ShiftLeftSecurity / codepropertygraph

Code Property Graph: specification, query language, and utilities
Apache License 2.0

Incorrect data-flow when using methodReturn node #1272

Open jaiverma opened 3 years ago

jaiverma commented 3 years ago

I was using the following snippet to run a test,

```c
int main(int argc, char *argv[]) {
  int *tmp = NULL;
  int x = 2;

  if (argc > 0) {
    tmp = &argc;
  }
  return *tmp;
}
```

x has no influence on the return value here, but

```
joern> def src = cpg.identifier.name("x")
defined function src

joern> def sink = cpg.method.name("main").methodReturn
defined function sink

joern> sink.reachableByFlows(src).p
res7: List[String] = List(
  """__________________________________________________________
| tracked| lineNumber| method| file                       |
|=========================================================|
| x = 2  | 6         | main  | /Users/jai/dump/ret/main.c |
| int    | 4         | main  | /Users/jai/dump/ret/main.c |
"""
)
```

Using <node>.ast.isReturn works correctly though,

```
joern> def src = cpg.method.name("main").parameter.order(1)
defined function src

joern> def sink = cpg.method.name("main").ast.isReturn
defined function sink

joern> sink.reachableByFlows(src).p
res22: List[String] = List()
```

yaoyue123 commented 4 months ago

In April 2024, the problem still exists.

yaoyue123 commented 4 months ago

Maybe you can use

```scala
def sink = cpg.method.name("main").methodReturn.toReturn
```
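A side-by-side comparison of the three sinks discussed in this thread (the METHOD_RETURN node, `ast.isReturn`, and `methodReturn.toReturn`), generalised to a check of which parameters of any method reach its return statements. This is an added example, not code from the issue or from the codepropertygraph project; it assumes a Joern 2.x shell (traversals are plain `Iterator`s there) and uses a placeholder path for the C snippet.

```scala
// Added example; not code from the issue or from the codepropertygraph project.
// Assumes a Joern 2.x shell with the C snippet from the report loaded via
// importCode("/path/to/main.c") (placeholder path), so that `cpg`, the node
// types and the data-flow step reachableByFlows are already in scope.

// Three candidate sinks for "the value main returns".
// METHOD_RETURN is the method's formal return node (the `int` on line 4 in the
// report's output), not a `return` statement, so a flow into it says nothing
// about whether the source influences the returned value.
def sinkMethodReturn = cpg.method.name("main").methodReturn
// The RETURN statements themselves, selected from the method's AST.
def sinkReturnStmts  = cpg.method.name("main").ast.isReturn
// The same RETURN statements, reached from METHOD_RETURN via toReturn.
def sinkToReturn     = cpg.method.name("main").methodReturn.toReturn

// Count flows from one source into each sink. A non-zero count for
// METHOD_RETURN next to zero for the RETURN statements is the false positive
// the report describes. `src` is by-name so each query gets a fresh iterator.
def flowCounts(src: => Iterator[CfgNode]): Map[String, Int] = Map(
  "methodReturn"          -> sinkMethodReturn.reachableByFlows(src).l.size,
  "ast.isReturn"          -> sinkReturnStmts.reachableByFlows(src).l.size,
  "methodReturn.toReturn" -> sinkToReturn.reachableByFlows(src).l.size
)

// Generalisation of the report's second query: for any method, list the
// parameters that reach one of its return statements, using the RETURN
// statements (not METHOD_RETURN) as the sink.
def paramsReachingReturn(methodName: String): List[String] =
  cpg.method.name(methodName).parameter.l.collect {
    case p if cpg.method.name(methodName).ast.isReturn
                .reachableByFlows(Iterator(p)).l.nonEmpty => p.name
  }

flowCounts(cpg.identifier.name("x"))                    // the report's source
flowCounts(cpg.method.name("main").parameter.order(1))  // argc
paramsReachingReturn("main")
```

Compare the three entries of each map: only the RETURN-statement sinks answer the question "does this source influence what main returns".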