C++: Modernize flow sources.

2026-05-01 19:55:15 +02:00 · 2022-01-27 13:08:57 +00:00
parent 1bf9c19638
commit 2e1b09fd75
2 changed files with 8 additions and 17 deletions
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
@@ -14,25 +14,17 @@
 import cpp
 import semmle.code.cpp.security.BufferWrite as BufferWrite
 import semmle.code.cpp.security.SensitiveExprs
-import semmle.code.cpp.security.Security
+import semmle.code.cpp.security.FlowSources
 import semmle.code.cpp.ir.dataflow.TaintTracking
 import DataFlow::PathGraph

-Expr exprForNode(DataFlow::Node n) {
-  n = DataFlow::exprNode(result)
-  or
-  // (similar to DefaultTaintTracking's `getNodeForExpr`)
-  n = DataFlow::definitionByReferenceNodeFromArgument(result) and
-  not argv(result.(VariableAccess).getTarget())
-}
-
 /**
 * Taint flow from user input to a buffer write.
 */
 class ToBufferConfiguration extends TaintTracking::Configuration {
  ToBufferConfiguration() { this = "ToBufferConfiguration" }

-  override predicate isSource(DataFlow::Node source) { isUserInput(exprForNode(source), _) }
+  override predicate isSource(DataFlow::Node source) { source instanceof FlowSource }

  override predicate isSink(DataFlow::Node sink) {
    exists(BufferWrite::BufferWrite w | w.getASource() = sink.asExpr())
@@ -40,14 +32,13 @@ class ToBufferConfiguration extends TaintTracking::Configuration {
 }

 from
-  ToBufferConfiguration config, BufferWrite::BufferWrite w, Expr taintSource,
-  DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode, string taintCause, SensitiveExpr dest
+  ToBufferConfiguration config, BufferWrite::BufferWrite w, DataFlow::PathNode sourceNode,
+  DataFlow::PathNode sinkNode, FlowSource source, SensitiveExpr dest
 where
  config.hasFlowPath(sourceNode, sinkNode) and
-  taintSource = exprForNode(sourceNode.getNode()) and
+  sourceNode.getNode() = source and
  w.getASource() = sinkNode.getNode().asExpr() and
-  isUserInput(taintSource, taintCause) and
  dest = w.getDest()
 select w, sourceNode, sinkNode,
-  "This write into buffer '" + dest.toString() + "' may contain unencrypted data from $@",
-  taintSource, "user input (" + taintCause + ")"
+  "This write into buffer '" + dest.toString() + "' may contain unencrypted data from $@", source,
+  "user input (" + source.getSourceType() + ")"