C++: Better deduplication.

geoffw0 · geoffw0 · commit 703f18b82f92 · 2022-02-15T17:52:27.000Z
diff --git a/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql b/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
@@ -296,12 +296,17 @@ class ExposedSystemDataConfiguration extends TaintTracking::Configuration {
     exists(FunctionCall fc, FunctionInput input, int arg |
       fc.getTarget().(RemoteFlowSinkFunction).hasRemoteFlowSink(input, _) and
       input.isParameterDeref(arg) and
-      fc.getArgument(arg).getFullyConverted() = sink.asConvertedExpr()
+      fc.getArgument(arg) = sink.asExpr()
     )
   }
 }
 
 from ExposedSystemDataConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
+and not exists(DataFlow::Node alt | // remove duplicate results on conversions
+  config.hasFlow(source.getNode(), alt) and
+  alt.asConvertedExpr() = sink.getNode().asExpr() and
+  alt != sink.getNode()
+)
 select sink, source, sink, "This operation exposes system data from $@.", source,
   source.getNode().toString()
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected
@@ -12,10 +12,13 @@ edges
 | tests2.cpp:109:14:109:15 | c1 [read] [ptr] | tests2.cpp:109:14:109:19 | (const char *)... |
 nodes
 | tests2.cpp:63:13:63:18 | call to getenv | semmle.label | call to getenv |
+| tests2.cpp:63:13:63:18 | call to getenv | semmle.label | call to getenv |
 | tests2.cpp:63:13:63:26 | (const char *)... | semmle.label | (const char *)... |
 | tests2.cpp:64:13:64:18 | call to getenv | semmle.label | call to getenv |
+| tests2.cpp:64:13:64:18 | call to getenv | semmle.label | call to getenv |
 | tests2.cpp:64:13:64:26 | (const char *)... | semmle.label | (const char *)... |
 | tests2.cpp:65:13:65:18 | call to getenv | semmle.label | call to getenv |
+| tests2.cpp:65:13:65:18 | call to getenv | semmle.label | call to getenv |
 | tests2.cpp:65:13:65:30 | (const char *)... | semmle.label | (const char *)... |
 | tests2.cpp:76:18:76:38 | call to mysql_get_client_info | semmle.label | call to mysql_get_client_info |
 | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | semmle.label | call to mysql_get_client_info |
@@ -30,9 +33,9 @@ nodes
 | tests2.cpp:109:14:109:19 | (const char *)... | semmle.label | (const char *)... |
 subpaths
 #select
-| tests2.cpp:63:13:63:26 | (const char *)... | tests2.cpp:63:13:63:18 | call to getenv | tests2.cpp:63:13:63:26 | (const char *)... | This operation exposes system data from $@. | tests2.cpp:63:13:63:18 | call to getenv | call to getenv |
-| tests2.cpp:64:13:64:26 | (const char *)... | tests2.cpp:64:13:64:18 | call to getenv | tests2.cpp:64:13:64:26 | (const char *)... | This operation exposes system data from $@. | tests2.cpp:64:13:64:18 | call to getenv | call to getenv |
-| tests2.cpp:65:13:65:30 | (const char *)... | tests2.cpp:65:13:65:18 | call to getenv | tests2.cpp:65:13:65:30 | (const char *)... | This operation exposes system data from $@. | tests2.cpp:65:13:65:18 | call to getenv | call to getenv |
+| tests2.cpp:63:13:63:18 | call to getenv | tests2.cpp:63:13:63:18 | call to getenv | tests2.cpp:63:13:63:18 | call to getenv | This operation exposes system data from $@. | tests2.cpp:63:13:63:18 | call to getenv | call to getenv |
+| tests2.cpp:64:13:64:18 | call to getenv | tests2.cpp:64:13:64:18 | call to getenv | tests2.cpp:64:13:64:18 | call to getenv | This operation exposes system data from $@. | tests2.cpp:64:13:64:18 | call to getenv | call to getenv |
+| tests2.cpp:65:13:65:18 | call to getenv | tests2.cpp:65:13:65:18 | call to getenv | tests2.cpp:65:13:65:18 | call to getenv | This operation exposes system data from $@. | tests2.cpp:65:13:65:18 | call to getenv | call to getenv |
 | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | This operation exposes system data from $@. | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | call to mysql_get_client_info |
 | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | This operation exposes system data from $@. | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | call to mysql_get_client_info |
 | tests2.cpp:79:14:79:19 | (const char *)... | tests2.cpp:76:18:76:38 | call to mysql_get_client_info | tests2.cpp:79:14:79:19 | (const char *)... | This operation exposes system data from $@. | tests2.cpp:76:18:76:38 | call to mysql_get_client_info | call to mysql_get_client_info |

Original file line number	Diff line number	Diff line change
`@@ -296,12 +296,17 @@ class ExposedSystemDataConfiguration extends TaintTracking::Configuration {`
`296`	`296`	`exists(FunctionCall fc, FunctionInput input, int arg \|`
`297`	`297`	`fc.getTarget().(RemoteFlowSinkFunction).hasRemoteFlowSink(input, _) and`
`298`	`298`	`input.isParameterDeref(arg) and`
`299`		`- fc.getArgument(arg).getFullyConverted() = sink.asConvertedExpr()`
	`299`	`+ fc.getArgument(arg) = sink.asExpr()`
`300`	`300`	`)`
`301`	`301`	`}`
`302`	`302`	`}`
`303`	`303`
`304`	`304`	`from ExposedSystemDataConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink`
`305`	`305`	`where config.hasFlowPath(source, sink)`
	`306`	`+and not exists(DataFlow::Node alt \| // remove duplicate results on conversions`
	`307`	`+ config.hasFlow(source.getNode(), alt) and`
	`308`	`+ alt.asConvertedExpr() = sink.getNode().asExpr() and`
	`309`	`+ alt != sink.getNode()`
	`310`	`+)`
`306`	`311`	`select sink, source, sink, "This operation exposes system data from $@.", source,`
`307`	`312`	`source.getNode().toString()`