C++: Change the behavior of 'isUserInput' so that the 'argv' paramter (and not all of the uses of 'argv') is user input. This removes the duplicate paths.

Author: MathiasVP

cpp/ql/lib/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll

@@ -47,14 +47,24 @@ predicate predictableOnlyFlow(string name) {
     ]
 }
 
-private DataFlow::Node getNodeForSource(Expr source) {
-  isUserInput(source, _) and
-  result = getNodeForExpr(source)
+private DataFlow::Node getNodeForSource(Element source) {
+  (
+    // It is user input
+    isUserInput(source, _) and
+    // But `isUserInput` also marks all uses of `argv` as user input, and we don't want those.
+    not argv(source.(VariableAccess).getTarget())
+    or
+    // Instead, we want the actual parameter as user input.
+    argv(source)
+  ) and
+  result = getNodeForElement(source)
 }
 
-private DataFlow::Node getNodeForExpr(Expr node) {
+private DataFlow::Node getNodeForElement(Element node) {
   result = DataFlow::exprNode(node)
   or
+  result.asParameter() = node
+  or
   // Some of the sources in `isUserInput` are intended to match the value of
   // an expression, while others (those modeled below) are intended to match
   // the taint that propagates out of an argument, like the `char *` argument
@@ -194,13 +204,7 @@ private module Cached {
   cached
   predicate nodeIsBarrierIn(DataFlow::Node node) {
     // don't use dataflow into taint sources, as this leads to duplicate results.
-    exists(Expr source | isUserInput(source, _) |
-      node = DataFlow::exprNode(source)
-      or
-      // This case goes together with the similar (but not identical) rule in
-      // `getNodeForSource`.
-      node = DataFlow::definitionByReferenceNodeFromArgument(source)
-    )
+    node = getNodeForSource(_)
     or
     // don't use dataflow into binary instructions if both operands are unpredictable
     exists(BinaryInstruction iTo |
@@ -303,7 +307,7 @@ private import Cached
  * If you need that you must call `taintedIncludingGlobalVars`.
  */
 cached
-predicate tainted(Expr source, Element tainted) {
+predicate tainted(Element source, Element tainted) {
   exists(DefaultTaintTrackingCfg cfg, DataFlow::Node sink |
     cfg.hasFlow(getNodeForSource(source), sink) and
     tainted = adjustedSink(sink)
@@ -326,7 +330,7 @@ predicate tainted(Expr source, Element tainted) {
  * through a global variable, then `globalVar = ""`.
  */
 cached
-predicate taintedIncludingGlobalVars(Expr source, Element tainted, string globalVar) {
+predicate taintedIncludingGlobalVars(Element source, Element tainted, string globalVar) {
   tainted(source, tainted) and
   globalVar = ""
   or
@@ -376,13 +380,13 @@ module TaintedWithPath {
    */
   class TaintTrackingConfiguration extends TSingleton {
     /** Override this to specify which elements are sources in this configuration. */
-    predicate isSource(Expr source) { exists(getNodeForSource(source)) }
+    predicate isSource(Element source) { exists(getNodeForSource(source)) }
 
     /** Override this to specify which elements are sinks in this configuration. */
     abstract predicate isSink(Element e);
 
     /** Override this to specify which expressions are barriers in this configuration. */
-    predicate isBarrier(Expr e) { nodeIsBarrier(getNodeForExpr(e)) }
+    predicate isBarrier(Expr e) { nodeIsBarrier(getNodeForElement(e)) }
 
     /**
      * Override this predicate to `any()` to allow taint to flow through global
@@ -398,8 +402,8 @@ module TaintedWithPath {
     AdjustedConfiguration() { this = "AdjustedConfiguration" }
 
     override predicate isSource(DataFlow::Node source) {
-      exists(TaintTrackingConfiguration cfg, Expr e |
-        cfg.isSource(e) and source = getNodeForExpr(e)
+      exists(TaintTrackingConfiguration cfg, Element e |
+        cfg.isSource(e) and source = getNodeForElement(e)
       )
     }
 
@@ -419,7 +423,9 @@ module TaintedWithPath {
     }
 
     override predicate isSanitizer(DataFlow::Node node) {
-      exists(TaintTrackingConfiguration cfg, Expr e | cfg.isBarrier(e) and node = getNodeForExpr(e))
+      exists(TaintTrackingConfiguration cfg, Element e |
+        cfg.isBarrier(e) and node = getNodeForElement(e)
+      )
     }
 
     override predicate isSanitizerIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
@@ -447,7 +453,7 @@ module TaintedWithPath {
       exists(AdjustedConfiguration cfg, DataFlow3::Node sourceNode, DataFlow3::Node sinkNode |
         cfg.hasFlow(sourceNode, sinkNode)
       |
-        sourceNode = getNodeForExpr(e) and
+        sourceNode = getNodeForElement(e) and
         exists(TaintTrackingConfiguration ttCfg | ttCfg.isSource(e))
         or
         e = adjustedSink(sinkNode) and
@@ -506,7 +512,7 @@ module TaintedWithPath {
   }
 
   private class EndpointPathNode extends PathNode, TEndpointPathNode {
-    Expr inner() { this = TEndpointPathNode(result) }
+    Element inner() { this = TEndpointPathNode(result) }
 
     override string toString() { result = this.inner().toString() }
 
@@ -543,14 +549,14 @@ module TaintedWithPath {
     // Same for the first node
     exists(WrapPathNode sourceNode |
       DataFlow3::PathGraph::edges(sourceNode.inner(), b.(WrapPathNode).inner()) and
-      sourceNode.inner().getNode() = getNodeForExpr(a.(InitialPathNode).inner())
+      sourceNode.inner().getNode() = getNodeForElement(a.(InitialPathNode).inner())
     )
     or
     // Finally, handle the case where the path goes directly from a source to a
     // sink, meaning that they both need to be translated.
     exists(WrapPathNode sinkNode, WrapPathNode sourceNode |
       DataFlow3::PathGraph::edges(sourceNode.inner(), sinkNode.inner()) and
-      sourceNode.inner().getNode() = getNodeForExpr(a.(InitialPathNode).inner()) and
+      sourceNode.inner().getNode() = getNodeForElement(a.(InitialPathNode).inner()) and
       b.(FinalPathNode).inner() = adjustedSink(sinkNode.inner().getNode())
     )
   }
@@ -575,15 +581,15 @@ module TaintedWithPath {
     exists(WrapPathNode sourceNode |
       DataFlow3::PathGraph::subpaths(sourceNode.inner(), par.(WrapPathNode).inner(),
         ret.(WrapPathNode).inner(), out.(WrapPathNode).inner()) and
-      sourceNode.inner().getNode() = getNodeForExpr(arg.(InitialPathNode).inner())
+      sourceNode.inner().getNode() = getNodeForElement(arg.(InitialPathNode).inner())
     )
     or
     // Finally, handle the case where the path goes directly from a source to a
     // sink, meaning that they both need to be translated.
     exists(WrapPathNode sinkNode, WrapPathNode sourceNode |
       DataFlow3::PathGraph::subpaths(sourceNode.inner(), par.(WrapPathNode).inner(),
         ret.(WrapPathNode).inner(), sinkNode.inner()) and
-      sourceNode.inner().getNode() = getNodeForExpr(arg.(InitialPathNode).inner()) and
+      sourceNode.inner().getNode() = getNodeForElement(arg.(InitialPathNode).inner()) and
       out.(FinalPathNode).inner() = adjustedSink(sinkNode.inner().getNode())
     )
   }
@@ -603,10 +609,10 @@ module TaintedWithPath {
    * user input in a way that users can probably control the exact output of
    * the computation.
    */
-  predicate taintedWithPath(Expr source, Element tainted, PathNode sourceNode, PathNode sinkNode) {
+  predicate taintedWithPath(Element source, Element tainted, PathNode sourceNode, PathNode sinkNode) {
     exists(AdjustedConfiguration cfg, DataFlow3::Node flowSource, DataFlow3::Node flowSink |
       source = sourceNode.(InitialPathNode).inner() and
-      flowSource = getNodeForExpr(source) and
+      flowSource = getNodeForElement(source) and
       cfg.hasFlow(flowSource, flowSink) and
       tainted = adjustedSink(flowSink) and
       tainted = sinkNode.(FinalPathNode).inner()

cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_path_to_sink/test_diff.cpp

@@ -88,20 +88,20 @@ class CRTPDoesNotCallSink : public CRTP<CRTPDoesNotCallSink> {
     void g(const char* p) {}
 };
 
-int main(int argc, char *argv[]) {
-    sink(argv[0]); // $ ast,ir-path,ir-sink
+int main(int argc, char *argv[]) { // $ ir-path
+    sink(argv[0]); // $ ast,ir-sink
 
-    sink(reinterpret_cast<int>(argv)); // $ ast,ir-path,ir-sink
+    sink(reinterpret_cast<int>(argv)); // $ ast,ir-sink
 
     calls_sink_with_argv(argv[1]); // $ ast,ir-path
 
-    char*** p = &argv; // $ ast,ir-path
+    char*** p = &argv; // $ ast
 
-    sink(*p[0]); // $ ast ir-sink=92:10 ir-sink=94:32 ir-sink=96:26 ir-sink=98:18
+    sink(*p[0]); // $ ast,ir-sink
 
-    calls_sink_with_argv(*p[i]); // $ ir-path=92:10 ir-path=94:32 ir-path=96:26 ir-path=98:18 MISSING:ast
+    calls_sink_with_argv(*p[i]); // $ ir-path MISSING:ast
 
-    sink(*(argv + 1)); // $ ast ir-path ir-sink
+    sink(*(argv + 1)); // $ ast,ir-sink
 
     BaseWithPureVirtual* b = new DerivedCallsSink;
 

cpp/ql/test/library-tests/dataflow/security-taint/tainted_diff.expected

@@ -1,10 +1,4 @@
-| test.cpp:23:23:23:28 | call to getenv | test.cpp:8:24:8:25 | s1 | AST only |
-| test.cpp:23:23:23:28 | call to getenv | test.cpp:23:14:23:19 | envStr | AST only |
-| test.cpp:38:23:38:28 | call to getenv | test.cpp:8:24:8:25 | s1 | AST only |
-| test.cpp:38:23:38:28 | call to getenv | test.cpp:38:14:38:19 | envStr | AST only |
 | test.cpp:49:23:49:28 | call to getenv | test.cpp:8:24:8:25 | s1 | AST only |
-| test.cpp:49:23:49:28 | call to getenv | test.cpp:45:13:45:24 | envStrGlobal | AST only |
-| test.cpp:49:23:49:28 | call to getenv | test.cpp:49:14:49:19 | envStr | AST only |
 | test.cpp:49:23:49:28 | call to getenv | test.cpp:50:15:50:24 | envStr_ptr | AST only |
 | test.cpp:49:23:49:28 | call to getenv | test.cpp:50:28:50:40 | & ... | AST only |
 | test.cpp:49:23:49:28 | call to getenv | test.cpp:50:29:50:40 | envStrGlobal | AST only |
@@ -14,33 +8,20 @@
 | test.cpp:49:23:49:28 | call to getenv | test.cpp:54:7:54:12 | call to strcmp | AST only |
 | test.cpp:49:23:49:28 | call to getenv | test.cpp:54:7:54:35 | (bool)... | AST only |
 | test.cpp:49:23:49:28 | call to getenv | test.cpp:54:14:54:25 | envStrGlobal | AST only |
-| test.cpp:60:29:60:34 | call to getenv | test.cpp:10:27:10:27 | s | AST only |
-| test.cpp:60:29:60:34 | call to getenv | test.cpp:60:18:60:25 | userName | AST only |
 | test.cpp:68:28:68:33 | call to getenv | test.cpp:11:20:11:21 | s1 | AST only |
-| test.cpp:68:28:68:33 | call to getenv | test.cpp:11:36:11:37 | s2 | AST only |
 | test.cpp:68:28:68:33 | call to getenv | test.cpp:67:7:67:13 | copying | AST only |
-| test.cpp:68:28:68:33 | call to getenv | test.cpp:68:17:68:24 | userName | AST only |
 | test.cpp:68:28:68:33 | call to getenv | test.cpp:69:10:69:13 | copy | AST only |
 | test.cpp:68:28:68:33 | call to getenv | test.cpp:70:5:70:10 | call to strcpy | AST only |
 | test.cpp:68:28:68:33 | call to getenv | test.cpp:70:12:70:15 | copy | AST only |
 | test.cpp:68:28:68:33 | call to getenv | test.cpp:71:12:71:15 | copy | AST only |
-| test.cpp:75:20:75:25 | call to getenv | test.cpp:15:22:15:25 | nptr | AST only |
-| test.cpp:83:28:83:33 | call to getenv | test.cpp:8:24:8:25 | s1 | AST only |
 | test.cpp:83:28:83:33 | call to getenv | test.cpp:11:20:11:21 | s1 | AST only |
-| test.cpp:83:28:83:33 | call to getenv | test.cpp:11:36:11:37 | s2 | AST only |
-| test.cpp:83:28:83:33 | call to getenv | test.cpp:83:17:83:24 | userName | AST only |
 | test.cpp:83:28:83:33 | call to getenv | test.cpp:85:8:85:11 | copy | AST only |
 | test.cpp:83:28:83:33 | call to getenv | test.cpp:86:2:86:7 | call to strcpy | AST only |
 | test.cpp:83:28:83:33 | call to getenv | test.cpp:86:9:86:12 | copy | AST only |
-| test.cpp:100:12:100:15 | call to gets | test.cpp:98:8:98:14 | pointer | AST only |
 | test.cpp:100:12:100:15 | call to gets | test.cpp:100:2:100:8 | pointer | AST only |
-| test.cpp:100:17:100:22 | buffer | test.cpp:93:18:93:18 | s | AST only |
 | test.cpp:100:17:100:22 | buffer | test.cpp:97:7:97:12 | buffer | AST only |
 | test.cpp:100:17:100:22 | buffer | test.cpp:100:17:100:22 | array to pointer conversion | IR only |
-| test.cpp:106:28:106:33 | call to getenv | test.cpp:8:24:8:25 | s1 | AST only |
 | test.cpp:106:28:106:33 | call to getenv | test.cpp:11:20:11:21 | s1 | AST only |
-| test.cpp:106:28:106:33 | call to getenv | test.cpp:11:36:11:37 | s2 | AST only |
-| test.cpp:106:28:106:33 | call to getenv | test.cpp:106:17:106:24 | userName | AST only |
 | test.cpp:106:28:106:33 | call to getenv | test.cpp:108:8:108:11 | copy | AST only |
 | test.cpp:106:28:106:33 | call to getenv | test.cpp:109:2:109:7 | call to strcpy | AST only |
 | test.cpp:106:28:106:33 | call to getenv | test.cpp:109:9:109:12 | copy | AST only |

cpp/ql/test/library-tests/dataflow/security-taint/tainted_ir.expected

@@ -1,3 +1,5 @@
+| test.cpp:23:23:23:28 | call to getenv | test.cpp:8:24:8:25 | s1 |
+| test.cpp:23:23:23:28 | call to getenv | test.cpp:23:14:23:19 | envStr |
 | test.cpp:23:23:23:28 | call to getenv | test.cpp:23:23:23:28 | call to getenv |
 | test.cpp:23:23:23:28 | call to getenv | test.cpp:23:23:23:40 | (const char *)... |
 | test.cpp:23:23:23:28 | call to getenv | test.cpp:25:6:25:29 | ! ... |
@@ -8,21 +10,33 @@
 | test.cpp:23:23:23:28 | call to getenv | test.cpp:29:7:29:12 | call to strcmp |
 | test.cpp:23:23:23:28 | call to getenv | test.cpp:29:7:29:28 | (bool)... |
 | test.cpp:23:23:23:28 | call to getenv | test.cpp:29:14:29:19 | envStr |
+| test.cpp:38:23:38:28 | call to getenv | test.cpp:8:24:8:25 | s1 |
+| test.cpp:38:23:38:28 | call to getenv | test.cpp:38:14:38:19 | envStr |
 | test.cpp:38:23:38:28 | call to getenv | test.cpp:38:23:38:28 | call to getenv |
 | test.cpp:38:23:38:28 | call to getenv | test.cpp:38:23:38:40 | (const char *)... |
 | test.cpp:38:23:38:28 | call to getenv | test.cpp:40:14:40:19 | envStr |
+| test.cpp:49:23:49:28 | call to getenv | test.cpp:45:13:45:24 | envStrGlobal |
+| test.cpp:49:23:49:28 | call to getenv | test.cpp:49:14:49:19 | envStr |
 | test.cpp:49:23:49:28 | call to getenv | test.cpp:49:23:49:28 | call to getenv |
 | test.cpp:49:23:49:28 | call to getenv | test.cpp:49:23:49:40 | (const char *)... |
 | test.cpp:49:23:49:28 | call to getenv | test.cpp:52:16:52:21 | envStr |
+| test.cpp:60:29:60:34 | call to getenv | test.cpp:10:27:10:27 | s |
+| test.cpp:60:29:60:34 | call to getenv | test.cpp:60:18:60:25 | userName |
 | test.cpp:60:29:60:34 | call to getenv | test.cpp:60:29:60:34 | call to getenv |
 | test.cpp:60:29:60:34 | call to getenv | test.cpp:60:29:60:47 | (const char *)... |
 | test.cpp:60:29:60:34 | call to getenv | test.cpp:64:25:64:32 | userName |
+| test.cpp:68:28:68:33 | call to getenv | test.cpp:11:36:11:37 | s2 |
+| test.cpp:68:28:68:33 | call to getenv | test.cpp:68:17:68:24 | userName |
 | test.cpp:68:28:68:33 | call to getenv | test.cpp:68:28:68:33 | call to getenv |
 | test.cpp:68:28:68:33 | call to getenv | test.cpp:68:28:68:46 | (const char *)... |
 | test.cpp:68:28:68:33 | call to getenv | test.cpp:70:18:70:25 | userName |
+| test.cpp:75:20:75:25 | call to getenv | test.cpp:15:22:15:25 | nptr |
 | test.cpp:75:20:75:25 | call to getenv | test.cpp:75:15:75:18 | call to atoi |
 | test.cpp:75:20:75:25 | call to getenv | test.cpp:75:20:75:25 | call to getenv |
 | test.cpp:75:20:75:25 | call to getenv | test.cpp:75:20:75:45 | (const char *)... |
+| test.cpp:83:28:83:33 | call to getenv | test.cpp:8:24:8:25 | s1 |
+| test.cpp:83:28:83:33 | call to getenv | test.cpp:11:36:11:37 | s2 |
+| test.cpp:83:28:83:33 | call to getenv | test.cpp:83:17:83:24 | userName |
 | test.cpp:83:28:83:33 | call to getenv | test.cpp:83:28:83:33 | call to getenv |
 | test.cpp:83:28:83:33 | call to getenv | test.cpp:83:28:83:46 | (const char *)... |
 | test.cpp:83:28:83:33 | call to getenv | test.cpp:86:15:86:22 | userName |
@@ -31,9 +45,14 @@
 | test.cpp:83:28:83:33 | call to getenv | test.cpp:88:7:88:27 | (bool)... |
 | test.cpp:83:28:83:33 | call to getenv | test.cpp:88:14:88:17 | (const char *)... |
 | test.cpp:83:28:83:33 | call to getenv | test.cpp:88:14:88:17 | copy |
+| test.cpp:100:12:100:15 | call to gets | test.cpp:98:8:98:14 | pointer |
 | test.cpp:100:12:100:15 | call to gets | test.cpp:100:12:100:15 | call to gets |
+| test.cpp:100:17:100:22 | buffer | test.cpp:93:18:93:18 | s |
 | test.cpp:100:17:100:22 | buffer | test.cpp:100:17:100:22 | array to pointer conversion |
 | test.cpp:100:17:100:22 | buffer | test.cpp:100:17:100:22 | buffer |
+| test.cpp:106:28:106:33 | call to getenv | test.cpp:8:24:8:25 | s1 |
+| test.cpp:106:28:106:33 | call to getenv | test.cpp:11:36:11:37 | s2 |
+| test.cpp:106:28:106:33 | call to getenv | test.cpp:106:17:106:24 | userName |
 | test.cpp:106:28:106:33 | call to getenv | test.cpp:106:28:106:33 | call to getenv |
 | test.cpp:106:28:106:33 | call to getenv | test.cpp:106:28:106:46 | (const char *)... |
 | test.cpp:106:28:106:33 | call to getenv | test.cpp:109:15:109:22 | userName |