
Commit 1d80e94

committed
C++: Prepare 'CleartextSqliteDatabase.ql' for use-use flow.
1 parent 33649ed commit 1d80e94

1 file changed

Lines changed: 18 additions & 5 deletions


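--- a/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
+++ b/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
@@ -36,16 +36,29 @@ Field getRecField(Class c) {
 result = getRecField(c.getAField().getUnspecifiedType().stripType())
 }
 
+/**
+* Holds if `source` is a use of a sensitive expression `sensitive`, or
+* if `source` is the output argument (with a sensitive name) of a function.
+*/
+predicate isSourceImpl(DataFlow::Node source, SensitiveExpr sensitive) {
+[source.asExpr(), source.asDefiningArgument()] = sensitive
+}
+
+/** Holds if `sink` is an argument to an Sqlite function call `c`. */
+predicate isSinkImpl(DataFlow::Node sink, SqliteFunctionCall c) {
+[sink.asExpr(), sink.asIndirectExpr()] = c.getASource()
+}
+
 /**
 * A taint flow configuration for flow from a sensitive expression to a `SqliteFunctionCall` sink.
 */
 class FromSensitiveConfiguration extends TaintTracking::Configuration {
 FromSensitiveConfiguration() { this = "FromSensitiveConfiguration" }
 
-override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof SensitiveExpr }
+override predicate isSource(DataFlow::Node source) { isSourceImpl(source, _) }
 
 override predicate isSink(DataFlow::Node sink) {
-any(SqliteFunctionCall c).getASource() = sink.asExpr() and
+isSinkImpl(sink, _) and
 not sqlite_encryption_used()
 }
 
@@ -58,7 +71,7 @@ class FromSensitiveConfiguration extends TaintTracking::Configuration {
 this.isSink(node) and
 // constrain `content` to a field inside the node.
 exists(Class c |
-node.asExpr().getUnspecifiedType().stripType() = c and
+node.getType().getUnspecifiedType().stripType() = c and
 content.(DataFlow::FieldContent).getField() = getRecField(c)
 )
 or
@@ -72,8 +85,8 @@ from
 DataFlow::PathNode sink, SqliteFunctionCall sqliteCall
 where
 config.hasFlowPath(source, sink) and
-source.getNode().asExpr() = sensitive and
-sqliteCall.getASource() = sink.getNode().asExpr()
+isSourceImpl(source.getNode(), sensitive) and
+isSinkImpl(sink.getNode(), sqliteCall)
 select sqliteCall, source, sink,
 "This SQLite call may store $@ in a non-encrypted SQLite database.", sensitive,
 "sensitive information"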
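Review bot: The doc comment on `isSinkImpl` describes `sink` only as "an argument" of the call, while the body also accepts `sink.asIndirectExpr()`, i.e. the node standing for the data an argument points to. Since this predicate now decides what counts as cleartext reaching SQLite both in `isSink` and in the final `where` clause, I would spell that out, e.g. `/** Holds if sink is an argument of the SQLite function call c, or the indirection of one (the data the argument points to). */` (with the usual backticks around the names). Similarly, `isSourceImpl` accepts both `asExpr()` and `asDefiningArgument()`, so one sensitive value could presumably be reported through more than one source node; only this file is changed, so it is worth confirming that the query's expected test output still shows one alert per SQLite call.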
