From 965d4829b5e51832edcabb6b9827946d0563821d Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Tue, 26 May 2020 17:00:49 +0100
Subject: [PATCH 1/3] C++: Consistency.

---
 .../src/semmle/code/cpp/models/implementations/Strftime.qll | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Strftime.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Strftime.qll
index b4c7f69bde4f..3e58fd8c2584 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Strftime.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Strftime.qll
@@ -10,10 +10,7 @@ class Strftime extends TaintFunction, ArrayFunction {
 input.isParameterDeref(2) or
 input.isParameterDeref(3)
 ) and
- (
- output.isParameterDeref(0) or
- output.isReturnValue()
- )
+ output.isParameterDeref(0)
 }

 override predicate hasArrayWithNullTerminator(int bufParam) { bufParam = 2 }

From 1baf14461da88cb48bca24455590b8720d50bebe Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Tue, 26 May 2020 17:24:00 +0100
Subject: [PATCH 2/3] C++: Add a definition of taint to the models library.

---
 cpp/ql/src/semmle/code/cpp/models/interfaces/Taint.qll | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/interfaces/Taint.qll b/cpp/ql/src/semmle/code/cpp/models/interfaces/Taint.qll
index 02e7c8e78a16..927dae25e250 100644
--- a/cpp/ql/src/semmle/code/cpp/models/interfaces/Taint.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/interfaces/Taint.qll
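Review bot: The new `hasTaintFlow` body keeps only `output.isParameterDeref(0)` and drops the return value without a comment saying why, so a later reader may take the narrowing for an oversight rather than a modelling decision. strftime's return value is the number of bytes written (0 when the buffer is too small), which is arguably still influenced by the format and tm inputs, so the reason for excluding it is worth recording, e.g. `// the return value is a byte count, not a pointer into the buffer, so only the` / `// destination buffer (parameter 0) is modelled as a taint output`. The enclosing `hasTaintFlow` predicate begins outside the hunk, and the `hasArrayWithNullTerminator` line is unchanged context.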
@@ -15,6 +15,9 @@ import semmle.code.cpp.models.Models
 * A library function for which a taint-tracking library should propagate taint
 * from a parameter or qualifier to an output buffer, return value, or qualifier.
 *
+ * An expression is tainted if it could be influenced by an attacker to have
+ * an unusual value.
+ *
 * Note that this does not include direct copying of values; that is covered by
 * DataFlowModel.qll. If a value is sometimes copied in full, and sometimes
 * altered (for example copying a string with `strncpy`), this is also considered
@@ -22,4 +25,4 @@ import semmle.code.cpp.models.Models
 */
 abstract class TaintFunction extends Function {
 abstract predicate hasTaintFlow(FunctionInput input, FunctionOutput output);
-}
+}
\ No newline at end of file

From 6fcfd0310feee8c80d80cac7a53b08783f0d27b1 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Thu, 28 May 2020 15:23:48 +0100
Subject: [PATCH 3/3] C++: Autoformat.

---
 cpp/ql/src/semmle/code/cpp/models/interfaces/Taint.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/interfaces/Taint.qll b/cpp/ql/src/semmle/code/cpp/models/interfaces/Taint.qll
index 927dae25e250..c619f2efaa5c 100644
--- a/cpp/ql/src/semmle/code/cpp/models/interfaces/Taint.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/interfaces/Taint.qll
@@ -25,4 +25,4 @@ import semmle.code.cpp.models.Models
 */
 abstract class TaintFunction extends Function {
 abstract predicate hasTaintFlow(FunctionInput input, FunctionOutput output);
-}
\ No newline at end of file
+}
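Review bot: The added definition `An expression is tainted if it could be influenced by an attacker to have an unusual value.` leaves "unusual" undefined, and since every model in this library will be read against this sentence, it should say what kind of influence counts. Wording it as `An expression is tainted if its value could be influenced by an attacker, i.e. if it is derived (possibly with modification) from untrusted input.` ties the definition to the paragraph that follows about values that are copied or altered. Only the documentation comment of `TaintFunction` changes in this hunk; the class declaration itself is in the following hunk.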