Merge pull request github#3189 from jbj/DefaultTaintTracking-Configuration

C++: Path explanations in DefaultTaintTracking

Author: rdmarsh2

cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql

@@ -2,7 +2,7 @@
  * @name Uncontrolled data used in path expression
  * @description Accessing paths influenced by users can allow an
  *              attacker to access unexpected resources.
- * @kind problem
+ * @kind path-problem
  * @problem.severity warning
  * @precision medium
  * @id cpp/path-injection
@@ -17,6 +17,7 @@ import cpp
 import semmle.code.cpp.security.FunctionWithWrappers
 import semmle.code.cpp.security.Security
 import semmle.code.cpp.security.TaintTracking
+import TaintedWithPath
 
 /**
  * A function for opening a file.
@@ -51,12 +52,19 @@ class FileFunction extends FunctionWithWrappers {
   override predicate interestingArg(int arg) { arg = 0 }
 }
 
+class TaintedPathConfiguration extends TaintTrackingConfiguration {
+  override predicate isSink(Element tainted) {
+    exists(FileFunction fileFunction | fileFunction.outermostWrapperFunctionCall(tainted, _))
+  }
+}
+
 from
-  FileFunction fileFunction, Expr taintedArg, Expr taintSource, string taintCause, string callChain
+  FileFunction fileFunction, Expr taintedArg, Expr taintSource, PathNode sourceNode,
+  PathNode sinkNode, string taintCause, string callChain
 where
   fileFunction.outermostWrapperFunctionCall(taintedArg, callChain) and
-  tainted(taintSource, taintedArg) and
+  taintedWithPath(taintSource, taintedArg, sourceNode, sinkNode) and
   isUserInput(taintSource, taintCause)
-select taintedArg,
+select taintedArg, sourceNode, sinkNode,
   "This argument to a file access function is derived from $@ and then passed to " + callChain,
   taintSource, "user input (" + taintCause + ")"

cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql

@@ -2,7 +2,7 @@
  * @name CGI script vulnerable to cross-site scripting
  * @description Writing user input directly to a web page
  *              allows for a cross-site scripting vulnerability.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @precision high
  * @id cpp/cgi-xss
@@ -13,6 +13,7 @@
 import cpp
 import semmle.code.cpp.commons.Environment
 import semmle.code.cpp.security.TaintTracking
+import TaintedWithPath
 
 /** A call that prints its arguments to `stdout`. */
 class PrintStdoutCall extends FunctionCall {
@@ -27,8 +28,13 @@ class QueryString extends EnvironmentRead {
   QueryString() { getEnvironmentVariable() = "QUERY_STRING" }
 }
 
-from QueryString query, PrintStdoutCall call, Element printedArg
-where
-  call.getAnArgument() = printedArg and
-  tainted(query, printedArg)
-select printedArg, "Cross-site scripting vulnerability due to $@.", query, "this query data"
+class Configuration extends TaintTrackingConfiguration {
+  override predicate isSink(Element tainted) {
+    exists(PrintStdoutCall call | call.getAnArgument() = tainted)
+  }
+}
+
+from QueryString query, Element printedArg, PathNode sourceNode, PathNode sinkNode
+where taintedWithPath(query, printedArg, sourceNode, sinkNode)
+select printedArg, sourceNode, sinkNode, "Cross-site scripting vulnerability due to $@.", query,
+  "this query data"

cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql

@@ -3,7 +3,7 @@
  * @description Including user-supplied data in a SQL query without
  *              neutralizing special elements can make code vulnerable
  *              to SQL Injection.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @precision high
  * @id cpp/sql-injection
@@ -15,18 +15,27 @@ import cpp
 import semmle.code.cpp.security.Security
 import semmle.code.cpp.security.FunctionWithWrappers
 import semmle.code.cpp.security.TaintTracking
+import TaintedWithPath
 
 class SQLLikeFunction extends FunctionWithWrappers {
   SQLLikeFunction() { sqlArgument(this.getName(), _) }
 
   override predicate interestingArg(int arg) { sqlArgument(this.getName(), arg) }
 }
 
-from SQLLikeFunction runSql, Expr taintedArg, Expr taintSource, string taintCause, string callChain
+class Configuration extends TaintTrackingConfiguration {
+  override predicate isSink(Element tainted) {
+    exists(SQLLikeFunction runSql | runSql.outermostWrapperFunctionCall(tainted, _))
+  }
+}
+
+from
+  SQLLikeFunction runSql, Expr taintedArg, Expr taintSource, PathNode sourceNode, PathNode sinkNode,
+  string taintCause, string callChain
 where
   runSql.outermostWrapperFunctionCall(taintedArg, callChain) and
-  tainted(taintSource, taintedArg) and
+  taintedWithPath(taintSource, taintedArg, sourceNode, sinkNode) and
   isUserInput(taintSource, taintCause)
-select taintedArg,
+select taintedArg, sourceNode, sinkNode,
   "This argument to a SQL query function is derived from $@ and then passed to " + callChain,
   taintSource, "user input (" + taintCause + ")"

cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql

@@ -3,7 +3,7 @@
  * @description Using externally controlled strings in a process
  *              operation can allow an attacker to execute malicious
  *              commands.
- * @kind problem
+ * @kind path-problem
  * @problem.severity warning
  * @precision medium
  * @id cpp/uncontrolled-process-operation
@@ -14,13 +14,24 @@
 import cpp
 import semmle.code.cpp.security.Security
 import semmle.code.cpp.security.TaintTracking
+import TaintedWithPath
 
-from string processOperation, int processOperationArg, FunctionCall call, Expr arg, Element source
+predicate isProcessOperationExplanation(Expr arg, string processOperation) {
+  exists(int processOperationArg, FunctionCall call |
+    isProcessOperationArgument(processOperation, processOperationArg) and
+    call.getTarget().getName() = processOperation and
+    call.getArgument(processOperationArg) = arg
+  )
+}
+
+class Configuration extends TaintTrackingConfiguration {
+  override predicate isSink(Element arg) { isProcessOperationExplanation(arg, _) }
+}
+
+from string processOperation, Expr arg, Expr source, PathNode sourceNode, PathNode sinkNode
 where
-  isProcessOperationArgument(processOperation, processOperationArg) and
-  call.getTarget().getName() = processOperation and
-  call.getArgument(processOperationArg) = arg and
-  tainted(source, arg)
-select arg,
+  isProcessOperationExplanation(arg, processOperation) and
+  taintedWithPath(source, arg, sourceNode, sinkNode)
+select arg, sourceNode, sinkNode,
   "The value of this argument may come from $@ and is being passed to " + processOperation, source,
   source.toString()

cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql

@@ -2,7 +2,7 @@
  * @name Unbounded write
  * @description Buffer write operations that do not control the length
  *              of data written may overflow.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @precision medium
  * @id cpp/unbounded-write
@@ -16,6 +16,7 @@
 import semmle.code.cpp.security.BufferWrite
 import semmle.code.cpp.security.Security
 import semmle.code.cpp.security.TaintTracking
+import TaintedWithPath
 
 /*
  * --- Summary of CWE-120 alerts ---
@@ -54,32 +55,48 @@ predicate isUnboundedWrite(BufferWrite bw) {
  * }
  */
 
+/**
+ * Holds if `e` is a source buffer going into an unbounded write `bw` or a
+ * qualifier of (a qualifier of ...) such a source.
+ */
+predicate unboundedWriteSource(Expr e, BufferWrite bw) {
+  isUnboundedWrite(bw) and e = bw.getASource()
+  or
+  exists(FieldAccess fa | unboundedWriteSource(fa, bw) and e = fa.getQualifier())
+}
+
 /*
  * --- user input reach ---
  */
 
-/**
- * Identifies expressions that are potentially tainted with user
- * input.  Most of the work for this is actually done by the
- * TaintTracking library.
- */
-predicate tainted2(Expr expr, Expr inputSource, string inputCause) {
-  taintedIncludingGlobalVars(inputSource, expr, _) and
-  inputCause = inputSource.toString()
-  or
-  exists(Expr e | tainted2(e, inputSource, inputCause) |
-    // field accesses of a tainted struct are tainted
-    e = expr.(FieldAccess).getQualifier()
-  )
+class Configuration extends TaintTrackingConfiguration {
+  override predicate isSink(Element tainted) { unboundedWriteSource(tainted, _) }
+
+  override predicate taintThroughGlobals() { any() }
 }
 
 /*
  * --- put it together ---
  */
 
-from BufferWrite bw, Expr inputSource, string inputCause
+/*
+ * An unbounded write is, for example `strcpy(..., tainted)`. We're looking
+ * for a tainted source buffer of an unbounded write, where this source buffer
+ * is a sink in the taint-tracking analysis.
+ *
+ * In the case of `gets` and `scanf`, where the source buffer is implicit, the
+ * `BufferWrite` library reports the source buffer to be the same as the
+ * destination buffer. Since those destination-buffer arguments are also
+ * modeled in the taint-tracking library as being _sources_ of taint, they are
+ * in practice reported as being tainted because the `security.TaintTracking`
+ * library does not distinguish between taint going into an argument and out of
+ * an argument. Thus, we get the desired alerts.
+ */
+
+from BufferWrite bw, Expr inputSource, Expr tainted, PathNode sourceNode, PathNode sinkNode
 where
-  isUnboundedWrite(bw) and
-  tainted2(bw.getASource(), inputSource, inputCause)
-select bw, "This '" + bw.getBWDesc() + "' with input from $@ may overflow the destination.",
-  inputSource, inputCause
+  taintedWithPath(inputSource, tainted, sourceNode, sinkNode) and
+  unboundedWriteSource(tainted, bw)
+select bw, sourceNode, sinkNode,
+  "This '" + bw.getBWDesc() + "' with input from $@ may overflow the destination.", inputSource,
+  inputSource.toString()

cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql

@@ -3,7 +3,7 @@
  * @description Using externally-controlled format strings in
  *              printf-style functions can lead to buffer overflows
  *              or data representation problems.
- * @kind problem
+ * @kind path-problem
  * @problem.severity warning
  * @precision medium
  * @id cpp/tainted-format-string
@@ -16,12 +16,21 @@ import cpp
 import semmle.code.cpp.security.Security
 import semmle.code.cpp.security.FunctionWithWrappers
 import semmle.code.cpp.security.TaintTracking
+import TaintedWithPath
 
-from PrintfLikeFunction printf, Expr arg, string printfFunction, Expr userValue, string cause
+class Configuration extends TaintTrackingConfiguration {
+  override predicate isSink(Element tainted) {
+    exists(PrintfLikeFunction printf | printf.outermostWrapperFunctionCall(tainted, _))
+  }
+}
+
+from
+  PrintfLikeFunction printf, Expr arg, PathNode sourceNode, PathNode sinkNode,
+  string printfFunction, Expr userValue, string cause
 where
   printf.outermostWrapperFunctionCall(arg, printfFunction) and
-  tainted(userValue, arg) and
+  taintedWithPath(userValue, arg, sourceNode, sinkNode) and
   isUserInput(userValue, cause)
-select arg,
+select arg, sourceNode, sinkNode,
   "The value of this argument may come from $@ and is being used as a formatting argument to " +
     printfFunction, userValue, cause

cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.ql

@@ -3,7 +3,7 @@
  * @description Using externally-controlled format strings in
  *              printf-style functions can lead to buffer overflows
  *              or data representation problems.
- * @kind problem
+ * @kind path-problem
  * @problem.severity warning
  * @precision medium
  * @id cpp/tainted-format-string-through-global
@@ -16,15 +16,24 @@ import cpp
 import semmle.code.cpp.security.FunctionWithWrappers
 import semmle.code.cpp.security.Security
 import semmle.code.cpp.security.TaintTracking
+import TaintedWithPath
+
+class Configuration extends TaintTrackingConfiguration {
+  override predicate isSink(Element tainted) {
+    exists(PrintfLikeFunction printf | printf.outermostWrapperFunctionCall(tainted, _))
+  }
+
+  override predicate taintThroughGlobals() { any() }
+}
 
 from
-  PrintfLikeFunction printf, Expr arg, string printfFunction, Expr userValue, string cause,
-  string globalVar
+  PrintfLikeFunction printf, Expr arg, PathNode sourceNode, PathNode sinkNode,
+  string printfFunction, Expr userValue, string cause
 where
   printf.outermostWrapperFunctionCall(arg, printfFunction) and
-  not tainted(_, arg) and
-  taintedIncludingGlobalVars(userValue, arg, globalVar) and
+  not taintedWithoutGlobals(arg) and
+  taintedWithPath(userValue, arg, sourceNode, sinkNode) and
   isUserInput(userValue, cause)
-select arg,
-  "This value may flow through $@, originating from $@, and is a formatting argument to " +
-    printfFunction + ".", globalVarFromId(globalVar), globalVar, userValue, cause
+select arg, sourceNode, sinkNode,
+  "The value of this argument may come from $@ and is being used as a formatting argument to " +
+    printfFunction, userValue, cause

cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql

@@ -2,7 +2,7 @@
  * @name Uncontrolled data in arithmetic expression
  * @description Arithmetic operations on uncontrolled data that is not
  *              validated can cause overflows.
- * @kind problem
+ * @kind path-problem
  * @problem.severity warning
  * @precision medium
  * @id cpp/uncontrolled-arithmetic
@@ -15,6 +15,7 @@ import cpp
 import semmle.code.cpp.security.Overflow
 import semmle.code.cpp.security.Security
 import semmle.code.cpp.security.TaintTracking
+import TaintedWithPath
 
 predicate isRandCall(FunctionCall fc) { fc.getTarget().getName() = "rand" }
 
@@ -40,29 +41,40 @@ class SecurityOptionsArith extends SecurityOptions {
   }
 }
 
-predicate taintedVarAccess(Expr origin, VariableAccess va) {
-  isUserInput(origin, _) and
-  tainted(origin, va)
+predicate isDiv(VariableAccess va) { exists(AssignDivExpr div | div.getLValue() = va) }
+
+predicate missingGuard(VariableAccess va, string effect) {
+  exists(Operation op | op.getAnOperand() = va |
+    missingGuardAgainstUnderflow(op, va) and effect = "underflow"
+    or
+    missingGuardAgainstOverflow(op, va) and effect = "overflow"
+  )
+}
+
+class Configuration extends TaintTrackingConfiguration {
+  override predicate isSink(Element e) {
+    isDiv(e)
+    or
+    missingGuard(e, _)
+  }
 }
 
 /**
  * A value that undergoes division is likely to be bounded within a safe
  * range.
  */
 predicate guardedByAssignDiv(Expr origin) {
-  isUserInput(origin, _) and
-  exists(AssignDivExpr div, VariableAccess va | tainted(origin, va) and div.getLValue() = va)
+  exists(VariableAccess va |
+    taintedWithPath(origin, va, _, _) and
+    isDiv(va)
+  )
 }
 
-from Expr origin, Operation op, VariableAccess va, string effect
+from Expr origin, VariableAccess va, string effect, PathNode sourceNode, PathNode sinkNode
 where
-  taintedVarAccess(origin, va) and
-  op.getAnOperand() = va and
-  (
-    missingGuardAgainstUnderflow(op, va) and effect = "underflow"
-    or
-    missingGuardAgainstOverflow(op, va) and effect = "overflow"
-  ) and
+  taintedWithPath(origin, va, sourceNode, sinkNode) and
+  missingGuard(va, effect) and
   not guardedByAssignDiv(origin)
-select va, "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".",
-  origin, "Uncontrolled value"
+select va, sourceNode, sinkNode,
+  "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".", origin,
+  "Uncontrolled value"