C++: Use asDefiningArgument() where appropriate.

Author: geoffw0

cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql

@@ -21,9 +21,7 @@ import SystemData
 class ExposedSystemDataConfiguration extends TaintTracking::Configuration {
   ExposedSystemDataConfiguration() { this = "ExposedSystemDataConfiguration" }
 
-  override predicate isSource(DataFlow::Node source) {
-    source.asConvertedExpr() = any(SystemData sd).getAnExpr()
-  }
+  override predicate isSource(DataFlow::Node source) { source = any(SystemData sd).getAnExpr() }
 
   override predicate isSink(DataFlow::Node sink) {
     exists(FunctionCall fc, FunctionInput input, int arg |

cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql

@@ -35,7 +35,7 @@ class PotentiallyExposedSystemDataConfiguration extends TaintTracking::Configura
   PotentiallyExposedSystemDataConfiguration() { this = "PotentiallyExposedSystemDataConfiguration" }
 
   override predicate isSource(DataFlow::Node source) {
-    source.asExpr() = any(SystemData sd | sd.isSensitive()).getAnExpr()
+    source = any(SystemData sd | sd.isSensitive()).getAnExpr()
   }
 
   override predicate isSink(DataFlow::Node sink) {

cpp/ql/src/Security/CWE/CWE-497/SystemData.qll

@@ -4,6 +4,7 @@
 
 import cpp
 import semmle.code.cpp.commons.Environment
+import semmle.code.cpp.ir.dataflow.TaintTracking
 
 /**
  * An element that should not be exposed to an adversary.
@@ -12,7 +13,7 @@ abstract class SystemData extends Element {
   /**
    * Gets an expression that is part of this `SystemData`.
    */
-  abstract Expr getAnExpr();
+  abstract DataFlow::Node getAnExpr();
 
   /**
    * Holds if this system data is considered especially sensitive (for example
@@ -33,7 +34,7 @@ class EnvData extends SystemData {
         .regexpMatch(".*(user|host|admin|root|home|path|http|ssl|snmp|sock|port|proxy|pass|token|crypt|key).*")
   }
 
-  override Expr getAnExpr() { result = this }
+  override DataFlow::Node getAnExpr() { result.asConvertedExpr() = this }
 
   override predicate isSensitive() {
     this.(EnvironmentRead)
@@ -49,7 +50,7 @@ class EnvData extends SystemData {
 class SQLClientInfo extends SystemData {
   SQLClientInfo() { this.(FunctionCall).getTarget().hasName("mysql_get_client_info") }
 
-  override Expr getAnExpr() { result = this }
+  override DataFlow::Node getAnExpr() { result.asConvertedExpr() = this }
 
   override predicate isSensitive() { any() }
 }
@@ -68,21 +69,24 @@ private predicate sqlConnectInfo(FunctionCall source, Expr use) {
 class SQLConnectInfo extends SystemData {
   SQLConnectInfo() { sqlConnectInfo(this, _) }
 
-  override Expr getAnExpr() { sqlConnectInfo(this, result) }
+  override DataFlow::Node getAnExpr() { sqlConnectInfo(this, result.asConvertedExpr()) }
 
   override predicate isSensitive() { any() }
 }
 
-private predicate posixSystemInfo(FunctionCall source, Element use) {
+private predicate posixSystemInfo(FunctionCall source, DataFlow::Node use) {
   // size_t confstr(int name, char *buf, size_t len)
   //  - various OS / system strings, such as the libc version
   // int statvfs(const char *__path, struct statvfs *__buf)
   // int fstatvfs(int __fd, struct statvfs *__buf)
+  source.getTarget().hasName(["confstr", "statvfs", "fstatvfs"]) and
+  use.asDefiningArgument() = source.getArgument(1)
+  or
   //  - various filesystem parameters
   // int uname(struct utsname *buf)
   //  - OS name and version
-  source.getTarget().hasName(["confstr", "statvfs", "fstatvfs", "uname"]) and
-  use = source.getArgument(1)
+  source.getTarget().hasName("uname") and
+  use.asDefiningArgument() = source.getArgument(0)
 }
 
 /**
@@ -91,10 +95,10 @@ private predicate posixSystemInfo(FunctionCall source, Element use) {
 class PosixSystemInfo extends SystemData {
   PosixSystemInfo() { posixSystemInfo(this, _) }
 
-  override Expr getAnExpr() { posixSystemInfo(this, result) }
+  override DataFlow::Node getAnExpr() { posixSystemInfo(this, result) }
 }
 
-private predicate posixPWInfo(FunctionCall source, Element use) {
+private predicate posixPWInfo(FunctionCall source, DataFlow::Node use) {
   // struct passwd *getpwnam(const char *name);
   // struct passwd *getpwuid(uid_t uid);
   // struct passwd *getpwent(void);
@@ -104,7 +108,7 @@ private predicate posixPWInfo(FunctionCall source, Element use) {
   source
       .getTarget()
       .hasName(["getpwnam", "getpwuid", "getpwent", "getgrnam", "getgrgid", "getgrent"]) and
-  use = source
+  use.asConvertedExpr() = source
   or
   // int getpwnam_r(const char *name, struct passwd *pwd,
   //                char *buf, size_t buflen, struct passwd **result);
@@ -115,14 +119,20 @@ private predicate posixPWInfo(FunctionCall source, Element use) {
   // int getgrnam_r(const char *name, struct group *grp,
   //                char *buf, size_t buflen, struct group **result);
   source.getTarget().hasName(["getpwnam_r", "getpwuid_r", "getgrgid_r", "getgrnam_r"]) and
-  use = source.getArgument([1, 2, 4])
+  (
+    use.asConvertedExpr() = source.getArgument([1, 2]) or
+    use.asDefiningArgument() = source.getArgument(4)
+  )
   or
   // int getpwent_r(struct passwd *pwd, char *buffer, size_t bufsize,
   //                struct passwd **result);
   // int getgrent_r(struct group *gbuf, char *buf,
   //                size_t buflen, struct group **gbufp);
   source.getTarget().hasName(["getpwent_r", "getgrent_r"]) and
-  use = source.getArgument([0, 1, 3])
+  (
+    use.asConvertedExpr() = source.getArgument([0, 1]) or
+    use.asDefiningArgument() = source.getArgument(3)
+  )
 }
 
 /**
@@ -131,15 +141,15 @@ private predicate posixPWInfo(FunctionCall source, Element use) {
 class PosixPWInfo extends SystemData {
   PosixPWInfo() { posixPWInfo(this, _) }
 
-  override Expr getAnExpr() { posixPWInfo(this, result) }
+  override DataFlow::Node getAnExpr() { posixPWInfo(this, result) }
 
   override predicate isSensitive() { any() }
 }
 
-private predicate windowsSystemInfo(FunctionCall source, Element use) {
+private predicate windowsSystemInfo(FunctionCall source, DataFlow::Node use) {
   // DWORD WINAPI GetVersion(void);
   source.getTarget().hasGlobalName("GetVersion") and
-  use = source
+  use.asConvertedExpr() = source
   or
   // BOOL WINAPI GetVersionEx(_Inout_ LPOSVERSIONINFO lpVersionInfo);
   // void WINAPI GetSystemInfo(_Out_ LPSYSTEM_INFO lpSystemInfo);
@@ -149,7 +159,7 @@ private predicate windowsSystemInfo(FunctionCall source, Element use) {
       .hasGlobalName([
           "GetVersionEx", "GetVersionExA", "GetVersionExW", "GetSystemInfo", "GetNativeSystemInfo"
         ]) and
-  use = source.getArgument(0)
+  use.asDefiningArgument() = source.getArgument(0)
 }
 
 /**
@@ -158,7 +168,7 @@ private predicate windowsSystemInfo(FunctionCall source, Element use) {
 class WindowsSystemInfo extends SystemData {
   WindowsSystemInfo() { windowsSystemInfo(this, _) }
 
-  override Expr getAnExpr() { windowsSystemInfo(this, result) }
+  override DataFlow::Node getAnExpr() { windowsSystemInfo(this, result) }
 }
 
 private predicate windowsFolderPath(FunctionCall source, Element use) {
@@ -217,7 +227,7 @@ private predicate windowsFolderPath(FunctionCall source, Element use) {
 class WindowsFolderPath extends SystemData {
   WindowsFolderPath() { windowsFolderPath(this, _) }
 
-  override Expr getAnExpr() { windowsFolderPath(this, result) }
+  override DataFlow::Node getAnExpr() { windowsFolderPath(this, result.asDefiningArgument()) }
 }
 
 private predicate logonUser(FunctionCall source, VariableAccess use) {
@@ -231,7 +241,7 @@ private predicate logonUser(FunctionCall source, VariableAccess use) {
 class LogonUser extends SystemData {
   LogonUser() { logonUser(this, _) }
 
-  override Expr getAnExpr() { logonUser(this, result) }
+  override DataFlow::Node getAnExpr() { logonUser(this, result.asConvertedExpr()) }
 
   override predicate isSensitive() { any() }
 }
@@ -313,7 +323,7 @@ private predicate regQuery(FunctionCall source, TRegQueryParameter param) {
 class RegQuery extends SystemData {
   RegQuery() { regQuery(this, _) }
 
-  override Expr getAnExpr() { regQuery(this, TReturnData(result)) }
+  override DataFlow::Node getAnExpr() { regQuery(this, TReturnData(result.asDefiningArgument())) }
 
   override predicate isSensitive() {
     exists(Expr e |

cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.expected

@@ -1,11 +1,8 @@
 edges
-| tests.c:57:21:57:28 | array to pointer conversion | tests.c:70:70:70:77 | array to pointer conversion |
 | tests.c:57:21:57:28 | password | tests.c:70:70:70:77 | array to pointer conversion |
 nodes
-| tests.c:57:21:57:28 | array to pointer conversion | semmle.label | array to pointer conversion |
 | tests.c:57:21:57:28 | password | semmle.label | password |
 | tests.c:70:70:70:77 | array to pointer conversion | semmle.label | array to pointer conversion |
 subpaths
 #select
-| tests.c:70:70:70:77 | array to pointer conversion | tests.c:57:21:57:28 | array to pointer conversion | tests.c:70:70:70:77 | array to pointer conversion | This operation potentially exposes sensitive system data from $@. | tests.c:57:21:57:28 | array to pointer conversion | array to pointer conversion |
 | tests.c:70:70:70:77 | array to pointer conversion | tests.c:57:21:57:28 | password | tests.c:70:70:70:77 | array to pointer conversion | This operation potentially exposes sensitive system data from $@. | tests.c:57:21:57:28 | password | password |

cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected

@@ -20,8 +20,8 @@ edges
 | tests_sockets.cpp:63:15:63:20 | call to getenv | tests_sockets.cpp:76:19:76:22 | path |
 | tests_sockets.cpp:63:15:63:20 | call to getenv | tests_sockets.cpp:80:20:80:23 | (const void *)... |
 | tests_sockets.cpp:63:15:63:20 | call to getenv | tests_sockets.cpp:80:20:80:23 | path |
-| tests_sysconf.cpp:36:21:36:27 | pathbuf | tests_sysconf.cpp:39:19:39:25 | (const void *)... |
-| tests_sysconf.cpp:36:21:36:27 | pathbuf | tests_sysconf.cpp:39:19:39:25 | pathbuf |
+| tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | (const void *)... |
+| tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | pathbuf |
 nodes
 | tests2.cpp:63:13:63:18 | call to getenv | semmle.label | call to getenv |
 | tests2.cpp:63:13:63:18 | call to getenv | semmle.label | call to getenv |
@@ -58,7 +58,7 @@ nodes
 | tests_sockets.cpp:76:19:76:22 | path | semmle.label | path |
 | tests_sockets.cpp:80:20:80:23 | (const void *)... | semmle.label | (const void *)... |
 | tests_sockets.cpp:80:20:80:23 | path | semmle.label | path |
-| tests_sysconf.cpp:36:21:36:27 | pathbuf | semmle.label | pathbuf |
+| tests_sysconf.cpp:36:21:36:27 | confstr output argument | semmle.label | confstr output argument |
 | tests_sysconf.cpp:39:19:39:25 | (const void *)... | semmle.label | (const void *)... |
 | tests_sysconf.cpp:39:19:39:25 | pathbuf | semmle.label | pathbuf |
 subpaths
@@ -77,4 +77,4 @@ subpaths
 | tests_sockets.cpp:43:20:43:23 | path | tests_sockets.cpp:26:15:26:20 | call to getenv | tests_sockets.cpp:43:20:43:23 | path | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | call to getenv | call to getenv |
 | tests_sockets.cpp:76:19:76:22 | path | tests_sockets.cpp:63:15:63:20 | call to getenv | tests_sockets.cpp:76:19:76:22 | path | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | call to getenv | call to getenv |
 | tests_sockets.cpp:80:20:80:23 | path | tests_sockets.cpp:63:15:63:20 | call to getenv | tests_sockets.cpp:80:20:80:23 | path | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | call to getenv | call to getenv |
-| tests_sysconf.cpp:39:19:39:25 | pathbuf | tests_sysconf.cpp:36:21:36:27 | pathbuf | tests_sysconf.cpp:39:19:39:25 | pathbuf | This operation exposes system data from $@. | tests_sysconf.cpp:36:21:36:27 | pathbuf | pathbuf |
+| tests_sysconf.cpp:39:19:39:25 | pathbuf | tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | pathbuf | This operation exposes system data from $@. | tests_sysconf.cpp:36:21:36:27 | confstr output argument | confstr output argument |