
C++: Add more documentation about dataflow through indirections #14524

Merged: 43 commits merged into github:main from the add-more-dataflow-documentation branch on Oct 19, 2023

Conversation

MathiasVP (Contributor, PR author)

This PR adds a new article (linked from https://codeql.github.com/docs/codeql-language-guides/codeql-for-cpp/) explaining how we would tackle a few situations that involve tainting a pointer or tainting its indirection.

We know from past experience that this has been something Microsoft has needed some explanation of, and this document should hopefully answer some of the common questions we've gotten (with the expectation that other people will have similar questions).

cc @felicitymay

@MathiasVP MathiasVP force-pushed the add-more-dataflow-documentation branch from ab880de to 75a8f01 on October 17, 2023 08:53
@MathiasVP MathiasVP added the ready-for-doc-review This PR requires and is ready for review from the GitHub docs team. label Oct 17, 2023
@geoffw0 (Contributor) left a comment

Just read this through. Looks fantastic and very valuable to advanced users! I do have a fair number of minor corrections and some suggestions that I think may improve readability. Feel free to accept / reject / change / discuss my suggestions as you see fit.

I have not checked all the links work.

@felicitymay (Contributor)

I'm going to hold off on starting the writer review until you let me know that the technical review is complete.

@MathiasVP (Contributor, PR author)

> I'm going to hold off on starting the writer review until you let me know that the technical review is complete.

Thanks. Sorry about the premature ping. I'll make sure to ping you once I've worked through Geoffrey's comments.

@MathiasVP (Contributor, PR author)

@geoffw0 thanks for all the great feedback! I think I've incorporated all the changes that I wanted to incorporate 😅. I think the only one I left out was #14524 (comment) because I do think it serves a purpose to show that "standard dataflow" works well even for complex cases such as this.

@geoffw0 (Contributor) commented Oct 17, 2023

@MathiasVP has addressed all my comments, I'm happy.

@felicitymay (Contributor)

I'll take a look tomorrow morning 👍🏻

@felicitymay (Contributor) left a comment

Many thanks for taking the time to write this detailed article. It looks as if the examples of different ways to track pointers and indirections will be really useful in helping query writers understand their options. 💖

I've added a lot of small text suggestions and a few other thoughts on how this could be clearer. As always, please take care to ensure that the suggested changes don't change the meaning, and remember that I'm not in the target audience for this article so feel free to reject suggestions 🙂

Excerpt from the article text under review (the end of a C/C++ example, followed by the explanatory paragraph):

```cpp
  free(u);
}
```

Since ``data`` is no longer a pointer, our ``isAdditionalFlowStep`` no longer makes sense: it specifies flow to the indirection of the field, and an integer has no indirection. So there is no choice about whether to taint the value of the field or its indirection: it has to be the value. However, since we pass the address of ``data`` to ``use_pointer``, the tainted data is what is pointed to by the argument of ``use_pointer`` (the data pointed to by ``&data`` is exactly ``data``). So to handle this case we need a mix of the two situations above:
Contributor (reviewer):

I find this difficult to follow. Is it possible to simplify it?

MathiasVP (Contributor, PR author):

Indeed this is technically a complex paragraph. I've tried to clear up the explanation in a36d432.

Review thread on docs/codeql/codeql-language-guides/codeql-for-cpp.rst (outdated, resolved)
MathiasVP and others added 7 commits October 18, 2023 14:03
…-cpp.rst

Co-authored-by: Felicity Chapman <felicitymay@github.com>
MathiasVP and others added 19 commits October 18, 2023 14:06
@MathiasVP (Contributor, PR author)

@felicitymay thank you for all the suggestions. They certainly made the article a lot nicer to read! I believe I've fixed all your comments now 🤞

@felicitymay (Contributor)

> I believe I've fixed all your comments now 🤞

Many thanks for working through all the comments 💖

Sadly I have meetings the rest of the day, but I will take a last look tomorrow morning.

felicitymay previously approved these changes Oct 19, 2023

@felicitymay (Contributor) left a comment

Many thanks for all the updates. I found a couple of very small nits, but otherwise this looks ready to merge.

I particularly like the way you've formatted the C/C++ examples.

…-cpp.rst

Co-authored-by: Felicity Chapman <felicitymay@github.com>
MathiasVP and others added 2 commits October 19, 2023 11:00
@felicitymay (Contributor)

@MathiasVP - we're just about to start the update process for the CodeQL docs site for the release of the CLI. If you'd like this to be published sooner, you could retarget this against the release candidate branch. Otherwise, this is likely to be published in a couple of weeks.

@MathiasVP (Contributor, PR author)

> @MathiasVP - we're just about to start the update process for the CodeQL docs site for the release of the CLI. If you'd like this to be published sooner, you could retarget this against the release candidate branch. Otherwise, this is likely to be published in a couple of weeks.

Thanks for the heads up. There's no rush to get this in, so I think we'll just wait for the next release 🙂.

@MathiasVP MathiasVP merged commit 0bfa53c into github:main Oct 19, 2023
7 checks passed
Labels
documentation ready-for-doc-review This PR requires and is ready for review from the GitHub docs team.
3 participants