Merge pull request #8580 from geoffw0/privdata

C++: Port PrivateData.qll from C# and use it in cpp/cleartext-transmission
2026-04-30 19:26:02 +02:00 · 2022-03-31 10:12:46 +01:00
parent 15c54f6100 e04298d532
commit 146318dbc1
9 changed files with 233 additions and 69 deletions
--- a/cpp/ql/lib/change-notes/2022-03-28-private-data.md
+++ b/cpp/ql/lib/change-notes/2022-03-28-private-data.md
@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* A new library `semmle.code.cpp.security.PrivateData` has been added. The new library heuristically detects variables and functions dealing with sensitive private data, such as e-mail addresses and credit card numbers.
--- a/cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll
@@ -4,7 +4,7 @@

 import cpp
 import semmle.code.cpp.dataflow.TaintTracking
-import experimental.semmle.code.cpp.security.PrivateData
+import semmle.code.cpp.security.PrivateData
 import semmle.code.cpp.security.FileWrite
 import semmle.code.cpp.security.BufferWrite

--- a/cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateData.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateData.qll
@@ -1,52 +0,0 @@
-/**
- * Provides classes and predicates for identifying private data and functions for security.
- *
- * 'Private' data in general is anything that would compromise user privacy if exposed. This
- * library tries to guess where private data may either be stored in a variable or produced by a
- * function.
- *
- * This library is not concerned with credentials. See `SensitiveActions` for expressions related
- * to credentials.
- */
-
-import cpp
-
-/** A string for `match` that identifies strings that look like they represent private data. */
-private string privateNames() {
-  result =
-    [
-      // Inspired by the list on https://cwe.mitre.org/data/definitions/359.html
-      // Government identifiers, such as Social Security Numbers
-      "%social%security%number%",
-      // Contact information, such as home addresses and telephone numbers
-      "%postcode%", "%zipcode%",
-      // result = "%telephone%" or
-      // Geographic location - where the user is (or was)
-      "%latitude%", "%longitude%",
-      // Financial data - such as credit card numbers, salary, bank accounts, and debts
-      "%creditcard%", "%salary%", "%bankaccount%",
-      // Communications - e-mail addresses, private e-mail messages, SMS text messages, chat logs, etc.
-      // result = "%email%" or
-      // result = "%mobile%" or
-      "%employer%",
-      // Health - medical conditions, insurance status, prescription records
-      "%medical%"
-    ]
-}
-
-/** An expression that might contain private data. */
-abstract class PrivateDataExpr extends Expr { }
-
-/** A functiond call that might produce private data. */
-class PrivateFunctionCall extends PrivateDataExpr, FunctionCall {
-  PrivateFunctionCall() {
-    exists(string s | this.getTarget().getName().toLowerCase() = s | s.matches(privateNames()))
-  }
-}
-
-/** An access to a variable that might contain private data. */
-class PrivateVariableAccess extends PrivateDataExpr, VariableAccess {
-  PrivateVariableAccess() {
-    exists(string s | this.getTarget().getName().toLowerCase() = s | s.matches(privateNames()))
-  }
-}
--- a/cpp/ql/lib/semmle/code/cpp/security/PrivateData.qll
+++ b/cpp/ql/lib/semmle/code/cpp/security/PrivateData.qll
@@ -0,0 +1,67 @@
+/**
+ * Provides classes for heuristically identifying variables and functions that
+ * might contain or return sensitive private data.
+ *
+ * 'Private' data in general is anything that would compromise user privacy if
+ * exposed. This library tries to guess where private data may either be stored
+ * in a variable or returned by a function call.
+ *
+ * This library is not concerned with credentials. See `SensitiveExprs.qll` for
+ * expressions related to credentials.
+ */
+
+import cpp
+
+/**
+ * A string for `regexpMatch` that identifies strings that look like they
+ * represent private data.
+ */
+private string privateNames() {
+  result =
+    ".*(" +
+      // Inspired by the list on https://cwe.mitre.org/data/definitions/359.html
+      // Government identifiers, such as Social Security Numbers
+      "social.?security|" +
+      // Contact information, such as home addresses and telephone numbers
+      "post.?code|zip.?code|telephone|" +
+      // Geographic location - where the user is (or was)
+      "latitude|longitude|" +
+      // Financial data - such as credit card numbers, salary, bank accounts, and debts
+      "credit.?card|salary|bank.?account|" +
+      // Communications - e-mail addresses, private e-mail messages, SMS text messages, chat logs, etc.
+      "email|mobile|employer|" +
+      // Health - medical conditions, insurance status, prescription records
+      "medical" +
+      // ---
+      ").*"
+}
+
+/**
+ * A variable that might contain sensitive private information.
+ */
+class PrivateDataVariable extends Variable {
+  PrivateDataVariable() {
+    this.getName().toLowerCase().regexpMatch(privateNames()) and
+    not this.getUnspecifiedType() instanceof IntegralType
+  }
+}
+
+/**
+ * A function that might return sensitive private information.
+ */
+class PrivateDataFunction extends Function {
+  PrivateDataFunction() {
+    this.getName().toLowerCase().regexpMatch(privateNames()) and
+    not this.getUnspecifiedType() instanceof IntegralType
+  }
+}
+
+/**
+ * An expression whose value might be sensitive private information.
+ */
+class PrivateDataExpr extends Expr {
+  PrivateDataExpr() {
+    this.(VariableAccess).getTarget() instanceof PrivateDataVariable or
+    this.(FunctionCall).getTarget() instanceof PrivateDataFunction
+  }
+}
--- a/cpp/ql/lib/semmle/code/cpp/security/SensitiveExprs.qll
+++ b/cpp/ql/lib/semmle/code/cpp/security/SensitiveExprs.qll
@@ -1,13 +1,16 @@
 /**
 * Provides classes for heuristically identifying variables and functions that
- * might contain or return a password or other sensitive information.
+ * might contain or return a password or other credential.
+ *
+ * This library is not concerned with other kinds of sensitive private
+ * information. See `PrivateData.qll` for expressions related to that.
 */

 import cpp

 /**
 * Holds if the name `s` suggests something might contain or return a password
- * or other sensitive information.
+ * or other credential.
 */
 bindingset[s]
 private predicate suspicious(string s) {
@@ -16,7 +19,7 @@ private predicate suspicious(string s) {
 }

 /**
- * A variable that might contain a password or other sensitive information.
+ * A variable that might contain a password or other credential.
 */
 class SensitiveVariable extends Variable {
  SensitiveVariable() {
@@ -26,7 +29,7 @@ class SensitiveVariable extends Variable {
 }

 /**
- * A function that might return a password or other sensitive information.
+ * A function that might return a password or other credential.
 */
 class SensitiveFunction extends Function {
  SensitiveFunction() {
@@ -36,7 +39,7 @@ class SensitiveFunction extends Function {
 }

 /**
- * An expression whose value might be a password or other sensitive information.
+ * An expression whose value might be a password or other credential.
 */
 class SensitiveExpr extends Expr {
  SensitiveExpr() {