C++: Taint flow to formatting function return values. #3533
Conversation
|
Isn't the return value of I know I change my opinion about what taint means about once per month, but it's currently this: a tainted expression can be influenced by an attacker to have unusual values. An unusual value for an integer is almost never the length of a string. |
I like this definition. 'unusual' is a bit open to interpretation, but it captures the idea that booleans and things like string lengths don't necessarily need to be considered tainted just because they're computed from things that are. The old security taint tracking library did consider these return values tainted, but I don't think it was an important detail in practice (real world or samate tests, for example). The change was motivated by consistency with the old code and our handling of
|
|
Do you think taint should flow through |
|
Closed in favour of #3569. |
No, I don't think it should. Right now it's excluded in |
|
I'm slightly cautious because I don't want to port every hack from the old taint tracking library to the new one, but I agree. I'll make a PR for that change as well. |
|
The |
Strictly speaking, taint should flow from a tainted argument to a formatting function such as
sprintfto the return value (the number of characters written / error code). This is much less important than the existing flow to the output parameter, but could conceivably come up as allowing a user to control the size of an allocation or something like that.This is consistent with how we handle
strftime(the only similar case I could find) and is the final part of https://jira.semmle.com/browse/CPP-466 (which I am keen to close).The new test results in
format.cppare on lines that look like this: