C++: Modernize cpp/cleartext-storage-database.

2025-12-22 03:36:30 +01:00 · 2022-09-05 16:46:45 +01:00
parent 946456acc2
commit 008d583da8
1 changed files with 22 additions and 23 deletions
--- a/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
+++ b/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
@@ -13,14 +13,8 @@

 import cpp
 import semmle.code.cpp.security.SensitiveExprs
-import semmle.code.cpp.security.TaintTracking
-import TaintedWithPath
-
-class UserInputIsSensitiveExpr extends SecurityOptions {
-  override predicate isUserInput(Expr expr, string cause) {
-    expr instanceof SensitiveExpr and cause = "sensitive information"
-  }
-}
+import semmle.code.cpp.dataflow.TaintTracking
+import DataFlow::PathGraph

 class SqliteFunctionCall extends FunctionCall {
  SqliteFunctionCall() { this.getTarget().getName().matches("sqlite%") }
@@ -34,25 +28,30 @@ predicate sqlite_encryption_used() {
  any(FunctionCall fc).getTarget().getName().matches("sqlite%\\_key\\_%")
 }

-class Configuration extends TaintTrackingConfiguration {
-  override predicate isSource(Expr source) {
-    super.isSource(source) and source instanceof SensitiveExpr
+/**
+ * Taint flow from a sensitive expression to a `SqliteFunctionCall` sink.
+ */
+class FromSensitiveConfiguration extends TaintTracking::Configuration {
+  FromSensitiveConfiguration() { this = "FromSensitiveConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof SensitiveExpr }
+
+  override predicate isSink(DataFlow::Node sink) {
+    any(SqliteFunctionCall c).getASource() = sink.asExpr() and
+    not sqlite_encryption_used()
  }

-  override predicate isSink(Element taintedArg) {
-    exists(SqliteFunctionCall sqliteCall |
-      taintedArg = sqliteCall.getASource() and
-      not sqlite_encryption_used()
-    )
+  override predicate isSanitizer(DataFlow::Node node) {
+    node.asExpr().getUnspecifiedType() instanceof IntegralType
  }
 }

 from
-  SensitiveExpr taintSource, Expr taintedArg, SqliteFunctionCall sqliteCall, PathNode sourceNode,
-  PathNode sinkNode
+  FromSensitiveConfiguration config, SensitiveExpr sensitive, DataFlow::PathNode source,
+  DataFlow::PathNode sink, SqliteFunctionCall sqliteCall
 where
-  taintedWithPath(taintSource, taintedArg, sourceNode, sinkNode) and
-  taintedArg = sqliteCall.getASource()
-select sqliteCall, sourceNode, sinkNode,
-  "This SQLite call may store $@ in a non-encrypted SQLite database", taintSource,
-  "sensitive information"
+  config.hasFlowPath(source, sink) and
+  source.getNode().asExpr() = sensitive and
+  sqliteCall.getASource() = sink.getNode().asExpr()
+select sqliteCall, source, sink, "This SQLite call may store $@ in a non-encrypted SQLite database",
+  sensitive, "sensitive information"