hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-01 03:35:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

[CPP-370] Reformat test cases so that the .expect files line up with what was

Browse Source 
checked in initially.  Check for DataFlow::DefinitionByReferenceNode
          when computing isSource() for our taint analysis.
This commit is contained in:
Ziemowit Laski
2019-05-13 18:29:19 -07:00
parent ed67c9fd5a
commit b205951e6d
5 changed files with 97 additions and 95 deletions
Download Patch File Download Diff File Expand all files Collapse all files

83
cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql
View File

@@ -46,51 +46,56 @@ predicate whitelisted(FunctionCall fc) {
exists(Function f, int arg | f = fc.getTarget() | whitelistFunction(f, arg))
}
predicate isNonConst(Expr e) {
exists(FunctionCall fc | fc = e.(FunctionCall) |
not whitelisted(fc) and not fc.getTarget().hasDefinition()
)
or
exists(Parameter p | p = e.(VariableAccess).getTarget().(Parameter) |
p.getFunction().getName() = "main" and p.getType() instanceof PointerType
)
or
e instanceof CrementOperation
or
e instanceof AddressOfExpr
or
e instanceof ReferenceToExpr
or
e instanceof AssignPointerAddExpr
or
e instanceof AssignPointerSubExpr
or
e instanceof PointerArithmeticOperation
or
e instanceof FieldAccess
or
e instanceof PointerDereferenceExpr
or
e instanceof AddressOfExpr
or
e instanceof ExprCall
or
e instanceof NewArrayExpr
or
e instanceof AssignExpr
or
exists(Variable v | v = e.(VariableAccess).getTarget() |
v.getType().(ArrayType).getBaseType() instanceof CharType and
exists(AssignExpr ae |
ae.getLValue().(ArrayExpr).getArrayBase().(VariableAccess).getTarget() = v
predicate isNonConst(DataFlow::Node node) {
exists(Expr e | e = node.asExpr() |
exists(FunctionCall fc | fc = e.(FunctionCall) |
not whitelisted(fc) and not fc.getTarget().hasDefinition()
)
or
exists(Parameter p | p = e.(VariableAccess).getTarget().(Parameter) |
p.getFunction().getName() = "main" and p.getType() instanceof PointerType
)
or
e instanceof CrementOperation
or
e instanceof AddressOfExpr
or
e instanceof ReferenceToExpr
or
e instanceof AssignPointerAddExpr
or
e instanceof AssignPointerSubExpr
or
e instanceof PointerArithmeticOperation
or
e instanceof FieldAccess
or
e instanceof PointerDereferenceExpr
or
e instanceof AddressOfExpr
or
e instanceof ExprCall
or
e instanceof NewArrayExpr
or
e instanceof AssignExpr
or
exists(Variable v | v = e.(VariableAccess).getTarget() |
v.getType().(ArrayType).getBaseType() instanceof CharType and
exists(AssignExpr ae |
ae.getLValue().(ArrayExpr).getArrayBase().(VariableAccess).getTarget() = v
)
)
)
or
// TODO: Figure out what to do with DataFlow::DefinitionByReferenceNode
exists(DataFlow::DefinitionByReferenceNode dbr | dbr = node.(DataFlow::DefinitionByReferenceNode))
}
class NonConstFlow extends TaintTracking::Configuration {
NonConstFlow() { this = "NonConstFlow" }
override predicate isSource(DataFlow::Node source) { isNonConst(source.asExpr()) }
override predicate isSource(DataFlow::Node source) { isNonConst(source) }
override predicate isSink(DataFlow::Node sink) {
exists(FormattingFunctionCall fc | sink.asExpr() = fc.getArgument(fc.getFormatParameterIndex()))
@@ -105,5 +110,5 @@ where
sink.asExpr() = formatString
)
select formatString,
"The format string argument to " + call.getTarget().getQualifiedName() +
"The format string argument to " + call.getTarget().getName() +
" should be constant to prevent security issues and other potential errors."

32
cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.c
View File

@@ -1,9 +1,5 @@
extern int printf(const char *fmt, ...);
// For the following `...gettext` functions, we assume that
// all translations preserve the type and order of `%` specifiers
// (and hence are safe to use as format strings). This
// assumption is hard-coded into the query.
extern char *gettext (const char *__msgid);
@@ -12,6 +8,7 @@ extern char *dgettext (const char *__domainname, const char *__msgid);
extern char *dcgettext (const char *__domainname,
const char *__msgid, int __category);
extern char *ngettext (const char *__msgid1, const char *__msgid2,
unsigned long int __n);
@@ -26,30 +23,27 @@ extern char *dcngettext (const char *__domainname, const char *__msgid1,
extern char *any_random_function(const char *);
#define NULL ((void*)0)
#define _(X) my_gettext(X)
#define _(X) any_random_function((X))
int main(int argc, char **argv) {
if(argc > 1)
printf(argv[1]); // NOT OK
printf(argv[1]); // not ok
else
printf("No argument supplied.\n"); // OK
printf("No argument supplied.\n"); // ok
printf(_("No argument supplied.\n")); // NOT OK
printf(_("No argument supplied.\n")); // not ok
printf(dgettext(NULL, "No argument supplied.\n")); // OK
printf(dgettext(NULL, "No argument supplied.\n")); // ok
printf(ngettext("One argument\n", "%d arguments\n", argc-1), argc-1); // OK
printf(ngettext("One argument\n", "%d arguments\n", argc-1), argc-1); // ok
printf(gettext("%d arguments\n"), argc-1); // OK
printf(any_random_function("%d arguments\n"), argc-1); // NOT OK
printf(gettext("%d arguments\n"), argc-1); // ok
printf(any_random_function("%d arguments\n"), argc-1); // not ok
#undef _
/* The special `..gettext..` functions are allowed arbitrary arguments */
printf(_(any_random_function("%d arguments\n")), // OK
argc-1);
printf(_("%d more arguments\n"), // OK
argc-1);
// Since `_` is mapped to `some_random_function` above,
// the following call will be flagged.
printf(_(any_random_function("%d arguments\n")),
argc-1); // not ok
return 0;
}

36
cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.expected
View File

@@ -1,17 +1,19 @@
| NonConstantFormat.c:34:10:34:16 | access to array | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| NonConstantFormat.c:38:9:38:36 | call to my_gettext | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| NonConstantFormat.c:45:9:45:27 | call to any_random_function | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:60:12:60:16 | hello | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:63:12:63:21 | call to const_wash | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:64:12:64:26 | ... + ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:65:12:65:17 | + ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:66:12:66:18 | * ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:67:12:67:18 | & ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:68:12:68:39 | ... + ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:70:10:70:35 | ... + ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:73:12:73:20 | ... + ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:79:12:79:16 | hello | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:85:12:85:16 | hello | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:91:12:91:16 | hello | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:96:12:96:18 | ++ ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:113:12:113:24 | new[] | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| NonConstantFormat.c:30:10:30:16 | access to array | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| NonConstantFormat.c:34:9:34:36 | call to any_random_function | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| NonConstantFormat.c:41:9:41:27 | call to any_random_function | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| NonConstantFormat.c:45:9:45:48 | call to any_random_function | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:45:10:45:21 | call to make_message | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:50:12:50:16 | hello | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:53:12:53:21 | call to const_wash | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:54:12:54:26 | ... + ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:55:12:55:17 | + ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:56:12:56:18 | * ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:57:12:57:18 | & ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:58:12:58:39 | ... + ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:60:10:60:35 | ... + ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:63:12:63:20 | ... + ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:69:12:69:16 | hello | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:75:12:75:16 | hello | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:81:12:81:16 | hello | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:86:12:86:18 | ++ ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:103:12:103:24 | new[] | The format string argument to printf should be constant to prevent security issues and other potential errors. |

35
cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/test.cpp
View File

@@ -10,10 +10,6 @@ const char *messages[] = {
"%u tasks left\n",
};
const char *simple_func(const char *str) {
return str;
}
const char *choose_message(unsigned int n) {
if (n == 0) {
const char *message = messages[0];
@@ -27,7 +23,7 @@ const char *choose_message(unsigned int n) {
const char *make_message(unsigned int n) {
static char buf[64];
sprintf(buf, "%d tasks left\n", n); // OK
sprintf(buf, "%d tasks left\n", n);
return buf;
}
@@ -45,14 +41,8 @@ const char *const_wash(char *str) {
}
int main(int argc, char **argv) {
const char *message = messages[2];
printf(simple_func("Hello, World\n")); // OK
printf(choose_message(argc - 1), argc - 1); // OK
printf(messages[1]); // OK
printf(message); // OK
printf(make_message(argc - 1)); // OK
printf("Hello, World\n"); // OK
printf(gettext("Hello, World\n")); // OK
printf(make_message(argc - 1)); // NOT OK
printf(_("Hello, World\n")); // OK
{
char hello[] = "hello, World\n";
@@ -100,14 +90,14 @@ int main(int argc, char **argv) {
const char *hello = "Hello, World\n";
const char **p = &hello;
(*p)++;
printf(hello); // NOT OK [NOT DETECTED]
printf(hello); // NOT OK
}
{
// Same as above block but through a C++ reference
const char *hello = "Hello, World\n";
const char *&p = hello;
p++;
printf(hello); // NOT OK [NOT DETECTED]
printf(hello); // NOT OK
}
if (gettext_debug) {
printf(new char[100]); // NOT OK
@@ -120,5 +110,22 @@ int main(int argc, char **argv) {
}
printf(argc > 2 ? "More than one\n" : _("Only one\n")); // OK
// This following is OK since a const literal is passed to const_wash()
// and the taint tracker detects this.
//
//
printf(const_wash("Hello, World\n")); // OK
}
const char *simple_func(const char *str) {
return str;
}
void another_func(void) {
const char *message = messages[2];
printf(simple_func("Hello, World\n")); // OK
printf(messages[1]); // OK
printf(message); // OK
printf("Hello, World\n"); // OK
printf(gettext("Hello, World\n")); // OK
}

6
cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/consts/NonConstantFormat.expected
View File

@@ -1,16 +1,10 @@
| consts.cpp:63:9:63:10 | c5 | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| consts.cpp:69:9:69:10 | c6 | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| consts.cpp:81:9:81:10 | c8 | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| consts.cpp:86:9:86:10 | v1 | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| consts.cpp:91:9:91:10 | v2 | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| consts.cpp:95:9:95:10 | v3 | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| consts.cpp:100:9:100:10 | v4 | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| consts.cpp:103:9:103:15 | call to varFunc | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| consts.cpp:107:9:107:10 | v5 | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| consts.cpp:112:9:112:10 | v6 | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| consts.cpp:116:9:116:13 | access to array | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| consts.cpp:121:9:121:10 | v8 | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| consts.cpp:130:9:130:10 | v9 | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| consts.cpp:135:9:135:11 | v10 | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| consts.cpp:140:9:140:11 | v11 | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| consts.cpp:145:9:145:11 | v12 | The format string argument to printf should be constant to prevent security issues and other potential errors. |