C++: Convert to IR taint tracking.

geoffw0 · geoffw0 · commit 00ba76b7e475 · 2022-02-11T13:00:42.000Z
diff --git a/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql b/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
@@ -14,7 +14,7 @@
 
 import cpp
 import semmle.code.cpp.commons.Environment
-import semmle.code.cpp.dataflow.TaintTracking
+import semmle.code.cpp.ir.dataflow.TaintTracking
 import semmle.code.cpp.models.interfaces.FlowSource
 import DataFlow::PathGraph
 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected
@@ -1,26 +1,64 @@
 edges
-| tests2.cpp:76:18:76:38 | call to mysql_get_client_info | tests2.cpp:79:14:79:19 | buffer |
-| tests2.cpp:107:3:107:4 | c1 [post update] [ptr] | tests2.cpp:109:14:109:15 | c1 [ptr] |
-| tests2.cpp:107:3:107:36 | ... = ... | tests2.cpp:107:3:107:4 | c1 [post update] [ptr] |
-| tests2.cpp:107:12:107:17 | call to getenv | tests2.cpp:107:3:107:36 | ... = ... |
-| tests2.cpp:109:14:109:15 | c1 [ptr] | tests2.cpp:109:17:109:19 | ptr |
+| tests2.cpp:63:13:63:18 | call to getenv | tests2.cpp:63:13:63:26 | (const char *)... |
+| tests2.cpp:63:13:63:18 | call to getenv | tests2.cpp:63:13:63:26 | (const char *)... |
+| tests2.cpp:63:13:63:26 | (const char *)... | tests2.cpp:63:13:63:26 | (const char *)... |
+| tests2.cpp:63:13:63:26 | (const char *)... | tests2.cpp:63:13:63:26 | (const char *)... |
+| tests2.cpp:64:13:64:18 | call to getenv | tests2.cpp:64:13:64:26 | (const char *)... |
+| tests2.cpp:64:13:64:18 | call to getenv | tests2.cpp:64:13:64:26 | (const char *)... |
+| tests2.cpp:64:13:64:26 | (const char *)... | tests2.cpp:64:13:64:26 | (const char *)... |
+| tests2.cpp:64:13:64:26 | (const char *)... | tests2.cpp:64:13:64:26 | (const char *)... |
+| tests2.cpp:65:13:65:18 | call to getenv | tests2.cpp:65:13:65:30 | (const char *)... |
+| tests2.cpp:65:13:65:18 | call to getenv | tests2.cpp:65:13:65:30 | (const char *)... |
+| tests2.cpp:65:13:65:30 | (const char *)... | tests2.cpp:65:13:65:30 | (const char *)... |
+| tests2.cpp:65:13:65:30 | (const char *)... | tests2.cpp:65:13:65:30 | (const char *)... |
+| tests2.cpp:76:18:76:38 | call to mysql_get_client_info | tests2.cpp:79:14:79:19 | (const char *)... |
+| tests2.cpp:78:14:78:34 | call to mysql_get_client_info | tests2.cpp:78:14:78:34 | call to mysql_get_client_info |
+| tests2.cpp:78:14:78:34 | call to mysql_get_client_info | tests2.cpp:78:14:78:34 | call to mysql_get_client_info |
+| tests2.cpp:89:42:89:45 | str1 | tests2.cpp:91:14:91:17 | str1 |
+| tests2.cpp:107:3:107:4 | c1 [post update] [ptr] | tests2.cpp:109:14:109:15 | c1 [read] [ptr] |
+| tests2.cpp:107:6:107:8 | ptr [post update] | tests2.cpp:107:3:107:4 | c1 [post update] [ptr] |
+| tests2.cpp:107:12:107:17 | call to getenv | tests2.cpp:107:6:107:8 | ptr [post update] |
+| tests2.cpp:109:14:109:15 | c1 [read] [ptr] | tests2.cpp:109:14:109:19 | (const char *)... |
 nodes
 | tests2.cpp:63:13:63:18 | call to getenv | semmle.label | call to getenv |
+| tests2.cpp:63:13:63:18 | call to getenv | semmle.label | call to getenv |
+| tests2.cpp:63:13:63:26 | (const char *)... | semmle.label | (const char *)... |
+| tests2.cpp:63:13:63:26 | (const char *)... | semmle.label | (const char *)... |
+| tests2.cpp:64:13:64:18 | call to getenv | semmle.label | call to getenv |
 | tests2.cpp:64:13:64:18 | call to getenv | semmle.label | call to getenv |
+| tests2.cpp:64:13:64:26 | (const char *)... | semmle.label | (const char *)... |
+| tests2.cpp:64:13:64:26 | (const char *)... | semmle.label | (const char *)... |
+| tests2.cpp:65:13:65:18 | call to getenv | semmle.label | call to getenv |
 | tests2.cpp:65:13:65:18 | call to getenv | semmle.label | call to getenv |
+| tests2.cpp:65:13:65:30 | (const char *)... | semmle.label | (const char *)... |
+| tests2.cpp:65:13:65:30 | (const char *)... | semmle.label | (const char *)... |
 | tests2.cpp:76:18:76:38 | call to mysql_get_client_info | semmle.label | call to mysql_get_client_info |
 | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | semmle.label | call to mysql_get_client_info |
-| tests2.cpp:79:14:79:19 | buffer | semmle.label | buffer |
+| tests2.cpp:78:14:78:34 | call to mysql_get_client_info | semmle.label | call to mysql_get_client_info |
+| tests2.cpp:79:14:79:19 | (const char *)... | semmle.label | (const char *)... |
+| tests2.cpp:89:42:89:45 | str1 | semmle.label | str1 |
+| tests2.cpp:91:14:91:17 | str1 | semmle.label | str1 |
 | tests2.cpp:107:3:107:4 | c1 [post update] [ptr] | semmle.label | c1 [post update] [ptr] |
-| tests2.cpp:107:3:107:36 | ... = ... | semmle.label | ... = ... |
+| tests2.cpp:107:6:107:8 | ptr [post update] | semmle.label | ptr [post update] |
 | tests2.cpp:107:12:107:17 | call to getenv | semmle.label | call to getenv |
-| tests2.cpp:109:14:109:15 | c1 [ptr] | semmle.label | c1 [ptr] |
-| tests2.cpp:109:17:109:19 | ptr | semmle.label | ptr |
+| tests2.cpp:109:14:109:15 | c1 [read] [ptr] | semmle.label | c1 [read] [ptr] |
+| tests2.cpp:109:14:109:19 | (const char *)... | semmle.label | (const char *)... |
 subpaths
 #select
 | tests2.cpp:63:13:63:18 | call to getenv | tests2.cpp:63:13:63:18 | call to getenv | tests2.cpp:63:13:63:18 | call to getenv | This operation exposes system data from $@. | tests2.cpp:63:13:63:18 | call to getenv | call to getenv |
+| tests2.cpp:63:13:63:26 | (const char *)... | tests2.cpp:63:13:63:18 | call to getenv | tests2.cpp:63:13:63:26 | (const char *)... | This operation exposes system data from $@. | tests2.cpp:63:13:63:18 | call to getenv | call to getenv |
+| tests2.cpp:63:13:63:26 | (const char *)... | tests2.cpp:63:13:63:26 | (const char *)... | tests2.cpp:63:13:63:26 | (const char *)... | This operation exposes system data from $@. | tests2.cpp:63:13:63:26 | (const char *)... | (const char *)... |
+| tests2.cpp:63:13:63:26 | (const char *)... | tests2.cpp:63:13:63:26 | (const char *)... | tests2.cpp:63:13:63:26 | (const char *)... | This operation exposes system data from $@. | tests2.cpp:63:13:63:26 | (const char *)... | (const char *)... |
 | tests2.cpp:64:13:64:18 | call to getenv | tests2.cpp:64:13:64:18 | call to getenv | tests2.cpp:64:13:64:18 | call to getenv | This operation exposes system data from $@. | tests2.cpp:64:13:64:18 | call to getenv | call to getenv |
+| tests2.cpp:64:13:64:26 | (const char *)... | tests2.cpp:64:13:64:18 | call to getenv | tests2.cpp:64:13:64:26 | (const char *)... | This operation exposes system data from $@. | tests2.cpp:64:13:64:18 | call to getenv | call to getenv |
+| tests2.cpp:64:13:64:26 | (const char *)... | tests2.cpp:64:13:64:26 | (const char *)... | tests2.cpp:64:13:64:26 | (const char *)... | This operation exposes system data from $@. | tests2.cpp:64:13:64:26 | (const char *)... | (const char *)... |
+| tests2.cpp:64:13:64:26 | (const char *)... | tests2.cpp:64:13:64:26 | (const char *)... | tests2.cpp:64:13:64:26 | (const char *)... | This operation exposes system data from $@. | tests2.cpp:64:13:64:26 | (const char *)... | (const char *)... |
 | tests2.cpp:65:13:65:18 | call to getenv | tests2.cpp:65:13:65:18 | call to getenv | tests2.cpp:65:13:65:18 | call to getenv | This operation exposes system data from $@. | tests2.cpp:65:13:65:18 | call to getenv | call to getenv |
+| tests2.cpp:65:13:65:30 | (const char *)... | tests2.cpp:65:13:65:18 | call to getenv | tests2.cpp:65:13:65:30 | (const char *)... | This operation exposes system data from $@. | tests2.cpp:65:13:65:18 | call to getenv | call to getenv |
+| tests2.cpp:65:13:65:30 | (const char *)... | tests2.cpp:65:13:65:30 | (const char *)... | tests2.cpp:65:13:65:30 | (const char *)... | This operation exposes system data from $@. | tests2.cpp:65:13:65:30 | (const char *)... | (const char *)... |
+| tests2.cpp:65:13:65:30 | (const char *)... | tests2.cpp:65:13:65:30 | (const char *)... | tests2.cpp:65:13:65:30 | (const char *)... | This operation exposes system data from $@. | tests2.cpp:65:13:65:30 | (const char *)... | (const char *)... |
+| tests2.cpp:78:14:78:34 | call to mysql_get_client_info | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | This operation exposes system data from $@. | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | call to mysql_get_client_info |
 | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | This operation exposes system data from $@. | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | call to mysql_get_client_info |
-| tests2.cpp:79:14:79:19 | buffer | tests2.cpp:76:18:76:38 | call to mysql_get_client_info | tests2.cpp:79:14:79:19 | buffer | This operation exposes system data from $@. | tests2.cpp:76:18:76:38 | call to mysql_get_client_info | call to mysql_get_client_info |
-| tests2.cpp:109:17:109:19 | ptr | tests2.cpp:107:12:107:17 | call to getenv | tests2.cpp:109:17:109:19 | ptr | This operation exposes system data from $@. | tests2.cpp:107:12:107:17 | call to getenv | call to getenv |
+| tests2.cpp:79:14:79:19 | (const char *)... | tests2.cpp:76:18:76:38 | call to mysql_get_client_info | tests2.cpp:79:14:79:19 | (const char *)... | This operation exposes system data from $@. | tests2.cpp:76:18:76:38 | call to mysql_get_client_info | call to mysql_get_client_info |
+| tests2.cpp:91:14:91:17 | str1 | tests2.cpp:89:42:89:45 | str1 | tests2.cpp:91:14:91:17 | str1 | This operation exposes system data from $@. | tests2.cpp:89:42:89:45 | str1 | str1 |
+| tests2.cpp:109:14:109:19 | (const char *)... | tests2.cpp:107:12:107:17 | call to getenv | tests2.cpp:109:14:109:19 | (const char *)... | This operation exposes system data from $@. | tests2.cpp:107:12:107:17 | call to getenv | call to getenv |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests2.cpp
@@ -88,7 +88,7 @@ void test1()
 
 		mysql_real_connect(sock, val(), val(), str1, val(), val(), val(), val());
 
-		send(sock, str1, val(), val()); // BAD [NOT DETECTED]
+		send(sock, str1, val(), val()); // BAD
 		send(sock, str2, val(), val()); // GOOD: not system data
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -88,7 +88,7 @@ void test1()`
`88`	`88`
`89`	`89`	`mysql_real_connect(sock, val(), val(), str1, val(), val(), val(), val());`
`90`	`90`
`91`		`- send(sock, str1, val(), val()); // BAD [NOT DETECTED]`
	`91`	`+ send(sock, str1, val(), val()); // BAD`
`92`	`92`	`send(sock, str2, val(), val()); // GOOD: not system data`
`93`	`93`	`}`
`94`	`94`