
C++: mass enable diff-informed data flow
asgerf committed Dec 20, 2024
1 parent 772b972 commit c222f13
Showing 53 changed files with 283 additions and 0 deletions.
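--- a/cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll
+++ b/cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll
@@ -127,6 +127,12 @@ module LiteralAlgorithmTracerConfig implements DataFlow::ConfigSig {
 c.(DataFlow::FieldContent).getField().getName() in ["nid", "sn", "ln"]
 )
 }
+
+predicate observeDiffInformedIncrementalMode() {
+// TODO(diff-informed): Manually verify if config can be diff-informed.
+// cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll:141: Flow call outside 'select' clause
+none()
+}
 }
 
 module LiteralAlgorithmTracer = DataFlow::Global<LiteralAlgorithmTracerConfig>;
@@ -535,6 +541,12 @@ module KeyGeneration {
 c.getArgument(sizeInd) = node.asExpr()
 )
 }
+
+predicate observeDiffInformedIncrementalMode() {
+// TODO(diff-informed): Manually verify if config can be diff-informed.
+// cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll:557: Flow call outside 'select' clause
+none()
+}
 }
 
 module AsymExplicitAlgKeyLengthFlow = DataFlow::Global<AsymExplicitAlgKeyLengthFlowConfig>;
@@ -574,6 +586,12 @@ module KeyGeneration {
 c.getArgument(3) = node.asExpr()
 )
 }
+
+predicate observeDiffInformedIncrementalMode() {
+// TODO(diff-informed): Manually verify if config can be diff-informed.
+// cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll:598: Flow call outside 'select' clause
+none()
+}
 }
 
 module Length_to_RSA_EVP_PKEY_Q_keygen_Flow =
@@ -622,6 +640,12 @@ module KeyGeneration {
 isKeyGenOperationWithNoSize(c.getTarget()) and c.getAnArgument() = node.asExpr()
 )
 }
+
+predicate observeDiffInformedIncrementalMode() {
+// TODO(diff-informed): Manually verify if config can be diff-informed.
+// cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll:689: Flow call outside 'select' clause
+none()
+}
 }
 
 module KeyGenKeySizeInitToKeyGenFlow = DataFlow::Global<KeyGenKeySizeInitToKeyGenConfig>;
@@ -656,6 +680,12 @@ module KeyGeneration {
 predicate isSource(DataFlow::Node source) { isEVP_PKEY_CTX_Source(source, _) }
 
 predicate isSink(DataFlow::Node sink) { isKeyGen_EVP_PKEY_CTX_Sink(sink, _) }
+
+predicate observeDiffInformedIncrementalMode() {
+// TODO(diff-informed): Manually verify if config can be diff-informed.
+// cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll:706: Flow call outside 'select' clause
+none()
+}
 }
 
 module EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSize_Flow =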
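Review bot: The TODO comments in all five new `observeDiffInformedIncrementalMode()` predicates cite absolute line numbers (`OpenSSL.qll:141`, `:557`, `:598`, `:689`, `:706`) that this same commit shifts: the hunk headers show the later insertion points already moved by 6, 12, 18 and 24 lines (`-535,6 +541,12`, `-574,6 +586,12`, and so on), so the numbers appear to be pre-commit positions and will be stale the moment the file lands. Naming the consumer keeps the note useful across edits, e.g. `// LiteralAlgorithmTracer::flow is called from a predicate, not from a select clause, so this config cannot be pruned to in-diff sources and sinks.` Keeping `none()` is the right default for a library module whose flow results feed other predicates, since diff-informed mode would restrict the computed algorithm and key-length facts to sources and sinks inside the diff range. Each enclosing config module starts and ends outside these hunks.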
Expand Up @@ -42,6 +42,8 @@ module PrivateCleartextWrite {
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

predicate observeDiffInformedIncrementalMode() { any() }
}

module WriteFlow = TaintTracking::Global<WriteConfig>;
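--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
@@ -756,6 +756,12 @@ private module FieldFlow {
 or
 node.asExpr().getParent() instanceof ThrowExpr
 }
+
+predicate observeDiffInformedIncrementalMode() {
+// TODO(diff-informed): Manually verify if config can be diff-informed.
+// cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll:764: Flow call outside 'select' clause
+none()
+}
 }
 
 private module Flow = DataFlow::Global<FieldConfig>;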
Expand Up @@ -387,6 +387,13 @@ module ProductFlow {
predicate isBarrierIn(DataFlow::Node node) { Config::isBarrierIn1(node) }

int fieldFlowBranchLimit() { result = Config::fieldFlowBranchLimit1() }

predicate observeDiffInformedIncrementalMode() {
// TODO(diff-informed): Manually verify if config can be diff-informed.
// cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll:400: Flow call outside 'select' clause
// cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll:407: Flow call outside 'select' clause
none()
}
}

private module Flow1 = DataFlow::GlobalWithState<Config1>;
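Review bot: `Config1` hard-codes `none()` instead of delegating to the outer `ProductFlow::StateConfigSig`, unlike `fieldFlowBranchLimit()` on the line above, which forwards to `Config::fieldFlowBranchLimit1()`. The code-scanning "dead code" alerts on the `observeDiffInformedIncrementalMode()` predicates added to the two `ProductFlow::StateConfigSig` implementations elsewhere in this commit (`Config` in AllocationToInvalidPointer.qll and `StringSizeConfig` in OverrunWriteProductFlow.ql) are consistent with that signature not declaring the predicate, so those query-side additions appear to be inert and this `none()` is what actually governs every product-flow query. That is safe today, since the comment records flow calls outside a `select` at lines 400 and 407, but if product flow is ever meant to be diff-informed the predicate needs a defaulted declaration in `StateConfigSig` and a forward here, e.g. `predicate observeDiffInformedIncrementalMode() { Config::observeDiffInformedIncrementalMode() }`. `Config2`, if it received the same change, is outside this hunk, and `Config1` starts above it.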
Expand Up @@ -142,6 +142,14 @@ private module SizeBarrier {
}

predicate isSink(DataFlow::Node sink) { isSink(_, sink, _, _, _) }

predicate observeDiffInformedIncrementalMode() {
// TODO(diff-informed): Manually verify if config can be diff-informed.
// cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll:151: Flow call outside 'select' clause
// cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll:162: Flow call outside 'select' clause
// cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll:211: Flow call outside 'select' clause
none()
}
}

module SizeBarrierFlow = DataFlow::Global<SizeBarrierConfig>;
Expand Down Expand Up @@ -330,6 +338,12 @@ private module Config implements ProductFlow::StateConfigSig {
predicate isBarrierOut2(DataFlow::Node node) {
node = any(DataFlow::SsaPhiNode phi).getAnInput(true)
}

predicate observeDiffInformedIncrementalMode() {

Check warning

Code scanning / CodeQL

Dead code Warning

This code is never used, and it's not publicly exported.
// TODO(diff-informed): Manually verify if config can be diff-informed.
// cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll:377: Flow call outside 'select' clause
none()
}
}

private module AllocToInvalidPointerFlow = ProductFlow::GlobalWithState<Config>;
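Review bot: The `observeDiffInformedIncrementalMode()` added to `Config` (the `ProductFlow::StateConfigSig` implementation in the second hunk) is flagged as dead code by the inline scan, which is what you would expect if that signature does not declare the predicate; as written it records intent but changes nothing, so either drop it or keep it only once the product-flow signature actually carries the predicate through to its component configs. The `SizeBarrierConfig` addition in the first hunk is a different case: its `isSink` is `isSink(_, sink, _, _, _)` and the comment lists three flow consumers outside a `select` (lines 151, 162 and 211), so `none()` there is correct, because pruning to in-diff sinks would change the flow facts the `SizeBarrier` module derives for unchanged code (presumably used as barriers, given the module name). Both config modules start outside these hunks.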
Expand Up @@ -110,6 +110,12 @@ private module InvalidPointerToDerefBarrier {
predicate isSink(DataFlow::Node sink) { isSink(_, sink, _, _, _) }

int fieldFlowBranchLimit() { result = invalidPointerToDereferenceFieldFlowBranchLimit() }

predicate observeDiffInformedIncrementalMode() {
// TODO(diff-informed): Manually verify if config can be diff-informed.
// cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/InvalidPointerToDereference.qll:129: Flow call outside 'select' clause
none()
}
}

private module BarrierFlow = DataFlow::Global<BarrierConfig>;
Expand Up @@ -503,6 +503,12 @@ module BoostorgAsio {
not sink.getLocation().getFile().toString().matches("%/boost/asio/%")
)
}

predicate observeDiffInformedIncrementalMode() {
// TODO(diff-informed): Manually verify if config can be diff-informed.
// cpp/ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql:48: Flow call outside 'select' clause
none()
}
}

module SslOptionFlow = DataFlow::Global<SslOptionConfig>;
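--- a/cpp/ql/src/Critical/MissingCheckScanf.ql
+++ b/cpp/ql/src/Critical/MissingCheckScanf.ql
@@ -60,6 +60,12 @@ module UninitializedToScanfConfig implements ConfigSig {
 FlowFeature getAFeature() { result instanceof FeatureEqualSourceSinkCallContext }
 
 int accessPathLimit() { result = 0 }
+
+predicate observeDiffInformedIncrementalMode() {
+// TODO(diff-informed): Manually verify if config can be diff-informed.
+// cpp/ql/src/Critical/MissingCheckScanf.ql:72: Flow call outside 'select' clause
+none()
+}
 }
 
 module UninitializedToScanfFlow = Global<UninitializedToScanfConfig>;
@@ -111,6 +117,12 @@ module ScanfToUseConfig implements ConfigSig {
 // modified, and thus it's safe to later read the value.
 exists(n.asIndirectArgument())
 }
+
+predicate observeDiffInformedIncrementalMode() {
+// TODO(diff-informed): Manually verify if config can be diff-informed.
+// cpp/ql/src/Critical/MissingCheckScanf.ql:127: Flow call outside 'select' clause
+none()
+}
 }
 
 module ScanfToUseFlow = Global<ScanfToUseConfig>;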
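--- a/cpp/ql/src/Critical/OverflowDestination.ql
+++ b/cpp/ql/src/Critical/OverflowDestination.ql
@@ -82,6 +82,8 @@ module OverflowDestinationConfig implements DataFlow::ConfigSig {
 nodeIsBarrierEqualityCandidate(node, access, checkedVar)
 )
 }
+
+predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module OverflowDestination = TaintTracking::Global<OverflowDestinationConfig>;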
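Review bot: `any()` is only sound while the query's `select` reports exactly this flow's source and sink nodes, and nothing in the hunk records that invariant; the next edit to the select clause (reporting an enclosing call instead of the sink, say) would make the pruning unsafe in exactly the way the tool's "Column N does not select a source or sink" checks elsewhere in this commit guard against, with no error to point at it. A one-line comment on the predicate keeps the contract visible: `// Diff-informed: the query selects only this flow's source and sink; if the select ever reports another location, switch back to none().` The same applies to every other bare `any()` in this commit. `OverflowDestinationConfig` starts above this hunk.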
Expand Up @@ -44,6 +44,8 @@ module CastToPointerArithFlowConfig implements DataFlow::StateConfigSig {
) and
getFullyConvertedType(node) = state
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
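--- a/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql
+++ b/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql
@@ -168,6 +168,8 @@ module NonConstFlowConfig implements DataFlow::ConfigSig {
 cannotContainString(t)
 )
 }
+
+predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module NonConstFlow = TaintTracking::Global<NonConstFlowConfig>;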
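--- a/cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll
+++ b/cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll
@@ -215,6 +215,17 @@ private module LeapYearCheckConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) {
 exists(ChecksForLeapYearFunctionCall fc | sink.asExpr() = fc.getAnArgument())
 }
+
+predicate observeDiffInformedIncrementalMode() {
+// TODO(diff-informed): Manually verify if config can be diff-informed.
+// cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql:57: Column 1 does not select a source or sink originating from the flow call on line 34
+// cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql:57: Column 1 does not select a source or sink originating from the flow call on line 41
+// cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql:59: Column 3 does not select a source or sink originating from the flow call on line 34
+// cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql:59: Column 3 does not select a source or sink originating from the flow call on line 41
+// cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql:59: Column 5 does not select a source or sink originating from the flow call on line 34
+// cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql:59: Column 5 does not select a source or sink originating from the flow call on line 41
+none()
+}
 }
 
 module LeapYearCheckFlow = DataFlow::Global<LeapYearCheckConfig>;
@@ -285,6 +296,13 @@ private module PossibleYearArithmeticOperationCheckConfig implements DataFlow::C
 aexpr.getLValue() = fa
 )
 }
+
+predicate observeDiffInformedIncrementalMode() {
+// TODO(diff-informed): Manually verify if config can be diff-informed.
+// cpp/ql/src/Likely Bugs/Leap Year/Adding365DaysPerYear.ql:21: Column 1 does not select a source or sink originating from the flow call on line 19
+// cpp/ql/src/Likely Bugs/Leap Year/Adding365DaysPerYear.ql:23: Column 3 does not select a source or sink originating from the flow call on line 19
+none()
+}
 }
 
 module PossibleYearArithmeticOperationCheckFlow =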
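Review bot: The two `none()` predicates carry six and two generated lines naming columns and line numbers in `UncheckedLeapYearAfterYearModification.ql` and `Adding365DaysPerYear.ql`, which will not survive the next edit to those queries and never state why diff-informed mode is unsafe here. What the messages encode is that the consuming queries report elements other than this flow's source or sink, so pruning to in-diff endpoints could drop an alert whose reported location is inside the diff; one sentence saying that is more durable than the tool output, e.g. `// Not diff-informed: the consuming queries select elements other than this flow's source and sink.` If the dataflow library in use lets a config override the selected source/sink locations (a `getASelectedSourceLocation`/`getASelectedSinkLocation` pair), that rather than `any()` would be the way to enable pruning for these queries; I cannot confirm that API from this diff. Both config modules start above their hunks.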
Expand Up @@ -141,6 +141,8 @@ private module NetworkToBufferSizeConfig implements DataFlow::ConfigSig {
gc.controls(node.asExpr().getBasicBlock(), _)
)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

module NetworkToBufferSizeFlow = DataFlow::Global<NetworkToBufferSizeConfig>;
Expand Up @@ -28,6 +28,12 @@ module ExistsAnyFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { isSourceImpl(source, _) }

predicate isSink(DataFlow::Node sink) { isSinkImpl(sink, _) }

predicate observeDiffInformedIncrementalMode() {
// TODO(diff-informed): Manually verify if config can be diff-informed.
// cpp/ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql:43: Flow call outside 'select' clause
none()
}
}

module ExistsAnyFlow = DataFlow::Global<ExistsAnyFlowConfig>;
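--- a/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll
+++ b/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll
@@ -51,6 +51,13 @@ private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
 }
 
 predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
+
+predicate observeDiffInformedIncrementalMode() {
+// TODO(diff-informed): Manually verify if config can be diff-informed.
+// cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll:13: Flow call outside 'select' clause
+// cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll:16: Flow call outside 'select' clause
+none()
+}
 }
 
 module UntrustedDataToExternalApiFlow = TaintTracking::Global<UntrustedDataToExternalApiConfig>;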
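--- a/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIsSpecific.qll
+++ b/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIsSpecific.qll
@@ -46,6 +46,13 @@ private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
 predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
+
+predicate observeDiffInformedIncrementalMode() {
+// TODO(diff-informed): Manually verify if config can be diff-informed.
+// cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll:13: Flow call outside 'select' clause
+// cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll:16: Flow call outside 'select' clause
+none()
+}
 }
 
 module UntrustedDataToExternalApiFlow = TaintTracking::Global<UntrustedDataToExternalApiConfig>;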
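--- a/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
+++ b/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
@@ -93,6 +93,8 @@ module TaintedPathConfig implements DataFlow::ConfigSig {
 // make sinks barriers so that we only report the closest instance
 isSink(node)
 }
+
+predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module TaintedPath = TaintTracking::Global<TaintedPathConfig>;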
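--- a/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
@@ -106,6 +106,12 @@ module ExecStateConfig implements DataFlow::ConfigSig {
 predicate isBarrierOut(DataFlow::Node node) {
 isSink(node) // Prevent duplicates along a call chain, since `shellCommand` will include wrappers
 }
+
+predicate observeDiffInformedIncrementalMode() {
+// TODO(diff-informed): Manually verify if config can be diff-informed.
+// cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql:78: Flow call outside 'select' clause
+none()
+}
 }
 
 module ExecState = TaintTracking::Global<ExecStateConfig>;
@@ -136,6 +142,8 @@ module ExecTaintConfig implements DataFlow::StateConfigSig {
 predicate isBarrierOut(DataFlow::Node node) {
 isSink(node, _) // Prevent duplicates along a call chain, since `shellCommand` will include wrappers
 }
+
+predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module ExecTaint = TaintTracking::GlobalWithState<ExecTaintConfig>;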
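Review bot: `ExecTaintConfig` becomes diff-informed while its `isBarrierOut` still consults the config's own `isSink(node, _)`, and the comment on that line says those sinks include `shellCommand` wrappers. If a PR only adds a new wrapper body (a function that forwards its argument to a shell call) and leaves existing callers untouched, then at an unchanged call site both the source and the wrapper-call sink are outside the diff, so the alert that full mode would report there is not produced, while the barrier at that call still stops the path before it can reach the in-diff shell call inside the wrapper. I read that as the accepted trade-off of diff-informed mode rather than a bug in this hunk, but it is worth recording next to the `any()`, e.g. `// Diff-informed: alerts at wrapper call sites outside the diff are intentionally not reported.` `ExecStateConfig` keeping `none()` is right, since its flow is consumed at line 78 rather than in the select. Both config modules start above their hunks.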
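--- a/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
+++ b/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
@@ -39,6 +39,8 @@ module Config implements DataFlow::ConfigSig {
 or
 node.asInstruction().(StoreInstruction).getResultType() instanceof ArithmeticType
 }
+
+predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module Flow = TaintTracking::Global<Config>;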
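--- a/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
@@ -51,6 +51,8 @@ module SqlTaintedConfig implements DataFlow::ConfigSig {
 sql.barrierSqlArgument(input, _)
 )
 }
+
+predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module SqlTainted = TaintTracking::Global<SqlTaintedConfig>;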
Expand Up @@ -39,6 +39,8 @@ module Config implements DataFlow::ConfigSig {
or
node.asInstruction().(StoreInstruction).getResultType() instanceof ArithmeticType
}

predicate observeDiffInformedIncrementalMode() { any() }
}

module Flow = TaintTracking::Global<Config>;
6 changes: 6 additions & 0 deletions cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql
Expand Up @@ -225,6 +225,12 @@ module StringSizeConfig implements ProductFlow::StateConfigSig {
state1 = state2 + delta
)
}

predicate observeDiffInformedIncrementalMode() {

Check warning

Code scanning / CodeQL

Dead code Warning

This code is never used, and it's not publicly exported.
// TODO(diff-informed): Manually verify if config can be diff-informed.
// cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql:251: Flow call outside 'select' clause
none()
}
}

module StringSizeFlow = ProductFlow::GlobalWithState<StringSizeConfig>;
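--- a/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
@@ -93,6 +93,8 @@ module Config implements DataFlow::ConfigSig {
 // Block flow if the node is guarded by any <, <= or = operations.
 node = DataFlow::BarrierGuard<lessThanOrEqual/3>::getABarrierNode()
 }
+
+predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module Flow = TaintTracking::Global<Config>;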
Expand Up @@ -66,6 +66,8 @@ module ImproperArrayIndexValidationConfig implements DataFlow::ConfigSig {
not offsetIsAlwaysInBounds(arrayExpr, offsetExpr)
)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

module ImproperArrayIndexValidation = TaintTracking::Global<ImproperArrayIndexValidationConfig>;
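--- a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
+++ b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
@@ -44,6 +44,8 @@ module Config implements DataFlow::ConfigSig {
 or
 isArithmeticNonCharType(node.asInstruction().(StoreInstruction).getResultType())
 }
+
+predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module Flow = TaintTracking::Global<Config>;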
