C++: Add flow sources from Windows' http.h
#21619
Merged
MathiasVP
merged 8 commits into
github:main
from
MathiasVP:more-http-remote-flow-sources
Mar 31, 2026
18a25c5
C++: Add tests with missing flow sources.
MathiasVP 21ea7eb
C++: Model a few more remote flow sources from 'http.h' and accept te…
MathiasVP c6d1ec5
C++: Add examples that need taint inheriting content.
MathiasVP 102221d
C++: Add lots of taint inheriting content related to '_HTTP_REQUEST'.
MathiasVP 9e97e04
C++: Accept test changes.
MathiasVP ab34bd2
C++: Add change note.
MathiasVP dc8dc61
C++: Fix type name.
MathiasVP 16a7e39
C++: Fix pointer indirection. Currently, this does not have any effec…
MathiasVP
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| --- | ||
| category: minorAnalysis | ||
| --- | ||
| * Added `HttpReceiveHttpRequest`, `HttpReceiveRequestEntityBody`, and `HttpReceiveClientCertificate` from Win32's `http.h` as remote flow sources. |
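--- /dev/null
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Http.qll
@@ -0,0 +1,193 @@
+private import cpp
+private import semmle.code.cpp.ir.dataflow.FlowSteps
+private import semmle.code.cpp.dataflow.new.DataFlow
+
+private class HttpRequest extends Class {
+  HttpRequest() { this.hasGlobalName("_HTTP_REQUEST_V1") }
+}
+
+private class HttpRequestInheritingContent extends TaintInheritingContent, DataFlow::FieldContent {
+  HttpRequestInheritingContent() {
+    this.getAField().getDeclaringType() instanceof HttpRequest and
+    (
+      this.getAField().hasName("pRawUrl") and
+      this.getIndirectionIndex() = 2
+      or
+      this.getAField().hasName("CookedUrl") and
+      this.getIndirectionIndex() = 1
+      or
+      this.getAField().hasName("Headers") and
+      this.getIndirectionIndex() = 1
+      or
+      this.getAField().hasName("pEntityChunks") and
+      this.getIndirectionIndex() = 2
+      or
+      this.getAField().hasName("pSslInfo") and
+      this.getIndirectionIndex() = 2
+    )
+  }
+}
+
+private class HttpCookedUrl extends Class {
+  HttpCookedUrl() { this.hasGlobalName("_HTTP_COOKED_URL") }
+}
+
+private class HttpCookedUrlInheritingContent extends TaintInheritingContent, DataFlow::FieldContent {
+  HttpCookedUrlInheritingContent() {
+    this.getAField().getDeclaringType() instanceof HttpCookedUrl and
+    this.getAField().hasName(["pFullUrl", "pHost", "pAbsPath", "pQueryString"]) and
+    this.getIndirectionIndex() = 2
+  }
+}
+
+private class HttpRequestHeaders extends Class {
+  HttpRequestHeaders() { this.hasGlobalName("_HTTP_REQUEST_HEADERS") }
+}
+
+private class HttpRequestHeadersInheritingContent extends TaintInheritingContent,
+  DataFlow::FieldContent
+{
+  HttpRequestHeadersInheritingContent() {
+    this.getAField().getDeclaringType() instanceof HttpRequestHeaders and
+    (
+      this.getAField().hasName("KnownHeaders") and
+      this.getIndirectionIndex() = 1
+      or
+      this.getAField().hasName("pUnknownHeaders") and
+      this.getIndirectionIndex() = 2
+    )
+  }
+}
+
+private class HttpKnownHeader extends Class {
+  HttpKnownHeader() { this.hasGlobalName("_HTTP_KNOWN_HEADER") }
+}
+
+private class HttpKnownHeaderInheritingContent extends TaintInheritingContent,
+  DataFlow::FieldContent
+{
+  HttpKnownHeaderInheritingContent() {
+    this.getAField().getDeclaringType() instanceof HttpKnownHeader and
+    this.getAField().hasName("pRawValue") and
+    this.getIndirectionIndex() = 2
+  }
+}
+
+private class HttpUnknownHeader extends Class {
+  HttpUnknownHeader() { this.hasGlobalName("_HTTP_UNKNOWN_HEADER") }
+}
+
+private class HttpUnknownHeaderInheritingContent extends TaintInheritingContent,
+  DataFlow::FieldContent
+{
+  HttpUnknownHeaderInheritingContent() {
+    this.getAField().getDeclaringType() instanceof HttpUnknownHeader and
+    this.getAField().hasName(["pName", "pRawValue"]) and
+    this.getIndirectionIndex() = 2
+  }
+}
+
+private class HttpDataChunk extends Class {
+  HttpDataChunk() { this.hasGlobalName("_HTTP_DATA_CHUNK") }
+}
+
+private class HttpDataChunkInheritingContent extends TaintInheritingContent, DataFlow::FieldContent {
+  HttpDataChunkInheritingContent() {
+    this.getAField().getDeclaringType().(Union).getDeclaringType() instanceof HttpDataChunk and
+    (
+      this.getAField().hasName("FromMemory") and
+      this.getIndirectionIndex() = 1
+      or
+      this.getAField().hasName("FromFileHandle") and
+      this.getIndirectionIndex() = 1
+      or
+      this.getAField().hasName("FromFragmentCache") and
+      this.getIndirectionIndex() = 1
+      or
+      this.getAField().hasName("FromFragmentCacheEx") and
+      this.getIndirectionIndex() = 1
+      or
+      this.getAField().hasName("Trailers") and
+      this.getIndirectionIndex() = 1
+    )
+  }
+}
+
+private class FromMemory extends Class {
+  FromMemory() {
+    this.getDeclaringType().(Union).getDeclaringType() instanceof HttpDataChunk and
+    this.getAField().hasName("pBuffer")
+  }
+}
+
+private class FromMemoryInheritingContent extends TaintInheritingContent, DataFlow::FieldContent {
+  FromMemoryInheritingContent() {
+    this.getAField().getDeclaringType() instanceof FromMemory and
+    this.getAField().hasName("pBuffer") and
+    this.getIndirectionIndex() = 2
+  }
+}
+
+private class FromFileHandle extends Class {
+  FromFileHandle() {
+    this.getDeclaringType().(Union).getDeclaringType() instanceof HttpDataChunk and
+    this.getAField().hasName("FileHandle")
+  }
+}
+
+private class FromFileHandleInheritingContent extends TaintInheritingContent, DataFlow::FieldContent
+{
+  FromFileHandleInheritingContent() {
+    this.getAField().getDeclaringType() instanceof FromFileHandle and
+    this.getIndirectionIndex() = 1 and
+    this.getAField().hasName("FileHandle")
+  }
+}
+
+private class FromFragmentCacheOrCacheEx extends Class {
+  FromFragmentCacheOrCacheEx() {
+    this.getDeclaringType().(Union).getDeclaringType() instanceof HttpDataChunk and
+    this.getAField().hasName("pFragmentName")
+  }
+}
+
+private class FromFragmentCacheInheritingContent extends TaintInheritingContent,
+  DataFlow::FieldContent
+{
+  FromFragmentCacheInheritingContent() {
+    this.getAField().getDeclaringType() instanceof FromFragmentCacheOrCacheEx and
+    this.getIndirectionIndex() = 2 and
+    this.getAField().hasName("pFragmentName")
+  }
+}
+
+private class HttpSslInfo extends Class {
+  HttpSslInfo() { this.hasGlobalName("_HTTP_SSL_INFO") }
+}
+
+private class HttpSslInfoInheritingContent extends TaintInheritingContent, DataFlow::FieldContent {
+  HttpSslInfoInheritingContent() {
+    this.getAField().getDeclaringType() instanceof HttpSslInfo and
+    this.getAField().hasName(["pServerCertIssuer", "pServerCertSubject", "pClientCertInfo"]) and
+    this.getIndirectionIndex() = 2
+  }
+}
+
+private class HttpSslClientCertInfo extends Class {
+  HttpSslClientCertInfo() { this.hasGlobalName("_HTTP_SSL_CLIENT_CERT_INFO") }
+}
+
+private class HttpSslClientCertInfoInheritingContent extends TaintInheritingContent,
+  DataFlow::FieldContent
+{
+  HttpSslClientCertInfoInheritingContent() {
+    this.getAField().getDeclaringType() instanceof HttpSslClientCertInfo and
+    (
+      this.getAField().hasName("pCertEncoded") and
+      this.getIndirectionIndex() = 2
+      or
+      this.getAField().hasName("Token") and
+      this.getIndirectionIndex() = 1
+    )
+  }
+}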
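Review bot: The `Trailers` arm of `HttpDataChunkInheritingContent` (the `hasName("Trailers")` / indirection-index-1 pair at the end of that disjunction) is the only union member with no follow-on content class, so taint that reaches a trailer chunk via `pEntityChunks` stops at the inline struct and never reaches the `_HTTP_UNKNOWN_HEADER` names and values that `HttpUnknownHeaderInheritingContent` already models. A `FromTrailers` pair mirroring `FromMemory`/`FromMemoryInheritingContent`, keyed on the struct's `pTrailers` pointer at indirection index 2, would close that chain; both names should be checked against http.h, since the SDK appears to name the union member `FromTrailers` rather than `Trailers`, in which case the existing arm would match nothing. Separately, `HttpSslInfoInheritingContent` treats `pServerCertIssuer` and `pServerCertSubject` the same as `pClientCertInfo`, although those describe the server's own certificate rather than peer-supplied data, which may be worth narrowing or at least a comment to avoid spurious remote-source results. None of the classes carry a QLDoc comment; a one-line note on each `...InheritingContent` class stating which http.h struct it covers and what indirection index 1 versus 2 selects for its fields would make the per-field choices reviewable without the header open.
```ql
private class FromTrailers extends Class {
  FromTrailers() {
    this.getDeclaringType().(Union).getDeclaringType() instanceof HttpDataChunk and
    this.getAField().hasName("pTrailers")
  }
}

private class FromTrailersInheritingContent extends TaintInheritingContent, DataFlow::FieldContent {
  FromTrailersInheritingContent() {
    this.getAField().getDeclaringType() instanceof FromTrailers and
    this.getAField().hasName("pTrailers") and
    this.getIndirectionIndex() = 2
  }
}
```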
Should this one also be updated?
You're too fast for me 😅 The TLDR is 'no'. I've explained why here