hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-30 06:42:57 +01:00
Code Issues Packages Projects Releases Wiki Activity

Also treat second argument to make (slice capacity) as an allocation size.

Browse Source
This commit is contained in:
Max Schaefer
2020-03-13 12:17:53 +00:00
parent 864c85e886
commit 39fa6052e6
3 changed files with 8 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
ql/src/semmle/go/security/AllocationSizeOverflowCustomizations.qll
View File

@@ -127,9 +127,11 @@ module AllocationSizeOverflow {
}
}
/** The first (non-type) argument to a call to `make`, considered as an allocation size. */
/**
* The first or second (non-type) argument to a call to `make`, considered as an allocation size.
*/
private class DefaultAllocationSize extends AllocationSize {
DefaultAllocationSize() { this = Builtin::make().getACall().getArgument(0) }
DefaultAllocationSize() { this = Builtin::make().getACall().getArgument([0 .. 1]) }
}
/** Holds if `t` is a type whose values are likely to marshal to relatively small blobs. */

6
ql/test/query-tests/Security/CWE-190/AllocationSizeOverflow.expected
View File

@@ -4,7 +4,7 @@ edges
| tst2.go:14:2:14:29 | ... := ...[0] : slice type | tst2.go:15:22:15:30 | call to len |
| tst.go:14:2:14:30 | ... = ...[0] : slice type | tst.go:15:22:15:34 | call to len |
| tst.go:20:2:20:31 | ... = ...[0] : slice type | tst.go:21:22:21:34 | call to len |
| tst.go:26:2:26:31 | ... = ...[0] : slice type | tst.go:27:22:27:34 | call to len |
| tst.go:26:2:26:31 | ... = ...[0] : slice type | tst.go:27:26:27:38 | call to len |
| tst.go:34:2:34:30 | ... = ...[0] : slice type | tst.go:35:22:35:34 | call to len |
nodes
| AllocationSizeOverflow.go:6:2:6:33 | ... := ...[0] : slice type | semmle.label | ... := ...[0] : slice type |
@@ -18,7 +18,7 @@ nodes
| tst.go:20:2:20:31 | ... = ...[0] : slice type | semmle.label | ... = ...[0] : slice type |
| tst.go:21:22:21:34 | call to len | semmle.label | call to len |
| tst.go:26:2:26:31 | ... = ...[0] : slice type | semmle.label | ... = ...[0] : slice type |
| tst.go:27:22:27:34 | call to len | semmle.label | call to len |
| tst.go:27:26:27:38 | call to len | semmle.label | call to len |
| tst.go:34:2:34:30 | ... = ...[0] : slice type | semmle.label | ... = ...[0] : slice type |
| tst.go:35:22:35:34 | call to len | semmle.label | call to len |
#select
@@ -27,5 +27,5 @@ nodes
| tst2.go:15:22:15:30 | call to len | tst2.go:14:2:14:29 | ... := ...[0] : slice type | tst2.go:15:22:15:30 | call to len | This operation, which is used in an $@, involves a potentially large $@ and might overflow. | tst2.go:15:22:15:32 | ...+... | allocation | tst2.go:14:2:14:29 | ... := ...[0] : slice type | value |
| tst.go:15:22:15:34 | call to len | tst.go:14:2:14:30 | ... = ...[0] : slice type | tst.go:15:22:15:34 | call to len | This operation, which is used in an $@, involves a potentially large $@ and might overflow. | tst.go:15:22:15:36 | ...+... | allocation | tst.go:14:2:14:30 | ... = ...[0] : slice type | value |
| tst.go:21:22:21:34 | call to len | tst.go:20:2:20:31 | ... = ...[0] : slice type | tst.go:21:22:21:34 | call to len | This operation, which is used in an $@, involves a potentially large $@ and might overflow. | tst.go:21:22:21:36 | ...+... | allocation | tst.go:20:2:20:31 | ... = ...[0] : slice type | value |
| tst.go:27:22:27:34 | call to len | tst.go:26:2:26:31 | ... = ...[0] : slice type | tst.go:27:22:27:34 | call to len | This operation, which is used in an $@, involves a potentially large $@ and might overflow. | tst.go:27:22:27:36 | ...+... | allocation | tst.go:26:2:26:31 | ... = ...[0] : slice type | value |
| tst.go:27:26:27:38 | call to len | tst.go:26:2:26:31 | ... = ...[0] : slice type | tst.go:27:26:27:38 | call to len | This operation, which is used in an $@, involves a potentially large $@ and might overflow. | tst.go:27:26:27:40 | ...+... | allocation | tst.go:26:2:26:31 | ... = ...[0] : slice type | value |
| tst.go:35:22:35:34 | call to len | tst.go:34:2:34:30 | ... = ...[0] : slice type | tst.go:35:22:35:34 | call to len | This operation, which is used in an $@, involves a potentially large $@ and might overflow. | tst.go:35:22:35:36 | ...+... | allocation | tst.go:34:2:34:30 | ... = ...[0] : slice type | value |

2
ql/test/query-tests/Security/CWE-190/tst.go
View File

@@ -24,7 +24,7 @@ func test(x int, s string, xs []int, ys [16]int, ss [16]string, h *header) {
ignore(make([]byte, len(jsonData)+1)) // OK: data is small
jsonData, _ = json.Marshal(ss)
ignore(make([]byte, len(jsonData)+1)) // NOT OK: data might be big
ignore(make([]byte, 10, len(jsonData)+1)) // NOT OK: data might be big
jsonData, _ = json.Marshal(h)
ignore(make([]byte, len(jsonData)+1)) // OK: data is small