C++: Add and use getRemoteSocket predicates.

Author: geoffw0

cpp/ql/lib/semmle/code/cpp/models/implementations/Recv.qll

@@ -85,4 +85,8 @@ private class Recv extends AliasFunction, ArrayFunction, SideEffectFunction,
     ) and
     description = "Buffer read by " + this.getName()
   }
+
+  override predicate hasSocketInput(FunctionInput input) {
+    input.isParameter(0)
+  }
 }

cpp/ql/lib/semmle/code/cpp/models/implementations/Send.qll

@@ -60,4 +60,8 @@ private class Send extends AliasFunction, ArrayFunction, SideEffectFunction, Rem
   override predicate hasRemoteFlowSink(FunctionInput input, string description) {
     input.isParameterDeref(1) and description = "Buffer sent by " + this.getName()
   }
+
+  override predicate hasSocketInput(FunctionInput input) {
+    input.isParameter(0)
+  }
 }

cpp/ql/lib/semmle/code/cpp/models/interfaces/FlowSource.qll

@@ -18,6 +18,12 @@ abstract class RemoteFlowSourceFunction extends Function {
    * Holds if remote data described by `description` flows from `output` of a call to this function.
    */
   abstract predicate hasRemoteFlowSource(FunctionOutput output, string description);
+
+  /**
+   * Holds if remote data from this source comes from a socket described by
+   * `input`. There is no result if a socket is not specified.
+   */
+  predicate hasSocketInput(FunctionInput input) { none() }
 }
 
 /**
@@ -51,4 +57,10 @@ abstract class RemoteFlowSinkFunction extends Function {
    * send over a network connection.
    */
   abstract predicate hasRemoteFlowSink(FunctionInput input, string description);
+
+  /**
+   * Holds if data put into this sink is transmitted through a socket described
+   * by `input`. There is no result if a socket is not specified.
+   */
+  predicate hasSocketInput(FunctionInput input) { none() }
 }

cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql

@@ -43,7 +43,13 @@ class NetworkSend extends NetworkSendRecv {
 
   NetworkSend() { target = this.getTarget() }
 
-  override Expr getSocketExpr() { result = this.getArgument(0) }
+  override Expr getSocketExpr() {
+    exists(FunctionInput input, int arg |
+      target.hasSocketInput(input) and
+      input.isParameter(arg) and
+      result = this.getArgument(arg)
+    )
+  }
 
   override Expr getDataExpr() {
     exists(FunctionInput input, int arg |
@@ -62,7 +68,13 @@ class NetworkRecv extends NetworkSendRecv {
 
   NetworkRecv() { target = this.getTarget() }
 
-  override Expr getSocketExpr() { result = this.getArgument(0) }
+  override Expr getSocketExpr() {
+    exists(FunctionInput input, int arg |
+      target.hasSocketInput(input) and
+      input.isParameter(arg) and
+      result = this.getArgument(arg)
+    )
+  }
 
   override Expr getDataExpr() {
     exists(FunctionOutput output, int arg |
@@ -85,7 +97,7 @@ class SensitiveSendRecvConfiguration extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node sink) {
     exists(NetworkSendRecv transmission |
       sink.asExpr() = transmission.getDataExpr() and
-      // a zero file descriptor is standard input, which is not interesting for this query.
+      // a zero socket descriptor is standard input, which is not interesting for this query.
       not exists(Zero zero |
         DataFlow::localFlow(DataFlow::exprNode(zero),
           DataFlow::exprNode(transmission.getSocketExpr()))