diff --git a/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql b/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql index 4e626d0bc77..94a9cacf9f4 100644 --- a/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql +++ b/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql @@ -88,6 +88,11 @@ module TaintedPathConfig implements DataFlow::ConfigSig { hasUpperBoundsCheck(checkedVar) ) } + + predicate isBarrierOut(DataFlow::Node node) { + // make sinks barriers so that we only report the closest instance + isSink(node) + } } module TaintedPath = TaintTracking::Global; diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-022/semmle/tests/TaintedPath.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-022/semmle/tests/TaintedPath.expected index 4706b972967..f8b96c81b1e 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-022/semmle/tests/TaintedPath.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-022/semmle/tests/TaintedPath.expected @@ -9,7 +9,6 @@ edges | test.c:48:21:48:26 | *call to getenv | test.c:48:21:48:26 | *call to getenv | provenance | | | test.c:48:21:48:26 | *call to getenv | test.c:49:11:49:17 | *tainted | provenance | | | test.c:54:21:54:26 | *call to getenv | test.c:55:11:55:16 | *buffer | provenance | TaintFunction | -| test.c:54:21:54:26 | *call to getenv | test.c:56:11:56:16 | *buffer | provenance | TaintFunction | | test.c:74:13:74:18 | read output argument | test.c:76:11:76:16 | *buffer | provenance | | | test.c:75:13:75:18 | read output argument | test.c:76:11:76:16 | *buffer | provenance | | nodes @@ -27,7 +26,6 @@ nodes | test.c:49:11:49:17 | *tainted | semmle.label | *tainted | | test.c:54:21:54:26 | *call to getenv | semmle.label | *call to getenv | | test.c:55:11:55:16 | *buffer | semmle.label | *buffer | -| test.c:56:11:56:16 | *buffer | semmle.label | *buffer | | test.c:69:14:69:20 | *access to array | semmle.label | *access to array | | test.c:74:13:74:18 | read output argument | semmle.label | read output argument | | test.c:75:13:75:18 | read output argument | semmle.label | read output argument | @@ -40,7 +38,6 @@ subpaths | test.c:44:11:44:18 | fileName | test.c:43:17:43:24 | scanf output argument | test.c:44:11:44:18 | *fileName | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:43:17:43:24 | scanf output argument | user input (value read by scanf) | | test.c:49:11:49:17 | tainted | test.c:48:21:48:26 | *call to getenv | test.c:49:11:49:17 | *tainted | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:48:21:48:26 | *call to getenv | user input (an environment variable) | | test.c:55:11:55:16 | buffer | test.c:54:21:54:26 | *call to getenv | test.c:55:11:55:16 | *buffer | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:54:21:54:26 | *call to getenv | user input (an environment variable) | -| test.c:56:11:56:16 | buffer | test.c:54:21:54:26 | *call to getenv | test.c:56:11:56:16 | *buffer | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:54:21:54:26 | *call to getenv | user input (an environment variable) | | test.c:69:14:69:20 | access to array | test.c:8:27:8:30 | **argv | test.c:69:14:69:20 | *access to array | This argument to a file access function is derived from $@ and then passed to readFile(fileName), which calls fopen(filename). | test.c:8:27:8:30 | **argv | user input (a command-line argument) | | test.c:76:11:76:16 | buffer | test.c:74:13:74:18 | read output argument | test.c:76:11:76:16 | *buffer | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:74:13:74:18 | read output argument | user input (buffer read by read) | | test.c:76:11:76:16 | buffer | test.c:75:13:75:18 | read output argument | test.c:76:11:76:16 | *buffer | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:75:13:75:18 | read output argument | user input (buffer read by read) |