diff --git a/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql b/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql index c1c70119551..36106b16c9f 100644 --- a/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql +++ b/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql @@ -45,8 +45,12 @@ predicate isSourceImpl(DataFlow::Node source, SensitiveExpr sensitive) { } /** Holds if `sink` is an argument to an Sqlite function call `c`. */ -predicate isSinkImpl(DataFlow::Node sink, SqliteFunctionCall c) { - [sink.asExpr(), sink.asIndirectExpr()] = c.getASource() +predicate isSinkImpl(DataFlow::Node sink, SqliteFunctionCall c, Type t) { + exists(Expr e | + e = c.getASource() and + e = [sink.asExpr(), sink.asIndirectExpr()] and + t = e.getUnspecifiedType() + ) } /** @@ -58,7 +62,7 @@ class FromSensitiveConfiguration extends TaintTracking::Configuration { override predicate isSource(DataFlow::Node source) { isSourceImpl(source, _) } override predicate isSink(DataFlow::Node sink) { - isSinkImpl(sink, _) and + isSinkImpl(sink, _, _) and not sqlite_encryption_used() } @@ -68,15 +72,11 @@ class FromSensitiveConfiguration extends TaintTracking::Configuration { override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet content) { // flow out from fields at the sink (only). - this.isSink(node) and // constrain `content` to a field inside the node. - exists(Class c | - node.getType().getUnspecifiedType().stripType() = c and - content.(DataFlow::FieldContent).getField() = getRecField(c) + exists(Type t | + isSinkImpl(node, _, t) and + content.(DataFlow::FieldContent).getField() = getRecField(t.stripType()) ) - or - // any default implicit reads - super.allowImplicitRead(node, content) } } @@ -86,7 +86,7 @@ from where config.hasFlowPath(source, sink) and isSourceImpl(source.getNode(), sensitive) and - isSinkImpl(sink.getNode(), sqliteCall) + isSinkImpl(sink.getNode(), sqliteCall, _) select sqliteCall, source, sink, "This SQLite call may store $@ in a non-encrypted SQLite database.", sensitive, "sensitive information"