diff --git a/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql b/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
index ec78e6b63fbf..6858dffbfa87 100644
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
@@ -19,7 +19,25 @@ import semmle.code.cpp.ir.dataflow.TaintTracking
 import DataFlow::PathGraph
 
 /**
- * A taint flow configuration for flow from user input to a buffer write.
+ * A buffer write into a sensitive expression.
+ */
+class SensitiveBufferWrite extends Expr instanceof BufferWrite::BufferWrite {
+ SensitiveBufferWrite() { super.getDest() instanceof SensitiveExpr }
+
+ /**
+ * Gets a data source of this operation.
+ */
+ Expr getASource() { result = super.getASource() }
+
+ /**
+ * Gets the destination buffer of this operation.
+ */
+ Expr getDest() { result = super.getDest() }
+}
+
+/**
+ * A taint flow configuration for flow from user input to a buffer write
+ * into a sensitive expression.
 */
 class ToBufferConfiguration extends TaintTracking::Configuration {
 ToBufferConfiguration() { this = "ToBufferConfiguration" }
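Review bot: `SensitiveBufferWrite.getDest()` in this hunk is declared as returning `Expr`, so the `select` in the second hunk, which now prints `w.getDest().toString()`, is no longer restricted to a `SensitiveExpr` the way the removed `SensitiveExpr dest` / `dest = w.getDest()` pair was. If `BufferWrite::getDest()` always yields a single expression the results are unchanged, but that is not visible in this diff, and a write with several destinations could then be reported with a non-sensitive buffer name. Declaring the member as `SensitiveExpr getDest() { result = super.getDest() }` keeps the old restriction and makes the invariant from the characteristic predicate explicit. The class comment could also say in one sentence how `SensitiveExpr` decides that a destination is sensitive, since this class now defines the query's sink set.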
@@ -31,18 +49,17 @@ class ToBufferConfiguration extends TaintTracking::Configuration {
 }
 
 override predicate isSink(DataFlow::Node sink) {
- exists(BufferWrite::BufferWrite w | w.getASource() = sink.asExpr())
+ exists(SensitiveBufferWrite w | w.getASource() = sink.asExpr())
 }
 }
 
 from
- ToBufferConfiguration config, BufferWrite::BufferWrite w, DataFlow::PathNode sourceNode,
- DataFlow::PathNode sinkNode, FlowSource source, SensitiveExpr dest
+ ToBufferConfiguration config, SensitiveBufferWrite w, DataFlow::PathNode sourceNode,
+ DataFlow::PathNode sinkNode, FlowSource source
 where
 config.hasFlowPath(sourceNode, sinkNode) and
 sourceNode.getNode() = source and
- w.getASource() = sinkNode.getNode().asExpr() and
- dest = w.getDest()
+ w.getASource() = sinkNode.getNode().asExpr()
 select w, sourceNode, sinkNode,
- "This write into buffer '" + dest.toString() + "' may contain unencrypted data from $@.", source,
- "user input (" + source.getSourceType() + ")"
+ "This write into buffer '" + w.getDest().toString() + "' may contain unencrypted data from $@.",
+ source, "user input (" + source.getSourceType() + ")"