
Commit f1d6234

committed
C++: Add more information about registry query parameters.
1 parent 4316026 commit f1d6234

1 file changed

Lines changed: 24 additions & 6 deletions


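--- a/cpp/ql/src/Security/CWE/CWE-497/SystemData.qll
+++ b/cpp/ql/src/Security/CWE/CWE-497/SystemData.qll
@@ -236,15 +236,26 @@ class LogonUser extends SystemData {
 override predicate isSensitive() { any() }
 }
 
-private predicate regQuery(FunctionCall source, VariableAccess use) {
+private newtype TRegQueryParameter =
+TSubKeyName(Expr e) or
+TValueName(Expr e) or
+TReturnData(Expr e)
+
+/**
+* Registry query call (`source`) with information about parameters (`param`).
+*/
+private predicate regQuery(FunctionCall source, TRegQueryParameter param) {
 // LONG WINAPI RegQueryValue(
 // _In_ HKEY hKey,
 // _In_opt_ LPCTSTR lpSubKey,
 // _Out_opt_ LPTSTR lpValue,
 // _Inout_opt_ PLONG lpcbValue
 // );
 source.getTarget().hasGlobalName(["RegQueryValue", "RegQueryValueA", "RegQueryValueW"]) and
-use = source.getArgument(2)
+(
+param = TSubKeyName(source.getArgument(1)) or
+param = TReturnData(source.getArgument(2))
+)
 or
 // LONG WINAPI RegQueryMultipleValues(
 // _In_ HKEY hKey,
@@ -258,7 +269,7 @@ private predicate regQuery(FunctionCall source, VariableAccess use) {
 .hasGlobalName([
 "RegQueryMultipleValues", "RegQueryMultipleValuesA", "RegQueryMultipleValuesW"
 ]) and
-use = source.getArgument(3)
+param = TReturnData(source.getArgument(3))
 or
 // LONG WINAPI RegQueryValueEx(
 // _In_ HKEY hKey,
@@ -269,7 +280,10 @@ private predicate regQuery(FunctionCall source, VariableAccess use) {
 // _Inout_opt_ LPDWORD lpcbData
 // );
 source.getTarget().hasGlobalName(["RegQueryValueEx", "RegQueryValueExA", "RegQueryValueExW"]) and
-use = source.getArgument(4)
+(
+param = TValueName(source.getArgument(1)) or
+param = TReturnData(source.getArgument(4))
+)
 or
 // LONG WINAPI RegGetValue(
 // _In_ HKEY hkey,
@@ -281,7 +295,11 @@ private predicate regQuery(FunctionCall source, VariableAccess use) {
 // _Inout_opt_ LPDWORD pcbData
 // );
 source.getTarget().hasGlobalName(["RegGetValue", "RegGetValueA", "RegGetValueW"]) and
-use = source.getArgument(5)
+(
+param = TSubKeyName(source.getArgument(1)) or
+param = TValueName(source.getArgument(2)) or
+param = TReturnData(source.getArgument(5))
+)
 }
 
 /**
@@ -290,7 +308,7 @@ private predicate regQuery(FunctionCall source, VariableAccess use) {
 class RegQuery extends SystemData {
 RegQuery() { regQuery(this, _) }
 
-override Expr getAnExpr() { regQuery(this, result) }
+override Expr getAnExpr() { regQuery(this, TReturnData(result)) }
 
 override predicate isSensitive() {
 this.(FunctionCall).getAnArgument().getValue().toLowerCase().regexpMatch(".*(pass|token|key).*")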
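Review bot: The return-data argument is no longer restricted to `VariableAccess`. The old signature `regQuery(FunctionCall source, VariableAccess use)` only held when the output-buffer argument was a plain variable access, whereas `TReturnData(Expr e)` accepts any argument expression, so `RegQuery.getAnExpr()` can now also yield other expression kinds such as address-of operands. If that widening is intended, state it in the QLDoc and re-check the expected results of the CWE-497 queries, since this commit changes only the library file; if it is not, declare the branch as `TReturnData(VariableAccess e)`. The QLDoc on `regQuery` would also be clearer if it named what each branch wraps, for example `TSubKeyName`/`TValueName` for the sub-key and value-name arguments and `TReturnData` for the output buffer. The body of `isSensitive` at the end of the section continues outside the visible hunk.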
