CodeQL library for C/C++
Module TaintedWithPath

Provides definitions for augmenting source/sink pairs with data-flow paths between them. From a @kind path-problem query, import this module in the global scope, extend TaintTrackingConfiguration, and use taintedWithPath in place of tainted.

Importing this module will also import the query predicates that contain the taint paths.

Import path

import semmle.code.cpp.ir.dataflow.DefaultTaintTracking

Predicates

edges

Holds if (a,b) is an edge in the graph of data flow path explanations.

nodes

Holds if n is a node in the graph of data flow path explanations.

subpaths

Holds if there is flow from arg to out across a call that can be summarized by the flow from par to ret within it, in the graph of data flow path explanations.

taintedWithPath

Holds if tainted may contain taint from source, where sourceNode and sinkNode are the corresponding PathNodes that can be used in a query to provide path explanations. Extend TaintTrackingConfiguration to use this predicate.

taintedWithoutGlobals

Holds if tainted can be reached from a taint source without passing through a global variable.

Classes

PathNode

An opaque type used for the nodes of a data-flow path.

TaintTrackingConfiguration

A taint-tracking configuration that matches sources and sinks in the same way as the tainted predicate.
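
The usage described in the module summary, as an added example query that is not part of the CodeQL library or its documentation: it imports TaintedWithPath in the global scope, extends TaintTrackingConfiguration, and calls taintedWithPath to report a path. The sink choice (the first argument of system), the class name, the query id and the use of isUserInput from semmle.code.cpp.security.Security to obtain a description of the source are assumptions made for illustration.

```ql
/**
 * @name User-controlled data reaches system() (illustrative)
 * @description Reports flow from a taint source to the command string
 *              passed to system(), with a path explanation.
 * @kind path-problem
 * @problem.severity warning
 * @id cpp/example/tainted-system-argument
 */

import cpp
import semmle.code.cpp.security.Security
import semmle.code.cpp.ir.dataflow.DefaultTaintTracking
// Global-scope import: this also brings in the `edges`, `nodes` and
// `subpaths` query predicates that a path-problem query needs.
import TaintedWithPath

/** Hypothetical configuration: the sink is the first argument of `system`. */
class SystemArgConfiguration extends TaintTrackingConfiguration {
  override predicate isSink(Element tainted) {
    exists(FunctionCall call |
      call.getTarget().hasGlobalName("system") and
      tainted = call.getArgument(0)
    )
  }
}

from Expr source, Expr sinkArg, PathNode sourceNode, PathNode sinkNode, string cause
where
  // Same source/sink matching as `tainted`, plus the two PathNodes
  // that let the result viewer draw the path.
  taintedWithPath(source, sinkArg, sourceNode, sinkNode) and
  // Used here only to obtain a human-readable description of the source.
  isUserInput(source, cause)
select sinkArg, sourceNode, sinkNode,
  "The command passed to system() depends on $@.", source, "user input (" + cause + ")"
```

The select clause follows the path-problem column order: the alert element, the source PathNode, the sink PathNode, then the message and its placeholder values.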