Comments (2)
Hi @mies47
Thanks for your question!
There are a couple of problems with your query. I'll first list the issues and then suggest how you may rewrite your query to fix these.
- You specify that `source` is the value of `in`. However, remember that `in[3]` really means `*(in + 3)`. The fact that there is a dereference there means you need to specify that your source is whatever the parameter points to so that there's flow through the dereference.
- There's not really flow from the right-hand side of an assignment to the left-hand side since the left-hand side is an address (i.e., the address of `a` that's being written to), and the right-hand side is the value that ends up being stored in `a`. So `sink.asExpr` is probably the wrong predicate to use in this case.
Those are the two issues in your query. Now, let me propose how you might fix these issues:
- In order to specify that your source is what the parameter points to you can use `source.asParameter(1)` to specify that it's not `in` that's your source, but rather whatever `in` points to (i.e., `*in`, `*(in + 1)`, etc).
- In order to select the assignment to `a` as your sink you can use a somewhat esoteric predicate `sink.asDefinition()`. That predicate gives you the node that represents an assignment operation (or initializer of a declaration in case your code instead was `char a = in[3]`). In this case, this will give you back an `AssignExpr`, and you can ask for the left-hand side of this assignment to get `a`.
Finally, since you need to modify your sink to use `sink.asDefinition` you still need to account for the fact that you also want to reach `buff` in `printf("%s\n", buff);` as that's not a definition. So that needs to use `sink.asIndirectExpr()` to match the fact that you're selecting what the source points to.
Combining all of these points, your query becomes:
```ql
// Imports added so the query compiles on its own (new IR-based dataflow library).
import cpp
import semmle.code.cpp.dataflow.new.TaintTracking

from DataFlow::Node source, DataFlow::Node sink, LocalVariable lv, Function f
where
  // Source: the first indirection of a parameter (`*in`, `*(in + 1)`, ...), not `in` itself.
  f.getAParameter() = source.asParameter(1) and
  // Sink: either the local variable being defined by an assignment (`a = in[3]`)
  // or what a local variable points to when it is read (`buff` in the printf call).
  lv.getAnAccess() = [sink.asDefinition().(AssignExpr).getLValue(), sink.asIndirectExpr()] and
  lv.getFunction() = f and
  TaintTracking::localTaint(source, sink)
select source, sink
```
I hope that helps! Let me know if you have any more questions :)
from codeql.
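As an added example (not part of the comment above, and not the reporter's query), the same source and sink choices packaged as a global taint-tracking configuration, annotated with the constructed C function it is meant to match. The C function `copy_and_print`, the module names `PointeeToLocalConfig` and `PointeeToLocalFlow`, and the expected result rows are assumptions for illustration; the predicates used (`asParameter(1)`, `asDefinition()`, `asIndirectExpr()`) are the ones discussed in the comment.

```ql
// Added example, not the original comment's query.
//
// Constructed C target (an assumption, not code from the issue):
//
//   #include <stdio.h>
//   void copy_and_print(char *in) {
//     char a;
//     char buff[8];
//     a = in[3];              // sink kind "definition": the assignment defines `a`
//     buff[0] = a;            // store through `buff`, taints what `buff` points to
//     buff[1] = '\0';
//     printf("%s\n", buff);   // sink kind "indirect expression": the pointee of `buff`
//   }
//
// Expected rows (assumed): one for `a` at `a = in[3]` and one for `buff` in the printf call,
// both with `*in` (parameter indirection 1) as the source.
import cpp
import semmle.code.cpp.dataflow.new.TaintTracking

module PointeeToLocalConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
    // The first indirection of a parameter: `*in`, `*(in + 3)`, ... rather than `in` itself,
    // so that the read `in[3]` (i.e. `*(in + 3)`) is reachable from the source.
    exists(Function f | f.getAParameter() = source.asParameter(1))
  }

  predicate isSink(DataFlow::Node sink) {
    exists(LocalVariable lv |
      // The definition node of an assignment whose left-hand side is a local variable.
      // The left-hand side is an address, so `sink.asExpr()` would not match here.
      lv.getAnAccess() = sink.asDefinition().(AssignExpr).getLValue()
      or
      // The pointee of a local variable access, e.g. the buffer contents that printf reads.
      lv.getAnAccess() = sink.asIndirectExpr()
    )
  }
}

module PointeeToLocalFlow = TaintTracking::Global<PointeeToLocalConfig>;

from DataFlow::Node source, DataFlow::Node sink, string kind
where
  PointeeToLocalFlow::flow(source, sink) and
  // Keep results within one function, as in the reporter's own query.
  source.getFunction() = sink.getFunction() and
  (
    exists(sink.asDefinition()) and kind = "definition"
    or
    exists(sink.asIndirectExpr()) and kind = "indirect expression"
  )
select source, sink, kind
```

The third column labels which of the two sink predicates matched, which makes it easy to check that both the assignment to `a` and the buffer read in the printf call are reported rather than only one of them.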
@MathiasVP Thank you so much for your detailed explanation. This definitely works.
I was just wondering if there are any resources that explain these concepts in detail like you did :)
I explored the guides and I mainly use the API reference that doesn't go into much detail.
I also used the following yesterday and added `isAdditionalFlowStep` which gave me `buff`:
```ql
// Imports added so the module compiles on its own; the IR import provides LoadInstruction.
import cpp
import semmle.code.cpp.dataflow.new.TaintTracking
import semmle.code.cpp.ir.IR

module FuncParamToBuffTaint implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
    // Any function parameter whose type is a pointer.
    exists(Function f, Type t |
      f.getAParameter() = source.asParameter() and
      source.getType() = t and
      t instanceof PointerType
    )
  }

  predicate isSink(DataFlow::Node sink) {
    // The base of an array index expression (`buff[i]`) ...
    exists(ArrayExpr ae | ae.getArrayBase() = sink.asExpr())
    or
    // ... or the pointer operand of pointer arithmetic (`buff + i`).
    exists(PointerArithmeticOperation pao | pao.getLeftOperand() = sink.asExpr())
  }

  predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
    // Step from the address operand of a load to the value the load produces.
    // As posted, `succ` was never constrained, which QL rejects as an unbound
    // variable; binding it to the load instruction is the presumed intent.
    exists(LoadInstruction l |
      l.getSourceAddressOperand() = pred.asOperand() and
      succ.asInstruction() = l
    )
  }
}

module FuncParamToBuffTaintFlow = TaintTracking::Global<FuncParamToBuffTaint>;

from DataFlow::Node source, DataFlow::Node sink
where
  source.getFunction() = sink.getFunction() and
  FuncParamToBuffTaintFlow::flow(source, sink)
select source, sink, source.getFunction()
```
I am trying to take source and sink as pointers. Of course this doesn't count `a` as sink which is fine since I'm more interested in `buff`. Would this work the same way as your version?