C++: Make sure we use an indirect sink only for the sinks that receive a

MathiasVP · MathiasVP · commit 8836cbae5b66 · 2023-03-06T11:22:58.000Z
pointer to the data. Also fix a bug where we used 'asExpr' instead
of 'asIndirectExpr'.
diff --git a/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql b/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql
@@ -39,7 +39,17 @@ class PotentiallyExposedSystemDataConfiguration extends TaintTracking::Configura
   }
 
   override predicate isSink(DataFlow::Node sink) {
-    exists(OutputWrite ow | ow.getASource().getAChild*() = sink.asIndirectExpr())
+    exists(OutputWrite ow, Expr child | child = ow.getASource().getAChild*() |
+      // Most sinks receive a pointer as an argument (for example `printf`),
+      // and we use an indirect sink for those.
+      // However, some sinks (for example `puts`) receive receive a single
+      // character as an argument. For those we have to use a direct sink.
+      if
+        child.getUnspecifiedType() instanceof PointerType or
+        child.getUnspecifiedType() instanceof ArrayType
+      then child = sink.asIndirectExpr()
+      else child = sink.asExpr()
+    )
   }
 }
 
diff --git a/cpp/ql/src/Security/CWE/CWE-497/SystemData.qll b/cpp/ql/src/Security/CWE/CWE-497/SystemData.qll
@@ -72,7 +72,7 @@ private predicate sqlConnectInfo(FunctionCall source, Expr use) {
 class SqlConnectInfo extends SystemData {
   SqlConnectInfo() { sqlConnectInfo(this, _) }
 
-  override DataFlow::Node getAnExpr() { sqlConnectInfo(this, result.asExpr()) }
+  override DataFlow::Node getAnExpr() { sqlConnectInfo(this, result.asIndirectExpr(1)) }
 
   override predicate isSensitive() { any() }
 }

Original file line number	Diff line number	Diff line change
`@@ -39,7 +39,17 @@ class PotentiallyExposedSystemDataConfiguration extends TaintTracking::Configura`
`39`	`39`	`}`
`40`	`40`
`41`	`41`	`override predicate isSink(DataFlow::Node sink) {`
`42`		`- exists(OutputWrite ow \| ow.getASource().getAChild*() = sink.asIndirectExpr())`
	`42`	`+ exists(OutputWrite ow, Expr child \| child = ow.getASource().getAChild*() \|`
	`43`	+ // Most sinks receive a pointer as an argument (for example `printf`),
	`44`	`+ // and we use an indirect sink for those.`
	`45`	+ // However, some sinks (for example `puts`) receive receive a single
	`46`	`+ // character as an argument. For those we have to use a direct sink.`
	`47`	`+ if`
	`48`	`+ child.getUnspecifiedType() instanceof PointerType or`
	`49`	`+ child.getUnspecifiedType() instanceof ArrayType`
	`50`	`+ then child = sink.asIndirectExpr()`
	`51`	`+ else child = sink.asExpr()`
	`52`	`+ )`
`43`	`53`	`}`
`44`	`54`	`}`
`45`	`55`
Original file line number	Diff line number	Diff line change
`@@ -72,7 +72,7 @@ private predicate sqlConnectInfo(FunctionCall source, Expr use) {`
`72`	`72`	`class SqlConnectInfo extends SystemData {`
`73`	`73`	`SqlConnectInfo() { sqlConnectInfo(this, _) }`
`74`	`74`
`75`		`- override DataFlow::Node getAnExpr() { sqlConnectInfo(this, result.asExpr()) }`
	`75`	`+ override DataFlow::Node getAnExpr() { sqlConnectInfo(this, result.asIndirectExpr(1)) }`
`76`	`76`
`77`	`77`	`override predicate isSensitive() { any() }`
`78`	`78`	`}`