C++: Put paths in the remaining LGTM-suite queries

Author: jbj

cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql

@@ -2,7 +2,7 @@
  * @name CGI script vulnerable to cross-site scripting
  * @description Writing user input directly to a web page
  *              allows for a cross-site scripting vulnerability.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @precision high
  * @id cpp/cgi-xss
@@ -13,6 +13,7 @@
 import cpp
 import semmle.code.cpp.commons.Environment
 import semmle.code.cpp.security.TaintTracking
+import TaintedWithPath
 
 /** A call that prints its arguments to `stdout`. */
 class PrintStdoutCall extends FunctionCall {
@@ -27,8 +28,13 @@ class QueryString extends EnvironmentRead {
   QueryString() { getEnvironmentVariable() = "QUERY_STRING" }
 }
 
-from QueryString query, PrintStdoutCall call, Element printedArg
-where
-  call.getAnArgument() = printedArg and
-  tainted(query, printedArg)
-select printedArg, "Cross-site scripting vulnerability due to $@.", query, "this query data"
+class Configuration extends TaintTrackingConfiguration {
+  override predicate isSink(Element tainted) {
+    exists(PrintStdoutCall call | call.getAnArgument() = tainted)
+  }
+}
+
+from QueryString query, Element printedArg, PathNode sourceNode, PathNode sinkNode
+where taintedWithPath(query, printedArg, sourceNode, sinkNode)
+select printedArg, sourceNode, sinkNode, "Cross-site scripting vulnerability due to $@.", query,
+  "this query data"

cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql

@@ -3,7 +3,7 @@
  * @description Including user-supplied data in a SQL query without
  *              neutralizing special elements can make code vulnerable
  *              to SQL Injection.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @precision high
  * @id cpp/sql-injection
@@ -15,18 +15,27 @@ import cpp
 import semmle.code.cpp.security.Security
 import semmle.code.cpp.security.FunctionWithWrappers
 import semmle.code.cpp.security.TaintTracking
+import TaintedWithPath
 
 class SQLLikeFunction extends FunctionWithWrappers {
   SQLLikeFunction() { sqlArgument(this.getName(), _) }
 
   override predicate interestingArg(int arg) { sqlArgument(this.getName(), arg) }
 }
 
-from SQLLikeFunction runSql, Expr taintedArg, Expr taintSource, string taintCause, string callChain
+class Configuration extends TaintTrackingConfiguration {
+  override predicate isSink(Element tainted) {
+    exists(SQLLikeFunction runSql | runSql.outermostWrapperFunctionCall(tainted, _))
+  }
+}
+
+from
+  SQLLikeFunction runSql, Expr taintedArg, Expr taintSource, PathNode sourceNode, PathNode sinkNode,
+  string taintCause, string callChain
 where
   runSql.outermostWrapperFunctionCall(taintedArg, callChain) and
-  tainted(taintSource, taintedArg) and
+  taintedWithPath(taintSource, taintedArg, sourceNode, sinkNode) and
   isUserInput(taintSource, taintCause)
-select taintedArg,
+select taintedArg, sourceNode, sinkNode,
   "This argument to a SQL query function is derived from $@ and then passed to " + callChain,
   taintSource, "user input (" + taintCause + ")"

cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql

@@ -3,7 +3,7 @@
  * @description Using externally controlled strings in a process
  *              operation can allow an attacker to execute malicious
  *              commands.
- * @kind problem
+ * @kind path-problem
  * @problem.severity warning
  * @precision medium
  * @id cpp/uncontrolled-process-operation
@@ -14,13 +14,24 @@
 import cpp
 import semmle.code.cpp.security.Security
 import semmle.code.cpp.security.TaintTracking
+import TaintedWithPath
 
-from string processOperation, int processOperationArg, FunctionCall call, Expr arg, Element source
+predicate isProcessOperationExplanation(Expr arg, string processOperation) {
+  exists(int processOperationArg, FunctionCall call |
+    isProcessOperationArgument(processOperation, processOperationArg) and
+    call.getTarget().getName() = processOperation and
+    call.getArgument(processOperationArg) = arg
+  )
+}
+
+class Configuration extends TaintTrackingConfiguration {
+  override predicate isSink(Element arg) { isProcessOperationExplanation(arg, _) }
+}
+
+from string processOperation, Expr arg, Expr source, PathNode sourceNode, PathNode sinkNode
 where
-  isProcessOperationArgument(processOperation, processOperationArg) and
-  call.getTarget().getName() = processOperation and
-  call.getArgument(processOperationArg) = arg and
-  tainted(source, arg)
-select arg,
+  isProcessOperationExplanation(arg, processOperation) and
+  taintedWithPath(source, arg, sourceNode, sinkNode)
+select arg, sourceNode, sinkNode,
   "The value of this argument may come from $@ and is being passed to " + processOperation, source,
   source.toString()

cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql

@@ -2,7 +2,7 @@
  * @name Unbounded write
  * @description Buffer write operations that do not control the length
  *              of data written may overflow.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @precision medium
  * @id cpp/unbounded-write
@@ -16,6 +16,7 @@
 import semmle.code.cpp.security.BufferWrite
 import semmle.code.cpp.security.Security
 import semmle.code.cpp.security.TaintTracking
+import TaintedWithPath
 
 /*
  * --- Summary of CWE-120 alerts ---
@@ -54,32 +55,48 @@ predicate isUnboundedWrite(BufferWrite bw) {
  * }
  */
 
+/**
+ * Holds if `e` is a source buffer going into an unbounded write `bw` or a
+ * qualifier of (a qualifier of ...) such a source.
+ */
+predicate unboundedWriteSource(Expr e, BufferWrite bw) {
+  isUnboundedWrite(bw) and e = bw.getASource()
+  or
+  exists(FieldAccess fa | unboundedWriteSource(fa, bw) and e = fa.getQualifier())
+}
+
 /*
  * --- user input reach ---
  */
 
-/**
- * Identifies expressions that are potentially tainted with user
- * input.  Most of the work for this is actually done by the
- * TaintTracking library.
- */
-predicate tainted2(Expr expr, Expr inputSource, string inputCause) {
-  taintedIncludingGlobalVars(inputSource, expr, _) and
-  inputCause = inputSource.toString()
-  or
-  exists(Expr e | tainted2(e, inputSource, inputCause) |
-    // field accesses of a tainted struct are tainted
-    e = expr.(FieldAccess).getQualifier()
-  )
+class Configuration extends TaintTrackingConfiguration {
+  override predicate isSink(Element tainted) { unboundedWriteSource(tainted, _) }
+
+  override predicate taintThroughGlobals() { any() }
 }
 
 /*
  * --- put it together ---
  */
 
-from BufferWrite bw, Expr inputSource, string inputCause
+/*
+ * An unbounded write is, for example `strcpy(..., tainted)`. We're looking
+ * for a tainted source buffer of an unbounded write, where this source buffer
+ * is a sink in the taint-tracking analysis.
+ *
+ * In the case of `gets` and `scanf`, where the source buffer is implicit, the
+ * `BufferWrite` library reports the source buffer to be the same as the
+ * destination buffer. Since those destination-buffer arguments are also
+ * modeled in the taint-tracking library as being _sources_ of taint, they are
+ * in practice reported as being tainted because the `security.TaintTracking`
+ * library does not distinguish between taint going into an argument and out of
+ * an argument. Thus, we get the desired alerts.
+ */
+
+from BufferWrite bw, Expr inputSource, Expr tainted, PathNode sourceNode, PathNode sinkNode
 where
-  isUnboundedWrite(bw) and
-  tainted2(bw.getASource(), inputSource, inputCause)
-select bw, "This '" + bw.getBWDesc() + "' with input from $@ may overflow the destination.",
-  inputSource, inputCause
+  taintedWithPath(inputSource, tainted, sourceNode, sinkNode) and
+  unboundedWriteSource(tainted, bw)
+select bw, sourceNode, sinkNode,
+  "This '" + bw.getBWDesc() + "' with input from $@ may overflow the destination.", inputSource,
+  inputSource.toString()

cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql

@@ -3,7 +3,7 @@
  * @description Authentication by checking that the peer's address
  *              matches a known IP or web address is unsafe as it is
  *              vulnerable to spoofing attacks.
- * @kind problem
+ * @kind path-problem
  * @problem.severity warning
  * @precision medium
  * @id cpp/user-controlled-bypass
@@ -12,6 +12,7 @@
  */
 
 import semmle.code.cpp.security.TaintTracking
+import TaintedWithPath
 
 predicate hardCodedAddressOrIP(StringLiteral txt) {
   exists(string s | s = txt.getValueText() |
@@ -102,16 +103,21 @@ predicate useOfHardCodedAddressOrIP(Expr use) {
  * untrusted input then it might be vulnerable to a spoofing
  * attack.
  */
-predicate hardCodedAddressInCondition(Expr source, Expr condition) {
-  // One of the sub-expressions of the condition is tainted.
-  exists(Expr taintedExpr | taintedExpr.getParent+() = condition | tainted(source, taintedExpr)) and
+predicate hardCodedAddressInCondition(Expr subexpression, Expr condition) {
+  subexpression = condition.getAChild+() and
   // One of the sub-expressions of the condition is a hard-coded
   // IP or web-address.
-  exists(Expr use | use.getParent+() = condition | useOfHardCodedAddressOrIP(use)) and
+  exists(Expr use | use = condition.getAChild+() | useOfHardCodedAddressOrIP(use)) and
   condition = any(IfStmt ifStmt).getCondition()
 }
 
-from Expr source, Expr condition
-where hardCodedAddressInCondition(source, condition)
-select condition, "Untrusted input $@ might be vulnerable to a spoofing attack.", source,
-  source.toString()
+class Configuration extends TaintTrackingConfiguration {
+  override predicate isSink(Element sink) { hardCodedAddressInCondition(sink, _) }
+}
+
+from Expr subexpression, Expr source, Expr condition, PathNode sourceNode, PathNode sinkNode
+where
+  hardCodedAddressInCondition(subexpression, condition) and
+  taintedWithPath(source, subexpression, sourceNode, sinkNode)
+select condition, sourceNode, sinkNode,
+  "Untrusted input $@ might be vulnerable to a spoofing attack.", source, source.toString()

cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql

@@ -2,7 +2,7 @@
  * @name Cleartext storage of sensitive information in buffer
  * @description Storing sensitive information in cleartext can expose it
  *              to an attacker.
- * @kind problem
+ * @kind path-problem
  * @problem.severity warning
  * @precision medium
  * @id cpp/cleartext-storage-buffer
@@ -14,12 +14,20 @@ import cpp
 import semmle.code.cpp.security.BufferWrite
 import semmle.code.cpp.security.TaintTracking
 import semmle.code.cpp.security.SensitiveExprs
+import TaintedWithPath
 
-from BufferWrite w, Expr taintedArg, Expr taintSource, string taintCause, SensitiveExpr dest
+class Configuration extends TaintTrackingConfiguration {
+  override predicate isSink(Element tainted) { exists(BufferWrite w | w.getASource() = tainted) }
+}
+
+from
+  BufferWrite w, Expr taintedArg, Expr taintSource, PathNode sourceNode, PathNode sinkNode,
+  string taintCause, SensitiveExpr dest
 where
-  tainted(taintSource, taintedArg) and
+  taintedWithPath(taintSource, taintedArg, sourceNode, sinkNode) and
   isUserInput(taintSource, taintCause) and
   w.getASource() = taintedArg and
   dest = w.getDest()
-select w, "This write into buffer '" + dest.toString() + "' may contain unencrypted data from $@",
+select w, sourceNode, sinkNode,
+  "This write into buffer '" + dest.toString() + "' may contain unencrypted data from $@",
   taintSource, "user input (" + taintCause + ")"

cpp/ql/src/Security/CWE/CWE-807/TaintedCondition.ql

@@ -3,7 +3,7 @@
  * @description Using untrusted inputs in a statement that makes a
  *              security decision makes code vulnerable to
  *              attack.
- * @kind problem
+ * @kind path-problem
  * @problem.severity warning
  * @precision medium
  * @id cpp/tainted-permissions-check
@@ -12,22 +12,29 @@
  */
 
 import semmle.code.cpp.security.TaintTracking
+import TaintedWithPath
 
-/**
- * Holds if there is an 'if' statement whose condition `condition`
- * is influenced by tainted data `source`, and the body contains
- * `raise` which escalates privilege.
- */
-predicate cwe807violation(Expr source, Expr condition, Expr raise) {
-  tainted(source, condition) and
+predicate sensitiveCondition(Expr condition, Expr raise) {
   raisesPrivilege(raise) and
   exists(IfStmt ifstmt |
     ifstmt.getCondition() = condition and
     raise.getEnclosingStmt().getParentStmt*() = ifstmt
   )
 }
 
-from Expr source, Expr condition, Expr raise
-where cwe807violation(source, condition, raise)
-select condition, "Reliance on untrusted input $@ to raise privilege at $@", source,
-  source.toString(), raise, raise.toString()
+class Configuration extends TaintTrackingConfiguration {
+  override predicate isSink(Element tainted) { sensitiveCondition(tainted, _) }
+}
+
+/*
+ * Produce an alert if there is an 'if' statement whose condition `condition`
+ * is influenced by tainted data `source`, and the body contains
+ * `raise` which escalates privilege.
+ */
+
+from Expr source, Expr condition, Expr raise, PathNode sourceNode, PathNode sinkNode
+where
+  taintedWithPath(source, condition, sourceNode, sinkNode) and
+  sensitiveCondition(condition, raise)
+select condition, sourceNode, sinkNode, "Reliance on untrusted input $@ to raise privilege at $@",
+  source, source.toString(), raise, raise.toString()

cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.expected

@@ -1,2 +1,30 @@
-| search.c:17:8:17:12 | query | Cross-site scripting vulnerability due to $@. | search.c:41:21:41:26 | call to getenv | this query data |
-| search.c:23:39:23:43 | query | Cross-site scripting vulnerability due to $@. | search.c:41:21:41:26 | call to getenv | this query data |
+edges
+| search.c:14:24:14:28 | query | search.c:17:8:17:12 | (const char *)... |
+| search.c:14:24:14:28 | query | search.c:17:8:17:12 | query |
+| search.c:14:24:14:28 | query | search.c:17:8:17:12 | query |
+| search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
+| search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
+| search.c:41:21:41:26 | call to getenv | search.c:45:17:45:25 | raw_query |
+| search.c:41:21:41:26 | call to getenv | search.c:45:17:45:25 | raw_query |
+| search.c:41:21:41:26 | call to getenv | search.c:47:17:47:25 | raw_query |
+| search.c:41:21:41:26 | call to getenv | search.c:47:17:47:25 | raw_query |
+| search.c:45:17:45:25 | raw_query | search.c:14:24:14:28 | query |
+| search.c:47:17:47:25 | raw_query | search.c:22:24:22:28 | query |
+nodes
+| search.c:14:24:14:28 | query | semmle.label | query |
+| search.c:17:8:17:12 | (const char *)... | semmle.label | (const char *)... |
+| search.c:17:8:17:12 | (const char *)... | semmle.label | (const char *)... |
+| search.c:17:8:17:12 | query | semmle.label | query |
+| search.c:17:8:17:12 | query | semmle.label | query |
+| search.c:17:8:17:12 | query | semmle.label | query |
+| search.c:22:24:22:28 | query | semmle.label | query |
+| search.c:23:39:23:43 | query | semmle.label | query |
+| search.c:23:39:23:43 | query | semmle.label | query |
+| search.c:23:39:23:43 | query | semmle.label | query |
+| search.c:41:21:41:26 | call to getenv | semmle.label | call to getenv |
+| search.c:41:21:41:26 | call to getenv | semmle.label | call to getenv |
+| search.c:45:17:45:25 | raw_query | semmle.label | raw_query |
+| search.c:47:17:47:25 | raw_query | semmle.label | raw_query |
+#select
+| search.c:17:8:17:12 | query | search.c:41:21:41:26 | call to getenv | search.c:17:8:17:12 | query | Cross-site scripting vulnerability due to $@. | search.c:41:21:41:26 | call to getenv | this query data |
+| search.c:23:39:23:43 | query | search.c:41:21:41:26 | call to getenv | search.c:23:39:23:43 | query | Cross-site scripting vulnerability due to $@. | search.c:41:21:41:26 | call to getenv | this query data |

cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected

@@ -1,2 +1,25 @@
-| test.cpp:26:10:26:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:42:18:42:23 | call to getenv | call to getenv |
-| test.cpp:31:10:31:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:43:18:43:23 | call to getenv | call to getenv |
+edges
+| test.cpp:24:30:24:36 | command | test.cpp:26:10:26:16 | command |
+| test.cpp:24:30:24:36 | command | test.cpp:26:10:26:16 | command |
+| test.cpp:29:30:29:36 | command | test.cpp:31:10:31:16 | command |
+| test.cpp:29:30:29:36 | command | test.cpp:31:10:31:16 | command |
+| test.cpp:42:18:42:23 | call to getenv | test.cpp:24:30:24:36 | command |
+| test.cpp:42:18:42:34 | (const char *)... | test.cpp:24:30:24:36 | command |
+| test.cpp:43:18:43:23 | call to getenv | test.cpp:29:30:29:36 | command |
+| test.cpp:43:18:43:34 | (const char *)... | test.cpp:29:30:29:36 | command |
+nodes
+| test.cpp:24:30:24:36 | command | semmle.label | command |
+| test.cpp:26:10:26:16 | command | semmle.label | command |
+| test.cpp:26:10:26:16 | command | semmle.label | command |
+| test.cpp:26:10:26:16 | command | semmle.label | command |
+| test.cpp:29:30:29:36 | command | semmle.label | command |
+| test.cpp:31:10:31:16 | command | semmle.label | command |
+| test.cpp:31:10:31:16 | command | semmle.label | command |
+| test.cpp:31:10:31:16 | command | semmle.label | command |
+| test.cpp:42:18:42:23 | call to getenv | semmle.label | call to getenv |
+| test.cpp:42:18:42:34 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:43:18:43:23 | call to getenv | semmle.label | call to getenv |
+| test.cpp:43:18:43:34 | (const char *)... | semmle.label | (const char *)... |
+#select
+| test.cpp:26:10:26:16 | command | test.cpp:42:18:42:23 | call to getenv | test.cpp:26:10:26:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:42:18:42:23 | call to getenv | call to getenv |
+| test.cpp:31:10:31:16 | command | test.cpp:43:18:43:23 | call to getenv | test.cpp:31:10:31:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:43:18:43:23 | call to getenv | call to getenv |

cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected

@@ -0,0 +1,3 @@
+edges
+nodes
+#select