C++: Different approach to sensitive exprs.

Author: geoffw0

cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql

@@ -18,6 +18,21 @@ import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 import semmle.code.cpp.models.interfaces.FlowSource
 import DataFlow::PathGraph
 
+/**
+ * A DataFlow node corresponding to a variable or function call that
+ * might contain or return a password or other sensitive information.
+ */
+class SensitiveNode extends DataFlow::Node {
+  SensitiveNode() {
+    this.asExpr() = any(SensitiveVariable sv).getInitializer().getExpr() or
+    this.asExpr().(VariableAccess).getTarget() =
+      any(SensitiveVariable sv).(GlobalOrNamespaceVariable) or
+    this.asUninitialized() instanceof SensitiveVariable or
+    this.asParameter() instanceof SensitiveVariable or
+    this.asExpr().(FunctionCall).getTarget() instanceof SensitiveFunction
+  }
+}
+
 /**
  * A function call that sends or receives data over a network.
  *
@@ -129,25 +144,19 @@ class Encrypted extends Expr {
 class FromSensitiveConfiguration extends TaintTracking::Configuration {
   FromSensitiveConfiguration() { this = "FromSensitiveConfiguration" }
 
-  override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof SensitiveExpr }
+  override predicate isSource(DataFlow::Node source) { source instanceof SensitiveNode }
 
   override predicate isSink(DataFlow::Node sink) {
     sink.asExpr() = any(NetworkSendRecv nsr | nsr.checkSocket()).getDataExpr()
     or
     sink.asExpr() instanceof Encrypted
-    or
-    sink.asExpr() instanceof SensitiveExpr
   }
 
   override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
     // flow from pre-update to post-update of the source
     isSource(node1) and
     node2.(DataFlow::PostUpdateNode).getPreUpdateNode() = node1
     or
-    // flow from pre-update to post-update of the sink (in case we can reach other sinks)
-    isSink(node1) and
-    node2.(DataFlow::PostUpdateNode).getPreUpdateNode() = node1
-    or
     // flow through encryption functions to the return value (in case we can reach other sinks)
     node2.asExpr().(Encrypted).(FunctionCall).getAnArgument() = node1.asExpr()
   }
@@ -166,12 +175,6 @@ where
     config.hasFlow(source.getNode(), encrypted) and
     encrypted.asExpr() instanceof Encrypted
   ) and
-  // only use the 'first' sensitive expression
-  not exists(DataFlow::Node sensitive |
-    config.hasFlow(sensitive, source.getNode()) and
-    sensitive.asExpr() instanceof SensitiveExpr and
-    not source.getNode() = sensitive
-  ) and
   // construct result
   if networkSendRecv instanceof NetworkSend
   then