C++: Remove all uses of hasQualifiedName/1

Jonas Jensen
2019-05-03 10:20:48 +02:00
parent 64a87a863c
commit 5e789901df
22 changed files with 119 additions and 119 deletions


@@ -13,7 +13,7 @@ import semmle.code.cpp.pointsto.PointsTo
import Negativity
predicate closeCall(FunctionCall fc, Variable v) {
fc.getTarget().hasQualifiedName("close") and v.getAnAccess() = fc.getArgument(0)
fc.getTarget().hasGlobalName("close") and v.getAnAccess() = fc.getArgument(0)
or
exists(FunctionCall midcall, Function mid, int arg |
fc.getArgument(arg) = v.getAnAccess() and


@@ -13,7 +13,7 @@ import semmle.code.cpp.pointsto.PointsTo
predicate closed(Expr e) {
exists(FunctionCall fc |
fc.getTarget().hasQualifiedName("close") and
fc.getTarget().hasGlobalName("close") and
fc.getArgument(0) = e
)
}


@@ -30,7 +30,7 @@ predicate useFunc(GlobalVariable v, Function f) {
}
predicate uninitialisedBefore(GlobalVariable v, Function f) {
f.hasQualifiedName("main")
f.hasGlobalName("main")
or
exists(Call call, Function g |
uninitialisedBefore(v, g) and


@@ -55,7 +55,7 @@ predicate allocCallOrIndirect(Expr e) {
* can cause memory leaks.
*/
predicate verifiedRealloc(FunctionCall reallocCall, Variable v, ControlFlowNode verified) {
reallocCall.getTarget().hasQualifiedName("realloc") and
reallocCall.getTarget().hasGlobalName("realloc") and
reallocCall.getArgument(0) = v.getAnAccess() and
(
exists(Variable newV, ControlFlowNode node |
@@ -82,7 +82,7 @@ predicate verifiedRealloc(FunctionCall reallocCall, Variable v, ControlFlowNode
predicate freeCallOrIndirect(ControlFlowNode n, Variable v) {
// direct free call
freeCall(n, v.getAnAccess()) and
not n.(FunctionCall).getTarget().hasQualifiedName("realloc")
not n.(FunctionCall).getTarget().hasGlobalName("realloc")
or
// verified realloc call
verifiedRealloc(_, v, n)


@@ -14,8 +14,8 @@ import cpp
class MallocCall extends FunctionCall {
MallocCall() {
this.getTarget().hasQualifiedName("malloc") or
this.getTarget().hasQualifiedName("std::malloc")
this.getTarget().hasGlobalName("malloc") or
this.getTarget().hasQualifiedName("std", "malloc")
}
Expr getAllocatedSize() {
@@ -36,12 +36,12 @@ predicate spaceProblem(FunctionCall append, string msg) {
malloc.getAllocatedSize() = add and
buffer.getAnAccess() = strlen.getStringExpr() and
(
insert.getTarget().hasQualifiedName("strcpy") or
insert.getTarget().hasQualifiedName("strncpy")
insert.getTarget().hasGlobalName("strcpy") or
insert.getTarget().hasGlobalName("strncpy")
) and
(
append.getTarget().hasQualifiedName("strcat") or
append.getTarget().hasQualifiedName("strncat")
append.getTarget().hasGlobalName("strcat") or
append.getTarget().hasGlobalName("strncat")
) and
malloc.getASuccessor+() = insert and
insert.getArgument(1) = buffer.getAnAccess() and
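Review bot: MallocCall accepts both the global `malloc` and `std::malloc`, but the `strcpy`/`strncpy` and `strcat`/`strncat` checks in spaceProblem match only the global name. If the analysed library declares these as separate functions in namespace `std` rather than re-exporting the global ones, `std::strcpy`-style calls would not be seen by this buffer-size query. Consider adding e.g. `insert.getTarget().hasQualifiedName("std", "strcpy")` alongside, or a comment stating that global-only matching is intended. The same MallocCall constructor is repeated in a later file section of this commit, so the two copies have to be kept in step. spaceProblem starts before and continues after the second hunk.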


@@ -25,7 +25,7 @@ import semmle.code.cpp.security.TaintTracking
predicate sourceSized(FunctionCall fc, Expr src) {
exists(string name |
(name = "strncpy" or name = "strncat" or name = "memcpy" or name = "memmove") and
fc.getTarget().hasQualifiedName(name)
fc.getTarget().hasGlobalName(name)
) and
exists(Expr dest, Expr size, Variable v |
fc.getArgument(0) = dest and


@@ -59,21 +59,21 @@ predicate overflowOffsetInLoop(BufferAccess bufaccess, string msg) {
}
predicate bufferAndSizeFunction(Function f, int buf, int size) {
f.hasQualifiedName("read") and buf = 1 and size = 2
f.hasGlobalName("read") and buf = 1 and size = 2
or
f.hasQualifiedName("fgets") and buf = 0 and size = 1
f.hasGlobalName("fgets") and buf = 0 and size = 1
or
f.hasQualifiedName("strncpy") and buf = 0 and size = 2
f.hasGlobalName("strncpy") and buf = 0 and size = 2
or
f.hasQualifiedName("strncat") and buf = 0 and size = 2
f.hasGlobalName("strncat") and buf = 0 and size = 2
or
f.hasQualifiedName("memcpy") and buf = 0 and size = 2
f.hasGlobalName("memcpy") and buf = 0 and size = 2
or
f.hasQualifiedName("memmove") and buf = 0 and size = 2
f.hasGlobalName("memmove") and buf = 0 and size = 2
or
f.hasQualifiedName("snprintf") and buf = 0 and size = 1
f.hasGlobalName("snprintf") and buf = 0 and size = 1
or
f.hasQualifiedName("vsnprintf") and buf = 0 and size = 1
f.hasGlobalName("vsnprintf") and buf = 0 and size = 1
}
class CallWithBufferSize extends FunctionCall {


@@ -16,7 +16,7 @@ import semmle.code.cpp.controlflow.LocalScopeVariableReachability
predicate isFreeExpr(Expr e, LocalScopeVariable v) {
exists(VariableAccess va | va.getTarget() = v |
exists(FunctionCall fc | fc = e |
fc.getTarget().hasQualifiedName("free") and
fc.getTarget().hasGlobalName("free") and
va = fc.getArgument(0)
)
or


@@ -32,7 +32,7 @@ class Options extends string
*/
predicate overrideReturnsNull(Call call) {
// Used in CVS:
call.(FunctionCall).getTarget().hasQualifiedName("Xstrdup")
call.(FunctionCall).getTarget().hasGlobalName("Xstrdup")
or
CustomOptions::overrideReturnsNull(call) // old Options.qll
}
@@ -46,7 +46,7 @@ class Options extends string
*/
predicate returnsNull(Call call) {
// Used in CVS:
call.(FunctionCall).getTarget().hasQualifiedName("Xstrdup") and
call.(FunctionCall).getTarget().hasGlobalName("Xstrdup") and
nullValue(call.getArgument(0))
or
CustomOptions::returnsNull(call) // old Options.qll
@@ -92,7 +92,7 @@ class Options extends string
* By default holds only for `fgets`.
*/
predicate alwaysCheckReturnValue(Function f) {
f.hasQualifiedName("fgets") or
f.hasGlobalName("fgets") or
CustomOptions::alwaysCheckReturnValue(f) // old Options.qll
}
@@ -108,7 +108,7 @@ class Options extends string
fc.isInMacroExpansion()
or
// common way of sleeping using select:
(fc.getTarget().hasQualifiedName("select") and
(fc.getTarget().hasGlobalName("select") and
fc.getArgument(0).getValue() = "0")
or
CustomOptions::okToIgnoreReturnValue(fc) // old Options.qll


@@ -16,8 +16,8 @@ import semmle.code.cpp.security.TaintTracking
/** A call that prints its arguments to `stdout`. */
class PrintStdoutCall extends FunctionCall {
PrintStdoutCall() {
getTarget().hasQualifiedName("puts") or
getTarget().hasQualifiedName("printf")
getTarget().hasGlobalName("puts") or
getTarget().hasGlobalName("printf")
}
}


@@ -73,9 +73,9 @@ class VarargsFunction extends Function {
}
predicate isWhitelisted() {
this.hasQualifiedName("open") or
this.hasQualifiedName("fcntl") or
this.hasQualifiedName("ptrace")
this.hasGlobalName("open") or
this.hasGlobalName("fcntl") or
this.hasGlobalName("ptrace")
}
}


@@ -18,8 +18,8 @@ import cpp
class MallocCall extends FunctionCall
{
MallocCall() {
this.getTarget().hasQualifiedName("malloc") or
this.getTarget().hasQualifiedName("std::malloc")
this.getTarget().hasGlobalName("malloc") or
this.getTarget().hasQualifiedName("std", "malloc")
}
Expr getAllocatedSize() {


@@ -40,7 +40,7 @@ private abstract class DumpDeclaration extends Declaration {
* Gets a string that uniquely identifies this declaration, suitable for use when debugging queries. Only holds for
* functions, user-defined types, global and namespace-scope variables, and member variables.
*
* This operation is very expensive, and should not be used in production queries. Consider using `hasName()` or
* This operation is very expensive, and should not be used in production queries. Consider using
* `hasQualifiedName()` for identifying known declarations in production queries.
*/
string getIdentityString() {
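Review bot: The updated comment on getIdentityString now points readers only to `hasQualifiedName()`, while the rest of this commit moves callers to `hasGlobalName()` for plain C library functions. Naming both would match how the library is used after the change; the sentence could read "Consider using `hasGlobalName()` or `hasQualifiedName()` for identifying known declarations in production queries." The predicate body lies outside the hunk.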


@@ -6,7 +6,7 @@ import cpp
predicate allocationFunction(Function f)
{
exists(string name |
f.hasQualifiedName(name) and
f.hasGlobalName(name) and
(
name = "malloc" or
name = "calloc" or
@@ -61,7 +61,7 @@ predicate allocationCall(FunctionCall fc)
allocationFunction(fc.getTarget()) and
(
// realloc(ptr, 0) only frees the pointer
fc.getTarget().hasQualifiedName("realloc") implies
fc.getTarget().hasGlobalName("realloc") implies
not fc.getArgument(1).getValue() = "0"
)
}
@@ -72,7 +72,7 @@ predicate allocationCall(FunctionCall fc)
predicate freeFunction(Function f, int argNum)
{
exists(string name |
f.hasQualifiedName(name) and
f.hasGlobalName(name) and
(
(name = "free" and argNum = 0) or
(name = "realloc" and argNum = 0) or


@@ -6,16 +6,16 @@ import cpp
predicate fopenCall(FunctionCall fc)
{
exists(Function f | f = fc.getTarget() |
f.hasQualifiedName("fopen") or
f.hasQualifiedName("open") or
f.hasQualifiedName("_open") or
f.hasQualifiedName("_wopen") or
f.hasQualifiedName("CreateFile") or
f.hasQualifiedName("CreateFileA") or
f.hasQualifiedName("CreateFileW") or
f.hasQualifiedName("CreateFileTransacted") or
f.hasQualifiedName("CreateFileTransactedA") or
f.hasQualifiedName("CreateFileTransactedW")
f.hasGlobalName("fopen") or
f.hasGlobalName("open") or
f.hasGlobalName("_open") or
f.hasGlobalName("_wopen") or
f.hasGlobalName("CreateFile") or
f.hasGlobalName("CreateFileA") or
f.hasGlobalName("CreateFileW") or
f.hasGlobalName("CreateFileTransacted") or
f.hasGlobalName("CreateFileTransactedA") or
f.hasGlobalName("CreateFileTransactedW")
)
}
@@ -26,16 +26,16 @@ predicate fcloseCall(FunctionCall fc, Expr closed)
{
exists(Function f | f = fc.getTarget() |
(
f.hasQualifiedName("fclose") and
f.hasGlobalName("fclose") and
closed = fc.getArgument(0)
) or (
f.hasQualifiedName("close") and
f.hasGlobalName("close") and
closed = fc.getArgument(0)
) or (
f.hasQualifiedName("_close") and
f.hasGlobalName("_close") and
closed = fc.getArgument(0)
) or (
f.hasQualifiedName("CloseHandle") and
f.hasGlobalName("CloseHandle") and
closed = fc.getArgument(0)
)
)


@@ -56,12 +56,12 @@ class AnalysedString extends Expr
*/
class StrlenCall extends FunctionCall {
StrlenCall() {
this.getTarget().hasQualifiedName("strlen") or
this.getTarget().hasQualifiedName("wcslen") or
this.getTarget().hasQualifiedName("_mbslen") or
this.getTarget().hasQualifiedName("_mbslen_l") or
this.getTarget().hasQualifiedName("_mbstrlen") or
this.getTarget().hasQualifiedName("_mbstrlen_l")
this.getTarget().hasGlobalName("strlen") or
this.getTarget().hasGlobalName("wcslen") or
this.getTarget().hasGlobalName("_mbslen") or
this.getTarget().hasGlobalName("_mbslen_l") or
this.getTarget().hasGlobalName("_mbstrlen") or
this.getTarget().hasGlobalName("_mbstrlen_l")
}
/**


@@ -7,7 +7,7 @@ import Nullness
predicate callDereferences(FunctionCall fc, int i)
{
exists(string name |
fc.getTarget().hasQualifiedName(name) and
fc.getTarget().hasGlobalName(name) and
(
(name = "bcopy" and i in [0..1]) or
(name = "memcpy" and i in [0..1]) or


@@ -47,7 +47,7 @@ predicate nullCheckExpr(Expr checkExpr, Variable var)
or
exists(FunctionCall fc, AnalysedExpr child |
expr = fc and
fc.getTarget().hasQualifiedName("__builtin_expect") and
fc.getTarget().hasGlobalName("__builtin_expect") and
fc.getArgument(0) = child and nullCheckExpr(child, v))
)
}
@@ -87,7 +87,7 @@ predicate validCheckExpr(Expr checkExpr, Variable var)
or
exists(FunctionCall fc, AnalysedExpr child |
expr = fc and
fc.getTarget().hasQualifiedName("__builtin_expect") and
fc.getTarget().hasGlobalName("__builtin_expect") and
fc.getArgument(0) = child and validCheckExpr(child, v))
)
}


@@ -3,7 +3,7 @@ import semmle.code.cpp.models.interfaces.ArrayFunction
class InetNtoa extends TaintFunction {
InetNtoa() {
hasQualifiedName("inet_ntoa")
hasGlobalName("inet_ntoa")
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -14,7 +14,7 @@ class InetNtoa extends TaintFunction {
class InetAton extends TaintFunction, ArrayFunction {
InetAton() {
hasQualifiedName("inet_aton")
hasGlobalName("inet_aton")
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -42,7 +42,7 @@ class InetAton extends TaintFunction, ArrayFunction {
class InetAddr extends TaintFunction, ArrayFunction {
InetAddr() {
hasQualifiedName("inet_addr")
hasGlobalName("inet_addr")
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -61,7 +61,7 @@ class InetAddr extends TaintFunction, ArrayFunction {
class InetNetwork extends TaintFunction, ArrayFunction {
InetNetwork() {
hasQualifiedName("inet_network")
hasGlobalName("inet_network")
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -80,7 +80,7 @@ class InetNetwork extends TaintFunction, ArrayFunction {
class InetMakeaddr extends TaintFunction {
InetMakeaddr() {
hasQualifiedName("inet_makeaddr")
hasGlobalName("inet_makeaddr")
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -94,7 +94,7 @@ class InetMakeaddr extends TaintFunction {
class InetLnaof extends TaintFunction {
InetLnaof() {
hasQualifiedName("inet_lnaof")
hasGlobalName("inet_lnaof")
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -105,7 +105,7 @@ class InetLnaof extends TaintFunction {
class InetNetof extends TaintFunction {
InetNetof() {
hasQualifiedName("inet_netof")
hasGlobalName("inet_netof")
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -116,7 +116,7 @@ class InetNetof extends TaintFunction {
class InetPton extends TaintFunction, ArrayFunction {
InetPton() {
hasQualifiedName("inet_pton")
hasGlobalName("inet_pton")
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -146,7 +146,7 @@ class InetPton extends TaintFunction, ArrayFunction {
class Gethostbyname extends TaintFunction, ArrayFunction {
Gethostbyname() {
hasQualifiedName("gethostbyname")
hasGlobalName("gethostbyname")
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -165,7 +165,7 @@ class Gethostbyname extends TaintFunction, ArrayFunction {
class Gethostbyaddr extends TaintFunction, ArrayFunction {
Gethostbyaddr() {
hasQualifiedName("gethostbyaddr")
hasGlobalName("gethostbyaddr")
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {


@@ -3,7 +3,7 @@ import semmle.code.cpp.models.interfaces.ArrayFunction
class Strftime extends TaintFunction, ArrayFunction {
Strftime() {
hasQualifiedName("strftime")
hasGlobalName("strftime")
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {


@@ -588,7 +588,7 @@ predicate allocateDescriptorCall(FunctionCall fc)
{
exists(string name |
name = "socket" and
fc.getTarget().hasQualifiedName(name))
fc.getTarget().hasGlobalName(name))
}
/**
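Review bot: The `exists(string name | name = "socket" and ...)` wrapper in allocateDescriptorCall quantifies over a variable that can take only one value. `fc.getTarget().hasGlobalName("socket")` states the same condition directly. If the quantifier is kept as a placeholder for further descriptor-allocating functions, a one-line comment saying so would make that intent clear. The predicate's signature line sits just above the hunk and is visible only in the hunk header.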


@@ -9,13 +9,13 @@ import semmle.code.cpp.security.FunctionWithWrappers
*/
class SystemFunction extends FunctionWithWrappers {
SystemFunction() {
hasQualifiedName("system")
or hasQualifiedName("popen")
hasGlobalName("system")
or hasGlobalName("popen")
// Windows variants
or hasQualifiedName("_popen")
or hasQualifiedName("_wpopen")
or hasQualifiedName("_wsystem")
or hasGlobalName("_popen")
or hasGlobalName("_wpopen")
or hasGlobalName("_wsystem")
}
override predicate interestingArg(int arg) {
@@ -31,36 +31,36 @@ class SystemFunction extends FunctionWithWrappers {
*/
class VarargsExecFunctionCall extends FunctionCall {
VarargsExecFunctionCall() {
getTarget().hasQualifiedName("execl")
or getTarget().hasQualifiedName("execle")
or getTarget().hasQualifiedName("execlp")
getTarget().hasGlobalName("execl")
or getTarget().hasGlobalName("execle")
or getTarget().hasGlobalName("execlp")
// Windows
or getTarget().hasQualifiedName("_execl")
or getTarget().hasQualifiedName("_execle")
or getTarget().hasQualifiedName("_execlp")
or getTarget().hasQualifiedName("_execlpe")
or getTarget().hasQualifiedName("_spawnl")
or getTarget().hasQualifiedName("_spawnle")
or getTarget().hasQualifiedName("_spawnlp")
or getTarget().hasQualifiedName("_spawnlpe")
or getTarget().hasQualifiedName("_wexecl")
or getTarget().hasQualifiedName("_wexecle")
or getTarget().hasQualifiedName("_wexeclp")
or getTarget().hasQualifiedName("_wexeclpe")
or getTarget().hasQualifiedName("_wspawnl")
or getTarget().hasQualifiedName("_wspawnle")
or getTarget().hasQualifiedName("_wspawnlp")
or getTarget().hasQualifiedName("_wspawnlpe")
or getTarget().hasGlobalName("_execl")
or getTarget().hasGlobalName("_execle")
or getTarget().hasGlobalName("_execlp")
or getTarget().hasGlobalName("_execlpe")
or getTarget().hasGlobalName("_spawnl")
or getTarget().hasGlobalName("_spawnle")
or getTarget().hasGlobalName("_spawnlp")
or getTarget().hasGlobalName("_spawnlpe")
or getTarget().hasGlobalName("_wexecl")
or getTarget().hasGlobalName("_wexecle")
or getTarget().hasGlobalName("_wexeclp")
or getTarget().hasGlobalName("_wexeclpe")
or getTarget().hasGlobalName("_wspawnl")
or getTarget().hasGlobalName("_wspawnle")
or getTarget().hasGlobalName("_wspawnlp")
or getTarget().hasGlobalName("_wspawnlpe")
}
/** Whether the last argument to the function is an environment pointer */
predicate hasEnvironmentArgument() {
getTarget().hasQualifiedName("execle")
or getTarget().hasQualifiedName("_execle")
or getTarget().hasQualifiedName("_execlpe")
or getTarget().hasQualifiedName("_wexecle")
or getTarget().hasQualifiedName("_wexeclpe")
getTarget().hasGlobalName("execle")
or getTarget().hasGlobalName("_execle")
or getTarget().hasGlobalName("_execlpe")
or getTarget().hasGlobalName("_wexecle")
or getTarget().hasGlobalName("_wexeclpe")
}
/** The arguments passed to the command. The 0th such argument is conventionally
@@ -100,27 +100,27 @@ class VarargsExecFunctionCall extends FunctionCall {
*/
class ArrayExecFunctionCall extends FunctionCall {
ArrayExecFunctionCall() {
getTarget().hasQualifiedName("execv")
or getTarget().hasQualifiedName("execvp")
or getTarget().hasQualifiedName("execvpe")
getTarget().hasGlobalName("execv")
or getTarget().hasGlobalName("execvp")
or getTarget().hasGlobalName("execvpe")
// Windows variants
or getTarget().hasQualifiedName("_execv")
or getTarget().hasQualifiedName("_execve")
or getTarget().hasQualifiedName("_execvp")
or getTarget().hasQualifiedName("_execvpe")
or getTarget().hasQualifiedName("_spawnv")
or getTarget().hasQualifiedName("_spawnve")
or getTarget().hasQualifiedName("_spawnvp")
or getTarget().hasQualifiedName("_spawnvpe")
or getTarget().hasQualifiedName("_wexecv")
or getTarget().hasQualifiedName("_wexecve")
or getTarget().hasQualifiedName("_wexecvp")
or getTarget().hasQualifiedName("_wexecvpe")
or getTarget().hasQualifiedName("_wspawnv")
or getTarget().hasQualifiedName("_wspawnve")
or getTarget().hasQualifiedName("_wspawnvp")
or getTarget().hasQualifiedName("_wspawnvpe")
or getTarget().hasGlobalName("_execv")
or getTarget().hasGlobalName("_execve")
or getTarget().hasGlobalName("_execvp")
or getTarget().hasGlobalName("_execvpe")
or getTarget().hasGlobalName("_spawnv")
or getTarget().hasGlobalName("_spawnve")
or getTarget().hasGlobalName("_spawnvp")
or getTarget().hasGlobalName("_spawnvpe")
or getTarget().hasGlobalName("_wexecv")
or getTarget().hasGlobalName("_wexecve")
or getTarget().hasGlobalName("_wexecvp")
or getTarget().hasGlobalName("_wexecvpe")
or getTarget().hasGlobalName("_wspawnv")
or getTarget().hasGlobalName("_wspawnve")
or getTarget().hasGlobalName("_wspawnvp")
or getTarget().hasGlobalName("_wspawnvpe")
}
/** The argument with the array of command arguments */
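Review bot: The ArrayExecFunctionCall constructor lists `execv`, `execvp` and `execvpe` plus the Windows `_execve`, but plain POSIX `execve` is not among the names visible in this hunk. Calls to it would therefore not be modelled as command execution by this class, leaving a gap in the queries built on it. Unless it is covered elsewhere in the file, add `or getTarget().hasGlobalName("execve")` next to the other POSIX names. The class body continues past the end of the hunk.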