hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 18:25:24 +02:00
Code Issues Packages Projects Releases Wiki Activity

C++: Fix false positive.

Browse Source
This commit is contained in:
Geoffrey White
2020-06-25 11:30:09 +01:00
parent 720ac026dc
commit 89bea604d9
3 changed files with 15 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
cpp/ql/src/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean.ql
View File

@@ -15,6 +15,18 @@ import cpp
import semmle.code.cpp.models.implementations.Strcpy
import semmle.code.cpp.dataflow.DataFlow
/**
* A string copy function that returns a string, rather than an error code (for
* example, `strcpy` returns a string, whereas `strcpy_s` returns an error
* code).
*/
class InterestingStrcpyFunction extends StrcpyFunction {
InterestingStrcpyFunction()
{
getType().getUnspecifiedType() instanceof PointerType
}
}
predicate isBoolean(Expr e1) {
exists(Type t1 |
t1 = e1.getType() and
@@ -25,12 +37,12 @@ predicate isBoolean(Expr e1) {
predicate isStringCopyCastedAsBoolean(FunctionCall func, Expr expr1, string msg) {
DataFlow::localExprFlow(func, expr1) and
isBoolean(expr1.getConversion*()) and
func.getTarget() instanceof StrcpyFunction and
func.getTarget() instanceof InterestingStrcpyFunction and
msg = "Return value of " + func.getTarget().getName() + " used as a Boolean."
}
predicate isStringCopyUsedInLogicalOperationOrCondition(FunctionCall func, Expr expr1, string msg) {
func.getTarget() instanceof StrcpyFunction and
func.getTarget() instanceof InterestingStrcpyFunction and
(
(
// it is being used in an equality or logical operation

1
cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/UsingStrcpyAsBoolean.expected
View File

@@ -29,4 +29,3 @@
| test.cpp:135:14:135:40 | ... && ... | Return value of strcpy used in a logical operation. |
| test.cpp:137:14:137:40 | ... == ... | Return value of strcpy used in a logical operation. |
| test.cpp:139:14:139:40 | ... != ... | Return value of strcpy used in a logical operation. |
| test.cpp:159:9:159:16 | call to strcpy_s | Return value of strcpy_s used directly in a conditional expression. |

2
cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/test.cpp
View File

@@ -156,7 +156,7 @@ void NegativeCases()
{
}
if (strcpy_s(szbuf1, 100, "test")) // [FALSE POSITIVE]
if (strcpy_s(szbuf1, 100, "test"))
{
}