C++: Add a 'call' column to 'hasRemoteFlowSource' and 'hasLocalFlowSource' to support modeling of 'scanf_s'.

Author: MathiasVP

cpp/ql/lib/semmle/code/cpp/models/implementations/Scanf.qll

@@ -73,19 +73,27 @@ abstract private class ScanfFunctionModel extends ArrayFunction, TaintFunction,
  * The standard function `scanf` and its assorted variants
  */
 private class ScanfModel extends ScanfFunctionModel, LocalFlowSourceFunction instanceof Scanf {
-  override predicate hasLocalFlowSource(FunctionOutput output, string description) {
-    output.isParameterDeref(any(int i | i >= this.getArgsStartPosition())) and
-    description = "value read by " + this.getName()
+  override predicate hasLocalFlowSource(Call call, FunctionOutput output, string description) {
+    exists(ScanfFunctionCall scanfCall, int n | call = scanfCall |
+      scanfCall.getScanfFunction() = this and
+      exists(scanfCall.getOutputArgument(n)) and
+      output.isParameterDeref(this.getNumberOfParameters() + n) and
+      description = "value read by " + this.getName()
+    )
   }
 }
 
 /**
  * The standard function `fscanf` and its assorted variants
  */
 private class FscanfModel extends ScanfFunctionModel, RemoteFlowSourceFunction instanceof Fscanf {
-  override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
-    output.isParameterDeref(any(int i | i >= this.getArgsStartPosition())) and
-    description = "value read by " + this.getName()
+  override predicate hasRemoteFlowSource(Call call, FunctionOutput output, string description) {
+    exists(ScanfFunctionCall scanfCall, int n | call = scanfCall |
+      scanfCall.getScanfFunction() = this and
+      exists(scanfCall.getOutputArgument(n)) and
+      output.isParameterDeref(this.getNumberOfParameters() + n) and
+      description = "value read by " + this.getName()
+    )
   }
 
   override predicate hasSocketInput(FunctionInput input) {

cpp/ql/lib/semmle/code/cpp/models/interfaces/FlowSource.qll

@@ -18,7 +18,14 @@ abstract class RemoteFlowSourceFunction extends Function {
   /**
    * Holds if remote data described by `description` flows from `output` of a call to this function.
    */
-  abstract predicate hasRemoteFlowSource(FunctionOutput output, string description);
+  predicate hasRemoteFlowSource(FunctionOutput output, string description) {
+    this.hasRemoteFlowSource(_, output, description)
+  }
+
+  predicate hasRemoteFlowSource(Call call, FunctionOutput output, string description) {
+    call.getTarget() = this and
+    this.hasRemoteFlowSource(output, description)
+  }
 
   /**
    * Holds if remote data from this source comes from a socket or stream
@@ -35,7 +42,14 @@ abstract class LocalFlowSourceFunction extends Function {
   /**
    * Holds if data described by `description` flows from `output` of a call to this function.
    */
-  abstract predicate hasLocalFlowSource(FunctionOutput output, string description);
+  predicate hasLocalFlowSource(FunctionOutput output, string description) {
+    this.hasLocalFlowSource(_, output, description)
+  }
+
+  predicate hasLocalFlowSource(Call call, FunctionOutput output, string description) {
+    call.getTarget() = this and
+    this.hasLocalFlowSource(output, description)
+  }
 }
 
 /** A library function that sends data over a network connection. */

cpp/ql/lib/semmle/code/cpp/security/FlowSources.qll

@@ -28,8 +28,7 @@ private class RemoteModelSource extends RemoteFlowSource {
 
   RemoteModelSource() {
     exists(CallInstruction call, RemoteFlowSourceFunction func, FunctionOutput output |
-      call.getStaticCallTarget() = func and
-      func.hasRemoteFlowSource(output, sourceType) and
+      func.hasRemoteFlowSource(call.getConvertedResultExpression(), output, sourceType) and
       this = callOutput(call, output)
     )
   }
@@ -46,7 +45,7 @@ private class LocalModelSource extends LocalFlowSource {
   LocalModelSource() {
     exists(CallInstruction call, LocalFlowSourceFunction func, FunctionOutput output |
       call.getStaticCallTarget() = func and
-      func.hasLocalFlowSource(output, sourceType) and
+      func.hasLocalFlowSource(call.getConvertedResultExpression(), output, sourceType) and
       this = callOutput(call, output)
     )
   }

cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll

@@ -44,10 +44,7 @@ class ExternalApiDataNode extends DataFlow::Node {
 /** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
 private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
-    exists(RemoteFlowSourceFunction remoteFlow |
-      remoteFlow = source.asExpr().(Call).getTarget() and
-      remoteFlow.hasRemoteFlowSource(_, _)
-    )
+    any(RemoteFlowSourceFunction remoteFlow).hasRemoteFlowSource(source.asExpr(), _, _)
   }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }

cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql

@@ -94,9 +94,8 @@ class Recv extends SendRecv instanceof RemoteFlowSourceFunction {
   }
 
   override Expr getDataExpr(Call call) {
-    call.getTarget() = this and
     exists(FunctionOutput output, int arg |
-      super.hasRemoteFlowSource(output, _) and
+      super.hasRemoteFlowSource(call, output, _) and
       output.isParameterDeref(arg) and
       result = call.getArgument(arg)
     )