hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-01 03:35:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into path-sensitive-stack-variable-reachability-analysis

Browse Source
This commit is contained in:
Mathias Vorreiter Pedersen
2021-06-14 21:40:55 +02:00
parent 714ad105fe cce8eac0a7
commit cc6ae7f8b8
737 changed files with 13650 additions and 5876 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.codeqlmanifest.json
View File

@@ -1,5 +1,6 @@
{ "provide": [ "*/ql/src/qlpack.yml",
"*/ql/test/qlpack.yml",
"cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml",
"*/ql/examples/qlpack.yml",
"*/upgrades/qlpack.yml",
"misc/legacy-support/*/qlpack.yml",

8
.github/workflows/csv-coverage.yml vendored
View File

@@ -70,8 +70,8 @@ jobs:
with:
name: rst-flow-model-coverage
path: flow-model-coverage-*.rst
- name: Check coverage files
if: github.event.pull_request
run: |
python script/misc/scripts/library-coverage/compare-files.py codeqlModels
# - name: Check coverage files
# if: github.event.pull_request
# run: |
# python script/misc/scripts/library-coverage/compare-files.py codeqlModels

4
cpp/change-notes/2021-06-10-std-types.md Normal file
View File

@@ -0,0 +1,4 @@
lgtm,codescanning
* Added definitions for types found in `cstdint`. Added types `FixedWidthIntegralType`, `MinimumWidthIntegralType`, `FastestMinimumWidthIntegralType`, and `MaximumWidthIntegralType` to describe types such as `int8_t`, `int_least8_t`, `int_fast8_t`, and `intmax_t` respectively.
* Changed definition of `Intmax_t` and `Uintmax_t` to be part of the new type structure.
* Added a type `FixedWidthEnumType` which describes enums based on a fixed-width integer type. For instance, `enum e: uint8_t = { a, b };`.

1
cpp/ql/src/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql
View File

@@ -5,6 +5,7 @@
* @kind problem
* @id cpp/offset-use-before-range-check
* @problem.severity warning
* @security-severity 5.9
* @precision medium
* @tags reliability
* security

1
cpp/ql/src/Critical/DescriptorMayNotBeClosed.ql
View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/descriptor-may-not-be-closed
* @problem.severity warning
* @security-severity 5.9
* @tags efficiency
* security
* external/cwe/cwe-775

1
cpp/ql/src/Critical/DescriptorNeverClosed.ql
View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/descriptor-never-closed
* @problem.severity warning
* @security-severity 5.9
* @tags efficiency
* security
* external/cwe/cwe-775

1
cpp/ql/src/Critical/FileMayNotBeClosed.ql
View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/file-may-not-be-closed
* @problem.severity warning
* @security-severity 5.9
* @tags efficiency
* security
* external/cwe/cwe-775

1
cpp/ql/src/Critical/FileNeverClosed.ql
View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/file-never-closed
* @problem.severity warning
* @security-severity 5.9
* @tags efficiency
* security
* external/cwe/cwe-775

1
cpp/ql/src/Critical/GlobalUseBeforeInit.ql
View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/global-use-before-init
* @problem.severity warning
* @security-severity 6.9
* @tags reliability
* security
* external/cwe/cwe-457

1
cpp/ql/src/Critical/InconsistentNullnessTesting.ql
View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/inconsistent-nullness-testing
* @problem.severity warning
* @security-severity 3.6
* @tags reliability
* security
* external/cwe/cwe-476

1
cpp/ql/src/Critical/InitialisationNotRun.ql
View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/initialization-not-run
* @problem.severity warning
* @security-severity 6.4
* @tags reliability
* security
* external/cwe/cwe-456

1
cpp/ql/src/Critical/LateNegativeTest.ql
View File

@@ -6,6 +6,7 @@
* @kind problem
* @id cpp/late-negative-test
* @problem.severity warning
* @security-severity 10.0
* @tags reliability
* security
* external/cwe/cwe-823

1
cpp/ql/src/Critical/MemoryMayNotBeFreed.ql
View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/memory-may-not-be-freed
* @problem.severity warning
* @security-severity 3.6
* @tags efficiency
* security
* external/cwe/cwe-401

1
cpp/ql/src/Critical/MemoryNeverFreed.ql
View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/memory-never-freed
* @problem.severity warning
* @security-severity 3.6
* @tags efficiency
* security
* external/cwe/cwe-401

1
cpp/ql/src/Critical/MissingNegativityTest.ql
View File

@@ -5,6 +5,7 @@
* @kind problem
* @id cpp/missing-negativity-test
* @problem.severity warning
* @security-severity 10.0
* @tags reliability
* security
* external/cwe/cwe-823

1
cpp/ql/src/Critical/MissingNullTest.ql
View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/missing-null-test
* @problem.severity recommendation
* @security-severity 3.6
* @tags reliability
* security
* external/cwe/cwe-476

1
cpp/ql/src/Critical/NewFreeMismatch.ql
View File

@@ -3,6 +3,7 @@
* @description An object that was allocated with 'malloc' or 'new' is being freed using a mismatching 'free' or 'delete'.
* @kind problem
* @problem.severity warning
* @security-severity 3.6
* @precision high
* @id cpp/new-free-mismatch
* @tags reliability

1
cpp/ql/src/Critical/OverflowCalculated.ql
View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/overflow-calculated
* @problem.severity warning
* @security-severity 5.9
* @tags reliability
* security
* external/cwe/cwe-131

1
cpp/ql/src/Critical/OverflowDestination.ql
View File

@@ -5,6 +5,7 @@
* @kind problem
* @id cpp/overflow-destination
* @problem.severity warning
* @security-severity 10.0
* @precision low
* @tags reliability
* security

1
cpp/ql/src/Critical/OverflowStatic.ql
View File

@@ -4,6 +4,7 @@
* may result in a buffer overflow.
* @kind problem
* @problem.severity warning
* @security-severity 10.0
* @precision medium
* @id cpp/static-buffer-overflow
* @tags reliability

1
cpp/ql/src/Critical/ReturnStackAllocatedObject.ql
View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/return-stack-allocated-object
* @problem.severity warning
* @security-severity 2.9
* @tags reliability
* security
* external/cwe/cwe-562

1
cpp/ql/src/Critical/SizeCheck.ql
View File

@@ -4,6 +4,7 @@
* an instance of the type of the pointer may result in a buffer overflow
* @kind problem
* @problem.severity warning
* @security-severity 6.4
* @precision medium
* @id cpp/allocation-too-small
* @tags reliability

1
cpp/ql/src/Critical/SizeCheck2.ql
View File

@@ -4,6 +4,7 @@
* multiple instances of the type of the pointer may result in a buffer overflow
* @kind problem
* @problem.severity warning
* @security-severity 6.4
* @precision medium
* @id cpp/suspicious-allocation-size
* @tags reliability

1
cpp/ql/src/Critical/UseAfterFree.ql
View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/use-after-free
* @problem.severity warning
* @security-severity 5.9
* @tags reliability
* security
* external/cwe/cwe-416

1
cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
View File

@@ -6,6 +6,7 @@
* to a larger type.
* @kind problem
* @problem.severity error
* @security-severity 5.9
* @precision very-high
* @id cpp/bad-addition-overflow-check
* @tags reliability

1
cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
View File

@@ -4,6 +4,7 @@
* be a sign that the result can overflow the type converted from.
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @precision high
* @id cpp/integer-multiplication-cast-to-long
* @tags reliability

1
cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
View File

@@ -5,6 +5,7 @@
* unsigned integer values.
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @precision high
* @id cpp/signed-overflow-check
* @tags correctness

1
cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
View File

@@ -6,6 +6,7 @@
* use the width of the base type, leading to misaligned reads.
* @kind path-problem
* @problem.severity warning
* @security-severity 10.0
* @precision high
* @id cpp/upcast-array-pointer-arithmetic
* @tags correctness

1
cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql
View File

@@ -6,6 +6,7 @@
* from an untrusted source, this can be used for exploits.
* @kind problem
* @problem.severity recommendation
* @security-severity 6.9
* @precision high
* @id cpp/non-constant-format
* @tags maintainability

1
cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
View File

@@ -3,6 +3,7 @@
* @description Using the return value from snprintf without proper checks can cause overflow.
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @precision high
* @id cpp/overflowing-snprintf
* @tags reliability

1
cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
View File

@@ -4,6 +4,7 @@
* a source of security issues.
* @kind problem
* @problem.severity error
* @security-severity 2.9
* @precision high
* @id cpp/wrong-number-format-arguments
* @tags reliability

1
cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
View File

@@ -4,6 +4,7 @@
* behavior.
* @kind problem
* @problem.severity error
* @security-severity 6.4
* @precision high
* @id cpp/wrong-type-format-argument
* @tags reliability

1
cpp/ql/src/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage.ql
View File

@@ -6,6 +6,7 @@
* @kind problem
* @id cpp/incorrect-not-operator-usage
* @problem.severity warning
* @security-severity 3.6
* @precision medium
* @tags security
* external/cwe/cwe-480

1
cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql
View File

@@ -3,6 +3,7 @@
* @description Using alloca in a loop can lead to a stack overflow
* @kind problem
* @problem.severity warning
* @security-severity 3.6
* @precision high
* @id cpp/alloca-in-loop
* @tags reliability

1
cpp/ql/src/Likely Bugs/Memory Management/ImproperNullTermination.ql
View File

@@ -5,6 +5,7 @@
* @kind problem
* @id cpp/improper-null-termination
* @problem.severity warning
* @security-severity 5.9
* @tags security
* external/cwe/cwe-170
* external/cwe/cwe-665

1
cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
View File

@@ -4,6 +4,7 @@
* on undefined behavior and may lead to memory corruption.
* @kind problem
* @problem.severity error
* @security-severity 2.9
* @precision high
* @id cpp/pointer-overflow-check
* @tags reliability

1
cpp/ql/src/Likely Bugs/Memory Management/PotentialBufferOverflow.ql
View File

@@ -6,6 +6,7 @@
* @kind problem
* @id cpp/potential-buffer-overflow
* @problem.severity warning
* @security-severity 10.0
* @tags reliability
* security
* external/cwe/cwe-676

1
cpp/ql/src/Likely Bugs/Memory Management/StrncpyFlippedArgs.ql
View File

@@ -4,6 +4,7 @@
* as the third argument may result in a buffer overflow.
* @kind problem
* @problem.severity warning
* @security-severity 10.0
* @precision medium
* @id cpp/bad-strncpy-size
* @tags reliability

1
cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToMemset.ql
View File

@@ -7,6 +7,7 @@
* @kind problem
* @id cpp/suspicious-call-to-memset
* @problem.severity recommendation
* @security-severity 10.0
* @precision medium
* @tags reliability
* correctness

1
cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql
View File

@@ -3,6 +3,7 @@
* @description Calling 'strncat' with an incorrect size argument may result in a buffer overflow.
* @kind problem
* @problem.severity warning
* @security-severity 10.0
* @precision medium
* @id cpp/unsafe-strncat
* @tags reliability

1
cpp/ql/src/Likely Bugs/Memory Management/SuspiciousSizeof.ql
View File

@@ -5,6 +5,7 @@
* the machine pointer size.
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @precision medium
* @id cpp/suspicious-sizeof
* @tags reliability

1
cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql
View File

@@ -5,6 +5,7 @@
* @kind problem
* @id cpp/uninitialized-local
* @problem.severity warning
* @security-severity 5.9
* @precision medium
* @tags security
* external/cwe/cwe-665

1
cpp/ql/src/Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql
View File

@@ -4,6 +4,7 @@
* may result in a buffer overflow
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @precision medium
* @id cpp/unsafe-strcat
* @tags reliability

1
cpp/ql/src/Likely Bugs/OO/SelfAssignmentCheck.ql
View File

@@ -6,6 +6,7 @@
* @kind problem
* @id cpp/self-assignment-check
* @problem.severity warning
* @security-severity 5.9
* @tags reliability
* security
* external/cwe/cwe-826

1
cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql
View File

@@ -6,6 +6,7 @@
* @kind path-problem
* @id cpp/unsafe-use-of-this
* @problem.severity error
* @security-severity 3.6
* @precision very-high
* @tags correctness
* language-features

1
cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql
View File

@@ -7,6 +7,7 @@
* undefined data.
* @kind problem
* @problem.severity error
* @security-severity 2.9
* @precision very-high
* @id cpp/too-few-arguments
* @tags correctness

1
cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
View File

@@ -5,6 +5,7 @@
* @kind problem
* @id cpp/memset-may-be-deleted
* @problem.severity warning
* @security-severity 6.4
* @precision high
* @tags security
* external/cwe/cwe-14

1
cpp/ql/src/Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql
View File

@@ -5,6 +5,7 @@
* @kind path-problem
* @precision low
* @problem.severity error
* @security-severity 5.9
* @tags security external/cwe/cwe-20
*/

1
cpp/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
View File

@@ -5,6 +5,7 @@
* @kind path-problem
* @precision low
* @problem.severity error
* @security-severity 5.9
* @tags security external/cwe/cwe-20
*/

1
cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
View File

@@ -4,6 +4,7 @@
* attacker to access unexpected resources.
* @kind path-problem
* @problem.severity warning
* @security-severity 6.4
* @precision medium
* @id cpp/path-injection
* @tags security

1
cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
View File

@@ -5,6 +5,7 @@
* to command injection.
* @kind problem
* @problem.severity error
* @security-severity 5.9
* @precision low
* @id cpp/command-line-injection
* @tags security

1
cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
View File

@@ -4,6 +4,7 @@
* allows for a cross-site scripting vulnerability.
* @kind path-problem
* @problem.severity error
* @security-severity 2.9
* @precision high
* @id cpp/cgi-xss
* @tags security

1
cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
View File

@@ -5,6 +5,7 @@
* to SQL Injection.
* @kind path-problem
* @problem.severity error
* @security-severity 6.4
* @precision high
* @id cpp/sql-injection
* @tags security

1
cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
View File

@@ -5,6 +5,7 @@
* commands.
* @kind path-problem
* @problem.severity warning
* @security-severity 6.0
* @precision medium
* @id cpp/uncontrolled-process-operation
* @tags security

1
cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql
View File

@@ -6,6 +6,7 @@
* @kind problem
* @id cpp/overflow-buffer
* @problem.severity recommendation
* @security-severity 10.0
* @tags security
* external/cwe/cwe-119
* external/cwe/cwe-121

1
cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
View File

@@ -5,6 +5,7 @@
* overflow.
* @kind problem
* @problem.severity error
* @security-severity 5.9
* @precision high
* @id cpp/badly-bounded-write
* @tags reliability

1
cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql
View File

@@ -4,6 +4,7 @@
* of data written may overflow.
* @kind problem
* @problem.severity error
* @security-severity 5.9
* @precision medium
* @id cpp/overrunning-write
* @tags reliability

1
cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql
View File

@@ -5,6 +5,7 @@
* take extreme values.
* @kind problem
* @problem.severity error
* @security-severity 5.9
* @precision medium
* @id cpp/overrunning-write-with-float
* @tags reliability

1
cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
View File

@@ -4,6 +4,7 @@
* of data written may overflow.
* @kind path-problem
* @problem.severity error
* @security-severity 5.9
* @precision medium
* @id cpp/unbounded-write
* @tags reliability

1
cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
View File

@@ -5,6 +5,7 @@
* a specific value to terminate the argument list.
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @precision medium
* @id cpp/unterminated-variadic-call
* @tags reliability

1
cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
View File

@@ -6,6 +6,7 @@
* @kind problem
* @id cpp/unclear-array-index-validation
* @problem.severity warning
* @security-severity 5.9
* @tags security
* external/cwe/cwe-129
*/

1
cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
View File

@@ -5,6 +5,7 @@
* terminator can cause a buffer overrun.
* @kind problem
* @problem.severity error
* @security-severity 5.9
* @precision high
* @id cpp/no-space-for-terminator
* @tags reliability

1
cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
View File

@@ -5,6 +5,7 @@
* or data representation problems.
* @kind path-problem
* @problem.severity warning
* @security-severity 6.9
* @precision high
* @id cpp/tainted-format-string
* @tags reliability

1
cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.ql
View File

@@ -5,6 +5,7 @@
* or data representation problems.
* @kind path-problem
* @problem.severity warning
* @security-severity 6.9
* @precision high
* @id cpp/tainted-format-string-through-global
* @tags reliability

1
cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql
View File

@@ -5,6 +5,7 @@
* @kind problem
* @id cpp/user-controlled-null-termination-tainted
* @problem.severity warning
* @security-severity 10.0
* @tags security
* external/cwe/cwe-170
*/

1
cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
View File

@@ -4,6 +4,7 @@
* not validated can cause overflows.
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @precision low
* @id cpp/tainted-arithmetic
* @tags security

1
cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
View File

@@ -4,6 +4,7 @@
* validated can cause overflows.
* @kind path-problem
* @problem.severity warning
* @security-severity 5.9
* @precision medium
* @id cpp/uncontrolled-arithmetic
* @tags security

1
cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
View File

@@ -6,6 +6,7 @@
* @kind problem
* @id cpp/arithmetic-with-extreme-values
* @problem.severity warning
* @security-severity 5.9
* @precision low
* @tags security
* reliability

1
cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
View File

@@ -5,6 +5,7 @@
* @id cpp/comparison-with-wider-type
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @precision high
* @tags reliability
* security

1
cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
View File

@@ -5,6 +5,7 @@
* @kind problem
* @id cpp/integer-overflow-tainted
* @problem.severity warning
* @security-severity 5.9
* @precision low
* @tags security
* external/cwe/cwe-190

2
cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
View File

@@ -4,11 +4,13 @@
* user can result in integer overflow.
* @kind path-problem
* @problem.severity error
* @security-severity 5.9
* @precision medium
* @id cpp/uncontrolled-allocation-size
* @tags reliability
* security
* external/cwe/cwe-190
* external/cwe/cwe-789
*/
import cpp

1
cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/unsigned-difference-expression-compared-zero
* @problem.severity warning
* @security-severity 5.9
* @precision medium
* @tags security
* correctness

1
cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
View File

@@ -4,6 +4,7 @@
* @kind problem
* @id cpp/hresult-boolean-conversion
* @problem.severity error
* @security-severity 4.2
* @precision high
* @tags security
* external/cwe/cwe-253

1
cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql
View File

@@ -5,6 +5,7 @@
* vulnerable to spoofing attacks.
* @kind path-problem
* @problem.severity warning
* @security-severity 5.8
* @precision medium
* @id cpp/user-controlled-bypass
* @tags security

1
cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
View File

@@ -4,6 +4,7 @@
* to an attacker.
* @kind path-problem
* @problem.severity warning
* @security-severity 5.9
* @precision medium
* @id cpp/cleartext-storage-buffer
* @tags security

1
cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
View File

@@ -4,6 +4,7 @@
* to an attacker.
* @kind problem
* @problem.severity warning
* @security-severity 6.4
* @precision medium
* @id cpp/cleartext-storage-file
* @tags security

1
cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
View File

@@ -4,6 +4,7 @@
* database can expose it to an attacker.
* @kind path-problem
* @problem.severity warning
* @security-severity 6.4
* @precision medium
* @id cpp/cleartext-storage-database
* @tags security

124
cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
View File

@@ -4,6 +4,7 @@
* an attacker to compromise security.
* @kind problem
* @problem.severity error
* @security-severity 5.2
* @precision medium
* @id cpp/weak-cryptographic-algorithm
* @tags security
@@ -28,7 +29,7 @@ Function getAnInsecureEncryptionFunction() {
/**
* A function with additional evidence it is related to encryption.
*/
Function getAdditionalEvidenceFunction() {
Function getAnAdditionalEvidenceFunction() {
(
isEncryptionAdditionalEvidence(result.getName()) or
isEncryptionAdditionalEvidence(result.getAParameter().getName())
@@ -47,7 +48,7 @@ Macro getAnInsecureEncryptionMacro() {
/**
* A macro with additional evidence it is related to encryption.
*/
Macro getAdditionalEvidenceMacro() {
Macro getAnAdditionalEvidenceMacro() {
isEncryptionAdditionalEvidence(result.getName()) and
exists(result.getAnInvocation())
}
@@ -63,61 +64,78 @@ EnumConstant getAnInsecureEncryptionEnumConst() { isInsecureEncryption(result.ge
EnumConstant getAdditionalEvidenceEnumConst() { isEncryptionAdditionalEvidence(result.getName()) }
/**
* A function call we have a high confidence is related to use of an insecure
* encryption algorithm.
* A function call we have a high confidence is related to use of an insecure encryption algorithm, along
* with an associated `Element` which might be the best point to blame, and a description of that element.
*/
class InsecureFunctionCall extends FunctionCall {
Element blame;
string explain;
predicate getInsecureEncryptionEvidence(FunctionCall fc, Element blame, string description) {
// find use of an insecure algorithm name
(
fc.getTarget() = getAnInsecureEncryptionFunction() and
blame = fc and
description = "call to " + fc.getTarget().getName()
or
exists(MacroInvocation mi |
(
mi.getAnExpandedElement() = fc or
mi.getAnExpandedElement() = fc.getAnArgument()
) and
mi.getMacro() = getAnInsecureEncryptionMacro() and
blame = mi and
description = "invocation of macro " + mi.getMacro().getName()
)
or
exists(EnumConstantAccess ec |
ec = fc.getAnArgument() and
ec.getTarget() = getAnInsecureEncryptionEnumConst() and
blame = ec and
description = "access of enum constant " + ec.getTarget().getName()
)
) and
// find additional evidence that this function is related to encryption.
(
fc.getTarget() = getAnAdditionalEvidenceFunction()
or
exists(MacroInvocation mi |
(
mi.getAnExpandedElement() = fc or
mi.getAnExpandedElement() = fc.getAnArgument()
) and
mi.getMacro() = getAnAdditionalEvidenceMacro()
)
or
exists(EnumConstantAccess ec |
ec = fc.getAnArgument() and
ec.getTarget() = getAdditionalEvidenceEnumConst()
)
)
}
InsecureFunctionCall() {
// find use of an insecure algorithm name
(
getTarget() = getAnInsecureEncryptionFunction() and
blame = this and
explain = "function call"
or
exists(MacroInvocation mi |
(
mi.getAnExpandedElement() = this or
mi.getAnExpandedElement() = this.getAnArgument()
) and
mi.getMacro() = getAnInsecureEncryptionMacro() and
blame = mi and
explain = "macro invocation"
)
or
exists(EnumConstantAccess ec |
ec = this.getAnArgument() and
ec.getTarget() = getAnInsecureEncryptionEnumConst() and
blame = ec and
explain = "enum constant access"
)
) and
// find additional evidence that this function is related to encryption.
(
getTarget() = getAdditionalEvidenceFunction()
or
exists(MacroInvocation mi |
(
mi.getAnExpandedElement() = this or
mi.getAnExpandedElement() = this.getAnArgument()
) and
mi.getMacro() = getAdditionalEvidenceMacro()
)
or
exists(EnumConstantAccess ec |
ec = this.getAnArgument() and
ec.getTarget() = getAdditionalEvidenceEnumConst()
)
/**
* An element that is the `blame` of an `InsecureFunctionCall`.
*/
class BlamedElement extends Element {
string description;
BlamedElement() { getInsecureEncryptionEvidence(_, this, description) }
/**
* Holds if this is the `num`-th `BlamedElement` in `f`.
*/
predicate hasFileRank(File f, int num) {
exists(int loc |
getLocation().charLoc(f, loc, _) and
loc =
rank[num](BlamedElement other, int loc2 | other.getLocation().charLoc(f, loc2, _) | loc2)
)
}
Element getBlame() { result = blame }
string getDescription() { result = explain }
string getDescription() { result = description }
}
from InsecureFunctionCall c
select c.getBlame(),
"This " + c.getDescription() + " specifies a broken or weak cryptographic algorithm."
from File f, BlamedElement firstResult, BlamedElement thisResult
where
firstResult.hasFileRank(f, 1) and
thisResult.hasFileRank(f, _)
select firstResult,
"This file makes use of a broken or weak cryptographic algorithm (specified by $@).", thisResult,
thisResult.getDescription()

1
cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql
View File

@@ -4,6 +4,7 @@
* attackers to retrieve portions of memory.
* @kind problem
* @problem.severity error
* @security-severity 5.2
* @precision very-high
* @id cpp/openssl-heartbleed
* @tags security

1
cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
View File

@@ -5,6 +5,7 @@
* the two operations.
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @precision medium
* @id cpp/toctou-race-condition
* @tags security

1
cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
View File

@@ -4,6 +4,7 @@
* @id cpp/unsafe-create-process-call
* @kind problem
* @problem.severity error
* @security-severity 5.9
* @precision medium
* @msrc.severity important
* @tags security

1
cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql
View File

@@ -5,6 +5,7 @@
* state, and reading the variable may result in undefined behavior.
* @kind problem
* @problem.severity warning
* @security-severity 6.9
* @opaque-id SM02313
* @id cpp/conditionally-uninitialized-variable
* @tags security

1
cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScaling.ql
View File

@@ -4,6 +4,7 @@
* can cause buffer overflow conditions.
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @precision medium
* @id cpp/suspicious-pointer-scaling
* @tags security

1
cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingChar.ql
View File

@@ -5,6 +5,7 @@
* @kind problem
* @id cpp/incorrect-pointer-scaling-char
* @problem.severity warning
* @security-severity 5.9
* @precision low
* @tags security
* external/cwe/cwe-468

1
cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql
View File

@@ -4,6 +4,7 @@
* can cause buffer overflow conditions.
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @precision medium
* @id cpp/suspicious-pointer-scaling-void
* @tags security

1
cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
View File

@@ -5,6 +5,7 @@
* implicitly scaled.
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @precision high
* @id cpp/suspicious-add-sizeof
* @tags security

1
cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
View File

@@ -5,6 +5,7 @@
* attack plan.
* @kind problem
* @problem.severity warning
* @security-severity 3.6
* @precision medium
* @id cpp/system-data-exposure
* @tags security

1
cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
View File

@@ -3,6 +3,7 @@
* @description Use of a standard library function that does not guard against buffer overflow.
* @kind problem
* @problem.severity error
* @security-severity 10.0
* @precision very-high
* @id cpp/dangerous-function-overflow
* @tags reliability

1
cpp/ql/src/Security/CWE/CWE-676/DangerousUseOfCin.ql
View File

@@ -4,6 +4,7 @@
* may be dangerous.
* @kind problem
* @problem.severity error
* @security-severity 10.0
* @precision high
* @id cpp/dangerous-cin
* @tags reliability

1
cpp/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql
View File

@@ -3,6 +3,7 @@
* @description Use of a standard library function that is not thread-safe.
* @kind problem
* @problem.severity warning
* @security-severity 10.0
* @precision high
* @id cpp/potentially-dangerous-function
* @tags reliability

1
cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
View File

@@ -6,6 +6,7 @@
* @kind problem
* @id cpp/incorrect-string-type-conversion
* @problem.severity error
* @security-severity 5.9
* @precision high
* @tags security
* external/cwe/cwe-704

1
cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.ql
View File

@@ -3,6 +3,7 @@
* @description Creating a file that is world-writable can allow an attacker to write to the file.
* @kind problem
* @problem.severity warning
* @security-severity 5.9
* @precision medium
* @id cpp/world-writable-file-creation
* @tags security

1
cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
View File

@@ -7,6 +7,7 @@
* @id cpp/unsafe-dacl-security-descriptor
* @kind problem
* @problem.severity error
* @security-severity 5.9
* @precision high
* @tags security
* external/cwe/cwe-732

1
cpp/ql/src/Security/CWE/CWE-764/LockOrderCycle.ql
View File

@@ -5,6 +5,7 @@
* @kind problem
* @id cpp/lock-order-cycle
* @problem.severity error
* @security-severity 6.9
* @tags security
* external/cwe/cwe-764
* external/cwe/cwe-833

1
cpp/ql/src/Security/CWE/CWE-764/TwiceLocked.ql
View File

@@ -5,6 +5,7 @@
* @kind problem
* @id cpp/twice-locked
* @problem.severity error
* @security-severity 6.9
* @precision low
* @tags security
* external/cwe/cwe-764

1
cpp/ql/src/Security/CWE/CWE-764/UnreleasedLock.ql
View File

@@ -5,6 +5,7 @@
* @kind problem
* @id cpp/unreleased-lock
* @problem.severity error
* @security-severity 6.9
* @precision low
* @tags security
* external/cwe/cwe-764

1
cpp/ql/src/Security/CWE/CWE-807/TaintedCondition.ql
View File

@@ -5,6 +5,7 @@
* attack.
* @kind path-problem
* @problem.severity warning
* @security-severity 6.4
* @precision medium
* @id cpp/tainted-permissions-check
* @tags security

1
cpp/ql/src/Security/CWE/CWE-835/InfiniteLoopWithUnsatisfiableExitCondition.ql
View File

@@ -6,6 +6,7 @@
* @kind problem
* @id cpp/infinite-loop-with-unsatisfiable-exit-condition
* @problem.severity warning
* @security-severity 3.6
* @tags security
* external/cwe/cwe-835
*/

4
cpp/ql/src/semmle/code/cpp/Location.qll
View File

@@ -128,7 +128,9 @@ deprecated library class LocationExpr extends Location, @location_expr { }
* Gets the length of the longest line in file `f`.
*/
pragma[nomagic]
private int maxCols(File f) { result = max(Location l | l.getFile() = f | l.getEndColumn()) }
private int maxCols(File f) {
result = max(Location l | l.getFile() = f | l.getStartColumn().maximum(l.getEndColumn()))
}
/**
* A C/C++ element that has a location in a file

281
cpp/ql/src/semmle/code/cpp/commons/CommonType.qll
View File

@@ -63,14 +63,278 @@ class Ptrdiff_t extends Type {
override string getAPrimaryQlClass() { result = "Ptrdiff_t" }
}
/**
* A parent class representing C/C++ a typedef'd `UserType` such as `int8_t`.
*/
abstract private class IntegralUnderlyingUserType extends UserType {
IntegralUnderlyingUserType() { this.getUnderlyingType() instanceof IntegralType }
}
abstract private class TFixedWidthIntegralType extends IntegralUnderlyingUserType { }
/**
* A C/C++ fixed-width numeric type, such as `int8_t`.
*/
class FixedWidthIntegralType extends TFixedWidthIntegralType {
FixedWidthIntegralType() { this instanceof TFixedWidthIntegralType }
}
abstract private class TMinimumWidthIntegralType extends IntegralUnderlyingUserType { }
/**
* A C/C++ minimum-width numeric type, such as `int_least8_t`.
*/
class MinimumWidthIntegralType extends TMinimumWidthIntegralType {
MinimumWidthIntegralType() { this instanceof TMinimumWidthIntegralType }
}
abstract private class TFastestMinimumWidthIntegralType extends IntegralUnderlyingUserType { }
/**
* A C/C++ minimum-width numeric type, representing the fastest integer type with a
* width of at least `N` such as `int_fast8_t`.
*/
class FastestMinimumWidthIntegralType extends TFastestMinimumWidthIntegralType {
FastestMinimumWidthIntegralType() { this instanceof TFastestMinimumWidthIntegralType }
}
abstract private class TMaximumWidthIntegralType extends IntegralUnderlyingUserType { }
/**
* A C/C++ maximum-width numeric type, either `intmax_t` or `uintmax_t`.
*/
class MaximumWidthIntegralType extends TMaximumWidthIntegralType {
MaximumWidthIntegralType() { this instanceof TMaximumWidthIntegralType }
}
/**
* An enum type based on a fixed-width integer type. For instance, `enum e: uint8_t = { a, b };`
*/
class FixedWidthEnumType extends UserType {
FixedWidthEnumType() { this.(Enum).getExplicitUnderlyingType() instanceof FixedWidthIntegralType }
}
/**
* The C/C++ `int8_t` type.
*/
class Int8_t extends TFixedWidthIntegralType {
Int8_t() { this.hasGlobalOrStdName("int8_t") }
override string getAPrimaryQlClass() { result = "Int8_t" }
}
/**
* The C/C++ `int16_t` type.
*/
class Int16_t extends TFixedWidthIntegralType {
Int16_t() { this.hasGlobalOrStdName("int16_t") }
override string getAPrimaryQlClass() { result = "Int16_t" }
}
/**
* The C/C++ `int32_t` type.
*/
class Int32_t extends TFixedWidthIntegralType {
Int32_t() { this.hasGlobalOrStdName("int32_t") }
override string getAPrimaryQlClass() { result = "Int32_t" }
}
/**
* The C/C++ `int64_t` type.
*/
class Int64_t extends TFixedWidthIntegralType {
Int64_t() { this.hasGlobalOrStdName("int64_t") }
override string getAPrimaryQlClass() { result = "Int64_t" }
}
/**
* The C/C++ `uint8_t` type.
*/
class UInt8_t extends TFixedWidthIntegralType {
UInt8_t() { this.hasGlobalOrStdName("uint8_t") }
override string getAPrimaryQlClass() { result = "UInt8_t" }
}
/**
* The C/C++ `uint16_t` type.
*/
class UInt16_t extends TFixedWidthIntegralType {
UInt16_t() { this.hasGlobalOrStdName("uint16_t") }
override string getAPrimaryQlClass() { result = "UInt16_t" }
}
/**
* The C/C++ `uint32_t` type.
*/
class UInt32_t extends TFixedWidthIntegralType {
UInt32_t() { this.hasGlobalOrStdName("uint32_t") }
override string getAPrimaryQlClass() { result = "UInt32_t" }
}
/**
* The C/C++ `uint64_t` type.
*/
class UInt64_t extends TFixedWidthIntegralType {
UInt64_t() { this.hasGlobalOrStdName("uint64_t") }
override string getAPrimaryQlClass() { result = "UInt64_t" }
}
/**
* The C/C++ `int_least8_t` type.
*/
class Int_least8_t extends TMinimumWidthIntegralType {
Int_least8_t() { this.hasGlobalOrStdName("int_least8_t") }
override string getAPrimaryQlClass() { result = "Int_least8_t" }
}
/**
* The C/C++ `int_least16_t` type.
*/
class Int_least16_t extends TMinimumWidthIntegralType {
Int_least16_t() { this.hasGlobalOrStdName("int_least16_t") }
override string getAPrimaryQlClass() { result = "Int_least16_t" }
}
/**
* The C/C++ `int_least32_t` type.
*/
class Int_least32_t extends TMinimumWidthIntegralType {
Int_least32_t() { this.hasGlobalOrStdName("int_least32_t") }
override string getAPrimaryQlClass() { result = "Int_least32_t" }
}
/**
* The C/C++ `int_least64_t` type.
*/
class Int_least64_t extends TMinimumWidthIntegralType {
Int_least64_t() { this.hasGlobalOrStdName("int_least64_t") }
override string getAPrimaryQlClass() { result = "Int_least64_t" }
}
/**
* The C/C++ `uint_least8_t` type.
*/
class UInt_least8_t extends TMinimumWidthIntegralType {
UInt_least8_t() { this.hasGlobalOrStdName("uint_least8_t") }
override string getAPrimaryQlClass() { result = "UInt_least8_t" }
}
/**
* The C/C++ `uint_least16_t` type.
*/
class UInt_least16_t extends TMinimumWidthIntegralType {
UInt_least16_t() { this.hasGlobalOrStdName("uint_least16_t") }
override string getAPrimaryQlClass() { result = "UInt_least16_t" }
}
/**
* The C/C++ `uint_least32_t` type.
*/
class UInt_least32_t extends TMinimumWidthIntegralType {
UInt_least32_t() { this.hasGlobalOrStdName("uint_least32_t") }
override string getAPrimaryQlClass() { result = "UInt_least32_t" }
}
/**
* The C/C++ `uint_least64_t` type.
*/
class UInt_least64_t extends TMinimumWidthIntegralType {
UInt_least64_t() { this.hasGlobalOrStdName("uint_least64_t") }
override string getAPrimaryQlClass() { result = "UInt_least64_t" }
}
/**
* The C/C++ `int_fast8_t` type.
*/
class Int_fast8_t extends TFastestMinimumWidthIntegralType {
Int_fast8_t() { this.hasGlobalOrStdName("int_fast8_t") }
override string getAPrimaryQlClass() { result = "Int_fast8_t" }
}
/**
* The C/C++ `int_fast16_t` type.
*/
class Int_fast16_t extends TFastestMinimumWidthIntegralType {
Int_fast16_t() { this.hasGlobalOrStdName("int_fast16_t") }
override string getAPrimaryQlClass() { result = "Int_fast16_t" }
}
/**
* The C/C++ `int_fast32_t` type.
*/
class Int_fast32_t extends TFastestMinimumWidthIntegralType {
Int_fast32_t() { this.hasGlobalOrStdName("int_fast32_t") }
override string getAPrimaryQlClass() { result = "Int_fast32_t" }
}
/**
* The C/C++ `int_fast64_t` type.
*/
class Int_fast64_t extends TFastestMinimumWidthIntegralType {
Int_fast64_t() { this.hasGlobalOrStdName("int_fast64_t") }
override string getAPrimaryQlClass() { result = "Int_fast64_t" }
}
/**
* The C/C++ `uint_fast8_t` type.
*/
class UInt_fast8_t extends TFastestMinimumWidthIntegralType {
UInt_fast8_t() { this.hasGlobalOrStdName("uint_fast8_t") }
override string getAPrimaryQlClass() { result = "UInt_fast8_t" }
}
/**
* The C/C++ `uint_fast16_t` type.
*/
class UInt_fast16_t extends TFastestMinimumWidthIntegralType {
UInt_fast16_t() { this.hasGlobalOrStdName("uint_fast16_t") }
override string getAPrimaryQlClass() { result = "UInt_fast16_t" }
}
/**
* The C/C++ `uint_fast32_t` type.
*/
class UInt_fast32_t extends TFastestMinimumWidthIntegralType {
UInt_fast32_t() { this.hasGlobalOrStdName("uint_fast32_t") }
override string getAPrimaryQlClass() { result = "UInt_fast32_t" }
}
/**
* The C/C++ `uint_fast64_t` type.
*/
class UInt_fast64_t extends TFastestMinimumWidthIntegralType {
UInt_fast64_t() { this.hasGlobalOrStdName("uint_fast64_t") }
override string getAPrimaryQlClass() { result = "UInt_fast64_t" }
}
/**
* The C/C++ `intmax_t` type.
*/
class Intmax_t extends Type {
Intmax_t() {
this.getUnderlyingType() instanceof IntegralType and
this.hasName("intmax_t")
}
class Intmax_t extends TMaximumWidthIntegralType {
Intmax_t() { this.hasGlobalOrStdName("intmax_t") }
override string getAPrimaryQlClass() { result = "Intmax_t" }
}
@@ -78,11 +342,8 @@ class Intmax_t extends Type {
/**
* The C/C++ `uintmax_t` type.
*/
class Uintmax_t extends Type {
Uintmax_t() {
this.getUnderlyingType() instanceof IntegralType and
this.hasName("uintmax_t")
}
class Uintmax_t extends TMaximumWidthIntegralType {
Uintmax_t() { this.hasGlobalOrStdName("uintmax_t") }
override string getAPrimaryQlClass() { result = "Uintmax_t" }
}

Some files were not shown because too many files have changed in this diff Show More