Skip to content

C++: Rewrite cpp/cgi-xss to not use default taint tracking #11716

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 9, 2023
Merged

C++: Rewrite cpp/cgi-xss to not use default taint tracking #11716

merged 1 commit into from
Oct 9, 2023

Conversation

jketema
Copy link
Contributor

@jketema jketema commented Dec 15, 2022
edited
Loading

I'm hard pressed for projects that have actually have relevant sources. MRVA only shows 5, one of which have relevant flow: apache/trafficserver, apple/cups, OpenPrinting/cups, git/git, and git-for-windows/git. DCA doesn't show anything special.

@github-actions github-actions bot added the C++ label Dec 15, 2022
@jketema jketema marked this pull request as ready for review October 9, 2023 08:13
@jketema jketema requested a review from a team as a code owner October 9, 2023 08:13
MathiasVP
MathiasVP approved these changes Oct 9, 2023
View reviewed changes
Copy link
Contributor

@MathiasVP MathiasVP left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@jketema
Copy link
Contributor Author

jketema commented Oct 9, 2023

Does this need a change note?

@MathiasVP
Copy link
Contributor

Hmm... Yeah, maybe we should write a change note saying that we've refactored the query to a straightforward TaintTracking query?

I'd like to claim that the query is now easier to customize with additional sources, sinks and taint steps, but since it's still not as easy to customize as the standard dataflow query is in other languages I'm hesitant to make that claim.

@jketema
Copy link
Contributor Author

jketema commented Oct 9, 2023

Hmm... Yeah, maybe we should write a change note saying that we've refactored the query to a straightforward TaintTracking query?

I'd like to claim that the query is now easier to customize with additional sources, sinks and taint steps, but since it's still not as easy to customize as the standard dataflow query is in other languages I'm hesitant to make that claim.

So neither #11435 nor #13985 added a change note.

@jketema jketema added the no-change-note-required This PR does not need a change note label Oct 9, 2023
@jketema
Copy link
Contributor Author

jketema commented Oct 9, 2023

Discussed internally: since the previous rewrites also didn't come with a change note, we'll not add one here either. We'll add a change note once all rewrites are done.

@jketema jketema merged commit f7bd801 into github:main Oct 9, 2023
@jketema jketema deleted the rewrite-cgi-xss branch October 9, 2023 09:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MathiasVP MathiasVP MathiasVP approved these changes

Assignees
No one assigned
Labels
C++ no-change-note-required This PR does not need a change note
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jketema @MathiasVP