hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-20 06:24:03 +02:00
Code Issues Packages Projects Releases Wiki Activity

add fallback if I can't easily determine the variable

Browse Source
This commit is contained in:
erik-krogh
2024-04-05 16:18:20 +02:00
parent 8b220cc1b3
commit ca4f667053
3 changed files with 24 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
java/ql/src/Likely Bugs/Arithmetic/InformationLoss.ql
View File

@@ -27,17 +27,23 @@ class DangerousAssignOpExpr extends AssignOp {
predicate problematicCasting(Type t, Expr e) { e.getType().(NumType).widerThan(t) }
Variable getVariable(DangerousAssignOpExpr a) {
result = a.getDest().(VarAccess).getVariable()
Variable getVariable(Expr dest) {
result = dest.(VarAccess).getVariable()
or
result = a.getDest().(ArrayAccess).getArray().(VarAccess).getVariable()
result = dest.(ArrayAccess).getArray().(VarAccess).getVariable()
}
from DangerousAssignOpExpr a, Expr e, Variable v
from DangerousAssignOpExpr a, Expr e, Top v
where
e = a.getSource() and
problematicCasting(a.getDest().getType(), e) and
v = getVariable(a)
(
v = getVariable(a.getDest())
or
// fallback, in case we can't easily determine the variable
not exists(getVariable(a.getDest())) and
v = a.getDest()
)
select a,
"Implicit cast of source $@ to narrower destination type " + a.getDest().getType().getName() + ".",
v, "type " + e.getType().getName()
"Implicit cast of $@ to narrower destination type " + a.getDest().getType().getName() + ".",
v, "source type " + e.getType().getName()

7
java/ql/test/query-tests/security/CWE-190/semmle/tests/InformationLoss.expected
View File

@@ -1,3 +1,4 @@
| Test.java:68:5:68:25 | ...+=... | Implicit cast of source $@ to narrower destination type int. | Test.java:64:4:64:13 | int i | type long |
| Test.java:87:4:87:9 | ...+=... | Implicit cast of source $@ to narrower destination type int. | Test.java:81:4:81:13 | int i | type long |
| Test.java:289:5:289:30 | ...+=... | Implicit cast of source $@ to narrower destination type int. | Test.java:285:4:285:27 | int[] arr | type long |
| Test.java:68:5:68:25 | ...+=... | Implicit cast of $@ to narrower destination type int. | Test.java:64:4:64:13 | int i | source type long |
| Test.java:87:4:87:9 | ...+=... | Implicit cast of $@ to narrower destination type int. | Test.java:81:4:81:13 | int i | source type long |
| Test.java:289:5:289:30 | ...+=... | Implicit cast of $@ to narrower destination type int. | Test.java:285:4:285:27 | int[] arr | source type long |
| Test.java:293:7:293:44 | ...+=... | Implicit cast of $@ to narrower destination type int. | Test.java:293:7:293:24 | ...[...] | source type long |

7
java/ql/test/query-tests/security/CWE-190/semmle/tests/Test.java
View File

@@ -288,6 +288,9 @@ class Test {
// which will result in overflows if it is large
arr[2] += getLargeNumber();
}
// BAD.
getAnIntArray()[0] += getLargeNumber();
}
}
@@ -295,6 +298,10 @@ class Test {
return Long.MAX_VALUE / 2;
}
public static int[] getAnIntArray() {
return new int[10];
}
public static boolean properlyBounded(int i) {
return i < Integer.MAX_VALUE;
}