C++: Path explanations in the last two queries

jbj · jbj · commit 58366b19e920 · 2020-04-04T16:47:06.000+02:00
For some reason I thought that these two queries were special because
they manipulate `SecurityOptions` to change the taint-tracking sources.
It turns out it was just the opposite: the queries used to be special
because they invalidated the cache for the `tainted` predicate, but that
predicate is no longer used, so these queries are no longer special.
diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
@@ -2,7 +2,7 @@
  * @name Uncontrolled data in arithmetic expression
  * @description Arithmetic operations on uncontrolled data that is not
  *              validated can cause overflows.
- * @kind problem
+ * @kind path-problem
  * @problem.severity warning
  * @precision medium
  * @id cpp/uncontrolled-arithmetic
@@ -15,6 +15,7 @@ import cpp
 import semmle.code.cpp.security.Overflow
 import semmle.code.cpp.security.Security
 import semmle.code.cpp.security.TaintTracking
+import TaintedWithPath
 
 predicate isRandCall(FunctionCall fc) { fc.getTarget().getName() = "rand" }
 
@@ -40,29 +41,40 @@ class SecurityOptionsArith extends SecurityOptions {
   }
 }
 
-predicate taintedVarAccess(Expr origin, VariableAccess va) {
-  isUserInput(origin, _) and
-  tainted(origin, va)
+predicate isDiv(VariableAccess va) { exists(AssignDivExpr div | div.getLValue() = va) }
+
+predicate missingGuard(VariableAccess va, string effect) {
+  exists(Operation op | op.getAnOperand() = va |
+    missingGuardAgainstUnderflow(op, va) and effect = "underflow"
+    or
+    missingGuardAgainstOverflow(op, va) and effect = "overflow"
+  )
+}
+
+class Configuration extends TaintTrackingConfiguration {
+  override predicate isSink(Element e) {
+    isDiv(e)
+    or
+    missingGuard(e, _)
+  }
 }
 
 /**
  * A value that undergoes division is likely to be bounded within a safe
  * range.
  */
 predicate guardedByAssignDiv(Expr origin) {
-  isUserInput(origin, _) and
-  exists(AssignDivExpr div, VariableAccess va | tainted(origin, va) and div.getLValue() = va)
+  exists(VariableAccess va |
+    taintedWithPath(origin, va, _, _) and
+    isDiv(va)
+  )
 }
 
-from Expr origin, Operation op, VariableAccess va, string effect
+from Expr origin, VariableAccess va, string effect, PathNode sourceNode, PathNode sinkNode
 where
-  taintedVarAccess(origin, va) and
-  op.getAnOperand() = va and
-  (
-    missingGuardAgainstUnderflow(op, va) and effect = "underflow"
-    or
-    missingGuardAgainstOverflow(op, va) and effect = "overflow"
-  ) and
+  taintedWithPath(origin, va, sourceNode, sinkNode) and
+  missingGuard(va, effect) and
   not guardedByAssignDiv(origin)
-select va, "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".",
-  origin, "Uncontrolled value"
+select va, sourceNode, sinkNode,
+  "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".", origin,
+  "Uncontrolled value"
diff --git a/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql b/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
@@ -2,7 +2,7 @@
  * @name Cleartext storage of sensitive information in an SQLite database
  * @description Storing sensitive information in a non-encrypted
  *              database can expose it to an attacker.
- * @kind problem
+ * @kind path-problem
  * @problem.severity warning
  * @precision medium
  * @id cpp/cleartext-storage-database
@@ -13,6 +13,7 @@
 import cpp
 import semmle.code.cpp.security.SensitiveExprs
 import semmle.code.cpp.security.TaintTracking
+import TaintedWithPath
 
 class UserInputIsSensitiveExpr extends SecurityOptions {
   override predicate isUserInput(Expr expr, string cause) {
@@ -32,10 +33,21 @@ predicate sqlite_encryption_used() {
   any(FunctionCall fc).getTarget().getName().matches("sqlite%\\_key\\_%")
 }
 
-from SensitiveExpr taintSource, Expr taintedArg, SqliteFunctionCall sqliteCall
+class Configuration extends TaintTrackingConfiguration {
+  override predicate isSink(Element taintedArg) {
+    exists(SqliteFunctionCall sqliteCall |
+      taintedArg = sqliteCall.getASource() and
+      not sqlite_encryption_used()
+    )
+  }
+}
+
+from
+  SensitiveExpr taintSource, Expr taintedArg, SqliteFunctionCall sqliteCall, PathNode sourceNode,
+  PathNode sinkNode
 where
-  tainted(taintSource, taintedArg) and
-  taintedArg = sqliteCall.getASource() and
-  not sqlite_encryption_used()
-select sqliteCall, "This SQLite call may store $@ in a non-encrypted SQLite database", taintSource,
+  taintedWithPath(taintSource, taintedArg, sourceNode, sinkNode) and
+  taintedArg = sqliteCall.getASource()
+select sqliteCall, sourceNode, sinkNode,
+  "This SQLite call may store $@ in a non-encrypted SQLite database", taintSource,
   "sensitive information"
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
@@ -1,9 +1,112 @@
-| test.c:21:17:21:17 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:18:13:18:16 | call to rand | Uncontrolled value |
-| test.c:35:5:35:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:34:13:34:18 | call to rand | Uncontrolled value |
-| test.c:40:5:40:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:39:13:39:21 | ... % ... | Uncontrolled value |
-| test.c:45:5:45:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:44:13:44:16 | call to rand | Uncontrolled value |
-| test.c:56:5:56:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:54:13:54:16 | call to rand | Uncontrolled value |
-| test.c:67:5:67:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:66:13:66:16 | call to rand | Uncontrolled value |
-| test.c:77:9:77:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:75:13:75:19 | ... ^ ... | Uncontrolled value |
-| test.c:100:5:100:5 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:99:14:99:19 | call to rand | Uncontrolled value |
-| test.cpp:25:7:25:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | Uncontrolled value |
+edges
+| test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r |
+| test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r |
+| test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r |
+| test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r |
+| test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
+| test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
+| test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
+| test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
+| test.c:39:13:39:21 | ... % ... | test.c:40:5:40:5 | r |
+| test.c:39:13:39:21 | ... % ... | test.c:40:5:40:5 | r |
+| test.c:39:13:39:21 | ... % ... | test.c:40:5:40:5 | r |
+| test.c:39:13:39:21 | ... % ... | test.c:40:5:40:5 | r |
+| test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
+| test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
+| test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
+| test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
+| test.c:54:13:54:16 | call to rand | test.c:56:5:56:5 | r |
+| test.c:54:13:54:16 | call to rand | test.c:56:5:56:5 | r |
+| test.c:54:13:54:16 | call to rand | test.c:56:5:56:5 | r |
+| test.c:54:13:54:16 | call to rand | test.c:56:5:56:5 | r |
+| test.c:60:13:60:16 | call to rand | test.c:61:5:61:5 | r |
+| test.c:60:13:60:16 | call to rand | test.c:61:5:61:5 | r |
+| test.c:60:13:60:16 | call to rand | test.c:61:5:61:5 | r |
+| test.c:60:13:60:16 | call to rand | test.c:61:5:61:5 | r |
+| test.c:60:13:60:16 | call to rand | test.c:62:5:62:5 | r |
+| test.c:60:13:60:16 | call to rand | test.c:62:5:62:5 | r |
+| test.c:60:13:60:16 | call to rand | test.c:62:5:62:5 | r |
+| test.c:60:13:60:16 | call to rand | test.c:62:5:62:5 | r |
+| test.c:66:13:66:16 | call to rand | test.c:67:5:67:5 | r |
+| test.c:66:13:66:16 | call to rand | test.c:67:5:67:5 | r |
+| test.c:66:13:66:16 | call to rand | test.c:67:5:67:5 | r |
+| test.c:66:13:66:16 | call to rand | test.c:67:5:67:5 | r |
+| test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
+| test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
+| test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
+| test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
+| test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
+| test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
+| test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
+| test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
+| test.cpp:8:9:8:12 | Store | test.cpp:24:11:24:18 | call to get_rand |
+| test.cpp:8:9:8:12 | call to rand | test.cpp:8:9:8:12 | Store |
+| test.cpp:8:9:8:12 | call to rand | test.cpp:8:9:8:12 | Store |
+| test.cpp:24:11:24:18 | call to get_rand | test.cpp:25:7:25:7 | r |
+| test.cpp:24:11:24:18 | call to get_rand | test.cpp:25:7:25:7 | r |
+nodes
+| test.c:18:13:18:16 | call to rand | semmle.label | call to rand |
+| test.c:18:13:18:16 | call to rand | semmle.label | call to rand |
+| test.c:21:17:21:17 | r | semmle.label | r |
+| test.c:21:17:21:17 | r | semmle.label | r |
+| test.c:21:17:21:17 | r | semmle.label | r |
+| test.c:34:13:34:18 | call to rand | semmle.label | call to rand |
+| test.c:34:13:34:18 | call to rand | semmle.label | call to rand |
+| test.c:35:5:35:5 | r | semmle.label | r |
+| test.c:35:5:35:5 | r | semmle.label | r |
+| test.c:35:5:35:5 | r | semmle.label | r |
+| test.c:39:13:39:21 | ... % ... | semmle.label | ... % ... |
+| test.c:39:13:39:21 | ... % ... | semmle.label | ... % ... |
+| test.c:40:5:40:5 | r | semmle.label | r |
+| test.c:40:5:40:5 | r | semmle.label | r |
+| test.c:40:5:40:5 | r | semmle.label | r |
+| test.c:44:13:44:16 | call to rand | semmle.label | call to rand |
+| test.c:44:13:44:16 | call to rand | semmle.label | call to rand |
+| test.c:45:5:45:5 | r | semmle.label | r |
+| test.c:45:5:45:5 | r | semmle.label | r |
+| test.c:45:5:45:5 | r | semmle.label | r |
+| test.c:54:13:54:16 | call to rand | semmle.label | call to rand |
+| test.c:54:13:54:16 | call to rand | semmle.label | call to rand |
+| test.c:56:5:56:5 | r | semmle.label | r |
+| test.c:56:5:56:5 | r | semmle.label | r |
+| test.c:56:5:56:5 | r | semmle.label | r |
+| test.c:60:13:60:16 | call to rand | semmle.label | call to rand |
+| test.c:60:13:60:16 | call to rand | semmle.label | call to rand |
+| test.c:61:5:61:5 | r | semmle.label | r |
+| test.c:61:5:61:5 | r | semmle.label | r |
+| test.c:61:5:61:5 | r | semmle.label | r |
+| test.c:62:5:62:5 | r | semmle.label | r |
+| test.c:62:5:62:5 | r | semmle.label | r |
+| test.c:62:5:62:5 | r | semmle.label | r |
+| test.c:66:13:66:16 | call to rand | semmle.label | call to rand |
+| test.c:66:13:66:16 | call to rand | semmle.label | call to rand |
+| test.c:67:5:67:5 | r | semmle.label | r |
+| test.c:67:5:67:5 | r | semmle.label | r |
+| test.c:67:5:67:5 | r | semmle.label | r |
+| test.c:75:13:75:19 | ... ^ ... | semmle.label | ... ^ ... |
+| test.c:75:13:75:19 | ... ^ ... | semmle.label | ... ^ ... |
+| test.c:77:9:77:9 | r | semmle.label | r |
+| test.c:77:9:77:9 | r | semmle.label | r |
+| test.c:77:9:77:9 | r | semmle.label | r |
+| test.c:99:14:99:19 | call to rand | semmle.label | call to rand |
+| test.c:99:14:99:19 | call to rand | semmle.label | call to rand |
+| test.c:100:5:100:5 | r | semmle.label | r |
+| test.c:100:5:100:5 | r | semmle.label | r |
+| test.c:100:5:100:5 | r | semmle.label | r |
+| test.cpp:8:9:8:12 | Store | semmle.label | Store |
+| test.cpp:8:9:8:12 | call to rand | semmle.label | call to rand |
+| test.cpp:8:9:8:12 | call to rand | semmle.label | call to rand |
+| test.cpp:24:11:24:18 | call to get_rand | semmle.label | call to get_rand |
+| test.cpp:25:7:25:7 | r | semmle.label | r |
+| test.cpp:25:7:25:7 | r | semmle.label | r |
+| test.cpp:25:7:25:7 | r | semmle.label | r |
+#select
+| test.c:21:17:21:17 | r | test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:18:13:18:16 | call to rand | Uncontrolled value |
+| test.c:35:5:35:5 | r | test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:34:13:34:18 | call to rand | Uncontrolled value |
+| test.c:40:5:40:5 | r | test.c:39:13:39:21 | ... % ... | test.c:40:5:40:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:39:13:39:21 | ... % ... | Uncontrolled value |
+| test.c:45:5:45:5 | r | test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:44:13:44:16 | call to rand | Uncontrolled value |
+| test.c:56:5:56:5 | r | test.c:54:13:54:16 | call to rand | test.c:56:5:56:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:54:13:54:16 | call to rand | Uncontrolled value |
+| test.c:67:5:67:5 | r | test.c:66:13:66:16 | call to rand | test.c:67:5:67:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:66:13:66:16 | call to rand | Uncontrolled value |
+| test.c:77:9:77:9 | r | test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:75:13:75:19 | ... ^ ... | Uncontrolled value |
+| test.c:100:5:100:5 | r | test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:99:14:99:19 | call to rand | Uncontrolled value |
+| test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | Uncontrolled value |
