C++: Autoformat UsingStrcpyAsBoolean.ql

Jonas Jensen
2019-01-09 11:50:11 +01:00
parent 9219214d64
commit 563f8158d7


@@ -14,64 +14,71 @@ import cpp
import semmle.code.cpp.dataflow.DataFlow
predicate isStringComparisonFunction(string functionName) {
functionName = "strcpy"
or functionName = "wcscpy"
or functionName = "_mbscpy"
or functionName = "strncpy"
or functionName = "_strncpy_l"
or functionName = "wcsncpy"
or functionName = "_wcsncpy_l"
or functionName = "_mbsncpy"
or functionName = "_mbsncpy_l"
functionName = "strcpy" or
functionName = "wcscpy" or
functionName = "_mbscpy" or
functionName = "strncpy" or
functionName = "_strncpy_l" or
functionName = "wcsncpy" or
functionName = "_wcsncpy_l" or
functionName = "_mbsncpy" or
functionName = "_mbsncpy_l"
}
predicate isBoolean( Expr e1 )
{
exists ( Type t1 |
predicate isBoolean(Expr e1) {
exists(Type t1 |
t1 = e1.getType() and
(t1.hasName("bool") or t1.hasName("BOOL") or t1.hasName("_Bool"))
)
}
predicate isStringCopyCastedAsBoolean( FunctionCall func, Expr expr1, string msg ) {
DataFlow::localFlow(DataFlow::exprNode(func), DataFlow::exprNode(expr1))
and isBoolean( expr1.getConversion*())
and isStringComparisonFunction( func.getTarget().getQualifiedName())
and msg = "Return Value of " + func.getTarget().getQualifiedName() + " used as boolean."
predicate isStringCopyCastedAsBoolean(FunctionCall func, Expr expr1, string msg) {
DataFlow::localFlow(DataFlow::exprNode(func), DataFlow::exprNode(expr1)) and
isBoolean(expr1.getConversion*()) and
isStringComparisonFunction(func.getTarget().getQualifiedName()) and
msg = "Return Value of " + func.getTarget().getQualifiedName() + " used as boolean."
}
predicate isStringCopyUsedInLogicalOperationOrCondition( FunctionCall func, Expr expr1, string msg ) {
isStringComparisonFunction( func.getTarget().getQualifiedName() )
and (((
// it is being used in an equality or logical operation
exists( EqualityOperation eop |
eop = expr1
and func = eop.getAChild()
)
or exists( UnaryLogicalOperation ule |
expr1 = ule
and func = ule.getAChild()
)
or exists( BinaryLogicalOperation ble |
expr1 = ble
and func = ble.getAChild()
)
)
and msg = "Return Value of " + func.getTarget().getQualifiedName() + " used in a logical operation."
predicate isStringCopyUsedInLogicalOperationOrCondition(FunctionCall func, Expr expr1, string msg) {
isStringComparisonFunction(func.getTarget().getQualifiedName()) and
(
(
(
// it is being used in an equality or logical operation
exists(EqualityOperation eop |
eop = expr1 and
func = eop.getAChild()
)
or
exists(UnaryLogicalOperation ule |
expr1 = ule and
func = ule.getAChild()
)
or
exists(BinaryLogicalOperation ble |
expr1 = ble and
func = ble.getAChild()
)
) and
msg = "Return Value of " + func.getTarget().getQualifiedName() +
" used in a logical operation."
)
or
exists( ConditionalStmt condstmt |
condstmt.getAChild() = expr1 |
exists(ConditionalStmt condstmt | condstmt.getAChild() = expr1 |
// or the string copy function is used directly as the conditional expression
func = condstmt.getChild(0)
and msg = "Return Value of " + func.getTarget().getQualifiedName() + " used directly in a conditional expression."
))
func = condstmt.getChild(0) and
msg = "Return Value of " + func.getTarget().getQualifiedName() +
" used directly in a conditional expression."
)
)
}
from FunctionCall func, Expr expr1, string msg
where
( isStringCopyCastedAsBoolean(func, expr1, msg) and
where
(
isStringCopyCastedAsBoolean(func, expr1, msg) and
not isStringCopyUsedInLogicalOperationOrCondition(func, expr1, _)
)
or isStringCopyUsedInLogicalOperationOrCondition(func, expr1, msg)
or
isStringCopyUsedInLogicalOperationOrCondition(func, expr1, msg)
select expr1, msg