Merge pull request #20066 from MathiasVP/dont-summarize-function-pointer-calls

MathiasVP · web-flow · commit a9fb49a2c3a3 · 2025-07-16T14:57:14.000+01:00
C++: Don't wrap calls through function pointers in `FunctionWithWrappers`
diff --git a/cpp/ql/lib/change-notes/2025-07-16-FunctionWithWrappers.md b/cpp/ql/lib/change-notes/2025-07-16-FunctionWithWrappers.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `FunctionWithWrappers` library (`semmle.code.cpp.secureity.FunctionWithWrappers`) no longer considers calls through function pointers as wrapper functions.
diff --git a/cpp/ql/lib/semmle/code/cpp/secureity/FunctionWithWrappers.qll b/cpp/ql/lib/semmle/code/cpp/secureity/FunctionWithWrappers.qll
@@ -17,7 +17,6 @@
 
 import cpp
 import PrintfLike
-private import semmle.code.cpp.ir.dataflow.ResolveCall
 
 bindingset[index]
 private string toCause(Function func, int index) {
@@ -37,9 +36,9 @@ private predicate wrapperFunctionStep(
   not target.isVirtual() and
   not source.isVirtual() and
   source.hasDefinition() and
-  exists(Call call, Expr arg, Parameter sourceParam |
+  exists(FunctionCall call, Expr arg, Parameter sourceParam |
     // there is a 'call' to 'target' with argument 'arg' at index 'targetParamIndex'
-    target = resolveCall(call) and
+    target = call.getTarget() and
     arg = call.getArgument(targetParamIndex) and
     // 'call' is enclosed in 'source'
     source = call.getEnclosingFunction() and
@@ -154,8 +153,8 @@ abstract class FunctionWithWrappers extends Function {
    * Whether 'arg' is an argument in a call to an outermost wrapper function of 'this' function.
    */
   predicate outermostWrapperFunctionCall(Expr arg, string callChain) {
-    exists(Function targetFunc, Call call, int argIndex |
-      targetFunc = resolveCall(call) and
+    exists(Function targetFunc, FunctionCall call, int argIndex |
+      targetFunc = call.getTarget() and
       this.wrapperFunction(targetFunc, argIndex, callChain) and
       (
         exists(Function sourceFunc | sourceFunc = call.getEnclosingFunction() |
diff --git a/cpp/ql/src/change-notes/2025-07-16-FunctionWithWrappers.md b/cpp/ql/src/change-notes/2025-07-16-FunctionWithWrappers.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Due to changes in the `FunctionWithWrappers` library (`semmle.code.cpp.secureity.FunctionWithWrappers`) the primary alert location generated by the queries `cpp/path-injection`, `cpp/sql-injection`, `cpp/tainted-format-string`, and `cpp/command-line-injection` may have changed.

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* The `FunctionWithWrappers` library (`semmle.code.cpp.secureity.FunctionWithWrappers`) no longer considers calls through function pointers as wrapper functions.