hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-02 12:15:17 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #7737 from geoffw0/clrtxt5

Browse Source 
C++: Upgrade cpp/cleartext-storage-file
This commit is contained in:
Geoffrey White
2022-01-25 15:09:13 +00:00
committed by GitHub
parent cc527bdecd e42d3e540a
commit 63ff17b3c1
4 changed files with 78 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
View File

@@ -2,7 +2,7 @@
* @name Cleartext storage of sensitive information in file
* @description Storing sensitive information in cleartext can expose it
* to an attacker.
* @kind problem
* @kind path-problem
* @problem.severity warning
* @security-severity 7.5
* @precision high
@@ -17,6 +17,19 @@ import semmle.code.cpp.security.SensitiveExprs
import semmle.code.cpp.security.FileWrite
import semmle.code.cpp.dataflow.DataFlow
import semmle.code.cpp.valuenumbering.GlobalValueNumbering
import semmle.code.cpp.dataflow.TaintTracking
import DataFlow::PathGraph
/**
* Taint flow from a sensitive expression to a `FileWrite` sink.
*/
class FromSensitiveConfiguration extends TaintTracking::Configuration {
FromSensitiveConfiguration() { this = "FromSensitiveConfiguration" }
override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof SensitiveExpr }
override predicate isSink(DataFlow::Node sink) { any(FileWrite w).getASource() = sink.asExpr() }
}
/**
* An operation on a filename.
@@ -43,12 +56,17 @@ predicate isFileName(GVN gvn) {
)
}
from FileWrite w, SensitiveExpr source, Expr mid, Expr dest
from
FromSensitiveConfiguration config, SensitiveExpr source, DataFlow::PathNode sourceNode, Expr mid,
DataFlow::PathNode midNode, FileWrite w, Expr dest
where
DataFlow::localFlow(DataFlow::exprNode(source), DataFlow::exprNode(mid)) and
config.hasFlowPath(sourceNode, midNode) and
sourceNode.getNode().asExpr() = source and
midNode.getNode().asExpr() = mid and
mid = w.getASource() and
dest = w.getDest() and
not isFileName(globalValueNumber(source)) and // file names are not passwords
not exists(string convChar | convChar = w.getSourceConvChar(mid) | not convChar = ["s", "S"]) // ignore things written with other conversion characters
select w, "This write into file '" + dest.toString() + "' may contain unencrypted data from $@",
source, "this source."
select w, sourceNode, midNode,
"This write into file '" + dest.toString() + "' may contain unencrypted data from $@", source,
"this source."

4
cpp/ql/src/change-notes/2022-01-24-cleartext-storage-file.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The `cpp/cleartext-storage-file` query has been upgraded with non-local taint flow and has been converted to a `path-problem` query.