Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 6901d9d

Browse files
geoffw0geoffw0
committed
C++: Add and use getRemoteSocket predicates.
1 parent 9f59bc8 commit 6901d9d

4 files changed

Lines changed: 35 additions & 3 deletions

File tree

cpp/ql/lib/semmle/code/cpp/models/implementations/Recv.qll

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -85,4 +85,8 @@ private class Recv extends AliasFunction, ArrayFunction, SideEffectFunction,
8585
) and
8686
description = "Buffer read by " + this.getName()
8787
}
88+
89+
override predicate hasSocketInput(FunctionInput input) {
90+
input.isParameter(0)
91+
}
8892
}

cpp/ql/lib/semmle/code/cpp/models/implementations/Send.qll

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -60,4 +60,8 @@ private class Send extends AliasFunction, ArrayFunction, SideEffectFunction, Rem
6060
override predicate hasRemoteFlowSink(FunctionInput input, string description) {
6161
input.isParameterDeref(1) and description = "Buffer sent by " + this.getName()
6262
}
63+
64+
override predicate hasSocketInput(FunctionInput input) {
65+
input.isParameter(0)
66+
}
6367
}

cpp/ql/lib/semmle/code/cpp/models/interfaces/FlowSource.qll

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,12 @@ abstract class RemoteFlowSourceFunction extends Function {
1818
* Holds if remote data described by `description` flows from `output` of a call to this function.
1919
*/
2020
abstract predicate hasRemoteFlowSource(FunctionOutput output, string description);
21+
22+
/**
23+
* Holds if remote data from this source comes from a socket described by
24+
* `input`. There is no result if a socket is not specified.
25+
*/
26+
predicate hasSocketInput(FunctionInput input) { none() }
2127
}
2228

2329
/**
@@ -51,4 +57,10 @@ abstract class RemoteFlowSinkFunction extends Function {
5157
* send over a network connection.
5258
*/
5359
abstract predicate hasRemoteFlowSink(FunctionInput input, string description);
60+
61+
/**
62+
* Holds if data put into this sink is transmitted through a socket described
63+
* by `input`. There is no result if a socket is not specified.
64+
*/
65+
predicate hasSocketInput(FunctionInput input) { none() }
5466
}

cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql

Lines changed: 15 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -43,7 +43,13 @@ class NetworkSend extends NetworkSendRecv {
4343

4444
NetworkSend() { target = this.getTarget() }
4545

46-
override Expr getSocketExpr() { result = this.getArgument(0) }
46+
override Expr getSocketExpr() {
47+
exists(FunctionInput input, int arg |
48+
target.hasSocketInput(input) and
49+
input.isParameter(arg) and
50+
result = this.getArgument(arg)
51+
)
52+
}
4753

4854
override Expr getDataExpr() {
4955
exists(FunctionInput input, int arg |
@@ -62,7 +68,13 @@ class NetworkRecv extends NetworkSendRecv {
6268

6369
NetworkRecv() { target = this.getTarget() }
6470

65-
override Expr getSocketExpr() { result = this.getArgument(0) }
71+
override Expr getSocketExpr() {
72+
exists(FunctionInput input, int arg |
73+
target.hasSocketInput(input) and
74+
input.isParameter(arg) and
75+
result = this.getArgument(arg)
76+
)
77+
}
6678

6779
override Expr getDataExpr() {
6880
exists(FunctionOutput output, int arg |
@@ -85,7 +97,7 @@ class SensitiveSendRecvConfiguration extends TaintTracking::Configuration {
8597
override predicate isSink(DataFlow::Node sink) {
8698
exists(NetworkSendRecv transmission |
8799
sink.asExpr() = transmission.getDataExpr() and
88-
// a zero file descriptor is standard input, which is not interesting for this query.
100+
// a zero socket descriptor is standard input, which is not interesting for this query.
89101
not exists(Zero zero |
90102
DataFlow::localFlow(DataFlow::exprNode(zero),
91103
DataFlow::exprNode(transmission.getSocketExpr()))

0 commit comments

Comments
 (0)