C++: Modernize cpp/cleartext-storage-database.

geoffw0 · geoffw0 · commit 008d583da81f · 2022-09-05T16:47:14.000+01:00
diff --git a/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql b/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
@@ -13,14 +13,8 @@
 
 import cpp
 import semmle.code.cpp.security.SensitiveExprs
-import semmle.code.cpp.security.TaintTracking
-import TaintedWithPath
-
-class UserInputIsSensitiveExpr extends SecurityOptions {
-  override predicate isUserInput(Expr expr, string cause) {
-    expr instanceof SensitiveExpr and cause = "sensitive information"
-  }
-}
+import semmle.code.cpp.dataflow.TaintTracking
+import DataFlow::PathGraph
 
 class SqliteFunctionCall extends FunctionCall {
   SqliteFunctionCall() { this.getTarget().getName().matches("sqlite%") }
@@ -34,25 +28,30 @@ predicate sqlite_encryption_used() {
   any(FunctionCall fc).getTarget().getName().matches("sqlite%\\_key\\_%")
 }
 
-class Configuration extends TaintTrackingConfiguration {
-  override predicate isSource(Expr source) {
-    super.isSource(source) and source instanceof SensitiveExpr
+/**
+ * Taint flow from a sensitive expression to a `SqliteFunctionCall` sink.
+ */
+class FromSensitiveConfiguration extends TaintTracking::Configuration {
+  FromSensitiveConfiguration() { this = "FromSensitiveConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof SensitiveExpr }
+
+  override predicate isSink(DataFlow::Node sink) {
+    any(SqliteFunctionCall c).getASource() = sink.asExpr() and
+    not sqlite_encryption_used()
   }
 
-  override predicate isSink(Element taintedArg) {
-    exists(SqliteFunctionCall sqliteCall |
-      taintedArg = sqliteCall.getASource() and
-      not sqlite_encryption_used()
-    )
+  override predicate isSanitizer(DataFlow::Node node) {
+    node.asExpr().getUnspecifiedType() instanceof IntegralType
   }
 }
 
 from
-  SensitiveExpr taintSource, Expr taintedArg, SqliteFunctionCall sqliteCall, PathNode sourceNode,
-  PathNode sinkNode
+  FromSensitiveConfiguration config, SensitiveExpr sensitive, DataFlow::PathNode source,
+  DataFlow::PathNode sink, SqliteFunctionCall sqliteCall
 where
-  taintedWithPath(taintSource, taintedArg, sourceNode, sinkNode) and
-  taintedArg = sqliteCall.getASource()
-select sqliteCall, sourceNode, sinkNode,
-  "This SQLite call may store $@ in a non-encrypted SQLite database", taintSource,
-  "sensitive information"
+  config.hasFlowPath(source, sink) and
+  source.getNode().asExpr() = sensitive and
+  sqliteCall.getASource() = sink.getNode().asExpr()
+select sqliteCall, source, sink, "This SQLite call may store $@ in a non-encrypted SQLite database",
+  sensitive, "sensitive information"
