Merge pull request #11768 from MathiasVP/fix-implicit-reads-in-cleartext-sqlite-database

C++: Fix implicit reads on `cpp/cleartext-storage-database`
2025-12-23 20:26:32 +01:00 · 2022-12-22 13:47:10 +00:00
parent e86e3ec3ec 273af3cbf1
commit 83d751b287
1 changed files with 11 additions and 11 deletions
--- a/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
+++ b/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
@@ -45,8 +45,12 @@ predicate isSourceImpl(DataFlow::Node source, SensitiveExpr sensitive) {
 }

 /** Holds if `sink` is an argument to an Sqlite function call `c`. */
-predicate isSinkImpl(DataFlow::Node sink, SqliteFunctionCall c) {
-  [sink.asExpr(), sink.asIndirectExpr()] = c.getASource()
+predicate isSinkImpl(DataFlow::Node sink, SqliteFunctionCall c, Type t) {
+  exists(Expr e |
+    e = c.getASource() and
+    e = [sink.asExpr(), sink.asIndirectExpr()] and
+    t = e.getUnspecifiedType()
+  )
 }

 /**
@@ -58,7 +62,7 @@ class FromSensitiveConfiguration extends TaintTracking::Configuration {
  override predicate isSource(DataFlow::Node source) { isSourceImpl(source, _) }

  override predicate isSink(DataFlow::Node sink) {
-    isSinkImpl(sink, _) and
+    isSinkImpl(sink, _, _) and
    not sqlite_encryption_used()
  }

@@ -68,15 +72,11 @@ class FromSensitiveConfiguration extends TaintTracking::Configuration {

  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet content) {
    // flow out from fields at the sink (only).
-    this.isSink(node) and
    // constrain `content` to a field inside the node.
-    exists(Class c |
-      node.getType().getUnspecifiedType().stripType() = c and
-      content.(DataFlow::FieldContent).getField() = getRecField(c)
+    exists(Type t |
+      isSinkImpl(node, _, t) and
+      content.(DataFlow::FieldContent).getField() = getRecField(t.stripType())
    )
-    or
-    // any default implicit reads
-    super.allowImplicitRead(node, content)
  }
 }

@@ -86,7 +86,7 @@ from
 where
  config.hasFlowPath(source, sink) and
  isSourceImpl(source.getNode(), sensitive) and
-  isSinkImpl(sink.getNode(), sqliteCall)
+  isSinkImpl(sink.getNode(), sqliteCall, _)
 select sqliteCall, source, sink,
  "This SQLite call may store $@ in a non-encrypted SQLite database.", sensitive,
  "sensitive information"