Merge pull request #10128 from MathiasVP/add-cleartext-sanitizer

MathiasVP · web-flow · commit 0ac8b7ce650b · 2022-08-22T17:13:22.000+01:00
C++: Add a sanitizer to `cpp/cleartext-storage-buffer`
diff --git a/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql b/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
@@ -26,6 +26,10 @@ class ToBufferConfiguration extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node source) { source instanceof FlowSource }
 
+  override predicate isSanitizer(DataFlow::Node node) {
+    node.asExpr().getUnspecifiedType() instanceof IntegralType
+  }
+
   override predicate isSink(DataFlow::Node sink) {
     exists(BufferWrite::BufferWrite w | w.getASource() = sink.asExpr())
   }
diff --git a/cpp/ql/src/change-notes/2022-08-22-cleartext-buffer-write-sanitizer.md b/cpp/ql/src/change-notes/2022-08-22-cleartext-buffer-write-sanitizer.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The "Cleartext storage of sensitive information in buffer" (`cpp/cleartext-storage-buffer`) query has been improved to produce fewer false positives.

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,10 @@ class ToBufferConfiguration extends TaintTracking::Configuration {`
`26`	`26`
`27`	`27`	`override predicate isSource(DataFlow::Node source) { source instanceof FlowSource }`
`28`	`28`
	`29`	`+ override predicate isSanitizer(DataFlow::Node node) {`
	`30`	`+ node.asExpr().getUnspecifiedType() instanceof IntegralType`
	`31`	`+ }`
	`32`	`+`
`29`	`33`	`override predicate isSink(DataFlow::Node sink) {`
`30`	`34`	`exists(BufferWrite::BufferWrite w \| w.getASource() = sink.asExpr())`
`31`	`35`	`}`
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* The "Cleartext storage of sensitive information in buffer" (`cpp/cleartext-storage-buffer`) query has been improved to produce fewer false positives.