C++: require that other operands be predictable

rdmarsh2 · rdmarsh2 · commit 258d2c1dd1be · 2020-04-30T14:25:17.000-07:00
This brings back a constraint that was lost when switching
DefaultTaintTracking to use a TaintTracking::Configuration
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
@@ -181,6 +181,25 @@ private predicate nodeIsBarrier(DataFlow::Node node) {
 private predicate nodeIsBarrierIn(DataFlow::Node node) {
   // don't use dataflow into taint sources, as this leads to duplicate results.
   node = getNodeForSource(any(Expr e))
+  or
+  // don't use dataflow into binary instructions if both operands are unpredictable
+  exists(BinaryInstruction iTo |
+    iTo = node.asInstruction() and
+    not predictableInstruction(iTo.getLeft()) and
+    not predictableInstruction(iTo.getRight())
+  )
+  or
+  // don't use dataflow through calls to pure functions if two or more operands
+  // are unpredictable
+  exists(Instruction iFrom1, Instruction iFrom2, CallInstruction iTo |
+    iTo = node.asInstruction() and
+    isPureFunction(iTo.getStaticCallTarget().getName()) and
+    iFrom1 = iTo.getAnArgument() and
+    iFrom2 = iTo.getAnArgument() and
+    not predictableInstruction(iFrom1) and
+    not predictableInstruction(iFrom2) and
+    iFrom1 != iFrom2
+  )
 }
 
 cached
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
@@ -27,21 +27,6 @@ edges
 | test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
 | test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
 | test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
-| test.cpp:75:25:75:29 | start | test.cpp:79:18:79:28 | ... - ... |
-| test.cpp:75:25:75:29 | start | test.cpp:79:18:79:28 | ... - ... |
-| test.cpp:75:38:75:40 | end | test.cpp:79:18:79:28 | ... - ... |
-| test.cpp:75:38:75:40 | end | test.cpp:79:18:79:28 | ... - ... |
-| test.cpp:97:18:97:23 | buffer | test.cpp:100:17:100:22 | array to pointer conversion |
-| test.cpp:97:18:97:23 | buffer | test.cpp:101:17:101:22 | array to pointer conversion |
-| test.cpp:97:18:97:23 | buffer | test.cpp:101:25:101:39 | ... + ... |
-| test.cpp:97:18:97:23 | fread output argument | test.cpp:100:17:100:22 | array to pointer conversion |
-| test.cpp:97:18:97:23 | fread output argument | test.cpp:101:17:101:22 | array to pointer conversion |
-| test.cpp:97:18:97:23 | fread output argument | test.cpp:101:25:101:39 | ... + ... |
-| test.cpp:100:17:100:22 | array to pointer conversion | test.cpp:100:17:100:22 | processData1 output argument |
-| test.cpp:100:17:100:22 | processData1 output argument | test.cpp:101:17:101:22 | array to pointer conversion |
-| test.cpp:100:17:100:22 | processData1 output argument | test.cpp:101:25:101:39 | ... + ... |
-| test.cpp:101:17:101:22 | array to pointer conversion | test.cpp:75:25:75:29 | start |
-| test.cpp:101:25:101:39 | ... + ... | test.cpp:75:38:75:40 | end |
 | test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... |
 | test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... |
 | test.cpp:123:18:123:31 | (const char *)... | test.cpp:127:24:127:41 | ... * ... |
@@ -99,19 +84,6 @@ nodes
 | test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
 | test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
 | test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
-| test.cpp:64:25:64:30 | InitializeIndirection | semmle.label | InitializeIndirection |
-| test.cpp:64:25:64:30 | buffer | semmle.label | buffer |
-| test.cpp:75:25:75:29 | start | semmle.label | start |
-| test.cpp:75:38:75:40 | end | semmle.label | end |
-| test.cpp:79:18:79:28 | ... - ... | semmle.label | ... - ... |
-| test.cpp:79:18:79:28 | ... - ... | semmle.label | ... - ... |
-| test.cpp:79:18:79:28 | ... - ... | semmle.label | ... - ... |
-| test.cpp:97:18:97:23 | buffer | semmle.label | buffer |
-| test.cpp:97:18:97:23 | fread output argument | semmle.label | fread output argument |
-| test.cpp:100:17:100:22 | array to pointer conversion | semmle.label | array to pointer conversion |
-| test.cpp:100:17:100:22 | processData1 output argument | semmle.label | processData1 output argument |
-| test.cpp:101:17:101:22 | array to pointer conversion | semmle.label | array to pointer conversion |
-| test.cpp:101:25:101:39 | ... + ... | semmle.label | ... + ... |
 | test.cpp:123:18:123:23 | call to getenv | semmle.label | call to getenv |
 | test.cpp:123:18:123:31 | (const char *)... | semmle.label | (const char *)... |
 | test.cpp:127:24:127:41 | ... * ... | semmle.label | ... * ... |
@@ -157,7 +129,6 @@ nodes
 | test.cpp:48:25:48:30 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:49:17:49:30 | new[] | test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:52:21:52:27 | call to realloc | test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
-| test.cpp:79:9:79:29 | new[] | test.cpp:97:18:97:23 | buffer | test.cpp:79:18:79:28 | ... - ... | This allocation size is derived from $@ and might overflow | test.cpp:97:18:97:23 | buffer | user input (fread) |
 | test.cpp:127:17:127:22 | call to malloc | test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:123:18:123:23 | call to getenv | user input (getenv) |
 | test.cpp:134:3:134:8 | call to malloc | test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:132:19:132:24 | call to getenv | user input (getenv) |
 | test.cpp:142:4:142:9 | call to malloc | test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:138:19:138:24 | call to getenv | user input (getenv) |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
@@ -35,14 +35,6 @@ edges
 | test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
 | test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
 | test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
-| test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r |
-| test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r |
-| test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r |
-| test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r |
-| test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r |
-| test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r |
-| test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r |
-| test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r |
 | test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
 | test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
 | test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
@@ -96,13 +88,6 @@ nodes
 | test.c:77:9:77:9 | r | semmle.label | r |
 | test.c:77:9:77:9 | r | semmle.label | r |
 | test.c:77:9:77:9 | r | semmle.label | r |
-| test.c:81:14:81:17 | call to rand | semmle.label | call to rand |
-| test.c:81:14:81:17 | call to rand | semmle.label | call to rand |
-| test.c:81:23:81:26 | call to rand | semmle.label | call to rand |
-| test.c:81:23:81:26 | call to rand | semmle.label | call to rand |
-| test.c:83:9:83:9 | r | semmle.label | r |
-| test.c:83:9:83:9 | r | semmle.label | r |
-| test.c:83:9:83:9 | r | semmle.label | r |
 | test.c:99:14:99:19 | call to rand | semmle.label | call to rand |
 | test.c:99:14:99:19 | call to rand | semmle.label | call to rand |
 | test.c:100:5:100:5 | r | semmle.label | r |
@@ -123,7 +108,5 @@ nodes
 | test.c:56:5:56:5 | r | test.c:54:13:54:16 | call to rand | test.c:56:5:56:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:54:13:54:16 | call to rand | Uncontrolled value |
 | test.c:67:5:67:5 | r | test.c:66:13:66:16 | call to rand | test.c:67:5:67:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:66:13:66:16 | call to rand | Uncontrolled value |
 | test.c:77:9:77:9 | r | test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:75:13:75:19 | ... ^ ... | Uncontrolled value |
-| test.c:83:9:83:9 | r | test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:81:14:81:17 | call to rand | Uncontrolled value |
-| test.c:83:9:83:9 | r | test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:81:23:81:26 | call to rand | Uncontrolled value |
 | test.c:100:5:100:5 | r | test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:99:14:99:19 | call to rand | Uncontrolled value |
 | test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | Uncontrolled value |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/TaintedCondition.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/TaintedCondition.expected
@@ -7,25 +7,15 @@ edges
 | test.cpp:20:29:20:47 | (const char *)... | test.cpp:24:11:24:16 | call to strcmp |
 | test.cpp:20:29:20:47 | (const char *)... | test.cpp:41:10:41:38 | ! ... |
 | test.cpp:20:29:20:47 | (const char *)... | test.cpp:41:11:41:16 | call to strcmp |
-| test.cpp:29:27:29:32 | call to getenv | test.cpp:30:10:30:37 | ! ... |
-| test.cpp:29:27:29:32 | call to getenv | test.cpp:30:11:30:16 | call to strcmp |
-| test.cpp:29:27:29:42 | (const char *)... | test.cpp:30:10:30:37 | ! ... |
-| test.cpp:29:27:29:42 | (const char *)... | test.cpp:30:11:30:16 | call to strcmp |
 nodes
 | test.cpp:20:29:20:34 | call to getenv | semmle.label | call to getenv |
 | test.cpp:20:29:20:47 | (const char *)... | semmle.label | (const char *)... |
 | test.cpp:24:10:24:35 | ! ... | semmle.label | ! ... |
 | test.cpp:24:11:24:16 | call to strcmp | semmle.label | call to strcmp |
 | test.cpp:24:11:24:16 | call to strcmp | semmle.label | call to strcmp |
-| test.cpp:29:27:29:32 | call to getenv | semmle.label | call to getenv |
-| test.cpp:29:27:29:42 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:30:10:30:37 | ! ... | semmle.label | ! ... |
-| test.cpp:30:11:30:16 | call to strcmp | semmle.label | call to strcmp |
-| test.cpp:30:11:30:16 | call to strcmp | semmle.label | call to strcmp |
 | test.cpp:41:10:41:38 | ! ... | semmle.label | ! ... |
 | test.cpp:41:11:41:16 | call to strcmp | semmle.label | call to strcmp |
 | test.cpp:41:11:41:16 | call to strcmp | semmle.label | call to strcmp |
 #select
 | test.cpp:24:10:24:35 | ! ... | test.cpp:20:29:20:34 | call to getenv | test.cpp:24:10:24:35 | ! ... | Reliance on untrusted input $@ to raise privilege at $@ | test.cpp:20:29:20:34 | call to getenv | call to getenv | test.cpp:25:9:25:27 | ... = ... | ... = ... |
-| test.cpp:30:10:30:37 | ! ... | test.cpp:29:27:29:32 | call to getenv | test.cpp:30:10:30:37 | ! ... | Reliance on untrusted input $@ to raise privilege at $@ | test.cpp:29:27:29:32 | call to getenv | call to getenv | test.cpp:31:9:31:27 | ... = ... | ... = ... |
 | test.cpp:41:10:41:38 | ! ... | test.cpp:20:29:20:34 | call to getenv | test.cpp:41:10:41:38 | ! ... | Reliance on untrusted input $@ to raise privilege at $@ | test.cpp:20:29:20:34 | call to getenv | call to getenv | test.cpp:42:8:42:26 | ... = ... | ... = ... |
