CodeQL library for C/C++

Class Configuration

A configuration of interprocedural taint tracking analysis. This defines sources, sinks, and any other configurable aspect of the analysis. Each use of the taint tracking library must define its own unique extension of this abstract class.

A taint-tracking configuration is a special data flow configuration (DataFlow::Configuration) that allows for flow through nodes that do not necessarily preserve values but are still relevant from a taint tracking perspective. (For example, string concatenation, where one of the operands is tainted.)

To create a configuration, extend this class with a subclass whose characteristic predicate is a unique singleton string. For example, write

class MyAnalysisConfiguration extends TaintTracking::Configuration {
  MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
  // Override `isSource` and `isSink`.
  // Optionally override `isSanitizer`.
  // Optionally override `isSanitizerIn`.
  // Optionally override `isSanitizerOut`.
  // Optionally override `isSanitizerGuard`.
  // Optionally override `isAdditionalTaintStep`.
}

Then, to query whether there is flow between some source and sink, write

exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))

Multiple configurations can coexist, but it is unsupported to depend on another TaintTracking::Configuration or a DataFlow::Configuration in the overridden predicates that define sources, sinks, or additional steps. Instead, the dependency should go to a TaintTracking2::Configuration or a DataFlow2::Configuration, DataFlow3::Configuration, etc.
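As an added example, not taken from this page or from the CodeQL library itself, here is a complete query built on the pattern above. It treats the result of getenv as the taint source and the command argument of system as the sink, so it flags environment-controlled command strings for review; validate_command is a hypothetical function assumed here to illustrate isSanitizer, and the query id is a placeholder.

```ql
/**
 * @name Environment variable flows to system() (added example)
 * @kind path-problem
 * @problem.severity warning
 * @id cpp/example-env-to-system   // placeholder id, not a library query
 */

import cpp
import semmle.code.cpp.ir.dataflow.TaintTracking
import DataFlow::PathGraph

class EnvToSystemConfiguration extends TaintTracking::Configuration {
  // Characteristic predicate: a unique singleton string, as the class docs require.
  EnvToSystemConfiguration() { this = "EnvToSystemConfiguration" }

  override predicate isSource(DataFlow::Node source) {
    // Values returned by getenv() are controlled by the process environment.
    source.asExpr().(FunctionCall).getTarget().hasGlobalName("getenv")
  }

  override predicate isSink(DataFlow::Node sink) {
    // The command string handed to system().
    exists(FunctionCall call |
      call.getTarget().hasGlobalName("system") and
      sink.asExpr() = call.getArgument(0)
    )
  }

  override predicate isSanitizer(DataFlow::Node node) {
    // Hypothetical validation routine: its return value is treated as clean,
    // so taint does not continue past it.
    node.asExpr().(FunctionCall).getTarget().hasGlobalName("validate_command")
  }
}

// hasFlowPath (inherited from DataFlow::Configuration) yields the path,
// which @kind path-problem renders as source-to-sink steps.
from EnvToSystemConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
  "Environment value from $@ reaches a system() command string.",
  source.getNode(), "getenv() call"
```

To reuse the same sources and sinks inside another configuration's predicates, define that second configuration against TaintTracking2::Configuration as the note above requires, rather than referencing EnvToSystemConfiguration directly.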

Import path

import semmle.code.cpp.ir.dataflow.internal.tainttracking1.TaintTrackingImpl

Direct supertypes

Indirect supertypes

Known direct subtypes

    Predicates

    hasFlow

    Holds if taint may flow from source to sink for this configuration.

    isAdditionalFlowStep

    Holds if the additional flow step from node1 to node2 must be taken into account in the analysis.

    isAdditionalTaintStep

    Holds if the additional taint propagation step from node1 to node2 must be taken into account in the analysis.

    isBarrier

    Holds if data flow through node is prohibited. This completely removes node from the data flow graph.

    isBarrierGuard

    Holds if data flow through nodes guarded by guard is prohibited.

    isBarrierIn

    Holds if data flow into node is prohibited.

    isBarrierOut

    Holds if data flow out of node is prohibited.

    isSanitizer

    Holds if the node node is a taint sanitizer.

    isSanitizerGuard

    Holds if taint propagation through nodes guarded by guard is prohibited.

    isSanitizerIn

    Holds if taint propagation into node is prohibited.

    isSanitizerOut

    Holds if taint propagation out of node is prohibited.

    isSink

    Holds if sink is a relevant taint sink.

    isSource

    Holds if source is a relevant taint source.

    Inherited predicates

    charAt

    Returns a one-character string containing the character in the receiver at the given index (which ranges from 0 through length minus one)

    from string
    explorationLimit

    Gets the exploration limit for hasPartialFlow and hasPartialFlowRev measured in approximate number of interprocedural steps.

    from Configuration
    fieldFlowBranchLimit

    Gets the virtual dispatch branching limit when calculating field flow. This can be overridden to a smaller value to improve performance (a value of 0 disables field flow), or a larger value to get more results.

    from Configuration
    hasFlowPath

    Holds if data may flow from source to sink for this configuration.

    from Configuration
    hasFlowTo

    Holds if data may flow from some source to sink for this configuration.

    from Configuration
    hasFlowToExpr

    Holds if data may flow from some source to sink for this configuration.

    from Configuration
    hasPartialFlow

    Holds if there is a partial data flow path from source to node. The approximate distance between node and the closest source is dist and is restricted to be less than or equal to explorationLimit(). This predicate completely disregards sink definitions.

    from Configuration
    hasPartialFlowRev

    Holds if there is a partial data flow path from node to sink. The approximate distance between node and the closest sink is dist and is restricted to be less than or equal to explorationLimit(). This predicate completely disregards source definitions.

    from Configuration
    indexOf

    Returns all the offsets (starting at 0) at which the given string occurs in the receiver. Has no result if the string does not occur in the receiver.

    from string
    indexOf

    Returns the index of the n’th (starting at 0) occurrence of the given string within the receiver, starting at the given 0-based offset. Has no result if the string does not occur in the receiver.

    from string
    isLowercase

    Holds when the receiver contains no upper-case letters. This includes the case where the receiver contains no letters at all, for example, if it’s an empty string or only consists of non-letter symbols.

    from string
    isUppercase

    Holds when the receiver contains no lower-case letters. This includes the case where the receiver contains no letters at all, for example, if it’s an empty string or only consists of non-letter symbols.

    from string
    length

    Returns the length of the receiver (in UTF-16 code units)

    from string
    matches

    Holds when the receiver matches the pattern. Patterns are matched by case sensitive string matching, and there are two wildcards: _ matches a single character, and % matches any sequence of characters. To match the actual characters _ or % in the pattern, they must be escaped using backslashes. For example, "anythingstring%".matches("%string\\%") holds. To match a literal backslash in front of _ or %, you must escape the backslash. In other cases, you don’t need to escape the backslash.

    from string
    prefix

    Returns the substring of the receiver ending at the given 0-based exclusive offset

    from string
    regexpCapture

    When the given regular expression matches the entire receiver, returns the substring matched by the given capture group (starting at 1). The regex format used is Java’s Pattern.

    from string
    regexpFind

    Returns a substring of the receiver which matches the given regular expression. Also returns the offset within the receiver (starting at 0) at which the match occurred (occurrenceOffset), and the number of matches which occur at smaller offsets (occurrenceIndex). The regex format used is Java’s Pattern.

    from string
    regexpMatch

    Holds when the given regular expression matches the entire receiver. The regex format used is Java’s Pattern.

    from string
    regexpReplaceAll

    Returns a copy of the receiver in which every substring that matches the given regular expression is replaced by the replacement. The regex format used is Java’s Pattern. The replacement string can contain references to captured groups as described in Java’s appendReplacement docs.

    from string
    replaceAll

    Returns a copy of the receiver with all occurrences of the target replaced by the replacement

    from string
    splitAt

    Returns all the substrings obtained by splitting the receiver at every occurrence of the argument. Trailing empty substrings are omitted. Splitting at an empty string returns all the characters that the receiver consists of.

    from string
    splitAt

    Returns the n’th (starting at 0) substring obtained by splitting the receiver at every occurrence of the argument. Trailing empty substrings are omitted. Splitting at an empty string returns all the characters that the receiver consists of.

    from string
    substring

    Returns the substring of the receiver which starts and ends at the given indices. Both indices are 0-based. The start index is inclusive and the end index is exclusive.

    from string
    suffix

    Returns the substring of the receiver starting at the given 0-based inclusive offset

    from string
    toDate

    Returns the date, if any, obtained by parsing the receiver. The recognized formats are described in the documentation.

    from string
    toFloat

    Returns the 64-bit floating point number, if any, obtained by parsing the receiver. The parsing rules are described in Java’s valueOf docs.

    from string
    toInt

    Returns the 32-bit signed integer, if any, obtained by parsing the receiver. The number may consist of an optional leading + or -, followed by one or more digits. Has no result if the value exceeds the value range supported by the int type.

    from string
    toLowerCase

    Returns a copy of the receiver with all uppercase characters replaced by lowercase ones according to Unicode case conversion rules.

    from string
    toString

    Returns the receiver

    from string
    toUpperCase

    Returns a copy of the receiver with all lowercase characters replaced by uppercase ones according to Unicode case conversion rules.

    from string
    trim

    Returns a copy of the receiver with all whitespace removed from the beginning and end of the string (where whitespace is defined as Unicode code points ‘\u0000’ through ‘\u0020’ inclusive)

    from string

    Charpred