
Commit 3fed7bf

committed
C++: Extend cpp/cleartext-transmission using PrivateData.qll.
1 parent 202b6d4 commit 3fed7bf


3 files changed

+55
-19
lines changed


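--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
@@ -13,24 +13,38 @@
 
 import cpp
 import semmle.code.cpp.security.SensitiveExprs
+import semmle.code.cpp.security.PrivateData
 import semmle.code.cpp.dataflow.TaintTracking
 import semmle.code.cpp.models.interfaces.FlowSource
 import semmle.code.cpp.commons.File
 import DataFlow::PathGraph
 
+class SourceVariable extends Variable {
+SourceVariable() {
+this instanceof SensitiveVariable or
+this instanceof PrivateDataVariable
+}
+}
+
+class SourceFunction extends Function {
+SourceFunction() {
+this instanceof SensitiveFunction or
+this instanceof PrivateDataFunction
+}
+}
+
 /**
 * A DataFlow node corresponding to a variable or function call that
 * might contain or return a password or other sensitive information.
 */
-class SensitiveNode extends DataFlow::Node {
-SensitiveNode() {
-this.asExpr() = any(SensitiveVariable sv).getInitializer().getExpr() or
-this.asExpr().(VariableAccess).getTarget() =
-any(SensitiveVariable sv).(GlobalOrNamespaceVariable) or
-this.asExpr().(VariableAccess).getTarget() = any(SensitiveVariable v | v instanceof Field) or
-this.asUninitialized() instanceof SensitiveVariable or
-this.asParameter() instanceof SensitiveVariable or
-this.asExpr().(FunctionCall).getTarget() instanceof SensitiveFunction
+class SourceNode extends DataFlow::Node {
+SourceNode() {
+this.asExpr() = any(SourceVariable sv).getInitializer().getExpr() or
+this.asExpr().(VariableAccess).getTarget() = any(SourceVariable sv).(GlobalOrNamespaceVariable) or
+this.asExpr().(VariableAccess).getTarget() = any(SourceVariable v | v instanceof Field) or
+this.asUninitialized() instanceof SourceVariable or
+this.asParameter() instanceof SourceVariable or
+this.asExpr().(FunctionCall).getTarget() instanceof SourceFunction
 }
 }
 
@@ -207,7 +221,7 @@ class Encrypted extends Expr {
 class FromSensitiveConfiguration extends TaintTracking::Configuration {
 FromSensitiveConfiguration() { this = "FromSensitiveConfiguration" }
 
-override predicate isSource(DataFlow::Node source) { source instanceof SensitiveNode }
+override predicate isSource(DataFlow::Node source) { source instanceof SourceNode }
 
 override predicate isSink(DataFlow::Node sink) {
 sink.asExpr() = any(NetworkSendRecv nsr).getDataExpr()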

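--- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected
@@ -92,6 +92,8 @@ edges
 | test3.cpp:398:18:398:25 | password | test3.cpp:400:33:400:40 | password |
 | test3.cpp:421:21:421:28 | password | test3.cpp:421:3:421:17 | call to decrypt_inplace |
 | test3.cpp:429:7:429:14 | password | test3.cpp:431:8:431:15 | password |
+| test3.cpp:526:44:526:54 | my_latitude | test3.cpp:527:15:527:20 | buffer |
+| test3.cpp:532:45:532:58 | home_longitude | test3.cpp:533:15:533:20 | buffer |
 | test.cpp:41:23:41:43 | cleartext password! | test.cpp:48:21:48:27 | call to encrypt |
 | test.cpp:41:23:41:43 | cleartext password! | test.cpp:48:29:48:39 | thePassword |
 | test.cpp:66:23:66:43 | cleartext password! | test.cpp:76:21:76:27 | call to encrypt |
@@ -221,6 +223,17 @@ nodes
 | test3.cpp:421:21:421:28 | password | semmle.label | password |
 | test3.cpp:429:7:429:14 | password | semmle.label | password |
 | test3.cpp:431:8:431:15 | password | semmle.label | password |
+| test3.cpp:507:18:507:39 | social_security_number | semmle.label | social_security_number |
+| test3.cpp:509:18:509:29 | homePostCode | semmle.label | homePostCode |
+| test3.cpp:511:18:511:26 | telephone | semmle.label | telephone |
+| test3.cpp:512:18:512:36 | mobile_phone_number | semmle.label | mobile_phone_number |
+| test3.cpp:513:18:513:22 | email | semmle.label | email |
+| test3.cpp:516:18:516:29 | employerName | semmle.label | employerName |
+| test3.cpp:517:18:517:29 | medical_info | semmle.label | medical_info |
+| test3.cpp:526:44:526:54 | my_latitude | semmle.label | my_latitude |
+| test3.cpp:527:15:527:20 | buffer | semmle.label | buffer |
+| test3.cpp:532:45:532:58 | home_longitude | semmle.label | home_longitude |
+| test3.cpp:533:15:533:20 | buffer | semmle.label | buffer |
 | test.cpp:41:23:41:43 | cleartext password! | semmle.label | cleartext password! |
 | test.cpp:48:21:48:27 | call to encrypt | semmle.label | call to encrypt |
 | test.cpp:48:29:48:39 | thePassword | semmle.label | thePassword |
@@ -254,3 +267,12 @@ subpaths
 | test3.cpp:414:3:414:6 | call to recv | test3.cpp:414:17:414:24 | password | test3.cpp:414:17:414:24 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@ | test3.cpp:414:17:414:24 | password | password |
 | test3.cpp:420:3:420:6 | call to recv | test3.cpp:420:17:420:24 | password | test3.cpp:420:17:420:24 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@ | test3.cpp:420:17:420:24 | password | password |
 | test3.cpp:431:2:431:6 | call to fgets | test3.cpp:429:7:429:14 | password | test3.cpp:431:8:431:15 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@ | test3.cpp:429:7:429:14 | password | password |
+| test3.cpp:507:2:507:5 | call to send | test3.cpp:507:18:507:39 | social_security_number | test3.cpp:507:18:507:39 | social_security_number | This operation transmits 'social_security_number', which may contain unencrypted sensitive data from $@ | test3.cpp:507:18:507:39 | social_security_number | social_security_number |
+| test3.cpp:509:2:509:5 | call to send | test3.cpp:509:18:509:29 | homePostCode | test3.cpp:509:18:509:29 | homePostCode | This operation transmits 'homePostCode', which may contain unencrypted sensitive data from $@ | test3.cpp:509:18:509:29 | homePostCode | homePostCode |
+| test3.cpp:511:2:511:5 | call to send | test3.cpp:511:18:511:26 | telephone | test3.cpp:511:18:511:26 | telephone | This operation transmits 'telephone', which may contain unencrypted sensitive data from $@ | test3.cpp:511:18:511:26 | telephone | telephone |
+| test3.cpp:512:2:512:5 | call to send | test3.cpp:512:18:512:36 | mobile_phone_number | test3.cpp:512:18:512:36 | mobile_phone_number | This operation transmits 'mobile_phone_number', which may contain unencrypted sensitive data from $@ | test3.cpp:512:18:512:36 | mobile_phone_number | mobile_phone_number |
+| test3.cpp:513:2:513:5 | call to send | test3.cpp:513:18:513:22 | email | test3.cpp:513:18:513:22 | email | This operation transmits 'email', which may contain unencrypted sensitive data from $@ | test3.cpp:513:18:513:22 | email | email |
+| test3.cpp:516:2:516:5 | call to send | test3.cpp:516:18:516:29 | employerName | test3.cpp:516:18:516:29 | employerName | This operation transmits 'employerName', which may contain unencrypted sensitive data from $@ | test3.cpp:516:18:516:29 | employerName | employerName |
+| test3.cpp:517:2:517:5 | call to send | test3.cpp:517:18:517:29 | medical_info | test3.cpp:517:18:517:29 | medical_info | This operation transmits 'medical_info', which may contain unencrypted sensitive data from $@ | test3.cpp:517:18:517:29 | medical_info | medical_info |
+| test3.cpp:527:3:527:6 | call to send | test3.cpp:526:44:526:54 | my_latitude | test3.cpp:527:15:527:20 | buffer | This operation transmits 'buffer', which may contain unencrypted sensitive data from $@ | test3.cpp:526:44:526:54 | my_latitude | my_latitude |
+| test3.cpp:533:3:533:6 | call to send | test3.cpp:532:45:532:58 | home_longitude | test3.cpp:533:15:533:20 | buffer | This operation transmits 'buffer', which may contain unencrypted sensitive data from $@ | test3.cpp:532:45:532:58 | home_longitude | home_longitude |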

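--- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp
@@ -504,17 +504,17 @@ struct person_info
 void tests2(person_info *pi)
 {
 // direct cases
-send(val(), pi->social_security_number, strlen(pi->social_security_number), val()); // BAD [NOT DETECTED]
+send(val(), pi->social_security_number, strlen(pi->social_security_number), val()); // BAD
 send(val(), pi->socialSecurityNo, strlen(pi->socialSecurityNo), val()); // BAD [NOT DETECTED]
-send(val(), pi->homePostCode, strlen(pi->homePostCode), val()); // BAD [NOT DETECTED]
+send(val(), pi->homePostCode, strlen(pi->homePostCode), val()); // BAD
 send(val(), pi->my_zip_code, strlen(pi->my_zip_code), val()); // BAD [NOT DETECTED]
-send(val(), pi->telephone, strlen(pi->telephone), val()); // BAD [NOT DETECTED]
-send(val(), pi->mobile_phone_number, strlen(pi->mobile_phone_number), val()); // BAD [NOT DETECTED]
-send(val(), pi->email, strlen(pi->email), val()); // BAD [NOT DETECTED]
+send(val(), pi->telephone, strlen(pi->telephone), val()); // BAD
+send(val(), pi->mobile_phone_number, strlen(pi->mobile_phone_number), val()); // BAD
+send(val(), pi->email, strlen(pi->email), val()); // BAD
 send(val(), pi->my_credit_card_number, strlen(pi->my_credit_card_number), val()); // BAD [NOT DETECTED]
 send(val(), pi->my_bank_account_no, strlen(pi->my_bank_account_no), val()); // BAD [NOT DETECTED]
-send(val(), pi->employerName, strlen(pi->employerName), val()); // BAD [NOT DETECTED]
-send(val(), pi->medical_info, strlen(pi->medical_info), val()); // BAD [NOT DETECTED]
+send(val(), pi->employerName, strlen(pi->employerName), val()); // BAD
+send(val(), pi->medical_info, strlen(pi->medical_info), val()); // BAD
 send(val(), pi->license_key, strlen(pi->license_key), val()); // BAD [NOT DETECTED]
 send(val(), pi->license_key_hash, strlen(pi->license_key_hash), val()); // GOOD
 send(val(), pi->my_zip_file, strlen(pi->my_zip_file), val()); // GOOD
@@ -524,13 +524,13 @@ void tests2(person_info *pi)
 char buffer[1024];
 
 snprintf(buffer, 1024, "lat = %f\n", pi->my_latitude);
-send(val(), buffer, strlen(buffer), val()); // BAD [NOT DETECTED]
+send(val(), buffer, strlen(buffer), val()); // BAD
 }
 {
 char buffer[1024];
 
 snprintf(buffer, 1024, "long = %f\n", pi->home_longitude);
-send(val(), buffer, strlen(buffer), val()); // BAD [NOT DETECTED]
+send(val(), buffer, strlen(buffer), val()); // BAD
 }
 {
 char buffer[1024];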
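Review bot: Five direct cases in `tests2` keep their `// BAD [NOT DETECTED]` marker after this change (`socialSecurityNo`, `my_zip_code`, `my_credit_card_number`, `my_bank_account_no`, `license_key`), so the extended query still misses these spellings when they are sent in cleartext. Presumably the name patterns in PrivateData.qll and SensitiveExprs.qll do not match them; that is inferred, since neither library is shown on this page. A short comment above the block, such as `// cases still marked [NOT DETECTED] are known false negatives of the name heuristics`, would record that the gap is understood rather than overlooked. `tests2` begins in the first hunk and continues past the end of the second.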
