Skip to content

Commit 08913c5

Browse files
geoffw0geoffw0
authored
Merge pull request #18827 from geoffw0/exectainted
C++: Expand qldoc and tests for cpp/command-line-injection
2 parents 1b2d842 + b6f9055 commit 08913c5

File tree

3 files changed

+267
-162
lines changed

3 files changed

+267
-162
lines changed

cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql

Lines changed: 16 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -49,11 +49,17 @@ predicate interestingConcatenation(DataFlow::Node incoming, DataFlow::Node outgo
4949
call.getTarget() = op and
5050
op.hasQualifiedName("std", "operator+") and
5151
op.getType().(UserType).hasQualifiedName("std", "basic_string") and
52-
incoming.asIndirectArgument() = call.getArgument(1) and // left operand
52+
incoming.asIndirectArgument() = call.getArgument(1) and // right operand
5353
call = outgoing.asInstruction().getUnconvertedResultExpression()
5454
)
5555
}
5656

57+
/**
58+
* A state will represent the most recent concatenation that occurred in the data flow.
59+
* - `TConcatState` if the concetenation has not yet occurred.
60+
* - `TExecState(incoming, outgoing)`, representing the concatenation of data from `incoming`
61+
* into result `outgoing`.
62+
*/
5763
newtype TState =
5864
TConcatState() or
5965
TExecState(DataFlow::Node incoming, DataFlow::Node outgoing) {
@@ -74,7 +80,9 @@ class ExecState extends TExecState {
7480

7581
DataFlow::Node getOutgoingNode() { result = outgoing }
7682

77-
/** Holds if this is a possible `ExecState` for `sink`. */
83+
/**
84+
* Holds if this is a possible `ExecState` at `sink`, that is, if `outgoing` flows to `sink`.
85+
*/
7886
predicate isFeasibleForSink(DataFlow::Node sink) { ExecState::flow(outgoing, sink) }
7987

8088
string toString() { result = "ExecState" }
@@ -110,6 +118,12 @@ module ExecStateConfig implements DataFlow::ConfigSig {
110118

111119
module ExecState = TaintTracking::Global<ExecStateConfig>;
112120

121+
/**
122+
* A full `TaintTracking` configuration from source to concatenation to sink, using a flow
123+
* state to remember the concatenation. It's important that we track flow to the sink even though
124+
* as soon as we reach the concatenation we know it will get there (due to the check of
125+
* `isFeasibleForSink`), because this way we get a complete flow path.
126+
*/
113127
module ExecTaintConfig implements DataFlow::StateConfigSig {
114128
class FlowState = TState;
115129

0 commit comments

Comments
 (0)