The self-implemented taintloop rule has an empty detection result. Is there a good debugging method?

[ysuLihua]

test code:

#include <stdio.h>
#include <stdint.h>
#include <string.h>

void bad1(){
    int factor = atoi(getenv("BRANCHING_FACTOR"));
    int i;
    for(i = 0; i<factor; i++){
        printf("sfasdfad");
    }
}


void bad2(){
    int factor = atoi(getenv("BRANCHING_FACTOR"));
    int i = 0;
    while (i < factor)
    {
        printf("sfasdfad");
        i++;
    }
}

int main(){

}

TaintedLoop.ql

/**
 * @name Untrusted input for a condition
 * @description Using untrusted inputs in a statement that makes a
 *              security decision makes code vulnerable to
 *              attack.
 * @kind path-problem
 * @problem.severity warning
 * @security-severity 7.5
 * @precision medium
 * @id cpp/tainted-loop-check
 * @tags security
 *       external/cwe/cwe-606
 */

import cpp
import semmle.code.cpp.security.Security
import semmle.code.cpp.security.FlowSources
import semmle.code.cpp.ir.dataflow.TaintTracking
import semmle.code.cpp.ir.IR
import Flow::PathGraph

predicate sensitiveCondition(Expr condition) {
  exists(ForStmt forstmt |
    forstmt.getCondition() = condition
  )
}


predicate isSource(FlowSource source, string sourceType) { sourceType = source.getSourceType() }

module Config implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node node) { isSource(node, _) }

  predicate isSink(DataFlow::Node node) {
    sensitiveCondition(node.asExpr())
  }

}

module Flow = TaintTracking::Global<Config>;


from
  string sourceType, DataFlow::Node source, DataFlow::Node sink,
  Flow::PathNode sourceNode, Flow::PathNode sinkNode
where
  source = sourceNode.getNode() and
  sink = sinkNode.getNode() and
  isSource(source, sourceType) and
  sensitiveCondition(sink.asExpr()) and
  Flow::flowPath(sourceNode, sinkNode)
select sink, sourceNode, sinkNode, "Taint data to loop condition"

But the SARIF results is None. How can I debug and resolve this problem?

[jketema]

Hi @ysuLihua

This:

 predicate sensitiveCondition(Expr condition) {
   exists(ForStmt forstmt |
     forstmt.getCondition() = condition
   )
 }

looks incorrect, as factor is not the condition itself, but a child of the condition. You probably want to write something like:

 predicate sensitiveCondition(Expr condition) {
   exists(ForStmt forstmt |
     forstmt.getCondition().getAChild*() = condition
   )
 }

[ysuLihua]

@jketema Brother
After modification, the result is still empty.How can i printout the sinknode expr.

[jketema]

Hi @ysuLihua

I'm not your "Brother", please keep the conversation respectful.

With the above change to sensitiveCondition I get precisely one result. Are you sure you correctly modified your query?

[ysuLihua]

Hi @jketema ,Thank you very much!
The problem is solved.

[jketema]

Great to hear. Closing this issue as completed.