C++: rename and add description to hasFlowSource

rdmarsh2 · rdmarsh2 · commit d0bb5ad4e2a0 · 2020-04-20T13:25:31.000-07:00
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Fread.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Fread.qll
@@ -13,7 +13,8 @@ class Fread extends AliasFunction, RemoteFlowFunction {
 
   override predicate parameterIsAlwaysReturned(int n) { none() }
 
-  override predicate hasFlowSource(FunctionOutput output) {
-    output.isParameterDeref(0)
+  override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
+    output.isParameterDeref(0) and
+    description = "String read by " + this.getName()
   }
 }
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/Gets.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/Gets.qll
@@ -44,7 +44,8 @@ class GetsFunction extends DataFlowFunction, TaintFunction, ArrayFunction, Alias
     mustWrite = true
   }
 
-  override predicate hasFlowSource(FunctionOutput output) {
-    output.isParameterDeref(0)
+  override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
+    output.isParameterDeref(0) and
+    description = "String read by " + this.getName()
   }
 }
diff --git a/cpp/ql/src/semmle/code/cpp/models/interfaces/FlowSource.qll b/cpp/ql/src/semmle/code/cpp/models/interfaces/FlowSource.qll
@@ -14,5 +14,8 @@ import semmle.code.cpp.models.Models
  * A library function which returns data read from a network connection.
  */
 abstract class RemoteFlowFunction extends Function {
-  abstract predicate hasFlowSource(FunctionOutput output);
+  /**
+   * Holds if remote data described by `description` flows from `output` of a call to this function.
+   */
+  abstract predicate hasRemoteFlowSource(FunctionOutput output, string description);
 }
diff --git a/cpp/ql/src/semmle/code/cpp/security/FlowSources.qll b/cpp/ql/src/semmle/code/cpp/security/FlowSources.qll
@@ -9,26 +9,38 @@ import semmle.code.cpp.models.interfaces.FlowSource
 
 /** A data flow source of remote user input. */
 abstract class RemoteFlowSource extends DataFlow::Node {
+  /** Gets a string that describes the type of this remote flow source. */
+  abstract string getSourceType();
 }
 
 private class TaintedReturnSource extends RemoteFlowSource {
+  string sourceType;
   TaintedReturnSource() {
     exists(RemoteFlowFunction func, CallInstruction instr, FunctionOutput output |
       asInstruction() = instr and
       instr.getStaticCallTarget() = func and
-      func.hasFlowSource(output) and
+      func.hasRemoteFlowSource(output, sourceType) and
       output.isReturnValue()
     )
   }
+
+  override string getSourceType() {
+    result = sourceType
+  }
 }
 
 private class TaintedParameterSource extends RemoteFlowSource {
+  string sourceType;
   TaintedParameterSource() {
     exists(RemoteFlowFunction func, WriteSideEffectInstruction instr, FunctionOutput output |
       asInstruction() = instr and
       instr.getPrimaryInstruction().(CallInstruction).getStaticCallTarget() = func and
-      func.hasFlowSource(output) and
+      func.hasRemoteFlowSource(output, sourceType) and
       output.isParameterDeref(instr.getIndex())
     )
   }
+
+  override string getSourceType() {
+    result = sourceType
+  }
 }

Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,8 @@ class Fread extends AliasFunction, RemoteFlowFunction {`
`13`	`13`
`14`	`14`	`override predicate parameterIsAlwaysReturned(int n) { none() }`
`15`	`15`
`16`		`- override predicate hasFlowSource(FunctionOutput output) {`
`17`		`- output.isParameterDeref(0)`
	`16`	`+ override predicate hasRemoteFlowSource(FunctionOutput output, string description) {`
	`17`	`+ output.isParameterDeref(0) and`
	`18`	`+ description = "String read by " + this.getName()`
`18`	`19`	`}`
`19`	`20`	`}`
Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,8 @@ class GetsFunction extends DataFlowFunction, TaintFunction, ArrayFunction, Alias`
`44`	`44`	`mustWrite = true`
`45`	`45`	`}`
`46`	`46`
`47`		`- override predicate hasFlowSource(FunctionOutput output) {`
`48`		`- output.isParameterDeref(0)`
	`47`	`+ override predicate hasRemoteFlowSource(FunctionOutput output, string description) {`
	`48`	`+ output.isParameterDeref(0) and`
	`49`	`+ description = "String read by " + this.getName()`
`49`	`50`	`}`
`50`	`51`	`}`
Original file line number	Diff line number	Diff line change
`@@ -9,26 +9,38 @@ import semmle.code.cpp.models.interfaces.FlowSource`
`9`	`9`
`10`	`10`	`/** A data flow source of remote user input. */`
`11`	`11`	`abstract class RemoteFlowSource extends DataFlow::Node {`
	`12`	`+ /** Gets a string that describes the type of this remote flow source. */`
	`13`	`+ abstract string getSourceType();`
`12`	`14`	`}`
`13`	`15`
`14`	`16`	`private class TaintedReturnSource extends RemoteFlowSource {`
	`17`	`+ string sourceType;`
`15`	`18`	`TaintedReturnSource() {`
`16`	`19`	`exists(RemoteFlowFunction func, CallInstruction instr, FunctionOutput output \|`
`17`	`20`	`asInstruction() = instr and`
`18`	`21`	`instr.getStaticCallTarget() = func and`
`19`		`- func.hasFlowSource(output) and`
	`22`	`+ func.hasRemoteFlowSource(output, sourceType) and`
`20`	`23`	`output.isReturnValue()`
`21`	`24`	`)`
`22`	`25`	`}`
	`26`	`+`
	`27`	`+ override string getSourceType() {`
	`28`	`+ result = sourceType`
	`29`	`+ }`
`23`	`30`	`}`
`24`	`31`
`25`	`32`	`private class TaintedParameterSource extends RemoteFlowSource {`
	`33`	`+ string sourceType;`
`26`	`34`	`TaintedParameterSource() {`
`27`	`35`	`exists(RemoteFlowFunction func, WriteSideEffectInstruction instr, FunctionOutput output \|`
`28`	`36`	`asInstruction() = instr and`
`29`	`37`	`instr.getPrimaryInstruction().(CallInstruction).getStaticCallTarget() = func and`
`30`		`- func.hasFlowSource(output) and`
	`38`	`+ func.hasRemoteFlowSource(output, sourceType) and`
`31`	`39`	`output.isParameterDeref(instr.getIndex())`
`32`	`40`	`)`
`33`	`41`	`}`
	`42`	`+`
	`43`	`+ override string getSourceType() {`
	`44`	`+ result = sourceType`
	`45`	`+ }`
`34`	`46`	`}`