codeql icon indicating copy to clipboard operation
codeql copied to clipboard

Published 20 hours ago verified publisher icon github

false positive:Data flow does't restrict while variable reassigned

Open mrlzh opened this issue 1 year ago • 5 comments

Demo code:

#include <string>
#include <stdio.h>
#include <stdlib.h>

using namespace std;

void mysql_query(char *test1,const char *test2){ //just for test
    printf("%s %s\n",test1,test2);
}

int main(){
    char input[100];
    scanf("%s", input);

    string in(input, strlen(input));

    in="test";

    string sql="select * from test where  xxx='"+in+"'";

    mysql_query("test", sql.c_str());
}

Variable in was reassigned.But Ql in cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql still alerts.

mrlzh avatar Aug 01 '22 07:08 mrlzh

Thanks for the report. I'll hear what our C++ analysis experts have to say about it.

hmakholm avatar Aug 01 '22 14:08 hmakholm

Hi @mrlzh,

Thanks for the issue! The problem is that in="test"; isn't just a simple assignment: it's a call to the std::string::operator= assignment operator, and we don't seem to realize that this assignment operator completely overrides the string.

I'll open an internal issue for how to detect this so that such assignments through overloaded operators are properly detected as sanitizers.

MathiasVP avatar Aug 02 '22 13:08 MathiasVP

If it makes you feel any better, neither gcc, clang nor icc detect this (and fold it to "select * from test where xxx='test'"): https://godbolt.org/z/f1oboT6h7

But they also don't optimize this ¯_(ツ)_/¯

intrigus-lgtm avatar Aug 02 '22 13:08 intrigus-lgtm

Hi @mrlzh,

Thanks for the issue! The problem is that in="test"; isn't just a simple assignment: it's a call to the std::string::operator= assignment operator, and we don't seem to realize that this assignment operator completely overrides the string.

I'll open an internal issue for how to detect this so that such assignments through overloaded operators are properly detected as sanitizers.

@MathiasVP Have this false positive been fixed?

mrlzh avatar Sep 15 '22 12:09 mrlzh

@MathiasVP Have this false positive been fixed?

Not yet, no. We are in the process of doing a fairly large rewrite of the C++ dataflow library, and once we get that change in I to expect we'll be able to fix this fairly easily. I'll make sure to ping you on this issue once we've fixed it!

MathiasVP avatar Sep 15 '22 16:09 MathiasVP

Hello,is there any way to fix this false positive? It cause so many bad case in our scan results.I want to fix it as soon as possible.Even if the fix is not perfect.

mrlzh avatar Feb 16 '23 10:02 mrlzh