C++: Exclude results that are used as file names.

geoffw0 · geoffw0 · commit f8fed263e634 · 2021-07-22T17:40:25.000+01:00
diff --git a/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql b/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
@@ -15,10 +15,37 @@ import cpp
 import semmle.code.cpp.security.SensitiveExprs
 import semmle.code.cpp.security.FileWrite
 import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+
+/**
+ * An operation on a filename.
+ */
+predicate filenameOperation(FunctionCall op, Expr path) {
+  exists(string name | name = op.getTarget().getName() |
+    name =
+      [
+        "remove", "unlink", "rmdir", "rename", "fopen", "open", "freopen", "_open", "_wopen",
+        "_wfopen", "_fsopen", "_wfsopen", "chmod", "chown", "stat", "lstat", "fstat", "access", "_access", "_waccess", "_access_s", "_waccess_s"
+      ] and
+      path = op.getArgument(0)
+    or
+    name = ["fopen_s", "wfopen_s", "rename"] and
+    path = op.getArgument(1)
+  )
+}
+
+predicate isFileName(GVN gvn)
+{
+  exists(FunctionCall op, Expr path |
+    filenameOperation(op, path) and
+    gvn = globalValueNumber(path)
+  )
+}
 
 from FileWrite w, SensitiveExpr source, Expr dest
 where
   DataFlow::localFlow(DataFlow::exprNode(source), DataFlow::exprNode(w.getASource())) and
-  dest = w.getDest()
+  dest = w.getDest() and
+  not isFileName(globalValueNumber(source)) // file names are not passwords
 select w, "This write into file '" + dest.toString() + "' may contain unencrypted data from $@",
   source, "this source."
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected
@@ -6,7 +6,6 @@
 | test2.cpp:57:2:57:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:57:39:57:49 | call to getPassword | this source. |
 | test2.cpp:65:3:65:9 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:62:18:62:25 | password | this source. |
 | test2.cpp:79:2:79:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:79:36:79:43 | password | this source. |
-| test2.cpp:84:4:84:10 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:84:50:84:63 | passwd_config2 | this source. |
 | test.cpp:45:3:45:7 | call to fputs | This write into file 'file' may contain unencrypted data from $@ | test.cpp:45:9:45:19 | thePassword | this source. |
 | test.cpp:70:35:70:35 | call to operator<< | This write into file 'mystream' may contain unencrypted data from $@ | test.cpp:70:38:70:48 | thePassword | this source. |
 | test.cpp:73:37:73:41 | call to write | This write into file 'mystream' may contain unencrypted data from $@ | test.cpp:73:43:73:53 | thePassword | this source. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test2.cpp
@@ -81,7 +81,7 @@ void tests(FILE *log, myStruct &s)
 	{
 		if (fopen(s.passwd_config2, "rt") == 0)
 		{
-			fprintf(log, "could not open file '%s'.\n", s.passwd_config2); // GOOD [FALSE POSITIVE]
+			fprintf(log, "could not open file '%s'.\n", s.passwd_config2); // GOOD
 		}
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -81,7 +81,7 @@ void tests(FILE *log, myStruct &s)`
`81`	`81`	`{`
`82`	`82`	`if (fopen(s.passwd_config2, "rt") == 0)`
`83`	`83`	`{`
`84`		`- fprintf(log, "could not open file '%s'.\n", s.passwd_config2); // GOOD [FALSE POSITIVE]`
	`84`	`+ fprintf(log, "could not open file '%s'.\n", s.passwd_config2); // GOOD`
`85`	`85`	`}`
`86`	`86`	`}`
`87`	`87`