C++: Fixes to gets models.

geoffw0 · geoffw0 · commit af09dd8af124 · 2022-01-28T16:04:23.000Z
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Gets.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Gets.qll
@@ -50,6 +50,9 @@ private class FgetsFunction extends DataFlowFunction, TaintFunction, ArrayFuncti
   override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
     output.isParameterDeref(0) and
     description = "String read by " + this.getName()
+    or
+    output.isReturnValue() and
+    description = "String read by " + this.getName()
   }
 
   override predicate hasArrayWithVariableSize(int bufParam, int countParam) {
@@ -78,8 +81,7 @@ private class GetsFunction extends DataFlowFunction, TaintFunction, ArrayFunctio
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input.isParameter(2) and
-    output.isParameterDeref(0)
+    none()
   }
 
   override predicate parameterNeverEscapes(int index) { none() }
@@ -101,6 +103,9 @@ private class GetsFunction extends DataFlowFunction, TaintFunction, ArrayFunctio
   override predicate hasLocalFlowSource(FunctionOutput output, string description) {
     output.isParameterDeref(0) and
     description = "String read by " + this.getName()
+    or
+    output.isReturnValue() and
+    description = "String read by " + this.getName()
   }
 
   override predicate hasArrayWithUnknownSize(int bufParam) { bufParam = 0 }
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected
@@ -1,8 +1,10 @@
 edges
 | test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
 nodes
+| test2.cpp:110:3:110:6 | call to gets | semmle.label | call to gets |
 | test.cpp:54:17:54:20 | argv | semmle.label | argv |
 | test.cpp:58:25:58:29 | input | semmle.label | input |
 subpaths
 #select
+| test2.cpp:110:3:110:6 | call to gets | test2.cpp:110:3:110:6 | call to gets | test2.cpp:110:3:110:6 | call to gets | This write into buffer 'password' may contain unencrypted data from $@ | test2.cpp:110:3:110:6 | call to gets | user input (String read by gets) |
 | test.cpp:58:3:58:9 | call to sprintf | test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input | This write into buffer 'passwd' may contain unencrypted data from $@ | test.cpp:54:17:54:20 | argv | user input (a command-line argument) |

Original file line number	Diff line number	Diff line change
`@@ -50,6 +50,9 @@ private class FgetsFunction extends DataFlowFunction, TaintFunction, ArrayFuncti`
`50`	`50`	`override predicate hasRemoteFlowSource(FunctionOutput output, string description) {`
`51`	`51`	`output.isParameterDeref(0) and`
`52`	`52`	`description = "String read by " + this.getName()`
	`53`	`+ or`
	`54`	`+ output.isReturnValue() and`
	`55`	`+ description = "String read by " + this.getName()`
`53`	`56`	`}`
`54`	`57`
`55`	`58`	`override predicate hasArrayWithVariableSize(int bufParam, int countParam) {`
`@@ -78,8 +81,7 @@ private class GetsFunction extends DataFlowFunction, TaintFunction, ArrayFunctio`
`78`	`81`	`}`
`79`	`82`
`80`	`83`	`override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {`
`81`		`- input.isParameter(2) and`
`82`		`- output.isParameterDeref(0)`
	`84`	`+ none()`
`83`	`85`	`}`
`84`	`86`
`85`	`87`	`override predicate parameterNeverEscapes(int index) { none() }`
`@@ -101,6 +103,9 @@ private class GetsFunction extends DataFlowFunction, TaintFunction, ArrayFunctio`
`101`	`103`	`override predicate hasLocalFlowSource(FunctionOutput output, string description) {`
`102`	`104`	`output.isParameterDeref(0) and`
`103`	`105`	`description = "String read by " + this.getName()`
	`106`	`+ or`
	`107`	`+ output.isReturnValue() and`
	`108`	`+ description = "String read by " + this.getName()`
`104`	`109`	`}`
`105`	`110`
`106`	`111`	`override predicate hasArrayWithUnknownSize(int bufParam) { bufParam = 0 }`