Skip to content

C++: exclude printf implementation internals from uncontrolled format string sinks#21493

Open
MarkLee131 wants to merge 7 commits intogithub:mainfrom
MarkLee131:fix/format-string-fp-in-printf-impl
Open

C++: exclude printf implementation internals from uncontrolled format string sinks#21493
MarkLee131 wants to merge 7 commits intogithub:mainfrom
MarkLee131:fix/format-string-fp-in-printf-impl

Conversation

@MarkLee131
Copy link

@MarkLee131 MarkLee131 commented Mar 17, 2026

Fix #21492

  • The fix only narrows the sink definition; no new false negatives for direct calls like printf(tainted_str)
  • Only sinks inside printf-like function bodies are excluded; outermost call sites (e.g., smsg(tainted_fmt, ...)) remain
    flagged

@MarkLee131 MarkLee131 requested a review from a team as a code owner March 17, 2026 14:56
Copilot AI review requested due to automatic review settings March 17, 2026 14:56
@github-actions github-actions bot added the C++ label Mar 17, 2026
Copilot AI reviewed Mar 17, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the C++ cpp/tainted-format-string query to reduce false positives that occur inside implementations of printf-like functions (and their wrappers), by excluding certain internal format-string sinks while preserving reporting at the outermost call sites.

Changes:

  • Introduces a helper predicate to identify printf-like functions and wrapper functions forwarding format strings.
  • Narrows the sink definition to exclude sinks occurring inside those identified functions.

You can also share your feedback on Copilot code review. Take the survey.

geoffw0
geoffw0 reviewed Mar 17, 2026
View reviewed changes
Copy link
Contributor

@geoffw0 geoffw0 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@MarkLee131 thank you for your contribution! I'm going to start some CI and probably try this out locally.

github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 17, 2026
View reviewed changes
cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
Comment on lines +26 to +36
/**
* Holds if `f` is a printf-like function or a (possibly nested) wrapper
* that forwards a format-string parameter to one.
*
* Functions that *implement* printf-like behaviour (e.g. a custom
* `vsnprintf` variant) internally parse the caller-supplied format string
* and build small, bounded, local format strings such as `"%d"` or `"%ld"`
* for inner `sprintf` calls. Taint that reaches those inner calls via the
* parsed format specifier is not exploitable, so sinks inside such
* functions should be excluded.
*/
MarkLee131 and others added 3 commits March 19, 2026 14:35
@MarkLee131
use American spellings in documentation
2c76e6e 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@MarkLee131 @geoffw0
the [] syntax directly
c155394 
Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
@MarkLee131
Merge branch 'main' into fix/format-string-fp-in-printf-impl
1ddf81c
@MarkLee131
Copy link
Author

MarkLee131 commented Mar 19, 2026

Hi @geoffw0, I have resolved the issues mentioned above. Could you pelase review this PR again? thanks~

@geoffw0 geoffw0 mentioned this pull request Mar 19, 2026
Merged
@geoffw0
Copy link
Contributor

geoffw0 commented Mar 19, 2026

Thanks for resolving the issues. We do need a change note for this - I've proposed one in MarkLee131#1 .

@MarkLee131
Copy link
Author

MarkLee131 commented Mar 20, 2026

I have merged it :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@geoffw0 geoffw0 geoffw0 left review comments

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@github-advanced-security github-advanced-security[bot] github-advanced-security[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

C++ documentation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

cpp/tainted-format-string: false positives inside printf-like function implementations

3 participants

@MarkLee131 @geoffw0