C++: Modernize cpp/cleartext-storage-buffer.

geoffw0 · geoffw0 · commit 340b40e8f316 · 2022-01-25T13:54:42.000Z
diff --git a/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql b/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
@@ -13,21 +13,32 @@
 
 import cpp
 import semmle.code.cpp.security.BufferWrite
-import semmle.code.cpp.security.TaintTracking
 import semmle.code.cpp.security.SensitiveExprs
-import TaintedWithPath
+import semmle.code.cpp.security.Security
+import semmle.code.cpp.dataflow.TaintTracking
+import DataFlow::PathGraph
 
-class Configuration extends TaintTrackingConfiguration {
-  override predicate isSink(Element tainted) { exists(BufferWrite w | w.getASource() = tainted) }
+/**
+ * Taint flow from user input to a buffer write.
+ */
+class ToBufferConfiguration extends TaintTracking::Configuration {
+  ToBufferConfiguration() { this = "ToBufferConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { isUserInput(source.asExpr(), _) }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(BufferWrite w | w.getASource() = sink.asExpr())
+  }
 }
 
 from
-  BufferWrite w, Expr taintedArg, Expr taintSource, PathNode sourceNode, PathNode sinkNode,
-  string taintCause, SensitiveExpr dest
+  ToBufferConfiguration config, BufferWrite w, Expr taintSource, DataFlow::PathNode sourceNode,
+  DataFlow::PathNode sinkNode, string taintCause, SensitiveExpr dest
 where
-  taintedWithPath(taintSource, taintedArg, sourceNode, sinkNode) and
+  config.hasFlowPath(sourceNode, sinkNode) and
+  taintSource = sourceNode.getNode().asExpr() and
+  w.getASource() = sinkNode.getNode().asExpr() and
   isUserInput(taintSource, taintCause) and
-  w.getASource() = taintedArg and
   dest = w.getDest()
 select w, sourceNode, sinkNode,
   "This write into buffer '" + dest.toString() + "' may contain unencrypted data from $@",
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected
@@ -1,18 +1,8 @@
 edges
 | test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
-| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
-| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
-| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
-| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input indirection |
-| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input indirection |
-subpaths
 nodes
 | test.cpp:54:17:54:20 | argv | semmle.label | argv |
-| test.cpp:54:17:54:20 | argv | semmle.label | argv |
-| test.cpp:58:25:58:29 | input | semmle.label | input |
 | test.cpp:58:25:58:29 | input | semmle.label | input |
-| test.cpp:58:25:58:29 | input | semmle.label | input |
-| test.cpp:58:25:58:29 | input indirection | semmle.label | input indirection |
-| test.cpp:58:25:58:29 | input indirection | semmle.label | input indirection |
+subpaths
 #select
 | test.cpp:58:3:58:9 | call to sprintf | test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input | This write into buffer 'passwd' may contain unencrypted data from $@ | test.cpp:54:17:54:20 | argv | user input (argv) |
