C++: Fix queries. Since there's no longer indirect -> direct flow in

taint-tracking we need to make sure the affected sink definitions also
handle indirect flow.

Author: MathiasVP

cpp/ql/src/Critical/OverflowDestination.ql

@@ -71,7 +71,7 @@ class OverflowDestinationConfig extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node source) { source instanceof FlowSource }
 
-  override predicate isSink(DataFlow::Node sink) { sourceSized(_, sink.asConvertedExpr()) }
+  override predicate isSink(DataFlow::Node sink) { sourceSized(_, sink.asIndirectConvertedExpr()) }
 
   override predicate isSanitizer(DataFlow::Node node) {
     exists(Variable checkedVar |
@@ -91,6 +91,6 @@ from
   DataFlow::PathNode sink
 where
   conf.hasFlowPath(source, sink) and
-  sourceSized(fc, sink.getNode().asConvertedExpr())
+  sourceSized(fc, sink.getNode().asIndirectConvertedExpr())
 select fc, source, sink,
   "To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size."

cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql

@@ -57,9 +57,12 @@ predicate underscoreMacro(Expr e) {
  */
 predicate cannotContainString(Type t, boolean isIndirect) {
   isIndirect = false and
-  (
-    t.getUnspecifiedType() instanceof BuiltInType or
-    t.getUnspecifiedType() instanceof IntegralOrEnumType
+  exists(Type unspecified |
+    unspecified = t.getUnspecifiedType() and
+    not unspecified instanceof UnknownType
+  |
+    unspecified instanceof BuiltInType or
+    unspecified instanceof IntegralOrEnumType
   )
 }
 
@@ -124,6 +127,11 @@ predicate isSanitizerNode(DataFlow::Node node) {
   cannotContainString(node.getType(), false)
 }
 
+predicate isSinkImpl(DataFlow::Node sink, Expr formatString) {
+  [sink.asExpr(), sink.asIndirectExpr()] = formatString and
+  exists(FormattingFunctionCall fc | formatString = fc.getArgument(fc.getFormatParameterIndex()))
+}
+
 class NonConstFlow extends TaintTracking::Configuration {
   NonConstFlow() { this = "NonConstFlow" }
 
@@ -135,9 +143,7 @@ class NonConstFlow extends TaintTracking::Configuration {
     )
   }
 
-  override predicate isSink(DataFlow::Node sink) {
-    exists(FormattingFunctionCall fc | sink.asExpr() = fc.getArgument(fc.getFormatParameterIndex()))
-  }
+  override predicate isSink(DataFlow::Node sink) { isSinkImpl(sink, _) }
 
   override predicate isSanitizer(DataFlow::Node node) { isSanitizerNode(node) }
 }
@@ -147,7 +153,7 @@ where
   call.getArgument(call.getFormatParameterIndex()) = formatString and
   exists(NonConstFlow cf, DataFlow::Node sink |
     cf.hasFlowTo(sink) and
-    sink.asExpr() = formatString
+    isSinkImpl(sink, formatString)
   )
 select formatString,
   "The format string argument to " + call.getTarget().getName() +

cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql

@@ -48,9 +48,11 @@ class ToBufferConfiguration extends TaintTracking::Configuration {
     node.asExpr().getUnspecifiedType() instanceof IntegralType
   }
 
-  override predicate isSink(DataFlow::Node sink) {
-    exists(SensitiveBufferWrite w | w.getASource() = sink.asExpr())
-  }
+  override predicate isSink(DataFlow::Node sink) { isSinkImpl(sink, _) }
+}
+
+predicate isSinkImpl(DataFlow::Node sink, SensitiveBufferWrite w) {
+  w.getASource() = sink.asIndirectExpr()
 }
 
 from
@@ -59,7 +61,7 @@ from
 where
   config.hasFlowPath(sourceNode, sinkNode) and
   sourceNode.getNode() = source and
-  w.getASource() = sinkNode.getNode().asExpr()
+  isSinkImpl(sinkNode.getNode(), w)
 select w, sourceNode, sinkNode,
   "This write into buffer '" + w.getDest().toString() + "' may contain unencrypted data from $@.",
   source, "user input (" + source.getSourceType() + ")"

cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql

@@ -26,15 +26,32 @@ import DataFlow::PathGraph
 class FromSensitiveConfiguration extends TaintTracking::Configuration {
   FromSensitiveConfiguration() { this = "FromSensitiveConfiguration" }
 
-  override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof SensitiveExpr }
+  override predicate isSource(DataFlow::Node source) { isSourceImpl(source, _) }
 
-  override predicate isSink(DataFlow::Node sink) { any(FileWrite w).getASource() = sink.asExpr() }
+  override predicate isSink(DataFlow::Node sink) { isSinkImpl(sink, _, _) }
 
   override predicate isSanitizer(DataFlow::Node node) {
     node.asExpr().getUnspecifiedType() instanceof IntegralType
   }
 }
 
+predicate isSinkImpl(DataFlow::Node sink, FileWrite w, Expr dest) {
+  exists(Expr e |
+    e = [sink.asExpr(), sink.asIndirectExpr()] and
+    w.getASource() = e and
+    dest = w.getDest() and
+    // ignore things written with other conversion characters
+    not exists(string convChar | convChar = w.getSourceConvChar(e) | not convChar = ["s", "S"]) and
+    // exclude calls with standard streams
+    not dest.(VariableAccess).getTarget().getName() = ["stdin", "stdout", "stderr"]
+  )
+}
+
+predicate isSourceImpl(DataFlow::Node source, SensitiveExpr sensitive) {
+  not isFileName(globalValueNumber(sensitive)) and // file names are not passwords
+  source.asExpr() = sensitive
+}
+
 /**
  * An operation on a filename.
  */
@@ -61,17 +78,12 @@ predicate isFileName(GVN gvn) {
 }
 
 from
-  FromSensitiveConfiguration config, SensitiveExpr source, DataFlow::PathNode sourceNode, Expr mid,
+  FromSensitiveConfiguration config, SensitiveExpr source, DataFlow::PathNode sourceNode,
   DataFlow::PathNode midNode, FileWrite w, Expr dest
 where
   config.hasFlowPath(sourceNode, midNode) and
-  sourceNode.getNode().asExpr() = source and
-  midNode.getNode().asExpr() = mid and
-  mid = w.getASource() and
-  dest = w.getDest() and
-  not dest.(VariableAccess).getTarget().getName() = ["stdin", "stdout", "stderr"] and // exclude calls with standard streams
-  not isFileName(globalValueNumber(source)) and // file names are not passwords
-  not exists(string convChar | convChar = w.getSourceConvChar(mid) | not convChar = ["s", "S"]) // ignore things written with other conversion characters
+  isSourceImpl(sourceNode.getNode(), source) and
+  isSinkImpl(midNode.getNode(), w, dest)
 select w, sourceNode, midNode,
   "This write into file '" + dest.toString() + "' may contain unencrypted data from $@.", source,
   "this source."

cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql

@@ -208,7 +208,7 @@ class Encrypted extends Expr {
  * operation `nsr`.
  */
 predicate isSinkSendRecv(DataFlow::Node sink, NetworkSendRecv nsr) {
-  sink.asConvertedExpr() = nsr.getDataExpr().getFullyConverted()
+  [sink.asIndirectConvertedExpr(), sink.asConvertedExpr()] = nsr.getDataExpr().getFullyConverted()
 }
 
 /**

cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql

@@ -59,11 +59,11 @@ class HttpStringToUrlOpenConfig extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node src) {
     // Sources are strings containing an HTTP URL not in a private domain.
-    src.asExpr() instanceof HttpStringLiteral and
+    src.asIndirectExpr() instanceof HttpStringLiteral and
     // block taint starting at `strstr`, which is likely testing an existing URL, rather than constructing an HTTP URL.
     not exists(FunctionCall fc |
       fc.getTarget().getName() = ["strstr", "strcasestr"] and
-      fc.getArgument(1) = globalValueNumber(src.asExpr()).getAnExpr()
+      fc.getArgument(1) = globalValueNumber(src.asIndirectExpr()).getAnExpr()
     )
   }
 
@@ -77,16 +77,16 @@ class HttpStringToUrlOpenConfig extends TaintTracking::Configuration {
               "system", "gethostbyname", "gethostbyname2", "gethostbyname_r", "getaddrinfo",
               "X509_load_http", "X509_CRL_load_http"
             ]) and
-      sink.asExpr() = fc.getArgument(0)
+      sink.asIndirectExpr() = fc.getArgument(0)
       or
       fc.getTarget().hasGlobalOrStdName(["send", "URLDownloadToFile", "URLDownloadToCacheFile"]) and
-      sink.asExpr() = fc.getArgument(1)
+      sink.asIndirectExpr() = fc.getArgument(1)
       or
       fc.getTarget().hasGlobalOrStdName(["curl_easy_setopt", "getnameinfo"]) and
-      sink.asExpr() = fc.getArgument(2)
+      sink.asIndirectExpr() = fc.getArgument(2)
       or
       fc.getTarget().hasGlobalOrStdName(["ShellExecute", "ShellExecuteA", "ShellExecuteW"]) and
-      sink.asExpr() = fc.getArgument(3)
+      sink.asIndirectExpr() = fc.getArgument(3)
     )
   }
 }
@@ -96,5 +96,5 @@ from
   HttpStringLiteral str
 where
   config.hasFlowPath(source, sink) and
-  str = source.getNode().asExpr()
+  str = source.getNode().asIndirectExpr()
 select str, source, sink, "This URL may be constructed with the HTTP protocol."

cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql

@@ -27,7 +27,7 @@ class ExposedSystemDataConfiguration extends TaintTracking::Configuration {
     exists(FunctionCall fc, FunctionInput input, int arg |
       fc.getTarget().(RemoteFlowSinkFunction).hasRemoteFlowSink(input, _) and
       input.isParameterDeref(arg) and
-      fc.getArgument(arg).getAChild*() = sink.asExpr()
+      fc.getArgument(arg).getAChild*() = sink.asIndirectExpr()
     )
   }
 }
@@ -39,7 +39,7 @@ where
     DataFlow::Node alt // remove duplicate results on conversions
   |
     config.hasFlow(source.getNode(), alt) and
-    alt.asConvertedExpr() = sink.getNode().asExpr() and
+    alt.asConvertedExpr() = sink.getNode().asIndirectExpr() and
     alt != sink.getNode()
   )
 select sink, source, sink, "This operation exposes system data from $@.", source,

cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql

@@ -39,7 +39,7 @@ class PotentiallyExposedSystemDataConfiguration extends TaintTracking::Configura
   }
 
   override predicate isSink(DataFlow::Node sink) {
-    exists(OutputWrite ow | ow.getASource().getAChild*() = sink.asExpr())
+    exists(OutputWrite ow | ow.getASource().getAChild*() = sink.asIndirectExpr())
   }
 }
 

cpp/ql/src/Security/CWE/CWE-497/SystemData.qll

@@ -34,7 +34,7 @@ class EnvData extends SystemData {
         .regexpMatch(".*(user|host|admin|root|home|path|http|ssl|snmp|sock|port|proxy|pass|token|crypt|key).*")
   }
 
-  override DataFlow::Node getAnExpr() { result.asConvertedExpr() = this }
+  override DataFlow::Node getAnExpr() { result.asIndirectConvertedExpr() = this }
 
   override predicate isSensitive() {
     this.(EnvironmentRead)
@@ -50,7 +50,7 @@ class EnvData extends SystemData {
 class SqlClientInfo extends SystemData {
   SqlClientInfo() { this.(FunctionCall).getTarget().hasName("mysql_get_client_info") }
 
-  override DataFlow::Node getAnExpr() { result.asConvertedExpr() = this }
+  override DataFlow::Node getAnExpr() { result.asIndirectConvertedExpr() = this }
 
   override predicate isSensitive() { any() }
 }
@@ -72,7 +72,7 @@ private predicate sqlConnectInfo(FunctionCall source, Expr use) {
 class SqlConnectInfo extends SystemData {
   SqlConnectInfo() { sqlConnectInfo(this, _) }
 
-  override DataFlow::Node getAnExpr() { sqlConnectInfo(this, result.asConvertedExpr()) }
+  override DataFlow::Node getAnExpr() { sqlConnectInfo(this, result.asExpr()) }
 
   override predicate isSensitive() { any() }
 }
@@ -114,7 +114,7 @@ private predicate posixPWInfo(FunctionCall source, DataFlow::Node use) {
   source
       .getTarget()
       .hasName(["getpwnam", "getpwuid", "getpwent", "getgrnam", "getgrgid", "getgrent"]) and
-  use.asConvertedExpr() = source
+  use.asIndirectExpr() = source
   or
   // int getpwnam_r(const char *name, struct passwd *pwd,
   //                char *buf, size_t buflen, struct passwd **result);
@@ -126,7 +126,7 @@ private predicate posixPWInfo(FunctionCall source, DataFlow::Node use) {
   //                char *buf, size_t buflen, struct group **result);
   source.getTarget().hasName(["getpwnam_r", "getpwuid_r", "getgrgid_r", "getgrnam_r"]) and
   (
-    use.asConvertedExpr() = source.getArgument([1, 2]) or
+    use.asExpr() = source.getArgument([1, 2]) or
     use.asDefiningArgument() = source.getArgument(4)
   )
   or
@@ -136,7 +136,7 @@ private predicate posixPWInfo(FunctionCall source, DataFlow::Node use) {
   //                size_t buflen, struct group **gbufp);
   source.getTarget().hasName(["getpwent_r", "getgrent_r"]) and
   (
-    use.asConvertedExpr() = source.getArgument([0, 1]) or
+    use.asExpr() = source.getArgument([0, 1]) or
     use.asDefiningArgument() = source.getArgument(3)
   )
 }
@@ -155,7 +155,7 @@ class PosixPWInfo extends SystemData {
 private predicate windowsSystemInfo(FunctionCall source, DataFlow::Node use) {
   // DWORD WINAPI GetVersion(void);
   source.getTarget().hasGlobalName("GetVersion") and
-  use.asConvertedExpr() = source
+  use.asExpr() = source
   or
   // BOOL WINAPI GetVersionEx(_Inout_ LPOSVERSIONINFO lpVersionInfo);
   // void WINAPI GetSystemInfo(_Out_ LPSYSTEM_INFO lpSystemInfo);
@@ -236,7 +236,7 @@ class WindowsFolderPath extends SystemData {
   override DataFlow::Node getAnExpr() { windowsFolderPath(this, result.asDefiningArgument()) }
 }
 
-private predicate logonUser(FunctionCall source, VariableAccess use) {
+private predicate logonUser(FunctionCall source, Expr use) {
   source.getTarget().hasGlobalName(["LogonUser", "LogonUserW", "LogonUserA"]) and
   use = source.getAnArgument()
 }
@@ -247,7 +247,7 @@ private predicate logonUser(FunctionCall source, VariableAccess use) {
 class LogonUser extends SystemData {
   LogonUser() { logonUser(this, _) }
 
-  override DataFlow::Node getAnExpr() { logonUser(this, result.asConvertedExpr()) }
+  override DataFlow::Node getAnExpr() { logonUser(this, result.asIndirectExpr()) }
 
   override predicate isSensitive() { any() }
 }