C++: Refactor ExecTainted.ql to need concatenation

Robert Marsh · Robert Marsh · commit 6f408f949cd0 · 2021-09-15T10:55:49.000-07:00
This makes ExecTainted report results only when the tainted value does
not become the start of the string which is eventually run as a shell
command. The theory is that those cases are likely to be deliberate, and
part of the expected threat model of the program (e.g. $CC in make).
This lines up better with the results I considered fixable true
positives in LGTM testing
diff --git a/cpp/ql/lib/semmle/code/cpp/commons/Printf.qll b/cpp/ql/lib/semmle/code/cpp/commons/Printf.qll
@@ -253,6 +253,13 @@ class FormattingFunctionCall extends Expr {
     // format arguments must be known
     exists(getTarget().(FormattingFunction).getFirstFormatArgumentIndex())
   }
+
+  /**
+   * 
+   */
+  Expr getOutputArgument(boolean isStream) {
+    result = this.(Call).getArgument(this.(Call).getTarget().(FormattingFunction).getOutputParameterIndex(isStream))
+  }
 }
 
 /**
diff --git a/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.c b/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.c
@@ -9,7 +9,7 @@ int main(int argc, char** argv) {
     system(command1);
   }
 
-  {  
+  {
     // GOOD: the user string is encoded by a library routine.
     char userNameQuoted[1000] = {0};
     encodeShellString(userNameQuoted, 1000, userName); 
diff --git a/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql b/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
@@ -3,7 +3,7 @@
  * @description Using user-supplied data in an OS command, without
  *              neutralizing special elements, can make code vulnerable
  *              to command injection.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @security-severity 9.8
  * @precision low
@@ -16,13 +16,113 @@
 import cpp
 import semmle.code.cpp.security.CommandExecution
 import semmle.code.cpp.security.Security
-import semmle.code.cpp.security.TaintTracking
+import semmle.code.cpp.ir.dataflow.TaintTracking
+import semmle.code.cpp.ir.dataflow.TaintTracking2
+import semmle.code.cpp.ir.IR
+import semmle.code.cpp.security.FlowSources
+import semmle.code.cpp.models.implementations.Strcat
 
-from Expr taintedArg, Expr taintSource, string taintCause, string callChain
+Expr sinkAsArgumentIndirection(DataFlow::Node sink) {
+  result =
+    sink.asOperand()
+        .(SideEffectOperand)
+        .getAddressOperand()
+        .getAnyDef()
+        .getUnconvertedResultExpression()
+}
+
+predicate interestingConcatenation(DataFlow::Node fst, DataFlow::Node snd) {
+  exists(FormattingFunctionCall call, int index, FormatLiteral literal |
+    sinkAsArgumentIndirection(fst) = call.getConversionArgument(index) and
+    snd.asDefiningArgument() = call.getOutputArgument(false) and
+    literal = call.getFormat() and
+    not literal.getConvSpecOffset(index) = 0 and
+    (
+      literal.getConversionType(index) instanceof CharPointerType
+      or
+      literal.getConversionType(index).(PointerType).getBaseType() instanceof Wchar_t
+    )
+  )
+  or
+  // strcat and friends
+  exists(StrcatFunction strcatFunc, CallInstruction call, ReadSideEffectInstruction rse |
+    call.getStaticCallTarget() = strcatFunc and
+    rse.getArgumentDef() = call.getArgument(strcatFunc.getParamSrc()) and
+    fst.asOperand() = rse.getSideEffectOperand() and
+    snd.asInstruction().(WriteSideEffectInstruction).getDestinationAddress() =
+        call.getArgument(strcatFunc.getParamDest())
+  )
+  or
+  exists(CallInstruction call, Operator op, ReadSideEffectInstruction rse |
+    call.getStaticCallTarget() = op and
+    op.hasQualifiedName("std", "operator+") and
+    op.getType().(UserType).hasQualifiedName("std", "basic_string") and
+    call.getArgument(1) = rse.getArgumentOperand().getAnyDef() and // left operand
+    fst.asOperand() = rse.getSideEffectOperand() and
+    call =
+      snd.asInstruction()
+  )
+}
+
+// TODO: maybe we can drop this?
+class TaintToConcatenationConfiguration extends TaintTracking::Configuration {
+  TaintToConcatenationConfiguration() { this = "TaintToConcatenationConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source instanceof FlowSource
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    interestingConcatenation(sink, _)
+  }
+
+  override int explorationLimit() {
+    result = 10
+  }
+}
+
+class ExecTaintConfiguration extends TaintTracking::Configuration {
+  ExecTaintConfiguration() { this = "ExecTaintConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    interestingConcatenation(_, source)
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    shellCommand(sinkAsArgumentIndirection(sink), _)
+  }
+
+  override predicate isSanitizerOut(DataFlow::Node node) {
+    isSink(node) // Prevent duplicates along a call chain, since `shellCommand` will include wrappers
+  }
+}
+
+query predicate nodes = DataFlow::PathGraph::nodes/3;
+
+query predicate edges(DataFlow::PathNode a, DataFlow::PathNode b) {
+  DataFlow::PathGraph::edges(a, b) or
+  interestingConcatenation(a.getNode(), b.getNode()) and
+  a.getConfiguration() instanceof TaintToConcatenationConfiguration and
+  b.getConfiguration() instanceof ExecTaintConfiguration
+}
+
+query predicate pathExplore(DataFlow::PartialPathNode source, DataFlow::PartialPathNode node, int dist) {
+  any(TaintToConcatenationConfiguration cfg).hasPartialFlow(source, node, dist)
+}
+
+query predicate pathExploreRev(DataFlow::PartialPathNode node, DataFlow::PartialPathNode sink, int dist) {
+  any(TaintToConcatenationConfiguration cfg).hasPartialFlowRev(node, sink, dist)
+}
+
+from
+  DataFlow::PathNode sourceNode, DataFlow::PathNode concatSink, DataFlow::PathNode concatSource, DataFlow::PathNode sinkNode, string taintCause, string callChain,
+  TaintToConcatenationConfiguration conf1, ExecTaintConfiguration conf2
 where
-  shellCommand(taintedArg, callChain) and
-  tainted(taintSource, taintedArg) and
-  isUserInput(taintSource, taintCause)
-select taintedArg,
-  "This argument to an OS command is derived from $@ and then passed to " + callChain, taintSource,
-  "user input (" + taintCause + ")"
+  taintCause = sourceNode.getNode().(FlowSource).getSourceType() and
+  conf1.hasFlowPath(sourceNode, concatSink) and // TODO: can we link these better?
+  interestingConcatenation(concatSink.getNode(), concatSource.getNode()) and
+  conf2.hasFlowPath(concatSource, sinkNode) and
+  shellCommand(sinkAsArgumentIndirection(sinkNode.getNode()), callChain)
+select sinkAsArgumentIndirection(sinkNode.getNode()), sourceNode, sinkNode,
+  "This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to " + callChain, sourceNode,
+  "user input (" + taintCause + ")", concatSource, concatSource.toString()
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected

Original file line number	Diff line number	Diff line change
`@@ -253,6 +253,13 @@ class FormattingFunctionCall extends Expr {`
`253`	`253`	`// format arguments must be known`
`254`	`254`	`exists(getTarget().(FormattingFunction).getFirstFormatArgumentIndex())`
`255`	`255`	`}`
	`256`	`+`
	`257`	`+ /**`
	`258`	`+ *`
	`259`	`+ */`
	`260`	`+ Expr getOutputArgument(boolean isStream) {`
	`261`	`+ result = this.(Call).getArgument(this.(Call).getTarget().(FormattingFunction).getOutputParameterIndex(isStream))`
	`262`	`+ }`
`256`	`263`	`}`
`257`	`264`
`258`	`265`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@ int main(int argc, char** argv) {`
`9`	`9`	`system(command1);`
`10`	`10`	`}`
`11`	`11`
`12`		`- {`
	`12`	`+ {`
`13`	`13`	`// GOOD: the user string is encoded by a library routine.`
`14`	`14`	`char userNameQuoted[1000] = {0};`
`15`	`15`	`encodeShellString(userNameQuoted, 1000, userName);`