add all remaining explicit this

Erik Krogh Kristensen
2021-11-26 13:50:10 +01:00
parent 00ee34c0a0
commit 6ff8d4de5c
104 changed files with 479 additions and 451 deletions

@@ -626,9 +626,9 @@ library class ExprEvaluator extends int {
// All assignments must have the same int value
result =
unique(Expr value |
value = v.getAnAssignedValue() and not ignoreVariableAssignment(e, v, value)
value = v.getAnAssignedValue() and not this.ignoreVariableAssignment(e, v, value)
|
getValueInternalNonSubExpr(value)
this.getValueInternalNonSubExpr(value)
)
)
}

@@ -452,7 +452,7 @@ class SsaPhiNode extends Node, TSsaPhiNode {
/** Holds if this phi node has input from the `rnk`'th write operation in block `block`. */
final predicate hasInputAtRankInBlock(IRBlock block, int rnk) {
hasInputAtRankInBlock(block, rnk, _)
this.hasInputAtRankInBlock(block, rnk, _)
}
/**

@@ -307,7 +307,7 @@ class NonPhiMemoryOperand extends NonPhiOperand, MemoryOperand, TNonPhiMemoryOpe
final override string toString() { result = tag.toString() }
final override Instruction getAnyDef() {
result = unique(Instruction defInstr | hasDefinition(defInstr, _))
result = unique(Instruction defInstr | this.hasDefinition(defInstr, _))
}
final override Overlap getDefinitionOverlap() { this.hasDefinition(_, result) }

@@ -307,7 +307,7 @@ class NonPhiMemoryOperand extends NonPhiOperand, MemoryOperand, TNonPhiMemoryOpe
final override string toString() { result = tag.toString() }
final override Instruction getAnyDef() {
result = unique(Instruction defInstr | hasDefinition(defInstr, _))
result = unique(Instruction defInstr | this.hasDefinition(defInstr, _))
}
final override Overlap getDefinitionOverlap() { this.hasDefinition(_, result) }

@@ -307,7 +307,7 @@ class NonPhiMemoryOperand extends NonPhiOperand, MemoryOperand, TNonPhiMemoryOpe
final override string toString() { result = tag.toString() }
final override Instruction getAnyDef() {
result = unique(Instruction defInstr | hasDefinition(defInstr, _))
result = unique(Instruction defInstr | this.hasDefinition(defInstr, _))
}
final override Overlap getDefinitionOverlap() { this.hasDefinition(_, result) }

@@ -18,12 +18,12 @@ class SuppressionComment extends Comment {
(
this instanceof CppStyleComment and
// strip the beginning slashes
text = getContents().suffix(2)
text = this.getContents().suffix(2)
or
this instanceof CStyleComment and
// strip both the beginning /* and the end */ the comment
exists(string text0 |
text0 = getContents().suffix(2) and
text0 = this.getContents().suffix(2) and
text = text0.prefix(text0.length() - 2)
) and
// The /* */ comment must be a single-line comment

@@ -153,12 +153,12 @@ class ExtClass extends Class {
}
predicate hasLocationInfo(string path, int startline, int startcol, int endline, int endcol) {
if hasOneVariableGroup()
if this.hasOneVariableGroup()
then
exists(VariableDeclarationGroup vdg | vdg.getClass() = this |
vdg.hasLocationInfo(path, startline, startcol, endline, endcol)
)
else getLocation().hasLocationInfo(path, startline, startcol, endline, endcol)
else this.getLocation().hasLocationInfo(path, startline, startcol, endline, endcol)
}
}

@@ -103,9 +103,9 @@ class CallWithBufferSize extends FunctionCall {
// `upperBound(e)` defaults to `exprMaxVal(e)` when `e` isn't analyzable. So to get a meaningful
// result in this case we pick the minimum value obtainable from dataflow and range analysis.
result =
upperBound(statedSizeExpr())
upperBound(this.statedSizeExpr())
.minimum(min(Expr statedSizeSrc |
DataFlow::localExprFlow(statedSizeSrc, statedSizeExpr())
DataFlow::localExprFlow(statedSizeSrc, this.statedSizeExpr())
|
statedSizeSrc.getValue().toInt()
))

@@ -22,7 +22,7 @@ abstract class LockOperation extends FunctionCall {
ControlFlowNode getAReachedNode() {
result = this
or
exists(ControlFlowNode mid | mid = getAReachedNode() |
exists(ControlFlowNode mid | mid = this.getAReachedNode() |
not mid != this.getMatchingUnlock() and
result = mid.getASuccessor()
)
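Review bot: The guard `not mid != this.getMatchingUnlock()` in `getAReachedNode` is a double negation that is easy to misread and is not equivalent to `mid = this.getMatchingUnlock()`. In QL it holds when no result of `getMatchingUnlock()` differs from `mid`, which includes the case where the lock has no matching unlock at all. If the intent is to stop following successors once the matching unlock is reached, `not mid = this.getMatchingUnlock()` states that directly. Either way, a QLDoc comment on the predicate naming the intended stop condition would let a reader check the lock-held reachability this analysis depends on. The predicate's body continues past the end of the hunk.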

@@ -156,8 +156,8 @@ abstract class LeapYearFieldAccess extends YearFieldAccess {
//
// https://aa.usno.navy.mil/faq/docs/calendars.php
this.isUsedInMod4Operation() and
additionalModulusCheckForLeapYear(400) and
additionalModulusCheckForLeapYear(100)
this.additionalModulusCheckForLeapYear(400) and
this.additionalModulusCheckForLeapYear(100)
}
}
@@ -176,17 +176,17 @@ class StructTmLeapYearFieldAccess extends LeapYearFieldAccess {
override predicate isUsedInCorrectLeapYearCheck() {
this.isUsedInMod4Operation() and
additionalModulusCheckForLeapYear(400) and
additionalModulusCheckForLeapYear(100) and
this.additionalModulusCheckForLeapYear(400) and
this.additionalModulusCheckForLeapYear(100) and
// tm_year represents years since 1900
(
additionalAdditionOrSubstractionCheckForLeapYear(1900)
this.additionalAdditionOrSubstractionCheckForLeapYear(1900)
or
// some systems may use 2000 for 2-digit year conversions
additionalAdditionOrSubstractionCheckForLeapYear(2000)
this.additionalAdditionOrSubstractionCheckForLeapYear(2000)
or
// converting from/to Unix epoch
additionalAdditionOrSubstractionCheckForLeapYear(1970)
this.additionalAdditionOrSubstractionCheckForLeapYear(1970)
)
}
}

@@ -57,7 +57,7 @@ class LoopWithAlloca extends Stmt {
or
// `e == 0`
exists(EQExpr eq |
conditionRequires(eq, truth.booleanNot()) and
this.conditionRequires(eq, truth.booleanNot()) and
eq.getAnOperand().getValue().toInt() = 0 and
e = eq.getAnOperand() and
not exists(e.getValue())
@@ -65,7 +65,7 @@ class LoopWithAlloca extends Stmt {
or
// `e != 0`
exists(NEExpr eq |
conditionRequires(eq, truth) and
this.conditionRequires(eq, truth) and
eq.getAnOperand().getValue().toInt() = 0 and
e = eq.getAnOperand() and
not exists(e.getValue())
@@ -73,7 +73,7 @@ class LoopWithAlloca extends Stmt {
or
// `(bool)e == true`
exists(EQExpr eq |
conditionRequires(eq, truth) and
this.conditionRequires(eq, truth) and
eq.getAnOperand().getValue().toInt() = 1 and
e = eq.getAnOperand() and
e.getUnspecifiedType() instanceof BoolType and
@@ -82,7 +82,7 @@ class LoopWithAlloca extends Stmt {
or
// `(bool)e != true`
exists(NEExpr eq |
conditionRequires(eq, truth.booleanNot()) and
this.conditionRequires(eq, truth.booleanNot()) and
eq.getAnOperand().getValue().toInt() = 1 and
e = eq.getAnOperand() and
e.getUnspecifiedType() instanceof BoolType and
@@ -90,7 +90,7 @@ class LoopWithAlloca extends Stmt {
)
or
exists(NotExpr notExpr |
conditionRequires(notExpr, truth.booleanNot()) and
this.conditionRequires(notExpr, truth.booleanNot()) and
e = notExpr.getOperand()
)
or
@@ -98,7 +98,7 @@ class LoopWithAlloca extends Stmt {
// requires both of its operand to be true as well.
exists(LogicalAndExpr andExpr |
truth = true and
conditionRequires(andExpr, truth) and
this.conditionRequires(andExpr, truth) and
e = andExpr.getAnOperand()
)
or
@@ -106,7 +106,7 @@ class LoopWithAlloca extends Stmt {
// it requires both of its operand to be false as well.
exists(LogicalOrExpr orExpr |
truth = false and
conditionRequires(orExpr, truth) and
this.conditionRequires(orExpr, truth) and
e = orExpr.getAnOperand()
)
}
@@ -141,9 +141,9 @@ class LoopWithAlloca extends Stmt {
* `conditionRequiresInequality`.
*/
private Variable getAControllingVariable() {
conditionRequires(result.getAnAccess(), _)
this.conditionRequires(result.getAnAccess(), _)
or
conditionRequiresInequality(result.getAnAccess(), _, _)
this.conditionRequiresInequality(result.getAnAccess(), _, _)
}
/**

@@ -61,72 +61,72 @@ class PointerArithmeticAccess extends BufferAccess, Expr {
* A pair of buffer accesses through a call to memcpy.
*/
class MemCpy extends BufferAccess, FunctionCall {
MemCpy() { getTarget().hasName("memcpy") }
MemCpy() { this.getTarget().hasName("memcpy") }
override Expr getPointer() {
result = getArgument(0) or
result = getArgument(1)
result = this.getArgument(0) or
result = this.getArgument(1)
}
override Expr getAccessedLength() { result = getArgument(2) }
override Expr getAccessedLength() { result = this.getArgument(2) }
}
class StrncpySizeExpr extends BufferAccess, FunctionCall {
StrncpySizeExpr() { getTarget().hasName("strncpy") }
StrncpySizeExpr() { this.getTarget().hasName("strncpy") }
override Expr getPointer() {
result = getArgument(0) or
result = getArgument(1)
result = this.getArgument(0) or
result = this.getArgument(1)
}
override Expr getAccessedLength() { result = getArgument(2) }
override Expr getAccessedLength() { result = this.getArgument(2) }
}
class RecvSizeExpr extends BufferAccess, FunctionCall {
RecvSizeExpr() { getTarget().hasName("recv") }
RecvSizeExpr() { this.getTarget().hasName("recv") }
override Expr getPointer() { result = getArgument(1) }
override Expr getPointer() { result = this.getArgument(1) }
override Expr getAccessedLength() { result = getArgument(2) }
override Expr getAccessedLength() { result = this.getArgument(2) }
}
class SendSizeExpr extends BufferAccess, FunctionCall {
SendSizeExpr() { getTarget().hasName("send") }
SendSizeExpr() { this.getTarget().hasName("send") }
override Expr getPointer() { result = getArgument(1) }
override Expr getPointer() { result = this.getArgument(1) }
override Expr getAccessedLength() { result = getArgument(2) }
override Expr getAccessedLength() { result = this.getArgument(2) }
}
class SnprintfSizeExpr extends BufferAccess, FunctionCall {
SnprintfSizeExpr() { getTarget().hasName("snprintf") }
SnprintfSizeExpr() { this.getTarget().hasName("snprintf") }
override Expr getPointer() { result = getArgument(0) }
override Expr getPointer() { result = this.getArgument(0) }
override Expr getAccessedLength() { result = getArgument(1) }
override Expr getAccessedLength() { result = this.getArgument(1) }
}
class MemcmpSizeExpr extends BufferAccess, FunctionCall {
MemcmpSizeExpr() { getTarget().hasName("Memcmp") }
MemcmpSizeExpr() { this.getTarget().hasName("Memcmp") }
override Expr getPointer() {
result = getArgument(0) or
result = getArgument(1)
result = this.getArgument(0) or
result = this.getArgument(1)
}
override Expr getAccessedLength() { result = getArgument(2) }
override Expr getAccessedLength() { result = this.getArgument(2) }
}
class MallocSizeExpr extends BufferAccess, FunctionCall {
MallocSizeExpr() { getTarget().hasName("malloc") }
MallocSizeExpr() { this.getTarget().hasName("malloc") }
override Expr getPointer() { none() }
override Expr getAccessedLength() { result = getArgument(0) }
override Expr getAccessedLength() { result = this.getArgument(0) }
}
class NetworkFunctionCall extends FunctionCall {
NetworkFunctionCall() { getTarget().hasName(["ntohd", "ntohf", "ntohl", "ntohll", "ntohs"]) }
NetworkFunctionCall() { this.getTarget().hasName(["ntohd", "ntohf", "ntohl", "ntohll", "ntohs"]) }
}
class NetworkToBufferSizeConfiguration extends DataFlow::Configuration {
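Review bot: `MemcmpSizeExpr` matches on `hasName("Memcmp")` with a capital M, while every sibling class in this hunk uses the lower-case library name (`memcpy`, `strncpy`, `recv`, `send`, `snprintf`, `malloc`). Unless the project deliberately models a wrapper called `Memcmp`, calls to the standard `memcmp` are never treated as buffer accesses, so the query silently misses them; `MemcmpSizeExpr() { this.getTarget().hasName("memcmp") }` looks like the intended characteristic predicate. Separately, `hasName` compares only the unqualified name, so a member or namespaced function called `recv` or `send` is modelled too; `hasGlobalName` would confine these classes to the C library functions.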

@@ -13,7 +13,7 @@ import cpp
class MacroFunctionCall extends MacroInvocation {
MacroFunctionCall() {
not exists(getParentInvocation()) and
not exists(this.getParentInvocation()) and
this.getMacro().getHead().matches("%(%")
}

@@ -13,7 +13,7 @@ import semmle.code.cpp.commons.Assertions
class MacroFunctionCall extends MacroInvocation {
MacroFunctionCall() {
not exists(getParentInvocation()) and
not exists(this.getParentInvocation()) and
this.getMacro().getHead().matches("%(%")
}

@@ -38,7 +38,7 @@ class ExternalAPIDataNode extends DataFlow::Node {
int getIndex() { result = i }
/** Gets the description of the function being called. */
string getFunctionDescription() { result = getExternalFunction().toString() }
string getFunctionDescription() { result = this.getExternalFunction().toString() }
}
/** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalAPIDataNode`s. */

@@ -38,7 +38,7 @@ class ExternalAPIDataNode extends DataFlow::Node {
int getIndex() { result = i }
/** Gets the description of the function being called. */
string getFunctionDescription() { result = getExternalFunction().toString() }
string getFunctionDescription() { result = this.getExternalFunction().toString() }
}
/** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalAPIDataNode`s. */

@@ -42,7 +42,7 @@ class VarargsFunction extends Function {
}
private int trailingArgValueCount(string value) {
result = strictcount(FunctionCall fc | trailingArgValue(fc) = value)
result = strictcount(FunctionCall fc | this.trailingArgValue(fc) = value)
}
string nonTrailingVarArgValue(FunctionCall fc, int index) {
@@ -58,11 +58,11 @@ class VarargsFunction extends Function {
string normalTerminator(int cnt) {
result = ["0", "-1"] and
cnt = trailingArgValueCount(result) and
2 * cnt > totalCount() and
cnt = this.trailingArgValueCount(result) and
2 * cnt > this.totalCount() and
not exists(FunctionCall fc, int index |
// terminator value is used in a non-terminating position
nonTrailingVarArgValue(fc, index) = result
this.nonTrailingVarArgValue(fc, index) = result
)
}

@@ -42,7 +42,7 @@ class TaintSource extends VariableAccess {
definitionUsePair(_, this, va)
or
exists(VariableAccess mid, Expr def |
sourceReaches(mid) and
this.sourceReaches(mid) and
exprDefinition(_, def, mid) and
definitionUsePair(_, def, va)
)
@@ -53,11 +53,11 @@ class TaintSource extends VariableAccess {
* from `va`, possibly using intermediate reassignments.
*/
private predicate reachesSink(VariableAccess va, VariableAccess sink) {
isSink(sink) and
this.isSink(sink) and
va = sink
or
exists(VariableAccess mid, Expr def |
reachesSink(mid, sink) and
this.reachesSink(mid, sink) and
exprDefinition(_, def, va) and
definitionUsePair(_, def, mid)
)
@@ -71,15 +71,15 @@ class TaintSource extends VariableAccess {
* this source to `sink` found via `tainted(source, sink)`.)
*/
predicate reaches(VariableAccess sink) {
isSink(sink) and
this.isSink(sink) and
not exists(VariableAccess va |
va != this and
va != sink and
mayAddNullTerminator(_, va)
|
sourceReaches(va)
this.sourceReaches(va)
or
reachesSink(va, sink)
this.reachesSink(va, sink)
)
}
}

@@ -84,8 +84,8 @@ class ParameterNullCheck extends ParameterCheck {
p.getFunction() instanceof InitializationFunction and
p.getType().getUnspecifiedType() instanceof PointerType and
exists(VariableAccess va | va = p.getAnAccess() |
nullSuccessor = getATrueSuccessor() and
notNullSuccessor = getAFalseSuccessor() and
nullSuccessor = this.getATrueSuccessor() and
notNullSuccessor = this.getAFalseSuccessor() and
(
va = this.(NotExpr).getOperand() or
va = any(EQExpr eq | eq = this and eq.getAnOperand().getValue() = "0").getAnOperand() or
@@ -95,8 +95,8 @@ class ParameterNullCheck extends ParameterCheck {
.getAnOperand()
)
or
nullSuccessor = getAFalseSuccessor() and
notNullSuccessor = getATrueSuccessor() and
nullSuccessor = this.getAFalseSuccessor() and
notNullSuccessor = this.getATrueSuccessor() and
(
va = this or
va = any(NEExpr eq | eq = this and eq.getAnOperand().getValue() = "0").getAnOperand() or
@@ -132,7 +132,7 @@ class ValidatedExternalCondInitFunction extends ExternalData {
ValidatedExternalCondInitFunction() { this.getDataPath().matches("%cond-init%.csv") }
predicate isExternallyVerified(Function f, int param) {
functionSignature(f, getField(1), getField(2)) and param = getFieldAsInt(3)
functionSignature(f, this.getField(1), this.getField(2)) and param = this.getFieldAsInt(3)
}
}
@@ -193,7 +193,7 @@ class InitializationFunction extends Function {
.getAnOverridingFunction+()
.(InitializationFunction)
.initializedParameter() or
getParameter(i) = any(InitializationFunctionCall c).getAnInitParameter()
this.getParameter(i) = any(InitializationFunctionCall c).getAnInitParameter()
)
or
// If we have no definition, we look at SAL annotations
@@ -227,7 +227,7 @@ class InitializationFunction extends Function {
result = getAnInitializedArgument(any(Call c))
or
exists(IfStmt check | result = check.getCondition().getAChild*() |
paramReassignmentCondition(check)
this.paramReassignmentCondition(check)
)
)
or
@@ -249,15 +249,15 @@ class InitializationFunction extends Function {
/** Holds if `n` can be reached without the parameter at `index` being reassigned. */
predicate paramNotReassignedAt(ControlFlowNode n, int index, Context c) {
c = getAContext(index) and
c = this.getAContext(index) and
(
not exists(this.getEntryPoint()) and index = i and n = this
or
n = this.getEntryPoint() and index = i
or
exists(ControlFlowNode mid | paramNotReassignedAt(mid, index, c) |
exists(ControlFlowNode mid | this.paramNotReassignedAt(mid, index, c) |
n = mid.getASuccessor() and
not n = paramReassignment(index) and
not n = this.paramReassignment(index) and
/*
* Ignore successor edges where the parameter is null, because it is then confirmed to be
* initialized.
@@ -265,7 +265,7 @@ class InitializationFunction extends Function {
not exists(ParameterNullCheck nullCheck |
nullCheck = mid and
nullCheck = getANullCheck(index) and
nullCheck = this.getANullCheck(index) and
n = nullCheck.getNullSuccessor()
) and
/*
@@ -281,13 +281,13 @@ class InitializationFunction extends Function {
/** Gets a null-check on the parameter at `index`. */
private ParameterNullCheck getANullCheck(int index) {
getParameter(index) = result.getParameter()
this.getParameter(index) = result.getParameter()
}
/** Gets a parameter which is not at the given index. */
private Parameter getOtherParameter(int index) {
index = i and
result = getAParameter() and
result = this.getAParameter() and
not result.getIndex() = index
}
@@ -306,10 +306,10 @@ class InitializationFunction extends Function {
if
strictcount(Parameter p |
exists(Context c | c = ParamNull(p) or c = ParamNotNull(p)) and
p = getOtherParameter(index)
p = this.getOtherParameter(index)
) = 1
then
exists(Parameter p | p = getOtherParameter(index) |
exists(Parameter p | p = this.getOtherParameter(index) |
result = ParamNull(p) or result = ParamNotNull(p)
)
else
@@ -424,8 +424,8 @@ class ConditionalInitializationCall extends FunctionCall {
/** Gets the argument passed for the given parameter to this call. */
Expr getArgumentForParameter(Parameter p) {
p = getTarget().getAParameter() and
result = getArgument(p.getIndex())
p = this.getTarget().getAParameter() and
result = this.getArgument(p.getIndex())
}
/**
@@ -442,7 +442,7 @@ class ConditionalInitializationCall extends FunctionCall {
context = ParamNotNull(otherP) or
context = ParamNull(otherP)
|
otherArg = getArgumentForParameter(otherP) and
otherArg = this.getArgumentForParameter(otherP) and
(otherArg instanceof AddressOfExpr implies context = ParamNotNull(otherP)) and
(otherArg.getType() instanceof ArrayType implies context = ParamNotNull(otherP)) and
(otherArg.getValue() = "0" implies context = ParamNull(otherP))
@@ -511,8 +511,8 @@ class ConditionalInitializationCall extends FunctionCall {
)
)
or
exists(ControlFlowNode mid | mid = uncheckedReaches(var) |
not mid = getStatusVariable().getAnAccess() and
exists(ControlFlowNode mid | mid = this.uncheckedReaches(var) |
not mid = this.getStatusVariable().getAnAccess() and
not mid = var.getAnAccess() and
not exists(VariableAccess write | result = write and write = var.getAnAccess() |
write = any(AssignExpr a).getLValue() or

@@ -44,7 +44,7 @@ class ConditionallyInitializedVariable extends LocalVariable {
// Find a call that conditionally initializes this variable
hasConditionalInitialization(f, call, this, initAccess, e) and
// Ignore cases where the variable is assigned prior to the call
not reaches(getAnAssignedValue(), initAccess) and
not reaches(this.getAnAssignedValue(), initAccess) and
// Ignore cases where the variable is assigned field-wise prior to the call.
not exists(FieldAccess fa |
exists(Assignment a |
@@ -56,7 +56,7 @@ class ConditionallyInitializedVariable extends LocalVariable {
) and
// Ignore cases where the variable is assigned by a prior call to an initialization function
not exists(Call c |
getAnAccess() = getAnInitializedArgument(c).(AddressOfExpr).getOperand() and
this.getAnAccess() = getAnInitializedArgument(c).(AddressOfExpr).getOperand() and
reaches(c, initAccess)
) and
/*
@@ -64,7 +64,7 @@ class ConditionallyInitializedVariable extends LocalVariable {
* the CFG, but should always be considered as initialized, so exclude them.
*/
not exists(getInitializer().getExpr())
not exists(this.getInitializer().getExpr())
}
/**
@@ -90,7 +90,7 @@ class ConditionallyInitializedVariable extends LocalVariable {
// Variable associated with this particular call
call = initializingCall and
// Access is a meaningful read access
result = getAReadAccess() and
result = this.getAReadAccess() and
// Which occurs after the call
reaches(call, result) and
/*
@@ -124,7 +124,7 @@ class ConditionallyInitializedVariable extends LocalVariable {
call = initializingCall and
initializingFunction = f and
e = evidence and
result = getAReadAccessAfterCall(initializingCall) and
result = this.getAReadAccessAfterCall(initializingCall) and
(
// Access is risky because status return code ignored completely
call instanceof ExprInVoidContext
@@ -148,7 +148,7 @@ class ConditionallyInitializedVariable extends LocalVariable {
call = initializingCall and
initializingFunction = f and
e = evidence and
result = getAReadAccessAfterCall(initializingCall) and
result = this.getAReadAccessAfterCall(initializingCall) and
exists(LocalVariable status, Assignment a |
a.getRValue() = call and
call = status.getAnAssignedValue() and
@@ -184,7 +184,7 @@ class ConditionallyInitializedVariable extends LocalVariable {
ConditionalInitializationFunction initializingFunction,
ConditionalInitializationCall initializingCall, Evidence evidence
) {
result = getARiskyAccessBeforeStatusCheck(initializingFunction, initializingCall, evidence) or
result = getARiskyAccessWithNoStatusCheck(initializingFunction, initializingCall, evidence)
result = this.getARiskyAccessBeforeStatusCheck(initializingFunction, initializingCall, evidence) or
result = this.getARiskyAccessWithNoStatusCheck(initializingFunction, initializingCall, evidence)
}
}

@@ -31,15 +31,15 @@ abstract class SystemData extends Element {
*/
Expr getAnExprIndirect() {
// direct SystemData
result = getAnExpr() or
result = this.getAnExpr() or
// flow via global or member variable (conservative approximation)
result = getAnAffectedVar().getAnAccess() or
result = this.getAnAffectedVar().getAnAccess() or
// flow via stack variable
definitionUsePair(_, getAnExprIndirect(), result) or
useUsePair(_, getAnExprIndirect(), result) or
useUsePair(_, result, getAnExprIndirect()) or
definitionUsePair(_, this.getAnExprIndirect(), result) or
useUsePair(_, this.getAnExprIndirect(), result) or
useUsePair(_, result, this.getAnExprIndirect()) or
// flow from assigned value to assignment expression
result.(AssignExpr).getRValue() = getAnExprIndirect()
result.(AssignExpr).getRValue() = this.getAnExprIndirect()
}
/**

@@ -67,16 +67,16 @@ class IFStream extends Type {
*/
class CinVariable extends NamespaceVariable {
CinVariable() {
getName() = ["cin", "wcin"] and
getNamespace().getName() = "std"
this.getName() = ["cin", "wcin"] and
this.getNamespace().getName() = "std"
}
}
/** A call to `std::operator>>`. */
class OperatorRShiftCall extends FunctionCall {
OperatorRShiftCall() {
getTarget().getNamespace().getName() = "std" and
getTarget().hasName("operator>>")
this.getTarget().getNamespace().getName() = "std" and
this.getTarget().hasName("operator>>")
}
/*
@@ -87,15 +87,15 @@ class OperatorRShiftCall extends FunctionCall {
*/
Expr getSource() {
if getTarget() instanceof MemberFunction
then result = getQualifier()
else result = getArgument(0)
if this.getTarget() instanceof MemberFunction
then result = this.getQualifier()
else result = this.getArgument(0)
}
Expr getDest() {
if getTarget() instanceof MemberFunction
then result = getArgument(0)
else result = getArgument(1)
if this.getTarget() instanceof MemberFunction
then result = this.getArgument(0)
else result = this.getArgument(1)
}
}
@@ -119,7 +119,7 @@ abstract class PotentiallyDangerousInput extends Expr {
* Gets the width restriction that applies to the input stream
* for this expression, if any.
*/
Expr getWidth() { result = getPreviousAccess().getWidthAfter() }
Expr getWidth() { result = this.getPreviousAccess().getWidthAfter() }
private Expr getWidthSetHere() {
exists(FunctionCall widthCall |
@@ -154,11 +154,11 @@ abstract class PotentiallyDangerousInput extends Expr {
* after this expression, if any.
*/
Expr getWidthAfter() {
result = getWidthSetHere()
result = this.getWidthSetHere()
or
not exists(getWidthSetHere()) and
not isWidthConsumedHere() and
result = getWidth()
not exists(this.getWidthSetHere()) and
not this.isWidthConsumedHere() and
result = this.getWidth()
}
}
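Review bot: `OperatorRShiftCall.getDest()` has no QLDoc, and the explanation above `getSource()` opens with `/*` rather than `/**`, so it is a plain comment that documentation tooling will not attach to the predicate. Since both predicates switch argument positions depending on whether the target is a `MemberFunction`, a short QLDoc on each would help query authors, for example `/** Gets the operand that receives the extracted value: argument 0 for a member operator>>, argument 1 otherwise. */` on `getDest()`. The body of the comment above `getSource()` lies outside the visible hunks, so its wording may only need the opening marker changed.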

@@ -21,9 +21,9 @@ predicate argumentMayBeRoot(Expr e) {
class SetuidLikeFunctionCall extends FunctionCall {
SetuidLikeFunctionCall() {
(getTarget().hasGlobalName("setuid") or getTarget().hasGlobalName("setresuid")) and
(this.getTarget().hasGlobalName("setuid") or this.getTarget().hasGlobalName("setresuid")) and
// setuid/setresuid with the root user are false positives.
not argumentMayBeRoot(getArgument(0))
not argumentMayBeRoot(this.getArgument(0))
}
}
@@ -44,7 +44,7 @@ class SetuidLikeWrapperCall extends FunctionCall {
class CallBeforeSetuidFunctionCall extends FunctionCall {
CallBeforeSetuidFunctionCall() {
getTarget()
this.getTarget()
.hasGlobalName([
"setgid", "setresgid",
// Compatibility may require skipping initgroups and setgroups return checks.
@@ -52,7 +52,7 @@ class CallBeforeSetuidFunctionCall extends FunctionCall {
"initgroups", "setgroups"
]) and
// setgid/setresgid/etc with the root group are false positives.
not argumentMayBeRoot(getArgument(0))
not argumentMayBeRoot(this.getArgument(0))
}
}
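Review bot: The false-positive exclusion `not argumentMayBeRoot(this.getArgument(0))` inspects only the first argument, but `setresuid` and `setresgid` take the real, effective and saved ids as three separate arguments. As written, a call that passes a root id only in the effective or saved position is still classified as a privilege drop, and one that passes root only as the real id is excluded. If that is intended, a comment next to the exclusion should say so; otherwise the three-argument variants probably need the same check on arguments 1 and 2. The same pattern appears in `CallBeforeSetuidFunctionCall`, whose characteristic predicate is split across the two later hunks.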

@@ -24,7 +24,7 @@ class CallMayNotReturn extends FunctionCall {
not exists(this.(ControlFlowNode).getASuccessor())
or
// call to another function that may not return
exists(CallMayNotReturn exit | getTarget() = exit.getEnclosingFunction())
exists(CallMayNotReturn exit | this.getTarget() = exit.getEnclosingFunction())
}
}

@@ -118,7 +118,7 @@ private predicate exprReleases(Expr e, Expr released, string kind) {
}
class Resource extends MemberVariable {
Resource() { not isStatic() }
Resource() { not this.isStatic() }
// Check that an expr is somewhere in this class - does not have to be a constructor
predicate inSameClass(Expr e) {
@@ -129,7 +129,7 @@ class Resource extends MemberVariable {
f instanceof Destructor and f.getDeclaringType() = this.getDeclaringType()
or
exists(Function mid, FunctionCall fc |
calledFromDestructor(mid) and
this.calledFromDestructor(mid) and
fc.getEnclosingFunction() = mid and
fc.getTarget() = f and
f.getDeclaringType() = this.getDeclaringType()
@@ -137,7 +137,7 @@ class Resource extends MemberVariable {
}
predicate inDestructor(Expr e) {
exists(Function f | f = e.getEnclosingFunction() | calledFromDestructor(f))
exists(Function f | f = e.getEnclosingFunction() | this.calledFromDestructor(f))
}
predicate acquisitionWithRequiredKind(Assignment acquireAssign, string kind) {

@@ -29,7 +29,8 @@ class CustomAddFunctionCall extends SimpleRangeAnalysisExpr, FunctionCall {
class SelfSub extends SimpleRangeAnalysisExpr, SubExpr {
SelfSub() {
getLeftOperand().(VariableAccess).getTarget() = getRightOperand().(VariableAccess).getTarget()
this.getLeftOperand().(VariableAccess).getTarget() =
this.getRightOperand().(VariableAccess).getTarget()
}
override float getLowerBounds() { result = 0 }