hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 10:15:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into feature/service-stack

Browse Source
This commit is contained in:
Tamas Vajk
2021-09-16 09:42:42 +02:00
parent 05dd3fa0e7 0198cf6318
commit f015cea590
778 changed files with 28174 additions and 5661 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/csv-coverage-update.yml vendored
View File

@@ -8,7 +8,7 @@ on:
jobs:
update:
name: Update framework coverage report
if: github.event.repository.fork == false
if: github.repository == 'github/codeql'
runs-on: ubuntu-latest
steps:

4
cpp/change-notes/2021-08-31-range-analysis-upper-bound.md Normal file
View File

@@ -0,0 +1,4 @@
lgtm,codescanning
* The `SimpleRangeAnalysis` library includes information from the
immediate guard for determining the upper bound of a stack
variable for improved accuracy.

4
cpp/change-notes/2021-09-13-overflow-static.md Normal file
View File

@@ -0,0 +1,4 @@
lgtm,codescanning
* The `memberMayBeVarSize` predicate considers more fields to be variable size.
As a result, the "Static buffer overflow" query (cpp/static-buffer-overflow)
produces fewer false positives.

37
cpp/ql/lib/semmle/code/cpp/File.qll
View File

@@ -171,7 +171,7 @@ class Container extends Locatable, @container {
* To get the full path, use `getAbsolutePath`.
*/
class Folder extends Container, @folder {
override string getAbsolutePath() { folders(underlyingElement(this), result, _) }
override string getAbsolutePath() { folders(underlyingElement(this), result) }
override Location getLocation() {
result.getContainer() = this and
@@ -190,7 +190,7 @@ class Folder extends Container, @folder {
* DEPRECATED: use `getAbsolutePath` instead.
* Gets the name of this folder.
*/
deprecated string getName() { folders(underlyingElement(this), result, _) }
deprecated string getName() { folders(underlyingElement(this), result) }
/**
* DEPRECATED: use `getAbsolutePath` instead.
@@ -208,17 +208,7 @@ class Folder extends Container, @folder {
* DEPRECATED: use `getBaseName` instead.
* Gets the last part of the folder name.
*/
deprecated string getShortName() {
exists(string longnameRaw, string longname |
folders(underlyingElement(this), _, longnameRaw) and
longname = longnameRaw.replaceAll("\\", "/")
|
exists(int index |
result = longname.splitAt("/", index) and
not exists(longname.splitAt("/", index + 1))
)
)
}
deprecated string getShortName() { result = this.getBaseName() }
/**
* DEPRECATED: use `getParentContainer` instead.
@@ -242,7 +232,7 @@ class Folder extends Container, @folder {
* `getStem` and `getExtension`. To get the full path, use `getAbsolutePath`.
*/
class File extends Container, @file {
override string getAbsolutePath() { files(underlyingElement(this), result, _, _, _) }
override string getAbsolutePath() { files(underlyingElement(this), result) }
override string toString() { result = Container.super.toString() }
@@ -336,7 +326,13 @@ class File extends Container, @file {
* for example, for "file.tar.gz", this predicate will have the result
* "tar.gz", while `getExtension` will have the result "gz".
*/
string getExtensions() { files(underlyingElement(this), _, _, result, _) }
string getExtensions() {
exists(string name, int firstDotPos |
name = this.getBaseName() and
firstDotPos = min([name.indexOf("."), name.length() - 1]) and
result = name.suffix(firstDotPos + 1)
)
}
/**
* Gets the short name of this file, that is, the prefix of its base name up
@@ -351,7 +347,16 @@ class File extends Container, @file {
* for example, for "file.tar.gz", this predicate will have the result
* "file", while `getStem` will have the result "file.tar".
*/
string getShortName() { files(underlyingElement(this), _, result, _, _) }
string getShortName() {
exists(string name, int firstDotPos |
name = this.getBaseName() and
firstDotPos = min([name.indexOf("."), name.length()]) and
result = name.prefix(firstDotPos)
)
or
this.getAbsolutePath() = "" and
result = ""
}
}
/**

46
cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll
View File

@@ -2,17 +2,18 @@ import cpp
import semmle.code.cpp.dataflow.DataFlow
/**
* Holds if `v` is a member variable of `c` that looks like it might be variable sized in practice. For
* example:
* Holds if `v` is a member variable of `c` that looks like it might be variable sized
* in practice. For example:
* ```
* struct myStruct { // c
* int amount;
* char data[1]; // v
* };
* ```
* This requires that `v` is an array of size 0 or 1, and `v` is the last member of `c`. In addition,
* there must be at least one instance where a `c` pointer is allocated with additional space. For
* example, holds for `c` if it occurs as
* This requires that `v` is an array of size 0 or 1, and `v` is the last member of `c`.
* In addition, if the size of the structure is taken, there must be at least one instance
* where a `c` pointer is allocated with additional space.
* For example, holds for `c` if it occurs as
* ```
* malloc(sizeof(c) + 100 * sizeof(char))
* ```
@@ -27,27 +28,25 @@ predicate memberMayBeVarSize(Class c, MemberVariable v) {
i = max(int j | c.getCanonicalMember(j) instanceof Field | j) and
v = c.getCanonicalMember(i) and
// v is an array of size at most 1
v.getUnspecifiedType().(ArrayType).getArraySize() <= 1
v.getUnspecifiedType().(ArrayType).getArraySize() <= 1 and
not c instanceof Union
) and
// If the size is taken, then arithmetic is performed on the result at least once
(
// `sizeof(c)` is not taken
not exists(SizeofOperator so |
so.(SizeofTypeOperator).getTypeOperand().getUnspecifiedType() = c or
so.(SizeofExprOperator).getExprOperand().getUnspecifiedType() = c
)
or
// or `sizeof(c)` is taken
exists(SizeofOperator so |
// `sizeof(c)` is taken
so.(SizeofTypeOperator).getTypeOperand().getUnspecifiedType() = c or
so.(SizeofExprOperator).getExprOperand().getUnspecifiedType() = c
|
// arithmetic is performed on the result
// and arithmetic is performed on the result
so.getParent*() instanceof AddExpr
)
or
exists(AddressOfExpr aoe |
// `&(c.v)` is taken
aoe.getAddressable() = v
)
or
exists(BuiltInOperationBuiltInOffsetOf oo |
// `offsetof(c, v)` using a builtin
oo.getAChild().(VariableAccess).getTarget() = v
)
)
}
@@ -61,6 +60,10 @@ int getBufferSize(Expr bufferExpr, Element why) {
result = bufferVar.getUnspecifiedType().(ArrayType).getSize() and
why = bufferVar and
not memberMayBeVarSize(_, bufferVar) and
not exists(Union bufferType |
bufferType.getAMemberVariable() = why and
bufferVar.getUnspecifiedType().(ArrayType).getSize() <= 1
) and
not result = 0 // zero sized arrays are likely to have special usage, for example
or
// behaving a bit like a 'union' overlapping other fields.
@@ -82,6 +85,13 @@ int getBufferSize(Expr bufferExpr, Element why) {
parentPtr.getTarget().getUnspecifiedType().(PointerType).getBaseType() = parentClass and
result = getBufferSize(parentPtr, _) + bufferVar.getType().getSize() - parentClass.getSize()
)
or
exists(Union bufferType |
bufferType.getAMemberVariable() = why and
why = bufferVar and
bufferVar.getUnspecifiedType().(ArrayType).getSize() <= 1 and
result = bufferType.getSize()
)
)
or
// buffer is a fixed size dynamic allocation

42
cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
View File

@@ -923,28 +923,29 @@ private module Stage2 {
ApOption apSome(Ap ap) { result = TBooleanSome(ap) }
class Cc = boolean;
class Cc = CallContext;
class CcCall extends Cc {
CcCall() { this = true }
class CcCall = CallContextCall;
/** Holds if this call context may be `call`. */
predicate matchesCall(DataFlowCall call) { any() }
}
class CcNoCall = CallContextNoCall;
class CcNoCall extends Cc {
CcNoCall() { this = false }
}
Cc ccNone() { result = false }
Cc ccNone() { result instanceof CallContextAny }
private class LocalCc = Unit;
bindingset[call, c, outercc]
private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() }
private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) {
checkCallContextCall(outercc, call, c) and
if recordDataFlowCallSiteDispatch(call, c)
then result = TSpecificCall(call)
else result = TSomeCall()
}
bindingset[call, c, innercc]
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) {
checkCallContextReturn(innercc, c, call) and
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
@@ -1172,7 +1173,8 @@ private module Stage2 {
fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
pragma[only_bind_into](config)) and
fwdFlowOutFromArg(call, out, argAp0, ap, config) and
fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
pragma[only_bind_into](config))
)
}
@@ -1860,7 +1862,8 @@ private module Stage3 {
fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
pragma[only_bind_into](config)) and
fwdFlowOutFromArg(call, out, argAp0, ap, config) and
fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
pragma[only_bind_into](config))
)
}
@@ -2117,7 +2120,7 @@ private module Stage3 {
private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) {
exists(AccessPathFront apf |
Stage3::revFlow(node, true, _, apf, config) and
Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config)
Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config)
)
}
@@ -2618,7 +2621,8 @@ private module Stage4 {
fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
pragma[only_bind_into](config)) and
fwdFlowOutFromArg(call, out, argAp0, ap, config) and
fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
pragma[only_bind_into](config))
)
}
@@ -3686,8 +3690,8 @@ private module Subpaths {
*/
predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
exists(ParamNodeEx p, NodeEx o, AccessPath apout |
arg.getASuccessor() = par and
arg.getASuccessor() = out and
pragma[only_bind_into](arg).getASuccessor() = par and
pragma[only_bind_into](arg).getASuccessor() = out and
subpaths03(arg, p, ret, o, apout) and
par.getNodeEx() = p and
out.getNodeEx() = o and

42
cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
View File

@@ -923,28 +923,29 @@ private module Stage2 {
ApOption apSome(Ap ap) { result = TBooleanSome(ap) }
class Cc = boolean;
class Cc = CallContext;
class CcCall extends Cc {
CcCall() { this = true }
class CcCall = CallContextCall;
/** Holds if this call context may be `call`. */
predicate matchesCall(DataFlowCall call) { any() }
}
class CcNoCall = CallContextNoCall;
class CcNoCall extends Cc {
CcNoCall() { this = false }
}
Cc ccNone() { result = false }
Cc ccNone() { result instanceof CallContextAny }
private class LocalCc = Unit;
bindingset[call, c, outercc]
private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() }
private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) {
checkCallContextCall(outercc, call, c) and
if recordDataFlowCallSiteDispatch(call, c)
then result = TSpecificCall(call)
else result = TSomeCall()
}
bindingset[call, c, innercc]
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) {
checkCallContextReturn(innercc, c, call) and
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
@@ -1172,7 +1173,8 @@ private module Stage2 {
fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
pragma[only_bind_into](config)) and
fwdFlowOutFromArg(call, out, argAp0, ap, config) and
fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
pragma[only_bind_into](config))
)
}
@@ -1860,7 +1862,8 @@ private module Stage3 {
fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
pragma[only_bind_into](config)) and
fwdFlowOutFromArg(call, out, argAp0, ap, config) and
fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
pragma[only_bind_into](config))
)
}
@@ -2117,7 +2120,7 @@ private module Stage3 {
private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) {
exists(AccessPathFront apf |
Stage3::revFlow(node, true, _, apf, config) and
Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config)
Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config)
)
}
@@ -2618,7 +2621,8 @@ private module Stage4 {
fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
pragma[only_bind_into](config)) and
fwdFlowOutFromArg(call, out, argAp0, ap, config) and
fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
pragma[only_bind_into](config))
)
}
@@ -3686,8 +3690,8 @@ private module Subpaths {
*/
predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
exists(ParamNodeEx p, NodeEx o, AccessPath apout |
arg.getASuccessor() = par and
arg.getASuccessor() = out and
pragma[only_bind_into](arg).getASuccessor() = par and
pragma[only_bind_into](arg).getASuccessor() = out and
subpaths03(arg, p, ret, o, apout) and
par.getNodeEx() = p and
out.getNodeEx() = o and

42
cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
View File

@@ -923,28 +923,29 @@ private module Stage2 {
ApOption apSome(Ap ap) { result = TBooleanSome(ap) }
class Cc = boolean;
class Cc = CallContext;
class CcCall extends Cc {
CcCall() { this = true }
class CcCall = CallContextCall;
/** Holds if this call context may be `call`. */
predicate matchesCall(DataFlowCall call) { any() }
}
class CcNoCall = CallContextNoCall;
class CcNoCall extends Cc {
CcNoCall() { this = false }
}
Cc ccNone() { result = false }
Cc ccNone() { result instanceof CallContextAny }
private class LocalCc = Unit;
bindingset[call, c, outercc]
private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() }
private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) {
checkCallContextCall(outercc, call, c) and
if recordDataFlowCallSiteDispatch(call, c)
then result = TSpecificCall(call)
else result = TSomeCall()
}
bindingset[call, c, innercc]
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) {
checkCallContextReturn(innercc, c, call) and
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
@@ -1172,7 +1173,8 @@ private module Stage2 {
fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
pragma[only_bind_into](config)) and
fwdFlowOutFromArg(call, out, argAp0, ap, config) and
fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
pragma[only_bind_into](config))
)
}
@@ -1860,7 +1862,8 @@ private module Stage3 {
fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
pragma[only_bind_into](config)) and
fwdFlowOutFromArg(call, out, argAp0, ap, config) and
fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
pragma[only_bind_into](config))
)
}
@@ -2117,7 +2120,7 @@ private module Stage3 {
private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) {
exists(AccessPathFront apf |
Stage3::revFlow(node, true, _, apf, config) and
Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config)
Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config)
)
}
@@ -2618,7 +2621,8 @@ private module Stage4 {
fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
pragma[only_bind_into](config)) and
fwdFlowOutFromArg(call, out, argAp0, ap, config) and
fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
pragma[only_bind_into](config))
)
}
@@ -3686,8 +3690,8 @@ private module Subpaths {
*/
predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
exists(ParamNodeEx p, NodeEx o, AccessPath apout |
arg.getASuccessor() = par and
arg.getASuccessor() = out and
pragma[only_bind_into](arg).getASuccessor() = par and
pragma[only_bind_into](arg).getASuccessor() = out and
subpaths03(arg, p, ret, o, apout) and
par.getNodeEx() = p and
out.getNodeEx() = o and

42
cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
View File

@@ -923,28 +923,29 @@ private module Stage2 {
ApOption apSome(Ap ap) { result = TBooleanSome(ap) }
class Cc = boolean;
class Cc = CallContext;
class CcCall extends Cc {
CcCall() { this = true }
class CcCall = CallContextCall;
/** Holds if this call context may be `call`. */
predicate matchesCall(DataFlowCall call) { any() }
}
class CcNoCall = CallContextNoCall;
class CcNoCall extends Cc {
CcNoCall() { this = false }
}
Cc ccNone() { result = false }
Cc ccNone() { result instanceof CallContextAny }
private class LocalCc = Unit;
bindingset[call, c, outercc]
private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() }
private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) {
checkCallContextCall(outercc, call, c) and
if recordDataFlowCallSiteDispatch(call, c)
then result = TSpecificCall(call)
else result = TSomeCall()
}
bindingset[call, c, innercc]
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) {
checkCallContextReturn(innercc, c, call) and
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
@@ -1172,7 +1173,8 @@ private module Stage2 {
fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
pragma[only_bind_into](config)) and
fwdFlowOutFromArg(call, out, argAp0, ap, config) and
fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
pragma[only_bind_into](config))
)
}
@@ -1860,7 +1862,8 @@ private module Stage3 {
fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
pragma[only_bind_into](config)) and
fwdFlowOutFromArg(call, out, argAp0, ap, config) and
fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
pragma[only_bind_into](config))
)
}
@@ -2117,7 +2120,7 @@ private module Stage3 {
private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) {
exists(AccessPathFront apf |
Stage3::revFlow(node, true, _, apf, config) and
Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config)
Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config)
)
}
@@ -2618,7 +2621,8 @@ private module Stage4 {
fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
pragma[only_bind_into](config)) and
fwdFlowOutFromArg(call, out, argAp0, ap, config) and
fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
pragma[only_bind_into](config))
)
}
@@ -3686,8 +3690,8 @@ private module Subpaths {
*/
predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
exists(ParamNodeEx p, NodeEx o, AccessPath apout |
arg.getASuccessor() = par and
arg.getASuccessor() = out and
pragma[only_bind_into](arg).getASuccessor() = par and
pragma[only_bind_into](arg).getASuccessor() = out and
subpaths03(arg, p, ret, o, apout) and
par.getNodeEx() = p and
out.getNodeEx() = o and

22
cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
View File

@@ -786,13 +786,18 @@ private module Cached {
}
/**
* Holds if the call context `call` either improves virtual dispatch in
* `callable` or if it allows us to prune unreachable nodes in `callable`.
* Holds if the call context `call` improves virtual dispatch in `callable`.
*/
cached
predicate recordDataFlowCallSite(DataFlowCall call, DataFlowCallable callable) {
predicate recordDataFlowCallSiteDispatch(DataFlowCall call, DataFlowCallable callable) {
reducedViableImplInCallContext(_, callable, call)
or
}
/**
* Holds if the call context `call` allows us to prune unreachable nodes in `callable`.
*/
cached
predicate recordDataFlowCallSiteUnreachable(DataFlowCall call, DataFlowCallable callable) {
exists(Node n | getNodeEnclosingCallable(n) = callable | isUnreachableInCallCached(n, call))
}
@@ -846,6 +851,15 @@ private module Cached {
TAccessPathFrontSome(AccessPathFront apf)
}
/**
* Holds if the call context `call` either improves virtual dispatch in
* `callable` or if it allows us to prune unreachable nodes in `callable`.
*/
predicate recordDataFlowCallSite(DataFlowCall call, DataFlowCallable callable) {
recordDataFlowCallSiteDispatch(call, callable) or
recordDataFlowCallSiteUnreachable(call, callable)
}
/**
* A `Node` at which a cast can occur such that the type should be checked.
*/

42
cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
View File

@@ -923,28 +923,29 @@ private module Stage2 {
ApOption apSome(Ap ap) { result = TBooleanSome(ap) }
class Cc = boolean;
class Cc = CallContext;
class CcCall extends Cc {
CcCall() { this = true }
class CcCall = CallContextCall;
/** Holds if this call context may be `call`. */
predicate matchesCall(DataFlowCall call) { any() }
}
class CcNoCall = CallContextNoCall;
class CcNoCall extends Cc {
CcNoCall() { this = false }
}
Cc ccNone() { result = false }
Cc ccNone() { result instanceof CallContextAny }
private class LocalCc = Unit;
bindingset[call, c, outercc]
private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() }
private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) {
checkCallContextCall(outercc, call, c) and
if recordDataFlowCallSiteDispatch(call, c)
then result = TSpecificCall(call)
else result = TSomeCall()
}
bindingset[call, c, innercc]
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) {
checkCallContextReturn(innercc, c, call) and
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
@@ -1172,7 +1173,8 @@ private module Stage2 {
fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
pragma[only_bind_into](config)) and
fwdFlowOutFromArg(call, out, argAp0, ap, config) and
fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
pragma[only_bind_into](config))
)
}
@@ -1860,7 +1862,8 @@ private module Stage3 {
fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
pragma[only_bind_into](config)) and
fwdFlowOutFromArg(call, out, argAp0, ap, config) and
fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
pragma[only_bind_into](config))
)
}
@@ -2117,7 +2120,7 @@ private module Stage3 {
private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) {
exists(AccessPathFront apf |
Stage3::revFlow(node, true, _, apf, config) and
Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config)
Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config)
)
}
@@ -2618,7 +2621,8 @@ private module Stage4 {
fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
pragma[only_bind_into](config)) and
fwdFlowOutFromArg(call, out, argAp0, ap, config) and
fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
pragma[only_bind_into](config))
)
}
@@ -3686,8 +3690,8 @@ private module Subpaths {
*/
predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
exists(ParamNodeEx p, NodeEx o, AccessPath apout |
arg.getASuccessor() = par and
arg.getASuccessor() = out and
pragma[only_bind_into](arg).getASuccessor() = par and
pragma[only_bind_into](arg).getASuccessor() = out and
subpaths03(arg, p, ret, o, apout) and
par.getNodeEx() = p and
out.getNodeEx() = o and

42
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
View File

@@ -923,28 +923,29 @@ private module Stage2 {
ApOption apSome(Ap ap) { result = TBooleanSome(ap) }
class Cc = boolean;
class Cc = CallContext;
class CcCall extends Cc {
CcCall() { this = true }
class CcCall = CallContextCall;
/** Holds if this call context may be `call`. */
predicate matchesCall(DataFlowCall call) { any() }
}
class CcNoCall = CallContextNoCall;
class CcNoCall extends Cc {
CcNoCall() { this = false }
}
Cc ccNone() { result = false }
Cc ccNone() { result instanceof CallContextAny }
private class LocalCc = Unit;
bindingset[call, c, outercc]
private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() }
private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) {
checkCallContextCall(outercc, call, c) and
if recordDataFlowCallSiteDispatch(call, c)
then result = TSpecificCall(call)
else result = TSomeCall()
}
bindingset[call, c, innercc]
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) {
checkCallContextReturn(innercc, c, call) and
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
@@ -1172,7 +1173,8 @@ private module Stage2 {
fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
pragma[only_bind_into](config)) and
fwdFlowOutFromArg(call, out, argAp0, ap, config) and
fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
pragma[only_bind_into](config))
)
}
@@ -1860,7 +1862,8 @@ private module Stage3 {
fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
pragma[only_bind_into](config)) and
fwdFlowOutFromArg(call, out, argAp0, ap, config) and
fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
pragma[only_bind_into](config))
)
}
@@ -2117,7 +2120,7 @@ private module Stage3 {
private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) {
exists(AccessPathFront apf |
Stage3::revFlow(node, true, _, apf, config) and
Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config)
Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config)
)
}
@@ -2618,7 +2621,8 @@ private module Stage4 {
fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
pragma[only_bind_into](config)) and
fwdFlowOutFromArg(call, out, argAp0, ap, config) and
fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
pragma[only_bind_into](config))
)
}
@@ -3686,8 +3690,8 @@ private module Subpaths {
*/
predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
exists(ParamNodeEx p, NodeEx o, AccessPath apout |
arg.getASuccessor() = par and
arg.getASuccessor() = out and
pragma[only_bind_into](arg).getASuccessor() = par and
pragma[only_bind_into](arg).getASuccessor() = out and
subpaths03(arg, p, ret, o, apout) and
par.getNodeEx() = p and
out.getNodeEx() = o and

42
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
View File

@@ -923,28 +923,29 @@ private module Stage2 {
ApOption apSome(Ap ap) { result = TBooleanSome(ap) }
class Cc = boolean;
class Cc = CallContext;
class CcCall extends Cc {
CcCall() { this = true }
class CcCall = CallContextCall;
/** Holds if this call context may be `call`. */
predicate matchesCall(DataFlowCall call) { any() }
}
class CcNoCall = CallContextNoCall;
class CcNoCall extends Cc {
CcNoCall() { this = false }
}
Cc ccNone() { result = false }
Cc ccNone() { result instanceof CallContextAny }
private class LocalCc = Unit;
bindingset[call, c, outercc]
private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() }
private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) {
checkCallContextCall(outercc, call, c) and
if recordDataFlowCallSiteDispatch(call, c)
then result = TSpecificCall(call)
else result = TSomeCall()
}
bindingset[call, c, innercc]
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) {
checkCallContextReturn(innercc, c, call) and
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
@@ -1172,7 +1173,8 @@ private module Stage2 {
fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
pragma[only_bind_into](config)) and
fwdFlowOutFromArg(call, out, argAp0, ap, config) and
fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
pragma[only_bind_into](config))
)
}
@@ -1860,7 +1862,8 @@ private module Stage3 {
fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
pragma[only_bind_into](config)) and
fwdFlowOutFromArg(call, out, argAp0, ap, config) and
fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
pragma[only_bind_into](config))
)
}
@@ -2117,7 +2120,7 @@ private module Stage3 {
private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) {
exists(AccessPathFront apf |
Stage3::revFlow(node, true, _, apf, config) and
Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config)
Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config)
)
}
@@ -2618,7 +2621,8 @@ private module Stage4 {
fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
pragma[only_bind_into](config)) and
fwdFlowOutFromArg(call, out, argAp0, ap, config) and
fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
pragma[only_bind_into](config))
)
}
@@ -3686,8 +3690,8 @@ private module Subpaths {
*/
predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
exists(ParamNodeEx p, NodeEx o, AccessPath apout |
arg.getASuccessor() = par and
arg.getASuccessor() = out and
pragma[only_bind_into](arg).getASuccessor() = par and
pragma[only_bind_into](arg).getASuccessor() = out and
subpaths03(arg, p, ret, o, apout) and
par.getNodeEx() = p and
out.getNodeEx() = o and

42
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
View File

@@ -923,28 +923,29 @@ private module Stage2 {
ApOption apSome(Ap ap) { result = TBooleanSome(ap) }
class Cc = boolean;
class Cc = CallContext;
class CcCall extends Cc {
CcCall() { this = true }
class CcCall = CallContextCall;
/** Holds if this call context may be `call`. */
predicate matchesCall(DataFlowCall call) { any() }
}
class CcNoCall = CallContextNoCall;
class CcNoCall extends Cc {
CcNoCall() { this = false }
}
Cc ccNone() { result = false }
Cc ccNone() { result instanceof CallContextAny }
private class LocalCc = Unit;
bindingset[call, c, outercc]
private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() }
private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) {
checkCallContextCall(outercc, call, c) and
if recordDataFlowCallSiteDispatch(call, c)
then result = TSpecificCall(call)
else result = TSomeCall()
}
bindingset[call, c, innercc]
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) {
checkCallContextReturn(innercc, c, call) and
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
@@ -1172,7 +1173,8 @@ private module Stage2 {
fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
pragma[only_bind_into](config)) and
fwdFlowOutFromArg(call, out, argAp0, ap, config) and
fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
pragma[only_bind_into](config))
)
}
@@ -1860,7 +1862,8 @@ private module Stage3 {
fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
pragma[only_bind_into](config)) and
fwdFlowOutFromArg(call, out, argAp0, ap, config) and
fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
pragma[only_bind_into](config))
)
}
@@ -2117,7 +2120,7 @@ private module Stage3 {
private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) {
exists(AccessPathFront apf |
Stage3::revFlow(node, true, _, apf, config) and
Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config)
Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config)
)
}
@@ -2618,7 +2621,8 @@ private module Stage4 {
fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
pragma[only_bind_into](config)) and
fwdFlowOutFromArg(call, out, argAp0, ap, config) and
fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
pragma[only_bind_into](config))
)
}
@@ -3686,8 +3690,8 @@ private module Subpaths {
*/
predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
exists(ParamNodeEx p, NodeEx o, AccessPath apout |
arg.getASuccessor() = par and
arg.getASuccessor() = out and
pragma[only_bind_into](arg).getASuccessor() = par and
pragma[only_bind_into](arg).getASuccessor() = out and
subpaths03(arg, p, ret, o, apout) and
par.getNodeEx() = p and
out.getNodeEx() = o and

42
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
View File

@@ -923,28 +923,29 @@ private module Stage2 {
ApOption apSome(Ap ap) { result = TBooleanSome(ap) }
class Cc = boolean;
class Cc = CallContext;
class CcCall extends Cc {
CcCall() { this = true }
class CcCall = CallContextCall;
/** Holds if this call context may be `call`. */
predicate matchesCall(DataFlowCall call) { any() }
}
class CcNoCall = CallContextNoCall;
class CcNoCall extends Cc {
CcNoCall() { this = false }
}
Cc ccNone() { result = false }
Cc ccNone() { result instanceof CallContextAny }
private class LocalCc = Unit;
bindingset[call, c, outercc]
private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() }
private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) {
checkCallContextCall(outercc, call, c) and
if recordDataFlowCallSiteDispatch(call, c)
then result = TSpecificCall(call)
else result = TSomeCall()
}
bindingset[call, c, innercc]
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) { any() }
private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call, Cc innercc) {
checkCallContextReturn(innercc, c, call) and
if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
}
bindingset[node, cc, config]
private LocalCc getLocalCc(NodeEx node, Cc cc, Configuration config) { any() }
@@ -1172,7 +1173,8 @@ private module Stage2 {
fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
pragma[only_bind_into](config)) and
fwdFlowOutFromArg(call, out, argAp0, ap, config) and
fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
pragma[only_bind_into](config))
)
}
@@ -1860,7 +1862,8 @@ private module Stage3 {
fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
pragma[only_bind_into](config)) and
fwdFlowOutFromArg(call, out, argAp0, ap, config) and
fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
pragma[only_bind_into](config))
)
}
@@ -2117,7 +2120,7 @@ private module Stage3 {
private predicate flowCandSummaryCtx(NodeEx node, AccessPathFront argApf, Configuration config) {
exists(AccessPathFront apf |
Stage3::revFlow(node, true, _, apf, config) and
Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config)
Stage3::fwdFlow(node, any(Stage3::CcCall ccc), TAccessPathFrontSome(argApf), apf, config)
)
}
@@ -2618,7 +2621,8 @@ private module Stage4 {
fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
pragma[only_bind_into](config)) and
fwdFlowOutFromArg(call, out, argAp0, ap, config) and
fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
fwdFlowIsEntered(pragma[only_bind_into](call), pragma[only_bind_into](cc),
pragma[only_bind_into](argAp), pragma[only_bind_into](argAp0),
pragma[only_bind_into](config))
)
}
@@ -3686,8 +3690,8 @@ private module Subpaths {
*/
predicate subpaths(PathNode arg, PathNodeImpl par, PathNodeMid ret, PathNodeMid out) {
exists(ParamNodeEx p, NodeEx o, AccessPath apout |
arg.getASuccessor() = par and
arg.getASuccessor() = out and
pragma[only_bind_into](arg).getASuccessor() = par and
pragma[only_bind_into](arg).getASuccessor() = out and
subpaths03(arg, p, ret, o, apout) and
par.getNodeEx() = p and
out.getNodeEx() = o and

22
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
View File

@@ -786,13 +786,18 @@ private module Cached {
}
/**
* Holds if the call context `call` either improves virtual dispatch in
* `callable` or if it allows us to prune unreachable nodes in `callable`.
* Holds if the call context `call` improves virtual dispatch in `callable`.
*/
cached
predicate recordDataFlowCallSite(DataFlowCall call, DataFlowCallable callable) {
predicate recordDataFlowCallSiteDispatch(DataFlowCall call, DataFlowCallable callable) {
reducedViableImplInCallContext(_, callable, call)
or
}
/**
* Holds if the call context `call` allows us to prune unreachable nodes in `callable`.
*/
cached
predicate recordDataFlowCallSiteUnreachable(DataFlowCall call, DataFlowCallable callable) {
exists(Node n | getNodeEnclosingCallable(n) = callable | isUnreachableInCallCached(n, call))
}
@@ -846,6 +851,15 @@ private module Cached {
TAccessPathFrontSome(AccessPathFront apf)
}
/**
* Holds if the call context `call` either improves virtual dispatch in
* `callable` or if it allows us to prune unreachable nodes in `callable`.
*/
predicate recordDataFlowCallSite(DataFlowCall call, DataFlowCallable callable) {
recordDataFlowCallSiteDispatch(call, callable) or
recordDataFlowCallSiteUnreachable(call, callable)
}
/**
* A `Node` at which a cast can occur such that the type should be checked.
*/

15
cpp/ql/lib/semmle/code/cpp/rangeanalysis/RangeSSA.qll
View File

@@ -95,10 +95,19 @@ class RangeSsaDefinition extends ControlFlowNodeBase {
/**
* If this definition is a phi node corresponding to a guard,
* then return the variable and the guard.
* then return the variable access and the guard.
*/
predicate isGuardPhi(VariableAccess v, Expr guard, boolean branch) {
guard_defn(v, guard, this, branch)
predicate isGuardPhi(VariableAccess va, Expr guard, boolean branch) {
guard_defn(va, guard, this, branch)
}
/**
* If this definition is a phi node corresponding to a guard,
* then return the variable guarded, the variable access and the guard.
*/
predicate isGuardPhi(StackVariable v, VariableAccess va, Expr guard, boolean branch) {
guard_defn(va, guard, this, branch) and
va.getTarget() = v
}
/** Gets the primary location of this definition. */

29
cpp/ql/lib/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll
View File

@@ -1530,6 +1530,29 @@ private predicate isUnsupportedGuardPhi(Variable v, RangeSsaDefinition phi, Vari
)
}
/**
* Gets the upper bound of the expression, if the expression is guarded.
* An upper bound can only be found, if a guard phi node can be found, and the
* expression has only one immediate predecessor.
*/
private float getGuardedUpperBound(VariableAccess guardedAccess) {
exists(
RangeSsaDefinition def, StackVariable v, VariableAccess guardVa, Expr guard, boolean branch
|
def.isGuardPhi(v, guardVa, guard, branch) and
// If the basic block for the variable access being examined has
// more than one predecessor, the guard phi node could originate
// from one of the predecessors. This is because the guard phi
// node is attached to the block at the end of the edge and not on
// the actual edge. It is therefore not possible to determine which
// edge the guard phi node belongs to. The predicate below ensures
// that there is one predecessor, albeit somewhat conservative.
exists(unique(BasicBlock b | b = def.(BasicBlock).getAPredecessor())) and
guardedAccess = def.getAUse(v) and
result = max(float ub | upperBoundFromGuard(guard, guardVa, ub, branch))
)
}
cached
private module SimpleRangeAnalysisCached {
/**
@@ -1565,9 +1588,9 @@ private module SimpleRangeAnalysisCached {
*/
cached
float upperBound(Expr expr) {
// Combine the upper bounds returned by getTruncatedUpperBounds into a
// single maximum value.
result = max(float ub | ub = getTruncatedUpperBounds(expr) | ub)
// Combine the upper bounds returned by getTruncatedUpperBounds and
// getGuardedUpperBound into a single maximum value
result = min([max(getTruncatedUpperBounds(expr)), getGuardedUpperBound(expr)])
}
/**

13
cpp/ql/lib/semmlecode.cpp.dbscheme
View File

@@ -310,23 +310,14 @@ diagnostics(
int location: @location_default ref
);
/*
fromSource(0) = unknown,
fromSource(1) = from source,
fromSource(2) = from library
*/
files(
unique int id: @file,
string name: string ref,
string simple: string ref,
string ext: string ref,
int fromSource: int ref
string name: string ref
);
folders(
unique int id: @folder,
string name: string ref,
string simple: string ref
string name: string ref
);
@container = @folder | @file

568
cpp/ql/lib/semmlecode.cpp.dbscheme.stats
View File

@@ -12875,18 +12875,6 @@
<k>name</k>
<v>59320</v>
</e>
<e>
<k>simple</k>
<v>40580</v>
</e>
<e>
<k>ext</k>
<v>97</v>
</e>
<e>
<k>fromSource</k>
<v>10</v>
</e>
</columnsizes>
<dependencies>
<dep>
@@ -12906,54 +12894,6 @@
</val>
</dep>
<dep>
<src>id</src>
<trg>simple</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>1</a>
<b>2</b>
<v>59320</v>
</b>
</bs>
</hist>
</val>
</dep>
<dep>
<src>id</src>
<trg>ext</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>1</a>
<b>2</b>
<v>59320</v>
</b>
</bs>
</hist>
</val>
</dep>
<dep>
<src>id</src>
<trg>fromSource</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>1</a>
<b>2</b>
<v>59320</v>
</b>
</bs>
</hist>
</val>
</dep>
<dep>
<src>name</src>
<trg>id</trg>
<val>
@@ -12969,406 +12909,6 @@
</hist>
</val>
</dep>
<dep>
<src>name</src>
<trg>simple</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>1</a>
<b>2</b>
<v>59320</v>
</b>
</bs>
</hist>
</val>
</dep>
<dep>
<src>name</src>
<trg>ext</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>1</a>
<b>2</b>
<v>59320</v>
</b>
</bs>
</hist>
</val>
</dep>
<dep>
<src>name</src>
<trg>fromSource</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>1</a>
<b>2</b>
<v>59320</v>
</b>
</bs>
</hist>
</val>
</dep>
<dep>
<src>simple</src>
<trg>id</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>1</a>
<b>2</b>
<v>30814</v>
</b>
<b>
<a>2</a>
<b>3</b>
<v>6123</v>
</b>
<b>
<a>3</a>
<b>7</b>
<v>3197</v>
</b>
<b>
<a>7</a>
<b>42</b>
<v>444</v>
</b>
</bs>
</hist>
</val>
</dep>
<dep>
<src>simple</src>
<trg>name</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>1</a>
<b>2</b>
<v>30814</v>
</b>
<b>
<a>2</a>
<b>3</b>
<v>6123</v>
</b>
<b>
<a>3</a>
<b>7</b>
<v>3197</v>
</b>
<b>
<a>7</a>
<b>42</b>
<v>444</v>
</b>
</bs>
</hist>
</val>
</dep>
<dep>
<src>simple</src>
<trg>ext</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>1</a>
<b>2</b>
<v>36277</v>
</b>
<b>
<a>2</a>
<b>3</b>
<v>3739</v>
</b>
<b>
<a>3</a>
<b>6</b>
<v>563</v>
</b>
</bs>
</hist>
</val>
</dep>
<dep>
<src>simple</src>
<trg>fromSource</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>1</a>
<b>2</b>
<v>40580</v>
</b>
</bs>
</hist>
</val>
</dep>
<dep>
<src>ext</src>
<trg>id</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>1</a>
<b>2</b>
<v>10</v>
</b>
<b>
<a>3</a>
<b>4</b>
<v>10</v>
</b>
<b>
<a>15</a>
<b>16</b>
<v>10</v>
</b>
<b>
<a>38</a>
<b>39</b>
<v>10</v>
</b>
<b>
<a>80</a>
<b>81</b>
<v>10</v>
</b>
<b>
<a>114</a>
<b>115</b>
<v>10</v>
</b>
<b>
<a>441</a>
<b>442</b>
<v>10</v>
</b>
<b>
<a>768</a>
<b>769</b>
<v>10</v>
</b>
<b>
<a>4013</a>
<b>4014</b>
<v>10</v>
</b>
</bs>
</hist>
</val>
</dep>
<dep>
<src>ext</src>
<trg>name</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>1</a>
<b>2</b>
<v>10</v>
</b>
<b>
<a>3</a>
<b>4</b>
<v>10</v>
</b>
<b>
<a>15</a>
<b>16</b>
<v>10</v>
</b>
<b>
<a>38</a>
<b>39</b>
<v>10</v>
</b>
<b>
<a>80</a>
<b>81</b>
<v>10</v>
</b>
<b>
<a>114</a>
<b>115</b>
<v>10</v>
</b>
<b>
<a>441</a>
<b>442</b>
<v>10</v>
</b>
<b>
<a>768</a>
<b>769</b>
<v>10</v>
</b>
<b>
<a>4013</a>
<b>4014</b>
<v>10</v>
</b>
</bs>
</hist>
</val>
</dep>
<dep>
<src>ext</src>
<trg>simple</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>1</a>
<b>2</b>
<v>10</v>
</b>
<b>
<a>3</a>
<b>4</b>
<v>10</v>
</b>
<b>
<a>15</a>
<b>16</b>
<v>10</v>
</b>
<b>
<a>38</a>
<b>39</b>
<v>10</v>
</b>
<b>
<a>75</a>
<b>76</b>
<v>10</v>
</b>
<b>
<a>112</a>
<b>113</b>
<v>10</v>
</b>
<b>
<a>428</a>
<b>429</b>
<v>10</v>
</b>
<b>
<a>688</a>
<b>689</b>
<v>10</v>
</b>
<b>
<a>2838</a>
<b>2839</b>
<v>10</v>
</b>
</bs>
</hist>
</val>
</dep>
<dep>
<src>ext</src>
<trg>fromSource</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>1</a>
<b>2</b>
<v>97</v>
</b>
</bs>
</hist>
</val>
</dep>
<dep>
<src>fromSource</src>
<trg>id</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>5473</a>
<b>5474</b>
<v>10</v>
</b>
</bs>
</hist>
</val>
</dep>
<dep>
<src>fromSource</src>
<trg>name</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>5473</a>
<b>5474</b>
<v>10</v>
</b>
</bs>
</hist>
</val>
</dep>
<dep>
<src>fromSource</src>
<trg>simple</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>3744</a>
<b>3745</b>
<v>10</v>
</b>
</bs>
</hist>
</val>
</dep>
<dep>
<src>fromSource</src>
<trg>ext</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>9</a>
<b>10</b>
<v>10</v>
</b>
</bs>
</hist>
</val>
</dep>
</dependencies>
</relation>
<relation>
@@ -13383,10 +12923,6 @@
<k>name</k>
<v>10817</v>
</e>
<e>
<k>simple</k>
<v>3099</v>
</e>
</columnsizes>
<dependencies>
<dep>
@@ -13406,22 +12942,6 @@
</val>
</dep>
<dep>
<src>id</src>
<trg>simple</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>1</a>
<b>2</b>
<v>10817</v>
</b>
</bs>
</hist>
</val>
</dep>
<dep>
<src>name</src>
<trg>id</trg>
<val>
@@ -13437,94 +12957,6 @@
</hist>
</val>
</dep>
<dep>
<src>name</src>
<trg>simple</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>1</a>
<b>2</b>
<v>10817</v>
</b>
</bs>
</hist>
</val>
</dep>
<dep>
<src>simple</src>
<trg>id</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>1</a>
<b>2</b>
<v>1669</v>
</b>
<b>
<a>2</a>
<b>3</b>
<v>661</v>
</b>
<b>
<a>3</a>
<b>4</b>
<v>433</v>
</b>
<b>
<a>4</a>
<b>17</b>
<v>238</v>
</b>
<b>
<a>27</a>
<b>121</b>
<v>97</v>
</b>
</bs>
</hist>
</val>
</dep>
<dep>
<src>simple</src>
<trg>name</trg>
<val>
<hist>
<budget>12</budget>
<bs>
<b>
<a>1</a>
<b>2</b>
<v>1669</v>
</b>
<b>
<a>2</a>
<b>3</b>
<v>661</v>
</b>
<b>
<a>3</a>
<b>4</b>
<v>433</v>
</b>
<b>
<a>4</a>
<b>17</b>
<v>238</v>
</b>
<b>
<a>27</a>
<b>121</b>
<v>97</v>
</b>
</bs>
</hist>
</val>
</dep>
</dependencies>
</relation>
<relation>

12
cpp/ql/src/Metrics/Internal/DiagnosticsSumElapsedTimes.ql Normal file
View File

@@ -0,0 +1,12 @@
/**
* @name Sum of frontend and extractor time
* @description The sum of elapsed frontend time, and the sum of elapsed extractor time.
* This query is for internal use only and may change without notice.
* @kind table
* @id cpp/frontend-and-extractor-time
*/
import cpp
select sum(Compilation c, float seconds | compilation_time(c, _, 2, seconds) | seconds) as sum_frontend_elapsed_seconds,
sum(Compilation c, float seconds | compilation_time(c, _, 4, seconds) | seconds) as sum_extractor_elapsed_seconds

13
cpp/ql/src/experimental/Security/CWE/CWE-675/DoubleRelease.c Normal file
View File

@@ -0,0 +1,13 @@
...
fs = socket(AF_UNIX, SOCK_STREAM, 0)
...
close(fs);
fs = -1; // GOOD
...
...
fs = socket(AF_UNIX, SOCK_STREAM, 0)
...
close(fs);
if(fs) close(fs); // BAD
...

26
cpp/ql/src/experimental/Security/CWE/CWE-675/DoubleRelease.qhelp Normal file
View File

@@ -0,0 +1,26 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>Double release of the descriptor can lead to a crash of the program. Requires the attention of developers.</p>
</overview>
<recommendation>
<p>We recommend that you exclude situations of possible double release.</p>
</recommendation>
<example>
<p>The following example demonstrates an erroneous and corrected use of descriptor deallocation.</p>
<sample src="DoubleRelease.c" />
</example>
<references>
<li>
CERT C Coding Standard:
<a href="https://wiki.sei.cmu.edu/confluence/display/c/FIO46-C.+Do+not+access+a+closed+file">FIO46-C. Do not access a closed file</a>.
</li>
</references>
</qhelp>

142
cpp/ql/src/experimental/Security/CWE/CWE-675/DoubleRelease.ql Normal file
View File

@@ -0,0 +1,142 @@
/**
* @name Errors When Double Release
* @description Double release of the descriptor can lead to a crash of the program.
* @kind problem
* @id cpp/double-release
* @problem.severity warning
* @precision medium
* @tags security
* external/cwe/cwe-675
* external/cwe/cwe-666
*/
import cpp
import semmle.code.cpp.commons.File
import semmle.code.cpp.valuenumbering.GlobalValueNumbering
import semmle.code.cpp.valuenumbering.HashCons
/**
* A function call that potentially does not return (such as `exit`).
*/
class CallMayNotReturn extends FunctionCall {
CallMayNotReturn() {
// call that is known to not return
not exists(this.(ControlFlowNode).getASuccessor())
or
// call to another function that may not return
exists(CallMayNotReturn exit | getTarget() = exit.getEnclosingFunction())
or
exists(ThrowExpr tex | tex = this.(ControlFlowNode).getASuccessor())
}
}
/** Holds if there are no assignment expressions to the function argument. */
pragma[inline]
predicate checkChangeVariable(FunctionCall fc0, ControlFlowNode fc1, ControlFlowNode fc2) {
not exists(Expr exptmp |
(
exptmp = fc0.getArgument(0).(VariableAccess).getTarget().getAnAssignedValue() or
exptmp.(AddressOfExpr).getOperand() =
fc0.getArgument(0).(VariableAccess).getTarget().getAnAccess()
) and
exptmp = fc1.getASuccessor*() and
exptmp = fc2.getAPredecessor*()
) and
(
(
not fc0.getArgument(0) instanceof PointerFieldAccess and
not fc0.getArgument(0) instanceof ValueFieldAccess
or
fc0.getArgument(0).(VariableAccess).getQualifier() instanceof ThisExpr
)
or
not exists(Expr exptmp |
(
exptmp =
fc0.getArgument(0)
.(VariableAccess)
.getQualifier()
.(VariableAccess)
.getTarget()
.getAnAssignedValue() or
exptmp.(AddressOfExpr).getOperand() =
fc0.getArgument(0)
.(VariableAccess)
.getQualifier()
.(VariableAccess)
.getTarget()
.getAnAccess()
) and
exptmp = fc1.getASuccessor*() and
exptmp = fc2.getAPredecessor*()
)
)
}
/** Holds if the underlying expression is a call to the close function. Provided that the function parameter does not change after the call. */
predicate closeReturn(FunctionCall fc) {
fcloseCall(fc, _) and
checkChangeVariable(fc, fc, fc.getEnclosingFunction())
}
/** Holds if the underlying expression is a call to the close function. Provided that the function parameter does not change before the call. */
predicate closeWithoutChangeBefore(FunctionCall fc) {
fcloseCall(fc, _) and
checkChangeVariable(fc, fc.getEnclosingFunction().getEntryPoint(), fc)
}
/** Holds, if a sequential call of the specified functions is possible, via a higher-level function call. */
predicate callInOtherFunctions(FunctionCall fc, FunctionCall fc1) {
exists(FunctionCall fec1, FunctionCall fec2 |
fc.getEnclosingFunction() != fc1.getEnclosingFunction() and
fec1 = fc.getEnclosingFunction().getACallToThisFunction() and
fec2 = fc1.getEnclosingFunction().getACallToThisFunction() and
fec1.getASuccessor*() = fec2 and
checkChangeVariable(fc, fec1, fec2)
)
}
/** Holds if successive calls to close functions are possible. */
predicate interDoubleCloseFunctions(FunctionCall fc, FunctionCall fc1) {
fcloseCall(fc, _) and
fcloseCall(fc1, _) and
fc != fc1 and
fc.getASuccessor*() = fc1 and
checkChangeVariable(fc, fc, fc1)
}
/** Holds if the first arguments of the two functions are similar. */
predicate similarArguments(FunctionCall fc, FunctionCall fc1) {
globalValueNumber(fc.getArgument(0)) = globalValueNumber(fc1.getArgument(0))
or
fc.getArgument(0).(VariableAccess).getTarget() = fc1.getArgument(0).(VariableAccess).getTarget() and
(
not fc.getArgument(0) instanceof PointerFieldAccess and
not fc.getArgument(0) instanceof ValueFieldAccess
or
fc.getArgument(0).(VariableAccess).getQualifier() instanceof ThisExpr
)
or
fc.getArgument(0).(VariableAccess).getTarget() = fc1.getArgument(0).(VariableAccess).getTarget() and
(
fc.getArgument(0) instanceof PointerFieldAccess or
fc.getArgument(0) instanceof ValueFieldAccess
) and
hashCons(fc.getArgument(0)) = hashCons(fc1.getArgument(0))
}
from FunctionCall fc, FunctionCall fc1
where
not exists(CallMayNotReturn fctmp | fctmp = fc.getASuccessor*()) and
not exists(IfStmt ifs | ifs.getCondition().getAChild*() = fc) and
(
// detecting a repeated call situation within one function
closeReturn(fc) and
closeWithoutChangeBefore(fc1) and
callInOtherFunctions(fc, fc1)
or
// detection of repeated call in different functions
interDoubleCloseFunctions(fc, fc1)
) and
similarArguments(fc, fc1)
select fc, "Second call to the $@ function is possible.", fc1, fc1.getTarget().getName()

1
cpp/ql/src/jsf/4.13 Functions/AV Rule 114.ql
View File

@@ -63,6 +63,7 @@ where
functionsMissingReturnStmt(f, blame) and
reachable(blame) and
not functionImperfectlyExtracted(f) and
not f.isFromUninstantiatedTemplate(_) and
(blame = stmt or blame.(Expr).getEnclosingStmt() = stmt) and
msg =
"Function " + f.getName() + " should return a value of type " + f.getType().getName() +

33
cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/lowerBound.expected
View File

@@ -594,6 +594,11 @@
| test.c:659:9:659:9 | u | 0 |
| test.c:664:12:664:12 | s | -2147483648 |
| test.c:665:7:665:8 | s2 | -4 |
| test.c:670:7:670:7 | x | -2147483648 |
| test.c:671:9:671:9 | y | -2147483648 |
| test.c:675:7:675:7 | y | -2147483648 |
| test.c:684:7:684:7 | x | -2147483648 |
| test.c:689:7:689:7 | x | -2147483648 |
| test.cpp:10:7:10:7 | b | -2147483648 |
| test.cpp:11:5:11:5 | x | -2147483648 |
| test.cpp:13:10:13:10 | x | -2147483648 |
@@ -647,16 +652,18 @@
| test.cpp:97:10:97:10 | i | -2147483648 |
| test.cpp:97:22:97:22 | i | -2147483648 |
| test.cpp:98:5:98:5 | i | -2147483648 |
| test.cpp:105:7:105:7 | n | -32768 |
| test.cpp:108:7:108:7 | n | 0 |
| test.cpp:109:5:109:5 | n | 1 |
| test.cpp:111:5:111:5 | n | 0 |
| test.cpp:114:8:114:8 | n | 0 |
| test.cpp:115:5:115:5 | n | 0 |
| test.cpp:117:5:117:5 | n | 1 |
| test.cpp:120:3:120:3 | n | 0 |
| test.cpp:120:8:120:8 | n | 1 |
| test.cpp:120:12:120:12 | n | 0 |
| test.cpp:121:4:121:4 | n | 0 |
| test.cpp:121:8:121:8 | n | 0 |
| test.cpp:121:12:121:12 | n | 1 |
| test.cpp:98:9:98:9 | i | -2147483648 |
| test.cpp:99:5:99:5 | i | -2147483648 |
| test.cpp:106:7:106:7 | n | -32768 |
| test.cpp:109:7:109:7 | n | 0 |
| test.cpp:110:5:110:5 | n | 1 |
| test.cpp:112:5:112:5 | n | 0 |
| test.cpp:115:8:115:8 | n | 0 |
| test.cpp:116:5:116:5 | n | 0 |
| test.cpp:118:5:118:5 | n | 1 |
| test.cpp:121:3:121:3 | n | 0 |
| test.cpp:121:8:121:8 | n | 1 |
| test.cpp:121:12:121:12 | n | 0 |
| test.cpp:122:4:122:4 | n | 0 |
| test.cpp:122:8:122:8 | n | 0 |
| test.cpp:122:12:122:12 | n | 1 |

4
cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/ternaryLower.expected
View File

@@ -15,5 +15,5 @@
| test.c:394:20:394:36 | ... ? ... : ... | 0.0 | 0.0 | 100.0 |
| test.c:606:5:606:14 | ... ? ... : ... | 0.0 | 1.0 | 0.0 |
| test.c:607:5:607:14 | ... ? ... : ... | 0.0 | 0.0 | 1.0 |
| test.cpp:120:3:120:12 | ... ? ... : ... | 0.0 | 1.0 | 0.0 |
| test.cpp:121:3:121:12 | ... ? ... : ... | 0.0 | 0.0 | 1.0 |
| test.cpp:121:3:121:12 | ... ? ... : ... | 0.0 | 1.0 | 0.0 |
| test.cpp:122:3:122:12 | ... ? ... : ... | 0.0 | 0.0 | 1.0 |

4
cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/ternaryUpper.expected
View File

@@ -15,5 +15,5 @@
| test.c:394:20:394:36 | ... ? ... : ... | 100.0 | 99.0 | 100.0 |
| test.c:606:5:606:14 | ... ? ... : ... | 32767.0 | 32767.0 | 0.0 |
| test.c:607:5:607:14 | ... ? ... : ... | 32767.0 | 0.0 | 32767.0 |
| test.cpp:120:3:120:12 | ... ? ... : ... | 32767.0 | 32767.0 | 0.0 |
| test.cpp:121:3:121:12 | ... ? ... : ... | 32767.0 | 0.0 | 32767.0 |
| test.cpp:121:3:121:12 | ... ? ... : ... | 32767.0 | 32767.0 | 0.0 |
| test.cpp:122:3:122:12 | ... ? ... : ... | 32767.0 | 0.0 | 32767.0 |

25
cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/test.c
View File

@@ -664,3 +664,28 @@ void test_mod(int s) {
int s2 = s % 5;
out(s2); // -4 .. 4
}
void exit(int);
void guard_with_exit(int x, int y) {
if (x) {
if (y != 0) {
exit(0);
}
}
out(y); // ..
// This test ensures that we correctly identify
// that the upper bound for y is max_int when calling `out(y)`.
// The RangeSsa will place guardPhy on `out(y)`, and consequently there is no
// frontier phi node at out(y).
}
void test(int x) {
if (x >= 10) {
return;
}
// The basic below has two predecessors.
label:
out(x);
goto label;
}

1
cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/test.cpp
View File

@@ -95,6 +95,7 @@ int ref_to_number(int &i, const int &ci, int &aliased) {
return alias;
for (; i <= 12345; i++) { // test that widening works for references
i = i;
i;
}

41
cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/upperBound.expected
View File

@@ -584,9 +584,9 @@
| test.c:639:9:639:10 | ss | 2 |
| test.c:645:8:645:8 | s | 2147483647 |
| test.c:645:15:645:15 | s | 127 |
| test.c:645:23:645:23 | s | 15 |
| test.c:646:18:646:18 | s | 15 |
| test.c:646:22:646:22 | s | 15 |
| test.c:645:23:645:23 | s | 9 |
| test.c:646:18:646:18 | s | 9 |
| test.c:646:22:646:22 | s | 9 |
| test.c:647:9:647:14 | result | 127 |
| test.c:653:7:653:7 | i | 0 |
| test.c:654:9:654:9 | i | 2147483647 |
@@ -594,6 +594,11 @@
| test.c:659:9:659:9 | u | 4294967295 |
| test.c:664:12:664:12 | s | 2147483647 |
| test.c:665:7:665:8 | s2 | 4 |
| test.c:670:7:670:7 | x | 2147483647 |
| test.c:671:9:671:9 | y | 2147483647 |
| test.c:675:7:675:7 | y | 2147483647 |
| test.c:684:7:684:7 | x | 2147483647 |
| test.c:689:7:689:7 | x | 15 |
| test.cpp:10:7:10:7 | b | 2147483647 |
| test.cpp:11:5:11:5 | x | 2147483647 |
| test.cpp:13:10:13:10 | x | 2147483647 |
@@ -646,17 +651,19 @@
| test.cpp:95:12:95:16 | alias | 2147483647 |
| test.cpp:97:10:97:10 | i | 65535 |
| test.cpp:97:22:97:22 | i | 32767 |
| test.cpp:98:5:98:5 | i | 32767 |
| test.cpp:105:7:105:7 | n | 32767 |
| test.cpp:108:7:108:7 | n | 32767 |
| test.cpp:109:5:109:5 | n | 32767 |
| test.cpp:111:5:111:5 | n | 0 |
| test.cpp:114:8:114:8 | n | 32767 |
| test.cpp:115:5:115:5 | n | 0 |
| test.cpp:117:5:117:5 | n | 32767 |
| test.cpp:120:3:120:3 | n | 32767 |
| test.cpp:120:8:120:8 | n | 32767 |
| test.cpp:120:12:120:12 | n | 0 |
| test.cpp:121:4:121:4 | n | 32767 |
| test.cpp:121:8:121:8 | n | 0 |
| test.cpp:121:12:121:12 | n | 32767 |
| test.cpp:98:5:98:5 | i | 2147483647 |
| test.cpp:98:9:98:9 | i | 12345 |
| test.cpp:99:5:99:5 | i | 32767 |
| test.cpp:106:7:106:7 | n | 32767 |
| test.cpp:109:7:109:7 | n | 32767 |
| test.cpp:110:5:110:5 | n | 32767 |
| test.cpp:112:5:112:5 | n | 0 |
| test.cpp:115:8:115:8 | n | 32767 |
| test.cpp:116:5:116:5 | n | 0 |
| test.cpp:118:5:118:5 | n | 32767 |
| test.cpp:121:3:121:3 | n | 32767 |
| test.cpp:121:8:121:8 | n | 32767 |
| test.cpp:121:12:121:12 | n | 0 |
| test.cpp:122:4:122:4 | n | 32767 |
| test.cpp:122:8:122:8 | n | 0 |
| test.cpp:122:12:122:12 | n | 32767 |

4
cpp/ql/test/query-tests/Critical/OverflowStatic/OverflowStatic.expected
View File

@@ -9,6 +9,10 @@
| test.c:15:9:15:13 | access to array | Potential buffer-overflow: 'xs' has size 5 but 'xs[6]' is accessed here. |
| test.c:20:9:20:18 | access to array | Potential buffer-overflow: 'ys' has size 5 but 'ys[5]' is accessed here. |
| test.c:21:9:21:18 | access to array | Potential buffer-overflow: 'ys' has size 5 but 'ys[6]' is accessed here. |
| test.c:47:3:47:18 | access to array | Potential buffer-overflow: 'ptr' has size 8 but 'ptr[8]' is accessed here. |
| test.c:54:3:54:26 | access to array | Potential buffer-overflow: 'ptr' has size 8 but 'ptr[8]' is accessed here. |
| test.c:61:3:61:18 | access to array | Potential buffer-overflow: 'ptr' has size 8 but 'ptr[8]' is accessed here. |
| test.c:72:3:72:11 | access to array | Potential buffer-overflow: 'buf' has size 1 but 'buf[1]' is accessed here. |
| test.cpp:19:3:19:12 | access to array | Potential buffer-overflow: counter 'i' <= 3 but 'buffer1' has 3 elements. |
| test.cpp:20:3:20:12 | access to array | Potential buffer-overflow: counter 'i' <= 3 but 'buffer2' has 3 elements. |
| test.cpp:24:27:24:27 | 4 | Potential buffer-overflow: 'buffer1' has size 3 not 4. |

44
cpp/ql/test/query-tests/Critical/OverflowStatic/test.c
View File

@@ -27,3 +27,47 @@ void f(void) {
c = stru.zs[6]; // GOOD (zs is variable size)
}
void* malloc(long unsigned int);
void test_buffer_sentinal() {
struct { char len; char buf[1]; } *b = malloc(10); // len(buf.buffer) effectively 8
b->buf[0] = 0; // GOOD
b->buf[7] = 0; // GOOD
b->buf[8] = 0; // BAD [NOT DETECTED]
}
union u {
unsigned long value;
char ptr[1];
};
void union_test() {
union u u;
u.ptr[0] = 0; // GOOD
u.ptr[sizeof(u)-1] = 0; // GOOD
u.ptr[sizeof(u)] = 0; // BAD
}
void test_struct_union() {
struct { union u u; } v;
v.u.ptr[0] = 0; // GOOD
v.u.ptr[sizeof(union u)-1] = 0; // GOOD
v.u.ptr[sizeof(union u)] = 0; // BAD
}
void union_test2() {
union { char ptr[1]; unsigned long value; } u;
u.ptr[0] = 0; // GOOD
u.ptr[sizeof(u)-1] = 0; // GOOD
u.ptr[sizeof(u)] = 0; // BAD
}
typedef struct {
char len;
char buf[1];
} var_buf;
void test_alloc() {
// Special case of taking sizeof without any addition or multiplications
var_buf *b = malloc(sizeof(var_buf));
b->buf[1] = 0; // BAD
}

10
cpp/ql/test/query-tests/Critical/OverflowStatic/test.cpp
View File

@@ -46,3 +46,13 @@ void f2(char *src)
ptr = &(buffer[1]);
memcpy(ptr, src, 100); // BAD [NOT DETECTED]
}
void f3() {
int i;
char buffer[5];
for (i=0; i<10; i++) {
if (i < 5) {
buffer[i] = 0; // GOOD
}
}
}

2
cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/PointlessComparison.c
View File

@@ -115,7 +115,7 @@ int twoReasons(int a, int b) {
if (a <= 0 && b > 5) {
return a < b;
}
if (a <= 100 && b > 105) {
if (a <= 100 && b > 105) { // BUG [Not detected - this clause is always false]
return a > b;
}
return 0;

134
cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp Normal file
View File

@@ -0,0 +1,134 @@
/**
* This test case is closely based on CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp
* from the SAMATE Juliet test suite.
*/
#define NULL (0)
typedef unsigned long size_t;
typedef size_t time_t;
time_t time(time_t *timer);
typedef struct {} FILE;
extern FILE *stdin;
FILE *fopen(const char *filename, const char *mode);
int fclose(FILE *stream);
#define FILENAME_MAX (4096)
typedef unsigned long size_t;
size_t strlen(const char *s);
char *strcat(char *s1, const char *s2);
char *fgets(char *s, int n, FILE *stream);
int globalReturnsTrue()
{
return 1;
}
int globalReturnsFalse()
{
return 0;
}
void printLine(const char *str);
#define BASEPATH "c:\\temp\\"
#define FOPEN fopen
namespace CWE23_Relative_Path_Traversal__char_console_fopen_11
{
void bad()
{
char * data;
char dataBuffer[FILENAME_MAX] = BASEPATH;
data = dataBuffer;
if(globalReturnsTrue())
{
{
/* Read input from the console */
size_t dataLen = strlen(data);
/* if there is room in data, read into it from the console */
if (FILENAME_MAX-dataLen > 1)
{
/* POTENTIAL FLAW: Read data from the console */
if (fgets(data+dataLen, (int)(FILENAME_MAX-dataLen), stdin) != NULL)
{
/* The next few lines remove the carriage return from the string that is
* inserted by fgets() */
dataLen = strlen(data);
if (dataLen > 0 && data[dataLen-1] == '\n')
{
data[dataLen-1] = '\0';
}
}
else
{
printLine("fgets() failed");
/* Restore NUL terminator if fgets fails */
data[dataLen] = '\0';
}
}
}
}
{
FILE *pFile = NULL;
/* POTENTIAL FLAW: Possibly opening a file without validating the file name or path */
pFile = FOPEN(data, "wb+");
if (pFile != NULL)
{
fclose(pFile);
}
}
}
/* goodG2B1() - use goodsource and badsink by changing the globalReturnsTrue() to globalReturnsFalse() */
static void goodG2B1()
{
char * data;
char dataBuffer[FILENAME_MAX] = BASEPATH;
data = dataBuffer;
if(globalReturnsFalse())
{
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
printLine("Benign, fixed string");
}
else
{
/* FIX: Use a fixed file name */
strcat(data, "file.txt");
}
{
FILE *pFile = NULL;
/* POTENTIAL FLAW: Possibly opening a file without validating the file name or path */
pFile = FOPEN(data, "wb+");
if (pFile != NULL)
{
fclose(pFile);
}
}
}
/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
static void goodG2B2()
{
char * data;
char dataBuffer[FILENAME_MAX] = BASEPATH;
data = dataBuffer;
if(globalReturnsTrue())
{
/* FIX: Use a fixed file name */
strcat(data, "file.txt");
}
{
FILE *pFile = NULL;
/* POTENTIAL FLAW: Possibly opening a file without validating the file name or path */
pFile = FOPEN(data, "wb+");
if (pFile != NULL)
{
fclose(pFile);
}
}
}
}

17
cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/TaintedPath.expected Normal file
View File

@@ -0,0 +1,17 @@
edges
| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | ... + ... | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | (const char *)... |
| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | ... + ... | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data |
| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | ... + ... | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data indirection |
| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | (const char *)... |
| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data |
| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data indirection |
nodes
| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | ... + ... | semmle.label | ... + ... |
| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | semmle.label | fgets output argument |
| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | (const char *)... | semmle.label | (const char *)... |
| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | (const char *)... | semmle.label | (const char *)... |
| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data | semmle.label | data |
| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data indirection | semmle.label | data indirection |
| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data indirection | semmle.label | data indirection |
#select
| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | ... + ... | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data | This argument to a file access function is derived from $@ and then passed to fopen(filename) | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | ... + ... | user input (fgets) |

1
cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/TaintedPath.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE/CWE-022/TaintedPath.ql

1
cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/ExecTainted.expected Normal file
View File

@@ -0,0 +1 @@
| tests.cpp:53:16:53:19 | data | This argument to an OS command is derived from $@ and then passed to system(string) | tests.cpp:33:34:33:39 | call to getenv | user input (getenv) |

1
cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/ExecTainted.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE/CWE-078/ExecTainted.ql

58
cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/tests.cpp Normal file
View File

@@ -0,0 +1,58 @@
//semmle-extractor-options: --edg --target --edg win64
// A selection of tests from the SAMATE Juliet framework for rule CWE-78.
// library types, functions etc
#define NULL (0)
typedef unsigned long size_t;
size_t strlen(const char *s);
char *strncat(char *s1, const char *s2, size_t n);
char *getenv(const char *name);
int system(const char *string);
void exit(int status);
#define FULL_COMMAND "dir "
#define ENV_VARIABLE "ADD"
#define GETENV getenv
#define SYSTEM system
void printLine(const char *str);
// ----------
/* The static variable below is used to drive control flow in the source function */
static int badStatic = 0;
static char * badSource(char * data)
{
if(badStatic)
{
{
/* Append input from an environment variable to data */
size_t dataLen = strlen(data);
char * environment = GETENV(ENV_VARIABLE);
/* If there is data in the environment variable */
if (environment != NULL)
{
/* POTENTIAL FLAW: Read data from an environment variable */
strncat(data+dataLen, environment, 100-dataLen-1);
}
}
}
return data;
}
void CWE78_OS_Command_Injection__char_environment_system_21_bad()
{
char * data;
char data_buf[100] = FULL_COMMAND;
data = data_buf;
badStatic = 1; /* true */
data = badSource(data);
/* POTENTIAL FLAW: Execute command in data possibly leading to command injection [NOT DETECTED] */
if (SYSTEM(data) != 0)
{
printLine("command execution failed!");
exit(1);
}
}

30
cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.expected Normal file
View File

@@ -0,0 +1,30 @@
edges
| test.cpp:37:73:37:76 | *data | test.cpp:43:32:43:35 | (LPCSTR)... |
| test.cpp:37:73:37:76 | *data | test.cpp:43:32:43:35 | data |
| test.cpp:37:73:37:76 | *data | test.cpp:43:32:43:35 | data indirection |
| test.cpp:37:73:37:76 | data | test.cpp:43:32:43:35 | (LPCSTR)... |
| test.cpp:37:73:37:76 | data | test.cpp:43:32:43:35 | data |
| test.cpp:37:73:37:76 | data | test.cpp:43:32:43:35 | data |
| test.cpp:37:73:37:76 | data | test.cpp:43:32:43:35 | data indirection |
| test.cpp:64:30:64:35 | call to getenv | test.cpp:73:17:73:22 | data |
| test.cpp:64:30:64:35 | call to getenv | test.cpp:73:17:73:22 | data |
| test.cpp:64:30:64:35 | call to getenv | test.cpp:73:24:73:27 | data indirection |
| test.cpp:64:30:64:35 | call to getenv | test.cpp:73:24:73:27 | data indirection |
| test.cpp:73:17:73:22 | data | test.cpp:37:73:37:76 | data |
| test.cpp:73:24:73:27 | data indirection | test.cpp:37:73:37:76 | *data |
nodes
| test.cpp:37:73:37:76 | *data | semmle.label | *data |
| test.cpp:37:73:37:76 | data | semmle.label | data |
| test.cpp:43:32:43:35 | (LPCSTR)... | semmle.label | (LPCSTR)... |
| test.cpp:43:32:43:35 | (LPCSTR)... | semmle.label | (LPCSTR)... |
| test.cpp:43:32:43:35 | data | semmle.label | data |
| test.cpp:43:32:43:35 | data | semmle.label | data |
| test.cpp:43:32:43:35 | data | semmle.label | data |
| test.cpp:43:32:43:35 | data indirection | semmle.label | data indirection |
| test.cpp:43:32:43:35 | data indirection | semmle.label | data indirection |
| test.cpp:64:30:64:35 | call to getenv | semmle.label | call to getenv |
| test.cpp:64:30:64:35 | call to getenv | semmle.label | call to getenv |
| test.cpp:73:17:73:22 | data | semmle.label | data |
| test.cpp:73:24:73:27 | data indirection | semmle.label | data indirection |
#select
| test.cpp:43:32:43:35 | data | test.cpp:64:30:64:35 | call to getenv | test.cpp:43:32:43:35 | data | The value of this argument may come from $@ and is being passed to LoadLibraryA | test.cpp:64:30:64:35 | call to getenv | call to getenv |

1
cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE/CWE-114/UncontrolledProcessOperation.ql

132
cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/test.cpp Normal file
View File

@@ -0,0 +1,132 @@
// Some SAMATE Juliet test cases for CWE-114.
typedef unsigned long size_t;
typedef unsigned int BOOL;
typedef const char *LPCSTR;
typedef void *HMODULE;
#define NULL (0)
size_t strlen(const char *s);
char *strncat(char *s1, const char *s2, size_t n);
HMODULE LoadLibraryA(LPCSTR libname);
BOOL FreeLibrary(HMODULE hModule);
char *getenv(const char *name);
#define GETENV getenv
#define ENV_VARIABLE "ADD"
void printLine(const char *msg);
// --- CWE114_Process_Control__w32_char_environment_82 ---
class CWE114_Process_Control__w32_char_environment_82_base
{
public:
/* pure virtual function */
virtual void action(char * data) = 0;
};
class CWE114_Process_Control__w32_char_environment_82_bad : public CWE114_Process_Control__w32_char_environment_82_base
{
public:
void action(char * data);
};
void CWE114_Process_Control__w32_char_environment_82_bad::action(char * data)
{
{
HMODULE hModule;
/* POTENTIAL FLAW: If the path to the library is not specified, an attacker may be able to
* replace his own file with the intended library */
hModule = LoadLibraryA(data);
if (hModule != NULL)
{
FreeLibrary(hModule);
printLine("Library loaded and freed successfully");
}
else
{
printLine("Unable to load library");
}
}
}
void bad()
{
char * data;
char dataBuffer[100] = "";
data = dataBuffer;
{
/* Append input from an environment variable to data */
size_t dataLen = strlen(data);
char * environment = GETENV(ENV_VARIABLE);
/* If there is data in the environment variable */
if (environment != NULL)
{
/* POTENTIAL FLAW: Read data from an environment variable */
strncat(data+dataLen, environment, 100-dataLen-1);
}
}
CWE114_Process_Control__w32_char_environment_82_base* baseObject = new CWE114_Process_Control__w32_char_environment_82_bad;
baseObject->action(data);
delete baseObject;
}
// --- CWE114_Process_Control__w32_char_console_33 ---
typedef struct {} FILE;
char *fgets(char *s, int n, FILE *stream);
FILE *stdin;
void CWE114_Process_Control__w32_char_console_33_bad()
{
char * data;
char * &dataRef = data;
char dataBuffer[100] = "";
data = dataBuffer;
{
/* Read input from the console */
size_t dataLen = strlen(data);
/* if there is room in data, read into it from the console */
if (100-dataLen > 1)
{
/* POTENTIAL FLAW: Read data from the console [NOT DETECTED] */
if (fgets(data+dataLen, (int)(100-dataLen), stdin) != NULL)
{
/* The next few lines remove the carriage return from the string that is
* inserted by fgets() */
dataLen = strlen(data);
if (dataLen > 0 && data[dataLen-1] == '\n')
{
data[dataLen-1] = '\0';
}
}
else
{
printLine("fgets() failed");
/* Restore NUL terminator if fgets fails */
data[dataLen] = '\0';
}
}
}
{
char * data = dataRef;
{
HMODULE hModule;
/* POTENTIAL FLAW: If the path to the library is not specified, an attacker may be able to
* replace his own file with the intended library */
hModule = LoadLibraryA(data);
if (hModule != NULL)
{
FreeLibrary(hModule);
printLine("Library loaded and freed successfully");
}
else
{
printLine("Unable to load library");
}
}
}
}

4
cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/BadlyBoundedWrite.expected Normal file
View File

@@ -0,0 +1,4 @@
| tests.cpp:350:13:350:19 | call to strncat | This 'call to strncat' operation is limited to 100 bytes but the destination is only 50 bytes. |
| tests.cpp:452:9:452:15 | call to wcsncpy | This 'call to wcsncpy' operation is limited to 396 bytes but the destination is only 200 bytes. |
| tests.cpp:481:9:481:16 | call to swprintf | This 'call to swprintf' operation is limited to 400 bytes but the destination is only 200 bytes. |
| tests.cpp:630:13:630:20 | call to swprintf | This 'call to swprintf' operation is limited to 400 bytes but the destination is only 200 bytes. |

1
cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/BadlyBoundedWrite.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE/CWE-120/BadlyBoundedWrite.ql

0
cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OffsetUseBeforeRangeCheck.expected Normal file
View File

1
cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OffsetUseBeforeRangeCheck.qlref Normal file
View File

@@ -0,0 +1 @@
Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql

19
cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowBuffer.expected Normal file
View File

@@ -0,0 +1,19 @@
| tests.cpp:45:9:45:14 | call to memcpy | This 'memcpy' operation accesses 32 bytes but the $@ is only 16 bytes. | tests.cpp:32:10:32:18 | charFirst | destination buffer |
| tests.cpp:60:9:60:14 | call to memcpy | This 'memcpy' operation accesses 32 bytes but the $@ is only 16 bytes. | tests.cpp:32:10:32:18 | charFirst | destination buffer |
| tests.cpp:171:9:171:14 | call to memcpy | This 'memcpy' operation accesses 100 bytes but the $@ is only 50 bytes. | tests.cpp:164:20:164:25 | call to malloc | destination buffer |
| tests.cpp:172:9:172:19 | access to array | This array indexing operation accesses byte offset 99 but the $@ is only 50 bytes. | tests.cpp:164:20:164:25 | call to malloc | array |
| tests.cpp:192:9:192:14 | call to memcpy | This 'memcpy' operation accesses 100 bytes but the $@ is only 50 bytes. | tests.cpp:181:10:181:22 | dataBadBuffer | destination buffer |
| tests.cpp:192:9:192:14 | call to memcpy | This 'memcpy' operation accesses 100 bytes but the $@ is only 50 bytes. | tests.cpp:185:12:185:24 | dataBadBuffer | destination buffer |
| tests.cpp:193:9:193:19 | access to array | This array indexing operation accesses byte offset 99 but the $@ is only 50 bytes. | tests.cpp:181:10:181:22 | dataBadBuffer | array |
| tests.cpp:193:9:193:19 | access to array | This array indexing operation accesses byte offset 99 but the $@ is only 50 bytes. | tests.cpp:185:12:185:24 | dataBadBuffer | array |
| tests.cpp:212:9:212:14 | call to memcpy | This 'memcpy' operation accesses 100 bytes but the $@ is only 50 bytes. | tests.cpp:201:36:201:41 | call to alloca | destination buffer |
| tests.cpp:212:9:212:14 | call to memcpy | This 'memcpy' operation accesses 100 bytes but the $@ is only 50 bytes. | tests.cpp:205:12:205:24 | dataBadBuffer | destination buffer |
| tests.cpp:213:9:213:19 | access to array | This array indexing operation accesses byte offset 99 but the $@ is only 50 bytes. | tests.cpp:201:36:201:41 | call to alloca | array |
| tests.cpp:213:9:213:19 | access to array | This array indexing operation accesses byte offset 99 but the $@ is only 50 bytes. | tests.cpp:205:12:205:24 | dataBadBuffer | array |
| tests.cpp:237:9:237:19 | access to array | This array indexing operation accesses byte offset 99 but the $@ is only 50 bytes. | tests.cpp:221:36:221:41 | call to alloca | array |
| tests.cpp:237:9:237:19 | access to array | This array indexing operation accesses byte offset 99 but the $@ is only 50 bytes. | tests.cpp:225:12:225:24 | dataBadBuffer | array |
| tests.cpp:261:9:261:19 | access to array | This array indexing operation accesses byte offset 99 but the $@ is only 50 bytes. | tests.cpp:245:10:245:22 | dataBadBuffer | array |
| tests.cpp:261:9:261:19 | access to array | This array indexing operation accesses byte offset 99 but the $@ is only 50 bytes. | tests.cpp:249:12:249:24 | dataBadBuffer | array |
| tests.cpp:384:9:384:14 | call to memcpy | This 'memcpy' operation accesses 40 bytes but the $@ is only 10 bytes. | tests.cpp:380:19:380:24 | call to alloca | destination buffer |
| tests.cpp:434:9:434:19 | access to array | This array indexing operation accesses byte offset 399 but the $@ is only 200 bytes. | tests.cpp:422:12:422:26 | new[] | array |
| tests.cpp:453:9:453:19 | access to array | This array indexing operation accesses byte offset 399 but the $@ is only 200 bytes. | tests.cpp:445:12:445:26 | new[] | array |

1
cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowBuffer.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE/CWE-119/OverflowBuffer.ql

0
cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowDestination.expected Normal file
View File

1
cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowDestination.qlref Normal file
View File

@@ -0,0 +1 @@
Critical/OverflowDestination.ql

2
cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowStatic.expected Normal file
View File

@@ -0,0 +1,2 @@
| tests.cpp:45:51:45:72 | sizeof(<expr>) | Potential buffer-overflow: 'charFirst' has size 16 not 32. |
| tests.cpp:60:52:60:74 | sizeof(<expr>) | Potential buffer-overflow: 'charFirst' has size 16 not 32. |

1
cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowStatic.qlref Normal file
View File

@@ -0,0 +1 @@
Critical/OverflowStatic.ql

0
cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWrite.expected Normal file
View File

1
cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWrite.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE/CWE-120/OverrunWrite.ql

0
cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteFloat.expected Normal file
View File

1
cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteFloat.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE/CWE-120/OverrunWriteFloat.ql

3
cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/StrncpyFlippedArgs.expected Normal file
View File

@@ -0,0 +1,3 @@
| tests.cpp:290:13:290:19 | call to wcsncpy | Potentially unsafe call to wcsncpy; third argument should be size of destination. |
| tests.cpp:306:4:306:10 | call to wcsncpy | Potentially unsafe call to wcsncpy; third argument should be size of destination. |
| tests.cpp:452:9:452:15 | call to wcsncpy | Potentially unsafe call to wcsncpy; third argument should be size of destination. |

1
cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/StrncpyFlippedArgs.qlref Normal file
View File

@@ -0,0 +1 @@
Likely Bugs/Memory Management/StrncpyFlippedArgs.ql

3
cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/UnboundedWrite.expected Normal file
View File

@@ -0,0 +1,3 @@
edges
nodes
#select

1
cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/UnboundedWrite.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE/CWE-120/UnboundedWrite.ql

671
cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/tests.cpp Normal file
View File

@@ -0,0 +1,671 @@
// A sample of tests from the SAMATE Juliet framework for rule CWE-119.
// library types, functions etc
typedef unsigned long size_t;
void *malloc(size_t size);
void *alloca(size_t size);
void free(void *ptr);
#define ALLOCA alloca
void *memcpy(void *s1, const void *s2, size_t n);
void *memset(void *s, int c, size_t n);
char *strcpy(char *s1, const char *s2);
size_t strlen(const char *s);
void exit(int status);
typedef unsigned int DWORD;
DWORD GetCurrentDirectoryA(DWORD bufferLength, char *buffer);
bool PathAppendA(char *path, const char *more);
#define MAX_PATH 4096
void printLine(const char *str);
void printSizeTLine(size_t val);
void printIntLine(int val);
// ----------
#define SRC_STR "0123456789abcde0123"
typedef struct _charVoid
{
char charFirst[16];
void * voidSecond;
void * voidThird;
} charVoid;
void CWE121_Stack_Based_Buffer_Overflow__char_type_overrun_memcpy_01_bad()
{
{
charVoid structCharVoid;
structCharVoid.voidSecond = (void *)SRC_STR;
/* Print the initial block pointed to by structCharVoid.voidSecond */
printLine((char *)structCharVoid.voidSecond);
/* FLAW: Use the sizeof(structCharVoid) which will overwrite the pointer voidSecond */
memcpy(structCharVoid.charFirst, SRC_STR, sizeof(structCharVoid));
structCharVoid.charFirst[(sizeof(structCharVoid.charFirst)/sizeof(char))-1] = '\0'; /* null terminate the string */
printLine((char *)structCharVoid.charFirst);
printLine((char *)structCharVoid.voidSecond);
}
}
void CWE122_Heap_Based_Buffer_Overflow__char_type_overrun_memcpy_01_bad()
{
{
charVoid * structCharVoid = (charVoid *)malloc(sizeof(charVoid));
structCharVoid->voidSecond = (void *)SRC_STR;
/* Print the initial block pointed to by structCharVoid->voidSecond */
printLine((char *)structCharVoid->voidSecond);
/* FLAW: Use the sizeof(*structCharVoid) which will overwrite the pointer y */
memcpy(structCharVoid->charFirst, SRC_STR, sizeof(*structCharVoid));
structCharVoid->charFirst[(sizeof(structCharVoid->charFirst)/sizeof(char))-1] = '\0'; /* null terminate the string */
printLine((char *)structCharVoid->charFirst);
printLine((char *)structCharVoid->voidSecond);
free(structCharVoid);
}
}
void CWE124_Buffer_Underwrite__char_alloca_cpy_01_bad()
{
char * data;
char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
memset(dataBuffer, 'A', 100-1);
dataBuffer[100-1] = '\0';
/* FLAW: Set data pointer to before the allocated memory buffer */
data = dataBuffer - 8;
{
char source[100];
memset(source, 'C', 100-1); /* fill with 'C's */
source[100-1] = '\0'; /* null terminate */
/* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
strcpy(data, source); // [NOT DETECTED]
printLine(data);
}
}
void CWE126_Buffer_Overread__char_alloca_loop_01_bad()
{
char * data;
char * dataBadBuffer = (char *)ALLOCA(50*sizeof(char));
char * dataGoodBuffer = (char *)ALLOCA(100*sizeof(char));
memset(dataBadBuffer, 'A', 50-1); /* fill with 'A's */
dataBadBuffer[50-1] = '\0'; /* null terminate */
memset(dataGoodBuffer, 'A', 100-1); /* fill with 'A's */
dataGoodBuffer[100-1] = '\0'; /* null terminate */
/* FLAW: Set data pointer to a small buffer */
data = dataBadBuffer;
{
size_t i, destLen;
char dest[100];
memset(dest, 'C', 100-1);
dest[100-1] = '\0'; /* null terminate */
destLen = strlen(dest);
/* POTENTIAL FLAW: using length of the dest where data
* could be smaller than dest causing buffer overread */
for (i = 0; i < destLen; i++)
{
dest[i] = data[i]; // [NOT DETECTED]
}
dest[100-1] = '\0';
printLine(dest);
}
}
void CWE127_Buffer_Underread__char_alloca_cpy_01_bad()
{
char * data;
char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
memset(dataBuffer, 'A', 100-1);
dataBuffer[100-1] = '\0';
/* FLAW: Set data pointer to before the allocated memory buffer */
data = dataBuffer - 8;
{
char dest[100*2];
memset(dest, 'C', 100*2-1); /* fill with 'C's */
dest[100*2-1] = '\0'; /* null terminate */
/* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
strcpy(dest, data); // [NOT DETECTED]
printLine(dest);
}
}
#define BAD_PATH_SIZE (MAX_PATH / 2) /* maintenance note: must be < MAX_PATH in order for 'bad' to be 'bad' */
void CWE785_Path_Manipulation_Function_Without_Max_Sized_Buffer__w32_01_bad()
{
{
char path[BAD_PATH_SIZE];
DWORD length;
length = GetCurrentDirectoryA(BAD_PATH_SIZE, path);
if (length == 0 || length >= BAD_PATH_SIZE) /* failure conditions for this API call */
{
exit(1);
}
/* FLAW: PathAppend assumes the 'path' parameter is MAX_PATH */
/* INCIDENTAL: CWE 121 stack based buffer overflow, which is intrinsic to
* this example identified on the CWE webpage */
if (!PathAppendA(path, "AAAAAAAAAAAA")) // [NOT DETECTED]
{
exit(1);
}
printSizeTLine(strlen(path));
printIntLine(BAD_PATH_SIZE);
printLine(path);
}
}
#define NULL (0)
void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_01_bad()
{
char * data;
data = NULL;
/* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
data = (char *)malloc(50*sizeof(char));
data[0] = '\0'; /* null terminate */
{
char source[100];
memset(source, 'C', 100-1); /* fill with 'C's */
source[100-1] = '\0'; /* null terminate */
/* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
memcpy(data, source, 100*sizeof(char));
data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
printLine(data);
free(data);
}
}
void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_01_bad()
{
char * data;
char dataBadBuffer[50];
char dataGoodBuffer[100];
/* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
* buffer in various memory copying functions using a "large" source buffer. */
data = dataBadBuffer;
data[0] = '\0'; /* null terminate */
{
char source[100];
memset(source, 'C', 100-1); /* fill with 'C's */
source[100-1] = '\0'; /* null terminate */
/* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
memcpy(data, source, 100*sizeof(char));
data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
printLine(data);
}
}
void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_memcpy_01_bad()
{
char * data;
char * dataBadBuffer = (char *)ALLOCA(50*sizeof(char));
char * dataGoodBuffer = (char *)ALLOCA(100*sizeof(char));
/* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
* buffer in various memory copying functions using a "large" source buffer. */
data = dataBadBuffer;
data[0] = '\0'; /* null terminate */
{
char source[100];
memset(source, 'C', 100-1); /* fill with 'C's */
source[100-1] = '\0'; /* null terminate */
/* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
memcpy(data, source, 100*sizeof(char));
data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
printLine(data);
}
}
void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_loop_01_bad()
{
char * data;
char * dataBadBuffer = (char *)ALLOCA(50*sizeof(char));
char * dataGoodBuffer = (char *)ALLOCA(100*sizeof(char));
/* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
* buffer in various memory copying functions using a "large" source buffer. */
data = dataBadBuffer;
data[0] = '\0'; /* null terminate */
{
size_t i;
char source[100];
memset(source, 'C', 100-1); /* fill with 'C's */
source[100-1] = '\0'; /* null terminate */
/* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
for (i = 0; i < 100; i++)
{
data[i] = source[i];
}
data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
printLine(data);
}
}
void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_01_bad()
{
char * data;
char dataBadBuffer[50];
char dataGoodBuffer[100];
/* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
* buffer in various memory copying functions using a "large" source buffer. */
data = dataBadBuffer;
data[0] = '\0'; /* null terminate */
{
size_t i;
char source[100];
memset(source, 'C', 100-1); /* fill with 'C's */
source[100-1] = '\0'; /* null terminate */
/* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
for (i = 0; i < 100; i++)
{
data[i] = source[i];
}
data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
printLine(data);
}
}
wchar_t *wcsncpy(wchar_t *destination, const wchar_t *source, size_t num);
size_t wcslen(const wchar_t *str);
char *strcat(char *destination, const char *source);
char *strncat(char *destination, const char *source, size_t num);
void *memmove(void *destination, const void *source, size_t num);
void printWLine(const wchar_t *line);
/* MAINTENANCE NOTE: The length of this string should equal the 10 */
#define SRC_STRING L"AAAAAAAAAA"
namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_wchar_t_ncpy_01
{
void bad()
{
wchar_t * data;
data = NULL;
/* FLAW: Did not leave space for a null terminator */
data = new wchar_t[10];
{
wchar_t source[10+1] = SRC_STRING;
/* Copy length + 1 to include NUL terminator from source */
/* POTENTIAL FLAW: data may not have enough space to hold source */
wcsncpy(data, source, wcslen(source) + 1);
printWLine(data);
delete [] data;
}
}
static void goodG2B()
{
wchar_t * data;
data = NULL;
/* FIX: Allocate space for a null terminator */
data = new wchar_t[10+1];
{
wchar_t source[10+1] = SRC_STRING;
/* Copy length + 1 to include NUL terminator from source */
/* POTENTIAL FLAW: data may not have enough space to hold source */
wcsncpy(data, source, wcslen(source) + 1); // [FALSE POSITIVE RESULT] (debatable)
printWLine(data);
delete [] data;
}
}
} /* close namespace */
namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_wchar_t_memmove_31
{
void bad()
{
wchar_t * data;
data = NULL;
/* FLAW: Did not leave space for a null terminator */
data = new wchar_t[10];
{
wchar_t * dataCopy = data;
wchar_t * data = dataCopy;
{
wchar_t source[10+1] = SRC_STRING;
/* Copy length + 1 to include NUL terminator from source */
/* POTENTIAL FLAW: data may not have enough space to hold source */
memmove(data, source, (wcslen(source) + 1) * sizeof(wchar_t)); // [NOT DETECTED]
printWLine(data);
delete [] data;
}
}
}
} /* close namespace */
namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_ncat_01
{
void bad()
{
char * data;
data = NULL;
/* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */
data = new char[50];
data[0] = '\0'; /* null terminate */
{
char source[100];
memset(source, 'C', 100-1); /* fill with 'C's */
source[100-1] = '\0'; /* null terminate */
/* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
strncat(data, source, 100);
printLine(data);
delete [] data;
}
}
} /* close namespace */
void CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_01_bad()
{
char * data;
data = NULL;
/* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
data = (char *)malloc(50*sizeof(char));
data[0] = '\0'; /* null terminate */
{
char source[100];
memset(source, 'C', 100-1); /* fill with 'C's */
source[100-1] = '\0'; /* null terminate */
/* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
strcat(data, source); // [NOT DETECTED]
printLine(data);
free(data);
}
}
void CWE121_Stack_Based_Buffer_Overflow__CWE131_memcpy_01_bad()
{
int * data;
data = NULL;
/* FLAW: Allocate memory without using sizeof(int) */
data = (int *)ALLOCA(10);
{
int source[10] = {0};
/* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */
memcpy(data, source, 10*sizeof(int));
printIntLine(data[0]);
}
}
typedef long long int64_t;
wchar_t *wmemset(wchar_t *dest, wchar_t c, size_t count);
void* calloc(size_t num, size_t size);
void printLongLongLine(int64_t longLongIntNumber);
void printDoubleLine(double doubleNumber);
void CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_int64_t_loop_01_bad()
{
int64_t * data;
data = NULL;
/* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */
data = new int64_t[50];
{
int64_t source[100] = {0}; /* fill with 0's */
{
size_t i;
/* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
for (i = 0; i < 100; i++)
{
data[i] = source[i]; // [NOT DETECTED]
}
printLongLongLine(data[0]);
delete [] data;
}
}
}
void CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_loop_01_bad()
{
wchar_t * data;
data = NULL;
/* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */
data = new wchar_t[50];
data[0] = L'\0'; /* null terminate */
{
size_t i;
wchar_t source[100];
wmemset(source, L'C', 100-1); /* fill with L'C's */
source[100-1] = L'\0'; /* null terminate */
/* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
for (i = 0; i < 100; i++)
{
data[i] = source[i];
}
data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */
printWLine(data);
delete [] data;
}
}
void CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncpy_01_bad()
{
wchar_t * data;
data = NULL;
/* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */
data = new wchar_t[50];
data[0] = L'\0'; /* null terminate */
{
wchar_t source[100];
wmemset(source, L'C', 100-1); /* fill with L'C's */
source[100-1] = L'\0'; /* null terminate */
/* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
wcsncpy(data, source, 100-1);
data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */
printWLine(data);
delete [] data;
}
}
#ifdef _WIN32
int _snwprintf(wchar_t *buffer, size_t count, const wchar_t *format, ...);
#define SNPRINTF _snwprintf
#else
int snprintf(char *s, size_t n, const char *format, ...);
int swprintf(wchar_t *wcs, size_t maxlen, const wchar_t *format, ...);
//#define SNPRINTF snprintf --- original code; using snprintf appears to be a mistake in samate?
#define SNPRINTF swprintf
#endif
void CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_snprintf_01_bad()
{
wchar_t * data;
data = NULL;
/* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */
data = new wchar_t[50];
data[0] = L'\0'; /* null terminate */
{
wchar_t source[100];
wmemset(source, L'C', 100-1); /* fill with L'C's */
source[100-1] = L'\0'; /* null terminate */
/* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
SNPRINTF(data, 100, L"%s", source);
printWLine(data);
delete [] data;
}
}
/* classes used in some test cases as a custom type */
class TwoIntsClass
{
public: // Needed to access variables from label files
int intOne;
int intTwo;
};
class OneIntClass
{
public: // Needed to access variables from label files
int intOne;
};
void *operator new(size_t size, void *ptr) throw(); // placement new (from #include <new>)
void CWE122_Heap_Based_Buffer_Overflow__placement_new_01_bad()
{
char * data;
char * dataBadBuffer = (char *)malloc(sizeof(OneIntClass));
char * dataGoodBuffer = (char *)malloc(sizeof(TwoIntsClass));
/* POTENTIAL FLAW: Initialize data to a buffer small than the sizeof(TwoIntsClass) */
data = dataBadBuffer;
{
/* The Visual C++ compiler generates a warning if you initialize the class with ().
* This will cause the compile to default-initialize the object.
* See http://msdn.microsoft.com/en-us/library/wewb47ee%28v=VS.100%29.aspx
*/
/* POTENTIAL FLAW: data may not be large enough to hold a TwoIntsClass */
TwoIntsClass * classTwo = new(data) TwoIntsClass; // [NOT DETECTED]
/* Initialize and make use of the class */
classTwo->intOne = 5;
classTwo->intTwo = 10; /* POTENTIAL FLAW: If sizeof(data) < sizeof(TwoIntsClass) then this line will be a buffer overflow */
printIntLine(classTwo->intOne);
/* skip printing classTwo->intTwo since that could be a buffer overread */
free(data);
}
}
void CWE122_Heap_Based_Buffer_Overflow__sizeof_double_01_bad()
{
double * data;
/* Initialize data */
data = NULL;
/* INCIDENTAL: CWE-467 (Use of sizeof() on a pointer type) */
/* FLAW: Using sizeof the pointer and not the data type in malloc() */
data = (double *)malloc(sizeof(data)); // [NOT DETECTED]
*data = 1.7E300;
/* POTENTIAL FLAW: Attempt to use data, which may not have enough memory allocated */
printDoubleLine(*data);
free(data);
}
int rand(void);
#define RAND32() ((rand()<<30) ^ (rand()<<15) ^ rand())
void CWE122_Heap_Based_Buffer_Overflow__c_CWE129_rand_01_bad()
{
int data;
/* Initialize data */
data = -1;
/* POTENTIAL FLAW: Set data to a random value */
data = RAND32();
{
int i;
int * buffer = (int *)malloc(10 * sizeof(int));
/* initialize buffer */
for (i = 0; i < 10; i++)
{
buffer[i] = 0;
}
/* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
* This code does check to see if the array index is negative */
if (data >= 0)
{
buffer[data] = 1; // [NOT DETECTED]
/* Print the array values */
for(i = 0; i < 10; i++)
{
printIntLine(buffer[i]);
}
}
else
{
printLine("ERROR: Array index is negative.");
}
free(buffer);
}
}
typedef struct FILE;
int fscanf(FILE *stream, const char *format, ...);
FILE *stdin;
void CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fscanf_01_bad()
{
int data;
/* Initialize data */
data = -1;
/* POTENTIAL FLAW: Read data from the console using fscanf() */
fscanf(stdin, "%d", &data);
{
int i;
int * buffer = (int *)malloc(10 * sizeof(int));
/* initialize buffer */
for (i = 0; i < 10; i++)
{
buffer[i] = 0;
}
/* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
* This code does check to see if the array index is negative */
if (data >= 0)
{
buffer[data] = 1; // [NOT DETECTED]
/* Print the array values */
for(i = 0; i < 10; i++)
{
printIntLine(buffer[i]);
}
}
else
{
printLine("ERROR: Array index is negative.");
}
free(buffer);
}
}
void CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_snprintf_31_bad()
{
wchar_t * data;
data = NULL;
/* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */
data = new wchar_t[50];
data[0] = L'\0'; /* null terminate */
{
wchar_t * dataCopy = data;
wchar_t * data = dataCopy;
{
wchar_t source[100];
wmemset(source, L'C', 100-1); /* fill with L'C's */
source[100-1] = L'\0'; /* null terminate */
/* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
SNPRINTF(data, 100, L"%s", source);
printWLine(data);
delete [] data;
}
}
}
int rand(void);
int globalReturnsTrueOrFalse()
{
return (rand() % 2);
}
#define SRC_STRING "AAAAAAAAAA"
void CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_cpy_12_bad()
{
char * data;
char dataBadBuffer[10];
char dataGoodBuffer[10+1];
if(globalReturnsTrueOrFalse())
{
/* FLAW: Set a pointer to a buffer that does not leave room for a NULL terminator when performing
* string copies in the sinks */
data = dataBadBuffer;
data[0] = '\0'; /* null terminate */
}
else
{
/* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing
* string copies in the sinks */
data = dataGoodBuffer;
data[0] = '\0'; /* null terminate */
}
{
char source[10+1] = SRC_STRING;
/* POTENTIAL FLAW: data may not have enough space to hold source */ // [NOT DETECTED]
strcpy(data, source);
printLine(data);
}
}

2
cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowBuffer.expected
View File

@@ -80,4 +80,4 @@
| var_size_struct.cpp:99:3:99:8 | call to memset | This 'memset' operation accesses 129 bytes but the $@ is only 128 bytes. | var_size_struct.cpp:92:8:92:10 | str | destination buffer |
| var_size_struct.cpp:101:3:101:8 | call to memset | This 'memset' operation accesses 129 bytes but the $@ is only 128 bytes. | var_size_struct.cpp:92:8:92:10 | str | destination buffer |
| var_size_struct.cpp:103:3:103:9 | call to strncpy | This 'strncpy' operation may access 129 bytes but the $@ is only 128 bytes. | var_size_struct.cpp:92:8:92:10 | str | destination buffer |
| var_size_struct.cpp:171:3:171:8 | call to memset | This 'memset' operation accesses 100 bytes but the $@ is only 1 byte. | var_size_struct.cpp:125:17:125:19 | arr | destination buffer |
| var_size_struct.cpp:169:3:169:8 | call to memset | This 'memset' operation accesses 100 bytes but the $@ is only 1 byte. | var_size_struct.cpp:125:17:125:19 | arr | destination buffer |

2
cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/var_size_struct.cpp
View File

@@ -161,8 +161,6 @@ void useVarStruct34(varStruct5 *vs5) {
varStruct5 *vs5b = (varStruct5 *)malloc(sizeof(*vs5));
varStruct6 *vs6 = (varStruct6 *)malloc(offsetof(varStruct6, arr) + 9); // establish varStruct6 as variable size
varStruct7 *vs7 = (varStruct7 *)malloc(sizeForVarStruct7(9)); // establish varStruct7 as variable size
varStruct8 *vs8a = (varStruct8 *)malloc(sizeof(varStruct8) + 9); // establish varStruct8 as variable size
varStruct8 *vs8b = (varStruct8 *)malloc(sizeof(varStruct8));
varStruct9 *vs9 = (varStruct9 *)malloc(__builtin_offsetof(varStruct9, arr) + 9); // establish varStruct9 as variable size
}

65
cpp/ql/test/query-tests/Security/CWE/CWE-129/SAMATE/ImproperArrayIndexValidation/CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c Normal file
View File

@@ -0,0 +1,65 @@
// Snippet from a SAMATE Juliet test case for rule CWE-122 / CWE-129
// CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c
typedef unsigned long size_t;
void *malloc(size_t size);
void free(void *ptr);
#define NULL (0)
typedef struct {} FILE;
FILE *stdin;
char *fgets(char *s, int n, FILE *stream);
int atoi(const char *nptr);
void printLine(const char *str);
void printIntLine(int val);
// ---
#define CHAR_ARRAY_SIZE (64)
void CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01_bad()
{
int data;
/* Initialize data */
data = -1;
{
char inputBuffer[CHAR_ARRAY_SIZE] = "";
/* POTENTIAL FLAW: Read data from the console using fgets() */
if (fgets(inputBuffer, CHAR_ARRAY_SIZE, stdin) != NULL)
{
/* Convert to int */
data = atoi(inputBuffer);
}
else
{
printLine("fgets() failed.");
}
}
{
int i;
int * buffer = (int *)malloc(10 * sizeof(int));
/* initialize buffer */
for (i = 0; i < 10; i++)
{
buffer[i] = 0;
}
/* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
* This code does check to see if the array index is negative */
if (data >= 0)
{
buffer[data] = 1;
/* Print the array values */
for(i = 0; i < 10; i++)
{
printIntLine(buffer[i]);
}
}
else
{
printLine("ERROR: Array index is negative.");
}
free(buffer);
}
}

1
cpp/ql/test/query-tests/Security/CWE/CWE-129/SAMATE/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected Normal file
View File

@@ -0,0 +1 @@
| CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:52:20:52:23 | data | $@ flows to here and is used in an array indexing expression, potentially causing an invalid access. | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:30:19:30:29 | inputBuffer | User-provided value |

1
cpp/ql/test/query-tests/Security/CWE/CWE-129/SAMATE/ImproperArrayIndexValidation/ImproperArrayIndexValidation.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE/CWE-129/ImproperArrayIndexValidation.ql

45
cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/UncontrolledFormatString.expected Normal file
View File

@@ -0,0 +1,45 @@
edges
| char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data |
| char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data |
| char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data indirection |
| char_connect_socket_w32_vsnprintf_01_bad.c:94:55:94:68 | ... + ... | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data |
| char_connect_socket_w32_vsnprintf_01_bad.c:94:55:94:68 | ... + ... | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data |
| char_connect_socket_w32_vsnprintf_01_bad.c:94:55:94:68 | ... + ... | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data indirection |
| char_console_fprintf_01_bad.c:30:23:30:35 | ... + ... | char_console_fprintf_01_bad.c:49:21:49:24 | (const char *)... |
| char_console_fprintf_01_bad.c:30:23:30:35 | ... + ... | char_console_fprintf_01_bad.c:49:21:49:24 | data |
| char_console_fprintf_01_bad.c:30:23:30:35 | ... + ... | char_console_fprintf_01_bad.c:49:21:49:24 | data indirection |
| char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | char_console_fprintf_01_bad.c:49:21:49:24 | (const char *)... |
| char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | char_console_fprintf_01_bad.c:49:21:49:24 | data |
| char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | char_console_fprintf_01_bad.c:49:21:49:24 | data indirection |
| char_environment_fprintf_01_bad.c:27:30:27:35 | call to getenv | char_environment_fprintf_01_bad.c:36:21:36:24 | (const char *)... |
| char_environment_fprintf_01_bad.c:27:30:27:35 | call to getenv | char_environment_fprintf_01_bad.c:36:21:36:24 | (const char *)... |
| char_environment_fprintf_01_bad.c:27:30:27:35 | call to getenv | char_environment_fprintf_01_bad.c:36:21:36:24 | data |
| char_environment_fprintf_01_bad.c:27:30:27:35 | call to getenv | char_environment_fprintf_01_bad.c:36:21:36:24 | data |
| char_environment_fprintf_01_bad.c:27:30:27:35 | call to getenv | char_environment_fprintf_01_bad.c:36:21:36:24 | data indirection |
| char_environment_fprintf_01_bad.c:27:30:27:35 | call to getenv | char_environment_fprintf_01_bad.c:36:21:36:24 | data indirection |
nodes
| char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | semmle.label | recv output argument |
| char_connect_socket_w32_vsnprintf_01_bad.c:94:55:94:68 | ... + ... | semmle.label | ... + ... |
| char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data | semmle.label | data |
| char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data | semmle.label | data |
| char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data | semmle.label | data |
| char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data indirection | semmle.label | data indirection |
| char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data indirection | semmle.label | data indirection |
| char_console_fprintf_01_bad.c:30:23:30:35 | ... + ... | semmle.label | ... + ... |
| char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | semmle.label | fgets output argument |
| char_console_fprintf_01_bad.c:49:21:49:24 | (const char *)... | semmle.label | (const char *)... |
| char_console_fprintf_01_bad.c:49:21:49:24 | (const char *)... | semmle.label | (const char *)... |
| char_console_fprintf_01_bad.c:49:21:49:24 | data | semmle.label | data |
| char_console_fprintf_01_bad.c:49:21:49:24 | data indirection | semmle.label | data indirection |
| char_console_fprintf_01_bad.c:49:21:49:24 | data indirection | semmle.label | data indirection |
| char_environment_fprintf_01_bad.c:27:30:27:35 | call to getenv | semmle.label | call to getenv |
| char_environment_fprintf_01_bad.c:27:30:27:35 | call to getenv | semmle.label | call to getenv |
| char_environment_fprintf_01_bad.c:36:21:36:24 | (const char *)... | semmle.label | (const char *)... |
| char_environment_fprintf_01_bad.c:36:21:36:24 | (const char *)... | semmle.label | (const char *)... |
| char_environment_fprintf_01_bad.c:36:21:36:24 | data | semmle.label | data |
| char_environment_fprintf_01_bad.c:36:21:36:24 | data indirection | semmle.label | data indirection |
| char_environment_fprintf_01_bad.c:36:21:36:24 | data indirection | semmle.label | data indirection |
#select
| char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data | char_connect_socket_w32_vsnprintf_01_bad.c:94:55:94:68 | ... + ... | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | data | The value of this argument may come from $@ and is being used as a formatting argument to badVaSink(data), which calls vsnprintf(format) | char_connect_socket_w32_vsnprintf_01_bad.c:94:55:94:68 | ... + ... | recv |
| char_console_fprintf_01_bad.c:49:21:49:24 | data | char_console_fprintf_01_bad.c:30:23:30:35 | ... + ... | char_console_fprintf_01_bad.c:49:21:49:24 | data | The value of this argument may come from $@ and is being used as a formatting argument to fprintf(format) | char_console_fprintf_01_bad.c:30:23:30:35 | ... + ... | fgets |
| char_environment_fprintf_01_bad.c:36:21:36:24 | data | char_environment_fprintf_01_bad.c:27:30:27:35 | call to getenv | char_environment_fprintf_01_bad.c:36:21:36:24 | data | The value of this argument may come from $@ and is being used as a formatting argument to fprintf(format) | char_environment_fprintf_01_bad.c:27:30:27:35 | call to getenv | getenv |

1
cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/UncontrolledFormatString.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE/CWE-134/UncontrolledFormatString.ql

126
cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/char_connect_socket_w32_vsnprintf_01_bad.c Normal file
View File

@@ -0,0 +1,126 @@
// External test case from SAMATE's Juliet Test Suite for C/C++
// (http://samate.nist.gov/SRD/testsuite.php)
// Associated with CWE-134: Uncontrolled format string. http://cwe.mitre.org/data/definitions/134.html
// This is a snippet with added declarations, not the entire test case.
typedef unsigned long size_t;
typedef void *va_list;
#define va_start(ap, parmN)
#define va_end(ap)
#define va_arg(ap, type) ((type)0)
int vsnprintf(char *s, size_t n, const char *format, va_list arg);
size_t strlen(const char *s);
#define SOCKET int
#define INVALID_SOCKET (0)
#define SOCKET_ERROR (1)
#define AF_INET (2)
#define SOCK_STREAM (3)
#define IPPROTO_TCP (4)
#define IP_ADDRESS (5)
#define TCP_PORT (6)
typedef int in_addr_t;
struct in_addr {
in_addr_t s_addr;
};
struct sockaddr_in {
int sin_family;
int sin_port;
struct in_addr sin_addr;
};
in_addr_t inet_addr(const char *cp);
#define IP_ADDRESS "0.0.0.0"
void printLine(char *);
static void badVaSink(char * data, ...)
{
{
char dest[100] = "";
va_list args;
va_start(args, data);
/* POTENTIAL FLAW: Do not specify the format allowing a possible format string vulnerability */
vsnprintf(dest, 100-1, data, args);
va_end(args);
printLine(dest);
}
}
void CWE134_Uncontrolled_Format_String__char_connect_socket_w32_vsnprintf_01_bad()
{
char * data;
char dataBuffer[100] = "";
data = dataBuffer;
{
#ifdef _WIN32
WSADATA wsaData;
int wsaDataInit = 0;
#endif
int recvResult;
struct sockaddr_in service;
char *replace;
SOCKET connectSocket = INVALID_SOCKET;
size_t dataLen = strlen(data);
do
{
#ifdef _WIN32
if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)
{
break;
}
wsaDataInit = 1;
#endif
/* POTENTIAL FLAW: Read data using a connect socket */
connectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (connectSocket == INVALID_SOCKET)
{
break;
}
memset(&service, 0, sizeof(service));
service.sin_family = AF_INET;
service.sin_addr.s_addr = inet_addr(IP_ADDRESS);
service.sin_port = htons(TCP_PORT);
if (connect(connectSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)
{
break;
}
/* Abort on error or the connection was closed, make sure to recv one
* less char than is in the recv_buf in order to append a terminator */
/* Abort on error or the connection was closed */
recvResult = recv(connectSocket, (char *)(data + dataLen), sizeof(char) * (100 - dataLen - 1), 0);
if (recvResult == SOCKET_ERROR || recvResult == 0)
{
break;
}
/* Append null terminator */
data[dataLen + recvResult / sizeof(char)] = '\0';
/* Eliminate CRLF */
replace = strchr(data, '\r');
if (replace)
{
*replace = '\0';
}
replace = strchr(data, '\n');
if (replace)
{
*replace = '\0';
}
}
while (0);
if (connectSocket != INVALID_SOCKET)
{
CLOSE_SOCKET(connectSocket);
}
#ifdef _WIN32
if (wsaDataInit)
{
WSACleanup();
}
#endif
}
badVaSink(data, data);
}

97
cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/char_console_fprintf_01_bad.c Normal file
View File

@@ -0,0 +1,97 @@
// External test case from SAMATE's Juliet Test Suite for C/C++
// (http://samate.nist.gov/SRD/testsuite.php)
// Associated with CWE-134: Uncontrolled format string. http://cwe.mitre.org/data/definitions/134.html
// Examples amended to have all function declarations inlined.
#define NULL 0
typedef unsigned long size_t;
typedef struct {} FILE;
extern FILE * stdin;
extern FILE * stdout;
size_t strlen(const char *s);
char *fgets(char *s, int n, FILE *stream);
int fprintf(FILE *stream, const char *format, ...);
char *strcpy(char *s1, const char *s2);
void printLine(char *);
void CWE134_Uncontrolled_Format_String__char_console_fprintf_01_bad()
{
char * data;
char data_buf[100] = "";
data = data_buf;
{
/* Read input from the console */
size_t data_len = strlen(data);
/* if there is room in data, read into it from the console */
/* POTENTIAL FLAW: Read data from the console */
if(100-data_len > 1)
{
if (fgets(data+data_len, (int)(100-data_len), stdin) != NULL)
{
/* The next 3 lines remove the carriage return from the string that is
* inserted by fgets() */
data_len = strlen(data);
if (data_len > 0 && data[data_len-1] == '\n')
{
data[data_len-1] = '\0';
}
}
else
{
printLine("fgets() failed");
/* Restore NUL terminator if fgets fails */
data[data_len] = '\0';
}
}
}
/* POTENTIAL FLAW: Do not specify the format allowing a possible format string vulnerability */
fprintf(stdout, data);
}
/* goodG2B uses the GoodSource with the BadSink */
static void goodG2B()
{
char * data;
char data_buf[100] = "";
data = data_buf;
/* FIX: Use a fixed string that does not contain a format specifier */
strcpy(data, "fixedstringtest");
/* POTENTIAL FLAW: Do not specify the format allowing a possible format string vulnerability */
fprintf(stdout, data);
}
/* goodB2G uses the BadSource with the GoodSink */
static void goodB2G()
{
char * data;
char data_buf[100] = "";
data = data_buf;
{
/* Read input from the console */
size_t data_len = strlen(data);
/* if there is room in data, read into it from the console */
/* POTENTIAL FLAW: Read data from the console */
if(100-data_len > 1)
{
if (fgets(data+data_len, (int)(100-data_len), stdin) != NULL)
{
/* The next 3 lines remove the carriage return from the string that is
* inserted by fgets() */
data_len = strlen(data);
if (data_len > 0 && data[data_len-1] == '\n')
{
data[data_len-1] = '\0';
}
}
else
{
printLine("fgets() failed");
/* Restore NUL terminator if fgets fails */
data[data_len] = '\0';
}
}
}
/* FIX: Specify the format disallowing a format string vulnerability */
fprintf(stdout, "%s\n", data);
}

70
cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/char_environment_fprintf_01_bad.c Normal file
View File

@@ -0,0 +1,70 @@
// External test case from SAMATE's Juliet Test Suite for C/C++
// (http://samate.nist.gov/SRD/testsuite.php)
// Associated with CWE-134: Uncontrolled format string. http://cwe.mitre.org/data/definitions/134.html
// Examples amended to have all function declarations inlined.
#define NULL 0
typedef struct {} FILE;
typedef unsigned long size_t;
extern FILE * stdout;
size_t strlen(const char *s);
char *getenv(const char *name);
char *strcpy(char *s1, const char *s2);
char *strncat(char *s1, const char *s2, size_t n);
int fprintf(FILE *stream, const char *format, ...);
#define ENV_VARIABLE "ADD"
#define GETENV getenv
void CWE134_Uncontrolled_Format_String__char_environment_fprintf_01_bad()
{
char * data;
char data_buf[100] = "";
data = data_buf;
{
/* Append input from an environment variable to data */
size_t data_len = strlen(data);
char * environment = GETENV(ENV_VARIABLE);
/* If there is data in the environment variable */
if (environment != NULL)
{
/* POTENTIAL FLAW: Read data from an environment variable */
strncat(data+data_len, environment, 100-data_len-1);
}
}
/* POTENTIAL FLAW: Do not specify the format allowing a possible format string vulnerability */
fprintf(stdout, data);
}
/* goodG2B uses the GoodSource with the BadSink */
static void goodG2B()
{
char * data;
char data_buf[100] = "";
data = data_buf;
/* FIX: Use a fixed string that does not contain a format specifier */
strcpy(data, "fixedstringtest");
/* POTENTIAL FLAW: Do not specify the format allowing a possible format string vulnerability */
fprintf(stdout, data);
}
/* goodB2G uses the BadSource with the GoodSink */
static void goodB2G()
{
char * data;
char data_buf[100] = "";
data = data_buf;
{
/* Append input from an environment variable to data */
size_t data_len = strlen(data);
char * environment = GETENV(ENV_VARIABLE);
/* If there is data in the environment variable */
if (environment != NULL)
{
/* POTENTIAL FLAW: Read data from an environment variable */
strncat(data+data_len, environment, 100-data_len-1);
}
}
/* FIX: Specify the format disallowing a format string vulnerability */
fprintf(stdout, "%s\n", data);
}

13
cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticTainted.expected Normal file
View File

@@ -0,0 +1,13 @@
edges
| examples.cpp:63:26:63:30 | & ... | examples.cpp:66:11:66:14 | data |
| examples.cpp:63:26:63:30 | & ... | examples.cpp:66:11:66:14 | data |
| examples.cpp:63:26:63:30 | fscanf output argument | examples.cpp:66:11:66:14 | data |
| examples.cpp:63:26:63:30 | fscanf output argument | examples.cpp:66:11:66:14 | data |
nodes
| examples.cpp:63:26:63:30 | & ... | semmle.label | & ... |
| examples.cpp:63:26:63:30 | fscanf output argument | semmle.label | fscanf output argument |
| examples.cpp:66:11:66:14 | data | semmle.label | data |
| examples.cpp:66:11:66:14 | data | semmle.label | data |
| examples.cpp:66:11:66:14 | data | semmle.label | data |
#select
| examples.cpp:66:11:66:14 | data | examples.cpp:63:26:63:30 | & ... | examples.cpp:66:11:66:14 | data | $@ flows to here and is used in arithmetic, potentially causing an underflow. | examples.cpp:63:26:63:30 | & ... | User-provided value |

1
cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticTainted.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE/CWE-190/ArithmeticTainted.ql

78
cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticUncontrolled.expected Normal file
View File

@@ -0,0 +1,78 @@
edges
| examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data |
| examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data |
| examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data |
| examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data |
| examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data |
| examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data |
| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data |
| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data |
| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data |
| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data |
| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data |
| examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data |
| examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data |
| examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data |
| examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data |
| examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data |
| examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data |
| examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data |
| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data |
| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data |
| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data |
| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data |
| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data |
| examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data |
nodes
| examples.cpp:22:26:22:33 | (unsigned int)... | semmle.label | (unsigned int)... |
| examples.cpp:22:26:22:33 | (unsigned int)... | semmle.label | (unsigned int)... |
| examples.cpp:22:26:22:33 | (unsigned int)... | semmle.label | (unsigned int)... |
| examples.cpp:22:26:22:33 | (unsigned int)... | semmle.label | (unsigned int)... |
| examples.cpp:22:26:22:33 | (unsigned int)... | semmle.label | (unsigned int)... |
| examples.cpp:22:26:22:33 | (unsigned int)... | semmle.label | (unsigned int)... |
| examples.cpp:22:26:22:33 | call to rand | semmle.label | call to rand |
| examples.cpp:22:26:22:33 | call to rand | semmle.label | call to rand |
| examples.cpp:22:26:22:33 | call to rand | semmle.label | call to rand |
| examples.cpp:22:26:22:33 | call to rand | semmle.label | call to rand |
| examples.cpp:22:26:22:33 | call to rand | semmle.label | call to rand |
| examples.cpp:22:26:22:33 | call to rand | semmle.label | call to rand |
| examples.cpp:25:31:25:34 | data | semmle.label | data |
| examples.cpp:35:26:35:33 | (unsigned int)... | semmle.label | (unsigned int)... |
| examples.cpp:35:26:35:33 | (unsigned int)... | semmle.label | (unsigned int)... |
| examples.cpp:35:26:35:33 | (unsigned int)... | semmle.label | (unsigned int)... |
| examples.cpp:35:26:35:33 | (unsigned int)... | semmle.label | (unsigned int)... |
| examples.cpp:35:26:35:33 | (unsigned int)... | semmle.label | (unsigned int)... |
| examples.cpp:35:26:35:33 | (unsigned int)... | semmle.label | (unsigned int)... |
| examples.cpp:35:26:35:33 | call to rand | semmle.label | call to rand |
| examples.cpp:35:26:35:33 | call to rand | semmle.label | call to rand |
| examples.cpp:35:26:35:33 | call to rand | semmle.label | call to rand |
| examples.cpp:35:26:35:33 | call to rand | semmle.label | call to rand |
| examples.cpp:35:26:35:33 | call to rand | semmle.label | call to rand |
| examples.cpp:35:26:35:33 | call to rand | semmle.label | call to rand |
| examples.cpp:38:9:38:12 | data | semmle.label | data |
subpaths
#select
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data | $@ flows to here and is used in arithmetic, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | Uncontrolled value |
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data | $@ flows to here and is used in arithmetic, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | Uncontrolled value |
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data | $@ flows to here and is used in arithmetic, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | Uncontrolled value |
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data | $@ flows to here and is used in arithmetic, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | Uncontrolled value |
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data | $@ flows to here and is used in arithmetic, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | Uncontrolled value |
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | (unsigned int)... | examples.cpp:25:31:25:34 | data | $@ flows to here and is used in arithmetic, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | Uncontrolled value |
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | $@ flows to here and is used in arithmetic, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | Uncontrolled value |
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | $@ flows to here and is used in arithmetic, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | Uncontrolled value |
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | $@ flows to here and is used in arithmetic, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | Uncontrolled value |
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | $@ flows to here and is used in arithmetic, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | Uncontrolled value |
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | $@ flows to here and is used in arithmetic, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | Uncontrolled value |
| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | $@ flows to here and is used in arithmetic, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | Uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data | $@ flows to here and is used in arithmetic, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | Uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data | $@ flows to here and is used in arithmetic, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | Uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data | $@ flows to here and is used in arithmetic, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | Uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data | $@ flows to here and is used in arithmetic, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | Uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data | $@ flows to here and is used in arithmetic, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | Uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | (unsigned int)... | examples.cpp:38:9:38:12 | data | $@ flows to here and is used in arithmetic, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | Uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | $@ flows to here and is used in arithmetic, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | Uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | $@ flows to here and is used in arithmetic, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | Uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | $@ flows to here and is used in arithmetic, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | Uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | $@ flows to here and is used in arithmetic, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | Uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | $@ flows to here and is used in arithmetic, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | Uncontrolled value |
| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | $@ flows to here and is used in arithmetic, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | Uncontrolled value |

1
cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticUncontrolled.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE/CWE-190/ArithmeticUncontrolled.ql

0
cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticWithExtremeValues.expected Normal file
View File

1
cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticWithExtremeValues.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql

1
cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/IntegerOverflowTainted.expected Normal file
View File

@@ -0,0 +1 @@
| examples.cpp:66:9:66:14 | -- ... | $@ flows to here and is used in an expression which might overflow negatively. | examples.cpp:63:26:63:30 | & ... | User-provided value |

1
cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/IntegerOverflowTainted.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE/CWE-190/IntegerOverflowTainted.ql

70
cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/examples.cpp Normal file
View File

@@ -0,0 +1,70 @@
// Some SAMATE Juliet test cases for rule CWE-190.
///// Library functions //////
typedef struct {} FILE;
extern FILE *stdin;
int fscanf(FILE *stream, const char *format, ...);
int rand(void);
#define URAND31() (((unsigned)rand()<<30) ^ ((unsigned)rand()<<15) ^ rand())
#define RAND32() ((int)(rand() & 1 ? URAND31() : -URAND31() - 1))
void printUnsignedLine(unsigned unsignedNumber);
//// Test code /////
void CWE191_Integer_Underflow__unsigned_int_rand_sub_01_bad()
{
unsigned int data;
data = 0;
/* POTENTIAL FLAW: Use a random value */
data = (unsigned int)RAND32();
{
/* POTENTIAL FLAW: Subtracting 1 from data could cause an underflow */
unsigned int result = data - 1;
printUnsignedLine(result);
}
}
void CWE191_Integer_Underflow__unsigned_int_rand_postdec_01_bad()
{
unsigned int data;
data = 0;
/* POTENTIAL FLAW: Use a random value */
data = (unsigned int)RAND32();
{
/* POTENTIAL FLAW: Decrementing data could cause an underflow */
data--;
unsigned int result = data;
printUnsignedLine(result);
}
}
void CWE191_Integer_Underflow__unsigned_int_min_postdec_01_bad()
{
unsigned int data;
data = 0;
/* POTENTIAL FLAW: Use the minimum size of the data type */
data = 0;
{
/* POTENTIAL FLAW: Decrementing data could cause an underflow [NOT DETECTED] */
data--;
unsigned int result = data;
printUnsignedLine(result);
}
}
void CWE191_Integer_Underflow__unsigned_int_fscanf_predec_01_bad()
{
unsigned int data;
data = 0;
/* POTENTIAL FLAW: Use a value input from the console */
fscanf (stdin, "%u", &data);
{
/* POTENTIAL FLAW: Decrementing data could cause an underflow */
--data;
unsigned int result = data;
printUnsignedLine(result);
}
}

1
cpp/ql/test/query-tests/Security/CWE/CWE-197/SAMATE/IntegerOverflowTainted/IntegerOverflowTainted.expected Normal file
View File

@@ -0,0 +1 @@
| tests.cpp:38:31:38:34 | data | $@ flows to here and is used in an expression which might overflow. | tests.cpp:57:27:57:31 | & ... | User-provided value |

1
cpp/ql/test/query-tests/Security/CWE/CWE-197/SAMATE/IntegerOverflowTainted/IntegerOverflowTainted.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE/CWE-190/IntegerOverflowTainted.ql

74
cpp/ql/test/query-tests/Security/CWE/CWE-197/SAMATE/IntegerOverflowTainted/tests.cpp Normal file
View File

@@ -0,0 +1,74 @@
//semmle-extractor-options: --edg --target --edg win64
// A selection of tests from the SAMATE Juliet framework for rule CWE-197.
// library types, functions etc
typedef struct {} FILE;
int fscanf(FILE *stream, const char *format, ...);
#define CHAR_MAX (127)
FILE *stdin;
void printHexCharLine(char charHex);
// ----------
class CWE197_Numeric_Truncation_Error__short_fscanf_82_base
{
public:
/* pure virtual function */
virtual void action(short data) = 0;
};
class CWE197_Numeric_Truncation_Error__short_fscanf_82_bad : public CWE197_Numeric_Truncation_Error__short_fscanf_82_base
{
public:
void action(short data);
};
class CWE197_Numeric_Truncation_Error__short_fscanf_82_goodG2B : public CWE197_Numeric_Truncation_Error__short_fscanf_82_base
{
public:
void action(short data);
};
void CWE197_Numeric_Truncation_Error__short_fscanf_82_bad::action(short data)
{
{
/* POTENTIAL FLAW: Convert data to a char, possibly causing a truncation error */
char charData = (char)data;
printHexCharLine(charData);
}
}
void CWE197_Numeric_Truncation_Error__short_fscanf_82_goodG2B::action(short data)
{
{
char charData = (char)data;
printHexCharLine(charData);
}
}
void bad()
{
short data;
/* Initialize data */
data = -1;
/* FLAW: Use a number input from the console using fscanf() */
fscanf (stdin, "%hd", &data);
CWE197_Numeric_Truncation_Error__short_fscanf_82_base* baseObject = new CWE197_Numeric_Truncation_Error__short_fscanf_82_bad;
baseObject->action(data);
delete baseObject;
}
/* goodG2B uses the GoodSource with the BadSink */
static void goodG2B()
{
short data;
/* Initialize data */
data = -1;
/* FIX: Use a positive integer less than CHAR_MAX*/
data = CHAR_MAX-5;
CWE197_Numeric_Truncation_Error__short_fscanf_82_base* baseObject = new CWE197_Numeric_Truncation_Error__short_fscanf_82_goodG2B;
baseObject->action(data);
delete baseObject;
}

1
cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/ExposedSystemData.expected Normal file
View File

@@ -0,0 +1 @@
| tests.c:70:9:70:15 | call to fprintf | This operation exposes system data from $@. | tests.c:54:13:54:22 | call to LogonUserA | call to LogonUserA |

1
cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/ExposedSystemData.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE/CWE-497/ExposedSystemData.ql

7
cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/OutputWrite.expected Normal file
View File

@@ -0,0 +1,7 @@
| tests.c:29:9:29:14 | call to printf | tests.c:29:16:29:21 | %s\n |
| tests.c:29:9:29:14 | call to printf | tests.c:29:24:29:27 | line |
| tests.c:43:13:43:21 | call to printLine | tests.c:43:23:43:38 | fgets() failed |
| tests.c:62:13:62:21 | call to printLine | tests.c:62:23:62:52 | User logged in successfully. |
| tests.c:67:13:67:21 | call to printLine | tests.c:67:23:67:40 | Unable to login. |
| tests.c:70:9:70:15 | call to fprintf | tests.c:70:25:70:67 | User attempted access with password: %s\n |
| tests.c:70:9:70:15 | call to fprintf | tests.c:70:70:70:77 | password |

4
cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/OutputWrite.ql Normal file
View File

@@ -0,0 +1,4 @@
import semmle.code.cpp.security.OutputWrite
from OutputWrite ow
select ow, ow.getASource()

72
cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/tests.c Normal file
View File

@@ -0,0 +1,72 @@
// SAMATE Juliet test cases for rule CWE-497.
// library functions etc
typedef struct {} FILE;
// define stdout, stderr in a similar style to MinGW
FILE std_files[2];
#define stdin (&std_files[0])
#define stderr (&std_files[1])
typedef unsigned long size_t;
size_t strlen(const char *s);
int printf(const char *format, ...);
int fprintf(FILE *stream, const char *format, ...);
char *fgets(char *s, int n, FILE *stream);
typedef struct {} *HANDLE;
int LogonUserA(const char *lpszUserName, const char *lpszDomain, const char *lpszPassword, int dwLogonType, int dwLogonProvider, HANDLE *phToken);
void CloseHandle(HANDLE h);
#define NULL (0)
#define LOGON32_LOGON_NETWORK (1)
#define LOGON32_PROVIDER_DEFAULT (2)
void printLine(const char * line)
{
if(line != NULL)
{
printf("%s\n", line);
}
}
void CWE535_Info_Exposure_Shell_Error__w32_char_01_bad()
{
{
char password[100] = "";
size_t passwordLen = 0;
HANDLE pHandle;
char * username = "User";
char * domain = "Domain";
if (fgets(password, 100, stdin) == NULL)
{
printLine("fgets() failed");
/* Restore NUL terminator if fgets fails */
password[0] = '\0';
}
/* Remove the carriage return from the string that is inserted by fgets() */
passwordLen = strlen(password);
if (passwordLen > 0)
{
password[passwordLen-1] = '\0';
}
/* Use the password in LogonUser() to establish that it is "sensitive" */
if (LogonUserA(
username,
domain,
password,
LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT,
&pHandle) != 0)
{
printLine("User logged in successfully.");
CloseHandle(pHandle);
}
else
{
printLine("Unable to login.");
}
/* FLAW: Write sensitive data to stderr */
fprintf(stderr, "User attempted access with password: %s\n", password);
}
}

3
cpp/ql/test/query-tests/Security/CWE/CWE-675/semmle/tests/DoubleRelease.expected Normal file
View File

@@ -0,0 +1,3 @@
| test.cpp:20:3:20:8 | call to fclose | Second call to the $@ function is possible. | test.cpp:21:3:21:8 | call to fclose | fclose |
| test.cpp:31:3:31:8 | call to fclose | Second call to the $@ function is possible. | test.cpp:32:3:32:8 | call to fclose | fclose |
| test.cpp:38:3:38:8 | call to fclose | Second call to the $@ function is possible. | test.cpp:44:3:44:8 | call to fclose | fclose |

1
cpp/ql/test/query-tests/Security/CWE/CWE-675/semmle/tests/DoubleRelease.qlref Normal file
View File

@@ -0,0 +1 @@
experimental/Security/CWE/CWE-675/DoubleRelease.ql

83
cpp/ql/test/query-tests/Security/CWE/CWE-675/semmle/tests/test.cpp Normal file
View File

@@ -0,0 +1,83 @@
#define NULL (0)
typedef int FILE;
FILE *fopen(const char *filename, const char *mode);
int fclose(FILE *stream);
extern FILE * fe;
void test1()
{
FILE *f;
f = fopen("myFile.txt", "wt");
fclose(f); // GOOD
f = NULL;
}
void test2()
{
FILE *f;
f = fopen("myFile.txt", "wt");
fclose(f); // BAD
fclose(f);
}
void test3()
{
FILE *f;
FILE *g;
f = fopen("myFile.txt", "wt");
g = f;
fclose(f); // BAD
fclose(g);
}
int fGtest4_1()
{
fe = fopen("myFile.txt", "wt");
fclose(fe); // BAD
return -1;
}
int fGtest4_2()
{
fclose(fe);
return -1;
}
void Gtest4()
{
fGtest4_1();
fGtest4_2();
}
int fGtest5_1()
{
fe = fopen("myFile.txt", "wt");
fclose(fe); // GOOD
fe = NULL;
return -1;
}
int fGtest5_2()
{
fclose(fe);
return -1;
}
void Gtest5()
{
fGtest5_1();
fGtest5_2();
}
int main(int argc, char *argv[])
{
test1();
test2();
test3();
Gtest4();
Gtest5();
return 0;
}

1
cpp/ql/test/query-tests/Security/CWE/CWE-676/SAMATE/DangerousUseOfCin/DangerousUseOfCin.expected Normal file
View File

@@ -0,0 +1 @@
| test.cpp:59:17:59:17 | call to operator>> | Use of 'cin' without specifying the length of the input may be dangerous. |

1
cpp/ql/test/query-tests/Security/CWE/CWE-676/SAMATE/DangerousUseOfCin/DangerousUseOfCin.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE/CWE-676/DangerousUseOfCin.ql

81
cpp/ql/test/query-tests/Security/CWE/CWE-676/SAMATE/DangerousUseOfCin/test.cpp Normal file
View File

@@ -0,0 +1,81 @@
// SAMATE Juliet test case for rule DangerousUseOfCin.ql / CWE-676.
// --- library types, functions etc ---
typedef unsigned long size_t;
namespace std
{
// --- std::istream ---
// std::char_traits
template<class CharT> class char_traits;
typedef size_t streamsize;
class ios_base {
public:
streamsize width(streamsize wide);
};
template <class charT, class traits = char_traits<charT> >
class basic_ios : public ios_base {
public:
};
// std::basic_istream
template <class charT, class traits = char_traits<charT> >
class basic_istream : virtual public basic_ios<charT,traits> {
};
// operator>> std::basic_istream -> char*
template<class charT, class traits> basic_istream<charT,traits>& operator>>(basic_istream<charT,traits>&, charT*);
// std::istream
typedef basic_istream<char> istream;
// --- std::cin ---
extern istream cin;
}
void printLine(const char *str);
// --- test cases ---
using namespace std;
#define CHAR_BUFFER_SIZE 10
void CWE676_Use_of_Potentially_Dangerous_Function__basic_17_bad()
{
int j;
for(j = 0; j < 1; j++)
{
{
char charBuffer[CHAR_BUFFER_SIZE];
/* FLAW: using cin in an inherently dangerous fashion */
/* INCIDENTAL CWE120 Buffer Overflow since cin extraction is unbounded. */
cin >> charBuffer; // BAD
charBuffer[CHAR_BUFFER_SIZE-1] = '\0';
printLine(charBuffer);
}
}
}
/* good1() changes the conditions on the for statements */
static void CWE676_Use_of_Potentially_Dangerous_Function__basic_17_good1()
{
int k;
for(k = 0; k < 1; k++)
{
{
char charBuffer[CHAR_BUFFER_SIZE];
/* FIX: Use cin after specifying the length of the input */
cin.width(CHAR_BUFFER_SIZE);
cin >> charBuffer; // GOOD
charBuffer[CHAR_BUFFER_SIZE-1] = '\0';
printLine(charBuffer);
}
}
}

0
cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/FileMayNotBeClosed.expected Normal file
View File

1
cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/FileMayNotBeClosed.qlref Normal file
View File

@@ -0,0 +1 @@
Critical/FileMayNotBeClosed.ql

3
cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/FileNeverClosed.expected Normal file
View File

@@ -0,0 +1,3 @@
| tests.cpp:220:12:220:16 | call to fopen | The file is never closed |
| tests.cpp:252:12:252:15 | call to open | The file is never closed |
| tests.cpp:278:12:278:21 | call to CreateFile | The file is never closed |

1
cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/FileNeverClosed.qlref Normal file
View File

@@ -0,0 +1 @@
Critical/FileNeverClosed.ql

Some files were not shown because too many files have changed in this diff Show More