C++: Use isSource in queries. These were the only queries that restrict the source after dataflow terminates.

MathiasVP · MathiasVP · commit f4f96fe2575c · 2020-12-21T16:35:35.000+01:00
diff --git a/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql b/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
@@ -29,6 +29,8 @@ class QueryString extends EnvironmentRead {
 }
 
 class Configuration extends TaintTrackingConfiguration {
+  override predicate isSource(Expr source) { source instanceof QueryString }
+
   override predicate isSink(Element tainted) {
     exists(PrintStdoutCall call | call.getAnArgument() = tainted)
   }
diff --git a/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql b/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
@@ -34,6 +34,10 @@ predicate sqlite_encryption_used() {
 }
 
 class Configuration extends TaintTrackingConfiguration {
+  override predicate isSource(Expr source) {
+    super.isSource(source) and source instanceof SensitiveExpr
+  }
+
   override predicate isSink(Element taintedArg) {
     exists(SqliteFunctionCall sqliteCall |
       taintedArg = sqliteCall.getASource() and

Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,8 @@ class QueryString extends EnvironmentRead {`
`29`	`29`	`}`
`30`	`30`
`31`	`31`	`class Configuration extends TaintTrackingConfiguration {`
	`32`	`+ override predicate isSource(Expr source) { source instanceof QueryString }`
	`33`	`+`
`32`	`34`	`override predicate isSink(Element tainted) {`
`33`	`35`	`exists(PrintStdoutCall call \| call.getAnArgument() = tainted)`
`34`	`36`	`}`