Merge pull request #11768 from MathiasVP/fix-implicit-reads-in-cleartext-sqlite-database

MathiasVP · web-flow · commit 83d751b28700 · 2022-12-22T13:47:10.000Z
C++: Fix implicit reads on `cpp/cleartext-storage-database`
diff --git a/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql b/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
@@ -45,8 +45,12 @@ predicate isSourceImpl(DataFlow::Node source, SensitiveExpr sensitive) {
 }
 
 /** Holds if `sink` is an argument to an Sqlite function call `c`. */
-predicate isSinkImpl(DataFlow::Node sink, SqliteFunctionCall c) {
-  [sink.asExpr(), sink.asIndirectExpr()] = c.getASource()
+predicate isSinkImpl(DataFlow::Node sink, SqliteFunctionCall c, Type t) {
+  exists(Expr e |
+    e = c.getASource() and
+    e = [sink.asExpr(), sink.asIndirectExpr()] and
+    t = e.getUnspecifiedType()
+  )
 }
 
 /**
@@ -58,7 +62,7 @@ class FromSensitiveConfiguration extends TaintTracking::Configuration {
   override predicate isSource(DataFlow::Node source) { isSourceImpl(source, _) }
 
   override predicate isSink(DataFlow::Node sink) {
-    isSinkImpl(sink, _) and
+    isSinkImpl(sink, _, _) and
     not sqlite_encryption_used()
   }
 
@@ -68,15 +72,11 @@ class FromSensitiveConfiguration extends TaintTracking::Configuration {
 
   override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet content) {
     // flow out from fields at the sink (only).
-    this.isSink(node) and
     // constrain `content` to a field inside the node.
-    exists(Class c |
-      node.getType().getUnspecifiedType().stripType() = c and
-      content.(DataFlow::FieldContent).getField() = getRecField(c)
+    exists(Type t |
+      isSinkImpl(node, _, t) and
+      content.(DataFlow::FieldContent).getField() = getRecField(t.stripType())
     )
-    or
-    // any default implicit reads
-    super.allowImplicitRead(node, content)
   }
 }
 
@@ -86,7 +86,7 @@ from
 where
   config.hasFlowPath(source, sink) and
   isSourceImpl(source.getNode(), sensitive) and
-  isSinkImpl(sink.getNode(), sqliteCall)
+  isSinkImpl(sink.getNode(), sqliteCall, _)
 select sqliteCall, source, sink,
   "This SQLite call may store $@ in a non-encrypted SQLite database.", sensitive,
   "sensitive information"
