C++: Pragmatic solution to include more sinks (plus autoformat changes).

geoffw0 · geoffw0 · commit 6c40cda68d5c · 2022-02-24T12:10:34.000Z
diff --git a/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql b/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
@@ -296,17 +296,20 @@ class ExposedSystemDataConfiguration extends TaintTracking::Configuration {
     exists(FunctionCall fc, FunctionInput input, int arg |
       fc.getTarget().(RemoteFlowSinkFunction).hasRemoteFlowSink(input, _) and
       input.isParameterDeref(arg) and
-      fc.getArgument(arg) = sink.asExpr()
+      fc.getArgument(arg).getAChild*() = sink.asExpr()
     )
   }
 }
 
 from ExposedSystemDataConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
-and not exists(DataFlow::Node alt | // remove duplicate results on conversions
-  config.hasFlow(source.getNode(), alt) and
-  alt.asConvertedExpr() = sink.getNode().asExpr() and
-  alt != sink.getNode()
-)
+where
+  config.hasFlowPath(source, sink) and
+  not exists(
+    DataFlow::Node alt // remove duplicate results on conversions
+  |
+    config.hasFlow(source.getNode(), alt) and
+    alt.asConvertedExpr() = sink.getNode().asExpr() and
+    alt != sink.getNode()
+  )
 select sink, source, sink, "This operation exposes system data from $@.", source,
   source.getNode().toString()
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected
@@ -6,6 +6,7 @@ edges
 | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | tests2.cpp:78:14:78:34 | call to mysql_get_client_info |
 | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | tests2.cpp:78:14:78:34 | call to mysql_get_client_info |
 | tests2.cpp:89:42:89:45 | str1 | tests2.cpp:91:14:91:17 | str1 |
+| tests2.cpp:99:8:99:15 | call to getpwuid | tests2.cpp:100:14:100:15 | pw |
 | tests2.cpp:107:3:107:4 | c1 [post update] [ptr] | tests2.cpp:109:14:109:15 | c1 [read] [ptr] |
 | tests2.cpp:107:6:107:8 | ptr [post update] | tests2.cpp:107:3:107:4 | c1 [post update] [ptr] |
 | tests2.cpp:107:12:107:17 | call to getenv | tests2.cpp:107:6:107:8 | ptr [post update] |
@@ -26,6 +27,8 @@ nodes
 | tests2.cpp:79:14:79:19 | (const char *)... | semmle.label | (const char *)... |
 | tests2.cpp:89:42:89:45 | str1 | semmle.label | str1 |
 | tests2.cpp:91:14:91:17 | str1 | semmle.label | str1 |
+| tests2.cpp:99:8:99:15 | call to getpwuid | semmle.label | call to getpwuid |
+| tests2.cpp:100:14:100:15 | pw | semmle.label | pw |
 | tests2.cpp:107:3:107:4 | c1 [post update] [ptr] | semmle.label | c1 [post update] [ptr] |
 | tests2.cpp:107:6:107:8 | ptr [post update] | semmle.label | ptr [post update] |
 | tests2.cpp:107:12:107:17 | call to getenv | semmle.label | call to getenv |
@@ -40,4 +43,5 @@ subpaths
 | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | This operation exposes system data from $@. | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | call to mysql_get_client_info |
 | tests2.cpp:79:14:79:19 | (const char *)... | tests2.cpp:76:18:76:38 | call to mysql_get_client_info | tests2.cpp:79:14:79:19 | (const char *)... | This operation exposes system data from $@. | tests2.cpp:76:18:76:38 | call to mysql_get_client_info | call to mysql_get_client_info |
 | tests2.cpp:91:14:91:17 | str1 | tests2.cpp:89:42:89:45 | str1 | tests2.cpp:91:14:91:17 | str1 | This operation exposes system data from $@. | tests2.cpp:89:42:89:45 | str1 | str1 |
+| tests2.cpp:100:14:100:15 | pw | tests2.cpp:99:8:99:15 | call to getpwuid | tests2.cpp:100:14:100:15 | pw | This operation exposes system data from $@. | tests2.cpp:99:8:99:15 | call to getpwuid | call to getpwuid |
 | tests2.cpp:109:14:109:19 | (const char *)... | tests2.cpp:107:12:107:17 | call to getenv | tests2.cpp:109:14:109:19 | (const char *)... | This operation exposes system data from $@. | tests2.cpp:107:12:107:17 | call to getenv | call to getenv |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests2.cpp
@@ -97,7 +97,7 @@ void test1()
 		passwd *pw;
 
 		pw = getpwuid(val());
-		send(sock, pw->pw_passwd, val(), val()); // BAD [NOT DETECTED]
+		send(sock, pw->pw_passwd, val(), val()); // BAD
 	}
 
 	// tests for containers

Original file line number	Diff line number	Diff line change
`@@ -97,7 +97,7 @@ void test1()`
`97`	`97`	`passwd *pw;`
`98`	`98`
`99`	`99`	`pw = getpwuid(val());`
`100`		`- send(sock, pw->pw_passwd, val(), val()); // BAD [NOT DETECTED]`
	`100`	`+ send(sock, pw->pw_passwd, val(), val()); // BAD`
`101`	`101`	`}`
`102`	`102`
`103`	`103`	`// tests for containers`