C++: Switch from GVN to localFlow.

geoffw0 · geoffw0 · commit 02b1774d7f49 · 2022-02-03T16:00:26.000Z
diff --git a/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql b/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
@@ -14,7 +14,6 @@
 import cpp
 import semmle.code.cpp.security.SensitiveExprs
 import semmle.code.cpp.dataflow.TaintTracking
-import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 import semmle.code.cpp.models.interfaces.FlowSource
 import semmle.code.cpp.commons.File
 import DataFlow::PathGraph
@@ -121,35 +120,30 @@ abstract class NetworkSendRecv extends FunctionCall {
   NetworkSendRecv() {
     this.getTarget() = target and
     // exclude calls based on the socket...
-    not exists(GVN g |
-      g = globalValueNumber(target.getSocketExpr(this)) and
+    not exists(DataFlow::Node src, DataFlow::Node dest |
+      DataFlow::localFlow(src, dest) and
+      dest.asExpr() = target.getSocketExpr(this) and
       (
         // literal constant
-        globalValueNumber(any(Literal l)) = g
+        src.asExpr() instanceof Literal
         or
         // variable (such as a global) initialized to a literal constant
         exists(Variable v |
           v.getInitializer().getExpr() instanceof Literal and
-          g = globalValueNumber(v.getAnAccess())
+          src.asExpr() = v.getAnAccess()
         )
         or
         // result of a function call with literal inputs (likely constant)
-        exists(FunctionCall fc |
-          forex(Expr arg | arg = fc.getAnArgument() | arg instanceof Literal) and
-          g = globalValueNumber(fc)
-        )
+        forex(Expr arg | arg = src.asExpr().(FunctionCall).getAnArgument() | arg instanceof Literal)
         or
         // variable called `stdin`, `stdout` or `stderr`
-        exists(VariableAccess v |
-          v.getTarget().getName() = ["stdin", "stdout", "stderr"] and
-          g = globalValueNumber(v)
-        )
+        src.asExpr().(VariableAccess).getTarget().getName() = ["stdin", "stdout", "stderr"]
         or
         // open of `"/dev/tty"`
         exists(FunctionCall fc |
           fopenCall(fc) and
           fc.getAnArgument().getValue() = "/dev/tty" and
-          g = globalValueNumber(fc)
+          src.asExpr() = fc
         )
         // (this is not exhaustive)
       )
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected
@@ -90,7 +90,6 @@ edges
 | test3.cpp:398:18:398:25 | password | test3.cpp:400:16:400:23 | password |
 | test3.cpp:398:18:398:25 | password | test3.cpp:400:33:400:40 | password |
 | test3.cpp:429:7:429:14 | password | test3.cpp:431:8:431:15 | password |
-| test3.cpp:465:8:465:15 | password | test3.cpp:474:11:474:18 | password |
 | test.cpp:41:23:41:43 | cleartext password! | test.cpp:48:21:48:27 | call to encrypt |
 | test.cpp:41:23:41:43 | cleartext password! | test.cpp:48:29:48:39 | thePassword |
 | test.cpp:66:23:66:43 | cleartext password! | test.cpp:76:21:76:27 | call to encrypt |
@@ -212,8 +211,6 @@ nodes
 | test3.cpp:400:33:400:40 | password | semmle.label | password |
 | test3.cpp:429:7:429:14 | password | semmle.label | password |
 | test3.cpp:431:8:431:15 | password | semmle.label | password |
-| test3.cpp:465:8:465:15 | password | semmle.label | password |
-| test3.cpp:474:11:474:18 | password | semmle.label | password |
 | test.cpp:41:23:41:43 | cleartext password! | semmle.label | cleartext password! |
 | test.cpp:48:21:48:27 | call to encrypt | semmle.label | call to encrypt |
 | test.cpp:48:29:48:39 | thePassword | semmle.label | thePassword |
@@ -245,4 +242,3 @@ subpaths
 | test3.cpp:341:4:341:7 | call to recv | test3.cpp:339:9:339:16 | password | test3.cpp:341:16:341:23 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@ | test3.cpp:339:9:339:16 | password | password |
 | test3.cpp:388:3:388:6 | call to recv | test3.cpp:386:8:386:15 | password | test3.cpp:388:15:388:22 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@ | test3.cpp:386:8:386:15 | password | password |
 | test3.cpp:431:2:431:6 | call to fgets | test3.cpp:429:7:429:14 | password | test3.cpp:431:8:431:15 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@ | test3.cpp:429:7:429:14 | password | password |
-| test3.cpp:474:3:474:6 | call to recv | test3.cpp:465:8:465:15 | password | test3.cpp:474:11:474:18 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@ | test3.cpp:465:8:465:15 | password | password |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp
@@ -471,6 +471,6 @@ void test_tty()
 			f = STDIN_FILENO;
 		}
 
-		recv(f, password, 256, val()); // GOOD: from terminal or stdin [FALSE POSITIVE]
+		recv(f, password, 256, val()); // GOOD: from terminal or stdin
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -471,6 +471,6 @@ void test_tty()`
`471`	`471`	`f = STDIN_FILENO;`
`472`	`472`	`}`
`473`	`473`
`474`		`- recv(f, password, 256, val()); // GOOD: from terminal or stdin [FALSE POSITIVE]`
	`474`	`+ recv(f, password, 256, val()); // GOOD: from terminal or stdin`
`475`	`475`	`}`
`476`	`476`	`}`