mirror of
https://github.com/github/codeql.git
synced 2026-06-11 16:01:09 +02:00
C++
This commit is contained in:
Owen Mansel-Chan
@@ -1 +1,2 @@
|
||||
jsf/4.13 Functions/AV Rule 107.ql
|
||||
query: jsf/4.13 Functions/AV Rule 107.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Best Practices/Hiding/LocalVariableHidesGlobalVariable.ql
|
||||
query: Best Practices/Hiding/LocalVariableHidesGlobalVariable.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -48,7 +48,7 @@ void test1()
|
||||
|
||||
void test2()
|
||||
{
|
||||
Lock<Mutex> myLock(); // BAD (interpreted as a function declaration, this does nothing)
|
||||
Lock<Mutex> myLock(); // BAD (interpreted as a function declaration, this does nothing) // $ Alert[cpp/function-in-block]
|
||||
|
||||
// ...
|
||||
}
|
||||
@@ -62,14 +62,14 @@ void test3()
|
||||
|
||||
void test4()
|
||||
{
|
||||
Lock<Mutex>(myMutex); // BAD (creates an uninitialized variable called `myMutex`, probably not intended)
|
||||
Lock<Mutex>(myMutex); // BAD (creates an uninitialized variable called `myMutex`, probably not intended) // $ Alert[cpp/local-variable-hides-global-variable]
|
||||
|
||||
// ...
|
||||
}
|
||||
|
||||
void test5()
|
||||
{
|
||||
Lock<Mutex> myLock(Mutex); // BAD (interpreted as a function declaration, this does nothing)
|
||||
Lock<Mutex> myLock(Mutex); // BAD (interpreted as a function declaration, this does nothing) // $ Alert[cpp/function-in-block]
|
||||
|
||||
// ...
|
||||
}
|
||||
|
||||
@@ -1 +1 @@
|
||||
semmle/code/cpp/PrintAST.ql
|
||||
query: semmle/code/cpp/PrintAST.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser.ql
|
||||
query: experimental/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-020/LateCheckOfFunctionArgument.ql
|
||||
query: experimental/Security/CWE/CWE-020/LateCheckOfFunctionArgument.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -3,6 +3,6 @@ void workFunction_0(char *s) {
|
||||
char buf[80], buf1[8];
|
||||
if(len<0) return;
|
||||
memset(buf,0,len); //GOOD
|
||||
memset(buf1,0,len1); //BAD
|
||||
memset(buf1,0,len1); //BAD // $ Alert
|
||||
if(len1<0) return;
|
||||
}
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
#select
|
||||
| test.cpp:29:13:29:20 | *filePath | test.cpp:22:27:22:30 | **argv | test.cpp:29:13:29:20 | *filePath | Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection. |
|
||||
edges
|
||||
| test.cpp:22:27:22:30 | **argv | test.cpp:23:20:23:26 | *access to array | provenance | |
|
||||
| test.cpp:23:20:23:26 | *access to array | test.cpp:29:13:29:20 | *filePath | provenance | |
|
||||
@@ -6,5 +8,3 @@ nodes
|
||||
| test.cpp:23:20:23:26 | *access to array | semmle.label | *access to array |
|
||||
| test.cpp:29:13:29:20 | *filePath | semmle.label | *filePath |
|
||||
subpaths
|
||||
#select
|
||||
| test.cpp:29:13:29:20 | *filePath | test.cpp:22:27:22:30 | **argv | test.cpp:29:13:29:20 | *filePath | Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection. |
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-078/WordexpTainted.ql
|
||||
query: experimental/Security/CWE/CWE-078/WordexpTainted.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -19,14 +19,14 @@ enum {
|
||||
|
||||
int wordexp(const char *restrict s, wordexp_t *restrict p, int flags);
|
||||
|
||||
int main(int argc, char** argv) {
|
||||
int main(int argc, char** argv) { // $ Source
|
||||
char *filePath = argv[2];
|
||||
|
||||
{
|
||||
// BAD: the user string is injected directly into `wordexp` which performs command substitution
|
||||
|
||||
wordexp_t we;
|
||||
wordexp(filePath, &we, 0);
|
||||
wordexp(filePath, &we, 0); // $ Alert
|
||||
}
|
||||
|
||||
{
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-1041/FindWrapperFunctions.ql
|
||||
query: experimental/Security/CWE/CWE-1041/FindWrapperFunctions.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -20,7 +20,7 @@ void myFclose(FILE * fmy)
|
||||
int main(int argc, char *argv[])
|
||||
{
|
||||
fe = fopen("myFile.txt", "wt");
|
||||
fclose(fe); // BAD
|
||||
fclose(fe); // BAD // $ Alert
|
||||
fe = fopen("myFile.txt", "wt");
|
||||
myFclose(fe); // GOOD
|
||||
return 0;
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
|
||||
query: experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -11,7 +11,7 @@ void workFunction_0(char *s) {
|
||||
while(intIndex > 2)
|
||||
{
|
||||
buf[intIndex] = 1;
|
||||
int intIndex; // BAD
|
||||
int intIndex; // BAD // $ Alert
|
||||
intIndex--;
|
||||
}
|
||||
intIndex = 10;
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-1240/CustomCryptographicPrimitive.ql
|
||||
query: experimental/Security/CWE/CWE-1240/CustomCryptographicPrimitive.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -8,7 +8,7 @@ int strlen(const char *string);
|
||||
|
||||
// the following function is homebrew crypto written for this test. This is a bad algorithm
|
||||
// on multiple levels and should never be used in cryptography.
|
||||
void encryptString(char *string, unsigned int key) {
|
||||
void encryptString(char *string, unsigned int key) { // $ Alert
|
||||
char *ptr = string;
|
||||
int len = strlen(string);
|
||||
|
||||
@@ -27,7 +27,7 @@ void encryptString(char *string, unsigned int key) {
|
||||
|
||||
// the following function is homebrew crypto written for this test. This is a bad algorithm
|
||||
// on multiple levels and should never be used in cryptography.
|
||||
void MyEncrypt(const unsigned int *dataIn, unsigned int *dataOut, unsigned int dataSize, unsigned int key[2]) {
|
||||
void MyEncrypt(const unsigned int *dataIn, unsigned int *dataOut, unsigned int dataSize, unsigned int key[2]) { // $ Alert
|
||||
unsigned int state[2];
|
||||
unsigned int t;
|
||||
|
||||
@@ -48,7 +48,7 @@ void MyEncrypt(const unsigned int *dataIn, unsigned int *dataOut, unsigned int d
|
||||
// the following function resembles an implementation of the AES "mix columns"
|
||||
// step. It is not accurate, efficient or safe and should never be used in
|
||||
// cryptography.
|
||||
void mix_columns(const uint8_t inputs[4], uint8_t outputs[4]) {
|
||||
void mix_columns(const uint8_t inputs[4], uint8_t outputs[4]) { // $ Alert
|
||||
// The "mix columns" step takes four bytes as inputs. Each byte represents a
|
||||
// polynomial with 8 one-bit coefficients, e.g. input bits 00001101
|
||||
// represent the polynomial x^3 + x^2 + 1. Arithmetic is reduced modulo
|
||||
@@ -80,7 +80,7 @@ void mix_columns(const uint8_t inputs[4], uint8_t outputs[4]) {
|
||||
// the following function resembles initialization of an S-box as may be done
|
||||
// in an implementation of DES, AES and other encryption algorithms. It is not
|
||||
// accurate, efficient or safe and should never be used in cryptography.
|
||||
void init_aes_sbox(unsigned char data[256]) {
|
||||
void init_aes_sbox(unsigned char data[256]) { // $ Alert
|
||||
// initialize `data` in a loop using lots of ^, ^= and << operations and
|
||||
// a few fixed constants.
|
||||
unsigned int state = 0x12345678;
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-125/DangerousWorksWithMultibyteOrWideCharacters.ql
|
||||
query: experimental/Security/CWE/CWE-125/DangerousWorksWithMultibyteOrWideCharacters.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -63,7 +63,7 @@ static void badTest1(const char* ptr)
|
||||
int ret;
|
||||
int len;
|
||||
len = strlen(ptr);
|
||||
for (wchar_t wc; (ret = mbtowc(&wc, ptr, 4)) > 0; len-=ret) { // BAD:we can get unpredictable results
|
||||
for (wchar_t wc; (ret = mbtowc(&wc, ptr, 4)) > 0; len-=ret) { // BAD:we can get unpredictable results // $ Alert
|
||||
wprintf(L"%lc", wc);
|
||||
ptr += ret;
|
||||
}
|
||||
@@ -73,7 +73,7 @@ static void badTest2(const char* ptr)
|
||||
int ret;
|
||||
int len;
|
||||
len = strlen(ptr);
|
||||
for (wchar_t wc; (ret = mbtowc(&wc, ptr, sizeof(wchar_t))) > 0; len-=ret) { // BAD:we can get unpredictable results
|
||||
for (wchar_t wc; (ret = mbtowc(&wc, ptr, sizeof(wchar_t))) > 0; len-=ret) { // BAD:we can get unpredictable results // $ Alert
|
||||
wprintf(L"%lc", wc);
|
||||
ptr += ret;
|
||||
}
|
||||
@@ -103,7 +103,7 @@ static void badTest3(const char* ptr,int wc_len)
|
||||
len = wc_len;
|
||||
wchar_t *wc = new wchar_t[wc_len];
|
||||
while (*ptr && len > 0) {
|
||||
ret = mbtowc(wc, ptr, MB_CUR_MAX); // BAD
|
||||
ret = mbtowc(wc, ptr, MB_CUR_MAX); // BAD // $ Alert
|
||||
if (ret <0)
|
||||
break;
|
||||
if (ret == 0 || ret > len)
|
||||
@@ -120,7 +120,7 @@ static void badTest4(const char* ptr,int wc_len)
|
||||
len = wc_len;
|
||||
wchar_t *wc = new wchar_t[wc_len];
|
||||
while (*ptr && len > 0) {
|
||||
ret = mbtowc(wc, ptr, 16); // BAD
|
||||
ret = mbtowc(wc, ptr, 16); // BAD // $ Alert
|
||||
if (ret <0)
|
||||
break;
|
||||
if (ret == 0 || ret > len)
|
||||
@@ -137,7 +137,7 @@ static void badTest5(const char* ptr,int wc_len)
|
||||
len = wc_len;
|
||||
wchar_t *wc = new wchar_t[wc_len];
|
||||
while (*ptr && len > 0) {
|
||||
ret = mbtowc(wc, ptr, sizeof(wchar_t)); // BAD
|
||||
ret = mbtowc(wc, ptr, sizeof(wchar_t)); // BAD // $ Alert
|
||||
if (ret <0)
|
||||
break;
|
||||
if (ret == 0 || ret > len)
|
||||
@@ -155,7 +155,7 @@ static void badTest6(const char* ptr,int wc_len)
|
||||
len = wc_len;
|
||||
wchar_t *wc = new wchar_t[wc_len];
|
||||
while (*ptr && wc_len > 0) {
|
||||
ret = mbtowc(wc, ptr, wc_len); // BAD
|
||||
ret = mbtowc(wc, ptr, wc_len); // BAD // $ Alert
|
||||
if (ret <0)
|
||||
if (checkErrors()) {
|
||||
++ptr;
|
||||
@@ -178,7 +178,7 @@ static void badTest7(const char* ptr,int wc_len)
|
||||
len = wc_len;
|
||||
wchar_t *wc = new wchar_t[wc_len];
|
||||
while (*ptr && wc_len > 0) {
|
||||
ret = mbtowc(wc, ptr, len); // BAD
|
||||
ret = mbtowc(wc, ptr, len); // BAD // $ Alert
|
||||
if (ret <0)
|
||||
break;
|
||||
if (ret == 0 || ret > len)
|
||||
@@ -194,7 +194,7 @@ static void badTest8(const char* ptr,wchar_t *wc)
|
||||
int len;
|
||||
len = strlen(ptr);
|
||||
while (*ptr && len > 0) {
|
||||
ret = mbtowc(wc, ptr, len); // BAD
|
||||
ret = mbtowc(wc, ptr, len); // BAD // $ Alert
|
||||
if (ret <0)
|
||||
break;
|
||||
if (ret == 0 || ret > len)
|
||||
|
||||
@@ -25,8 +25,8 @@ void* calloc (size_t num, size_t size);
|
||||
void* malloc (size_t size);
|
||||
|
||||
static void badTest1(void *src, int size) {
|
||||
WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, (LPSTR)src, size, 0, 0); // BAD
|
||||
MultiByteToWideChar(CP_ACP, 0, (LPCSTR)src, -1, (LPCWSTR)src, 30); // BAD
|
||||
WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, (LPSTR)src, size, 0, 0); // BAD // $ Alert
|
||||
MultiByteToWideChar(CP_ACP, 0, (LPCSTR)src, -1, (LPCWSTR)src, 30); // BAD // $ Alert
|
||||
}
|
||||
void goodTest2(){
|
||||
wchar_t src[] = L"0123456789ABCDEF";
|
||||
@@ -42,7 +42,7 @@ void goodTest2(){
|
||||
static void badTest2(){
|
||||
wchar_t src[] = L"0123456789ABCDEF";
|
||||
char dst[16];
|
||||
WideCharToMultiByte(CP_UTF8, 0, src, -1, dst, 16, NULL, NULL); // BAD
|
||||
WideCharToMultiByte(CP_UTF8, 0, src, -1, dst, 16, NULL, NULL); // BAD // $ Alert
|
||||
printf("%s\n", dst);
|
||||
}
|
||||
static void goodTest3(){
|
||||
@@ -55,7 +55,7 @@ static void badTest3(){
|
||||
char src[] = "0123456789ABCDEF";
|
||||
int size = MultiByteToWideChar(CP_UTF8, 0, src,sizeof(src),NULL,0);
|
||||
wchar_t * dst = (wchar_t*)calloc(size + 1, 1);
|
||||
MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // BAD
|
||||
MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // BAD // $ Alert
|
||||
}
|
||||
static void goodTest4(){
|
||||
char src[] = "0123456789ABCDEF";
|
||||
@@ -67,13 +67,13 @@ static void badTest4(){
|
||||
char src[] = "0123456789ABCDEF";
|
||||
int size = MultiByteToWideChar(CP_UTF8, 0, src,sizeof(src),NULL,0);
|
||||
wchar_t * dst = (wchar_t*)malloc(size + 1);
|
||||
MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // BAD
|
||||
MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // BAD // $ Alert
|
||||
}
|
||||
static int goodTest5(void *src){
|
||||
return WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, 0, 0, 0, 0); // GOOD
|
||||
}
|
||||
static int badTest5 (void *src) {
|
||||
return WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, 0, 3, 0, 0); // BAD
|
||||
return WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, 0, 3, 0, 0); // BAD // $ Alert
|
||||
}
|
||||
static void goodTest6(WCHAR *src)
|
||||
{
|
||||
@@ -90,6 +90,6 @@ static void goodTest6(WCHAR *src)
|
||||
static void badTest6(WCHAR *src)
|
||||
{
|
||||
char dst[5] ="";
|
||||
WideCharToMultiByte(CP_ACP, 0, src, -1, dst, 260, 0, 0); // BAD
|
||||
WideCharToMultiByte(CP_ACP, 0, src, -1, dst, 260, 0, 0); // BAD // $ Alert
|
||||
printf("%s\n", dst);
|
||||
}
|
||||
|
||||
@@ -12,11 +12,11 @@ size_t mbsrtowcs(wchar_t *wcstr,const char *mbstr,size_t count, mbstate_t *mbsta
|
||||
|
||||
|
||||
static void badTest1(void *src, int size) {
|
||||
mbstowcs((wchar_t*)src,(char*)src,size); // BAD
|
||||
mbstowcs((wchar_t*)src,(char*)src,size); // BAD // $ Alert
|
||||
_locale_t locale;
|
||||
_mbstowcs_l((wchar_t*)src,(char*)src,size,locale); // BAD
|
||||
_mbstowcs_l((wchar_t*)src,(char*)src,size,locale); // BAD // $ Alert
|
||||
mbstate_t *mbstate;
|
||||
mbsrtowcs((wchar_t*)src,(char*)src,size,mbstate); // BAD
|
||||
mbsrtowcs((wchar_t*)src,(char*)src,size,mbstate); // BAD // $ Alert
|
||||
}
|
||||
static void goodTest2(){
|
||||
char src[] = "0123456789ABCDEF";
|
||||
@@ -32,7 +32,7 @@ static void goodTest2(){
|
||||
static void badTest2(){
|
||||
char src[] = "0123456789ABCDEF";
|
||||
wchar_t dst[16];
|
||||
mbstowcs(dst, src,16); // BAD
|
||||
mbstowcs(dst, src,16); // BAD // $ Alert
|
||||
printf("%s\n", dst);
|
||||
}
|
||||
static void goodTest3(){
|
||||
@@ -45,7 +45,7 @@ static void badTest3(){
|
||||
char src[] = "0123456789ABCDEF";
|
||||
int size = mbstowcs(NULL, src,NULL);
|
||||
wchar_t * dst = (wchar_t*)calloc(size + 1, 1);
|
||||
mbstowcs(dst, src,size+1); // BAD
|
||||
mbstowcs(dst, src,size+1); // BAD // $ Alert
|
||||
}
|
||||
static void goodTest4(){
|
||||
char src[] = "0123456789ABCDEF";
|
||||
@@ -57,13 +57,13 @@ static void badTest4(){
|
||||
char src[] = "0123456789ABCDEF";
|
||||
int size = mbstowcs(NULL, src,NULL);
|
||||
wchar_t * dst = (wchar_t*)malloc(size + 1);
|
||||
mbstowcs(dst, src,size+1); // BAD
|
||||
mbstowcs(dst, src,size+1); // BAD // $ Alert
|
||||
}
|
||||
static int goodTest5(void *src){
|
||||
return mbstowcs(NULL, (char*)src,NULL); // GOOD
|
||||
}
|
||||
static int badTest5 (void *src) {
|
||||
return mbstowcs(NULL, (char*)src,3); // BAD
|
||||
return mbstowcs(NULL, (char*)src,3); // BAD // $ Alert
|
||||
}
|
||||
static void goodTest6(void *src){
|
||||
wchar_t dst[5];
|
||||
@@ -77,6 +77,6 @@ static void goodTest6(void *src){
|
||||
}
|
||||
static void badTest6(void *src){
|
||||
wchar_t dst[5];
|
||||
mbstowcs(dst, (char*)src,260); // BAD
|
||||
mbstowcs(dst, (char*)src,260); // BAD // $ Alert
|
||||
printf("%s\n", dst);
|
||||
}
|
||||
|
||||
@@ -13,7 +13,7 @@ static size_t badTest1(unsigned char *src){
|
||||
int cb = 0;
|
||||
unsigned char dst[50];
|
||||
while( cb < sizeof(dst) )
|
||||
dst[cb++]=*src++; // BAD
|
||||
dst[cb++]=*src++; // BAD // $ Alert
|
||||
return _mbclen(dst);
|
||||
}
|
||||
static void goodTest2(unsigned char *src){
|
||||
@@ -33,7 +33,7 @@ static void badTest2(unsigned char *src){
|
||||
unsigned char dst[50];
|
||||
while( cb < sizeof(dst) )
|
||||
{
|
||||
_mbccpy(dst+cb,src); // BAD
|
||||
_mbccpy(dst+cb,src); // BAD // $ Alert
|
||||
cb+=_mbclen(src);
|
||||
src=_mbsinc(src);
|
||||
}
|
||||
@@ -44,5 +44,5 @@ static void goodTest3(){
|
||||
}
|
||||
static void badTest3(){
|
||||
wchar_t name[50];
|
||||
name[sizeof(name) - 1] = L'\0'; // BAD
|
||||
name[sizeof(name) - 1] = L'\0'; // BAD // $ Alert
|
||||
}
|
||||
|
||||
@@ -1,3 +1,13 @@
|
||||
#select
|
||||
| test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:13:33:13:37 | ... * ... | multiplication |
|
||||
| test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:15:31:15:35 | ... * ... | multiplication |
|
||||
| test.cpp:19:34:19:38 | ... * ... | test.cpp:19:34:19:38 | ... * ... | test.cpp:19:34:19:38 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:19:34:19:38 | ... * ... | multiplication |
|
||||
| test.cpp:23:33:23:37 | size1 | test.cpp:22:17:22:21 | ... * ... | test.cpp:23:33:23:37 | size1 | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:22:17:22:21 | ... * ... | multiplication |
|
||||
| test.cpp:30:18:30:32 | ... * ... | test.cpp:30:18:30:32 | ... * ... | test.cpp:30:18:30:32 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:30:18:30:32 | ... * ... | multiplication |
|
||||
| test.cpp:31:18:31:32 | ... * ... | test.cpp:31:18:31:32 | ... * ... | test.cpp:31:18:31:32 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:31:18:31:32 | ... * ... | multiplication |
|
||||
| test.cpp:37:46:37:49 | size | test.cpp:45:36:45:40 | ... * ... | test.cpp:37:46:37:49 | size | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:45:36:45:40 | ... * ... | multiplication |
|
||||
| test.cpp:45:36:45:40 | ... * ... | test.cpp:45:36:45:40 | ... * ... | test.cpp:45:36:45:40 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:45:36:45:40 | ... * ... | multiplication |
|
||||
| test.cpp:46:36:46:40 | ... * ... | test.cpp:46:36:46:40 | ... * ... | test.cpp:46:36:46:40 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:46:36:46:40 | ... * ... | multiplication |
|
||||
edges
|
||||
| test.cpp:22:17:22:21 | ... * ... | test.cpp:22:17:22:21 | ... * ... | provenance | |
|
||||
| test.cpp:22:17:22:21 | ... * ... | test.cpp:23:33:23:37 | size1 | provenance | |
|
||||
@@ -18,13 +28,3 @@ nodes
|
||||
| test.cpp:45:36:45:40 | ... * ... | semmle.label | ... * ... |
|
||||
| test.cpp:46:36:46:40 | ... * ... | semmle.label | ... * ... |
|
||||
subpaths
|
||||
#select
|
||||
| test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:13:33:13:37 | ... * ... | multiplication |
|
||||
| test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:15:31:15:35 | ... * ... | multiplication |
|
||||
| test.cpp:19:34:19:38 | ... * ... | test.cpp:19:34:19:38 | ... * ... | test.cpp:19:34:19:38 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:19:34:19:38 | ... * ... | multiplication |
|
||||
| test.cpp:23:33:23:37 | size1 | test.cpp:22:17:22:21 | ... * ... | test.cpp:23:33:23:37 | size1 | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:22:17:22:21 | ... * ... | multiplication |
|
||||
| test.cpp:30:18:30:32 | ... * ... | test.cpp:30:18:30:32 | ... * ... | test.cpp:30:18:30:32 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:30:18:30:32 | ... * ... | multiplication |
|
||||
| test.cpp:31:18:31:32 | ... * ... | test.cpp:31:18:31:32 | ... * ... | test.cpp:31:18:31:32 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:31:18:31:32 | ... * ... | multiplication |
|
||||
| test.cpp:37:46:37:49 | size | test.cpp:45:36:45:40 | ... * ... | test.cpp:37:46:37:49 | size | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:45:36:45:40 | ... * ... | multiplication |
|
||||
| test.cpp:45:36:45:40 | ... * ... | test.cpp:45:36:45:40 | ... * ... | test.cpp:45:36:45:40 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:45:36:45:40 | ... * ... | multiplication |
|
||||
| test.cpp:46:36:46:40 | ... * ... | test.cpp:46:36:46:40 | ... * ... | test.cpp:46:36:46:40 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:46:36:46:40 | ... * ... | multiplication |
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
|
||||
query: experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -10,31 +10,31 @@ void test()
|
||||
int y = getAnInt();
|
||||
|
||||
char *buffer1 = (char *)malloc(x + y); // GOOD
|
||||
char *buffer2 = (char *)malloc(x * y); // BAD
|
||||
char *buffer2 = (char *)malloc(x * y); // BAD // $ Alert
|
||||
int *buffer3 = (int *)malloc(x * sizeof(int)); // GOOD
|
||||
int *buffer4 = (int *)malloc(x * y * sizeof(int)); // BAD
|
||||
int *buffer4 = (int *)malloc(x * y * sizeof(int)); // BAD // $ Alert
|
||||
|
||||
if ((x <= 1000) && (y <= 1000))
|
||||
{
|
||||
char *buffer5 = (char *)malloc(x * y); // GOOD [FALSE POSITIVE]
|
||||
char *buffer5 = (char *)malloc(x * y); // GOOD [FALSE POSITIVE] // $ Alert
|
||||
}
|
||||
|
||||
size_t size1 = x * y;
|
||||
char *buffer5 = (char *)malloc(size1); // BAD
|
||||
size_t size1 = x * y; // $ Source
|
||||
char *buffer5 = (char *)malloc(size1); // BAD // $ Alert
|
||||
|
||||
size_t size2 = x;
|
||||
size2 *= y;
|
||||
char *buffer6 = (char *)malloc(size2); // BAD [NOT DETECTED]
|
||||
|
||||
char *buffer7 = new char[x * 10]; // GOOD
|
||||
char *buffer8 = new char[x * y]; // BAD
|
||||
char *buffer9 = new char[x * x]; // BAD
|
||||
char *buffer8 = new char[x * y]; // BAD // $ Alert
|
||||
char *buffer9 = new char[x * x]; // BAD // $ Alert
|
||||
}
|
||||
|
||||
|
||||
// --- custom allocators ---
|
||||
|
||||
void *MyMalloc1(size_t size) { return malloc(size); } // [additional detection here]
|
||||
void *MyMalloc1(size_t size) { return malloc(size); } // [additional detection here] // $ Alert
|
||||
void *MyMalloc2(size_t size);
|
||||
|
||||
void customAllocatorTests()
|
||||
@@ -42,6 +42,6 @@ void customAllocatorTests()
|
||||
int x = getAnInt();
|
||||
int y = getAnInt();
|
||||
|
||||
char *buffer1 = (char *)MyMalloc1(x * y); // BAD
|
||||
char *buffer2 = (char *)MyMalloc2(x * y); // BAD
|
||||
char *buffer1 = (char *)MyMalloc1(x * y); // BAD // $ Alert Source
|
||||
char *buffer2 = (char *)MyMalloc2(x * y); // BAD // $ Alert
|
||||
}
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation.ql
|
||||
query: experimental/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -6,17 +6,17 @@ void functionWork(char aA[10],unsigned int aUI) {
|
||||
int aI;
|
||||
|
||||
aI = (aUI*8)/10; // GOOD
|
||||
aI = aUI*8; // BAD
|
||||
aI = aUI*8; // BAD // $ Alert
|
||||
aP = aA+aI;
|
||||
aI = (int)aUI*8; // GOOD
|
||||
|
||||
aL = (unsigned long)(aI*aI); // BAD
|
||||
aL = (unsigned long)(aI*aI); // BAD // $ Alert
|
||||
aL = ((unsigned long)aI*aI); // GOOD
|
||||
|
||||
testCall((unsigned long)(aI*aI)); // BAD
|
||||
testCall((unsigned long)(aI*aI)); // BAD // $ Alert
|
||||
testCall(((unsigned long)aI*aI)); // GOOD
|
||||
|
||||
if((unsigned long)(aI*aI) > aL) // BAD
|
||||
if((unsigned long)(aI*aI) > aL) // BAD // $ Alert
|
||||
return;
|
||||
if(((unsigned long)aI*aI) > aL) // GOOD
|
||||
return;
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.ql
|
||||
query: experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -15,49 +15,49 @@ void test()
|
||||
unsigned short b1 = getAnUnsignedShort();
|
||||
unsigned short c1 = getAnUnsignedShort();
|
||||
|
||||
if (a+b>c) a = c-b; // BAD
|
||||
if (a+b>c) { a = c-b; } // BAD
|
||||
if (b+a>c) a = c-b; // BAD
|
||||
if (b+a>c) { a = c-b; } // BAD
|
||||
if (c>a+b) a = c-b; // BAD
|
||||
if (c>a+b) { a = c-b; } // BAD
|
||||
if (c>b+a) a = c-b; // BAD
|
||||
if (c>b+a) { a = c-b; } // BAD
|
||||
if (a+b>c) a = c-b; // BAD // $ Alert
|
||||
if (a+b>c) { a = c-b; } // BAD // $ Alert
|
||||
if (b+a>c) a = c-b; // BAD // $ Alert
|
||||
if (b+a>c) { a = c-b; } // BAD // $ Alert
|
||||
if (c>a+b) a = c-b; // BAD // $ Alert
|
||||
if (c>a+b) { a = c-b; } // BAD // $ Alert
|
||||
if (c>b+a) a = c-b; // BAD // $ Alert
|
||||
if (c>b+a) { a = c-b; } // BAD // $ Alert
|
||||
|
||||
if (a+b>=c) a = c-b; // BAD
|
||||
if (a+b>=c) { a = c-b; } // BAD
|
||||
if (b+a>=c) a = c-b; // BAD
|
||||
if (b+a>=c) { a = c-b; } // BAD
|
||||
if (c>=a+b) a = c-b; // BAD
|
||||
if (c>=a+b) { a = c-b; } // BAD
|
||||
if (c>=b+a) a = c-b; // BAD
|
||||
if (c>=b+a) { a = c-b; } // BAD
|
||||
if (a+b>=c) a = c-b; // BAD // $ Alert
|
||||
if (a+b>=c) { a = c-b; } // BAD // $ Alert
|
||||
if (b+a>=c) a = c-b; // BAD // $ Alert
|
||||
if (b+a>=c) { a = c-b; } // BAD // $ Alert
|
||||
if (c>=a+b) a = c-b; // BAD // $ Alert
|
||||
if (c>=a+b) { a = c-b; } // BAD // $ Alert
|
||||
if (c>=b+a) a = c-b; // BAD // $ Alert
|
||||
if (c>=b+a) { a = c-b; } // BAD // $ Alert
|
||||
|
||||
if (a+b<c) a = c-b; // BAD
|
||||
if (a+b<c) { a = c-b; } // BAD
|
||||
if (b+a<c) a = c-b; // BAD
|
||||
if (b+a<c) { a = c-b; } // BAD
|
||||
if (c<a+b) a = c-b; // BAD
|
||||
if (c<a+b) { a = c-b; } // BAD
|
||||
if (c<b+a) a = c-b; // BAD
|
||||
if (c<b+a) { a = c-b; } // BAD
|
||||
if (a+b<c) a = c-b; // BAD // $ Alert
|
||||
if (a+b<c) { a = c-b; } // BAD // $ Alert
|
||||
if (b+a<c) a = c-b; // BAD // $ Alert
|
||||
if (b+a<c) { a = c-b; } // BAD // $ Alert
|
||||
if (c<a+b) a = c-b; // BAD // $ Alert
|
||||
if (c<a+b) { a = c-b; } // BAD // $ Alert
|
||||
if (c<b+a) a = c-b; // BAD // $ Alert
|
||||
if (c<b+a) { a = c-b; } // BAD // $ Alert
|
||||
|
||||
if (a+b<=c) a = c-b; // BAD
|
||||
if (a+b<=c) { a = c-b; } // BAD
|
||||
if (b+a<=c) a = c-b; // BAD
|
||||
if (b+a<=c) { a = c-b; } // BAD
|
||||
if (c<=a+b) a = c-b; // BAD
|
||||
if (c<=a+b) { a = c-b; } // BAD
|
||||
if (c<=b+a) a = c-b; // BAD
|
||||
if (c<=b+a) { a = c-b; } // BAD
|
||||
if (a+b<=c) a = c-b; // BAD // $ Alert
|
||||
if (a+b<=c) { a = c-b; } // BAD // $ Alert
|
||||
if (b+a<=c) a = c-b; // BAD // $ Alert
|
||||
if (b+a<=c) { a = c-b; } // BAD // $ Alert
|
||||
if (c<=a+b) a = c-b; // BAD // $ Alert
|
||||
if (c<=a+b) { a = c-b; } // BAD // $ Alert
|
||||
if (c<=b+a) a = c-b; // BAD // $ Alert
|
||||
if (c<=b+a) { a = c-b; } // BAD // $ Alert
|
||||
|
||||
if (a+b>d) a = d-b; // BAD
|
||||
if (a+b>d) a = d-b; // BAD // $ Alert
|
||||
if (a+(double)b>c) a = c-b; // GOOD
|
||||
if (a+(-x)>c) a = c-(-y); // GOOD
|
||||
if (a+b>c) { b++; a = c-b; } // GOOD
|
||||
if (a+d>c) a = c-d; // GOOD
|
||||
if (a1+b1>c1) a1 = c1-b1; // GOOD
|
||||
|
||||
if (a+b<=c) { /* ... */ } else { a = c-b; } // BAD
|
||||
if (a+b<=c) { return; } a = c-b; // BAD
|
||||
if (a+b<=c) { /* ... */ } else { a = c-b; } // BAD // $ Alert
|
||||
if (a+b<=c) { return; } a = c-b; // BAD // $ Alert
|
||||
}
|
||||
|
||||
@@ -1,3 +1,22 @@
|
||||
#select
|
||||
| test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:4:24:4:27 | size | size |
|
||||
| test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:4:24:4:27 | size | size |
|
||||
| test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:5:25:5:28 | size | size |
|
||||
| test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:9:26:9:29 | size | size |
|
||||
| test.cpp:35:13:35:13 | p | test.cpp:21:13:21:18 | call to malloc | test.cpp:35:13:35:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:30:29:30:32 | size | size |
|
||||
| test.cpp:35:13:35:13 | p | test.cpp:21:13:21:18 | call to malloc | test.cpp:35:13:35:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:34:30:34:33 | size | size |
|
||||
| test.cpp:45:13:45:13 | p | test.cpp:21:13:21:18 | call to malloc | test.cpp:45:13:45:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:40:29:40:32 | size | size |
|
||||
| test.cpp:45:13:45:13 | p | test.cpp:21:13:21:18 | call to malloc | test.cpp:45:13:45:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:44:30:44:33 | size | size |
|
||||
| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:55:20:55:23 | size | size |
|
||||
| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:55:20:55:23 | size | size |
|
||||
| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:56:5:56:19 | ... = ... | ... = ... |
|
||||
| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:56:5:56:19 | ... = ... | ... = ... |
|
||||
| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:56:16:56:19 | size | size |
|
||||
| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:58:29:58:32 | size | size |
|
||||
| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:62:30:62:33 | size | size |
|
||||
| test.cpp:83:14:83:14 | p | test.cpp:69:14:69:19 | call to malloc | test.cpp:83:14:83:14 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:69:14:69:19 | call to malloc | call to malloc | test.cpp:82:31:82:34 | size | size |
|
||||
| test.cpp:93:14:93:14 | p | test.cpp:69:14:69:19 | call to malloc | test.cpp:93:14:93:14 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:69:14:69:19 | call to malloc | call to malloc | test.cpp:88:30:88:33 | size | size |
|
||||
| test.cpp:93:14:93:14 | p | test.cpp:69:14:69:19 | call to malloc | test.cpp:93:14:93:14 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:69:14:69:19 | call to malloc | call to malloc | test.cpp:92:31:92:34 | size | size |
|
||||
edges
|
||||
| test.cpp:4:17:4:22 | call to malloc | test.cpp:4:17:4:22 | call to malloc | provenance | |
|
||||
| test.cpp:4:17:4:22 | call to malloc | test.cpp:6:9:6:11 | arr | provenance | |
|
||||
@@ -99,22 +118,3 @@ nodes
|
||||
| test.cpp:98:18:98:27 | test6_callee output argument [p] | semmle.label | test6_callee output argument [p] |
|
||||
subpaths
|
||||
| test.cpp:98:18:98:27 | *call to mk_array_p [p] | test.cpp:87:28:87:30 | *arr [p] | test.cpp:87:28:87:30 | *arr [p] | test.cpp:98:18:98:27 | test6_callee output argument [p] |
|
||||
#select
|
||||
| test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:4:24:4:27 | size | size |
|
||||
| test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:4:24:4:27 | size | size |
|
||||
| test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:5:25:5:28 | size | size |
|
||||
| test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:9:26:9:29 | size | size |
|
||||
| test.cpp:35:13:35:13 | p | test.cpp:21:13:21:18 | call to malloc | test.cpp:35:13:35:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:30:29:30:32 | size | size |
|
||||
| test.cpp:35:13:35:13 | p | test.cpp:21:13:21:18 | call to malloc | test.cpp:35:13:35:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:34:30:34:33 | size | size |
|
||||
| test.cpp:45:13:45:13 | p | test.cpp:21:13:21:18 | call to malloc | test.cpp:45:13:45:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:40:29:40:32 | size | size |
|
||||
| test.cpp:45:13:45:13 | p | test.cpp:21:13:21:18 | call to malloc | test.cpp:45:13:45:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:44:30:44:33 | size | size |
|
||||
| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:55:20:55:23 | size | size |
|
||||
| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:55:20:55:23 | size | size |
|
||||
| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:56:5:56:19 | ... = ... | ... = ... |
|
||||
| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:56:5:56:19 | ... = ... | ... = ... |
|
||||
| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:56:16:56:19 | size | size |
|
||||
| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:58:29:58:32 | size | size |
|
||||
| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:62:30:62:33 | size | size |
|
||||
| test.cpp:83:14:83:14 | p | test.cpp:69:14:69:19 | call to malloc | test.cpp:83:14:83:14 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:69:14:69:19 | call to malloc | call to malloc | test.cpp:82:31:82:34 | size | size |
|
||||
| test.cpp:93:14:93:14 | p | test.cpp:69:14:69:19 | call to malloc | test.cpp:93:14:93:14 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:69:14:69:19 | call to malloc | call to malloc | test.cpp:88:30:88:33 | size | size |
|
||||
| test.cpp:93:14:93:14 | p | test.cpp:69:14:69:19 | call to malloc | test.cpp:93:14:93:14 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:69:14:69:19 | call to malloc | call to malloc | test.cpp:92:31:92:34 | size | size |
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Likely Bugs/ArrayAccessProductFlow.ql
|
||||
query: experimental/Likely Bugs/ArrayAccessProductFlow.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1,13 +1,13 @@
|
||||
char *malloc(int size);
|
||||
|
||||
void test1(int size) {
|
||||
char *arr = malloc(size);
|
||||
char *arr = malloc(size); // $ Source
|
||||
for (int i = 0; i < size; i++) {
|
||||
arr[i] = 0; // GOOD
|
||||
}
|
||||
|
||||
for (int i = 0; i <= size; i++) {
|
||||
arr[i] = i; // BAD
|
||||
arr[i] = i; // BAD // $ Alert
|
||||
}
|
||||
}
|
||||
|
||||
@@ -18,7 +18,7 @@ typedef struct {
|
||||
|
||||
array_t mk_array(int size) {
|
||||
array_t arr;
|
||||
arr.p = malloc(size);
|
||||
arr.p = malloc(size); // $ Source
|
||||
arr.size = size;
|
||||
|
||||
return arr;
|
||||
@@ -32,7 +32,7 @@ void test2(int size) {
|
||||
}
|
||||
|
||||
for (int i = 0; i <= arr.size; i++) {
|
||||
arr.p[i] = i; // BAD
|
||||
arr.p[i] = i; // BAD // $ Alert
|
||||
}
|
||||
}
|
||||
|
||||
@@ -42,7 +42,7 @@ void test3_callee(array_t arr) {
|
||||
}
|
||||
|
||||
for (int i = 0; i <= arr.size; i++) {
|
||||
arr.p[i] = i; // BAD
|
||||
arr.p[i] = i; // BAD // $ Alert
|
||||
}
|
||||
}
|
||||
|
||||
@@ -52,7 +52,7 @@ void test3(int size) {
|
||||
|
||||
void test4(int size) {
|
||||
array_t arr;
|
||||
arr.p = malloc(size);
|
||||
arr.p = malloc(size); // $ Source
|
||||
arr.size = size;
|
||||
|
||||
for (int i = 0; i < arr.size; i++) {
|
||||
@@ -60,13 +60,13 @@ void test4(int size) {
|
||||
}
|
||||
|
||||
for (int i = 0; i <= arr.size; i++) {
|
||||
arr.p[i] = i; // BAD
|
||||
arr.p[i] = i; // BAD // $ Alert
|
||||
}
|
||||
}
|
||||
|
||||
array_t *mk_array_p(int size) {
|
||||
array_t *arr = (array_t*) malloc(sizeof(array_t));
|
||||
arr->p = malloc(size);
|
||||
arr->p = malloc(size); // $ Source
|
||||
arr->size = size;
|
||||
|
||||
return arr;
|
||||
@@ -80,7 +80,7 @@ void test5(int size) {
|
||||
}
|
||||
|
||||
for (int i = 0; i <= arr->size; i++) {
|
||||
arr->p[i] = i; // BAD
|
||||
arr->p[i] = i; // BAD // $ Alert
|
||||
}
|
||||
}
|
||||
|
||||
@@ -90,7 +90,7 @@ void test6_callee(array_t *arr) {
|
||||
}
|
||||
|
||||
for (int i = 0; i <= arr->size; i++) {
|
||||
arr->p[i] = i; // BAD
|
||||
arr->p[i] = i; // BAD // $ Alert
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -1,3 +1,25 @@
|
||||
#select
|
||||
| test.cpp:35:5:35:22 | PointerAdd: access to array | test.cpp:35:10:35:12 | buf | test.cpp:35:5:35:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:35:5:35:26 | Store: ... = ... | write |
|
||||
| test.cpp:36:5:36:24 | PointerAdd: access to array | test.cpp:36:10:36:12 | buf | test.cpp:36:5:36:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:36:5:36:28 | Store: ... = ... | write |
|
||||
| test.cpp:43:9:43:19 | PointerAdd: access to array | test.cpp:43:14:43:16 | buf | test.cpp:43:9:43:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:43:9:43:23 | Store: ... = ... | write |
|
||||
| test.cpp:49:5:49:22 | PointerAdd: access to array | test.cpp:49:10:49:12 | buf | test.cpp:49:5:49:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:49:5:49:26 | Store: ... = ... | write |
|
||||
| test.cpp:50:5:50:24 | PointerAdd: access to array | test.cpp:50:10:50:12 | buf | test.cpp:50:5:50:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:50:5:50:28 | Store: ... = ... | write |
|
||||
| test.cpp:57:9:57:19 | PointerAdd: access to array | test.cpp:57:14:57:16 | buf | test.cpp:57:9:57:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:57:9:57:23 | Store: ... = ... | write |
|
||||
| test.cpp:61:9:61:19 | PointerAdd: access to array | test.cpp:61:14:61:16 | buf | test.cpp:61:9:61:19 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:61:9:61:23 | Store: ... = ... | write |
|
||||
| test.cpp:72:5:72:15 | PointerAdd: access to array | test.cpp:79:32:79:34 | buf | test.cpp:72:5:72:15 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:72:5:72:19 | Store: ... = ... | write |
|
||||
| test.cpp:77:27:77:44 | PointerAdd: access to array | test.cpp:77:32:77:34 | buf | test.cpp:66:32:66:32 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
|
||||
| test.cpp:88:5:88:27 | PointerAdd: access to array | test.cpp:85:34:85:36 | buf | test.cpp:88:5:88:27 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:88:5:88:31 | Store: ... = ... | write |
|
||||
| test.cpp:128:9:128:14 | PointerAdd: access to array | test.cpp:128:9:128:11 | arr | test.cpp:128:9:128:14 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:125:11:125:13 | arr | arr | test.cpp:128:9:128:18 | Store: ... = ... | write |
|
||||
| test.cpp:136:9:136:16 | PointerAdd: ... += ... | test.cpp:143:18:143:21 | asdf | test.cpp:138:13:138:15 | arr | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:142:10:142:13 | asdf | asdf | test.cpp:138:12:138:15 | Load: * ... | read |
|
||||
| test.cpp:156:12:156:18 | PointerAdd: ... + ... | test.cpp:156:12:156:14 | buf | test.cpp:147:4:147:9 | -- ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:154:7:154:9 | buf | buf | test.cpp:147:3:147:13 | Store: ... = ... | write |
|
||||
| test.cpp:156:12:156:18 | PointerAdd: ... + ... | test.cpp:156:12:156:14 | buf | test.cpp:147:4:147:9 | -- ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:154:7:154:9 | buf | buf | test.cpp:147:3:147:13 | Store: ... = ... | write |
|
||||
| test.cpp:221:5:221:11 | PointerAdd: access to array | test.cpp:218:23:218:28 | buffer | test.cpp:221:5:221:11 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:217:19:217:24 | buffer | buffer | test.cpp:221:5:221:15 | Store: ... = ... | write |
|
||||
| test.cpp:232:5:232:10 | PointerAdd: access to array | test.cpp:229:25:229:29 | array | test.cpp:232:5:232:10 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:228:10:228:14 | array | array | test.cpp:232:5:232:19 | Store: ... = ... | write |
|
||||
| test.cpp:261:27:261:30 | PointerAdd: access to array | test.cpp:286:19:286:25 | buffer2 | test.cpp:261:27:261:30 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:285:19:285:25 | buffer2 | buffer2 | test.cpp:261:27:261:30 | Load: access to array | read |
|
||||
| test.cpp:299:16:299:21 | PointerAdd: access to array | test.cpp:309:20:309:23 | arr2 | test.cpp:299:16:299:21 | access to array | This pointer arithmetic may have an off-by-1014 error allowing it to overrun $@ at this $@. | test.cpp:308:9:308:12 | arr2 | arr2 | test.cpp:299:16:299:21 | Load: access to array | read |
|
||||
| test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:322:19:322:22 | temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:330:13:330:24 | Store: ... = ... | write |
|
||||
| test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:322:19:322:22 | temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:331:13:331:24 | Store: ... = ... | write |
|
||||
| test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:322:19:322:22 | temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:333:13:333:24 | Store: ... = ... | write |
|
||||
edges
|
||||
| test.cpp:34:10:34:12 | buf | test.cpp:34:5:34:24 | access to array | provenance | Config |
|
||||
| test.cpp:35:10:35:12 | buf | test.cpp:35:5:35:22 | access to array | provenance | Config |
|
||||
@@ -178,25 +200,3 @@ nodes
|
||||
| test.cpp:325:24:325:26 | end | semmle.label | end |
|
||||
| test.cpp:325:24:325:26 | end | semmle.label | end |
|
||||
subpaths
|
||||
#select
|
||||
| test.cpp:35:5:35:22 | PointerAdd: access to array | test.cpp:35:10:35:12 | buf | test.cpp:35:5:35:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:35:5:35:26 | Store: ... = ... | write |
|
||||
| test.cpp:36:5:36:24 | PointerAdd: access to array | test.cpp:36:10:36:12 | buf | test.cpp:36:5:36:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:36:5:36:28 | Store: ... = ... | write |
|
||||
| test.cpp:43:9:43:19 | PointerAdd: access to array | test.cpp:43:14:43:16 | buf | test.cpp:43:9:43:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:43:9:43:23 | Store: ... = ... | write |
|
||||
| test.cpp:49:5:49:22 | PointerAdd: access to array | test.cpp:49:10:49:12 | buf | test.cpp:49:5:49:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:49:5:49:26 | Store: ... = ... | write |
|
||||
| test.cpp:50:5:50:24 | PointerAdd: access to array | test.cpp:50:10:50:12 | buf | test.cpp:50:5:50:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:50:5:50:28 | Store: ... = ... | write |
|
||||
| test.cpp:57:9:57:19 | PointerAdd: access to array | test.cpp:57:14:57:16 | buf | test.cpp:57:9:57:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:57:9:57:23 | Store: ... = ... | write |
|
||||
| test.cpp:61:9:61:19 | PointerAdd: access to array | test.cpp:61:14:61:16 | buf | test.cpp:61:9:61:19 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:61:9:61:23 | Store: ... = ... | write |
|
||||
| test.cpp:72:5:72:15 | PointerAdd: access to array | test.cpp:79:32:79:34 | buf | test.cpp:72:5:72:15 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:72:5:72:19 | Store: ... = ... | write |
|
||||
| test.cpp:77:27:77:44 | PointerAdd: access to array | test.cpp:77:32:77:34 | buf | test.cpp:66:32:66:32 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
|
||||
| test.cpp:88:5:88:27 | PointerAdd: access to array | test.cpp:85:34:85:36 | buf | test.cpp:88:5:88:27 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:88:5:88:31 | Store: ... = ... | write |
|
||||
| test.cpp:128:9:128:14 | PointerAdd: access to array | test.cpp:128:9:128:11 | arr | test.cpp:128:9:128:14 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:125:11:125:13 | arr | arr | test.cpp:128:9:128:18 | Store: ... = ... | write |
|
||||
| test.cpp:136:9:136:16 | PointerAdd: ... += ... | test.cpp:143:18:143:21 | asdf | test.cpp:138:13:138:15 | arr | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:142:10:142:13 | asdf | asdf | test.cpp:138:12:138:15 | Load: * ... | read |
|
||||
| test.cpp:156:12:156:18 | PointerAdd: ... + ... | test.cpp:156:12:156:14 | buf | test.cpp:147:4:147:9 | -- ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:154:7:154:9 | buf | buf | test.cpp:147:3:147:13 | Store: ... = ... | write |
|
||||
| test.cpp:156:12:156:18 | PointerAdd: ... + ... | test.cpp:156:12:156:14 | buf | test.cpp:147:4:147:9 | -- ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:154:7:154:9 | buf | buf | test.cpp:147:3:147:13 | Store: ... = ... | write |
|
||||
| test.cpp:221:5:221:11 | PointerAdd: access to array | test.cpp:218:23:218:28 | buffer | test.cpp:221:5:221:11 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:217:19:217:24 | buffer | buffer | test.cpp:221:5:221:15 | Store: ... = ... | write |
|
||||
| test.cpp:232:5:232:10 | PointerAdd: access to array | test.cpp:229:25:229:29 | array | test.cpp:232:5:232:10 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:228:10:228:14 | array | array | test.cpp:232:5:232:19 | Store: ... = ... | write |
|
||||
| test.cpp:261:27:261:30 | PointerAdd: access to array | test.cpp:286:19:286:25 | buffer2 | test.cpp:261:27:261:30 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:285:19:285:25 | buffer2 | buffer2 | test.cpp:261:27:261:30 | Load: access to array | read |
|
||||
| test.cpp:299:16:299:21 | PointerAdd: access to array | test.cpp:309:20:309:23 | arr2 | test.cpp:299:16:299:21 | access to array | This pointer arithmetic may have an off-by-1014 error allowing it to overrun $@ at this $@. | test.cpp:308:9:308:12 | arr2 | arr2 | test.cpp:299:16:299:21 | Load: access to array | read |
|
||||
| test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:322:19:322:22 | temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:330:13:330:24 | Store: ... = ... | write |
|
||||
| test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:322:19:322:22 | temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:331:13:331:24 | Store: ... = ... | write |
|
||||
| test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:322:19:322:22 | temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:333:13:333:24 | Store: ... = ... | write |
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
|
||||
query: experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -32,60 +32,60 @@ void testOneArray(OneArray *arr) {
|
||||
|
||||
void testBig(BigArray *arr) {
|
||||
arr->buf[MAX_SIZE-1] = 0; // GOOD
|
||||
arr->buf[MAX_SIZE] = 0; // BAD
|
||||
arr->buf[MAX_SIZE+1] = 0; // BAD
|
||||
arr->buf[MAX_SIZE] = 0; // BAD // $ Alert
|
||||
arr->buf[MAX_SIZE+1] = 0; // BAD // $ Alert
|
||||
|
||||
for(int i = 0; i < MAX_SIZE; i++) {
|
||||
arr->buf[i] = 0; // GOOD
|
||||
}
|
||||
|
||||
for(int i = 0; i <= MAX_SIZE; i++) {
|
||||
arr->buf[i] = 0; // BAD
|
||||
arr->buf[i] = 0; // BAD // $ Alert
|
||||
}
|
||||
}
|
||||
|
||||
void testFields(ArrayAndFields *arr) {
|
||||
arr->buf[MAX_SIZE-1] = 0; // GOOD
|
||||
arr->buf[MAX_SIZE] = 0; // BAD?
|
||||
arr->buf[MAX_SIZE+1] = 0; // BAD?
|
||||
arr->buf[MAX_SIZE] = 0; // BAD? // $ Alert
|
||||
arr->buf[MAX_SIZE+1] = 0; // BAD? // $ Alert
|
||||
|
||||
for(int i = 0; i < MAX_SIZE; i++) {
|
||||
arr->buf[i] = 0; // GOOD
|
||||
}
|
||||
|
||||
for(int i = 0; i <= MAX_SIZE; i++) {
|
||||
arr->buf[i] = 0; // BAD?
|
||||
arr->buf[i] = 0; // BAD? // $ Alert
|
||||
}
|
||||
|
||||
for(int i = 0; i < MAX_SIZE+2; i++) {
|
||||
arr->buf[i] = 0; // BAD?
|
||||
arr->buf[i] = 0; // BAD? // $ Alert
|
||||
}
|
||||
// is this different if it's a memcpy?
|
||||
}
|
||||
|
||||
void assignThroughPointer(int *p) {
|
||||
void assignThroughPointer(int *p) { // $ Sink
|
||||
*p = 0; // ??? should the result go at a flow source?
|
||||
}
|
||||
|
||||
void addToPointerAndAssign(int *p) {
|
||||
p[MAX_SIZE-1] = 0; // GOOD
|
||||
p[MAX_SIZE] = 0; // BAD
|
||||
p[MAX_SIZE] = 0; // BAD // $ Alert
|
||||
}
|
||||
|
||||
void testInterproc(BigArray *arr) {
|
||||
assignThroughPointer(&arr->buf[MAX_SIZE-1]); // GOOD
|
||||
assignThroughPointer(&arr->buf[MAX_SIZE]); // BAD
|
||||
assignThroughPointer(&arr->buf[MAX_SIZE]); // BAD // $ Alert
|
||||
|
||||
addToPointerAndAssign(arr->buf);
|
||||
addToPointerAndAssign(arr->buf); // $ Source
|
||||
}
|
||||
|
||||
#define MAX_SIZE_BYTES 4096
|
||||
|
||||
void testCharIndex(BigArray *arr) {
|
||||
char *charBuf = (char*) arr->buf;
|
||||
char *charBuf = (char*) arr->buf; // $ Source
|
||||
|
||||
charBuf[MAX_SIZE_BYTES - 1] = 0; // GOOD
|
||||
charBuf[MAX_SIZE_BYTES] = 0; // BAD
|
||||
charBuf[MAX_SIZE_BYTES] = 0; // BAD // $ Alert
|
||||
}
|
||||
|
||||
void testEqRefinement() {
|
||||
@@ -125,7 +125,7 @@ void testStackAllocated() {
|
||||
char *arr[MAX_SIZE];
|
||||
|
||||
for(int i = 0; i <= MAX_SIZE; i++) {
|
||||
arr[i] = 0; // BAD
|
||||
arr[i] = 0; // BAD // $ Alert
|
||||
}
|
||||
}
|
||||
|
||||
@@ -133,18 +133,18 @@ int strncmp(const char*, const char*, int);
|
||||
|
||||
char testStrncmp2(char *arr) {
|
||||
if(strncmp(arr, "<test>", 6) == 0) {
|
||||
arr += 6;
|
||||
arr += 6; // $ Alert
|
||||
}
|
||||
return *arr; // GOOD [FALSE POSITIVE]
|
||||
return *arr; // GOOD [FALSE POSITIVE] // $ Sink
|
||||
}
|
||||
|
||||
void testStrncmp1() {
|
||||
char asdf[5];
|
||||
testStrncmp2(asdf);
|
||||
testStrncmp2(asdf); // $ Source
|
||||
}
|
||||
|
||||
void countdownBuf1(int **p) {
|
||||
*--(*p) = 1; // GOOD [FALSE POSITIVE]
|
||||
*--(*p) = 1; // GOOD [FALSE POSITIVE] // $ Sink
|
||||
*--(*p) = 2; // GOOD
|
||||
*--(*p) = 3; // GOOD
|
||||
*--(*p) = 4; // GOOD
|
||||
@@ -153,7 +153,7 @@ void countdownBuf1(int **p) {
|
||||
void countdownBuf2() {
|
||||
int buf[4];
|
||||
|
||||
int *x = buf + 4;
|
||||
int *x = buf + 4; // $ Alert
|
||||
|
||||
countdownBuf1(&x);
|
||||
}
|
||||
@@ -215,10 +215,10 @@ int countdownLength2() {
|
||||
|
||||
void pointer_size_larger_than_array_element_size() {
|
||||
unsigned char buffer[100]; // getByteSize() = 100
|
||||
int *ptr = (int *)buffer; // pai.getElementSize() will be sizeof(int) = 4 -> size = 25
|
||||
int *ptr = (int *)buffer; // pai.getElementSize() will be sizeof(int) = 4 -> size = 25 // $ Source
|
||||
|
||||
ptr[24] = 0; // GOOD: writes bytes 96, 97, 98, 99
|
||||
ptr[25] = 0; // BAD: writes bytes 100, 101, 102, 103
|
||||
ptr[25] = 0; // BAD: writes bytes 100, 101, 102, 103 // $ Alert
|
||||
}
|
||||
|
||||
struct vec2 { int x, y; };
|
||||
@@ -226,10 +226,10 @@ struct vec3 { int x, y, z; };
|
||||
|
||||
void pointer_size_smaller_than_array_element_size_but_does_not_divide_it() {
|
||||
vec3 array[3]; // getByteSize() = 9 * sizeof(int)
|
||||
vec2 *ptr = (vec2 *)array; // pai.getElementSize() will be 2 * sizeof(int) -> size = 4
|
||||
vec2 *ptr = (vec2 *)array; // pai.getElementSize() will be 2 * sizeof(int) -> size = 4 // $ Source
|
||||
|
||||
ptr[3] = vec2{}; // GOOD: writes ints 6, 7
|
||||
ptr[4] = vec2{}; // BAD: writes ints 8, 9
|
||||
ptr[4] = vec2{}; // BAD: writes ints 8, 9 // $ Alert
|
||||
}
|
||||
|
||||
void pointer_size_larger_than_array_element_size_and_does_not_divide_it() {
|
||||
@@ -258,7 +258,7 @@ void call_use(unsigned char* p, int n) {
|
||||
if(n == 3) {
|
||||
unsigned char x = p[0];
|
||||
unsigned char y = p[1];
|
||||
unsigned char z = p[2]; // GOOD [FALSE POSITIVE]: `call_use(buffer2, 2)` won't reach this point.
|
||||
unsigned char z = p[2]; // GOOD [FALSE POSITIVE]: `call_use(buffer2, 2)` won't reach this point. // $ Alert
|
||||
use(x, y, z);
|
||||
}
|
||||
}
|
||||
@@ -283,7 +283,7 @@ void test_call_use2() {
|
||||
call_call_use(buffer1,1);
|
||||
|
||||
unsigned char buffer2[2];
|
||||
call_call_use(buffer2,2);
|
||||
call_call_use(buffer2,2); // $ Source
|
||||
|
||||
unsigned char buffer3[3];
|
||||
call_call_use(buffer3,3);
|
||||
@@ -296,7 +296,7 @@ int guardingCallee(int *arr, int size) {
|
||||
|
||||
int sum;
|
||||
for (int i = 0; i < size; i++) {
|
||||
sum += arr[i]; // GOOD [FALSE POSITIVE] - guarded by size
|
||||
sum += arr[i]; // GOOD [FALSE POSITIVE] - guarded by size // $ Alert
|
||||
}
|
||||
return sum;
|
||||
}
|
||||
@@ -306,7 +306,7 @@ int guardingCaller() {
|
||||
guardingCallee(arr1, MAX_SIZE);
|
||||
|
||||
int arr2[10];
|
||||
guardingCallee(arr2, 10);
|
||||
guardingCallee(arr2, 10); // $ Source
|
||||
}
|
||||
|
||||
// simplified md5 padding
|
||||
@@ -319,10 +319,10 @@ void correlatedCondition(int num) {
|
||||
end = temp + 56;
|
||||
}
|
||||
else if (num < 64) {
|
||||
end = temp + 64; // GOOD [FALSE POSITVE]
|
||||
end = temp + 64; // GOOD [FALSE POSITVE] // $ Alert
|
||||
}
|
||||
char *temp2 = temp + num;
|
||||
while(temp2 != end) {
|
||||
while(temp2 != end) { // $ Sink
|
||||
*temp2 = 0;
|
||||
temp2++;
|
||||
}
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
|
||||
query: experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -9,7 +9,7 @@ int main(int argc, char *argv[])
|
||||
{
|
||||
//umask(0022);
|
||||
FILE *fp;
|
||||
fp = fopen("myFile.txt","w"); // BAD
|
||||
fp = fopen("myFile.txt","w"); // BAD // $ Alert
|
||||
//chmod("myFile.txt",0644);
|
||||
fprintf(fp,"%s\n","data to file");
|
||||
fclose(fp);
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
|
||||
query: experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
|
||||
query: experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-243/IncorrectChangingWorkingDirectory.ql
|
||||
query: experimental/Security/CWE/CWE-243/IncorrectChangingWorkingDirectory.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -9,7 +9,7 @@ int chdir(char *path);
|
||||
void exit(int status);
|
||||
|
||||
int funTest1(){
|
||||
if (chroot("/myFold/myTmp") == -1) { // BAD
|
||||
if (chroot("/myFold/myTmp") == -1) { // BAD // $ Alert
|
||||
exit(-1);
|
||||
}
|
||||
return 0;
|
||||
@@ -26,7 +26,7 @@ int funTest2(){
|
||||
}
|
||||
|
||||
int funTest3(){
|
||||
chdir("/myFold/myTmp"); // BAD
|
||||
chdir("/myFold/myTmp"); // BAD // $ Alert
|
||||
return 0;
|
||||
}
|
||||
int main(int argc, char *argv[])
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql
|
||||
query: experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -6,7 +6,7 @@ int fclose(FILE *stream);
|
||||
|
||||
void funcTest1()
|
||||
{
|
||||
umask(0666); // BAD
|
||||
umask(0666); // BAD // $ Alert
|
||||
FILE *fe;
|
||||
fe = fopen("myFile.txt", "wt");
|
||||
fclose(fe);
|
||||
@@ -27,7 +27,7 @@ void funcTest2(int mode)
|
||||
FILE *fe;
|
||||
fe = fopen("myFile.txt", "wt");
|
||||
fclose(fe);
|
||||
chmod("myFile.txt",0555-mode); // BAD
|
||||
chmod("myFile.txt",0555-mode); // BAD // $ Alert
|
||||
}
|
||||
|
||||
void funcTest2g(int mode)
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-285/PamAuthorization.ql
|
||||
query: experimental/Security/CWE/CWE-285/PamAuthorization.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -26,7 +26,7 @@ bool PamAuthBad(const std::string &username_in,
|
||||
return false;
|
||||
}
|
||||
|
||||
err = pam_authenticate(pamh, 0);
|
||||
err = pam_authenticate(pamh, 0); // $ Alert
|
||||
if (err != PAM_SUCCESS)
|
||||
return err;
|
||||
|
||||
|
||||
@@ -22,8 +22,8 @@ char host[] = "codeql.com";
|
||||
|
||||
void bad(void) {
|
||||
std::unique_ptr<CURL> curl = std::unique_ptr<CURL>(curl_easy_init());
|
||||
curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYPEER, 0);
|
||||
curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYHOST, 0);
|
||||
curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYPEER, 0); // $ Alert
|
||||
curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYHOST, 0); // $ Alert
|
||||
curl_easy_setopt(curl.get(), CURLOPT_URL, host);
|
||||
curl_easy_perform(curl.get());
|
||||
}
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-295/CurlSSL.ql
|
||||
query: experimental/Security/CWE/CWE-295/CurlSSL.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1,3 +1,15 @@
|
||||
#select
|
||||
| test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:57:9:57:18 | theZipcode | this source of private data. |
|
||||
| test.cpp:74:24:74:30 | medical | test.cpp:74:24:74:30 | medical | test.cpp:74:24:74:30 | medical | This write into the external location 'medical' may contain unencrypted data from $@. | test.cpp:74:24:74:30 | medical | this source of private data. |
|
||||
| test.cpp:78:24:78:27 | temp | test.cpp:74:24:74:30 | medical | test.cpp:78:24:78:27 | temp | This write into the external location 'temp' may contain unencrypted data from $@. | test.cpp:74:24:74:30 | medical | this source of private data. |
|
||||
| test.cpp:78:24:78:27 | temp | test.cpp:77:16:77:22 | medical | test.cpp:78:24:78:27 | temp | This write into the external location 'temp' may contain unencrypted data from $@. | test.cpp:77:16:77:22 | medical | this source of private data. |
|
||||
| test.cpp:82:24:82:28 | buff5 | test.cpp:74:24:74:30 | medical | test.cpp:82:24:82:28 | buff5 | This write into the external location 'buff5' may contain unencrypted data from $@. | test.cpp:74:24:74:30 | medical | this source of private data. |
|
||||
| test.cpp:82:24:82:28 | buff5 | test.cpp:77:16:77:22 | medical | test.cpp:82:24:82:28 | buff5 | This write into the external location 'buff5' may contain unencrypted data from $@. | test.cpp:77:16:77:22 | medical | this source of private data. |
|
||||
| test.cpp:82:24:82:28 | buff5 | test.cpp:81:22:81:28 | medical | test.cpp:82:24:82:28 | buff5 | This write into the external location 'buff5' may contain unencrypted data from $@. | test.cpp:81:22:81:28 | medical | this source of private data. |
|
||||
| test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:96:37:96:46 | theZipcode | this source of private data. |
|
||||
| test.cpp:99:42:99:51 | theZipcode | test.cpp:96:37:96:46 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:96:37:96:46 | theZipcode | this source of private data. |
|
||||
| test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:99:42:99:51 | theZipcode | this source of private data. |
|
||||
| test.cpp:99:42:99:51 | theZipcode | test.cpp:99:61:99:70 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:99:61:99:70 | theZipcode | this source of private data. |
|
||||
edges
|
||||
| test.cpp:45:18:45:23 | buffer | test.cpp:47:10:47:15 | buffer | provenance | |
|
||||
| test.cpp:47:10:47:15 | buffer | test.cpp:45:7:45:10 | *func | provenance | |
|
||||
@@ -32,15 +44,3 @@ nodes
|
||||
| test.cpp:99:61:99:70 | theZipcode | semmle.label | theZipcode |
|
||||
subpaths
|
||||
| test.cpp:81:22:81:28 | medical | test.cpp:45:18:45:23 | buffer | test.cpp:45:7:45:10 | *func | test.cpp:81:17:81:20 | call to func |
|
||||
#select
|
||||
| test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:57:9:57:18 | theZipcode | this source of private data. |
|
||||
| test.cpp:74:24:74:30 | medical | test.cpp:74:24:74:30 | medical | test.cpp:74:24:74:30 | medical | This write into the external location 'medical' may contain unencrypted data from $@. | test.cpp:74:24:74:30 | medical | this source of private data. |
|
||||
| test.cpp:78:24:78:27 | temp | test.cpp:74:24:74:30 | medical | test.cpp:78:24:78:27 | temp | This write into the external location 'temp' may contain unencrypted data from $@. | test.cpp:74:24:74:30 | medical | this source of private data. |
|
||||
| test.cpp:78:24:78:27 | temp | test.cpp:77:16:77:22 | medical | test.cpp:78:24:78:27 | temp | This write into the external location 'temp' may contain unencrypted data from $@. | test.cpp:77:16:77:22 | medical | this source of private data. |
|
||||
| test.cpp:82:24:82:28 | buff5 | test.cpp:74:24:74:30 | medical | test.cpp:82:24:82:28 | buff5 | This write into the external location 'buff5' may contain unencrypted data from $@. | test.cpp:74:24:74:30 | medical | this source of private data. |
|
||||
| test.cpp:82:24:82:28 | buff5 | test.cpp:77:16:77:22 | medical | test.cpp:82:24:82:28 | buff5 | This write into the external location 'buff5' may contain unencrypted data from $@. | test.cpp:77:16:77:22 | medical | this source of private data. |
|
||||
| test.cpp:82:24:82:28 | buff5 | test.cpp:81:22:81:28 | medical | test.cpp:82:24:82:28 | buff5 | This write into the external location 'buff5' may contain unencrypted data from $@. | test.cpp:81:22:81:28 | medical | this source of private data. |
|
||||
| test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:96:37:96:46 | theZipcode | this source of private data. |
|
||||
| test.cpp:99:42:99:51 | theZipcode | test.cpp:96:37:96:46 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:96:37:96:46 | theZipcode | this source of private data. |
|
||||
| test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:99:42:99:51 | theZipcode | this source of private data. |
|
||||
| test.cpp:99:42:99:51 | theZipcode | test.cpp:99:61:99:70 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:99:61:99:70 | theZipcode | this source of private data. |
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-359/PrivateCleartextWrite.ql
|
||||
query: experimental/Security/CWE/CWE-359/PrivateCleartextWrite.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -54,7 +54,7 @@ void file()
|
||||
FILE *file;
|
||||
|
||||
// BAD: write zipcode to file in cleartext
|
||||
fputs(theZipcode, file);
|
||||
fputs(theZipcode, file); // $ Alert
|
||||
|
||||
// GOOD: encrypt first
|
||||
char *encrypted = encrypt(theZipcode);
|
||||
@@ -71,15 +71,15 @@ int main(int argc, char **argv)
|
||||
char *buff4;
|
||||
|
||||
// BAD: write medical to buffer in cleartext
|
||||
sprintf(buff1, "%s", medical);
|
||||
sprintf(buff1, "%s", medical); // $ Alert Source
|
||||
|
||||
// BAD: write medical to buffer in cleartext
|
||||
char *temp = medical;
|
||||
sprintf(buff2, "%s", temp);
|
||||
char *temp = medical; // $ Source
|
||||
sprintf(buff2, "%s", temp); // $ Alert
|
||||
|
||||
// BAD: write medical to buffer in cleartext
|
||||
char *buff5 = func(medical);
|
||||
sprintf(buff3, "%s", buff5);
|
||||
char *buff5 = func(medical); // $ Source
|
||||
sprintf(buff3, "%s", buff5); // $ Alert
|
||||
|
||||
char *buff6 = encrypt(medical);
|
||||
// GOOD: encrypt first
|
||||
@@ -93,10 +93,10 @@ void stream()
|
||||
ofstream mystream;
|
||||
|
||||
// BAD: write zipcode to file in cleartext
|
||||
mystream << "the zipcode is: " << theZipcode;
|
||||
mystream << "the zipcode is: " << theZipcode; // $ Alert Source
|
||||
|
||||
// BAD: write zipcode to file in cleartext
|
||||
(mystream << "the zipcode is: ").write(theZipcode, strlen(theZipcode));
|
||||
(mystream << "the zipcode is: ").write(theZipcode, strlen(theZipcode)); // $ Alert
|
||||
|
||||
// GOOD: encrypt first
|
||||
char *encrypted = encrypt(theZipcode);
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-369/DivideByZeroUsingReturnValue.ql
|
||||
query: experimental/Security/CWE/CWE-369/DivideByZeroUsingReturnValue.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -44,13 +44,13 @@ int getSize2(int type) {
|
||||
|
||||
int badTestf1(int type, int met) {
|
||||
int is = getSize(type);
|
||||
if (met == 1) return 123 / is; // BAD
|
||||
else return 123 / getSize2(type); // BAD
|
||||
if (met == 1) return 123 / is; // BAD // $ Alert
|
||||
else return 123 / getSize2(type); // BAD // $ Alert
|
||||
}
|
||||
int badTestf2(int type) {
|
||||
int is;
|
||||
is = getSize(type);
|
||||
return 123 / is; // BAD
|
||||
return 123 / is; // BAD // $ Alert
|
||||
}
|
||||
|
||||
int badTestf3(int type, int met) {
|
||||
@@ -62,23 +62,23 @@ int badTestf3(int type, int met) {
|
||||
case 2:
|
||||
if (0 == is) return 123 / is; // BAD [NOT DETECTED]
|
||||
case 3:
|
||||
if (!is & 123 / is) // BAD
|
||||
if (!is & 123 / is) // BAD // $ Alert
|
||||
return 123;
|
||||
case 4:
|
||||
if (!is | 123 / is) // BAD
|
||||
if (!is | 123 / is) // BAD // $ Alert
|
||||
return 123;
|
||||
case 5:
|
||||
if (123 / is || !is) // BAD
|
||||
if (123 / is || !is) // BAD // $ Alert
|
||||
return 123;
|
||||
case 6:
|
||||
if (123 / is && !is) // BAD
|
||||
if (123 / is && !is) // BAD // $ Alert
|
||||
return 123;
|
||||
case 7:
|
||||
if (!is) return 123 / is; // BAD
|
||||
if (!is) return 123 / is; // BAD // $ Alert
|
||||
case 8:
|
||||
if (is > -1) return 123 / is; // BAD
|
||||
if (is > -1) return 123 / is; // BAD // $ Alert
|
||||
case 9:
|
||||
if (is < 2) return 123 / is; // BAD
|
||||
if (is < 2) return 123 / is; // BAD // $ Alert
|
||||
}
|
||||
if (is != 0) return -1;
|
||||
if (is == 0) type += 1;
|
||||
@@ -125,20 +125,20 @@ int badTestf4(int type) {
|
||||
int is = getSize(type);
|
||||
int d;
|
||||
d = type * is;
|
||||
return 123 / d; // BAD
|
||||
return 123 / d; // BAD // $ Alert
|
||||
}
|
||||
|
||||
int badTestf5(int type) {
|
||||
int is = getSize(type);
|
||||
int d;
|
||||
d = is / type;
|
||||
return 123 / d; // BAD
|
||||
return 123 / d; // BAD // $ Alert
|
||||
}
|
||||
int badTestf6(int type) {
|
||||
int is = getSize(type);
|
||||
int d;
|
||||
d = is / type;
|
||||
return type * 123 / d; // BAD
|
||||
return type * 123 / d; // BAD // $ Alert
|
||||
}
|
||||
|
||||
int badTestf7(int type, int met) {
|
||||
@@ -150,7 +150,7 @@ int badTestf7(int type, int met) {
|
||||
return 123 / is; // GOOD
|
||||
}
|
||||
quit:
|
||||
return 123 / is; // BAD
|
||||
return 123 / is; // BAD // $ Alert
|
||||
}
|
||||
|
||||
int goodTestf7(int type, int met) {
|
||||
@@ -169,8 +169,8 @@ int goodTestf7(int type, int met) {
|
||||
|
||||
int badTestf8(int type) {
|
||||
int is = getSize(type);
|
||||
type /= is; // BAD
|
||||
type %= is; // BAD
|
||||
type /= is; // BAD // $ Alert
|
||||
type %= is; // BAD // $ Alert
|
||||
return type;
|
||||
}
|
||||
|
||||
@@ -184,7 +184,7 @@ float getSizeFloat(float type) {
|
||||
}
|
||||
float badTestf9(float type) {
|
||||
float is = getSizeFloat(type);
|
||||
return 123 / is; // BAD
|
||||
return 123 / is; // BAD // $ Alert
|
||||
}
|
||||
float goodTestf9(float type) {
|
||||
float is = getSizeFloat(type);
|
||||
@@ -196,18 +196,18 @@ int badTestf10(int type) {
|
||||
int out = type;
|
||||
int is = getSize(type);
|
||||
if (is > -2) {
|
||||
out /= 123 / (is + 1); // BAD
|
||||
out /= 123 / (is + 1); // BAD // $ Alert
|
||||
}
|
||||
if (is > 0) {
|
||||
return 123 / (is - 1); // BAD
|
||||
return 123 / (is - 1); // BAD // $ Alert
|
||||
}
|
||||
if (is <= 0) return 0;
|
||||
return 123 / (is - 1); // BAD
|
||||
return 123 / (is - 1); // BAD // $ Alert
|
||||
return 0;
|
||||
}
|
||||
int badTestf11(int type) {
|
||||
int is = getSize(type);
|
||||
return 123 / (is - 3); // BAD
|
||||
return 123 / (is - 3); // BAD // $ Alert
|
||||
}
|
||||
|
||||
int goodTestf11(int type) {
|
||||
@@ -255,12 +255,12 @@ int badMySubDiv(int type, int is) {
|
||||
|
||||
void badTestf13(int type) {
|
||||
int is = getSize(type);
|
||||
badMyDiv(type, is); // BAD
|
||||
badMyDiv(type, is - 2); // BAD
|
||||
badMySubDiv(type, is); // BAD
|
||||
badMyDiv(type, is); // BAD // $ Alert
|
||||
badMyDiv(type, is - 2); // BAD // $ Alert
|
||||
badMySubDiv(type, is); // BAD // $ Alert
|
||||
goodMyDiv(type, is); // GOOD
|
||||
if (is < 5)
|
||||
badMySubDiv(type, is); // BAD
|
||||
badMySubDiv(type, is); // BAD // $ Alert
|
||||
if (is < 0)
|
||||
badMySubDiv(type, is); // BAD [NOT DETECTED]
|
||||
if (is > 5)
|
||||
@@ -270,9 +270,9 @@ void badTestf13(int type) {
|
||||
if (is > 0)
|
||||
badMyDiv(type, is); // GOOD
|
||||
if (is < 5)
|
||||
badMyDiv(type, is - 3); // BAD
|
||||
badMyDiv(type, is - 3); // BAD // $ Alert
|
||||
if (is < 0)
|
||||
badMyDiv(type, is + 1); // BAD
|
||||
badMyDiv(type, is + 1); // BAD // $ Alert
|
||||
if (is > 5)
|
||||
badMyDiv(type, is - 3); // GOOD
|
||||
}
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql
|
||||
query: experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -13,7 +13,7 @@ int fclose(FILE *stream);
|
||||
int funcTest1()
|
||||
{
|
||||
FILE *fp;
|
||||
char *filename = tmpnam(NULL); // BAD
|
||||
char *filename = tmpnam(NULL); // BAD // $ Alert
|
||||
fp = fopen(filename,"w");
|
||||
fprintf(fp,"%s\n","data to file");
|
||||
fclose(fp);
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql
|
||||
query: experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -31,7 +31,7 @@ unsigned char * badResize_0(unsigned char * buffer,size_t currentSize,size_t new
|
||||
// BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block
|
||||
if (currentSize < newSize)
|
||||
{
|
||||
buffer = (unsigned char *)realloc(buffer, newSize);
|
||||
buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert
|
||||
}
|
||||
return buffer;
|
||||
}
|
||||
@@ -60,7 +60,7 @@ unsigned char * badResize_1_0(unsigned char * buffer,size_t currentSize,size_t n
|
||||
// BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block
|
||||
if (currentSize < newSize)
|
||||
{
|
||||
buffer = (unsigned char *)realloc(buffer, newSize);
|
||||
buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert
|
||||
}
|
||||
return buffer;
|
||||
}
|
||||
@@ -136,7 +136,7 @@ unsigned char * badResize_1_1(unsigned char * buffer,size_t currentSize,size_t n
|
||||
// BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block
|
||||
if (currentSize < newSize)
|
||||
{
|
||||
buffer = (unsigned char *)realloc(buffer, newSize);
|
||||
buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert
|
||||
}
|
||||
if(!buffer)
|
||||
aFakeFailed_1(1, 1);
|
||||
@@ -183,7 +183,7 @@ unsigned char * badResize_2_0(unsigned char * buffer,size_t currentSize,size_t n
|
||||
assert(buffer!=0);
|
||||
if (currentSize < newSize)
|
||||
{
|
||||
buffer = (unsigned char *)realloc(buffer, newSize);
|
||||
buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert
|
||||
}
|
||||
return buffer;
|
||||
}
|
||||
@@ -279,7 +279,7 @@ unsigned char *goodResize_3_1(unsigned char *buffer, size_t currentSize, size_t
|
||||
unsigned char *tmp = buffer;
|
||||
if (currentSize < newSize)
|
||||
{
|
||||
buffer = (unsigned char *)realloc(buffer, newSize);
|
||||
buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert
|
||||
if (buffer == NULL)
|
||||
{
|
||||
free(tmp);
|
||||
@@ -296,7 +296,7 @@ unsigned char *goodResize_3_2(unsigned char *buffer, size_t currentSize, size_t
|
||||
unsigned char *tmp = buffer;
|
||||
if (currentSize < newSize)
|
||||
{
|
||||
tmp = (unsigned char *)realloc(tmp, newSize);
|
||||
tmp = (unsigned char *)realloc(tmp, newSize); // $ Alert
|
||||
if (tmp != 0)
|
||||
{
|
||||
buffer = tmp;
|
||||
@@ -325,7 +325,7 @@ unsigned char * badResize_5_2(unsigned char *buffer, size_t currentSize, size_t
|
||||
// BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block
|
||||
if (currentSize < newSize)
|
||||
{
|
||||
buffer = (unsigned char *)realloc(buffer, newSize);
|
||||
buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert
|
||||
}
|
||||
if (cond)
|
||||
{
|
||||
@@ -339,7 +339,7 @@ unsigned char * badResize_5_1(unsigned char *buffer, size_t currentSize, size_t
|
||||
// BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block
|
||||
if (currentSize < newSize)
|
||||
{
|
||||
buffer = (unsigned char *)realloc(buffer, newSize);
|
||||
buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert
|
||||
assert(cond); // irrelevant
|
||||
}
|
||||
return buffer;
|
||||
|
||||
@@ -1,3 +1,17 @@
|
||||
#select
|
||||
| brotliTest.cpp:18:35:18:53 | *access to array | main.cpp:7:33:7:36 | **argv | brotliTest.cpp:18:35:18:53 | *access to array | The decompression output of $@ is not limited | brotliTest.cpp:18:5:18:27 | call to BrotliDecoderDecompress | BrotliDecoderDecompress |
|
||||
| brotliTest.cpp:24:51:24:58 | **& ... | main.cpp:7:33:7:36 | **argv | brotliTest.cpp:24:51:24:58 | **& ... | The decompression output of $@ is not limited | brotliTest.cpp:24:5:24:33 | call to BrotliDecoderDecompressStream | BrotliDecoderDecompressStream |
|
||||
| libarchiveTests.cpp:22:41:22:42 | *ar | main.cpp:7:33:7:36 | **argv | libarchiveTests.cpp:22:41:22:42 | *ar | The decompression output of $@ is not limited | libarchiveTests.cpp:22:17:22:39 | call to archive_read_data_block | archive_read_data_block |
|
||||
| minizipTest.cpp:17:52:17:67 | *access to array | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:17:52:17:67 | *access to array | The decompression output of $@ is not limited | minizipTest.cpp:17:22:17:38 | call to mz_zip_entry_read | mz_zip_entry_read |
|
||||
| minizipTest.cpp:26:30:26:39 | **zip_reader | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:26:30:26:39 | **zip_reader | The decompression output of $@ is not limited | minizipTest.cpp:26:5:26:28 | call to mz_zip_reader_entry_save | mz_zip_reader_entry_save |
|
||||
| minizipTest.cpp:26:30:26:39 | *zip_reader | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:26:30:26:39 | *zip_reader | The decompression output of $@ is not limited | minizipTest.cpp:26:5:26:28 | call to mz_zip_reader_entry_save | mz_zip_reader_entry_save |
|
||||
| minizipTest.cpp:28:13:28:19 | *access to array | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:28:13:28:19 | *access to array | The decompression output of $@ is not limited | minizipTest.cpp:28:5:28:11 | call to UnzOpen | UnzOpen |
|
||||
| zlibTest.cpp:25:13:25:22 | & ... | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:25:13:25:22 | & ... | The decompression output of $@ is not limited | zlibTest.cpp:25:5:25:11 | call to inflate | inflate |
|
||||
| zlibTest.cpp:41:20:41:26 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:41:20:41:26 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:41:13:41:18 | call to gzread | gzread |
|
||||
| zlibTest.cpp:51:38:51:44 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:51:38:51:44 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:51:14:51:20 | call to gzfread | gzfread |
|
||||
| zlibTest.cpp:62:25:62:31 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:62:25:62:31 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:62:18:62:23 | call to gzgets | gzgets |
|
||||
| zlibTest.cpp:77:45:77:59 | *input | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:77:45:77:59 | *input | The decompression output of $@ is not limited | zlibTest.cpp:77:5:77:14 | call to uncompress | uncompress |
|
||||
| zstdTest.cpp:39:69:39:74 | & ... | main.cpp:7:33:7:36 | **argv | zstdTest.cpp:39:69:39:74 | & ... | The decompression output of $@ is not limited | zstdTest.cpp:39:32:39:52 | call to ZSTD_decompressStream | ZSTD_decompressStream |
|
||||
edges
|
||||
| brotliTest.cpp:15:41:15:44 | **argv | brotliTest.cpp:15:41:15:44 | **argv | provenance | |
|
||||
| brotliTest.cpp:15:41:15:44 | **argv | brotliTest.cpp:18:35:18:53 | *access to array | provenance | |
|
||||
@@ -214,17 +228,3 @@ subpaths
|
||||
| zlibTest.cpp:83:19:83:25 | *access to array | zlibTest.cpp:16:26:16:30 | *input | zlibTest.cpp:16:26:16:30 | *input | zlibTest.cpp:83:19:83:25 | UnsafeInflate output argument |
|
||||
| zlibTest.cpp:84:18:84:24 | *access to array | zlibTest.cpp:37:25:37:32 | *fileName | zlibTest.cpp:37:25:37:32 | *fileName | zlibTest.cpp:84:18:84:24 | UnsafeGzread output argument |
|
||||
| zlibTest.cpp:85:19:85:25 | *access to array | zlibTest.cpp:71:26:71:30 | *input | zlibTest.cpp:71:26:71:30 | *input | zlibTest.cpp:85:19:85:25 | InflateString output argument |
|
||||
#select
|
||||
| brotliTest.cpp:18:35:18:53 | *access to array | main.cpp:7:33:7:36 | **argv | brotliTest.cpp:18:35:18:53 | *access to array | The decompression output of $@ is not limited | brotliTest.cpp:18:5:18:27 | call to BrotliDecoderDecompress | BrotliDecoderDecompress |
|
||||
| brotliTest.cpp:24:51:24:58 | **& ... | main.cpp:7:33:7:36 | **argv | brotliTest.cpp:24:51:24:58 | **& ... | The decompression output of $@ is not limited | brotliTest.cpp:24:5:24:33 | call to BrotliDecoderDecompressStream | BrotliDecoderDecompressStream |
|
||||
| libarchiveTests.cpp:22:41:22:42 | *ar | main.cpp:7:33:7:36 | **argv | libarchiveTests.cpp:22:41:22:42 | *ar | The decompression output of $@ is not limited | libarchiveTests.cpp:22:17:22:39 | call to archive_read_data_block | archive_read_data_block |
|
||||
| minizipTest.cpp:17:52:17:67 | *access to array | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:17:52:17:67 | *access to array | The decompression output of $@ is not limited | minizipTest.cpp:17:22:17:38 | call to mz_zip_entry_read | mz_zip_entry_read |
|
||||
| minizipTest.cpp:26:30:26:39 | **zip_reader | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:26:30:26:39 | **zip_reader | The decompression output of $@ is not limited | minizipTest.cpp:26:5:26:28 | call to mz_zip_reader_entry_save | mz_zip_reader_entry_save |
|
||||
| minizipTest.cpp:26:30:26:39 | *zip_reader | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:26:30:26:39 | *zip_reader | The decompression output of $@ is not limited | minizipTest.cpp:26:5:26:28 | call to mz_zip_reader_entry_save | mz_zip_reader_entry_save |
|
||||
| minizipTest.cpp:28:13:28:19 | *access to array | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:28:13:28:19 | *access to array | The decompression output of $@ is not limited | minizipTest.cpp:28:5:28:11 | call to UnzOpen | UnzOpen |
|
||||
| zlibTest.cpp:25:13:25:22 | & ... | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:25:13:25:22 | & ... | The decompression output of $@ is not limited | zlibTest.cpp:25:5:25:11 | call to inflate | inflate |
|
||||
| zlibTest.cpp:41:20:41:26 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:41:20:41:26 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:41:13:41:18 | call to gzread | gzread |
|
||||
| zlibTest.cpp:51:38:51:44 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:51:38:51:44 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:51:14:51:20 | call to gzfread | gzfread |
|
||||
| zlibTest.cpp:62:25:62:31 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:62:25:62:31 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:62:18:62:23 | call to gzgets | gzgets |
|
||||
| zlibTest.cpp:77:45:77:59 | *input | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:77:45:77:59 | *input | The decompression output of $@ is not limited | zlibTest.cpp:77:5:77:14 | call to uncompress | uncompress |
|
||||
| zstdTest.cpp:39:69:39:74 | & ... | main.cpp:7:33:7:36 | **argv | zstdTest.cpp:39:69:39:74 | & ... | The decompression output of $@ is not limited | zstdTest.cpp:39:32:39:52 | call to ZSTD_decompressStream | ZSTD_decompressStream |
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-409/DecompressionBombs.ql
|
||||
query: experimental/Security/CWE/CWE-409/DecompressionBombs.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -15,12 +15,12 @@ BrotliDecoderResult BrotliDecoderDecompressStream(
|
||||
void brotli_test(int argc, const char **argv) {
|
||||
uint8_t output[1024];
|
||||
size_t output_size = sizeof(output);
|
||||
BrotliDecoderDecompress(1024, (uint8_t *) argv[2], &output_size, output); // BAD
|
||||
BrotliDecoderDecompress(1024, (uint8_t *) argv[2], &output_size, output); // BAD // $ Alert
|
||||
|
||||
size_t input_size = 1024;
|
||||
const uint8_t *input_p = (const uint8_t*)argv[2];
|
||||
uint8_t *output_p = output;
|
||||
size_t out_size;
|
||||
BrotliDecoderDecompressStream(0, &input_size, &input_p, &output_size, // BAD
|
||||
BrotliDecoderDecompressStream(0, &input_size, &input_p, &output_size, // BAD // $ Alert
|
||||
&output_p, &out_size);
|
||||
}
|
||||
|
||||
@@ -19,7 +19,7 @@ static int read_data(archive *ar) {
|
||||
size_t size;
|
||||
la_int64_t offset;
|
||||
|
||||
int r = archive_read_data_block(ar, &buff, &size, &offset); // BAD
|
||||
int r = archive_read_data_block(ar, &buff, &size, &offset); // BAD // $ Alert
|
||||
if (r == ARCHIVE_EOF)
|
||||
return ARCHIVE_OK;
|
||||
if (r < ARCHIVE_OK)
|
||||
|
||||
@@ -4,7 +4,7 @@ void minizip_test(int argc, const char **argv);
|
||||
void zlib_test(int argc, const char **argv);
|
||||
void zstd_test(int argc, const char **argv);
|
||||
|
||||
int main(int argc, const char **argv) {
|
||||
int main(int argc, const char **argv) { // $ Source
|
||||
brotli_test(argc, argv);
|
||||
libarchive_test(argc, argv);
|
||||
minizip_test(argc, argv);
|
||||
|
||||
@@ -14,7 +14,7 @@ void minizip_test(int argc, const char **argv) {
|
||||
int32_t bytes_read;
|
||||
char buf[4096];
|
||||
while(true) {
|
||||
bytes_read = mz_zip_entry_read(zip_handle, (char *) argv[1], sizeof(buf)); // BAD
|
||||
bytes_read = mz_zip_entry_read(zip_handle, (char *) argv[1], sizeof(buf)); // BAD // $ Alert
|
||||
if (bytes_read <= 0) {
|
||||
break;
|
||||
}
|
||||
@@ -23,7 +23,7 @@ void minizip_test(int argc, const char **argv) {
|
||||
void *zip_reader = mz_zip_reader_create();
|
||||
mz_zip_reader_open_file(zip_reader, argv[1]);
|
||||
mz_zip_reader_goto_first_entry(zip_reader);
|
||||
mz_zip_reader_entry_save(zip_reader, 0, 0); // BAD
|
||||
mz_zip_reader_entry_save(zip_reader, 0, 0); // BAD // $ Alert
|
||||
|
||||
UnzOpen(argv[3]); // BAD
|
||||
UnzOpen(argv[3]); // BAD // $ Alert
|
||||
}
|
||||
|
||||
@@ -22,7 +22,7 @@ void UnsafeInflate(char *input) {
|
||||
infstream.next_out = output; // output char array
|
||||
|
||||
inflateInit(&infstream);
|
||||
inflate(&infstream, 0); // BAD
|
||||
inflate(&infstream, 0); // BAD // $ Alert
|
||||
}
|
||||
|
||||
|
||||
@@ -38,7 +38,7 @@ void UnsafeGzread(char *fileName) {
|
||||
gzFile inFileZ = gzopen(fileName, "rb");
|
||||
unsigned char unzipBuffer[8192];
|
||||
while (true) {
|
||||
if (gzread(inFileZ, unzipBuffer, 8192) <= 0) { // BAD
|
||||
if (gzread(inFileZ, unzipBuffer, 8192) <= 0) { // BAD // $ Alert
|
||||
break;
|
||||
}
|
||||
}
|
||||
@@ -48,7 +48,7 @@ void UnsafeGzfread(char *fileName) {
|
||||
gzFile inFileZ = gzopen(fileName, "rb");
|
||||
while (true) {
|
||||
char buffer[1000];
|
||||
if (!gzfread(buffer, 999, 1, inFileZ)) { // BAD
|
||||
if (!gzfread(buffer, 999, 1, inFileZ)) { // BAD // $ Alert
|
||||
break;
|
||||
}
|
||||
}
|
||||
@@ -59,7 +59,7 @@ void UnsafeGzgets(char *fileName) {
|
||||
char *buffer = new char[4000000000];
|
||||
char *result;
|
||||
while (true) {
|
||||
result = gzgets(inFileZ, buffer, 1000000000); // BAD
|
||||
result = gzgets(inFileZ, buffer, 1000000000); // BAD // $ Alert
|
||||
if (result == nullptr) {
|
||||
break;
|
||||
}
|
||||
@@ -74,7 +74,7 @@ void InflateString(char *input) {
|
||||
uLong source_length = 500;
|
||||
uLong destination_length = sizeof(output);
|
||||
|
||||
uncompress(output, &destination_length, (Bytef *) input, source_length); // BAD
|
||||
uncompress(output, &destination_length, (Bytef *) input, source_length); // BAD // $ Alert
|
||||
}
|
||||
|
||||
void zlib_test(int argc, char **argv) {
|
||||
|
||||
@@ -36,7 +36,7 @@ void zstd_test(int argc, const char **argv) {
|
||||
ZSTD_inBuffer input = {buffIn, read, 0};
|
||||
while (input.pos < input.size) {
|
||||
ZSTD_outBuffer output = {buffOut, buffOutSize, 0};
|
||||
size_t const ret = ZSTD_decompressStream(dctx, &output, &input); // BAD
|
||||
size_t const ret = ZSTD_decompressStream(dctx, &output, &input); // BAD // $ Alert
|
||||
CHECK_ZSTD(ret);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-415/DoubleFree.ql
|
||||
query: experimental/Security/CWE/CWE-415/DoubleFree.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -8,14 +8,14 @@ void workFunction_0(char *s) {
|
||||
char *buf;
|
||||
buf = (char *) malloc(intSize);
|
||||
free(buf); // GOOD
|
||||
if(buf) free(buf); // BAD
|
||||
if(buf) free(buf); // BAD // $ Alert
|
||||
}
|
||||
void workFunction_1(char *s) {
|
||||
int intSize = 10;
|
||||
char *buf;
|
||||
buf = (char *) malloc(intSize);
|
||||
free(buf); // GOOD
|
||||
free(buf); // BAD
|
||||
free(buf); // BAD // $ Alert
|
||||
}
|
||||
void workFunction_2(char *s) {
|
||||
int intSize = 10;
|
||||
@@ -54,7 +54,7 @@ void workFunction_5(char *s, int intFlag) {
|
||||
if(intFlag) {
|
||||
free(buf); // GOOD
|
||||
}
|
||||
free(buf); // BAD
|
||||
free(buf); // BAD // $ Alert
|
||||
}
|
||||
void workFunction_6(char *s, int intFlag) {
|
||||
int intSize = 10;
|
||||
@@ -75,7 +75,7 @@ void workFunction_7(char *s) {
|
||||
char *buf1;
|
||||
buf = (char *) malloc(intSize);
|
||||
buf1 = (char *) realloc(buf,intSize*4);
|
||||
free(buf); // BAD
|
||||
free(buf); // BAD // $ Alert
|
||||
}
|
||||
void workFunction_8(char *s) {
|
||||
int intSize = 10;
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-476/DangerousUseOfExceptionBlocks.ql
|
||||
query: experimental/Security/CWE/CWE-476/DangerousUseOfExceptionBlocks.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -68,7 +68,7 @@ void funcWork1b() {
|
||||
}
|
||||
delete [] bufMyData;
|
||||
|
||||
}
|
||||
} // $ Alert
|
||||
}
|
||||
|
||||
void funcWork1() {
|
||||
@@ -97,7 +97,7 @@ void funcWork1() {
|
||||
}
|
||||
delete [] bufMyData;
|
||||
|
||||
}
|
||||
} // $ Alert
|
||||
}
|
||||
|
||||
void funcWork2() {
|
||||
@@ -125,7 +125,7 @@ void funcWork2() {
|
||||
}
|
||||
delete [] bufMyData;
|
||||
|
||||
}
|
||||
} // $ Alert
|
||||
}
|
||||
void funcWork3() {
|
||||
int a;
|
||||
@@ -148,7 +148,7 @@ void funcWork3() {
|
||||
}
|
||||
delete [] bufMyData;
|
||||
|
||||
}
|
||||
} // $ Alert
|
||||
}
|
||||
|
||||
|
||||
@@ -180,7 +180,7 @@ void funcWork4b() {
|
||||
catch (...)
|
||||
{
|
||||
delete valData; // BAD
|
||||
}
|
||||
} // $ Alert
|
||||
}
|
||||
void funcWork5() {
|
||||
int a;
|
||||
@@ -218,7 +218,7 @@ void funcWork5b() {
|
||||
catch (...)
|
||||
{
|
||||
delete valData; // BAD
|
||||
}
|
||||
} // $ Alert
|
||||
}
|
||||
void funcWork6() {
|
||||
int a;
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-561/FindIncorrectlyUsedSwitch.ql
|
||||
query: experimental/Security/CWE/CWE-561/FindIncorrectlyUsedSwitch.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -25,7 +25,7 @@ void testFunction(char c1,int i1)
|
||||
case 9:
|
||||
break;
|
||||
dafault:
|
||||
}
|
||||
} // $ Alert
|
||||
|
||||
switch(c1){ // BAD
|
||||
c1=c1*2;
|
||||
@@ -35,7 +35,7 @@ void testFunction(char c1,int i1)
|
||||
break;
|
||||
case 9:
|
||||
break;
|
||||
}
|
||||
} // $ Alert
|
||||
|
||||
if((c1<6)&&(c1>0))
|
||||
switch(c1){ // BAD
|
||||
@@ -47,7 +47,7 @@ void testFunction(char c1,int i1)
|
||||
break;
|
||||
case 1:
|
||||
break;
|
||||
}
|
||||
} // $ Alert
|
||||
|
||||
if((c1<6)&&(c1>0))
|
||||
switch(c1){ // BAD
|
||||
@@ -55,6 +55,6 @@ void testFunction(char c1,int i1)
|
||||
break;
|
||||
case 1:
|
||||
break;
|
||||
}
|
||||
} // $ Alert
|
||||
|
||||
}
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-670/DangerousUseSSL_shutdown.ql
|
||||
query: experimental/Security/CWE/CWE-670/DangerousUseSSL_shutdown.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -42,7 +42,7 @@ int gootTest2(SSL *ssl)
|
||||
int badTest1(SSL *ssl)
|
||||
{
|
||||
int ret;
|
||||
switch ((ret = SSL_shutdown(ssl))) {
|
||||
switch ((ret = SSL_shutdown(ssl))) { // $ Alert
|
||||
case 1:
|
||||
break;
|
||||
case 0:
|
||||
@@ -58,7 +58,7 @@ int badTest1(SSL *ssl)
|
||||
int badTest2(SSL *ssl)
|
||||
{
|
||||
int ret;
|
||||
ret = SSL_shutdown(ssl);
|
||||
ret = SSL_shutdown(ssl); // $ Alert
|
||||
switch (ret) {
|
||||
case 1:
|
||||
break;
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-675/DoubleRelease.ql
|
||||
query: experimental/Security/CWE/CWE-675/DoubleRelease.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -17,7 +17,7 @@ void test2()
|
||||
FILE *f;
|
||||
|
||||
f = fopen("myFile.txt", "wt");
|
||||
fclose(f); // BAD
|
||||
fclose(f); // BAD // $ Alert
|
||||
fclose(f);
|
||||
}
|
||||
|
||||
@@ -28,14 +28,14 @@ void test3()
|
||||
|
||||
f = fopen("myFile.txt", "wt");
|
||||
g = f;
|
||||
fclose(f); // BAD
|
||||
fclose(f); // BAD // $ Alert
|
||||
fclose(g);
|
||||
}
|
||||
|
||||
int fGtest4_1()
|
||||
{
|
||||
fe = fopen("myFile.txt", "wt");
|
||||
fclose(fe); // BAD
|
||||
fclose(fe); // BAD // $ Alert
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql
|
||||
query: experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql
|
||||
query: experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -5,25 +5,25 @@ void workFunction_0(char *s) {
|
||||
int intSize;
|
||||
char buf[80];
|
||||
if(intSize>0 && intSize<80 && memset(buf,0,intSize)) return; // GOOD
|
||||
if(intSize>0 & intSize<80 & memset(buf,0,intSize)) return; // BAD
|
||||
if(intSize>0 & intSize<80 & memset(buf,0,intSize)) return; // BAD // $ Alert[cpp/errors-when-using-bit-operations]
|
||||
if(intSize>0 && tmpFunction()) return;
|
||||
if(intSize<0 & tmpFunction()) return; // BAD
|
||||
if(intSize<0 & tmpFunction()) return; // BAD // $ Alert[cpp/errors-when-using-bit-operations]
|
||||
}
|
||||
void workFunction_1(char *s) {
|
||||
int intA,intB;
|
||||
|
||||
if(intA + intB) return; // BAD
|
||||
if(intA + intB) return; // BAD // $ Alert[cpp/errors-after-refactoring]
|
||||
if(intA + intB>4) return; // GOOD
|
||||
if(intA>0 && (intA + intB)) return; // BAD
|
||||
if(intA>0 && (intA + intB)) return; // BAD // $ Alert[cpp/errors-after-refactoring]
|
||||
while(intA>0)
|
||||
{
|
||||
if(intB - intA<10) break;
|
||||
intA--;
|
||||
}while(intA>0); // BAD
|
||||
}while(intA>0); // BAD // $ Alert[cpp/errors-after-refactoring]
|
||||
for(intA=100; intA>0; intA--)
|
||||
{
|
||||
if(intB - intA<10) break;
|
||||
}while(intA>0); // BAD
|
||||
}while(intA>0); // BAD // $ Alert[cpp/errors-after-refactoring]
|
||||
while(intA>0)
|
||||
{
|
||||
if(intB - intA<10) break;
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-703/FindIncorrectlyUsedExceptions.ql
|
||||
query: experimental/Security/CWE/CWE-703/FindIncorrectlyUsedExceptions.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -32,13 +32,13 @@ void funcTest2()
|
||||
|
||||
void funcTest3()
|
||||
{
|
||||
std::runtime_error("msg error"); // BAD
|
||||
std::runtime_error("msg error"); // BAD // $ Alert
|
||||
throw std::runtime_error("msg error"); // GOOD
|
||||
}
|
||||
|
||||
void TestFunc()
|
||||
{
|
||||
funcTest1();
|
||||
DllMain();
|
||||
funcTest1(); // $ Alert
|
||||
DllMain(); // $ Alert
|
||||
funcTest2();
|
||||
}
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-754/ImproperCheckReturnValueScanf.ql
|
||||
query: experimental/Security/CWE/CWE-754/ImproperCheckReturnValueScanf.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -49,9 +49,9 @@ int functionWork1b(int retIndex) {
|
||||
char a[10];
|
||||
int b;
|
||||
int *p = &b;
|
||||
scanf("%i", &i); // BAD
|
||||
scanf("%s", a); // BAD
|
||||
scanf("%i", p); // BAD
|
||||
scanf("%i", &i); // BAD // $ Alert
|
||||
scanf("%s", a); // BAD // $ Alert
|
||||
scanf("%i", p); // BAD // $ Alert
|
||||
if(retIndex == 0)
|
||||
return (int)*a;
|
||||
if(retIndex == 1)
|
||||
@@ -102,9 +102,9 @@ int functionWork2b() {
|
||||
char a[10];
|
||||
int b;
|
||||
int *p = &b;
|
||||
scanf("%i", &i); // BAD
|
||||
scanf("%s", a); // BAD
|
||||
scanf("%i", p); // BAD
|
||||
scanf("%i", &i); // BAD // $ Alert
|
||||
scanf("%s", a); // BAD // $ Alert
|
||||
scanf("%i", p); // BAD // $ Alert
|
||||
globalVal = i;
|
||||
globalVala = a;
|
||||
globalValp = p;
|
||||
@@ -112,12 +112,12 @@ int functionWork2b() {
|
||||
}
|
||||
int functionWork2b_() {
|
||||
char a[10];
|
||||
scanf("%s", a); // BAD
|
||||
scanf("%s", a); // BAD // $ Alert
|
||||
globalVala2 = a[0];
|
||||
return 0;
|
||||
}
|
||||
int functionWork3b(int * i) {
|
||||
scanf("%i", i); // BAD
|
||||
scanf("%i", i); // BAD // $ Alert
|
||||
return 0;
|
||||
}
|
||||
int functionWork3() {
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-758/UndefinedOrImplementationDefinedBehavior.ql
|
||||
query: experimental/Security/CWE/CWE-758/UndefinedOrImplementationDefinedBehavior.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -10,10 +10,10 @@ char tmpFunction2(char * buf)
|
||||
}
|
||||
void workFunction_0(char *s, char * buf) {
|
||||
int intA;
|
||||
intA = tmpFunction1(buf) + tmpFunction2(buf); // BAD
|
||||
intA = tmpFunction1(buf) + tmpFunction2(buf); // BAD // $ Alert
|
||||
intA = tmpFunction1(buf); //GOOD
|
||||
intA += tmpFunction2(buf); // GOOD
|
||||
buf[intA] = intA++; // BAD
|
||||
buf[intA] = intA++; // BAD // $ Alert
|
||||
intA++;
|
||||
buf[intA] = intA; // GOOD
|
||||
}
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBitwiseOrLogicalOperations.ql
|
||||
query: experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBitwiseOrLogicalOperations.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1,14 +1,14 @@
|
||||
void testFunction(int i1, int i2, int i3, bool b1, bool b2, bool b3, char c1)
|
||||
{
|
||||
|
||||
if(b1||b2&&b3) //BAD
|
||||
if(b1||b2&&b3) //BAD // $ Alert
|
||||
return;
|
||||
if((b1||b2)&&b3) //GOOD
|
||||
return;
|
||||
if(b1||(b2&&b3)) //GOOD
|
||||
return;
|
||||
|
||||
if(b1||b2&i1) //BAD
|
||||
if(b1||b2&i1) //BAD // $ Alert
|
||||
return;
|
||||
if((b1||b2)&i1) //GOOD
|
||||
return;
|
||||
@@ -16,26 +16,26 @@ void testFunction(int i1, int i2, int i3, bool b1, bool b2, bool b3, char c1)
|
||||
return;
|
||||
if(b1&&b2&0) //GOOD
|
||||
return;
|
||||
if(b1||b2|i1) //BAD
|
||||
if(b1||b2|i1) //BAD // $ Alert
|
||||
return;
|
||||
if((b1||b2)|i1) //GOOD
|
||||
return;
|
||||
|
||||
if(i1|i2&c1) //BAD
|
||||
if(i1|i2&c1) //BAD // $ Alert
|
||||
return;
|
||||
if((i1|i2)&i3) //GOOD
|
||||
return;
|
||||
if(i1^i2&c1) //BAD
|
||||
if(i1^i2&c1) //BAD // $ Alert
|
||||
return;
|
||||
if((i1^i2)&i3) //GOOD
|
||||
return;
|
||||
|
||||
if(i1|i2^c1) //BAD
|
||||
if(i1|i2^c1) //BAD // $ Alert
|
||||
return;
|
||||
if((i1|i2)^i3) //GOOD
|
||||
return;
|
||||
|
||||
if(b1|b2^b3) //BAD
|
||||
if(b1|b2^b3) //BAD // $ Alert
|
||||
return;
|
||||
if((b1|b2)^b3) //GOOD
|
||||
return;
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
|
||||
query: experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.ql
|
||||
query: experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -13,15 +13,15 @@ void strlen_test1(){
|
||||
struct buffers buffAll;
|
||||
struct buffers * buffAll1;
|
||||
|
||||
buff1[strlen(buff1)]=0; // BAD
|
||||
buffAll.array[strlen(buffAll.array)]=0; // BAD
|
||||
buffAll.pointer[strlen(buffAll.pointer)]=0; // BAD
|
||||
buffAll1->array[strlen(buffAll1->array)]=0; // BAD
|
||||
buffAll1->pointer[strlen(buffAll1->pointer)]=0; // BAD
|
||||
globalBuff1.array[strlen(globalBuff1.array)]=0; // BAD
|
||||
globalBuff1.pointer[strlen(globalBuff1.pointer)]=0; // BAD
|
||||
globalBuff2->array[strlen(globalBuff2->array)]=0; // BAD
|
||||
globalBuff2->pointer[strlen(globalBuff2->pointer)]=0; // BAD
|
||||
buff1[strlen(buff1)]=0; // BAD // $ Alert[cpp/access-memory-location-after-end-buffer-strlen]
|
||||
buffAll.array[strlen(buffAll.array)]=0; // BAD // $ Alert[cpp/access-memory-location-after-end-buffer-strlen]
|
||||
buffAll.pointer[strlen(buffAll.pointer)]=0; // BAD // $ Alert[cpp/access-memory-location-after-end-buffer-strlen]
|
||||
buffAll1->array[strlen(buffAll1->array)]=0; // BAD // $ Alert[cpp/access-memory-location-after-end-buffer-strlen]
|
||||
buffAll1->pointer[strlen(buffAll1->pointer)]=0; // BAD // $ Alert[cpp/access-memory-location-after-end-buffer-strlen]
|
||||
globalBuff1.array[strlen(globalBuff1.array)]=0; // BAD // $ Alert[cpp/access-memory-location-after-end-buffer-strlen]
|
||||
globalBuff1.pointer[strlen(globalBuff1.pointer)]=0; // BAD // $ Alert[cpp/access-memory-location-after-end-buffer-strlen]
|
||||
globalBuff2->array[strlen(globalBuff2->array)]=0; // BAD // $ Alert[cpp/access-memory-location-after-end-buffer-strlen]
|
||||
globalBuff2->pointer[strlen(globalBuff2->pointer)]=0; // BAD // $ Alert[cpp/access-memory-location-after-end-buffer-strlen]
|
||||
}
|
||||
|
||||
void strlen_test2(){
|
||||
|
||||
@@ -7,13 +7,13 @@ void testFunction()
|
||||
int i1,i2,i3;
|
||||
bool b1,b2,b3;
|
||||
char c1,c2,c3;
|
||||
b1 = -b2; //BAD
|
||||
b1 = -b2; //BAD // $ Alert[cpp/operator-precedence-logic-error-when-use-bool-type]
|
||||
b1 = !b2; //GOOD
|
||||
b1++; //BAD
|
||||
++b1; //BAD
|
||||
if(i1=tmpFunc()!=i2) //BAD
|
||||
b1++; //BAD // $ Alert[cpp/operator-precedence-logic-error-when-use-bool-type]
|
||||
++b1; //BAD // $ Alert[cpp/operator-precedence-logic-error-when-use-bool-type]
|
||||
if(i1=tmpFunc()!=i2) //BAD // $ Alert[cpp/operator-precedence-logic-error-when-use-bool-type]
|
||||
return;
|
||||
if(i1=tmpFunc()!=11) //BAD
|
||||
if(i1=tmpFunc()!=11) //BAD // $ Alert[cpp/operator-precedence-logic-error-when-use-bool-type]
|
||||
return;
|
||||
if((i1=tmpFunc())!=i2) //GOOD
|
||||
return;
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-805/BufferAccessWithIncorrectLengthValue.ql
|
||||
query: experimental/Security/CWE/CWE-805/BufferAccessWithIncorrectLengthValue.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -24,7 +24,7 @@ bool badTest1(SSL *ssl,char *text)
|
||||
char buf[256];
|
||||
if( peer = SSL_get_peer_certificate(ssl))
|
||||
{
|
||||
X509_NAME_oneline(X509_get_subject_name(peer),buf,1024); // BAD
|
||||
X509_NAME_oneline(X509_get_subject_name(peer),buf,1024); // BAD // $ Alert
|
||||
if((char*)strcasestr(buf,text)) return true;
|
||||
}
|
||||
return false;
|
||||
|
||||
@@ -16,7 +16,7 @@ int main(int argc, char **argv)
|
||||
|
||||
// BAD, do not use scanf without specifying a length first
|
||||
char buf1[10];
|
||||
scanf("%s", buf1);
|
||||
scanf("%s", buf1); // $ Alert
|
||||
|
||||
// GOOD, length is specified. The length should be one less than the size of the destination buffer, since the last character is the NULL terminator.
|
||||
char buf2[20];
|
||||
@@ -25,7 +25,7 @@ int main(int argc, char **argv)
|
||||
|
||||
// BAD, do not use scanf without specifying a length first
|
||||
char file[10];
|
||||
fscanf(file, "%s", buf2);
|
||||
fscanf(file, "%s", buf2); // $ Alert
|
||||
|
||||
// GOOD, with 'sscanf' the input can be checked first and enough room allocated [FALSE POSITIVE]
|
||||
if (argc >= 1)
|
||||
@@ -33,7 +33,7 @@ int main(int argc, char **argv)
|
||||
char *src = argv[0];
|
||||
char *dest = (char *)malloc(strlen(src) + 1);
|
||||
|
||||
sscanf(src, "%s", dest);
|
||||
sscanf(src, "%s", dest); // $ Alert
|
||||
}
|
||||
|
||||
return 0;
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.ql
|
||||
query: experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
semmle/code/cpp/PrintAST.ql
|
||||
query: semmle/code/cpp/PrintAST.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
semmle/code/cpp/ASTConsistency.ql
|
||||
query: semmle/code/cpp/ASTConsistency.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
Telemetry/CompilerErrors.ql
|
||||
query: Telemetry/CompilerErrors.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
Telemetry/DatabaseQuality.ql
|
||||
query: Telemetry/DatabaseQuality.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
Telemetry/ExtractionMetrics.ql
|
||||
query: Telemetry/ExtractionMetrics.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
Telemetry/SucceededIncludes.ql
|
||||
query: Telemetry/SucceededIncludes.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
semmle/code/cpp/ir/IRConsistency.ql
|
||||
query: semmle/code/cpp/ir/IRConsistency.ql
|
||||
|
||||
@@ -1 +1 @@
|
||||
semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.ql
|
||||
query: semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.ql
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user