cpp - Using the return value of a strcpy or related string copy function in an if statement

cpp/ql/src/Likely Bugs/Likely Typos/UsingStrcpyInConditional.cpp

@@ -0,0 +1,4 @@
+if(strcpy(szbuf1, "Manager") == 0) // most likely strcmp was intended instead of strcpy
+{
+	// ...
+}

cpp/ql/src/Likely Bugs/Likely Typos/UsingStrcpyInConditional.qhelp

@@ -0,0 +1,42 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>This rule finds uses of the string copy function calls that return the <code>destination</code> parameter, 
+and that do not have a return value reserved to indicate an error.</p>
+
+<p>The rule flags occurrences using such string copy functions as the conditional of an <code>if</code> statement, either directly, as part of an equality operator or a logical operator.</p>
+  
+<p>The string copy functions that the rule takes into consideration are: 
+<li>strcpy</li>
+<li>wcscpy</li>
+<li>_mbscpy</li>
+<li>strncpy</li>
+<li>_strncpy_l</li>
+<li>wcsncpy</li>
+<li>_wcsncpy_l</li>
+<li>_mbsncpy</li>
+<li>_mbsncpy_l</li>
+</p>
+
+<p>NOTE: It is highly recommended to consider using a more secure version of string manipulation functions suchas as <code>strcpy_s</code>.</p>
+
+</overview>
+<recommendation>
+  <p>Check to ensure that the flagged expressions are not typos.</p>
+  <p>If a string comparison is intended, change the function to the appropriate string comparison function.</p>
+  <p>If a string copy is really intended, very likely a secure version of the string copy function such as <code>strcpy_s</code> was intended instead of the insecure version of the string copy function.</p>
+
+</recommendation>
+<example><sample src="UsingStrcpyInConditional.cpp" />
+</example>
+
+<references>
+<li>Microsoft Books on Line: <a href="https://docs.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2012/ccf4h9w8(v=vs.110)">C6324</a></li>
+<li>Microsoft Books on Line: <a href="https://docs.microsoft.com/en-us/cpp/c-runtime-library/reference/strcpy-wcscpy-mbscpy?view=vs-2017">strcpy, wcscpy, _mbscpy</a></li>
+<li>US-CERT: <a href="https://www.us-cert.gov/bsi/articles/knowledge/coding-practices/strcpy_s-and-strcat_s">strncpy_s() and strncat_s()</a></li>
+
+</references>
+</qhelp>

cpp/ql/src/Likely Bugs/Likely Typos/UsingStrcpyInConditional.ql

@@ -0,0 +1,45 @@
+/**
+ * @name Using the return value of a strcpy or related string copy function in an if statement
+ * @description The return value for strcpy or related string copy functions have no reserved return value to indicate an error.
+ *              Using these functions as part of an if statement condition indicates a logic error.
+ *              Either the intent was to use a more secure version of a string copy function (such as strcpy_s), 
+ *              or a string compare function (such as strcmp).
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @id cpp/string-copy-function-in-if-condition
+ * @tags external/microsoft/C6324
+ */
+
+import cpp
+
+predicate isStringComparisonFunction(string functionName) {
+  functionName = "strcpy"
+  or functionName = "wcscpy"
+  or functionName = "_mbscpy"
+  or functionName = "strncpy"
+  or functionName = "_strncpy_l"
+  or functionName = "wcsncpy"
+  or functionName = "_wcsncpy_l"
+  or functionName = "_mbsncpy"
+  or functionName = "_mbsncpy_l"
+}
+
+from IfStmt ifs,  
+FunctionCall func
+where isStringComparisonFunction( func.getTarget().getQualifiedName() )
+  and ( func = ifs.getCondition() 
+    or exists( UnaryLogicalOperation ule |
+      ule = ifs.getCondition()
+      and func = ule.getAChild()
+    )
+    or exists( BinaryLogicalOperation ble |
+      ble = ifs.getCondition()
+      and func = ble.getAChild()
+    )
+    or exists( EqualityOperation eop |
+      eop = ifs.getCondition()
+      and func = eop.getAChild()
+    )
+  )
+select func, "Incorrect use of function " + func.getTarget().getQualifiedName() + ". Verify the logic and replace with a secure string copy function, or a string comparison function."