C++: Use [,] more in models.

This commit is contained in:
Geoffrey White
2020-12-03 17:27:31 +00:00
parent 254072dd6d
commit 2a4fba0ff9
11 changed files with 171 additions and 377 deletions


@@ -14,95 +14,49 @@ private class MallocAllocationFunction extends AllocationFunction {
int sizeArg;
MallocAllocationFunction() {
exists(string name |
hasGlobalOrStdName(name) and
// malloc(size)
(name = "malloc" and sizeArg = 0)
or
hasGlobalName(name) and
(
// ExAllocatePool(type, size)
name = "ExAllocatePool" and sizeArg = 1
or
// ExAllocatePool(type, size, tag)
name = "ExAllocatePoolWithTag" and sizeArg = 1
or
// ExAllocatePoolWithTagPriority(type, size, tag, priority)
name = "ExAllocatePoolWithTagPriority" and sizeArg = 1
or
// ExAllocatePoolWithQuota(type, size)
name = "ExAllocatePoolWithQuota" and sizeArg = 1
or
// ExAllocatePoolWithQuotaTag(type, size, tag)
name = "ExAllocatePoolWithQuotaTag" and sizeArg = 1
or
// IoAllocateMdl(address, size, flag, flag, irp)
name = "IoAllocateMdl" and sizeArg = 1
or
// IoAllocateErrorLogEntry(object, size)
name = "IoAllocateErrorLogEntry" and sizeArg = 1
or
// MmAllocateContiguousMemory(size, maxaddress)
name = "MmAllocateContiguousMemory" and sizeArg = 0
or
// MmAllocateContiguousNodeMemory(size, minaddress, maxaddress, bound, flag, prefer)
name = "MmAllocateContiguousNodeMemory" and sizeArg = 0
or
// MmAllocateContiguousMemorySpecifyCache(size, minaddress, maxaddress, bound, type)
name = "MmAllocateContiguousMemorySpecifyCache" and sizeArg = 0
or
// MmAllocateContiguousMemorySpecifyCacheNode(size, minaddress, maxaddress, bound, type, prefer)
name = "MmAllocateContiguousMemorySpecifyCacheNode" and sizeArg = 0
or
// MmAllocateNonCachedMemory(size)
name = "MmAllocateNonCachedMemory" and sizeArg = 0
or
// MmAllocateMappingAddress(size, tag)
name = "MmAllocateMappingAddress" and sizeArg = 0
or
// MmAllocatePagesForMdl(minaddress, maxaddress, skip, size)
name = "MmAllocatePagesForMdl" and sizeArg = 3
or
// MmAllocatePagesForMdlEx(minaddress, maxaddress, skip, size, type, flags)
name = "MmAllocatePagesForMdlEx" and sizeArg = 3
or
// MmAllocateNodePagesForMdlEx(minaddress, maxaddress, skip, size, type, prefer, flags)
name = "MmAllocateNodePagesForMdlEx" and sizeArg = 3
or
// LocalAlloc(flags, size)
name = "LocalAlloc" and sizeArg = 1
or
// GlobalAlloc(flags, size)
name = "GlobalAlloc" and sizeArg = 1
or
// HeapAlloc(heap, flags, size)
name = "HeapAlloc" and sizeArg = 2
or
// VirtualAlloc(address, size, type, flag)
name = "VirtualAlloc" and sizeArg = 1
or
// CoTaskMemAlloc(size)
name = "CoTaskMemAlloc" and sizeArg = 0
or
// kmem_alloc(size, flags)
name = "kmem_alloc" and sizeArg = 0
or
// kmem_zalloc(size, flags)
name = "kmem_zalloc" and sizeArg = 0
or
// CRYPTO_malloc(size_t num, const char *file, int line)
name = "CRYPTO_malloc" and sizeArg = 0
or
// CRYPTO_zalloc(size_t num, const char *file, int line)
name = "CRYPTO_zalloc" and sizeArg = 0
or
// CRYPTO_secure_malloc(size_t num, const char *file, int line)
name = "CRYPTO_secure_malloc" and sizeArg = 0
or
// CRYPTO_secure_zalloc(size_t num, const char *file, int line)
name = "CRYPTO_secure_zalloc" and sizeArg = 0
)
)
hasGlobalOrStdName("malloc") and // malloc(size)
sizeArg = 0
or
hasGlobalName([
"MmAllocateContiguousMemory", // MmAllocateContiguousMemory(size, maxaddress)
"MmAllocateContiguousNodeMemory", // MmAllocateContiguousNodeMemory(size, minaddress, maxaddress, bound, flag, prefer)
"MmAllocateContiguousMemorySpecifyCache", // MmAllocateContiguousMemorySpecifyCache(size, minaddress, maxaddress, bound, type)
"MmAllocateContiguousMemorySpecifyCacheNode", // MmAllocateContiguousMemorySpecifyCacheNode(size, minaddress, maxaddress, bound, type, prefer)
"MmAllocateNonCachedMemory", // MmAllocateNonCachedMemory(size)
"MmAllocateMappingAddress", // MmAllocateMappingAddress(size, tag)
"CoTaskMemAlloc", // CoTaskMemAlloc(size)
"kmem_alloc", // kmem_alloc(size, flags)
"kmem_zalloc", // kmem_zalloc(size, flags)
"CRYPTO_malloc", // CRYPTO_malloc(size_t num, const char *file, int line)
"CRYPTO_zalloc", // CRYPTO_zalloc(size_t num, const char *file, int line)
"CRYPTO_secure_malloc", // CRYPTO_secure_malloc(size_t num, const char *file, int line)
"CRYPTO_secure_zalloc" // CRYPTO_secure_zalloc(size_t num, const char *file, int line)
]) and
sizeArg = 0
or
hasGlobalName([
"ExAllocatePool", // ExAllocatePool(type, size)
"ExAllocatePoolWithTag", // ExAllocatePool(type, size, tag)
"ExAllocatePoolWithTagPriority", // ExAllocatePoolWithTagPriority(type, size, tag, priority)
"ExAllocatePoolWithQuota", // ExAllocatePoolWithQuota(type, size)
"ExAllocatePoolWithQuotaTag", // ExAllocatePoolWithQuotaTag(type, size, tag)
"IoAllocateMdl", // IoAllocateMdl(address, size, flag, flag, irp)
"IoAllocateErrorLogEntry", // IoAllocateErrorLogEntry(object, size)
"LocalAlloc", // LocalAlloc(flags, size)
"GlobalAlloc", // GlobalAlloc(flags, size)
"VirtualAlloc" // VirtualAlloc(address, size, type, flag)
]) and
sizeArg = 1
or
hasGlobalName(["HeapAlloc"]) and // HeapAlloc(heap, flags, size)
sizeArg = 2
or
hasGlobalName([
"MmAllocatePagesForMdl", // MmAllocatePagesForMdl(minaddress, maxaddress, skip, size)
"MmAllocatePagesForMdlEx", // MmAllocatePagesForMdlEx(minaddress, maxaddress, skip, size, type, flags)
"MmAllocateNodePagesForMdlEx" // MmAllocateNodePagesForMdlEx(minaddress, maxaddress, skip, size, type, prefer, flags)
]) and
sizeArg = 3
}
override int getSizeArg() { result = sizeArg }
@@ -116,16 +70,11 @@ private class AllocaAllocationFunction extends AllocationFunction {
int sizeArg;
AllocaAllocationFunction() {
exists(string name |
hasGlobalName(name) and
(
// alloca(size)
name = "alloca" and sizeArg = 0
or
// __builtin_alloca(size)
name = "__builtin_alloca" and sizeArg = 0
)
)
hasGlobalName([
"alloca", // // alloca(size)
"__builtin_alloca" // __builtin_alloca(size)
]) and
sizeArg = 0
}
override int getSizeArg() { result = sizeArg }
@@ -142,11 +91,9 @@ private class CallocAllocationFunction extends AllocationFunction {
int multArg;
CallocAllocationFunction() {
exists(string name |
hasGlobalOrStdName(name) and
// calloc(num, size)
(name = "calloc" and sizeArg = 1 and multArg = 0)
)
hasGlobalOrStdName("calloc") and // calloc(num, size)
sizeArg = 1 and
multArg = 0
}
override int getSizeArg() { result = sizeArg }
@@ -163,29 +110,22 @@ private class ReallocAllocationFunction extends AllocationFunction {
int reallocArg;
ReallocAllocationFunction() {
exists(string name |
hasGlobalOrStdName(name) and
// realloc(ptr, size)
(name = "realloc" and sizeArg = 1 and reallocArg = 0)
or
hasGlobalName(name) and
(
// LocalReAlloc(ptr, size, flags)
name = "LocalReAlloc" and sizeArg = 1 and reallocArg = 0
or
// GlobalReAlloc(ptr, size, flags)
name = "GlobalReAlloc" and sizeArg = 1 and reallocArg = 0
or
// HeapReAlloc(heap, flags, ptr, size)
name = "HeapReAlloc" and sizeArg = 3 and reallocArg = 2
or
// CoTaskMemRealloc(ptr, size)
name = "CoTaskMemRealloc" and sizeArg = 1 and reallocArg = 0
or
// CRYPTO_realloc(void *addr, size_t num, const char *file, int line);
name = "CRYPTO_realloc" and sizeArg = 1 and reallocArg = 0
)
)
hasGlobalOrStdName("realloc") and // realloc(ptr, size)
sizeArg = 1 and
reallocArg = 0
or
hasGlobalName([
"LocalReAlloc", // LocalReAlloc(ptr, size, flags)
"GlobalReAlloc", // GlobalReAlloc(ptr, size, flags)
"CoTaskMemRealloc", // CoTaskMemRealloc(ptr, size)
"CRYPTO_realloc" // CRYPTO_realloc(void *addr, size_t num, const char *file, int line)
]) and
sizeArg = 1 and
reallocArg = 0
or
hasGlobalName("HeapReAlloc") and // HeapReAlloc(heap, flags, ptr, size)
sizeArg = 3 and
reallocArg = 2
}
override int getSizeArg() { result = sizeArg }
@@ -199,40 +139,18 @@ private class ReallocAllocationFunction extends AllocationFunction {
*/
private class SizelessAllocationFunction extends AllocationFunction {
SizelessAllocationFunction() {
exists(string name |
hasGlobalName(name) and
(
// ExAllocateFromLookasideListEx(list)
name = "ExAllocateFromLookasideListEx"
or
// ExAllocateFromPagedLookasideList(list)
name = "ExAllocateFromPagedLookasideList"
or
// ExAllocateFromNPagedLookasideList(list)
name = "ExAllocateFromNPagedLookasideList"
or
// ExAllocateTimer(callback, context, attributes)
name = "ExAllocateTimer"
or
// IoAllocateWorkItem(object)
name = "IoAllocateWorkItem"
or
// MmMapLockedPagesWithReservedMapping(address, tag, list, type)
name = "MmMapLockedPagesWithReservedMapping"
or
// MmMapLockedPages(list, mode)
name = "MmMapLockedPages"
or
// MmMapLockedPagesSpecifyCache(list, mode, type, address, flag, flag)
name = "MmMapLockedPagesSpecifyCache"
or
// pool_get(pool, flags)
name = "pool_get"
or
// pool_cache_get(pool, flags)
name = "pool_cache_get"
)
)
hasGlobalName([
"ExAllocateFromLookasideListEx", // ExAllocateFromLookasideListEx(list)
"ExAllocateFromPagedLookasideList", // ExAllocateFromPagedLookasideList(list)
"ExAllocateFromNPagedLookasideList", // ExAllocateFromNPagedLookasideList(list)
"ExAllocateTimer", // ExAllocateTimer(callback, context, attributes)
"IoAllocateWorkItem", // IoAllocateWorkItem(object)
"MmMapLockedPagesWithReservedMapping", // MmMapLockedPagesWithReservedMapping(address, tag, list, type)
"MmMapLockedPages", // MmMapLockedPages(list, mode)
"MmMapLockedPagesSpecifyCache", // MmMapLockedPagesSpecifyCache(list, mode, type, address, flag, flag)
"pool_get", // pool_get(pool, flags)
"pool_cache_get" // pool_cache_get(pool, flags)
])
}
}
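Review bot: The annotation at L126 still reads `// ExAllocatePool(type, size, tag)` next to the `"ExAllocatePoolWithTag"` entry; these signature comments are what a reader checks `sizeArg` against, so it should be `// ExAllocatePoolWithTag(type, size, tag)`. Two smaller style points in the same file: `hasGlobalName(["HeapAlloc"])` at L138 wraps a single name in a list while the realloc hunk writes `hasGlobalName("HeapReAlloc")` at L221, and L163 carries a doubled `// //` before `alloca(size)`. The size-argument indices in the four malloc groups do agree with the signatures given in their comments.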


@@ -14,75 +14,27 @@ private class StandardDeallocationFunction extends DeallocationFunction {
StandardDeallocationFunction() {
exists(string name |
hasGlobalName(name) and
(
name = "free" and freedArg = 0
or
name = "realloc" and freedArg = 0
or
name = "CRYPTO_free" and freedArg = 0
or
name = "CRYPTO_secure_free" and freedArg = 0
)
hasGlobalName(["free", "realloc", "CRYPTO_free", "CRYPTO_secure_free"]) and
freedArg = 0
or
hasGlobalOrStdName(name) and
(
name = "ExFreePoolWithTag" and freedArg = 0
or
name = "ExFreeToLookasideListEx" and freedArg = 1
or
name = "ExFreeToPagedLookasideList" and freedArg = 1
or
name = "ExFreeToNPagedLookasideList" and freedArg = 1
or
name = "ExDeleteTimer" and freedArg = 0
or
name = "IoFreeMdl" and freedArg = 0
or
name = "IoFreeWorkItem" and freedArg = 0
or
name = "IoFreeErrorLogEntry" and freedArg = 0
or
name = "MmFreeContiguousMemory" and freedArg = 0
or
name = "MmFreeContiguousMemorySpecifyCache" and freedArg = 0
or
name = "MmFreeNonCachedMemory" and freedArg = 0
or
name = "MmFreeMappingAddress" and freedArg = 0
or
name = "MmFreePagesFromMdl" and freedArg = 0
or
name = "MmUnmapReservedMapping" and freedArg = 0
or
name = "MmUnmapLockedPages" and freedArg = 0
or
name = "LocalFree" and freedArg = 0
or
name = "GlobalFree" and freedArg = 0
or
name = "HeapFree" and freedArg = 2
or
name = "VirtualFree" and freedArg = 0
or
name = "CoTaskMemFree" and freedArg = 0
or
name = "SysFreeString" and freedArg = 0
or
name = "LocalReAlloc" and freedArg = 0
or
name = "GlobalReAlloc" and freedArg = 0
or
name = "HeapReAlloc" and freedArg = 2
or
name = "CoTaskMemRealloc" and freedArg = 0
or
name = "kmem_free" and freedArg = 0
or
name = "pool_put" and freedArg = 1
or
name = "pool_cache_put" and freedArg = 1
)
hasGlobalOrStdName([
"ExFreePoolWithTag", "ExDeleteTimer", "IoFreeMdl", "IoFreeWorkItem",
"IoFreeErrorLogEntry", "MmFreeContiguousMemory", "MmFreeContiguousMemorySpecifyCache",
"MmFreeNonCachedMemory", "MmFreeMappingAddress", "MmFreePagesFromMdl",
"MmUnmapReservedMapping", "MmUnmapLockedPages", "LocalFree", "GlobalFree", "VirtualFree",
"CoTaskMemFree", "SysFreeString", "LocalReAlloc", "GlobalReAlloc", "CoTaskMemRealloc",
"kmem_free"
]) and
freedArg = 0
or
hasGlobalOrStdName([
"ExFreeToLookasideListEx", "ExFreeToPagedLookasideList", "ExFreeToNPagedLookasideList",
"pool_put", "pool_cache_put"
]) and
freedArg = 1
or
hasGlobalOrStdName(["HeapFree", "HeapReAlloc"]) and
freedArg = 2
)
}
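Review bot: The quantifier `exists(string name |` at L283 and its closing `)` at L373 appear to survive on the new side (the rendered page shows no markers, but the unchanged-line counts in the hunk header only add up if they are context), while the rewritten body at L294-L372 no longer mentions `name`; if so, `name` is an unbound `string` variable and the QL compiler rejects the predicate, so both lines need to go as they did in the Alloc.qll hunk. Separately, this section still pairs `hasGlobalName` with `free`/`realloc`/`CRYPTO_*` (L294) and `hasGlobalOrStdName` with the Windows kernel routines (L355, L365, L371), which is the reverse of Alloc.qll, where `malloc`/`realloc` get the `std::`-aware form and the kernel APIs the global one. A `std::free(p)` that is recognised as neither allocation-related nor a deallocation can hide use-after-free and double-free results, so the two models should agree, presumably `hasGlobalOrStdName(["free", "realloc"])` here and `hasGlobalName` for the rest.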


@@ -31,11 +31,7 @@ private class IteratorTraits extends Class {
*/
private class IteratorByTypedefs extends Iterator, Class {
IteratorByTypedefs() {
this.getAMember().(TypedefType).hasName("difference_type") and
this.getAMember().(TypedefType).hasName("value_type") and
this.getAMember().(TypedefType).hasName("pointer") and
this.getAMember().(TypedefType).hasName("reference") and
this.getAMember().(TypedefType).hasName("iterator_category") and
this.getAMember().(TypedefType).hasName(["difference_type", "value_type", "pointer", "reference", "iterator_category"]) and
not this.hasQualifiedName("std", "iterator_traits")
}
}
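Review bot: The folded line at L387 weakens the condition: a set literal in an argument position is a disjunction, so `this.getAMember().(TypedefType).hasName([...])` holds as soon as one member typedef carries any one of the five names, whereas the five removed conjuncts each demanded a (possibly different) member for every name. Any class that merely declares a `value_type` or `pointer` typedef — containers, allocators, traits classes — now becomes an `Iterator`, and everything that extends or queries `Iterator` would match those classes too. To keep the `[,]` form without the over-approximation, quantify over the names: `forall(string n | n = ["difference_type", "value_type", "pointer", "reference", "iterator_category"] | this.getAMember().(TypedefType).hasName(n)) and`; otherwise the original five lines should be restored.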


@@ -15,13 +15,8 @@ import semmle.code.cpp.models.interfaces.SideEffect
private class MemsetFunction extends ArrayFunction, DataFlowFunction, AliasFunction,
SideEffectFunction {
MemsetFunction() {
hasGlobalName("memset") or
hasGlobalName("wmemset") or
hasGlobalName("bzero") or
hasGlobalName("__builtin_memset") or
hasGlobalName("__builtin_memset_chk") or
hasQualifiedName("std", "memset") or
hasQualifiedName("std", "wmemset")
hasGlobalName(["memset", "wmemset", "bzero", "__builtin_memset", "__builtin_memset_chk"]) or
hasQualifiedName("std", ["memset", "wmemset"])
}
override predicate hasArrayOutput(int bufParam) { bufParam = 0 }


@@ -15,11 +15,8 @@ private class Printf extends FormattingFunction, AliasFunction {
Printf() {
this instanceof TopLevelFunction and
(
hasGlobalOrStdName("printf") or
hasGlobalName("printf_s") or
hasGlobalOrStdName("wprintf") or
hasGlobalName("wprintf_s") or
hasGlobalName("g_printf")
hasGlobalOrStdName(["printf", "wprintf"]) or
hasGlobalName(["printf_s", "wprintf_s", "g_printf"])
) and
not exists(getDefinition().getFile().getRelativePath())
}
@@ -47,8 +44,7 @@ private class Fprintf extends FormattingFunction {
Fprintf() {
this instanceof TopLevelFunction and
(
hasGlobalOrStdName("fprintf") or
hasGlobalOrStdName("fwprintf") or
hasGlobalOrStdName(["fprintf", "fwprintf"]) or
hasGlobalName("g_fprintf")
) and
not exists(getDefinition().getFile().getRelativePath())
@@ -68,26 +64,18 @@ private class Sprintf extends FormattingFunction {
Sprintf() {
this instanceof TopLevelFunction and
(
// sprintf(dst, format, args...)
hasGlobalOrStdName("sprintf")
hasGlobalOrStdName([
"sprintf", // sprintf(dst, format, args...)
"wsprintf" // wsprintf(dst, format, args...)
])
or
// _sprintf_l(dst, format, locale, args...)
hasGlobalName("_sprintf_l")
or
// __swprintf_l(dst, format, locale, args...)
hasGlobalName("__swprintf_l")
or
// wsprintf(dst, format, args...)
hasGlobalOrStdName("wsprintf")
or
// g_strdup_printf(format, ...)
hasGlobalName("g_strdup_printf")
or
// g_sprintf(dst, format, ...)
hasGlobalName("g_sprintf")
or
// __builtin___sprintf_chk(dst, flag, os, format, ...)
hasGlobalName("__builtin___sprintf_chk")
hasGlobalName([
"_sprintf_l", // _sprintf_l(dst, format, locale, args...)
"__swprintf_l", // __swprintf_l(dst, format, locale, args...)
"g_strdup_printf", // g_strdup_printf(format, ...)
"g_sprintf", // g_sprintf(dst, format, ...)
"__builtin___sprintf_chk" // __builtin___sprintf_chk(dst, flag, os, format, ...)
])
) and
not exists(getDefinition().getFile().getRelativePath())
}
@@ -106,8 +94,7 @@ private class Sprintf extends FormattingFunction {
or
hasGlobalName("__builtin___sprintf_chk") and result = 3
or
getName() != "g_strdup_printf" and
getName() != "__builtin___sprintf_chk" and
not getName() = ["g_strdup_printf", "__builtin___sprintf_chk"] and
result = 1
}
@@ -129,26 +116,18 @@ private class SnprintfImpl extends Snprintf {
SnprintfImpl() {
this instanceof TopLevelFunction and
(
hasGlobalOrStdName("snprintf") or // C99 defines snprintf
hasGlobalOrStdName("swprintf") or // The s version of wide-char printf is also always the n version
hasGlobalOrStdName([
"snprintf", // C99 defines snprintf
"swprintf" // The s version of wide-char printf is also always the n version
])
or
// Microsoft has _snprintf as well as several other variations
hasGlobalName("sprintf_s") or
hasGlobalName("snprintf_s") or
hasGlobalName("swprintf_s") or
hasGlobalName("_snprintf") or
hasGlobalName("_snprintf_s") or
hasGlobalName("_snprintf_l") or
hasGlobalName("_snprintf_s_l") or
hasGlobalName("_snwprintf") or
hasGlobalName("_snwprintf_s") or
hasGlobalName("_snwprintf_l") or
hasGlobalName("_snwprintf_s_l") or
hasGlobalName("_sprintf_s_l") or
hasGlobalName("_swprintf_l") or
hasGlobalName("_swprintf_s_l") or
hasGlobalName("g_snprintf") or
hasGlobalName("wnsprintf") or
hasGlobalName("__builtin___snprintf_chk")
hasGlobalName([
"sprintf_s", "snprintf_s", "swprintf_s", "_snprintf", "_snprintf_s", "_snprintf_l",
"_snprintf_s_l", "_snwprintf", "_snwprintf_s", "_snwprintf_l", "_snwprintf_s_l",
"_sprintf_s_l", "_swprintf_l", "_swprintf_s_l", "g_snprintf", "wnsprintf",
"__builtin___snprintf_chk"
])
) and
not exists(getDefinition().getFile().getRelativePath())
}
@@ -186,9 +165,7 @@ private class SnprintfImpl extends Snprintf {
override predicate returnsFullFormatLength() {
(
hasGlobalOrStdName("snprintf") or
hasGlobalName("g_snprintf") or
hasGlobalName("__builtin___snprintf_chk") or
hasGlobalName("snprintf_s")
hasGlobalName(["g_snprintf", "__builtin___snprintf_chk", "snprintf_s"])
) and
not exists(getDefinition().getFile().getRelativePath())
}
@@ -202,16 +179,10 @@ private class SnprintfImpl extends Snprintf {
private class StringCchPrintf extends FormattingFunction {
StringCchPrintf() {
this instanceof TopLevelFunction and
(
hasGlobalName("StringCchPrintf") or
hasGlobalName("StringCchPrintfEx") or
hasGlobalName("StringCchPrintf_l") or
hasGlobalName("StringCchPrintf_lEx") or
hasGlobalName("StringCbPrintf") or
hasGlobalName("StringCbPrintfEx") or
hasGlobalName("StringCbPrintf_l") or
hasGlobalName("StringCbPrintf_lEx")
) and
hasGlobalName([
"StringCchPrintf", "StringCchPrintfEx", "StringCchPrintf_l", "StringCchPrintf_lEx",
"StringCbPrintf", "StringCbPrintfEx", "StringCbPrintf_l", "StringCbPrintf_lEx"
]) and
not exists(getDefinition().getFile().getRelativePath())
}
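Review bot: The compacted lists at L513-L516 and L547-L548 drop the per-entry signature comments that the Sprintf hunk keeps (L465-L469), and for these classes the comments carry weight: the entries differ in where the buffer, size, count, locale and format parameters sit (`_snprintf_l(dst, n, format, locale, ...)` versus `_snprintf_s_l(dst, n, count, format, locale, ...)`, and `StringCchPrintfEx(dst, n, &end, &remaining, flags, format, ...)`), while the parameter-index overrides that depend on that layout are outside this hunk. One name per line with a `// name(dst, n, format, ...)` annotation, as done for `_sprintf_l` at L465, would let a reader check the indices against the list. A minor point at L444: `wsprintf` is a Win32 user32 routine rather than a C standard function, so `hasGlobalOrStdName` is harmless there but `hasGlobalName` would state the intent more precisely.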


@@ -69,10 +69,8 @@ private class StdSequenceContainerData extends TaintFunction {
*/
private class StdSequenceContainerPush extends TaintFunction {
StdSequenceContainerPush() {
this.hasQualifiedName("std", "vector", "push_back") or
this.hasQualifiedName("std", "deque", ["push_back", "push_front"]) or
this.hasQualifiedName("std", "list", ["push_back", "push_front"]) or
this.hasQualifiedName("std", "forward_list", "push_front")
this.hasQualifiedName("std", ["vector", "deque", "list"], "push_back") or
this.hasQualifiedName("std", ["deque", "list", "forward_list"], "push_front")
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -87,11 +85,8 @@ private class StdSequenceContainerPush extends TaintFunction {
*/
private class StdSequenceContainerFrontBack extends TaintFunction {
StdSequenceContainerFrontBack() {
this.hasQualifiedName("std", "array", ["front", "back"]) or
this.hasQualifiedName("std", "vector", ["front", "back"]) or
this.hasQualifiedName("std", "deque", ["front", "back"]) or
this.hasQualifiedName("std", "list", ["front", "back"]) or
this.hasQualifiedName("std", "forward_list", "front")
this.hasQualifiedName("std", ["array", "vector", "deque", "list", "forward_list"], "front") or
this.hasQualifiedName("std", ["array", "vector", "deque", "list"], "back")
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -107,7 +102,7 @@ private class StdSequenceContainerFrontBack extends TaintFunction {
private class StdSequenceContainerInsert extends TaintFunction {
StdSequenceContainerInsert() {
this.hasQualifiedName("std", ["vector", "deque", "list"], "insert") or
this.hasQualifiedName("std", ["forward_list"], "insert_after")
this.hasQualifiedName("std", "forward_list", "insert_after")
}
/**


@@ -256,10 +256,7 @@ private class StdStringSubstr extends TaintFunction {
* The standard functions `std::string.swap` and `std::stringstream::swap`.
*/
private class StdStringSwap extends TaintFunction {
StdStringSwap() {
this.hasQualifiedName("std", "basic_string", "swap") or
this.hasQualifiedName("std", "basic_stringstream", "swap")
}
StdStringSwap() { this.hasQualifiedName("std", ["basic_string", "basic_stringstream"], "swap") }
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
// str1.swap(str2)


@@ -13,15 +13,16 @@ import semmle.code.cpp.models.interfaces.SideEffect
*/
class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, SideEffectFunction {
StrcatFunction() {
exists(string name | name = getName() |
name = "strcat" or // strcat(dst, src)
name = "strncat" or // strncat(dst, src, max_amount)
name = "wcscat" or // wcscat(dst, src)
name = "_mbscat" or // _mbscat(dst, src)
name = "wcsncat" or // wcsncat(dst, src, max_amount)
name = "_mbsncat" or // _mbsncat(dst, src, max_amount)
name = "_mbsncat_l" // _mbsncat_l(dst, src, max_amount, locale)
)
getName() =
[
"strcat", // strcat(dst, src)
"strncat", // strncat(dst, src, max_amount)
"wcscat", // wcscat(dst, src)
"_mbscat", // _mbscat(dst, src)
"wcsncat", // wcsncat(dst, src, max_amount)
"_mbsncat", // _mbsncat(dst, src, max_amount)
"_mbsncat_l" // _mbsncat_l(dst, src, max_amount, locale)
]
}
/**
@@ -45,20 +46,13 @@ class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, Sid
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
exists(string name | name = getName() |
(
name = "strncat" or
name = "wcsncat" or
name = "_mbsncat" or
name = "_mbsncat_l"
) and
input.isParameter(2) and
output.isParameterDeref(0)
or
name = "_mbsncat_l" and
input.isParameter(3) and
output.isParameterDeref(0)
)
getName() = ["strncat", "wcsncat", "_mbsncat", "_mbsncat_l"] and
input.isParameter(2) and
output.isParameterDeref(0)
or
getName() = "_mbsncat_l" and
input.isParameter(3) and
output.isParameterDeref(0)
or
input.isParameterDeref(0) and
output.isParameterDeref(0)
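Review bot: The rewritten test at L618-L627 still keys on bare `getName()`, so any function called `strcat`, `wcscat` or `_mbscat` in any namespace or class — a project's own `Util::strcat` wrapper, say — is modeled as the C library call and inherits the `hasTaintFlow` contract at L647-L656, whereas the other models touched by this commit (Strdup, Memset, Alloc) scope the match with `hasGlobalName` or `hasGlobalOrStdName`. Unless the broad match is deliberate, `hasGlobalOrStdName(["strcat", "strncat", "wcscat", "_mbscat", "wcsncat", "_mbsncat", "_mbsncat_l"])` in the constructor and `hasGlobalOrStdName([...])` in place of the `getName() = [...]` tests at L647 and L651 would align it and stop user wrappers from being given the library's taint behaviour. The `StrcatFunction` class continues past the hunk.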


@@ -13,25 +13,13 @@ import semmle.code.cpp.models.interfaces.Taint
*/
private class StrdupFunction extends AllocationFunction, ArrayFunction, DataFlowFunction {
StrdupFunction() {
exists(string name |
hasGlobalName(name) and
(
// strdup(str)
name = "strdup"
or
// wcsdup(str)
name = "wcsdup"
or
// _strdup(str)
name = "_strdup"
or
// _wcsdup(str)
name = "_wcsdup"
or
// _mbsdup(str)
name = "_mbsdup"
)
)
hasGlobalName([
"strdup", // strdup(str)
"wcsdup", // wcsdup(str)
"_strdup", // _strdup(str)
"_wcsdup", // _wcsdup(str)
"_mbsdup" // _mbsdup(str)
])
}
override predicate hasArrayInput(int bufParam) { bufParam = 0 }


@@ -93,16 +93,10 @@ abstract class AllocationExpr extends Expr {
*/
class OperatorNewAllocationFunction extends AllocationFunction {
OperatorNewAllocationFunction() {
exists(string name |
hasGlobalName(name) and
(
// operator new(bytes, ...)
name = "operator new"
or
// operator new[](bytes, ...)
name = "operator new[]"
)
)
hasGlobalName([
"operator new", // operator new(bytes, ...)
"operator new[]" // operator new[](bytes, ...)
])
}
override int getSizeArg() { result = 0 }


@@ -38,16 +38,10 @@ abstract class DeallocationExpr extends Expr {
*/
class OperatorDeleteDeallocationFunction extends DeallocationFunction {
OperatorDeleteDeallocationFunction() {
exists(string name |
hasGlobalName(name) and
(
// operator delete(pointer, ...)
name = "operator delete"
or
// operator delete[](pointer, ...)
name = "operator delete[]"
)
)
hasGlobalName([
"operator delete", // operator delete(pointer, ...)
"operator delete[]" // operator delete[](pointer, ...)
])
}
override int getFreedArg() { result = 0 }