C++: Fix the FP.

geoffw0 · geoffw0 · commit c16302be139e · 2022-02-24T10:54:08.000Z
diff --git a/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql b/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
@@ -57,7 +57,12 @@ class HttpStringToUrlOpenConfig extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node src) {
     // Sources are strings containing an HTTP URL not in a private domain.
-    src.asExpr() instanceof HttpStringLiteral
+    src.asExpr() instanceof HttpStringLiteral and
+    // block taint starting at `strstr`, which is likely testing an existing URL, rather than constructing an HTTP URL.
+    not exists(FunctionCall fc |
+      fc.getTarget().getName() = ["strstr", "strcasestr"] and
+      fc.getAnArgument() = src.asExpr()
+    )
   }
 
   override predicate isSink(DataFlow::Node sink) {
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected
@@ -7,8 +7,6 @@ edges
 | test.cpp:40:11:40:17 | access to array | test.cpp:11:26:11:28 | url |
 | test.cpp:46:18:46:26 | http:// | test.cpp:49:11:49:16 | buffer |
 | test.cpp:49:11:49:16 | buffer | test.cpp:11:26:11:28 | url |
-| test.cpp:81:21:81:29 | http:// | test.cpp:86:11:86:13 | ptr |
-| test.cpp:86:11:86:13 | ptr | test.cpp:11:26:11:28 | url |
 nodes
 | test.cpp:11:26:11:28 | url | semmle.label | url |
 | test.cpp:15:30:15:32 | url | semmle.label | url |
@@ -19,12 +17,9 @@ nodes
 | test.cpp:40:11:40:17 | access to array | semmle.label | access to array |
 | test.cpp:46:18:46:26 | http:// | semmle.label | http:// |
 | test.cpp:49:11:49:16 | buffer | semmle.label | buffer |
-| test.cpp:81:21:81:29 | http:// | semmle.label | http:// |
-| test.cpp:86:11:86:13 | ptr | semmle.label | ptr |
 subpaths
 #select
 | test.cpp:28:10:28:29 | http://example.com | test.cpp:28:10:28:29 | http://example.com | test.cpp:15:30:15:32 | url | A URL may be constructed with the HTTP protocol. |
 | test.cpp:35:23:35:42 | http://example.com | test.cpp:35:23:35:42 | http://example.com | test.cpp:15:30:15:32 | url | A URL may be constructed with the HTTP protocol. |
 | test.cpp:36:26:36:45 | http://example.com | test.cpp:36:26:36:45 | http://example.com | test.cpp:15:30:15:32 | url | A URL may be constructed with the HTTP protocol. |
 | test.cpp:46:18:46:26 | http:// | test.cpp:46:18:46:26 | http:// | test.cpp:15:30:15:32 | url | A URL may be constructed with the HTTP protocol. |
-| test.cpp:81:21:81:29 | http:// | test.cpp:81:21:81:29 | http:// | test.cpp:15:30:15:32 | url | A URL may be constructed with the HTTP protocol. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/test.cpp
@@ -78,7 +78,7 @@ void test3(char *url)
 	ptr = strstr(url, "https://");
 	if (!ptr)
 	{
-		ptr = strstr(url, "http://"); // GOOD (we are not constructing the URL) [FALSE POSITIVE]
+		ptr = strstr(url, "http://"); // GOOD (we are not constructing the URL)
 	}
 
 	if (ptr)

Original file line number	Diff line number	Diff line change
`@@ -78,7 +78,7 @@ void test3(char *url)`
`78`	`78`	`ptr = strstr(url, "https://");`
`79`	`79`	`if (!ptr)`
`80`	`80`	`{`
`81`		`- ptr = strstr(url, "http://"); // GOOD (we are not constructing the URL) [FALSE POSITIVE]`
	`81`	`+ ptr = strstr(url, "http://"); // GOOD (we are not constructing the URL)`
`82`	`82`	`}`
`83`	`83`
`84`	`84`	`if (ptr)`