From d42ee7d27908f1aff202e1e45f57ea5d66df0027 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Mon, 4 Apr 2022 16:46:56 +0100
Subject: [PATCH 1/3] C++: Extend tests.

---
 .../CWE/CWE-311/semmle/tests/test3.cpp | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp
index 8af46a3921f..7eae1fdd503 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp
@@ -559,3 +559,21 @@ void tests2(person_info *pi)
 send(val(), buffer, strlen(buffer), val()); // BAD
 }
 }
+
+const char *get_home_phone();
+const char *get_home();
+const char *get_home_address();
+
+void tests3()
+{
+ const char *str;
+
+ str = get_home_phone();
+ send(val(), str, strlen(str), val()); // BAD [NOT DETECTED]
+
+ str = get_home();
+ send(val(), str, strlen(str), val()); // GOOD (probably not personal info)
+
+ str = get_home_address();
+ send(val(), str, strlen(str), val()); // BAD [NOT DETECTED]
+}

From d2e7f22d1ba46d98c1dcd31a387c2bb41aa10bee Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Mon, 4 Apr 2022 16:07:06 +0100
Subject: [PATCH 2/3] C++: Group all phone number related exprs together.

---
 cpp/ql/lib/semmle/code/cpp/security/PrivateData.qll | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/cpp/ql/lib/semmle/code/cpp/security/PrivateData.qll b/cpp/ql/lib/semmle/code/cpp/security/PrivateData.qll
index faca0d8513e..d3ebe4446d0 100644
--- a/cpp/ql/lib/semmle/code/cpp/security/PrivateData.qll
+++ b/cpp/ql/lib/semmle/code/cpp/security/PrivateData.qll
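Review bot: All three new cases in `tests3` reach the sink through a call whose name carries the private-data hint (`get_home_phone()`, `get_home_address()`), so they only exercise the function-name form of the heuristic; none of them puts the same words on a field, parameter or local, which the `person_info` cases in `tests2` above appear to cover, and none uses a camelCase spelling. Adding one camelCase getter, `const char *getHomePhone();` and then `str = getHomePhone(); send(val(), str, strlen(str), val()); // BAD`, would show whether the `.?` patterns in PrivateData.qll are matched regardless of case, which cannot be determined from this test file. The `GOOD (probably not personal info)` case is a useful negative control and should keep that label so a later pattern like `home` does not silently turn it into a finding. `tests2` begins outside the hunk.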
@@ -22,14 +22,16 @@ private string privateNames() {
 // Inspired by the list on https://cwe.mitre.org/data/definitions/359.html
 // Government identifiers, such as Social Security Numbers
 "social.?security|" +
- // Contact information, such as home addresses and telephone numbers
- "post.?code|zip.?code|telephone|" +
+ // Contact information, such as home addresses
+ "post.?code|zip.?code|" +
+ // and telephone numbers
+ "telephone|mobile|" +
 // Geographic location - where the user is (or was)
 "latitude|longitude|" +
 // Financial data - such as credit card numbers, salary, bank accounts, and debts
 "credit.?card|salary|bank.?account|" +
 // Communications - e-mail addresses, private e-mail messages, SMS text messages, chat logs, etc.
- "email|mobile|employer|" +
+ "email|employer|" +
 // Health - medical conditions, insurance status, prescription records
 "medical" +
 // ---

From 04b8306f064f34644fd2765c777f12b27732b8fc Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Mon, 4 Apr 2022 16:21:48 +0100
Subject: [PATCH 3/3] C++: Add some more patterns.

---
 .../lib/semmle/code/cpp/security/PrivateData.qll | 14 ++++++++------
 .../semmle/tests/CleartextTransmission.expected | 8 ++++++++
 .../Security/CWE/CWE-311/semmle/tests/test3.cpp | 4 ++--
 3 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/cpp/ql/lib/semmle/code/cpp/security/PrivateData.qll b/cpp/ql/lib/semmle/code/cpp/security/PrivateData.qll
index d3ebe4446d0..7bb05a25a3c 100644
--- a/cpp/ql/lib/semmle/code/cpp/security/PrivateData.qll
+++ b/cpp/ql/lib/semmle/code/cpp/security/PrivateData.qll
@@ -21,19 +21,21 @@ private string privateNames() {
 ".*(" +
 // Inspired by the list on https://cwe.mitre.org/data/definitions/359.html
 // Government identifiers, such as Social Security Numbers
- "social.?security|" +
+ "social.?security|national.?insurance|" +
 // Contact information, such as home addresses
- "post.?code|zip.?code|" +
+ "post.?code|zip.?code|home.?address|" +
 // and telephone numbers
- "telephone|mobile|" +
+ "telephone|home.?phone|mobile|fax.?no|fax.?number|" +
 // Geographic location - where the user is (or was)
 "latitude|longitude|" +
 // Financial data - such as credit card numbers, salary, bank accounts, and debts
- "credit.?card|salary|bank.?account|" +
+ "credit.?card|debit.?card|salary|bank.?account|" +
 // Communications - e-mail addresses, private e-mail messages, SMS text messages, chat logs, etc.
- "email|employer|" +
+ "email|" +
 // Health - medical conditions, insurance status, prescription records
- "medical" +
+ "birthday|birth.?date|date.?of.?birth|medical|" +
+ // Relationships - work and family
+ "employer|spouse" +
 // ---
 ").*"
 }
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected
index e1a72ea5152..1f169ec05d7 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected
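Review bot: The new `"birthday|birth.?date|date.?of.?birth|medical|" +` line sits under the comment `// Health - medical conditions, insurance status, prescription records`, but a date of birth is identity data rather than health data, so the comment now misdescribes most of that line; give the dates their own line and comment, `// Personal identifiers - dates of birth` followed by `"birthday|birth.?date|date.?of.?birth|" +`, and leave `"medical|" +` under Health. The added alternatives are all lower-case (`home.?phone`, `fax.?no`, `debit.?card`), and whether `homePhone` or `faxNo` is also caught depends on how the consumer of `privateNames()` applies the pattern, which is outside this hunk; if that match is case-sensitive, camelCase names escape and a camelCase case in test3.cpp would show it. `fax.?no` is also a short fragment inside the `.*(...).*` wrapper, so it matches unrelated names such as `fax_notify`; that may be acceptable for a heuristic, but a short comment saying so on the line would stop the next reader from "fixing" it. The predicate `privateNames()` starts before the hunk.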
@@ -96,6 +96,8 @@ edges
 | test3.cpp:532:45:532:58 | home_longitude | test3.cpp:533:15:533:20 | buffer |
 | test3.cpp:551:47:551:58 | salaryString | test3.cpp:552:15:552:20 | buffer |
 | test3.cpp:556:19:556:30 | salaryString | test3.cpp:559:15:559:20 | buffer |
+| test3.cpp:571:8:571:21 | call to get_home_phone | test3.cpp:572:14:572:16 | str |
+| test3.cpp:577:8:577:23 | call to get_home_address | test3.cpp:578:14:578:16 | str |
 | test.cpp:41:23:41:43 | cleartext password! | test.cpp:48:21:48:27 | call to encrypt |
 | test.cpp:41:23:41:43 | cleartext password! | test.cpp:48:29:48:39 | thePassword |
 | test.cpp:66:23:66:43 | cleartext password! | test.cpp:76:21:76:27 | call to encrypt |
@@ -245,6 +247,10 @@ nodes
 | test3.cpp:552:15:552:20 | buffer | semmle.label | buffer |
 | test3.cpp:556:19:556:30 | salaryString | semmle.label | salaryString |
 | test3.cpp:559:15:559:20 | buffer | semmle.label | buffer |
+| test3.cpp:571:8:571:21 | call to get_home_phone | semmle.label | call to get_home_phone |
+| test3.cpp:572:14:572:16 | str | semmle.label | str |
+| test3.cpp:577:8:577:23 | call to get_home_address | semmle.label | call to get_home_address |
+| test3.cpp:578:14:578:16 | str | semmle.label | str |
 | test.cpp:41:23:41:43 | cleartext password! | semmle.label | cleartext password! |
 | test.cpp:48:21:48:27 | call to encrypt | semmle.label | call to encrypt |
 | test.cpp:48:29:48:39 | thePassword | semmle.label | thePassword |
@@ -294,3 +300,5 @@ subpaths
 | test3.cpp:533:3:533:6 | call to send | test3.cpp:532:45:532:58 | home_longitude | test3.cpp:533:15:533:20 | buffer | This operation transmits 'buffer', which may contain unencrypted sensitive data from $@ | test3.cpp:532:45:532:58 | home_longitude | home_longitude |
 | test3.cpp:552:3:552:6 | call to send | test3.cpp:551:47:551:58 | salaryString | test3.cpp:552:15:552:20 | buffer | This operation transmits 'buffer', which may contain unencrypted sensitive data from $@ | test3.cpp:551:47:551:58 | salaryString | salaryString |
 | test3.cpp:559:3:559:6 | call to send | test3.cpp:556:19:556:30 | salaryString | test3.cpp:559:15:559:20 | buffer | This operation transmits 'buffer', which may contain unencrypted sensitive data from $@ | test3.cpp:556:19:556:30 | salaryString | salaryString |
+| test3.cpp:572:2:572:5 | call to send | test3.cpp:571:8:571:21 | call to get_home_phone | test3.cpp:572:14:572:16 | str | This operation transmits 'str', which may contain unencrypted sensitive data from $@ | test3.cpp:571:8:571:21 | call to get_home_phone | call to get_home_phone |
+| test3.cpp:578:2:578:5 | call to send | test3.cpp:577:8:577:23 | call to get_home_address | test3.cpp:578:14:578:16 | str | This operation transmits 'str', which may contain unencrypted sensitive data from $@ | test3.cpp:577:8:577:23 | call to get_home_address | call to get_home_address |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp
index 7eae1fdd503..70630bbb4c4 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp
@@ -569,11 +569,11 @@ void tests3()
 const char *str;
 
 str = get_home_phone();
- send(val(), str, strlen(str), val()); // BAD [NOT DETECTED]
+ send(val(), str, strlen(str), val()); // BAD
 
 str = get_home();
 send(val(), str, strlen(str), val()); // GOOD (probably not personal info)
 
 str = get_home_address();
- send(val(), str, strlen(str), val()); // BAD [NOT DETECTED]
+ send(val(), str, strlen(str), val()); // BAD
 }