Merge pull request #14561 from jketema/rewrite-uncontrolled-process-operation

jketema · web-flow · commit f22979f4b6fd · 2023-11-15T16:03:58.000+01:00
C++: Rewrite `cpp/uncontrolled-process-operation` to not use `DefaultTaintTracking`
diff --git a/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql b/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
@@ -14,25 +14,47 @@
 
 import cpp
 import semmle.code.cpp.security.Security
-import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl
-import TaintedWithPath
+import semmle.code.cpp.security.FlowSources
+import semmle.code.cpp.ir.dataflow.TaintTracking
+import semmle.code.cpp.ir.IR
+import Flow::PathGraph
 
-predicate isProcessOperationExplanation(Expr arg, string processOperation) {
+predicate isProcessOperationExplanation(DataFlow::Node arg, string processOperation) {
   exists(int processOperationArg, FunctionCall call |
     isProcessOperationArgument(processOperation, processOperationArg) and
     call.getTarget().getName() = processOperation and
-    call.getArgument(processOperationArg) = arg
+    call.getArgument(processOperationArg) = [arg.asExpr(), arg.asIndirectExpr()]
   )
 }
 
-class Configuration extends TaintTrackingConfiguration {
-  override predicate isSink(Element arg) { isProcessOperationExplanation(arg, _) }
+predicate isSource(FlowSource source, string sourceType) {
+  not source instanceof DataFlow::ExprNode and
+  sourceType = source.getSourceType()
 }
 
-from string processOperation, Expr arg, Expr source, PathNode sourceNode, PathNode sinkNode
+module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { isSource(node, _) }
+
+  predicate isSink(DataFlow::Node node) { isProcessOperationExplanation(node, _) }
+
+  predicate isBarrier(DataFlow::Node node) {
+    isSink(node) and node.asExpr().getUnspecifiedType() instanceof ArithmeticType
+    or
+    node.asInstruction().(StoreInstruction).getResultType() instanceof ArithmeticType
+  }
+}
+
+module Flow = TaintTracking::Global<Config>;
+
+from
+  string processOperation, string sourceType, DataFlow::Node source, DataFlow::Node sink,
+  Flow::PathNode sourceNode, Flow::PathNode sinkNode
 where
-  isProcessOperationExplanation(arg, processOperation) and
-  taintedWithPath(source, arg, sourceNode, sinkNode)
-select arg, sourceNode, sinkNode,
+  source = sourceNode.getNode() and
+  sink = sinkNode.getNode() and
+  isSource(source, sourceType) and
+  isProcessOperationExplanation(sink, processOperation) and
+  Flow::flowPath(sourceNode, sinkNode)
+select sink, sourceNode, sinkNode,
   "The value of this argument may come from $@ and is being passed to " + processOperation + ".",
-  source, source.toString()
+  source, sourceType
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.expected
@@ -1,23 +1,12 @@
 edges
-| test.cpp:37:73:37:76 | data | test.cpp:43:32:43:35 | data |
-| test.cpp:37:73:37:76 | data | test.cpp:43:32:43:35 | data |
-| test.cpp:37:73:37:76 | data indirection | test.cpp:43:32:43:35 | data |
-| test.cpp:37:73:37:76 | data indirection | test.cpp:43:32:43:35 | data |
-| test.cpp:64:30:64:35 | call to getenv | test.cpp:73:24:73:27 | data |
-| test.cpp:64:30:64:35 | call to getenv | test.cpp:73:24:73:27 | data |
-| test.cpp:64:30:64:35 | call to getenv | test.cpp:73:24:73:27 | data indirection |
-| test.cpp:64:30:64:35 | call to getenv | test.cpp:73:24:73:27 | data indirection |
-| test.cpp:73:24:73:27 | data | test.cpp:37:73:37:76 | data |
+| test.cpp:37:73:37:76 | data indirection | test.cpp:43:32:43:35 | data indirection |
+| test.cpp:64:30:64:35 | call to getenv indirection | test.cpp:73:24:73:27 | data indirection |
 | test.cpp:73:24:73:27 | data indirection | test.cpp:37:73:37:76 | data indirection |
-subpaths
 nodes
-| test.cpp:37:73:37:76 | data | semmle.label | data |
 | test.cpp:37:73:37:76 | data indirection | semmle.label | data indirection |
-| test.cpp:43:32:43:35 | data | semmle.label | data |
-| test.cpp:43:32:43:35 | data | semmle.label | data |
-| test.cpp:64:30:64:35 | call to getenv | semmle.label | call to getenv |
-| test.cpp:64:30:64:35 | call to getenv | semmle.label | call to getenv |
-| test.cpp:73:24:73:27 | data | semmle.label | data |
+| test.cpp:43:32:43:35 | data indirection | semmle.label | data indirection |
+| test.cpp:64:30:64:35 | call to getenv indirection | semmle.label | call to getenv indirection |
 | test.cpp:73:24:73:27 | data indirection | semmle.label | data indirection |
+subpaths
 #select
-| test.cpp:43:32:43:35 | data | test.cpp:64:30:64:35 | call to getenv | test.cpp:43:32:43:35 | data | The value of this argument may come from $@ and is being passed to LoadLibraryA. | test.cpp:64:30:64:35 | call to getenv | call to getenv |
+| test.cpp:43:32:43:35 | data indirection | test.cpp:64:30:64:35 | call to getenv indirection | test.cpp:43:32:43:35 | data indirection | The value of this argument may come from $@ and is being passed to LoadLibraryA. | test.cpp:64:30:64:35 | call to getenv indirection | an environment variable |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected
@@ -1,112 +1,48 @@
 edges
-| test.cpp:24:30:24:36 | command | test.cpp:26:10:26:16 | command |
-| test.cpp:24:30:24:36 | command | test.cpp:26:10:26:16 | command |
-| test.cpp:29:30:29:36 | command | test.cpp:31:10:31:16 | command |
-| test.cpp:29:30:29:36 | command | test.cpp:31:10:31:16 | command |
-| test.cpp:42:18:42:23 | call to getenv | test.cpp:24:30:24:36 | command |
-| test.cpp:42:18:42:34 | call to getenv | test.cpp:24:30:24:36 | command |
-| test.cpp:43:18:43:23 | call to getenv | test.cpp:29:30:29:36 | command |
-| test.cpp:43:18:43:34 | call to getenv | test.cpp:29:30:29:36 | command |
-| test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | buffer |
-| test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | buffer |
-| test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | buffer |
-| test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | buffer |
-| test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data |
-| test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data |
-| test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data |
-| test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data |
-| test.cpp:56:12:56:17 | buffer | test.cpp:64:10:64:16 | dataref |
-| test.cpp:56:12:56:17 | buffer | test.cpp:64:10:64:16 | dataref |
-| test.cpp:56:12:56:17 | buffer | test.cpp:64:10:64:16 | dataref |
-| test.cpp:56:12:56:17 | buffer | test.cpp:64:10:64:16 | dataref |
-| test.cpp:56:12:56:17 | buffer | test.cpp:64:10:64:16 | dataref |
-| test.cpp:56:12:56:17 | buffer | test.cpp:64:10:64:16 | dataref |
-| test.cpp:56:12:56:17 | buffer | test.cpp:65:10:65:14 | data2 |
-| test.cpp:56:12:56:17 | buffer | test.cpp:65:10:65:14 | data2 |
-| test.cpp:56:12:56:17 | buffer | test.cpp:65:10:65:14 | data2 |
-| test.cpp:56:12:56:17 | buffer | test.cpp:65:10:65:14 | data2 |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | buffer |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | buffer |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | data |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | data |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | dataref |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | dataref |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | dataref |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | data2 |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | data2 |
-| test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer |
-| test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer |
-| test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer |
-| test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer |
-| test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | buffer |
-| test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | buffer |
-| test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | buffer |
-| test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | buffer |
-| test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | buffer |
-| test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | buffer |
-| test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | buffer |
-| test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | buffer |
-| test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | buffer |
-| test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | buffer |
-| test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | buffer |
-| test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | buffer |
-| test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | buffer |
-| test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | buffer |
-| test.cpp:113:8:113:12 | call to fgets | test.cpp:114:9:114:11 | ptr |
-| test.cpp:113:8:113:12 | call to fgets | test.cpp:114:9:114:11 | ptr |
-| test.cpp:113:8:113:12 | call to fgets | test.cpp:114:9:114:11 | ptr |
-| test.cpp:113:8:113:12 | call to fgets | test.cpp:114:9:114:11 | ptr |
-subpaths
+| test.cpp:24:30:24:36 | command indirection | test.cpp:26:10:26:16 | command indirection |
+| test.cpp:29:30:29:36 | command indirection | test.cpp:31:10:31:16 | command indirection |
+| test.cpp:42:18:42:34 | call to getenv indirection | test.cpp:24:30:24:36 | command indirection |
+| test.cpp:43:18:43:34 | call to getenv indirection | test.cpp:29:30:29:36 | command indirection |
+| test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | buffer indirection |
+| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | data indirection |
+| test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | (reference dereference) indirection |
+| test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | dataref indirection |
+| test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | data2 indirection |
+| test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | buffer indirection |
+| test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | buffer indirection |
+| test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | buffer indirection |
+| test.cpp:113:8:113:12 | call to fgets indirection | test.cpp:114:9:114:11 | ptr indirection |
 nodes
-| test.cpp:24:30:24:36 | command | semmle.label | command |
-| test.cpp:26:10:26:16 | command | semmle.label | command |
-| test.cpp:26:10:26:16 | command | semmle.label | command |
-| test.cpp:29:30:29:36 | command | semmle.label | command |
-| test.cpp:31:10:31:16 | command | semmle.label | command |
-| test.cpp:31:10:31:16 | command | semmle.label | command |
-| test.cpp:42:18:42:23 | call to getenv | semmle.label | call to getenv |
-| test.cpp:42:18:42:34 | call to getenv | semmle.label | call to getenv |
-| test.cpp:43:18:43:23 | call to getenv | semmle.label | call to getenv |
-| test.cpp:43:18:43:34 | call to getenv | semmle.label | call to getenv |
-| test.cpp:56:12:56:17 | buffer | semmle.label | buffer |
-| test.cpp:56:12:56:17 | buffer | semmle.label | buffer |
+| test.cpp:24:30:24:36 | command indirection | semmle.label | command indirection |
+| test.cpp:26:10:26:16 | command indirection | semmle.label | command indirection |
+| test.cpp:29:30:29:36 | command indirection | semmle.label | command indirection |
+| test.cpp:31:10:31:16 | command indirection | semmle.label | command indirection |
+| test.cpp:42:18:42:34 | call to getenv indirection | semmle.label | call to getenv indirection |
+| test.cpp:43:18:43:34 | call to getenv indirection | semmle.label | call to getenv indirection |
 | test.cpp:56:12:56:17 | fgets output argument | semmle.label | fgets output argument |
-| test.cpp:62:10:62:15 | buffer | semmle.label | buffer |
-| test.cpp:62:10:62:15 | buffer | semmle.label | buffer |
-| test.cpp:63:10:63:13 | data | semmle.label | data |
-| test.cpp:63:10:63:13 | data | semmle.label | data |
-| test.cpp:64:10:64:16 | dataref | semmle.label | dataref |
-| test.cpp:64:10:64:16 | dataref | semmle.label | dataref |
-| test.cpp:64:10:64:16 | dataref | semmle.label | dataref |
-| test.cpp:65:10:65:14 | data2 | semmle.label | data2 |
-| test.cpp:65:10:65:14 | data2 | semmle.label | data2 |
-| test.cpp:76:12:76:17 | buffer | semmle.label | buffer |
-| test.cpp:76:12:76:17 | buffer | semmle.label | buffer |
+| test.cpp:62:10:62:15 | buffer indirection | semmle.label | buffer indirection |
+| test.cpp:63:10:63:13 | data indirection | semmle.label | data indirection |
+| test.cpp:64:10:64:16 | (reference dereference) indirection | semmle.label | (reference dereference) indirection |
+| test.cpp:64:10:64:16 | dataref indirection | semmle.label | dataref indirection |
+| test.cpp:65:10:65:14 | data2 indirection | semmle.label | data2 indirection |
 | test.cpp:76:12:76:17 | fgets output argument | semmle.label | fgets output argument |
-| test.cpp:78:10:78:15 | buffer | semmle.label | buffer |
-| test.cpp:78:10:78:15 | buffer | semmle.label | buffer |
-| test.cpp:98:17:98:22 | buffer | semmle.label | buffer |
-| test.cpp:98:17:98:22 | buffer | semmle.label | buffer |
+| test.cpp:78:10:78:15 | buffer indirection | semmle.label | buffer indirection |
 | test.cpp:98:17:98:22 | recv output argument | semmle.label | recv output argument |
-| test.cpp:99:15:99:20 | buffer | semmle.label | buffer |
-| test.cpp:99:15:99:20 | buffer | semmle.label | buffer |
-| test.cpp:106:17:106:22 | buffer | semmle.label | buffer |
-| test.cpp:106:17:106:22 | buffer | semmle.label | buffer |
+| test.cpp:99:15:99:20 | buffer indirection | semmle.label | buffer indirection |
 | test.cpp:106:17:106:22 | recv output argument | semmle.label | recv output argument |
-| test.cpp:107:15:107:20 | buffer | semmle.label | buffer |
-| test.cpp:107:15:107:20 | buffer | semmle.label | buffer |
-| test.cpp:113:8:113:12 | call to fgets | semmle.label | call to fgets |
-| test.cpp:113:8:113:12 | call to fgets | semmle.label | call to fgets |
-| test.cpp:114:9:114:11 | ptr | semmle.label | ptr |
-| test.cpp:114:9:114:11 | ptr | semmle.label | ptr |
+| test.cpp:107:15:107:20 | buffer indirection | semmle.label | buffer indirection |
+| test.cpp:113:8:113:12 | call to fgets indirection | semmle.label | call to fgets indirection |
+| test.cpp:114:9:114:11 | ptr indirection | semmle.label | ptr indirection |
+subpaths
 #select
-| test.cpp:26:10:26:16 | command | test.cpp:42:18:42:23 | call to getenv | test.cpp:26:10:26:16 | command | The value of this argument may come from $@ and is being passed to system. | test.cpp:42:18:42:23 | call to getenv | call to getenv |
-| test.cpp:31:10:31:16 | command | test.cpp:43:18:43:23 | call to getenv | test.cpp:31:10:31:16 | command | The value of this argument may come from $@ and is being passed to system. | test.cpp:43:18:43:23 | call to getenv | call to getenv |
-| test.cpp:62:10:62:15 | buffer | test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | buffer | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | buffer | buffer |
-| test.cpp:63:10:63:13 | data | test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | buffer | buffer |
-| test.cpp:64:10:64:16 | dataref | test.cpp:56:12:56:17 | buffer | test.cpp:64:10:64:16 | dataref | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | buffer | buffer |
-| test.cpp:65:10:65:14 | data2 | test.cpp:56:12:56:17 | buffer | test.cpp:65:10:65:14 | data2 | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | buffer | buffer |
-| test.cpp:78:10:78:15 | buffer | test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer | The value of this argument may come from $@ and is being passed to system. | test.cpp:76:12:76:17 | buffer | buffer |
-| test.cpp:99:15:99:20 | buffer | test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | buffer | The value of this argument may come from $@ and is being passed to LoadLibrary. | test.cpp:98:17:98:22 | buffer | buffer |
-| test.cpp:107:15:107:20 | buffer | test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | buffer | The value of this argument may come from $@ and is being passed to LoadLibrary. | test.cpp:106:17:106:22 | buffer | buffer |
-| test.cpp:114:9:114:11 | ptr | test.cpp:113:8:113:12 | call to fgets | test.cpp:114:9:114:11 | ptr | The value of this argument may come from $@ and is being passed to system. | test.cpp:113:8:113:12 | call to fgets | call to fgets |
+| test.cpp:26:10:26:16 | command indirection | test.cpp:42:18:42:34 | call to getenv indirection | test.cpp:26:10:26:16 | command indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:42:18:42:34 | call to getenv indirection | an environment variable |
+| test.cpp:31:10:31:16 | command indirection | test.cpp:43:18:43:34 | call to getenv indirection | test.cpp:31:10:31:16 | command indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:43:18:43:34 | call to getenv indirection | an environment variable |
+| test.cpp:62:10:62:15 | buffer indirection | test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | buffer indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets |
+| test.cpp:63:10:63:13 | data indirection | test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | data indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets |
+| test.cpp:64:10:64:16 | (reference dereference) indirection | test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | (reference dereference) indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets |
+| test.cpp:64:10:64:16 | dataref indirection | test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | dataref indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets |
+| test.cpp:65:10:65:14 | data2 indirection | test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | data2 indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets |
+| test.cpp:78:10:78:15 | buffer indirection | test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | buffer indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:76:12:76:17 | fgets output argument | string read by fgets |
+| test.cpp:99:15:99:20 | buffer indirection | test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | buffer indirection | The value of this argument may come from $@ and is being passed to LoadLibrary. | test.cpp:98:17:98:22 | recv output argument | buffer read by recv |
+| test.cpp:107:15:107:20 | buffer indirection | test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | buffer indirection | The value of this argument may come from $@ and is being passed to LoadLibrary. | test.cpp:106:17:106:22 | recv output argument | buffer read by recv |
+| test.cpp:114:9:114:11 | ptr indirection | test.cpp:113:8:113:12 | call to fgets indirection | test.cpp:114:9:114:11 | ptr indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:113:8:113:12 | call to fgets indirection | string read by fgets |
