Commit fe60269

Merge pull request #14416 from jketema/revert-cgi-xss-rewrite
Revert "C++: Rewrite `cpp/cgi-xss` to not use default taint tracking"
2 parents 8af7277 + 6ff8e06 commit fe60269

2 files changed

+24
-19
lines changed


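--- a/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
+++ b/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
@@ -13,37 +13,35 @@
 
 import cpp
 import semmle.code.cpp.commons.Environment
-import semmle.code.cpp.ir.dataflow.TaintTracking
-import semmle.code.cpp.ir.IR
-import Flow::PathGraph
+import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl
+import TaintedWithPath
 
 /** A call that prints its arguments to `stdout`. */
 class PrintStdoutCall extends FunctionCall {
-  PrintStdoutCall() { this.getTarget().hasGlobalOrStdName(["puts", "printf"]) }
+  PrintStdoutCall() {
+    this.getTarget().hasGlobalOrStdName("puts") or
+    this.getTarget().hasGlobalOrStdName("printf")
+  }
 }
 
 /** A read of the QUERY_STRING environment variable */
 class QueryString extends EnvironmentRead {
   QueryString() { this.getEnvironmentVariable() = "QUERY_STRING" }
 }
 
-module Config implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node node) { node.asExpr() instanceof QueryString }
+class Configuration extends TaintTrackingConfiguration {
+  override predicate isSource(Expr source) { source instanceof QueryString }
 
-  predicate isSink(DataFlow::Node node) {
-    exists(PrintStdoutCall call | call.getAnArgument() = node.asExpr())
+  override predicate isSink(Element tainted) {
+    exists(PrintStdoutCall call | call.getAnArgument() = tainted)
   }
 
-  predicate isBarrier(DataFlow::Node node) {
-    node.asExpr().getUnspecifiedType() instanceof IntegralType
+  override predicate isBarrier(Expr e) {
+    super.isBarrier(e) or e.getUnspecifiedType() instanceof IntegralType
   }
 }
 
-module Flow = TaintTracking::Global<Config>;
-
-from QueryString query, Flow::PathNode sourceNode, Flow::PathNode sinkNode
-where
-  Flow::flowPath(sourceNode, sinkNode) and
-  query = sourceNode.getNode().asExpr()
-select sinkNode.getNode(), sourceNode, sinkNode, "Cross-site scripting vulnerability due to $@.",
-  query, "this query data"
+from QueryString query, Element printedArg, PathNode sourceNode, PathNode sinkNode
+where taintedWithPath(query, printedArg, sourceNode, sinkNode)
+select printedArg, sourceNode, sinkNode, "Cross-site scripting vulnerability due to $@.", query,
+  "this query data"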
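Review bot: The restored query imports `semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl`, an `internal` module, and neither the file nor the commit message records why the `DataFlow::ConfigSig`/`TaintTracking::Global` version had to be abandoned, so the next maintainer has nothing to stop them repeating the rewrite and hitting the same problem. A comment above the import such as `// Deliberately on the legacy DefaultTaintTracking API: the ConfigSig rewrite was reverted in #14416 because it changed results; compare against the .expected files before migrating again.` would preserve that. The one visible semantic difference in the restored code is that `isBarrier` keeps `super.isBarrier(e)` alongside the `IntegralType` check, which the reverted `Config` module did not carry over; whether that is what caused the regression cannot be determined from this diff. Note also that the restored `taintedWithPath` emits duplicate edge and node rows (the re-added duplicate lines in the expected output), which the test tolerates but which makes the path explanations shown to users noisier.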
Lines changed: 8 additions & 1 deletion
@@ -1,19 +1,26 @@
11
edges
22
| search.c:14:24:14:28 | query | search.c:17:8:17:12 | query |
3+
| search.c:14:24:14:28 | query | search.c:17:8:17:12 | query |
4+
| search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
35
| search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
46
| search.c:51:21:51:26 | call to getenv | search.c:55:17:55:25 | raw_query |
7+
| search.c:51:21:51:26 | call to getenv | search.c:55:17:55:25 | raw_query |
8+
| search.c:51:21:51:26 | call to getenv | search.c:57:17:57:25 | raw_query |
59
| search.c:51:21:51:26 | call to getenv | search.c:57:17:57:25 | raw_query |
610
| search.c:55:17:55:25 | raw_query | search.c:14:24:14:28 | query |
711
| search.c:57:17:57:25 | raw_query | search.c:22:24:22:28 | query |
12+
subpaths
813
nodes
914
| search.c:14:24:14:28 | query | semmle.label | query |
1015
| search.c:17:8:17:12 | query | semmle.label | query |
16+
| search.c:17:8:17:12 | query | semmle.label | query |
1117
| search.c:22:24:22:28 | query | semmle.label | query |
1218
| search.c:23:39:23:43 | query | semmle.label | query |
19+
| search.c:23:39:23:43 | query | semmle.label | query |
20+
| search.c:51:21:51:26 | call to getenv | semmle.label | call to getenv |
1321
| search.c:51:21:51:26 | call to getenv | semmle.label | call to getenv |
1422
| search.c:55:17:55:25 | raw_query | semmle.label | raw_query |
1523
| search.c:57:17:57:25 | raw_query | semmle.label | raw_query |
16-
subpaths
1724
#select
1825
| search.c:17:8:17:12 | query | search.c:51:21:51:26 | call to getenv | search.c:17:8:17:12 | query | Cross-site scripting vulnerability due to $@. | search.c:51:21:51:26 | call to getenv | this query data |
1926
| search.c:23:39:23:43 | query | search.c:51:21:51:26 | call to getenv | search.c:23:39:23:43 | query | Cross-site scripting vulnerability due to $@. | search.c:51:21:51:26 | call to getenv | this query data |
