C++: Raise cpp/tainted-format-string* precisions to high#3727

Merged
rdmarsh2 merged 1 commit into github:master from jbj:tainted-format-string-high on Jun 24, 2020

Conversation

@jbj
Contributor

@jbj jbj commented Jun 16, 2020

From the commit:

I think these queries have excellent results on lgtm.com. Many of the results come from projects that use sprintf like it's a templating engine, trusting that values from argv or getenv contain the correct number of %s. I think we want to flag that.

The structure of the change note is modeled after 91af51c.

You can see the alerts on LGTM for the global-taint query and for the local-taint query.

I don't know why there are two queries, but at least it allows us to lower the precision for only one of them if it doesn't work out.
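The pattern the commit message describes, as an added illustration (not code from this PR or from CodeQL): a format string taken from the environment is handed straight to snprintf, trusting it to carry exactly one %s, beside a replacement that treats the untrusted template as data and substitutes a fixed placeholder without routing any user-controlled byte through a printf format. Function names and the "{name}" token are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* What cpp/tainted-format-string flags: the format comes from getenv/argv
 * (e.g. getenv("GREETING_TEMPLATE")) and the caller trusts it to contain
 * exactly one %s. A template with more conversions than arguments makes
 * snprintf read arguments that were never passed. Example code only. */
int greet_tainted(char *out, size_t n, const char *tmpl_from_env, const char *name) {
    return snprintf(out, n, tmpl_from_env, name);
}

/* Hardened form: the template is copied byte for byte and only the literal
 * token "{name}" is replaced, so "%s" or "%x" in the template stay inert.
 * Output is truncated to n-1 bytes plus NUL rather than overflowing. */
int greet_safe(char *out, size_t n, const char *tmpl, const char *name) {
    const char *tok = "{name}";
    size_t toklen = strlen(tok), pos = 0;
    if (n == 0) return -1;
    for (const char *p = tmpl; *p; ) {
        const char *src;
        size_t len;
        if (strncmp(p, tok, toklen) == 0) {
            src = name; len = strlen(name); p += toklen;   /* substitute */
        } else {
            src = p; len = 1; p++;                         /* plain byte */
        }
        if (len > n - 1 - pos) len = n - 1 - pos;          /* truncate */
        memcpy(out + pos, src, len);
        pos += len;
    }
    out[pos] = '\0';
    return (int)pos;
}
```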

@jbj jbj added the C++ label Jun 16, 2020
@jbj jbj requested a review from geoffw0 June 16, 2020 15:15
@jbj jbj requested a review from a team as a code owner June 16, 2020 15:15
@intrigus-lgtm
Contributor

intrigus-lgtm commented Jun 16, 2020

Did I miss something?
Isn't the commit subject incorrect?
The raised precisions in the commit are for cpp/tainted-format-string* and not for cpp/path-injection*?

I think these queries have excellent results on lgtm.com. Many of the
results come from projects that use `sprintf` like it's a templating
engine, trusting that values from `argv` or `getenv` contain the correct
number of `%s`. I think we want to flag that.

The structure of the change note is modeled after 91af51c.
@jbj jbj force-pushed the tainted-format-string-high branch from 562959f to e0ba23d June 17, 2020 07:04
@jbj jbj changed the title from "C++: Raise cpp/path-injection* precisions to high" to "C++: Raise cpp/tainted-format-string* precisions to high" Jun 17, 2020
@jbj
Contributor Author

jbj commented Jun 17, 2020

Thanks for flagging that. I had indeed put the wrong query id in the commit+PR title. Fixed.

Contributor

@geoffw0 geoffw0 left a comment

I don't know why there are two queries

Likely due to either performance or accuracy tradeoffs many years ago. We have a better optimizer and much better data now - we should judge based on what we can see on LGTM now.

Speaking of which, I checked a sample of results currently on LGTM (https://lgtm.com/rules/2155960669/alerts/ and https://lgtm.com/rules/2159571090/alerts/) and all looked good to me (the global vars ones are generally harder to verify). So I'm in favour of this change.

@rdmarsh2 rdmarsh2 self-assigned this Jun 23, 2020
@rdmarsh2 rdmarsh2 merged commit 3e6a198 into github:master Jun 24, 2020