Merge pull request #264 from raulgarciamsft/users/raulga/c6276

C++: incorrect string type conversion
2026-04-30 03:05:15 +02:00 · 2018-10-04 21:06:07 +02:00
parent 03f2d8f605 3873cbdde0
commit 4720c5ab60
6 changed files with 107 additions and 0 deletions
--- a/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.cpp
+++ b/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.cpp
@@ -0,0 +1,3 @@
+wchar_t* pSrc;
+
+pSrc = (wchar_t*)"a"; // casting a byte-string literal "a" to a wide-character string
--- a/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.qhelp
+++ b/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.qhelp
@@ -0,0 +1,35 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+  <p>This rule indicates a potentially incorrect cast from an byte string (<code>char *</code>) to a wide-character string (<code>wchar_t *</code>).</p>
+  <p>This cast might yield strings that are not correctly terminated; including potential buffer overruns when using such strings with some dangerous APIs.</p>
+</overview>
+
+<recommendation>
+  <p>Do not explicitly cast byte strings to wide-character strings.</p>
+  <p>For string literals, prepend the literal string with the letter "L" to indicate that the string is a wide-character string (<code>wchar_t *</code>).</p>
+  <p>For converting a byte literal to a wide-character string literal, you would need to use the appropriate conversion function for the platform you are using. Please see the references section for options according to your platform.</p>
+</recommendation>
+
+<example>
+<p>In the following example, an byte string literal (<code>"a"</code>) is cast to a wide-character string.</p>
+<sample src="WcharCharConversion.cpp" />
+
+<p>To fix this issue, prepend the literal with the letter "L" (<code>L"a"</code>) to define it as a wide-character string.</p>
+</example>
+
+<references>
+  <li>
+    General resources:
+    <a href="https://en.cppreference.com/w/cpp/string/multibyte/mbstowcs">std::mbstowcs</a>
+  </li>
+  <li>
+    Microsoft specific resources:
+    <a href="https://docs.microsoft.com/en-us/windows/desktop/Intl/security-considerations--international-features">Security Considerations: International Features</a>
+  </li>
+</references>
+
+</qhelp>
--- a/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
+++ b/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
@@ -0,0 +1,29 @@
+/**
+ * @name Cast from char* to wchar_t*
+ * @description Casting a byte string to a wide-character string is likely 
+ *              to yield a string that is incorrectly terminated or aligned. 
+ *              This can lead to undefined behavior, including buffer overruns.
+ * @kind problem
+ * @id cpp/incorrect-string-type-conversion
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *       external/cwe/cwe-704
+ *       external/microsoft/c/c6276
+ */
+import cpp
+
+class WideCharPointerType extends PointerType {
+  WideCharPointerType() { 
+    this.getBaseType() instanceof WideCharType 
+  }
+}
+
+from Expr e1, Cast e2
+where 
+  e2 = e1.getConversion() and
+  exists(WideCharPointerType w, CharPointerType c |
+    w = e2.getType().getUnspecifiedType().(PointerType) and
+    c = e1.getType().getUnspecifiedType().(PointerType)
+  )
+select e1, "Conversion from " + e1.getType().toString() + " to " +  e2.getType().toString() + ". Use of invalid string can lead to undefined behavior."