hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-31 12:48:17 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' of https://github.com/github/codeql into post-release-prep/codeql-cli-2.25.1

Browse Source
This commit is contained in:
Óscar San José
2026-03-30 10:51:12 +02:00
parent ce6e6d5db3 898d12b0be
commit 59eec7ffa2
765 changed files with 13826 additions and 27987 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
cpp/ql/integration-tests/query-suite/cpp-code-scanning.qls.expected
View File

@@ -52,5 +52,6 @@ ql/cpp/ql/src/Summary/LinesOfUserCode.ql
ql/cpp/ql/src/Telemetry/CompilerErrors.ql
ql/cpp/ql/src/Telemetry/DatabaseQuality.ql
ql/cpp/ql/src/Telemetry/ExtractionMetrics.ql
ql/cpp/ql/src/Telemetry/ExtractorInformation.ql
ql/cpp/ql/src/Telemetry/MissingIncludes.ql
ql/cpp/ql/src/Telemetry/SucceededIncludes.ql

1
cpp/ql/integration-tests/query-suite/cpp-security-and-quality.qls.expected
View File

@@ -160,6 +160,7 @@ ql/cpp/ql/src/Summary/LinesOfUserCode.ql
ql/cpp/ql/src/Telemetry/CompilerErrors.ql
ql/cpp/ql/src/Telemetry/DatabaseQuality.ql
ql/cpp/ql/src/Telemetry/ExtractionMetrics.ql
ql/cpp/ql/src/Telemetry/ExtractorInformation.ql
ql/cpp/ql/src/Telemetry/MissingIncludes.ql
ql/cpp/ql/src/Telemetry/SucceededIncludes.ql
ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 32.ql

1
cpp/ql/integration-tests/query-suite/cpp-security-extended.qls.expected
View File

@@ -93,5 +93,6 @@ ql/cpp/ql/src/Summary/LinesOfUserCode.ql
ql/cpp/ql/src/Telemetry/CompilerErrors.ql
ql/cpp/ql/src/Telemetry/DatabaseQuality.ql
ql/cpp/ql/src/Telemetry/ExtractionMetrics.ql
ql/cpp/ql/src/Telemetry/ExtractorInformation.ql
ql/cpp/ql/src/Telemetry/MissingIncludes.ql
ql/cpp/ql/src/Telemetry/SucceededIncludes.ql

4
cpp/ql/lib/change-notes/2026-03-20-add-indirect-uninitialized-node.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: feature
---
* Added a class `IndirectUninitializedNode` to represent the indirection of an uninitialized local variable as a dataflow node.

5
cpp/ql/lib/change-notes/2026-03-23-indirect-parameter-nodes-and-indirect-instructions.md Normal file
View File

@@ -0,0 +1,5 @@
---
category: feature
---
* Added a class `DataFlow::IndirectParameterNode` to represent the indirection of a parameter as a dataflow node.
* Added a predicate `Node::asIndirectInstruction` which returns the `Instruction` that defines the indirect dataflow node, if any.

4
cpp/ql/lib/change-notes/2026-03-26-convert-csv-models-to-yml.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: breaking
---
* The `SourceModelCsv`, `SinkModelCsv`, and `SummaryModelCsv` classes and the associated CSV parsing infrastructure have been removed from `ExternalFlow.qll`. New models should be added as `.model.yml` files in the `ext/` directory.

22
cpp/ql/lib/ext/ZMQ.model.yml Normal file
View File

@@ -0,0 +1,22 @@
# ZeroMQ networking library models
extensions:
- addsTo:
pack: codeql/cpp-all
extensible: sourceModel
data: # namespace, type, subtypes, name, signature, ext, output, kind, provenance
- ["", "", False, "zmq_recv", "", "", "Argument[*1]", "remote", "manual"]
- ["", "", False, "zmq_recvmsg", "", "", "Argument[*1]", "remote", "manual"]
- ["", "", False, "zmq_msg_recv", "", "", "Argument[*0]", "remote", "manual"]
- addsTo:
pack: codeql/cpp-all
extensible: sinkModel
data: # namespace, type, subtypes, name, signature, ext, input, kind, provenance
- ["", "", False, "zmq_send", "", "", "Argument[*1]", "remote-sink", "manual"]
- ["", "", False, "zmq_sendmsg", "", "", "Argument[*1]", "remote-sink", "manual"]
- ["", "", False, "zmq_msg_send", "", "", "Argument[*0]", "remote-sink", "manual"]
- addsTo:
pack: codeql/cpp-all
extensible: summaryModel
data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
- ["", "", False, "zmq_msg_init_data", "", "", "Argument[*1]", "Argument[*0]", "taint", "manual"]
- ["", "", False, "zmq_msg_data", "", "", "Argument[*0]", "ReturnValue[*]", "taint", "manual"]

19
cpp/ql/lib/ext/getc.model.yml Normal file
View File

@@ -0,0 +1,19 @@
# Models for getc and similar character-reading functions
extensions:
- addsTo:
pack: codeql/cpp-all
extensible: sourceModel
data: # namespace, type, subtypes, name, signature, ext, output, kind, provenance
- ["", "", False, "getc", "", "", "ReturnValue", "remote", "manual"]
- ["", "", False, "getwc", "", "", "ReturnValue", "remote", "manual"]
- ["", "", False, "_getc_nolock", "", "", "ReturnValue", "remote", "manual"]
- ["", "", False, "_getwc_nolock", "", "", "ReturnValue", "remote", "manual"]
- ["", "", False, "getch", "", "", "ReturnValue", "local", "manual"]
- ["", "", False, "_getch", "", "", "ReturnValue", "local", "manual"]
- ["", "", False, "_getwch", "", "", "ReturnValue", "local", "manual"]
- ["", "", False, "_getch_nolock", "", "", "ReturnValue", "local", "manual"]
- ["", "", False, "_getwch_nolock", "", "", "ReturnValue", "local", "manual"]
- ["", "", False, "getchar", "", "", "ReturnValue", "local", "manual"]
- ["", "", False, "getwchar", "", "", "ReturnValue", "local", "manual"]
- ["", "", False, "_getchar_nolock", "", "", "ReturnValue", "local", "manual"]
- ["", "", False, "_getwchar_nolock", "", "", "ReturnValue", "local", "manual"]

6
cpp/ql/lib/semmle/code/cpp/Function.qll
View File

@@ -524,6 +524,12 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
not exists(NewOrNewArrayExpr new | e = new.getAllocatorCall().getArgument(0))
)
}
/**
* Holds if this function has an ambiguous return type, meaning that zero or multiple return
* types for this function are present in the database (this can occur in `build-mode: none`).
*/
predicate hasAmbiguousReturnType() { count(this.getType()) != 1 }
}
pragma[noinline]

15
cpp/ql/lib/semmle/code/cpp/commons/Printf.qll
View File

@@ -163,12 +163,23 @@ predicate primitiveVariadicFormatter(
)
}
/**
* Gets a function call whose target is a variadic formatter with the given
* `type`, `format` parameter index and `output` parameter index.
*
* Join-order helper for `callsVariadicFormatter`.
*/
pragma[nomagic]
private predicate callsVariadicFormatterCall(FunctionCall fc, string type, int format, int output) {
variadicFormatter(fc.getTarget(), type, format, output)
}
private predicate callsVariadicFormatter(
Function f, string type, int formatParamIndex, int outputParamIndex
) {
// calls a variadic formatter with `formatParamIndex`, `outputParamIndex` linked
exists(FunctionCall fc, int format, int output |
variadicFormatter(pragma[only_bind_into](fc.getTarget()), type, format, output) and
callsVariadicFormatterCall(fc, type, format, output) and
fc.getEnclosingFunction() = f and
fc.getArgument(format) = f.getParameter(formatParamIndex).getAnAccess() and
fc.getArgument(output) = f.getParameter(outputParamIndex).getAnAccess()
@@ -176,7 +187,7 @@ private predicate callsVariadicFormatter(
or
// calls a variadic formatter with only `formatParamIndex` linked
exists(FunctionCall fc, string calledType, int format, int output |
variadicFormatter(pragma[only_bind_into](fc.getTarget()), calledType, format, output) and
callsVariadicFormatterCall(fc, calledType, format, output) and
fc.getEnclosingFunction() = f and
fc.getArgument(format) = f.getParameter(formatParamIndex).getAnAccess() and
not fc.getArgument(output) = f.getParameter(_).getAnAccess() and

160
cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll
View File

@@ -1,9 +1,10 @@
/**
* INTERNAL use only. This is an experimental API subject to change without notice.
*
* Provides classes and predicates for dealing with flow models specified in CSV format.
* Provides classes and predicates for dealing with flow models specified
* in data extension files.
*
* The CSV specification has the following columns:
* The extensible relations have the following columns:
* - Sources:
* `namespace; type; subtypes; name; signature; ext; output; kind`
* - Sinks:
@@ -104,117 +105,9 @@ private import internal.FlowSummaryImpl::Private
private import internal.FlowSummaryImpl::Private::External
private import internal.ExternalFlowExtensions::Extensions as Extensions
private import codeql.mad.ModelValidation as SharedModelVal
private import codeql.util.Unit
private import codeql.mad.static.ModelsAsData as SharedMaD
/**
* A unit class for adding additional source model rows.
*
* Extend this class to add additional source definitions.
*/
class SourceModelCsv extends Unit {
/** Holds if `row` specifies a source definition. */
abstract predicate row(string row);
}
/**
* A unit class for adding additional sink model rows.
*
* Extend this class to add additional sink definitions.
*/
class SinkModelCsv extends Unit {
/** Holds if `row` specifies a sink definition. */
abstract predicate row(string row);
}
/**
* A unit class for adding additional summary model rows.
*
* Extend this class to add additional flow summary definitions.
*/
class SummaryModelCsv extends Unit {
/** Holds if `row` specifies a summary definition. */
abstract predicate row(string row);
}
/** Holds if `row` is a source model. */
predicate sourceModel(string row) { any(SourceModelCsv s).row(row) }
/** Holds if `row` is a sink model. */
predicate sinkModel(string row) { any(SinkModelCsv s).row(row) }
/** Holds if `row` is a summary model. */
predicate summaryModel(string row) { any(SummaryModelCsv s).row(row) }
private module MadInput implements SharedMaD::InputSig {
/** Holds if a source model exists for the given parameters. */
predicate additionalSourceModel(
string namespace, string type, boolean subtypes, string name, string signature, string ext,
string output, string kind, string provenance, string model
) {
exists(string row |
sourceModel(row) and
row.splitAt(";", 0) = namespace and
row.splitAt(";", 1) = type and
row.splitAt(";", 2) = subtypes.toString() and
subtypes = [true, false] and
row.splitAt(";", 3) = name and
row.splitAt(";", 4) = signature and
row.splitAt(";", 5) = ext and
row.splitAt(";", 6) = output and
row.splitAt(";", 7) = kind
) and
provenance = "manual" and
model = ""
}
/** Holds if a sink model exists for the given parameters. */
predicate additionalSinkModel(
string namespace, string type, boolean subtypes, string name, string signature, string ext,
string input, string kind, string provenance, string model
) {
exists(string row |
sinkModel(row) and
row.splitAt(";", 0) = namespace and
row.splitAt(";", 1) = type and
row.splitAt(";", 2) = subtypes.toString() and
subtypes = [true, false] and
row.splitAt(";", 3) = name and
row.splitAt(";", 4) = signature and
row.splitAt(";", 5) = ext and
row.splitAt(";", 6) = input and
row.splitAt(";", 7) = kind
) and
provenance = "manual" and
model = ""
}
/**
* Holds if a summary model exists for the given parameters.
*
* This predicate does not expand `@` to `*`s.
*/
predicate additionalSummaryModel(
string namespace, string type, boolean subtypes, string name, string signature, string ext,
string input, string output, string kind, string provenance, string model
) {
exists(string row |
summaryModel(row) and
row.splitAt(";", 0) = namespace and
row.splitAt(";", 1) = type and
row.splitAt(";", 2) = subtypes.toString() and
subtypes = [true, false] and
row.splitAt(";", 3) = name and
row.splitAt(";", 4) = signature and
row.splitAt(";", 5) = ext and
row.splitAt(";", 6) = input and
row.splitAt(";", 7) = output and
row.splitAt(";", 8) = kind
) and
provenance = "manual" and
model = ""
}
string namespaceSegmentSeparator() { result = "::" }
}
@@ -250,8 +143,8 @@ predicate summaryModel(
)
}
/** Provides a query predicate to check the CSV data for validation errors. */
module CsvValidation {
/** Provides a query predicate to check the data for validation errors. */
module ModelValidation {
private string getInvalidModelInput() {
exists(string pred, AccessPath input, string part |
sinkModel(_, _, _, _, _, _, input, _, _, _) and pred = "sink"
@@ -294,40 +187,6 @@ module CsvValidation {
private module KindVal = SharedModelVal::KindValidation<KindValConfig>;
private string getInvalidModelSubtype() {
exists(string pred, string row |
sourceModel(row) and pred = "source"
or
sinkModel(row) and pred = "sink"
or
summaryModel(row) and pred = "summary"
|
exists(string b |
b = row.splitAt(";", 2) and
not b = ["true", "false"] and
result = "Invalid boolean \"" + b + "\" in " + pred + " model."
)
)
}
private string getInvalidModelColumnCount() {
exists(string pred, string row, int expect |
sourceModel(row) and expect = 8 and pred = "source"
or
sinkModel(row) and expect = 8 and pred = "sink"
or
summaryModel(row) and expect = 9 and pred = "summary"
|
exists(int cols |
cols = 1 + max(int n | exists(row.splitAt(";", n))) and
cols != expect and
result =
"Wrong number of columns in " + pred + " model row, expected " + expect + ", got " + cols +
"."
)
)
}
private string getInvalidModelSignature() {
exists(string pred, string namespace, string type, string name, string signature, string ext |
sourceModel(namespace, type, _, name, signature, ext, _, _, _, _) and pred = "source"
@@ -366,13 +225,12 @@ module CsvValidation {
)
}
/** Holds if some row in a CSV-based flow model appears to contain typos. */
/** Holds if some row in a MaD flow model appears to contain typos. */
query predicate invalidModelRow(string msg) {
msg =
[
getInvalidModelSignature(), getInvalidModelInput(), getInvalidModelOutput(),
getInvalidModelSubtype(), getInvalidModelColumnCount(), KindVal::getInvalidModelKind(),
getIncorrectConstructorSummaryOutput()
KindVal::getInvalidModelKind(), getIncorrectConstructorSummaryOutput()
]
}
}
@@ -1026,7 +884,7 @@ private module Cached {
}
/**
* Holds if `node` is specified as a source with the given kind in a CSV flow
* Holds if `node` is specified as a source with the given kind in a MaD flow
* model.
*/
cached
@@ -1037,7 +895,7 @@ private module Cached {
}
/**
* Holds if `node` is specified as a sink with the given kind in a CSV flow
* Holds if `node` is specified as a sink with the given kind in a MaD flow
* model.
*/
cached

26
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll
View File

@@ -238,7 +238,12 @@ private module TrackVirtualDispatch<methodDispatchSig/1 virtualDispatch0> {
private import TypeTracking<Location, TtInput>::TypeTrack<qualifierSource/1>::Graph<qualifierOfVirtualCall/1>
private predicate edgePlus(PathNode n1, PathNode n2) = fastTC(edges/2)(n1, n2)
private predicate isSource(PathNode n) { n.isSource() }
private predicate isSink(PathNode n) { n.isSink() }
private predicate edgePlus(PathNode n1, PathNode n2) =
doublyBoundedFastTC(edges/2, isSource/1, isSink/1)(n1, n2)
/**
* Gets the most specific implementation of `mf` that may be called when the
@@ -255,6 +260,15 @@ private module TrackVirtualDispatch<methodDispatchSig/1 virtualDispatch0> {
)
}
pragma[nomagic]
private MemberFunction mostSpecificForSource(PathNode p1, MemberFunction mf) {
p1.isSource() and
exists(Class derived |
qualifierSourceImpl(p1.getNode(), derived) and
result = mostSpecific(mf, derived)
)
}
/**
* Gets a possible pair of end-points `(p1, p2)` where:
* - `p1` is a derived-to-base conversion that converts from some
@@ -264,16 +278,16 @@ private module TrackVirtualDispatch<methodDispatchSig/1 virtualDispatch0> {
* - `callable` is the most specific implementation that may be called when
* the qualifier has type `derived`.
*/
bindingset[p1, p2]
pragma[inline_late]
private predicate pairCand(
PathNode p1, PathNode p2, DataFlowPrivate::DataFlowCallable callable,
DataFlowPrivate::DataFlowCall call
) {
exists(Class derived, MemberFunction mf |
qualifierSourceImpl(p1.getNode(), derived) and
p2.isSink() and
exists(MemberFunction mf |
qualifierOfVirtualCallImpl(p2.getNode(), call.asCallInstruction(), mf) and
p1.isSource() and
p2.isSink() and
callable.asSourceCallable() = mostSpecific(mf, derived)
callable.asSourceCallable() = mostSpecificForSource(p1, mf)
)
}

66
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll
View File

@@ -321,6 +321,12 @@ module Public {
*/
Operand asIndirectOperand(int index) { hasOperandAndIndex(this, result, index) }
/**
* Gets the instruction that is indirectly tracked by this node behind
* `index` number of indirections.
*/
Instruction asIndirectInstruction(int index) { hasInstructionAndIndex(this, result, index) }
/**
* Holds if this node is at index `i` in basic block `block`.
*
@@ -617,6 +623,25 @@ module Public {
*/
LocalVariable asUninitialized() { result = this.(UninitializedNode).getLocalVariable() }
/**
* Gets the uninitialized local variable corresponding to this node behind
* `index` number of indirections, if any.
*/
LocalVariable asIndirectUninitialized(int index) {
exists(IndirectUninitializedNode indirectUninitializedNode |
this = indirectUninitializedNode and
indirectUninitializedNode.getIndirectionIndex() = index
|
result = indirectUninitializedNode.getLocalVariable()
)
}
/**
* Gets the uninitialized local variable corresponding to this node behind
* a number indirections, if any.
*/
LocalVariable asIndirectUninitialized() { result = this.asIndirectUninitialized(_) }
/**
* Gets the positional parameter corresponding to the node that represents
* the value of the parameter after `index` number of loads, if any. For
@@ -761,16 +786,13 @@ module Public {
final override Type getType() { result = this.getPreUpdateNode().getType() }
}
/**
* The value of an uninitialized local variable, viewed as a node in a data
* flow graph.
*/
class UninitializedNode extends Node {
abstract private class AbstractUninitializedNode extends Node {
LocalVariable v;
int indirectionIndex;
UninitializedNode() {
AbstractUninitializedNode() {
exists(SsaImpl::Definition def, SsaImpl::SourceVariable sv |
def.getIndirectionIndex() = 0 and
def.getIndirectionIndex() = indirectionIndex and
def.getValue().asInstruction() instanceof UninitializedInstruction and
SsaImpl::defToNode(this, def, sv) and
v = sv.getBaseVariable().(SsaImpl::BaseIRVariable).getIRVariable().getAst()
@@ -781,6 +803,25 @@ module Public {
LocalVariable getLocalVariable() { result = v }
}
/**
* The value of an uninitialized local variable, viewed as a node in a data
* flow graph.
*/
class UninitializedNode extends AbstractUninitializedNode {
UninitializedNode() { indirectionIndex = 0 }
}
/**
* The value of an uninitialized local variable behind one or more levels of
* indirection, viewed as a node in a data flow graph.
*/
class IndirectUninitializedNode extends AbstractUninitializedNode {
IndirectUninitializedNode() { indirectionIndex > 0 }
/** Gets the indirection index of this node. */
int getIndirectionIndex() { result = indirectionIndex }
}
/**
* The value of a parameter at function entry, viewed as a node in a data
* flow graph. This includes both explicit parameters such as `x` in `f(x)`
@@ -795,6 +836,12 @@ module Public {
/** An explicit positional parameter, including `this`, but not `...`. */
final class DirectParameterNode = AbstractDirectParameterNode;
/**
* A node representing an indirection of a positional parameter,
* including `*this`, but not `*...`.
*/
final class IndirectParameterNode = AbstractIndirectParameterNode;
final class ExplicitParameterNode = AbstractExplicitParameterNode;
/** An implicit `this` parameter. */
@@ -954,11 +1001,6 @@ module Public {
private import Public
/**
* A node representing an indirection of a parameter.
*/
final class IndirectParameterNode = AbstractIndirectParameterNode;
/**
* A class that lifts pre-SSA dataflow nodes to regular dataflow nodes.
*/

1
cpp/ql/lib/semmle/code/cpp/models/Models.qll
View File

@@ -48,7 +48,6 @@ private import implementations.SqLite3
private import implementations.PostgreSql
private import implementations.System
private import implementations.StructuredExceptionHandling
private import implementations.ZMQ
private import implementations.Win32CommandExecution
private import implementations.CA2AEX
private import implementations.CComBSTR

18
cpp/ql/lib/semmle/code/cpp/models/implementations/Gets.qll
View File

@@ -112,21 +112,3 @@ private class GetsFunction extends DataFlowFunction, ArrayFunction, AliasFunctio
override predicate hasArrayOutput(int bufParam) { bufParam = 0 }
}
/**
* A model for `getc` and similar functions that are flow sources.
*/
private class GetcSource extends SourceModelCsv {
override predicate row(string row) {
row =
[
";;false;getc;;;ReturnValue;remote", ";;false;getwc;;;ReturnValue;remote",
";;false;_getc_nolock;;;ReturnValue;remote", ";;false;_getwc_nolock;;;ReturnValue;remote",
";;false;getch;;;ReturnValue;local", ";;false;_getch;;;ReturnValue;local",
";;false;_getwch;;;ReturnValue;local", ";;false;_getch_nolock;;;ReturnValue;local",
";;false;_getwch_nolock;;;ReturnValue;local", ";;false;getchar;;;ReturnValue;local",
";;false;getwchar;;;ReturnValue;local", ";;false;_getchar_nolock;;;ReturnValue;local",
";;false;_getwchar_nolock;;;ReturnValue;local",
]
}
}

45
cpp/ql/lib/semmle/code/cpp/models/implementations/ZMQ.qll
View File

@@ -1,45 +0,0 @@
/**
* Provides implementation classes modeling the ZeroMQ networking library.
*/
import semmle.code.cpp.models.interfaces.FlowSource
/**
* Remote flow sources.
*/
private class ZmqSource extends SourceModelCsv {
override predicate row(string row) {
row =
[
";;false;zmq_recv;;;Argument[*1];remote", ";;false;zmq_recvmsg;;;Argument[*1];remote",
";;false;zmq_msg_recv;;;Argument[*0];remote",
]
}
}
/**
* Remote flow sinks.
*/
private class ZmqSinks extends SinkModelCsv {
override predicate row(string row) {
row =
[
";;false;zmq_send;;;Argument[*1];remote-sink",
";;false;zmq_sendmsg;;;Argument[*1];remote-sink",
";;false;zmq_msg_send;;;Argument[*0];remote-sink",
]
}
}
/**
* Flow steps.
*/
private class ZmqSummaries extends SummaryModelCsv {
override predicate row(string row) {
row =
[
";;false;zmq_msg_init_data;;;Argument[*1];Argument[*0];taint",
";;false;zmq_msg_data;;;Argument[*0];ReturnValue[*];taint",
]
}
}

4
cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
View File

@@ -218,7 +218,9 @@ where
// only report if we cannot prove that the result of the
// multiplication will be less (resp. greater) than the
// maximum (resp. minimum) number we can compute.
overflows(me, t1)
overflows(me, t1) and
// exclude cases where the expression type may not have been extracted accurately
not me.getParent().(Call).getTarget().hasAmbiguousReturnType()
select me,
"Multiplication result may overflow '" + me.getType().toString() + "' before it is converted to '"
+ me.getFullyConverted().getType().toString() + "'."

2
cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
View File

@@ -168,9 +168,11 @@ where
formatOtherArgType(ffc, n, expected, arg, actual) and
not actual.getUnspecifiedType().(IntegralType).getSize() = sizeof_IntType()
) and
// Exclude some cases where we're less confident the result is correct / clear / valuable
not arg.isAffectedByMacro() and
not arg.isFromUninstantiatedTemplate(_) and
not actual.stripType() instanceof ErroneousType and
not arg.getType().stripType().(RoutineType).getReturnType() instanceof ErroneousType and
not arg.(Call).mayBeFromImplicitlyDeclaredFunction() and
// Make sure that the format function definition is consistent
count(ffc.getTarget().getFormatParameterIndex()) = 1

2
cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
View File

@@ -4,7 +4,7 @@
* allows for a cross-site scripting vulnerability.
* @kind path-problem
* @problem.severity error
* @security-severity 6.1
* @security-severity 7.8
* @precision high
* @id cpp/cgi-xss
* @tags security

20
cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
View File

@@ -23,13 +23,31 @@ import Flow::PathGraph
predicate isSource(FlowSource source, string sourceType) { sourceType = source.getSourceType() }
/**
* Holds if `f` is a printf-like function or a (possibly nested) wrapper
* that forwards a format-string parameter to one.
*
* Functions that *implement* printf-like behavior (e.g. a custom
* `vsnprintf` variant) internally parse the caller-supplied format string
* and build small, bounded, local format strings such as `"%d"` or `"%ld"`
* for inner `sprintf` calls. Taint that reaches those inner calls via the
* parsed format specifier is not exploitable, so sinks inside such
* functions should be excluded.
*/
private predicate isPrintfImplementation(Function f) {
f instanceof PrintfLikeFunction
or
exists(PrintfLikeFunction printf | printf.wrapperFunction(f, _, _))
}
module Config implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node node) { isSource(node, _) }
predicate isSink(DataFlow::Node node) {
exists(PrintfLikeFunction printf |
printf.outermostWrapperFunctionCall([node.asExpr(), node.asIndirectExpr()], _)
)
) and
not isPrintfImplementation([node.asExpr(), node.asIndirectExpr()].getEnclosingFunction())
}
private predicate isArithmeticNonCharType(ArithmeticType type) {

3
cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
View File

@@ -18,7 +18,8 @@ import IncorrectPointerScalingCommon
private predicate isCharSzPtrExpr(Expr e) {
exists(PointerType pt | pt = e.getFullyConverted().getUnspecifiedType() |
pt.getBaseType() instanceof CharType or
pt.getBaseType() instanceof VoidType
pt.getBaseType() instanceof VoidType or
pt.getBaseType() instanceof ErroneousType // this could be char / void type in a successful compilation
)
}

48
cpp/ql/src/Telemetry/DatabaseQuality.qll Normal file
View File

@@ -0,0 +1,48 @@
import cpp
import codeql.util.ReportStats
/** A file that is included in the quality statistics. */
private class RelevantFile extends File {
RelevantFile() { this.fromSource() and exists(this.getRelativePath()) }
}
module CallTargetStats implements StatsSig {
private class RelevantCall extends Call {
RelevantCall() { this.getFile() instanceof RelevantFile }
}
// We assume that calls with an implicit target are calls that could not be
// resolved. This is accurate in the vast majority of cases, but is inaccurate
// for calls that deliberately rely on implicitly declared functions.
private predicate hasImplicitTarget(RelevantCall call) {
call.getTarget().getADeclarationEntry().isImplicit()
}
int getNumberOfOk() { result = count(RelevantCall call | not hasImplicitTarget(call)) }
int getNumberOfNotOk() { result = count(RelevantCall call | hasImplicitTarget(call)) }
string getOkText() { result = "calls with call target" }
string getNotOkText() { result = "calls with missing call target" }
}
private class SourceExpr extends Expr {
SourceExpr() { this.getFile() instanceof RelevantFile }
}
private predicate hasGoodType(Expr e) { not e.getType() instanceof ErroneousType }
module ExprTypeStats implements StatsSig {
int getNumberOfOk() { result = count(SourceExpr e | hasGoodType(e)) }
int getNumberOfNotOk() { result = count(SourceExpr e | not hasGoodType(e)) }
string getOkText() { result = "expressions with known type" }
string getNotOkText() { result = "expressions with unknown type" }
}
module CallTargetStatsReport = ReportStats<CallTargetStats>;
module ExprTypeStatsReport = ReportStats<ExprTypeStats>;

28
cpp/ql/src/Telemetry/ExtractorInformation.ql Normal file
View File

@@ -0,0 +1,28 @@
/**
* @name C/C++ extraction information
* @description Information about the extraction for a C/C++ database
* @kind metric
* @tags summary telemetry
* @id cpp/telemetry/extraction-information
*/
import cpp
import DatabaseQuality
from string key, float value
where
(
CallTargetStatsReport::numberOfOk(key, value) or
CallTargetStatsReport::numberOfNotOk(key, value) or
CallTargetStatsReport::percentageOfOk(key, value) or
ExprTypeStatsReport::numberOfOk(key, value) or
ExprTypeStatsReport::numberOfNotOk(key, value) or
ExprTypeStatsReport::percentageOfOk(key, value)
) and
/* Infinity */
value != 1.0 / 0.0 and
/* -Infinity */
value != -1.0 / 0.0 and
/* NaN */
value != 0.0 / 0.0
select key, value

4
cpp/ql/src/change-notes/2026-03-11-integer-multiplication-cast-to-long.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Fixed an issue with the "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query causing false positive results in `build-mode: none` databases.

4
cpp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: queryMetadata
---
* The `@security-severity` metadata of `cpp/cgi-xss` has been increased from 6.1 (medium) to 7.8 (high).

4
cpp/ql/src/change-notes/2026-03-16-wrong-type-format-argument.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Fixed an issue with the "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query causing false positive results in `build-mode: none` databases.

4
cpp/ql/src/change-notes/2026-03-19-suspicious-add-sizeof.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Fixed an issue with the "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query causing false positive results in `build-mode: none` databases.

4
cpp/ql/src/change-notes/2026-03-19-tainted-format-string.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Fixed an issue with the "Uncontrolled format string" (`cpp/tainted-format-string`) query involving certain kinds of formatting function implementations.

2
cpp/ql/test/library-tests/dataflow/external-models/validatemodels.ql
View File

@@ -1,2 +1,2 @@
import cpp
import semmle.code.cpp.dataflow.ExternalFlow::CsvValidation
import semmle.code.cpp.dataflow.ExternalFlow::ModelValidation

20
cpp/ql/test/library-tests/dataflow/models-as-data/FlowSummaryNode.ql
View File

@@ -1,20 +0,0 @@
import testModels
private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
private import semmle.code.cpp.ir.dataflow.internal.DataFlowNodes
string describe(DataFlow::Node n) {
n instanceof ParameterNode and result = "ParameterNode"
or
n instanceof PostUpdateNode and result = "PostUpdateNode"
or
n instanceof ArgumentNode and result = "ArgumentNode"
or
n instanceof ReturnNode and result = "ReturnNode"
or
n instanceof OutNode and result = "OutNode"
}
from FlowSummaryNode n
select n, concat(describe(n), ", "), concat(n.getSummarizedCallable().toString(), ", "),
concat(n.getEnclosingCallable().toString(), ", ")

267
cpp/ql/test/library-tests/dataflow/models-as-data/SummaryCall.expected
View File

@@ -1,267 +0,0 @@
summaryCalls
| file://:0:0:0:0 | [summary] call to [summary param] 0 in madCallArg0ReturnToReturn in madCallArg0ReturnToReturn |
| file://:0:0:0:0 | [summary] call to [summary param] 0 in madCallArg0ReturnToReturnFirst in madCallArg0ReturnToReturnFirst |
| file://:0:0:0:0 | [summary] call to [summary param] 0 in madCallArg0WithValue in madCallArg0WithValue |
summarizedCallables
| tests.cpp:144:5:144:19 | madArg0ToReturn |
| tests.cpp:145:6:145:28 | madArg0ToReturnIndirect |
| tests.cpp:147:5:147:28 | madArg0ToReturnValueFlow |
| tests.cpp:148:5:148:27 | madArg0IndirectToReturn |
| tests.cpp:149:5:149:33 | madArg0DoubleIndirectToReturn |
| tests.cpp:150:5:150:30 | madArg0NotIndirectToReturn |
| tests.cpp:151:6:151:26 | madArg0ToArg1Indirect |
| tests.cpp:152:6:152:34 | madArg0IndirectToArg1Indirect |
| tests.cpp:153:5:153:18 | madArgsComplex |
| tests.cpp:154:5:154:14 | madArgsAny |
| tests.cpp:155:5:155:28 | madAndImplementedComplex |
| tests.cpp:160:5:160:24 | madArg0FieldToReturn |
| tests.cpp:161:5:161:32 | madArg0IndirectFieldToReturn |
| tests.cpp:162:5:162:32 | madArg0FieldIndirectToReturn |
| tests.cpp:163:13:163:32 | madArg0ToReturnField |
| tests.cpp:164:14:164:41 | madArg0ToReturnIndirectField |
| tests.cpp:165:13:165:40 | madArg0ToReturnFieldIndirect |
| tests.cpp:284:7:284:19 | madArg0ToSelf |
| tests.cpp:285:6:285:20 | madSelfToReturn |
| tests.cpp:287:7:287:20 | madArg0ToField |
| tests.cpp:288:6:288:21 | madFieldToReturn |
| tests.cpp:313:7:313:30 | namespaceMadSelfToReturn |
| tests.cpp:434:5:434:29 | madCallArg0ReturnToReturn |
| tests.cpp:435:9:435:38 | madCallArg0ReturnToReturnFirst |
| tests.cpp:436:6:436:25 | madCallArg0WithValue |
| tests.cpp:437:5:437:36 | madCallReturnValueIgnoreFunction |
| tests.cpp:459:5:459:31 | parameter_ref_to_return_ref |
| tests.cpp:471:5:471:17 | receive_array |
sourceCallables
| tests.cpp:3:5:3:10 | source |
| tests.cpp:4:6:4:14 | sourcePtr |
| tests.cpp:5:6:5:19 | sourceIndirect |
| tests.cpp:6:6:6:9 | sink |
| tests.cpp:6:15:6:17 | val |
| tests.cpp:7:6:7:9 | sink |
| tests.cpp:7:16:7:18 | ptr |
| tests.cpp:11:5:11:18 | localMadSource |
| tests.cpp:12:5:12:19 | remoteMadSource |
| tests.cpp:13:5:13:14 | notASource |
| tests.cpp:14:5:14:22 | localMadSourceVoid |
| tests.cpp:15:5:15:25 | localMadSourceHasBody |
| tests.cpp:16:6:16:28 | remoteMadSourceIndirect |
| tests.cpp:17:7:17:35 | remoteMadSourceDoubleIndirect |
| tests.cpp:18:6:18:32 | remoteMadSourceIndirectArg0 |
| tests.cpp:18:39:18:39 | x |
| tests.cpp:18:47:18:47 | y |
| tests.cpp:19:6:19:32 | remoteMadSourceIndirectArg1 |
| tests.cpp:19:39:19:39 | x |
| tests.cpp:19:47:19:47 | y |
| tests.cpp:20:5:20:22 | remoteMadSourceVar |
| tests.cpp:21:6:21:31 | remoteMadSourceVarIndirect |
| tests.cpp:24:6:24:28 | namespaceLocalMadSource |
| tests.cpp:25:6:25:31 | namespaceLocalMadSourceVar |
| tests.cpp:28:7:28:30 | namespace2LocalMadSource |
| tests.cpp:31:6:31:19 | localMadSource |
| tests.cpp:33:5:33:27 | namespaceLocalMadSource |
| tests.cpp:35:6:35:17 | test_sources |
| tests.cpp:50:6:50:6 | v |
| tests.cpp:51:7:51:16 | v_indirect |
| tests.cpp:52:6:52:13 | v_direct |
| tests.cpp:63:6:63:6 | a |
| tests.cpp:63:9:63:9 | b |
| tests.cpp:63:12:63:12 | c |
| tests.cpp:63:15:63:15 | d |
| tests.cpp:75:6:75:6 | e |
| tests.cpp:85:6:85:26 | remoteMadSourceParam0 |
| tests.cpp:85:32:85:32 | x |
| tests.cpp:92:6:92:16 | madSinkArg0 |
| tests.cpp:92:22:92:22 | x |
| tests.cpp:93:6:93:13 | notASink |
| tests.cpp:93:19:93:19 | x |
| tests.cpp:94:6:94:16 | madSinkArg1 |
| tests.cpp:94:22:94:22 | x |
| tests.cpp:94:29:94:29 | y |
| tests.cpp:95:6:95:17 | madSinkArg01 |
| tests.cpp:95:23:95:23 | x |
| tests.cpp:95:30:95:30 | y |
| tests.cpp:95:37:95:37 | z |
| tests.cpp:96:6:96:17 | madSinkArg02 |
| tests.cpp:96:23:96:23 | x |
| tests.cpp:96:30:96:30 | y |
| tests.cpp:96:37:96:37 | z |
| tests.cpp:97:6:97:24 | madSinkIndirectArg0 |
| tests.cpp:97:31:97:31 | x |
| tests.cpp:98:6:98:30 | madSinkDoubleIndirectArg0 |
| tests.cpp:98:38:98:38 | x |
| tests.cpp:99:5:99:14 | madSinkVar |
| tests.cpp:100:6:100:23 | madSinkVarIndirect |
| tests.cpp:102:6:102:15 | test_sinks |
| tests.cpp:116:6:116:6 | a |
| tests.cpp:117:7:117:11 | a_ptr |
| tests.cpp:132:6:132:18 | madSinkParam0 |
| tests.cpp:132:24:132:24 | x |
| tests.cpp:138:8:138:8 | operator= |
| tests.cpp:138:8:138:8 | operator= |
| tests.cpp:138:8:138:18 | MyContainer |
| tests.cpp:139:6:139:10 | value |
| tests.cpp:140:6:140:11 | value2 |
| tests.cpp:141:7:141:9 | ptr |
| tests.cpp:144:5:144:19 | madArg0ToReturn |
| tests.cpp:144:25:144:25 | x |
| tests.cpp:145:6:145:28 | madArg0ToReturnIndirect |
| tests.cpp:145:34:145:34 | x |
| tests.cpp:146:5:146:15 | notASummary |
| tests.cpp:146:21:146:21 | x |
| tests.cpp:147:5:147:28 | madArg0ToReturnValueFlow |
| tests.cpp:147:34:147:34 | x |
| tests.cpp:148:5:148:27 | madArg0IndirectToReturn |
| tests.cpp:148:34:148:34 | x |
| tests.cpp:149:5:149:33 | madArg0DoubleIndirectToReturn |
| tests.cpp:149:41:149:41 | x |
| tests.cpp:150:5:150:30 | madArg0NotIndirectToReturn |
| tests.cpp:150:37:150:37 | x |
| tests.cpp:151:6:151:26 | madArg0ToArg1Indirect |
| tests.cpp:151:32:151:32 | x |
| tests.cpp:151:40:151:40 | y |
| tests.cpp:152:6:152:34 | madArg0IndirectToArg1Indirect |
| tests.cpp:152:47:152:47 | x |
| tests.cpp:152:55:152:55 | y |
| tests.cpp:153:5:153:18 | madArgsComplex |
| tests.cpp:153:25:153:25 | a |
| tests.cpp:153:33:153:33 | b |
| tests.cpp:153:40:153:40 | c |
| tests.cpp:153:47:153:47 | d |
| tests.cpp:154:5:154:14 | madArgsAny |
| tests.cpp:154:20:154:20 | a |
| tests.cpp:154:28:154:28 | b |
| tests.cpp:155:5:155:28 | madAndImplementedComplex |
| tests.cpp:155:34:155:34 | a |
| tests.cpp:155:41:155:41 | b |
| tests.cpp:155:48:155:48 | c |
| tests.cpp:160:5:160:24 | madArg0FieldToReturn |
| tests.cpp:160:38:160:39 | mc |
| tests.cpp:161:5:161:32 | madArg0IndirectFieldToReturn |
| tests.cpp:161:47:161:48 | mc |
| tests.cpp:162:5:162:32 | madArg0FieldIndirectToReturn |
| tests.cpp:162:46:162:47 | mc |
| tests.cpp:163:13:163:32 | madArg0ToReturnField |
| tests.cpp:163:38:163:38 | x |
| tests.cpp:164:14:164:41 | madArg0ToReturnIndirectField |
| tests.cpp:164:47:164:47 | x |
| tests.cpp:165:13:165:40 | madArg0ToReturnFieldIndirect |
| tests.cpp:165:46:165:46 | x |
| tests.cpp:167:13:167:30 | madFieldToFieldVar |
| tests.cpp:168:13:168:38 | madFieldToIndirectFieldVar |
| tests.cpp:169:14:169:39 | madIndirectFieldToFieldVar |
| tests.cpp:171:6:171:19 | test_summaries |
| tests.cpp:174:6:174:6 | a |
| tests.cpp:174:9:174:9 | b |
| tests.cpp:174:12:174:12 | c |
| tests.cpp:174:15:174:15 | d |
| tests.cpp:174:18:174:18 | e |
| tests.cpp:175:7:175:11 | a_ptr |
| tests.cpp:218:14:218:16 | mc1 |
| tests.cpp:218:19:218:21 | mc2 |
| tests.cpp:237:15:237:18 | rtn1 |
| tests.cpp:240:14:240:17 | rtn2 |
| tests.cpp:241:7:241:14 | rtn2_ptr |
| tests.cpp:267:7:267:7 | operator= |
| tests.cpp:267:7:267:7 | operator= |
| tests.cpp:267:7:267:13 | MyClass |
| tests.cpp:270:6:270:26 | memberRemoteMadSource |
| tests.cpp:271:7:271:39 | memberRemoteMadSourceIndirectArg0 |
| tests.cpp:271:46:271:46 | x |
| tests.cpp:272:6:272:29 | memberRemoteMadSourceVar |
| tests.cpp:273:7:273:21 | qualifierSource |
| tests.cpp:274:7:274:26 | qualifierFieldSource |
| tests.cpp:277:7:277:23 | memberMadSinkArg0 |
| tests.cpp:277:29:277:29 | x |
| tests.cpp:278:6:278:21 | memberMadSinkVar |
| tests.cpp:279:7:279:19 | qualifierSink |
| tests.cpp:280:7:280:23 | qualifierArg0Sink |
| tests.cpp:280:29:280:29 | x |
| tests.cpp:281:7:281:24 | qualifierFieldSink |
| tests.cpp:284:7:284:19 | madArg0ToSelf |
| tests.cpp:284:25:284:25 | x |
| tests.cpp:285:6:285:20 | madSelfToReturn |
| tests.cpp:286:6:286:16 | notASummary |
| tests.cpp:287:7:287:20 | madArg0ToField |
| tests.cpp:287:26:287:26 | x |
| tests.cpp:288:6:288:21 | madFieldToReturn |
| tests.cpp:290:6:290:8 | val |
| tests.cpp:293:7:293:7 | MyDerivedClass |
| tests.cpp:293:7:293:7 | operator= |
| tests.cpp:293:7:293:7 | operator= |
| tests.cpp:293:7:293:20 | MyDerivedClass |
| tests.cpp:295:6:295:28 | subtypeRemoteMadSource1 |
| tests.cpp:296:6:296:21 | subtypeNonSource |
| tests.cpp:297:6:297:28 | subtypeRemoteMadSource2 |
| tests.cpp:300:9:300:15 | source2 |
| tests.cpp:301:6:301:9 | sink |
| tests.cpp:301:19:301:20 | mc |
| tests.cpp:304:8:304:8 | operator= |
| tests.cpp:304:8:304:8 | operator= |
| tests.cpp:304:8:304:14 | MyClass |
| tests.cpp:307:8:307:33 | namespaceMemberMadSinkArg0 |
| tests.cpp:307:39:307:39 | x |
| tests.cpp:308:15:308:46 | namespaceStaticMemberMadSinkArg0 |
| tests.cpp:308:52:308:52 | x |
| tests.cpp:309:7:309:31 | namespaceMemberMadSinkVar |
| tests.cpp:310:14:310:44 | namespaceStaticMemberMadSinkVar |
| tests.cpp:313:7:313:30 | namespaceMadSelfToReturn |
| tests.cpp:317:22:317:28 | source3 |
| tests.cpp:319:6:319:23 | test_class_members |
| tests.cpp:320:10:320:11 | mc |
| tests.cpp:320:14:320:16 | mc2 |
| tests.cpp:320:19:320:21 | mc3 |
| tests.cpp:320:24:320:26 | mc4 |
| tests.cpp:320:29:320:31 | mc5 |
| tests.cpp:320:34:320:36 | mc6 |
| tests.cpp:320:39:320:41 | mc7 |
| tests.cpp:320:44:320:46 | mc8 |
| tests.cpp:320:49:320:51 | mc9 |
| tests.cpp:320:54:320:57 | mc10 |
| tests.cpp:320:60:320:63 | mc11 |
| tests.cpp:321:11:321:13 | ptr |
| tests.cpp:321:17:321:23 | mc4_ptr |
| tests.cpp:322:17:322:19 | mdc |
| tests.cpp:323:23:323:25 | mnc |
| tests.cpp:323:28:323:31 | mnc2 |
| tests.cpp:324:24:324:31 | mnc2_ptr |
| tests.cpp:330:6:330:6 | a |
| tests.cpp:429:8:429:8 | operator= |
| tests.cpp:429:8:429:8 | operator= |
| tests.cpp:429:8:429:14 | intPair |
| tests.cpp:430:6:430:10 | first |
| tests.cpp:431:6:431:11 | second |
| tests.cpp:434:5:434:29 | madCallArg0ReturnToReturn |
| tests.cpp:434:37:434:43 | fun_ptr |
| tests.cpp:435:9:435:38 | madCallArg0ReturnToReturnFirst |
| tests.cpp:435:46:435:52 | fun_ptr |
| tests.cpp:436:6:436:25 | madCallArg0WithValue |
| tests.cpp:436:34:436:40 | fun_ptr |
| tests.cpp:436:53:436:57 | value |
| tests.cpp:437:5:437:36 | madCallReturnValueIgnoreFunction |
| tests.cpp:437:45:437:51 | fun_ptr |
| tests.cpp:437:64:437:68 | value |
| tests.cpp:439:5:439:14 | getTainted |
| tests.cpp:440:6:440:13 | useValue |
| tests.cpp:440:19:440:19 | x |
| tests.cpp:441:6:441:17 | dontUseValue |
| tests.cpp:441:23:441:23 | x |
| tests.cpp:443:6:443:27 | test_function_pointers |
| tests.cpp:456:19:456:19 | X |
| tests.cpp:457:8:457:35 | StructWithTypedefInParameter<X> |
| tests.cpp:457:8:457:35 | StructWithTypedefInParameter<int> |
| tests.cpp:458:12:458:15 | Type |
| tests.cpp:459:5:459:31 | parameter_ref_to_return_ref |
| tests.cpp:459:5:459:31 | parameter_ref_to_return_ref |
| tests.cpp:459:45:459:45 | x |
| tests.cpp:459:45:459:45 | x |
| tests.cpp:462:6:462:37 | test_parameter_ref_to_return_ref |
| tests.cpp:463:6:463:6 | x |
| tests.cpp:464:36:464:36 | s |
| tests.cpp:465:6:465:6 | y |
| tests.cpp:469:7:469:9 | INT |
| tests.cpp:471:5:471:17 | receive_array |
| tests.cpp:471:23:471:23 | a |
| tests.cpp:473:6:473:23 | test_receive_array |
| tests.cpp:474:6:474:6 | x |
| tests.cpp:475:6:475:10 | array |
| tests.cpp:476:6:476:6 | y |

9
cpp/ql/test/library-tests/dataflow/models-as-data/SummaryCall.ql
View File

@@ -1,9 +0,0 @@
import testModels
private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
query predicate summaryCalls(SummaryCall c) { any() }
query predicate summarizedCallables(SummarizedCallable c) { any() }
query predicate sourceCallables(SourceCallable c) { c.getLocation().getFile().toString() != "" }

29
cpp/ql/test/library-tests/dataflow/models-as-data/consistency.expected
View File

@@ -1,29 +0,0 @@
uniqueEnclosingCallable
uniqueCallEnclosingCallable
uniqueType
uniqueNodeLocation
missingLocation
uniqueNodeToString
parameterCallable
localFlowIsLocal
readStepIsLocal
storeStepIsLocal
compatibleTypesReflexive
unreachableNodeCCtx
localCallNodes
postIsNotPre
postHasUniquePre
uniquePostUpdate
postIsInSameCallable
reverseRead
argHasPostUpdate
postWithInFlow
viableImplInCallContextTooLarge
uniqueParameterNodeAtPosition
uniqueParameterNodePosition
uniqueContentApprox
identityLocalStep
missingArgumentCall
multipleArgumentCall
lambdaCallEnclosingCallableMismatch
speculativeStepAlreadyHasModel

2
cpp/ql/test/library-tests/dataflow/models-as-data/consistency.ql
View File

@@ -1,2 +0,0 @@
import testModels
import semmle.code.cpp.ir.dataflow.internal.DataFlowImplConsistency::Consistency

0
cpp/ql/test/library-tests/dataflow/models-as-data/interpretElement.expected
View File

18
cpp/ql/test/library-tests/dataflow/models-as-data/interpretElement.ql
View File

@@ -1,18 +0,0 @@
import utils.test.InlineExpectationsTest
import testModels
module InterpretElementTest implements TestSig {
string getARelevantTag() { result = "interpretElement" }
predicate hasActualResult(Location location, string element, string tag, string value) {
exists(Element e |
e = interpretElement(_, _, _, _, _, _) and
location = e.getLocation() and
element = e.toString() and
tag = "interpretElement" and
value = ""
)
}
}
import MakeTest<InterpretElementTest>

0
cpp/ql/test/library-tests/dataflow/models-as-data/taint.expected
View File

32
cpp/ql/test/library-tests/dataflow/models-as-data/taint.ql
View File

@@ -1,32 +0,0 @@
import utils.test.dataflow.FlowTestCommon
import testModels
module IRTest {
private import semmle.code.cpp.ir.IR
private import semmle.code.cpp.ir.dataflow.TaintTracking
/** Common data flow configuration to be used by tests. */
module TestAllocationConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source instanceof FlowSource
or
source.asExpr().(FunctionCall).getTarget().getName() =
["source", "source2", "source3", "sourcePtr"]
or
source.asIndirectExpr(1).(FunctionCall).getTarget().getName() = "sourceIndirect"
}
predicate isSink(DataFlow::Node sink) {
sinkNode(sink, "test-sink")
or
exists(FunctionCall call |
call.getTarget().getName() = "sink" and
sink.asExpr() = call.getAnArgument()
)
}
}
module IRFlow = TaintTracking::Global<TestAllocationConfig>;
}
import MakeTest<IRFlowTest<IRTest::IRFlow>>

298
cpp/ql/test/library-tests/dataflow/models-as-data/FlowSummaryNode.expected → cpp/ql/test/library-tests/dataflow/models-as-data/testModels.expected
View File

@@ -1,3 +1,301 @@
uniqueEnclosingCallable
uniqueCallEnclosingCallable
uniqueType
uniqueNodeLocation
missingLocation
uniqueNodeToString
parameterCallable
localFlowIsLocal
readStepIsLocal
storeStepIsLocal
compatibleTypesReflexive
unreachableNodeCCtx
localCallNodes
postIsNotPre
postHasUniquePre
uniquePostUpdate
postIsInSameCallable
reverseRead
argHasPostUpdate
postWithInFlow
viableImplInCallContextTooLarge
uniqueParameterNodeAtPosition
uniqueParameterNodePosition
uniqueContentApprox
identityLocalStep
missingArgumentCall
multipleArgumentCall
lambdaCallEnclosingCallableMismatch
speculativeStepAlreadyHasModel
testFailures
summaryCalls
| file://:0:0:0:0 | [summary] call to [summary param] 0 in madCallArg0ReturnToReturn in madCallArg0ReturnToReturn |
| file://:0:0:0:0 | [summary] call to [summary param] 0 in madCallArg0ReturnToReturnFirst in madCallArg0ReturnToReturnFirst |
| file://:0:0:0:0 | [summary] call to [summary param] 0 in madCallArg0WithValue in madCallArg0WithValue |
summarizedCallables
| tests.cpp:144:5:144:19 | madArg0ToReturn |
| tests.cpp:145:6:145:28 | madArg0ToReturnIndirect |
| tests.cpp:147:5:147:28 | madArg0ToReturnValueFlow |
| tests.cpp:148:5:148:27 | madArg0IndirectToReturn |
| tests.cpp:149:5:149:33 | madArg0DoubleIndirectToReturn |
| tests.cpp:150:5:150:30 | madArg0NotIndirectToReturn |
| tests.cpp:151:6:151:26 | madArg0ToArg1Indirect |
| tests.cpp:152:6:152:34 | madArg0IndirectToArg1Indirect |
| tests.cpp:153:5:153:18 | madArgsComplex |
| tests.cpp:154:5:154:14 | madArgsAny |
| tests.cpp:155:5:155:28 | madAndImplementedComplex |
| tests.cpp:160:5:160:24 | madArg0FieldToReturn |
| tests.cpp:161:5:161:32 | madArg0IndirectFieldToReturn |
| tests.cpp:162:5:162:32 | madArg0FieldIndirectToReturn |
| tests.cpp:163:13:163:32 | madArg0ToReturnField |
| tests.cpp:164:14:164:41 | madArg0ToReturnIndirectField |
| tests.cpp:165:13:165:40 | madArg0ToReturnFieldIndirect |
| tests.cpp:284:7:284:19 | madArg0ToSelf |
| tests.cpp:285:6:285:20 | madSelfToReturn |
| tests.cpp:287:7:287:20 | madArg0ToField |
| tests.cpp:288:6:288:21 | madFieldToReturn |
| tests.cpp:313:7:313:30 | namespaceMadSelfToReturn |
| tests.cpp:434:5:434:29 | madCallArg0ReturnToReturn |
| tests.cpp:435:9:435:38 | madCallArg0ReturnToReturnFirst |
| tests.cpp:436:6:436:25 | madCallArg0WithValue |
| tests.cpp:437:5:437:36 | madCallReturnValueIgnoreFunction |
| tests.cpp:459:5:459:31 | parameter_ref_to_return_ref |
| tests.cpp:471:5:471:17 | receive_array |
sourceCallables
| tests.cpp:3:5:3:10 | source |
| tests.cpp:4:6:4:14 | sourcePtr |
| tests.cpp:5:6:5:19 | sourceIndirect |
| tests.cpp:6:6:6:9 | sink |
| tests.cpp:6:15:6:17 | val |
| tests.cpp:7:6:7:9 | sink |
| tests.cpp:7:16:7:18 | ptr |
| tests.cpp:11:5:11:18 | localMadSource |
| tests.cpp:12:5:12:19 | remoteMadSource |
| tests.cpp:13:5:13:14 | notASource |
| tests.cpp:14:5:14:22 | localMadSourceVoid |
| tests.cpp:15:5:15:25 | localMadSourceHasBody |
| tests.cpp:16:6:16:28 | remoteMadSourceIndirect |
| tests.cpp:17:7:17:35 | remoteMadSourceDoubleIndirect |
| tests.cpp:18:6:18:32 | remoteMadSourceIndirectArg0 |
| tests.cpp:18:39:18:39 | x |
| tests.cpp:18:47:18:47 | y |
| tests.cpp:19:6:19:32 | remoteMadSourceIndirectArg1 |
| tests.cpp:19:39:19:39 | x |
| tests.cpp:19:47:19:47 | y |
| tests.cpp:20:5:20:22 | remoteMadSourceVar |
| tests.cpp:21:6:21:31 | remoteMadSourceVarIndirect |
| tests.cpp:24:6:24:28 | namespaceLocalMadSource |
| tests.cpp:25:6:25:31 | namespaceLocalMadSourceVar |
| tests.cpp:28:7:28:30 | namespace2LocalMadSource |
| tests.cpp:31:6:31:19 | localMadSource |
| tests.cpp:33:5:33:27 | namespaceLocalMadSource |
| tests.cpp:35:6:35:17 | test_sources |
| tests.cpp:50:6:50:6 | v |
| tests.cpp:51:7:51:16 | v_indirect |
| tests.cpp:52:6:52:13 | v_direct |
| tests.cpp:63:6:63:6 | a |
| tests.cpp:63:9:63:9 | b |
| tests.cpp:63:12:63:12 | c |
| tests.cpp:63:15:63:15 | d |
| tests.cpp:75:6:75:6 | e |
| tests.cpp:85:6:85:26 | remoteMadSourceParam0 |
| tests.cpp:85:32:85:32 | x |
| tests.cpp:92:6:92:16 | madSinkArg0 |
| tests.cpp:92:22:92:22 | x |
| tests.cpp:93:6:93:13 | notASink |
| tests.cpp:93:19:93:19 | x |
| tests.cpp:94:6:94:16 | madSinkArg1 |
| tests.cpp:94:22:94:22 | x |
| tests.cpp:94:29:94:29 | y |
| tests.cpp:95:6:95:17 | madSinkArg01 |
| tests.cpp:95:23:95:23 | x |
| tests.cpp:95:30:95:30 | y |
| tests.cpp:95:37:95:37 | z |
| tests.cpp:96:6:96:17 | madSinkArg02 |
| tests.cpp:96:23:96:23 | x |
| tests.cpp:96:30:96:30 | y |
| tests.cpp:96:37:96:37 | z |
| tests.cpp:97:6:97:24 | madSinkIndirectArg0 |
| tests.cpp:97:31:97:31 | x |
| tests.cpp:98:6:98:30 | madSinkDoubleIndirectArg0 |
| tests.cpp:98:38:98:38 | x |
| tests.cpp:99:5:99:14 | madSinkVar |
| tests.cpp:100:6:100:23 | madSinkVarIndirect |
| tests.cpp:102:6:102:15 | test_sinks |
| tests.cpp:116:6:116:6 | a |
| tests.cpp:117:7:117:11 | a_ptr |
| tests.cpp:132:6:132:18 | madSinkParam0 |
| tests.cpp:132:24:132:24 | x |
| tests.cpp:138:8:138:8 | operator= |
| tests.cpp:138:8:138:8 | operator= |
| tests.cpp:138:8:138:18 | MyContainer |
| tests.cpp:139:6:139:10 | value |
| tests.cpp:140:6:140:11 | value2 |
| tests.cpp:141:7:141:9 | ptr |
| tests.cpp:144:5:144:19 | madArg0ToReturn |
| tests.cpp:144:25:144:25 | x |
| tests.cpp:145:6:145:28 | madArg0ToReturnIndirect |
| tests.cpp:145:34:145:34 | x |
| tests.cpp:146:5:146:15 | notASummary |
| tests.cpp:146:21:146:21 | x |
| tests.cpp:147:5:147:28 | madArg0ToReturnValueFlow |
| tests.cpp:147:34:147:34 | x |
| tests.cpp:148:5:148:27 | madArg0IndirectToReturn |
| tests.cpp:148:34:148:34 | x |
| tests.cpp:149:5:149:33 | madArg0DoubleIndirectToReturn |
| tests.cpp:149:41:149:41 | x |
| tests.cpp:150:5:150:30 | madArg0NotIndirectToReturn |
| tests.cpp:150:37:150:37 | x |
| tests.cpp:151:6:151:26 | madArg0ToArg1Indirect |
| tests.cpp:151:32:151:32 | x |
| tests.cpp:151:40:151:40 | y |
| tests.cpp:152:6:152:34 | madArg0IndirectToArg1Indirect |
| tests.cpp:152:47:152:47 | x |
| tests.cpp:152:55:152:55 | y |
| tests.cpp:153:5:153:18 | madArgsComplex |
| tests.cpp:153:25:153:25 | a |
| tests.cpp:153:33:153:33 | b |
| tests.cpp:153:40:153:40 | c |
| tests.cpp:153:47:153:47 | d |
| tests.cpp:154:5:154:14 | madArgsAny |
| tests.cpp:154:20:154:20 | a |
| tests.cpp:154:28:154:28 | b |
| tests.cpp:155:5:155:28 | madAndImplementedComplex |
| tests.cpp:155:34:155:34 | a |
| tests.cpp:155:41:155:41 | b |
| tests.cpp:155:48:155:48 | c |
| tests.cpp:160:5:160:24 | madArg0FieldToReturn |
| tests.cpp:160:38:160:39 | mc |
| tests.cpp:161:5:161:32 | madArg0IndirectFieldToReturn |
| tests.cpp:161:47:161:48 | mc |
| tests.cpp:162:5:162:32 | madArg0FieldIndirectToReturn |
| tests.cpp:162:46:162:47 | mc |
| tests.cpp:163:13:163:32 | madArg0ToReturnField |
| tests.cpp:163:38:163:38 | x |
| tests.cpp:164:14:164:41 | madArg0ToReturnIndirectField |
| tests.cpp:164:47:164:47 | x |
| tests.cpp:165:13:165:40 | madArg0ToReturnFieldIndirect |
| tests.cpp:165:46:165:46 | x |
| tests.cpp:167:13:167:30 | madFieldToFieldVar |
| tests.cpp:168:13:168:38 | madFieldToIndirectFieldVar |
| tests.cpp:169:14:169:39 | madIndirectFieldToFieldVar |
| tests.cpp:171:6:171:19 | test_summaries |
| tests.cpp:174:6:174:6 | a |
| tests.cpp:174:9:174:9 | b |
| tests.cpp:174:12:174:12 | c |
| tests.cpp:174:15:174:15 | d |
| tests.cpp:174:18:174:18 | e |
| tests.cpp:175:7:175:11 | a_ptr |
| tests.cpp:218:14:218:16 | mc1 |
| tests.cpp:218:19:218:21 | mc2 |
| tests.cpp:237:15:237:18 | rtn1 |
| tests.cpp:240:14:240:17 | rtn2 |
| tests.cpp:241:7:241:14 | rtn2_ptr |
| tests.cpp:267:7:267:7 | operator= |
| tests.cpp:267:7:267:7 | operator= |
| tests.cpp:267:7:267:13 | MyClass |
| tests.cpp:270:6:270:26 | memberRemoteMadSource |
| tests.cpp:271:7:271:39 | memberRemoteMadSourceIndirectArg0 |
| tests.cpp:271:46:271:46 | x |
| tests.cpp:272:6:272:29 | memberRemoteMadSourceVar |
| tests.cpp:273:7:273:21 | qualifierSource |
| tests.cpp:274:7:274:26 | qualifierFieldSource |
| tests.cpp:277:7:277:23 | memberMadSinkArg0 |
| tests.cpp:277:29:277:29 | x |
| tests.cpp:278:6:278:21 | memberMadSinkVar |
| tests.cpp:279:7:279:19 | qualifierSink |
| tests.cpp:280:7:280:23 | qualifierArg0Sink |
| tests.cpp:280:29:280:29 | x |
| tests.cpp:281:7:281:24 | qualifierFieldSink |
| tests.cpp:284:7:284:19 | madArg0ToSelf |
| tests.cpp:284:25:284:25 | x |
| tests.cpp:285:6:285:20 | madSelfToReturn |
| tests.cpp:286:6:286:16 | notASummary |
| tests.cpp:287:7:287:20 | madArg0ToField |
| tests.cpp:287:26:287:26 | x |
| tests.cpp:288:6:288:21 | madFieldToReturn |
| tests.cpp:290:6:290:8 | val |
| tests.cpp:293:7:293:7 | MyDerivedClass |
| tests.cpp:293:7:293:7 | operator= |
| tests.cpp:293:7:293:7 | operator= |
| tests.cpp:293:7:293:20 | MyDerivedClass |
| tests.cpp:295:6:295:28 | subtypeRemoteMadSource1 |
| tests.cpp:296:6:296:21 | subtypeNonSource |
| tests.cpp:297:6:297:28 | subtypeRemoteMadSource2 |
| tests.cpp:300:9:300:15 | source2 |
| tests.cpp:301:6:301:9 | sink |
| tests.cpp:301:19:301:20 | mc |
| tests.cpp:304:8:304:8 | operator= |
| tests.cpp:304:8:304:8 | operator= |
| tests.cpp:304:8:304:14 | MyClass |
| tests.cpp:307:8:307:33 | namespaceMemberMadSinkArg0 |
| tests.cpp:307:39:307:39 | x |
| tests.cpp:308:15:308:46 | namespaceStaticMemberMadSinkArg0 |
| tests.cpp:308:52:308:52 | x |
| tests.cpp:309:7:309:31 | namespaceMemberMadSinkVar |
| tests.cpp:310:14:310:44 | namespaceStaticMemberMadSinkVar |
| tests.cpp:313:7:313:30 | namespaceMadSelfToReturn |
| tests.cpp:317:22:317:28 | source3 |
| tests.cpp:319:6:319:23 | test_class_members |
| tests.cpp:320:10:320:11 | mc |
| tests.cpp:320:14:320:16 | mc2 |
| tests.cpp:320:19:320:21 | mc3 |
| tests.cpp:320:24:320:26 | mc4 |
| tests.cpp:320:29:320:31 | mc5 |
| tests.cpp:320:34:320:36 | mc6 |
| tests.cpp:320:39:320:41 | mc7 |
| tests.cpp:320:44:320:46 | mc8 |
| tests.cpp:320:49:320:51 | mc9 |
| tests.cpp:320:54:320:57 | mc10 |
| tests.cpp:320:60:320:63 | mc11 |
| tests.cpp:321:11:321:13 | ptr |
| tests.cpp:321:17:321:23 | mc4_ptr |
| tests.cpp:322:17:322:19 | mdc |
| tests.cpp:323:23:323:25 | mnc |
| tests.cpp:323:28:323:31 | mnc2 |
| tests.cpp:324:24:324:31 | mnc2_ptr |
| tests.cpp:330:6:330:6 | a |
| tests.cpp:429:8:429:8 | operator= |
| tests.cpp:429:8:429:8 | operator= |
| tests.cpp:429:8:429:14 | intPair |
| tests.cpp:430:6:430:10 | first |
| tests.cpp:431:6:431:11 | second |
| tests.cpp:434:5:434:29 | madCallArg0ReturnToReturn |
| tests.cpp:434:37:434:43 | fun_ptr |
| tests.cpp:435:9:435:38 | madCallArg0ReturnToReturnFirst |
| tests.cpp:435:46:435:52 | fun_ptr |
| tests.cpp:436:6:436:25 | madCallArg0WithValue |
| tests.cpp:436:34:436:40 | fun_ptr |
| tests.cpp:436:53:436:57 | value |
| tests.cpp:437:5:437:36 | madCallReturnValueIgnoreFunction |
| tests.cpp:437:45:437:51 | fun_ptr |
| tests.cpp:437:64:437:68 | value |
| tests.cpp:439:5:439:14 | getTainted |
| tests.cpp:440:6:440:13 | useValue |
| tests.cpp:440:19:440:19 | x |
| tests.cpp:441:6:441:17 | dontUseValue |
| tests.cpp:441:23:441:23 | x |
| tests.cpp:443:6:443:27 | test_function_pointers |
| tests.cpp:456:19:456:19 | X |
| tests.cpp:457:8:457:35 | StructWithTypedefInParameter<X> |
| tests.cpp:457:8:457:35 | StructWithTypedefInParameter<int> |
| tests.cpp:458:12:458:15 | Type |
| tests.cpp:459:5:459:31 | parameter_ref_to_return_ref |
| tests.cpp:459:5:459:31 | parameter_ref_to_return_ref |
| tests.cpp:459:45:459:45 | x |
| tests.cpp:459:45:459:45 | x |
| tests.cpp:462:6:462:37 | test_parameter_ref_to_return_ref |
| tests.cpp:463:6:463:6 | x |
| tests.cpp:464:36:464:36 | s |
| tests.cpp:465:6:465:6 | y |
| tests.cpp:469:7:469:9 | INT |
| tests.cpp:471:5:471:17 | receive_array |
| tests.cpp:471:23:471:23 | a |
| tests.cpp:473:6:473:23 | test_receive_array |
| tests.cpp:474:6:474:6 | x |
| tests.cpp:475:6:475:10 | array |
| tests.cpp:476:6:476:6 | y |
flowSummaryNode
| tests.cpp:144:5:144:19 | [summary param] 0 in madArg0ToReturn | ParameterNode | madArg0ToReturn | madArg0ToReturn |
| tests.cpp:144:5:144:19 | [summary] to write: ReturnValue in madArg0ToReturn | ReturnNode | madArg0ToReturn | madArg0ToReturn |
| tests.cpp:145:6:145:28 | [summary param] 0 in madArg0ToReturnIndirect | ParameterNode | madArg0ToReturnIndirect | madArg0ToReturnIndirect |

84
cpp/ql/test/library-tests/dataflow/models-as-data/testModels.ext.yml Normal file
View File

@@ -0,0 +1,84 @@
extensions:
- addsTo:
pack: codeql/cpp-all
extensible: sourceModel
data: # namespace, type, subtypes, name, signature, ext, output, kind, provenance
- ["", "", False, "localMadSource", "", "", "ReturnValue", "local", "manual"]
- ["", "", False, "remoteMadSource", "", "", "ReturnValue", "remote", "manual"]
- ["", "", False, "localMadSourceVoid", "", "", "ReturnValue", "local", "manual"]
- ["", "", False, "localMadSourceHasBody", "", "", "ReturnValue", "local", "manual"]
- ["", "", False, "remoteMadSourceIndirect", "", "", "ReturnValue[*]", "remote", "manual"]
- ["", "", False, "remoteMadSourceDoubleIndirect", "", "", "ReturnValue[**]", "remote", "manual"]
- ["", "", False, "remoteMadSourceIndirectArg0", "", "", "Argument[*0]", "remote", "manual"]
- ["", "", False, "remoteMadSourceIndirectArg1", "", "", "Argument[*1]", "remote", "manual"]
- ["", "", False, "remoteMadSourceVar", "", "", "", "remote", "manual"]
- ["", "", False, "remoteMadSourceVarIndirect", "", "", "*", "remote", "manual"] # we can't express this source/sink correctly at present, "*" is not a valid access path
- ["", "", False, "remoteMadSourceParam0", "", "", "Parameter[0]", "remote", "manual"]
- ["MyNamespace", "", False, "namespaceLocalMadSource", "", "", "ReturnValue", "local", "manual"]
- ["MyNamespace", "", False, "namespaceLocalMadSourceVar", "", "", "", "local", "manual"]
- ["MyNamespace::MyNamespace2", "", False, "namespace2LocalMadSource", "", "", "ReturnValue", "local", "manual"]
- ["", "MyClass", True, "memberRemoteMadSource", "", "", "ReturnValue", "remote", "manual"]
- ["", "MyClass", True, "memberRemoteMadSourceIndirectArg0", "", "", "Argument[*0]", "remote", "manual"]
- ["", "MyClass", True, "memberRemoteMadSourceVar", "", "", "", "remote", "manual"]
- ["", "MyClass", True, "subtypeRemoteMadSource1", "", "", "ReturnValue", "remote", "manual"]
- ["", "MyClass", False, "subtypeNonSource", "", "", "ReturnValue", "remote", "manual"] # the tests define this in MyDerivedClass, so it should *not* be recongized as a source
- ["", "MyClass", True, "qualifierSource", "", "", "Argument[-1]", "remote", "manual"]
- ["", "MyClass", True, "qualifierFieldSource", "", "", "Argument[-1].val", "remote", "manual"]
- ["", "MyDerivedClass", False, "subtypeRemoteMadSource2", "", "", "ReturnValue", "remote", "manual"]
- addsTo:
pack: codeql/cpp-all
extensible: sinkModel
data: # namespace, type, subtypes, name, signature, ext, input, kind, provenance
- ["", "", False, "madSinkArg0", "", "", "Argument[0]", "test-sink", "manual"]
- ["", "", False, "madSinkArg1", "", "", "Argument[1]", "test-sink", "manual"]
- ["", "", False, "madSinkArg01", "", "", "Argument[0..1]", "test-sink", "manual"]
- ["", "", False, "madSinkArg02", "", "", "Argument[0,2]", "test-sink", "manual"]
- ["", "", False, "madSinkIndirectArg0", "", "", "Argument[*0]", "test-sink", "manual"]
- ["", "", False, "madSinkDoubleIndirectArg0", "", "", "Argument[**0]", "test-sink", "manual"]
- ["", "", False, "madSinkVar", "", "", "", "test-sink", "manual"]
- ["", "", False, "madSinkVarIndirect", "", "", "*", "test-sink", "manual"] # we can't express this source/sink correctly at present, "*" is not a valid access path
- ["", "", False, "madSinkParam0", "", "", "Parameter[0]", "test-sink", "manual"]
- ["", "MyClass", True, "memberMadSinkArg0", "", "", "Argument[0]", "test-sink", "manual"]
- ["", "MyClass", True, "memberMadSinkVar", "", "", "", "test-sink", "manual"]
- ["", "MyClass", True, "qualifierSink", "", "", "Argument[-1]", "test-sink", "manual"]
- ["", "MyClass", True, "qualifierArg0Sink", "", "", "Argument[-1..0]", "test-sink", "manual"]
- ["", "MyClass", True, "qualifierFieldSink", "", "", "Argument[-1].val", "test-sink", "manual"]
- ["MyNamespace", "MyClass", True, "namespaceMemberMadSinkArg0", "", "", "Argument[0]", "test-sink", "manual"]
- ["MyNamespace", "MyClass", True, "namespaceStaticMemberMadSinkArg0", "", "", "Argument[0]", "test-sink", "manual"]
- ["MyNamespace", "MyClass", True, "namespaceMemberMadSinkVar", "", "", "", "test-sink", "manual"]
- ["MyNamespace", "MyClass", True, "namespaceStaticMemberMadSinkVar", "", "", "", "test-sink", "manual"]
- addsTo:
pack: codeql/cpp-all
extensible: summaryModel
data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
- ["", "", False, "madArg0ToReturn", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["", "", False, "madArg0ToReturnIndirect", "", "", "Argument[0]", "ReturnValue[*]", "taint", "manual"]
- ["", "", False, "madArg0ToReturnValueFlow", "", "", "Argument[0]", "ReturnValue", "value", "manual"]
- ["", "", False, "madArg0IndirectToReturn", "", "", "Argument[*0]", "ReturnValue", "taint", "manual"]
- ["", "", False, "madArg0DoubleIndirectToReturn", "", "", "Argument[**0]", "ReturnValue", "taint", "manual"]
- ["", "", False, "madArg0NotIndirectToReturn", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["", "", False, "madArg0ToArg1Indirect", "", "", "Argument[0]", "Argument[*1]", "taint", "manual"]
- ["", "", False, "madArg0IndirectToArg1Indirect", "", "", "Argument[*0]", "Argument[*1]", "taint", "manual"]
- ["", "", False, "madArgsComplex", "", "", "Argument[*0..1,2]", "ReturnValue", "taint", "manual"]
- ["", "", False, "madAndImplementedComplex", "", "", "Argument[2]", "ReturnValue", "taint", "manual"]
- ["", "", False, "madArgsAny", "", "", "Argument", "ReturnValue", "taint", "manual"] # we can't express this source/sink correctly at present, "Argument" is not a valid input
- ["", "", False, "madArg0FieldToReturn", "", "", "Argument[0].Field[value]", "ReturnValue", "taint", "manual"]
- ["", "", False, "madArg0IndirectFieldToReturn", "", "", "Argument[*0].Field[value]", "ReturnValue", "taint", "manual"]
- ["", "", False, "madArg0FieldIndirectToReturn", "", "", "Argument[0].Field[*ptr]", "ReturnValue", "taint", "manual"]
- ["", "", False, "madArg0ToReturnField", "", "", "Argument[0]", "ReturnValue.Field[value]", "taint", "manual"]
- ["", "", False, "madArg0ToReturnIndirectField", "", "", "Argument[0]", "ReturnValue[*].Field[value]", "taint", "manual"]
- ["", "", False, "madArg0ToReturnFieldIndirect", "", "", "Argument[0]", "ReturnValue.Field[*ptr]", "taint", "manual"]
- ["", "", False, "madFieldToFieldVar", "", "", "Field[value]", "Field[value2]", "taint", "manual"] # we can't express this source/sink correctly at present, "Field[value]" is not a valid input and "Field[value2]" is not a valid output
- ["", "", False, "madFieldToIndirectFieldVar", "", "", "Field[value]", "Field[*ptr]", "taint", "manual"] # we can't express this source/sink correctly at present, "Field[value]" is not a valid input and "Field[*ptr]" is not a valid output
- ["", "", False, "madIndirectFieldToFieldVar", "", "", "Field[value]", "Field[value2]", "taint", "manual"] # we can't express this source/sink correctly at present, "Field[value]" is not a valid input and "Field[value2]" is not a valid output
- ["", "MyClass", True, "madArg0ToSelf", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
- ["", "MyClass", True, "madSelfToReturn", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
- ["", "MyClass", True, "madArg0ToField", "", "", "Argument[0]", "Argument[-1].Field[val]", "taint", "manual"]
- ["", "MyClass", True, "madFieldToReturn", "", "", "Argument[-1].Field[val]", "ReturnValue", "taint", "manual"]
- ["MyNamespace", "MyClass", True, "namespaceMadSelfToReturn", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
- ["", "", False, "madCallArg0ReturnToReturn", "", "", "Argument[0].ReturnValue", "ReturnValue", "value", "manual"]
- ["", "", False, "madCallArg0ReturnToReturnFirst", "", "", "Argument[0].ReturnValue", "ReturnValue.Field[first]", "value", "manual"]
- ["", "", False, "madCallArg0WithValue", "", "", "Argument[1]", "Argument[0].Parameter[0]", "value", "manual"]
- ["", "", False, "madCallReturnValueIgnoreFunction", "", "", "Argument[1]", "ReturnValue", "value", "manual"]
- ["", "StructWithTypedefInParameter<T>", True, "parameter_ref_to_return_ref", "(const T &)", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"]
- ["", "", False, "receive_array", "(int[20])", "", "Argument[*0]", "ReturnValue", "taint", "manual"]

74
cpp/ql/test/library-tests/dataflow/models-as-data/testModels.ql Normal file
View File

@@ -0,0 +1,74 @@
import semmle.code.cpp.ir.dataflow.internal.DataFlowImplConsistency::Consistency
import semmle.code.cpp.ir.dataflow.internal.DataFlowNodes
import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
import semmle.code.cpp.security.FlowSources
import utils.test.dataflow.FlowTestCommon
module InterpretElementTest implements TestSig {
string getARelevantTag() { result = "interpretElement" }
predicate hasActualResult(Location location, string element, string tag, string value) {
exists(Element e |
e = interpretElement(_, _, _, _, _, _) and
location = e.getLocation() and
element = e.toString() and
tag = "interpretElement" and
value = ""
)
}
}
query predicate summaryCalls(SummaryCall c) { any() }
query predicate summarizedCallables(SummarizedCallable c) { any() }
query predicate sourceCallables(SourceCallable c) { c.getLocation().getFile().toString() != "" }
module IRTest {
private import semmle.code.cpp.ir.IR
private import semmle.code.cpp.ir.dataflow.TaintTracking
/** Common data flow configuration to be used by tests. */
module TestAllocationConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source instanceof FlowSource
or
source.asExpr().(FunctionCall).getTarget().getName() =
["source", "source2", "source3", "sourcePtr"]
or
source.asIndirectExpr(1).(FunctionCall).getTarget().getName() = "sourceIndirect"
}
predicate isSink(DataFlow::Node sink) {
sinkNode(sink, "test-sink")
or
exists(FunctionCall call |
call.getTarget().getName() = "sink" and
sink.asExpr() = call.getAnArgument()
)
}
}
module IRFlow = TaintTracking::Global<TestAllocationConfig>;
}
import MakeTest<MergeTests<IRFlowTest<IRTest::IRFlow>, InterpretElementTest>>
string describe(DataFlow::Node n) {
n instanceof ParameterNode and result = "ParameterNode"
or
n instanceof PostUpdateNode and result = "PostUpdateNode"
or
n instanceof ArgumentNode and result = "ArgumentNode"
or
n instanceof ReturnNode and result = "ReturnNode"
or
n instanceof OutNode and result = "OutNode"
}
query predicate flowSummaryNode(FlowSummaryNode n, string str1, string str2, string str3) {
str1 = concat(describe(n), ", ") and
str2 = concat(n.getSummarizedCallable().toString(), ", ") and
str3 = concat(n.getEnclosingCallable().toString(), ", ")
}

105
cpp/ql/test/library-tests/dataflow/models-as-data/testModels.qll
View File

@@ -1,105 +0,0 @@
import semmle.code.cpp.security.FlowSources
/**
* Models-as-data source models for this test.
*/
private class TestSources extends SourceModelCsv {
override predicate row(string row) {
row =
[
";;false;localMadSource;;;ReturnValue;local",
";;false;remoteMadSource;;;ReturnValue;remote",
";;false;localMadSourceVoid;;;ReturnValue;local",
";;false;localMadSourceHasBody;;;ReturnValue;local",
";;false;remoteMadSourceIndirect;;;ReturnValue[*];remote",
";;false;remoteMadSourceDoubleIndirect;;;ReturnValue[**];remote",
";;false;remoteMadSourceIndirectArg0;;;Argument[*0];remote",
";;false;remoteMadSourceIndirectArg1;;;Argument[*1];remote",
";;false;remoteMadSourceVar;;;;remote",
";;false;remoteMadSourceVarIndirect;;;*;remote", // not correctly expressed
";;false;remoteMadSourceParam0;;;Parameter[0];remote",
"MyNamespace;;false;namespaceLocalMadSource;;;ReturnValue;local",
"MyNamespace;;false;namespaceLocalMadSourceVar;;;;local",
"MyNamespace::MyNamespace2;;false;namespace2LocalMadSource;;;ReturnValue;local",
";MyClass;true;memberRemoteMadSource;;;ReturnValue;remote",
";MyClass;true;memberRemoteMadSourceIndirectArg0;;;Argument[*0];remote",
";MyClass;true;memberRemoteMadSourceVar;;;;remote",
";MyClass;true;subtypeRemoteMadSource1;;;ReturnValue;remote",
";MyClass;false;subtypeNonSource;;;ReturnValue;remote", // the tests define this in MyDerivedClass, so it should *not* be recongized as a source
";MyClass;true;qualifierSource;;;Argument[-1];remote",
";MyClass;true;qualifierFieldSource;;;Argument[-1].val;remote",
";MyDerivedClass;false;subtypeRemoteMadSource2;;;ReturnValue;remote",
]
}
}
/**
* Models-as-data sink models for this test.
*/
private class TestSinks extends SinkModelCsv {
override predicate row(string row) {
row =
[
";;false;madSinkArg0;;;Argument[0];test-sink",
";;false;madSinkArg1;;;Argument[1];test-sink",
";;false;madSinkArg01;;;Argument[0..1];test-sink",
";;false;madSinkArg02;;;Argument[0,2];test-sink",
";;false;madSinkIndirectArg0;;;Argument[*0];test-sink",
";;false;madSinkDoubleIndirectArg0;;;Argument[**0];test-sink",
";;false;madSinkVar;;;;test-sink",
";;false;madSinkVarIndirect;;;*;test-sink", // not correctly expressed
";;false;madSinkParam0;;;Parameter[0];test-sink",
";MyClass;true;memberMadSinkArg0;;;Argument[0];test-sink",
";MyClass;true;memberMadSinkVar;;;;test-sink",
";MyClass;true;qualifierSink;;;Argument[-1];test-sink",
";MyClass;true;qualifierArg0Sink;;;Argument[-1..0];test-sink",
";MyClass;true;qualifierFieldSink;;;Argument[-1].val;test-sink",
"MyNamespace;MyClass;true;namespaceMemberMadSinkArg0;;;Argument[0];test-sink",
"MyNamespace;MyClass;true;namespaceStaticMemberMadSinkArg0;;;Argument[0];test-sink",
"MyNamespace;MyClass;true;namespaceMemberMadSinkVar;;;;test-sink",
"MyNamespace;MyClass;true;namespaceStaticMemberMadSinkVar;;;;test-sink",
]
}
}
/**
* Models-as-data summary models for this test.
*/
private class TestSummaries extends SummaryModelCsv {
override predicate row(string row) {
row =
[
";;false;madArg0ToReturn;;;Argument[0];ReturnValue;taint",
";;false;madArg0ToReturnIndirect;;;Argument[0];ReturnValue[*];taint",
";;false;madArg0ToReturnValueFlow;;;Argument[0];ReturnValue;value",
";;false;madArg0IndirectToReturn;;;Argument[*0];ReturnValue;taint",
";;false;madArg0DoubleIndirectToReturn;;;Argument[**0];ReturnValue;taint",
";;false;madArg0NotIndirectToReturn;;;Argument[0];ReturnValue;taint",
";;false;madArg0ToArg1Indirect;;;Argument[0];Argument[*1];taint",
";;false;madArg0IndirectToArg1Indirect;;;Argument[*0];Argument[*1];taint",
";;false;madArgsComplex;;;Argument[*0..1,2];ReturnValue;taint",
";;false;madAndImplementedComplex;;;Argument[2];ReturnValue;taint",
";;false;madArgsAny;;;Argument;ReturnValue;taint", // (syntax not supported)
";;false;madArg0FieldToReturn;;;Argument[0].Field[value];ReturnValue;taint",
";;false;madArg0IndirectFieldToReturn;;;Argument[*0].Field[value];ReturnValue;taint",
";;false;madArg0FieldIndirectToReturn;;;Argument[0].Field[*ptr];ReturnValue;taint",
";;false;madArg0ToReturnField;;;Argument[0];ReturnValue.Field[value];taint",
";;false;madArg0ToReturnIndirectField;;;Argument[0];ReturnValue[*].Field[value];taint",
";;false;madArg0ToReturnFieldIndirect;;;Argument[0];ReturnValue.Field[*ptr];taint",
";;false;madFieldToFieldVar;;;Field[value];Field[value2];taint",
";;false;madFieldToIndirectFieldVar;;;Field[value];Field[*ptr];taint",
";;false;madIndirectFieldToFieldVar;;;;Field[value];Field[value2];taint", // not correctly expressed
";MyClass;true;madArg0ToSelf;;;Argument[0];Argument[-1];taint",
";MyClass;true;madSelfToReturn;;;Argument[-1];ReturnValue;taint",
";MyClass;true;madArg0ToField;;;Argument[0];Argument[-1].Field[val];taint",
";MyClass;true;madFieldToReturn;;;Argument[-1].Field[val];ReturnValue;taint",
"MyNamespace;MyClass;true;namespaceMadSelfToReturn;;;Argument[-1];ReturnValue;taint",
";;false;madCallArg0ReturnToReturn;;;Argument[0].ReturnValue;ReturnValue;value",
";;false;madCallArg0ReturnToReturnFirst;;;Argument[0].ReturnValue;ReturnValue.Field[first];value",
";;false;madCallArg0WithValue;;;Argument[1];Argument[0].Parameter[0];value",
";;false;madCallReturnValueIgnoreFunction;;;Argument[1];ReturnValue;value",
";StructWithTypedefInParameter<T>;true;parameter_ref_to_return_ref;(const T &);;Argument[*0];ReturnValue[*];value",
";;false;receive_array;(int[20]);;Argument[*0];ReturnValue;taint"
]
}
}

28
cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/Buildless.c Normal file
View File

@@ -0,0 +1,28 @@
// semmle-extractor-options: --expect_errors
void test_float_double1(float f, double d) {
float r1 = f * f; // GOOD
float r2 = f * d; // GOOD
double r3 = f * f; // BAD
double r4 = f * d; // GOOD
float f1 = fabsf(f * f); // GOOD
float f2 = fabsf(f * d); // GOOD
double f3 = fabs(f * f); // BAD [NOT DETECTED]
double f4 = fabs(f * d); // GOOD
}
double fabs(double f);
float fabsf(float f);
void test_float_double2(float f, double d) {
float r1 = f * f; // GOOD
float r2 = f * d; // GOOD
double r3 = f * f; // BAD
double r4 = f * d; // GOOD
float f1 = fabsf(f * f); // GOOD
float f2 = fabsf(f * d); // GOOD
double f3 = fabs(f * f); // BAD [NOT DETECTED]
double f4 = fabs(f * d); // GOOD
}

2
cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.expected
View File

@@ -1,3 +1,5 @@
| Buildless.c:6:17:6:21 | ... * ... | Multiplication result may overflow 'float' before it is converted to 'double'. |
| Buildless.c:21:17:21:21 | ... * ... | Multiplication result may overflow 'float' before it is converted to 'double'. |
| IntMultToLong.c:4:10:4:14 | ... * ... | Multiplication result may overflow 'int' before it is converted to 'long long'. |
| IntMultToLong.c:7:16:7:20 | ... * ... | Multiplication result may overflow 'int' before it is converted to 'long long'. |
| IntMultToLong.c:18:19:18:23 | ... * ... | Multiplication result may overflow 'float' before it is converted to 'double'. |

2
cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected
View File

@@ -1 +1,3 @@
| second.cpp:26:18:26:39 | ... - ... | This format specifier for type 'int' does not match the argument type 'long'. |
| second.cpp:29:18:29:39 | ... - ... | This format specifier for type 'unsigned int' does not match the argument type 'long'. |
| tests.c:7:18:7:18 | 1 | This format specifier for type 'char *' does not match the argument type 'int'. |

3
cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/first.cpp Normal file
View File

@@ -0,0 +1,3 @@
// defines type size_t plausibly
typedef unsigned long size_t;

32
cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp Normal file
View File

@@ -0,0 +1,32 @@
// semmle-extractor-options: --expect_errors
int printf(const char * format, ...);
// defines type `myFunctionPointerType`, referencing `size_t`
typedef size_t (*myFunctionPointerType) ();
void test_size_t() {
size_t s = 0;
printf("%zd", s); // GOOD
printf("%zi", s); // GOOD
printf("%zu", s); // GOOD (we generally permit signedness changes)
printf("%zx", s); // GOOD (we generally permit signedness changes)
printf("%d", s); // BAD [NOT DETECTED]
printf("%ld", s); // DUBIOUS [NOT DETECTED]
printf("%lld", s); // DUBIOUS [NOT DETECTED]
printf("%u", s); // BAD [NOT DETECTED]
char buffer[1024];
printf("%zd", &buffer[1023] - buffer); // GOOD
printf("%zi", &buffer[1023] - buffer); // GOOD
printf("%zu", &buffer[1023] - buffer); // GOOD
printf("%zx", &buffer[1023] - buffer); // GOOD
printf("%d", &buffer[1023] - buffer); // BAD
printf("%ld", &buffer[1023] - buffer); // DUBIOUS [NOT DETECTED]
printf("%lld", &buffer[1023] - buffer); // DUBIOUS [NOT DETECTED]
printf("%u", &buffer[1023] - buffer); // BAD
// (for the `%ld` and `%lld` cases, the signedness and type sizes match, `%zd` would be most correct
// and robust but the developer may know enough to make this safe)
}

2
cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/SuspiciousAddWithSizeof.expected
View File

@@ -1,3 +1,5 @@
| buildless.cpp:5:15:5:25 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | const short * | const short * |
| buildless.cpp:6:13:6:23 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | const int * | const int * |
| test.cpp:6:30:6:40 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | int * | int * |
| test.cpp:14:30:14:40 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | int * | int * |
| test.cpp:22:25:22:35 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | int * | int * |

10
cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/buildless.cpp Normal file
View File

@@ -0,0 +1,10 @@
// semmle-extractor-options: --expect_errors
void test_buildless(const char *p_c, const short *p_short, const int *p_int, const uint8_t *p_8, const uint16_t *p_16, const uint32_t *p_32) {
*(p_c + sizeof(int)); // GOOD (`sizeof(char)` is 1)
*(p_short + sizeof(int)); // BAD
*(p_int + sizeof(int)); // BAD
*(p_8 + sizeof(int)); // GOOD (`sizeof(uint8_t)` is 1, but there's an error in the type)
*(p_16 + sizeof(int)); // BAD [NOT DETECTED]
*(p_32 + sizeof(int)); // BAD [NOT DETECTED]
}

6
cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/test.cpp
View File

@@ -93,3 +93,9 @@ private:
myChar * const myCharsPointer;
myInt * const myIntsPointer;
};
typedef unsigned char uint8_t;
typedef unsigned short uint16_t;
typedef unsigned int uint32_t;
void test_buildless(const char *p_c, const short *p_short, const int *p_int, const uint8_t *p_8, const uint16_t *p_16, const uint32_t *p_32);

61
cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected
View File

@@ -1,3 +1,24 @@
#select
| tests2.cpp:63:13:63:26 | *call to getenv | tests2.cpp:63:13:63:26 | *call to getenv | tests2.cpp:63:13:63:26 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:63:13:63:26 | *call to getenv | *call to getenv |
| tests2.cpp:64:13:64:26 | *call to getenv | tests2.cpp:64:13:64:26 | *call to getenv | tests2.cpp:64:13:64:26 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:64:13:64:26 | *call to getenv | *call to getenv |
| tests2.cpp:65:13:65:30 | *call to getenv | tests2.cpp:65:13:65:30 | *call to getenv | tests2.cpp:65:13:65:30 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:65:13:65:30 | *call to getenv | *call to getenv |
| tests2.cpp:66:13:66:34 | *call to getenv | tests2.cpp:66:13:66:34 | *call to getenv | tests2.cpp:66:13:66:34 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:66:13:66:34 | *call to getenv | *call to getenv |
| tests2.cpp:80:14:80:34 | *call to mysql_get_client_info | tests2.cpp:80:14:80:34 | *call to mysql_get_client_info | tests2.cpp:80:14:80:34 | *call to mysql_get_client_info | This operation exposes system data from $@. | tests2.cpp:80:14:80:34 | *call to mysql_get_client_info | *call to mysql_get_client_info |
| tests2.cpp:81:14:81:19 | *buffer | tests2.cpp:78:18:78:38 | *call to mysql_get_client_info | tests2.cpp:81:14:81:19 | *buffer | This operation exposes system data from $@. | tests2.cpp:78:18:78:38 | *call to mysql_get_client_info | *call to mysql_get_client_info |
| tests2.cpp:82:14:82:20 | *global1 | tests2.cpp:50:23:50:43 | *call to mysql_get_client_info | tests2.cpp:82:14:82:20 | *global1 | This operation exposes system data from $@. | tests2.cpp:50:23:50:43 | *call to mysql_get_client_info | *call to mysql_get_client_info |
| tests2.cpp:93:14:93:17 | *str1 | tests2.cpp:91:42:91:45 | *str1 | tests2.cpp:93:14:93:17 | *str1 | This operation exposes system data from $@. | tests2.cpp:91:42:91:45 | *str1 | *str1 |
| tests2.cpp:102:14:102:15 | *pw | tests2.cpp:101:8:101:15 | *call to getpwuid | tests2.cpp:102:14:102:15 | *pw | This operation exposes system data from $@. | tests2.cpp:101:8:101:15 | *call to getpwuid | *call to getpwuid |
| tests2.cpp:111:14:111:19 | *ptr | tests2.cpp:109:12:109:17 | *call to getenv | tests2.cpp:111:14:111:19 | *ptr | This operation exposes system data from $@. | tests2.cpp:109:12:109:17 | *call to getenv | *call to getenv |
| tests2.cpp:138:23:138:34 | *message_data | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:138:23:138:34 | *message_data | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
| tests2.cpp:144:33:144:40 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:144:33:144:40 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
| tests2.cpp:147:20:147:27 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:147:20:147:27 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
| tests2.cpp:155:32:155:39 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:155:32:155:39 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
| tests2.cpp:158:20:158:27 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:158:20:158:27 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
| tests_sockets.cpp:39:19:39:22 | *path | tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:39:19:39:22 | *path | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | *call to getenv | *call to getenv |
| tests_sockets.cpp:43:20:43:23 | *path | tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:43:20:43:23 | *path | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | *call to getenv | *call to getenv |
| tests_sockets.cpp:76:19:76:22 | *path | tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:76:19:76:22 | *path | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | *call to getenv | *call to getenv |
| tests_sockets.cpp:80:20:80:23 | *path | tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:80:20:80:23 | *path | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | *call to getenv | *call to getenv |
| tests_sysconf.cpp:39:19:39:25 | *pathbuf | tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | *pathbuf | This operation exposes system data from $@. | tests_sysconf.cpp:36:21:36:27 | confstr output argument | confstr output argument |
edges
| tests2.cpp:50:13:50:19 | **global1 | tests2.cpp:82:14:82:20 | *global1 | provenance | |
| tests2.cpp:50:23:50:43 | *call to mysql_get_client_info | tests2.cpp:50:13:50:19 | **global1 | provenance | |
@@ -12,16 +33,16 @@ edges
| tests2.cpp:111:14:111:15 | *c1 [*ptr] | tests2.cpp:111:14:111:19 | *ptr | provenance | |
| tests2.cpp:111:14:111:15 | *c1 [*ptr] | tests2.cpp:111:17:111:19 | *ptr | provenance | |
| tests2.cpp:111:17:111:19 | *ptr | tests2.cpp:111:14:111:19 | *ptr | provenance | |
| tests2.cpp:120:5:120:21 | [summary param] *1 in zmq_msg_init_data | tests2.cpp:120:5:120:21 | [summary param] *0 in zmq_msg_init_data [Return] | provenance | |
| tests2.cpp:134:2:134:30 | *... = ... | tests2.cpp:138:23:138:34 | *message_data | provenance | |
| tests2.cpp:120:5:120:21 | [summary param] *1 in zmq_msg_init_data | tests2.cpp:120:5:120:21 | [summary param] *0 in zmq_msg_init_data [Return] | provenance | MaD:4 |
| tests2.cpp:134:2:134:30 | *... = ... | tests2.cpp:138:23:138:34 | *message_data | provenance | Sink:MaD:2 |
| tests2.cpp:134:2:134:30 | *... = ... | tests2.cpp:143:34:143:45 | *message_data | provenance | |
| tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:134:2:134:30 | *... = ... | provenance | |
| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:144:33:144:40 | *& ... | provenance | |
| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:147:20:147:27 | *& ... | provenance | |
| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:155:32:155:39 | *& ... | provenance | |
| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:158:20:158:27 | *& ... | provenance | |
| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:144:33:144:40 | *& ... | provenance | Sink:MaD:3 |
| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:147:20:147:27 | *& ... | provenance | Sink:MaD:1 |
| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:155:32:155:39 | *& ... | provenance | Sink:MaD:3 |
| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:158:20:158:27 | *& ... | provenance | Sink:MaD:1 |
| tests2.cpp:143:34:143:45 | *message_data | tests2.cpp:120:5:120:21 | [summary param] *1 in zmq_msg_init_data | provenance | |
| tests2.cpp:143:34:143:45 | *message_data | tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | provenance | |
| tests2.cpp:143:34:143:45 | *message_data | tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | provenance | MaD:4 |
| tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:26:15:26:20 | *call to getenv | provenance | |
| tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:39:19:39:22 | *path | provenance | |
| tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:43:20:43:23 | *path | provenance | |
@@ -29,6 +50,11 @@ edges
| tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:76:19:76:22 | *path | provenance | |
| tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:80:20:80:23 | *path | provenance | |
| tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | *pathbuf | provenance | |
models
| 1 | Sink: ; ; false; zmq_msg_send; ; ; Argument[*0]; remote-sink; manual |
| 2 | Sink: ; ; false; zmq_send; ; ; Argument[*1]; remote-sink; manual |
| 3 | Sink: ; ; false; zmq_sendmsg; ; ; Argument[*1]; remote-sink; manual |
| 4 | Summary: ; ; false; zmq_msg_init_data; ; ; Argument[*1]; Argument[*0]; taint; manual |
nodes
| tests2.cpp:50:13:50:19 | **global1 | semmle.label | **global1 |
| tests2.cpp:50:23:50:43 | *call to mysql_get_client_info | semmle.label | *call to mysql_get_client_info |
@@ -75,24 +101,3 @@ nodes
| tests_sysconf.cpp:39:19:39:25 | *pathbuf | semmle.label | *pathbuf |
subpaths
| tests2.cpp:143:34:143:45 | *message_data | tests2.cpp:120:5:120:21 | [summary param] *1 in zmq_msg_init_data | tests2.cpp:120:5:120:21 | [summary param] *0 in zmq_msg_init_data [Return] | tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument |
#select
| tests2.cpp:63:13:63:26 | *call to getenv | tests2.cpp:63:13:63:26 | *call to getenv | tests2.cpp:63:13:63:26 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:63:13:63:26 | *call to getenv | *call to getenv |
| tests2.cpp:64:13:64:26 | *call to getenv | tests2.cpp:64:13:64:26 | *call to getenv | tests2.cpp:64:13:64:26 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:64:13:64:26 | *call to getenv | *call to getenv |
| tests2.cpp:65:13:65:30 | *call to getenv | tests2.cpp:65:13:65:30 | *call to getenv | tests2.cpp:65:13:65:30 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:65:13:65:30 | *call to getenv | *call to getenv |
| tests2.cpp:66:13:66:34 | *call to getenv | tests2.cpp:66:13:66:34 | *call to getenv | tests2.cpp:66:13:66:34 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:66:13:66:34 | *call to getenv | *call to getenv |
| tests2.cpp:80:14:80:34 | *call to mysql_get_client_info | tests2.cpp:80:14:80:34 | *call to mysql_get_client_info | tests2.cpp:80:14:80:34 | *call to mysql_get_client_info | This operation exposes system data from $@. | tests2.cpp:80:14:80:34 | *call to mysql_get_client_info | *call to mysql_get_client_info |
| tests2.cpp:81:14:81:19 | *buffer | tests2.cpp:78:18:78:38 | *call to mysql_get_client_info | tests2.cpp:81:14:81:19 | *buffer | This operation exposes system data from $@. | tests2.cpp:78:18:78:38 | *call to mysql_get_client_info | *call to mysql_get_client_info |
| tests2.cpp:82:14:82:20 | *global1 | tests2.cpp:50:23:50:43 | *call to mysql_get_client_info | tests2.cpp:82:14:82:20 | *global1 | This operation exposes system data from $@. | tests2.cpp:50:23:50:43 | *call to mysql_get_client_info | *call to mysql_get_client_info |
| tests2.cpp:93:14:93:17 | *str1 | tests2.cpp:91:42:91:45 | *str1 | tests2.cpp:93:14:93:17 | *str1 | This operation exposes system data from $@. | tests2.cpp:91:42:91:45 | *str1 | *str1 |
| tests2.cpp:102:14:102:15 | *pw | tests2.cpp:101:8:101:15 | *call to getpwuid | tests2.cpp:102:14:102:15 | *pw | This operation exposes system data from $@. | tests2.cpp:101:8:101:15 | *call to getpwuid | *call to getpwuid |
| tests2.cpp:111:14:111:19 | *ptr | tests2.cpp:109:12:109:17 | *call to getenv | tests2.cpp:111:14:111:19 | *ptr | This operation exposes system data from $@. | tests2.cpp:109:12:109:17 | *call to getenv | *call to getenv |
| tests2.cpp:138:23:138:34 | *message_data | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:138:23:138:34 | *message_data | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
| tests2.cpp:144:33:144:40 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:144:33:144:40 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
| tests2.cpp:147:20:147:27 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:147:20:147:27 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
| tests2.cpp:155:32:155:39 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:155:32:155:39 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
| tests2.cpp:158:20:158:27 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:158:20:158:27 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
| tests_sockets.cpp:39:19:39:22 | *path | tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:39:19:39:22 | *path | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | *call to getenv | *call to getenv |
| tests_sockets.cpp:43:20:43:23 | *path | tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:43:20:43:23 | *path | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | *call to getenv | *call to getenv |
| tests_sockets.cpp:76:19:76:22 | *path | tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:76:19:76:22 | *path | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | *call to getenv | *call to getenv |
| tests_sockets.cpp:80:20:80:23 | *path | tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:80:20:80:23 | *path | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | *call to getenv | *call to getenv |
| tests_sysconf.cpp:39:19:39:25 | *pathbuf | tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | *pathbuf | This operation exposes system data from $@. | tests_sysconf.cpp:36:21:36:27 | confstr output argument | confstr output argument |

5
cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.qlref
View File

@@ -1 +1,4 @@
Security/CWE/CWE-497/ExposedSystemData.ql
query: Security/CWE/CWE-497/ExposedSystemData.ql
postprocess:
- utils/test/PrettyPrintModels.ql
- utils/test/InlineExpectationsTestQuery.ql

46
cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests2.cpp
View File

@@ -47,7 +47,7 @@ int val();
// --- test cases ---
const char *global1 = mysql_get_client_info();
const char *global1 = mysql_get_client_info(); // $ Source
const char *global2 = "abc";
void test7()
@@ -55,15 +55,15 @@ void test7()
int sock = socket(val(), val(), val());
// tests for a strict implementation of CWE-497
std::cout << getenv("HOME"); // BAD: outputs HOME environment variable [NOT DETECTED]
std::cout << "PATH = " << getenv("PATH") << "."; // BAD: outputs PATH environment variable [NOT DETECTED]
std::cout << getenv("HOME"); // $ MISSING: Alert // outputs HOME environment variable
std::cout << "PATH = " << getenv("PATH") << "."; // $ MISSING: Alert // outputs PATH environment variable
std::cout << "PATHPATHPATH"; // GOOD: not system data
// tests for a more pragmatic implementation of CWE-497
send(sock, getenv("HOME"), val(), val()); // BAD
send(sock, getenv("PATH"), val(), val()); // BAD
send(sock, getenv("USERNAME"), val(), val()); // BAD
send(sock, getenv("APP_PASSWORD"), val(), val()); // BAD
send(sock, getenv("HOME"), val(), val()); // $ Alert
send(sock, getenv("PATH"), val(), val()); // $ Alert
send(sock, getenv("USERNAME"), val(), val()); // $ Alert
send(sock, getenv("APP_PASSWORD"), val(), val()); // $ Alert
send(sock, getenv("HARMLESS"), val(), val()); // GOOD: harmless information
send(sock, "HOME", val(), val()); // GOOD: not system data
send(sock, "PATH", val(), val()); // GOOD: not system data
@@ -75,11 +75,11 @@ void test7()
{
char buffer[256];
strcpy(buffer, mysql_get_client_info());
strcpy(buffer, mysql_get_client_info()); // $ Source
send(sock, mysql_get_client_info(), val(), val()); // BAD
send(sock, buffer, val(), val()); // BAD
send(sock, global1, val(), val()); // BAD
send(sock, mysql_get_client_info(), val(), val()); // $ Alert
send(sock, buffer, val(), val()); // $ Alert
send(sock, global1, val(), val()); // $ Alert
send(sock, global2, val(), val()); // GOOD: not system data
}
@@ -88,9 +88,9 @@ void test7()
const char *str1 = "123456";
const char *str2 = "abcdef";
mysql_real_connect(sock, val(), val(), str1, val(), val(), val(), val());
mysql_real_connect(sock, val(), val(), str1, val(), val(), val(), val()); // $ Source
send(sock, str1, val(), val()); // BAD
send(sock, str1, val(), val()); // $ Alert
send(sock, str2, val(), val()); // GOOD: not system data
}
@@ -98,17 +98,17 @@ void test7()
{
passwd *pw;
pw = getpwuid(val());
send(sock, pw->pw_passwd, val(), val()); // BAD
pw = getpwuid(val()); // $ Source
send(sock, pw->pw_passwd, val(), val()); // $ Alert
}
// tests for containers
{
container c1, c2;
c1.ptr = getenv("MY_SECRET_TOKEN");
c1.ptr = getenv("MY_SECRET_TOKEN"); // $ Source
c2.ptr = "";
send(sock, c1.ptr, val(), val()); // BAD
send(sock, c1.ptr, val(), val()); // $ Alert
send(sock, c2.ptr, val(), val()); // GOOD: not system data
}
}
@@ -131,20 +131,20 @@ void test_zmq(void *remoteSocket)
size_t message_len;
// prepare data
message_data = getenv("HOME");
message_data = getenv("HOME"); // $ Source
message_len = strlen(message_data) + 1;
// send as data
if (zmq_send(socket, message_data, message_len, 0) >= 0) { // BAD: outputs HOME environment variable
if (zmq_send(socket, message_data, message_len, 0) >= 0) { // $ Alert: outputs HOME environment variable
// ...
}
// send as message
if (zmq_msg_init_data(&message, message_data, message_len, 0, 0)) {
if (zmq_sendmsg(remoteSocket, &message, message_len)) { // BAD: outputs HOME environment variable
if (zmq_sendmsg(remoteSocket, &message, message_len)) { // $ Alert: outputs HOME environment variable
// ...
}
if (zmq_msg_send(&message, remoteSocket, message_len)) { // BAD: outputs HOME environment variable
if (zmq_msg_send(&message, remoteSocket, message_len)) { // $ Alert: outputs HOME environment variable
// ...
}
}
@@ -152,10 +152,10 @@ void test_zmq(void *remoteSocket)
// send as message (alternative path)
if (zmq_msg_init_size(&message, message_len) == 0) {
memcpy(zmq_msg_data(&message), message_data, message_len);
if (zmq_sendmsg(remoteSocket,&message, message_len)) { // BAD: outputs HOME environment variable
if (zmq_sendmsg(remoteSocket,&message, message_len)) { // $ Alert: outputs HOME environment variable
// ...
}
if (zmq_msg_send(&message, remoteSocket, message_len)) { // BAD: outputs HOME environment variable
if (zmq_msg_send(&message, remoteSocket, message_len)) { // $ Alert: outputs HOME environment variable
// ...
}
}

20
cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests_sockets.cpp
View File

@@ -23,7 +23,7 @@ void test_sockets1()
int sockfd;
sockaddr addr_remote;
char *msg = "Hello, world!";
char *path = getenv("PATH");
char *path = getenv("PATH"); // $ Source
// create socket
sockfd = socket(AF_INET, SOCK_STREAM, 0);
@@ -36,11 +36,11 @@ void test_sockets1()
// send something using 'send'
if (send(sockfd, msg, strlen(msg) + 1, 0) < 0) return; // GOOD
if (send(sockfd, path, strlen(path) + 1, 0) < 0) return; // BAD
if (send(sockfd, path, strlen(path) + 1, 0) < 0) return; // $ Alert
// send something using 'write'
if (write(sockfd, msg, strlen(msg) + 1) < 0) return; // GOOD
if (write(sockfd, path, strlen(path) + 1) < 0) return; // BAD
if (write(sockfd, path, strlen(path) + 1) < 0) return; // $ Alert
// clean up
// ...
@@ -49,9 +49,9 @@ void test_sockets1()
int mksocket()
{
int fd;
fd = socket(AF_INET, SOCK_STREAM, 0);
return fd;
}
@@ -60,7 +60,7 @@ void test_sockets2()
int sockfd;
sockaddr addr_remote;
char *msg = "Hello, world!";
char *path = getenv("PATH");
char *path = getenv("PATH"); // $ Source
// create socket
sockfd = mksocket();
@@ -73,11 +73,11 @@ void test_sockets2()
// send something using 'send'
if (send(sockfd, msg, strlen(msg) + 1, 0) < 0) return; // GOOD
if (send(sockfd, path, strlen(path) + 1, 0) < 0) return; // BAD
if (send(sockfd, path, strlen(path) + 1, 0) < 0) return; // $ Alert
// send something using 'write'
if (write(sockfd, msg, strlen(msg) + 1) < 0) return; // GOOD
if (write(sockfd, path, strlen(path) + 1) < 0) return; // BAD
if (write(sockfd, path, strlen(path) + 1) < 0) return; // $ Alert
// clean up
// ...

8
cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests_sysconf.cpp
View File

@@ -21,7 +21,7 @@ void test_sc_1()
int value = sysconf(_SC_CHILD_MAX);
printf("_SC_CHILD_MAX = %i\n", _SC_CHILD_MAX); // GOOD
printf("_SC_CHILD_MAX = %i\n", value); // BAD [NOT DETECTED]
printf("_SC_CHILD_MAX = %i\n", value); // $ MISSING: Alert
}
void test_sc_2()
@@ -33,9 +33,9 @@ void test_sc_2()
pathbuf = (char *)malloc(n);
if (pathbuf != NULL)
{
confstr(_CS_PATH, pathbuf, n);
confstr(_CS_PATH, pathbuf, n); // $ Source
printf("path: %s", pathbuf); // BAD [NOT DETECTED]
write(get_fd(), pathbuf, strlen(pathbuf)); // BAD
printf("path: %s", pathbuf); // $ MISSING: Alert
write(get_fd(), pathbuf, strlen(pathbuf)); // $ Alert
}
}