hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 19:26:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

C++: Update UnsafeDaclSecurityDescriptor with DataFlow::ConfigSig

Browse Source
This commit is contained in:
Jeroen Ketema
2023-03-08 14:55:03 +01:00
parent 7fe1a9431c
commit 8253f2d343
1 changed files with 13 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
View File

@@ -15,7 +15,6 @@
import cpp
import semmle.code.cpp.ir.dataflow.DataFlow
import semmle.code.cpp.ir.dataflow.DataFlow2
/**
* A function call to SetSecurityDescriptorDacl to set the ACL, specified by (2nd argument) bDaclPresent = TRUE
@@ -30,26 +29,24 @@ class SetSecurityDescriptorDaclFunctionCall extends FunctionCall {
/**
* Dataflow that detects a call to SetSecurityDescriptorDacl with a NULL DACL as the pDacl argument
*/
class NullDaclConfig extends DataFlow::Configuration {
NullDaclConfig() { this = "NullDaclConfig" }
module NullDaclConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source.asExpr() instanceof NullValue }
override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof NullValue }
override predicate isSink(DataFlow::Node sink) {
predicate isSink(DataFlow::Node sink) {
exists(SetSecurityDescriptorDaclFunctionCall call, VariableAccess val | val = sink.asExpr() |
val = call.getArgument(2)
)
}
}
module NullDaclFlow = DataFlow::Make<NullDaclConfig>;
/**
* Dataflow that detects a call to SetSecurityDescriptorDacl with a pDacl
* argument that's _not_ likely to be NULL.
*/
class NonNullDaclConfig extends DataFlow2::Configuration {
NonNullDaclConfig() { this = "NonNullDaclConfig" }
override predicate isSource(DataFlow::Node source) {
module NonNullDaclConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source.getType().getUnspecifiedType().(PointerType).getBaseType() =
any(Type t | t.getName() = "ACL").getUnspecifiedType() and
(
@@ -68,11 +65,13 @@ class NonNullDaclConfig extends DataFlow2::Configuration {
)
}
override predicate isSink(DataFlow::Node sink) {
predicate isSink(DataFlow::Node sink) {
exists(SetSecurityDescriptorDaclFunctionCall call | sink.asExpr() = call.getArgument(2))
}
}
module NonNullDaclFlow = DataFlow::Make<NonNullDaclConfig>;
from SetSecurityDescriptorDaclFunctionCall call, string message
where
exists(NullValue nullExpr |
@@ -83,13 +82,13 @@ where
call.getArgument(2) = nullExpr
)
or
exists(VariableAccess var, NullDaclConfig nullDaclConfig, NonNullDaclConfig nonNullDaclConfig |
exists(VariableAccess var |
message =
"Setting a DACL to NULL in a SECURITY_DESCRIPTOR using variable " + var +
" that is set to NULL will result in an unprotected object."
|
var = call.getArgument(2) and
nullDaclConfig.hasFlowToExpr(var) and
not nonNullDaclConfig.hasFlowToExpr(var)
NullDaclFlow::hasFlowToExpr(var) and
not NonNullDaclFlow::hasFlowToExpr(var)
)
select call, message