Class Configuration
DEPRECATED: Use Global and GlobalWithState instead.
A configuration of interprocedural taint tracking analysis. This defines sources, sinks, and any other configurable aspect of the analysis. Each use of the taint tracking library must define its own unique extension of this abstract class.
A taint-tracking configuration is a special data flow configuration (DataFlow::Configuration) that allows for flow through nodes that do not necessarily preserve values but are still relevant from a taint tracking perspective. (For example, string concatenation, where one of the operands is tainted.)
To create a configuration, extend this class with a subclass whose characteristic predicate is a unique singleton string. For example, write
class MyAnalysisConfiguration extends TaintTracking::Configuration {
  MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
  // Override `isSource` and `isSink`.
  // Optionally override `isSanitizer`.
  // Optionally override `isSanitizerIn`.
  // Optionally override `isSanitizerOut`.
  // Optionally override `isSanitizerGuard`.
  // Optionally override `isAdditionalTaintStep`.
}
Then, to query whether there is flow between some source and sink, write
exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
Multiple configurations can coexist, but it is unsupported to depend on another TaintTracking::Configuration or a DataFlow::Configuration in the overridden predicates that define sources, sinks, or additional steps. Instead, the dependency should go to a TaintTracking2::Configuration or a DataFlow2::Configuration, DataFlow3::Configuration, etc.
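A filled-in version of the skeleton above, as an added example rather than code from the CodeQL libraries: it treats the result of getenv as a source, the first argument of system as a sink, and the result of a sanitizing call as a barrier. The class name GetenvToSystemConfiguration and the function sanitize_command are hypothetical; the import is the public semmle.code.cpp.dataflow.TaintTracking module, which exposes this class as TaintTracking::Configuration.

```ql
import cpp
import semmle.code.cpp.dataflow.TaintTracking

// Hypothetical configuration name; the string in the characteristic
// predicate must be unique among all configurations in the query.
class GetenvToSystemConfiguration extends TaintTracking::Configuration {
  GetenvToSystemConfiguration() { this = "GetenvToSystemConfiguration" }

  // Source: the value returned by a call to getenv().
  override predicate isSource(DataFlow::Node source) {
    exists(FunctionCall fc |
      fc.getTarget().hasGlobalName("getenv") and
      source.asExpr() = fc
    )
  }

  // Sink: the command string passed to system().
  override predicate isSink(DataFlow::Node sink) {
    exists(FunctionCall fc |
      fc.getTarget().hasGlobalName("system") and
      sink.asExpr() = fc.getArgument(0)
    )
  }

  // Sanitizer: taint does not propagate past the result of
  // sanitize_command(), a hypothetical project-specific validator.
  override predicate isSanitizer(DataFlow::Node node) {
    exists(FunctionCall fc |
      fc.getTarget().hasGlobalName("sanitize_command") and
      node.asExpr() = fc
    )
  }
}

from GetenvToSystemConfiguration cfg, DataFlow::Node source, DataFlow::Node sink
where cfg.hasFlow(source, sink)
select sink, "Environment value from $@ reaches a call to system().", source, "getenv"
```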
Import path
import semmle.code.cpp.dataflow.internal.tainttracking1.TaintTrackingImpl
Direct supertypes
Indirect supertypes
Predicates
allowImplicitRead | Holds if an arbitrary number of implicit read steps of content |
hasFlow | Holds if taint may flow from |
isAdditionalFlowStep | Holds if data may flow from |
isAdditionalFlowStep | Holds if data may flow from |
isAdditionalTaintStep | Holds if taint may propagate from |
isAdditionalTaintStep | Holds if taint may propagate from |
isBarrier | Holds if data flow through |
isBarrier | Holds if data flow through |
isBarrierIn | Holds if data flow into |
isBarrierOut | Holds if data flow out of |
isSanitizer | Holds if the node |
isSanitizer | Holds if the node |
isSanitizerIn | Holds if taint propagation into |
isSanitizerOut | Holds if taint propagation out of |
isSink | Holds if |
isSink | Holds if |
isSource | Holds if |
isSource | Holds if |
Inherited predicates
charAt | Returns a one-character string containing the character in the receiver at the given index (which ranges from 0 through length minus one) | from string |
codePointAt | Returns an integer for the Unicode code point value of the character starting at the given index, counted by UTF-16 code units. | from string |
codePointCount | Returns the number of Unicode code points found in the receiver between the given start index (inclusive) and end index (exclusive). | from string |
explorationLimit | DEPRECATED: Use | from Configuration |
fieldFlowBranchLimit | Gets the virtual dispatch branching limit when calculating field flow. This can be overridden to a smaller value to improve performance (a value of 0 disables field flow), or a larger value to get more results. | from Configuration |
getAFeature | Gets a data flow configuration feature to add restrictions to the set of valid flow paths. | from Configuration |
hasFlowPath | Holds if data may flow from | from Configuration |
hasFlowTo | Holds if data may flow from some source to | from Configuration |
hasFlowToExpr | Holds if data may flow from some source to | from Configuration |
includeHiddenNodes | Holds if hidden nodes should be included in the data flow graph. | from Configuration |
indexOf | Returns all the offsets (starting at 0) at which the given string occurs in the receiver. Has no result if the string does not occur in the receiver. | from string |
indexOf | Returns the index of the n’th (starting at 0) occurrence of the given string within the receiver, starting at the given 0-based offset. Has no result if the string does not occur in the receiver. | from string |
isLowercase | Holds when the receiver contains no upper-case letters. This includes the case where the receiver contains no letters at all, for example, if it’s an empty string or only consists of non-letter symbols. | from string |
isUppercase | Holds when the receiver contains no lower-case letters. This includes the case where the receiver contains no letters at all, for example, if it’s an empty string or only consists of non-letter symbols. | from string |
length | Returns the length of the receiver (in UTF-16 code units) | from string |
matches | Holds when the receiver matches the pattern. Patterns are matched by case sensitive string matching, and there are two wildcards: _ matches a single character, and % matches any sequence of characters. To match the actual characters _ or % in the pattern, they must be escaped using backslashes. For example, | from string |
prefix | Returns the substring of the receiver ending at the given 0-based exclusive offset | from string |
regexpCapture | When the given regular expression matches the entire receiver, returns the substring matched by the given capture group (starting at 1). The regex format used is Java’s Pattern. | from string |
regexpFind | Returns a substring of the receiver which matches the given regular expression. Also returns the offset within the receiver (starting at 0) at which the match occurred (occurrenceOffset), and the number of matches which occur at smaller offsets (occurrenceIndex). The regex format used is Java’s Pattern. | from string |
regexpMatch | Holds when the given regular expression matches the entire receiver. The regex format used is Java’s Pattern. | from string |
regexpReplaceAll | Returns a copy of the receiver with every substring which matches the given regular expression replaced by the replacement. The regex format used is Java’s Pattern. The replacement string can contain references to captured groups as described in Java’s appendReplacement docs. | from string |
replaceAll | Returns a copy of the receiver with all occurrences of the target replaced by the replacement | from string |
sinkGrouping | Holds if sinks should be grouped in the result of | from Configuration |
sourceGrouping | Holds if sources should be grouped in the result of | from Configuration |
splitAt | Returns all the substrings obtained by splitting the receiver at every occurrence of the argument. Trailing empty substrings are omitted. Splitting at an empty string returns all the characters that the receiver consists of. | from string |
splitAt | Returns the n’th (starting at 0) substring obtained by splitting the receiver at every occurrence of the argument. Trailing empty substrings are omitted. Splitting at an empty string returns all the characters that the receiver consists of. | from string |
substring | Returns the substring of the receiver which starts and ends at the given indices. Both indices are 0-based. The start index is inclusive and the end index is exclusive. | from string |
suffix | Returns the substring of the receiver starting at the given 0-based inclusive offset | from string |
toBigInt | Returns the arbitrary-precision signed integer, if any, obtained by parsing the receiver. The number may consist of an optional leading | from string |
toDate | Returns the date, if any, obtained by parsing the receiver. The recognized formats are described in the documentation. | from string |
toFloat | Returns the 64-bit floating point number, if any, obtained by parsing the receiver. The parsing rules are described in Java’s valueOf docs. | from string |
toInt | Returns the 32-bit signed integer, if any, obtained by parsing the receiver. The number may consist of an optional leading | from string |
toLowerCase | Returns a copy of the receiver with all uppercase characters replaced by lowercase ones according to Unicode case conversion rules. | from string |
toString | Returns the receiver | from string |
toUpperCase | Returns a copy of the receiver with all lowercase characters replaced by uppercase ones according to Unicode case conversion rules. | from string |
trim | Returns a copy of the receiver with all whitespace removed from the beginning and end of the string (where whitespace is defined as Unicode code points ‘\u0000’ through ‘\u0020’ inclusive) | from string |