
Commit d4d505d

committed
complete the minizip query
1 parent 042133a commit d4d505d

1 file changed

Lines changed: 67 additions & 17 deletions

File tree

cpp/ql/src/experimental/Security/CWE/CWE-409-DecompressionBomb/DecompressionBombsMiniZip.ql

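--- a/cpp/ql/src/experimental/Security/CWE/CWE-409-DecompressionBomb/DecompressionBombsMiniZip.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-409-DecompressionBomb/DecompressionBombsMiniZip.ql
@@ -15,6 +15,43 @@ import cpp
 import semmle.code.cpp.ir.dataflow.TaintTracking
 import semmle.code.cpp.security.FlowSources
 
+/**
+ * The `mz_zip_reader_create` function as a Flow source
+ * create a `mz_zip_reader` instance
+ */
+private class Mz_zip_reader_create extends Function {
+  Mz_zip_reader_create() { this.hasGlobalName("mz_zip_reader_create") }
+}
+
+/**
+ * The `mz_zip_create` function as a Flow source
+ * create a `mz_zip` instance
+ */
+private class Mz_zip_create extends Function {
+  Mz_zip_create() { this.hasGlobalName("mz_zip_create") }
+}
+
+/**
+ * The `mz_zip_entry` function is used in Flow source
+ * [docuemnt](https://github.com/zlib-ng/minizip-ng/blob/master/doc/mz_zip.md)
+ */
+private class Mz_zip_entry extends Function {
+  Mz_zip_entry() { this.hasGlobalName("mz_zip_entry_read") }
+}
+
+/**
+ * The `mz_zip_reader_entry_*` and `mz_zip_reader_save_all` functions are used in Flow source
+ * [docuemnt](https://github.com/zlib-ng/minizip-ng/blob/master/doc/mz_zip_rw.md)
+ */
+private class Mz_zip_reader_entry extends Function {
+  Mz_zip_reader_entry() {
+    this.hasGlobalName([
+        "mz_zip_reader_entry_save", "mz_zip_reader_entry_read", "mz_zip_reader_entry_save_process",
+        "mz_zip_reader_entry_save_file", "mz_zip_reader_entry_save_buffer", "mz_zip_reader_save_all"
+      ])
+  }
+}
+
 /**
  * A `unzFile` Variable as a Flow source
  */
@@ -29,13 +66,6 @@ private class UnzOpenFunction extends Function {
   UnzOpenFunction() { this.hasGlobalName(["UnzOpen", "unzOpen64", "unzOpen2", "unzOpen2_64"]) }
 }
 
-/**
- * The `mz_stream_open` function is used in Flow source
- */
-private class MzStreamOpenFunction extends Function {
-  MzStreamOpenFunction() { this.hasGlobalName("mz_stream_open") }
-}
-
 /**
  * The `unzReadCurrentFile` function is used in Flow sink
  */
@@ -55,24 +85,31 @@ module MiniZipTaintConfig implements DataFlow::StateConfigSig {
     source.asExpr() instanceof UnzFileVar and
     state = "unzFile"
     or
-    // TO Check
-    exists(FunctionCall fc | fc.getTarget() instanceof MzStreamOpenFunction |
-      fc.getArgument(0).getEnclosingVariable() = source.asVariable() and
-      state = "MzStream"
+    exists(FunctionCall fc | fc.getTarget() instanceof Mz_zip_reader_create |
+      fc = source.asExpr() and
+      state = "mz_zip_reader"
     )
     or
-    // TO Check
-    exists(FunctionCall fc | fc.getTarget() instanceof MzStreamOpenFunction |
-      fc.getArgument(0).getEnclosingVariable() = source.asVariable() and
-      state = "MzStream"
+    exists(FunctionCall fc | fc.getTarget() instanceof Mz_zip_create |
+      fc = source.asExpr() and
+      state = "mz_zip"
     )
   }
 
   predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
     exists(FunctionCall fc | fc.getTarget() instanceof UnzReadCurrentFileFunction |
       fc.getArgument(0) = sink.asExpr() and
       state = "unzFile"
-      // and not sanitizer(fc)
+    )
+    or
+    exists(FunctionCall fc | fc.getTarget() instanceof Mz_zip_reader_entry |
+      fc.getArgument(1) = sink.asExpr() and
+      state = "mz_zip_reader"
+    )
+    or
+    exists(FunctionCall fc | fc.getTarget() instanceof Mz_zip_entry |
+      fc.getArgument(1) = sink.asExpr() and
+      state = "mz_zip"
     )
   }
 
@@ -86,12 +123,25 @@ module MiniZipTaintConfig implements DataFlow::StateConfigSig {
       state1 = "" and
       state2 = "unzFile"
     )
+    or
+    exists(FunctionCall fc | fc.getTarget() instanceof Mz_zip_reader_entry |
+      node1.asExpr() = fc.getArgument(0) and
+      node2.asExpr() = fc.getArgument(1) and
+      state1 = "" and
+      state2 = "mz_zip_reader"
+    )
+    or
+    exists(FunctionCall fc | fc.getTarget() instanceof Mz_zip_entry |
+      node1.asExpr() = fc.getArgument(0) and
+      node2.asExpr() = fc.getArgument(1) and
+      state1 = "" and
+      state2 = "mz_zip"
+    )
   }
 
   predicate isBarrier(DataFlow::Node node, DataFlow::FlowState state) { none() }
 }
 
-
 module MiniZipTaint = TaintTracking::GlobalWithState<MiniZipTaintConfig>;
 
 import MiniZipTaint::PathGraph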
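Review bot: The two new isSink disjuncts place the sink on `fc.getArgument(1)` (by the minizip-ng signatures the output buffer/stream/path, not the archive handle), while the new isSource disjuncts put state "mz_zip_reader"/"mz_zip" on the `mz_zip_reader_create`/`mz_zip_create` call result itself, so a handle reaching argument 0 of `mz_zip_reader_entry_*` or `mz_zip_entry_read` is never matched by a sink, and the new isAdditionalFlowStep disjuncts that move taint from argument 0 to argument 1 only fire for state1 = "", which these sources do not produce (a ""-state source may exist in the part of isSource above the hunk, which I cannot see). If the intent matches the existing unzFile case, which sinks the handle argument, both new sinks should read `fc.getArgument(0) = sink.asExpr() and`; otherwise the state convention deserves a comment on isSource. The QLDoc for `Mz_zip_entry` names `mz_zip_entry` although the class matches `mz_zip_entry_read`, and both new doc links spell "docuemnt"; `/** The `mz_zip_entry_read` function, used as a Flow sink */` would be accurate. With `isBarrier` left as `none()` and the `// and not sanitizer(fc)` placeholder dropped, a read that is guarded by a check of the entry's declared uncompressed size is still reported, which is the main source of false positives for a decompression-bomb query and should at least be recorded as a TODO on isBarrier. isSource begins above the third hunk and isAdditionalFlowStep above the fourth.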
