Merge pull request #7426 from MathiasVP/fix-join-order-in-http-string-literal-charpred

aschackmull · web-flow · commit 3adc0b57edf9 · 2021-12-17T11:21:38.000+01:00
C++: Fix join-order in `HttpStringLiteral` charpred
diff --git a/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql b/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
@@ -28,6 +28,11 @@ class PrivateHostName extends string {
   }
 }
 
+pragma[nomagic]
+predicate privateHostNameFlowsToExpr(Expr e) {
+  TaintTracking::localExprTaint(any(StringLiteral p | p.getValue() instanceof PrivateHostName), e)
+}
+
 /**
  * A string containing an HTTP URL not in a private domain.
  */
@@ -38,11 +43,9 @@ class HttpStringLiteral extends StringLiteral {
       or
       exists(string tail |
         tail = s.regexpCapture("http://(.*)", 1) and not tail instanceof PrivateHostName
-      ) and
-      not TaintTracking::localExprTaint(any(StringLiteral p |
-          p.getValue() instanceof PrivateHostName
-        ), this.getParent*())
-    )
+      )
+    ) and
+    not privateHostNameFlowsToExpr(this.getParent*())
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,11 @@ class PrivateHostName extends string {`
`28`	`28`	`}`
`29`	`29`	`}`
`30`	`30`
	`31`	`+pragma[nomagic]`
	`32`	`+predicate privateHostNameFlowsToExpr(Expr e) {`
	`33`	`+ TaintTracking::localExprTaint(any(StringLiteral p \| p.getValue() instanceof PrivateHostName), e)`
	`34`	`+}`
	`35`	`+`
`31`	`36`	`/**`
`32`	`37`	`* A string containing an HTTP URL not in a private domain.`
`33`	`38`	`*/`
`@@ -38,11 +43,9 @@ class HttpStringLiteral extends StringLiteral {`
`38`	`43`	`or`
`39`	`44`	`exists(string tail \|`
`40`	`45`	`tail = s.regexpCapture("http://(.*)", 1) and not tail instanceof PrivateHostName`
`41`		`- ) and`
`42`		`- not TaintTracking::localExprTaint(any(StringLiteral p \|`
`43`		`- p.getValue() instanceof PrivateHostName`
`44`		`- ), this.getParent*())`
`45`		`- )`
	`46`	`+ )`
	`47`	`+ ) and`
	`48`	`+ not privateHostNameFlowsToExpr(this.getParent*())`
`46`	`49`	`}`
`47`	`50`	`}`
`48`	`51`