C++: Add more documentation about dataflow through indirections #14524
Just read this through. Looks fantastic and very valuable to advanced users! I do have a fair number of minor corrections and some suggestions that I think may improve readability. Feel free to accept / reject / change / discuss my suggestions as you see fit.
I have not checked all the links work.
docs/codeql/codeql-language-guides/advanced-dataflow-scenarios-cpp.rst
…-cpp.rst Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
I'm going to hold off on starting the writer review until you let me know that the technical review is complete.
Thanks. Sorry about the premature ping. I'll make sure to ping you once I've worked through Geoffrey's comments.
@geoffw0 thanks for all the great feedback! I think I've incorporated all the changes that I wanted to incorporate 😅. I think the only one I left out was #14524 (comment) because I do think it serves a purpose to show that "standard dataflow" works well even for complex cases such as this.
@MathiasVP has addressed all my comments, I'm happy.
I'll take a look tomorrow morning 👍🏻
Many thanks for taking the time to write this detailed article. It looks as if the examples of different ways to track pointers and indirections will be really useful in helping query writers understand their options. 💖
I've added a lot of small text suggestions and a few other thoughts on how this could be clearer. As always, please take care to ensure that the suggested changes don't change the meaning, and remember that I'm not in the target audience for this article so feel free to reject suggestions 🙂
free(u);
}

Since data is no longer a pointer our ``isAdditionalFlowStep`` doesn't make any sense because it specifies flow to the indirection of the field (and an integer does not have any indirections). So there is no choice about whether to taint the value of the field or its indirection: it has to be the value. However, since we pass the address of ``data`` to ``use_pointer`` the tainted data is what is pointed to by the argument of ``use_pointer`` (since the data pointed to by ``&data`` is exactly ``data``). So to handle this case we need a mix of the two situations above:
I find this difficult to follow. Is it possible to simplify it?
Indeed this is technically a complex paragraph. I've tried to clear up the explanation in a36d432.
…-cpp.rst Co-authored-by: Felicity Chapman <felicitymay@github.com>
@felicitymay thank you for all the suggestions. They certainly made the article a lot nicer to read! I believe I've fixed all your comments now 🤞
Many thanks for working through all the comments 💖 Sadly I have meetings the rest of the day, but I will take a last look tomorrow morning. |
Many thanks for all the updates. I found a couple of very small nits, but otherwise this looks ready to merge.
I particularly like the way you've formatted the C/C++ examples.
@MathiasVP - we're just about to start the update process for the CodeQL docs site for the release of the CLI. If you'd like this to be published sooner, you could retarget this against the release candidate branch. Otherwise, this is likely to be published in a couple of weeks.
Thanks for the heads up. There's no rush to get this in, so I think we'll just wait for the next release 🙂. |
This PR adds a new article (linked from https://codeql.github.com/docs/codeql-language-guides/codeql-for-cpp/) explaining how we would tackle a few situations that involve tainting a pointer or tainting its indirection.
We know from past experience that this has been something Microsoft has needed some explanation of, and this document should hopefully answer some of the common questions we've gotten (with the expectation that other people will have similar questions).
cc @felicitymay