C++: Only look for sensitive strings in appropriate parameters.

geoffw0 · geoffw0 · commit cb33ed4fc26c · 2022-03-07T11:29:09.000Z
diff --git a/cpp/ql/src/Security/CWE/CWE-497/SystemData.qll b/cpp/ql/src/Security/CWE/CWE-497/SystemData.qll
@@ -311,6 +311,12 @@ class RegQuery extends SystemData {
   override Expr getAnExpr() { regQuery(this, TReturnData(result)) }
 
   override predicate isSensitive() {
-    this.(FunctionCall).getAnArgument().getValue().toLowerCase().regexpMatch(".*(pass|token|key).*")
+    exists(Expr e |
+      (
+        regQuery(this, TSubKeyName(e)) or
+        regQuery(this, TValueName(e))
+      ) and
+      e.getValue().toLowerCase().regexpMatch(".*(pass|token|key).*")
+    )
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -311,6 +311,12 @@ class RegQuery extends SystemData {`
`311`	`311`	`override Expr getAnExpr() { regQuery(this, TReturnData(result)) }`
`312`	`312`
`313`	`313`	`override predicate isSensitive() {`
`314`		`- this.(FunctionCall).getAnArgument().getValue().toLowerCase().regexpMatch(".(pass\|token\|key).")`
	`314`	`+ exists(Expr e \|`
	`315`	`+ (`
	`316`	`+ regQuery(this, TSubKeyName(e)) or`
	`317`	`+ regQuery(this, TValueName(e))`
	`318`	`+ ) and`
	`319`	`+ e.getValue().toLowerCase().regexpMatch(".(pass\|token\|key).")`
	`320`	`+ )`
`315`	`321`	`}`
`316`	`322`	`}`