
Commit 2e1b09f

committed
C++: Modernize flow sources.
1 parent 1bf9c19 commit 2e1b09f


2 files changed

+8
-17
lines changed


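--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
@@ -14,40 +14,31 @@
 import cpp
 import semmle.code.cpp.security.BufferWrite as BufferWrite
 import semmle.code.cpp.security.SensitiveExprs
-import semmle.code.cpp.security.Security
+import semmle.code.cpp.security.FlowSources
 import semmle.code.cpp.ir.dataflow.TaintTracking
 import DataFlow::PathGraph
 
-Expr exprForNode(DataFlow::Node n) {
-n = DataFlow::exprNode(result)
-or
-// (similar to DefaultTaintTracking's `getNodeForExpr`)
-n = DataFlow::definitionByReferenceNodeFromArgument(result) and
-not argv(result.(VariableAccess).getTarget())
-}
-
 /**
 * Taint flow from user input to a buffer write.
 */
 class ToBufferConfiguration extends TaintTracking::Configuration {
 ToBufferConfiguration() { this = "ToBufferConfiguration" }
 
-override predicate isSource(DataFlow::Node source) { isUserInput(exprForNode(source), _) }
+override predicate isSource(DataFlow::Node source) { source instanceof FlowSource }
 
 override predicate isSink(DataFlow::Node sink) {
 exists(BufferWrite::BufferWrite w | w.getASource() = sink.asExpr())
 }
 }
 
 from
-ToBufferConfiguration config, BufferWrite::BufferWrite w, Expr taintSource,
-DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode, string taintCause, SensitiveExpr dest
+ToBufferConfiguration config, BufferWrite::BufferWrite w, DataFlow::PathNode sourceNode,
+DataFlow::PathNode sinkNode, FlowSource source, SensitiveExpr dest
 where
 config.hasFlowPath(sourceNode, sinkNode) and
-taintSource = exprForNode(sourceNode.getNode()) and
+sourceNode.getNode() = source and
 w.getASource() = sinkNode.getNode().asExpr() and
-isUserInput(taintSource, taintCause) and
 dest = w.getDest()
 select w, sourceNode, sinkNode,
-"This write into buffer '" + dest.toString() + "' may contain unencrypted data from $@",
-taintSource, "user input (" + taintCause + ")"
+"This write into buffer '" + dest.toString() + "' may contain unencrypted data from $@", source,
+"user input (" + source.getSourceType() + ")"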
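Review bot: With `isSource` now defined as `source instanceof FlowSource`, the set of sources is whatever the FlowSources library models rather than what `isUserInput` plus the local `exprForNode` helper selected, and the only updated expectation in this commit covers the `argv` case. It would be worth adding a test with a non-`argv` source (for example data read from a file or socket into the sensitive buffer), so that any change in coverage for this CWE-311 query shows up in the `.expected` file. The QLDoc on `ToBufferConfiguration` could say the same, e.g. `* Taint flow from a FlowSource (user input as modelled by FlowSources) to a buffer write.` The alert text changes too (`user input (argv)` becomes `user input (a command-line argument)`), which presumably merits a change note because existing alert messages will differ. The hunk starts at line 14, so the query metadata header is not visible here.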

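--- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected
@@ -5,4 +5,4 @@ nodes
 | test.cpp:58:25:58:29 | input | semmle.label | input |
 subpaths
 #select
-| test.cpp:58:3:58:9 | call to sprintf | test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input | This write into buffer 'passwd' may contain unencrypted data from $@ | test.cpp:54:17:54:20 | argv | user input (argv) |
+| test.cpp:58:3:58:9 | call to sprintf | test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input | This write into buffer 'passwd' may contain unencrypted data from $@ | test.cpp:54:17:54:20 | argv | user input (a command-line argument) |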
