file/buffer write dataflow queries complete

Author: dilanbhalla

cpp/ql/src/experimental/Security/CWE/CWE-359/PrivateCleartextBufferWrite.qhelp

@@ -3,13 +3,13 @@
   "qhelp.dtd">
 <qhelp>
 <overview>
-<p>Private data that is stored unencrypted is accessible to an attacker who gains access to the
+<p>Private data that is stored in a file or buffer unencrypted is accessible to an attacker who gains access to the
 storage.</p>
 
 </overview>
 <recommendation>
 
-<p>Ensure that private data is always encrypted before being stored, especially before writing to a file.
+<p>Ensure that private data is always encrypted before being stored.
 It may be wise to encrypt information before it is put into a buffer that may be readable in memory.</p>
 
 <p>In general, decrypt private data only at the point where it is necessary for it to be used in

cpp/ql/src/experimental/Security/CWE/CWE-359/PrivateCleartextBufferWrite.ql

@@ -0,0 +1,20 @@
+/**
+ * @name Exposure of private information
+ * @description If private information is written to an external location, it may be accessible by
+ *              unauthorized persons.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id cpp/exposure-of-sensitive-information
+ * @tags security
+ *       external/cwe/cwe-359
+ */
+
+
+import cpp
+import experimental.semmle.code.cpp.security.PrivateCleartextWrite
+import experimental.semmle.code.cpp.security.PrivateCleartextWrite::PrivateCleartextWrite
+
+from WriteConfig b, DataFlow::Node source, DataFlow::Node sink
+where b.hasFlow(source, sink)
+select sink, "This write may contain unencrypted data"

cpp/ql/src/experimental/Security/CWE/CWE-359/PrivateCleartextFileWrite.qhelp

@@ -0,0 +1,14 @@
+import cpp
+import semmle.code.cpp.security.BufferWrite
+import semmle.code.cpp.security.FileWrite
+
+/**
+ * A write, to either a file or a buffer
+ */
+abstract class ExternalLocationSink extends DataFlow::ExprNode { }
+
+class Temp extends ExternalLocationSink {
+  Temp() {
+      none()
+    }
+}

cpp/ql/src/experimental/Security/CWE/CWE-359/PrivateCleartextFileWrite.ql

@@ -0,0 +1,66 @@
+/**
+ * Provides a taint-tracking configuration for reasoning about private information flowing unencrypted to an external location.
+ */
+
+import cpp
+import semmle.code.cpp.dataflow.TaintTracking
+import experimental.semmle.code.cpp.security.PrivateData
+import semmle.code.cpp.security.FileWrite
+import semmle.code.cpp.dataflow.TaintTracking
+import experimental.semmle.code.cpp.security.ExternalLocationSink
+
+module PrivateCleartextWrite {
+  /**
+   * A data flow source for private information flowing unencrypted to an external location.
+   */
+  abstract class Source extends DataFlow::ExprNode { }
+
+  /**
+   * A data flow sink for private information flowing unencrypted to an external location.
+   */
+  abstract class Sink extends DataFlow::ExprNode { }
+
+  /**
+   * A sanitizer for private information flowing unencrypted to an external location.
+   */
+  abstract class Sanitizer extends DataFlow::ExprNode { }
+
+  /** A call to any method whose name suggests that it encodes or encrypts the parameter. */
+  class ProtectSanitizer extends Sanitizer {
+    ProtectSanitizer() {
+      exists(Function m, string s |
+        this.getExpr().(FunctionCall).getTarget() = m and
+        m.getName().regexpMatch("(?i).*" + s + ".*")
+      |
+        s = "protect" or s = "encode" or s = "encrypt"
+      )
+    }
+  }
+
+  class WriteConfig extends TaintTracking::Configuration {
+    WriteConfig() { this = "Write configuration" }
+
+    override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+  }
+
+  class PrivateDataSource extends Source {
+    PrivateDataSource() { this.getExpr() instanceof PrivateDataExpr }
+  }
+
+  class WriteSink extends Sink {
+    WriteSink() {
+      exists(FileWrite f, BufferWrite b |
+        this.asExpr() = f.getASource()
+        or
+        this.asExpr() = b.getAChild()
+      )
+    }
+  }
+  // class ExternalLocation extends Sink {
+  //   ExternalLocation() { this instanceof ExternalLocationSink }
+  // }
+}