C++: Use the same trick as in ExposedSystemData to catch a few more results.

cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql

@@ -39,7 +39,7 @@ class PotentiallyExposedSystemDataConfiguration extends TaintTracking::Configura
   }
 
   override predicate isSink(DataFlow::Node sink) {
-    exists(OutputWrite ow | ow.getASource() = sink.asExpr())
+    exists(OutputWrite ow | ow.getASource().getAChild*() = sink.asExpr())
   }
 }
 

cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.expected

@@ -1,4 +1,11 @@
 edges
+| tests_passwd.cpp:16:8:16:15 | call to getpwnam | tests_passwd.cpp:18:29:18:31 | pwd |
+| tests_passwd.cpp:16:8:16:15 | call to getpwnam | tests_passwd.cpp:19:26:19:28 | pwd |
 nodes
+| tests_passwd.cpp:16:8:16:15 | call to getpwnam | semmle.label | call to getpwnam |
+| tests_passwd.cpp:18:29:18:31 | pwd | semmle.label | pwd |
+| tests_passwd.cpp:19:26:19:28 | pwd | semmle.label | pwd |
 subpaths
 #select
+| tests_passwd.cpp:18:29:18:31 | pwd | tests_passwd.cpp:16:8:16:15 | call to getpwnam | tests_passwd.cpp:18:29:18:31 | pwd | This operation potentially exposes sensitive system data from $@. | tests_passwd.cpp:16:8:16:15 | call to getpwnam | call to getpwnam |
+| tests_passwd.cpp:19:26:19:28 | pwd | tests_passwd.cpp:16:8:16:15 | call to getpwnam | tests_passwd.cpp:19:26:19:28 | pwd | This operation potentially exposes sensitive system data from $@. | tests_passwd.cpp:16:8:16:15 | call to getpwnam | call to getpwnam |

cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests_passwd.cpp

@@ -15,7 +15,7 @@ void test6(char *username)
 
 	pwd = getpwnam(username);
 
-	printf("pw_passwd = %s\n", pwd->pw_passwd); // BAD [NOT DETECTED]
-	printf("pw_dir = %s\n", pwd->pw_dir); // BAD [NOT DETECTED]
+	printf("pw_passwd = %s\n", pwd->pw_passwd); // BAD
+	printf("pw_dir = %s\n", pwd->pw_dir); // BAD
 	printf("sizeof(passwd) = %i\n", sizeof(passwd)); // GOOD
 }