Add files via upload

2026-04-30 11:15:13 +02:00 · 2021-04-25 22:34:41 +03:00
parent a7030c7fed
commit 50c63a88c3
3 changed files with 102 additions and 0 deletions
--- a/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.c
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.c
@@ -0,0 +1,14 @@
+while(intIndex > 2)
+{
+  ...
+  intIndex--;
+  ...
+} // GOOD: coreten cycle
+...
+while(intIndex > 2)
+{
+  ...
+  int intIndex;
+  intIndex--;
+  ...
+} // BAD: the variable used in the condition does not change.
--- a/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.qhelp
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.qhelp
@@ -0,0 +1,26 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Using variables with the same name is dangerous. However, such a situation inside the while loop can lead to a violation of the accessibility of the program. Requires the attention of developers.</p>
+
+</overview>
+<recommendation>
+<p>We recommend not to use local variables inside a loop if their names are the same as the variables in the condition of this loop.</p>
+
+</recommendation>
+<example>
+<p>The following example demonstrates an erroneous and corrected use of a local variable within a loop.</p>
+<sample src="DeclarationOfVariableWithUnnecessarilyWideScope.c" />
+
+</example>
+<references>
+
+<li>
+  CERT C Coding Standard:
+  <a href="https://wiki.sei.cmu.edu/confluence/display/c/DCL01-C.+Do+not+reuse+variable+names+in+subscopes">DCL01-C. Do not reuse variable names in subscopes</a>.
+</li>
+
+</references>
+</qhelp>
--- a/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
@@ -0,0 +1,62 @@
+/**
+ * @name Errors When Using Variable Declaration Inside Loop
+ * @description Using variables with the same name is dangerous.
+ *              However, such a situation inside the while loop can lead to a violation of the accessibility of the program.
+ *              Requires the attention of developers.
+ * @kind problem
+ * @id cpp/errors-when-using-variable-declaration-inside-loop
+ * @problem.severity warning
+ * @precision medium
+ * @tags correctness
+ *       security
+ *       external/cwe/cwe-1126
+ */
+
+import cpp
+
+/**
+ * Errors when using a variable declaration inside a loop.
+ */
+class DangerousWhileLoop extends WhileStmt {
+  Expr exp;
+  Declaration dl;
+
+  DangerousWhileLoop() {
+    this = dl.getParentScope().(BlockStmt).getParent*() and
+    exp = this.getCondition().getAChild*() and
+    not exp instanceof PointerFieldAccess and
+    not exp instanceof ValueFieldAccess and
+    exp.toString() = dl.getName() and
+    not exp.getParent*() instanceof CrementOperation and
+    not exp.getParent*() instanceof Assignment and
+    not exp.getParent*() instanceof FunctionCall
+  }
+
+  Declaration getDeclaration() { result = dl }
+
+  /** Holds when there are changes to the variables involved in the condition. */
+  predicate isUseThisVariable() {
+    exists(Variable v |
+      this.getCondition().getAChild*().(VariableAccess).getTarget() = v and
+      (
+        exists(Assignment aexp |
+          aexp = this.getStmt().getAChild*() and
+          (
+            aexp.getLValue().(ArrayExpr).getArrayBase().(VariableAccess).getTarget() = v
+            or
+            aexp.getLValue().(VariableAccess).getTarget() = v
+          )
+        )
+        or
+        exists(CrementOperation crm |
+          crm = this.getStmt().getAChild*() and
+          crm.getOperand().(VariableAccess).getTarget() = v
+        )
+      )
+    )
+  }
+}
+
+from DangerousWhileLoop lp
+where not lp.isUseThisVariable()
+select lp.getDeclaration(), "A variable with this name is used in the loop condition."