Replies: 2 comments
-
Hmm... This is hard for a couple of reasons. I don't have a good solution off the top of my head. Let me try to explain why it's hard: My first thought was to add an additional flow step from the final (implicit) mention of

```cpp
void HandleWrite(uint64_t value) {
  obj.tainted = value;
  obj.not_tainted = 1;
  uint64_t tmp = obj.tainted; // <-- `this` is implicitly accessed here
  outside_fun(tmp);
}
```

to

```cpp
void test() {
  // <-- `this` is implicitly defined here
  uint64_t tmp = obj.tainted;
  outside_fun(tmp);
  tmp = obj.not_tainted;
  outside_fun(tmp);
}
```

However, a non-documented requirement is that the "access path" (i.e., the list of fields that must be accessed to read the data we're tracking) must be empty for any additional flow steps to be taken into account during the analysis. This is a problem since the access path is

Now, if we're following flow into

So let's assume that we have a way of adding this flow step from the final (implicit) mention of

However! Now we run into another invariant: Value preserving steps must preserve the enclosing callable. In other words: Dataflow steps that can be taken while the access path is non-empty cannot transfer flow from one function to another. That's a problem in our case since we're specifically looking for a way to transfer flow from

So, in summary, I'm not really sure how to add such a step (either via
-
It is possible to add value steps using models-as-data (as you can see in the implementation of

Can we taint the
-
Hello,
This is probably a C++ edge case. Assume that we have an object that exposes two functions and we can't know which function will be called first. In this case, I would like anything that gets tainted in one function to retain its taint when accessed by the other (even if it leads to over-tainting).
For instance, `library.cc`:

`BUILD`:

and `query.ql`:

Create the db with:

```shell
codeql database create database --language=cpp --command='bazel build --spawn_strategy=local --nouse_action_cache --noremote_accept_cached --noremote_upload_local_results //library:library'
```

and execute the query with:

```shell
codeql query run --database=<path>/database -- <path>/query.ql
```
In this example, the module identifies the tainted member at line 17, taints the variable and also identifies the flow at line 18. This does not happen at lines 22-23, which is what I'm trying to do (note that if we add a call to `test()` after line 18, the results do include lines 22-23). Does anyone have any ideas on how to modify the `isAdditionalFlowStep()` predicate to capture this case? Thanks!