hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-18 05:24:01 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into redsun82/swift-6

Browse Source
This commit is contained in:
Paolo Tranquilli
2024-10-30 12:27:24 +01:00
parent d3fb2543d2 2b678c97ab
commit 91f683d94c
1226 changed files with 129482 additions and 83308 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.bazelrc
View File

@@ -1,5 +1,4 @@
common --enable_platform_specific_config
common --enable_bzlmod
# because we use --override_module with `%workspace%`, the lock file is not stable
common --lockfile_mode=off

2
.bazelversion
View File

@@ -1 +1 @@
5f5d70b6c4d2fb1a889479569107f1692239e8a7
8.0.0rc1

4
.github/labeler.yml vendored
View File

@@ -38,6 +38,10 @@ Swift:
- swift/**/*
- change-notes/**/*swift*
Actions:
- actions/**/*
- change-notes/**/*actions*
documentation:
- "**/*.qhelp"
- "**/*.md"

2
.github/workflows/build-ripunzip.yml vendored
View File

@@ -17,7 +17,7 @@ jobs:
strategy:
fail-fast: false
matrix:
os: [ubuntu-20.04, macos-12, windows-2019]
os: [ubuntu-20.04, macos-13, windows-2019]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4

69
.github/workflows/rust-analysis.yml vendored Normal file
View File

@@ -0,0 +1,69 @@
name: "Code scanning - Rust"
on:
push:
branches:
- main
- 'rc/*'
pull_request:
branches:
- main
- 'rc/*'
paths:
- '**/*.rs'
- '**/Cargo.toml'
- '.github/codeql/codeql-config.yml'
- '.github/workflows/rust-analysis.yml'
schedule:
- cron: '0 9 * * 1'
env:
CODEQL_ENABLE_EXPERIMENTAL_FEATURES: "true"
jobs:
analyze:
strategy:
matrix:
language: [ 'rust' ]
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
pull-requests: read
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Query latest nightly CodeQL bundle
shell: bash
id: codeql
env:
GITHUB_TOKEN: ${{ github.token }}
run: |
REPO=dsp-testing/codeql-cli-nightlies
TAG=$(
gh release list -R $REPO -L1 --exclude-drafts --json tagName -q ".[] | .tagName"
)
echo "nightly_bundle=https://github.com/$REPO/releases/download/$TAG/codeql-bundle-linux64.tar.zst" \
| tee -a "$GITHUB_OUTPUT"
- name: Initialize CodeQL
uses: github/codeql-action/init@main
with:
tools: ${{ steps.codeql.outputs.nightly_bundle }}
languages: ${{ matrix.language }}
config: |
disable-default-queries: true
queries:
- uses: security-and-quality
paths-ignore:
- '/rust/ql/tests'
- name: Autobuild
uses: github/codeql-action/autobuild@main
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@main

4
.github/workflows/swift.yml vendored
View File

@@ -44,7 +44,7 @@ jobs:
# without waiting for the macOS build
build-and-test-macos:
if: github.repository_owner == 'github'
runs-on: macos-12-xl
runs-on: macos-13-xlarge
steps:
- uses: actions/checkout@v4
- uses: ./swift/actions/build-and-test
@@ -64,7 +64,7 @@ jobs:
qltests-macos:
if: ${{ github.repository_owner == 'github' && github.event_name == 'pull_request' }}
needs: build-and-test-macos
runs-on: macos-12-xl
runs-on: macos-13-xlarge
steps:
- uses: actions/checkout@v4
- uses: ./swift/actions/run-ql-tests

1
CODEOWNERS
View File

@@ -23,7 +23,6 @@
/ql/ @github/codeql-ql-for-ql-reviewers
# Bazel (excluding BUILD.bazel files)
WORKSPACE.bazel @github/codeql-ci-reviewers
MODULE.bazel @github/codeql-ci-reviewers
.bazelversion @github/codeql-ci-reviewers
.bazelrc @github/codeql-ci-reviewers

29
Cargo.lock generated
View File

@@ -384,17 +384,20 @@ dependencies = [
"clap",
"codeql-extractor",
"figment",
"glob",
"itertools 0.13.0",
"log",
"num-traits",
"ra_ap_base_db",
"ra_ap_hir",
"ra_ap_hir_def",
"ra_ap_hir_expand",
"ra_ap_ide_db",
"ra_ap_load-cargo",
"ra_ap_parser",
"ra_ap_paths",
"ra_ap_project_model",
"ra_ap_span",
"ra_ap_syntax",
"ra_ap_vfs",
"rust-extractor-macros",
@@ -629,6 +632,7 @@ dependencies = [
"atomic",
"pear",
"serde",
"serde_yaml",
"uncased",
"version_check",
]
@@ -702,6 +706,12 @@ dependencies = [
"wasi",
]
[[package]]
name = "glob"
version = "0.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d2fabcfbdc87f4758337ca535fb41a6d701b65693ce38287d856d1674551ec9b"
[[package]]
name = "globset"
version = "0.4.15"
@@ -2056,6 +2066,19 @@ dependencies = [
"syn",
]
[[package]]
name = "serde_yaml"
version = "0.9.34+deprecated"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6a8b1a1a2ebf674015cc02edccce75287f1a0130d394307b36743c2f5d504b47"
dependencies = [
"indexmap 2.5.0",
"itoa",
"ryu",
"serde",
"unsafe-libyaml",
]
[[package]]
name = "sharded-slab"
version = "0.1.7"
@@ -2379,6 +2402,12 @@ version = "0.2.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "229730647fbc343e3a80e463c1db7f78f3855d3f3739bee0dda773c9a037c90a"
[[package]]
name = "unsafe-libyaml"
version = "0.2.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "673aac59facbab8a9007c7f6108d11f63b603f7cabff99fabf650fea5c32b861"
[[package]]
name = "utf8parse"
version = "0.2.2"

10
MODULE.bazel
View File

@@ -18,16 +18,16 @@ bazel_dep(name = "platforms", version = "0.0.10")
bazel_dep(name = "rules_go", version = "0.50.0")
bazel_dep(name = "rules_pkg", version = "1.0.1")
bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
bazel_dep(name = "rules_python", version = "0.35.0")
bazel_dep(name = "bazel_skylib", version = "1.6.1")
bazel_dep(name = "rules_python", version = "0.36.0")
bazel_dep(name = "bazel_skylib", version = "1.7.1")
bazel_dep(name = "abseil-cpp", version = "20240116.0", repo_name = "absl")
bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
bazel_dep(name = "fmt", version = "10.0.0")
bazel_dep(name = "rules_kotlin", version = "1.9.4-codeql.1")
bazel_dep(name = "rules_kotlin", version = "2.0.0-codeql.1")
bazel_dep(name = "gazelle", version = "0.38.0")
bazel_dep(name = "rules_dotnet", version = "0.15.1")
bazel_dep(name = "rules_dotnet", version = "0.16.1")
bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
bazel_dep(name = "rules_rust", version = "0.50.0")
bazel_dep(name = "rules_rust", version = "0.52.2")
bazel_dep(name = "zstd", version = "1.5.5.bcr.1")
bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)

2
WORKSPACE.bazel
View File

@@ -1,2 +0,0 @@
# please use MODULE.bazel to add dependencies
# this empty file is required by internal repositories, don't remove it

20
actions/BUILD.bazel Normal file
View File

@@ -0,0 +1,20 @@
load("//misc/bazel:pkg.bzl", "codeql_pack")
package(default_visibility = ["//visibility:public"])
[
codeql_pack(
name = "-".join(parts),
srcs = [
"//actions/extractor",
],
pack_prefix = "/".join(parts),
)
for parts in (
[
"experimental",
"actions",
],
["actions"],
)
]

10
actions/extractor/BUILD.bazel Normal file
View File

@@ -0,0 +1,10 @@
load("//misc/bazel:pkg.bzl", "codeql_pkg_files", "strip_prefix")
codeql_pkg_files(
name = "extractor",
srcs = [
"codeql-extractor.yml",
] + glob(["tools/**"]),
strip_prefix = strip_prefix.from_pkg(),
visibility = ["//actions:__pkg__"],
)

44
actions/extractor/codeql-extractor.yml Normal file
View File

@@ -0,0 +1,44 @@
name: "actions"
aliases: []
display_name: "GitHub Actions"
version: 0.0.1
column_kind: "utf16"
unicode_newlines: true
build_modes:
- none
file_coverage_languages: []
github_api_languages: []
scc_languages: []
file_types:
- name: workflow
display_name: GitHub Actions workflow files
extensions:
- .yml
- .yaml
forwarded_extractor_name: javascript
options:
trap:
title: TRAP options
description: Options about how the extractor handles TRAP files
type: object
visibility: 3
properties:
cache:
title: TRAP cache options
description: Options about how the extractor handles its TRAP cache
type: object
properties:
dir:
title: TRAP cache directory
description: The directory of the TRAP cache to use
type: string
bound:
title: TRAP cache bound
description: A soft limit (in MB) on the size of the TRAP cache
type: string
pattern: "[0-9]+"
write:
title: TRAP cache writeable
description: Whether to write to the TRAP cache as well as reading it
type: string
pattern: "(true|TRUE|false|FALSE)"

40
actions/extractor/tools/autobuild-impl.ps1 Normal file
View File

@@ -0,0 +1,40 @@
if (($null -ne $env:LGTM_INDEX_INCLUDE) -or ($null -ne $env:LGTM_INDEX_EXCLUDE) -or ($null -ne $env:LGTM_INDEX_FILTERS)) {
Write-Output 'Path filters set. Passing them through to the JavaScript extractor.'
} else {
Write-Output 'No path filters set. Using the default filters.'
$DefaultPathFilters = @(
'exclude:**/*',
'include:.github/workflows/**/*.yml',
'include:.github/workflows/**/*.yaml',
'include:**/action.yml',
'include:**/action.yaml'
)
$env:LGTM_INDEX_FILTERS = $DefaultPathFilters -join "`n"
}
# Find the JavaScript extractor directory via `codeql resolve extractor`.
$CodeQL = Join-Path $env:CODEQL_DIST 'codeql.exe'
$env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT = &$CodeQL resolve extractor --language javascript
if ($LASTEXITCODE -ne 0) {
throw 'Failed to resolve JavaScript extractor.'
}
Write-Output "Found JavaScript extractor at '${env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}'."
# Run the JavaScript autobuilder.
$JavaScriptAutoBuild = Join-Path $env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT 'tools\autobuild.cmd'
Write-Output "Running JavaScript autobuilder at '${JavaScriptAutoBuild}'."
# Copy the values of the Actions extractor environment variables to the JavaScript extractor environment variables.
$env:CODEQL_EXTRACTOR_JAVASCRIPT_DIAGNOSTIC_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_DIAGNOSTIC_DIR
$env:CODEQL_EXTRACTOR_JAVASCRIPT_LOG_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_LOG_DIR
$env:CODEQL_EXTRACTOR_JAVASCRIPT_SCRATCH_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_SCRATCH_DIR
$env:CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_SOURCE_ARCHIVE_DIR
$env:CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR
$env:CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE = $env:CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE
&$JavaScriptAutoBuild
if ($LASTEXITCODE -ne 0) {
throw "JavaScript autobuilder failed."
}

3
actions/extractor/tools/autobuild.cmd Normal file
View File

@@ -0,0 +1,3 @@
@echo off
rem All of the work is done in the PowerShell script
powershell.exe %~dp0autobuild-impl.ps1

39
actions/extractor/tools/autobuild.sh Executable file
View File

@@ -0,0 +1,39 @@
#!/bin/sh
set -eu
DEFAULT_PATH_FILTERS=$(cat << END
exclude:**/*
include:.github/workflows/**/*.yml
include:.github/workflows/**/*.yaml
include:**/action.yml
include:**/action.yaml
END
)
if [ -n "${LGTM_INDEX_INCLUDE:-}" ] || [ -n "${LGTM_INDEX_EXCLUDE:-}" ] || [ -n "${LGTM_INDEX_FILTERS:-}" ] ; then
echo "Path filters set. Passing them through to the JavaScript extractor."
else
echo "No path filters set. Using the default filters."
LGTM_INDEX_FILTERS="${DEFAULT_PATH_FILTERS}"
export LGTM_INDEX_FILTERS
fi
# Find the JavaScript extractor directory via `codeql resolve extractor`.
CODEQL_EXTRACTOR_JAVASCRIPT_ROOT="$($CODEQL_DIST/codeql resolve extractor --language javascript)"
export CODEQL_EXTRACTOR_JAVASCRIPT_ROOT
echo "Found JavaScript extractor at '${CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}'."
# Run the JavaScript autobuilder
JAVASCRIPT_AUTO_BUILD="${CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}/tools/autobuild.sh"
echo "Running JavaScript autobuilder at '${JAVASCRIPT_AUTO_BUILD}'."
# Copy the values of the Actions extractor environment variables to the JavaScript extractor environment variables.
env CODEQL_EXTRACTOR_JAVASCRIPT_DIAGNOSTIC_DIR="${CODEQL_EXTRACTOR_ACTIONS_DIAGNOSTIC_DIR}" \
CODEQL_EXTRACTOR_JAVASCRIPT_LOG_DIR="${CODEQL_EXTRACTOR_ACTIONS_LOG_DIR}" \
CODEQL_EXTRACTOR_JAVASCRIPT_SCRATCH_DIR="${CODEQL_EXTRACTOR_ACTIONS_SCRATCH_DIR}" \
CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR="${CODEQL_EXTRACTOR_ACTIONS_SOURCE_ARCHIVE_DIR}" \
CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR="${CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR}" \
CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE="${CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE}" \
${JAVASCRIPT_AUTO_BUILD}

1
actions/ql/lib/actions.qll Normal file
View File

@@ -0,0 +1 @@
predicate placeholder(int x) { x = 0 }

12
actions/ql/lib/qlpack.yml Normal file
View File

@@ -0,0 +1,12 @@
name: codeql/actions-all
version: 0.0.1-dev
library: true
warnOnImplicitThis: true
dependencies:
codeql/util: ${workspace}
codeql/yaml: ${workspace}
codeql/controlflow: ${workspace}
codeql/dataflow: ${workspace}
codeql/javascript-all: ${workspace}
extractor: actions
groups: actions

16
actions/ql/src/Placeholder.ql Normal file
View File

@@ -0,0 +1,16 @@
/**
* @name Placeholder Query
* @description Placeholder
* @kind problem
* @problem.severity warning
* @security-severity 9.3
* @precision high
* @id actions/placeholder
* @tags actions security
*/
import actions
import javascript
from File f
select f, "Analyzed a file."

8
actions/ql/src/qlpack.yml Normal file
View File

@@ -0,0 +1,8 @@
name: codeql/actions-queries
version: 0.0.1-dev
library: false
groups: [actions, queries]
extractor: actions
dependencies:
codeql/actions-all: ${workspace}
warnOnImplicitThis: true

23
actions/ql/test/library-tests/.github/workflows/shell.yml vendored Normal file
View File

@@ -0,0 +1,23 @@
on: push
jobs:
job1:
runs-on: ubuntu-latest
steps:
- shell: pwsh
run: Write-Output "foo"
job2:
runs-on: ubuntu-latest
steps:
- run: echo "foo"
job3:
runs-on: windows-latest
steps:
- shell: bash
run: echo "foo"
job4:
runs-on: windows-latest
steps:
- run: Write-Output "foo"

1
actions/ql/test/library-tests/Placeholder.expected Normal file
View File

@@ -0,0 +1 @@
| 1 |

1
actions/ql/test/library-tests/Placeholder.ql Normal file
View File

@@ -0,0 +1 @@
select 1

8
actions/ql/test/qlpack.yml Normal file
View File

@@ -0,0 +1,8 @@
name: codeql/actions-tests
groups: [codeql, test]
dependencies:
codeql/actions-all: ${workspace}
codeql/actions-queries: ${workspace}
extractor: actions
tests: .
warnOnImplicitThis: true

23
actions/ql/test/query-tests/Placeholder/.github/workflows/shell.yml vendored Normal file
View File

@@ -0,0 +1,23 @@
on: push
jobs:
job1:
runs-on: ubuntu-latest
steps:
- shell: pwsh
run: Write-Output "foo"
job2:
runs-on: ubuntu-latest
steps:
- run: echo "foo"
job3:
runs-on: windows-latest
steps:
- shell: bash
run: echo "foo"
job4:
runs-on: windows-latest
steps:
- run: Write-Output "foo"

1
actions/ql/test/query-tests/Placeholder/Placeholder.expected Normal file
View File

@@ -0,0 +1 @@
| .github/workflows/shell.yml:0:0:0:0 | .github/workflows/shell.yml | Analyzed a file. |

1
actions/ql/test/query-tests/Placeholder/Placeholder.qlref Normal file
View File

@@ -0,0 +1 @@
Placeholder.ql

4
config/identical-files.json
View File

@@ -351,9 +351,5 @@
"Python model summaries test extension": [
"python/ql/test/library-tests/dataflow/model-summaries/InlineTaintTest.ext.yml",
"python/ql/test/library-tests/dataflow/model-summaries/NormalDataflowTest.ext.yml"
],
"Diagnostics.qll": [
"ruby/ql/lib/codeql/ruby/Diagnostics.qll",
"rust/ql/lib/codeql/rust/Diagnostics.qll"
]
}

15
cpp/downgrades/6f5d51e89e762fe4609fd4ac8ee3afb04221e873/exprs.ql Normal file
View File

@@ -0,0 +1,15 @@
class Expr extends @expr {
string toString() { none() }
}
class Location extends @location_expr {
string toString() { none() }
}
predicate isExprRequires(Expr expr) { exists(int kind | exprs(expr, kind, _) | kind = 390) }
from Expr expr, int kind, int kind_new, Location location
where
exprs(expr, kind, location) and
if isExprRequires(expr) then kind_new = 1 else kind_new = kind
select expr, kind_new, location

2316
cpp/downgrades/6f5d51e89e762fe4609fd4ac8ee3afb04221e873/old.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

2315
cpp/downgrades/6f5d51e89e762fe4609fd4ac8ee3afb04221e873/semmlecode.cpp.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

3
cpp/downgrades/6f5d51e89e762fe4609fd4ac8ee3afb04221e873/upgrade.properties Normal file
View File

@@ -0,0 +1,3 @@
description: Add requires expr
compatibility: partial
exprs.rel: run exprs.qlo

17
cpp/downgrades/e51fad7a2436caefab0c6bd52f05e28e7cce4d92/exprs.ql Normal file
View File

@@ -0,0 +1,17 @@
class Expr extends @expr {
string toString() { none() }
}
class Location extends @location_expr {
string toString() { none() }
}
predicate isExprRequirement(Expr expr) {
exists(int kind | exprs(expr, kind, _) | kind = [391, 392, 393])
}
from Expr expr, int kind, int kind_new, Location location
where
exprs(expr, kind, location) and
if isExprRequirement(expr) then kind_new = 1 else kind_new = kind
select expr, kind_new, location

2323
cpp/downgrades/e51fad7a2436caefab0c6bd52f05e28e7cce4d92/old.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

17
cpp/downgrades/e51fad7a2436caefab0c6bd52f05e28e7cce4d92/params.ql Normal file
View File

@@ -0,0 +1,17 @@
class Parameter extends @parameter {
string toString() { none() }
}
class ParameterizedElement extends @parameterized_element {
string toString() { none() }
}
class Type extends @type {
string toString() { none() }
}
from Parameter param, ParameterizedElement pe, int index, Type type
where
params(param, pe, index, type) and
not pe instanceof @requires_expr
select param, pe, index, type

2316
cpp/downgrades/e51fad7a2436caefab0c6bd52f05e28e7cce4d92/semmlecode.cpp.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

5
cpp/downgrades/e51fad7a2436caefab0c6bd52f05e28e7cce4d92/upgrade.properties Normal file
View File

@@ -0,0 +1,5 @@
description: Support C++20 requires expressions
compatibility: partial
compound_requirement_is_noexcept.rel: delete
exprs.rel: run exprs.qlo
params.rel: run params.qlo

7
cpp/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,10 @@
## 2.0.2
### Minor Analysis Improvements
* Added taint flow model for `fopen` and related functions.
* The `SimpleRangeAnalysis` library (`semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis`) now generates more precise ranges for calls to `fgetc` and `getc`.
## 2.0.1
No user-facing changes.

4
cpp/ql/lib/change-notes/2014-10-11-requires-expressions.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: feature
---
* Added classes `RequiresExpr`, `SimpleRequirementExpr`, `TypeRequirementExpr`, `CompoundRequirementExpr`, and `NestedRequirementExpr` to represent C++20 requires expressions and the simple, type, compound, and nested requirements that can occur in `requires` expressions.

5
cpp/ql/lib/change-notes/2014-10-16-implicitly-declared-fns.md Normal file
View File

@@ -0,0 +1,5 @@
---
category: feature
---
* Added the predicate `mayBeFromImplicitlyDeclaredFunction()` to the `Call` class to represent calls that may be the return value of an implicitly declared C function.
* Added the predicate `getAnExplicitDeclarationEntry()` to the `Function` class to get a `FunctionDeclarationEntry` that is not implicit.

4
cpp/ql/lib/change-notes/2024-10-16-function-pointer-resolution.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The function call target resolution algorithm has been improved to resolve more calls through function pointers. As a result, dataflow queries may have more results.

4
cpp/ql/lib/change-notes/2024-10-16-new-api-for-call-target-resolution.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: feature
---
* Added a new predicate `DataFlow::getARuntimeTarget` for getting a function that may be invoked by a `Call` expression. Unlike `Call.getTarget` this new predicate may also resolve function pointers.

6
cpp/ql/lib/change-notes/released/2.0.2.md Normal file
View File

@@ -0,0 +1,6 @@
## 2.0.2
### Minor Analysis Improvements
* Added taint flow model for `fopen` and related functions.
* The `SimpleRangeAnalysis` library (`semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis`) now generates more precise ranges for calls to `fgetc` and `getc`.

2
cpp/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 2.0.1
lastReleaseVersion: 2.0.2

1
cpp/ql/lib/cpp.qll
View File

@@ -17,6 +17,7 @@ import semmle.code.cpp.File
import semmle.code.cpp.Linkage
import semmle.code.cpp.Location
import semmle.code.cpp.Compilation
import semmle.code.cpp.Concept
import semmle.code.cpp.Element
import semmle.code.cpp.Namespace
import semmle.code.cpp.Specifier

2
cpp/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/cpp-all
version: 2.0.2-dev
version: 2.0.3-dev
groups: cpp
dbscheme: semmlecode.cpp.dbscheme
extractor: cpp

161
cpp/ql/lib/semmle/code/cpp/Concept.qll Normal file
View File

@@ -0,0 +1,161 @@
/**
* Provides classes for working with C++ concepts.
*/
import semmle.code.cpp.exprs.Expr
/**
* A C++ requires expression.
*
* For example, with `T` and `U` template parameters:
* ```cpp
* requires (T x, U y) { x + y; };
* ```
*/
class RequiresExpr extends Expr, @requires_expr {
override string toString() {
if exists(this.getAParameter())
then result = "requires(...) { ... }"
else result = "requires { ... }"
}
override string getAPrimaryQlClass() { result = "RequiresExpr" }
/**
* Gets a requirement in this requires expression.
*/
RequirementExpr getARequirement() { result = this.getAChild() }
/**
* Gets the nth requirement in this requires expression.
*/
RequirementExpr getRequirement(int n) { result = this.getChild(n) }
/**
* Gets the number of requirements in this requires expression.
*/
int getNumberOfRequirements() { result = count(this.getARequirement()) }
/**
* Gets a parameter of this requires expression, if any.
*/
Parameter getAParameter() { result.getRequiresExpr() = underlyingElement(this) }
/**
* Gets the the nth parameter of this requires expression.
*/
Parameter getParameter(int n) {
result.getRequiresExpr() = underlyingElement(this) and result.getIndex() = n
}
/**
* Gets the number of parameters of this requires expression.
*/
int getNumberOfParameters() { result = count(this.getAParameter()) }
}
/**
* A C++ requirement in a requires expression.
*/
class RequirementExpr extends Expr { }
/**
* A C++ simple requirement in a requires expression.
*
* For example, if:
* ```cpp
* requires(T x, U y) { x + y; };
* ```
* with `T` and `U` template parameters, then `x + y;` is a simple requirement.
*/
class SimpleRequirementExpr extends RequirementExpr {
SimpleRequirementExpr() {
this.getParent() instanceof RequiresExpr and
not this instanceof TypeRequirementExpr and
not this instanceof CompoundRequirementExpr and
not this instanceof NestedRequirementExpr
}
override string getAPrimaryQlClass() { result = "SimpleRequirementExpr" }
}
/**
* A C++ type requirement in a requires expression.
*
* For example, if:
* ```cpp
* requires { typename T::a_field; };
* ```
* with `T` a template parameter, then `typename T::a_field;` is a type requirement.
*/
class TypeRequirementExpr extends RequirementExpr, TypeName {
TypeRequirementExpr() { this.getParent() instanceof RequiresExpr }
override string getAPrimaryQlClass() { result = "TypeRequirementExpr" }
}
/**
* A C++ compound requirement in a requires expression.
*
* For example, if:
* ```cpp
* requires(T x) { { x } noexcept -> std::same_as<int>; };
* ```
* with `T` a template parameter, then `{ x } noexcept -> std::same_as<int>;` is
* a compound requirement.
*/
class CompoundRequirementExpr extends RequirementExpr, @compound_requirement {
override string toString() {
if exists(this.getReturnTypeRequirement())
then result = "{ ... } -> ..."
else result = "{ ... }"
}
override string getAPrimaryQlClass() { result = "CompoundRequirementExpr" }
/**
* Gets the expression from the compound requirement.
*/
Expr getExpr() { result = this.getChild(0) }
/**
* Gets the return type requirement from the compound requirement, if any.
*/
Expr getReturnTypeRequirement() { result = this.getChild(1) }
/**
* Holds if the expression from the compound requirement must not be
* potentially throwing.
*/
predicate isNoExcept() { compound_requirement_is_noexcept(underlyingElement(this)) }
}
/**
* A C++ nested requirement in a requires expression.
*
* For example, if:
* ```cpp
* requires { requires std::is_same<T, int>::value; };
* ```
* with `T` a template parameter, then `requires std::is_same<T, int>::value;` is
* a nested requirement.
*/
class NestedRequirementExpr extends Expr, @nested_requirement {
override string toString() { result = "requires ..." }
override string getAPrimaryQlClass() { result = "NestedRequirementExpr" }
/**
* Gets the constraint from the nested requirement.
*/
Expr getConstraint() { result = this.getChild(0) }
}
/**
* A C++ concept id expression.
*/
class ConceptIdExpr extends RequirementExpr, @concept_id {
override string toString() { result = "concept<...>" }
override string getAPrimaryQlClass() { result = "ConceptIdExpr" }
}

21
cpp/ql/lib/semmle/code/cpp/Element.qll
View File

@@ -129,7 +129,7 @@ class Element extends ElementBase {
* or certain kinds of `Statement`.
*/
Element getParentScope() {
// result instanceof class
// result instanceof Class
exists(Declaration m |
m = this and
result = m.getDeclaringType() and
@@ -138,31 +138,40 @@ class Element extends ElementBase {
or
exists(TemplateClass tc | this = tc.getATemplateArgument() and result = tc)
or
// result instanceof namespace
// result instanceof Namespace
exists(Namespace n | result = n and n.getADeclaration() = this)
or
exists(FriendDecl d, Namespace n | this = d and n.getADeclaration() = d and result = n)
or
exists(Namespace n | this = n and result = n.getParentNamespace())
or
// result instanceof stmt
// result instanceof Stmt
exists(LocalVariable v |
this = v and
exists(DeclStmt ds | ds.getADeclaration() = v and result = ds.getParent())
)
or
exists(Parameter p | this = p and result = p.getFunction())
exists(Parameter p |
this = p and
(
result = p.getFunction() or
result = p.getCatchBlock().getParent().(Handler).getParent().(TryStmt).getParent() or
result = p.getRequiresExpr().getEnclosingStmt().getParent()
)
)
or
exists(GlobalVariable g, Namespace n | this = g and n.getADeclaration() = g and result = n)
or
exists(TemplateVariable tv | this = tv.getATemplateArgument() and result = tv)
or
exists(EnumConstant e | this = e and result = e.getDeclaringEnum())
or
// result instanceof block|function
// result instanceof Block|Function
exists(BlockStmt b | this = b and blockscope(unresolveElement(b), unresolveElement(result)))
or
exists(TemplateFunction tf | this = tf.getATemplateArgument() and result = tf)
or
// result instanceof stmt
// result instanceof Stmt
exists(ControlStructure s | this = s and result = s.getParent())
or
using_container(unresolveElement(result), underlyingElement(this))

8
cpp/ql/lib/semmle/code/cpp/Function.qll
View File

@@ -230,6 +230,14 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
)
}
/**
* Gets a non-implicit function declaration entry.
*/
FunctionDeclarationEntry getAnExplicitDeclarationEntry() {
result = this.getADeclarationEntry() and
not result.isImplicit()
}
private predicate declEntry(FunctionDeclarationEntry fde) {
fun_decls(unresolveElement(fde), underlyingElement(this), _, _, _) and
// If one .cpp file specializes a function, and another calls the

17
cpp/ql/lib/semmle/code/cpp/Parameter.qll
View File

@@ -7,8 +7,8 @@ import semmle.code.cpp.Declaration
private import semmle.code.cpp.internal.ResolveClass
/**
* A C/C++ function parameter or catch block parameter. For example the
* function parameter `p` and the catch block parameter `e` in the following
* A C/C++ function parameter, catch block parameter, or requires expression parameter.
* For example the function parameter `p` and the catch block parameter `e` in the following
* code:
* ```
* void myFunction(int p) {
@@ -20,8 +20,8 @@ private import semmle.code.cpp.internal.ResolveClass
* }
* ```
*
* For catch block parameters, there is a one-to-one correspondence between
* the `Parameter` and its `ParameterDeclarationEntry`.
* For catch block parameters and expression , there is a one-to-one
* correspondence between the `Parameter` and its `VariableDeclarationEntry`.
*
* For function parameters, there is a one-to-many relationship between
* `Parameter` and `ParameterDeclarationEntry`, because one function can
@@ -73,7 +73,8 @@ class Parameter extends LocalScopeVariable, @parameter {
}
private VariableDeclarationEntry getANamedDeclarationEntry() {
result = this.getAnEffectiveDeclarationEntry() and result.getName() != ""
result = this.getAnEffectiveDeclarationEntry() and
exists(string name | var_decls(unresolveElement(result), _, _, name, _) | name != "")
}
/**
@@ -118,6 +119,12 @@ class Parameter extends LocalScopeVariable, @parameter {
*/
BlockStmt getCatchBlock() { params(underlyingElement(this), unresolveElement(result), _, _) }
/**
* Gets the requires expression to which the parameter belongs, if it is a
* requires expression parameter.
*/
RequiresExpr getRequiresExpr() { params(underlyingElement(this), unresolveElement(result), _, _) }
/**
* Gets the zero-based index of this parameter.
*

103
cpp/ql/lib/semmle/code/cpp/PrintAST.qll
View File

@@ -80,6 +80,10 @@ private Declaration getAnEnclosingDeclaration(Locatable ast) {
or
result = ast.(Parameter).getFunction()
or
result = ast.(Parameter).getCatchBlock().getEnclosingFunction()
or
result = ast.(Parameter).getRequiresExpr().getEnclosingFunction()
or
result = ast.(Expr).getEnclosingDeclaration()
or
result = ast.(Initializer).getDeclaration()
@@ -99,7 +103,10 @@ private newtype TPrintAstNode =
stmt.getADeclarationEntry() = entry and
shouldPrintDeclaration(stmt.getEnclosingFunction())
} or
TParametersNode(Function func) { shouldPrintDeclaration(func) } or
TFunctionParametersNode(Function func) { shouldPrintDeclaration(func) } or
TRequiresExprParametersNode(RequiresExpr req) {
shouldPrintDeclaration(getAnEnclosingDeclaration(req))
} or
TConstructorInitializersNode(Constructor ctor) {
ctor.hasEntryPoint() and
shouldPrintDeclaration(ctor)
@@ -303,14 +310,14 @@ class ExprNode extends AstNode {
ExprNode() { expr = ast }
override AstNode getChildInternal(int childIndex) {
result.getAst() = expr.getChild(childIndex)
override PrintAstNode getChildInternal(int childIndex) {
result.(AstNode).getAst() = expr.getChild(childIndex)
or
childIndex = max(int index | exists(expr.getChild(index)) or index = 0) + 1 and
result.getAst() = expr.(ConditionDeclExpr).getInitializingExpr()
result.(AstNode).getAst() = expr.(ConditionDeclExpr).getInitializingExpr()
or
exists(int destructorIndex |
result.getAst() = expr.getImplicitDestructorCall(destructorIndex) and
result.(AstNode).getAst() = expr.getImplicitDestructorCall(destructorIndex) and
childIndex = destructorIndex + max(int index | exists(expr.getChild(index)) or index = 0) + 2
)
}
@@ -329,7 +336,8 @@ class ExprNode extends AstNode {
}
override string getChildAccessorPredicateInternal(int childIndex) {
result = getChildAccessorWithoutConversions(ast, this.getChildInternal(childIndex).getAst())
result =
getChildAccessorWithoutConversions(ast, this.getChildInternal(childIndex).(AstNode).getAst())
}
/**
@@ -409,6 +417,26 @@ class StmtExprNode extends ExprNode {
}
}
/**
* A node representing a `RequiresExpr`
*/
class RequiresExprNode extends ExprNode {
override RequiresExpr expr;
override PrintAstNode getChildInternal(int childIndex) {
result = super.getChildInternal(childIndex)
or
childIndex = -1 and
result.(RequiresExprParametersNode).getRequiresExpr() = expr
}
override string getChildAccessorPredicateInternal(int childIndex) {
result = super.getChildAccessorPredicateInternal(childIndex)
or
childIndex = -1 and result = "<params>"
}
}
/**
* A node representing a `DeclarationEntry`.
*/
@@ -510,6 +538,22 @@ class DeclStmtNode extends StmtNode {
}
}
/**
* A node representing a `Handler`.
*/
class HandlerNode extends ChildStmtNode {
Handler handler;
HandlerNode() { handler = stmt }
override BaseAstNode getChildInternal(int childIndex) {
result = super.getChildInternal(childIndex)
or
childIndex = -1 and
result.getAst() = handler.getParameter()
}
}
/**
* A node representing a `Parameter`.
*/
@@ -552,10 +596,10 @@ class InitializerNode extends AstNode {
/**
* A node representing the parameters of a `Function`.
*/
class ParametersNode extends PrintAstNode, TParametersNode {
class FunctionParametersNode extends PrintAstNode, TFunctionParametersNode {
Function func;
ParametersNode() { this = TParametersNode(func) }
FunctionParametersNode() { this = TFunctionParametersNode(func) }
final override string toString() { result = "" }
@@ -576,6 +620,33 @@ class ParametersNode extends PrintAstNode, TParametersNode {
final Function getFunction() { result = func }
}
/**
* A node representing the parameters of a `RequiresExpr`.
*/
class RequiresExprParametersNode extends PrintAstNode, TRequiresExprParametersNode {
RequiresExpr req;
RequiresExprParametersNode() { this = TRequiresExprParametersNode(req) }
final override string toString() { result = "" }
final override Location getLocation() { result = getRepresentativeLocation(req) }
override AstNode getChildInternal(int childIndex) {
result.getAst() = req.getParameter(childIndex)
}
override string getChildAccessorPredicateInternal(int childIndex) {
exists(this.getChildInternal(childIndex)) and
result = "getParameter(" + childIndex.toString() + ")"
}
/**
* Gets the `RequiresExpr` for which this node represents the parameters.
*/
final RequiresExpr getRequiresExpr() { result = req }
}
/**
* A node representing the initializer list of a `Constructor`.
*/
@@ -679,7 +750,7 @@ class FunctionNode extends FunctionOrGlobalOrNamespaceVariableNode {
override PrintAstNode getChildInternal(int childIndex) {
childIndex = 0 and
result.(ParametersNode).getFunction() = func
result.(FunctionParametersNode).getFunction() = func
or
childIndex = 1 and
result.(ConstructorInitializersNode).getConstructor() = func
@@ -754,6 +825,8 @@ private predicate namedStmtChildPredicates(Locatable s, Element e, string pred)
or
s.(ConstexprIfStmt).getElse() = e and pred = "getElse()"
or
s.(Handler).getParameter() = e and pred = "getParameter()"
or
s.(IfStmt).getInitialization() = e and pred = "getInitialization()"
or
s.(IfStmt).getCondition() = e and pred = "getCondition()"
@@ -901,6 +974,11 @@ private predicate namedExprChildPredicates(Expr expr, Element ele, string pred)
or
expr.(CommaExpr).getRightOperand() = ele and pred = "getRightOperand()"
or
expr.(CompoundRequirementExpr).getExpr() = ele and pred = "getExpr()"
or
expr.(CompoundRequirementExpr).getReturnTypeRequirement() = ele and
pred = "getReturnTypeRequirement()"
or
expr.(ConditionDeclExpr).getVariableAccess() = ele and pred = "getVariableAccess()"
or
expr.(ConstructorFieldInit).getExpr() = ele and pred = "getExpr()"
@@ -921,6 +999,8 @@ private predicate namedExprChildPredicates(Expr expr, Element ele, string pred)
or
expr.(LambdaExpression).getInitializer() = ele and pred = "getInitializer()"
or
expr.(NestedRequirementExpr).getConstraint() = ele and pred = "getConstraint()"
or
expr.(NewOrNewArrayExpr).getAllocatorCall() = ele and pred = "getAllocatorCall()"
or
expr.(NewOrNewArrayExpr).getAlignmentArgument() = ele and pred = "getAlignmentArgument()"
@@ -960,6 +1040,11 @@ private predicate namedExprChildPredicates(Expr expr, Element ele, string pred)
or
expr.(UnaryOperation).getOperand() = ele and pred = "getOperand()"
or
exists(int n |
expr.(RequiresExpr).getRequirement(n) = ele and
pred = "getRequirement(" + n + ")"
)
or
expr.(SizeofExprOperator).getExprOperand() = ele and pred = "getExprOperand()"
or
expr.(StmtExpr).getStmt() = ele and pred = "getStmt()"

20
cpp/ql/lib/semmle/code/cpp/Variable.qll
View File

@@ -241,6 +241,10 @@ class VariableDeclarationEntry extends DeclarationEntry, @var_decl {
name != "" and result = name
or
name = "" and result = this.getVariable().(LocalVariable).getName()
or
name = "" and
not this instanceof ParameterDeclarationEntry and
result = this.getVariable().(Parameter).getName()
)
)
}
@@ -295,19 +299,11 @@ class ParameterDeclarationEntry extends VariableDeclarationEntry {
private string getAnonymousParameterDescription() {
not exists(this.getName()) and
exists(string idx |
idx =
((this.getIndex() + 1).toString() + "th")
.replaceAll("1th", "1st")
.replaceAll("2th", "2nd")
.replaceAll("3th", "3rd")
.replaceAll("11st", "11th")
.replaceAll("12nd", "12th")
.replaceAll("13rd", "13th") and
exists(string anon |
anon = "(unnamed parameter " + this.getIndex().toString() + ")" and
if exists(this.getCanonicalName())
then
result = "declaration of " + this.getCanonicalName() + " as anonymous " + idx + " parameter"
else result = "declaration of " + idx + " parameter"
then result = "declaration of " + this.getCanonicalName() + " as " + anon
else result = "declaration of " + anon
)
}

5
cpp/ql/lib/semmle/code/cpp/exprs/Call.qll
View File

@@ -149,6 +149,11 @@ class Call extends Expr, NameQualifiableElement, TCall {
variableAddressEscapesTreeNonConst(va, this.getQualifier().getFullyConverted()) and
i = -1
}
/** Holds if this expression could be the return value of an implicitly declared function. */
predicate mayBeFromImplicitlyDeclaredFunction() {
this.getTarget().getADeclarationEntry().isImplicit()
}
}
/**

7
cpp/ql/lib/semmle/code/cpp/internal/QualifiedName.qll
View File

@@ -181,12 +181,7 @@ class VariableDeclarationEntry extends @var_decl {
string getName() { var_decls(this, _, _, result, _) and result != "" }
}
class Parameter extends LocalScopeVariable, @parameter {
@functionorblock function;
int index;
Parameter() { params(this, function, index, _) }
}
class Parameter extends LocalScopeVariable, @parameter { }
class GlobalOrNamespaceVariable extends Variable, @globalvariable { }

5
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
View File

@@ -1328,7 +1328,10 @@ predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c)
/** Holds if `call` is a lambda call of kind `kind` where `receiver` is the lambda expression. */
predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
call.(SummaryCall).getReceiver() = receiver.(FlowSummaryNode).getSummaryNode() and
(
call.(SummaryCall).getReceiver() = receiver.(FlowSummaryNode).getSummaryNode() or
call.asCallInstruction().getCallTargetOperand() = receiver.asOperand()
) and
exists(kind)
}

14
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
View File

@@ -17,6 +17,7 @@ private import SsaInternals as Ssa
private import DataFlowImplCommon as DataFlowImplCommon
private import codeql.util.Unit
private import Node0ToString
private import DataFlowDispatch as DataFlowDispatch
import ExprNodes
/**
@@ -2497,3 +2498,16 @@ class AdditionalCallTarget extends Unit {
*/
abstract Declaration viableTarget(Call call);
}
/**
* Gets a function that may be called by `call`.
*
* Note that `call` may be a call to a function pointer expression.
*/
Function getARuntimeTarget(Call call) {
exists(DataFlowCall dfCall | dfCall.asCallInstruction().getUnconvertedResultExpression() = call |
result = DataFlowDispatch::viableCallable(dfCall).asSourceCallable()
or
result = DataFlowImplCommon::viableCallableLambda(dfCall, _).asSourceCallable()
)
}

9
cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll
View File

@@ -683,8 +683,13 @@ private Overlap getExtentOverlap(MemoryLocation0 def, MemoryLocation0 use) {
def.getVirtualVariable() = use.getVirtualVariable() and
def instanceof EntireAllocationMemoryLocation and
(
// EntireAllocationMemoryLocation exactly overlaps itself.
use instanceof EntireAllocationMemoryLocation and
// EntireAllocationMemoryLocation exactly overlaps any EntireAllocationMemoryLocation for the
// same allocation. Checking the allocation, rather than the memory location itself, ensures
// that we get the right relationship between the "must" and "may" memory locations for that
// allocation.
// Note that if one of the locations is a "may" access, the overlap will be downgraded to
// `MustTotallyOverlap` or `MayPartialOverlap` in `getOverlap()`.
use.(EntireAllocationMemoryLocation).getAnAllocation() = def.getAnAllocation() and
result instanceof MustExactlyOverlap
or
not use instanceof EntireAllocationMemoryLocation and

20
cpp/ql/lib/semmle/code/cpp/models/implementations/Fopen.qll
View File

@@ -7,7 +7,7 @@ import semmle.code.cpp.models.interfaces.Alias
import semmle.code.cpp.models.interfaces.SideEffect
/** The function `fopen` and friends. */
private class Fopen extends Function, AliasFunction, SideEffectFunction {
private class Fopen extends Function, AliasFunction, SideEffectFunction, TaintFunction {
Fopen() {
this.hasGlobalOrStdName(["fopen", "fopen_s", "freopen"])
or
@@ -47,4 +47,22 @@ private class Fopen extends Function, AliasFunction, SideEffectFunction {
i = 0 and
buffer = true
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
(
this.hasGlobalOrStdName(["fopen", "freopen"]) or
this.hasGlobalName(["_wfopen", "_fsopen", "_wfsopen"])
) and
input.isParameterDeref(0) and
output.isReturnValueDeref()
or
// The out parameter is a pointer to a `FILE*`.
this.hasGlobalOrStdName("fopen_s") and
input.isParameterDeref(1) and
output.isParameterDeref(0, 2)
or
this.hasGlobalName(["_open", "_wopen"]) and
input.isParameterDeref(0) and
output.isReturnValue()
}
}

2
cpp/ql/lib/semmle/code/cpp/models/implementations/Printf.qll
View File

@@ -91,7 +91,7 @@ private class Sprintf extends FormattingFunction, NonThrowingFunction {
override int getFirstFormatArgumentIndex() {
if this.hasName("__builtin___sprintf_chk")
then result = 4
else result = this.getNumberOfParameters()
else result = super.getFirstFormatArgumentIndex()
}
}

43
cpp/ql/lib/semmle/code/cpp/models/interfaces/FormattingFunction.qll
View File

@@ -42,6 +42,21 @@ private Type getAFormatterWideTypeOrDefault() {
* A standard library function that uses a `printf`-like formatting string.
*/
abstract class FormattingFunction extends ArrayFunction, TaintFunction {
int firstFormatArgumentIndex;
FormattingFunction() {
firstFormatArgumentIndex > 0 and
if this.hasDefinition()
then firstFormatArgumentIndex = this.getDefinition().getNumberOfParameters()
else
if this instanceof BuiltInFunction
then firstFormatArgumentIndex = this.getNumberOfParameters()
else
forex(FunctionDeclarationEntry fde | fde = this.getAnExplicitDeclarationEntry() |
firstFormatArgumentIndex = fde.getNumberOfParameters()
)
}
/** Gets the position at which the format parameter occurs. */
abstract int getFormatParameterIndex();
@@ -121,33 +136,7 @@ abstract class FormattingFunction extends ArrayFunction, TaintFunction {
* the first format specifier in the format string. We ignore all
* implicit function definitions.
*/
int getFirstFormatArgumentIndex() {
// The formatting function either has a definition in the snapshot, or all
// `DeclarationEntry`s agree on the number of parameters (otherwise we don't
// really know the correct number)
if this.hasDefinition()
then result = this.getDefinition().getNumberOfParameters()
else result = this.getNumberOfExplicitParameters()
}
/**
* Gets a non-implicit function declaration entry.
*/
private FunctionDeclarationEntry getAnExplicitDeclarationEntry() {
result = this.getADeclarationEntry() and
not result.isImplicit()
}
/**
* Gets the number of parameters, excluding any parameters that have been defined
* from implicit function declarations. If there is some inconsistency in the number
* of parameters, then don't return anything.
*/
private int getNumberOfExplicitParameters() {
forex(FunctionDeclarationEntry fde | fde = this.getAnExplicitDeclarationEntry() |
result = fde.getNumberOfParameters()
)
}
int getFirstFormatArgumentIndex() { result = firstFormatArgumentIndex }
/**
* Gets the position of the buffer size argument, if any.

49
cpp/ql/lib/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll
View File

@@ -192,6 +192,37 @@ private class UnsignedMulExpr extends MulExpr {
}
}
/**
* Gets the value of the `EOF` macro.
*
* This is typically `"-1"`, but this is not guaranteed to be the case on all
* systems.
*/
private int getEofValue() {
exists(MacroInvocation mi |
mi.getMacroName() = "EOF" and
result = unique( | | mi.getExpr().getValue().toInt())
)
}
/** Get standard `getc` function or related variants. */
private class Getc extends Function {
Getc() { this.hasGlobalOrStdOrBslName(["fgetc", "getc"]) }
}
/** A call to `getc` */
private class CallToGetc extends FunctionCall {
CallToGetc() { this.getTarget() instanceof Getc }
}
/**
* A call to `getc` that we can analyze because we know
* the value of the `EOF` macro.
*/
private class AnalyzableCallToGetc extends CallToGetc {
AnalyzableCallToGetc() { exists(getEofValue()) }
}
/**
* Holds if `expr` is effectively a multiplication of `operand` with the
* positive constant `positive`.
@@ -287,6 +318,8 @@ private predicate analyzableExpr(Expr e) {
or
e instanceof RemExpr
or
e instanceof AnalyzableCallToGetc
or
// A conversion is analyzable, provided that its child has an arithmetic
// type. (Sometimes the child is a reference type, and so does not get
// any bounds.) Rather than checking whether the type of the child is
@@ -861,6 +894,14 @@ private float getLowerBoundsImpl(Expr expr) {
)
)
or
exists(AnalyzableCallToGetc getc |
expr = getc and
// from https://en.cppreference.com/w/c/io/fgetc:
// On success, returns the obtained character as an unsigned char
// converted to an int. On failure, returns EOF.
result = min([typeLowerBound(any(UnsignedCharType pct)), getEofValue()])
)
or
// If the conversion is to an arithmetic type then we just return the
// lower bound of the child. We do not need to handle truncation and
// overflow here, because that is done in `getTruncatedLowerBounds`.
@@ -1055,6 +1096,14 @@ private float getUpperBoundsImpl(Expr expr) {
)
)
or
exists(AnalyzableCallToGetc getc |
expr = getc and
// from https://en.cppreference.com/w/c/io/fgetc:
// On success, returns the obtained character as an unsigned char
// converted to an int. On failure, returns EOF.
result = max([typeUpperBound(any(UnsignedCharType pct)), getEofValue()])
)
or
// If the conversion is to an arithmetic type then we just return the
// upper bound of the child. We do not need to handle truncation and
// overflow here, because that is done in `getTruncatedUpperBounds`.

14
cpp/ql/lib/semmlecode.cpp.dbscheme
View File

@@ -534,7 +534,7 @@ static_asserts(
#keyset[function, index, type_id]
params(
int id: @parameter,
int function: @functionorblock ref,
int function: @parameterized_element ref,
int index: int ref,
int type_id: @type ref
);
@@ -1790,6 +1790,10 @@ case @expr.kind of
| 387 = @istriviallyrelocatable
| 388 = @datasizeof
| 389 = @c11_generic
| 390 = @requires_expr
| 391 = @nested_requirement
| 392 = @compound_requirement
| 393 = @concept_id
;
@var_args_expr = @vastartexpr
@@ -1908,6 +1912,10 @@ case @expr.kind of
| @istriviallyrelocatable
;
compound_requirement_is_noexcept(
int expr: @compound_requirement ref
);
new_allocated_type(
unique int expr: @new_expr ref,
int type_id: @type ref
@@ -2167,11 +2175,11 @@ stmt_decl_entry_bind(
int decl_entry: @element ref
);
@functionorblock = @function | @stmt_block;
@parameterized_element = @function | @stmt_block | @requires_expr;
blockscope(
unique int block: @stmt_block ref,
int enclosing: @functionorblock ref
int enclosing: @parameterized_element ref
);
@jump = @stmt_goto | @stmt_break | @stmt_continue;

2751
cpp/ql/lib/semmlecode.cpp.dbscheme.stats
View File

File diff suppressed because it is too large Load Diff

2316
cpp/ql/lib/upgrades/6f5d51e89e762fe4609fd4ac8ee3afb04221e873/old.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

2323
cpp/ql/lib/upgrades/6f5d51e89e762fe4609fd4ac8ee3afb04221e873/semmlecode.cpp.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

2
cpp/ql/lib/upgrades/6f5d51e89e762fe4609fd4ac8ee3afb04221e873/upgrade.properties Normal file
View File

@@ -0,0 +1,2 @@
description: Support C++20 requires expressions
compatibility: backwards

2315
cpp/ql/lib/upgrades/7ff6a6e53dbcff09d1b9b758b594bc6d17366863/old.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

2316
cpp/ql/lib/upgrades/7ff6a6e53dbcff09d1b9b758b594bc6d17366863/semmlecode.cpp.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

2
cpp/ql/lib/upgrades/7ff6a6e53dbcff09d1b9b758b594bc6d17366863/upgrade.properties Normal file
View File

@@ -0,0 +1,2 @@
description: Add requires expressions
compatibility: full

9
cpp/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,12 @@
## 1.2.5
### Minor Analysis Improvements
* The `cpp/unclear-array-index-validation` ("Unclear validation of array index") query has been improved to reduce false positives and increase true positives.
* Fixed false positives in the `cpp/uninitialized-local` ("Potentially uninitialized local variable") query if there are extraction errors in the function.
* The `cpp/incorrect-string-type-conversion` query now produces fewer false positives caused by failure to detect byte arrays.
* The `cpp/incorrect-string-type-conversion` query now produces fewer false positives caused by failure to recognize dynamic checks prior to possible dangerous widening.
## 1.2.4
### Minor Analysis Improvements

3
cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
View File

@@ -170,7 +170,8 @@ where
) and
not arg.isAffectedByMacro() and
not arg.isFromUninstantiatedTemplate(_) and
not actual.getUnspecifiedType() instanceof ErroneousType
not actual.getUnspecifiedType() instanceof ErroneousType and
not arg.(Call).mayBeFromImplicitlyDeclaredFunction()
select arg,
"This format specifier for type '" + expected.getName() + "' does not match the argument type '" +
actual.getUnspecifiedType().getName() + "'."

110
cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
View File

@@ -14,102 +14,56 @@
import cpp
import semmle.code.cpp.controlflow.IRGuards
import semmle.code.cpp.security.FlowSources
import semmle.code.cpp.ir.dataflow.TaintTracking
import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
import semmle.code.cpp.security.FlowSources as FS
import semmle.code.cpp.dataflow.new.TaintTracking
import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
import ImproperArrayIndexValidation::PathGraph
import semmle.code.cpp.security.Security
predicate hasUpperBound(VariableAccess offsetExpr) {
exists(BasicBlock controlled, StackVariable offsetVar, SsaDefinition def |
controlled.contains(offsetExpr) and
linearBoundControls(controlled, def, offsetVar) and
offsetExpr = def.getAUse(offsetVar)
predicate isFlowSource(FS::FlowSource source, string sourceType) {
sourceType = source.getSourceType()
}
predicate guardChecks(IRGuardCondition g, Expr e, boolean branch) {
exists(Operand op | op.getDef().getConvertedResultExpression() = e |
// `op < k` is true and `k > 0`
g.comparesLt(op, any(int k | k > 0), true, any(BooleanValue bv | bv.getValue() = branch))
or
// `op < _ + k` is true and `k > 0`.
g.comparesLt(op, _, any(int k | k > 0), true, branch)
or
// op == k
g.comparesEq(op, _, true, any(BooleanValue bv | bv.getValue() = branch))
or
// op == _ + k
g.comparesEq(op, _, _, true, branch)
)
}
pragma[noinline]
predicate linearBoundControls(BasicBlock controlled, SsaDefinition def, StackVariable offsetVar) {
exists(GuardCondition guard, boolean branch |
guard.controls(controlled, branch) and
cmpWithLinearBound(guard, def.getAUse(offsetVar), Lesser(), branch)
/**
* Holds if `arrayExpr` accesses an `ArrayType` with a constant size `N`, and
* the value of `offsetExpr` is known to be smaller than `N`.
*/
predicate offsetIsAlwaysInBounds(ArrayExpr arrayExpr, VariableAccess offsetExpr) {
exists(ArrayType arrayType |
arrayType = arrayExpr.getArrayBase().getUnspecifiedType() and
arrayType.getArraySize() > upperBound(offsetExpr.getFullyConverted())
)
}
predicate readsVariable(LoadInstruction load, Variable var) {
load.getSourceAddress().(VariableAddressInstruction).getAstVariable() = var
}
predicate hasUpperBoundsCheck(Variable var) {
exists(RelationalOperation oper, VariableAccess access |
oper.getAnOperand() = access and
access.getTarget() = var and
// Comparing to 0 is not an upper bound check
not oper.getAnOperand().getValue() = "0"
)
}
predicate nodeIsBarrierEqualityCandidate(DataFlow::Node node, Operand access, Variable checkedVar) {
readsVariable(node.asInstruction(), checkedVar) and
any(IRGuardCondition guard).ensuresEq(access, _, _, node.asInstruction().getBlock(), true)
}
predicate isFlowSource(FlowSource source, string sourceType) { sourceType = source.getSourceType() }
predicate predictableInstruction(Instruction instr) {
instr instanceof ConstantInstruction
or
instr instanceof StringConstantInstruction
or
// This could be a conversion on a string literal
predictableInstruction(instr.(UnaryInstruction).getUnary())
}
module ImproperArrayIndexValidationConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { isFlowSource(source, _) }
predicate isBarrier(DataFlow::Node node) {
hasUpperBound(node.asExpr())
or
// These barriers are ported from `DefaultTaintTracking` because this query is quite noisy
// otherwise.
exists(Variable checkedVar |
readsVariable(node.asInstruction(), checkedVar) and
hasUpperBoundsCheck(checkedVar)
)
or
exists(Variable checkedVar, Operand access |
readsVariable(access.getDef(), checkedVar) and
nodeIsBarrierEqualityCandidate(node, access, checkedVar)
)
or
// Don't use dataflow into binary instructions if both operands are unpredictable
exists(BinaryInstruction iTo |
iTo = node.asInstruction() and
not predictableInstruction(iTo.getLeft()) and
not predictableInstruction(iTo.getRight()) and
// propagate taint from either the pointer or the offset, regardless of predictability
not iTo instanceof PointerArithmeticInstruction
)
or
// don't use dataflow through calls to pure functions if two or more operands
// are unpredictable
exists(Instruction iFrom1, Instruction iFrom2, CallInstruction iTo |
iTo = node.asInstruction() and
isPureFunction(iTo.getStaticCallTarget().getName()) and
iFrom1 = iTo.getAnArgument() and
iFrom2 = iTo.getAnArgument() and
not predictableInstruction(iFrom1) and
not predictableInstruction(iFrom2) and
iFrom1 != iFrom2
)
node = DataFlow::BarrierGuard<guardChecks/3>::getABarrierNode()
}
predicate isBarrierOut(DataFlow::Node node) { isSink(node) }
predicate isSink(DataFlow::Node sink) {
exists(ArrayExpr arrayExpr, VariableAccess offsetExpr |
offsetExpr = arrayExpr.getArrayOffset() and
sink.asExpr() = offsetExpr and
not hasUpperBound(offsetExpr)
not offsetIsAlwaysInBounds(arrayExpr, offsetExpr)
)
}
}

5
cpp/ql/src/change-notes/2024-09-26-wcharcharconversion-false-positives.md
View File

@@ -1,5 +0,0 @@
---
category: minorAnalysis
---
* The `cpp/incorrect-string-type-conversion` query now produces fewer false positives caused by failure to detect byte arrays.
* The `cpp/incorrect-string-type-conversion` query now produces fewer false positives caused by failure to recognize dynamic checks prior to possible dangerous widening.

4
cpp/ql/src/change-notes/2024-10-02-uninitialized-local.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Fixed false positives in the `cpp/uninitialized-local` ("Potentially uninitialized local variable") query if there are extraction errors in the function.

4
cpp/ql/src/change-notes/2024-10-15-wrong-type-format-argument.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Remove results from the `cpp/wrong-type-format-argument` ("Wrong type of arguments to formatting function") query if the argument is the return value of an implicitly declared function.

8
cpp/ql/src/change-notes/released/1.2.5.md Normal file
View File

@@ -0,0 +1,8 @@
## 1.2.5
### Minor Analysis Improvements
* The `cpp/unclear-array-index-validation` ("Unclear validation of array index") query has been improved to reduce false positives and increase true positives.
* Fixed false positives in the `cpp/uninitialized-local` ("Potentially uninitialized local variable") query if there are extraction errors in the function.
* The `cpp/incorrect-string-type-conversion` query now produces fewer false positives caused by failure to detect byte arrays.
* The `cpp/incorrect-string-type-conversion` query now produces fewer false positives caused by failure to recognize dynamic checks prior to possible dangerous widening.

2
cpp/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.2.4
lastReleaseVersion: 1.2.5

2
cpp/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/cpp-queries
version: 1.2.5-dev
version: 1.2.6-dev
groups:
- cpp
- queries

2
cpp/ql/test/examples/expressions/PrintAST.expected
View File

@@ -870,6 +870,8 @@ Throw.cpp:
# 8| Type = [BoolType] bool
# 8| ValueCategory = prvalue
# 12| getChild(1): [Handler] <handler>
# 12| getParameter(): [Parameter] e
# 12| Type = [PointerType] E *
# 12| getBlock(): [CatchBlock] { ... }
# 13| getStmt(0): [ExprStmt] ExprStmt
# 13| getExpr(): [ReThrowExpr] re-throw exception

28
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test.cpp
View File

@@ -6,7 +6,7 @@ int wprintf (const wchar_t* format, ...);
int strlen( const char * string );
int checkErrors();
void goodTest0()
static void goodTest0()
{
char * ptr = "123456789";
int ret;
@@ -17,7 +17,7 @@ void goodTest0()
ptr += ret;
}
}
void goodTest1(const char* ptr)
static void goodTest1(const char* ptr)
{
int ret;
int len;
@@ -27,7 +27,7 @@ void goodTest1(const char* ptr)
ptr += ret;
}
}
void goodTest2(char* ptr)
static void goodTest2(char* ptr)
{
int ret;
ptr[10]=0;
@@ -38,7 +38,7 @@ void goodTest2(char* ptr)
}
}
void goodTest3(const char* ptr)
static void goodTest3(const char* ptr)
{
int ret;
int len;
@@ -48,7 +48,7 @@ void goodTest3(const char* ptr)
ptr += ret;
}
}
void goodTest4(const char* ptr)
static void goodTest4(const char* ptr)
{
int ret;
int len;
@@ -58,7 +58,7 @@ void goodTest4(const char* ptr)
ptr += ret;
}
}
void badTest1(const char* ptr)
static void badTest1(const char* ptr)
{
int ret;
int len;
@@ -68,7 +68,7 @@ void badTest1(const char* ptr)
ptr += ret;
}
}
void badTest2(const char* ptr)
static void badTest2(const char* ptr)
{
int ret;
int len;
@@ -79,7 +79,7 @@ void badTest2(const char* ptr)
}
}
void goodTest5(const char* ptr,wchar_t *wc,int wc_len)
static void goodTest5(const char* ptr,wchar_t *wc,int wc_len)
{
int ret;
int len;
@@ -96,7 +96,7 @@ void goodTest5(const char* ptr,wchar_t *wc,int wc_len)
}
}
void badTest3(const char* ptr,int wc_len)
static void badTest3(const char* ptr,int wc_len)
{
int ret;
int len;
@@ -113,7 +113,7 @@ void badTest3(const char* ptr,int wc_len)
wc++;
}
}
void badTest4(const char* ptr,int wc_len)
static void badTest4(const char* ptr,int wc_len)
{
int ret;
int len;
@@ -130,7 +130,7 @@ void badTest4(const char* ptr,int wc_len)
wc++;
}
}
void badTest5(const char* ptr,int wc_len)
static void badTest5(const char* ptr,int wc_len)
{
int ret;
int len;
@@ -148,7 +148,7 @@ void badTest5(const char* ptr,int wc_len)
}
}
void badTest6(const char* ptr,int wc_len)
static void badTest6(const char* ptr,int wc_len)
{
int ret;
int len;
@@ -171,7 +171,7 @@ void badTest6(const char* ptr,int wc_len)
ptr+=ret;
}
}
void badTest7(const char* ptr,int wc_len)
static void badTest7(const char* ptr,int wc_len)
{
int ret;
int len;
@@ -188,7 +188,7 @@ void badTest7(const char* ptr,int wc_len)
ptr+=ret;
}
}
void badTest8(const char* ptr,wchar_t *wc)
static void badTest8(const char* ptr,wchar_t *wc)
{
int ret;
int len;

20
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test1.cpp
View File

@@ -24,7 +24,7 @@ typedef unsigned int size_t;
void* calloc (size_t num, size_t size);
void* malloc (size_t size);
void badTest1(void *src, int size) {
static void badTest1(void *src, int size) {
WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, (LPSTR)src, size, 0, 0); // BAD
MultiByteToWideChar(CP_ACP, 0, (LPCSTR)src, -1, (LPCWSTR)src, 30); // BAD
}
@@ -39,43 +39,43 @@ void goodTest2(){
}
printf("%s\n", dst);
}
void badTest2(){
static void badTest2(){
wchar_t src[] = L"0123456789ABCDEF";
char dst[16];
WideCharToMultiByte(CP_UTF8, 0, src, -1, dst, 16, NULL, NULL); // BAD
printf("%s\n", dst);
}
void goodTest3(){
static void goodTest3(){
char src[] = "0123456789ABCDEF";
int size = MultiByteToWideChar(CP_UTF8, 0, src,sizeof(src),NULL,0);
wchar_t * dst = (wchar_t*)calloc(size + 1, sizeof(wchar_t));
MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // GOOD
}
void badTest3(){
static void badTest3(){
char src[] = "0123456789ABCDEF";
int size = MultiByteToWideChar(CP_UTF8, 0, src,sizeof(src),NULL,0);
wchar_t * dst = (wchar_t*)calloc(size + 1, 1);
MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // BAD
}
void goodTest4(){
static void goodTest4(){
char src[] = "0123456789ABCDEF";
int size = MultiByteToWideChar(CP_UTF8, 0, src,sizeof(src),NULL,0);
wchar_t * dst = (wchar_t*)malloc((size + 1)*sizeof(wchar_t));
MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // GOOD
}
void badTest4(){
static void badTest4(){
char src[] = "0123456789ABCDEF";
int size = MultiByteToWideChar(CP_UTF8, 0, src,sizeof(src),NULL,0);
wchar_t * dst = (wchar_t*)malloc(size + 1);
MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // BAD
}
int goodTest5(void *src){
static int goodTest5(void *src){
return WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, 0, 0, 0, 0); // GOOD
}
int badTest5 (void *src) {
static int badTest5 (void *src) {
return WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, 0, 3, 0, 0); // BAD
}
void goodTest6(WCHAR *src)
static void goodTest6(WCHAR *src)
{
int size;
char dst[5] ="";
@@ -87,7 +87,7 @@ void goodTest6(WCHAR *src)
WideCharToMultiByte(CP_ACP, 0, src, -1, dst, sizeof(dst), 0, 0); // GOOD
printf("%s\n", dst);
}
void badTest6(WCHAR *src)
static void badTest6(WCHAR *src)
{
char dst[5] ="";
WideCharToMultiByte(CP_ACP, 0, src, -1, dst, 260, 0, 0); // BAD

22
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test2.cpp
View File

@@ -11,14 +11,14 @@ size_t _mbstowcs_l(wchar_t *wcstr,const char *mbstr,size_t count, _locale_t loca
size_t mbsrtowcs(wchar_t *wcstr,const char *mbstr,size_t count, mbstate_t *mbstate);
void badTest1(void *src, int size) {
static void badTest1(void *src, int size) {
mbstowcs((wchar_t*)src,(char*)src,size); // BAD
_locale_t locale;
_mbstowcs_l((wchar_t*)src,(char*)src,size,locale); // BAD
mbstate_t *mbstate;
mbsrtowcs((wchar_t*)src,(char*)src,size,mbstate); // BAD
}
void goodTest2(){
static void goodTest2(){
char src[] = "0123456789ABCDEF";
wchar_t dst[16];
int res = mbstowcs(dst, src,16); // GOOD
@@ -29,43 +29,43 @@ void goodTest2(){
}
printf("%s\n", dst);
}
void badTest2(){
static void badTest2(){
char src[] = "0123456789ABCDEF";
wchar_t dst[16];
mbstowcs(dst, src,16); // BAD
printf("%s\n", dst);
}
void goodTest3(){
static void goodTest3(){
char src[] = "0123456789ABCDEF";
int size = mbstowcs(NULL, src,NULL);
wchar_t * dst = (wchar_t*)calloc(size + 1, sizeof(wchar_t));
mbstowcs(dst, src,size+1); // GOOD
}
void badTest3(){
static void badTest3(){
char src[] = "0123456789ABCDEF";
int size = mbstowcs(NULL, src,NULL);
wchar_t * dst = (wchar_t*)calloc(size + 1, 1);
mbstowcs(dst, src,size+1); // BAD
}
void goodTest4(){
static void goodTest4(){
char src[] = "0123456789ABCDEF";
int size = mbstowcs(NULL, src,NULL);
wchar_t * dst = (wchar_t*)malloc((size + 1)*sizeof(wchar_t));
mbstowcs(dst, src,size+1); // GOOD
}
void badTest4(){
static void badTest4(){
char src[] = "0123456789ABCDEF";
int size = mbstowcs(NULL, src,NULL);
wchar_t * dst = (wchar_t*)malloc(size + 1);
mbstowcs(dst, src,size+1); // BAD
}
int goodTest5(void *src){
static int goodTest5(void *src){
return mbstowcs(NULL, (char*)src,NULL); // GOOD
}
int badTest5 (void *src) {
static int badTest5 (void *src) {
return mbstowcs(NULL, (char*)src,3); // BAD
}
void goodTest6(void *src){
static void goodTest6(void *src){
wchar_t dst[5];
int size = mbstowcs(NULL, (char*)src,NULL);
if(size>=sizeof(dst)){
@@ -75,7 +75,7 @@ void goodTest6(void *src){
mbstowcs(dst, (char*)src,sizeof(dst)); // GOOD
printf("%s\n", dst);
}
void badTest6(void *src){
static void badTest6(void *src){
wchar_t dst[5];
mbstowcs(dst, (char*)src,260); // BAD
printf("%s\n", dst);

10
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test3.cpp
View File

@@ -9,14 +9,14 @@ void goodTest1(unsigned char *src){
unsigned char dst[50];
_mbsnbcpy(dst,src,sizeof(dst)); // GOOD
}
size_t badTest1(unsigned char *src){
static size_t badTest1(unsigned char *src){
int cb = 0;
unsigned char dst[50];
while( cb < sizeof(dst) )
dst[cb++]=*src++; // BAD
return _mbclen(dst);
}
void goodTest2(unsigned char *src){
static void goodTest2(unsigned char *src){
int cb = 0;
unsigned char dst[50];
@@ -27,7 +27,7 @@ void goodTest2(unsigned char *src){
src=_mbsinc(src);
}
}
void badTest2(unsigned char *src){
static void badTest2(unsigned char *src){
int cb = 0;
unsigned char dst[50];
@@ -38,11 +38,11 @@ void badTest2(unsigned char *src){
src=_mbsinc(src);
}
}
void goodTest3(){
static void goodTest3(){
wchar_t name[50];
name[sizeof(name) / sizeof(*name) - 1] = L'\0'; // GOOD
}
void badTest3(){
static void badTest3(){
wchar_t name[50];
name[sizeof(name) - 1] = L'\0'; // BAD
}

7
cpp/ql/test/library-tests/basic_blocks/bb_cfg.ql
View File

@@ -1,4 +1,9 @@
// query-type: graph
/**
* query-type: graph
*
* @kind graph-equivalence-test
*/
import cpp
class DestructorCallEnhanced extends DestructorCall {

7
cpp/ql/test/library-tests/basic_blocks/cfg.ql
View File

@@ -1,4 +1,9 @@
// query-type: graph
/**
* query-type: graph
*
* @kind graph-equivalence-test
*/
import cpp
class DestructorCallEnhanced extends DestructorCall {

7
cpp/ql/test/library-tests/c++_exceptions/graphable.ql
View File

@@ -1,4 +1,9 @@
// query-type: graph
/**
* query-type: graph
*
* @kind graph-equivalence-test
*/
import cpp
class DestructorCallEnhanced extends DestructorCall {

7
cpp/ql/test/library-tests/constexpr_if/cfg.ql
View File

@@ -1,4 +1,9 @@
// query-type: graph
/**
* query-type: graph
*
* @kind graph-equivalence-test
*/
import cpp
class DestructorCallEnhanced extends DestructorCall {

3
cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected
View File

@@ -3,6 +3,9 @@ uniqueEnclosingCallable
| test.cpp:864:47:864:54 | call to source | Node should have one enclosing callable but has 0. |
| test.cpp:872:46:872:51 | call to source | Node should have one enclosing callable but has 0. |
| test.cpp:872:53:872:56 | 1 | Node should have one enclosing callable but has 0. |
| test.cpp:1126:33:1129:1 | {...} | Node should have one enclosing callable but has 0. |
| test.cpp:1127:3:1127:13 | reads_input | Node should have one enclosing callable but has 0. |
| test.cpp:1128:3:1128:21 | not_does_read_input | Node should have one enclosing callable but has 0. |
uniqueCallEnclosingCallable
| test.cpp:864:47:864:54 | call to source | Call should have one enclosing callable but has 0. |
| test.cpp:872:46:872:51 | call to source | Call should have one enclosing callable but has 0. |

4
cpp/ql/test/library-tests/dataflow/dataflow-tests/flowOut.cpp
View File

@@ -78,7 +78,7 @@ int* deref(int** p) { // $ ast-def=p ir-def=*p ir-def=**p
return q;
}
void test1() {
void flowout_test1() {
int x = 0;
int* p = &x;
deref(&p)[0] = source();
@@ -95,7 +95,7 @@ void addtaint2(int** p) { // $ ast-def=p ir-def=*p ir-def=**p
addtaint1(q);
}
void test2() {
void flowout_test2() {
int x = 0;
int* p = &x;
addtaint2(&p);

2
cpp/ql/test/library-tests/dataflow/dataflow-tests/self-Iterator.cpp
View File

@@ -15,7 +15,7 @@ template<> struct std::iterator_traits<unsigned long>
};
int test() {
int iterator_test() {
unsigned long x = source();
sink(x); // $ ast ir
}

1
cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected
View File

@@ -323,6 +323,7 @@ irFlow
| test.cpp:1069:9:1069:14 | call to source | test.cpp:1074:10:1074:10 | i |
| test.cpp:1069:9:1069:14 | call to source | test.cpp:1081:10:1081:10 | i |
| test.cpp:1117:27:1117:34 | call to source | test.cpp:1117:27:1117:34 | call to source |
| test.cpp:1132:11:1132:16 | call to source | test.cpp:1121:8:1121:8 | x |
| true_upon_entry.cpp:9:11:9:16 | call to source | true_upon_entry.cpp:13:8:13:8 | x |
| true_upon_entry.cpp:17:11:17:16 | call to source | true_upon_entry.cpp:21:8:21:8 | x |
| true_upon_entry.cpp:27:9:27:14 | call to source | true_upon_entry.cpp:29:8:29:8 | x |

16
cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp
View File

@@ -1115,4 +1115,20 @@ void indirect_sink_const_ref(const T&);
void test_temp_with_conversion_from_materialization() {
indirect_sink_const_ref(source()); // $ ir MISSING: ast
}
void reads_input(int x) {
sink(x); // $ ir MISSING: ast
}
void not_does_read_input(int x);
void (*dispatch_table[])(int) = {
reads_input,
not_does_read_input
};
void test_dispatch_table(int i) {
int x = source();
dispatch_table[i](x);
}

22
cpp/ql/test/library-tests/dataflow/dataflow-tests/true_upon_entry.cpp
View File

@@ -5,7 +5,7 @@ int source();
void sink(...);
bool random();
void test1() {
void on_entry_test1() {
int x = source();
for (int i = 0; i < 10; i++) {
x = 0;
@@ -13,7 +13,7 @@ void test1() {
sink(x); // $ SPURIOUS: ir
}
void test2(int iterations) {
void on_entry_test2(int iterations) {
int x = source();
for (int i = 0; i < iterations; i++) {
x = 0;
@@ -21,7 +21,7 @@ void test2(int iterations) {
sink(x); // $ ast,ir
}
void test3() {
void on_entry_test3() {
int x = 0;
for (int i = 0; i < 10; i++) {
x = source();
@@ -29,7 +29,7 @@ void test3() {
sink(x); // $ ast,ir
}
void test4() {
void on_entry_test4() {
int x = source();
for (int i = 0; i < 10; i++) {
if (random())
@@ -39,7 +39,7 @@ void test4() {
sink(x); // $ ast,ir
}
void test5() {
void on_entry_test5() {
int x = source();
for (int i = 0; i < 10; i++) {
if (random())
@@ -49,7 +49,7 @@ void test5() {
sink(x); // $ ast,ir
}
void test6() {
void on_entry_test6() {
int y;
int x = source();
for (int i = 0; i < 10 && (y = 1); i++) {
@@ -57,7 +57,7 @@ void test6() {
sink(x); // $ ast,ir
}
void test7() {
void on_entry_test7() {
int y;
int x = source();
for (int i = 0; i < 10 && (y = 1); i++) {
@@ -66,7 +66,7 @@ void test7() {
sink(x); // $ SPURIOUS: ir
}
void test8() {
void on_entry_test8() {
int x = source();
// It appears to the analysis that the condition can exit after `i < 10`
// without having assigned to `x`. That is an effect of how the
@@ -78,7 +78,7 @@ void test8() {
sink(x); // $ SPURIOUS: ast,ir
}
void test9() {
void on_entry_test9() {
int y;
int x = source();
for (int i = 0; (y = 1) && i < 10; i++) {
@@ -86,14 +86,14 @@ void test9() {
sink(x); // $ ast,ir
}
void test10() {
void on_entry_test10() {
int x = source();
for (int i = 0; (x = 1) && i < 10; i++) {
}
sink(x); // no flow
}
void test10(int b, int d) {
void on_entry_test10(int b, int d) {
int i = 0;
int x = source();
if (b)

2
cpp/ql/test/library-tests/dataflow/fields/dataflow-consistency.expected
View File

@@ -185,6 +185,8 @@ postWithInFlow
| simple.cpp:83:12:83:13 | f1 [post update] | PostUpdateNode should not be the target of local flow. |
| simple.cpp:92:7:92:7 | i [post update] | PostUpdateNode should not be the target of local flow. |
| simple.cpp:118:7:118:7 | i [post update] | PostUpdateNode should not be the target of local flow. |
| simple.cpp:124:5:124:6 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
| simple.cpp:124:6:124:6 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
| struct_init.c:24:11:24:12 | ab [inner post update] | PostUpdateNode should not be the target of local flow. |
| struct_init.c:36:17:36:24 | nestedAB [inner post update] | PostUpdateNode should not be the target of local flow. |
viableImplInCallContextTooLarge

3
cpp/ql/test/library-tests/dataflow/fields/partial-definition-diff.expected
View File

@@ -291,3 +291,6 @@ WARNING: module 'DataFlow' has been deprecated and may be removed in future (par
| simple.cpp:94:10:94:11 | a2 | IR only |
| simple.cpp:118:7:118:7 | i | AST only |
| simple.cpp:120:8:120:8 | a | IR only |
| simple.cpp:124:5:124:6 | * ... | AST only |
| simple.cpp:131:14:131:14 | a | IR only |
| simple.cpp:136:10:136:10 | a | IR only |

3
cpp/ql/test/library-tests/dataflow/fields/partial-definition-ir.expected
View File

@@ -651,6 +651,9 @@
| simple.cpp:94:10:94:11 | a2 |
| simple.cpp:118:5:118:5 | a |
| simple.cpp:120:8:120:8 | a |
| simple.cpp:131:14:131:14 | a |
| simple.cpp:135:20:135:20 | q |
| simple.cpp:136:10:136:10 | a |
| struct_init.c:15:8:15:9 | ab |
| struct_init.c:15:12:15:12 | a |
| struct_init.c:16:8:16:9 | ab |

2
cpp/ql/test/library-tests/dataflow/fields/partial-definition.expected
View File

@@ -581,6 +581,8 @@ WARNING: module 'DataFlow' has been deprecated and may be removed in future (par
| simple.cpp:92:7:92:7 | i |
| simple.cpp:118:5:118:5 | a |
| simple.cpp:118:7:118:7 | i |
| simple.cpp:124:5:124:6 | * ... |
| simple.cpp:135:20:135:20 | q |
| struct_init.c:15:8:15:9 | ab |
| struct_init.c:15:12:15:12 | a |
| struct_init.c:16:8:16:9 | ab |

18
cpp/ql/test/library-tests/dataflow/fields/simple.cpp
View File

@@ -120,4 +120,20 @@ void post_update_to_phi_input(bool b)
sink(a.i); // $ ast,ir
}
} // namespace Simple
void write_to_param(int* p) {
*p = user_input();
}
void alias_with_fields(bool b) {
A a;
int* q;
if(b) {
q = &a.i;
} else {
q = nullptr;
}
write_to_param(q);
sink(a.i); // $ MISSING: ast,ir
}
} // namespace Simple

10
cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
View File

@@ -6584,6 +6584,16 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
| taint.cpp:767:21:767:24 | ref arg path | taint.cpp:768:8:768:11 | path | |
| taint.cpp:768:8:768:11 | path | taint.cpp:768:7:768:11 | * ... | |
| taint.cpp:778:37:778:42 | call to source | taint.cpp:779:7:779:9 | obj | |
| taint.cpp:785:23:785:28 | source | taint.cpp:785:23:785:28 | source | |
| taint.cpp:785:23:785:28 | source | taint.cpp:786:18:786:23 | source | |
| taint.cpp:785:23:785:28 | source | taint.cpp:790:15:790:20 | source | |
| taint.cpp:786:12:786:16 | call to fopen | taint.cpp:787:7:787:7 | f | |
| taint.cpp:786:18:786:23 | source | taint.cpp:786:12:786:16 | call to fopen | TAINT |
| taint.cpp:789:8:789:9 | f2 | taint.cpp:790:11:790:12 | f2 | |
| taint.cpp:789:8:789:9 | f2 | taint.cpp:791:7:791:8 | f2 | |
| taint.cpp:790:10:790:12 | ref arg & ... | taint.cpp:790:11:790:12 | f2 [inner post update] | |
| taint.cpp:790:10:790:12 | ref arg & ... | taint.cpp:791:7:791:8 | f2 | |
| taint.cpp:790:11:790:12 | f2 | taint.cpp:790:10:790:12 | & ... | |
| vector.cpp:16:43:16:49 | source1 | vector.cpp:17:26:17:32 | source1 | |
| vector.cpp:16:43:16:49 | source1 | vector.cpp:31:38:31:44 | source1 | |
| vector.cpp:17:21:17:33 | call to vector | vector.cpp:19:14:19:14 | v | |

12
cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
View File

@@ -777,4 +777,16 @@ TaintInheritingContentObject source(bool);
void test_TaintInheritingContent() {
TaintInheritingContentObject obj = source(true);
sink(obj.flowFromObject); // $ ir MISSING: ast
}
FILE* fopen(const char*, const char*);
int fopen_s(FILE** pFile, const char *filename, const char *mode);
void fopen_test(char* source) {
FILE* f = fopen(source, "r");
sink(f); // $ ast,ir
FILE* f2;
fopen_s(&f2, source, "r");
sink(f2); // $ ast,ir
}

Some files were not shown because too many files have changed in this diff Show More