working on implementing pr fixes

dilanbhalla · dilanbhalla · commit 05a4798b5eb6 · 2020-07-08T09:19:46.000-07:00
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-359/PrivateCleartextBufferWrite.ql b/cpp/ql/src/experimental/Security/CWE/CWE-359/PrivateCleartextBufferWrite.ql
@@ -9,24 +9,61 @@
  *       external/cwe/cwe-312
  */
 
+
 import cpp
 import semmle.code.cpp.security.BufferWrite
-import semmle.code.cpp.security.TaintTracking
 import experimental.semmle.code.cpp.security.PrivateData
-import TaintedWithPath
+import semmle.code.cpp.dataflow.TaintTracking
+
+/** A call to any method whose name suggests that it encodes or encrypts the parameter. */
+class ProtectSanitizer extends DataFlow::ExprNode {
+  ProtectSanitizer() {
+    exists(Function m, string s |
+      this.getExpr().(FunctionCall).getTarget() = m and
+      m.getName().regexpMatch("(?i).*" + s + ".*")
+    |
+      s = "protect" or s = "encode" or s = "encrypt"
+    )
+  }
+}
 
-class Configuration extends TaintTrackingConfiguration {
-  override predicate isSink(Element tainted) { exists(BufferWrite w | w.getASource() = tainted) }
+class BufferConfig extends TaintTracking::Configuration {
+  BufferConfig() {
+    this = "Buffer store configuration"
+  }
+  override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof PrivateDataExpr }
+  override predicate isSink(DataFlow::Node sink) { exists(BufferWrite w | sink.asExpr() = w.getDest()) }
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof ProtectSanitizer }
 }
 
 from
-  BufferWrite w, Expr taintedArg, Expr taintSource, PathNode sourceNode, PathNode sinkNode,
-  string taintCause, PrivateDataExpr dest
+  BufferWrite w, BufferConfig b, Expr taintedArg, DataFlow::Node source, DataFlow::Node sink
 where
-  taintedWithPath(taintSource, taintedArg, sourceNode, sinkNode) and
-  isUserInput(taintSource, taintCause) and
-  w.getASource() = taintedArg and
-  dest = w.getDest()
-select w, sourceNode, sinkNode,
-  "This write into buffer '" + dest.toString() + "' may contain unencrypted data from $@",
-  taintSource, "user input (" + taintCause + ")"
+  b.hasFlow(source, sink) and
+  w.getASource() = taintedArg
+select w, source, sink, "This write into this buffer may contain unencrypted data"
+
+
+
+
+// import cpp
+// import semmle.code.cpp.security.BufferWrite
+// import semmle.code.cpp.security.TaintTracking
+// import experimental.semmle.code.cpp.security.PrivateData
+// import TaintedWithPath
+
+// class Configuration extends TaintTrackingConfiguration {
+//   override predicate isSink(Element tainted) { exists(BufferWrite w | w.getASource() = tainted) }
+// }
+
+// from
+//   BufferWrite w, Expr taintedArg, Expr taintSource, PathNode sourceNode, PathNode sinkNode,
+//   string taintCause, PrivateDataExpr dest
+// where
+//   taintedWithPath(taintSource, taintedArg, sourceNode, sinkNode) and
+//   isUserInput(taintSource, taintCause) and
+//   w.getASource() = taintedArg and
+//   dest = w.getDest()
+// select w, sourceNode, sinkNode,
+//   "This write into buffer '" + dest.toString() + "' may contain unencrypted data from $@",
+//   taintSource, "user input (" + taintCause + ")"
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-359/PrivateCleartextFileWrite.ql b/cpp/ql/src/experimental/Security/CWE/CWE-359/PrivateCleartextFileWrite.ql
@@ -1,21 +1,54 @@
 /**
  * @name Cleartext storage of sensitive information in file
- * @description Storing sensitive information in cleartext can expose it
+ * @description Storing private data in cleartext can expose it
  *              to an attacker.
- * @kind problem
+ * @kind path-problem
  * @problem.severity warning
  * @id cpp/private-cleartext-storage-file
  * @tags security
  *       external/cwe/cwe-313
  */
 
+
 import cpp
 import experimental.semmle.code.cpp.security.PrivateData
 import semmle.code.cpp.security.FileWrite
+import semmle.code.cpp.dataflow.TaintTracking
+
+/** A call to any method whose name suggests that it encodes or encrypts the parameter. */
+class ProtectSanitizer extends DataFlow::ExprNode {
+  ProtectSanitizer() {
+    exists(Function m, string s |
+      this.getExpr().(FunctionCall).getTarget() = m and
+      m.getName().regexpMatch("(?i).*" + s + ".*")
+    |
+      s = "protect" or s = "encode" or s = "encrypt"
+    )
+  }
+}
+
+class FileConfig extends TaintTracking::Configuration {
+  FileConfig() {
+    this = "File write configuration"
+  }
+  override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof PrivateDataExpr }
+  override predicate isSink(DataFlow::Node sink) { exists(FileWrite w | sink.asExpr() = w.getASource()) }
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof ProtectSanitizer }
+}
+
+from FileConfig b, DataFlow::Node source, DataFlow::Node sink
+where b.hasFlow(source, sink)
+select sink, "This file write may contain unencrypted data"
+
+
+
+// import cpp
+// import experimental.semmle.code.cpp.security.PrivateData
+// import semmle.code.cpp.security.FileWrite
 
-from FileWrite w, PrivateDataExpr source, Expr dest
-where
-  source = w.getASource() and
-  dest = w.getDest()
-select w, "This write into file '" + dest.toString() + "' may contain unencrypted data from $@",
-  source, "this source."
+// from FileWrite w, PrivateDataExpr source, Expr dest
+// where
+//   source = w.getASource() and
+//   dest = w.getDest()
+// select w, "This write into file '" + dest.toString() + "' may contain unencrypted data from $@",
+//   source, "this source."
