
Incorrect data-flow when using methodReturn node

Open jaiverma opened this issue 3 years ago • 0 comments

I was using the following snippet to run a test:

int main(int argc, char *argv[]) {
  int *tmp = NULL;
  int x = 2;

  if (argc > 0) {
    tmp = &argc;
  }
  return *tmp;
}

x has no influence on the return value here, but

joern> def src = cpg.identifier.name("x") 
defined function src

joern> def sink = cpg.method.name("main").methodReturn 
defined function sink

joern> sink.reachableByFlows(src).p 
res7: List[String] = List(
  """__________________________________________________________
| tracked| lineNumber| method| file                       |
|=========================================================|
| x = 2  | 6         | main  | /Users/jai/dump/ret/main.c |
| int    | 4         | main  | /Users/jai/dump/ret/main.c |
"""
)

Using <node>.ast.isReturn works correctly though:

joern> def src = cpg.method.name("main").parameter.order(1) 
defined function src

joern> def sink = cpg.method.name("main").ast.isReturn 
defined function sink

joern> sink.reachableByFlows(src).p 
res22: List[String] = List()

jaiverma, Jun 23 '21 17:06
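As an added example, not part of the issue and not code from the codepropertygraph or Joern projects: a Joern console snippet that runs the two sink formulations from the report side by side for every parameter and local of `main`, so the disagreement can be checked per variable rather than one query at a time. It assumes the test file from the issue has already been loaded into the console with `importCode`, and that the Joern version in use exposes the steps the report itself uses (`methodReturn`, `ast.isReturn`, `reachableByFlows`); the variable and helper names below are the example's own.

```scala
// Added example (not from the issue or from Joern): differential check of the
// two sink formulations used in the report. Run inside the joern console after
// `importCode(...)` of the directory holding main.c (assumption).
val mainMethod = cpg.method.name("main")

// Variables to test as sources: parameters (argc, argv) plus locals (tmp, x).
val names = (mainMethod.parameter.name.l ++ mainMethod.local.name.l).distinct

// Sink A: the method's formal METHOD_RETURN node, as in the first query.
def sinkMethodReturn = cpg.method.name("main").methodReturn

// Sink B: the `return` statement(s) in the method body, as in the second query.
def sinkReturnStmt = cpg.method.name("main").ast.isReturn

// For each variable, use every identifier occurrence of that name inside
// main as the source, and count the flows each sink formulation reports.
val report = names.map { name =>
  def src = cpg.method.name("main").ast.isIdentifier.name(name)
  val viaMethodReturn = sinkMethodReturn.reachableByFlows(src).l.size
  val viaReturnStmt   = sinkReturnStmt.reachableByFlows(src).l.size
  val verdict = if (viaMethodReturn != viaReturnStmt) "MISMATCH" else "ok"
  (name, viaMethodReturn, viaReturnStmt, verdict)
}

// Print one line per variable; a MISMATCH reproduces the behaviour in the
// report (e.g. `x` reaching methodReturn but not the return statement).
report.foreach { case (name, a, b, verdict) =>
  println(f"$name%-6s methodReturn=$a%d  ast.isReturn=$b%d  $verdict")
}
```

Running this against the issue's `main.c` gives one row per variable, which makes it easy to see whether the spurious flow is specific to `x` or affects every variable whose declaration precedes the `return`, and to re-run the same check after a Joern upgrade to confirm a fix.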