From f54379d09654ad40e90529f957648606448784fb Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Wed, 25 Oct 2023 09:38:49 +0100
Subject: [PATCH 1/2] C++: Add failing test.
---
 .../dataflow/taint-tests/localTaint.expected | 7 +++++++
 .../test/library-tests/dataflow/taint-tests/taint.cpp | 10 ++++++++++
 2 files changed, 17 insertions(+)
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
index 22b44fd27d5..8080f4f3c7a 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -6622,6 +6622,13 @@ WARNING: Module TaintTracking has been deprecated and may be removed in future (
 | taint.cpp:711:13:711:13 | s | taint.cpp:711:2:711:8 | call to strncpy | TAINT |
 | taint.cpp:711:13:711:13 | s | taint.cpp:711:10:711:10 | ref arg d | TAINT |
 | taint.cpp:712:7:712:7 | ref arg d | taint.cpp:709:25:709:25 | d | |
+| taint.cpp:718:17:718:31 | call to indirect_source | taint.cpp:720:27:720:32 | source | |
+| taint.cpp:719:22:719:29 | ,.-;:_ | taint.cpp:720:35:720:39 | delim | |
+| taint.cpp:719:22:719:29 | ,.-;:_ | taint.cpp:722:8:722:12 | delim | |
+| taint.cpp:720:20:720:25 | call to strtok | taint.cpp:721:8:721:16 | tokenized | |
+| taint.cpp:720:27:720:32 | source | taint.cpp:720:20:720:25 | call to strtok | TAINT |
+| taint.cpp:721:8:721:16 | tokenized | taint.cpp:721:7:721:16 | * ... | TAINT |
+| taint.cpp:722:8:722:12 | delim | taint.cpp:722:7:722:12 | * ... | TAINT |
 | vector.cpp:16:43:16:49 | source1 | vector.cpp:17:26:17:32 | source1 | |
 | vector.cpp:16:43:16:49 | source1 | vector.cpp:31:38:31:44 | source1 | |
 | vector.cpp:17:21:17:33 | call to vector | vector.cpp:19:14:19:14 | v | |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
index 2df0fc85bb6..75359c146d3 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
@@ -710,4 +710,14 @@ void test_strncpy(char* d, char* s) {
 argument_source(s);
 strncpy(d, s, 16);
 sink(d); // $ ast ir
+}
+
+char* indirect_source();
+
+void test_strtok_indirect() {
+ char *source = indirect_source();
+ const char* delim = ",.-;:_";
+ char* tokenized = strtok(source, delim);
+ sink(*tokenized); // $ MISSING: ast,ir
+ sink(*delim);
 }
\ No newline at end of file
From 032572b924fb2f3f09ff82502f41277a64a1a696 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Wed, 25 Oct 2023 09:39:36 +0100
Subject: [PATCH 2/2] C++: Fix 'strtok' model.
---
 cpp/ql/lib/semmle/code/cpp/models/implementations/Strtok.qll | 2 ++
 cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Strtok.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Strtok.qll
index f2759e4a737..6ccc4eb2fbe 100644
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Strtok.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Strtok.qll
@@ -32,6 +32,8 @@ private class Strtok extends ArrayFunction, AliasFunction, TaintFunction, SideEf
 override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
 input.isParameter(0) and output.isReturnValue()
+ or
+ input.isParameterDeref(0) and output.isReturnValueDeref()
 }
 override predicate hasOnlySpecificReadSideEffects() { none() }
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
index 75359c146d3..6c13e8fa2bb 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
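Review bot: The new test_strtok_indirect does not state what it checks, so the annotated `sink(*tokenized)` next to an unannotated `sink(*delim)` reads as an unexplained asymmetry rather than a positive case paired with a negative one. A comment above the strtok call would settle it, e.g. `// strtok returns a pointer into 'source', so taint on the buffer contents must reach *tokenized; delim is only read, so *delim must not be reported`. Whether indirect_source() taints the pointee rather than the pointer is not visible in this hunk and is presumably established by its model elsewhere; worth confirming before the comment asserts it. The function is complete within the hunk.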
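Review bot: The added disjunct relates only the buffer passed in a given call to that same call's return value, but strtok keeps the buffer in internal static state and a later `strtok(NULL, delim)` returns a pointer into the buffer from the earlier call, so taint on that buffer's contents will not reach the continuation call's result under this model. If that cross-call flow is out of scope, a comment next to the new lines would keep the next reader from expecting it, e.g. `// Continuation calls (strtok(NULL, ...)) return pointers into the buffer of a previous call; that flow through static state is not modelled here.` Leaving the delimiter parameter out of the flow is correct, since the returned pointer never points into it. The Strtok class starts before the hunk.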
@@ -718,6 +718,6 @@ void test_strtok_indirect() {
 char *source = indirect_source();
 const char* delim = ",.-;:_";
 char* tokenized = strtok(source, delim);
- sink(*tokenized); // $ MISSING: ast,ir
+ sink(*tokenized); // $ ir MISSING: ast
 sink(*delim);
 }
\ No newline at end of file