Fix mitigation search in over and underflows

Fraunhofer-AISEC · Nov 29, 2023 · db42d6d · db42d6d
1 parent f5b1840
commit db42d6d
Showing 1 changed file with 13 additions and 4 deletions.
diff --git a/cpg-solidity/src/main/resources/OverUnderflow b/cpg-solidity/src/main/resources/OverUnderflow
@@ -5,6 +5,9 @@ and(
     (
     exists{
         (b)-[d:DFG*#]->(:FieldDeclaration)
+    } or exists {
+        (b)-[d:DFG*#]->(bin:BinaryOperator)-[:DFG]->()-[:EOG]->(:Rollback)
+            where bin.operatorCode in ['<', '>', '<=', '>=', '==']
     } or exists {
         (b)-[d:DFG*#]->(bin:BinaryOperator)-[:LHS]->()-[:BASE|CALLEE|LHS|ARRAY_EXPRESSION*]->()<-[:DFG*#]-(:FieldDeclaration)
         where bin.operatorCode in ['=', '|=', '^=', '&=', '<<=','>>=','+=', '-=', '*=', '/=', '%=']
@@ -21,13 +24,19 @@ and(
     }or exists {
         (b)<-[:VALUE]-(:SpecifiedExpression)
     }
-) and not exists {
-    bpath=(f)-[:EOG*]->(branch)-[:EOG*]->(l)
-    where branch in nodes(p) and not exists((l)-[:EOG]->())
+) and not exists {// There is no mitigation
+       match bpath=(f)-[:EOG*]->(cond:BinaryOperator)-[:EOG]->(branch)-[:EOG*]->(l)
+       match (c1)<-[:LHS|RHS]-(cond)-[:LHS|RHS]->(c2)
+       where c1 <> c2 and branch in nodes(p) and not exists((l)-[:EOG]->())
         and (not b in nodes(bpath) or 'Rollback' in labels(l))
         and not exists {
             (dfOrigin)-[:DFG*#]->(b) where not exists(()-[:DFG]->(dfOrigin)) and not exists ((dfOrigin)-[:DFG*]->(branch))
-        } and not exists{(b)-[:DFG*#]->(branch)}
+        } and (
+             not exists{(b)-[:DFG*#]->(branch)} or
+             // Both sides of the comparison need to contain a relevant dfg to avoid constants and overflows on one side
+             exists ((b)<-[:DFG*]-()-[:DFG*]->(c1))
+             and exists ((b)<-[:DFG*]-()-[:DFG*]->(c2))
+        )
 }
 
 )