You may find this article helpful. It explains how to debug missing flow.
Hello all. I'm learning CodeQL. It seems that thanks to its advanced taint analysis, it's very convenient for determining the attack surface and targets for fuzz testing. For educational purposes, I decided to analyze a well-known project (c-cpp).
It is known that the tainted data - a PDF document - reaches the function getObject (this function produces an error during fuzz testing). Having determined that the variable doc is used in main as a reference to the buffer containing the data, I composed the following query:
```ql
import cpp
import semmle.code.cpp.dataflow.new.TaintTracking

module FileToParse implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
    exists(LocalVariable doc, Function main |
      main.getName() = "main" and
      doc.getFunction() = main and
      doc.getName() = "doc" and
      source.asIndirectExpr() = doc.getAnAssignedValue()
    )
  }

  predicate isSink(DataFlow::Node sink) {
    exists(FunctionCall fc |
      sink.asIndirectExpr(1) = fc.getAnArgument() /* and
      fc.getTarget().getName() = "getObj" */
    )
  }
}

module FileToParseFileFlow = TaintTracking::Global<FileToParse>;

from
  Expr fopen, Expr getObject, DataFlow::Node source, DataFlow::Node sink
where
  source.asIndirectExpr(1) = fopen and
  sink.asIndirectExpr(1) = getObject and
  FileToParseFileFlow::flow(source, sink)
select fopen, "This 'fopen' opens data for $@.", getObject.getParent(), "call"
```
The expected function getObject does not appear in the results. Perhaps not the entire document is passed to it, but only parts of it, or maybe there are other entry points... Could you tell me what's wrong with the query?
Thanks in advance
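The usual first step when a taint-tracking query returns nothing is to check how far the taint actually travels from the source, rather than guessing at the sink. The query below is an added example (not from the question or from the CodeQL project) that reuses the source and sink definitions above and replaces the end-to-end `flow` check with the CodeQL library's forward partial-flow exploration, so every node reachable from the `doc` buffer within a bounded number of steps is reported as a path. The exploration limit of 10 and the query id are assumptions chosen for this example.

```ql
/**
 * @name Partial taint flow from the 'doc' buffer in main
 * @description Forward exploration of where taint from the PDF buffer goes,
 *              for debugging a taint-tracking query that reports no results.
 * @kind path-problem
 * @problem.severity warning
 * @id cpp/example/partial-flow-from-doc
 */

import cpp
import semmle.code.cpp.dataflow.new.TaintTracking

// Same source and sink definitions as in the question. The sink is kept only
// because DataFlow::ConfigSig requires it; forward exploration ignores it.
module FileToParse implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
    exists(LocalVariable doc, Function main |
      main.getName() = "main" and
      doc.getFunction() = main and
      doc.getName() = "doc" and
      source.asIndirectExpr() = doc.getAnAssignedValue()
    )
  }

  predicate isSink(DataFlow::Node sink) {
    exists(FunctionCall fc | sink.asIndirectExpr(1) = fc.getAnArgument())
  }
}

module FileToParseFlow = TaintTracking::Global<FileToParse>;

// How many flow steps to follow from each source (assumed value for this
// example). Raise it gradually: large limits are slow on big code bases.
int explorationLimit() { result = 10 }

// Forward exploration: start at the sources and record every node reached.
module PartialFlow = FileToParseFlow::FlowExplorationFwd<explorationLimit/0>;

import PartialFlow::PartialPathGraph

from PartialFlow::PartialPathNode source, PartialFlow::PartialPathNode reached
where PartialFlow::partialFlow(source, reached, _)
select reached.getNode(), source, reached,
  "Taint from the 'doc' buffer reaches $@ within the exploration limit.",
  reached.getNode(), "this node"
```

Run it as a path-problem query and inspect the last node of the longest paths: if the paths stop at a call into a function that receives the buffer through a field, a struct copy or a wrapper type, that is where a taint step is missing and an `isAdditionalFlowStep` predicate is needed. If no path appears at all, `isSource` itself is empty and should be checked on its own (for example, `doc` may not be assigned in `main` the way the query assumes).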