Conversation

MathiasVP
Contributor

Fixes https://github.com/github/codeql-c-analysis-team/issues/189.

It turns out that the set of functions which are ArrayFunctions with no output parameters is a strict superset of functions satisfying either PureStrFunction, StrLenFunction or PureMemFunction. And when you factor out the functions that satisfy either TaintFunction or DataFlowFunction (like we do in ExternalAPIDataNode), I think these two sets are equivalent.
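As an added check, not code from the PR itself: a query that lists the functions on which the two definitions of `DefaultSafeExternalAPIFunction` disagree, after factoring out functions that have a `TaintFunction` or `DataFlowFunction` model as the description says. Module paths and predicate names are assumed to match the CodeQL C/C++ library of the time; an empty result supports the equivalence claim, and a row labelled "Pure model only" would contradict the superset claim.

```ql
import cpp
import semmle.code.cpp.models.interfaces.ArrayFunction
import semmle.code.cpp.models.interfaces.Taint
import semmle.code.cpp.models.interfaces.DataFlow
import semmle.code.cpp.models.implementations.Pure

/** The new characterisation: an array-handling model that writes to no buffer parameter. */
predicate arrayFunctionWithoutOutput(Function f) {
  f instanceof ArrayFunction and
  not f.(ArrayFunction).hasArrayOutput(_)
}

/** The old characterisation: one of the three pure models. */
predicate pureModel(Function f) {
  f instanceof PureStrFunction or
  f instanceof StrLenFunction or
  f instanceof PureMemFunction
}

/**
 * Functions that already carry a flow model. These are factored out here in the
 * same way the description says ExternalAPIDataNode factors them out (assumed).
 */
predicate hasFlowModel(Function f) {
  f instanceof TaintFunction or
  f instanceof DataFlowFunction
}

// Report each function that is in exactly one of the two sets. An empty result
// means the two definitions agree once flow-modelled functions are excluded.
from Function f, string side
where
  not hasFlowModel(f) and
  (
    arrayFunctionWithoutOutput(f) and not pureModel(f) and side = "ArrayFunction only"
    or
    pureModel(f) and not arrayFunctionWithoutOutput(f) and side = "Pure model only"
  )
select f, side
```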

@MathiasVP MathiasVP added the C++ label Nov 25, 2020
@MathiasVP MathiasVP requested review from a team as code owners November 25, 2020 17:11
@github-actions github-actions bot added the C# label Nov 25, 2020
…ee previously-used implementation models private.
@MathiasVP MathiasVP force-pushed the safe-external-api-function-use-model-interfaces-only branch from f165f49 to 7730f5d November 25, 2020 17:21
@MathiasVP MathiasVP removed the C# label Nov 25, 2020
Contributor

@jbj jbj left a comment

We've discussed whether "write side effects" includes writes to sockets, files, or memory not seen by the caller. I think we decided it does not, but for the purpose of DefaultSafeExternalAPIFunction I don't think we have to be precise about it.

Contributor

@geoffw0 geoffw0 left a comment

LGTM.

> We've discussed whether "write side effects" includes writes to sockets, files, or memory not seen by the caller.

I think that means we may want to refine the models in future. We also already have some special cases in Function.mayHaveSideEffects() that seem very similar to this.

@MathiasVP MathiasVP merged commit a4c060a into github:main Nov 26, 2020