C++: Add and use getRemoteSocket predicates.

2026-05-03 12:45:27 +02:00 · 2021-09-24 14:55:28 +01:00
parent 9f59bc8f7b
commit 6901d9d9c2
4 changed files with 35 additions and 3 deletions
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
@@ -43,7 +43,13 @@ class NetworkSend extends NetworkSendRecv {

  NetworkSend() { target = this.getTarget() }

-  override Expr getSocketExpr() { result = this.getArgument(0) }
+  override Expr getSocketExpr() {
+    exists(FunctionInput input, int arg |
+      target.hasSocketInput(input) and
+      input.isParameter(arg) and
+      result = this.getArgument(arg)
+    )
+  }

  override Expr getDataExpr() {
    exists(FunctionInput input, int arg |
@@ -62,7 +68,13 @@ class NetworkRecv extends NetworkSendRecv {

  NetworkRecv() { target = this.getTarget() }

-  override Expr getSocketExpr() { result = this.getArgument(0) }
+  override Expr getSocketExpr() {
+    exists(FunctionInput input, int arg |
+      target.hasSocketInput(input) and
+      input.isParameter(arg) and
+      result = this.getArgument(arg)
+    )
+  }

  override Expr getDataExpr() {
    exists(FunctionOutput output, int arg |
@@ -85,7 +97,7 @@ class SensitiveSendRecvConfiguration extends TaintTracking::Configuration {
  override predicate isSink(DataFlow::Node sink) {
    exists(NetworkSendRecv transmission |
      sink.asExpr() = transmission.getDataExpr() and
-      // a zero file descriptor is standard input, which is not interesting for this query.
+      // a zero socket descriptor is standard input, which is not interesting for this query.
      not exists(Zero zero |
        DataFlow::localFlow(DataFlow::exprNode(zero),
          DataFlow::exprNode(transmission.getSocketExpr()))