Include changes from review

Porcupiney Hairs · Porcupiney Hairs · commit 57d1035acd24 · 2024-09-19T03:32:34.000+05:30
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-295/CurlSSL.qhelp b/cpp/ql/src/experimental/Security/CWE/CWE-295/CurlSSL.qhelp
@@ -1,10 +1,11 @@
 <!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
 <qhelp>
   <overview>
-    Disabling verification of the SSL certificate allows man-in-the-middle attacks. Disabling the
-    peer or the host's certificate verification makes the SSL communication insecure. Just having
-    encryption on a transfer is not enough as you cannot be sure that you are communicating with the
-    correct end-point.
+    Disabling verification of the SSL certificate allows man-in-the-middle attacks.
+    A SSL connection is vulnerable to man-in-the-middle attacks if the certification is not checked
+    properly.
+    If the peer or the host's certificate verification is not verified, the underlying SSL
+    communication is insecure.
   </overview>
   <recommendation>
     It is recommended that all communications be done post verification of the host as well as the
@@ -21,10 +22,12 @@
   <references>
     <li> Curl Documentation:<a href="https://curl.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html">
       CURLOPT_SSL_VERIFYHOST</a></li>
-    <li> Curl Documentation:<a href="https://curl.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html">
-      CURLOPT_SSL_VERIFYHOST</a></li>
-    <li> Related CVE: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-33684"> CVE-2022-33684</a></li>
-    <li> Related CVE: <a href="https://huntr.com/bounties/42325662-6329-4e04-875a-49e2f5d69f78">
-      `openframeworks/openframeworks`</a></li>
+    <li> Curl Documentation:<a href="https://curl.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html">
+      CURLOPT_SSL_VERIFYPEER</a></li>
+    <li> Related CVE: <a href="https://github.com/advisories/GHSA-5r3h-c3r7-9w4h"> CVE-2022-33684</a></li>
+    <li> Related security advisory: <a
+        href="https://huntr.com/bounties/42325662-6329-4e04-875a-49e2f5d69f78">
+        <code>openframeworks/openframeworks</code>
+      </a></li>
   </references>
 </qhelp>
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-295/CurlSSL.ql b/cpp/ql/src/experimental/Security/CWE/CWE-295/CurlSSL.ql
@@ -15,7 +15,7 @@ import semmle.code.cpp.dataflow.new.TaintTracking
 private class CurlSetOptCall extends FunctionCall {
   CurlSetOptCall() {
     exists(FunctionCall fc, Function f |
-      f.hasGlobalName("curl_easy_setopt") and
+      f.hasGlobalOrStdName("curl_easy_setopt") and
       fc.getTarget() = f
     |
       this = fc
@@ -34,6 +34,7 @@ private class CurlVerificationConstant extends EnumConstantAccess {
 
 from CurlSetOptCall c
 where
-  c.getArgument(1) = any(CurlVerificationConstant v) and
+  c.getArgument(1) = any(CurlVerificationConstant v) 
+  and
   c.getArgument(2).getValue() = "0"
 select c, "This call disables Secure Socket Layer and could potentially lead to MITM attacks"
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-295/CurlSSLBad.cpp b/cpp/ql/src/experimental/Security/CWE/CWE-295/CurlSSLBad.cpp
@@ -4,6 +4,6 @@ void bad(void) {
 		std::unique_ptr<CURL, void(*)(CURL*)>(curl_easy_init(), curl_easy_cleanup);
 	curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYPEER, 0);
 	curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYHOST, 0); 
-  curl_easy_setopt(curl.get(), CURLOPT_URL, host.c_str());
-  curl_easy_perform(curl.get());
+  	curl_easy_setopt(curl.get(), CURLOPT_URL, host.c_str());
+  	curl_easy_perform(curl.get());
 }
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-295/CurlSSLGood.cpp b/cpp/ql/src/experimental/Security/CWE/CWE-295/CurlSSLGood.cpp
@@ -4,6 +4,6 @@ void good(void) {
 		std::unique_ptr<CURL, void(*)(CURL*)>(curl_easy_init(), curl_easy_cleanup);
 	curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYPEER, 2);
 	curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYHOST, 2); 
-  curl_easy_setopt(curl.get(), CURLOPT_URL, host.c_str());
-  curl_easy_perform(curl.get());
+  	curl_easy_setopt(curl.get(), CURLOPT_URL, host.c_str());
+  	curl_easy_perform(curl.get());
 }
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-295/CurlSSL.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-295/CurlSSL.expected
@@ -1 +1,2 @@
-a
+| CurlSSL.cpp:25:2:25:17 | call to curl_easy_setopt | This call disables Secure Socket Layer and could potentially lead to MITM attacks |
+| CurlSSL.cpp:26:2:26:17 | call to curl_easy_setopt | This call disables Secure Socket Layer and could potentially lead to MITM attacks |

Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,6 @@ void bad(void) {`
`4`	`4`	`std::unique_ptr<CURL, void()(CURL)>(curl_easy_init(), curl_easy_cleanup);`
`5`	`5`	`curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYPEER, 0);`
`6`	`6`	`curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYHOST, 0);`
`7`		`- curl_easy_setopt(curl.get(), CURLOPT_URL, host.c_str());`
`8`		`- curl_easy_perform(curl.get());`
	`7`	`+ curl_easy_setopt(curl.get(), CURLOPT_URL, host.c_str());`
	`8`	`+ curl_easy_perform(curl.get());`
`9`	`9`	`}`
Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,6 @@ void good(void) {`
`4`	`4`	`std::unique_ptr<CURL, void()(CURL)>(curl_easy_init(), curl_easy_cleanup);`
`5`	`5`	`curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYPEER, 2);`
`6`	`6`	`curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYHOST, 2);`
`7`		`- curl_easy_setopt(curl.get(), CURLOPT_URL, host.c_str());`
`8`		`- curl_easy_perform(curl.get());`
	`7`	`+ curl_easy_setopt(curl.get(), CURLOPT_URL, host.c_str());`
	`8`	`+ curl_easy_perform(curl.get());`
`9`	`9`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`		`-a`
	`1`	`+\| CurlSSL.cpp:25:2:25:17 \| call to curl_easy_setopt \| This call disables Secure Socket Layer and could potentially lead to MITM attacks \|`
	`2`	`+\| CurlSSL.cpp:26:2:26:17 \| call to curl_easy_setopt \| This call disables Secure Socket Layer and could potentially lead to MITM attacks \|`