`	`20`	`}`