Can't un-taint nodes with in place string modification #8558
Replies: 1 comment 1 reply
-
This is a common issue for C/C++ dataflow analysis. It's a bit unfortunate that the

```ql
import cpp
import semmle.code.cpp.dataflow.TaintTracking
import semmle.code.cpp.controlflow.Dominance
import semmle.code.cpp.valuenumbering.GlobalValueNumbering

// Goes inside a TaintTracking::Configuration subclass alongside isSource/isSink.
override predicate isSanitizer(DataFlow::Node node) {
  exists(FunctionCall fc |
    // The function call is always executed before `node`
    dominates(fc, node.asExpr()) and
    (
      // clean_data sanitizes the argument.
      // So we mark any future use of the argument as a sanitizer.
      fc.getTarget().hasGlobalOrStdName("clean_data") and
      globalValueNumber(node.asExpr()).getAnExpr() = fc.getAnArgument()
      or
      // clean_data_2 sanitizes the return value.
      // So we mark any future use of the return value as a sanitizer.
      fc.getTarget().hasGlobalOrStdName("clean_data_2") and
      globalValueNumber(node.asExpr()).getAnExpr() = fc
    )
  )
}
```

Consider the flow in

That takes care of the

This should hopefully remove the two false positives you're seeing. I hope that helps!
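Added example, not code from the thread: a complete path-problem query that wires the dominance-based sanitizer from the reply into a classic TaintTracking::Configuration. The cleaning functions clean_data and clean_data_2 are the names used in the thread; the source (the return value of getenv) and the sink (the first argument of system) are assumptions, since bug.cpp.txt is not on the page, and the C++ fragment in the comment is constructed to show what dominance does and does not cover.

```ql
/**
 * @name Command injection with a dominance-based sanitizer (added example)
 * @kind path-problem
 * @problem.severity warning
 * @id cpp/example/cmdi-dominance-sanitizer
 */

import cpp
import semmle.code.cpp.dataflow.TaintTracking
import semmle.code.cpp.controlflow.Dominance
import semmle.code.cpp.valuenumbering.GlobalValueNumbering
import DataFlow::PathGraph

// Constructed C++ this query is meant to classify (not the thread's bug.cpp.txt):
//
//   char *p = getenv("X");
//   clean_data(p);            // dominates every later use of `p` in this function
//   system(p);                // not reported: the use of `p` here is a sanitizer node
//
//   char *q = getenv("Y");
//   if (cond) clean_data(q);  // does NOT dominate the call below
//   system(q);                // reported: `q` may reach system() uncleaned

/** Holds if `fc` cleans its argument in place (name taken from the thread). */
predicate cleansArgument(FunctionCall fc) { fc.getTarget().hasGlobalOrStdName("clean_data") }

/** Holds if `fc` returns a cleaned value (name taken from the thread). */
predicate cleansReturn(FunctionCall fc) { fc.getTarget().hasGlobalOrStdName("clean_data_2") }

class CmdiConfig extends TaintTracking::Configuration {
  CmdiConfig() { this = "CmdiConfig" }

  // Assumption: untrusted data enters through getenv(); adjust to the test program.
  override predicate isSource(DataFlow::Node source) {
    exists(FunctionCall fc |
      fc.getTarget().hasGlobalOrStdName("getenv") and
      source.asExpr() = fc
    )
  }

  // Assumption: the first argument of system() is the command sink.
  override predicate isSink(DataFlow::Node sink) {
    exists(FunctionCall fc |
      fc.getTarget().hasGlobalOrStdName("system") and
      sink.asExpr() = fc.getArgument(0)
    )
  }

  // Same idea as the reply: a use of a value is a barrier when a cleaning call on that
  // same value (same global value number) dominates it, i.e. always ran before it.
  override predicate isSanitizer(DataFlow::Node node) {
    exists(FunctionCall fc |
      dominates(fc, node.asExpr()) and
      (
        cleansArgument(fc) and
        globalValueNumber(node.asExpr()).getAnExpr() = fc.getAnArgument()
        or
        cleansReturn(fc) and
        globalValueNumber(node.asExpr()).getAnExpr() = fc
      )
    )
  }
}

from CmdiConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlow(source, sink)
select sink.getNode(), source, sink, "Command built from untrusted $@.", source.getNode(), "input"
```

Two properties of this sanitizer are worth knowing before relying on it. Dominance is computed per function, so a cleaning call made inside a callee or in a caller does not count; the call and the use must sit in the same function body. The check is also purely positional: if the same buffer is overwritten with fresh tainted data after the cleaning call, its global value number is unchanged and the later use is still treated as clean, so the rule trades a class of false positives for a possible false negative on in-place rewrites.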
-
I'm testing CodeQL with this source code: bug.cpp.txt
And I created this query:
isSanitizer does not work for clean_data, and no_cmdi_1 is a false positive.
How can I fix it?