CodeQL library for C/C++

Predicate tainted

Holds if tainted may contain taint from source.

A tainted expression is either directly user input, or is computed from user input in a way that users can probably control the exact output of the computation.

This doesn’t include data flow through global variables. If you need that, you must call taintedIncludingGlobalVars instead.

Import path

import semmle.code.cpp.ir.dataflow.DefaultTaintTracking
predicate tainted(Expr source, Element tainted)
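
An added example, not part of the CodeQL library documentation: a query that uses tainted to flag calls to system whose command argument may derive from user input. The choice of system as the sink, the query id, and the C snippet in the comment are assumptions made for illustration.

```ql
/**
 * @name User-controlled command passed to system()
 * @kind problem
 * @problem.severity warning
 * @id cpp/example/tainted-system-argument
 */

// The @id above is a hypothetical identifier chosen for this example.

import cpp
import semmle.code.cpp.ir.dataflow.DefaultTaintTracking

// Constructed C input the query is meant to flag:
//
//   char cmd[256];
//   fgets(cmd, sizeof(cmd), stdin);  // source, assuming fgets is modelled as user input
//   system(cmd);                     // sink: tainted(source, cmd) holds
//
// A flow that stores the buffer in a global variable and reads it back in
// another function is not reported here, because tainted does not follow
// data flow through global variables.

from FunctionCall call, Expr source, Expr command
where
  // Sink: the first argument of a call to the global function system().
  call.getTarget().hasGlobalName("system") and
  command = call.getArgument(0) and
  // tainted(source, tainted): command may contain taint from source.
  tainted(source, command)
select call, "Command passed to system() may contain taint from $@.", source, "this user input"
```

Each result pairs the sink call with the source expression, so a reviewer can check whether the value is validated anywhere between the two.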