CodeQL library for C/C++

Module DefaultTaintTracking

Import path

import semmle.code.cpp.ir.dataflow.DefaultTaintTracking

Imports

Security

Definitions related to security queries. These can be extended for specific code bases.

cpp

Provides classes and predicates for working with C/C++ code.

Predicates

globalVarFromId

Gets the global variable whose qualified name is id. Use this predicate together with taintedIncludingGlobalVars. Example:

predictableOnlyFlow

Functions that we should only allow taint to flow through (to the return value) if all but the source argument are ‘predictable’. This is done to emulate the old security library’s implementation rather than due to any strong belief that this is the right approach.

resolveCall

Resolve potential target function(s) for call.

tainted

Holds if tainted may contain taint from source.

taintedIncludingGlobalVars

Holds if tainted may contain taint from source, where the taint passed through a global variable named globalVar.

Modules

TaintedWithPath

Provides definitions for augmenting source/sink pairs with data-flow paths between them. From a @kind path-problem query, import this module in the global scope, extend TaintTrackingConfiguration, and use taintedWithPath in place of tainted.