C++: Add models-as-data models for ZMQ networking library + wiring.

geoffw0 · geoffw0 · commit fa26b5545282 · 2024-03-28T21:50:07.000Z
diff --git a/cpp/ql/lib/semmle/code/cpp/models/Models.qll b/cpp/ql/lib/semmle/code/cpp/models/Models.qll
@@ -41,3 +41,4 @@ private import implementations.SqLite3
 private import implementations.PostgreSql
 private import implementations.System
 private import implementations.StructuredExceptionHandling
+private import implementations.ZMQ
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/ZMQ.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/ZMQ.qll
@@ -0,0 +1,36 @@
+/**
+ * Provides implementation classes modeling the ZeroMQ networking library.
+ */
+
+import semmle.code.cpp.models.interfaces.FlowSource
+
+/**
+ * Remote flow sources.
+ */
+private class ZMQSource extends SourceModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        ";;false;zmq_recv;;;Argument[*1];remote",
+        ";;false;zmq_recvmsg;;;Argument[*1];remote",
+        ";;false;zmq_msg_recv;;;Argument[*0];remote",
+      ]
+  }
+}
+
+/**
+ * Remote flow sinks.
+ */
+private class ZMQSinks extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        ";;false;zmq_send;;;Argument[*1];remote-sink",
+        ";;false;zmq_msg_init_data;;;Argument[*1];remote-sink",
+        ";;false;zmq_sendmsg;;;Argument[*1];remote-sink",
+        ";;false;zmq_msg_send;;;Argument[*0];remote-sink",
+      ]
+  }
+}
+
+        // TODO: flow into / through zmq_msg_data ?
diff --git a/cpp/ql/lib/semmle/code/cpp/security/FlowSources.qll b/cpp/ql/lib/semmle/code/cpp/security/FlowSources.qll
@@ -93,6 +93,9 @@ abstract class RemoteFlowSink extends DataFlow::Node {
   abstract string getSinkType();
 }
 
+/**
+ * A remote flow sink derived from the `RemoteFlowSinkFunction` model.
+ */
 private class RemoteParameterSink extends RemoteFlowSink {
   string sourceType;
 
@@ -106,3 +109,12 @@ private class RemoteParameterSink extends RemoteFlowSink {
 
   override string getSinkType() { result = sourceType }
 }
+
+/**
+ * A remote flow sink defined in a CSV model.
+ */
+private class RemoteFlowFromCSVSink extends RemoteFlowSink {
+  RemoteFlowFromCSVSink() { sinkNode(this, "remote-sink") }
+
+  override string getSinkType() { result = "remote flow sink" }
+}
diff --git a/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql b/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
@@ -16,17 +16,20 @@ import cpp
 import semmle.code.cpp.ir.dataflow.TaintTracking
 import semmle.code.cpp.models.interfaces.FlowSource
 import semmle.code.cpp.models.implementations.Memset
+import semmle.code.cpp.security.FlowSources
 import ExposedSystemData::PathGraph
 import SystemData
 
 module ExposedSystemDataConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source = any(SystemData sd).getAnExpr() }
 
   predicate isSink(DataFlow::Node sink) {
-    exists(FunctionCall fc, FunctionInput input, int arg |
-      fc.getTarget().(RemoteFlowSinkFunction).hasRemoteFlowSink(input, _) and
-      input.isParameterDeref(arg) and
-      fc.getArgument(arg).getAChild*() = sink.asIndirectExpr()
+    sink instanceof RemoteFlowSink
+    or
+    // workaround for cases where the sink contains the tainted thing as a child; this could
+    // probably be handled better with taint inheriting content or similar modelling.
+    exists(RemoteFlowSink sinkNode |
+      sinkNode.asIndirectExpr().getAChild*() = sink.asIndirectExpr()
     )
   }
 
diff --git a/cpp/ql/test/library-tests/dataflow/source-sink-tests/sources-and-sinks.cpp b/cpp/ql/test/library-tests/dataflow/source-sink-tests/sources-and-sinks.cpp
@@ -101,17 +101,17 @@ void test_zmc(void *socket) {
   zmq_msg_t msg1, msg2;
   char buffer[1024];
 
-  if (zmq_recv(socket, buffer, sizeof(buffer), 0) >= 0) { // $ MISSING: remote_source
+  if (zmq_recv(socket, buffer, sizeof(buffer), 0) >= 0) { // $ remote_source
     // ...
   }
 
   zmq_msg_init(&msg1);
-  if (zmq_msg_recv(&msg1, socket, 0) >= 0) { // $ MISSING: remote_source
+  if (zmq_msg_recv(&msg1, socket, 0) >= 0) { // $ remote_source
     // ...
   }
 
   zmq_msg_init(&msg2);
-  if (zmq_recvmsg(socket, &msg2, 0) >= 0) { // $ MISSING: remote_source
+  if (zmq_recvmsg(socket, &msg2, 0) >= 0) { // $ remote_source
     // ...
   }
 }
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected
@@ -10,6 +10,8 @@ edges
 | tests2.cpp:111:14:111:15 | *c1 [*ptr] | tests2.cpp:111:14:111:19 | *ptr | provenance |  |
 | tests2.cpp:111:14:111:15 | *c1 [*ptr] | tests2.cpp:111:17:111:19 | *ptr | provenance |  |
 | tests2.cpp:111:17:111:19 | *ptr | tests2.cpp:111:14:111:19 | *ptr | provenance |  |
+| tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:138:23:138:34 | *message_data | provenance |  |
+| tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:143:34:143:45 | *message_data | provenance |  |
 | tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:39:19:39:22 | *path | provenance |  |
 | tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:43:20:43:23 | *path | provenance |  |
 | tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:76:19:76:22 | *path | provenance |  |
@@ -36,6 +38,9 @@ nodes
 | tests2.cpp:111:14:111:15 | *c1 [*ptr] | semmle.label | *c1 [*ptr] |
 | tests2.cpp:111:14:111:19 | *ptr | semmle.label | *ptr |
 | tests2.cpp:111:17:111:19 | *ptr | semmle.label | *ptr |
+| tests2.cpp:134:17:134:22 | *call to getenv | semmle.label | *call to getenv |
+| tests2.cpp:138:23:138:34 | *message_data | semmle.label | *message_data |
+| tests2.cpp:143:34:143:45 | *message_data | semmle.label | *message_data |
 | tests_sockets.cpp:26:15:26:20 | *call to getenv | semmle.label | *call to getenv |
 | tests_sockets.cpp:39:19:39:22 | *path | semmle.label | *path |
 | tests_sockets.cpp:43:20:43:23 | *path | semmle.label | *path |
@@ -56,6 +61,8 @@ subpaths
 | tests2.cpp:93:14:93:17 | *str1 | tests2.cpp:91:42:91:45 | *str1 | tests2.cpp:93:14:93:17 | *str1 | This operation exposes system data from $@. | tests2.cpp:91:42:91:45 | *str1 | *str1 |
 | tests2.cpp:102:14:102:15 | *pw | tests2.cpp:101:8:101:15 | *call to getpwuid | tests2.cpp:102:14:102:15 | *pw | This operation exposes system data from $@. | tests2.cpp:101:8:101:15 | *call to getpwuid | *call to getpwuid |
 | tests2.cpp:111:14:111:19 | *ptr | tests2.cpp:109:12:109:17 | *call to getenv | tests2.cpp:111:14:111:19 | *ptr | This operation exposes system data from $@. | tests2.cpp:109:12:109:17 | *call to getenv | *call to getenv |
+| tests2.cpp:138:23:138:34 | *message_data | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:138:23:138:34 | *message_data | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
+| tests2.cpp:143:34:143:45 | *message_data | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:143:34:143:45 | *message_data | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
 | tests_sockets.cpp:39:19:39:22 | *path | tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:39:19:39:22 | *path | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | *call to getenv | *call to getenv |
 | tests_sockets.cpp:43:20:43:23 | *path | tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:43:20:43:23 | *path | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | *call to getenv | *call to getenv |
 | tests_sockets.cpp:76:19:76:22 | *path | tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:76:19:76:22 | *path | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | *call to getenv | *call to getenv |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests2.cpp
@@ -135,16 +135,16 @@ void test_zmq(void *remoteSocket)
 	message_len = strlen(message_data) + 1;
 
 	// send as data
-	if (zmq_send(socket, message_data, message_len, 0) >= 0) { // BAD: outputs HOME environment variable [NOT DETECTED]
+	if (zmq_send(socket, message_data, message_len, 0) >= 0) { // BAD: outputs HOME environment variable
 		// ...
 	}
 
 	// send as message
 	if (zmq_msg_init_data(&message, message_data, message_len, 0, 0)) {
-		if (zmq_sendmsg(remoteSocket, &message, message_len)) { // BAD: outputs HOME environment variable [NOT DETECTED]
+		if (zmq_sendmsg(remoteSocket, &message, message_len)) { // BAD: outputs HOME environment variable (detected above)
 			// ...
 		}
-		if (zmq_msg_send(&message, remoteSocket, message_len)) { // BAD: outputs HOME environment variable [NOT DETECTED]
+		if (zmq_msg_send(&message, remoteSocket, message_len)) { // BAD: outputs HOME environment variable (detected above)
 			// ...
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -101,17 +101,17 @@ void test_zmc(void *socket) {`
`101`	`101`	`zmq_msg_t msg1, msg2;`
`102`	`102`	`char buffer[1024];`
`103`	`103`
`104`		`- if (zmq_recv(socket, buffer, sizeof(buffer), 0) >= 0) { // $ MISSING: remote_source`
	`104`	`+ if (zmq_recv(socket, buffer, sizeof(buffer), 0) >= 0) { // $ remote_source`
`105`	`105`	`// ...`
`106`	`106`	`}`
`107`	`107`
`108`	`108`	`zmq_msg_init(&msg1);`
`109`		`- if (zmq_msg_recv(&msg1, socket, 0) >= 0) { // $ MISSING: remote_source`
	`109`	`+ if (zmq_msg_recv(&msg1, socket, 0) >= 0) { // $ remote_source`
`110`	`110`	`// ...`
`111`	`111`	`}`
`112`	`112`
`113`	`113`	`zmq_msg_init(&msg2);`
`114`		`- if (zmq_recvmsg(socket, &msg2, 0) >= 0) { // $ MISSING: remote_source`
	`114`	`+ if (zmq_recvmsg(socket, &msg2, 0) >= 0) { // $ remote_source`
`115`	`115`	`// ...`
`116`	`116`	`}`
`117`	`117`	`}`
Original file line number	Diff line number	Diff line change
`@@ -135,16 +135,16 @@ void test_zmq(void *remoteSocket)`
`135`	`135`	`message_len = strlen(message_data) + 1;`
`136`	`136`
`137`	`137`	`// send as data`
`138`		`- if (zmq_send(socket, message_data, message_len, 0) >= 0) { // BAD: outputs HOME environment variable [NOT DETECTED]`
	`138`	`+ if (zmq_send(socket, message_data, message_len, 0) >= 0) { // BAD: outputs HOME environment variable`
`139`	`139`	`// ...`
`140`	`140`	`}`
`141`	`141`
`142`	`142`	`// send as message`
`143`	`143`	`if (zmq_msg_init_data(&message, message_data, message_len, 0, 0)) {`
`144`		`- if (zmq_sendmsg(remoteSocket, &message, message_len)) { // BAD: outputs HOME environment variable [NOT DETECTED]`
	`144`	`+ if (zmq_sendmsg(remoteSocket, &message, message_len)) { // BAD: outputs HOME environment variable (detected above)`
`145`	`145`	`// ...`
`146`	`146`	`}`
`147`		`- if (zmq_msg_send(&message, remoteSocket, message_len)) { // BAD: outputs HOME environment variable [NOT DETECTED]`
	`147`	`+ if (zmq_msg_send(&message, remoteSocket, message_len)) { // BAD: outputs HOME environment variable (detected above)`
`148`	`148`	`// ...`
`149`	`149`	`}`
`150`	`150`	`}`