Merge pull request #7742 from geoffw0/clrtxt6

MathiasVP · web-flow · commit b3f4357dc875 · 2022-01-27T14:40:40.000Z
C++: Upgrade cpp/cleartext-storage-buffer
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
@@ -1,3 +1,8 @@
+/**
+ * An IR taint tracking library that uses an IR DataFlow configuration to track
+ * taint from user inputs as defined by `semmle.code.cpp.security.Security`.
+ */
+
 import cpp
 import semmle.code.cpp.security.Security
 private import semmle.code.cpp.ir.dataflow.DataFlow
diff --git a/cpp/ql/lib/semmle/code/cpp/security/TaintTracking.qll b/cpp/ql/lib/semmle/code/cpp/security/TaintTracking.qll
@@ -1,7 +1,10 @@
 /*
- * Support for tracking tainted data through the program.
+ * Support for tracking tainted data through the program. This is an alias for
+ * `semmle.code.cpp.ir.dataflow.DefaultTaintTracking` provided for backwards
+ * compatibility.
  *
- * Prefer to use `semmle.code.cpp.dataflow.TaintTracking` when designing new queries.
+ * Prefer to use `semmle.code.cpp.dataflow.TaintTracking` or
+ * `semmle.code.cpp.ir.dataflow.TaintTracking` when designing new queries.
  */
 
 import semmle.code.cpp.ir.dataflow.DefaultTaintTracking
diff --git a/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql b/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
@@ -12,23 +12,33 @@
  */
 
 import cpp
-import semmle.code.cpp.security.BufferWrite
-import semmle.code.cpp.security.TaintTracking
+import semmle.code.cpp.security.BufferWrite as BufferWrite
 import semmle.code.cpp.security.SensitiveExprs
-import TaintedWithPath
+import semmle.code.cpp.security.FlowSources
+import semmle.code.cpp.ir.dataflow.TaintTracking
+import DataFlow::PathGraph
 
-class Configuration extends TaintTrackingConfiguration {
-  override predicate isSink(Element tainted) { exists(BufferWrite w | w.getASource() = tainted) }
+/**
+ * Taint flow from user input to a buffer write.
+ */
+class ToBufferConfiguration extends TaintTracking::Configuration {
+  ToBufferConfiguration() { this = "ToBufferConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof FlowSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(BufferWrite::BufferWrite w | w.getASource() = sink.asExpr())
+  }
 }
 
 from
-  BufferWrite w, Expr taintedArg, Expr taintSource, PathNode sourceNode, PathNode sinkNode,
-  string taintCause, SensitiveExpr dest
+  ToBufferConfiguration config, BufferWrite::BufferWrite w, DataFlow::PathNode sourceNode,
+  DataFlow::PathNode sinkNode, FlowSource source, SensitiveExpr dest
 where
-  taintedWithPath(taintSource, taintedArg, sourceNode, sinkNode) and
-  isUserInput(taintSource, taintCause) and
-  w.getASource() = taintedArg and
+  config.hasFlowPath(sourceNode, sinkNode) and
+  sourceNode.getNode() = source and
+  w.getASource() = sinkNode.getNode().asExpr() and
   dest = w.getDest()
 select w, sourceNode, sinkNode,
-  "This write into buffer '" + dest.toString() + "' may contain unencrypted data from $@",
-  taintSource, "user input (" + taintCause + ")"
+  "This write into buffer '" + dest.toString() + "' may contain unencrypted data from $@", source,
+  "user input (" + source.getSourceType() + ")"
diff --git a/cpp/ql/src/change-notes/2022-01-25-cleartext-storage-buffer.md b/cpp/ql/src/change-notes/2022-01-25-cleartext-storage-buffer.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `cpp/cleartext-storage-buffer` query has been updated to use the `semmle.code.cpp.dataflow.TaintTracking` library.
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected
@@ -1,18 +1,8 @@
 edges
 | test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
-| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
-| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
-| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
-| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input indirection |
-| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input indirection |
-subpaths
 nodes
 | test.cpp:54:17:54:20 | argv | semmle.label | argv |
-| test.cpp:54:17:54:20 | argv | semmle.label | argv |
-| test.cpp:58:25:58:29 | input | semmle.label | input |
 | test.cpp:58:25:58:29 | input | semmle.label | input |
-| test.cpp:58:25:58:29 | input | semmle.label | input |
-| test.cpp:58:25:58:29 | input indirection | semmle.label | input indirection |
-| test.cpp:58:25:58:29 | input indirection | semmle.label | input indirection |
+subpaths
 #select
-| test.cpp:58:3:58:9 | call to sprintf | test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input | This write into buffer 'passwd' may contain unencrypted data from $@ | test.cpp:54:17:54:20 | argv | user input (argv) |
+| test.cpp:58:3:58:9 | call to sprintf | test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input | This write into buffer 'passwd' may contain unencrypted data from $@ | test.cpp:54:17:54:20 | argv | user input (a command-line argument) |

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* The `cpp/cleartext-storage-buffer` query has been updated to use the `semmle.code.cpp.dataflow.TaintTracking` library.