CodeQL library for C/C++

Predicate taintedIncludingGlobalVars

Holds if tainted may contain taint from source, where the taint passed through a global variable named globalVar.

A tainted expression is either directly user input, or is computed from user input in a way that users can probably control the exact output of the computation.

This version gives the same results as tainted but also includes data flow through global variables.

The parameter globalVar is the qualified name of the last global variable used to move the value from source to tainted. If the taint did not pass through a global variable, then globalVar = "".

Import path

import semmle.code.cpp.ir.dataflow.DefaultTaintTracking
predicate taintedIncludingGlobalVars(Expr source, Element tainted, string globalVar)
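An example query using this predicate follows. It is added here as an illustration and is not part of the CodeQL library or its documentation. It reports call arguments that receive user input only because the value travelled through a global variable, that is, flows this predicate finds and tainted does not. The query id, the message text and the restriction of sinks to call arguments are assumptions made for the example.

```ql
/**
 * @name User input reaching a call argument through a global variable
 * @description Lists call arguments that are tainted by user input only
 *              when flow through global variables is taken into account.
 * @kind problem
 * @problem.severity warning
 * @id example/cpp/taint-through-global-variable
 */

// The @id above is a hypothetical identifier chosen for this example.
//
// Code shape this query is meant to surface: one function stores a value
// derived from user input in a global variable, and a different function
// later reads that global and passes it to a call.

import cpp
import semmle.code.cpp.ir.dataflow.DefaultTaintTracking

from Expr source, Expr sink, string globalVar, FunctionCall call
where
  // Taint flow from source to sink, with flow through globals included.
  taintedIncludingGlobalVars(source, sink, globalVar) and
  // globalVar is "" when the taint did not pass through a global variable.
  globalVar != "" and
  // Drop pairs that the plain `tainted` predicate already reports, leaving
  // the flows that exist only because of a global variable.
  not tainted(source, sink) and
  // Example-specific narrowing (assumption): only report call arguments.
  sink = call.getAnArgument()
select sink,
  "Argument to " + call.getTarget().getName() + " may contain $@, passed through global variable " +
    globalVar + ".", source, "user input"
```

Because globalVar names only the last global variable on the path, a reported flow may have passed through other globals before it; start the review at the writes to the named variable and work backwards from there.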