diff --git a/cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll b/cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll index 719c16281f2..c758b956695 100644 --- a/cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll +++ b/cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll @@ -3,7 +3,7 @@ */ import cpp -import semmle.code.cpp.dataflow.DataFlow +import semmle.code.cpp.dataflow.TaintTracking import semmle.code.cpp.commons.DateTime /** 
@@ -246,26 +246,29 @@ class FiletimeYearArithmeticOperationCheckConfiguration extends DataFlow::Config } /** - * `DataFlow::Configuration` for finding an operation with hardcoded 365 that will flow into any known date/time field. + * Taint configuration for finding an operation with hardcoded 365 that will flow into any known date/time field. */ -class PossibleYearArithmeticOperationCheckConfiguration extends DataFlow::Configuration { +class PossibleYearArithmeticOperationCheckConfiguration extends TaintTracking::Configuration { PossibleYearArithmeticOperationCheckConfiguration() { this = "PossibleYearArithmeticOperationCheckConfiguration" } override predicate isSource(DataFlow::Node source) { - exists(Operation op | op = source.asExpr() | + exists(Operation op | op = source.asConvertedExpr() | op.getAChild*().getValue().toInt() = 365 and - not op.getParent() instanceof Expr + ( + not op.getParent() instanceof Expr or + op.getParent() instanceof Assignment + ) ) } - override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { + override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { // flow from anything on the RHS of an assignment to a time/date structure to that // assignment. - exists(StructLikeClass dds, FieldAccess fa, AssignExpr aexpr, Expr e | + exists(StructLikeClass dds, FieldAccess fa, Assignment aexpr, Expr e | e = node1.asExpr() and - aexpr = node2.asExpr() + fa = node2.asExpr() | (dds instanceof PackedTimeType or dds instanceof UnpackedTimeType) and fa.getQualifier().getUnderlyingType() = dds and 
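Review bot: The comment kept above the `exists` in `isAdditionalTaintStep` still says the flow goes "to that assignment", but the new code binds `node2` to the field access `fa`, not to `aexpr`. Assuming the conjuncts past the end of this hunk still tie `e` to the right-hand side and `fa` to the left-hand side of `aexpr`, I would reword it to `// taint from any expression on the RHS of an assignment flows to the date/time field access being assigned`. The same predicate reads both nodes with `asExpr()`, while `isSource` and `isSink` now use `asConvertedExpr()`; a one-line comment on why the step works on the unconverted expression would help the next reader. The predicate body continues outside the hunk.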
@@ -275,7 +278,9 @@ class PossibleYearArithmeticOperationCheckConfiguration extends DataFlow::Config } override predicate isSink(DataFlow::Node sink) { - exists(StructLikeClass dds, FieldAccess fa, AssignExpr aexpr | aexpr = sink.asExpr() | + exists(StructLikeClass dds, FieldAccess fa, AssignExpr aexpr | + aexpr.getRValue() = sink.asConvertedExpr() + | (dds instanceof PackedTimeType or dds instanceof UnpackedTimeType) and fa.getQualifier().getUnderlyingType() = dds and fa.isModified() and diff --git a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/Adding365DaysPerYear/Adding365daysPerYear.expected b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/Adding365DaysPerYear/Adding365daysPerYear.expected index e69de29bb2d..2d986e4b72f 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/Adding365DaysPerYear/Adding365daysPerYear.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/Adding365DaysPerYear/Adding365daysPerYear.expected 
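Review bot: `isSink` still declares `AssignExpr aexpr`, while this commit widens `isAdditionalTaintStep` to `Assignment` and lets `isSource` accept operations whose parent is any `Assignment`, so the three predicates no longer agree on which assignments count. If compound assignments to a date/time field are meant to be reported, the declaration would become `exists(StructLikeClass dds, FieldAccess fa, Assignment aexpr |`; if only plain `=` is intended, a comment on `isSink` saying so would keep the difference from being read as an oversight. The added expected results show sinks of the form `... & ...`, `... >> ...` and `... / ...`, so the tests visible here do not settle which is intended. The predicate's remaining conjuncts lie outside the hunk.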
@@ -0,0 +1,5 @@
+| test.cpp:173:29:173:51 | ... & ... | An arithmetic operation $@ that uses a constant value of 365 ends up modifying this date/time, without considering leap year scenarios. | test.cpp:170:16:170:47 | ... * ... | ... * ... |
+| test.cpp:174:30:174:45 | ... >> ... | An arithmetic operation $@ that uses a constant value of 365 ends up modifying this date/time, without considering leap year scenarios. | test.cpp:170:16:170:47 | ... * ... | ... * ... |
+| test.cpp:193:15:193:24 | ... / ... | An arithmetic operation $@ that uses a constant value of 365 ends up modifying this date/time, without considering leap year scenarios. | test.cpp:193:15:193:24 | ... / ... | ... / ... |
+| test.cpp:217:29:217:51 | ... & ... | An arithmetic operation $@ that uses a constant value of 365 ends up modifying this date/time, without considering leap year scenarios. | test.cpp:214:16:214:47 | ... * ... | ... * ... |
+| test.cpp:218:30:218:45 | ... >> ... | An arithmetic operation $@ that uses a constant value of 365 ends up modifying this date/time, without considering leap year scenarios. | test.cpp:214:16:214:47 | ... * ... | ... * ... |