C++: Fix up isParameterDeref.

geoffw0 · geoffw0 · commit 588447d596a1 · 2022-01-24T11:06:24.000Z
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Gets.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Gets.qll
@@ -59,7 +59,7 @@ private class FgetsFunction extends DataFlowFunction, TaintFunction, ArrayFuncti
 
   override predicate hasArrayOutput(int bufParam) { bufParam = 0 }
 
-  override predicate hasSocketInput(FunctionInput input) { input.isParameter(2) }
+  override predicate hasSocketInput(FunctionInput input) { input.isParameterDeref(2) }
 }
 
 
diff --git a/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql b/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
@@ -58,7 +58,10 @@ class Send extends SendRecv instanceof RemoteFlowSinkFunction {
     call.getTarget() = this and
     exists(FunctionInput input, int arg |
       super.hasSocketInput(input) and
-      input.isParameter(arg) and
+      (
+        input.isParameter(arg) or
+        input.isParameterDeref(arg)
+      ) and
       result = call.getArgument(arg)
     )
   }
@@ -81,7 +84,10 @@ class Recv extends SendRecv instanceof RemoteFlowSourceFunction {
     call.getTarget() = this and
     exists(FunctionInput input, int arg |
       super.hasSocketInput(input) and
-      input.isParameter(arg) and
+      (
+        input.isParameter(arg) or
+        input.isParameterDeref(arg)
+      ) and
       result = call.getArgument(arg)
     )
   }

Original file line number	Diff line number	Diff line change
`@@ -59,7 +59,7 @@ private class FgetsFunction extends DataFlowFunction, TaintFunction, ArrayFuncti`
`59`	`59`
`60`	`60`	`override predicate hasArrayOutput(int bufParam) { bufParam = 0 }`
`61`	`61`
`62`		`- override predicate hasSocketInput(FunctionInput input) { input.isParameter(2) }`
	`62`	`+ override predicate hasSocketInput(FunctionInput input) { input.isParameterDeref(2) }`
`63`	`63`	`}`
`64`	`64`
`65`	`65`
Original file line number	Diff line number	Diff line change
`@@ -58,7 +58,10 @@ class Send extends SendRecv instanceof RemoteFlowSinkFunction {`
`58`	`58`	`call.getTarget() = this and`
`59`	`59`	`exists(FunctionInput input, int arg \|`
`60`	`60`	`super.hasSocketInput(input) and`
`61`		`- input.isParameter(arg) and`
	`61`	`+ (`
	`62`	`+ input.isParameter(arg) or`
	`63`	`+ input.isParameterDeref(arg)`
	`64`	`+ ) and`
`62`	`65`	`result = call.getArgument(arg)`
`63`	`66`	`)`
`64`	`67`	`}`
`@@ -81,7 +84,10 @@ class Recv extends SendRecv instanceof RemoteFlowSourceFunction {`
`81`	`84`	`call.getTarget() = this and`
`82`	`85`	`exists(FunctionInput input, int arg \|`
`83`	`86`	`super.hasSocketInput(input) and`
`84`		`- input.isParameter(arg) and`
	`87`	`+ (`
	`88`	`+ input.isParameter(arg) or`
	`89`	`+ input.isParameterDeref(arg)`
	`90`	`+ ) and`
`85`	`91`	`result = call.getArgument(arg)`
`86`	`92`	`)`
`87`	`93`	`}`