CodeQL library for C/C++
codeql/cpp-all 0.4.4 (changelog, source)
Search

Predicate taintedIncludingGlobalVars

A tainted expression is either directly user input, or is computed from user input in a way that users can probably control the exact output of the computation.

This version gives the same results as tainted but also includes data flow through global variables.

The parameter globalVar is the name of the last global variable used to move the value from source to tainted.

Import path

import semmle.code.cpp.security.TaintTrackingImpl
predicate taintedIncludingGlobalVars(Expr source, Element tainted, string globalVar)