hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into atorralba/promote-unsafe-android-webview-fetch

Browse Source
This commit is contained in:
Tony Torralba
2021-06-17 14:54:25 +02:00
parent 8553ca1019 64001cc02c
commit 0c71393171
1571 changed files with 59898 additions and 14658 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.codeqlmanifest.json
View File

@@ -1,5 +1,6 @@
{ "provide": [ "*/ql/src/qlpack.yml",
"*/ql/test/qlpack.yml",
"cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml",
"*/ql/examples/qlpack.yml",
"*/upgrades/qlpack.yml",
"misc/legacy-support/*/qlpack.yml",

4
.github/workflows/check-change-note.yml vendored
View File

@@ -19,5 +19,5 @@ jobs:
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate |
jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' --exit-status
gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' |
grep true -c

42
.github/workflows/csv-coverage-timeseries.yml vendored Normal file
View File

@@ -0,0 +1,42 @@
name: Build framework coverage timeseries reports
on:
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Clone self (github/codeql)
uses: actions/checkout@v2
with:
path: script
- name: Clone self (github/codeql) for analysis
uses: actions/checkout@v2
with:
path: codeqlModels
fetch-depth: 0
- name: Set up Python 3.8
uses: actions/setup-python@v2
with:
python-version: 3.8
- name: Download CodeQL CLI
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
- name: Unzip CodeQL CLI
run: unzip -d codeql-cli codeql-linux64.zip
- name: Build modeled package list
run: |
CLI=$(realpath "codeql-cli/codeql")
echo $CLI
PATH="$PATH:$CLI" python script/misc/scripts/library-coverage/generate-timeseries.py codeqlModels
- name: Upload timeseries CSV
uses: actions/upload-artifact@v2
with:
name: framework-coverage-timeseries
path: framework-coverage-timeseries-*.csv

49
.github/workflows/csv-coverage.yml vendored Normal file
View File

@@ -0,0 +1,49 @@
name: Build framework coverage reports
on:
workflow_dispatch:
inputs:
qlModelShaOverride:
description: 'github/codeql repo SHA used for looking up the CSV models'
required: false
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Clone self (github/codeql)
uses: actions/checkout@v2
with:
path: script
- name: Clone self (github/codeql) for analysis
uses: actions/checkout@v2
with:
path: codeqlModels
ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}
- name: Set up Python 3.8
uses: actions/setup-python@v2
with:
python-version: 3.8
- name: Download CodeQL CLI
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
- name: Unzip CodeQL CLI
run: unzip -d codeql-cli codeql-linux64.zip
- name: Build modeled package list
run: |
PATH="$PATH:codeql-cli/codeql" python script/misc/scripts/library-coverage/generate-report.py ci codeqlModels script
- name: Upload CSV package list
uses: actions/upload-artifact@v2
with:
name: framework-coverage-csv
path: framework-coverage-*.csv
- name: Upload RST package list
uses: actions/upload-artifact@v2
with:
name: framework-coverage-rst
path: framework-coverage-*.rst

10
config/identical-files.json
View File

@@ -250,6 +250,10 @@
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll",
"csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll"
],
"SSA PrintAliasAnalysis": [
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintAliasAnalysis.qll",
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintAliasAnalysis.qll"
],
"C++ SSA AliasAnalysisImports": [
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysisImports.qll",
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysisImports.qll"
@@ -439,6 +443,10 @@
],
"CryptoAlgorithms Python/JS": [
"javascript/ql/src/semmle/javascript/security/CryptoAlgorithms.qll",
"python/ql/src/semmle/crypto/Crypto.qll"
"python/ql/src/semmle/python/concepts/CryptoAlgorithms.qll"
],
"SensitiveDataHeuristics Python/JS": [
"javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll",
"python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll"
]
}

2
cpp/change-notes/2021-03-11-overflow-abs.md Normal file
View File

@@ -0,0 +1,2 @@
lgtm
* The `cpp/tainted-arithmetic`, `cpp/arithmetic-with-extreme-values`, and `cpp/uncontrolled-arithmetic` queries now recognize more functions as returning the absolute value of their input. As a result, they produce fewer false positives.

2
cpp/change-notes/2021-04-09-unsigned-difference-expression-compared-zero.md Normal file
View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* The 'Unsigned difference expression compared to zero' (cpp/unsigned-difference-expression-compared-zero) query has been improved to produce fewer false positive results.

0
cpp/change-notes/2021-26-04-more-sound-expr-might-overflow.md → cpp/change-notes/2021-04-26-more-sound-expr-might-overflow.md
View File

2
cpp/change-notes/2021-05-10-comparison-with-wider-type.md Normal file
View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* The 'Comparison with wider type' (cpp/comparison-with-wider-type) query has been improved to produce fewer false positives.

2
cpp/change-notes/2021-05-12-uncontrolled-arithmetic.md Normal file
View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* The query "Uncontrolled arithmetic" (`cpp/uncontrolled-arithmetic`) has been improved to produce fewer false positives.

2
cpp/change-notes/2021-05-14-uncontrolled-allocation-size.md Normal file
View File

@@ -0,0 +1,2 @@
lgtm
* The "Tainted allocation size" query (cpp/uncontrolled-allocation-size) has been improved to produce fewer false positives.

2
cpp/change-notes/2021-05-18-static-buffer-overflow.md Normal file
View File

@@ -0,0 +1,2 @@
lgtm
* The "Static buffer overflow" query (cpp/static-buffer-overflow) has been improved to produce fewer false positives.

2
cpp/change-notes/2021-05-19-weak-cryptographic-algorithm.md Normal file
View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* The "Use of a broken or risky cryptographic algorithm" (`cpp/weak-cryptographic-algorithm`) query has been enhanced to reduce false positive results, and (rarely) find more true positive results.

2
cpp/change-notes/2021-05-20-incorrect-allocation-error-handling.md Normal file
View File

@@ -0,0 +1,2 @@
lgtm
* A new query (`cpp/incorrect-allocation-error-handling`) has been added. The query finds incorrect error-handling of calls to `operator new`. This query was originally [submitted as an experimental query by @ihsinme](https://github.com/github/codeql/pull/5010).

2
cpp/change-notes/2021-05-20-ref-qualifiers.md Normal file
View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* lvalue/rvalue ref qualifiers are now accessible via the new predicates on `MemberFunction`(`.isLValueRefQualified`, `.isRValueRefQualified`, and `isRefQualified`).

2
cpp/change-notes/2021-05-21-unsafe-strncat.md Normal file
View File

@@ -0,0 +1,2 @@
lgtm
* The "Potentially unsafe call to strncat" query (cpp/unsafe-strncat) query has been improved to detect more cases of unsafe calls to `strncat`.

4
cpp/change-notes/2021-06-10-std-types.md Normal file
View File

@@ -0,0 +1,4 @@
lgtm,codescanning
* Added definitions for types found in `cstdint`. Added types `FixedWidthIntegralType`, `MinimumWidthIntegralType`, `FastestMinimumWidthIntegralType`, and `MaximumWidthIntegralType` to describe types such as `int8_t`, `int_least8_t`, `int_fast8_t`, and `intmax_t` respectively.
* Changed definition of `Intmax_t` and `Uintmax_t` to be part of the new type structure.
* Added a type `FixedWidthEnumType` which describes enums based on a fixed-width integer type. For instance, `enum e: uint8_t = { a, b };`.

1
cpp/ql/src/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql
View File

@@ -5,6 +5,7 @@
* @kind problem
* @id cpp/offset-use-before-range-check
* @problem.severity warning
* @security-severity 5.9
* @precision medium
* @tags reliability
* security

1
cpp/ql/src/Critical/DescriptorMayNotBeClosed.ql
View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/descriptor-may-not-be-closed
* @problem.severity warning
* @security-severity 5.9
* @tags efficiency
* security
* external/cwe/cwe-775

1
cpp/ql/src/Critical/DescriptorNeverClosed.ql
View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/descriptor-never-closed
* @problem.severity warning
* @security-severity 5.9
* @tags efficiency
* security
* external/cwe/cwe-775

1
cpp/ql/src/Critical/FileMayNotBeClosed.ql
View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/file-may-not-be-closed
* @problem.severity warning
* @security-severity 5.9
* @tags efficiency
* security
* external/cwe/cwe-775

1
cpp/ql/src/Critical/FileNeverClosed.ql
View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/file-never-closed
* @problem.severity warning
* @security-severity 5.9
* @tags efficiency
* security
* external/cwe/cwe-775

1
cpp/ql/src/Critical/GlobalUseBeforeInit.ql
View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/global-use-before-init
* @problem.severity warning
* @security-severity 6.9
* @tags reliability
* security
* external/cwe/cwe-457

1
cpp/ql/src/Critical/InconsistentNullnessTesting.ql
View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/inconsistent-nullness-testing
* @problem.severity warning
* @security-severity 3.6
* @tags reliability
* security
* external/cwe/cwe-476

1
cpp/ql/src/Critical/InitialisationNotRun.ql
View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/initialization-not-run
* @problem.severity warning
* @security-severity 6.4
* @tags reliability
* security
* external/cwe/cwe-456

1
cpp/ql/src/Critical/LateNegativeTest.ql
View File

@@ -6,6 +6,7 @@
* @kind problem
* @id cpp/late-negative-test
* @problem.severity warning
* @security-severity 10.0
* @tags reliability
* security
* external/cwe/cwe-823

1
cpp/ql/src/Critical/MemoryMayNotBeFreed.ql
View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/memory-may-not-be-freed
* @problem.severity warning
* @security-severity 3.6
* @tags efficiency
* security
* external/cwe/cwe-401

1
cpp/ql/src/Critical/MemoryNeverFreed.ql
View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/memory-never-freed
* @problem.severity warning
* @security-severity 3.6
* @tags efficiency
* security
* external/cwe/cwe-401

1
cpp/ql/src/Critical/MissingNegativityTest.ql
View File

@@ -5,6 +5,7 @@
* @kind problem
* @id cpp/missing-negativity-test
* @problem.severity warning
* @security-severity 10.0
* @tags reliability
* security
* external/cwe/cwe-823

1
cpp/ql/src/Critical/MissingNullTest.ql
View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/missing-null-test
* @problem.severity recommendation
* @security-severity 3.6
* @tags reliability
* security
* external/cwe/cwe-476

1
cpp/ql/src/Critical/NewFreeMismatch.ql
View File

@@ -3,6 +3,7 @@
* @description An object that was allocated with 'malloc' or 'new' is being freed using a mismatching 'free' or 'delete'.
* @kind problem
* @problem.severity warning
* @security-severity 3.6
* @precision high
* @id cpp/new-free-mismatch
* @tags reliability

1
cpp/ql/src/Critical/OverflowCalculated.ql
View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/overflow-calculated
* @problem.severity warning
* @security-severity 5.9
* @tags reliability
* security
* external/cwe/cwe-131

1
cpp/ql/src/Critical/OverflowDestination.ql
View File

@@ -5,6 +5,7 @@
* @kind problem
* @id cpp/overflow-destination
* @problem.severity warning
* @security-severity 10.0
* @precision low
* @tags reliability
* security

19
cpp/ql/src/Critical/OverflowStatic.ql
View File

@@ -4,6 +4,7 @@
* may result in a buffer overflow.
* @kind problem
* @problem.severity warning
* @security-severity 10.0
* @precision medium
* @id cpp/static-buffer-overflow
* @tags reliability
@@ -14,6 +15,7 @@
import cpp
import semmle.code.cpp.commons.Buffer
import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
import LoopBounds
private predicate staticBufferBase(VariableAccess access, Variable v) {
@@ -51,6 +53,8 @@ predicate overflowOffsetInLoop(BufferAccess bufaccess, string msg) {
loop.getStmt().getAChild*() = bufaccess.getEnclosingStmt() and
loop.limit() >= bufaccess.bufferSize() and
loop.counter().getAnAccess() = bufaccess.getArrayOffset() and
// Ensure that we don't have an upper bound on the array index that's less than the buffer size.
not upperBound(bufaccess.getArrayOffset().getFullyConverted()) < bufaccess.bufferSize() and
msg =
"Potential buffer-overflow: counter '" + loop.counter().toString() + "' <= " +
loop.limit().toString() + " but '" + bufaccess.buffer().getName() + "' has " +
@@ -94,17 +98,22 @@ class CallWithBufferSize extends FunctionCall {
}
int statedSizeValue() {
exists(Expr statedSizeSrc |
DataFlow::localExprFlow(statedSizeSrc, statedSizeExpr()) and
result = statedSizeSrc.getValue().toInt()
)
// `upperBound(e)` defaults to `exprMaxVal(e)` when `e` isn't analyzable. So to get a meaningful
// result in this case we pick the minimum value obtainable from dataflow and range analysis.
result =
upperBound(statedSizeExpr())
.minimum(min(Expr statedSizeSrc |
DataFlow::localExprFlow(statedSizeSrc, statedSizeExpr())
|
statedSizeSrc.getValue().toInt()
))
}
}
predicate wrongBufferSize(Expr error, string msg) {
exists(CallWithBufferSize call, int bufsize, Variable buf, int statedSize |
staticBuffer(call.buffer(), buf, bufsize) and
statedSize = min(call.statedSizeValue()) and
statedSize = call.statedSizeValue() and
statedSize > bufsize and
error = call.statedSizeExpr() and
msg =

1
cpp/ql/src/Critical/ReturnStackAllocatedObject.ql
View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/return-stack-allocated-object
* @problem.severity warning
* @security-severity 2.9
* @tags reliability
* security
* external/cwe/cwe-562

2
cpp/ql/src/Critical/ReturnValueIgnored.qhelp
View File

@@ -7,7 +7,7 @@
<overview>
<p>
This rule finds calls to a function that ignore the return value. A function call is only marked
as a violation if at least 80% of the total calls to that function check the return value. Not
as a violation if at least 90% of the total calls to that function check the return value. Not
checking a return value is a common source of defects from standard library functions like <code>malloc</code> or <code>fread</code>.
These functions return the status information and the return values should always be checked
to see if the operation succeeded before operating on any data modified or resources allocated by these functions.

2
cpp/ql/src/Critical/ReturnValueIgnored.ql
View File

@@ -1,6 +1,6 @@
/**
* @name Return value of a function is ignored
* @description A call to a function ignores its return value, but more than 80% of the total number of calls to the function check the return value. Check the return value of functions consistently, especially for functions like 'fread' or the 'scanf' functions that return the status of the operation.
* @description A call to a function ignores its return value, but at least 90% of the total number of calls to the function check the return value. Check the return value of functions consistently, especially for functions like 'fread' or the 'scanf' functions that return the status of the operation.
* @kind problem
* @id cpp/return-value-ignored
* @problem.severity recommendation

1
cpp/ql/src/Critical/SizeCheck.ql
View File

@@ -4,6 +4,7 @@
* an instance of the type of the pointer may result in a buffer overflow
* @kind problem
* @problem.severity warning
* @security-severity 6.4
* @precision medium
* @id cpp/allocation-too-small
* @tags reliability

1
cpp/ql/src/Critical/SizeCheck2.ql
View File

@@ -4,6 +4,7 @@
* multiple instances of the type of the pointer may result in a buffer overflow
* @kind problem
* @problem.severity warning
* @security-severity 6.4
* @precision medium
* @id cpp/suspicious-allocation-size
* @tags reliability

1
cpp/ql/src/Critical/UseAfterFree.ql
View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/use-after-free
* @problem.severity warning
* @security-severity 5.9
* @tags reliability
* security
* external/cwe/cwe-416

1
cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
View File

@@ -6,6 +6,7 @@
* to a larger type.
* @kind problem
* @problem.severity error
* @security-severity 5.9
* @precision very-high
* @id cpp/bad-addition-overflow-check
* @tags reliability

1
cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
View File

@@ -4,6 +4,7 @@
* be a sign that the result can overflow the type converted from.
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @precision high
* @id cpp/integer-multiplication-cast-to-long
* @tags reliability

1
cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
View File

@@ -5,6 +5,7 @@
* unsigned integer values.
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @precision high
* @id cpp/signed-overflow-check
* @tags correctness

1
cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
View File

@@ -6,6 +6,7 @@
* use the width of the base type, leading to misaligned reads.
* @kind path-problem
* @problem.severity warning
* @security-severity 10.0
* @precision high
* @id cpp/upcast-array-pointer-arithmetic
* @tags correctness

1
cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql
View File

@@ -6,6 +6,7 @@
* from an untrusted source, this can be used for exploits.
* @kind problem
* @problem.severity recommendation
* @security-severity 6.9
* @precision high
* @id cpp/non-constant-format
* @tags maintainability

1
cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
View File

@@ -3,6 +3,7 @@
* @description Using the return value from snprintf without proper checks can cause overflow.
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @precision high
* @id cpp/overflowing-snprintf
* @tags reliability

1
cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
View File

@@ -4,6 +4,7 @@
* a source of security issues.
* @kind problem
* @problem.severity error
* @security-severity 2.9
* @precision high
* @id cpp/wrong-number-format-arguments
* @tags reliability

1
cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
View File

@@ -4,6 +4,7 @@
* behavior.
* @kind problem
* @problem.severity error
* @security-severity 6.4
* @precision high
* @id cpp/wrong-type-format-argument
* @tags reliability

1
cpp/ql/src/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage.ql
View File

@@ -6,6 +6,7 @@
* @kind problem
* @id cpp/incorrect-not-operator-usage
* @problem.severity warning
* @security-severity 3.6
* @precision medium
* @tags security
* external/cwe/cwe-480

1
cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql
View File

@@ -3,6 +3,7 @@
* @description Using alloca in a loop can lead to a stack overflow
* @kind problem
* @problem.severity warning
* @security-severity 3.6
* @precision high
* @id cpp/alloca-in-loop
* @tags reliability

1
cpp/ql/src/Likely Bugs/Memory Management/ImproperNullTermination.ql
View File

@@ -5,6 +5,7 @@
* @kind problem
* @id cpp/improper-null-termination
* @problem.severity warning
* @security-severity 5.9
* @tags security
* external/cwe/cwe-170
* external/cwe/cwe-665

1
cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
View File

@@ -4,6 +4,7 @@
* on undefined behavior and may lead to memory corruption.
* @kind problem
* @problem.severity error
* @security-severity 2.9
* @precision high
* @id cpp/pointer-overflow-check
* @tags reliability

1
cpp/ql/src/Likely Bugs/Memory Management/PotentialBufferOverflow.ql
View File

@@ -6,6 +6,7 @@
* @kind problem
* @id cpp/potential-buffer-overflow
* @problem.severity warning
* @security-severity 10.0
* @tags reliability
* security
* external/cwe/cwe-676

1
cpp/ql/src/Likely Bugs/Memory Management/StrncpyFlippedArgs.ql
View File

@@ -4,6 +4,7 @@
* as the third argument may result in a buffer overflow.
* @kind problem
* @problem.severity warning
* @security-severity 10.0
* @precision medium
* @id cpp/bad-strncpy-size
* @tags reliability

1
cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToMemset.ql
View File

@@ -7,6 +7,7 @@
* @kind problem
* @id cpp/suspicious-call-to-memset
* @problem.severity recommendation
* @security-severity 10.0
* @precision medium
* @tags reliability
* correctness

4
cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.cpp
View File

@@ -2,3 +2,7 @@ strncat(dest, src, strlen(dest)); //wrong: should use remaining size of dest
strncat(dest, src, sizeof(dest)); //wrong: should use remaining size of dest.
//Also fails if dest is a pointer and not an array.
strncat(dest, source, sizeof(dest) - strlen(dest)); // wrong: writes a zero byte past the `dest` buffer.
strncat(dest, source, sizeof(dest) - strlen(dest) - 1); // correct: reserves space for the zero byte.

16
cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.qhelp
View File

@@ -4,7 +4,17 @@
<qhelp>
<overview>
<p>The standard library function <code>strncat</code> appends a source string to a target string.
The third argument defines the maximum number of characters to append and should be less than or equal to the remaining space in the destination buffer. Calls of the form <code>strncat(dest, src, strlen(dest))</code> or <code>strncat(dest, src, sizeof(dest))</code> set the third argument to the entire size of the destination buffer. Executing a call of this type may cause a buffer overflow unless the buffer is known to be empty. Buffer overflows can lead to anything from a segmentation fault to a security vulnerability.</p>
The third argument defines the maximum number of characters to append and should be less than or equal
to the remaining space in the destination buffer.</p>
<p>Calls of the form <code>strncat(dest, src, strlen(dest))</code> or <code>strncat(dest, src, sizeof(dest))</code> set
the third argument to the entire size of the destination buffer.
Executing a call of this type may cause a buffer overflow unless the buffer is known to be empty.</p>
<p>Similarly, calls of the form <code>strncat(dest, src, sizeof (dest) - strlen (dest))</code> allow one
byte to be written ouside the <code>dest</code> buffer.</p>
<p>Buffer overflows can lead to anything from a segmentation fault to a security vulnerability.</p>
</overview>
<recommendation>
@@ -25,6 +35,10 @@ The third argument defines the maximum number of characters to append and should
<li>
M. Donaldson, <em>Inside the Buffer Overflow Attack: Mechanism, Method &amp; Prevention</em>. SANS Institute InfoSec Reading Room, 2002.
</li>
<li>
CERT C Coding Standard:
<a href="https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator">STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator</a>.
</li>
</references>

59
cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql
View File

@@ -1,14 +1,15 @@
/**
* @name Potentially unsafe call to strncat
* @description Calling 'strncat' with the size of the destination buffer
* as the third argument may result in a buffer overflow.
* @description Calling 'strncat' with an incorrect size argument may result in a buffer overflow.
* @kind problem
* @problem.severity warning
* @security-severity 10.0
* @precision medium
* @id cpp/unsafe-strncat
* @tags reliability
* correctness
* security
* external/cwe/cwe-788
* external/cwe/cwe-676
* external/cwe/cwe-119
* external/cwe/cwe-251
@@ -16,11 +17,53 @@
import cpp
import Buffer
import semmle.code.cpp.models.implementations.Strcat
import semmle.code.cpp.valuenumbering.GlobalValueNumbering
from FunctionCall fc, VariableAccess va1, VariableAccess va2
where
fc.getTarget().(Function).hasName("strncat") and
va1 = fc.getArgument(0) and
va2 = fc.getArgument(2).(BufferSizeExpr).getArg() and
va1.getTarget() = va2.getTarget()
/**
* Holds if `call` is a call to `strncat` such that `sizeArg` and `destArg` are the size and
* destination arguments, respectively.
*/
predicate interestringCallWithArgs(Call call, Expr sizeArg, Expr destArg) {
exists(StrcatFunction strcat |
strcat = call.getTarget() and
sizeArg = call.getArgument(strcat.getParamSize()) and
destArg = call.getArgument(strcat.getParamDest())
)
}
/**
* Holds if `fc` is a call to `strncat` with size argument `sizeArg` and destination
* argument `destArg`, and `destArg` is the size of the buffer pointed to by `destArg`.
*/
predicate case1(FunctionCall fc, Expr sizeArg, VariableAccess destArg) {
interestringCallWithArgs(fc, sizeArg, destArg) and
exists(VariableAccess va |
va = sizeArg.(BufferSizeExpr).getArg() and
destArg.getTarget() = va.getTarget()
)
}
/**
* Holds if `fc` is a call to `strncat` with size argument `sizeArg` and destination
* argument `destArg`, and `sizeArg` computes the value `sizeof (dest) - strlen (dest)`.
*/
predicate case2(FunctionCall fc, Expr sizeArg, VariableAccess destArg) {
interestringCallWithArgs(fc, sizeArg, destArg) and
exists(SubExpr sub, int n |
// The destination buffer is an array of size n
destArg.getUnspecifiedType().(ArrayType).getSize() = n and
// The size argument is equivalent to a subtraction
globalValueNumber(sizeArg).getAnExpr() = sub and
// ... where the left side of the subtraction is the constant n
globalValueNumber(sub.getLeftOperand()).getAnExpr().getValue().toInt() = n and
// ... and the right side of the subtraction is a call to `strlen` where the argument is the
// destination buffer.
globalValueNumber(sub.getRightOperand()).getAnExpr().(StrlenCall).getStringExpr() =
globalValueNumber(destArg).getAnExpr()
)
}
from FunctionCall fc, Expr sizeArg, Expr destArg
where case1(fc, sizeArg, destArg) or case2(fc, sizeArg, destArg)
select fc, "Potentially unsafe call to strncat."

1
cpp/ql/src/Likely Bugs/Memory Management/SuspiciousSizeof.ql
View File

@@ -5,6 +5,7 @@
* the machine pointer size.
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @precision medium
* @id cpp/suspicious-sizeof
* @tags reliability

1
cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql
View File

@@ -5,6 +5,7 @@
* @kind problem
* @id cpp/uninitialized-local
* @problem.severity warning
* @security-severity 5.9
* @precision medium
* @tags security
* external/cwe/cwe-665

1
cpp/ql/src/Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql
View File

@@ -4,6 +4,7 @@
* may result in a buffer overflow
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @precision medium
* @id cpp/unsafe-strcat
* @tags reliability

1
cpp/ql/src/Likely Bugs/OO/SelfAssignmentCheck.ql
View File

@@ -6,6 +6,7 @@
* @kind problem
* @id cpp/self-assignment-check
* @problem.severity warning
* @security-severity 5.9
* @tags reliability
* security
* external/cwe/cwe-826

1
cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql
View File

@@ -6,6 +6,7 @@
* @kind path-problem
* @id cpp/unsafe-use-of-this
* @problem.severity error
* @security-severity 3.6
* @precision very-high
* @tags correctness
* language-features

1
cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql
View File

@@ -7,6 +7,7 @@
* undefined data.
* @kind problem
* @problem.severity error
* @security-severity 2.9
* @precision very-high
* @id cpp/too-few-arguments
* @tags correctness

1
cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
View File

@@ -5,6 +5,7 @@
* @kind problem
* @id cpp/memset-may-be-deleted
* @problem.severity warning
* @security-severity 6.4
* @precision high
* @tags security
* external/cwe/cwe-14

1
cpp/ql/src/Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql
View File

@@ -5,6 +5,7 @@
* @kind path-problem
* @precision low
* @problem.severity error
* @security-severity 5.9
* @tags security external/cwe/cwe-20
*/

1
cpp/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
View File

@@ -5,6 +5,7 @@
* @kind path-problem
* @precision low
* @problem.severity error
* @security-severity 5.9
* @tags security external/cwe/cwe-20
*/

1
cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
View File

@@ -4,6 +4,7 @@
* attacker to access unexpected resources.
* @kind path-problem
* @problem.severity warning
* @security-severity 6.4
* @precision medium
* @id cpp/path-injection
* @tags security

1
cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
View File

@@ -5,6 +5,7 @@
* to command injection.
* @kind problem
* @problem.severity error
* @security-severity 5.9
* @precision low
* @id cpp/command-line-injection
* @tags security

1
cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
View File

@@ -4,6 +4,7 @@
* allows for a cross-site scripting vulnerability.
* @kind path-problem
* @problem.severity error
* @security-severity 2.9
* @precision high
* @id cpp/cgi-xss
* @tags security

1
cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
View File

@@ -5,6 +5,7 @@
* to SQL Injection.
* @kind path-problem
* @problem.severity error
* @security-severity 6.4
* @precision high
* @id cpp/sql-injection
* @tags security

1
cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
View File

@@ -5,6 +5,7 @@
* commands.
* @kind path-problem
* @problem.severity warning
* @security-severity 6.0
* @precision medium
* @id cpp/uncontrolled-process-operation
* @tags security

1
cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql
View File

@@ -6,6 +6,7 @@
* @kind problem
* @id cpp/overflow-buffer
* @problem.severity recommendation
* @security-severity 10.0
* @tags security
* external/cwe/cwe-119
* external/cwe/cwe-121

1
cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
View File

@@ -5,6 +5,7 @@
* overflow.
* @kind problem
* @problem.severity error
* @security-severity 5.9
* @precision high
* @id cpp/badly-bounded-write
* @tags reliability

1
cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql
View File

@@ -4,6 +4,7 @@
* of data written may overflow.
* @kind problem
* @problem.severity error
* @security-severity 5.9
* @precision medium
* @id cpp/overrunning-write
* @tags reliability

1
cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql
View File

@@ -5,6 +5,7 @@
* take extreme values.
* @kind problem
* @problem.severity error
* @security-severity 5.9
* @precision medium
* @id cpp/overrunning-write-with-float
* @tags reliability

1
cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
View File

@@ -4,6 +4,7 @@
* of data written may overflow.
* @kind path-problem
* @problem.severity error
* @security-severity 5.9
* @precision medium
* @id cpp/unbounded-write
* @tags reliability

1
cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
View File

@@ -5,6 +5,7 @@
* a specific value to terminate the argument list.
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @precision medium
* @id cpp/unterminated-variadic-call
* @tags reliability

1
cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
View File

@@ -6,6 +6,7 @@
* @kind problem
* @id cpp/unclear-array-index-validation
* @problem.severity warning
* @security-severity 5.9
* @tags security
* external/cwe/cwe-129
*/

1
cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
View File

@@ -5,6 +5,7 @@
* terminator can cause a buffer overrun.
* @kind problem
* @problem.severity error
* @security-severity 5.9
* @precision high
* @id cpp/no-space-for-terminator
* @tags reliability

1
cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
View File

@@ -5,6 +5,7 @@
* or data representation problems.
* @kind path-problem
* @problem.severity warning
* @security-severity 6.9
* @precision high
* @id cpp/tainted-format-string
* @tags reliability

1
cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.ql
View File

@@ -5,6 +5,7 @@
* or data representation problems.
* @kind path-problem
* @problem.severity warning
* @security-severity 6.9
* @precision high
* @id cpp/tainted-format-string-through-global
* @tags reliability

1
cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql
View File

@@ -5,6 +5,7 @@
* @kind problem
* @id cpp/user-controlled-null-termination-tainted
* @problem.severity warning
* @security-severity 10.0
* @tags security
* external/cwe/cwe-170
*/

1
cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
View File

@@ -4,6 +4,7 @@
* not validated can cause overflows.
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @precision low
* @id cpp/tainted-arithmetic
* @tags security

120
cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
View File

@@ -4,6 +4,7 @@
* validated can cause overflows.
* @kind path-problem
* @problem.severity warning
* @security-severity 5.9
* @precision medium
* @id cpp/uncontrolled-arithmetic
* @tags security
@@ -15,34 +16,107 @@ import cpp
import semmle.code.cpp.security.Overflow
import semmle.code.cpp.security.Security
import semmle.code.cpp.security.TaintTracking
import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
import TaintedWithPath
predicate isRandCall(FunctionCall fc) { fc.getTarget().getName() = "rand" }
predicate isRandCallOrParent(Expr e) {
isRandCall(e) or
isRandCallOrParent(e.getAChild())
predicate isUnboundedRandCall(FunctionCall fc) {
exists(Function func | func = fc.getTarget() |
func.hasGlobalOrStdOrBslName("rand") and
not bounded(fc) and
func.getNumberOfParameters() = 0
)
}
predicate isRandValue(Expr e) {
isRandCall(e)
/**
* An operand `e` of a division expression (i.e., `e` is an operand of either a `DivExpr` or
* a `AssignDivExpr`) is bounded when `e` is the left-hand side of the division.
*/
pragma[inline]
predicate boundedDiv(Expr e, Expr left) { e = left }
/**
* An operand `e` of a remainder expression `rem` (i.e., `rem` is either a `RemExpr` or
* an `AssignRemExpr`) with left-hand side `left` and right-ahnd side `right` is bounded
* when `e` is `left` and `right` is upper bounded by some number that is less than the maximum integer
* allowed by the result type of `rem`.
*/
pragma[inline]
predicate boundedRem(Expr e, Expr rem, Expr left, Expr right) {
e = left and
upperBound(right.getFullyConverted()) < exprMaxVal(rem.getFullyConverted())
}
/**
* An operand `e` of a bitwise and expression `andExpr` (i.e., `andExpr` is either an `BitwiseAndExpr`
* or an `AssignAndExpr`) with operands `operand1` and `operand2` is the operand that is not `e` is upper
* bounded by some number that is less than the maximum integer allowed by the result type of `andExpr`.
*/
pragma[inline]
predicate boundedBitwiseAnd(Expr e, Expr andExpr, Expr operand1, Expr operand2) {
operand1 != operand2 and
e = operand1 and
upperBound(operand2.getFullyConverted()) < exprMaxVal(andExpr.getFullyConverted())
}
/**
* Holds if `fc` is a part of the left operand of a binary operation that greatly reduces the range
* of possible values.
*/
predicate bounded(Expr e) {
// For `%` and `&` we require that `e` is bounded by a value that is strictly smaller than the
// maximum possible value of the result type of the operation.
// For example, the function call `rand()` is considered bounded in the following program:
// ```
// int i = rand() % (UINT8_MAX + 1);
// ```
// but not in:
// ```
// unsigned char uc = rand() % (UINT8_MAX + 1);
// ```
exists(RemExpr rem | boundedRem(e, rem, rem.getLeftOperand(), rem.getRightOperand()))
or
exists(AssignRemExpr rem | boundedRem(e, rem, rem.getLValue(), rem.getRValue()))
or
exists(BitwiseAndExpr andExpr |
boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
)
or
exists(AssignAndExpr andExpr |
boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
)
or
// Optimitically assume that a division always yields a much smaller value.
boundedDiv(e, any(DivExpr div).getLeftOperand())
or
boundedDiv(e, any(AssignDivExpr div).getLValue())
or
boundedDiv(e, any(RShiftExpr shift).getLeftOperand())
or
boundedDiv(e, any(AssignRShiftExpr div).getLValue())
}
predicate isUnboundedRandCallOrParent(Expr e) {
isUnboundedRandCall(e)
or
isUnboundedRandCallOrParent(e.getAChild())
}
predicate isUnboundedRandValue(Expr e) {
isUnboundedRandCall(e)
or
exists(MacroInvocation mi |
e = mi.getExpr() and
isRandCallOrParent(e)
isUnboundedRandCallOrParent(e)
)
}
class SecurityOptionsArith extends SecurityOptions {
override predicate isUserInput(Expr expr, string cause) {
isRandValue(expr) and
cause = "rand" and
not expr.getParent*() instanceof DivExpr
isUnboundedRandValue(expr) and
cause = "rand"
}
}
predicate isDiv(VariableAccess va) { exists(AssignDivExpr div | div.getLValue() = va) }
predicate missingGuard(VariableAccess va, string effect) {
exists(Operation op | op.getAnOperand() = va |
missingGuardAgainstUnderflow(op, va) and effect = "underflow"
@@ -52,29 +126,15 @@ predicate missingGuard(VariableAccess va, string effect) {
}
class Configuration extends TaintTrackingConfiguration {
override predicate isSink(Element e) {
isDiv(e)
or
missingGuard(e, _)
}
}
override predicate isSink(Element e) { missingGuard(e, _) }
/**
* A value that undergoes division is likely to be bounded within a safe
* range.
*/
predicate guardedByAssignDiv(Expr origin) {
exists(VariableAccess va |
taintedWithPath(origin, va, _, _) and
isDiv(va)
)
override predicate isBarrier(Expr e) { super.isBarrier(e) or bounded(e) }
}
from Expr origin, VariableAccess va, string effect, PathNode sourceNode, PathNode sinkNode
where
taintedWithPath(origin, va, sourceNode, sinkNode) and
missingGuard(va, effect) and
not guardedByAssignDiv(origin)
missingGuard(va, effect)
select va, sourceNode, sinkNode,
"$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".", origin,
"Uncontrolled value"

1
cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
View File

@@ -6,6 +6,7 @@
* @kind problem
* @id cpp/arithmetic-with-extreme-values
* @problem.severity warning
* @security-severity 5.9
* @precision low
* @tags security
* reliability

5
cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
View File

@@ -5,6 +5,7 @@
* @id cpp/comparison-with-wider-type
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @precision high
* @tags reliability
* security
@@ -49,7 +50,9 @@ where
small = rel.getLesserOperand() and
large = rel.getGreaterOperand() and
rel = l.getCondition().getAChild*() and
upperBound(large).log2() > getComparisonSize(small) * 8 and
forall(Expr conv | conv = large.getConversion*() |
upperBound(conv).log2() > getComparisonSize(small) * 8
) and
// Ignore cases where the smaller type is int or larger
// These are still bugs, but you should need a very large string or array to
// trigger them. We will want to disable this for some applications, but it's

1
cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
View File

@@ -5,6 +5,7 @@
* @kind problem
* @id cpp/integer-overflow-tainted
* @problem.severity warning
* @security-severity 5.9
* @precision low
* @tags security
* external/cwe/cwe-190

24
cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
View File

@@ -4,14 +4,17 @@
* user can result in integer overflow.
* @kind path-problem
* @problem.severity error
* @security-severity 5.9
* @precision medium
* @id cpp/uncontrolled-allocation-size
* @tags reliability
* security
* external/cwe/cwe-190
* external/cwe/cwe-789
*/
import cpp
import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
import semmle.code.cpp.security.TaintTracking
import TaintedWithPath
@@ -27,6 +30,27 @@ predicate allocSink(Expr alloc, Expr tainted) {
class TaintedAllocationSizeConfiguration extends TaintTrackingConfiguration {
override predicate isSink(Element tainted) { allocSink(_, tainted) }
override predicate isBarrier(Expr e) {
super.isBarrier(e)
or
// There can be two separate reasons for `convertedExprMightOverflow` not holding:
// 1. `e` really cannot overflow.
// 2. `e` isn't analyzable.
// If we didn't rule out case 2 we would place barriers on anything that isn't analyzable.
(
e instanceof UnaryArithmeticOperation or
e instanceof BinaryArithmeticOperation or
e instanceof AssignArithmeticOperation
) and
not convertedExprMightOverflow(e)
or
// Subtracting two pointers is either well-defined (and the result will likely be small), or
// terribly undefined and dangerous. Here, we assume that the programmer has ensured that the
// result is well-defined (i.e., the two pointers point to the same object), and thus the result
// will likely be small.
e = any(PointerDiffExpr diff).getAnOperand()
}
}
predicate taintedAllocSize(

63
cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/unsigned-difference-expression-compared-zero
* @problem.severity warning
* @security-severity 5.9
* @precision medium
* @tags security
* correctness
@@ -12,29 +13,60 @@
import cpp
import semmle.code.cpp.commons.Exclusions
import semmle.code.cpp.valuenumbering.GlobalValueNumbering
import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
import semmle.code.cpp.controlflow.Guards
import semmle.code.cpp.dataflow.DataFlow
/** Holds if `sub` is guarded by a condition which ensures that `left >= right`. */
/**
* Holds if `sub` is guarded by a condition which ensures that
* `left >= right`.
*/
pragma[noinline]
predicate isGuarded(SubExpr sub, Expr left, Expr right) {
exists(GuardCondition guard |
guard.controls(sub.getBasicBlock(), true) and
guard.ensuresLt(left, right, 0, sub.getBasicBlock(), false)
exists(GuardCondition guard, int k |
guard.controls(sub.getBasicBlock(), _) and
guard.ensuresLt(left, right, k, sub.getBasicBlock(), false) and
k >= 0
)
}
/** Holds if `sub` will never be negative. */
predicate nonNegative(SubExpr sub) {
not exprMightOverflowNegatively(sub.getFullyConverted())
/**
* Holds if `n` is known or suspected to be less than or equal to
* `sub.getLeftOperand()`.
*/
predicate exprIsSubLeftOrLess(SubExpr sub, DataFlow::Node n) {
n.asExpr() = sub.getLeftOperand()
or
// The subtraction is guarded by a check of the form `left >= right`.
exists(GVN left, GVN right |
// This is basically a poor man's version of a directional unbind operator.
strictcount([left, globalValueNumber(sub.getLeftOperand())]) = 1 and
strictcount([right, globalValueNumber(sub.getRightOperand())]) = 1 and
isGuarded(sub, left.getAnExpr(), right.getAnExpr())
exists(DataFlow::Node other |
// dataflow
exprIsSubLeftOrLess(sub, other) and
(
DataFlow::localFlowStep(n, other) or
DataFlow::localFlowStep(other, n)
)
)
or
exists(DataFlow::Node other |
// guard constraining `sub`
exprIsSubLeftOrLess(sub, other) and
isGuarded(sub, other.asExpr(), n.asExpr()) // other >= n
)
or
exists(DataFlow::Node other, float p, float q |
// linear access of `other`
exprIsSubLeftOrLess(sub, other) and
linearAccess(n.asExpr(), other.asExpr(), p, q) and // n = p * other + q
p <= 1 and
q <= 0
)
or
exists(DataFlow::Node other, float p, float q |
// linear access of `n`
exprIsSubLeftOrLess(sub, other) and
linearAccess(other.asExpr(), n.asExpr(), p, q) and // other = p * n + q
p >= 1 and
q >= 0
)
}
@@ -45,5 +77,6 @@ where
ro.getLesserOperand().getValue().toInt() = 0 and
ro.getGreaterOperand() = sub and
sub.getFullyConverted().getUnspecifiedType().(IntegralType).isUnsigned() and
not nonNegative(sub)
exprMightOverflowNegatively(sub.getFullyConverted()) and // generally catches false positives involving constants
not exprIsSubLeftOrLess(sub, DataFlow::exprNode(sub.getRightOperand())) // generally catches false positives where there's a relation between the left and right operands
select ro, "Unsigned subtraction can never be negative."

1
cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/hresult-boolean-conversion
* @problem.severity error
* @security-severity 4.2
* @precision high
* @tags security
* external/cwe/cwe-253

1
cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql
View File

@@ -5,6 +5,7 @@
* vulnerable to spoofing attacks.
* @kind path-problem
* @problem.severity warning
* @security-severity 5.8
* @precision medium
* @id cpp/user-controlled-bypass
* @tags security

1
cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
View File

@@ -4,6 +4,7 @@
* to an attacker.
* @kind path-problem
* @problem.severity warning
* @security-severity 5.9
* @precision medium
* @id cpp/cleartext-storage-buffer
* @tags security

1
cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
View File

@@ -4,6 +4,7 @@
* to an attacker.
* @kind problem
* @problem.severity warning
* @security-severity 6.4
* @precision medium
* @id cpp/cleartext-storage-file
* @tags security

1
cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
View File

@@ -4,6 +4,7 @@
* database can expose it to an attacker.
* @kind path-problem
* @problem.severity warning
* @security-severity 6.4
* @precision medium
* @id cpp/cleartext-storage-database
* @tags security

142
cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
View File

@@ -4,6 +4,7 @@
* an attacker to compromise security.
* @kind problem
* @problem.severity error
* @security-severity 5.2
* @precision medium
* @id cpp/weak-cryptographic-algorithm
* @tags security
@@ -13,39 +14,128 @@
import cpp
import semmle.code.cpp.security.Encryption
abstract class InsecureCryptoSpec extends Locatable {
abstract string description();
}
Function getAnInsecureFunction() {
result.getName().regexpMatch(getInsecureAlgorithmRegex()) and
/**
* A function which may relate to an insecure encryption algorithm.
*/
Function getAnInsecureEncryptionFunction() {
(
isInsecureEncryption(result.getName()) or
isInsecureEncryption(result.getAParameter().getName()) or
isInsecureEncryption(result.getDeclaringType().getName())
) and
exists(result.getACallToThisFunction())
}
class InsecureFunctionCall extends InsecureCryptoSpec, FunctionCall {
InsecureFunctionCall() { this.getTarget() = getAnInsecureFunction() }
override string description() { result = "function call" }
override string toString() { result = FunctionCall.super.toString() }
override Location getLocation() { result = FunctionCall.super.getLocation() }
/**
* A function with additional evidence it is related to encryption.
*/
Function getAnAdditionalEvidenceFunction() {
(
isEncryptionAdditionalEvidence(result.getName()) or
isEncryptionAdditionalEvidence(result.getAParameter().getName())
) and
exists(result.getACallToThisFunction())
}
Macro getAnInsecureMacro() {
result.getName().regexpMatch(getInsecureAlgorithmRegex()) and
/**
* A macro which may relate to an insecure encryption algorithm.
*/
Macro getAnInsecureEncryptionMacro() {
isInsecureEncryption(result.getName()) and
exists(result.getAnInvocation())
}
class InsecureMacroSpec extends InsecureCryptoSpec, MacroInvocation {
InsecureMacroSpec() { this.getMacro() = getAnInsecureMacro() }
override string description() { result = "macro invocation" }
override string toString() { result = MacroInvocation.super.toString() }
override Location getLocation() { result = MacroInvocation.super.getLocation() }
/**
* A macro with additional evidence it is related to encryption.
*/
Macro getAnAdditionalEvidenceMacro() {
isEncryptionAdditionalEvidence(result.getName()) and
exists(result.getAnInvocation())
}
from InsecureCryptoSpec c
select c, "This " + c.description() + " specifies a broken or weak cryptographic algorithm."
/**
* An enum constant which may relate to an insecure encryption algorithm.
*/
EnumConstant getAnInsecureEncryptionEnumConst() { isInsecureEncryption(result.getName()) }
/**
* An enum constant with additional evidence it is related to encryption.
*/
EnumConstant getAdditionalEvidenceEnumConst() { isEncryptionAdditionalEvidence(result.getName()) }
/**
* A function call we have a high confidence is related to use of an insecure encryption algorithm, along
* with an associated `Element` which might be the best point to blame, and a description of that element.
*/
predicate getInsecureEncryptionEvidence(FunctionCall fc, Element blame, string description) {
// find use of an insecure algorithm name
(
fc.getTarget() = getAnInsecureEncryptionFunction() and
blame = fc and
description = "call to " + fc.getTarget().getName()
or
exists(MacroInvocation mi |
(
mi.getAnExpandedElement() = fc or
mi.getAnExpandedElement() = fc.getAnArgument()
) and
mi.getMacro() = getAnInsecureEncryptionMacro() and
blame = mi and
description = "invocation of macro " + mi.getMacro().getName()
)
or
exists(EnumConstantAccess ec |
ec = fc.getAnArgument() and
ec.getTarget() = getAnInsecureEncryptionEnumConst() and
blame = ec and
description = "access of enum constant " + ec.getTarget().getName()
)
) and
// find additional evidence that this function is related to encryption.
(
fc.getTarget() = getAnAdditionalEvidenceFunction()
or
exists(MacroInvocation mi |
(
mi.getAnExpandedElement() = fc or
mi.getAnExpandedElement() = fc.getAnArgument()
) and
mi.getMacro() = getAnAdditionalEvidenceMacro()
)
or
exists(EnumConstantAccess ec |
ec = fc.getAnArgument() and
ec.getTarget() = getAdditionalEvidenceEnumConst()
)
)
}
/**
* An element that is the `blame` of an `InsecureFunctionCall`.
*/
class BlamedElement extends Element {
string description;
BlamedElement() { getInsecureEncryptionEvidence(_, this, description) }
/**
* Holds if this is the `num`-th `BlamedElement` in `f`.
*/
predicate hasFileRank(File f, int num) {
exists(int loc |
getLocation().charLoc(f, loc, _) and
loc =
rank[num](BlamedElement other, int loc2 | other.getLocation().charLoc(f, loc2, _) | loc2)
)
}
string getDescription() { result = description }
}
from File f, BlamedElement firstResult, BlamedElement thisResult
where
firstResult.hasFileRank(f, 1) and
thisResult.hasFileRank(f, _)
select firstResult,
"This file makes use of a broken or weak cryptographic algorithm (specified by $@).", thisResult,
thisResult.getDescription()

1
cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql
View File

@@ -4,6 +4,7 @@
* attackers to retrieve portions of memory.
* @kind problem
* @problem.severity error
* @security-severity 5.2
* @precision very-high
* @id cpp/openssl-heartbleed
* @tags security

1
cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
View File

@@ -5,6 +5,7 @@
* the two operations.
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @precision medium
* @id cpp/toctou-race-condition
* @tags security

1
cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
View File

@@ -4,6 +4,7 @@
* @id cpp/unsafe-create-process-call
* @kind problem
* @problem.severity error
* @security-severity 5.9
* @precision medium
* @msrc.severity important
* @tags security

1
cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql
View File

@@ -5,6 +5,7 @@
* state, and reading the variable may result in undefined behavior.
* @kind problem
* @problem.severity warning
* @security-severity 6.9
* @opaque-id SM02313
* @id cpp/conditionally-uninitialized-variable
* @tags security

Some files were not shown because too many files have changed in this diff Show More