CPP: Use StrcpyFunction model in UsingStrcpyAsBoolean.ql.

Geoffrey White
2019-06-26 16:47:51 +01:00
parent d2f8029625
commit 39be9c3125
2 changed files with 3 additions and 17 deletions


@@ -12,20 +12,9 @@
*/
import cpp
import semmle.code.cpp.models.implementations.Strcpy
import semmle.code.cpp.dataflow.DataFlow
predicate isStringComparisonFunction(string functionName) {
functionName = "strcpy" or
functionName = "wcscpy" or
functionName = "_mbscpy" or
functionName = "strncpy" or
functionName = "_strncpy_l" or
functionName = "wcsncpy" or
functionName = "_wcsncpy_l" or
functionName = "_mbsncpy" or
functionName = "_mbsncpy_l"
}
predicate isBoolean(Expr e1) {
exists(Type t1 |
t1 = e1.getType() and
@@ -36,12 +25,12 @@ predicate isBoolean(Expr e1) {
predicate isStringCopyCastedAsBoolean(FunctionCall func, Expr expr1, string msg) {
DataFlow::localFlow(DataFlow::exprNode(func), DataFlow::exprNode(expr1)) and
isBoolean(expr1.getConversion*()) and
isStringComparisonFunction(func.getTarget().getName()) and
func.getTarget() instanceof StrcpyFunction and
msg = "Return value of " + func.getTarget().getName() + " used as a Boolean."
}
predicate isStringCopyUsedInLogicalOperationOrCondition(FunctionCall func, Expr expr1, string msg) {
isStringComparisonFunction(func.getTarget().getName()) and
func.getTarget() instanceof StrcpyFunction and
(
(
// it is being used in an equality or logical operation
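Review bot: Replacing `isStringComparisonFunction(func.getTarget().getName())` with `func.getTarget() instanceof StrcpyFunction` in both predicates appears to narrow what the query matches. The expected-results change in this same commit drops the `_strncpy_l`, `_wcsncpy_l` and `_mbsncpy_l` rows, which suggests the model class does not cover the locale variants that the removed name list did. That is a silent loss of coverage for a query meant to catch a copy call written where a comparison was intended. Either extend the `StrcpyFunction` model with those three names, or keep them in the query, e.g. `(func.getTarget() instanceof StrcpyFunction or func.getTarget().hasName("_strncpy_l") or func.getTarget().hasName("_wcsncpy_l") or func.getTarget().hasName("_mbsncpy_l"))`, and record the behaviour change in the commit message or a change note. The body of `isStringCopyUsedInLogicalOperationOrCondition` continues past the end of the hunk.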


@@ -19,9 +19,6 @@
| test.cpp:103:9:103:15 | call to strncpy | Return value of strncpy used directly in a conditional expression. |
| test.cpp:107:9:107:15 | call to wcsncpy | Return value of wcsncpy used directly in a conditional expression. |
| test.cpp:111:9:111:16 | call to _mbsncpy | Return value of _mbsncpy used directly in a conditional expression. |
| test.cpp:115:9:115:18 | call to _strncpy_l | Return value of _strncpy_l used directly in a conditional expression. |
| test.cpp:119:9:119:18 | call to _wcsncpy_l | Return value of _wcsncpy_l used directly in a conditional expression. |
| test.cpp:123:9:123:18 | call to _mbsncpy_l | Return value of _mbsncpy_l used directly in a conditional expression. |
| test.cpp:127:9:127:37 | ! ... | Return value of strncpy used in a logical operation. |
| test.cpp:131:14:131:20 | call to strncpy | Return value of strncpy used as a Boolean. |
| test.cpp:133:19:133:47 | ! ... | Return value of strncpy used in a logical operation. |