
Commit 330b4c3

committed
C++: Generalize hasSocketInput a little to include fgets and friends.
1 parent 9c2d961 commit 330b4c3


4 files changed

+9
-8
lines changed


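--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Gets.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Gets.qll
@@ -65,4 +65,6 @@ private class GetsFunction extends DataFlowFunction, TaintFunction, ArrayFunctio
 }
 
 override predicate hasArrayOutput(int bufParam) { bufParam = 0 }
+
+override predicate hasSocketInput(FunctionInput input) { input.isParameter(2) }
 }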
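Review bot: The new `hasSocketInput` override carries no comment, and the bare index in `input.isParameter(2)` does not say which argument it designates. Going by the commit title and the `fgets(password, 128, stream)` call in the accompanying test, index 2 is presumably the stream argument; a one-line QLDoc such as `/** The stream being read from is the third argument (index 2). */` would make that explicit. The class's characteristic predicate lies outside the hunk, so it is worth confirming there that every function this class models takes its stream at index 2, since a function with a different signature would silently get no usable stream description.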

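--- a/cpp/ql/lib/semmle/code/cpp/models/interfaces/FlowSource.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/interfaces/FlowSource.qll
@@ -20,8 +20,9 @@ abstract class RemoteFlowSourceFunction extends Function {
 abstract predicate hasRemoteFlowSource(FunctionOutput output, string description);
 
 /**
-* Holds if remote data from this source comes from a socket described by
-* `input`. There is no result if a socket is not specified.
+* Holds if remote data from this source comes from a socket or stream
+* described by `input`. There is no result if none is specified by a
+* parameter.
 */
 predicate hasSocketInput(FunctionInput input) { none() }
 }
@@ -59,8 +60,9 @@ abstract class RemoteFlowSinkFunction extends Function {
 abstract predicate hasRemoteFlowSink(FunctionInput input, string description);
 
 /**
-* Holds if data put into this sink is transmitted through a socket described
-* by `input`. There is no result if a socket is not specified.
+* Holds if data put into this sink is transmitted through a socket or stream
+* described by `input`. There is no result if none is specified by a
+* parameter.
 */
 predicate hasSocketInput(FunctionInput input) { none() }
 }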
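Review bot: The reworded QLDoc on both `hasSocketInput` declarations (in `RemoteFlowSourceFunction` and in `RemoteFlowSinkFunction`) now covers streams, but the predicate name still says socket, and "if none is specified by a parameter" leaves the reader to work out what "none" refers to. A plainer closing sentence would be `There is no result if the function takes no socket or stream parameter.`, with one more sentence noting that the predicate keeps its name although a stream argument also qualifies. Queries that use this predicate to decide whether an endpoint is a network one will now be handed stream arguments as well, so the doc should say what a caller may assume about the described input. Both class bodies begin outside the hunks.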

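--- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected
@@ -39,7 +39,6 @@ edges
 | test3.cpp:217:18:217:28 | call to rtn_encrypt | test3.cpp:219:15:219:26 | password_ptr |
 | test3.cpp:225:34:225:41 | password | test3.cpp:228:26:228:33 | password |
 | test3.cpp:239:7:239:14 | password | test3.cpp:241:8:241:15 | password |
-| test3.cpp:239:7:239:14 | password | test3.cpp:242:8:242:15 | password |
 | test3.cpp:252:8:252:16 | password1 | test3.cpp:254:15:254:23 | password1 |
 | test3.cpp:252:8:252:16 | password1 | test3.cpp:256:3:256:19 | call to decrypt_to_buffer |
 | test3.cpp:252:8:252:16 | password1 | test3.cpp:256:21:256:29 | password1 |
@@ -149,7 +148,6 @@ nodes
 | test3.cpp:228:26:228:33 | password | semmle.label | password |
 | test3.cpp:239:7:239:14 | password | semmle.label | password |
 | test3.cpp:241:8:241:15 | password | semmle.label | password |
-| test3.cpp:242:8:242:15 | password | semmle.label | password |
 | test3.cpp:252:8:252:16 | password1 | semmle.label | password1 |
 | test3.cpp:252:24:252:32 | password2 | semmle.label | password2 |
 | test3.cpp:254:15:254:23 | password1 | semmle.label | password1 |
@@ -225,7 +223,6 @@ subpaths
 | test3.cpp:159:3:159:6 | call to send | test3.cpp:152:29:152:36 | password | test3.cpp:159:15:159:20 | buffer | This operation transmits 'buffer', which may contain unencrypted sensitive data from $@ | test3.cpp:152:29:152:36 | password | password |
 | test3.cpp:228:2:228:5 | call to send | test3.cpp:225:34:225:41 | password | test3.cpp:228:26:228:33 | password | This operation transmits 'password', which may contain unencrypted sensitive data from $@ | test3.cpp:225:34:225:41 | password | password |
 | test3.cpp:241:2:241:6 | call to fgets | test3.cpp:239:7:239:14 | password | test3.cpp:241:8:241:15 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@ | test3.cpp:239:7:239:14 | password | password |
-| test3.cpp:242:2:242:6 | call to fgets | test3.cpp:239:7:239:14 | password | test3.cpp:242:8:242:15 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@ | test3.cpp:239:7:239:14 | password | password |
 | test3.cpp:272:3:272:6 | call to send | test3.cpp:268:19:268:26 | password | test3.cpp:272:15:272:18 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@ | test3.cpp:268:19:268:26 | password | password |
 | test3.cpp:295:2:295:5 | call to send | test3.cpp:308:58:308:66 | password2 | test3.cpp:295:14:295:17 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@ | test3.cpp:308:58:308:66 | password2 | password2 |
 | test3.cpp:300:2:300:5 | call to send | test3.cpp:308:58:308:66 | password2 | test3.cpp:300:14:300:17 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@ | test3.cpp:308:58:308:66 | password2 | password2 |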

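--- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp
@@ -239,7 +239,7 @@ void test_fgets(FILE *stream)
 char password[128];
 
 fgets(password, 128, stream); // BAD
-fgets(password, 128, STDIN_STREAM); // GOOD: `STDIN_STREAM` is probably standard input [FALSE POSITIVE]
+fgets(password, 128, STDIN_STREAM); // GOOD: `STDIN_STREAM` is probably standard input
 }
 
 void encrypt_to_buffer(const char *input, char* output);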
