C++: Add simple dataflow to the query.

geoffw0 · geoffw0 · commit 652f9034574c · 2021-07-13T17:48:48.000+01:00
diff --git a/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql b/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
@@ -14,10 +14,11 @@
 import cpp
 import semmle.code.cpp.security.SensitiveExprs
 import semmle.code.cpp.security.FileWrite
+import semmle.code.cpp.dataflow.DataFlow
 
 from FileWrite w, SensitiveExpr source, Expr dest
 where
-  source = w.getASource() and
+  DataFlow::localFlow(DataFlow::exprNode(source), DataFlow::exprNode(w.getASource())) and
   dest = w.getDest()
 select w, "This write into file '" + dest.toString() + "' may contain unencrypted data from $@",
   source, "this source."
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected
@@ -1,6 +1,7 @@
 | test2.cpp:28:2:28:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:28:36:28:43 | password | this source. |
 | test2.cpp:29:2:29:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:29:37:29:45 | thepasswd | this source. |
 | test2.cpp:30:2:30:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:30:38:30:47 | accountkey | this source. |
+| test2.cpp:40:3:40:9 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:37:18:37:25 | password | this source. |
 | test.cpp:45:3:45:7 | call to fputs | This write into file 'file' may contain unencrypted data from $@ | test.cpp:45:9:45:19 | thePassword | this source. |
 | test.cpp:70:35:70:35 | call to operator<< | This write into file 'mystream' may contain unencrypted data from $@ | test.cpp:70:38:70:48 | thePassword | this source. |
 | test.cpp:73:37:73:41 | call to write | This write into file 'mystream' may contain unencrypted data from $@ | test.cpp:73:43:73:53 | thePassword | this source. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test2.cpp
@@ -37,7 +37,7 @@ void tests(FILE *log, myStruct &s)
 		char *cpy1 = s.password;
 		char *cpy2 = crypt(s.password);
 
-		fprintf(log, "cpy1 = %s\n", cpy1); // BAD [NOT DETECTED]
+		fprintf(log, "cpy1 = %s\n", cpy1); // BAD
 		fprintf(log, "cpy2 = %s\n", cpy2); // GOOD
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,7 @@ void tests(FILE *log, myStruct &s)`
`37`	`37`	`char *cpy1 = s.password;`
`38`	`38`	`char *cpy2 = crypt(s.password);`
`39`	`39`
`40`		`- fprintf(log, "cpy1 = %s\n", cpy1); // BAD [NOT DETECTED]`
	`40`	`+ fprintf(log, "cpy1 = %s\n", cpy1); // BAD`
`41`	`41`	`fprintf(log, "cpy2 = %s\n", cpy2); // GOOD`
`42`	`42`	`}`
`43`	`43`