C++: New query cpp/potential-system-data-exposure #8318
Conversation
geoffw0
added
C++
depends on internal PR
cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql
Outdated
Show resolved
Hide resolved
cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql
Outdated
Show resolved
Hide resolved
cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql
Outdated
Show resolved
Hide resolved
|
DCA shows:
|
|
I think this is PR is ready, apart from merge conflicts and submodule stuff which I'll address tomorrow. |
|
LGTM! Do we want a docs review of these changes? |
Yeah, for the two @github/docs-content-codeql |
MathiasVP
added
the
ready-for-doc-review
|
|
📚 Thanks for the docs ping! 🛎️ This was added to our docs first-responder project board. A team member will be along shortly to respond. To request changes to the docs you can also open a 
|
Docs first responder here 👋 I've added this PR to our board for writer review. |
|
Not sure I'll get to reviewing this today. If not, I'll look at this tomorrow 👍🏻 |
There was a problem hiding this comment.
@geoffw0 - LGTM ✨
Approving this so that I don't block this work.
I've left a few suggestions and comments for your consideration. Feel free to ignore them if you don't agree 🙂
Also, I didn't see a change note about the new query, but I'm not sure whether all CodeQL teams are adding change notes for new queries.
cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql
Outdated
Show resolved
Hide resolved
| "qhelp.dtd"> | ||
| <qhelp> | ||
| <overview> | ||
| <p>Exposing system data or debugging information may help an adversary to learn about the system and form an attack plan. An attacker can use error messages that reveal technologies, operating systems, and product versions to tune their attack against known vulnerabilities in these technologies.</p> |
There was a problem hiding this comment.
I'd make the same changes to to this qhelp file that I suggested for the other qhelp file adversary -> malicious user, remove the to in may help an adversary to learn about, and possibly find a synonym for technologies.
I am a bit confused because the content for both seems to be exactly the same 😕
There was a problem hiding this comment.
Done.
We've essentially forked one query into two variations here, and ended up with two versions of the qhelp as well. There are slight differences reflecting the difference in focus between the two queries, most of the text remains identical.
There was a problem hiding this comment.
Thanks for explaining, it now makes more sense to me 🙂
All language teams should add a change-note for a new query. It's also done in this PR. See this commit. |
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
|
I think I've addressed all concerns / suggestions now. |
|
@MathiasVP - thanks for pointing the change note to me, I didn't see it at all 😞 |
This is a new query
cpp/potential-system-data-exposureclosely related to the existingcpp/system-data-exposure, both providing coverage of CWE-497. Roughly speaking, each result of the oldcpp/system-data-exposureis now either:cpp/system-data-exposure, if the information is exposed to a remote sink (this change was made in a previous PR).cpp/potential-system-data-exposure, if the above does not hold but the information exposed is considered especially sensitive (e.g. a password being output tostdout).This part is likely to remain
@precision medium, because some projects will consider standard output and similar channels to be safe from attackers.cpp/system-data-exposureis likely to be upgraded to@precision high, as most of those results will carry some real risk.Note that the diff is larger than the true number of changes because:
SystemData.qlllibrary, shared by both queries.LGTM results: https://lgtm.com/query/7993974152184061577/
I've also started a DCA run.