Skip to content

Commit a4c060a

Browse files
MathiasVPMathiasVP
authored
Merge pull request github#4729 from MathiasVP/safe-external-api-function-use-model-interfaces-only
C++: Use model interfaces in DefaultSafeExternalAPIFunction
2 parents 89a4cff + b02ac7f commit a4c060a

File tree

3 files changed

+24
-28
lines changed

3 files changed

+24
-28
lines changed

cpp/ql/src/Security/CWE/CWE-020/SafeExternalAPIFunction.qll

Lines changed: 8 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@
33
*/
44

55
private import cpp
6-
private import semmle.code.cpp.models.implementations.Pure
6+
private import semmle.code.cpp.models.interfaces.SideEffect
77

88
/**
99
* A `Function` that is considered a "safe" external API from a security perspective.
@@ -13,9 +13,12 @@ abstract class SafeExternalAPIFunction extends Function { }
1313
/** The default set of "safe" external APIs. */
1414
private class DefaultSafeExternalAPIFunction extends SafeExternalAPIFunction {
1515
DefaultSafeExternalAPIFunction() {
16-
// implementation note: this should be based on the properties of public interfaces, rather than accessing implementation classes directly. When we've done that, the three classes referenced here should be made fully private.
17-
this instanceof PureStrFunction or
18-
this instanceof StrLenFunction or
19-
this instanceof PureMemFunction
16+
// If a function does not write to any of its arguments, we consider it safe to
17+
// pass untrusted data to it. This means that string functions such as `strcmp`
18+
// and `strlen`, as well as memory functions such as `memcmp`, are considered safe.
19+
exists(SideEffectFunction model | model = this |
20+
model.hasOnlySpecificWriteSideEffects() and
21+
not model.hasSpecificWriteSideEffect(_, _, _)
22+
)
2023
}
2124
}

cpp/ql/src/Security/CWE/CWE-020/ir/SafeExternalAPIFunction.qll

Lines changed: 8 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@
33
*/
44

55
private import cpp
6-
private import semmle.code.cpp.models.implementations.Pure
6+
private import semmle.code.cpp.models.interfaces.SideEffect
77

88
/**
99
* A `Function` that is considered a "safe" external API from a security perspective.
@@ -13,9 +13,12 @@ abstract class SafeExternalAPIFunction extends Function { }
1313
/** The default set of "safe" external APIs. */
1414
private class DefaultSafeExternalAPIFunction extends SafeExternalAPIFunction {
1515
DefaultSafeExternalAPIFunction() {
16-
// implementation note: this should be based on the properties of public interfaces, rather than accessing implementation classes directly. When we've done that, the three classes referenced here should be made fully private.
17-
this instanceof PureStrFunction or
18-
this instanceof StrLenFunction or
19-
this instanceof PureMemFunction
16+
// If a function does not write to any of its arguments, we consider it safe to
17+
// pass untrusted data to it. This means that string functions such as `strcmp`
18+
// and `strlen`, as well as memory functions such as `memcmp`, are considered safe.
19+
exists(SideEffectFunction model | model = this |
20+
model.hasOnlySpecificWriteSideEffects() and
21+
not model.hasSpecificWriteSideEffect(_, _, _)
22+
)
2023
}
2124
}

cpp/ql/src/semmle/code/cpp/models/implementations/Pure.qll

Lines changed: 8 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -3,12 +3,9 @@ import semmle.code.cpp.models.interfaces.Taint
33
import semmle.code.cpp.models.interfaces.Alias
44
import semmle.code.cpp.models.interfaces.SideEffect
55

6-
/**
7-
* Pure string functions.
8-
*
9-
* INTERNAL: do not use.
10-
*/
11-
class PureStrFunction extends AliasFunction, ArrayFunction, TaintFunction, SideEffectFunction {
6+
/** Pure string functions. */
7+
private class PureStrFunction extends AliasFunction, ArrayFunction, TaintFunction,
8+
SideEffectFunction {
129
PureStrFunction() {
1310
hasGlobalOrStdName([
1411
"atof", "atoi", "atol", "atoll", "strcasestr", "strchnul", "strchr", "strchrnul", "strstr",
@@ -63,12 +60,8 @@ class PureStrFunction extends AliasFunction, ArrayFunction, TaintFunction, SideE
6360
}
6461
}
6562

66-
/**
67-
* String standard `strlen` function, and related functions for computing string lengths.
68-
*
69-
* INTERNAL: do not use.
70-
*/
71-
class StrLenFunction extends AliasFunction, ArrayFunction, SideEffectFunction {
63+
/** String standard `strlen` function, and related functions for computing string lengths. */
64+
private class StrLenFunction extends AliasFunction, ArrayFunction, SideEffectFunction {
7265
StrLenFunction() {
7366
hasGlobalOrStdName(["strlen", "strnlen", "wcslen"])
7467
or
@@ -118,12 +111,9 @@ private class PureFunction extends TaintFunction, SideEffectFunction {
118111
override predicate hasOnlySpecificWriteSideEffects() { any() }
119112
}
120113

121-
/**
122-
* Pure raw-memory functions.
123-
*
124-
* INTERNAL: do not use.
125-
*/
126-
class PureMemFunction extends AliasFunction, ArrayFunction, TaintFunction, SideEffectFunction {
114+
/** Pure raw-memory functions. */
115+
private class PureMemFunction extends AliasFunction, ArrayFunction, TaintFunction,
116+
SideEffectFunction {
127117
PureMemFunction() { hasGlobalOrStdName(["memchr", "memrchr", "rawmemchr", "memcmp", "memmem"]) }
128118

129119
override predicate hasArrayInput(int bufParam) {

0 commit comments

Comments
 (0)