C++: Exclude functions that don't involve buffers.

Geoffrey White
2021-06-16 17:35:00 +01:00
parent a481e5c292
commit e5147c2a1f
4 changed files with 29 additions and 21 deletions


@@ -110,7 +110,25 @@ predicate getInsecureEncryptionEvidence(FunctionCall fc, Element blame, string d
) and
// exclude calls from templates as this is rarely the right place to flag an
// issue
not fc.isFromTemplateInstantiation(_)
not fc.isFromTemplateInstantiation(_) and
(
// the function should have an input that looks like a non-constant buffer
exists(Expr e |
fc.getAnArgument() = e and
(
e.getUnspecifiedType() instanceof PointerType or
e.getUnspecifiedType() instanceof ReferenceType or
e.getUnspecifiedType() instanceof ArrayType
) and
not e.getType().isDeeplyConstBelow() and
not e.isConstant()
)
or
// or be a non-const member function of an object
fc.getTarget() instanceof MemberFunction and
not fc.getTarget() instanceof ConstMemberFunction and
not fc.getTarget().isStatic()
)
}
/**
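Review bot: The new buffer condition is evaluated only on the matched call `fc`, so a call that selects or keys the weak algorithm without passing a mutable buffer no longer counts as evidence. The updated tests show this for `DES_Set_Key(str)` (a `const char *` key, rejected by `isDeeplyConstBelow()`), `INIT_ENCRYPT_WITH_DES()`, `set_encryption_algorithm1(ALGO_DES)`, `set_encryption_algorithm2(USE_DES)` and `doEncryption(data, len, getEncryptionNameDES())`. Five false positives are traded for five misses that the tests still label BAD, and this loss of coverage is not recorded in the query itself. The predicate starts outside this hunk; its doc comment should state the limit, for example `calls that only configure the algorithm (constant, enum or const-pointer arguments, or no arguments) are not reported`. For the nested case, presumably the matched call is the inner `getEncryptionNameDES()`; also accepting `fc` when it is itself an argument of a call that satisfies the same `getAnArgument()` buffer test may recover `doEncryption(...)` without restoring the `strcmp` results, whose arguments are all const.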


@@ -3,8 +3,6 @@
| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:66:31:66:38 | ALGO_DES | invocation of macro ALGO_DES |
| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:128:4:128:24 | call to my_des_implementation | call to my_des_implementation |
| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:148:27:148:29 | DES | access of enum constant DES |
| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:176:28:176:35 | ALGO_DES | invocation of macro ALGO_DES |
| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:179:28:179:34 | USE_DES | access of enum constant USE_DES |
| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:186:38:186:45 | ALGO_DES | invocation of macro ALGO_DES |
| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:189:38:189:44 | USE_DES | access of enum constant USE_DES |
| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:242:2:242:20 | call to encrypt | call to encrypt |
@@ -12,12 +10,6 @@
| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:304:20:304:37 | call to desEncryptor | call to desEncryptor |
| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:308:5:308:19 | call to doDesEncryption | call to doDesEncryption |
| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:309:9:309:23 | call to doDesEncryption | call to doDesEncryption |
| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:325:2:325:57 | ALGO_DES | invocation of macro ALGO_DES |
| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:340:24:340:42 | ENCRYPTION_DES_NAME | invocation of macro ENCRYPTION_DES_NAME |
| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:362:24:362:43 | call to getEncryptionNameDES | call to getEncryptionNameDES |
| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:377:10:377:29 | call to getEncryptionNameDES | call to getEncryptionNameDES |
| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:387:42:387:49 | ALGO_DES | invocation of macro ALGO_DES |
| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:403:26:403:45 | call to getEncryptionNameDES | call to getEncryptionNameDES |
| test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | invocation of macro ENCRYPT_WITH_DES |
| test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test.cpp:39:2:39:31 | ENCRYPT_WITH_RC2(data,amount) | invocation of macro ENCRYPT_WITH_RC2 |
| test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test.cpp:41:2:41:32 | ENCRYPT_WITH_3DES(data,amount) | invocation of macro ENCRYPT_WITH_3DES |
@@ -31,5 +23,3 @@
| test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test.cpp:91:2:91:12 | call to encrypt3DES | call to encrypt3DES |
| test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test.cpp:92:2:92:17 | call to encryptTripleDES | call to encryptTripleDES |
| test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test.cpp:101:2:101:15 | call to do_des_encrypt | call to do_des_encrypt |
| test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test.cpp:102:2:102:12 | call to DES_Set_Key | call to DES_Set_Key |
| test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test.cpp:121:2:121:24 | INIT_ENCRYPT_WITH_DES() | invocation of macro INIT_ENCRYPT_WITH_DES |


@@ -99,7 +99,7 @@ void test_functions(void *data, size_t amount, const char *str)
DoDESEncryption(data, amount); // BAD [NOT DETECTED]
encryptDes(data, amount); // BAD [NOT DETECTED]
do_des_encrypt(data, amount); // BAD
DES_Set_Key(str); // BAD
DES_Set_Key(str); // BAD [NOT DETECTED]
DESSetKey(str); // BAD [NOT DETECTED]
Des(); // GOOD (probably nothing to do with encryption)
@@ -118,7 +118,7 @@ void my_implementation8();
void test_macros2()
{
INIT_ENCRYPT_WITH_DES(); // BAD
INIT_ENCRYPT_WITH_DES(); // BAD [NOT DETECTED]
INIT_ENCRYPT_WITH_AES(); // GOOD (good algorithm)
// ...


@@ -173,10 +173,10 @@ const char *get_algorithm3();
void do_unseen_encrypts(char *data, size_t amount, keytype key)
{
set_encryption_algorithm1(ALGO_DES); // BAD
set_encryption_algorithm1(ALGO_DES); // BAD [NOT DETECTED]
set_encryption_algorithm1(ALGO_AES); // GOOD
set_encryption_algorithm2(USE_DES); // BAD
set_encryption_algorithm2(USE_DES); // BAD [NOT DETECTED]
set_encryption_algorithm2(USE_AES); // GOOD
set_encryption_algorithm3("DES"); // BAD [NOT DETECTED]
@@ -322,7 +322,7 @@ const algorithmInfo *getEncryptionAlgorithmInfo(int algo);
void test_assert(int algo, algorithmInfo *algoInfo)
{
assert(algo != ALGO_DES); // GOOD
assert(algoInfo != getEncryptionAlgorithmInfo(ALGO_DES)); // GOOD [FALSE POSITIVE]
assert(algoInfo != getEncryptionAlgorithmInfo(ALGO_DES)); // GOOD
// ...
}
@@ -337,7 +337,7 @@ void abort(void);
void test_string_comparisons1(const char *algo_name)
{
if (strcmp(algo_name, ENCRYPTION_DES_NAME) == 0) // GOOD [FALSE POSITIVE]
if (strcmp(algo_name, ENCRYPTION_DES_NAME) == 0) // GOOD
{
abort();
}
@@ -359,7 +359,7 @@ const char *getEncryptionNameAES()
void test_string_comparisons2(const char *algo_name)
{
if (strcmp(algo_name, getEncryptionNameDES()) == 0) // GOOD [FALSE POSITIVE]
if (strcmp(algo_name, getEncryptionNameDES()) == 0) // GOOD
{
abort();
}
@@ -374,7 +374,7 @@ const char *getEncryptionName(int algo)
switch (algo)
{
case ALGO_DES:
return getEncryptionNameDES(); // GOOD [FALSE POSITIVE]
return getEncryptionNameDES(); // GOOD
case ALGO_AES:
return getEncryptionNameAES(); // GOOD
default:
@@ -384,7 +384,7 @@ const char *getEncryptionName(int algo)
void test_string_comparisons3(const char *algo_name)
{
if (strcmp(algo_name, getEncryptionName(ALGO_DES)) == 0) // GOOD [FALSE POSITIVE]
if (strcmp(algo_name, getEncryptionName(ALGO_DES)) == 0) // GOOD
{
abort();
}
@@ -400,6 +400,6 @@ void doEncryption(char *data, size_t len, const char *algorithmName);
void test_fn_in_fn(char *data, size_t len)
{
doEncryption(data, len, getEncryptionNameDES()); // BAD
doEncryption(data, len, getEncryptionNameDES()); // BAD [NOT DETECTED]
doEncryption(data, len, getEncryptionNameAES()); // GOOD
}