C++: Modernize cpp/cleartext-storage-database.

Geoffrey White
2022-09-05 16:46:45 +01:00
parent 946456acc2
commit 008d583da8


@@ -13,14 +13,8 @@
import cpp import cpp
import semmle.code.cpp.security.SensitiveExprs import semmle.code.cpp.security.SensitiveExprs
import semmle.code.cpp.security.TaintTracking import semmle.code.cpp.dataflow.TaintTracking
import TaintedWithPath import DataFlow::PathGraph
class UserInputIsSensitiveExpr extends SecurityOptions {
override predicate isUserInput(Expr expr, string cause) {
expr instanceof SensitiveExpr and cause = "sensitive information"
}
}
class SqliteFunctionCall extends FunctionCall { class SqliteFunctionCall extends FunctionCall {
SqliteFunctionCall() { this.getTarget().getName().matches("sqlite%") } SqliteFunctionCall() { this.getTarget().getName().matches("sqlite%") }
@@ -34,25 +28,30 @@ predicate sqlite_encryption_used() {
any(FunctionCall fc).getTarget().getName().matches("sqlite%\\_key\\_%") any(FunctionCall fc).getTarget().getName().matches("sqlite%\\_key\\_%")
} }
class Configuration extends TaintTrackingConfiguration { /**
override predicate isSource(Expr source) { * Taint flow from a sensitive expression to a `SqliteFunctionCall` sink.
super.isSource(source) and source instanceof SensitiveExpr */
class FromSensitiveConfiguration extends TaintTracking::Configuration {
FromSensitiveConfiguration() { this = "FromSensitiveConfiguration" }
override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof SensitiveExpr }
override predicate isSink(DataFlow::Node sink) {
any(SqliteFunctionCall c).getASource() = sink.asExpr() and
not sqlite_encryption_used()
} }
override predicate isSink(Element taintedArg) { override predicate isSanitizer(DataFlow::Node node) {
exists(SqliteFunctionCall sqliteCall | node.asExpr().getUnspecifiedType() instanceof IntegralType
taintedArg = sqliteCall.getASource() and
not sqlite_encryption_used()
)
} }
} }
from from
SensitiveExpr taintSource, Expr taintedArg, SqliteFunctionCall sqliteCall, PathNode sourceNode, FromSensitiveConfiguration config, SensitiveExpr sensitive, DataFlow::PathNode source,
PathNode sinkNode DataFlow::PathNode sink, SqliteFunctionCall sqliteCall
where where
taintedWithPath(taintSource, taintedArg, sourceNode, sinkNode) and config.hasFlowPath(source, sink) and
taintedArg = sqliteCall.getASource() source.getNode().asExpr() = sensitive and
select sqliteCall, sourceNode, sinkNode, sqliteCall.getASource() = sink.getNode().asExpr()
"This SQLite call may store $@ in a non-encrypted SQLite database", taintSource, select sqliteCall, source, sink, "This SQLite call may store $@ in a non-encrypted SQLite database",
"sensitive information" sensitive, "sensitive information"