Add cpp packs

Author: Alvaro Muñoz

.github/workflows/build.yml

@@ -12,7 +12,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'csharp', 'go', 'java', 'python', 'ruby' ]
+        language: [ 'cpp', 'csharp', 'go', 'java', 'python', 'ruby' ]
 
     steps:
       - uses: actions/checkout@v3

.github/workflows/publish.yml

@@ -17,7 +17,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: ["csharp", "go", "java", "python", "ruby"] 
+        language: ["cpp", "csharp", "go", "java", "python", "ruby"] 
 
     steps:
       - uses: actions/checkout@v3
@@ -54,7 +54,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: ["csharp", "go", "java", "python", "ruby"] 
+        language: ["cpp", "csharp", "go", "java", "python", "ruby"] 
 
     steps:
       - uses: actions/checkout@v3

codeql-workspace.yml

@@ -1,4 +1,5 @@
 provide:
+- cpp/**/qlpack.yml
 - csharp/**/qlpack.yml
 - go/**/qlpack.yml
 - java/**/qlpack.yml

cpp/lib/applications/.gitkeep

@@ -0,0 +1,5 @@
+library: true 
+name: githubsecuritylab/codeql-cpp-libs
+version: 0.0.1
+dependencies:
+  codeql/cpp-all: '*'

cpp/lib/frameworks/.gitkeep

@@ -0,0 +1,14 @@
+/**
+ * @name External dependencies
+ * @description Count the number of dependencies that a Java project has on external packages.
+ * @kind treemap
+ * @id githubsecuritylab/external-dependencies
+ * @metricType externalDependency
+ * @tags audit
+ */
+
+import Metrics.Dependencies.ExternalDependencies
+
+from File file, int num, string encodedDependency
+where encodedDependencies(file, encodedDependency, num)
+select encodedDependency, num order by num desc

cpp/lib/github/.gitkeep

@@ -0,0 +1,13 @@
+/**
+ * @name Files
+ * @description List of all files in the repository
+ * @kind table
+ * @id githubsecuritylab/files
+ * @tags audit
+ */
+
+import cpp
+
+from File f
+where f.getExtension() = ["c", "cpp"] and not f.getRelativePath().matches("%/test/%")
+select f.getRelativePath()

cpp/lib/qlpack.yml

@@ -0,0 +1,66 @@
+/**
+ * @name Hotspots
+ * @description Interesting places to review manually
+ * @kind problem
+ * @precision low
+ * @id seclab/cpp-hotspots
+ * @tags audit
+ */
+
+import cpp
+import semmle.code.cpp.dataflow.DataFlow
+import Critical.OverflowDestination as Pb864640c // cpp/overflow-destination
+import Likely_Bugs.Conversion.CastArrayPointerArithmetic as P0f6faebc // cpp/upcast-array-pointer-arithmetic
+import Security.CWE.CWE_022.TaintedPath as Pe668a5ba // cpp/path-injection
+import Security.CWE.CWE_078.ExecTainted as P84280c45 // cpp/command-line-injection
+import Security.CWE.CWE_129.ImproperArrayIndexValidation as Pfd2dfbd5 // cpp/unclear-array-index-validation
+import Security.CWE.CWE_190.ArithmeticUncontrolled as P2c62b1f9 // cpp/uncontrolled-arithmetic
+import Security.CWE.CWE_190.TaintedAllocationSize as Pbf19fcaf // cpp/uncontrolled-allocation-size
+import Security.CWE.CWE_311.CleartextBufferWrite as P9e90c5a1 // cpp/cleartext-storage-buffer
+import Security.CWE.CWE_311.CleartextFileWrite as Pcc67a29f // cpp/cleartext-storage-file
+import Security.CWE.CWE_311.CleartextTransmission as P6be8d893 // cpp/cleartext-transmission
+import Security.CWE.CWE_313.CleartextSqliteDatabase as P7a820024 // cpp/cleartext-storage-database
+import Security.CWE.CWE_319.UseOfHttp as Pa582973e // cpp/non-https-url
+import Security.CWE.CWE_326.InsufficientKeySize as Pcd949cd0 // cpp/insufficient-key-size
+import Security.CWE.CWE_611.XXE as P7c0fe853 // cpp/external-entity-expansion
+import experimental.Security.CWE.CWE_078.WordexpTainted as Pd969e4a8 // cpp/wordexp-injection
+import experimental.Security.CWE.CWE_190.AllocMultiplicationOverflow as P5eab2d42 // cpp/multiplication-overflow-in-alloc
+import experimental.Security.CWE.CWE_193.InvalidPointerDeref as P7597eda8 // cpp/invalid-pointer-deref
+import experimental.semmle.code.cpp.security.PrivateCleartextWrite as Pe6180bae // cpp/private-cleartext-write
+
+Expr getSinkExpr(DataFlow::Node n) { result = n.asExpr() }
+
+string getPath(DataFlow::Node n) { result = n.getLocation().getFile().getRelativePath() }
+
+int getStartLine(DataFlow::Node n) { result = n.getLocation().getStartLine() }
+
+int getEndLine(DataFlow::Node n) { result = n.getLocation().getEndLine() }
+
+int getStartColumn(DataFlow::Node n) { result = n.getLocation().getStartColumn() }
+
+int getEndColumn(DataFlow::Node n) { result = n.getLocation().getEndColumn() }
+
+
+from DataFlow::Node n, string type
+where
+  P0f6faebc::CastToPointerArithFlowConfig::isSink(n, _) and type = "cpp/upcast-array-pointer-arithmetic" or
+  P2c62b1f9::UncontrolledArithConfig::isSink(n) and type = "cpp/uncontrolled-arithmetic" or
+  P5eab2d42::MultToAllocConfig::isSink(n) and type = "cpp/multiplication-overflow-in-alloc" or
+  P6be8d893::FromSensitiveConfig::isSink(n) and type = "cpp/cleartext-transmission" or
+  P7597eda8::FinalConfig::isSink(n, _) and type = "cpp/invalid-pointer-deref" or
+  P7a820024::FromSensitiveConfig::isSink(n) and type = "cpp/cleartext-storage-database" or
+  P7c0fe853::XxeConfig::isSink(n, _) and type = "cpp/external-entity-expansion" or
+  P84280c45::ExecTaintConfig::isSink(n, _) and type = "cpp/command-line-injection" or
+  P9e90c5a1::ToBufferConfig::isSink(n) and type = "cpp/cleartext-storage-buffer" or
+  Pa582973e::HttpStringToUrlOpenConfig::isSink(n) and type = "cpp/non-https-url" or
+  Pb864640c::OverflowDestinationConfig::isSink(n) and type = "cpp/overflow-destination" or
+  Pbf19fcaf::TaintedAllocationSizeConfig::isSink(n) and type = "cpp/uncontrolled-allocation-size" or
+  Pcc67a29f::FromSensitiveConfig::isSink(n) and type = "cpp/cleartext-storage-file" or
+  Pcd949cd0::KeyStrengthFlowConfig::isSink(n) and type = "cpp/insufficient-key-size" or
+  Pd969e4a8::WordexpTaintConfig::isSink(n) and type = "cpp/wordexp-injection" or
+  Pe6180bae::PrivateCleartextWrite::WriteConfig::isSink(n) and type = "cpp/private-cleartext-write" or
+  Pe668a5ba::TaintedPathConfig::isSink(n) and type = "cpp/path-injection" or
+  Pfd2dfbd5::ImproperArrayIndexValidationConfig::isSink(n) and type = "cpp/unclear-array-index-validation"
+select getSinkExpr(n),
+  type + " @ " + getPath(n).toString() + ":" + getStartLine(n).toString() + "," +
+    getEndLine(n).toString() + "," + getStartColumn(n).toString() + "," + getEndColumn(n)

cpp/src/CVEs/.gitkeep

@@ -0,0 +1,16 @@
+/**
+ * @name Attack Surface
+ * @description Application attack surface
+ * @kind table
+ * @id githubsecuritylab/attack-surface
+ * @tags audit
+ */
+
+import cpp
+import semmle.code.cpp.models.interfaces.FlowSource
+
+from RemoteFlowSourceFunction source
+where not source.getLocation().getFile().getRelativePath().matches("%/test/%")
+select source, "remote", source.getLocation().getFile().getRelativePath(),
+  source.getLocation().getStartLine(), source.getLocation().getEndLine(),
+  source.getLocation().getStartColumn(), source.getLocation().getEndColumn()

cpp/src/audit/explore/Dependencies.ql

@@ -0,0 +1,34 @@
+/**
+ * @name Backwards Partial Dataflow
+ * @description Backwards Partial Dataflow
+ * @kind table
+ * @id githubsecuritylab/backwards-partial-dataflow
+ * @tags template
+ */
+
+import cpp
+import semmle.code.cpp.ir.dataflow.TaintTracking
+import PartialFlow::PartialPathGraph
+
+private module MyConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { none() }
+
+  predicate isSink(DataFlow::Node sink) {
+    // Define the sink to run the backwards partial dataflow from. Eg:
+    // exists(Call c |
+    //   c.getTarget().hasName("sink") and
+    //   c.getAnArgument() = sink.asExpr()
+    // )
+    none()
+  }
+}
+
+private module MyFlow = TaintTracking::Global<MyConfig>; // or DataFlow::Global<..>
+
+int explorationLimit() { result = 10 }
+
+private module PartialFlow = MyFlow::FlowExploration<explorationLimit/0>;
+
+from PartialFlow::PartialPathNode n, int dist
+where PartialFlow::partialFlowRev(n, _, dist)
+select dist, n

cpp/src/audit/explore/Files.ql

@@ -0,0 +1,39 @@
+/**
+ * @name DataFlow configuration
+ * @description DataFlow TaintTracking configuration
+ * @kind path-problem
+ * @precision low
+ * @problem.severity error
+ * @id githubsecuritylab/dataflow-query
+ * @tags template
+ */
+
+import cpp
+import semmle.code.cpp.ir.dataflow.TaintTracking
+import MyFlow::PathGraph
+
+private module MyConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    // Define your source nodes here
+    // exists(Call c |
+    //   c.getTarget().hasName("source") and
+    //   c = source.asExpr()
+    // )
+    none()
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    // Define your sink nodes here
+    // exists(Call c |
+    //   c.getTarget().hasName("sink") and
+    //   c.getAnArgument() = sink.asExpr()
+    // )
+    none()
+  }
+}
+
+module MyFlow = TaintTracking::Global<MyConfig>; // or DataFlow::Global<..>
+
+from MyFlow::PathNode source, MyFlow::PathNode sink
+where MyFlow::flowPath(source, sink)
+select sink.getNode(), source, sink, "Sample TaintTracking query"

cpp/src/audit/explore/Hotspots.ql

@@ -0,0 +1,34 @@
+/**
+ * @name Forward Partial Dataflow
+ * @description Forward Partial Dataflow
+ * @kind table
+ * @id githubsecuritylab/forward-partial-dataflow
+ * @tags template
+ */
+
+import cpp
+import semmle.code.cpp.ir.dataflow.TaintTracking
+import PartialFlow::PartialPathGraph
+
+private module MyConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    // Define the source to run the forward partial dataflow from. Eg:
+    // exists(Call c |
+    //   c.getTarget().hasName("source") and
+    //   c = source.asExpr()
+    // )
+    none()
+  }
+
+  predicate isSink(DataFlow::Node sink) { none() }
+}
+
+private module MyFlow = TaintTracking::Global<MyConfig>; // or DataFlow::Global<..>
+
+int explorationLimit() { result = 10 }
+
+private module PartialFlow = MyFlow::FlowExploration<explorationLimit/0>;
+
+from PartialFlow::PartialPathNode n, int dist
+where PartialFlow::partialFlow(_, n, dist)
+select dist, n

cpp/src/audit/explore/RemoteFlowSources.ql

@@ -0,0 +1,36 @@
+/**
+ * @name Sink Hoisting to method parameter
+ * @description Hoist a sink using partial dataflow
+ * @kind table
+ * @id githubsecuritylab/sink-hoister
+ * @tags template
+ */
+
+import cpp
+import semmle.code.cpp.ir.dataflow.TaintTracking
+import PartialFlow::PartialPathGraph
+
+private module MyConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { none() }
+
+  predicate isSink(DataFlow::Node sink) {
+    // Define the sink to be hoisted here. eg:
+    // exists(Call c |
+    //   c.getTarget().hasName("sink") and
+    //   c.getAnArgument() = sink.asExpr()
+    // )
+    none()
+  }
+}
+
+private module MyFlow = TaintTracking::Global<MyConfig>; // or DataFlow::Global<..>
+
+int explorationLimit() { result = 10 }
+
+private module PartialFlow = MyFlow::FlowExploration<explorationLimit/0>;
+
+from PartialFlow::PartialPathNode n, int dist
+where
+  PartialFlow::partialFlowRev(n, _, dist) and
+  n.getNode() instanceof DataFlow::ParameterNode
+select dist, n

cpp/src/audit/templates/BackwardsPartialDataFlow.ql

@@ -0,0 +1,8 @@
+library: false
+name: githubsecuritylab/codeql-cpp-queries
+version: 0.0.1
+defaultSuiteFile: suites/cpp.qls
+dependencies:
+  codeql/cpp-all: '*'
+  codeql/cpp-queries: '*'
+  githubsecuritylab/codeql-cpp-libs: 0.0.1

cpp/src/audit/templates/DataFlowConfiguration.ql

@@ -0,0 +1,9 @@
+- description: "GitHub's Community Packs Ruby Extended Suite"
+
+- qlpack: github-queries-ruby
+
+- import: codeql-suites/ruby-security-extended.qls
+  from: codeql/ruby-queries
+- exclude:
+    id:
+      - rb/hardcoded-credentials

cpp/src/audit/templates/ForwardPartialDataflow.ql

@@ -0,0 +1,9 @@
+name: githubsecurtylab/codeql-cpp-tests
+groups: [cpp, test]
+dependencies:
+    codeql/cpp-all: '*'
+    codeql/cpp-queries: '*'
+    githubsecuritylab/codeql-cpp-queries: '*'
+    githubsecuritylab/codeql-cpp-libs: '*'
+extractor: cpp
+tests: .