From a3d3617598e2a000eb325c28f448efc7f2861f52 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Fri, 22 Dec 2023 14:52:13 +0100 Subject: [PATCH 1/4] C++: Add tests with missing flow. --- .../dataflow-consistency.expected | 8 ++ .../dataflow-tests/test-source-sink.expected | 12 +++ .../dataflow/dataflow-tests/test.cpp | 96 +++++++++++++++++++ .../dataflow/fields/aliasing.cpp | 60 ++++++++++++ .../fields/dataflow-consistency.expected | 8 ++ .../fields/partial-definition-diff.expected | 14 +++ .../fields/partial-definition-ir.expected | 16 ++++ .../fields/partial-definition.expected | 14 +++ 8 files changed, 228 insertions(+) diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected index 441bef2cddd5..ee34f9e9e4f4 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected @@ -32,6 +32,10 @@ argHasPostUpdate | test.cpp:67:29:67:35 | source1 | ArgumentNode is missing PostUpdateNode. | | test.cpp:813:19:813:35 | * ... | ArgumentNode is missing PostUpdateNode. | | test.cpp:848:23:848:25 | rpx | ArgumentNode is missing PostUpdateNode. | +| test.cpp:972:19:972:37 | * ... | ArgumentNode is missing PostUpdateNode. | +| test.cpp:973:10:973:28 | * ... | ArgumentNode is missing PostUpdateNode. | +| test.cpp:990:19:990:37 | * ... | ArgumentNode is missing PostUpdateNode. | +| test.cpp:991:10:991:28 | * ... | ArgumentNode is missing PostUpdateNode. | postWithInFlow | BarrierGuard.cpp:49:6:49:6 | x [post update] | PostUpdateNode should not be the target of local flow. | | BarrierGuard.cpp:60:7:60:7 | x [post update] | PostUpdateNode should not be the target of local flow. | 
@@ -159,6 +163,10 @@ postWithInFlow | test.cpp:808:5:808:21 | * ... [post update] | PostUpdateNode should not be the target of local flow. | | test.cpp:808:6:808:21 | global_indirect1 [inner post update] | PostUpdateNode should not be the target of local flow. | | test.cpp:832:5:832:17 | global_direct [post update] | PostUpdateNode should not be the target of local flow. | +| test.cpp:931:5:931:6 | * ... [post update] | PostUpdateNode should not be the target of local flow. | +| test.cpp:931:6:931:6 | p [inner post update] | PostUpdateNode should not be the target of local flow. | +| test.cpp:961:5:961:6 | * ... [post update] | PostUpdateNode should not be the target of local flow. | +| test.cpp:961:6:961:6 | p [inner post update] | PostUpdateNode should not be the target of local flow. | viableImplInCallContextTooLarge uniqueParameterNodeAtPosition uniqueParameterNodePosition diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected index 946878eb56ca..198c4caf719b 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected 
@@ -123,6 +123,11 @@ astFlow | test.cpp:842:11:842:16 | call to source | test.cpp:844:8:844:8 | y | | test.cpp:846:13:846:27 | call to indirect_source | test.cpp:848:23:848:25 | rpx | | test.cpp:860:54:860:59 | call to source | test.cpp:861:10:861:37 | static_local_pointer_dynamic | +| test.cpp:931:10:931:15 | call to source | test.cpp:936:19:936:32 | global_int_ptr | +| test.cpp:931:10:931:15 | call to source | test.cpp:1000:19:1000:34 | global_int_array | +| test.cpp:931:10:931:15 | call to source | test.cpp:1005:10:1005:26 | * ... | +| test.cpp:961:10:961:24 | call to indirect_source | test.cpp:966:19:966:36 | global_int_ptr_ptr | +| test.cpp:961:10:961:24 | call to indirect_source | test.cpp:967:10:967:27 | global_int_ptr_ptr | | true_upon_entry.cpp:17:11:17:16 | call to source | true_upon_entry.cpp:21:8:21:8 | x | | true_upon_entry.cpp:27:9:27:14 | call to source | true_upon_entry.cpp:29:8:29:8 | x | | true_upon_entry.cpp:33:11:33:16 | call to source | true_upon_entry.cpp:39:8:39:8 | x | 
@@ -300,6 +305,13 @@ irFlow | test.cpp:902:56:902:75 | *indirect_source(2) | test.cpp:911:19:911:48 | *global_array_static_indirect_2 | | test.cpp:914:46:914:53 | source | test.cpp:919:10:919:30 | global_pointer_static | | test.cpp:915:57:915:76 | *indirect_source(1) | test.cpp:921:19:921:50 | *global_pointer_static_indirect_1 | +| test.cpp:931:10:931:15 | call to source | test.cpp:936:19:936:32 | *global_int_ptr | +| test.cpp:931:10:931:15 | call to source | test.cpp:941:10:941:24 | * ... | +| test.cpp:931:10:931:15 | call to source | test.cpp:1000:19:1000:34 | *global_int_array | +| test.cpp:931:10:931:15 | call to source | test.cpp:1005:10:1005:26 | * ... | +| test.cpp:961:10:961:24 | *call to indirect_source | test.cpp:966:19:966:36 | **global_int_ptr_ptr | +| test.cpp:961:10:961:24 | *call to indirect_source | test.cpp:972:19:972:37 | ** ... | +| test.cpp:961:10:961:24 | *call to indirect_source | test.cpp:975:10:975:29 | * ... | | true_upon_entry.cpp:9:11:9:16 | call to source | true_upon_entry.cpp:13:8:13:8 | x | | true_upon_entry.cpp:17:11:17:16 | call to source | true_upon_entry.cpp:21:8:21:8 | x | | true_upon_entry.cpp:27:9:27:14 | call to source | true_upon_entry.cpp:29:8:29:8 | x | diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp index b5883963620d..022b1c10af6d 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp 
@@ -922,4 +922,100 @@ namespace GlobalArrays {
 sink(global_pointer_static_indirect_2); // clean: global_pointer_static_indirect_2 does not have 2 indirections
 indirect_sink(global_pointer_static_indirect_2); // clean: global_pointer_static_indirect_2 does not have 2 indirections
 }
+}
+
+namespace globals_without_explicit_def {
+ int* global_int_ptr;
+
+ void set(int* p) { // $ ast-def=p ir-def=*p
+ *p = source();
+ }
+
+ void test1() {
+ set(global_int_ptr);
+ indirect_sink(global_int_ptr); // $ ir,ast
+ }
+
+ void test2() {
+ set(global_int_ptr);
+ sink(*global_int_ptr); // $ ir MISSING: ast
+ }
+
+ void calls_set() {
+ set(global_int_ptr);
+ }
+
+ void test3() {
+ calls_set();
+ indirect_sink(global_int_ptr); // $ MISSING: ast,ir
+ }
+
+ void test4() {
+ calls_set();
+ sink(*global_int_ptr); // $ MISSING: ast,ir
+ }
+
+ int** global_int_ptr_ptr;
+
+ void set_indirect(int** p) { // $ ast-def=p ir-def=*p ir-def=**p
+ *p = indirect_source();
+ }
+
+ void test5() {
+ set_indirect(global_int_ptr_ptr);
+ indirect_sink(global_int_ptr_ptr); // $ ir,ast
+ sink(global_int_ptr_ptr); // $ SPURIOUS: ast
+ }
+
+ void test6() {
+ set_indirect(global_int_ptr_ptr);
+ indirect_sink(*global_int_ptr_ptr); // $ ir MISSING: ast
+ sink(*global_int_ptr_ptr);
+ indirect_sink(**global_int_ptr_ptr);
+ sink(**global_int_ptr_ptr); // $ ir
+ }
+
+ void calls_set_indirect() {
+ set_indirect(global_int_ptr_ptr);
+ }
+
+ void test7() {
+ calls_set_indirect();
+ indirect_sink(global_int_ptr_ptr); // $ MISSING: ast,ir
+ sink(global_int_ptr_ptr); // $ MISSING: ast
+ }
+
+ void test8() {
+ calls_set_indirect();
+ indirect_sink(*global_int_ptr_ptr); // $ MISSING: ast,ir
+ sink(*global_int_ptr_ptr);
+ indirect_sink(**global_int_ptr_ptr);
+ sink(**global_int_ptr_ptr); // $ MISSING: ast,ir
+ }
+
+ int global_int_array[10];
+
+ void test9() {
+ set(global_int_array);
+ indirect_sink(global_int_array); // $ ir,ast
+ }
+
+ void test10() {
+ set(global_int_array);
+ sink(*global_int_array); // $ ir,ast
+ }
+
+ void calls_set_array() {
+ set(global_int_array);
+ }
+
+ void test11() {
+ calls_set_array();
+ indirect_sink(global_int_array); // $ MISSING: ast,ir
+ }
+
+ void test12() {
+ calls_set_array();
+ sink(*global_int_array); // $ MISSING: ast,ir
+ }
 }
\ No newline at end of file
diff --git a/cpp/ql/test/library-tests/dataflow/fields/aliasing.cpp b/cpp/ql/test/library-tests/dataflow/fields/aliasing.cpp
index 71bfc62b3ba2..255f7ac692d6 100644
--- a/cpp/ql/test/library-tests/dataflow/fields/aliasing.cpp
+++ b/cpp/ql/test/library-tests/dataflow/fields/aliasing.cpp
@@ -204,4 +204,64 @@ void deep_member_field_arrow(S2 *ps2) {
 void deep_member_field_arrow_different_fields(S2 *ps2) {
 taint_a_ptr(&ps2->s.m1);
 sink(ps2->s.m2);
+}
+
+namespace GlobalFieldFlow {
+ S global_s;
+ S2 global_s2;
+
+ void set_field() {
+ global_s.m1 = user_input();
+ }
+
+ void read_field() {
+ sink(global_s.m1); // $ MISSING: ast,ir
+ }
+
+ void set_nested_field() {
+ global_s2.s.m1 = user_input();
+ }
+
+ void read_nested_field() {
+ sink(global_s2.s.m1); // $ MISSING: ast,ir
+ }
+
+ S* global_s_ptr;
+ S2* global_s2_ptr;
+
+ void set_field_ptr() {
+ global_s_ptr->m1 = user_input();
+ }
+
+ void read_field_ptr() {
+ sink(global_s_ptr->m1); // $ MISSING: ast,ir
+ }
+
+ void set_nested_field_ptr() {
+ global_s2_ptr->s.m1 = user_input();
+ }
+
+ void read_nested_field_ptr() {
+ sink(global_s2_ptr->s.m1); // $ MISSING: ast,ir
+ }
+
+ S_with_pointer global_s_with_pointer;
+
+ void set_field_indirect() {
+ *global_s_with_pointer.data = user_input();
+ }
+
+ void read_field_indirect() {
+ sink(*global_s_with_pointer.data); // $ MISSING: ast,ir
+ }
+
+ S_with_array global_s_with_array;
+
+ void set_field_array() {
+ *global_s_with_array.data = user_input();
+ }
+
+ void read_field_array() {
+ sink(*global_s_with_array.data); // $ MISSING: ast,ir
+ }
 }
\ No newline at end of file
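Review bot: `sink(global_int_ptr_ptr); // $ MISSING: ast` in `test7` contradicts the identical sink in `test5`, which is annotated `// $ SPURIOUS: ast`: only `**global_int_ptr_ptr` is tainted by `*p = indirect_source()`, the pointer value itself never is, so no flow should be expected there and the `test7` line should carry no annotation, `sink(global_int_ptr_ptr);`. The new namespace also has no negative case for the synthesized use: every global that is passed to a callee is written by that callee, so an over-broad synthesis (a use generated for a callee that never writes through its argument) would not be caught; a separate global would be needed since global flow is interprocedural, e.g. `int* untouched_global; void nop(int* p) {} void test13() { nop(untouched_global); sink(*untouched_global); } // clean`. A case that reassigns `global_int_ptr` between `calls_set()` and the sink would likewise pin down that a later direct definition kills the synthesized flow, which I infer is the intent but cannot confirm from the hunk.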
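Review bot: The new `GlobalFieldFlow` cases all assign `user_input()` straight into the field (`global_s.m1 = user_input();` and the like), so none of them taints a field of a global through a callee, which is the path the file already exercises for locals with `taint_a_ptr(&ps2->s.m1)` in the context line just above and the one most likely to depend on a synthesized use at function exit; I would add `void set_field_via_ptr() { taint_a_ptr(&global_s.m1); }` with a matching `sink(global_s.m1)` reader. A clean case that writes one field and reads another, `global_s.m2 = user_input();` followed by `sink(global_s.m1); // clean`, would also guard against field-insensitive flow through the global. Both test files still end without a trailing newline, as the two `\ No newline at end of file` markers show.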
diff --git a/cpp/ql/test/library-tests/dataflow/fields/dataflow-consistency.expected b/cpp/ql/test/library-tests/dataflow/fields/dataflow-consistency.expected index c2a3a9427c21..7d984176f725 100644 --- a/cpp/ql/test/library-tests/dataflow/fields/dataflow-consistency.expected +++ b/cpp/ql/test/library-tests/dataflow/fields/dataflow-consistency.expected @@ -95,6 +95,14 @@ postWithInFlow | aliasing.cpp:194:21:194:22 | m1 [inner post update] | PostUpdateNode should not be the target of local flow. | | aliasing.cpp:200:23:200:24 | m1 [inner post update] | PostUpdateNode should not be the target of local flow. | | aliasing.cpp:205:23:205:24 | m1 [inner post update] | PostUpdateNode should not be the target of local flow. | +| aliasing.cpp:214:14:214:15 | m1 [post update] | PostUpdateNode should not be the target of local flow. | +| aliasing.cpp:222:17:222:18 | m1 [post update] | PostUpdateNode should not be the target of local flow. | +| aliasing.cpp:233:19:233:20 | m1 [post update] | PostUpdateNode should not be the target of local flow. | +| aliasing.cpp:241:22:241:23 | m1 [post update] | PostUpdateNode should not be the target of local flow. | +| aliasing.cpp:251:5:251:31 | * ... [post update] | PostUpdateNode should not be the target of local flow. | +| aliasing.cpp:251:28:251:31 | data [inner post update] | PostUpdateNode should not be the target of local flow. | +| aliasing.cpp:261:5:261:29 | * ... [post update] | PostUpdateNode should not be the target of local flow. | +| aliasing.cpp:261:26:261:29 | data [inner post update] | PostUpdateNode should not be the target of local flow. | | arrays.cpp:6:3:6:5 | arr [inner post update] | PostUpdateNode should not be the target of local flow. | | arrays.cpp:6:3:6:8 | access to array [post update] | PostUpdateNode should not be the target of local flow. | | arrays.cpp:15:3:15:10 | * ... [post update] | PostUpdateNode should not be the target of local flow. | 
diff --git a/cpp/ql/test/library-tests/dataflow/fields/partial-definition-diff.expected b/cpp/ql/test/library-tests/dataflow/fields/partial-definition-diff.expected index 4c85e26fc79d..82962cba007e 100644 --- a/cpp/ql/test/library-tests/dataflow/fields/partial-definition-diff.expected +++ b/cpp/ql/test/library-tests/dataflow/fields/partial-definition-diff.expected @@ -141,6 +141,20 @@ WARNING: Module DataFlow has been deprecated and may be removed in future (parti | aliasing.cpp:201:13:201:13 | s | IR only | | aliasing.cpp:206:8:206:10 | ps2 | IR only | | aliasing.cpp:206:13:206:13 | s | IR only | +| aliasing.cpp:214:14:214:15 | m1 | AST only | +| aliasing.cpp:218:10:218:17 | global_s | IR only | +| aliasing.cpp:222:17:222:18 | m1 | AST only | +| aliasing.cpp:226:10:226:18 | global_s2 | IR only | +| aliasing.cpp:226:20:226:20 | s | IR only | +| aliasing.cpp:233:19:233:20 | m1 | AST only | +| aliasing.cpp:237:10:237:21 | global_s_ptr | IR only | +| aliasing.cpp:241:22:241:23 | m1 | AST only | +| aliasing.cpp:245:10:245:22 | global_s2_ptr | IR only | +| aliasing.cpp:245:25:245:25 | s | IR only | +| aliasing.cpp:251:5:251:31 | * ... | AST only | +| aliasing.cpp:255:11:255:31 | global_s_with_pointer | IR only | +| aliasing.cpp:261:5:261:29 | * ... | AST only | +| aliasing.cpp:265:11:265:29 | global_s_with_array | IR only | | arrays.cpp:6:3:6:8 | access to array | AST only | | arrays.cpp:7:8:7:13 | access to array | IR only | | arrays.cpp:7:8:7:13 | access to array | IR only | diff --git a/cpp/ql/test/library-tests/dataflow/fields/partial-definition-ir.expected b/cpp/ql/test/library-tests/dataflow/fields/partial-definition-ir.expected index 823997fd7d33..fce10f098635 100644 --- a/cpp/ql/test/library-tests/dataflow/fields/partial-definition-ir.expected +++ b/cpp/ql/test/library-tests/dataflow/fields/partial-definition-ir.expected 
@@ -285,6 +285,22 @@ | aliasing.cpp:205:21:205:21 | s | | aliasing.cpp:206:8:206:10 | ps2 | | aliasing.cpp:206:13:206:13 | s | +| aliasing.cpp:214:5:214:12 | global_s | +| aliasing.cpp:218:10:218:17 | global_s | +| aliasing.cpp:222:5:222:13 | global_s2 | +| aliasing.cpp:222:15:222:15 | s | +| aliasing.cpp:226:10:226:18 | global_s2 | +| aliasing.cpp:226:20:226:20 | s | +| aliasing.cpp:233:5:233:16 | global_s_ptr | +| aliasing.cpp:237:10:237:21 | global_s_ptr | +| aliasing.cpp:241:5:241:17 | global_s2_ptr | +| aliasing.cpp:241:20:241:20 | s | +| aliasing.cpp:245:10:245:22 | global_s2_ptr | +| aliasing.cpp:245:25:245:25 | s | +| aliasing.cpp:251:6:251:26 | global_s_with_pointer | +| aliasing.cpp:255:11:255:31 | global_s_with_pointer | +| aliasing.cpp:261:6:261:24 | global_s_with_array | +| aliasing.cpp:265:11:265:29 | global_s_with_array | | arrays.cpp:7:8:7:13 | access to array | | arrays.cpp:8:8:8:13 | access to array | | arrays.cpp:9:8:9:11 | * ... | diff --git a/cpp/ql/test/library-tests/dataflow/fields/partial-definition.expected b/cpp/ql/test/library-tests/dataflow/fields/partial-definition.expected index 608f884ddc07..b0b567c8d539 100644 --- a/cpp/ql/test/library-tests/dataflow/fields/partial-definition.expected +++ b/cpp/ql/test/library-tests/dataflow/fields/partial-definition.expected 
@@ -225,6 +225,20 @@ WARNING: Module DataFlow has been deprecated and may be removed in future (parti | aliasing.cpp:205:15:205:24 | & ... | | aliasing.cpp:205:16:205:18 | ps2 | | aliasing.cpp:205:21:205:21 | s | +| aliasing.cpp:214:5:214:12 | global_s | +| aliasing.cpp:214:14:214:15 | m1 | +| aliasing.cpp:222:5:222:13 | global_s2 | +| aliasing.cpp:222:15:222:15 | s | +| aliasing.cpp:222:17:222:18 | m1 | +| aliasing.cpp:233:5:233:16 | global_s_ptr | +| aliasing.cpp:233:19:233:20 | m1 | +| aliasing.cpp:241:5:241:17 | global_s2_ptr | +| aliasing.cpp:241:20:241:20 | s | +| aliasing.cpp:241:22:241:23 | m1 | +| aliasing.cpp:251:5:251:31 | * ... | +| aliasing.cpp:251:6:251:26 | global_s_with_pointer | +| aliasing.cpp:261:5:261:29 | * ... | +| aliasing.cpp:261:6:261:24 | global_s_with_array | | arrays.cpp:6:3:6:8 | access to array | | arrays.cpp:15:3:15:10 | * ... | | arrays.cpp:36:3:36:3 | o | From c9bcbf7de1e9527dd8b2a5513a0eb5057d6d51eb Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Fri, 22 Dec 2023 15:12:17 +0100 Subject: [PATCH 2/4] C++: Synthesize a final use of a global variable if a global variable is passed into a function, or if the global variable is used for field-flow. --- .../ir/dataflow/internal/DataFlowPrivate.qll | 4 +- .../cpp/ir/dataflow/internal/SsaInternals.qll | 41 +++++++++++++++++++ 2 files changed, 42 insertions(+), 3 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll index 191406538774..8e32ca7c9def 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll 
@@ -780,9 +780,7 @@ private predicate numberOfLoadsFromOperandRec(
 * Holds if `operandFrom` flows to `operandTo` using a sequence of conversion-like
 * operations and exactly `n` `LoadInstruction` operations.
 */
-private predicate numberOfLoadsFromOperand(
- Operand operandFrom, Operand operandTo, int n, boolean certain
-) {
+predicate numberOfLoadsFromOperand(Operand operandFrom, Operand operandTo, int n, boolean certain) {
 numberOfLoadsFromOperandRec(operandFrom, operandTo, n, certain)
 or
 not Ssa::isDereference(_, operandFrom, _) and
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
index 11bebd975f0b..5135736a52c1 100644
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
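Review bot: `numberOfLoadsFromOperand` becomes part of this module's exported surface here, but its QLDoc still documents only `operandFrom`, `operandTo` and `n`, not what the `certain` column means, and the new caller in SsaInternals.qll passes `_` for both `n` and `certain`, so a reader there cannot tell what is being discarded. I would add one sentence to the QLDoc stating what `certain` indicates (the hunk does not show it, so I cannot propose the wording) and, since the predicate is now reachable from outside, note that callers that bind neither `n` nor `certain` get every matching load count. The predicate's body continues below the hunk.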
@@ -146,14 +146,55 @@ private newtype TDefOrUseImpl =
 )
 }
 
+/**
+ * Holds if `fa` flows to a the address of a `StoreInstruction`, or flows to
+ * the qualifier of another field address that transitively flows to a `StoreInstruction`.
+ */
+private predicate fieldFlowsToStore(FieldAddress fa) {
+ numberOfLoadsFromOperand(fa, any(StoreInstruction store).getDestinationAddressOperand(), _, _)
+ or
+ exists(FieldAddress mid |
+ numberOfLoadsFromOperand(fa, mid.getObjectAddressOperand(), _, _) and
+ fieldFlowsToStore(mid)
+ )
+}
+
+private predicate isGlobalUseIndirectDefCand(GlobalLikeVariable v, IRFunction f, CppType type) {
+ exists(VariableAddressInstruction vai, Operand op |
+ vai.getEnclosingIRFunction() = f and
+ vai.getAstVariable() = v and
+ numberOfLoadsFromOperand(vai.getAUse(), op, _, _) and
+ type = getResultLanguageType(vai)
+ |
+ // Either this operand is used as the qualifier of a field that flows to
+ // a `StoreInstruction`
+ op = any(FieldAddress fa | fieldFlowsToStore(fa)).getObjectAddressOperand()
+ or
+ // Or the operand is potentially modified by a function call
+ isModifiableByCall(op, _)
+ )
+}
+
 private predicate isGlobalUse(
 GlobalLikeVariable v, IRFunction f, int indirection, int indirectionIndex
 ) {
+ // Generate a "global use" at the end of the function body if there's a
+ // direct definition somewhere in the body of the function
 exists(VariableAddressInstruction vai |
 vai.getEnclosingIRFunction() = f and
 vai.getAstVariable() = v and
 isDef(_, _, _, vai, indirection, indirectionIndex)
 )
+ or
+ // Generate a "global use" at the end of the function body if the
+ // global variable is used for field-flow, or is passed as an argument
+ // to a function that may change its value.
+ exists(CppType type, int upper |
+ isGlobalUseIndirectDefCand(v, f, type) and
+ upper = countIndirectionsForCppType(type) and
+ indirection = [1 .. upper] and
+ indirectionIndex = indirection - 1
+ )
 }
 
 private predicate isGlobalDefImpl(
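Review bot: The expected output accepted in patch 3 gains self-loop path edges, `aliasing.cpp:211:6:211:14 | *global_s2 [s, m1]` to itself and `globalVars.c:8:7:8:10 | **copy` to itself, which appear only once this hunk's second disjunct is in place; that looks like the use synthesized at function exit for the deeper indirection levels being paired with the global's own entry definition, so `indirection = [1 .. upper]` is worth checking against the levels that are actually defined in `f` rather than every level the type admits. `isModifiableByCall(op, _)` also fires for every call that receives the global's address, including callees that never write through it, which may be an acceptable over-approximation but should be stated in the comment above it. The QLDoc on `fieldFlowsToStore` has a typo ("flows to a the address"); I would write it as: Holds if fa flows to the destination address of a StoreInstruction, or to the qualifier of another FieldAddress that transitively does. `isGlobalUseIndirectDefCand` has no QLDoc at all; a one-liner such as: Holds if the address of global v, of type type, is used in f either as the qualifier of a field that is stored to or as an argument that a call may modify, would let the reader skip the body. `isGlobalDefImpl` starts on the hunk's last line and continues outside it.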
From 6c52b8f7fced30c87fd667b2dc04761793b6be65 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Fri, 22 Dec 2023 15:12:24 +0100
Subject: [PATCH 3/4] C++: Accept test changes.

---
 .../dataflow-tests/test-source-sink.expected | 7 ++
 .../dataflow/dataflow-tests/test.cpp | 14 ++--
 .../dataflow/fields/aliasing.cpp | 12 +--
 .../dataflow/fields/ir-path-flow.expected | 82 +++++++++++++++++++
 .../UncontrolledFormatString.expected | 2 +
 .../CWE/CWE-319/UseOfHttp/UseOfHttp.expected | 1 +
 .../PotentiallyExposedSystemData.expected | 4 +
 .../semmle/tests/ExposedSystemData.expected | 1 +
 .../PotentiallyExposedSystemData.expected | 1 +
 .../Security/CWE/CWE-611/XXE.expected | 3 +
 10 files changed, 114 insertions(+), 13 deletions(-)

diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected
index 198c4caf719b..f94b330e825a 100644
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected
@@ -307,11 +307,18 @@ irFlow | test.cpp:915:57:915:76 | *indirect_source(1) | test.cpp:921:19:921:50 | *global_pointer_static_indirect_1 | | test.cpp:931:10:931:15 | call to source | test.cpp:936:19:936:32 | *global_int_ptr | | test.cpp:931:10:931:15 | call to source | test.cpp:941:10:941:24 | * ... | +| test.cpp:931:10:931:15 | call to source | test.cpp:950:19:950:32 | *global_int_ptr | +| test.cpp:931:10:931:15 | call to source | test.cpp:955:10:955:24 | * ... | | test.cpp:931:10:931:15 | call to source | test.cpp:1000:19:1000:34 | *global_int_array | | test.cpp:931:10:931:15 | call to source | test.cpp:1005:10:1005:26 | * ... | +| test.cpp:931:10:931:15 | call to source | test.cpp:1014:19:1014:34 | *global_int_array | +| test.cpp:931:10:931:15 | call to source | test.cpp:1019:10:1019:26 | * ... | | test.cpp:961:10:961:24 | *call to indirect_source | test.cpp:966:19:966:36 | **global_int_ptr_ptr | | test.cpp:961:10:961:24 | *call to indirect_source | test.cpp:972:19:972:37 | ** ... | | test.cpp:961:10:961:24 | *call to indirect_source | test.cpp:975:10:975:29 | * ... | +| test.cpp:961:10:961:24 | *call to indirect_source | test.cpp:984:19:984:36 | **global_int_ptr_ptr | +| test.cpp:961:10:961:24 | *call to indirect_source | test.cpp:990:19:990:37 | ** ... | +| test.cpp:961:10:961:24 | *call to indirect_source | test.cpp:993:10:993:29 | * ... | | true_upon_entry.cpp:9:11:9:16 | call to source | true_upon_entry.cpp:13:8:13:8 | x | | true_upon_entry.cpp:17:11:17:16 | call to source | true_upon_entry.cpp:21:8:21:8 | x | | true_upon_entry.cpp:27:9:27:14 | call to source | true_upon_entry.cpp:29:8:29:8 | x | diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp index 022b1c10af6d..4a0cb598e25c 100644 --- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp +++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp 
@@ -947,12 +947,12 @@ namespace globals_without_explicit_def {
 
 void test3() {
 calls_set();
- indirect_sink(global_int_ptr); // $ MISSING: ast,ir
+ indirect_sink(global_int_ptr); // $ ir MISSING: ast
 }
 
 void test4() {
 calls_set();
- sink(*global_int_ptr); // $ MISSING: ast,ir
+ sink(*global_int_ptr); // $ ir MISSING: ast
 }
 
 int** global_int_ptr_ptr;
@@ -981,16 +981,16 @@ namespace globals_without_explicit_def {
 
 void test7() {
 calls_set_indirect();
- indirect_sink(global_int_ptr_ptr); // $ MISSING: ast,ir
+ indirect_sink(global_int_ptr_ptr); // $ ir MISSING: ast
 sink(global_int_ptr_ptr); // $ MISSING: ast
 }
 
 void test8() {
 calls_set_indirect();
- indirect_sink(*global_int_ptr_ptr); // $ MISSING: ast,ir
+ indirect_sink(*global_int_ptr_ptr); // $ ir MISSING: ast
 sink(*global_int_ptr_ptr);
 indirect_sink(**global_int_ptr_ptr);
- sink(**global_int_ptr_ptr); // $ MISSING: ast,ir
+ sink(**global_int_ptr_ptr); // $ ir MISSING: ast
 }
 
 int global_int_array[10];
@@ -1011,11 +1011,11 @@ namespace globals_without_explicit_def {
 
 void test11() {
 calls_set_array();
- indirect_sink(global_int_array); // $ MISSING: ast,ir
+ indirect_sink(global_int_array); // $ ir MISSING: ast
 }
 
 void test12() {
 calls_set_array();
- sink(*global_int_array); // $ MISSING: ast,ir
+ sink(*global_int_array); // $ ir MISSING: ast
 }
 }
\ No newline at end of file
diff --git a/cpp/ql/test/library-tests/dataflow/fields/aliasing.cpp b/cpp/ql/test/library-tests/dataflow/fields/aliasing.cpp
index 255f7ac692d6..0fbd2e92ad0d 100644
--- a/cpp/ql/test/library-tests/dataflow/fields/aliasing.cpp
+++ b/cpp/ql/test/library-tests/dataflow/fields/aliasing.cpp
@@ -215,7 +215,7 @@ namespace GlobalFieldFlow {
 }
 
 void read_field() {
- sink(global_s.m1); // $ MISSING: ast,ir
+ sink(global_s.m1); // $ ir MISSING: ast
 }
 
 void set_nested_field() {
@@ -223,7 +223,7 @@ namespace GlobalFieldFlow {
 }
 
 void read_nested_field() {
- sink(global_s2.s.m1); // $ MISSING: ast,ir
+ sink(global_s2.s.m1); // $ ir MISSING: ast
 }
 
 S* global_s_ptr;
@@ -234,7 +234,7 @@ namespace GlobalFieldFlow {
 }
 
 void read_field_ptr() {
- sink(global_s_ptr->m1); // $ MISSING: ast,ir
+ sink(global_s_ptr->m1); // $ ir MISSING: ast
 }
 
 void set_nested_field_ptr() {
@@ -242,7 +242,7 @@ namespace GlobalFieldFlow {
 }
 
 void read_nested_field_ptr() {
- sink(global_s2_ptr->s.m1); // $ MISSING: ast,ir
+ sink(global_s2_ptr->s.m1); // $ ir MISSING: ast
 }
 
 S_with_pointer global_s_with_pointer;
@@ -252,7 +252,7 @@ namespace GlobalFieldFlow {
 }
 
 void read_field_indirect() {
- sink(*global_s_with_pointer.data); // $ MISSING: ast,ir
+ sink(*global_s_with_pointer.data); // $ ir MISSING: ast
 }
 
 S_with_array global_s_with_array;
@@ -262,6 +262,6 @@ namespace GlobalFieldFlow {
 }
 
 void read_field_array() {
- sink(*global_s_with_array.data); // $ MISSING: ast,ir
+ sink(*global_s_with_array.data); // $ ir MISSING: ast
 }
 }
\ No newline at end of file
diff --git a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
index 66820e93a391..6391c6104222 100644
--- a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
@@ -271,6 +271,42 @@ edges | aliasing.cpp:200:21:200:21 | *s [post update] [m1] | aliasing.cpp:200:16:200:18 | *ps2 [post update] [s, m1] | | aliasing.cpp:201:8:201:10 | *ps2 [s, m1] | aliasing.cpp:201:13:201:13 | *s [m1] | | aliasing.cpp:201:13:201:13 | *s [m1] | aliasing.cpp:201:15:201:16 | m1 | +| aliasing.cpp:210:5:210:12 | *global_s [m1] | aliasing.cpp:218:10:218:17 | *global_s [m1] | +| aliasing.cpp:211:6:211:14 | *global_s2 [s, m1] | aliasing.cpp:211:6:211:14 | *global_s2 [s, m1] | +| aliasing.cpp:211:6:211:14 | *global_s2 [s, m1] | aliasing.cpp:226:10:226:18 | *global_s2 [s, m1] | +| aliasing.cpp:214:5:214:12 | *global_s [post update] [m1] | aliasing.cpp:210:5:210:12 | *global_s [m1] | +| aliasing.cpp:214:5:214:30 | ... = ... | aliasing.cpp:214:5:214:12 | *global_s [post update] [m1] | +| aliasing.cpp:214:19:214:28 | call to user_input | aliasing.cpp:214:5:214:30 | ... = ... | +| aliasing.cpp:218:10:218:17 | *global_s [m1] | aliasing.cpp:218:19:218:20 | m1 | +| aliasing.cpp:222:5:222:13 | *global_s2 [post update] [s, m1] | aliasing.cpp:211:6:211:14 | *global_s2 [s, m1] | +| aliasing.cpp:222:5:222:33 | ... = ... | aliasing.cpp:222:15:222:15 | *s [post update] [m1] | +| aliasing.cpp:222:15:222:15 | *s [post update] [m1] | aliasing.cpp:222:5:222:13 | *global_s2 [post update] [s, m1] | +| aliasing.cpp:222:22:222:31 | call to user_input | aliasing.cpp:222:5:222:33 | ... = ... 
| +| aliasing.cpp:226:10:226:18 | *global_s2 [s, m1] | aliasing.cpp:226:20:226:20 | *s [m1] | +| aliasing.cpp:226:20:226:20 | *s [m1] | aliasing.cpp:226:22:226:23 | m1 | +| aliasing.cpp:229:6:229:17 | **global_s_ptr [m1] | aliasing.cpp:237:10:237:21 | *global_s_ptr [m1] | +| aliasing.cpp:230:7:230:19 | **global_s2_ptr [s, m1] | aliasing.cpp:230:7:230:19 | **global_s2_ptr [s, m1] | +| aliasing.cpp:230:7:230:19 | **global_s2_ptr [s, m1] | aliasing.cpp:245:10:245:22 | *global_s2_ptr [s, m1] | +| aliasing.cpp:233:5:233:16 | *global_s_ptr [post update] [m1] | aliasing.cpp:229:6:229:17 | **global_s_ptr [m1] | +| aliasing.cpp:233:5:233:35 | ... = ... | aliasing.cpp:233:5:233:16 | *global_s_ptr [post update] [m1] | +| aliasing.cpp:233:24:233:33 | call to user_input | aliasing.cpp:233:5:233:35 | ... = ... | +| aliasing.cpp:237:10:237:21 | *global_s_ptr [m1] | aliasing.cpp:237:24:237:25 | m1 | +| aliasing.cpp:241:5:241:17 | *global_s2_ptr [post update] [s, m1] | aliasing.cpp:230:7:230:19 | **global_s2_ptr [s, m1] | +| aliasing.cpp:241:5:241:38 | ... = ... | aliasing.cpp:241:20:241:20 | *s [post update] [m1] | +| aliasing.cpp:241:20:241:20 | *s [post update] [m1] | aliasing.cpp:241:5:241:17 | *global_s2_ptr [post update] [s, m1] | +| aliasing.cpp:241:27:241:36 | call to user_input | aliasing.cpp:241:5:241:38 | ... = ... | +| aliasing.cpp:245:10:245:22 | *global_s2_ptr [s, m1] | aliasing.cpp:245:25:245:25 | *s [m1] | +| aliasing.cpp:245:25:245:25 | *s [m1] | aliasing.cpp:245:27:245:28 | m1 | +| aliasing.cpp:248:18:248:38 | *global_s_with_pointer [*data] | aliasing.cpp:255:11:255:31 | *global_s_with_pointer [*data] | +| aliasing.cpp:251:5:251:46 | ... = ... | aliasing.cpp:251:6:251:26 | *global_s_with_pointer [post update] [*data] | +| aliasing.cpp:251:6:251:26 | *global_s_with_pointer [post update] [*data] | aliasing.cpp:248:18:248:38 | *global_s_with_pointer [*data] | +| aliasing.cpp:251:35:251:44 | call to user_input | aliasing.cpp:251:5:251:46 | ... = ... 
| +| aliasing.cpp:255:11:255:31 | *global_s_with_pointer [*data] | aliasing.cpp:255:10:255:36 | * ... | +| aliasing.cpp:258:16:258:34 | *global_s_with_array [data] | aliasing.cpp:265:11:265:29 | *global_s_with_array [data] | +| aliasing.cpp:261:5:261:44 | ... = ... | aliasing.cpp:261:6:261:24 | *global_s_with_array [post update] [data] | +| aliasing.cpp:261:6:261:24 | *global_s_with_array [post update] [data] | aliasing.cpp:258:16:258:34 | *global_s_with_array [data] | +| aliasing.cpp:261:33:261:42 | call to user_input | aliasing.cpp:261:5:261:44 | ... = ... | +| aliasing.cpp:265:11:265:29 | *global_s_with_array [data] | aliasing.cpp:265:10:265:34 | * ... | | arrays.cpp:6:12:6:21 | call to user_input | arrays.cpp:7:8:7:13 | access to array | | arrays.cpp:6:12:6:21 | call to user_input | arrays.cpp:8:8:8:13 | access to array | | arrays.cpp:6:12:6:21 | call to user_input | arrays.cpp:9:8:9:11 | * ... | 
@@ -1044,6 +1080,46 @@ nodes | aliasing.cpp:201:8:201:10 | *ps2 [s, m1] | semmle.label | *ps2 [s, m1] | | aliasing.cpp:201:13:201:13 | *s [m1] | semmle.label | *s [m1] | | aliasing.cpp:201:15:201:16 | m1 | semmle.label | m1 | +| aliasing.cpp:210:5:210:12 | *global_s [m1] | semmle.label | *global_s [m1] | +| aliasing.cpp:211:6:211:14 | *global_s2 [s, m1] | semmle.label | *global_s2 [s, m1] | +| aliasing.cpp:214:5:214:12 | *global_s [post update] [m1] | semmle.label | *global_s [post update] [m1] | +| aliasing.cpp:214:5:214:30 | ... = ... | semmle.label | ... = ... | +| aliasing.cpp:214:19:214:28 | call to user_input | semmle.label | call to user_input | +| aliasing.cpp:218:10:218:17 | *global_s [m1] | semmle.label | *global_s [m1] | +| aliasing.cpp:218:19:218:20 | m1 | semmle.label | m1 | +| aliasing.cpp:222:5:222:13 | *global_s2 [post update] [s, m1] | semmle.label | *global_s2 [post update] [s, m1] | +| aliasing.cpp:222:5:222:33 | ... = ... | semmle.label | ... = ... | +| aliasing.cpp:222:15:222:15 | *s [post update] [m1] | semmle.label | *s [post update] [m1] | +| aliasing.cpp:222:22:222:31 | call to user_input | semmle.label | call to user_input | +| aliasing.cpp:226:10:226:18 | *global_s2 [s, m1] | semmle.label | *global_s2 [s, m1] | +| aliasing.cpp:226:20:226:20 | *s [m1] | semmle.label | *s [m1] | +| aliasing.cpp:226:22:226:23 | m1 | semmle.label | m1 | +| aliasing.cpp:229:6:229:17 | **global_s_ptr [m1] | semmle.label | **global_s_ptr [m1] | +| aliasing.cpp:230:7:230:19 | **global_s2_ptr [s, m1] | semmle.label | **global_s2_ptr [s, m1] | +| aliasing.cpp:233:5:233:16 | *global_s_ptr [post update] [m1] | semmle.label | *global_s_ptr [post update] [m1] | +| aliasing.cpp:233:5:233:35 | ... = ... | semmle.label | ... = ... 
| +| aliasing.cpp:233:24:233:33 | call to user_input | semmle.label | call to user_input | +| aliasing.cpp:237:10:237:21 | *global_s_ptr [m1] | semmle.label | *global_s_ptr [m1] | +| aliasing.cpp:237:24:237:25 | m1 | semmle.label | m1 | +| aliasing.cpp:241:5:241:17 | *global_s2_ptr [post update] [s, m1] | semmle.label | *global_s2_ptr [post update] [s, m1] | +| aliasing.cpp:241:5:241:38 | ... = ... | semmle.label | ... = ... | +| aliasing.cpp:241:20:241:20 | *s [post update] [m1] | semmle.label | *s [post update] [m1] | +| aliasing.cpp:241:27:241:36 | call to user_input | semmle.label | call to user_input | +| aliasing.cpp:245:10:245:22 | *global_s2_ptr [s, m1] | semmle.label | *global_s2_ptr [s, m1] | +| aliasing.cpp:245:25:245:25 | *s [m1] | semmle.label | *s [m1] | +| aliasing.cpp:245:27:245:28 | m1 | semmle.label | m1 | +| aliasing.cpp:248:18:248:38 | *global_s_with_pointer [*data] | semmle.label | *global_s_with_pointer [*data] | +| aliasing.cpp:251:5:251:46 | ... = ... | semmle.label | ... = ... | +| aliasing.cpp:251:6:251:26 | *global_s_with_pointer [post update] [*data] | semmle.label | *global_s_with_pointer [post update] [*data] | +| aliasing.cpp:251:35:251:44 | call to user_input | semmle.label | call to user_input | +| aliasing.cpp:255:10:255:36 | * ... | semmle.label | * ... | +| aliasing.cpp:255:11:255:31 | *global_s_with_pointer [*data] | semmle.label | *global_s_with_pointer [*data] | +| aliasing.cpp:258:16:258:34 | *global_s_with_array [data] | semmle.label | *global_s_with_array [data] | +| aliasing.cpp:261:5:261:44 | ... = ... | semmle.label | ... = ... | +| aliasing.cpp:261:6:261:24 | *global_s_with_array [post update] [data] | semmle.label | *global_s_with_array [post update] [data] | +| aliasing.cpp:261:33:261:42 | call to user_input | semmle.label | call to user_input | +| aliasing.cpp:265:10:265:34 | * ... | semmle.label | * ... 
| +| aliasing.cpp:265:11:265:29 | *global_s_with_array [data] | semmle.label | *global_s_with_array [data] | | arrays.cpp:6:12:6:21 | call to user_input | semmle.label | call to user_input | | arrays.cpp:7:8:7:13 | access to array | semmle.label | access to array | | arrays.cpp:8:8:8:13 | access to array | semmle.label | access to array | 
@@ -1653,6 +1729,12 @@ subpaths | aliasing.cpp:176:13:176:14 | m1 | aliasing.cpp:106:9:106:18 | call to user_input | aliasing.cpp:176:13:176:14 | m1 | m1 flows from $@ | aliasing.cpp:106:9:106:18 | call to user_input | call to user_input | | aliasing.cpp:189:15:189:16 | m1 | aliasing.cpp:106:9:106:18 | call to user_input | aliasing.cpp:189:15:189:16 | m1 | m1 flows from $@ | aliasing.cpp:106:9:106:18 | call to user_input | call to user_input | | aliasing.cpp:201:15:201:16 | m1 | aliasing.cpp:106:9:106:18 | call to user_input | aliasing.cpp:201:15:201:16 | m1 | m1 flows from $@ | aliasing.cpp:106:9:106:18 | call to user_input | call to user_input | +| aliasing.cpp:218:19:218:20 | m1 | aliasing.cpp:214:19:214:28 | call to user_input | aliasing.cpp:218:19:218:20 | m1 | m1 flows from $@ | aliasing.cpp:214:19:214:28 | call to user_input | call to user_input | +| aliasing.cpp:226:22:226:23 | m1 | aliasing.cpp:222:22:222:31 | call to user_input | aliasing.cpp:226:22:226:23 | m1 | m1 flows from $@ | aliasing.cpp:222:22:222:31 | call to user_input | call to user_input | +| aliasing.cpp:237:24:237:25 | m1 | aliasing.cpp:233:24:233:33 | call to user_input | aliasing.cpp:237:24:237:25 | m1 | m1 flows from $@ | aliasing.cpp:233:24:233:33 | call to user_input | call to user_input | +| aliasing.cpp:245:27:245:28 | m1 | aliasing.cpp:241:27:241:36 | call to user_input | aliasing.cpp:245:27:245:28 | m1 | m1 flows from $@ | aliasing.cpp:241:27:241:36 | call to user_input | call to user_input | +| aliasing.cpp:255:10:255:36 | * ... | aliasing.cpp:251:35:251:44 | call to user_input | aliasing.cpp:255:10:255:36 | * ... | * ... flows from $@ | aliasing.cpp:251:35:251:44 | call to user_input | call to user_input | +| aliasing.cpp:265:10:265:34 | * ... | aliasing.cpp:261:33:261:42 | call to user_input | aliasing.cpp:265:10:265:34 | * ... | * ... 
flows from $@ | aliasing.cpp:261:33:261:42 | call to user_input | call to user_input | | arrays.cpp:7:8:7:13 | access to array | arrays.cpp:6:12:6:21 | call to user_input | arrays.cpp:7:8:7:13 | access to array | access to array flows from $@ | arrays.cpp:6:12:6:21 | call to user_input | call to user_input | | arrays.cpp:8:8:8:13 | access to array | arrays.cpp:6:12:6:21 | call to user_input | arrays.cpp:8:8:8:13 | access to array | access to array flows from $@ | arrays.cpp:6:12:6:21 | call to user_input | call to user_input | | arrays.cpp:9:8:9:11 | * ... | arrays.cpp:6:12:6:21 | call to user_input | arrays.cpp:9:8:9:11 | * ... | * ... flows from $@ | arrays.cpp:6:12:6:21 | call to user_input | call to user_input | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected index 683d57b5b752..453123dbd42a 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected @@ -1,7 +1,9 @@ edges +| globalVars.c:8:7:8:10 | **copy | globalVars.c:8:7:8:10 | **copy | | globalVars.c:8:7:8:10 | **copy | globalVars.c:27:9:27:12 | *copy | | globalVars.c:8:7:8:10 | **copy | globalVars.c:30:15:30:18 | *copy | | globalVars.c:8:7:8:10 | **copy | globalVars.c:35:11:35:14 | *copy | +| globalVars.c:9:7:9:11 | **copy2 | globalVars.c:9:7:9:11 | **copy2 | | globalVars.c:9:7:9:11 | **copy2 | globalVars.c:38:9:38:13 | *copy2 | | globalVars.c:9:7:9:11 | **copy2 | globalVars.c:41:15:41:19 | *copy2 | | globalVars.c:9:7:9:11 | **copy2 | globalVars.c:50:9:50:13 | *copy2 | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected index 49620af742ff..45d6b1b40544 100644 
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected @@ -1,5 +1,6 @@ edges | test.cpp:11:26:11:28 | *url | test.cpp:15:30:15:32 | *url | +| test.cpp:24:13:24:17 | **url_g | test.cpp:24:13:24:17 | **url_g | | test.cpp:24:13:24:17 | **url_g | test.cpp:38:11:38:15 | *url_g | | test.cpp:24:21:24:40 | *http://example.com | test.cpp:24:13:24:17 | **url_g | | test.cpp:28:10:28:29 | *http://example.com | test.cpp:11:26:11:28 | *url | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.expected index 6746c557288a..8b26d0f37196 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.expected @@ -1,6 +1,10 @@ edges +| tests.c:7:6:7:14 | *std_files | tests.c:7:6:7:14 | *std_files | +| tests.c:7:6:7:14 | *std_files | tests.c:70:70:70:77 | *password | +| tests.c:57:21:57:28 | *password | tests.c:7:6:7:14 | *std_files | | tests.c:57:21:57:28 | *password | tests.c:70:70:70:77 | *password | nodes +| tests.c:7:6:7:14 | *std_files | semmle.label | *std_files | | tests.c:57:21:57:28 | *password | semmle.label | *password | | tests.c:70:70:70:77 | *password | semmle.label | *password | subpaths diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected index 9c5a5a9f2709..3262b7621410 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected 
@@ -1,4 +1,5 @@ edges +| tests2.cpp:50:13:50:19 | **global1 | tests2.cpp:50:13:50:19 | **global1 | | tests2.cpp:50:13:50:19 | **global1 | tests2.cpp:82:14:82:20 | *global1 | | tests2.cpp:50:23:50:43 | *call to mysql_get_client_info | tests2.cpp:50:13:50:19 | **global1 | | tests2.cpp:78:18:78:38 | *call to mysql_get_client_info | tests2.cpp:81:14:81:19 | *buffer | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.expected index 5178a4019398..d4a4b74bcc54 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.expected @@ -1,4 +1,5 @@ edges +| tests.cpp:62:7:62:18 | **global_token | tests.cpp:62:7:62:18 | **global_token | | tests.cpp:62:7:62:18 | **global_token | tests.cpp:71:27:71:38 | *global_token | | tests.cpp:62:7:62:18 | **global_token | tests.cpp:73:27:73:31 | *maybe | | tests.cpp:62:22:62:27 | *call to getenv | tests.cpp:62:7:62:18 | **global_token | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected index 4efc0e59620d..6ee0e69174b3 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected 
@@ -3,8 +3,10 @@ edges | tests2.cpp:33:17:33:31 | call to SAXParser | tests2.cpp:37:2:37:2 | *p | | tests2.cpp:49:12:49:12 | call to SAXParser | tests2.cpp:51:2:51:2 | *p | | tests3.cpp:23:21:23:53 | *call to createXMLReader | tests3.cpp:25:2:25:2 | *p | +| tests3.cpp:35:16:35:20 | **p_3_3 | tests3.cpp:35:16:35:20 | **p_3_3 | | tests3.cpp:35:16:35:20 | **p_3_3 | tests3.cpp:38:2:38:6 | *p_3_3 | | tests3.cpp:35:24:35:56 | *call to createXMLReader | tests3.cpp:35:16:35:20 | **p_3_3 | +| tests3.cpp:48:16:48:20 | **p_3_5 | tests3.cpp:48:16:48:20 | **p_3_5 | | tests3.cpp:48:16:48:20 | **p_3_5 | tests3.cpp:56:2:56:6 | *p_3_5 | | tests3.cpp:48:24:48:56 | *call to createXMLReader | tests3.cpp:48:16:48:20 | **p_3_5 | | tests3.cpp:60:21:60:53 | *call to createXMLReader | tests3.cpp:63:2:63:2 | *p | @@ -12,6 +14,7 @@ edges | tests5.cpp:27:25:27:38 | *call to createLSParser | tests5.cpp:29:2:29:2 | *p | | tests5.cpp:40:25:40:38 | *call to createLSParser | tests5.cpp:43:2:43:2 | *p | | tests5.cpp:55:25:55:38 | *call to createLSParser | tests5.cpp:59:2:59:2 | *p | +| tests5.cpp:63:21:63:24 | **g_p2 | tests5.cpp:63:21:63:24 | **g_p2 | | tests5.cpp:63:21:63:24 | **g_p2 | tests5.cpp:77:2:77:5 | *g_p2 | | tests5.cpp:70:17:70:30 | *call to createLSParser | tests5.cpp:63:21:63:24 | **g_p2 | | tests5.cpp:81:25:81:38 | *call to createLSParser | tests5.cpp:83:2:83:2 | *p | From 25a8cf390b9cc6f9cb3b0484497a8c68116eedcc Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Mon, 8 Jan 2024 13:32:23 +0000 Subject: [PATCH 4/4] C++: Fix duplicate 'FinalGlobalValue' issue. --- .../code/cpp/ir/dataflow/internal/SsaInternals.qll | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll index 5135736a52c1..247e52a75887 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll 
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
@@ -180,11 +180,14 @@ private predicate isGlobalUse(
 ) {
 // Generate a "global use" at the end of the function body if there's a
 // direct definition somewhere in the body of the function
- exists(VariableAddressInstruction vai |
- vai.getEnclosingIRFunction() = f and
- vai.getAstVariable() = v and
- isDef(_, _, _, vai, indirection, indirectionIndex)
- )
+ indirection =
+ min(int cand, VariableAddressInstruction vai |
+ vai.getEnclosingIRFunction() = f and
+ vai.getAstVariable() = v and
+ isDef(_, _, _, vai, cand, indirectionIndex)
+ |
+ cand
+ )
 or
 // Generate a "global use" at the end of the function body if the
 // global variable is used for field-flow, or is passed as an argument
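Review bot: The `min` aggregate that replaces the `exists` needs a comment saying why the smallest candidate indirection is chosen, because nothing at this site explains that several definitions of `v` in `f` can carry different indirections and that only one global use per (f, v, indirectionIndex) is wanted; the comment above it still reads as a plain existence check. I would add above `indirection =` the comment `// Several defs of v in f may have different indirections; pick the smallest so that a single global use (and a single FinalGlobalValue) is generated per (f, v, indirectionIndex).` This also means definitions with a larger indirection are dropped rather than merged, which is presumably intended but is worth stating explicitly. The earlier patches in this series add self-edges such as `**copy -> **copy` to the CWE-134/319/497/611 `.expected` files, which look like the duplicate nodes this fix targets; if the fix removes them, those expected outputs should be regenerated in the same change, and the diffstat (one file changed) suggests that was not done. isGlobalUse's signature and the remaining disjuncts lie outside the hunk.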