hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-05 05:35:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into promote-sql-pqxx

Browse Source
This commit is contained in:
Mathias Vorreiter Pedersen
2021-09-14 15:29:37 +01:00
parent 90633b9ce1 31739cdae6
commit 44dca68463
4873 changed files with 308393 additions and 68657 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryFreed.expected
View File

@@ -24,6 +24,8 @@
| test.cpp:126:8:126:9 | i2 |
| test.cpp:127:8:127:9 | i3 |
| test.cpp:128:15:128:16 | v4 |
| test.cpp:185:10:185:12 | cpy |
| test.cpp:199:10:199:12 | cpy |
| virtual.cpp:18:10:18:10 | a |
| virtual.cpp:19:10:19:10 | c |
| virtual.cpp:38:10:38:10 | b |

2
cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryNeverFreed.expected
View File

@@ -10,4 +10,4 @@
| test.cpp:89:18:89:23 | call to malloc | This memory is never freed |
| test.cpp:156:3:156:26 | new | This memory is never freed |
| test.cpp:157:3:157:26 | new[] | This memory is never freed |
| test.cpp:167:14:167:19 | call to strdup | This memory is never freed |
| test.cpp:169:14:169:19 | call to strdup | This memory is never freed |

30
cpp/ql/test/query-tests/Critical/MemoryFreed/test.cpp
View File

@@ -155,6 +155,8 @@ int overloadedNew() {
new(std::nothrow) int(3); // BAD
new(std::nothrow) int[2]; // BAD
return 0;
}
// --- strdup ---
@@ -168,3 +170,31 @@ void test_strdup() {
output_msg(cpy);
}
// --- strdupa ---
char *strdupa(const char *s1);
void test_strdupa_no_dealloc() {
char msg[] = "OctoCat";
char *cpy = strdupa(msg); // GOOD
}
void test_strdupa_dealloc() {
char msg[] = "OctoCat";
char *cpy = strdupa(msg);
free(cpy); // BAD [NOT DETECTED]
}
// --- strndupa ---
char *strndupa(const char *s1, size_t maxsize);
void test_strndupa_no_dealloc() {
char msg[] = "OctoCat";
char *cpy = strndupa(msg, 4); // GOOD
}
void test_strndupa_dealloc() {
char msg[] = "OctoCat";
char *cpy = strndupa(msg, 4);
free(cpy); // BAD [NOT DETECTED]
}

10
cpp/ql/test/query-tests/Critical/OverflowStatic/test.cpp
View File

@@ -46,3 +46,13 @@ void f2(char *src)
ptr = &(buffer[1]);
memcpy(ptr, src, 100); // BAD [NOT DETECTED]
}
void f3() {
int i;
char buffer[5];
for (i=0; i<10; i++) {
if (i < 5) {
buffer[i] = 0; // GOOD
}
}
}

2
cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/PointlessComparison.c
View File

@@ -115,7 +115,7 @@ int twoReasons(int a, int b) {
if (a <= 0 && b > 5) {
return a < b;
}
if (a <= 100 && b > 105) {
if (a <= 100 && b > 105) { // BUG [Not detected - this clause is always false]
return a > b;
}
return 0;

1
cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/CastArrayPointerArithmetic.expected
View File

@@ -34,6 +34,7 @@ nodes
| test.cpp:88:21:88:22 | d2 | semmle.label | d2 |
| test.cpp:95:21:95:21 | d | semmle.label | d |
| test.cpp:96:21:96:23 | dss | semmle.label | dss |
subpaths
#select
| test.cpp:27:2:27:2 | b | test.cpp:57:19:57:19 | d | test.cpp:27:2:27:2 | b | Pointer arithmetic here may be done with the wrong type because of the cast $@. | test.cpp:57:19:57:19 | d | here |
| test.cpp:27:2:27:2 | b | test.cpp:74:19:74:21 | dss | test.cpp:27:2:27:2 | b | Pointer arithmetic here may be done with the wrong type because of the cast $@. | test.cpp:74:19:74:21 | dss | here |

1
cpp/ql/test/query-tests/Likely Bugs/Conversion/ImplicitDowncastFromBitfield/ImplicitDowncastFromBitfield.expected
View File

@@ -1 +1,2 @@
| test.cpp:10:11:10:11 | x | Implicit downcast of bitfield $@ | test.cpp:2:6:2:6 | x | x |
| test.cpp:26:25:26:25 | x | Implicit downcast of bitfield $@ | test.cpp:2:6:2:6 | x | x |

30
cpp/ql/test/query-tests/Likely Bugs/Conversion/ImplicitDowncastFromBitfield/test.cpp
View File

@@ -3,21 +3,41 @@ typedef struct {
} my_struct;
int getX1(my_struct m) {
return m.x;
return m.x; // GOOD
}
short getX2(my_struct m) {
return m.x;
return m.x; // BAD
}
short getX3(my_struct m) {
return (short) m.x;
return (short) m.x; // GOOD
}
bool getX4(my_struct m) {
return m.x;
return m.x; // GOOD
}
short getX5(my_struct m) {
return (char) m.x;
return (char) m.x; // GOOD
}
const char& getx6(my_struct& m) {
const char& result = m.x; // BAD
return result;
}
const short& getx7(my_struct& m) {
const short& result = (short) m.x; // GOOD
return result;
}
const int& getx8(my_struct& m) {
const int& result = m.x; // GOOD
return result;
}
const bool& getx9(my_struct& m) {
const bool& result = m.x; // GOOD
return result;
}

4
cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/WrongTypeFormatArguments.expected
View File

@@ -3,12 +3,8 @@
| tests.cpp:21:15:21:21 | Hello | This argument should be of type 'char16_t *' but is of type 'char *' |
| tests.cpp:21:15:21:21 | Hello | This argument should be of type 'wchar_t *' but is of type 'char *' |
| tests.cpp:26:17:26:24 | Hello | This argument should be of type 'char *' but is of type 'char16_t *' |
| tests.cpp:27:17:27:24 | Hello | This argument should be of type 'char *' but is of type 'wchar_t *' |
| tests.cpp:29:17:29:23 | Hello | This argument should be of type 'wchar_t *' but is of type 'char *' |
| tests.cpp:30:17:30:24 | Hello | This argument should be of type 'wchar_t *' but is of type 'char16_t *' |
| tests.cpp:34:36:34:43 | Hello | This argument should be of type 'char *' but is of type 'char16_t *' |
| tests.cpp:35:36:35:43 | Hello | This argument should be of type 'char *' but is of type 'wchar_t *' |
| tests.cpp:37:36:37:42 | Hello | This argument should be of type 'char16_t *' but is of type 'char *' |
| tests.cpp:39:36:39:43 | Hello | This argument should be of type 'char16_t *' but is of type 'wchar_t *' |
| tests.cpp:42:37:42:44 | Hello | This argument should be of type 'char *' but is of type 'char16_t *' |
| tests.cpp:43:37:43:44 | Hello | This argument should be of type 'char *' but is of type 'wchar_t *' |

8
cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/tests.cpp
View File

@@ -24,17 +24,17 @@ void tests() {
wprintf(L"%s", "Hello"); // GOOD
wprintf(L"%s", u"Hello"); // BAD: expecting char
wprintf(L"%s", L"Hello"); // BAD: expecting char
wprintf(L"%s", L"Hello"); // BAD: expecting char [NOT DETECTED; correct on Microsoft platforms]
wprintf(L"%S", "Hello"); // BAD: expecting wchar_t
wprintf(L"%S", "Hello"); // BAD: expecting wchar_t [NOT DETECTED; correct on Microsoft platforms]
wprintf(L"%S", u"Hello"); // BAD: expecting wchar_t
wprintf(L"%S", L"Hello"); // GOOD
swprintf(buffer, BUF_SIZE, u"%s", "Hello"); // GOOD
swprintf(buffer, BUF_SIZE, u"%s", u"Hello"); // BAD: expecting char
swprintf(buffer, BUF_SIZE, u"%s", u"Hello"); // BAD: expecting char [NOT DETECTED; correct on Microsoft platforms]
swprintf(buffer, BUF_SIZE, u"%s", L"Hello"); // BAD: expecting char
swprintf(buffer, BUF_SIZE, u"%S", "Hello"); // BAD: expecting char16_t
swprintf(buffer, BUF_SIZE, u"%S", "Hello"); // BAD: expecting char16_t [NOT DETECTED; correct on Microsoft platforms]
swprintf(buffer, BUF_SIZE, u"%S", u"Hello"); // GOOD
swprintf(buffer, BUF_SIZE, u"%S", L"Hello"); // BAD: expecting char16_t

1
cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_two_byte_wprintf/WrongTypeFormatArguments.expected
View File

@@ -1,3 +1,2 @@
| printf.cpp:31:31:31:37 | test | This argument should be of type 'char *' but is of type 'char16_t *' |
| printf.cpp:43:29:43:35 | test | This argument should be of type 'char *' but is of type 'char16_t *' |
| printf.cpp:50:29:50:35 | test | This argument should be of type 'char16_t *' but is of type 'wchar_t *' |

2
cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_two_byte_wprintf/printf.cpp
View File

@@ -28,7 +28,7 @@ int sprintf(char *dest, char *format, ...);
void test1() {
WCHAR string[20];
swprintf(string, u"test %s", u"test"); // BAD: `char16_t` string parameter read as `char` string
swprintf(string, u"test %s", u"test"); // BAD: `char16_t` string parameter read as `char` string [NOT DETECTED; correct on Microsoft platforms]
}
void test2() {

2
cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/WrongTypeFormatArguments.expected
View File

@@ -11,8 +11,6 @@
| printf1.h:45:18:45:20 | ull | This argument should be of type 'unsigned int' but is of type 'unsigned long long' |
| printf1.h:46:18:46:20 | ull | This argument should be of type 'unsigned int' but is of type 'unsigned long long' |
| printf1.h:130:18:130:18 | 0 | This argument should be of type 'void *' but is of type 'int' |
| printf1.h:154:18:154:19 | wc | This argument should be of type 'char *' but is of type 'wchar_t *' |
| printf1.h:155:18:155:18 | c | This argument should be of type 'wchar_t *' but is of type 'char *' |
| printf1.h:168:19:168:19 | i | This argument should be of type 'long long' but is of type 'int' |
| printf1.h:169:19:169:20 | ui | This argument should be of type 'unsigned long long' but is of type 'unsigned int' |
| real_world.h:61:21:61:22 | & ... | This argument should be of type 'int *' but is of type 'short *' |

4
cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/printf1.h
View File

@@ -151,8 +151,8 @@ void test_chars(char c, wchar_t wc, wint_t wt)
void test_ws(char *c, wchar_t *wc)
{
wprintf(L"%s", c); // GOOD
wprintf(L"%s", wc); // BAD
wprintf(L"%S", c); // BAD
wprintf(L"%s", wc); // BAD [NOT DETECTED; correct on Microsoft platforms]
wprintf(L"%S", c); // BAD [NOT DETECTED; correct on Microsoft platforms]
wprintf(L"%S", wc); // GOOD
}

2
cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/WrongTypeFormatArguments.expected
View File

@@ -19,8 +19,6 @@
| printf1.h:116:16:116:24 | myString3 | This argument should be of type '__wchar_t *' but is of type 'int *' |
| printf1.h:117:16:117:24 | myString4 | This argument should be of type '__wchar_t *' but is of type 'int *' |
| printf1.h:130:18:130:18 | 0 | This argument should be of type 'void *' but is of type 'int' |
| printf1.h:153:18:153:18 | c | This argument should be of type '__wchar_t *' but is of type 'char *' |
| printf1.h:156:18:156:19 | wc | This argument should be of type 'char *' but is of type '__wchar_t *' |
| printf1.h:181:21:181:22 | ll | This argument should be of type 'int' but is of type 'long long' |
| printf1.h:182:21:182:23 | ull | This argument should be of type 'unsigned int' but is of type 'unsigned long long' |
| printf1.h:185:21:185:23 | i64 | This argument should be of type 'int' but is of type 'long long' |

4
cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/printf1.h
View File

@@ -150,10 +150,10 @@ void test_chars(char c, wchar_t wc, wint_t wt)
void test_ws(char *c, wchar_t *wc, wint_t *wt)
{
wprintf(L"%s", c); // BAD
wprintf(L"%s", c); // BAD [NOT DETECTED; correct on non-Microsoft platforms]
wprintf(L"%s", wc); // GOOD
wprintf(L"%S", c); // GOOD
wprintf(L"%S", wc); // BAD
wprintf(L"%S", wc); // BAD [NOT DETECTED; correct on non-Microsoft platforms]
}
void fun4()

25
cpp/ql/test/query-tests/Likely Bugs/Memory Management/ImproperNullTermination/ImproperNullTermination.expected Normal file
View File

@@ -0,0 +1,25 @@
| test.cpp:25:10:25:16 | buffer1 | Variable $@ may not be null terminated. | test.cpp:22:8:22:14 | buffer1 | buffer1 |
| test.cpp:26:10:26:16 | buffer2 | Variable $@ may not be null terminated. | test.cpp:23:8:23:14 | buffer2 | buffer2 |
| test.cpp:39:10:39:16 | buffer2 | Variable $@ may not be null terminated. | test.cpp:35:8:35:14 | buffer2 | buffer2 |
| test.cpp:59:10:59:13 | ptr1 | Variable $@ may not be null terminated. | test.cpp:56:9:56:12 | ptr1 | ptr1 |
| test.cpp:69:10:69:16 | buffer1 | Variable $@ may not be null terminated. | test.cpp:64:8:64:14 | buffer1 | buffer1 |
| test.cpp:70:10:70:12 | ptr | Variable $@ may not be null terminated. | test.cpp:64:8:64:14 | buffer1 | buffer1 |
| test.cpp:81:10:81:16 | buffer2 | Variable $@ may not be null terminated. | test.cpp:65:8:65:14 | buffer2 | buffer2 |
| test.cpp:82:10:82:12 | ptr | Variable $@ may not be null terminated. | test.cpp:65:8:65:14 | buffer2 | buffer2 |
| test.cpp:93:10:93:15 | buffer | Variable $@ may not be null terminated. | test.cpp:86:8:86:13 | buffer | buffer |
| test.cpp:116:10:116:15 | buffer | Variable $@ may not be null terminated. | test.cpp:109:8:109:13 | buffer | buffer |
| test.cpp:130:14:130:19 | buffer | Variable $@ may not be null terminated. | test.cpp:127:7:127:12 | buffer | buffer |
| test.cpp:139:10:139:15 | buffer | Variable $@ may not be null terminated. | test.cpp:136:8:136:13 | buffer | buffer |
| test.cpp:147:14:147:19 | buffer | Variable $@ may not be null terminated. | test.cpp:143:8:143:13 | buffer | buffer |
| test.cpp:182:10:182:15 | buffer | Variable $@ may not be null terminated. | test.cpp:178:8:178:13 | buffer | buffer |
| test.cpp:234:10:234:15 | buffer | Variable $@ may not be null terminated. | test.cpp:232:8:232:13 | buffer | buffer |
| test.cpp:262:10:262:15 | buffer | Variable $@ may not be null terminated. | test.cpp:259:8:259:13 | buffer | buffer |
| test.cpp:283:10:283:15 | buffer | Variable $@ may not be null terminated. | test.cpp:280:8:280:13 | buffer | buffer |
| test.cpp:300:10:300:16 | buffer2 | Variable $@ may not be null terminated. | test.cpp:295:8:295:14 | buffer2 | buffer2 |
| test.cpp:312:10:312:15 | buffer | Variable $@ may not be null terminated. | test.cpp:308:8:308:13 | buffer | buffer |
| test.cpp:327:18:327:23 | buffer | Variable $@ may not be null terminated. | test.cpp:326:8:326:13 | buffer | buffer |
| test.cpp:346:11:346:16 | buffer | Variable $@ may not be null terminated. | test.cpp:341:8:341:13 | buffer | buffer |
| test.cpp:355:11:355:16 | buffer | Variable $@ may not be null terminated. | test.cpp:350:8:350:13 | buffer | buffer |
| test.cpp:365:19:365:25 | buffer2 | Variable $@ may not be null terminated. | test.cpp:363:8:363:14 | buffer2 | buffer2 |
| test.cpp:392:17:392:22 | buffer | Variable $@ may not be null terminated. | test.cpp:390:8:390:13 | buffer | buffer |
| test.cpp:398:18:398:23 | buffer | Variable $@ may not be null terminated. | test.cpp:396:8:396:13 | buffer | buffer |

1
cpp/ql/test/query-tests/Likely Bugs/Memory Management/ImproperNullTermination/ImproperNullTermination.qlref Normal file
View File

@@ -0,0 +1 @@
Likely Bugs/Memory Management/ImproperNullTermination.ql

2
cpp/ql/test/query-tests/Likely Bugs/Memory Management/ImproperNullTermination/ImproperNullTerminationTainted.expected Normal file
View File

@@ -0,0 +1,2 @@
| test.cpp:410:10:410:15 | buffer | $@ flows to here and may not be null terminated. | test.cpp:409:18:409:23 | buffer | User-provided value |
| test.cpp:425:10:425:15 | buffer | $@ flows to here and may not be null terminated. | test.cpp:424:9:424:14 | buffer | User-provided value |

1
cpp/ql/test/query-tests/Likely Bugs/Memory Management/ImproperNullTermination/ImproperNullTerminationTainted.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE/CWE-170/ImproperNullTerminationTainted.ql

435
cpp/ql/test/query-tests/Likely Bugs/Memory Management/ImproperNullTermination/test.cpp Normal file
View File

@@ -0,0 +1,435 @@
typedef unsigned int size_t;
typedef signed int ssize_t;
typedef struct {} FILE;
size_t strlen(const char *s);
char *strcpy(char *s1, const char *s2);
char *strcat(char *s1, const char *s2);
char *strdup(const char *s1);
void *malloc(size_t size);
void *memset(void *s, int c, size_t n);
void *memcpy(void *s1, const void *s2, size_t n);
void read(int src, void *out, int num);
size_t fread(void *ptr, size_t size, size_t nmemb, FILE *stream);
ssize_t readlink(const char *path, char *buffer, size_t buffer_size);
ssize_t readlinkat(int fd, const char *path, char *buffer, size_t buffer_size);
bool cond();
void test_unassigned()
{
{
char buffer1[1024];
char buffer2[1024];
strdup(buffer1); // BAD
strdup(buffer2); // BAD
memcpy(buffer2, buffer1, sizeof(buffer2));
strdup(buffer1); // BAD [NOT DETECTED]
strdup(buffer2); // BAD [NOT DETECTED]
}
{
char buffer1[1024];
char buffer2[1024];
strcpy(buffer1, "content");
strdup(buffer1); // GOOD
strdup(buffer2); // BAD
memcpy(buffer2, buffer1, sizeof(buffer2));
strdup(buffer1); // GOOD
strdup(buffer2); // GOOD
}
{
char buffer1[1024] = {0};
char buffer2[1024];
memset(buffer2, 0, sizeof(buffer2));
strdup(buffer1); // GOOD
strdup(buffer2); // GOOD
}
{
char *ptr1;
char *ptr2 = "content";
strdup(ptr1); // BAD
strdup(ptr2); // GOOD
}
{
char buffer1[1024];
char buffer2[1024];
char *ptr;
ptr = buffer1;
strdup(buffer1); // BAD
strdup(ptr); // BAD
strcpy(buffer1, "content");
strdup(buffer1); // GOOD
strdup(ptr); // GOOD
ptr = buffer1;
strdup(buffer1); // GOOD
strdup(ptr); // GOOD
ptr = buffer2;
strdup(buffer2); // BAD
strdup(ptr); // BAD
}
{
char buffer[1024];
if (cond())
{
strcpy(buffer, "content");
strdup(buffer); // GOOD
}
strdup(buffer); // BAD
}
{
char buffer[1024];
if (cond())
{
strcpy(buffer, "content");
} else {
strcpy(buffer, "alternative");
}
strdup(buffer); // GOOD
}
{
char buffer[1024];
while (cond())
{
strcpy(buffer, "content");
strdup(buffer); // GOOD
}
strdup(buffer); // BAD
}
}
void test_callee(char *p1, char *p2)
{
strdup(p1);
}
void test_caller()
{
char buffer[1024];
test_callee("content", buffer); // GOOD
test_callee(buffer, "content"); // BAD
}
void test_readlink(int fd, const char *path, size_t sz)
{
{
char buffer[1024];
readlink(path, buffer, sizeof(buffer));
strdup(buffer); // BAD
}
{
char buffer[1024];
int v;
readlinkat(fd, path, buffer, sizeof(buffer));
v = strlen(buffer); // BAD
}
{
char buffer[1024] = {0};
readlink(path, buffer, sizeof(buffer) - 1);
strdup(buffer); // GOOD
}
{
char buffer[1024];
ssize_t len;
len = readlink(path, buffer, sizeof(buffer));
if (len >= 0)
{
buffer[len - 1] = 0;
strdup(buffer); // GOOD
}
}
{
char buffer[1024];
memset(buffer, 0, sizeof(buffer));
readlink(path, buffer, sizeof(buffer) - 1);
strdup(buffer); // GOOD
}
{
char buffer[1024];
memset(buffer, 0, sizeof(buffer));
readlink(path, buffer, sizeof(buffer));
strdup(buffer); // BAD
}
{
char buffer[1024];
memset(buffer, 0, sizeof(buffer));
readlink(path, buffer, sizeof(buffer));
buffer[sizeof(buffer) - 1] = 0;
strdup(buffer); // GOOD
}
{
char *buffer = (char *)malloc(1024);
readlink(path, buffer, 1024);
strdup(buffer); // BAD [NOT DETECTED]
}
{
char *buffer = (char *)malloc(1024);
buffer[1023] = 0;
readlink(path, buffer, 1023);
strdup(buffer); // GOOD
}
{
char *buffer = (char *)malloc(sz);
readlink(path, buffer, sz);
strdup(buffer); // BAD [NOT DETECTED]
}
{
char *buffer = (char *)malloc(sz);
memset(buffer, 0, sz);
readlink(path, buffer, sz - 1);
strdup(buffer); // GOOD
}
}
void doNothing(char *data) { };
void doNothing2(const char *data);
void clearBuffer(char *data, size_t size);
void test_strcat()
{
{
char buffer[1024];
strcat(buffer, "content"); // BAD
}
{
char buffer[1024];
buffer[0] = 0;
strcat(buffer, "content"); // GOOD
}
{
char buffer[1024];
buffer[10] = 0;
strcat(buffer, "content"); // GOOD
}
{
char buffer[1024];
buffer[0] = '\0';
strcat(buffer, "content"); // GOOD
}
{
char buffer[1024];
buffer[0] = 'a';
strcat(buffer, "content"); // BAD
}
{
char buffer[1024];
*buffer = 0;
strcat(buffer, "content"); // GOOD
}
{
char buffer[1024];
strcpy(buffer, "con");
strcat(buffer, "tent"); // GOOD
}
{
char buffer[1024];
doNothing(buffer);
strcat(buffer, "content"); // BAD
}
{
char buffer[1024];
doNothing2(buffer);
strcat(buffer, "content"); // BAD [NOT DETECTED]
}
{
char buffer1[1024];
char buffer2[1024];
char *buffer_ptr = buffer1;
*buffer_ptr = 0;
strcat(buffer1, "content"); // GOOD
strcat(buffer2, "content"); // BAD
strcat(buffer_ptr, "content"); // GOOD
buffer_ptr = buffer2;
strcat(buffer_ptr, "content"); // BAD [NOT DETECTED]
}
{
char buffer[1024];
char *buffer_ptr = buffer;
*buffer_ptr = 'a';
strcat(buffer, "content"); // BAD
}
{
char buffer[1024];
clearBuffer(buffer, 1024);
strcat(buffer, "content"); // GOOD
}
}
void test_strlen(bool cond1, bool cond2)
{
{
char buffer[1024];
int i = strlen(buffer); // BAD
}
{
char buffer[1024] = {0};
int i = strlen(buffer); // GOOD
}
{
char *ptr = "content";
int i = strlen(ptr); // GOOD
}
{
char buffer[1024];
if (cond1)
buffer[0] = 0;
if (cond1)
strlen(buffer); // GOOD [FALSE POSITIVE]
}
{
char buffer[1024];
if (cond1)
buffer[0] = 0;
if (cond2)
strlen(buffer); // BAD
}
}
void test_strcpy()
{
{
char buffer1[1024];
char buffer2[1024];
strcpy(buffer1, buffer2); // BAD
}
{
char buffer1[1024];
char buffer2[1024];
strcpy(buffer2, "content"); // GOOD
strcpy(buffer1, buffer2); // GOOD
}
}
void strcatWrapper(char *data, const char *with)
{
strcat(data, with);
}
void strcatWrapper2(char *data, const char *with)
{
strcatWrapper(data, with);
}
void test_wrappers()
{
{
char buffer[1024];
strcatWrapper(buffer, "content"); // BAD
}
{
char buffer[1024];
strcatWrapper2(buffer, "content"); // BAD
}
}
void test_read_fread(int read_src, FILE *s)
{
const size_t buffer_size = 80;
{
char buffer[buffer_size];
read(read_src, buffer, buffer_size * sizeof(char));
strlen(buffer); // BAD
}
{
char buffer[buffer_size];
read(read_src, buffer, buffer_size * sizeof(char));
buffer[buffer_size - 1] = 0;
strlen(buffer); // GOOD
}
{
char buffer[buffer_size];
fread(buffer, sizeof(char), buffer_size, s);
strlen(buffer); // BAD
}
{
char buffer[buffer_size];
fread(buffer, sizeof(char), buffer_size, s);
buffer[buffer_size - 1] = 0;
strlen(buffer); // GOOD
}
}

39
cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/test_buffer_overrun.cpp Normal file
View File

@@ -0,0 +1,39 @@
typedef unsigned char uint8_t;
#define SIZE (32)
void test_buffer_overrun_in_for_loop()
{
uint8_t data[SIZE] = {0};
for (int x = 0; x < SIZE * 2; x++) {
data[x] = 0x41; // BAD [NOT DETECTED]
}
}
void test_buffer_overrun_in_while_loop_using_pointer_arithmetic()
{
uint8_t data[SIZE] = {0};
int offset = 0;
while (offset < SIZE * 2) {
*(data + offset) = 0x41; // BAD [NOT DETECTED]
offset++;
}
}
void test_buffer_overrun_in_while_loop_using_array_indexing()
{
uint8_t data[SIZE] = {0};
int offset = 0;
while (offset < SIZE * 2) {
data[offset] = 0x41; // BAD [NOT DETECTED]
offset++;
}
}
int main(int argc, char *argv[])
{
test_buffer_overrun_in_for_loop();
test_buffer_overrun_in_while_loop_using_pointer_arithmetic();
test_buffer_overrun_in_while_loop_using_array_indexing();
return 0;
}

2
cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp
View File

@@ -114,7 +114,7 @@ void test6(bool cond)
c = 100;
buffer[c] = 'x'; // BAD: over-write [NOT DETECTED]
ch = buffer[c]; // BAD: under-read [NOT DETECTED]
ch = buffer[c]; // BAD: over-read [NOT DETECTED]
d = 0;
d = 1000;

18
cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected
View File

@@ -1,4 +1,5 @@
edges
| argvLocal.c:9:25:9:31 | correct | argvLocal.c:9:25:9:31 | *correct |
| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | (const char *)... |
| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | (const char *)... |
| argvLocal.c:95:9:95:12 | argv | argvLocal.c:95:9:95:15 | access to array |
@@ -13,6 +14,7 @@ edges
| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array |
| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array indirection |
| argvLocal.c:96:15:96:18 | argv | argvLocal.c:96:15:96:21 | access to array indirection |
| argvLocal.c:96:15:96:21 | access to array indirection | argvLocal.c:9:25:9:31 | *correct |
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | (const char *)... |
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | (const char *)... |
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:101:9:101:10 | i1 |
@@ -41,6 +43,7 @@ edges
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 |
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 indirection |
| argvLocal.c:100:7:100:10 | argv | argvLocal.c:145:15:145:16 | i7 indirection |
| argvLocal.c:102:15:102:16 | i1 indirection | argvLocal.c:9:25:9:31 | *correct |
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | (const char *)... |
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | (const char *)... |
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:106:9:106:13 | access to array |
@@ -69,6 +72,8 @@ edges
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... |
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... indirection |
| argvLocal.c:105:14:105:17 | argv | argvLocal.c:111:15:111:17 | * ... indirection |
| argvLocal.c:107:15:107:19 | access to array indirection | argvLocal.c:9:25:9:31 | *correct |
| argvLocal.c:111:15:111:17 | * ... indirection | argvLocal.c:9:25:9:31 | *correct |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | (const char *)... |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | (const char *)... |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:116:9:116:10 | i3 |
@@ -113,7 +118,9 @@ edges
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... indirection |
| argvLocal.c:115:13:115:16 | argv | argvLocal.c:136:15:136:18 | -- ... indirection |
| argvLocal.c:117:2:117:13 | i3 | argvLocal.c:9:25:9:31 | correct |
| argvLocal.c:117:2:117:13 | i3 | argvLocal.c:117:15:117:16 | printWrapper output argument |
| argvLocal.c:117:15:117:16 | i3 indirection | argvLocal.c:9:25:9:31 | *correct |
| argvLocal.c:117:15:117:16 | i3 indirection | argvLocal.c:117:15:117:16 | printWrapper output argument |
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | (const char *)... |
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:121:9:121:10 | i4 |
@@ -129,7 +136,9 @@ edges
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... |
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... |
| argvLocal.c:117:15:117:16 | printWrapper output argument | argvLocal.c:136:15:136:18 | -- ... indirection |
| argvLocal.c:122:2:122:13 | i4 | argvLocal.c:9:25:9:31 | correct |
| argvLocal.c:122:2:122:13 | i4 | argvLocal.c:122:15:122:16 | printWrapper output argument |
| argvLocal.c:122:15:122:16 | i4 indirection | argvLocal.c:9:25:9:31 | *correct |
| argvLocal.c:122:15:122:16 | i4 indirection | argvLocal.c:122:15:122:16 | printWrapper output argument |
| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | (const char *)... |
| argvLocal.c:122:15:122:16 | printWrapper output argument | argvLocal.c:135:9:135:12 | ... ++ |
@@ -165,7 +174,9 @@ edges
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... |
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... indirection |
| argvLocal.c:126:10:126:13 | argv | argvLocal.c:132:15:132:20 | ... + ... indirection |
| argvLocal.c:128:2:128:13 | i5 | argvLocal.c:9:25:9:31 | correct |
| argvLocal.c:128:2:128:13 | i5 | argvLocal.c:128:15:128:16 | printWrapper output argument |
| argvLocal.c:128:15:128:16 | i5 indirection | argvLocal.c:9:25:9:31 | *correct |
| argvLocal.c:128:15:128:16 | i5 indirection | argvLocal.c:128:15:128:16 | printWrapper output argument |
| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:131:9:131:14 | (const char *)... |
| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:131:9:131:14 | ... + ... |
@@ -173,6 +184,9 @@ edges
| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | ... + ... |
| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | ... + ... |
| argvLocal.c:128:15:128:16 | printWrapper output argument | argvLocal.c:132:15:132:20 | ... + ... indirection |
| argvLocal.c:132:15:132:20 | ... + ... indirection | argvLocal.c:9:25:9:31 | *correct |
| argvLocal.c:136:15:136:18 | -- ... indirection | argvLocal.c:9:25:9:31 | *correct |
| argvLocal.c:145:15:145:16 | i7 indirection | argvLocal.c:9:25:9:31 | *correct |
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | (const char *)... |
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | (const char *)... |
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:150:9:150:10 | i8 |
@@ -187,6 +201,7 @@ edges
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 |
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 indirection |
| argvLocal.c:149:11:149:14 | argv | argvLocal.c:151:15:151:16 | i8 indirection |
| argvLocal.c:151:15:151:16 | i8 indirection | argvLocal.c:9:25:9:31 | *correct |
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | (const char *)... |
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | (const char *)... |
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:157:9:157:10 | i9 |
@@ -199,6 +214,7 @@ edges
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 |
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 indirection |
| argvLocal.c:156:23:156:26 | argv | argvLocal.c:158:15:158:16 | i9 indirection |
| argvLocal.c:158:15:158:16 | i9 indirection | argvLocal.c:9:25:9:31 | *correct |
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | (const char *)... |
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | (const char *)... |
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:164:9:164:11 | i91 |
@@ -211,6 +227,7 @@ edges
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 |
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 indirection |
| argvLocal.c:163:22:163:25 | argv | argvLocal.c:165:15:165:17 | i91 indirection |
| argvLocal.c:165:15:165:17 | i91 indirection | argvLocal.c:9:25:9:31 | *correct |
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (char *)... |
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (char *)... |
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:169:9:169:20 | (const char *)... |
@@ -229,6 +246,7 @@ edges
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
| argvLocal.c:168:18:168:21 | argv | argvLocal.c:170:24:170:26 | i10 |
| argvLocal.c:170:15:170:26 | i10 indirection | argvLocal.c:9:25:9:31 | *correct |
nodes
| argvLocal.c:9:25:9:31 | *correct | semmle.label | *correct |
| argvLocal.c:9:25:9:31 | *correct | semmle.label | *correct |

142
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.expected Normal file
View File

@@ -0,0 +1,142 @@
edges
| test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r |
| test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
| test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
| test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r |
| test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r |
| test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r |
| test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r |
| test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
| test.c:125:13:125:16 | call to rand | test.c:127:9:127:9 | r |
| test.c:131:13:131:16 | call to rand | test.c:133:5:133:5 | r |
| test.c:137:13:137:16 | call to rand | test.c:139:10:139:10 | r |
| test.c:155:22:155:25 | call to rand | test.c:157:9:157:9 | r |
| test.c:155:22:155:27 | (unsigned int)... | test.c:157:9:157:9 | r |
| test.cpp:8:9:8:12 | Store | test.cpp:24:11:24:18 | call to get_rand |
| test.cpp:8:9:8:12 | call to rand | test.cpp:8:9:8:12 | Store |
| test.cpp:13:2:13:15 | Chi [[]] | test.cpp:30:13:30:14 | get_rand2 output argument [[]] |
| test.cpp:13:10:13:13 | call to rand | test.cpp:13:2:13:15 | Chi [[]] |
| test.cpp:18:2:18:14 | Chi [[]] | test.cpp:36:13:36:13 | get_rand3 output argument [[]] |
| test.cpp:18:9:18:12 | call to rand | test.cpp:18:2:18:14 | Chi [[]] |
| test.cpp:24:11:24:18 | call to get_rand | test.cpp:25:7:25:7 | r |
| test.cpp:30:13:30:14 | Chi | test.cpp:31:7:31:7 | r |
| test.cpp:30:13:30:14 | get_rand2 output argument [[]] | test.cpp:30:13:30:14 | Chi |
| test.cpp:36:13:36:13 | Chi | test.cpp:37:7:37:7 | r |
| test.cpp:36:13:36:13 | get_rand3 output argument [[]] | test.cpp:36:13:36:13 | Chi |
| test.cpp:62:19:62:22 | call to rand | test.cpp:65:9:65:9 | x |
| test.cpp:62:19:62:24 | (unsigned int)... | test.cpp:65:9:65:9 | x |
| test.cpp:86:10:86:13 | call to rand | test.cpp:90:10:90:10 | x |
| test.cpp:98:10:98:13 | call to rand | test.cpp:102:10:102:10 | x |
| test.cpp:137:10:137:13 | call to rand | test.cpp:146:9:146:9 | y |
| test.cpp:151:10:151:13 | call to rand | test.cpp:154:10:154:10 | b |
| test.cpp:169:11:169:14 | call to rand | test.cpp:171:11:171:16 | (int)... |
| test.cpp:169:11:169:14 | call to rand | test.cpp:171:16:171:16 | y |
| test.cpp:189:10:189:13 | call to rand | test.cpp:196:7:196:7 | x |
| test.cpp:189:10:189:13 | call to rand | test.cpp:198:7:198:7 | x |
| test.cpp:189:10:189:13 | call to rand | test.cpp:199:7:199:7 | x |
| test.cpp:190:10:190:13 | call to rand | test.cpp:204:7:204:7 | y |
| test.cpp:190:10:190:13 | call to rand | test.cpp:205:7:205:7 | y |
| test.cpp:190:10:190:13 | call to rand | test.cpp:208:7:208:7 | y |
| test.cpp:215:11:215:14 | call to rand | test.cpp:219:8:219:8 | x |
| test.cpp:223:20:223:23 | call to rand | test.cpp:227:8:227:8 | x |
| test.cpp:223:20:223:25 | (unsigned int)... | test.cpp:227:8:227:8 | x |
nodes
| test.c:18:13:18:16 | call to rand | semmle.label | call to rand |
| test.c:21:17:21:17 | r | semmle.label | r |
| test.c:34:13:34:18 | call to rand | semmle.label | call to rand |
| test.c:35:5:35:5 | r | semmle.label | r |
| test.c:44:13:44:16 | call to rand | semmle.label | call to rand |
| test.c:45:5:45:5 | r | semmle.label | r |
| test.c:75:13:75:19 | call to rand | semmle.label | call to rand |
| test.c:75:13:75:19 | call to rand | semmle.label | call to rand |
| test.c:77:9:77:9 | r | semmle.label | r |
| test.c:81:14:81:17 | call to rand | semmle.label | call to rand |
| test.c:81:23:81:26 | call to rand | semmle.label | call to rand |
| test.c:83:9:83:9 | r | semmle.label | r |
| test.c:99:14:99:19 | call to rand | semmle.label | call to rand |
| test.c:100:5:100:5 | r | semmle.label | r |
| test.c:125:13:125:16 | call to rand | semmle.label | call to rand |
| test.c:127:9:127:9 | r | semmle.label | r |
| test.c:131:13:131:16 | call to rand | semmle.label | call to rand |
| test.c:133:5:133:5 | r | semmle.label | r |
| test.c:137:13:137:16 | call to rand | semmle.label | call to rand |
| test.c:139:10:139:10 | r | semmle.label | r |
| test.c:155:22:155:25 | call to rand | semmle.label | call to rand |
| test.c:155:22:155:27 | (unsigned int)... | semmle.label | (unsigned int)... |
| test.c:157:9:157:9 | r | semmle.label | r |
| test.cpp:8:9:8:12 | Store | semmle.label | Store |
| test.cpp:8:9:8:12 | call to rand | semmle.label | call to rand |
| test.cpp:13:2:13:15 | Chi [[]] | semmle.label | Chi [[]] |
| test.cpp:13:10:13:13 | call to rand | semmle.label | call to rand |
| test.cpp:18:2:18:14 | Chi [[]] | semmle.label | Chi [[]] |
| test.cpp:18:9:18:12 | call to rand | semmle.label | call to rand |
| test.cpp:24:11:24:18 | call to get_rand | semmle.label | call to get_rand |
| test.cpp:25:7:25:7 | r | semmle.label | r |
| test.cpp:30:13:30:14 | Chi | semmle.label | Chi |
| test.cpp:30:13:30:14 | get_rand2 output argument [[]] | semmle.label | get_rand2 output argument [[]] |
| test.cpp:31:7:31:7 | r | semmle.label | r |
| test.cpp:36:13:36:13 | Chi | semmle.label | Chi |
| test.cpp:36:13:36:13 | get_rand3 output argument [[]] | semmle.label | get_rand3 output argument [[]] |
| test.cpp:37:7:37:7 | r | semmle.label | r |
| test.cpp:62:19:62:22 | call to rand | semmle.label | call to rand |
| test.cpp:62:19:62:24 | (unsigned int)... | semmle.label | (unsigned int)... |
| test.cpp:65:9:65:9 | x | semmle.label | x |
| test.cpp:86:10:86:13 | call to rand | semmle.label | call to rand |
| test.cpp:90:10:90:10 | x | semmle.label | x |
| test.cpp:98:10:98:13 | call to rand | semmle.label | call to rand |
| test.cpp:102:10:102:10 | x | semmle.label | x |
| test.cpp:137:10:137:13 | call to rand | semmle.label | call to rand |
| test.cpp:146:9:146:9 | y | semmle.label | y |
| test.cpp:151:10:151:13 | call to rand | semmle.label | call to rand |
| test.cpp:154:10:154:10 | b | semmle.label | b |
| test.cpp:169:11:169:14 | call to rand | semmle.label | call to rand |
| test.cpp:171:11:171:16 | (int)... | semmle.label | (int)... |
| test.cpp:171:16:171:16 | y | semmle.label | y |
| test.cpp:189:10:189:13 | call to rand | semmle.label | call to rand |
| test.cpp:190:10:190:13 | call to rand | semmle.label | call to rand |
| test.cpp:196:7:196:7 | x | semmle.label | x |
| test.cpp:198:7:198:7 | x | semmle.label | x |
| test.cpp:199:7:199:7 | x | semmle.label | x |
| test.cpp:204:7:204:7 | y | semmle.label | y |
| test.cpp:205:7:205:7 | y | semmle.label | y |
| test.cpp:208:7:208:7 | y | semmle.label | y |
| test.cpp:215:11:215:14 | call to rand | semmle.label | call to rand |
| test.cpp:219:8:219:8 | x | semmle.label | x |
| test.cpp:223:20:223:23 | call to rand | semmle.label | call to rand |
| test.cpp:223:20:223:25 | (unsigned int)... | semmle.label | (unsigned int)... |
| test.cpp:227:8:227:8 | x | semmle.label | x |
subpaths
#select
| test.c:21:17:21:17 | r | test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:18:13:18:16 | call to rand | Uncontrolled value |
| test.c:35:5:35:5 | r | test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:34:13:34:18 | call to rand | Uncontrolled value |
| test.c:45:5:45:5 | r | test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:44:13:44:16 | call to rand | Uncontrolled value |
| test.c:77:9:77:9 | r | test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:75:13:75:19 | call to rand | Uncontrolled value |
| test.c:77:9:77:9 | r | test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:75:13:75:19 | call to rand | Uncontrolled value |
| test.c:83:9:83:9 | r | test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:81:14:81:17 | call to rand | Uncontrolled value |
| test.c:83:9:83:9 | r | test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:81:23:81:26 | call to rand | Uncontrolled value |
| test.c:100:5:100:5 | r | test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:99:14:99:19 | call to rand | Uncontrolled value |
| test.c:127:9:127:9 | r | test.c:125:13:125:16 | call to rand | test.c:127:9:127:9 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:125:13:125:16 | call to rand | Uncontrolled value |
| test.c:133:5:133:5 | r | test.c:131:13:131:16 | call to rand | test.c:133:5:133:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:131:13:131:16 | call to rand | Uncontrolled value |
| test.c:139:10:139:10 | r | test.c:137:13:137:16 | call to rand | test.c:139:10:139:10 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:137:13:137:16 | call to rand | Uncontrolled value |
| test.c:157:9:157:9 | r | test.c:155:22:155:25 | call to rand | test.c:157:9:157:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:155:22:155:25 | call to rand | Uncontrolled value |
| test.c:157:9:157:9 | r | test.c:155:22:155:27 | (unsigned int)... | test.c:157:9:157:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:155:22:155:25 | call to rand | Uncontrolled value |
| test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | Uncontrolled value |
| test.cpp:31:7:31:7 | r | test.cpp:13:10:13:13 | call to rand | test.cpp:31:7:31:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:13:10:13:13 | call to rand | Uncontrolled value |
| test.cpp:37:7:37:7 | r | test.cpp:18:9:18:12 | call to rand | test.cpp:37:7:37:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:18:9:18:12 | call to rand | Uncontrolled value |
| test.cpp:65:9:65:9 | x | test.cpp:62:19:62:22 | call to rand | test.cpp:65:9:65:9 | x | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.cpp:62:19:62:22 | call to rand | Uncontrolled value |
| test.cpp:65:9:65:9 | x | test.cpp:62:19:62:24 | (unsigned int)... | test.cpp:65:9:65:9 | x | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.cpp:62:19:62:22 | call to rand | Uncontrolled value |
| test.cpp:90:10:90:10 | x | test.cpp:86:10:86:13 | call to rand | test.cpp:90:10:90:10 | x | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:86:10:86:13 | call to rand | Uncontrolled value |
| test.cpp:102:10:102:10 | x | test.cpp:98:10:98:13 | call to rand | test.cpp:102:10:102:10 | x | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:98:10:98:13 | call to rand | Uncontrolled value |
| test.cpp:146:9:146:9 | y | test.cpp:137:10:137:13 | call to rand | test.cpp:146:9:146:9 | y | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:137:10:137:13 | call to rand | Uncontrolled value |
| test.cpp:154:10:154:10 | b | test.cpp:151:10:151:13 | call to rand | test.cpp:154:10:154:10 | b | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:151:10:151:13 | call to rand | Uncontrolled value |
| test.cpp:171:11:171:16 | (int)... | test.cpp:169:11:169:14 | call to rand | test.cpp:171:11:171:16 | (int)... | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:169:11:169:14 | call to rand | Uncontrolled value |
| test.cpp:171:16:171:16 | y | test.cpp:169:11:169:14 | call to rand | test.cpp:171:16:171:16 | y | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:169:11:169:14 | call to rand | Uncontrolled value |
| test.cpp:196:7:196:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:196:7:196:7 | x | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | Uncontrolled value |
| test.cpp:198:7:198:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:198:7:198:7 | x | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | Uncontrolled value |
| test.cpp:199:7:199:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:199:7:199:7 | x | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | Uncontrolled value |
| test.cpp:204:7:204:7 | y | test.cpp:190:10:190:13 | call to rand | test.cpp:204:7:204:7 | y | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:190:10:190:13 | call to rand | Uncontrolled value |
| test.cpp:205:7:205:7 | y | test.cpp:190:10:190:13 | call to rand | test.cpp:205:7:205:7 | y | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:190:10:190:13 | call to rand | Uncontrolled value |
| test.cpp:208:7:208:7 | y | test.cpp:190:10:190:13 | call to rand | test.cpp:208:7:208:7 | y | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:190:10:190:13 | call to rand | Uncontrolled value |
| test.cpp:219:8:219:8 | x | test.cpp:215:11:215:14 | call to rand | test.cpp:219:8:219:8 | x | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:215:11:215:14 | call to rand | Uncontrolled value |
| test.cpp:227:8:227:8 | x | test.cpp:223:20:223:23 | call to rand | test.cpp:227:8:227:8 | x | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:223:20:223:23 | call to rand | Uncontrolled value |
| test.cpp:227:8:227:8 | x | test.cpp:223:20:223:25 | (unsigned int)... | test.cpp:227:8:227:8 | x | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:223:20:223:23 | call to rand | Uncontrolled value |

0
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.qlref → cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.qlref
View File

71
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.c → cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/test.c
View File

@@ -3,12 +3,12 @@
int rand(void);
void trySlice(int start, int end);
void add_100(int);
#define RAND() rand()
#define RANDN(n) (rand() % n)
#define RAND2() (rand() ^ rand())
#define RAND_MAX 32767
@@ -74,29 +74,86 @@ void randomTester() {
{
int r = RAND2();
r = r - 100; // BAD
r = r + 100; // BAD
}
{
int r = (rand() ^ rand());
r = r - 100; // BAD [NOT DETECTED]
r = r + 100; // BAD
}
{
int r = RAND2() - 100; // BAD [NOT DETECTED]
int r = RAND2() + 100; // BAD [NOT DETECTED]
}
{
int r = RAND();
int *ptr_r = &r;
*ptr_r -= 100; // BAD [NOT DETECTED]
*ptr_r += 100; // BAD [NOT DETECTED]
}
{
int r = 0;
int *ptr_r = &r;
*ptr_r = RAND();
r -= 100; // BAD
r += 100; // BAD
}
{
int r = rand();
r = ((2.0 / (RAND_MAX + 1)) * r - 1.0);
add_100(r);
}
}
void add_100(int r) {
r += 100; // GOOD
}
void randomTester2(int bound, int min, int max) {
int r1 = rand() % bound;
r1 += 100; // GOOD (`bound` may possibly be MAX_INT in which case this could
// still overflow, but it's most likely fine)
int r2 = (rand() % (max - min + 1)) + min;
r2 += 100; // GOOD (This is a common way to clamp the random value between [min, max])
}
void moreTests() {
{
int r = rand();
r = r * 100; // BAD
}
{
int r = rand();
r *= 100; // BAD
}
{
int r = rand();
int v = 100;
v *= r; // BAD
}
{
int r = rand();
r <<= 8; // BAD [NOT DETECTED]
}
{
int r = rand();
r = r - 100; // GOOD
}
{
unsigned int r = rand();
r = r - 100; // BAD
}
}

229
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/test.cpp Normal file
View File

@@ -0,0 +1,229 @@
// Semmle test case for rule ArithmeticUncontrolled.ql (Uncontrolled data in arithmetic expression).
// Associated with CWE-190: Integer Overflow or Wraparound. http://cwe.mitre.org/data/definitions/190.html
int rand(void);
int get_rand()
{
return rand();
}
void get_rand2(int *dest)
{
*dest = rand();
}
void get_rand3(int &dest)
{
dest = rand();
}
void randomTester2()
{
{
int r = get_rand();
r = r + 100; // BAD
}
{
int r;
get_rand2(&r);
r = r + 100; // BAD
}
{
int r;
get_rand3(r);
r = r + 100; // BAD
}
}
int rand(int min, int max);
unsigned rand(int max);
void test_with_bounded_randomness() {
int r = rand(0, 10);
r++; // GOOD
unsigned unsigned_r = rand(10);
unsigned_r++; // GOOD
}
int test_remainder_subtract()
{
int x = rand();
int y = x % 100; // y <= x
return x - y; // GOOD (as y <= x)
}
unsigned int test_remainder_subtract_unsigned()
{
unsigned int x = rand();
unsigned int y = x % 100; // y <= x
return x - y; // GOOD (as y <= x) [FALSE POSITIVE]
}
typedef unsigned long size_t;
int snprintf(char *s, size_t n, const char *format, ...);
int test_buffer(char *buf_start, char *buf_end)
{
int len = buf_end - buf_start;
return len * 2; // GOOD
}
int test_snprintf(char *buf, size_t buf_sz)
{
snprintf(buf, buf_sz, "my random number: %i\n", rand());
test_buffer(buf, buf + buf_sz);
}
int test_else_1()
{
int x = rand();
if (x > 100)
{
return x * 10; // BAD
} else {
return x * 10; // GOOD (as x <= 100)
}
}
int test_else_2()
{
int x = rand();
if (x > 100)
{
return x * 10; // BAD
}
return x * 10; // GOOD (as x <= 100)
}
int test_conditional_assignment_1()
{
int x = rand();
int y = 100;
if (x < y)
{
y = x;
return y * 10; // GOOD (as y <= 100)
} else {
return y * 10; // GOOD (as y = 100)
}
}
int test_conditional_assignment_2()
{
int x = rand();
int y = 100;
if (x < y)
{
y = x;
}
return y * 10; // GOOD (as y <= 100)
}
int test_conditional_assignment_3()
{
int x = rand();
int y = 100;
int c = 10;
if (x < y)
{
y = x;
}
return y * c; // GOOD (as y <= 100) [FALSE POSITIVE]
}
int test_underflow()
{
int x = rand();
int a = -x; // GOOD
int b = 10 - x; // GOOD
int c = b * 2; // BAD
}
int test_cast()
{
int x = rand();
short a = x; // BAD [NOT DETECTED]
short b = -x; // BAD [NOT DETECTED]
long long c = x; // GOOD
long long d = -x; // GOOD
}
void test_float()
{
{
int x = rand();
float y = x; // GOOD
int z = (int)y * 5; // BAD
}
{
int x = rand();
float y = x * 5.0f; // GOOD
int z = y; // BAD [NOT DETECTED]
}
{
int x = rand();
float y = x / 10.0f; // GOOD
int z = (int)y * 5; // GOOD
}
}
void test_if_const_bounded()
{
int x = rand();
int y = rand();
int c = 10;
if (x < 1000)
{
x = x * 2; // GOOD
x = x * c; // GOOD [FALSE POSITIVE]
} else {
x = x * 2; // BAD
x = x * c; // BAD
}
if (y > 1000)
{
y = y * 2; // BAD
y = y * c; // BAD
} else {
y = y * 2; // GOOD
y = y * c; // GOOD [FALSE POSITIVE]
}
}
void test_mod_limit()
{
{
int x = rand();
int y = 100;
int z;
z = (x + y) % 1000; // BAD
}
{
unsigned int x = rand();
unsigned int y = 100;
unsigned int z;
z = (x + y) % 1000; // DUBIOUS (this could overflow but the result is controlled) [REPORTED]
}
}

0
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/ArithmeticWithExtremeValues.expected → cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticWithExtremeValues/ArithmeticWithExtremeValues.expected
View File

0
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/ArithmeticWithExtremeValues.qlref → cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticWithExtremeValues/ArithmeticWithExtremeValues.qlref
View File

0
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/test.c → cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticWithExtremeValues/test.c
View File

18
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
View File

@@ -59,20 +59,20 @@ edges
| test.cpp:237:24:237:37 | (const char *)... | test.cpp:247:2:247:8 | local_size |
| test.cpp:245:2:245:9 | local_size | test.cpp:224:23:224:23 | s |
| test.cpp:247:2:247:8 | local_size | test.cpp:230:21:230:21 | s |
| test.cpp:251:2:251:32 | Chi [array content] | test.cpp:289:17:289:20 | get_size output argument [array content] |
| test.cpp:251:2:251:32 | Chi [array content] | test.cpp:305:18:305:21 | get_size output argument [array content] |
| test.cpp:251:18:251:23 | call to getenv | test.cpp:251:2:251:32 | Chi [array content] |
| test.cpp:251:18:251:31 | (const char *)... | test.cpp:251:2:251:32 | Chi [array content] |
| test.cpp:251:2:251:32 | Chi [[]] | test.cpp:289:17:289:20 | get_size output argument [[]] |
| test.cpp:251:2:251:32 | Chi [[]] | test.cpp:305:18:305:21 | get_size output argument [[]] |
| test.cpp:251:18:251:23 | call to getenv | test.cpp:251:2:251:32 | Chi [[]] |
| test.cpp:251:18:251:31 | (const char *)... | test.cpp:251:2:251:32 | Chi [[]] |
| test.cpp:259:20:259:25 | call to getenv | test.cpp:263:11:263:29 | ... * ... |
| test.cpp:259:20:259:25 | call to getenv | test.cpp:263:11:263:29 | ... * ... |
| test.cpp:259:20:259:33 | (const char *)... | test.cpp:263:11:263:29 | ... * ... |
| test.cpp:259:20:259:33 | (const char *)... | test.cpp:263:11:263:29 | ... * ... |
| test.cpp:289:17:289:20 | Chi | test.cpp:291:11:291:28 | ... * ... |
| test.cpp:289:17:289:20 | Chi | test.cpp:291:11:291:28 | ... * ... |
| test.cpp:289:17:289:20 | get_size output argument [array content] | test.cpp:289:17:289:20 | Chi |
| test.cpp:289:17:289:20 | get_size output argument [[]] | test.cpp:289:17:289:20 | Chi |
| test.cpp:305:18:305:21 | Chi | test.cpp:308:10:308:27 | ... * ... |
| test.cpp:305:18:305:21 | Chi | test.cpp:308:10:308:27 | ... * ... |
| test.cpp:305:18:305:21 | get_size output argument [array content] | test.cpp:305:18:305:21 | Chi |
| test.cpp:305:18:305:21 | get_size output argument [[]] | test.cpp:305:18:305:21 | Chi |
nodes
| test.cpp:40:21:40:24 | argv | semmle.label | argv |
| test.cpp:40:21:40:24 | argv | semmle.label | argv |
@@ -136,7 +136,7 @@ nodes
| test.cpp:241:9:241:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
| test.cpp:245:2:245:9 | local_size | semmle.label | local_size |
| test.cpp:247:2:247:8 | local_size | semmle.label | local_size |
| test.cpp:251:2:251:32 | Chi [array content] | semmle.label | Chi [array content] |
| test.cpp:251:2:251:32 | Chi [[]] | semmle.label | Chi [[]] |
| test.cpp:251:2:251:32 | ChiPartial | semmle.label | ChiPartial |
| test.cpp:251:18:251:23 | call to getenv | semmle.label | call to getenv |
| test.cpp:251:18:251:31 | (const char *)... | semmle.label | (const char *)... |
@@ -146,12 +146,12 @@ nodes
| test.cpp:263:11:263:29 | ... * ... | semmle.label | ... * ... |
| test.cpp:263:11:263:29 | ... * ... | semmle.label | ... * ... |
| test.cpp:289:17:289:20 | Chi | semmle.label | Chi |
| test.cpp:289:17:289:20 | get_size output argument [array content] | semmle.label | get_size output argument [array content] |
| test.cpp:289:17:289:20 | get_size output argument [[]] | semmle.label | get_size output argument [[]] |
| test.cpp:291:11:291:28 | ... * ... | semmle.label | ... * ... |
| test.cpp:291:11:291:28 | ... * ... | semmle.label | ... * ... |
| test.cpp:291:11:291:28 | ... * ... | semmle.label | ... * ... |
| test.cpp:305:18:305:21 | Chi | semmle.label | Chi |
| test.cpp:305:18:305:21 | get_size output argument [array content] | semmle.label | get_size output argument [array content] |
| test.cpp:305:18:305:21 | get_size output argument [[]] | semmle.label | get_size output argument [[]] |
| test.cpp:308:10:308:27 | ... * ... | semmle.label | ... * ... |
| test.cpp:308:10:308:27 | ... * ... | semmle.label | ... * ... |
| test.cpp:308:10:308:27 | ... * ... | semmle.label | ... * ... |

77
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected
View File

@@ -1,9 +1,68 @@
| test2.cpp:14:11:14:11 | v | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test2.cpp:25:22:25:23 | & ... | User-provided value |
| test2.cpp:14:11:14:11 | v | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test2.cpp:25:22:25:23 | & ... | User-provided value |
| test5.cpp:17:6:17:18 | call to getTaintedInt | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
| test5.cpp:19:6:19:6 | y | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
| test5.cpp:19:6:19:6 | y | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
| test.c:14:15:14:28 | maxConnections | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:11:29:11:32 | argv | User-provided value |
| test.c:14:15:14:28 | maxConnections | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:11:29:11:32 | argv | User-provided value |
| test.c:44:7:44:10 | len2 | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:41:17:41:20 | argv | User-provided value |
| test.c:54:7:54:10 | len3 | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:51:17:51:20 | argv | User-provided value |
edges
| test2.cpp:12:21:12:21 | v | test2.cpp:14:11:14:11 | v |
| test2.cpp:12:21:12:21 | v | test2.cpp:14:11:14:11 | v |
| test2.cpp:25:22:25:23 | & ... | test2.cpp:27:2:27:11 | v |
| test2.cpp:25:22:25:23 | fscanf output argument | test2.cpp:27:2:27:11 | v |
| test2.cpp:27:2:27:11 | v | test2.cpp:12:21:12:21 | v |
| test5.cpp:9:7:9:9 | buf | test5.cpp:10:9:10:27 | Store |
| test5.cpp:9:7:9:9 | gets output argument | test5.cpp:10:9:10:27 | Store |
| test5.cpp:10:9:10:27 | Store | test5.cpp:17:6:17:18 | call to getTaintedInt |
| test5.cpp:10:9:10:27 | Store | test5.cpp:17:6:17:18 | call to getTaintedInt |
| test5.cpp:10:9:10:27 | Store | test5.cpp:18:6:18:18 | call to getTaintedInt |
| test5.cpp:18:6:18:18 | call to getTaintedInt | test5.cpp:19:6:19:6 | y |
| test5.cpp:18:6:18:18 | call to getTaintedInt | test5.cpp:19:6:19:6 | y |
| test.c:11:29:11:32 | argv | test.c:14:15:14:28 | maxConnections |
| test.c:11:29:11:32 | argv | test.c:14:15:14:28 | maxConnections |
| test.c:11:29:11:32 | argv | test.c:14:15:14:28 | maxConnections |
| test.c:11:29:11:32 | argv | test.c:14:15:14:28 | maxConnections |
| test.c:41:17:41:20 | argv | test.c:44:7:44:10 | len2 |
| test.c:41:17:41:20 | argv | test.c:44:7:44:10 | len2 |
| test.c:41:17:41:20 | argv | test.c:44:7:44:10 | len2 |
| test.c:41:17:41:20 | argv | test.c:44:7:44:10 | len2 |
| test.c:51:17:51:20 | argv | test.c:54:7:54:10 | len3 |
| test.c:51:17:51:20 | argv | test.c:54:7:54:10 | len3 |
| test.c:51:17:51:20 | argv | test.c:54:7:54:10 | len3 |
| test.c:51:17:51:20 | argv | test.c:54:7:54:10 | len3 |
nodes
| test2.cpp:12:21:12:21 | v | semmle.label | v |
| test2.cpp:14:11:14:11 | v | semmle.label | v |
| test2.cpp:14:11:14:11 | v | semmle.label | v |
| test2.cpp:14:11:14:11 | v | semmle.label | v |
| test2.cpp:25:22:25:23 | & ... | semmle.label | & ... |
| test2.cpp:25:22:25:23 | fscanf output argument | semmle.label | fscanf output argument |
| test2.cpp:27:2:27:11 | v | semmle.label | v |
| test5.cpp:9:7:9:9 | buf | semmle.label | buf |
| test5.cpp:9:7:9:9 | gets output argument | semmle.label | gets output argument |
| test5.cpp:10:9:10:27 | Store | semmle.label | Store |
| test5.cpp:17:6:17:18 | call to getTaintedInt | semmle.label | call to getTaintedInt |
| test5.cpp:17:6:17:18 | call to getTaintedInt | semmle.label | call to getTaintedInt |
| test5.cpp:17:6:17:18 | call to getTaintedInt | semmle.label | call to getTaintedInt |
| test5.cpp:18:6:18:18 | call to getTaintedInt | semmle.label | call to getTaintedInt |
| test5.cpp:19:6:19:6 | y | semmle.label | y |
| test5.cpp:19:6:19:6 | y | semmle.label | y |
| test5.cpp:19:6:19:6 | y | semmle.label | y |
| test.c:11:29:11:32 | argv | semmle.label | argv |
| test.c:11:29:11:32 | argv | semmle.label | argv |
| test.c:14:15:14:28 | maxConnections | semmle.label | maxConnections |
| test.c:14:15:14:28 | maxConnections | semmle.label | maxConnections |
| test.c:14:15:14:28 | maxConnections | semmle.label | maxConnections |
| test.c:41:17:41:20 | argv | semmle.label | argv |
| test.c:41:17:41:20 | argv | semmle.label | argv |
| test.c:44:7:44:10 | len2 | semmle.label | len2 |
| test.c:44:7:44:10 | len2 | semmle.label | len2 |
| test.c:44:7:44:10 | len2 | semmle.label | len2 |
| test.c:51:17:51:20 | argv | semmle.label | argv |
| test.c:51:17:51:20 | argv | semmle.label | argv |
| test.c:54:7:54:10 | len3 | semmle.label | len3 |
| test.c:54:7:54:10 | len3 | semmle.label | len3 |
| test.c:54:7:54:10 | len3 | semmle.label | len3 |
#select
| test2.cpp:14:11:14:11 | v | test2.cpp:25:22:25:23 | & ... | test2.cpp:14:11:14:11 | v | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test2.cpp:25:22:25:23 | & ... | User-provided value |
| test2.cpp:14:11:14:11 | v | test2.cpp:25:22:25:23 | & ... | test2.cpp:14:11:14:11 | v | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test2.cpp:25:22:25:23 | & ... | User-provided value |
| test5.cpp:17:6:17:18 | call to getTaintedInt | test5.cpp:9:7:9:9 | buf | test5.cpp:17:6:17:18 | call to getTaintedInt | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
| test5.cpp:19:6:19:6 | y | test5.cpp:9:7:9:9 | buf | test5.cpp:19:6:19:6 | y | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
| test5.cpp:19:6:19:6 | y | test5.cpp:9:7:9:9 | buf | test5.cpp:19:6:19:6 | y | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
| test.c:14:15:14:28 | maxConnections | test.c:11:29:11:32 | argv | test.c:14:15:14:28 | maxConnections | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:11:29:11:32 | argv | User-provided value |
| test.c:14:15:14:28 | maxConnections | test.c:11:29:11:32 | argv | test.c:14:15:14:28 | maxConnections | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:11:29:11:32 | argv | User-provided value |
| test.c:44:7:44:10 | len2 | test.c:41:17:41:20 | argv | test.c:44:7:44:10 | len2 | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:41:17:41:20 | argv | User-provided value |
| test.c:54:7:54:10 | len3 | test.c:51:17:51:20 | argv | test.c:54:7:54:10 | len3 | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:51:17:51:20 | argv | User-provided value |

8
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml
View File

@@ -1,6 +1,8 @@
# This directory has its own qlpack for reasons detailed in commit 2550788598010fa2117274607c9d58f64f997f34
name: codeql-cpp-tests-cwe-190-tainted
version: 0.0.0
libraryPathDependencies: codeql-cpp
name: codeql/cpp-tests-cwe-190-tainted
version: 0.0.2
dependencies:
codeql/cpp-all: "*"
codeql/cpp-queries: "*"
extractor: cpp
tests: .

98
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
View File

@@ -1,98 +0,0 @@
edges
| test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r |
| test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r |
| test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r |
| test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r |
| test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
| test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
| test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
| test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
| test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
| test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
| test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
| test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
| test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
| test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
| test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
| test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
| test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
| test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
| test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
| test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
| test.cpp:8:9:8:12 | Store | test.cpp:24:11:24:18 | call to get_rand |
| test.cpp:8:9:8:12 | call to rand | test.cpp:8:9:8:12 | Store |
| test.cpp:8:9:8:12 | call to rand | test.cpp:8:9:8:12 | Store |
| test.cpp:13:2:13:15 | Chi [array content] | test.cpp:30:13:30:14 | get_rand2 output argument [array content] |
| test.cpp:13:10:13:13 | call to rand | test.cpp:13:2:13:15 | Chi [array content] |
| test.cpp:13:10:13:13 | call to rand | test.cpp:13:2:13:15 | Chi [array content] |
| test.cpp:18:2:18:14 | Chi [array content] | test.cpp:36:13:36:13 | get_rand3 output argument [array content] |
| test.cpp:18:9:18:12 | call to rand | test.cpp:18:2:18:14 | Chi [array content] |
| test.cpp:18:9:18:12 | call to rand | test.cpp:18:2:18:14 | Chi [array content] |
| test.cpp:24:11:24:18 | call to get_rand | test.cpp:25:7:25:7 | r |
| test.cpp:24:11:24:18 | call to get_rand | test.cpp:25:7:25:7 | r |
| test.cpp:30:13:30:14 | Chi | test.cpp:31:7:31:7 | r |
| test.cpp:30:13:30:14 | Chi | test.cpp:31:7:31:7 | r |
| test.cpp:30:13:30:14 | get_rand2 output argument [array content] | test.cpp:30:13:30:14 | Chi |
| test.cpp:36:13:36:13 | Chi | test.cpp:37:7:37:7 | r |
| test.cpp:36:13:36:13 | Chi | test.cpp:37:7:37:7 | r |
| test.cpp:36:13:36:13 | get_rand3 output argument [array content] | test.cpp:36:13:36:13 | Chi |
nodes
| test.c:18:13:18:16 | call to rand | semmle.label | call to rand |
| test.c:18:13:18:16 | call to rand | semmle.label | call to rand |
| test.c:21:17:21:17 | r | semmle.label | r |
| test.c:21:17:21:17 | r | semmle.label | r |
| test.c:21:17:21:17 | r | semmle.label | r |
| test.c:34:13:34:18 | call to rand | semmle.label | call to rand |
| test.c:34:13:34:18 | call to rand | semmle.label | call to rand |
| test.c:35:5:35:5 | r | semmle.label | r |
| test.c:35:5:35:5 | r | semmle.label | r |
| test.c:35:5:35:5 | r | semmle.label | r |
| test.c:44:13:44:16 | call to rand | semmle.label | call to rand |
| test.c:44:13:44:16 | call to rand | semmle.label | call to rand |
| test.c:45:5:45:5 | r | semmle.label | r |
| test.c:45:5:45:5 | r | semmle.label | r |
| test.c:45:5:45:5 | r | semmle.label | r |
| test.c:75:13:75:19 | ... ^ ... | semmle.label | ... ^ ... |
| test.c:75:13:75:19 | ... ^ ... | semmle.label | ... ^ ... |
| test.c:77:9:77:9 | r | semmle.label | r |
| test.c:77:9:77:9 | r | semmle.label | r |
| test.c:77:9:77:9 | r | semmle.label | r |
| test.c:99:14:99:19 | call to rand | semmle.label | call to rand |
| test.c:99:14:99:19 | call to rand | semmle.label | call to rand |
| test.c:100:5:100:5 | r | semmle.label | r |
| test.c:100:5:100:5 | r | semmle.label | r |
| test.c:100:5:100:5 | r | semmle.label | r |
| test.cpp:8:9:8:12 | Store | semmle.label | Store |
| test.cpp:8:9:8:12 | call to rand | semmle.label | call to rand |
| test.cpp:8:9:8:12 | call to rand | semmle.label | call to rand |
| test.cpp:13:2:13:15 | Chi [array content] | semmle.label | Chi [array content] |
| test.cpp:13:2:13:15 | ChiPartial | semmle.label | ChiPartial |
| test.cpp:13:10:13:13 | call to rand | semmle.label | call to rand |
| test.cpp:13:10:13:13 | call to rand | semmle.label | call to rand |
| test.cpp:18:2:18:14 | Chi [array content] | semmle.label | Chi [array content] |
| test.cpp:18:2:18:14 | ChiPartial | semmle.label | ChiPartial |
| test.cpp:18:9:18:12 | call to rand | semmle.label | call to rand |
| test.cpp:18:9:18:12 | call to rand | semmle.label | call to rand |
| test.cpp:24:11:24:18 | call to get_rand | semmle.label | call to get_rand |
| test.cpp:25:7:25:7 | r | semmle.label | r |
| test.cpp:25:7:25:7 | r | semmle.label | r |
| test.cpp:25:7:25:7 | r | semmle.label | r |
| test.cpp:30:13:30:14 | Chi | semmle.label | Chi |
| test.cpp:30:13:30:14 | get_rand2 output argument [array content] | semmle.label | get_rand2 output argument [array content] |
| test.cpp:31:7:31:7 | r | semmle.label | r |
| test.cpp:31:7:31:7 | r | semmle.label | r |
| test.cpp:31:7:31:7 | r | semmle.label | r |
| test.cpp:36:13:36:13 | Chi | semmle.label | Chi |
| test.cpp:36:13:36:13 | get_rand3 output argument [array content] | semmle.label | get_rand3 output argument [array content] |
| test.cpp:37:7:37:7 | r | semmle.label | r |
| test.cpp:37:7:37:7 | r | semmle.label | r |
| test.cpp:37:7:37:7 | r | semmle.label | r |
#select
| test.c:21:17:21:17 | r | test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:18:13:18:16 | call to rand | Uncontrolled value |
| test.c:35:5:35:5 | r | test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:34:13:34:18 | call to rand | Uncontrolled value |
| test.c:45:5:45:5 | r | test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:44:13:44:16 | call to rand | Uncontrolled value |
| test.c:77:9:77:9 | r | test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:75:13:75:19 | ... ^ ... | Uncontrolled value |
| test.c:100:5:100:5 | r | test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:99:14:99:19 | call to rand | Uncontrolled value |
| test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | Uncontrolled value |
| test.cpp:31:7:31:7 | r | test.cpp:13:10:13:13 | call to rand | test.cpp:31:7:31:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:13:10:13:13 | call to rand | Uncontrolled value |
| test.cpp:37:7:37:7 | r | test.cpp:18:9:18:12 | call to rand | test.cpp:37:7:37:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:18:9:18:12 | call to rand | Uncontrolled value |

50
cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.cpp
View File

@@ -1,50 +0,0 @@
// Semmle test case for rule ArithmeticUncontrolled.ql (Uncontrolled data in arithmetic expression).
// Associated with CWE-190: Integer Overflow or Wraparound. http://cwe.mitre.org/data/definitions/190.html
int rand(void);
int get_rand()
{
return rand();
}
void get_rand2(int *dest)
{
*dest = rand();
}
void get_rand3(int &dest)
{
dest = rand();
}
void randomTester2()
{
{
int r = get_rand();
r = r + 100; // BAD
}
{
int r;
get_rand2(&r);
r = r + 100; // BAD
}
{
int r;
get_rand3(r);
r = r + 100; // BAD
}
}
int rand(int min, int max);
unsigned rand(int max);
void test_with_bounded_randomness() {
int r = rand(0, 10);
r++; // GOOD
unsigned unsigned_r = rand(10);
unsigned_r++; // GOOD
}

7
cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected
View File

@@ -1,3 +1,10 @@
| test2.cpp:43:2:43:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:43:36:43:43 | password | this source. |
| test2.cpp:44:2:44:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:44:37:44:45 | thepasswd | this source. |
| test2.cpp:50:2:50:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:50:41:50:53 | passwd_config | this source. |
| test2.cpp:54:2:54:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:54:41:54:52 | widepassword | this source. |
| test2.cpp:55:2:55:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:55:40:55:51 | widepassword | this source. |
| test2.cpp:57:2:57:8 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:57:39:57:49 | call to getPassword | this source. |
| test2.cpp:65:3:65:9 | call to fprintf | This write into file 'log' may contain unencrypted data from $@ | test2.cpp:62:18:62:25 | password | this source. |
| test.cpp:45:3:45:7 | call to fputs | This write into file 'file' may contain unencrypted data from $@ | test.cpp:45:9:45:19 | thePassword | this source. |
| test.cpp:70:35:70:35 | call to operator<< | This write into file 'mystream' may contain unencrypted data from $@ | test.cpp:70:38:70:48 | thePassword | this source. |
| test.cpp:73:37:73:41 | call to write | This write into file 'mystream' may contain unencrypted data from $@ | test.cpp:73:43:73:53 | thePassword | this source. |

94
cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test2.cpp Normal file
View File

@@ -0,0 +1,94 @@
#define FILE int
typedef unsigned long size_t;
FILE *fopen(const char *filename, const char *mode);
int snprintf(char *s, size_t n, const char *format, ...);
int fprintf(FILE *stream, const char *format, ...);
char *strcpy(char *s1, const char *s2);
char *crypt(char *input);
struct myStruct
{
// sensitive
char *password;
char *thepasswd;
char *accountkey;
wchar_t *widepassword;
// encrypted
char password_hash[64];
char *encrypted_passwd;
// not sensitive
char *password_file;
char *password_path;
int num_passwords;
int *password_tries;
bool have_passwd;
// dubious
char *passwd_config;
char *passwd_config2;
};
char *getPassword();
char *getPasswordHash();
int getPasswordMaxChars();
void tests(FILE *log, myStruct &s)
{
fprintf(log, "password = %s\n", s.password); // BAD
fprintf(log, "thepasswd = %s\n", s.thepasswd); // BAD
fprintf(log, "accountkey = %s\n", s.accountkey); // DUBIOUS [NOT REPORTED]
fprintf(log, "password_hash = %s\n", s.password_hash); // GOOD
fprintf(log, "encrypted_passwd = %s\n", s.encrypted_passwd); // GOOD
fprintf(log, "password_file = %s\n", s.password_file); // GOOD
fprintf(log, "password_path = %s\n", s.password_path); // GOOD
fprintf(log, "passwd_config = %s\n", s.passwd_config); // DUBIOUS [REPORTED]
fprintf(log, "num_passwords = %i\n", s.num_passwords); // GOOD
fprintf(log, "password_tries = %i\n", *(s.password_tries)); // GOOD
fprintf(log, "have_passwd = %i\n", s.have_passwd); // GOOD
fprintf(log, "widepassword = %ls\n", s.widepassword); // BAD
fprintf(log, "widepassword = %S\n", s.widepassword); // BAD
fprintf(log, "getPassword() = %s\n", getPassword()); // BAD
fprintf(log, "getPasswordHash() = %s\n", getPasswordHash()); // GOOD
fprintf(log, "getPasswordMaxChars() = %i\n", getPasswordMaxChars()); // GOOD
{
char *cpy1 = s.password;
char *cpy2 = crypt(s.password);
fprintf(log, "cpy1 = %s\n", cpy1); // BAD
fprintf(log, "cpy2 = %s\n", cpy2); // GOOD
}
{
char buf[1024];
strcpy(buf, s.password);
fprintf(log, "buf = %s\n", buf); // BAD [NOT DETECTED]
strcpy(buf, s.password_hash);
fprintf(log, "buf = %s\n", buf); // GOOD
}
fprintf(log, "password = %p\n", s.password); // GOOD
{
if (fopen(s.passwd_config2, "rt") == 0)
{
fprintf(log, "could not open file '%s'.\n", s.passwd_config2); // GOOD
}
}
{
char buffer[1024];
snprintf(buffer, 1024, "password = %s", s.password);
fprintf(log, "log: %s", buffer); // BAD [NOT DETECTED]
}
}

16
cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/TOCTOUFilesystemRace.expected
View File

@@ -1,3 +1,13 @@
| test.cpp:21:3:21:8 | call to remove | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test.cpp:21:10:21:14 | file1 | filename | test.cpp:19:7:19:12 | call to rename | checked |
| test.cpp:35:3:35:8 | call to remove | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test.cpp:35:10:35:14 | file1 | filename | test.cpp:32:7:32:12 | call to rename | checked |
| test.cpp:49:3:49:8 | call to remove | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test.cpp:49:10:49:14 | file1 | filename | test.cpp:47:7:47:12 | call to rename | checked |
| test2.cpp:69:7:69:11 | call to fopen | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:69:13:69:16 | path | filename | test2.cpp:67:6:67:9 | call to stat | checked |
| test2.cpp:83:7:83:11 | call to fopen | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:83:13:83:16 | path | filename | test2.cpp:81:6:81:8 | buf | checked |
| test2.cpp:98:7:98:11 | call to fopen | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:98:13:98:16 | path | filename | test2.cpp:96:6:96:12 | buf_ptr | checked |
| test2.cpp:115:7:115:11 | call to fopen | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:115:13:115:16 | path | filename | test2.cpp:113:22:113:24 | buf | checked |
| test2.cpp:130:7:130:11 | call to fopen | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:130:13:130:16 | path | filename | test2.cpp:128:21:128:27 | buf_ptr | checked |
| test2.cpp:157:7:157:10 | call to open | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:157:12:157:15 | path | filename | test2.cpp:155:6:155:9 | call to stat | checked |
| test2.cpp:170:7:170:10 | call to open | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:170:12:170:15 | path | filename | test2.cpp:168:6:168:10 | call to lstat | checked |
| test2.cpp:245:3:245:7 | call to chmod | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:245:9:245:12 | path | filename | test2.cpp:238:6:238:10 | call to fopen | checked |
| test2.cpp:277:7:277:11 | call to fopen | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:277:13:277:16 | path | filename | test2.cpp:275:6:275:11 | call to access | checked |
| test2.cpp:303:7:303:11 | call to fopen | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:303:13:303:16 | path | filename | test2.cpp:301:7:301:12 | call to access | checked |
| test2.cpp:317:7:317:11 | call to fopen | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:317:13:317:16 | path | filename | test2.cpp:313:6:313:11 | call to access | checked |
| test2.cpp:348:3:348:7 | call to chmod | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:348:9:348:12 | path | filename | test2.cpp:341:6:341:10 | call to fopen | checked |
| test2.cpp:356:3:356:7 | call to chmod | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:356:9:356:13 | path2 | filename | test2.cpp:354:7:354:12 | call to rename | checked |

6
cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/test.cpp
View File

@@ -18,7 +18,7 @@ void test1()
create(file1);
if (!rename(file1, file2))
{
remove(file1); // BAD
remove(file1); // DUBIOUS (bad but perhaps not exploitable)
}
}
@@ -32,7 +32,7 @@ void test2()
if (!rename(file1, file2))
{
file1.set("d.txt");
remove(file1); // GOOD [FALSE POSITIVE]
remove(file1); // GOOD
}
}
@@ -46,6 +46,6 @@ void test3()
create(file1);
if (!rename(file1, file2))
{
remove(file1); // BAD
remove(file1); // DUBIOUS (bad but perhaps not exploitable)
}
}

358
cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/test2.cpp Normal file
View File

@@ -0,0 +1,358 @@
// More test cases. Some of these are inspired by real-world cases, others are synthetic or variations.
#define NULL 0
typedef struct {} FILE;
typedef struct {
int foo;
} stat_data;
FILE *fopen(const char *filename, const char *mode);
int fclose(FILE *stream);
int open(const char *filename, int arg);
int creat(const char *filename, int arg);
int openat(int dir, const char *filename, int arg);
int close(int file);
bool stat(const char *path, stat_data *buf);
bool fstat(int file, stat_data *buf);
bool lstat(const char *path, stat_data *buf);
bool fstatat(int dir, const char *path, stat_data *buf);
void chmod(const char *path, int setting);
int rename(const char *from, const char *to);
bool remove(const char *path);
bool access(const char *path);
// --- open -> open ---
void test1_1(const char *path)
{
FILE *f = NULL;
f = fopen(path, "r");
if (f == NULL)
{
// retry
f = fopen(path, "r"); // GOOD (this is just trying again)
}
// ...
}
void test1_2(const char *path)
{
FILE *f = NULL;
// try until we succeed
while (f == NULL)
{
f = fopen(path, "r"); // GOOD (this is just trying again)
// ...
}
// ...
}
// --- stat -> open ---
void test2_1(const char *path)
{
FILE *f = NULL;
stat_data buf;
if (stat(path, &buf))
{
f = fopen(path, "r"); // BAD
}
// ...
}
void test2_2(const char *path)
{
FILE *f = NULL;
stat_data buf;
stat(path, &buf);
if (buf.foo > 0)
{
f = fopen(path, "r"); // BAD
}
// ...
}
void test2_3(const char *path)
{
FILE *f = NULL;
stat_data buf;
stat_data *buf_ptr = &buf;
stat(path, buf_ptr);
if (buf_ptr->foo > 0)
{
f = fopen(path, "r"); // BAD
}
// ...
}
bool stat_condition(const stat_data *buf);
bool other_condition();
void test2_4(const char *path)
{
FILE *f = NULL;
stat_data buf;
stat(path, &buf);
if (stat_condition(&buf))
{
f = fopen(path, "r"); // BAD
}
// ...
}
void test2_5(const char *path)
{
FILE *f = NULL;
stat_data buf;
stat_data *buf_ptr = &buf;
stat(path, buf_ptr);
if (stat_condition(buf_ptr))
{
f = fopen(path, "r"); // BAD
}
// ...
}
void test2_6(const char *path)
{
FILE *f = NULL;
stat_data buf;
stat(path, &buf);
if (other_condition())
{
f = fopen(path, "r"); // GOOD (does not depend on the result of stat)
}
// ...
}
void test2_7(const char *path, int arg)
{
stat_data buf;
int f;
if (stat(path, &buf))
{
f = open(path, arg); // BAD
}
// ...
}
void test2_8(const char *path, int arg)
{
stat_data buf;
int f;
if (lstat(path, &buf))
{
f = open(path, arg); // BAD
}
// ...
}
void test2_9(const char *path, int arg)
{
stat_data buf;
int f;
if (stat(path, &buf))
{
f = creat(path, arg); // BAD [NOT DETECTED]
}
// ...
}
void test2_10(int dir, const char *path, int arg)
{
stat_data buf;
int f;
if (fstatat(dir, path, &buf))
{
f = openat(dir, path, arg); // BAD [NOT DETECTED]
}
// ...
}
// --- open -> stat ---
void test3_1(const char *path, int arg)
{
stat_data buf;
int f;
f = open(path, arg);
if (stat(path, &buf)) // BAD [NOT DETECTED]
{
// ...
}
// ...
}
void test3_2(const char *path, int arg)
{
stat_data buf;
int f;
f = open(path, arg);
if (fstat(f, &buf)) // GOOD (uses file descriptor, not path)
{
// ...
}
// ...
}
// --- open -> chmod ---
void test4_1(const char *path)
{
FILE *f = NULL;
f = fopen(path, "w");
if (f)
{
// ...
fclose(f);
chmod(path, 0); // BAD
}
}
// --- rename -> remove / open ---
void test5_1(const char *path1, const char *path2)
{
if (rename(path1, path2))
{
remove(path1); // DUBIOUS (bad but perhaps not exploitable)
}
}
void test5_2(const char *path1, const char *path2)
{
FILE *f = NULL;
if (!rename(path1, path2))
{
f = fopen(path2, "r"); // BAD [NOT DETECTED]
}
}
// --- access -> open ---
void test6_1(const char *path)
{
FILE *f = NULL;
if (access(path))
{
f = fopen(path, "r"); // BAD
// ...
}
}
void test6_2(const char *path)
{
FILE *f = NULL;
if (access(path))
{
// ...
}
f = fopen(path, "r"); // GOOD (appears not to be intended to depend on the access check)
// ...
}
void test6_3(const char *path)
{
FILE *f = NULL;
if (!access(path))
{
f = fopen(path, "r"); // BAD
// ...
}
}
void test6_4(const char *path)
{
FILE *f = NULL;
if (access(path))
{
// ...
} else {
f = fopen(path, "r"); // BAD
// ...
}
}
void test6_5(const char *path1, const char *path2)
{
FILE *f = NULL;
if (access(path1))
{
f = fopen(path2, "r"); // GOOD (different file)
// ...
}
}
// --- open / rename -> chmod ---
void test7_1(const char *path)
{
FILE *f;
f = fopen(path, "wt");
if (f != 0)
{
// ...
fclose(f);
chmod(path, 1234); // BAD
}
}
void test7_1(const char *path1, const char *path2)
{
if (!rename(path1, path2))
{
chmod(path2, 1234); // BAD
}
}

10
cpp/ql/test/query-tests/Security/CWE/CWE-570/test.cpp
View File

@@ -224,4 +224,12 @@ void good_new_catch_exception_in_conversion() {
try {
long* p = (long*) new int; // GOOD
} catch(const std::bad_alloc&) { }
}
}
// The 'n' parameter is just to distinquish it from the overload further up in this file.
void *operator new(std::size_t, int n, const std::nothrow_t &);
void test_operator_new_without_exception_spec() {
int* p = new(42, std::nothrow) int; // GOOD
if(p == nullptr) {}
}