C++: Filter noisiest sources.

cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql

@@ -32,7 +32,13 @@ abstract class SystemData extends Element {
  * Data originating from the environment.
  */
 class EnvData extends SystemData {
-  EnvData() { this instanceof EnvironmentRead }
+  EnvData() {
+    // identify risky looking environment variables only
+    this.(EnvironmentRead)
+        .getEnvironmentVariable()
+        .toLowerCase()
+        .regexpMatch(".*(user|host|admin|root|home|path|http|ssl|snmp|sock|port|proxy|pass|token|crypt|key).*")
+  }
 
   override Expr getAnExpr() { result = this }
 }
@@ -64,11 +70,6 @@ class SQLConnectInfo extends SystemData {
 }
 
 private predicate posixSystemInfo(FunctionCall source, Element use) {
-  // long sysconf(int name)
-  //  - various OS / system values and limits
-  source.getTarget().hasName("sysconf") and
-  use = source
-  or
   // size_t confstr(int name, char *buf, size_t len)
   //  - various OS / system strings, such as the libc version
   // int statvfs(const char *__path, struct statvfs *__buf)

cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected

@@ -8,7 +8,6 @@ nodes
 | tests2.cpp:63:13:63:18 | call to getenv | semmle.label | call to getenv |
 | tests2.cpp:64:13:64:18 | call to getenv | semmle.label | call to getenv |
 | tests2.cpp:65:13:65:18 | call to getenv | semmle.label | call to getenv |
-| tests2.cpp:66:13:66:18 | call to getenv | semmle.label | call to getenv |
 | tests2.cpp:76:18:76:38 | call to mysql_get_client_info | semmle.label | call to mysql_get_client_info |
 | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | semmle.label | call to mysql_get_client_info |
 | tests2.cpp:79:14:79:19 | buffer | semmle.label | buffer |
@@ -22,7 +21,6 @@ subpaths
 | tests2.cpp:63:13:63:18 | call to getenv | tests2.cpp:63:13:63:18 | call to getenv | tests2.cpp:63:13:63:18 | call to getenv | This operation exposes system data from $@. | tests2.cpp:63:13:63:18 | call to getenv | call to getenv |
 | tests2.cpp:64:13:64:18 | call to getenv | tests2.cpp:64:13:64:18 | call to getenv | tests2.cpp:64:13:64:18 | call to getenv | This operation exposes system data from $@. | tests2.cpp:64:13:64:18 | call to getenv | call to getenv |
 | tests2.cpp:65:13:65:18 | call to getenv | tests2.cpp:65:13:65:18 | call to getenv | tests2.cpp:65:13:65:18 | call to getenv | This operation exposes system data from $@. | tests2.cpp:65:13:65:18 | call to getenv | call to getenv |
-| tests2.cpp:66:13:66:18 | call to getenv | tests2.cpp:66:13:66:18 | call to getenv | tests2.cpp:66:13:66:18 | call to getenv | This operation exposes system data from $@. | tests2.cpp:66:13:66:18 | call to getenv | call to getenv |
 | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | This operation exposes system data from $@. | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | call to mysql_get_client_info |
 | tests2.cpp:79:14:79:19 | buffer | tests2.cpp:76:18:76:38 | call to mysql_get_client_info | tests2.cpp:79:14:79:19 | buffer | This operation exposes system data from $@. | tests2.cpp:76:18:76:38 | call to mysql_get_client_info | call to mysql_get_client_info |
 | tests2.cpp:109:17:109:19 | ptr | tests2.cpp:107:12:107:17 | call to getenv | tests2.cpp:109:17:109:19 | ptr | This operation exposes system data from $@. | tests2.cpp:107:12:107:17 | call to getenv | call to getenv |

cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests2.cpp

@@ -63,7 +63,7 @@ void test1()
 	send(sock, getenv("HOME"), val(), val()); // BAD
 	send(sock, getenv("PATH"), val(), val()); // BAD
 	send(sock, getenv("USERNAME"), val(), val()); // BAD
-	send(sock, getenv("HARMLESS"), val(), val()); // GOOD: harmless information [FALSE POSITIVE]
+	send(sock, getenv("HARMLESS"), val(), val()); // GOOD: harmless information
 	send(sock, "HOME", val(), val()); // GOOD: not system data
 	send(sock, "PATH", val(), val()); // GOOD: not system data
 	send(sock, "USERNAME", val(), val()); // GOOD: not system data