C++: Pragmatic solution to include more sinks (plus autoformat changes).

cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql

@@ -296,17 +296,20 @@ class ExposedSystemDataConfiguration extends TaintTracking::Configuration {
     exists(FunctionCall fc, FunctionInput input, int arg |
       fc.getTarget().(RemoteFlowSinkFunction).hasRemoteFlowSink(input, _) and
       input.isParameterDeref(arg) and
-      fc.getArgument(arg) = sink.asExpr()
+      fc.getArgument(arg).getAChild*() = sink.asExpr()
     )
   }
 }
 
 from ExposedSystemDataConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
-and not exists(DataFlow::Node alt | // remove duplicate results on conversions
-  config.hasFlow(source.getNode(), alt) and
-  alt.asConvertedExpr() = sink.getNode().asExpr() and
-  alt != sink.getNode()
-)
+where
+  config.hasFlowPath(source, sink) and
+  not exists(
+    DataFlow::Node alt // remove duplicate results on conversions
+  |
+    config.hasFlow(source.getNode(), alt) and
+    alt.asConvertedExpr() = sink.getNode().asExpr() and
+    alt != sink.getNode()
+  )
 select sink, source, sink, "This operation exposes system data from $@.", source,
   source.getNode().toString()

cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected

@@ -6,6 +6,7 @@ edges
 | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | tests2.cpp:78:14:78:34 | call to mysql_get_client_info |
 | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | tests2.cpp:78:14:78:34 | call to mysql_get_client_info |
 | tests2.cpp:89:42:89:45 | str1 | tests2.cpp:91:14:91:17 | str1 |
+| tests2.cpp:99:8:99:15 | call to getpwuid | tests2.cpp:100:14:100:15 | pw |
 | tests2.cpp:107:3:107:4 | c1 [post update] [ptr] | tests2.cpp:109:14:109:15 | c1 [read] [ptr] |
 | tests2.cpp:107:6:107:8 | ptr [post update] | tests2.cpp:107:3:107:4 | c1 [post update] [ptr] |
 | tests2.cpp:107:12:107:17 | call to getenv | tests2.cpp:107:6:107:8 | ptr [post update] |
@@ -26,6 +27,8 @@ nodes
 | tests2.cpp:79:14:79:19 | (const char *)... | semmle.label | (const char *)... |
 | tests2.cpp:89:42:89:45 | str1 | semmle.label | str1 |
 | tests2.cpp:91:14:91:17 | str1 | semmle.label | str1 |
+| tests2.cpp:99:8:99:15 | call to getpwuid | semmle.label | call to getpwuid |
+| tests2.cpp:100:14:100:15 | pw | semmle.label | pw |
 | tests2.cpp:107:3:107:4 | c1 [post update] [ptr] | semmle.label | c1 [post update] [ptr] |
 | tests2.cpp:107:6:107:8 | ptr [post update] | semmle.label | ptr [post update] |
 | tests2.cpp:107:12:107:17 | call to getenv | semmle.label | call to getenv |
@@ -40,4 +43,5 @@ subpaths
 | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | This operation exposes system data from $@. | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | call to mysql_get_client_info |
 | tests2.cpp:79:14:79:19 | (const char *)... | tests2.cpp:76:18:76:38 | call to mysql_get_client_info | tests2.cpp:79:14:79:19 | (const char *)... | This operation exposes system data from $@. | tests2.cpp:76:18:76:38 | call to mysql_get_client_info | call to mysql_get_client_info |
 | tests2.cpp:91:14:91:17 | str1 | tests2.cpp:89:42:89:45 | str1 | tests2.cpp:91:14:91:17 | str1 | This operation exposes system data from $@. | tests2.cpp:89:42:89:45 | str1 | str1 |
+| tests2.cpp:100:14:100:15 | pw | tests2.cpp:99:8:99:15 | call to getpwuid | tests2.cpp:100:14:100:15 | pw | This operation exposes system data from $@. | tests2.cpp:99:8:99:15 | call to getpwuid | call to getpwuid |
 | tests2.cpp:109:14:109:19 | (const char *)... | tests2.cpp:107:12:107:17 | call to getenv | tests2.cpp:109:14:109:19 | (const char *)... | This operation exposes system data from $@. | tests2.cpp:107:12:107:17 | call to getenv | call to getenv |

cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests2.cpp

@@ -97,7 +97,7 @@ void test1()
 		passwd *pw;
 
 		pw = getpwuid(val());
-		send(sock, pw->pw_passwd, val(), val()); // BAD [NOT DETECTED]
+		send(sock, pw->pw_passwd, val(), val()); // BAD
 	}
 
 	// tests for containers