|
13 | 13 |
|
14 | 14 | import cpp
|
15 | 15 | import semmle.code.cpp.commons.Environment
|
16 |
| -import semmle.code.cpp.ir.dataflow.TaintTracking |
17 |
| -import semmle.code.cpp.ir.IR |
18 |
| -import Flow::PathGraph |
| 16 | +import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl |
| 17 | +import TaintedWithPath |
19 | 18 |
|
20 | 19 | /** A call that prints its arguments to `stdout`. */
|
21 | 20 | class PrintStdoutCall extends FunctionCall {
|
22 |
| - PrintStdoutCall() { this.getTarget().hasGlobalOrStdName(["puts", "printf"]) } |
| 21 | + PrintStdoutCall() { |
| 22 | + this.getTarget().hasGlobalOrStdName("puts") or |
| 23 | + this.getTarget().hasGlobalOrStdName("printf") |
| 24 | + } |
23 | 25 | }
|
24 | 26 |
|
25 | 27 | /** A read of the QUERY_STRING environment variable */
|
26 | 28 | class QueryString extends EnvironmentRead {
|
27 | 29 | QueryString() { this.getEnvironmentVariable() = "QUERY_STRING" }
|
28 | 30 | }
|
29 | 31 |
|
30 |
| -module Config implements DataFlow::ConfigSig { |
31 |
| - predicate isSource(DataFlow::Node node) { node.asExpr() instanceof QueryString } |
| 32 | +class Configuration extends TaintTrackingConfiguration { |
| 33 | + override predicate isSource(Expr source) { source instanceof QueryString } |
32 | 34 |
|
33 |
| - predicate isSink(DataFlow::Node node) { |
34 |
| - exists(PrintStdoutCall call | call.getAnArgument() = node.asExpr()) |
| 35 | + override predicate isSink(Element tainted) { |
| 36 | + exists(PrintStdoutCall call | call.getAnArgument() = tainted) |
35 | 37 | }
|
36 | 38 |
|
37 |
| - predicate isBarrier(DataFlow::Node node) { |
38 |
| - node.asExpr().getUnspecifiedType() instanceof IntegralType |
| 39 | + override predicate isBarrier(Expr e) { |
| 40 | + super.isBarrier(e) or e.getUnspecifiedType() instanceof IntegralType |
39 | 41 | }
|
40 | 42 | }
|
41 | 43 |
|
42 |
| -module Flow = TaintTracking::Global<Config>; |
43 |
| - |
44 |
| -from QueryString query, Flow::PathNode sourceNode, Flow::PathNode sinkNode |
45 |
| -where |
46 |
| - Flow::flowPath(sourceNode, sinkNode) and |
47 |
| - query = sourceNode.getNode().asExpr() |
48 |
| -select sinkNode.getNode(), sourceNode, sinkNode, "Cross-site scripting vulnerability due to $@.", |
49 |
| - query, "this query data" |
| 44 | +from QueryString query, Element printedArg, PathNode sourceNode, PathNode sinkNode |
| 45 | +where taintedWithPath(query, printedArg, sourceNode, sinkNode) |
| 46 | +select printedArg, sourceNode, sinkNode, "Cross-site scripting vulnerability due to $@.", query, |
| 47 | + "this query data" |
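Review bot: The `isBarrier` override in `Configuration` stops taint at every expression of integral type without a comment explaining why, and `IntegralType` appears to include the character types, so query-string data emitted one `char` at a time (for example via `printf("%c", c)`) would be treated as clean. If the barrier is there to suppress false positives from numeric conversions, document that trade-off above the predicate, e.g. `// Integral values cannot carry markup; note this also bars single char values.` The doc comment on `PrintStdoutCall` should also say that only `puts` and `printf` are modelled, so output through other stdout writers is outside this query's coverage.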