C++: Never track flow out of an argv argument

jbj · jbj · commit 2801941ca248 · 2020-03-26T20:40:16.000+01:00
This change removes some duplicate results that will otherwise appear due to github#3123 and possibly github#2704.
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
@@ -60,7 +60,14 @@ private DataFlow::Node getNodeForSource(Expr source) {
   (
     result = DataFlow::exprNode(source)
     or
-    result = DataFlow::definitionByReferenceNode(source)
+    // Some of the sources in `isUserInput` are intended to match the value of
+    // an expression, while others (those modeled below) are intended to match
+    // the taint that propagates out of an argument, like the `char *` argument
+    // to `gets`. It's impossible here to tell which is which, but the "access
+    // to argv" source is definitely not intended to match an output argument,
+    // and it causes false positives if we let it.
+    result = DataFlow::definitionByReferenceNode(source) and
+    not argv(source.(VariableAccess).getTarget())
   )
 }
 

Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,14 @@ private DataFlow::Node getNodeForSource(Expr source) {`
`60`	`60`	`(`
`61`	`61`	`result = DataFlow::exprNode(source)`
`62`	`62`	`or`
`63`		`- result = DataFlow::definitionByReferenceNode(source)`
	`63`	+ // Some of the sources in `isUserInput` are intended to match the value of
	`64`	`+ // an expression, while others (those modeled below) are intended to match`
	`65`	+ // the taint that propagates out of an argument, like the `char *` argument
	`66`	+ // to `gets`. It's impossible here to tell which is which, but the "access
	`67`	`+ // to argv" source is definitely not intended to match an output argument,`
	`68`	`+ // and it causes false positives if we let it.`
	`69`	`+ result = DataFlow::definitionByReferenceNode(source) and`
	`70`	`+ not argv(source.(VariableAccess).getTarget())`
`64`	`71`	`)`
`65`	`72`	`}`
`66`	`73`