C++: Redesign and fix results that appear to be encrypted.

geoffw0 · geoffw0 · commit 6896b20dcd13 · 2021-12-07T20:42:13.000Z
diff --git a/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql b/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
@@ -125,6 +125,8 @@ class FromSensitiveConfiguration extends TaintTracking::Configuration {
     sink.asExpr() = any(NetworkSendRecv nsr | nsr.checkSocket()).getDataExpr()
     or
     sink.asExpr() instanceof Encrypted
+    or
+    sink.asExpr() instanceof SensitiveExpr
   }
 
   override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
@@ -150,11 +152,16 @@ where
   sink.getNode().asExpr() = networkSendRecv.getDataExpr() and
   networkSendRecv.checkSocket() and
   // no flow from sensitive -> evidence of encryption
-  not exists(DataFlow::Node anySource, DataFlow::Node encrypted |
-    config.hasFlow(anySource, sink.getNode()) and
-    config.hasFlow(anySource, encrypted) and
+  not exists(DataFlow::Node encrypted |
+    config.hasFlow(source.getNode(), encrypted) and
     encrypted.asExpr() instanceof Encrypted
   ) and
+  // only use the 'first' sensitive expression
+  not exists(DataFlow::Node sensitive |
+    config.hasFlow(sensitive, source.getNode()) and
+    sensitive.asExpr() instanceof SensitiveExpr and
+    not source.getNode() = sensitive
+  ) and
   // construct result
   if networkSendRecv instanceof NetworkSend
   then
@@ -165,4 +172,4 @@ where
     msg =
       "This operation receives into '" + sink.toString() +
         "', which may put unencrypted sensitive data into $@"
-select networkSendRecv, source, sink, msg, source, source.getNode().asExpr().toString()
+select networkSendRecv, source, sink, msg, source, source.getNode().toString()
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected
@@ -1,10 +1,32 @@
 edges
+| test2.cpp:43:34:43:34 | s [post update] [password] | test2.cpp:62:16:62:16 | s [password] |
 | test2.cpp:43:34:43:34 | s [post update] [password] | test2.cpp:63:22:63:22 | s [password] |
+| test2.cpp:43:34:43:34 | s [post update] [password] | test2.cpp:72:15:72:15 | s [password] |
+| test2.cpp:43:34:43:34 | s [post update] [password] | test2.cpp:79:34:79:34 | s [password] |
+| test2.cpp:43:34:43:34 | s [post update] [password] | test2.cpp:91:43:91:43 | s [password] |
 | test2.cpp:43:36:43:43 | password | test2.cpp:43:36:43:43 | ref arg password |
 | test2.cpp:43:36:43:43 | ref arg password | test2.cpp:43:34:43:34 | s [post update] [password] |
+| test2.cpp:54:39:54:39 | s [post update] [widepassword] | test2.cpp:55:38:55:38 | s [widepassword] |
+| test2.cpp:54:41:54:52 | ref arg widepassword | test2.cpp:54:39:54:39 | s [post update] [widepassword] |
+| test2.cpp:54:41:54:52 | widepassword | test2.cpp:54:41:54:52 | ref arg widepassword |
+| test2.cpp:55:38:55:38 | s [widepassword] | test2.cpp:55:40:55:51 | widepassword |
+| test2.cpp:62:16:62:16 | s [password] | test2.cpp:62:18:62:25 | password |
 | test2.cpp:63:22:63:22 | s [password] | test2.cpp:63:24:63:31 | password |
 | test2.cpp:63:22:63:22 | s [password] | test2.cpp:63:24:63:31 | password |
+| test2.cpp:63:22:63:22 | s [post update] [password] | test2.cpp:72:15:72:15 | s [password] |
+| test2.cpp:63:22:63:22 | s [post update] [password] | test2.cpp:79:34:79:34 | s [password] |
+| test2.cpp:63:22:63:22 | s [post update] [password] | test2.cpp:91:43:91:43 | s [password] |
 | test2.cpp:63:24:63:31 | password | test2.cpp:63:16:63:20 | call to crypt |
+| test2.cpp:63:24:63:31 | password | test2.cpp:63:24:63:31 | ref arg password |
+| test2.cpp:63:24:63:31 | ref arg password | test2.cpp:63:22:63:22 | s [post update] [password] |
+| test2.cpp:72:15:72:15 | s [password] | test2.cpp:72:17:72:24 | password |
+| test2.cpp:79:34:79:34 | s [password] | test2.cpp:79:36:79:43 | password |
+| test2.cpp:79:34:79:34 | s [password] | test2.cpp:79:36:79:43 | password |
+| test2.cpp:79:34:79:34 | s [post update] [password] | test2.cpp:91:43:91:43 | s [password] |
+| test2.cpp:79:36:79:43 | password | test2.cpp:79:36:79:43 | ref arg password |
+| test2.cpp:79:36:79:43 | ref arg password | test2.cpp:79:34:79:34 | s [post update] [password] |
+| test2.cpp:91:43:91:43 | s [password] | test2.cpp:91:45:91:52 | password |
+| test3.cpp:47:15:47:22 | password | test3.cpp:49:28:49:35 | password |
 | test3.cpp:74:21:74:29 | password1 | test3.cpp:76:15:76:17 | ptr |
 | test3.cpp:81:15:81:22 | password | test3.cpp:83:15:83:17 | ptr |
 | test3.cpp:112:20:112:25 | buffer | test3.cpp:114:14:114:19 | buffer |
@@ -20,6 +42,7 @@ edges
 | test3.cpp:173:15:173:22 | password | test3.cpp:175:19:175:26 | password |
 | test3.cpp:173:15:173:22 | password | test3.cpp:175:19:175:26 | password |
 | test3.cpp:175:19:175:26 | password | test3.cpp:175:3:175:17 | call to decrypt_inplace |
+| test3.cpp:181:15:181:22 | password | test3.cpp:182:3:182:10 | password |
 | test3.cpp:181:15:181:22 | password | test3.cpp:184:3:184:17 | call to decrypt_inplace |
 | test3.cpp:181:15:181:22 | password | test3.cpp:184:19:184:26 | password |
 | test3.cpp:181:15:181:22 | password | test3.cpp:184:19:184:26 | password |
@@ -30,45 +53,90 @@ edges
 | test3.cpp:193:30:193:37 | password | test3.cpp:193:18:193:28 | call to rtn_decrypt |
 | test3.cpp:199:19:199:26 | password | test3.cpp:199:3:199:17 | call to encrypt_inplace |
 | test3.cpp:199:19:199:26 | password | test3.cpp:201:15:201:22 | password |
+| test3.cpp:199:19:199:26 | password | test3.cpp:201:32:201:39 | password |
 | test3.cpp:207:19:207:26 | password | test3.cpp:207:3:207:17 | call to encrypt_inplace |
+| test3.cpp:207:19:207:26 | password | test3.cpp:208:3:208:10 | password |
 | test3.cpp:207:19:207:26 | password | test3.cpp:210:15:210:22 | password |
+| test3.cpp:207:19:207:26 | password | test3.cpp:210:32:210:39 | password |
 | test3.cpp:217:18:217:28 | call to rtn_encrypt | test3.cpp:219:15:219:26 | password_ptr |
+| test3.cpp:217:18:217:28 | call to rtn_encrypt | test3.cpp:219:36:219:47 | password_ptr |
 | test3.cpp:217:30:217:37 | password | test3.cpp:217:18:217:28 | call to rtn_encrypt |
 | test3.cpp:217:30:217:37 | password | test3.cpp:217:18:217:28 | call to rtn_encrypt |
 | test3.cpp:217:30:217:37 | password | test3.cpp:219:15:219:26 | password_ptr |
+| test3.cpp:217:30:217:37 | password | test3.cpp:219:36:219:47 | password_ptr |
 | test3.cpp:241:8:241:15 | password | test3.cpp:242:8:242:15 | password |
 | test.cpp:48:29:48:39 | thePassword | test.cpp:48:21:48:27 | call to encrypt |
+| test.cpp:58:11:58:16 | passwd | test.cpp:61:11:61:16 | passwd |
 | test.cpp:76:29:76:39 | thePassword | test.cpp:76:21:76:27 | call to encrypt |
 nodes
 | test2.cpp:43:34:43:34 | s [post update] [password] | semmle.label | s [post update] [password] |
 | test2.cpp:43:36:43:43 | password | semmle.label | password |
+| test2.cpp:43:36:43:43 | password | semmle.label | password |
 | test2.cpp:43:36:43:43 | ref arg password | semmle.label | ref arg password |
+| test2.cpp:44:37:44:45 | thepasswd | semmle.label | thepasswd |
+| test2.cpp:50:41:50:53 | passwd_config | semmle.label | passwd_config |
+| test2.cpp:52:44:52:57 | password_tries | semmle.label | password_tries |
+| test2.cpp:54:39:54:39 | s [post update] [widepassword] | semmle.label | s [post update] [widepassword] |
+| test2.cpp:54:41:54:52 | ref arg widepassword | semmle.label | ref arg widepassword |
+| test2.cpp:54:41:54:52 | widepassword | semmle.label | widepassword |
+| test2.cpp:54:41:54:52 | widepassword | semmle.label | widepassword |
+| test2.cpp:55:38:55:38 | s [widepassword] | semmle.label | s [widepassword] |
+| test2.cpp:55:40:55:51 | widepassword | semmle.label | widepassword |
+| test2.cpp:57:39:57:49 | call to getPassword | semmle.label | call to getPassword |
+| test2.cpp:62:16:62:16 | s [password] | semmle.label | s [password] |
+| test2.cpp:62:18:62:25 | password | semmle.label | password |
 | test2.cpp:63:16:63:20 | call to crypt | semmle.label | call to crypt |
 | test2.cpp:63:22:63:22 | s [password] | semmle.label | s [password] |
+| test2.cpp:63:22:63:22 | s [post update] [password] | semmle.label | s [post update] [password] |
 | test2.cpp:63:24:63:31 | password | semmle.label | password |
 | test2.cpp:63:24:63:31 | password | semmle.label | password |
+| test2.cpp:63:24:63:31 | ref arg password | semmle.label | ref arg password |
+| test2.cpp:72:15:72:15 | s [password] | semmle.label | s [password] |
+| test2.cpp:72:17:72:24 | password | semmle.label | password |
+| test2.cpp:79:34:79:34 | s [password] | semmle.label | s [password] |
+| test2.cpp:79:34:79:34 | s [post update] [password] | semmle.label | s [post update] [password] |
+| test2.cpp:79:36:79:43 | password | semmle.label | password |
+| test2.cpp:79:36:79:43 | password | semmle.label | password |
+| test2.cpp:79:36:79:43 | ref arg password | semmle.label | ref arg password |
+| test2.cpp:82:15:82:28 | passwd_config2 | semmle.label | passwd_config2 |
+| test2.cpp:84:50:84:63 | passwd_config2 | semmle.label | passwd_config2 |
+| test2.cpp:91:43:91:43 | s [password] | semmle.label | s [password] |
+| test2.cpp:91:45:91:52 | password | semmle.label | password |
+| test3.cpp:20:28:20:36 | password1 | semmle.label | password1 |
 | test3.cpp:22:15:22:23 | password1 | semmle.label | password1 |
+| test3.cpp:22:33:22:41 | password1 | semmle.label | password1 |
 | test3.cpp:26:15:26:23 | password2 | semmle.label | password2 |
+| test3.cpp:26:33:26:41 | password2 | semmle.label | password2 |
 | test3.cpp:38:23:38:31 | password2 | semmle.label | password2 |
+| test3.cpp:38:41:38:49 | password2 | semmle.label | password2 |
+| test3.cpp:47:15:47:22 | password | semmle.label | password |
 | test3.cpp:47:15:47:22 | password | semmle.label | password |
+| test3.cpp:49:28:49:35 | password | semmle.label | password |
 | test3.cpp:55:15:55:22 | password | semmle.label | password |
 | test3.cpp:74:21:74:29 | password1 | semmle.label | password1 |
+| test3.cpp:74:21:74:29 | password1 | semmle.label | password1 |
 | test3.cpp:76:15:76:17 | ptr | semmle.label | ptr |
 | test3.cpp:81:15:81:22 | password | semmle.label | password |
+| test3.cpp:81:15:81:22 | password | semmle.label | password |
 | test3.cpp:83:15:83:17 | ptr | semmle.label | ptr |
 | test3.cpp:101:12:101:19 | password | semmle.label | password |
+| test3.cpp:108:12:108:19 | password | semmle.label | password |
 | test3.cpp:112:20:112:25 | buffer | semmle.label | buffer |
 | test3.cpp:114:14:114:19 | buffer | semmle.label | buffer |
 | test3.cpp:117:28:117:33 | buffer | semmle.label | buffer |
 | test3.cpp:119:9:119:14 | buffer | semmle.label | buffer |
 | test3.cpp:126:9:126:23 | global_password | semmle.label | global_password |
+| test3.cpp:126:9:126:23 | global_password | semmle.label | global_password |
+| test3.cpp:134:11:134:18 | password | semmle.label | password |
 | test3.cpp:134:11:134:18 | password | semmle.label | password |
 | test3.cpp:138:21:138:22 | call to id | semmle.label | call to id |
 | test3.cpp:138:24:138:32 | password1 | semmle.label | password1 |
+| test3.cpp:138:24:138:32 | password1 | semmle.label | password1 |
 | test3.cpp:140:15:140:17 | ptr | semmle.label | ptr |
 | test3.cpp:144:16:144:29 | call to get_global_str | semmle.label | call to get_global_str |
 | test3.cpp:146:15:146:18 | data | semmle.label | data |
 | test3.cpp:157:19:157:26 | password | semmle.label | password |
+| test3.cpp:157:19:157:26 | password | semmle.label | password |
 | test3.cpp:159:15:159:20 | buffer | semmle.label | buffer |
 | test3.cpp:173:15:173:22 | password | semmle.label | password |
 | test3.cpp:173:15:173:22 | password | semmle.label | password |
@@ -77,35 +145,49 @@ nodes
 | test3.cpp:175:19:175:26 | password | semmle.label | password |
 | test3.cpp:181:15:181:22 | password | semmle.label | password |
 | test3.cpp:181:15:181:22 | password | semmle.label | password |
+| test3.cpp:182:3:182:10 | password | semmle.label | password |
 | test3.cpp:184:3:184:17 | call to decrypt_inplace | semmle.label | call to decrypt_inplace |
 | test3.cpp:184:19:184:26 | password | semmle.label | password |
 | test3.cpp:184:19:184:26 | password | semmle.label | password |
 | test3.cpp:191:15:191:22 | password | semmle.label | password |
 | test3.cpp:191:15:191:22 | password | semmle.label | password |
+| test3.cpp:193:3:193:14 | password_ptr | semmle.label | password_ptr |
 | test3.cpp:193:18:193:28 | call to rtn_decrypt | semmle.label | call to rtn_decrypt |
 | test3.cpp:193:30:193:37 | password | semmle.label | password |
 | test3.cpp:193:30:193:37 | password | semmle.label | password |
 | test3.cpp:199:3:199:17 | call to encrypt_inplace | semmle.label | call to encrypt_inplace |
 | test3.cpp:199:19:199:26 | password | semmle.label | password |
 | test3.cpp:199:19:199:26 | password | semmle.label | password |
 | test3.cpp:201:15:201:22 | password | semmle.label | password |
+| test3.cpp:201:32:201:39 | password | semmle.label | password |
 | test3.cpp:207:3:207:17 | call to encrypt_inplace | semmle.label | call to encrypt_inplace |
 | test3.cpp:207:19:207:26 | password | semmle.label | password |
 | test3.cpp:207:19:207:26 | password | semmle.label | password |
+| test3.cpp:208:3:208:10 | password | semmle.label | password |
 | test3.cpp:210:15:210:22 | password | semmle.label | password |
+| test3.cpp:210:32:210:39 | password | semmle.label | password |
+| test3.cpp:217:3:217:14 | password_ptr | semmle.label | password_ptr |
 | test3.cpp:217:18:217:28 | call to rtn_encrypt | semmle.label | call to rtn_encrypt |
 | test3.cpp:217:18:217:28 | call to rtn_encrypt | semmle.label | call to rtn_encrypt |
 | test3.cpp:217:30:217:37 | password | semmle.label | password |
 | test3.cpp:217:30:217:37 | password | semmle.label | password |
 | test3.cpp:219:15:219:26 | password_ptr | semmle.label | password_ptr |
+| test3.cpp:219:36:219:47 | password_ptr | semmle.label | password_ptr |
 | test3.cpp:227:22:227:29 | password | semmle.label | password |
 | test3.cpp:228:26:228:33 | password | semmle.label | password |
 | test3.cpp:241:8:241:15 | password | semmle.label | password |
 | test3.cpp:241:8:241:15 | password | semmle.label | password |
 | test3.cpp:242:8:242:15 | password | semmle.label | password |
+| test.cpp:45:9:45:19 | thePassword | semmle.label | thePassword |
 | test.cpp:48:21:48:27 | call to encrypt | semmle.label | call to encrypt |
 | test.cpp:48:29:48:39 | thePassword | semmle.label | thePassword |
 | test.cpp:48:29:48:39 | thePassword | semmle.label | thePassword |
+| test.cpp:58:11:58:16 | passwd | semmle.label | passwd |
+| test.cpp:58:11:58:16 | passwd | semmle.label | passwd |
+| test.cpp:61:11:61:16 | passwd | semmle.label | passwd |
+| test.cpp:70:38:70:48 | thePassword | semmle.label | thePassword |
+| test.cpp:73:43:73:53 | thePassword | semmle.label | thePassword |
+| test.cpp:73:63:73:73 | thePassword | semmle.label | thePassword |
 | test.cpp:76:21:76:27 | call to encrypt | semmle.label | call to encrypt |
 | test.cpp:76:29:76:39 | thePassword | semmle.label | thePassword |
 | test.cpp:76:29:76:39 | thePassword | semmle.label | thePassword |
@@ -128,4 +210,3 @@ subpaths
 | test3.cpp:228:2:228:5 | call to send | test3.cpp:228:26:228:33 | password | test3.cpp:228:26:228:33 | password | This operation transmits 'password', which may contain unencrypted sensitive data from $@ | test3.cpp:228:26:228:33 | password | password |
 | test3.cpp:241:2:241:6 | call to fgets | test3.cpp:241:8:241:15 | password | test3.cpp:241:8:241:15 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@ | test3.cpp:241:8:241:15 | password | password |
 | test3.cpp:242:2:242:6 | call to fgets | test3.cpp:241:8:241:15 | password | test3.cpp:242:8:242:15 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@ | test3.cpp:241:8:241:15 | password | password |
-| test3.cpp:242:2:242:6 | call to fgets | test3.cpp:242:8:242:15 | password | test3.cpp:242:8:242:15 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@ | test3.cpp:242:8:242:15 | password | password |
