Skip to content

C++: Rewrite cpp/cgi-xss to not use default taint tracking#11716

Merged
jketema merged 1 commit intogithub:mainfrom
jketema:rewrite-cgi-xss
Oct 9, 2023
Merged

C++: Rewrite cpp/cgi-xss to not use default taint tracking#11716
jketema merged 1 commit intogithub:mainfrom
jketema:rewrite-cgi-xss

Conversation

@jketema
Copy link
Contributor

@jketema jketema commented Dec 15, 2022
edited
Loading

I'm hard pressed for projects that have actually have relevant sources. MRVA only shows 5, one of which have relevant flow: apache/trafficserver, apple/cups, OpenPrinting/cups, git/git, and git-for-windows/git. DCA doesn't show anything special.

@github-actions github-actions bot added the C++ label Dec 15, 2022
@jketema jketema marked this pull request as ready for review October 9, 2023 08:13
@jketema jketema requested a review from a team as a code owner October 9, 2023 08:13
MathiasVP
MathiasVP approved these changes Oct 9, 2023
View reviewed changes
Copy link
Contributor

@MathiasVP MathiasVP left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@jketema
Copy link
Contributor Author

jketema commented Oct 9, 2023

Does this need a change note?

@MathiasVP
Copy link
Contributor

MathiasVP commented Oct 9, 2023

Hmm... Yeah, maybe we should write a change note saying that we've refactored the query to a straightforward TaintTracking query?

I'd like to claim that the query is now easier to customize with additional sources, sinks and taint steps, but since it's still not as easy to customize as the standard dataflow query is in other languages I'm hesitant to make that claim.

@jketema
Copy link
Contributor Author

jketema commented Oct 9, 2023

Hmm... Yeah, maybe we should write a change note saying that we've refactored the query to a straightforward TaintTracking query?

I'd like to claim that the query is now easier to customize with additional sources, sinks and taint steps, but since it's still not as easy to customize as the standard dataflow query is in other languages I'm hesitant to make that claim.

So neither #11435 nor #13985 added a change note.

@jketema jketema added the no-change-note-required This PR does not need a change note label Oct 9, 2023
@jketema
Copy link
Contributor Author

jketema commented Oct 9, 2023

Discussed internally: since the previous rewrites also didn't come with a change note, we'll not add one here either. We'll add a change note once all rewrites are done.

@jketema jketema merged commit f7bd801 into github:main Oct 9, 2023
@jketema jketema deleted the rewrite-cgi-xss branch October 9, 2023 09:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MathiasVP MathiasVP MathiasVP approved these changes

Assignees

No one assigned

Labels

C++ no-change-note-required This PR does not need a change note

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jketema @MathiasVP