hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 09:15:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

C++: Add support for 'data' in the query.

Browse Source
This commit is contained in:
Mathias Vorreiter Pedersen
2023-11-28 12:57:59 +00:00
parent 7b8d164692
commit 2b36ba33f0
4 changed files with 17 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
cpp/ql/lib/semmle/code/cpp/models/implementations/StdString.qll
View File

@@ -114,9 +114,11 @@ private class StdStringCStrModel extends StdStringCStr, StdStringTaintFunction {
/**
* The `std::string` function `data`.
*/
private class StdStringData extends StdStringTaintFunction {
class StdStringData extends MemberFunction {
StdStringData() { this.getClassAndName("data") instanceof StdBasicString }
}
private class StdStringDataModel extends StdStringData, StdStringTaintFunction {
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
// flow from string itself (qualifier) to return value
input.isQualifierObject() and

4
cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql
View File

@@ -22,6 +22,8 @@ import semmle.code.cpp.models.implementations.StdContainer
* a temporary object.
*/
predicate isTemporary(Expr e) {
e instanceof TemporaryObjectExpr
or
e.isPRValueCategory() and
e.getUnspecifiedType() instanceof Class and
not e.hasLValueToRValueConversion()
@@ -92,7 +94,7 @@ from Call c
where
outlivesFullExpr(c) and
not c.isFromUninstantiatedTemplate(_) and
c.getTarget() instanceof StdStringCStr and
(c.getTarget() instanceof StdStringCStr or c.getTarget() instanceof StdStringData) and
isTemporary(c.getQualifier().getFullyConverted())
select c,
"The underlying string object is destroyed after the call to '" + c.getTarget() + "' returns."

6
cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfStringAfterLifetimeEnds/UseOfStringAfterLifetimeEnds.expected
View File

@@ -5,4 +5,8 @@
| test.cpp:178:37:178:41 | call to c_str | The underlying string object is destroyed after the call to 'c_str' returns. |
| test.cpp:181:39:181:43 | call to c_str | The underlying string object is destroyed after the call to 'c_str' returns. |
| test.cpp:183:37:183:41 | call to c_str | The underlying string object is destroyed after the call to 'c_str' returns. |
| test.cpp:187:31:187:35 | call to c_str | The underlying string object is destroyed after the call to 'c_str' returns. |
| test.cpp:187:34:187:37 | call to data | The underlying string object is destroyed after the call to 'data' returns. |
| test.cpp:188:39:188:42 | call to data | The underlying string object is destroyed after the call to 'data' returns. |
| test.cpp:189:44:189:47 | call to data | The underlying string object is destroyed after the call to 'data' returns. |
| test.cpp:191:29:191:32 | call to data | The underlying string object is destroyed after the call to 'data' returns. |
| test.cpp:193:31:193:35 | call to c_str | The underlying string object is destroyed after the call to 'c_str' returns. |

6
cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfStringAfterLifetimeEnds/test.cpp
View File

@@ -184,6 +184,12 @@ const char* test1(bool b1, bool b2) {
char c = std::string("hello").c_str()[0]; // GOOD
auto s6 = std::string("hello").data(); // BAD
auto s7 = b1 ? std::string("hello").data() : ""; // BAD
auto s8 = b2 ? "" : std::string("hello").data(); // BAD
char* s9;
s9 = std::string("hello").data(); // BAD
return std::string("hello").c_str(); // BAD
}