C++: Rewrite 'cpp/user-controlled-bypass' away from 'DefaultTaintTracking'.

MathiasVP · MathiasVP · commit 5604fd7d80d1 · 2023-11-23T17:35:54.000Z
diff --git a/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql b/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql
@@ -12,8 +12,10 @@
  *       external/cwe/cwe-290
  */
 
-import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl
-import TaintedWithPath
+import cpp
+import semmle.code.cpp.dataflow.new.TaintTracking
+import semmle.code.cpp.security.FlowSources as FS
+import Flow::PathGraph
 
 string getATopLevelDomain() {
   result =
@@ -46,6 +48,12 @@ predicate useOfHardCodedAddressOrIP(Expr use) {
   )
 }
 
+Expr getExprWithoutNot(Expr expr) {
+  result = expr and not expr instanceof NotExpr
+  or
+  result = getExprWithoutNot(expr.(NotExpr).getOperand()) and expr instanceof NotExpr
+}
+
 /**
  * Find `IfStmt`s that have a hard-coded IP or web address in
  * their condition. If the condition also depends on an
@@ -57,16 +65,31 @@ predicate hardCodedAddressInCondition(Expr subexpression, Expr condition) {
   // One of the sub-expressions of the condition is a hard-coded
   // IP or web-address.
   exists(Expr use | use = condition.getAChild+() | useOfHardCodedAddressOrIP(use)) and
-  condition = any(IfStmt ifStmt).getCondition()
+  condition = getExprWithoutNot(any(IfStmt ifStmt).getCondition())
+}
+
+predicate isSource(FS::FlowSource source, string sourceType) {
+  source.getSourceType() = sourceType and not source instanceof DataFlow::ExprNode
 }
 
-class Configuration extends TaintTrackingConfiguration {
-  override predicate isSink(Element sink) { hardCodedAddressInCondition(sink, _) }
+predicate isSink(DataFlow::Node sink, Expr condition) {
+  hardCodedAddressInCondition([sink.asExpr(), sink.asIndirectExpr()], condition)
 }
 
-from Expr subexpression, Expr source, Expr condition, PathNode sourceNode, PathNode sinkNode
+module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { isSource(source, _) }
+
+  predicate isSink(DataFlow::Node sink) { isSink(sink, _) }
+}
+
+module Flow = TaintTracking::Global<Config>;
+
+from
+  Expr subexpression, Expr condition, Flow::PathNode source, Flow::PathNode sink, string sourceType
 where
   hardCodedAddressInCondition(subexpression, condition) and
-  taintedWithPath(source, subexpression, sourceNode, sinkNode)
-select condition, sourceNode, sinkNode,
-  "Untrusted input $@ might be vulnerable to a spoofing attack.", source, source.toString()
+  isSource(source.getNode(), sourceType) and
+  Flow::flowPath(source, sink) and
+  isSink(sink.getNode(), condition)
+select condition, source, sink, "Untrusted input $@ might be vulnerable to a spoofing attack.",
+  source, sourceType
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/AuthenticationBypass.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/AuthenticationBypass.expected
@@ -1,54 +1,26 @@
 edges
-| test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address |
-| test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address |
-| test.cpp:16:25:16:42 | call to getenv | test.cpp:20:14:20:20 | address |
-| test.cpp:16:25:16:42 | call to getenv | test.cpp:20:14:20:20 | address |
-| test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address |
-| test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address |
-| test.cpp:27:25:27:42 | call to getenv | test.cpp:31:14:31:20 | address |
-| test.cpp:27:25:27:42 | call to getenv | test.cpp:31:14:31:20 | address |
-| test.cpp:38:25:38:30 | call to getenv | test.cpp:42:14:42:20 | address |
-| test.cpp:38:25:38:30 | call to getenv | test.cpp:42:14:42:20 | address |
-| test.cpp:38:25:38:42 | call to getenv | test.cpp:42:14:42:20 | address |
-| test.cpp:38:25:38:42 | call to getenv | test.cpp:42:14:42:20 | address |
-| test.cpp:49:25:49:30 | call to getenv | test.cpp:52:14:52:20 | address |
-| test.cpp:49:25:49:30 | call to getenv | test.cpp:52:14:52:20 | address |
-| test.cpp:49:25:49:30 | call to getenv | test.cpp:56:14:56:20 | address |
-| test.cpp:49:25:49:30 | call to getenv | test.cpp:56:14:56:20 | address |
-| test.cpp:49:25:49:30 | call to getenv | test.cpp:60:14:60:20 | address |
-| test.cpp:49:25:49:30 | call to getenv | test.cpp:60:14:60:20 | address |
-| test.cpp:49:25:49:42 | call to getenv | test.cpp:52:14:52:20 | address |
-| test.cpp:49:25:49:42 | call to getenv | test.cpp:52:14:52:20 | address |
-| test.cpp:49:25:49:42 | call to getenv | test.cpp:56:14:56:20 | address |
-| test.cpp:49:25:49:42 | call to getenv | test.cpp:56:14:56:20 | address |
-| test.cpp:49:25:49:42 | call to getenv | test.cpp:60:14:60:20 | address |
-| test.cpp:49:25:49:42 | call to getenv | test.cpp:60:14:60:20 | address |
-subpaths
+| test.cpp:16:25:16:42 | call to getenv indirection | test.cpp:20:14:20:20 | address indirection |
+| test.cpp:27:25:27:42 | call to getenv indirection | test.cpp:31:14:31:20 | address indirection |
+| test.cpp:38:25:38:42 | call to getenv indirection | test.cpp:42:14:42:20 | address indirection |
+| test.cpp:49:25:49:42 | call to getenv indirection | test.cpp:52:14:52:20 | address indirection |
+| test.cpp:49:25:49:42 | call to getenv indirection | test.cpp:56:14:56:20 | address indirection |
+| test.cpp:49:25:49:42 | call to getenv indirection | test.cpp:60:14:60:20 | address indirection |
 nodes
-| test.cpp:16:25:16:30 | call to getenv | semmle.label | call to getenv |
-| test.cpp:16:25:16:42 | call to getenv | semmle.label | call to getenv |
-| test.cpp:20:14:20:20 | address | semmle.label | address |
-| test.cpp:20:14:20:20 | address | semmle.label | address |
-| test.cpp:27:25:27:30 | call to getenv | semmle.label | call to getenv |
-| test.cpp:27:25:27:42 | call to getenv | semmle.label | call to getenv |
-| test.cpp:31:14:31:20 | address | semmle.label | address |
-| test.cpp:31:14:31:20 | address | semmle.label | address |
-| test.cpp:38:25:38:30 | call to getenv | semmle.label | call to getenv |
-| test.cpp:38:25:38:42 | call to getenv | semmle.label | call to getenv |
-| test.cpp:42:14:42:20 | address | semmle.label | address |
-| test.cpp:42:14:42:20 | address | semmle.label | address |
-| test.cpp:49:25:49:30 | call to getenv | semmle.label | call to getenv |
-| test.cpp:49:25:49:42 | call to getenv | semmle.label | call to getenv |
-| test.cpp:52:14:52:20 | address | semmle.label | address |
-| test.cpp:52:14:52:20 | address | semmle.label | address |
-| test.cpp:56:14:56:20 | address | semmle.label | address |
-| test.cpp:56:14:56:20 | address | semmle.label | address |
-| test.cpp:60:14:60:20 | address | semmle.label | address |
-| test.cpp:60:14:60:20 | address | semmle.label | address |
+| test.cpp:16:25:16:42 | call to getenv indirection | semmle.label | call to getenv indirection |
+| test.cpp:20:14:20:20 | address indirection | semmle.label | address indirection |
+| test.cpp:27:25:27:42 | call to getenv indirection | semmle.label | call to getenv indirection |
+| test.cpp:31:14:31:20 | address indirection | semmle.label | address indirection |
+| test.cpp:38:25:38:42 | call to getenv indirection | semmle.label | call to getenv indirection |
+| test.cpp:42:14:42:20 | address indirection | semmle.label | address indirection |
+| test.cpp:49:25:49:42 | call to getenv indirection | semmle.label | call to getenv indirection |
+| test.cpp:52:14:52:20 | address indirection | semmle.label | address indirection |
+| test.cpp:56:14:56:20 | address indirection | semmle.label | address indirection |
+| test.cpp:60:14:60:20 | address indirection | semmle.label | address indirection |
+subpaths
 #select
-| test.cpp:20:7:20:12 | call to strcmp | test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:16:25:16:30 | call to getenv | call to getenv |
-| test.cpp:31:7:31:12 | call to strcmp | test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:27:25:27:30 | call to getenv | call to getenv |
-| test.cpp:42:7:42:12 | call to strcmp | test.cpp:38:25:38:30 | call to getenv | test.cpp:42:14:42:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:38:25:38:30 | call to getenv | call to getenv |
-| test.cpp:52:7:52:12 | call to strcmp | test.cpp:49:25:49:30 | call to getenv | test.cpp:52:14:52:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:49:25:49:30 | call to getenv | call to getenv |
-| test.cpp:56:7:56:12 | call to strcmp | test.cpp:49:25:49:30 | call to getenv | test.cpp:56:14:56:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:49:25:49:30 | call to getenv | call to getenv |
-| test.cpp:60:7:60:12 | call to strcmp | test.cpp:49:25:49:30 | call to getenv | test.cpp:60:14:60:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:49:25:49:30 | call to getenv | call to getenv |
+| test.cpp:20:7:20:12 | call to strcmp | test.cpp:16:25:16:42 | call to getenv indirection | test.cpp:20:14:20:20 | address indirection | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:16:25:16:42 | call to getenv indirection | an environment variable |
+| test.cpp:31:7:31:12 | call to strcmp | test.cpp:27:25:27:42 | call to getenv indirection | test.cpp:31:14:31:20 | address indirection | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:27:25:27:42 | call to getenv indirection | an environment variable |
+| test.cpp:42:7:42:12 | call to strcmp | test.cpp:38:25:38:42 | call to getenv indirection | test.cpp:42:14:42:20 | address indirection | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:38:25:38:42 | call to getenv indirection | an environment variable |
+| test.cpp:52:7:52:12 | call to strcmp | test.cpp:49:25:49:42 | call to getenv indirection | test.cpp:52:14:52:20 | address indirection | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:49:25:49:42 | call to getenv indirection | an environment variable |
+| test.cpp:56:7:56:12 | call to strcmp | test.cpp:49:25:49:42 | call to getenv indirection | test.cpp:56:14:56:20 | address indirection | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:49:25:49:42 | call to getenv indirection | an environment variable |
+| test.cpp:60:7:60:12 | call to strcmp | test.cpp:49:25:49:42 | call to getenv indirection | test.cpp:60:14:60:20 | address indirection | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:49:25:49:42 | call to getenv indirection | an environment variable |
