C++: Improve recognition of stdin, stdout etc.

Author: geoffw0

cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql

@@ -36,13 +36,23 @@ abstract class NetworkSendRecv extends FunctionCall {
   abstract Expr getDataExpr();
 
   /**
-   * Holds if any socket used by this call could be a true network socket.
-   * A zero socket descriptor is standard input, which is not a network
-   * operation.
+   * Holds if the socket used by this call could be a true network socket (or
+   * if no socket is specified). A constant value is likely to indicate standard
+   * input, standard output or a similar non-network socket.
    */
   predicate checkSocket() {
-    not exists(Zero zero |
-      DataFlow::localFlow(DataFlow::exprNode(zero), DataFlow::exprNode(getSocketExpr()))
+    not exists(GVN g |
+      g = globalValueNumber(getSocketExpr()) and
+      (
+        // literal constant
+        globalValueNumber(any(Literal l)) = g
+        or
+        // variable (such as a global) initialized to a literal constant
+        exists(Variable v |
+          v.getInitializer().getExpr() instanceof Literal and
+          g = globalValueNumber(v.getAnAccess())
+        )
+      )
     )
   }
 }

cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected

@@ -196,7 +196,6 @@ subpaths
 #select
 | test3.cpp:22:3:22:6 | call to send | test3.cpp:22:15:22:23 | password1 | test3.cpp:22:15:22:23 | password1 | This operation transmits 'password1', which may contain unencrypted sensitive data from $@ | test3.cpp:22:15:22:23 | password1 | password1 |
 | test3.cpp:26:3:26:6 | call to send | test3.cpp:26:15:26:23 | password2 | test3.cpp:26:15:26:23 | password2 | This operation transmits 'password2', which may contain unencrypted sensitive data from $@ | test3.cpp:26:15:26:23 | password2 | password2 |
-| test3.cpp:38:3:38:6 | call to send | test3.cpp:38:23:38:31 | password2 | test3.cpp:38:23:38:31 | password2 | This operation transmits 'password2', which may contain unencrypted sensitive data from $@ | test3.cpp:38:23:38:31 | password2 | password2 |
 | test3.cpp:47:3:47:6 | call to recv | test3.cpp:47:15:47:22 | password | test3.cpp:47:15:47:22 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@ | test3.cpp:47:15:47:22 | password | password |
 | test3.cpp:55:3:55:6 | call to recv | test3.cpp:55:15:55:22 | password | test3.cpp:55:15:55:22 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@ | test3.cpp:55:15:55:22 | password | password |
 | test3.cpp:76:3:76:6 | call to send | test3.cpp:74:21:74:29 | password1 | test3.cpp:76:15:76:17 | ptr | This operation transmits 'ptr', which may contain unencrypted sensitive data from $@ | test3.cpp:74:21:74:29 | password1 | password1 |

cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp

@@ -35,7 +35,7 @@ void test_send(const char *password1, const char *password2, const char *passwor
 	}
 
 	{
-		send(stdout_fileno, password2, strlen(password2), val()); // GOOD: `password2` is sent to stdout, not a network socket (this may be an issue but is not within the scope of the `cpp/cleartext-transmission` query) [FALSE POSITIVE]
+		send(stdout_fileno, password2, strlen(password2), val()); // GOOD: `password2` is sent to stdout, not a network socket (this may be an issue but is not within the scope of the `cpp/cleartext-transmission` query)
 	}
 }