-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathTaintedFormatStrings.ql
More file actions
93 lines (83 loc) · 2.86 KB
/
TaintedFormatStrings.ql
File metadata and controls
93 lines (83 loc) · 2.86 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
/**
* @name Taint test
* @kind table
* @id cpp/points-to/tainted-format-strings
* @deprecated
*/
// This query is not suitable for production use and has been deprecated.
import cpp
import semmle.code.cpp.pointsto.PointsTo
import semmle.code.cpp.pointsto.CallGraph
predicate inputArgument(string function, int arg)
{
(function = "read" and arg = 1) or
(function = "fread" and arg = 0) or
(function = "fgets" and arg = 0)
// ... add more
}
predicate inputBuffer(Expr e) {
exists(FunctionCall fc, string fname, int i |
fc.getTarget().getName() = fname and
inputArgument(fname, i) and
e = fc.getArgument(i))
}
class InputBuffer extends PointsToExpr
{
InputBuffer() { inputBuffer(this) }
override predicate interesting() { inputBuffer(this) }
}
predicate formatArgument(string function, int i)
{
(function = "printf" and i = 0) or
(function = "fprintf" and i = 1) or
(function = "sprintf" and i = 1) or
(function = "snprintf" and i = 2) or
(function = "d_printf" and i = 0) or
(function = "talloc_asprintf" and i = 1) or
(function = "fstr_sprintf" and i = 1) or
(function = "talloc_asprintf_append" and i = 1) or
(function = "d_fprintf" and i = 1) or
(function = "asprintf" and i = 1) or
(function = "talloc_asprintf_append_buffer" and i = 1) or
(function = "fdprintf" and i = 1) or
(function = "d_vfprintf" and i = 1) or
(function = "smb_xvasprintf" and i = 1) or
(function = "asprintf_strupper_m" and i = 1) or
(function = "talloc_asprintf_strupper_m" and i = 1) or
(function = "sprintf_append" and i = 4) or
(function = "x_vfprintf" and i = 1) or
(function = "x_fprintf" and i = 1) or
(function = "vasprintf" and i = 1) or
(function = "ldb_asprintf_errstring" and i = 1) or
(function = "talloc_vasprintf" and i = 1) or
(function = "talloc_vasprintf" and i = 1) or
(function = "fprintf_file" and i = 1) or
(function = "vsnprintf" and i = 2) or
(function = "talloc_vasprintf_append" and i = 1) or
(function = "__talloc_vaslenprintf_append" and i = 2) or
(function = "talloc_vasprintf_append_buffer" and i = 1) or
(function = "fprintf_attr" and i = 2) or
(function = "vprintf" and i = 0) or
(function = "vsprintf" and i = 1)
}
predicate formatBuffer(Expr e)
{
exists(FunctionCall fc, string fname, int i |
fc.getTarget().getName() = fname and
formatArgument(fname, i) and
fc.getArgument(i) = e
)
}
class FormatBuffer extends PointsToExpr
{
FormatBuffer() { formatBuffer(this) }
override predicate interesting() { formatBuffer(this) }
}
predicate potentialViolation(InputBuffer source, FormatBuffer dest)
{
source.pointsTo() = dest.pointsTo() and
not exists(FunctionCall fc | fc = dest and fc.getTarget().hasName("lang_msg_rotate") and fc.getArgument(1) instanceof Literal)
}
from InputBuffer source, FormatBuffer dest
where potentialViolation(source, dest)
select dest.getFile() as File, dest as FormatString