C++: Prepare 'CleartextSqliteDatabase.ql' for use-use flow.

This commit is contained in:
Mathias Vorreiter Pedersen
2022-12-16 17:09:58 +00:00
parent 33649ed7d3
commit 1d80e94bb4


@@ -36,16 +36,29 @@ Field getRecField(Class c) {
result = getRecField(c.getAField().getUnspecifiedType().stripType()) result = getRecField(c.getAField().getUnspecifiedType().stripType())
} }
/**
* Holds if `source` is a use of a sensitive expression `sensitive`, or
* if `source` is the output argument (with a sensitive name) of a function.
*/
predicate isSourceImpl(DataFlow::Node source, SensitiveExpr sensitive) {
[source.asExpr(), source.asDefiningArgument()] = sensitive
}
/** Holds if `sink` is an argument to an Sqlite function call `c`. */
predicate isSinkImpl(DataFlow::Node sink, SqliteFunctionCall c) {
[sink.asExpr(), sink.asIndirectExpr()] = c.getASource()
}
/** /**
* A taint flow configuration for flow from a sensitive expression to a `SqliteFunctionCall` sink. * A taint flow configuration for flow from a sensitive expression to a `SqliteFunctionCall` sink.
*/ */
class FromSensitiveConfiguration extends TaintTracking::Configuration { class FromSensitiveConfiguration extends TaintTracking::Configuration {
FromSensitiveConfiguration() { this = "FromSensitiveConfiguration" } FromSensitiveConfiguration() { this = "FromSensitiveConfiguration" }
override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof SensitiveExpr } override predicate isSource(DataFlow::Node source) { isSourceImpl(source, _) }
override predicate isSink(DataFlow::Node sink) { override predicate isSink(DataFlow::Node sink) {
any(SqliteFunctionCall c).getASource() = sink.asExpr() and isSinkImpl(sink, _) and
not sqlite_encryption_used() not sqlite_encryption_used()
} }
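Review bot: The doc comment on `isSinkImpl` says only that `sink` is an argument to the call, but the body also matches `sink.asIndirectExpr()`, so the value an argument points to is a sink as well; the comment should say so, e.g. `/** Holds if `sink` is an argument of a Sqlite function call `c`, or the value such an argument points to. */` (this also fixes "an Sqlite"). Because the direct and the indirect node of one argument can both satisfy `isSinkImpl`, the `where` clause in the last hunk (`isSinkImpl(sink.getNode(), sqliteCall)`) may report the same `sqliteCall`/`sensitive` pair twice with different sink path nodes when taint reaches both; if that shows up in results, selecting on one node kind or deduplicating on `sqliteCall` would keep each finding unique. The same consideration applies to `isSourceImpl`, whose `asExpr()` and `asDefiningArgument()` alternatives can name distinct nodes for the same `sensitive`.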
@@ -58,7 +71,7 @@ class FromSensitiveConfiguration extends TaintTracking::Configuration {
this.isSink(node) and this.isSink(node) and
// constrain `content` to a field inside the node. // constrain `content` to a field inside the node.
exists(Class c | exists(Class c |
node.asExpr().getUnspecifiedType().stripType() = c and node.getType().getUnspecifiedType().stripType() = c and
content.(DataFlow::FieldContent).getField() = getRecField(c) content.(DataFlow::FieldContent).getField() = getRecField(c)
) )
or or
@@ -72,8 +85,8 @@ from
DataFlow::PathNode sink, SqliteFunctionCall sqliteCall DataFlow::PathNode sink, SqliteFunctionCall sqliteCall
where where
config.hasFlowPath(source, sink) and config.hasFlowPath(source, sink) and
source.getNode().asExpr() = sensitive and isSourceImpl(source.getNode(), sensitive) and
sqliteCall.getASource() = sink.getNode().asExpr() isSinkImpl(sink.getNode(), sqliteCall)
select sqliteCall, source, sink, select sqliteCall, source, sink,
"This SQLite call may store $@ in a non-encrypted SQLite database.", sensitive, "This SQLite call may store $@ in a non-encrypted SQLite database.", sensitive,
"sensitive information" "sensitive information"