
Commit d9a2347

committed
C++: Switch back to IR taint.
1 parent e4a3e9e commit d9a2347


1 file changed

+14
-6
lines changed


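--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
@@ -12,31 +12,39 @@
 */
 
 import cpp
-import semmle.code.cpp.security.BufferWrite
+import semmle.code.cpp.security.BufferWrite as BufferWrite
 import semmle.code.cpp.security.SensitiveExprs
 import semmle.code.cpp.security.Security
-import semmle.code.cpp.dataflow.TaintTracking
+import semmle.code.cpp.ir.dataflow.TaintTracking
 import DataFlow::PathGraph
 
+Expr exprForNode(DataFlow::Node n) {
+n = DataFlow::exprNode(result)
+or
+// (similar to DefaultTaintTracking's `getNodeForExpr`)
+n = DataFlow::definitionByReferenceNodeFromArgument(result) and
+not argv(result.(VariableAccess).getTarget())
+}
+
 /**
 * Taint flow from user input to a buffer write.
 */
 class ToBufferConfiguration extends TaintTracking::Configuration {
 ToBufferConfiguration() { this = "ToBufferConfiguration" }
 
-override predicate isSource(DataFlow::Node source) { isUserInput(source.asExpr(), _) }
+override predicate isSource(DataFlow::Node source) { isUserInput(exprForNode(source), _) }
 
 override predicate isSink(DataFlow::Node sink) {
-exists(BufferWrite w | w.getASource() = sink.asExpr())
+exists(BufferWrite::BufferWrite w | w.getASource() = sink.asExpr())
 }
 }
 
 from
-ToBufferConfiguration config, BufferWrite w, Expr taintSource, DataFlow::PathNode sourceNode,
+ToBufferConfiguration config, BufferWrite::BufferWrite w, Expr taintSource, DataFlow::PathNode sourceNode,
 DataFlow::PathNode sinkNode, string taintCause, SensitiveExpr dest
 where
 config.hasFlowPath(sourceNode, sinkNode) and
-taintSource = sourceNode.getNode().asExpr() and
+taintSource = exprForNode(sourceNode.getNode()) and
 w.getASource() = sinkNode.getNode().asExpr() and
 isUserInput(taintSource, taintCause) and
 dest = w.getDest()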
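Review bot: `exprForNode` (new lines 21–27) has no QLDoc, and its only comment defers to `getNodeForExpr` in DefaultTaintTracking without saying why the by-reference case excludes `argv`. This predicate now decides which nodes count as user-input sources for a CWE-311 query, both in `isSource` and in the `where` clause, so an undocumented edit to it can silently add false positives or drop results. I would put `/** Gets the expression for node n: the expression n represents, or the argument whose by-reference definition n is (excluding accesses to argv). */` above it, and mark it `private` if nothing else is meant to use it. The sink side still matches on `sink.asExpr()` in `isSink` and on `sinkNode.getNode().asExpr()` in the `where` clause; if that asymmetry with the source side is deliberate, a one-line comment such as `// sinks are plain expression reads, so asExpr() is sufficient here` would record it.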
