Merge pull request #12435 from jketema/more-config

C++: Convert a number of data flow based queries to use `ConfigSig`

Author: MathiasVP

cpp/ql/src/Critical/OverflowDestination.ql

@@ -17,7 +17,7 @@ import cpp
 import semmle.code.cpp.ir.dataflow.TaintTracking
 import semmle.code.cpp.controlflow.IRGuards
 import semmle.code.cpp.security.FlowSources
-import DataFlow::PathGraph
+import OverflowDestination::PathGraph
 
 /**
  * Holds if `fc` is a call to a copy operation where the size argument contains
@@ -66,14 +66,12 @@ predicate nodeIsBarrierEqualityCandidate(DataFlow::Node node, Operand access, Va
   any(IRGuardCondition guard).ensuresEq(access, _, _, node.asInstruction().getBlock(), true)
 }
 
-class OverflowDestinationConfig extends TaintTracking::Configuration {
-  OverflowDestinationConfig() { this = "OverflowDestinationConfig" }
+module OverflowDestinationConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof FlowSource }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof FlowSource }
+  predicate isSink(DataFlow::Node sink) { sourceSized(_, sink.asIndirectConvertedExpr()) }
 
-  override predicate isSink(DataFlow::Node sink) { sourceSized(_, sink.asIndirectConvertedExpr()) }
-
-  override predicate isSanitizer(DataFlow::Node node) {
+  predicate isBarrier(DataFlow::Node node) {
     exists(Variable checkedVar |
       readsVariable(node.asInstruction(), checkedVar) and
       hasUpperBoundsCheck(checkedVar)
@@ -86,11 +84,11 @@ class OverflowDestinationConfig extends TaintTracking::Configuration {
   }
 }
 
-from
-  FunctionCall fc, OverflowDestinationConfig conf, DataFlow::PathNode source,
-  DataFlow::PathNode sink
+module OverflowDestination = TaintTracking::Make<OverflowDestinationConfig>;
+
+from FunctionCall fc, OverflowDestination::PathNode source, OverflowDestination::PathNode sink
 where
-  conf.hasFlowPath(source, sink) and
+  OverflowDestination::hasFlowPath(source, sink) and
   sourceSized(fc, sink.getNode().asIndirectConvertedExpr())
 select fc, source, sink,
   "To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size."

cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.ql

@@ -11,6 +11,6 @@
 import cpp
 import NtohlArrayNoBound
 
-from NetworkToBufferSizeConfiguration bufConfig, DataFlow::Node source, DataFlow::Node sink
-where bufConfig.hasFlow(source, sink)
+from DataFlow::Node source, DataFlow::Node sink
+where NetworkToBufferSizeFlow::hasFlow(source, sink)
 select sink, "Unchecked use of data from network function $@.", source, source.toString()

cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.qll

@@ -129,7 +129,7 @@ class NetworkFunctionCall extends FunctionCall {
   NetworkFunctionCall() { this.getTarget().hasName(["ntohd", "ntohf", "ntohl", "ntohll", "ntohs"]) }
 }
 
-class NetworkToBufferSizeConfiguration extends DataFlow::Configuration {
+deprecated class NetworkToBufferSizeConfiguration extends DataFlow::Configuration {
   NetworkToBufferSizeConfiguration() { this = "NetworkToBufferSizeConfiguration" }
 
   override predicate isSource(DataFlow::Node node) { node.asExpr() instanceof NetworkFunctionCall }
@@ -146,3 +146,19 @@ class NetworkToBufferSizeConfiguration extends DataFlow::Configuration {
     )
   }
 }
+
+private module NetworkToBufferSizeConfiguration implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node.asExpr() instanceof NetworkFunctionCall }
+
+  predicate isSink(DataFlow::Node node) { node.asExpr() = any(BufferAccess ba).getAccessedLength() }
+
+  predicate isBarrier(DataFlow::Node node) {
+    exists(GuardCondition gc, GVN gvn |
+      gc.getAChild*() = gvn.getAnExpr() and
+      globalValueNumber(node.asExpr()) = gvn and
+      gc.controls(node.asExpr().getBasicBlock(), _)
+    )
+  }
+}
+
+module NetworkToBufferSizeFlow = DataFlow::Make<NetworkToBufferSizeConfiguration>;

cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll

@@ -10,12 +10,10 @@ import ExternalAPIsSpecific
 
 /** A node representing untrusted data being passed to an external API. */
 class UntrustedExternalApiDataNode extends ExternalApiDataNode {
-  UntrustedExternalApiDataNode() { any(UntrustedDataToExternalApiConfig c).hasFlow(_, this) }
+  UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::hasFlow(_, this) }
 
   /** Gets a source of untrusted data which is passed to this external API data node. */
-  DataFlow::Node getAnUntrustedSource() {
-    any(UntrustedDataToExternalApiConfig c).hasFlow(result, this)
-  }
+  DataFlow::Node getAnUntrustedSource() { UntrustedDataToExternalApiFlow::hasFlow(result, this) }
 }
 
 /** DEPRECATED: Alias for UntrustedExternalApiDataNode */

cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll

@@ -45,7 +45,7 @@ class ExternalApiDataNode extends DataFlow::Node {
 deprecated class ExternalAPIDataNode = ExternalApiDataNode;
 
 /** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
-class UntrustedDataToExternalApiConfig extends TaintTracking::Configuration {
+deprecated class UntrustedDataToExternalApiConfig extends TaintTracking::Configuration {
   UntrustedDataToExternalApiConfig() { this = "UntrustedDataToExternalAPIConfig" }
 
   override predicate isSource(DataFlow::Node source) {
@@ -60,3 +60,17 @@ class UntrustedDataToExternalApiConfig extends TaintTracking::Configuration {
 
 /** DEPRECATED: Alias for UntrustedDataToExternalApiConfig */
 deprecated class UntrustedDataToExternalAPIConfig = UntrustedDataToExternalApiConfig;
+
+/** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
+private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    exists(RemoteFlowSourceFunction remoteFlow |
+      remoteFlow = source.asExpr().(Call).getTarget() and
+      remoteFlow.hasRemoteFlowSource(_, _)
+    )
+  }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
+}
+
+module UntrustedDataToExternalApiFlow = TaintTracking::Make<UntrustedDataToExternalApiConfig>;

cpp/ql/src/Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql

@@ -13,10 +13,10 @@ import cpp
 import semmle.code.cpp.ir.dataflow.TaintTracking
 import ir.ExternalAPIs
 import semmle.code.cpp.security.FlowSources
-import DataFlow::PathGraph
+import UntrustedDataToExternalApiFlow::PathGraph
 
-from UntrustedDataToExternalApiConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+from UntrustedDataToExternalApiFlow::PathNode source, UntrustedDataToExternalApiFlow::PathNode sink
+where UntrustedDataToExternalApiFlow::hasFlowPath(source, sink)
 select sink, source, sink,
   "Call to " + sink.getNode().(ExternalApiDataNode).getExternalFunction().toString() +
     " with untrusted data from $@.", source, source.getNode().(RemoteFlowSource).getSourceType()

cpp/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql

@@ -12,10 +12,10 @@
 import cpp
 import semmle.code.cpp.ir.dataflow.TaintTracking
 import ExternalAPIs
-import DataFlow::PathGraph
+import UntrustedDataToExternalApiFlow::PathGraph
 
-from UntrustedDataToExternalApiConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+from UntrustedDataToExternalApiFlow::PathNode source, UntrustedDataToExternalApiFlow::PathNode sink
+where UntrustedDataToExternalApiFlow::hasFlowPath(source, sink)
 select sink, source, sink,
   "Call to " + sink.getNode().(ExternalApiDataNode).getExternalFunction().toString() +
     " with untrusted data from $@.", source, source.toString()

cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll

@@ -10,12 +10,10 @@ import ExternalAPIsSpecific
 
 /** A node representing untrusted data being passed to an external API. */
 class UntrustedExternalApiDataNode extends ExternalApiDataNode {
-  UntrustedExternalApiDataNode() { any(UntrustedDataToExternalApiConfig c).hasFlow(_, this) }
+  UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::hasFlow(_, this) }
 
   /** Gets a source of untrusted data which is passed to this external API data node. */
-  DataFlow::Node getAnUntrustedSource() {
-    any(UntrustedDataToExternalApiConfig c).hasFlow(result, this)
-  }
+  DataFlow::Node getAnUntrustedSource() { UntrustedDataToExternalApiFlow::hasFlow(result, this) }
 }
 
 /** DEPRECATED: Alias for UntrustedExternalApiDataNode */

cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIsSpecific.qll

@@ -45,7 +45,7 @@ class ExternalApiDataNode extends DataFlow::Node {
 deprecated class ExternalAPIDataNode = ExternalApiDataNode;
 
 /** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
-class UntrustedDataToExternalApiConfig extends TaintTracking::Configuration {
+deprecated class UntrustedDataToExternalApiConfig extends TaintTracking::Configuration {
   UntrustedDataToExternalApiConfig() { this = "UntrustedDataToExternalAPIConfigIR" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
@@ -55,3 +55,12 @@ class UntrustedDataToExternalApiConfig extends TaintTracking::Configuration {
 
 /** DEPRECATED: Alias for UntrustedDataToExternalApiConfig */
 deprecated class UntrustedDataToExternalAPIConfig = UntrustedDataToExternalApiConfig;
+
+/** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
+private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
+}
+
+module UntrustedDataToExternalApiFlow = TaintTracking::Make<UntrustedDataToExternalApiConfig>;

cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql

@@ -17,7 +17,7 @@ import semmle.code.cpp.controlflow.IRGuards
 import semmle.code.cpp.security.FlowSources
 import semmle.code.cpp.ir.dataflow.TaintTracking
 import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
-import DataFlow::PathGraph
+import ImproperArrayIndexValidation::PathGraph
 import semmle.code.cpp.security.Security
 
 predicate hasUpperBound(VariableAccess offsetExpr) {
@@ -65,12 +65,10 @@ predicate predictableInstruction(Instruction instr) {
   predictableInstruction(instr.(UnaryInstruction).getUnary())
 }
 
-class ImproperArrayIndexValidationConfig extends TaintTracking::Configuration {
-  ImproperArrayIndexValidationConfig() { this = "ImproperArrayIndexValidationConfig" }
+module ImproperArrayIndexValidationConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { isFlowSource(source, _) }
 
-  override predicate isSource(DataFlow::Node source) { isFlowSource(source, _) }
-
-  override predicate isSanitizer(DataFlow::Node node) {
+  predicate isBarrier(DataFlow::Node node) {
     hasUpperBound(node.asExpr())
     or
     // These barriers are ported from `DefaultTaintTracking` because this query is quite noisy
@@ -107,7 +105,7 @@ class ImproperArrayIndexValidationConfig extends TaintTracking::Configuration {
     )
   }
 
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
     exists(ArrayExpr arrayExpr, VariableAccess offsetExpr |
       offsetExpr = arrayExpr.getArrayOffset() and
       sink.asExpr() = offsetExpr and
@@ -116,11 +114,13 @@ class ImproperArrayIndexValidationConfig extends TaintTracking::Configuration {
   }
 }
 
+module ImproperArrayIndexValidation = TaintTracking::Make<ImproperArrayIndexValidationConfig>;
+
 from
-  ImproperArrayIndexValidationConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink,
+  ImproperArrayIndexValidation::PathNode source, ImproperArrayIndexValidation::PathNode sink,
   string sourceType
 where
-  conf.hasFlowPath(source, sink) and
+  ImproperArrayIndexValidation::hasFlowPath(source, sink) and
   isFlowSource(source.getNode(), sourceType)
 select sink.getNode(), source, sink,
   "An array indexing expression depends on $@ that might be outside the bounds of the array.",