C++: Remove use of 'FunctionWithWrappers' from 'cpp/tainted-format-string'.

MathiasVP · MathiasVP · commit 076bcc017967 · 2026-05-18T15:31:45.000+01:00
diff --git a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
@@ -15,40 +15,26 @@
 
 import cpp
 import semmle.code.cpp.security.Security
-import semmle.code.cpp.security.FunctionWithWrappers
+import semmle.code.cpp.security.PrintfLike
 import semmle.code.cpp.security.FlowSources
 import semmle.code.cpp.ir.dataflow.TaintTracking
 import semmle.code.cpp.ir.IR
 import Flow::PathGraph
 
 predicate isSource(FlowSource source, string sourceType) { sourceType = source.getSourceType() }
 
-/**
- * Holds if `f` is a printf-like function or a (possibly nested) wrapper
- * that forwards a format-string parameter to one.
- *
- * Functions that *implement* printf-like behavior (e.g. a custom
- * `vsnprintf` variant) internally parse the caller-supplied format string
- * and build small, bounded, local format strings such as `"%d"` or `"%ld"`
- * for inner `sprintf` calls.  Taint that reaches those inner calls via the
- * parsed format specifier is not exploitable, so sinks inside such
- * functions should be excluded.
- */
-private predicate isPrintfImplementation(Function f) {
-  f instanceof PrintfLikeFunction
-  or
-  exists(PrintfLikeFunction printf | printf.wrapperFunction(f, _, _))
+predicate isSink(DataFlow::Node node, Function f) {
+  exists(Call c, int i |
+    c.getTarget() = f and
+    printfLikeFunction(f, i) and
+    c.getArgument(i) = node.asIndirectExpr()
+  )
 }
 
 module Config implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node node) { isSource(node, _) }
 
-  predicate isSink(DataFlow::Node node) {
-    exists(PrintfLikeFunction printf |
-      printf.outermostWrapperFunctionCall([node.asExpr(), node.asIndirectExpr()], _)
-    ) and
-    not isPrintfImplementation([node.asExpr(), node.asIndirectExpr()].getEnclosingFunction())
-  }
+  predicate isSink(DataFlow::Node node) { isSink(node, _) }
 
   private predicate isArithmeticNonCharType(ArithmeticType type) {
     not type instanceof CharType and
@@ -69,14 +55,14 @@ module Config implements DataFlow::ConfigSig {
 module Flow = TaintTracking::Global<Config>;
 
 from
-  PrintfLikeFunction printf, string printfFunction, string sourceType, DataFlow::Node source,
-  DataFlow::Node sink, Flow::PathNode sourceNode, Flow::PathNode sinkNode
+  Function printf, string sourceType, DataFlow::Node source, DataFlow::Node sink,
+  Flow::PathNode sourceNode, Flow::PathNode sinkNode
 where
   source = sourceNode.getNode() and
   sink = sinkNode.getNode() and
   isSource(source, sourceType) and
-  printf.outermostWrapperFunctionCall([sink.asExpr(), sink.asIndirectExpr()], printfFunction) and
+  isSink(sink, printf) and
   Flow::flowPath(sourceNode, sinkNode)
 select sink, sourceNode, sinkNode,
   "The value of this argument may come from $@ and is being used as a formatting argument to " +
-    printfFunction + ".", source, sourceType
+    printf + ".", source, sourceType
