C++: Apply the sanitizer improvement from cpp/cleartext-storage-buffer in cpp/cleartext-storage-file and cpp/cleartext-transmission.

geoffw0 · geoffw0 · commit 946456acc244 · 2022-09-05T14:44:33.000+01:00
diff --git a/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql b/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
@@ -29,6 +29,10 @@ class FromSensitiveConfiguration extends TaintTracking::Configuration {
   override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof SensitiveExpr }
 
   override predicate isSink(DataFlow::Node sink) { any(FileWrite w).getASource() = sink.asExpr() }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    node.asExpr().getUnspecifiedType() instanceof IntegralType
+  }
 }
 
 /**
diff --git a/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql b/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
@@ -234,6 +234,10 @@ class FromSensitiveConfiguration extends TaintTracking::Configuration {
     // flow through encryption functions to the return value (in case we can reach other sinks)
     node2.asExpr().(Encrypted).(FunctionCall).getAnArgument() = node1.asExpr()
   }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    node.asExpr().getUnspecifiedType() instanceof IntegralType
+  }
 }
 
 from
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected
@@ -1,5 +1,4 @@
 edges
-| test2.cpp:52:44:52:57 | password_tries | test2.cpp:52:40:52:58 | * ... |
 | test2.cpp:62:18:62:25 | password | test2.cpp:65:31:65:34 | cpy1 |
 | test2.cpp:72:17:72:24 | password | test2.cpp:73:30:73:32 | buf |
 | test2.cpp:72:17:72:24 | password | test2.cpp:76:30:76:32 | buf |
@@ -9,8 +8,6 @@ nodes
 | test2.cpp:44:37:44:45 | thepasswd | semmle.label | thepasswd |
 | test2.cpp:45:38:45:47 | accountkey | semmle.label | accountkey |
 | test2.cpp:50:41:50:53 | passwd_config | semmle.label | passwd_config |
-| test2.cpp:52:40:52:58 | * ... | semmle.label | * ... |
-| test2.cpp:52:44:52:57 | password_tries | semmle.label | password_tries |
 | test2.cpp:54:41:54:52 | widepassword | semmle.label | widepassword |
 | test2.cpp:55:40:55:51 | widepassword | semmle.label | widepassword |
 | test2.cpp:57:39:57:49 | call to getPassword | semmle.label | call to getPassword |

Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,10 @@ class FromSensitiveConfiguration extends TaintTracking::Configuration {`
`29`	`29`	`override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof SensitiveExpr }`
`30`	`30`
`31`	`31`	`override predicate isSink(DataFlow::Node sink) { any(FileWrite w).getASource() = sink.asExpr() }`
	`32`	`+`
	`33`	`+ override predicate isSanitizer(DataFlow::Node node) {`
	`34`	`+ node.asExpr().getUnspecifiedType() instanceof IntegralType`
	`35`	`+ }`
`32`	`36`	`}`
`33`	`37`
`34`	`38`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -234,6 +234,10 @@ class FromSensitiveConfiguration extends TaintTracking::Configuration {`
`234`	`234`	`// flow through encryption functions to the return value (in case we can reach other sinks)`
`235`	`235`	`node2.asExpr().(Encrypted).(FunctionCall).getAnArgument() = node1.asExpr()`
`236`	`236`	`}`
	`237`	`+`
	`238`	`+ override predicate isSanitizer(DataFlow::Node node) {`
	`239`	`+ node.asExpr().getUnspecifiedType() instanceof IntegralType`
	`240`	`+ }`
`237`	`241`	`}`
`238`	`242`
`239`	`243`	`from`