hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 03:06:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

C++: Prepare 'CleartextSqliteDatabase.ql' for use-use flow.

Browse Source
This commit is contained in:
Mathias Vorreiter Pedersen
2022-12-16 17:09:58 +00:00
parent 33649ed7d3
commit 1d80e94bb4
1 changed files with 18 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
View File

@@ -36,16 +36,29 @@ Field getRecField(Class c) {
result = getRecField(c.getAField().getUnspecifiedType().stripType())
}
/**
* Holds if `source` is a use of a sensitive expression `sensitive`, or
* if `source` is the output argument (with a sensitive name) of a function.
*/
predicate isSourceImpl(DataFlow::Node source, SensitiveExpr sensitive) {
[source.asExpr(), source.asDefiningArgument()] = sensitive
}
/** Holds if `sink` is an argument to an Sqlite function call `c`. */
predicate isSinkImpl(DataFlow::Node sink, SqliteFunctionCall c) {
[sink.asExpr(), sink.asIndirectExpr()] = c.getASource()
}
/**
* A taint flow configuration for flow from a sensitive expression to a `SqliteFunctionCall` sink.
*/
class FromSensitiveConfiguration extends TaintTracking::Configuration {
FromSensitiveConfiguration() { this = "FromSensitiveConfiguration" }
override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof SensitiveExpr }
override predicate isSource(DataFlow::Node source) { isSourceImpl(source, _) }
override predicate isSink(DataFlow::Node sink) {
any(SqliteFunctionCall c).getASource() = sink.asExpr() and
isSinkImpl(sink, _) and
not sqlite_encryption_used()
}
@@ -58,7 +71,7 @@ class FromSensitiveConfiguration extends TaintTracking::Configuration {
this.isSink(node) and
// constrain `content` to a field inside the node.
exists(Class c |
node.asExpr().getUnspecifiedType().stripType() = c and
node.getType().getUnspecifiedType().stripType() = c and
content.(DataFlow::FieldContent).getField() = getRecField(c)
)
or
@@ -72,8 +85,8 @@ from
DataFlow::PathNode sink, SqliteFunctionCall sqliteCall
where
config.hasFlowPath(source, sink) and
source.getNode().asExpr() = sensitive and
sqliteCall.getASource() = sink.getNode().asExpr()
isSourceImpl(source.getNode(), sensitive) and
isSinkImpl(sink.getNode(), sqliteCall)
select sqliteCall, source, sink,
"This SQLite call may store $@ in a non-encrypted SQLite database.", sensitive,
"sensitive information"