@@ -252,14 +252,14 @@ class LogonUser extends SystemData {
252252 * the `regQuery` predicate concisely.
253253 */
254254private newtype TRegQueryParameter =
255- TSubKeyName ( Expr e ) or
256- TValueName ( Expr e ) or
257- TReturnData ( Expr e )
255+ TSubKeyName ( ) or
256+ TValueName ( ) or
257+ TReturnData ( )
258258
259259/**
260260 * Registry query call (`source`) with information about parameters (`param`).
261261 */
262- private predicate regQuery ( FunctionCall source , TRegQueryParameter param ) {
262+ private predicate regQuery ( FunctionCall source , TRegQueryParameter paramType , Expr param ) {
263263 // LONG WINAPI RegQueryValue(
264264 // _In_ HKEY hKey,
265265 // _In_opt_ LPCTSTR lpSubKey,
@@ -268,8 +268,9 @@ private predicate regQuery(FunctionCall source, TRegQueryParameter param) {
268268 // );
269269 source .getTarget ( ) .hasGlobalName ( [ "RegQueryValue" , "RegQueryValueA" , "RegQueryValueW" ] ) and
270270 (
271- param = TSubKeyName ( source .getArgument ( 1 ) ) or
272- param = TReturnData ( source .getArgument ( 2 ) )
271+ paramType = TSubKeyName ( ) and param = source .getArgument ( 1 )
272+ or
273+ paramType = TReturnData ( ) and param = source .getArgument ( 2 )
273274 )
274275 or
275276 // LONG WINAPI RegQueryMultipleValues(
@@ -284,7 +285,8 @@ private predicate regQuery(FunctionCall source, TRegQueryParameter param) {
284285 .hasGlobalName ( [
285286 "RegQueryMultipleValues" , "RegQueryMultipleValuesA" , "RegQueryMultipleValuesW"
286287 ] ) and
287- param = TReturnData ( source .getArgument ( 3 ) )
288+ paramType = TReturnData ( ) and
289+ param = source .getArgument ( 3 )
288290 or
289291 // LONG WINAPI RegQueryValueEx(
290292 // _In_ HKEY hKey,
@@ -296,8 +298,9 @@ private predicate regQuery(FunctionCall source, TRegQueryParameter param) {
296298 // );
297299 source .getTarget ( ) .hasGlobalName ( [ "RegQueryValueEx" , "RegQueryValueExA" , "RegQueryValueExW" ] ) and
298300 (
299- param = TValueName ( source .getArgument ( 1 ) ) or
300- param = TReturnData ( source .getArgument ( 4 ) )
301+ paramType = TValueName ( ) and param = source .getArgument ( 1 )
302+ or
303+ paramType = TReturnData ( ) and param = source .getArgument ( 4 )
301304 )
302305 or
303306 // LONG WINAPI RegGetValue(
@@ -311,25 +314,27 @@ private predicate regQuery(FunctionCall source, TRegQueryParameter param) {
311314 // );
312315 source .getTarget ( ) .hasGlobalName ( [ "RegGetValue" , "RegGetValueA" , "RegGetValueW" ] ) and
313316 (
314- param = TSubKeyName ( source .getArgument ( 1 ) ) or
315- param = TValueName ( source .getArgument ( 2 ) ) or
316- param = TReturnData ( source .getArgument ( 5 ) )
317+ paramType = TSubKeyName ( ) and param = source .getArgument ( 1 )
318+ or
319+ paramType = TValueName ( ) and param = source .getArgument ( 2 )
320+ or
321+ paramType = TReturnData ( ) and param = source .getArgument ( 5 )
317322 )
318323}
319324
320325/**
321326 * Data read from the Windows registry.
322327 */
323328class RegQuery extends SystemData {
324- RegQuery ( ) { regQuery ( this , _) }
329+ RegQuery ( ) { regQuery ( this , _, _ ) }
325330
326- override DataFlow:: Node getAnExpr ( ) { regQuery ( this , TReturnData ( result .asDefiningArgument ( ) ) ) }
331+ override DataFlow:: Node getAnExpr ( ) { regQuery ( this , TReturnData ( ) , result .asDefiningArgument ( ) ) }
327332
328333 override predicate isSensitive ( ) {
329334 exists ( Expr e |
330335 (
331- regQuery ( this , TSubKeyName ( e ) ) or
332- regQuery ( this , TValueName ( e ) )
336+ regQuery ( this , TSubKeyName ( ) , e ) or
337+ regQuery ( this , TValueName ( ) , e )
333338 ) and
334339 e .getValue ( ) .toLowerCase ( ) .regexpMatch ( ".*(pass|token|key).*" )
335340 )
0 commit comments