getuid-geteuid-comparison.ql
import cpp
/**
 * A function named `geteuid` (the effective-user-id accessor).
 *
 * The match is on the unqualified name only, so any function called
 * `geteuid` is included, whatever namespace or class declares it.
 */
class GetEuidFunction extends Function {
  GetEuidFunction() { this.getName() = "geteuid" }
}
/**
 * A function named `getuid` (the real-user-id accessor).
 *
 * The match is on the unqualified name only, so any function called
 * `getuid` is included, whatever namespace or class declares it.
 */
class GetUidFunction extends Function {
  GetUidFunction() { this.getName() = "getuid" }
}
/**
 * A function named `getgid` (the real-group-id accessor).
 *
 * Used by the query below only to exclude comparisons that also call it.
 * The match is on the unqualified name only.
 */
class GetGidFunction extends Function {
  GetGidFunction() { this.getName() = "getgid" }
}
/**
 * A function named `getegid` (the effective-group-id accessor).
 *
 * Used by the query below only to exclude comparisons that also call it.
 * The match is on the unqualified name only.
 */
class GetEgidFunction extends Function {
  GetEgidFunction() { this.getName() = "getegid" }
}
// Reports every call to `getuid` or `geteuid` that is a direct child of a
// comparison, unless the same comparison also has a direct child that calls
// `getgid` or `getegid`.
//
// Scope notes for whoever triages the results:
//  - Only calls whose parent *is* the comparison are matched. A uid that is
//    first stored in a variable and compared later is not reported.
//  - A comparison with two matching calls as operands (for example one
//    `getuid` and one `geteuid`) yields one result row per call.
//  - NOTE(review): no query metadata header (`@kind`, `@id`, ...) is visible
//    in this listing; confirm it exists if the query is meant to run in a
//    query suite.
from FunctionCall call, Function target, ComparisonOperation comparison
where
  target = call.getTarget() and
  (target instanceof GetUidFunction or target instanceof GetEuidFunction) and
  comparison = call.getParent() and
  // Drop comparisons that also involve a group-id call as a direct operand.
  not exists(FunctionCall gidCall |
    gidCall.getParent() = comparison and
    (
      gidCall.getTarget() instanceof GetEgidFunction or
      gidCall.getTarget() instanceof GetGidFunction
    )
  )
select call, "Call to " + target.getName() + " detected inside a comparison without calls to getgid or getegid."