Skip to content

Commit 7819a7d

Browse files
MathiasVPMathiasVP
committed
C++: Severely restrict the set of sinks in 'cpp/cleartext-storage-database'. This reduces the number of sinks considered on the 'sysown/proxysql' from > 62000 sinks to ~1000 sinks.
1 parent fadd23a commit 7819a7d

1 file changed

Lines changed: 48 additions & 3 deletions

File tree

cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql

Lines changed: 48 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -16,10 +16,55 @@ import semmle.code.cpp.security.SensitiveExprs
1616
import semmle.code.cpp.ir.dataflow.TaintTracking
1717
import FromSensitiveFlow::PathGraph
1818

19-
class SqliteFunctionCall extends FunctionCall {
20-
SqliteFunctionCall() { this.getTarget().getName().matches("sqlite%") }
19+
abstract class SqliteFunctionCall extends FunctionCall {
20+
abstract Expr getASource();
21+
}
22+
23+
class SqliteFunctionPrepareCall extends SqliteFunctionCall {
24+
SqliteFunctionPrepareCall() { this.getTarget().getName().matches("sqlite3\\_prepare%") }
25+
26+
override Expr getASource() { result = this.getArgument(1) }
27+
}
28+
29+
class SqliteFunctionExecCall extends SqliteFunctionCall {
30+
SqliteFunctionExecCall() { this.getTarget().hasName("sqlite3_exec") }
31+
32+
override Expr getASource() { result = this.getArgument(1) }
33+
}
34+
35+
class SqliteFunctionAppendfCall extends SqliteFunctionCall {
36+
SqliteFunctionAppendfCall() {
37+
this.getTarget().getName().matches(["sqlite3_str_appendf", "sqlite3_str_vappendf"])
38+
}
39+
40+
override Expr getASource() { result = this.getArgument(any(int n | n > 0)) }
41+
}
42+
43+
class SqliteFunctionAppendNonCharCall extends SqliteFunctionCall {
44+
SqliteFunctionAppendNonCharCall() {
45+
this.getTarget().getName().matches(["sqlite3_str_append", "sqlite3_str_appendall"])
46+
}
47+
48+
override Expr getASource() { result = this.getArgument(1) }
49+
}
50+
51+
class SqliteFunctionAppendCharCall extends SqliteFunctionCall {
52+
SqliteFunctionAppendCharCall() { this.getTarget().hasName("sqlite3_str_appendchar") }
53+
54+
override Expr getASource() { result = this.getArgument(2) }
55+
}
56+
57+
class SqliteFunctionBindCall extends SqliteFunctionCall {
58+
SqliteFunctionBindCall() {
59+
this.getTarget()
60+
.getName()
61+
.matches([
62+
"sqlite3_bind_blob", "sqlite3_bind_blob64", "sqlite3_bind_text", "sqlite3_bind_text16",
63+
"sqlite3_bind_text64", "sqlite3_bind_value", "sqlite3_bind_pointer"
64+
])
65+
}
2166

22-
Expr getASource() { result = this.getAnArgument() }
67+
override Expr getASource() { result = this.getArgument(2) }
2368
}
2469

2570
predicate sqlite_encryption_used() {

0 commit comments

Comments
 (0)