@@ -51,6 +51,15 @@ predicate underscoreMacro(Expr e) {
5151 )
5252}
5353
54+ /**
55+ * Holds if `t` cannot hold a character array, directly or indirectly.
56+ */
57+ predicate cannotContainString ( Type t ) {
58+ t .getUnspecifiedType ( ) instanceof BuiltInType
59+ or
60+ t .getUnspecifiedType ( ) instanceof IntegralOrEnumType
61+ }
62+
5463predicate isNonConst ( DataFlow:: Node node ) {
5564 exists ( Expr e | e = node .asExpr ( ) |
5665 exists ( FunctionCall fc | fc = e .( FunctionCall ) |
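Review bot: The QLDoc on `cannotContainString` promises "directly or indirectly", but the body only inspects `t.getUnspecifiedType()` and never looks through pointers, references, arrays or class members — it holds only when the stripped type is itself a `BuiltInType` or `IntegralOrEnumType` and is silent (conservatively, which is fine) for everything else. The comment should say what the code does, e.g. `Holds if `t`, after stripping typedefs and specifiers, is a built-in or integral/enum type, and so can neither be nor contain a character array.` If, as it appears, `IntegralOrEnumType` overlaps `BuiltInType` for the integral case, the second disjunct effectively adds enum types, and naming that in the comment would help the next reader.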
@@ -99,16 +108,26 @@ predicate isNonConst(DataFlow::Node node) {
99108 node instanceof DataFlow:: DefinitionByReferenceNode
100109}
101110
111+ pragma [ noinline]
112+ predicate isSanitizerNode ( DataFlow:: Node node ) {
113+ underscoreMacro ( node .asExpr ( ) )
114+ or
115+ cannotContainString ( node .getType ( ) )
116+ }
117+
102118class NonConstFlow extends TaintTracking:: Configuration {
103119 NonConstFlow ( ) { this = "NonConstFlow" }
104120
105- override predicate isSource ( DataFlow:: Node source ) { isNonConst ( source ) }
121+ override predicate isSource ( DataFlow:: Node source ) {
122+ isNonConst ( source ) and
123+ not cannotContainString ( source .getType ( ) )
124+ }
106125
107126 override predicate isSink ( DataFlow:: Node sink ) {
108127 exists ( FormattingFunctionCall fc | sink .asExpr ( ) = fc .getArgument ( fc .getFormatParameterIndex ( ) ) )
109128 }
110129
111- override predicate isSanitizer ( DataFlow:: Node node ) { underscoreMacro ( node . asExpr ( ) ) }
130+ override predicate isSanitizer ( DataFlow:: Node node ) { isSanitizerNode ( node ) }
112131}
113132
114133from FormattingFunctionCall call , Expr formatString
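Review bot: `isSanitizerNode` has no QLDoc and the `pragma[noinline]` carries no explanation, unlike the documented `cannotContainString` earlier in the change; I would add `/** Holds if `node` is an underscore macro or has a type that cannot contain a string; taint is blocked at such nodes. */` and a one-line comment on the pragma saying why inlining the disjunction is undesirable. Separately, `isSource` now repeats `not cannotContainString(source.getType())` although the same nodes are already excluded through `isSanitizer`; if the framework drops sanitized sources, one of the two checks is redundant and the duplication deserves a comment either way. A type-based sanitizer also cuts any taint that passes through an integer-typed node (an integer-to-pointer cast, for instance); for a format-string sink that is probably acceptable, but it is a precision/recall trade-off rather than a pure precision gain and is worth stating in the QLDoc. The `from` clause on the last line continues past the hunk.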