Merge pull request github#3137 from jbj/DefaultTaintTracking-argv

rdmarsh2 · web-flow · commit 968ddc6274a4 · 2020-03-26T15:29:52.000-07:00
C++: Never track flow out of an argv argument
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
@@ -60,7 +60,14 @@ private DataFlow::Node getNodeForSource(Expr source) {
   (
     result = DataFlow::exprNode(source)
     or
-    result = DataFlow::definitionByReferenceNode(source)
+    // Some of the sources in `isUserInput` are intended to match the value of
+    // an expression, while others (those modeled below) are intended to match
+    // the taint that propagates out of an argument, like the `char *` argument
+    // to `gets`. It's impossible here to tell which is which, but the "access
+    // to argv" source is definitely not intended to match an output argument,
+    // and it causes false positives if we let it.
+    result = DataFlow::definitionByReferenceNode(source) and
+    not argv(source.(VariableAccess).getTarget())
   )
 }
 

Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,14 @@ private DataFlow::Node getNodeForSource(Expr source) {`
`60`	`60`	`(`
`61`	`61`	`result = DataFlow::exprNode(source)`
`62`	`62`	`or`
`63`		`- result = DataFlow::definitionByReferenceNode(source)`
	`63`	+ // Some of the sources in `isUserInput` are intended to match the value of
	`64`	`+ // an expression, while others (those modeled below) are intended to match`
	`65`	+ // the taint that propagates out of an argument, like the `char *` argument
	`66`	+ // to `gets`. It's impossible here to tell which is which, but the "access
	`67`	`+ // to argv" source is definitely not intended to match an output argument,`
	`68`	`+ // and it causes false positives if we let it.`
	`69`	`+ result = DataFlow::definitionByReferenceNode(source) and`
	`70`	`+ not argv(source.(VariableAccess).getTarget())`
`64`	`71`	`)`
`65`	`72`	`}`
`66`	`73`