Merge pull request #3694 from geoffw0/models

jbj · web-flow · commit 3747bd98f3b1 · 2020-06-23T10:15:32.000+02:00
C++: Extend the GetsFunction and SystemFunction models.
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Gets.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Gets.qll
@@ -48,4 +48,17 @@ class GetsFunction extends DataFlowFunction, TaintFunction, ArrayFunction, Alias
     output.isParameterDeref(0) and
     description = "String read by " + this.getName()
   }
+
+  override predicate hasArrayWithVariableSize(int bufParam, int countParam) {
+    not hasGlobalOrStdName("gets") and
+    bufParam = 0 and
+    countParam = 1
+  }
+
+  override predicate hasArrayWithUnknownSize(int bufParam) {
+    hasGlobalOrStdName("gets") and
+    bufParam = 0
+  }
+
+  override predicate hasArrayOutput(int bufParam) { bufParam = 0 }
 }
diff --git a/cpp/ql/src/semmle/code/cpp/security/CommandExecution.qll b/cpp/ql/src/semmle/code/cpp/security/CommandExecution.qll
@@ -2,21 +2,44 @@
 
 import cpp
 import semmle.code.cpp.security.FunctionWithWrappers
+import semmle.code.cpp.models.interfaces.SideEffect
 
 /**
  * A function for running a command using a command interpreter.
  */
-class SystemFunction extends FunctionWithWrappers {
+class SystemFunction extends FunctionWithWrappers, ArrayFunction, AliasFunction, SideEffectFunction {
   SystemFunction() {
-    hasGlobalOrStdName("system") or
-    hasGlobalName("popen") or
+    hasGlobalOrStdName("system") or // system(command)
+    hasGlobalName("popen") or // popen(command, mode)
     // Windows variants
-    hasGlobalName("_popen") or
-    hasGlobalName("_wpopen") or
-    hasGlobalName("_wsystem")
+    hasGlobalName("_popen") or // _popen(command, mode)
+    hasGlobalName("_wpopen") or // _wpopen(command, mode)
+    hasGlobalName("_wsystem") // _wsystem(command)
   }
 
   override predicate interestingArg(int arg) { arg = 0 }
+
+  override predicate hasArrayWithNullTerminator(int bufParam) { bufParam = 0 or bufParam = 1 }
+
+  override predicate hasArrayInput(int bufParam) { bufParam = 0 or bufParam = 1 }
+
+  override predicate parameterNeverEscapes(int index) { index = 0 or index = 1 }
+
+  override predicate parameterEscapesOnlyViaReturn(int index) { none() }
+
+  override predicate parameterIsAlwaysReturned(int index) { none() }
+
+  override predicate hasOnlySpecificReadSideEffects() { any() }
+
+  override predicate hasOnlySpecificWriteSideEffects() {
+    hasGlobalOrStdName("system") or
+    hasGlobalName("_wsystem")
+  }
+
+  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
+    (i = 0 or i = 1) and
+    buffer = true
+  }
 }
 
 /**
