Skip to content

C++: exclude printf implementation internals from uncontrolled format string sinks#21493

Open
MarkLee131 wants to merge 1 commit intogithub:mainfrom
MarkLee131:fix/format-string-fp-in-printf-impl
Open

C++: exclude printf implementation internals from uncontrolled format string sinks#21493
MarkLee131 wants to merge 1 commit intogithub:mainfrom
MarkLee131:fix/format-string-fp-in-printf-impl

Conversation

@MarkLee131
Copy link

@MarkLee131 MarkLee131 commented Mar 17, 2026

Fix #21492

  • The fix only narrows the sink definition; no new false negatives for direct calls like printf(tainted_str)
  • Only sinks inside printf-like function bodies are excluded; outermost call sites (e.g., smsg(tainted_fmt, ...)) remain
    flagged

@MarkLee131 MarkLee131 requested a review from a team as a code owner March 17, 2026 14:56
Copilot AI review requested due to automatic review settings March 17, 2026 14:56
@github-actions github-actions bot added the C++ label Mar 17, 2026
Copilot AI reviewed Mar 17, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the C++ cpp/tainted-format-string query to reduce false positives that occur inside implementations of printf-like functions (and their wrappers), by excluding certain internal format-string sinks while preserving reporting at the outermost call sites.

Changes:

  • Introduces a helper predicate to identify printf-like functions and wrapper functions forwarding format strings.
  • Narrows the sink definition to exclude sinks occurring inside those identified functions.

You can also share your feedback on Copilot code review. Take the survey.

cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
* Holds if `f` is a printf-like function or a (possibly nested) wrapper
* that forwards a format-string parameter to one.
*
* Functions that *implement* printf-like behaviour (e.g. a custom
Copy link
Contributor

@geoffw0 geoffw0 Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot is right, we prefer American spellings in documentation, including in /** comments that may be extracted to documentation.

geoffw0
geoffw0 reviewed Mar 17, 2026
View reviewed changes
Copy link
Contributor

@geoffw0 geoffw0 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@MarkLee131 thank you for your contribution! I'm going to start some CI and probably try this out locally.

cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
Comment on lines +50 to +51
not isPrintfImplementation(node.asExpr().getEnclosingFunction()) and
not isPrintfImplementation(node.asIndirectExpr().getEnclosingFunction())
Copy link
Contributor

@geoffw0 geoffw0 Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can use the [] syntax from line 48 here as well:

Suggested change
not isPrintfImplementation(node.asExpr().getEnclosingFunction()) and
not isPrintfImplementation(node.asIndirectExpr().getEnclosingFunction())
not isPrintfImplementation([node.asExpr(), node.asIndirectExpr()].getEnclosingFunction())

cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
* Holds if `f` is a printf-like function or a (possibly nested) wrapper
* that forwards a format-string parameter to one.
*
* Functions that *implement* printf-like behaviour (e.g. a custom
Copy link
Contributor

@geoffw0 geoffw0 Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot is right, we prefer American spellings in documentation, including in /** comments that may be extracted to documentation.

github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 17, 2026
View reviewed changes
cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
Comment on lines +26 to +36
/**
* Holds if `f` is a printf-like function or a (possibly nested) wrapper
* that forwards a format-string parameter to one.
*
* Functions that *implement* printf-like behaviour (e.g. a custom
* `vsnprintf` variant) internally parse the caller-supplied format string
* and build small, bounded, local format strings such as `"%d"` or `"%ld"`
* for inner `sprintf` calls. Taint that reaches those inner calls via the
* parsed format specifier is not exploitable, so sinks inside such
* functions should be excluded.
*/
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@geoffw0 geoffw0 geoffw0 left review comments

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@github-advanced-security github-advanced-security[bot] github-advanced-security[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

C++

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

cpp/tainted-format-string: false positives inside printf-like function implementations

3 participants

@MarkLee131 @geoffw0