
Commit 8253f2d

committed
C++: Update UnsafeDaclSecurityDescriptor with DataFlow::ConfigSig
1 parent 7fe1a94 commit 8253f2d


1 file changed

+13
-14
lines changed


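--- a/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
+++ b/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
@@ -15,7 +15,6 @@
 
 import cpp
 import semmle.code.cpp.ir.dataflow.DataFlow
-import semmle.code.cpp.ir.dataflow.DataFlow2
 
 /**
  * A function call to SetSecurityDescriptorDacl to set the ACL, specified by (2nd argument) bDaclPresent = TRUE
@@ -30,26 +29,24 @@ class SetSecurityDescriptorDaclFunctionCall extends FunctionCall {
 /**
  * Dataflow that detects a call to SetSecurityDescriptorDacl with a NULL DACL as the pDacl argument
  */
-class NullDaclConfig extends DataFlow::Configuration {
-  NullDaclConfig() { this = "NullDaclConfig" }
+module NullDaclConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source.asExpr() instanceof NullValue }
 
-  override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof NullValue }
-
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
     exists(SetSecurityDescriptorDaclFunctionCall call, VariableAccess val | val = sink.asExpr() |
       val = call.getArgument(2)
     )
   }
 }
 
+module NullDaclFlow = DataFlow::Make<NullDaclConfig>;
+
 /**
  * Dataflow that detects a call to SetSecurityDescriptorDacl with a pDacl
  * argument that's _not_ likely to be NULL.
  */
-class NonNullDaclConfig extends DataFlow2::Configuration {
-  NonNullDaclConfig() { this = "NonNullDaclConfig" }
-
-  override predicate isSource(DataFlow::Node source) {
+module NonNullDaclConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
     source.getType().getUnspecifiedType().(PointerType).getBaseType() =
       any(Type t | t.getName() = "ACL").getUnspecifiedType() and
     (
@@ -68,11 +65,13 @@ class NonNullDaclConfig extends DataFlow2::Configuration {
     )
   }
 
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
     exists(SetSecurityDescriptorDaclFunctionCall call | sink.asExpr() = call.getArgument(2))
   }
 }
 
+module NonNullDaclFlow = DataFlow::Make<NonNullDaclConfig>;
+
 from SetSecurityDescriptorDaclFunctionCall call, string message
 where
   exists(NullValue nullExpr |
@@ -83,13 +82,13 @@ where
     call.getArgument(2) = nullExpr
   )
   or
-  exists(VariableAccess var, NullDaclConfig nullDaclConfig, NonNullDaclConfig nonNullDaclConfig |
+  exists(VariableAccess var |
     message =
       "Setting a DACL to NULL in a SECURITY_DESCRIPTOR using variable " + var +
       " that is set to NULL will result in an unprotected object."
   |
     var = call.getArgument(2) and
-    nullDaclConfig.hasFlowToExpr(var) and
-    not nonNullDaclConfig.hasFlowToExpr(var)
+    NullDaclFlow::hasFlowToExpr(var) and
+    not NonNullDaclFlow::hasFlowToExpr(var)
   )
 select call, message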
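Review bot: The two new module aliases `NullDaclFlow` and `NonNullDaclFlow` are undocumented, while every other top-level declaration in the file carries a QLDoc block; a reader of the `where` clause has to scroll back to the `Make<...>` lines to learn which flow suppresses which. Above `module NullDaclFlow = DataFlow::Make<NullDaclConfig>;` add `/** Global flow from a NULL literal to the pDacl argument of SetSecurityDescriptorDacl. */`, and above `module NonNullDaclFlow = DataFlow::Make<NonNullDaclConfig>;` add `/** Global flow from a non-NULL ACL pointer to the same argument; used to suppress the NullDaclFlow result when a real DACL may also reach it. */`. It would also help to note next to `not NonNullDaclFlow::hasFlowToExpr(var)` that this negation trades recall for precision, since any reachable non-NULL ACL on another path silences the alert even if the NULL assignment dominates the call. The `where` clause in the last hunk begins before the hunk starts.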
