C++: UnsafeDaclSecurityDescriptor

d10c · d10c · commit b54fad7d60a7 · 2025-07-11T14:42:47.000+02:00
diff --git a/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql b/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
@@ -38,16 +38,17 @@ module NullDaclConfig implements DataFlow::ConfigSig {
     )
   }
 
-  predicate observeDiffInformedIncrementalMode() {
-    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 91 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql@94:8:94:11)
-  }
+  predicate observeDiffInformedIncrementalMode() { any() }
 
-  Location getASelectedSourceLocation(DataFlow::Node source) {
-    none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 91 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql@94:8:94:11)
-  }
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 91 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql@94:8:94:11)
+    exists(SetSecurityDescriptorDaclFunctionCall call | result = call.getLocation() |
+      call.getArgument(1).getValue().toInt() != 0 and
+      call.getArgument(2) instanceof NullValue
+      or
+      sink.asExpr() = call.getArgument(2)
+    )
   }
 }
 
@@ -82,15 +83,7 @@ module NonNullDaclConfig implements DataFlow::ConfigSig {
   }
 
   predicate observeDiffInformedIncrementalMode() {
-    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 92 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql@94:8:94:11)
-  }
-
-  Location getASelectedSourceLocation(DataFlow::Node source) {
-    none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 92 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql@94:8:94:11)
-  }
-
-  Location getASelectedSinkLocation(DataFlow::Node sink) {
-    none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 92 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql@94:8:94:11)
+    none() // only used negatively
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -38,16 +38,17 @@ module NullDaclConfig implements DataFlow::ConfigSig {`
`38`	`38`	`)`
`39`	`39`	`}`
`40`	`40`
`41`		`- predicate observeDiffInformedIncrementalMode() {`
`42`		`- any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 91 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql@94:8:94:11)`
`43`		`- }`
	`41`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`44`	`42`
`45`		`- Location getASelectedSourceLocation(DataFlow::Node source) {`
`46`		`- none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 91 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql@94:8:94:11)`
`47`		`- }`
	`43`	`+ Location getASelectedSourceLocation(DataFlow::Node source) { none() }`
`48`	`44`
`49`	`45`	`Location getASelectedSinkLocation(DataFlow::Node sink) {`
`50`		`- none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 91 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql@94:8:94:11)`
	`46`	`+ exists(SetSecurityDescriptorDaclFunctionCall call \| result = call.getLocation() \|`
	`47`	`+ call.getArgument(1).getValue().toInt() != 0 and`
	`48`	`+ call.getArgument(2) instanceof NullValue`
	`49`	`+ or`
	`50`	`+ sink.asExpr() = call.getArgument(2)`
	`51`	`+ )`
`51`	`52`	`}`
`52`	`53`	`}`
`53`	`54`
`@@ -82,15 +83,7 @@ module NonNullDaclConfig implements DataFlow::ConfigSig {`
`82`	`83`	`}`
`83`	`84`
`84`	`85`	`predicate observeDiffInformedIncrementalMode() {`
`85`		`- any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 92 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql@94:8:94:11)`
`86`		`- }`
`87`		`-`
`88`		`- Location getASelectedSourceLocation(DataFlow::Node source) {`
`89`		`- none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 92 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql@94:8:94:11)`
`90`		`- }`
`91`		`-`
`92`		`- Location getASelectedSinkLocation(DataFlow::Node sink) {`
`93`		`- none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 92 (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql@94:8:94:11)`
	`86`	`+ none() // only used negatively`
`94`	`87`	`}`
`95`	`88`	`}`
`96`	`89`