C++: Fix another expression of stdin / stdout we see in practice.

2026-04-30 11:15:13 +02:00 · 2021-10-11 11:17:36 +01:00
parent d77ba020f9
commit 9c2d961ae5
3 changed files with 13 additions and 6 deletions
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
@@ -105,8 +105,8 @@ class Recv extends SendRecv instanceof RemoteFlowSourceFunction {
 * practice it usually isn't very important which query reports a result as
 * long as its reported exactly once.
 *
- * We do exclude function calls that specify a constant socket, which is
- * likely to mean standard input, standard output or a similar channel.
+ * We do exclude function calls that specify an apparently constant socket,
+ * which is likely to mean standard input, standard output or a similar channel.
 */
 abstract class NetworkSendRecv extends FunctionCall {
  SendRecv target;
@@ -125,6 +125,16 @@ abstract class NetworkSendRecv extends FunctionCall {
          v.getInitializer().getExpr() instanceof Literal and
          g = globalValueNumber(v.getAnAccess())
        )
+        or 
+        // result of a function call with literal inputs (likely constant)
+        exists(FunctionCall fc |
+          forex(Expr arg |
+            arg = fc.getAnArgument() |
+            arg instanceof Literal
+          ) and
+          g = globalValueNumber(fc)
+        )
+        // (this is far from exhaustive)
      )
    )
  }
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected
@@ -37,7 +37,6 @@ edges
 | test3.cpp:214:8:214:15 | password | test3.cpp:217:30:217:37 | password |
 | test3.cpp:214:8:214:15 | password | test3.cpp:219:15:219:26 | password_ptr |
 | test3.cpp:217:18:217:28 | call to rtn_encrypt | test3.cpp:219:15:219:26 | password_ptr |
-| test3.cpp:225:34:225:41 | password | test3.cpp:227:22:227:29 | password |
 | test3.cpp:225:34:225:41 | password | test3.cpp:228:26:228:33 | password |
 | test3.cpp:239:7:239:14 | password | test3.cpp:241:8:241:15 | password |
 | test3.cpp:239:7:239:14 | password | test3.cpp:242:8:242:15 | password |
@@ -147,7 +146,6 @@ nodes
 | test3.cpp:217:30:217:37 | password | semmle.label | password |
 | test3.cpp:219:15:219:26 | password_ptr | semmle.label | password_ptr |
 | test3.cpp:225:34:225:41 | password | semmle.label | password |
-| test3.cpp:227:22:227:29 | password | semmle.label | password |
 | test3.cpp:228:26:228:33 | password | semmle.label | password |
 | test3.cpp:239:7:239:14 | password | semmle.label | password |
 | test3.cpp:241:8:241:15 | password | semmle.label | password |
@@ -225,7 +223,6 @@ subpaths
 | test3.cpp:140:3:140:6 | call to send | test3.cpp:129:39:129:47 | password1 | test3.cpp:140:15:140:17 | ptr | This operation transmits 'ptr', which may contain unencrypted sensitive data from $@ | test3.cpp:129:39:129:47 | password1 | password1 |
 | test3.cpp:146:3:146:6 | call to send | test3.cpp:126:9:126:23 | global_password | test3.cpp:146:15:146:18 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@ | test3.cpp:126:9:126:23 | global_password | global_password |
 | test3.cpp:159:3:159:6 | call to send | test3.cpp:152:29:152:36 | password | test3.cpp:159:15:159:20 | buffer | This operation transmits 'buffer', which may contain unencrypted sensitive data from $@ | test3.cpp:152:29:152:36 | password | password |
-| test3.cpp:227:2:227:5 | call to send | test3.cpp:225:34:225:41 | password | test3.cpp:227:22:227:29 | password | This operation transmits 'password', which may contain unencrypted sensitive data from $@ | test3.cpp:225:34:225:41 | password | password |
 | test3.cpp:228:2:228:5 | call to send | test3.cpp:225:34:225:41 | password | test3.cpp:228:26:228:33 | password | This operation transmits 'password', which may contain unencrypted sensitive data from $@ | test3.cpp:225:34:225:41 | password | password |
 | test3.cpp:241:2:241:6 | call to fgets | test3.cpp:239:7:239:14 | password | test3.cpp:241:8:241:15 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@ | test3.cpp:239:7:239:14 | password | password |
 | test3.cpp:242:2:242:6 | call to fgets | test3.cpp:239:7:239:14 | password | test3.cpp:242:8:242:15 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@ | test3.cpp:239:7:239:14 | password | password |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp
@@ -224,7 +224,7 @@ int get_socket(int from);

 void test_more_stdio(const char *password)
 {
-	send(get_socket(1), password, 128, val()); // GOOD: `getsocket(1)` is probably standard output [FALSE POSITIVE]
+	send(get_socket(1), password, 128, val()); // GOOD: `getsocket(1)` is probably standard output
 	send(get_socket(val()), password, 128, val()); // BAD
 }