CodeQL library for C/C++
codeql/cpp-all 0.4.4 (changelog, source)
Search

Predicate tainted

A tainted expression is either directly user input, or is computed from user input in a way that users can probably control the exact output of the computation.

This doesn’t include data flow through global variables. If you need that you must call taintedIncludingGlobalVars.

Import path

import semmle.code.cpp.security.TaintTrackingImpl
predicate tainted(Expr source, Element tainted)