false positive:Data flow does't restrict while variable reassigned

[mrlzh]

Demo code:

#include <string>
#include <stdio.h>
#include <stdlib.h>

using namespace std;

void mysql_query(char *test1,const char *test2){ //just for test
    printf("%s %s\n",test1,test2);
}

int main(){
    char input[100];
    scanf("%s", input);

    string in(input, strlen(input));

    in="test";

    string sql="select * from test where  xxx='"+in+"'";

    mysql_query("test", sql.c_str());
}

Variable in was reassigned.But Ql in cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql still alerts.

[hmakholm]

Thanks for the report. I'll hear what our C++ analysis experts have to say about it.

[MathiasVP]

Hi @mrlzh,

Thanks for the issue! The problem is that in="test"; isn't just a simple assignment: it's a call to the std::string::operator= assignment operator, and we don't seem to realize that this assignment operator completely overrides the string.

I'll open an internal issue for how to detect this so that such assignments through overloaded operators are properly detected as sanitizers.

[intrigus-lgtm]

If it makes you feel any better, neither gcc, clang nor icc detect this (and fold it to "select * from test where xxx='test'"):
https://godbolt.org/z/f1oboT6h7

But they also don't optimize this ¯_(ツ)_/¯

[mrlzh]

Hi @mrlzh,

Thanks for the issue! The problem is that in="test"; isn't just a simple assignment: it's a call to the std::string::operator= assignment operator, and we don't seem to realize that this assignment operator completely overrides the string.

I'll open an internal issue for how to detect this so that such assignments through overloaded operators are properly detected as sanitizers.

@MathiasVP Have this false positive been fixed?

[MathiasVP]

@MathiasVP Have this false positive been fixed?

Not yet, no. We are in the process of doing a fairly large rewrite of the C++ dataflow library, and once we get that change in I to expect we'll be able to fix this fairly easily. I'll make sure to ping you on this issue once we've fixed it!

[mrlzh]

Hello,is there any way to fix this false positive?
It cause so many bad case in our scan results.I want to fix it as soon as possible.Even if the fix is not perfect.