From f54debd65aade2255e0a5638ba03123742ff5d2e Mon Sep 17 00:00:00 2001 
From: Owen Mansel-Chan Date: Wed, 10 Jun 2026 22:57:08 +0200 Subject: [PATCH] C++ --- .../examples/BadLocking/AV Rule 107.qlref | 3 +- .../LocalVariableHidesGlobalVariable.qlref | 3 +- .../BadLocking/UnintendedDeclaration.cpp | 6 +- .../test/examples/expressions/PrintAST.qlref | 2 +- .../NoCheckBeforeUnsafePutUser.qlref | 3 +- .../tests/LateCheckOfFunctionArgument.qlref | 3 +- .../Security/CWE/CWE-020/semmle/tests/test.c | 2 +- .../CWE/CWE-078/WordexpTainted.expected | 4 +- .../Security/CWE/CWE-078/WordexpTainted.qlref | 3 +- .../query-tests/Security/CWE/CWE-078/test.cpp | 4 +- .../semmle/tests/FindWrapperFunctions.qlref | 3 +- .../CWE/CWE-1041/semmle/tests/test.cpp | 2 +- ...OfVariableWithUnnecessarilyWideScope.qlref | 3 +- .../Security/CWE/CWE-1126/semmle/tests/test.c | 2 +- .../CustomCryptographicPrimitive.qlref | 3 +- .../Security/CWE/CWE-1240/tests_crypto.cpp | 8 +- ...usWorksWithMultibyteOrWideCharacters.qlref | 3 +- .../CWE/CWE-125/semmle/tests/test.cpp | 16 +- .../CWE/CWE-125/semmle/tests/test1.cpp | 14 +- .../CWE/CWE-125/semmle/tests/test2.cpp | 16 +- .../CWE/CWE-125/semmle/tests/test3.cpp | 6 +- .../AllocMultiplicationOverflow.expected | 20 +- .../AllocMultiplicationOverflow.qlref | 3 +- .../AllocMultiplicationOverflow/test.cpp | 20 +- ...ousUseOfTransformationAfterOperation.qlref | 3 +- .../test.cpp | 8 +- .../IfStatementAdditionOverflow.qlref | 3 +- .../IfStatementAdditionOverflow/test.cpp | 70 +++--- .../ArrayAccessProductFlow.expected | 38 ++-- .../array-access/ArrayAccessProductFlow.qlref | 3 +- .../CWE/CWE-193/array-access/test.cpp | 20 +- .../ConstantSizeArrayOffByOne.expected | 44 ++-- .../ConstantSizeArrayOffByOne.qlref | 3 +- .../CWE/CWE-193/constant-size/test.cpp | 58 ++--- ...ensitiveInformationUnauthorizedActor.qlref | 3 +- .../Security/CWE/CWE-200/test1/test.cpp | 2 +- ...ensitiveInformationUnauthorizedActor.qlref | 3 +- ...ensitiveInformationUnauthorizedActor.qlref | 3 +- .../IncorrectChangingWorkingDirectory.qlref | 3 +- 
.../CWE/CWE-243/semmle/tests/test.cpp | 4 +- .../tests/IncorrectPrivilegeAssignment.qlref | 3 +- .../CWE/CWE-266/semmle/tests/test.cpp | 4 +- .../CWE/CWE-285/PamAuthorization.qlref | 3 +- .../query-tests/Security/CWE/CWE-285/test.cpp | 2 +- .../Security/CWE/CWE-295/CurlSSL.cpp | 4 +- .../Security/CWE/CWE-295/CurlSSL.qlref | 3 +- .../tests/PrivateCleartextWrite.expected | 24 +-- .../semmle/tests/PrivateCleartextWrite.qlref | 3 +- .../CWE/CWE-359/semmle/tests/test.cpp | 16 +- .../tests/DivideByZeroUsingReturnValue.qlref | 3 +- .../CWE/CWE-369/semmle/tests/test.cpp | 54 ++--- .../semmle/tests/InsecureTemporaryFile.qlref | 3 +- .../CWE/CWE-377/semmle/tests/test.cpp | 2 +- .../MemoryLeakOnFailedCallToRealloc.qlref | 3 +- .../Security/CWE/CWE-401/semmle/tests/test.c | 16 +- .../DecompressionBombs.expected | 28 +-- .../DecompressionBombs.qlref | 3 +- .../CWE-409/DecompressionBombs/brotliTest.cpp | 4 +- .../DecompressionBombs/libarchiveTests.cpp | 2 +- .../CWE/CWE-409/DecompressionBombs/main.cpp | 2 +- .../DecompressionBombs/minizipTest.cpp | 6 +- .../CWE-409/DecompressionBombs/zlibTest.cpp | 10 +- .../CWE-409/DecompressionBombs/zstdTest.cpp | 2 +- .../CWE/CWE-415/semmle/tests/DoubleFree.qlref | 3 +- .../Security/CWE/CWE-415/semmle/tests/test.c | 8 +- .../tests/DangerousUseOfExceptionBlocks.qlref | 3 +- .../CWE/CWE-476/semmle/tests/test.cpp | 12 +- .../tests/FindIncorrectlyUsedSwitch.qlref | 3 +- .../Security/CWE/CWE-561/semmle/tests/test.c | 8 +- .../tests/DangerousUseSSL_shutdown.qlref | 3 +- .../CWE/CWE-670/semmle/tests/test.cpp | 4 +- .../CWE-675/semmle/tests/DoubleRelease.qlref | 3 +- .../CWE/CWE-675/semmle/tests/test.cpp | 6 +- ...lowManagementAfterRefactoringTheCode.qlref | 3 +- ...FlowManagementWhenUsingBitOperations.qlref | 3 +- .../Security/CWE/CWE-691/semmle/tests/test.c | 12 +- .../tests/FindIncorrectlyUsedExceptions.qlref | 3 +- .../CWE/CWE-703/semmle/tests/test.cpp | 6 +- .../tests/ImproperCheckReturnValueScanf.qlref | 3 +- 
.../CWE/CWE-754/semmle/tests/test.cpp | 16 +- ...finedOrImplementationDefinedBehavior.qlref | 3 +- .../Security/CWE/CWE-758/semmle/tests/test.c | 4 +- ...rorWhenUseBitwiseOrLogicalOperations.qlref | 3 +- .../CWE/CWE-783/semmle/tests/test.cpp | 14 +- ...yLocationAfterEndOfBufferUsingStrlen.qlref | 3 +- ...rPrecedenceLogicErrorWhenUseBoolType.qlref | 3 +- .../Security/CWE/CWE-788/semmle/tests/test.c | 18 +- .../CWE/CWE-788/semmle/tests/test.cpp | 10 +- ...BufferAccessWithIncorrectLengthValue.qlref | 3 +- .../CWE/CWE-805/semmle/tests/test.cpp | 2 +- .../semmle/tests/MemoryUnsafeFunctionScan.cpp | 6 +- .../tests/MemoryUnsafeFunctionScan.qlref | 3 +- .../library-tests/c11_generic/PrintAST.qlref | 2 +- .../conversions/consistency.qlref | 2 +- .../extraction_errors/CompilerErrors.qlref | 2 +- .../extraction_errors/DatabaseQuality.qlref | 2 +- .../extraction_errors/ExtractionMetrics.qlref | 2 +- .../extraction_errors/SucceededIncludes.qlref | 2 +- .../ir/aliased_ssa_consistency_unsound.qlref | 2 +- .../aliased_ssa_ssa_consistency_unsound.qlref | 2 +- .../library-tests/ir/ir/raw_consistency.qlref | 2 +- .../unaliased_ssa_consistency_unsound.qlref | 2 +- ...naliased_ssa_ssa_consistency_unsound.qlref | 2 +- .../ssa/aliased_ssa_consistency_unsound.qlref | 2 +- .../ir/ssa/aliased_ssa_ir_unsound.qlref | 2 +- .../aliased_ssa_ssa_consistency_unsound.qlref | 2 +- .../unaliased_ssa_consistency_unsound.qlref | 2 +- .../ir/ssa/unaliased_ssa_ir_unsound.qlref | 2 +- ...naliased_ssa_ssa_consistency_unsound.qlref | 2 +- .../lossy_pointer_cast/lossy_pointer_cast.c | 4 +- .../lossy_pointer_cast.qlref | 3 +- .../subscript_operator/PrintAST.qlref | 2 +- .../syntax-zoo/aliased_ssa_consistency.qlref | 2 +- .../syntax-zoo/raw_consistency.qlref | 2 +- .../unaliased_ssa_consistency.qlref | 2 +- .../integral_types_ms/integral_type.qlref | 2 +- .../AlertSuppression/AlertSuppression.qlref | 2 +- .../FeatureEnvy/FeatureEnvy.qlref | 3 +- .../Architecture/FeatureEnvy/a.cpp | 6 +- 
.../InappropriateIntimacy.qlref | 2 +- .../ClassesWithManyFields/cwmf.cpp | 14 +- .../ClassesWithManyFields/cwmf.qlref | 3 +- .../ClassesWithManyFields/different_types.h | 2 +- .../ComplexFunctions/ComplexFunctions.qlref | 3 +- .../ComplexFunctions/complex.c | 2 +- .../GuardedFree/GuardedFree.qlref | 3 +- .../Best Practices/GuardedFree/test.cpp | 10 +- .../DeclarationHidesParameter.qlref | 3 +- .../DeclarationHidesParameter/hiding.cpp | 14 +- .../DeclarationHidesVariable.qlref | 3 +- .../DeclarationHidesVariable/hiding.cpp | 6 +- .../DeclarationHidesVariable.qlref | 3 +- .../LocalVariableHidesGlobalVariable/Hiding.c | 16 +- .../LocalVariableHidesGlobalVariable.qlref | 3 +- .../CommaBeforeMisleadingIndentation.qlref | 3 +- .../CommaBeforeMisleadingIndentation/test.cpp | 10 +- .../Likely Errors/EmptyBlock/EmptyBlock.qlref | 3 +- .../Likely Errors/EmptyBlock/empty_block.cpp | 6 +- .../OffsetUseBeforeRangeCheck.qlref | 3 +- .../OffsetUseBeforeRangeCheck/test.cpp | 12 +- .../Likely Errors/Slicing/Slicing.qlref | 3 +- .../Likely Errors/Slicing/test.cpp | 2 +- .../ConstructorOrMethodWithExactDate.cpp | 8 +- .../Japanese Era/JapaneseEraDate.qlref | 3 +- .../Japanese Era/StructWithExactDate.cpp | 6 +- .../MagicConstantsNumbers.qlref | 3 +- .../MagicConstantsNumbers/a123.c | 2 +- .../MagicConstantsNumbers/b123.c | 2 +- .../MagicConstantsNumbers/case.c | 2 +- .../MagicConstantsNumbers/constants.h | 10 +- .../MagicConstantsNumbers/functions.h | 4 +- .../MagicConstantsNumbers/templates.cpp | 4 +- .../MagicConstantsString.qlref | 3 +- .../MagicConstantsString/constants.h | 2 +- .../MagicConstantsString/joining.cpp | 6 +- .../Best Practices/RuleOfTwo/RuleOfTwo.cpp | 12 +- .../Best Practices/RuleOfTwo/RuleOfTwo.qlref | 3 +- .../SloppyGlobal/SloppyGlobal.qlref | 3 +- .../Best Practices/SloppyGlobal/main.cpp | 14 +- .../UnusedIncludes/unusedIncludes.cpp | 8 +- .../UnusedIncludes/unusedIncludes.qlref | 3 +- .../UnusedLocals/UnusedLocals.qlref | 3 +- .../Unused 
Entities/UnusedLocals/code.c | 16 +- .../Unused Entities/UnusedLocals/code.cpp | 12 +- .../Unused Entities/UnusedLocals/code2.cpp | 16 +- .../Unused Entities/UnusedLocals/errors.c | 2 +- .../UnusedStaticFunctions.qlref | 3 +- .../UnusedStaticFunctions/unused_functions.c | 8 +- .../UnusedStaticFunctions/unused_mut.c | 4 +- .../unused_static_functions.cpp | 6 +- .../UnusedStaticFunctions/used_by_var_ref.c | 6 +- .../UnusedStaticVariables.qlref | 3 +- .../UnusedStaticVariables/test.cpp | 8 +- .../DeadCodeFunction/DeadCodeFunction.qlref | 3 +- .../Critical/DeadCodeFunction/test.cpp | 2 +- .../Critical/DeadCodeGoto/DeadCodeGoto.qlref | 3 +- .../Critical/DeadCodeGoto/test.cpp | 6 +- .../FileClosed/FileMayNotBeClosed.qlref | 3 +- .../Critical/FileClosed/FileNeverClosed.qlref | 3 +- .../query-tests/Critical/FileClosed/file.c | 8 +- .../GlobalUseBeforeInit.qlref | 3 +- .../Critical/GlobalUseBeforeInit/test.cpp | 4 +- .../InitialisationNotRun.qlref | 3 +- .../Critical/InitialisationNotRun/test.cpp | 4 +- .../LargeParameter/LargeParameter.qlref | 3 +- .../Critical/LargeParameter/test.cpp | 20 +- .../Critical/MemoryFreed/DoubleFree.expected | 30 +-- .../Critical/MemoryFreed/DoubleFree.qlref | 3 +- .../MemoryFreed/MemoryMayNotBeFreed.qlref | 3 +- .../MemoryFreed/MemoryNeverFreed.qlref | 3 +- .../MemoryFreed/UseAfterFree.expected | 50 ++--- .../Critical/MemoryFreed/UseAfterFree.qlref | 3 +- .../Critical/MemoryFreed/my_auto_ptr.cpp | 12 +- .../query-tests/Critical/MemoryFreed/test.cpp | 26 +-- .../Critical/MemoryFreed/test_free.cpp | 124 +++++------ .../IncorrectCheckScanf.qlref | 3 +- .../MissingCheckScanf.expected | 44 ++-- .../MissingCheckScanf/MissingCheckScanf.qlref | 3 +- .../Critical/MissingCheckScanf/test.cpp | 96 ++++----- .../MissingNullTest/MissingNullTest.qlref | 3 +- .../Critical/MissingNullTest/test.cpp | 12 +- .../NewFree/NewArrayDeleteMismatch.qlref | 3 +- .../NewFree/NewDeleteArrayMismatch.qlref | 3 +- .../Critical/NewFree/NewFreeMismatch.qlref | 3 +- 
.../query-tests/Critical/NewFree/test.cpp | 54 ++--- .../query-tests/Critical/NewFree/test2.cpp | 12 +- .../NotInitialised/NotInitialised.qlref | 3 +- .../Critical/NotInitialised/test.cpp | 4 +- .../NoSpaceForZeroTerminator.qlref | 3 +- .../OverflowCalculated.qlref | 3 +- .../Critical/OverflowCalculated/tests1.cpp | 12 +- .../Critical/OverflowCalculated/tests2.cpp | 4 +- .../Critical/OverflowCalculated/tests3.cpp | 10 +- .../OverflowStatic/OverflowStatic.qlref | 3 +- .../Critical/OverflowStatic/test.c | 8 +- .../Critical/OverflowStatic/test.cpp | 10 +- .../Critical/OverflowStatic/test2.c | 14 +- .../ReturnValueIgnored.qlref | 3 +- .../Critical/ReturnValueIgnored/test.cpp | 2 +- .../Critical/SizeCheck/SizeCheck2.qlref | 3 +- .../query-tests/Critical/SizeCheck/test2.c | 10 +- .../UnsafeUseOfThis/UnsafeUseOfThis.qlref | 2 +- .../Diagnostics/ExtractedFiles.qlref | 2 +- .../Diagnostics/ExtractionErrors.qlref | 2 +- .../Diagnostics/ExtractionWarnings.qlref | 2 +- .../FailedExtractorInvocations.qlref | 2 +- .../CommentedOutCode/CommentedOutCode.qlref | 3 +- .../Documentation/CommentedOutCode/test.c | 10 +- .../Documentation/CommentedOutCode/test2.cpp | 30 +-- .../DocumentApi/DocumentApi.qlref | 3 +- .../DocumentApi/comment_prototypes.c | 12 +- .../Documentation/DocumentApi/definition.c | 4 +- .../TodoComments/FixmeComments.qlref | 3 +- .../TodoComments/TodoComments.qlref | 3 +- .../Documentation/TodoComments/todo.c | 14 +- .../Documentation/TodoComments/todo_fixme.cpp | 12 +- .../Cleanup-DuplicateIncludeGuard.qlref | 3 +- .../Cleanup-DuplicateIncludeGuard/header1.h | 2 +- .../Cleanup-DuplicateIncludeGuard/header2.h | 2 +- .../Cleanup-DuplicateIncludeGuard/header4.h | 2 +- .../Cleanup-DuplicateIncludeGuard/header6.h | 2 +- .../Cleanup-DuplicateIncludeGuard/header7.h | 2 +- .../subfolder/header4.h | 2 +- .../subfolder/header5.h | 2 +- .../LimitedScopeFile/LimitedScopeFile.qlref | 3 +- .../LOC-3/Rule 13/LimitedScopeFile/file1.c | 2 +- .../LimitedScopeFunction.qlref | 3 +- 
.../LOC-3/Rule 13/LimitedScopeFunction/test.c | 6 +- .../JPL_C/LOC-3/Rule 17/BasicIntTypes.qlref | 3 +- .../query-tests/JPL_C/LOC-3/Rule 17/test.c | 2 +- .../NonConstFunctionPointer.qlref | 3 +- .../Rule 29/NonConstFunctionPointer/test.c | 6 +- .../FunctionPointerConversions.qlref | 3 +- .../Rule 30/FunctionPointerConversions/test.c | 12 +- .../AmbiguouslySignedBitField.qlref | 3 +- .../AmbiguouslySignedBitField/test.cpp | 10 +- .../BadAdditionOverflowCheck.qlref | 3 +- .../ComparisonWithCancelingSubExpr.qlref | 3 +- .../PointlessSelfComparison.qlref | 3 +- .../SignedOverflowCheck.cpp | 14 +- .../SignedOverflowCheck.qlref | 3 +- .../BadAdditionOverflowCheck/templates.cpp | 2 +- .../BadAdditionOverflowCheck/test.cpp | 20 +- .../Arithmetic/BadCheckOdd/BadCheckOdd.qlref | 3 +- .../Arithmetic/BadCheckOdd/test.cpp | 4 +- .../BitwiseSignCheck/BitwiseSignCheck.qlref | 3 +- .../Arithmetic/BitwiseSignCheck/bsc.cpp | 8 +- .../ComparisonPrecedence.qlref | 3 +- .../ComparisonPrecedence/template.cpp | 2 +- .../Arithmetic/ComparisonPrecedence/test.cpp | 16 +- .../FloatComparison/FloatComparison.qlref | 3 +- .../Arithmetic/FloatComparison/c.c | 8 +- .../Arithmetic/IntMultToLong/Buildless.c | 4 +- .../Arithmetic/IntMultToLong/IntMultToLong.c | 28 +-- .../IntMultToLong/IntMultToLong.cpp | 2 +- .../IntMultToLong/IntMultToLong.qlref | 3 +- .../PointlessComparison/ConstVirtual.cpp | 2 +- .../PointlessComparison/PointlessComparison.c | 94 ++++---- .../PointlessComparison.cpp | 10 +- .../PointlessComparison.qlref | 3 +- .../PointlessComparison/RegressionTests.cpp | 2 +- .../PointlessComparison/Templates.cpp | 2 +- .../PointlessComparison/UnsignedGEZero.qlref | 3 +- .../Arithmetic/UnsignedGEZero/Templates.cpp | 2 +- .../UnsignedGEZero/UnsignedGEZero.c | 44 ++-- .../UnsignedGEZero/UnsignedGEZero.cpp | 44 ++-- .../UnsignedGEZero/UnsignedGEZero.qlref | 3 +- .../ContinueInFalseLoop.qlref | 3 +- .../Likely Bugs/ContinueInFalseLoop/test.cpp | 4 +- .../ArrayArgSizeMismatch.qlref | 3 +- 
.../Conversion/ArrayArgSizeMismatch/test.cpp | 2 +- .../CastArrayPointerArithmetic.expected | 20 +- .../CastArrayPointerArithmetic.qlref | 3 +- .../CastArrayPointerArithmetic/test.cpp | 24 +-- .../ImplicitDowncastFromBitfield.qlref | 3 +- .../ImplicitDowncastFromBitfield/test.cpp | 4 +- .../LossyFunctionResultCast.qlref | 3 +- .../LossyFunctionResultCast/test.cpp | 18 +- .../NonConstantFormat/NonConstantFormat.c | 8 +- .../NonConstantFormat.expected | 40 ++-- .../NonConstantFormat/NonConstantFormat.qlref | 3 +- .../Format/NonConstantFormat/nested.cpp | 10 +- .../Format/NonConstantFormat/test.cpp | 48 ++--- .../SnprintfOverflow/SnprintfOverflow.qlref | 3 +- .../Format/SnprintfOverflow/test.cpp | 8 +- .../TooManyFormatArguments.qlref | 3 +- .../WrongNumberOfFormatArguments.qlref | 3 +- .../Format/WrongNumberOfFormatArguments/a.c | 4 +- .../Format/WrongNumberOfFormatArguments/b.c | 4 +- .../Format/WrongNumberOfFormatArguments/c.c | 4 +- .../custom_printf.cpp | 4 +- .../WrongNumberOfFormatArguments/macros.cpp | 10 +- .../syntax_errors.c | 2 +- .../WrongNumberOfFormatArguments/test.c | 28 +-- .../Buildless/WrongTypeFormatArguments.qlref | 3 +- .../Buildless/second.cpp | 4 +- .../Buildless/tests.c | 2 +- .../Builtin/WrongTypeFormatArguments.qlref | 3 +- .../WrongTypeFormatArguments/Builtin/tests.c | 2 +- .../WrongTypeFormatArguments.qlref | 3 +- .../Linux_mixed_byte_wprintf/tests.cpp | 22 +- .../WrongTypeFormatArguments.qlref | 3 +- .../Linux_mixed_word_size/tests_32.cpp | 4 +- .../Linux_mixed_word_size/tests_64.cpp | 4 +- .../WrongTypeFormatArguments.qlref | 3 +- .../Linux_signed_chars/format.h | 2 +- .../Linux_signed_chars/linux.cpp | 2 +- .../Linux_signed_chars/linux_c.c | 2 +- .../Linux_signed_chars/pri_macros.h | 2 +- .../Linux_signed_chars/printf1.h | 102 ++++----- .../Linux_signed_chars/real_world.h | 8 +- .../Linux_signed_chars/wide_string.h | 2 +- .../WrongTypeFormatArguments.qlref | 3 +- .../Linux_two_byte_wprintf/printf.cpp | 4 +- 
.../WrongTypeFormatArguments.qlref | 3 +- .../Linux_unsigned_chars/format.h | 2 +- .../Linux_unsigned_chars/pri_macros.h | 2 +- .../Linux_unsigned_chars/printf1.h | 22 +- .../Linux_unsigned_chars/real_world.h | 8 +- .../Linux_unsigned_chars/wide_string.h | 2 +- .../Microsoft/WrongTypeFormatArguments.qlref | 3 +- .../Microsoft/format.h | 2 +- .../Microsoft/pri_macros.h | 2 +- .../Microsoft/printf1.h | 58 ++--- .../Microsoft/real_world.h | 8 +- .../Microsoft/wide_string.h | 4 +- .../WrongTypeFormatArguments.qlref | 3 +- .../Microsoft_no_wchar/format.h | 2 +- .../Microsoft_no_wchar/pri_macros.h | 2 +- .../Microsoft_no_wchar/printf1.h | 54 ++--- .../Microsoft_no_wchar/real_world.h | 8 +- .../Microsoft_no_wchar/wide_string.h | 4 +- .../InconsistentCheckReturnNull.qlref | 3 +- .../InconsistentCheckReturnNull/test.c | 2 +- .../Adding365daysPerYear.qlref | 3 +- .../Leap Year/Adding365DaysPerYear/test.cpp | 10 +- ...UncheckedReturnValueForTimeFunctions.qlref | 2 +- .../UnsafeArrayForDaysOfYear.qlref | 3 +- .../UnsafeArrayForDaysOfYear/test.cpp | 6 +- .../AssignWhereCompareMeant.qlref | 3 +- .../AssignWhereCompareMeant/test.cpp | 48 ++--- .../CompareWhereAssignMeant.qlref | 3 +- .../ExprHasNoEffect.qlref | 3 +- .../CompareWhereAssignMeant/test.cpp | 20 +- .../DubiousNullCheck/DubiousNullCheck.cpp | 8 +- .../DubiousNullCheck/DubiousNullCheck.qlref | 3 +- .../TryCompile-abcdef/ExprHasNoEffect.qlref | 3 +- .../ExprHasNoEffect/ExprHasNoEffect.qlref | 3 +- .../autoconf/ExprHasNoEffect.qlref | 3 +- .../ExprHasNoEffect/autoconf/conftest.c.c | 2 +- .../ExprHasNoEffect/autoconf/conftest_abc.c | 2 +- .../Likely Typos/ExprHasNoEffect/calls.cpp | 4 +- .../Likely Typos/ExprHasNoEffect/expr.cpp | 6 +- .../tmp_abc/ExprHasNoEffect.qlref | 3 +- .../Likely Typos/ExprHasNoEffect/preproc.c | 4 +- .../Likely Typos/ExprHasNoEffect/template.cpp | 2 +- .../ExprHasNoEffect/templatey.cpp | 2 +- .../Likely Typos/ExprHasNoEffect/test.c | 26 +-- .../Likely Typos/ExprHasNoEffect/test.cpp | 4 +- 
.../Likely Typos/ExprHasNoEffect/volatile.c | 8 +- .../Likely Typos/ExprHasNoEffect/weak.c | 2 +- .../IncorrectNotOperatorUsage.c | 16 +- .../IncorrectNotOperatorUsage.cpp | 18 +- .../IncorrectNotOperatorUsage.qlref | 3 +- .../ShortCircuitBitMask.qlref | 3 +- .../ShortCircuitBitMask/big_ints.cpp | 24 +-- .../UsingStrcpyAsBoolean.qlref | 3 +- .../Likely Typos/UsingStrcpyAsBoolean/test.c | 22 +- .../UsingStrcpyAsBoolean/test.cpp | 40 ++-- .../inconsistentLoopDirection.c | 12 +- .../inconsistentLoopDirection.cpp | 38 ++-- .../inconsistentLoopDirection.qlref | 3 +- .../AllocaInLoop/AllocaInLoop.qlref | 3 +- .../AllocaInLoop/AllocaInLoop1.cpp | 8 +- .../AllocaInLoop/AllocaInLoop1ms.cpp | 6 +- .../AllocaInLoop/AllocaInLoop2.c | 2 +- .../AllocaInLoop/AllocaInLoop3.cpp | 2 +- .../AllocaInLoop/BoundedLoop.cpp | 18 +- .../ImproperNullTermination.qlref | 3 +- .../ImproperNullTerminationTainted.qlref | 3 +- .../ImproperNullTermination/test.cpp | 56 ++--- .../NtohlArrayNoBound/NtohlArrayNoBound.qlref | 3 +- .../NtohlArrayNoBound/test.cpp | 18 +- .../More64BitWaste/More64BitWaste.qlref | 3 +- .../Padding/More64BitWaste/test.cpp | 4 +- .../NonPortablePrintf/NonPortablePrintf.qlref | 3 +- .../Padding/NonPortablePrintf/test.cpp | 8 +- .../Suboptimal64BitType.qlref | 3 +- .../Padding/Suboptimal64BitType/types.c | 2 +- .../PointerOverflow/PointerOverflow.qlref | 3 +- .../PointerOverflow/test.cpp | 8 +- .../ReturnCstrOfLocalStdString.qlref | 3 +- .../ReturnCstrOfLocalStdString/test.cpp | 6 +- .../ReturnStackAllocatedMemory.expected | 34 +-- .../ReturnStackAllocatedMemory.qlref | 3 +- .../ReturnStackAllocatedMemory/test.cpp | 52 ++--- .../StackAddressEscapes.qlref | 3 +- .../StackAddressEscapes/manager.cpp | 2 +- .../StackAddressEscapes/test.cpp | 124 +++++------ .../StrncpyFlippedArgs.qlref | 3 +- .../StrncpyFlippedArgs/test.c | 4 +- .../StrncpyFlippedArgs/test.cpp | 40 ++-- .../SuspiciousCallToMemset.qlref | 3 +- .../SuspiciousCallToMemset/doc_tests.c | 2 +- 
.../SuspiciousCallToMemset/test.cpp | 60 +++--- .../SuspiciousCallToStrncat.qlref | 3 +- .../SuspiciousCallToStrncat/test.c | 14 +- .../SuspiciousSizeof/SuspiciousSizeof.qlref | 3 +- .../SuspiciousSizeof/test.cpp | 12 +- .../UnsafeUseOfStrcat/strcat.c | 4 +- .../UnsafeUseOfStrcat/strcat.qlref | 3 +- .../UsingExpiredStackAddress.expected | 56 ++--- .../UsingExpiredStackAddress.qlref | 3 +- .../UsingExpiredStackAddress/test.cpp | 102 ++++----- .../IncorrectConstructorDelegation.qlref | 3 +- .../IncorrectConstructorDelegation/test.cpp | 4 +- .../NonVirtualDestructorInBaseClass.cpp | 6 +- .../NonVirtualDestructorInBaseClass.qlref | 3 +- .../ThrowInDestructor/ThrowInDestructor.qlref | 3 +- .../Likely Bugs/OO/ThrowInDestructor/test.cpp | 6 +- .../TlsSettingsMisconfiguration.qlref | 3 +- .../UseOfDeprecatedHardcodedProtocol.qlref | 3 +- .../Likely Bugs/Protocols/test.cpp | 34 +-- .../Likely Bugs/Protocols/test2.cpp | 10 +- .../Likely Bugs/Protocols/test3.cpp | 2 +- .../RedundantNullCheckSimple.cpp | 24 +-- .../RedundantNullCheckSimple.expected | 36 ++-- .../RedundantNullCheckSimple.qlref | 3 +- .../ReturnConstType/ReturnConstType.qlref | 3 +- .../Likely Bugs/ReturnConstType/test.cpp | 14 +- .../ReturnConstTypeMember.qlref | 3 +- .../ReturnConstTypeMember/templates.cpp | 2 +- .../ReturnConstTypeMember/test.cpp | 6 +- .../ShortLoopVarName/ShortLoopVarName.cpp | 8 +- .../ShortLoopVarName/ShortLoopVarName.qlref | 3 +- .../ImplicitFunctionDeclaration.qlref | 3 +- .../MistypedFunctionArguments.qlref | 3 +- .../TooFewArguments.qlref | 3 +- .../TooManyArguments.qlref | 3 +- .../Underspecified Functions/test.c | 50 ++--- .../UseInOwnInitializer.qlref | 3 +- .../Likely Bugs/UseInOwnInitializer/test.cpp | 8 +- .../Metrics/Functions/FunLinesOfCode.qlref | 2 +- .../Functions/FunLinesOfComments.qlref | 2 +- .../Metrics/Functions/FunNumberOfCalls.qlref | 2 +- .../Functions/FunNumberOfParameters.qlref | 2 +- .../Functions/FunNumberOfStatements.qlref | 2 +- .../Rule 
2/BoundedLoopIterations.qlref | 3 +- .../query-tests/Power of 10/Rule 2/loops.cpp | 26 +-- .../CWE/CWE-014/MemsetMayBeDeleted.qlref | 3 +- .../query-tests/Security/CWE/CWE-014/test.cpp | 6 +- ..._Path_Traversal__char_console_fopen_11.cpp | 4 +- .../SAMATE/TaintedPath/TaintedPath.expected | 4 +- .../SAMATE/TaintedPath/TaintedPath.qlref | 3 +- .../SAMATE/ExecTainted/ExecTainted.expected | 4 +- .../SAMATE/ExecTainted/ExecTainted.qlref | 3 +- .../CWE/CWE-078/SAMATE/ExecTainted/tests.cpp | 4 +- .../semmle/ExecTainted/ExecTainted.expected | 50 ++--- .../semmle/ExecTainted/ExecTainted.qlref | 3 +- .../CWE/CWE-078/semmle/ExecTainted/test.cpp | 66 +++--- .../CWE/CWE-079/semmle/CgiXss/CgiXss.expected | 8 +- .../CWE/CWE-079/semmle/CgiXss/CgiXss.qlref | 3 +- .../CWE/CWE-079/semmle/CgiXss/search.c | 8 +- .../UncontrolledProcessOperation.expected | 4 +- .../UncontrolledProcessOperation.qlref | 3 +- .../UncontrolledProcessOperation/test.cpp | 4 +- .../UncontrolledProcessOperation.expected | 22 +- .../UncontrolledProcessOperation.qlref | 3 +- .../UncontrolledProcessOperation/test.cpp | 34 +-- .../CWE-119/SAMATE/BadlyBoundedWrite.qlref | 3 +- .../SAMATE/OffsetUseBeforeRangeCheck.qlref | 3 +- .../CWE/CWE-119/SAMATE/OverflowBuffer.qlref | 3 +- .../SAMATE/OverflowDestination.expected | 2 +- .../CWE-119/SAMATE/OverflowDestination.qlref | 3 +- .../CWE/CWE-119/SAMATE/OverflowStatic.qlref | 3 +- .../CWE/CWE-119/SAMATE/OverrunWrite.qlref | 3 +- .../CWE-119/SAMATE/OverrunWriteFloat.qlref | 3 +- .../SAMATE/OverrunWriteProductFlow.expected | 32 +-- .../SAMATE/OverrunWriteProductFlow.qlref | 3 +- .../CWE-119/SAMATE/StrncpyFlippedArgs.qlref | 3 +- .../CWE-119/SAMATE/UnboundedWrite.expected | 2 +- .../CWE/CWE-119/SAMATE/UnboundedWrite.qlref | 3 +- .../SAMATE/VeryLikelyOverrunWrite.qlref | 3 +- .../Security/CWE/CWE-119/SAMATE/test.cpp | 40 ++-- .../Security/CWE/CWE-119/SAMATE/tests.cpp | 34 +-- .../semmle/tests/BadlyBoundedWrite.qlref | 3 +- .../tests/OffsetUseBeforeRangeCheck.qlref | 3 +- 
.../CWE-119/semmle/tests/OverflowBuffer.qlref | 3 +- .../semmle/tests/OverflowDestination.expected | 10 +- .../semmle/tests/OverflowDestination.qlref | 3 +- .../CWE-119/semmle/tests/OverflowStatic.qlref | 3 +- .../CWE-119/semmle/tests/OverrunWrite.qlref | 3 +- .../semmle/tests/OverrunWriteFloat.qlref | 3 +- .../semmle/tests/StrncpyFlippedArgs.qlref | 3 +- .../semmle/tests/UnboundedWrite.expected | 6 +- .../CWE-119/semmle/tests/UnboundedWrite.qlref | 3 +- .../semmle/tests/VeryLikelyOverrunWrite.qlref | 3 +- .../CWE/CWE-119/semmle/tests/main.cpp | 2 +- .../semmle/tests/overflowdestination.cpp | 12 +- .../CWE/CWE-119/semmle/tests/tests.cpp | 202 +++++++++--------- .../CWE/CWE-119/semmle/tests/tests_restrict.c | 2 +- .../CWE/CWE-119/semmle/tests/unions.cpp | 6 +- .../CWE-119/semmle/tests/var_size_struct.cpp | 10 +- .../UnsafeUseOfStrcat/UnsafeUseOfStrcat.qlref | 3 +- .../CWE-120/semmle/UnsafeUseOfStrcat/test.c | 4 +- .../semmle/tests/BadlyBoundedWrite.qlref | 3 +- .../CWE-120/semmle/tests/OverrunWrite.qlref | 3 +- .../semmle/tests/OverrunWriteFloat.qlref | 3 +- .../semmle/tests/UnboundedWrite.expected | 12 +- .../CWE-120/semmle/tests/UnboundedWrite.qlref | 3 +- .../semmle/tests/VeryLikelyOverrunWrite.qlref | 3 +- .../Security/CWE/CWE-120/semmle/tests/tests.c | 42 ++-- .../CWE/CWE-120/semmle/tests/tests2.cpp | 14 +- .../CWE/CWE-120/semmle/tests/unions.c | 4 +- .../CWE-120/semmle/tests/var_size_struct.cpp | 2 +- .../CWE/CWE-120/semmle/tests/varbuffer.c | 22 +- .../tests/UnterminatedVarargsCall.qlref | 3 +- .../CWE/CWE-121/semmle/tests/more_tests.cpp | 10 +- .../Security/CWE/CWE-121/semmle/tests/tests.c | 8 +- ...Based_Buffer_Overflow__c_CWE129_fgets_01.c | 4 +- .../ImproperArrayIndexValidation.expected | 4 +- .../ImproperArrayIndexValidation.qlref | 3 +- .../ImproperArrayIndexValidation.expected | 10 +- .../ImproperArrayIndexValidation.qlref | 3 +- .../ImproperArrayIndexValidation/test1.c | 10 +- .../NoSpaceForZeroTerminator.qlref | 3 +- 
.../CWE-131/NoSpaceForZeroTerminator/test.c | 8 +- .../CWE-131/NoSpaceForZeroTerminator/test.cpp | 18 +- .../NoSpaceForZeroTerminator/test2.cpp | 8 +- .../SAMATE/UncontrolledFormatString.expected | 8 +- .../SAMATE/UncontrolledFormatString.qlref | 3 +- ...char_connect_socket_w32_vsnprintf_01_bad.c | 4 +- .../SAMATE/char_console_fprintf_01_bad.c | 4 +- .../SAMATE/char_environment_fprintf_01_bad.c | 4 +- .../CWE/CWE-134/semmle/argv/argvLocal.c | 50 ++--- .../CWE-134/semmle/argv/argvLocal.expected | 50 ++--- .../CWE/CWE-134/semmle/argv/argvLocal.qlref | 3 +- .../semmle/consts/NonConstantFormat.expected | 48 ++--- .../semmle/consts/NonConstantFormat.qlref | 3 +- .../CWE/CWE-134/semmle/consts/consts.cpp | 40 ++-- .../CWE/CWE-134/semmle/funcs/funcsLocal.c | 30 +-- .../CWE-134/semmle/funcs/funcsLocal.expected | 18 +- .../CWE/CWE-134/semmle/funcs/funcsLocal.qlref | 3 +- .../UncontrolledFormatString.expected | 12 +- .../globalVars/UncontrolledFormatString.qlref | 3 +- .../CWE-134/semmle/globalVars/globalVars.c | 12 +- .../Security/CWE/CWE-134/semmle/ifs/ifs.c | 24 +-- .../CWE/CWE-134/semmle/ifs/ifs.expected | 24 +-- .../Security/CWE/CWE-134/semmle/ifs/ifs.qlref | 3 +- .../CWE-190/SAMATE/ArithmeticTainted.expected | 4 +- .../CWE-190/SAMATE/ArithmeticTainted.qlref | 3 +- .../SAMATE/ArithmeticUncontrolled.expected | 26 +-- .../SAMATE/ArithmeticUncontrolled.qlref | 3 +- .../SAMATE/ArithmeticWithExtremeValues.qlref | 3 +- .../SAMATE/IntegerOverflowTainted.qlref | 3 +- .../Security/CWE/CWE-190/SAMATE/examples.cpp | 12 +- .../ArithmeticUncontrolled.expected | 56 ++--- .../ArithmeticUncontrolled.qlref | 3 +- .../semmle/ArithmeticUncontrolled/test.c | 36 ++-- .../semmle/ArithmeticUncontrolled/test.cpp | 56 ++--- .../ArithmeticWithExtremeValues.qlref | 3 +- .../semmle/ArithmeticWithExtremeValues/test.c | 12 +- .../ComparisonWithWiderType.qlref | 3 +- .../semmle/ComparisonWithWiderType/test.c | 34 +-- .../TaintedAllocationSize.expected | 42 ++-- .../TaintedAllocationSize.qlref | 3 +- 
.../semmle/TaintedAllocationSize/test.cpp | 62 +++--- .../semmle/tainted/ArithmeticTainted.expected | 24 +-- .../semmle/tainted/ArithmeticTainted.qlref | 3 +- .../tainted/IntegerOverflowTainted.qlref | 3 +- .../CWE/CWE-190/semmle/tainted/main.cpp | 2 +- .../CWE/CWE-190/semmle/tainted/test.c | 6 +- .../CWE/CWE-190/semmle/tainted/test2.cpp | 16 +- .../CWE/CWE-190/semmle/tainted/test3.c | 4 +- .../CWE/CWE-190/semmle/tainted/test4.cpp | 2 +- .../CWE/CWE-190/semmle/tainted/test5.cpp | 8 +- .../CWE/CWE-190/semmle/tainted/test6.cpp | 6 +- ...gnedDifferenceExpressionComparedZero.qlref | 3 +- .../test.cpp | 34 +-- .../CWE/CWE-193/InvalidPointerDeref.qlref | 2 +- .../IntegerOverflowTainted.qlref | 3 +- .../SAMATE/IntegerOverflowTainted/tests.cpp | 2 +- .../tests/DangerousFunctionOverflow.qlref | 3 +- .../semmle/tests/DangerousUseOfCin.qlref | 3 +- .../CWE-242/semmle/tests/OverrunWrite.qlref | 3 +- .../semmle/tests/OverrunWriteFloat.qlref | 3 +- .../semmle/tests/VeryLikelyOverrunWrite.qlref | 3 +- .../CWE/CWE-242/semmle/tests/tests.cpp | 78 +++---- .../CWE/CWE-253/HResultBooleanConversion.c | 22 +- .../CWE/CWE-253/HResultBooleanConversion.cpp | 22 +- .../CWE-253/HResultBooleanConversion.qlref | 3 +- .../AuthenticationBypass.expected | 14 +- .../AuthenticationBypass.qlref | 3 +- .../semmle/AuthenticationBypass/test.cpp | 20 +- .../CWE/CWE-295/SSLResultConflation.qlref | 3 +- .../CWE/CWE-295/SSLResultNotChecked.qlref | 3 +- .../query-tests/Security/CWE/CWE-295/test.cpp | 18 +- .../Security/CWE/CWE-295/test2.cpp | 8 +- .../tests/CleartextBufferWrite.expected | 6 +- .../semmle/tests/CleartextBufferWrite.qlref | 3 +- .../semmle/tests/CleartextFileWrite.expected | 32 +-- .../semmle/tests/CleartextFileWrite.qlref | 3 +- .../tests/CleartextTransmission.expected | 82 +++---- .../semmle/tests/CleartextTransmission.qlref | 3 +- .../CWE/CWE-311/semmle/tests/test.cpp | 10 +- .../CWE/CWE-311/semmle/tests/test2.cpp | 28 +-- .../CWE/CWE-311/semmle/tests/test3.cpp | 110 +++++----- 
.../CWE/CWE-319/UseOfHttp/UseOfHttp.expected | 14 +- .../CWE/CWE-319/UseOfHttp/UseOfHttp.qlref | 3 +- .../Security/CWE/CWE-319/UseOfHttp/test.cpp | 14 +- .../CWE/CWE-326/InsufficientKeySize.expected | 8 +- .../CWE/CWE-326/InsufficientKeySize.qlref | 3 +- .../query-tests/Security/CWE/CWE-326/test.cpp | 6 +- .../CWE/CWE-327/BrokenCryptoAlgorithm.qlref | 3 +- .../query-tests/Security/CWE/CWE-327/test.cpp | 2 +- .../Security/CWE/CWE-327/test2.cpp | 2 +- .../CWE-367/semmle/TOCTOUFilesystemRace.qlref | 3 +- .../Security/CWE/CWE-367/semmle/test2.cpp | 32 +-- .../IteratorToExpiredContainer.qlref | 3 +- .../tests/IteratorToExpiredContainer/test.cpp | 12 +- .../tests/UseAfterFree/UseAfterFree.expected | 30 +-- .../tests/UseAfterFree/UseAfterFree.qlref | 3 +- .../semmle/tests/UseAfterFree/test.cpp | 52 ++--- .../UseOfStringAfterLifetimeEnds.qlref | 4 +- .../UseOfStringAfterLifetimeEnds/test.cpp | 26 +-- .../UseOfUniquePointerAfterLifetimeEnds.qlref | 3 +- .../UseOfUniquePtrAfterLifetimeEnds/test.cpp | 20 +- .../CWE/CWE-428/UnsafeCreateProcessCall.cpp | 26 +-- .../CWE/CWE-428/UnsafeCreateProcessCall.qlref | 3 +- .../ConditionallyUninitializedVariable.qlref | 3 +- .../examples.cpp | 2 +- .../test.cpp | 4 +- .../semmle/tests/UninitializedLocal.expected | 30 +-- .../semmle/tests/UninitializedLocal.qlref | 3 +- .../CWE/CWE-457/semmle/tests/errors.cpp | 4 +- .../CWE/CWE-457/semmle/tests/test.cpp | 52 ++--- .../IncorrectPointerScaling.qlref | 3 +- .../IncorrectPointerScalingChar.qlref | 3 +- .../IncorrectPointerScalingVoid.qlref | 3 +- .../semmle/IncorrectPointerScaling/test.cpp | 18 +- .../SuspiciousAddWithSizeof.qlref | 3 +- .../SuspiciousAddWithSizeof/buildless.cpp | 4 +- .../semmle/SuspiciousAddWithSizeof/test.cpp | 14 +- .../CWE-497/SAMATE/ExposedSystemData.expected | 2 +- .../CWE-497/SAMATE/ExposedSystemData.qlref | 3 +- .../PotentiallyExposedSystemData.expected | 4 +- .../SAMATE/PotentiallyExposedSystemData.qlref | 3 +- .../Security/CWE/CWE-497/SAMATE/tests.c | 4 +- 
.../PotentiallyExposedSystemData.expected | 36 ++-- .../tests/PotentiallyExposedSystemData.qlref | 3 +- .../CWE/CWE-497/semmle/tests/tests.cpp | 38 ++-- .../CWE/CWE-497/semmle/tests/tests_passwd.cpp | 6 +- .../IncorrectAllocationErrorHandling.qlref | 3 +- .../query-tests/Security/CWE/CWE-570/test.cpp | 40 ++-- .../Security/CWE/CWE-611/XXE.expected | 62 +++--- .../Security/CWE/CWE-611/XXE.qlref | 3 +- .../Security/CWE/CWE-611/tests.cpp | 40 ++-- .../Security/CWE/CWE-611/tests2.cpp | 12 +- .../Security/CWE/CWE-611/tests3.cpp | 20 +- .../Security/CWE/CWE-611/tests4.cpp | 10 +- .../Security/CWE/CWE-611/tests5.cpp | 22 +- .../DangerousUseOfCin/DangerousUseOfCin.qlref | 3 +- .../CWE-676/SAMATE/DangerousUseOfCin/test.cpp | 2 +- .../DangerousUseOfCin/DangerousUseOfCin.qlref | 3 +- .../CWE-676/semmle/DangerousUseOfCin/test.cpp | 2 +- .../DangerousFunctionOverflow.qlref | 3 +- .../PotentiallyDangerousFunction.qlref | 3 +- .../PotentiallyDangerousFunction/test.c | 12 +- .../CWE/CWE-732/OpenCallMissingModeArgument.c | 8 +- .../CWE-732/OpenCallMissingModeArgument.qlref | 3 +- .../CWE-732/UnsafeDaclSecurityDescriptor.cpp | 6 +- .../UnsafeDaclSecurityDescriptor.qlref | 3 +- .../semmle/tests/DiningPhilosophers.cpp | 10 +- .../CWE-764/semmle/tests/LockOrderCycle.qlref | 3 +- .../CWE-764/semmle/tests/TwiceLocked.qlref | 3 +- .../CWE-764/semmle/tests/UnreleasedLock.qlref | 3 +- .../CWE/CWE-764/semmle/tests/test.cpp | 38 ++-- .../CWE-772/SAMATE/FileMayNotBeClosed.qlref | 3 +- .../CWE/CWE-772/SAMATE/FileNeverClosed.qlref | 3 +- .../CWE-772/SAMATE/MemoryMayNotBeFreed.qlref | 3 +- .../CWE/CWE-772/SAMATE/MemoryNeverFreed.qlref | 3 +- .../Security/CWE/CWE-772/SAMATE/tests.cpp | 14 +- .../tests-file/FileMayNotBeClosed.qlref | 3 +- .../semmle/tests-file/FileNeverClosed.qlref | 3 +- .../CWE/CWE-772/semmle/tests-file/test.cpp | 34 +-- .../tests-memory/MemoryMayNotBeFreed.qlref | 3 +- .../tests-memory/MemoryNeverFreed.qlref | 3 +- .../CWE/CWE-772/semmle/tests-memory/test.cpp | 52 ++--- 
.../TaintedCondition.expected | 4 +- .../TaintedCondition/TaintedCondition.qlref | 3 +- .../CWE-807/semmle/TaintedCondition/test.cpp | 4 +- ...teLoopWithUnsatisfiableExitCondition.qlref | 3 +- .../test.cpp | 10 +- .../CWE/CWE-843/TypeConfusion.expected | 20 +- .../Security/CWE/CWE-843/TypeConfusion.qlref | 3 +- .../query-tests/Security/CWE/CWE-843/test.cpp | 36 ++-- .../query-tests/Summary/LinesOfCode.qlref | 2 +- .../query-tests/Summary/LinesOfUserCode.qlref | 2 +- .../query-tests/definitions/definitions.qlref | 2 +- .../AV Rule 1/AV Rule 1.c | 2 +- .../AV Rule 1/AV Rule 1.qlref | 3 +- .../AV Rule 13/AV Rule 13.qlref | 3 +- .../jsf/4.04 Environment/AV Rule 13/test.cpp | 4 +- .../AV Rule 32/AV Rule 32.qlref | 3 +- .../AV Rule 32/test.c | 2 +- .../AV Rule 35/AV Rule 35.qlref | 2 +- .../AV Rule 53 54/AV Rule 53.1.qlref | 3 +- .../4.09 Style/AV Rule 53 54/AV Rule 53.qlref | 2 +- .../4.09 Style/AV Rule 53 54/AV Rule 54.qlref | 2 +- .../jsf/4.09 Style/AV Rule 53 54/test.c | 2 +- .../4.10 Classes/AV Rule 73/AV Rule 73.cpp | 2 +- .../4.10 Classes/AV Rule 73/AV Rule 73.qlref | 3 +- .../jsf/4.10 Classes/AV Rule 73/original.cpp | 4 +- .../4.10 Classes/AV Rule 76/AV Rule 76.qlref | 3 +- .../jsf/4.10 Classes/AV Rule 76/test.cpp | 6 +- .../AV Rule 77.1/AV Rule 77.1.qlref | 3 +- .../jsf/4.10 Classes/AV Rule 77.1/test.cpp | 2 +- .../4.10 Classes/AV Rule 78/AV Rule 78.cpp | 6 +- .../4.10 Classes/AV Rule 78/AV Rule 78.qlref | 3 +- .../4.10 Classes/AV Rule 79/AV Rule 79.cpp | 16 +- .../4.10 Classes/AV Rule 79/AV Rule 79.qlref | 3 +- .../4.10 Classes/AV Rule 79/Container2.cpp | 2 +- .../4.10 Classes/AV Rule 79/DeleteThis.cpp | 8 +- .../AV Rule 79/ExternalOwners.cpp | 2 +- .../jsf/4.10 Classes/AV Rule 79/Lambda.cpp | 2 +- .../4.10 Classes/AV Rule 79/ListDelete.cpp | 2 +- .../4.10 Classes/AV Rule 79/NoDestructor.cpp | 2 +- .../4.10 Classes/AV Rule 79/PlacementNew.cpp | 2 +- .../AV Rule 79/SelfRegistering.cpp | 2 +- .../jsf/4.10 Classes/AV Rule 79/Variants.cpp | 10 +- .../jsf/4.10 
Classes/AV Rule 79/Wrapped.cpp | 4 +- .../4.10 Classes/AV Rule 82/AV Rule 82.cpp | 8 +- .../4.10 Classes/AV Rule 82/AV Rule 82.qlref | 3 +- .../4.10 Classes/AV Rule 85/AV Rule 85.cpp | 10 +- .../4.10 Classes/AV Rule 85/AV Rule 85.qlref | 3 +- .../4.10 Classes/AV Rule 97/AV Rule 97.qlref | 3 +- .../jsf/4.10 Classes/AV Rule 97/jsf97.cpp | 10 +- .../AV Rule 107/AV Rule 107.qlref | 3 +- .../jsf/4.13 Functions/AV Rule 107/test.c | 8 +- .../AV Rule 114/AV Rule 114.qlref | 3 +- .../jsf/4.13 Functions/AV Rule 114/complex.c | 4 +- .../jsf/4.13 Functions/AV Rule 114/test.c | 6 +- .../jsf/4.13 Functions/AV Rule 114/test.cpp | 16 +- .../AV Rule 145/AV Rule 145.qlref | 3 +- .../4.16 Initialization/AV Rule 145/test.c | 6 +- .../AV Rule 157/AV Rule 157.qlref | 3 +- .../jsf/4.21 Operators/AV Rule 157/test.c | 6 +- .../AV Rule 164/AV Rule 164.qlref | 3 +- .../jsf/4.21 Operators/AV Rule 164/test.c | 16 +- .../AV Rule 165/AV Rule 165.qlref | 3 +- .../jsf/4.21 Operators/AV Rule 165/test.c | 18 +- .../AV Rule 166/AV Rule 166.qlref | 3 +- .../jsf/4.21 Operators/AV Rule 166/test.c | 4 +- .../AV Rule 176/176.cpp | 10 +- .../AV Rule 176/176.qlref | 3 +- .../AV Rule 186/AV Rule 186.qlref | 3 +- .../AV Rule 186/test.c | 4 +- .../AV Rule 193/AV Rule 193.c | 4 +- .../AV Rule 193/AV Rule 193.qlref | 3 +- .../AV Rule 193/nested.c | 4 +- .../AV Rule 193/test.c | 12 +- .../AV Rule 196/AV Rule 196.c | 8 +- .../AV Rule 196/AV Rule 196.qlref | 3 +- .../AV Rule 201/AV Rule 201.c | 22 +- .../AV Rule 201/AV Rule 201.qlref | 3 +- .../AV Rule 201/NestedLoopSameVar.qlref | 3 +- .../AV Rule 201/StructMembers.cpp | 4 +- .../AV Rule 210/AV Rule 210.c | 10 +- .../AV Rule 210/AV Rule 210.qlref | 3 +- 789 files changed, 4114 insertions(+), 3807 deletions(-) diff --git a/cpp/ql/test/examples/BadLocking/AV Rule 107.qlref b/cpp/ql/test/examples/BadLocking/AV Rule 107.qlref index 57f35c3bcf2..e24890cc9a8 100644 --- a/cpp/ql/test/examples/BadLocking/AV Rule 107.qlref 
+++ b/cpp/ql/test/examples/BadLocking/AV Rule 107.qlref @@ -1 +1,2 @@ -jsf/4.13 Functions/AV Rule 107.ql +query: jsf/4.13 Functions/AV Rule 107.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/examples/BadLocking/LocalVariableHidesGlobalVariable.qlref b/cpp/ql/test/examples/BadLocking/LocalVariableHidesGlobalVariable.qlref index 0267b31251d..326ddde08d3 100644 --- a/cpp/ql/test/examples/BadLocking/LocalVariableHidesGlobalVariable.qlref +++ b/cpp/ql/test/examples/BadLocking/LocalVariableHidesGlobalVariable.qlref @@ -1 +1,2 @@ -Best Practices/Hiding/LocalVariableHidesGlobalVariable.ql +query: Best Practices/Hiding/LocalVariableHidesGlobalVariable.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/examples/BadLocking/UnintendedDeclaration.cpp b/cpp/ql/test/examples/BadLocking/UnintendedDeclaration.cpp index 034291f4d19..babe4a7fced 100644 --- a/cpp/ql/test/examples/BadLocking/UnintendedDeclaration.cpp +++ b/cpp/ql/test/examples/BadLocking/UnintendedDeclaration.cpp @@ -48,7 +48,7 @@ void test1() void test2() { - Lock myLock(); // BAD (interpreted as a function declaration, this does nothing) + Lock myLock(); // BAD (interpreted as a function declaration, this does nothing) // $ Alert[cpp/function-in-block] // ... } @@ -62,14 +62,14 @@ void test3() void test4() { - Lock(myMutex); // BAD (creates an uninitialized variable called `myMutex`, probably not intended) + Lock(myMutex); // BAD (creates an uninitialized variable called `myMutex`, probably not intended) // $ Alert[cpp/local-variable-hides-global-variable] // ... } void test5() { - Lock myLock(Mutex); // BAD (interpreted as a function declaration, this does nothing) + Lock myLock(Mutex); // BAD (interpreted as a function declaration, this does nothing) // $ Alert[cpp/function-in-block] // ... } diff --git a/cpp/ql/test/examples/expressions/PrintAST.qlref b/cpp/ql/test/examples/expressions/PrintAST.qlref index 6fcb30ac7a6..645e39136f5 100644 
--- a/cpp/ql/test/examples/expressions/PrintAST.qlref
+++ b/cpp/ql/test/examples/expressions/PrintAST.qlref
@@ -1 +1 @@
-semmle/code/cpp/PrintAST.ql
\ No newline at end of file
+query: semmle/code/cpp/PrintAST.ql
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser/NoCheckBeforeUnsafePutUser.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser/NoCheckBeforeUnsafePutUser.qlref
index a4543b332dd..b88242c72ab 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser/NoCheckBeforeUnsafePutUser.qlref
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser/NoCheckBeforeUnsafePutUser.qlref
@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser.ql
+query: experimental/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-020/semmle/tests/LateCheckOfFunctionArgument.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-020/semmle/tests/LateCheckOfFunctionArgument.qlref
index e9107625d29..b0ca696135e 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-020/semmle/tests/LateCheckOfFunctionArgument.qlref
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-020/semmle/tests/LateCheckOfFunctionArgument.qlref
@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-020/LateCheckOfFunctionArgument.ql
+query: experimental/Security/CWE/CWE-020/LateCheckOfFunctionArgument.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-020/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-020/semmle/tests/test.c
index 40fb688fb20..4a1ceb2ec8a 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-020/semmle/tests/test.c
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-020/semmle/tests/test.c @@ -3,6 +3,6 @@ void workFunction_0(char *s) { char buf[80], buf1[8]; if(len<0) return; memset(buf,0,len); //GOOD - memset(buf1,0,len1); //BAD + memset(buf1,0,len1); //BAD // $ Alert if(len1<0) return; } diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/WordexpTainted.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/WordexpTainted.expected index e3afe00da6e..b03a1ff7040 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/WordexpTainted.expected +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/WordexpTainted.expected @@ -1,3 +1,5 @@ +#select +| test.cpp:29:13:29:20 | *filePath | test.cpp:22:27:22:30 | **argv | test.cpp:29:13:29:20 | *filePath | Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection. | edges | test.cpp:22:27:22:30 | **argv | test.cpp:23:20:23:26 | *access to array | provenance | | | test.cpp:23:20:23:26 | *access to array | test.cpp:29:13:29:20 | *filePath | provenance | | @@ -6,5 +8,3 @@ nodes | test.cpp:23:20:23:26 | *access to array | semmle.label | *access to array | | test.cpp:29:13:29:20 | *filePath | semmle.label | *filePath | subpaths -#select -| test.cpp:29:13:29:20 | *filePath | test.cpp:22:27:22:30 | **argv | test.cpp:29:13:29:20 | *filePath | Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection. | diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/WordexpTainted.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/WordexpTainted.qlref index ecff539f3e6..d5892372878 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/WordexpTainted.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/WordexpTainted.qlref 
@@ -1 +1,2 @@ -experimental/Security/CWE/CWE-078/WordexpTainted.ql \ No newline at end of file +query: experimental/Security/CWE/CWE-078/WordexpTainted.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/test.cpp index 0ae98b8f163..7c8224ce653 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/test.cpp @@ -19,14 +19,14 @@ enum { int wordexp(const char *restrict s, wordexp_t *restrict p, int flags); -int main(int argc, char** argv) { +int main(int argc, char** argv) { // $ Source char *filePath = argv[2]; { // BAD: the user string is injected directly into `wordexp` which performs command substitution wordexp_t we; - wordexp(filePath, &we, 0); + wordexp(filePath, &we, 0); // $ Alert } { diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1041/semmle/tests/FindWrapperFunctions.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1041/semmle/tests/FindWrapperFunctions.qlref index 22dae13892f..c3c257615c3 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1041/semmle/tests/FindWrapperFunctions.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1041/semmle/tests/FindWrapperFunctions.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-1041/FindWrapperFunctions.ql +query: experimental/Security/CWE/CWE-1041/FindWrapperFunctions.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1041/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1041/semmle/tests/test.cpp index 4f862a324e5..bd7e8f40d74 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1041/semmle/tests/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1041/semmle/tests/test.cpp 
@@ -20,7 +20,7 @@ void myFclose(FILE * fmy) int main(int argc, char *argv[]) { fe = fopen("myFile.txt", "wt"); - fclose(fe); // BAD + fclose(fe); // BAD // $ Alert fe = fopen("myFile.txt", "wt"); myFclose(fe); // GOOD return 0; diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/DeclarationOfVariableWithUnnecessarilyWideScope.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/DeclarationOfVariableWithUnnecessarilyWideScope.qlref index 6da5822f7f0..2a1e4406454 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/DeclarationOfVariableWithUnnecessarilyWideScope.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/DeclarationOfVariableWithUnnecessarilyWideScope.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql +query: experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/test.c index 47d89188e6b..fc078db7924 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/test.c +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/test.c @@ -11,7 +11,7 @@ void workFunction_0(char *s) { while(intIndex > 2) { buf[intIndex] = 1; - int intIndex; // BAD + int intIndex; // BAD // $ Alert intIndex--; } intIndex = 10; diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1240/CustomCryptographicPrimitive.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1240/CustomCryptographicPrimitive.qlref index ddf0380834b..30a603676bb 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1240/CustomCryptographicPrimitive.qlref 
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1240/CustomCryptographicPrimitive.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-1240/CustomCryptographicPrimitive.ql +query: experimental/Security/CWE/CWE-1240/CustomCryptographicPrimitive.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1240/tests_crypto.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1240/tests_crypto.cpp index 6aa1bbe06a7..56dd45e3a64 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1240/tests_crypto.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1240/tests_crypto.cpp @@ -8,7 +8,7 @@ int strlen(const char *string); // the following function is homebrew crypto written for this test. This is a bad algorithm // on multiple levels and should never be used in cryptography. -void encryptString(char *string, unsigned int key) { +void encryptString(char *string, unsigned int key) { // $ Alert char *ptr = string; int len = strlen(string); @@ -27,7 +27,7 @@ void encryptString(char *string, unsigned int key) { // the following function is homebrew crypto written for this test. This is a bad algorithm // on multiple levels and should never be used in cryptography. -void MyEncrypt(const unsigned int *dataIn, unsigned int *dataOut, unsigned int dataSize, unsigned int key[2]) { +void MyEncrypt(const unsigned int *dataIn, unsigned int *dataOut, unsigned int dataSize, unsigned int key[2]) { // $ Alert unsigned int state[2]; unsigned int t; 
@@ -48,7 +48,7 @@ void MyEncrypt(const unsigned int *dataIn, unsigned int *dataOut, unsigned int d // the following function resembles an implementation of the AES "mix columns" // step. It is not accurate, efficient or safe and should never be used in // cryptography. -void mix_columns(const uint8_t inputs[4], uint8_t outputs[4]) { +void mix_columns(const uint8_t inputs[4], uint8_t outputs[4]) { // $ Alert // The "mix columns" step takes four bytes as inputs. Each byte represents a // polynomial with 8 one-bit coefficients, e.g. input bits 00001101 // represent the polynomial x^3 + x^2 + 1. Arithmetic is reduced modulo @@ -80,7 +80,7 @@ void mix_columns(const uint8_t inputs[4], uint8_t outputs[4]) { // the following function resembles initialization of an S-box as may be done // in an implementation of DES, AES and other encryption algorithms. It is not // accurate, efficient or safe and should never be used in cryptography. -void init_aes_sbox(unsigned char data[256]) { +void init_aes_sbox(unsigned char data[256]) { // $ Alert // initialize `data` in a loop using lots of ^, ^= and << operations and // a few fixed constants. unsigned int state = 0x12345678; diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/DangerousWorksWithMultibyteOrWideCharacters.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/DangerousWorksWithMultibyteOrWideCharacters.qlref index 228684a4e25..9c9b71af695 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/DangerousWorksWithMultibyteOrWideCharacters.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/DangerousWorksWithMultibyteOrWideCharacters.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-125/DangerousWorksWithMultibyteOrWideCharacters.ql +query: experimental/Security/CWE/CWE-125/DangerousWorksWithMultibyteOrWideCharacters.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test.cpp index b4f0830039d..9c5f15048fe 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test.cpp @@ -63,7 +63,7 @@ static void badTest1(const char* ptr) int ret; int len; len = strlen(ptr); - for (wchar_t wc; (ret = mbtowc(&wc, ptr, 4)) > 0; len-=ret) { // BAD:we can get unpredictable results + for (wchar_t wc; (ret = mbtowc(&wc, ptr, 4)) > 0; len-=ret) { // BAD:we can get unpredictable results // $ Alert wprintf(L"%lc", wc); ptr += ret; } @@ -73,7 +73,7 @@ static void badTest2(const char* ptr) int ret; int len; len = strlen(ptr); - for (wchar_t wc; (ret = mbtowc(&wc, ptr, sizeof(wchar_t))) > 0; len-=ret) { // BAD:we can get unpredictable results + for (wchar_t wc; (ret = mbtowc(&wc, ptr, sizeof(wchar_t))) > 0; len-=ret) { // BAD:we can get unpredictable results // $ Alert wprintf(L"%lc", wc); ptr += ret; } @@ -103,7 +103,7 @@ static void badTest3(const char* ptr,int wc_len) len = wc_len; wchar_t *wc = new wchar_t[wc_len]; while (*ptr && len > 0) { - ret = mbtowc(wc, ptr, MB_CUR_MAX); // BAD + ret = mbtowc(wc, ptr, MB_CUR_MAX); // BAD // $ Alert if (ret <0) break; if (ret == 0 || ret > len) @@ -120,7 +120,7 @@ static void badTest4(const char* ptr,int wc_len) len = wc_len; wchar_t *wc = new wchar_t[wc_len]; while (*ptr && len > 0) { - ret = mbtowc(wc, ptr, 16); // BAD + ret = mbtowc(wc, ptr, 16); // BAD // $ Alert if (ret <0) break; if (ret == 0 || ret > len) @@ -137,7 +137,7 @@ static void badTest5(const char* ptr,int wc_len) len = wc_len; wchar_t *wc = new wchar_t[wc_len]; while (*ptr && len > 0) { - ret = mbtowc(wc, ptr, sizeof(wchar_t)); // BAD + ret = mbtowc(wc, ptr, sizeof(wchar_t)); // BAD // $ Alert if (ret <0) break; if (ret == 0 || ret > len) 
@@ -155,7 +155,7 @@ static void badTest6(const char* ptr,int wc_len) len = wc_len; wchar_t *wc = new wchar_t[wc_len]; while (*ptr && wc_len > 0) { - ret = mbtowc(wc, ptr, wc_len); // BAD + ret = mbtowc(wc, ptr, wc_len); // BAD // $ Alert if (ret <0) if (checkErrors()) { ++ptr; @@ -178,7 +178,7 @@ static void badTest7(const char* ptr,int wc_len) len = wc_len; wchar_t *wc = new wchar_t[wc_len]; while (*ptr && wc_len > 0) { - ret = mbtowc(wc, ptr, len); // BAD + ret = mbtowc(wc, ptr, len); // BAD // $ Alert if (ret <0) break; if (ret == 0 || ret > len) @@ -194,7 +194,7 @@ static void badTest8(const char* ptr,wchar_t *wc) int len; len = strlen(ptr); while (*ptr && len > 0) { - ret = mbtowc(wc, ptr, len); // BAD + ret = mbtowc(wc, ptr, len); // BAD // $ Alert if (ret <0) break; if (ret == 0 || ret > len) diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test1.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test1.cpp index d66f36d38b9..40916f0c4b7 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test1.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test1.cpp @@ -25,8 +25,8 @@ void* calloc (size_t num, size_t size); void* malloc (size_t size); static void badTest1(void *src, int size) { - WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, (LPSTR)src, size, 0, 0); // BAD - MultiByteToWideChar(CP_ACP, 0, (LPCSTR)src, -1, (LPCWSTR)src, 30); // BAD + WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, (LPSTR)src, size, 0, 0); // BAD // $ Alert + MultiByteToWideChar(CP_ACP, 0, (LPCSTR)src, -1, (LPCWSTR)src, 30); // BAD // $ Alert } void goodTest2(){ wchar_t src[] = L"0123456789ABCDEF"; 
@@ -42,7 +42,7 @@ void goodTest2(){ static void badTest2(){ wchar_t src[] = L"0123456789ABCDEF"; char dst[16]; - WideCharToMultiByte(CP_UTF8, 0, src, -1, dst, 16, NULL, NULL); // BAD + WideCharToMultiByte(CP_UTF8, 0, src, -1, dst, 16, NULL, NULL); // BAD // $ Alert printf("%s\n", dst); } static void goodTest3(){ @@ -55,7 +55,7 @@ static void badTest3(){ char src[] = "0123456789ABCDEF"; int size = MultiByteToWideChar(CP_UTF8, 0, src,sizeof(src),NULL,0); wchar_t * dst = (wchar_t*)calloc(size + 1, 1); - MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // BAD + MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // BAD // $ Alert } static void goodTest4(){ char src[] = "0123456789ABCDEF"; @@ -67,13 +67,13 @@ static void badTest4(){ char src[] = "0123456789ABCDEF"; int size = MultiByteToWideChar(CP_UTF8, 0, src,sizeof(src),NULL,0); wchar_t * dst = (wchar_t*)malloc(size + 1); - MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // BAD + MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // BAD // $ Alert } static int goodTest5(void *src){ return WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, 0, 0, 0, 0); // GOOD } static int badTest5 (void *src) { - return WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, 0, 3, 0, 0); // BAD + return WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, 0, 3, 0, 0); // BAD // $ Alert } static void goodTest6(WCHAR *src) { @@ -90,6 +90,6 @@ static void goodTest6(WCHAR *src) static void badTest6(WCHAR *src) { char dst[5] =""; - WideCharToMultiByte(CP_ACP, 0, src, -1, dst, 260, 0, 0); // BAD + WideCharToMultiByte(CP_ACP, 0, src, -1, dst, 260, 0, 0); // BAD // $ Alert printf("%s\n", dst); } diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test2.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test2.cpp index 65e5a9ee275..07bf78f5f3d 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test2.cpp 
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test2.cpp @@ -12,11 +12,11 @@ size_t mbsrtowcs(wchar_t *wcstr,const char *mbstr,size_t count, mbstate_t *mbsta static void badTest1(void *src, int size) { - mbstowcs((wchar_t*)src,(char*)src,size); // BAD + mbstowcs((wchar_t*)src,(char*)src,size); // BAD // $ Alert _locale_t locale; - _mbstowcs_l((wchar_t*)src,(char*)src,size,locale); // BAD + _mbstowcs_l((wchar_t*)src,(char*)src,size,locale); // BAD // $ Alert mbstate_t *mbstate; - mbsrtowcs((wchar_t*)src,(char*)src,size,mbstate); // BAD + mbsrtowcs((wchar_t*)src,(char*)src,size,mbstate); // BAD // $ Alert } static void goodTest2(){ char src[] = "0123456789ABCDEF"; @@ -32,7 +32,7 @@ static void goodTest2(){ static void badTest2(){ char src[] = "0123456789ABCDEF"; wchar_t dst[16]; - mbstowcs(dst, src,16); // BAD + mbstowcs(dst, src,16); // BAD // $ Alert printf("%s\n", dst); } static void goodTest3(){ @@ -45,7 +45,7 @@ static void badTest3(){ char src[] = "0123456789ABCDEF"; int size = mbstowcs(NULL, src,NULL); wchar_t * dst = (wchar_t*)calloc(size + 1, 1); - mbstowcs(dst, src,size+1); // BAD + mbstowcs(dst, src,size+1); // BAD // $ Alert } static void goodTest4(){ char src[] = "0123456789ABCDEF"; @@ -57,13 +57,13 @@ static void badTest4(){ char src[] = "0123456789ABCDEF"; int size = mbstowcs(NULL, src,NULL); wchar_t * dst = (wchar_t*)malloc(size + 1); - mbstowcs(dst, src,size+1); // BAD + mbstowcs(dst, src,size+1); // BAD // $ Alert } static int goodTest5(void *src){ return mbstowcs(NULL, (char*)src,NULL); // GOOD } static int badTest5 (void *src) { - return mbstowcs(NULL, (char*)src,3); // BAD + return mbstowcs(NULL, (char*)src,3); // BAD // $ Alert } static void goodTest6(void *src){ wchar_t dst[5]; @@ -77,6 +77,6 @@ static void goodTest6(void *src){ } static void badTest6(void *src){ wchar_t dst[5]; - mbstowcs(dst, (char*)src,260); // BAD + mbstowcs(dst, (char*)src,260); // BAD // $ Alert printf("%s\n", dst); } 
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test3.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test3.cpp index 662cdfc7be8..4ac5ce29fc6 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test3.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-125/semmle/tests/test3.cpp @@ -13,7 +13,7 @@ static size_t badTest1(unsigned char *src){ int cb = 0; unsigned char dst[50]; while( cb < sizeof(dst) ) - dst[cb++]=*src++; // BAD + dst[cb++]=*src++; // BAD // $ Alert return _mbclen(dst); } static void goodTest2(unsigned char *src){ @@ -33,7 +33,7 @@ static void badTest2(unsigned char *src){ unsigned char dst[50]; while( cb < sizeof(dst) ) { - _mbccpy(dst+cb,src); // BAD + _mbccpy(dst+cb,src); // BAD // $ Alert cb+=_mbclen(src); src=_mbsinc(src); } @@ -44,5 +44,5 @@ static void goodTest3(){ } static void badTest3(){ wchar_t name[50]; - name[sizeof(name) - 1] = L'\0'; // BAD + name[sizeof(name) - 1] = L'\0'; // BAD // $ Alert } diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.expected index c55008f6550..2d714cac53e 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.expected +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.expected 
@@ -1,3 +1,13 @@ +#select +| test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:13:33:13:37 | ... * ... | multiplication | +| test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:15:31:15:35 | ... * ... | multiplication | +| test.cpp:19:34:19:38 | ... * ... | test.cpp:19:34:19:38 | ... * ... | test.cpp:19:34:19:38 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:19:34:19:38 | ... * ... | multiplication | +| test.cpp:23:33:23:37 | size1 | test.cpp:22:17:22:21 | ... * ... | test.cpp:23:33:23:37 | size1 | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:22:17:22:21 | ... * ... | multiplication | +| test.cpp:30:18:30:32 | ... * ... | test.cpp:30:18:30:32 | ... * ... | test.cpp:30:18:30:32 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:30:18:30:32 | ... * ... | multiplication | +| test.cpp:31:18:31:32 | ... * ... | test.cpp:31:18:31:32 | ... * ... | test.cpp:31:18:31:32 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:31:18:31:32 | ... * ... | multiplication | +| test.cpp:37:46:37:49 | size | test.cpp:45:36:45:40 | ... * ... | test.cpp:37:46:37:49 | size | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:45:36:45:40 | ... * ... | multiplication | +| test.cpp:45:36:45:40 | ... * ... | test.cpp:45:36:45:40 | ... * ... | test.cpp:45:36:45:40 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:45:36:45:40 | ... * ... | multiplication | +| test.cpp:46:36:46:40 | ... * ... | test.cpp:46:36:46:40 | ... * ... 
| test.cpp:46:36:46:40 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:46:36:46:40 | ... * ... | multiplication | edges | test.cpp:22:17:22:21 | ... * ... | test.cpp:22:17:22:21 | ... * ... | provenance | | | test.cpp:22:17:22:21 | ... * ... | test.cpp:23:33:23:37 | size1 | provenance | | 
@@ -18,13 +28,3 @@ nodes | test.cpp:45:36:45:40 | ... * ... | semmle.label | ... * ... | | test.cpp:46:36:46:40 | ... * ... | semmle.label | ... * ... | subpaths -#select -| test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | test.cpp:13:33:13:37 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:13:33:13:37 | ... * ... | multiplication | -| test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | ... * ... | test.cpp:15:31:15:35 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:15:31:15:35 | ... * ... | multiplication | -| test.cpp:19:34:19:38 | ... * ... | test.cpp:19:34:19:38 | ... * ... | test.cpp:19:34:19:38 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:19:34:19:38 | ... * ... | multiplication | -| test.cpp:23:33:23:37 | size1 | test.cpp:22:17:22:21 | ... * ... | test.cpp:23:33:23:37 | size1 | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:22:17:22:21 | ... * ... | multiplication | -| test.cpp:30:18:30:32 | ... * ... | test.cpp:30:18:30:32 | ... * ... | test.cpp:30:18:30:32 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:30:18:30:32 | ... * ... | multiplication | -| test.cpp:31:18:31:32 | ... * ... | test.cpp:31:18:31:32 | ... * ... | test.cpp:31:18:31:32 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:31:18:31:32 | ... * ... | multiplication | -| test.cpp:37:46:37:49 | size | test.cpp:45:36:45:40 | ... * ... | test.cpp:37:46:37:49 | size | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:45:36:45:40 | ... * ... | multiplication | -| test.cpp:45:36:45:40 | ... * ... | test.cpp:45:36:45:40 | ... * ... | test.cpp:45:36:45:40 | ... * ... 
| Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:45:36:45:40 | ... * ... | multiplication | -| test.cpp:46:36:46:40 | ... * ... | test.cpp:46:36:46:40 | ... * ... | test.cpp:46:36:46:40 | ... * ... | Potentially overflowing value from $@ is used in the size of this allocation. | test.cpp:46:36:46:40 | ... * ... | multiplication | diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.qlref index 7bb108b6628..fc48bdd1c2b 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/AllocMultiplicationOverflow.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql +query: experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/test.cpp index 3f49ebdece6..63044b1a3a9 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/AllocMultiplicationOverflow/test.cpp 
@@ -10,31 +10,31 @@ void test() int y = getAnInt(); char *buffer1 = (char *)malloc(x + y); // GOOD - char *buffer2 = (char *)malloc(x * y); // BAD + char *buffer2 = (char *)malloc(x * y); // BAD // $ Alert int *buffer3 = (int *)malloc(x * sizeof(int)); // GOOD - int *buffer4 = (int *)malloc(x * y * sizeof(int)); // BAD + int *buffer4 = (int *)malloc(x * y * sizeof(int)); // BAD // $ Alert if ((x <= 1000) && (y <= 1000)) { - char *buffer5 = (char *)malloc(x * y); // GOOD [FALSE POSITIVE] + char *buffer5 = (char *)malloc(x * y); // GOOD [FALSE POSITIVE] // $ Alert } - size_t size1 = x * y; - char *buffer5 = (char *)malloc(size1); // BAD + size_t size1 = x * y; // $ Source + char *buffer5 = (char *)malloc(size1); // BAD // $ Alert size_t size2 = x; size2 *= y; char *buffer6 = (char *)malloc(size2); // BAD [NOT DETECTED] char *buffer7 = new char[x * 10]; // GOOD - char *buffer8 = new char[x * y]; // BAD - char *buffer9 = new char[x * x]; // BAD + char *buffer8 = new char[x * y]; // BAD // $ Alert + char *buffer9 = new char[x * x]; // BAD // $ Alert } // --- custom allocators --- -void *MyMalloc1(size_t size) { return malloc(size); } // [additional detection here] +void *MyMalloc1(size_t size) { return malloc(size); } // [additional detection here] // $ Alert void *MyMalloc2(size_t size); void customAllocatorTests() @@ -42,6 +42,6 @@ void customAllocatorTests() int x = getAnInt(); int y = getAnInt(); - char *buffer1 = (char *)MyMalloc1(x * y); // BAD - char *buffer2 = (char *)MyMalloc2(x * y); // BAD + char *buffer1 = (char *)MyMalloc1(x * y); // BAD // $ Alert Source + char *buffer2 = (char *)MyMalloc2(x * y); // BAD // $ Alert } 
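Review bot: The `buffer5` allocation under `if ((x <= 1000) && (y <= 1000))` is commented `GOOD [FALSE POSITIVE]`, but the new tag is a plain `// $ Alert`, so a reader triaging the query's precision cannot tell wanted alerts from known false positives by the tags alone. The inline expectations framework has `SPURIOUS:` and `MISSING:` prefixes for this: I would write `// GOOD [FALSE POSITIVE] // $ SPURIOUS: Alert` on that line and `// BAD [NOT DETECTED] // $ MISSING: Alert` on the unchanged `buffer6` line. The same applies in constant-size/test.cpp to `arr += 6; // $ Alert` in `testStrncmp2` and `int *x = buf + 4; // $ Alert` in `countdownBuf2`, whose sink lines are both commented `GOOD [FALSE POSITIVE]`. `test()` begins before this hunk.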
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation/DangerousUseOfTransformationAfterOperation.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation/DangerousUseOfTransformationAfterOperation.qlref
index 84f717acda7..ec83c625619 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation/DangerousUseOfTransformationAfterOperation.qlref
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation/DangerousUseOfTransformationAfterOperation.qlref
@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation.ql
+query: experimental/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation/test.cpp
index 472c8ac0afa..ab4d7f4c2e7 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation/test.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation/test.cpp
@@ -6,17 +6,17 @@ void functionWork(char aA[10],unsigned int aUI) { int aI; aI = (aUI*8)/10; // GOOD - aI = aUI*8; // BAD + aI = aUI*8; // BAD // $ Alert aP = aA+aI; aI = (int)aUI*8; // GOOD - aL = (unsigned long)(aI*aI); // BAD + aL = (unsigned long)(aI*aI); // BAD // $ Alert aL = ((unsigned long)aI*aI); // GOOD - testCall((unsigned long)(aI*aI)); // BAD + testCall((unsigned long)(aI*aI)); // BAD // $ Alert testCall(((unsigned long)aI*aI)); // GOOD - if((unsigned long)(aI*aI) > aL) // BAD + if((unsigned long)(aI*aI) > aL) // BAD // $ Alert return; if(((unsigned long)aI*aI) > aL) // GOOD return; diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/IfStatementAdditionOverflow.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/IfStatementAdditionOverflow.qlref index 0873051581d..2a390e2a518 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/IfStatementAdditionOverflow.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/IfStatementAdditionOverflow.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.ql +query: experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/test.cpp index 7c5ab91832e..4734e1bba8d 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-190/IfStatementAdditionOverflow/test.cpp 
@@ -15,49 +15,49 @@ void test() unsigned short b1 = getAnUnsignedShort(); unsigned short c1 = getAnUnsignedShort(); - if (a+b>c) a = c-b; // BAD - if (a+b>c) { a = c-b; } // BAD - if (b+a>c) a = c-b; // BAD - if (b+a>c) { a = c-b; } // BAD - if (c>a+b) a = c-b; // BAD - if (c>a+b) { a = c-b; } // BAD - if (c>b+a) a = c-b; // BAD - if (c>b+a) { a = c-b; } // BAD + if (a+b>c) a = c-b; // BAD // $ Alert + if (a+b>c) { a = c-b; } // BAD // $ Alert + if (b+a>c) a = c-b; // BAD // $ Alert + if (b+a>c) { a = c-b; } // BAD // $ Alert + if (c>a+b) a = c-b; // BAD // $ Alert + if (c>a+b) { a = c-b; } // BAD // $ Alert + if (c>b+a) a = c-b; // BAD // $ Alert + if (c>b+a) { a = c-b; } // BAD // $ Alert - if (a+b>=c) a = c-b; // BAD - if (a+b>=c) { a = c-b; } // BAD - if (b+a>=c) a = c-b; // BAD - if (b+a>=c) { a = c-b; } // BAD - if (c>=a+b) a = c-b; // BAD - if (c>=a+b) { a = c-b; } // BAD - if (c>=b+a) a = c-b; // BAD - if (c>=b+a) { a = c-b; } // BAD + if (a+b>=c) a = c-b; // BAD // $ Alert + if (a+b>=c) { a = c-b; } // BAD // $ Alert + if (b+a>=c) a = c-b; // BAD // $ Alert + if (b+a>=c) { a = c-b; } // BAD // $ Alert + if (c>=a+b) a = c-b; // BAD // $ Alert + if (c>=a+b) { a = c-b; } // BAD // $ Alert + if (c>=b+a) a = c-b; // BAD // $ Alert + if (c>=b+a) { a = c-b; } // BAD // $ Alert - if (a+bd) a = d-b; // BAD + if (a+b>d) a = d-b; // BAD // $ Alert if (a+(double)b>c) a = c-b; // GOOD if (a+(-x)>c) a = c-(-y); // GOOD if (a+b>c) { b++; a = c-b; } // GOOD if (a+d>c) a = c-d; // GOOD if (a1+b1>c1) a1 = c1-b1; // GOOD - if (a+b<=c) { /* ... */ } else { a = c-b; } // BAD - if (a+b<=c) { return; } a = c-b; // BAD + if (a+b<=c) { /* ... */ } else { a = c-b; } // BAD // $ Alert + if (a+b<=c) { return; } a = c-b; // BAD // $ Alert } 
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected
index b343a4b47ed..ec17b2bd2f4 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.expected
@@ -1,3 +1,22 @@ +#select +| test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:4:24:4:27 | size | size | +| test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:4:24:4:27 | size | size | +| test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:5:25:5:28 | size | size | +| test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:9:26:9:29 | size | size | +| test.cpp:35:13:35:13 | p | test.cpp:21:13:21:18 | call to malloc | test.cpp:35:13:35:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:30:29:30:32 | size | size | +| test.cpp:35:13:35:13 | p | test.cpp:21:13:21:18 | call to malloc | test.cpp:35:13:35:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:34:30:34:33 | size | size | +| test.cpp:45:13:45:13 | p | test.cpp:21:13:21:18 | call to malloc | test.cpp:45:13:45:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:40:29:40:32 | size | size | +| test.cpp:45:13:45:13 | p | test.cpp:21:13:21:18 | call to malloc | test.cpp:45:13:45:13 | p | Off-by one error allocated at $@ bounded by $@. 
| test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:44:30:44:33 | size | size | +| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:55:20:55:23 | size | size | +| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:55:20:55:23 | size | size | +| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:56:5:56:19 | ... = ... | ... = ... | +| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:56:5:56:19 | ... = ... | ... = ... | +| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:56:16:56:19 | size | size | +| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:58:29:58:32 | size | size | +| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:62:30:62:33 | size | size | +| test.cpp:83:14:83:14 | p | test.cpp:69:14:69:19 | call to malloc | test.cpp:83:14:83:14 | p | Off-by one error allocated at $@ bounded by $@. 
| test.cpp:69:14:69:19 | call to malloc | call to malloc | test.cpp:82:31:82:34 | size | size | +| test.cpp:93:14:93:14 | p | test.cpp:69:14:69:19 | call to malloc | test.cpp:93:14:93:14 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:69:14:69:19 | call to malloc | call to malloc | test.cpp:88:30:88:33 | size | size | +| test.cpp:93:14:93:14 | p | test.cpp:69:14:69:19 | call to malloc | test.cpp:93:14:93:14 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:69:14:69:19 | call to malloc | call to malloc | test.cpp:92:31:92:34 | size | size | edges | test.cpp:4:17:4:22 | call to malloc | test.cpp:4:17:4:22 | call to malloc | provenance | | | test.cpp:4:17:4:22 | call to malloc | test.cpp:6:9:6:11 | arr | provenance | | 
@@ -99,22 +118,3 @@ nodes | test.cpp:98:18:98:27 | test6_callee output argument [p] | semmle.label | test6_callee output argument [p] | subpaths | test.cpp:98:18:98:27 | *call to mk_array_p [p] | test.cpp:87:28:87:30 | *arr [p] | test.cpp:87:28:87:30 | *arr [p] | test.cpp:98:18:98:27 | test6_callee output argument [p] | -#select -| test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:4:24:4:27 | size | size | -| test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:4:24:4:27 | size | size | -| test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:5:25:5:28 | size | size | -| test.cpp:10:9:10:11 | arr | test.cpp:4:17:4:22 | call to malloc | test.cpp:10:9:10:11 | arr | Off-by one error allocated at $@ bounded by $@. | test.cpp:4:17:4:22 | call to malloc | call to malloc | test.cpp:9:26:9:29 | size | size | -| test.cpp:35:13:35:13 | p | test.cpp:21:13:21:18 | call to malloc | test.cpp:35:13:35:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:30:29:30:32 | size | size | -| test.cpp:35:13:35:13 | p | test.cpp:21:13:21:18 | call to malloc | test.cpp:35:13:35:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:34:30:34:33 | size | size | -| test.cpp:45:13:45:13 | p | test.cpp:21:13:21:18 | call to malloc | test.cpp:45:13:45:13 | p | Off-by one error allocated at $@ bounded by $@. 
| test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:40:29:40:32 | size | size | -| test.cpp:45:13:45:13 | p | test.cpp:21:13:21:18 | call to malloc | test.cpp:45:13:45:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:21:13:21:18 | call to malloc | call to malloc | test.cpp:44:30:44:33 | size | size | -| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:55:20:55:23 | size | size | -| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:55:20:55:23 | size | size | -| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:56:5:56:19 | ... = ... | ... = ... | -| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:56:5:56:19 | ... = ... | ... = ... | -| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:56:16:56:19 | size | size | -| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:58:29:58:32 | size | size | -| test.cpp:63:13:63:13 | p | test.cpp:55:13:55:18 | call to malloc | test.cpp:63:13:63:13 | p | Off-by one error allocated at $@ bounded by $@. 
| test.cpp:55:13:55:18 | call to malloc | call to malloc | test.cpp:62:30:62:33 | size | size | -| test.cpp:83:14:83:14 | p | test.cpp:69:14:69:19 | call to malloc | test.cpp:83:14:83:14 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:69:14:69:19 | call to malloc | call to malloc | test.cpp:82:31:82:34 | size | size | -| test.cpp:93:14:93:14 | p | test.cpp:69:14:69:19 | call to malloc | test.cpp:93:14:93:14 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:69:14:69:19 | call to malloc | call to malloc | test.cpp:88:30:88:33 | size | size | -| test.cpp:93:14:93:14 | p | test.cpp:69:14:69:19 | call to malloc | test.cpp:93:14:93:14 | p | Off-by one error allocated at $@ bounded by $@. | test.cpp:69:14:69:19 | call to malloc | call to malloc | test.cpp:92:31:92:34 | size | size | diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.qlref index 8186dd0721b..0bcfeb90955 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/ArrayAccessProductFlow.qlref @@ -1 +1,2 @@ -experimental/Likely Bugs/ArrayAccessProductFlow.ql +query: experimental/Likely Bugs/ArrayAccessProductFlow.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/test.cpp index 12fc8947064..552b9070a30 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/array-access/test.cpp 
@@ -1,13 +1,13 @@ char *malloc(int size); void test1(int size) { - char *arr = malloc(size); + char *arr = malloc(size); // $ Source for (int i = 0; i < size; i++) { arr[i] = 0; // GOOD } for (int i = 0; i <= size; i++) { - arr[i] = i; // BAD + arr[i] = i; // BAD // $ Alert } } @@ -18,7 +18,7 @@ typedef struct { array_t mk_array(int size) { array_t arr; - arr.p = malloc(size); + arr.p = malloc(size); // $ Source arr.size = size; return arr; @@ -32,7 +32,7 @@ void test2(int size) { } for (int i = 0; i <= arr.size; i++) { - arr.p[i] = i; // BAD + arr.p[i] = i; // BAD // $ Alert } } @@ -42,7 +42,7 @@ void test3_callee(array_t arr) { } for (int i = 0; i <= arr.size; i++) { - arr.p[i] = i; // BAD + arr.p[i] = i; // BAD // $ Alert } } @@ -52,7 +52,7 @@ void test3(int size) { void test4(int size) { array_t arr; - arr.p = malloc(size); + arr.p = malloc(size); // $ Source arr.size = size; for (int i = 0; i < arr.size; i++) { @@ -60,13 +60,13 @@ void test4(int size) { } for (int i = 0; i <= arr.size; i++) { - arr.p[i] = i; // BAD + arr.p[i] = i; // BAD // $ Alert } } array_t *mk_array_p(int size) { array_t *arr = (array_t*) malloc(sizeof(array_t)); - arr->p = malloc(size); + arr->p = malloc(size); // $ Source arr->size = size; return arr; @@ -80,7 +80,7 @@ void test5(int size) { } for (int i = 0; i <= arr->size; i++) { - arr->p[i] = i; // BAD + arr->p[i] = i; // BAD // $ Alert } } @@ -90,7 +90,7 @@ void test6_callee(array_t *arr) { } for (int i = 0; i <= arr->size; i++) { - arr->p[i] = i; // BAD + arr->p[i] = i; // BAD // $ Alert } } diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected index a4c154c0694..1aa7c546e12 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected 
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected 
@@ -1,3 +1,25 @@ +#select +| test.cpp:35:5:35:22 | PointerAdd: access to array | test.cpp:35:10:35:12 | buf | test.cpp:35:5:35:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:35:5:35:26 | Store: ... = ... | write | +| test.cpp:36:5:36:24 | PointerAdd: access to array | test.cpp:36:10:36:12 | buf | test.cpp:36:5:36:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:36:5:36:28 | Store: ... = ... | write | +| test.cpp:43:9:43:19 | PointerAdd: access to array | test.cpp:43:14:43:16 | buf | test.cpp:43:9:43:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:43:9:43:23 | Store: ... = ... | write | +| test.cpp:49:5:49:22 | PointerAdd: access to array | test.cpp:49:10:49:12 | buf | test.cpp:49:5:49:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:49:5:49:26 | Store: ... = ... | write | +| test.cpp:50:5:50:24 | PointerAdd: access to array | test.cpp:50:10:50:12 | buf | test.cpp:50:5:50:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:50:5:50:28 | Store: ... = ... | write | +| test.cpp:57:9:57:19 | PointerAdd: access to array | test.cpp:57:14:57:16 | buf | test.cpp:57:9:57:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:57:9:57:23 | Store: ... = ... 
| write | +| test.cpp:61:9:61:19 | PointerAdd: access to array | test.cpp:61:14:61:16 | buf | test.cpp:61:9:61:19 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:61:9:61:23 | Store: ... = ... | write | +| test.cpp:72:5:72:15 | PointerAdd: access to array | test.cpp:79:32:79:34 | buf | test.cpp:72:5:72:15 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:72:5:72:19 | Store: ... = ... | write | +| test.cpp:77:27:77:44 | PointerAdd: access to array | test.cpp:77:32:77:34 | buf | test.cpp:66:32:66:32 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write | +| test.cpp:88:5:88:27 | PointerAdd: access to array | test.cpp:85:34:85:36 | buf | test.cpp:88:5:88:27 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:88:5:88:31 | Store: ... = ... | write | +| test.cpp:128:9:128:14 | PointerAdd: access to array | test.cpp:128:9:128:11 | arr | test.cpp:128:9:128:14 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:125:11:125:13 | arr | arr | test.cpp:128:9:128:18 | Store: ... = ... | write | +| test.cpp:136:9:136:16 | PointerAdd: ... += ... | test.cpp:143:18:143:21 | asdf | test.cpp:138:13:138:15 | arr | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:142:10:142:13 | asdf | asdf | test.cpp:138:12:138:15 | Load: * ... | read | +| test.cpp:156:12:156:18 | PointerAdd: ... + ... | test.cpp:156:12:156:14 | buf | test.cpp:147:4:147:9 | -- ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. 
| test.cpp:154:7:154:9 | buf | buf | test.cpp:147:3:147:13 | Store: ... = ... | write | +| test.cpp:156:12:156:18 | PointerAdd: ... + ... | test.cpp:156:12:156:14 | buf | test.cpp:147:4:147:9 | -- ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:154:7:154:9 | buf | buf | test.cpp:147:3:147:13 | Store: ... = ... | write | +| test.cpp:221:5:221:11 | PointerAdd: access to array | test.cpp:218:23:218:28 | buffer | test.cpp:221:5:221:11 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:217:19:217:24 | buffer | buffer | test.cpp:221:5:221:15 | Store: ... = ... | write | +| test.cpp:232:5:232:10 | PointerAdd: access to array | test.cpp:229:25:229:29 | array | test.cpp:232:5:232:10 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:228:10:228:14 | array | array | test.cpp:232:5:232:19 | Store: ... = ... | write | +| test.cpp:261:27:261:30 | PointerAdd: access to array | test.cpp:286:19:286:25 | buffer2 | test.cpp:261:27:261:30 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:285:19:285:25 | buffer2 | buffer2 | test.cpp:261:27:261:30 | Load: access to array | read | +| test.cpp:299:16:299:21 | PointerAdd: access to array | test.cpp:309:20:309:23 | arr2 | test.cpp:299:16:299:21 | access to array | This pointer arithmetic may have an off-by-1014 error allowing it to overrun $@ at this $@. | test.cpp:308:9:308:12 | arr2 | arr2 | test.cpp:299:16:299:21 | Load: access to array | read | +| test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:322:19:322:22 | temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:330:13:330:24 | Store: ... = ... 
| write | +| test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:322:19:322:22 | temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:331:13:331:24 | Store: ... = ... | write | +| test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:322:19:322:22 | temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:333:13:333:24 | Store: ... = ... | write | edges | test.cpp:34:10:34:12 | buf | test.cpp:34:5:34:24 | access to array | provenance | Config | | test.cpp:35:10:35:12 | buf | test.cpp:35:5:35:22 | access to array | provenance | Config | 
@@ -178,25 +200,3 @@ nodes | test.cpp:325:24:325:26 | end | semmle.label | end | | test.cpp:325:24:325:26 | end | semmle.label | end | subpaths -#select -| test.cpp:35:5:35:22 | PointerAdd: access to array | test.cpp:35:10:35:12 | buf | test.cpp:35:5:35:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:35:5:35:26 | Store: ... = ... | write | -| test.cpp:36:5:36:24 | PointerAdd: access to array | test.cpp:36:10:36:12 | buf | test.cpp:36:5:36:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:36:5:36:28 | Store: ... = ... | write | -| test.cpp:43:9:43:19 | PointerAdd: access to array | test.cpp:43:14:43:16 | buf | test.cpp:43:9:43:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:43:9:43:23 | Store: ... = ... | write | -| test.cpp:49:5:49:22 | PointerAdd: access to array | test.cpp:49:10:49:12 | buf | test.cpp:49:5:49:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:49:5:49:26 | Store: ... = ... | write | -| test.cpp:50:5:50:24 | PointerAdd: access to array | test.cpp:50:10:50:12 | buf | test.cpp:50:5:50:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:50:5:50:28 | Store: ... = ... | write | -| test.cpp:57:9:57:19 | PointerAdd: access to array | test.cpp:57:14:57:16 | buf | test.cpp:57:9:57:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:57:9:57:23 | Store: ... = ... 
| write | -| test.cpp:61:9:61:19 | PointerAdd: access to array | test.cpp:61:14:61:16 | buf | test.cpp:61:9:61:19 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:61:9:61:23 | Store: ... = ... | write | -| test.cpp:72:5:72:15 | PointerAdd: access to array | test.cpp:79:32:79:34 | buf | test.cpp:72:5:72:15 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:72:5:72:19 | Store: ... = ... | write | -| test.cpp:77:27:77:44 | PointerAdd: access to array | test.cpp:77:32:77:34 | buf | test.cpp:66:32:66:32 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write | -| test.cpp:88:5:88:27 | PointerAdd: access to array | test.cpp:85:34:85:36 | buf | test.cpp:88:5:88:27 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:88:5:88:31 | Store: ... = ... | write | -| test.cpp:128:9:128:14 | PointerAdd: access to array | test.cpp:128:9:128:11 | arr | test.cpp:128:9:128:14 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:125:11:125:13 | arr | arr | test.cpp:128:9:128:18 | Store: ... = ... | write | -| test.cpp:136:9:136:16 | PointerAdd: ... += ... | test.cpp:143:18:143:21 | asdf | test.cpp:138:13:138:15 | arr | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:142:10:142:13 | asdf | asdf | test.cpp:138:12:138:15 | Load: * ... | read | -| test.cpp:156:12:156:18 | PointerAdd: ... + ... | test.cpp:156:12:156:14 | buf | test.cpp:147:4:147:9 | -- ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. 
| test.cpp:154:7:154:9 | buf | buf | test.cpp:147:3:147:13 | Store: ... = ... | write | -| test.cpp:156:12:156:18 | PointerAdd: ... + ... | test.cpp:156:12:156:14 | buf | test.cpp:147:4:147:9 | -- ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:154:7:154:9 | buf | buf | test.cpp:147:3:147:13 | Store: ... = ... | write | -| test.cpp:221:5:221:11 | PointerAdd: access to array | test.cpp:218:23:218:28 | buffer | test.cpp:221:5:221:11 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:217:19:217:24 | buffer | buffer | test.cpp:221:5:221:15 | Store: ... = ... | write | -| test.cpp:232:5:232:10 | PointerAdd: access to array | test.cpp:229:25:229:29 | array | test.cpp:232:5:232:10 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:228:10:228:14 | array | array | test.cpp:232:5:232:19 | Store: ... = ... | write | -| test.cpp:261:27:261:30 | PointerAdd: access to array | test.cpp:286:19:286:25 | buffer2 | test.cpp:261:27:261:30 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:285:19:285:25 | buffer2 | buffer2 | test.cpp:261:27:261:30 | Load: access to array | read | -| test.cpp:299:16:299:21 | PointerAdd: access to array | test.cpp:309:20:309:23 | arr2 | test.cpp:299:16:299:21 | access to array | This pointer arithmetic may have an off-by-1014 error allowing it to overrun $@ at this $@. | test.cpp:308:9:308:12 | arr2 | arr2 | test.cpp:299:16:299:21 | Load: access to array | read | -| test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:322:19:322:22 | temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:330:13:330:24 | Store: ... = ... 
| write | -| test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:322:19:322:22 | temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:331:13:331:24 | Store: ... = ... | write | -| test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:322:19:322:22 | temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:333:13:333:24 | Store: ... = ... | write | diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.qlref index 082e8951c70..3be7645c1a8 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql +query: experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/test.cpp index 03de927073a..2c458170a51 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/test.cpp 
@@ -32,60 +32,60 @@ void testOneArray(OneArray *arr) { void testBig(BigArray *arr) { arr->buf[MAX_SIZE-1] = 0; // GOOD - arr->buf[MAX_SIZE] = 0; // BAD - arr->buf[MAX_SIZE+1] = 0; // BAD + arr->buf[MAX_SIZE] = 0; // BAD // $ Alert + arr->buf[MAX_SIZE+1] = 0; // BAD // $ Alert for(int i = 0; i < MAX_SIZE; i++) { arr->buf[i] = 0; // GOOD } for(int i = 0; i <= MAX_SIZE; i++) { - arr->buf[i] = 0; // BAD + arr->buf[i] = 0; // BAD // $ Alert } } void testFields(ArrayAndFields *arr) { arr->buf[MAX_SIZE-1] = 0; // GOOD - arr->buf[MAX_SIZE] = 0; // BAD? - arr->buf[MAX_SIZE+1] = 0; // BAD? + arr->buf[MAX_SIZE] = 0; // BAD? // $ Alert + arr->buf[MAX_SIZE+1] = 0; // BAD? // $ Alert for(int i = 0; i < MAX_SIZE; i++) { arr->buf[i] = 0; // GOOD } for(int i = 0; i <= MAX_SIZE; i++) { - arr->buf[i] = 0; // BAD? + arr->buf[i] = 0; // BAD? // $ Alert } for(int i = 0; i < MAX_SIZE+2; i++) { - arr->buf[i] = 0; // BAD? + arr->buf[i] = 0; // BAD? // $ Alert } // is this different if it's a memcpy? } -void assignThroughPointer(int *p) { +void assignThroughPointer(int *p) { // $ Sink *p = 0; // ??? should the result go at a flow source? } void addToPointerAndAssign(int *p) { p[MAX_SIZE-1] = 0; // GOOD - p[MAX_SIZE] = 0; // BAD + p[MAX_SIZE] = 0; // BAD // $ Alert } void testInterproc(BigArray *arr) { assignThroughPointer(&arr->buf[MAX_SIZE-1]); // GOOD - assignThroughPointer(&arr->buf[MAX_SIZE]); // BAD + assignThroughPointer(&arr->buf[MAX_SIZE]); // BAD // $ Alert - addToPointerAndAssign(arr->buf); + addToPointerAndAssign(arr->buf); // $ Source } #define MAX_SIZE_BYTES 4096 void testCharIndex(BigArray *arr) { - char *charBuf = (char*) arr->buf; + char *charBuf = (char*) arr->buf; // $ Source charBuf[MAX_SIZE_BYTES - 1] = 0; // GOOD - charBuf[MAX_SIZE_BYTES] = 0; // BAD + charBuf[MAX_SIZE_BYTES] = 0; // BAD // $ Alert } void testEqRefinement() { 
@@ -125,7 +125,7 @@ void testStackAllocated() { char *arr[MAX_SIZE]; for(int i = 0; i <= MAX_SIZE; i++) { - arr[i] = 0; // BAD + arr[i] = 0; // BAD // $ Alert } } @@ -133,18 +133,18 @@ int strncmp(const char*, const char*, int); char testStrncmp2(char *arr) { if(strncmp(arr, "", 6) == 0) { - arr += 6; + arr += 6; // $ Alert } - return *arr; // GOOD [FALSE POSITIVE] + return *arr; // GOOD [FALSE POSITIVE] // $ Sink } void testStrncmp1() { char asdf[5]; - testStrncmp2(asdf); + testStrncmp2(asdf); // $ Source } void countdownBuf1(int **p) { - *--(*p) = 1; // GOOD [FALSE POSITIVE] + *--(*p) = 1; // GOOD [FALSE POSITIVE] // $ Sink *--(*p) = 2; // GOOD *--(*p) = 3; // GOOD *--(*p) = 4; // GOOD @@ -153,7 +153,7 @@ void countdownBuf1(int **p) { void countdownBuf2() { int buf[4]; - int *x = buf + 4; + int *x = buf + 4; // $ Alert countdownBuf1(&x); } @@ -215,10 +215,10 @@ int countdownLength2() { void pointer_size_larger_than_array_element_size() { unsigned char buffer[100]; // getByteSize() = 100 - int *ptr = (int *)buffer; // pai.getElementSize() will be sizeof(int) = 4 -> size = 25 + int *ptr = (int *)buffer; // pai.getElementSize() will be sizeof(int) = 4 -> size = 25 // $ Source ptr[24] = 0; // GOOD: writes bytes 96, 97, 98, 99 - ptr[25] = 0; // BAD: writes bytes 100, 101, 102, 103 + ptr[25] = 0; // BAD: writes bytes 100, 101, 102, 103 // $ Alert } struct vec2 { int x, y; }; @@ -226,10 +226,10 @@ struct vec3 { int x, y, z; }; void pointer_size_smaller_than_array_element_size_but_does_not_divide_it() { vec3 array[3]; // getByteSize() = 9 * sizeof(int) - vec2 *ptr = (vec2 *)array; // pai.getElementSize() will be 2 * sizeof(int) -> size = 4 + vec2 *ptr = (vec2 *)array; // pai.getElementSize() will be 2 * sizeof(int) -> size = 4 // $ Source ptr[3] = vec2{}; // GOOD: writes ints 6, 7 - ptr[4] = vec2{}; // BAD: writes ints 8, 9 + ptr[4] = vec2{}; // BAD: writes ints 8, 9 // $ Alert } void pointer_size_larger_than_array_element_size_and_does_not_divide_it() { 
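Review bot: The alerts added at `arr += 6; // $ Alert` in testStrncmp2 and `int *x = buf + 4; // $ Alert` in countdownBuf2 are recorded as wanted results, although the lines they appear to pair with are commented `GOOD [FALSE POSITIVE]` and now carry `// $ Sink`. The inline-expectations format has a `SPURIOUS:` prefix for known over-reporting, so these could read `arr += 6; // $ SPURIOUS: Alert` and `int *x = buf + 4; // $ SPURIOUS: Alert`. That keeps the test passing and makes the false positive visible to anyone tuning the off-by-one query. The same applies to the `GOOD [FALSE POSITIVE]` lines annotated `// $ Alert` in the later hunks of this file (call_use, guardingCallee, correlatedCondition).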
@@ -258,7 +258,7 @@ void call_use(unsigned char* p, int n) { if(n == 3) { unsigned char x = p[0]; unsigned char y = p[1]; - unsigned char z = p[2]; // GOOD [FALSE POSITIVE]: `call_use(buffer2, 2)` won't reach this point. + unsigned char z = p[2]; // GOOD [FALSE POSITIVE]: `call_use(buffer2, 2)` won't reach this point. // $ Alert use(x, y, z); } } @@ -283,7 +283,7 @@ void test_call_use2() { call_call_use(buffer1,1); unsigned char buffer2[2]; - call_call_use(buffer2,2); + call_call_use(buffer2,2); // $ Source unsigned char buffer3[3]; call_call_use(buffer3,3); @@ -296,7 +296,7 @@ int guardingCallee(int *arr, int size) { int sum; for (int i = 0; i < size; i++) { - sum += arr[i]; // GOOD [FALSE POSITIVE] - guarded by size + sum += arr[i]; // GOOD [FALSE POSITIVE] - guarded by size // $ Alert } return sum; } @@ -306,7 +306,7 @@ int guardingCaller() { guardingCallee(arr1, MAX_SIZE); int arr2[10]; - guardingCallee(arr2, 10); + guardingCallee(arr2, 10); // $ Source } // simplified md5 padding @@ -319,10 +319,10 @@ void correlatedCondition(int num) { end = temp + 56; } else if (num < 64) { - end = temp + 64; // GOOD [FALSE POSITVE] + end = temp + 64; // GOOD [FALSE POSITVE] // $ Alert } char *temp2 = temp + num; - while(temp2 != end) { + while(temp2 != end) { // $ Sink *temp2 = 0; temp2++; } diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test1/ExposureSensitiveInformationUnauthorizedActor.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test1/ExposureSensitiveInformationUnauthorizedActor.qlref index 0fa00ffe3ab..ff0854782f9 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test1/ExposureSensitiveInformationUnauthorizedActor.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test1/ExposureSensitiveInformationUnauthorizedActor.qlref 
@@ -1 +1,2 @@ -experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql +query: experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test1/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test1/test.cpp index 6323d617ff1..a8df26ccae1 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test1/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test1/test.cpp @@ -9,7 +9,7 @@ int main(int argc, char *argv[]) { //umask(0022); FILE *fp; - fp = fopen("myFile.txt","w"); // BAD + fp = fopen("myFile.txt","w"); // BAD // $ Alert //chmod("myFile.txt",0644); fprintf(fp,"%s\n","data to file"); fclose(fp); diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test2/ExposureSensitiveInformationUnauthorizedActor.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test2/ExposureSensitiveInformationUnauthorizedActor.qlref index 0fa00ffe3ab..ff0854782f9 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test2/ExposureSensitiveInformationUnauthorizedActor.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test2/ExposureSensitiveInformationUnauthorizedActor.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql +query: experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test3/ExposureSensitiveInformationUnauthorizedActor.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test3/ExposureSensitiveInformationUnauthorizedActor.qlref index 0fa00ffe3ab..ff0854782f9 100644 
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test3/ExposureSensitiveInformationUnauthorizedActor.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-200/test3/ExposureSensitiveInformationUnauthorizedActor.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql +query: experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-243/semmle/tests/IncorrectChangingWorkingDirectory.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-243/semmle/tests/IncorrectChangingWorkingDirectory.qlref index 6e521340437..2689b2c1bc0 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-243/semmle/tests/IncorrectChangingWorkingDirectory.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-243/semmle/tests/IncorrectChangingWorkingDirectory.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-243/IncorrectChangingWorkingDirectory.ql +query: experimental/Security/CWE/CWE-243/IncorrectChangingWorkingDirectory.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-243/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-243/semmle/tests/test.cpp index 24ff440d140..5d5dddf6ef8 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-243/semmle/tests/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-243/semmle/tests/test.cpp @@ -9,7 +9,7 @@ int chdir(char *path); void exit(int status); int funTest1(){ - if (chroot("/myFold/myTmp") == -1) { // BAD + if (chroot("/myFold/myTmp") == -1) { // BAD // $ Alert exit(-1); } return 0; @@ -26,7 +26,7 @@ int funTest2(){ } int funTest3(){ - chdir("/myFold/myTmp"); // BAD + chdir("/myFold/myTmp"); // BAD // $ Alert return 0; } int main(int argc, char *argv[]) 
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-266/semmle/tests/IncorrectPrivilegeAssignment.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-266/semmle/tests/IncorrectPrivilegeAssignment.qlref index 9012747f4ba..835b6c80fb1 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-266/semmle/tests/IncorrectPrivilegeAssignment.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-266/semmle/tests/IncorrectPrivilegeAssignment.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql +query: experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-266/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-266/semmle/tests/test.cpp index 57333e8f586..85484793e98 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-266/semmle/tests/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-266/semmle/tests/test.cpp @@ -6,7 +6,7 @@ int fclose(FILE *stream); void funcTest1() { - umask(0666); // BAD + umask(0666); // BAD // $ Alert FILE *fe; fe = fopen("myFile.txt", "wt"); fclose(fe); @@ -27,7 +27,7 @@ void funcTest2(int mode) FILE *fe; fe = fopen("myFile.txt", "wt"); fclose(fe); - chmod("myFile.txt",0555-mode); // BAD + chmod("myFile.txt",0555-mode); // BAD // $ Alert } void funcTest2g(int mode) diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-285/PamAuthorization.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-285/PamAuthorization.qlref index f1135f7d536..77270c3533a 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-285/PamAuthorization.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-285/PamAuthorization.qlref 
@@ -1 +1,2 @@ -experimental/Security/CWE/CWE-285/PamAuthorization.ql +query: experimental/Security/CWE/CWE-285/PamAuthorization.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-285/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-285/test.cpp index e2753f10775..eb6628850ea 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-285/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-285/test.cpp @@ -26,7 +26,7 @@ bool PamAuthBad(const std::string &username_in, return false; } - err = pam_authenticate(pamh, 0); + err = pam_authenticate(pamh, 0); // $ Alert if (err != PAM_SUCCESS) return err; diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-295/CurlSSL.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-295/CurlSSL.cpp index 60a34889e05..451ce5423e6 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-295/CurlSSL.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-295/CurlSSL.cpp @@ -22,8 +22,8 @@ char host[] = "codeql.com"; void bad(void) { std::unique_ptr curl = std::unique_ptr(curl_easy_init()); - curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYPEER, 0); - curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYHOST, 0); + curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYPEER, 0); // $ Alert + curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYHOST, 0); // $ Alert curl_easy_setopt(curl.get(), CURLOPT_URL, host); curl_easy_perform(curl.get()); } diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-295/CurlSSL.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-295/CurlSSL.qlref index 6b09ac53c9b..e2dd11da1e8 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-295/CurlSSL.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-295/CurlSSL.qlref 
@@ -1 +1,2 @@ -experimental/Security/CWE/CWE-295/CurlSSL.ql +query: experimental/Security/CWE/CWE-295/CurlSSL.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.expected index df8b26486f3..99a27a46989 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.expected +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.expected 
@@ -1,3 +1,15 @@ +#select +| test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:57:9:57:18 | theZipcode | this source of private data. | +| test.cpp:74:24:74:30 | medical | test.cpp:74:24:74:30 | medical | test.cpp:74:24:74:30 | medical | This write into the external location 'medical' may contain unencrypted data from $@. | test.cpp:74:24:74:30 | medical | this source of private data. | +| test.cpp:78:24:78:27 | temp | test.cpp:74:24:74:30 | medical | test.cpp:78:24:78:27 | temp | This write into the external location 'temp' may contain unencrypted data from $@. | test.cpp:74:24:74:30 | medical | this source of private data. | +| test.cpp:78:24:78:27 | temp | test.cpp:77:16:77:22 | medical | test.cpp:78:24:78:27 | temp | This write into the external location 'temp' may contain unencrypted data from $@. | test.cpp:77:16:77:22 | medical | this source of private data. | +| test.cpp:82:24:82:28 | buff5 | test.cpp:74:24:74:30 | medical | test.cpp:82:24:82:28 | buff5 | This write into the external location 'buff5' may contain unencrypted data from $@. | test.cpp:74:24:74:30 | medical | this source of private data. | +| test.cpp:82:24:82:28 | buff5 | test.cpp:77:16:77:22 | medical | test.cpp:82:24:82:28 | buff5 | This write into the external location 'buff5' may contain unencrypted data from $@. | test.cpp:77:16:77:22 | medical | this source of private data. | +| test.cpp:82:24:82:28 | buff5 | test.cpp:81:22:81:28 | medical | test.cpp:82:24:82:28 | buff5 | This write into the external location 'buff5' may contain unencrypted data from $@. | test.cpp:81:22:81:28 | medical | this source of private data. | +| test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. 
| test.cpp:96:37:96:46 | theZipcode | this source of private data. | +| test.cpp:99:42:99:51 | theZipcode | test.cpp:96:37:96:46 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:96:37:96:46 | theZipcode | this source of private data. | +| test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:99:42:99:51 | theZipcode | this source of private data. | +| test.cpp:99:42:99:51 | theZipcode | test.cpp:99:61:99:70 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:99:61:99:70 | theZipcode | this source of private data. | edges | test.cpp:45:18:45:23 | buffer | test.cpp:47:10:47:15 | buffer | provenance | | | test.cpp:47:10:47:15 | buffer | test.cpp:45:7:45:10 | *func | provenance | | 
@@ -32,15 +44,3 @@ nodes | test.cpp:99:61:99:70 | theZipcode | semmle.label | theZipcode | subpaths | test.cpp:81:22:81:28 | medical | test.cpp:45:18:45:23 | buffer | test.cpp:45:7:45:10 | *func | test.cpp:81:17:81:20 | call to func | -#select -| test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:57:9:57:18 | theZipcode | this source of private data. | -| test.cpp:74:24:74:30 | medical | test.cpp:74:24:74:30 | medical | test.cpp:74:24:74:30 | medical | This write into the external location 'medical' may contain unencrypted data from $@. | test.cpp:74:24:74:30 | medical | this source of private data. | -| test.cpp:78:24:78:27 | temp | test.cpp:74:24:74:30 | medical | test.cpp:78:24:78:27 | temp | This write into the external location 'temp' may contain unencrypted data from $@. | test.cpp:74:24:74:30 | medical | this source of private data. | -| test.cpp:78:24:78:27 | temp | test.cpp:77:16:77:22 | medical | test.cpp:78:24:78:27 | temp | This write into the external location 'temp' may contain unencrypted data from $@. | test.cpp:77:16:77:22 | medical | this source of private data. | -| test.cpp:82:24:82:28 | buff5 | test.cpp:74:24:74:30 | medical | test.cpp:82:24:82:28 | buff5 | This write into the external location 'buff5' may contain unencrypted data from $@. | test.cpp:74:24:74:30 | medical | this source of private data. | -| test.cpp:82:24:82:28 | buff5 | test.cpp:77:16:77:22 | medical | test.cpp:82:24:82:28 | buff5 | This write into the external location 'buff5' may contain unencrypted data from $@. | test.cpp:77:16:77:22 | medical | this source of private data. | -| test.cpp:82:24:82:28 | buff5 | test.cpp:81:22:81:28 | medical | test.cpp:82:24:82:28 | buff5 | This write into the external location 'buff5' may contain unencrypted data from $@. | test.cpp:81:22:81:28 | medical | this source of private data. 
| -| test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:96:37:96:46 | theZipcode | this source of private data. | -| test.cpp:99:42:99:51 | theZipcode | test.cpp:96:37:96:46 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:96:37:96:46 | theZipcode | this source of private data. | -| test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:99:42:99:51 | theZipcode | this source of private data. | -| test.cpp:99:42:99:51 | theZipcode | test.cpp:99:61:99:70 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@. | test.cpp:99:61:99:70 | theZipcode | this source of private data. | diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.qlref index 65c8c9c2dd4..0952582b406 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-359/PrivateCleartextWrite.ql \ No newline at end of file +query: experimental/Security/CWE/CWE-359/PrivateCleartextWrite.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/test.cpp index 4d69ee5b2b7..b123603654c 100644 
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/test.cpp @@ -54,7 +54,7 @@ void file() FILE *file; // BAD: write zipcode to file in cleartext - fputs(theZipcode, file); + fputs(theZipcode, file); // $ Alert // GOOD: encrypt first char *encrypted = encrypt(theZipcode); @@ -71,15 +71,15 @@ int main(int argc, char **argv) char *buff4; // BAD: write medical to buffer in cleartext - sprintf(buff1, "%s", medical); + sprintf(buff1, "%s", medical); // $ Alert Source // BAD: write medical to buffer in cleartext - char *temp = medical; - sprintf(buff2, "%s", temp); + char *temp = medical; // $ Source + sprintf(buff2, "%s", temp); // $ Alert // BAD: write medical to buffer in cleartext - char *buff5 = func(medical); - sprintf(buff3, "%s", buff5); + char *buff5 = func(medical); // $ Source + sprintf(buff3, "%s", buff5); // $ Alert char *buff6 = encrypt(medical); // GOOD: encrypt first @@ -93,10 +93,10 @@ void stream() ofstream mystream; // BAD: write zipcode to file in cleartext - mystream << "the zipcode is: " << theZipcode; + mystream << "the zipcode is: " << theZipcode; // $ Alert Source // BAD: write zipcode to file in cleartext - (mystream << "the zipcode is: ").write(theZipcode, strlen(theZipcode)); + (mystream << "the zipcode is: ").write(theZipcode, strlen(theZipcode)); // $ Alert // GOOD: encrypt first char *encrypted = encrypt(theZipcode); diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-369/semmle/tests/DivideByZeroUsingReturnValue.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-369/semmle/tests/DivideByZeroUsingReturnValue.qlref index e134a5229da..77407cfd825 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-369/semmle/tests/DivideByZeroUsingReturnValue.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-369/semmle/tests/DivideByZeroUsingReturnValue.qlref 
@@ -1 +1,2 @@ -experimental/Security/CWE/CWE-369/DivideByZeroUsingReturnValue.ql +query: experimental/Security/CWE/CWE-369/DivideByZeroUsingReturnValue.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-369/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-369/semmle/tests/test.cpp index 882f6618485..3ea20ea8c44 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-369/semmle/tests/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-369/semmle/tests/test.cpp @@ -44,13 +44,13 @@ int getSize2(int type) { int badTestf1(int type, int met) { int is = getSize(type); - if (met == 1) return 123 / is; // BAD - else return 123 / getSize2(type); // BAD + if (met == 1) return 123 / is; // BAD // $ Alert + else return 123 / getSize2(type); // BAD // $ Alert } int badTestf2(int type) { int is; is = getSize(type); - return 123 / is; // BAD + return 123 / is; // BAD // $ Alert } int badTestf3(int type, int met) { @@ -62,23 +62,23 @@ int badTestf3(int type, int met) { case 2: if (0 == is) return 123 / is; // BAD [NOT DETECTED] case 3: - if (!is & 123 / is) // BAD + if (!is & 123 / is) // BAD // $ Alert return 123; case 4: - if (!is | 123 / is) // BAD + if (!is | 123 / is) // BAD // $ Alert return 123; case 5: - if (123 / is || !is) // BAD + if (123 / is || !is) // BAD // $ Alert return 123; case 6: - if (123 / is && !is) // BAD + if (123 / is && !is) // BAD // $ Alert return 123; case 7: - if (!is) return 123 / is; // BAD + if (!is) return 123 / is; // BAD // $ Alert case 8: - if (is > -1) return 123 / is; // BAD + if (is > -1) return 123 / is; // BAD // $ Alert case 9: - if (is < 2) return 123 / is; // BAD + if (is < 2) return 123 / is; // BAD // $ Alert } if (is != 0) return -1; if (is == 0) type += 1; 
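Review bot: The context line `if (0 == is) return 123 / is; // BAD [NOT DETECTED]` in badTestf3 gets no expectation, so this known false negative of the divide-by-zero query is recorded only in free text. The inline-expectations format can carry it as `// BAD [NOT DETECTED] // $ MISSING: Alert`, and the test would then report when the query starts catching the case. The same holds for `badMySubDiv(type, is); // BAD [NOT DETECTED]` under `if (is < 0)` in the badTestf13 hunk. badTestf3 starts and ends outside this hunk.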
@@ -125,20 +125,20 @@ int badTestf4(int type) { int is = getSize(type); int d; d = type * is; - return 123 / d; // BAD + return 123 / d; // BAD // $ Alert } int badTestf5(int type) { int is = getSize(type); int d; d = is / type; - return 123 / d; // BAD + return 123 / d; // BAD // $ Alert } int badTestf6(int type) { int is = getSize(type); int d; d = is / type; - return type * 123 / d; // BAD + return type * 123 / d; // BAD // $ Alert } int badTestf7(int type, int met) { @@ -150,7 +150,7 @@ int badTestf7(int type, int met) { return 123 / is; // GOOD } quit: - return 123 / is; // BAD + return 123 / is; // BAD // $ Alert } int goodTestf7(int type, int met) { @@ -169,8 +169,8 @@ int goodTestf7(int type, int met) { int badTestf8(int type) { int is = getSize(type); - type /= is; // BAD - type %= is; // BAD + type /= is; // BAD // $ Alert + type %= is; // BAD // $ Alert return type; } @@ -184,7 +184,7 @@ float getSizeFloat(float type) { } float badTestf9(float type) { float is = getSizeFloat(type); - return 123 / is; // BAD + return 123 / is; // BAD // $ Alert } float goodTestf9(float type) { float is = getSizeFloat(type); @@ -196,18 +196,18 @@ int badTestf10(int type) { int out = type; int is = getSize(type); if (is > -2) { - out /= 123 / (is + 1); // BAD + out /= 123 / (is + 1); // BAD // $ Alert } if (is > 0) { - return 123 / (is - 1); // BAD + return 123 / (is - 1); // BAD // $ Alert } if (is <= 0) return 0; - return 123 / (is - 1); // BAD + return 123 / (is - 1); // BAD // $ Alert return 0; } int badTestf11(int type) { int is = getSize(type); - return 123 / (is - 3); // BAD + return 123 / (is - 3); // BAD // $ Alert } int goodTestf11(int type) { 
@@ -255,12 +255,12 @@ int badMySubDiv(int type, int is) { void badTestf13(int type) { int is = getSize(type); - badMyDiv(type, is); // BAD - badMyDiv(type, is - 2); // BAD - badMySubDiv(type, is); // BAD + badMyDiv(type, is); // BAD // $ Alert + badMyDiv(type, is - 2); // BAD // $ Alert + badMySubDiv(type, is); // BAD // $ Alert goodMyDiv(type, is); // GOOD if (is < 5) - badMySubDiv(type, is); // BAD + badMySubDiv(type, is); // BAD // $ Alert if (is < 0) badMySubDiv(type, is); // BAD [NOT DETECTED] if (is > 5) @@ -270,9 +270,9 @@ void badTestf13(int type) { if (is > 0) badMyDiv(type, is); // GOOD if (is < 5) - badMyDiv(type, is - 3); // BAD + badMyDiv(type, is - 3); // BAD // $ Alert if (is < 0) - badMyDiv(type, is + 1); // BAD + badMyDiv(type, is + 1); // BAD // $ Alert if (is > 5) badMyDiv(type, is - 3); // GOOD } diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-377/semmle/tests/InsecureTemporaryFile.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-377/semmle/tests/InsecureTemporaryFile.qlref index beec38ab5dc..d4fa44200b1 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-377/semmle/tests/InsecureTemporaryFile.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-377/semmle/tests/InsecureTemporaryFile.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql +query: experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-377/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-377/semmle/tests/test.cpp index 07efea49e78..9adc5304984 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-377/semmle/tests/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-377/semmle/tests/test.cpp 
@@ -13,7 +13,7 @@ int fclose(FILE *stream); int funcTest1() { FILE *fp; - char *filename = tmpnam(NULL); // BAD + char *filename = tmpnam(NULL); // BAD // $ Alert fp = fopen(filename,"w"); fprintf(fp,"%s\n","data to file"); fclose(fp); diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-401/semmle/tests/MemoryLeakOnFailedCallToRealloc.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-401/semmle/tests/MemoryLeakOnFailedCallToRealloc.qlref index e80e86cbdcc..d3ede250c5b 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-401/semmle/tests/MemoryLeakOnFailedCallToRealloc.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-401/semmle/tests/MemoryLeakOnFailedCallToRealloc.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql \ No newline at end of file +query: experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-401/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-401/semmle/tests/test.c index df33fc19ef6..f5b58b8438f 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-401/semmle/tests/test.c +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-401/semmle/tests/test.c @@ -31,7 +31,7 @@ unsigned char * badResize_0(unsigned char * buffer,size_t currentSize,size_t new // BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block if (currentSize < newSize) { - buffer = (unsigned char *)realloc(buffer, newSize); + buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert } return buffer; } 
@@ -60,7 +60,7 @@ unsigned char * badResize_1_0(unsigned char * buffer,size_t currentSize,size_t n // BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block if (currentSize < newSize) { - buffer = (unsigned char *)realloc(buffer, newSize); + buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert } return buffer; } @@ -136,7 +136,7 @@ unsigned char * badResize_1_1(unsigned char * buffer,size_t currentSize,size_t n // BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block if (currentSize < newSize) { - buffer = (unsigned char *)realloc(buffer, newSize); + buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert } if(!buffer) aFakeFailed_1(1, 1); @@ -183,7 +183,7 @@ unsigned char * badResize_2_0(unsigned char * buffer,size_t currentSize,size_t n assert(buffer!=0); if (currentSize < newSize) { - buffer = (unsigned char *)realloc(buffer, newSize); + buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert } return buffer; } @@ -279,7 +279,7 @@ unsigned char *goodResize_3_1(unsigned char *buffer, size_t currentSize, size_t unsigned char *tmp = buffer; if (currentSize < newSize) { - buffer = (unsigned char *)realloc(buffer, newSize); + buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert if (buffer == NULL) { free(tmp); @@ -296,7 +296,7 @@ unsigned char *goodResize_3_2(unsigned char *buffer, size_t currentSize, size_t unsigned char *tmp = buffer; if (currentSize < newSize) { - tmp = (unsigned char *)realloc(tmp, newSize); + tmp = (unsigned char *)realloc(tmp, newSize); // $ Alert if (tmp != 0) { buffer = tmp; @@ -325,7 +325,7 @@ unsigned char * badResize_5_2(unsigned char *buffer, size_t currentSize, size_t // BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block if (currentSize < newSize) { - buffer = (unsigned char *)realloc(buffer, newSize); + buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert } if (cond) { 
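Review bot: `goodResize_3_1` and `goodResize_3_2` gain `// $ Alert` on their realloc lines with no comment saying whether the result is wanted. In the visible context both keep the old pointer in `tmp`: 3_1 frees it when realloc returns NULL, and 3_2 assigns `buffer = tmp` only on success. These therefore look like false positives of the realloc-leak query rather than intended findings. If that is right, the lines should say so, for example `// GOOD [FALSE POSITIVE] // $ SPURIOUS: Alert`, to keep them distinct from the true `badResize_*` cases. Both functions extend outside their hunks.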
@@ -339,7 +339,7 @@ unsigned char * badResize_5_1(unsigned char *buffer, size_t currentSize, size_t // BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block if (currentSize < newSize) { - buffer = (unsigned char *)realloc(buffer, newSize); + buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert assert(cond); // irrelevant } return buffer; diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/DecompressionBombs.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/DecompressionBombs.expected index b813f8532cb..363b2aafa0f 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/DecompressionBombs.expected +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/DecompressionBombs.expected 
@@ -1,3 +1,17 @@ +#select +| brotliTest.cpp:18:35:18:53 | *access to array | main.cpp:7:33:7:36 | **argv | brotliTest.cpp:18:35:18:53 | *access to array | The decompression output of $@ is not limited | brotliTest.cpp:18:5:18:27 | call to BrotliDecoderDecompress | BrotliDecoderDecompress | +| brotliTest.cpp:24:51:24:58 | **& ... | main.cpp:7:33:7:36 | **argv | brotliTest.cpp:24:51:24:58 | **& ... | The decompression output of $@ is not limited | brotliTest.cpp:24:5:24:33 | call to BrotliDecoderDecompressStream | BrotliDecoderDecompressStream | +| libarchiveTests.cpp:22:41:22:42 | *ar | main.cpp:7:33:7:36 | **argv | libarchiveTests.cpp:22:41:22:42 | *ar | The decompression output of $@ is not limited | libarchiveTests.cpp:22:17:22:39 | call to archive_read_data_block | archive_read_data_block | +| minizipTest.cpp:17:52:17:67 | *access to array | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:17:52:17:67 | *access to array | The decompression output of $@ is not limited | minizipTest.cpp:17:22:17:38 | call to mz_zip_entry_read | mz_zip_entry_read | +| minizipTest.cpp:26:30:26:39 | **zip_reader | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:26:30:26:39 | **zip_reader | The decompression output of $@ is not limited | minizipTest.cpp:26:5:26:28 | call to mz_zip_reader_entry_save | mz_zip_reader_entry_save | +| minizipTest.cpp:26:30:26:39 | *zip_reader | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:26:30:26:39 | *zip_reader | The decompression output of $@ is not limited | minizipTest.cpp:26:5:26:28 | call to mz_zip_reader_entry_save | mz_zip_reader_entry_save | +| minizipTest.cpp:28:13:28:19 | *access to array | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:28:13:28:19 | *access to array | The decompression output of $@ is not limited | minizipTest.cpp:28:5:28:11 | call to UnzOpen | UnzOpen | +| zlibTest.cpp:25:13:25:22 | & ... | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:25:13:25:22 | & ... 
| The decompression output of $@ is not limited | zlibTest.cpp:25:5:25:11 | call to inflate | inflate | +| zlibTest.cpp:41:20:41:26 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:41:20:41:26 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:41:13:41:18 | call to gzread | gzread | +| zlibTest.cpp:51:38:51:44 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:51:38:51:44 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:51:14:51:20 | call to gzfread | gzfread | +| zlibTest.cpp:62:25:62:31 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:62:25:62:31 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:62:18:62:23 | call to gzgets | gzgets | +| zlibTest.cpp:77:45:77:59 | *input | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:77:45:77:59 | *input | The decompression output of $@ is not limited | zlibTest.cpp:77:5:77:14 | call to uncompress | uncompress | +| zstdTest.cpp:39:69:39:74 | & ... | main.cpp:7:33:7:36 | **argv | zstdTest.cpp:39:69:39:74 | & ... | The decompression output of $@ is not limited | zstdTest.cpp:39:32:39:52 | call to ZSTD_decompressStream | ZSTD_decompressStream | edges | brotliTest.cpp:15:41:15:44 | **argv | brotliTest.cpp:15:41:15:44 | **argv | provenance | | | brotliTest.cpp:15:41:15:44 | **argv | brotliTest.cpp:18:35:18:53 | *access to array | provenance | | 
@@ -214,17 +228,3 @@ subpaths | zlibTest.cpp:83:19:83:25 | *access to array | zlibTest.cpp:16:26:16:30 | *input | zlibTest.cpp:16:26:16:30 | *input | zlibTest.cpp:83:19:83:25 | UnsafeInflate output argument | | zlibTest.cpp:84:18:84:24 | *access to array | zlibTest.cpp:37:25:37:32 | *fileName | zlibTest.cpp:37:25:37:32 | *fileName | zlibTest.cpp:84:18:84:24 | UnsafeGzread output argument | | zlibTest.cpp:85:19:85:25 | *access to array | zlibTest.cpp:71:26:71:30 | *input | zlibTest.cpp:71:26:71:30 | *input | zlibTest.cpp:85:19:85:25 | InflateString output argument | -#select -| brotliTest.cpp:18:35:18:53 | *access to array | main.cpp:7:33:7:36 | **argv | brotliTest.cpp:18:35:18:53 | *access to array | The decompression output of $@ is not limited | brotliTest.cpp:18:5:18:27 | call to BrotliDecoderDecompress | BrotliDecoderDecompress | -| brotliTest.cpp:24:51:24:58 | **& ... | main.cpp:7:33:7:36 | **argv | brotliTest.cpp:24:51:24:58 | **& ... | The decompression output of $@ is not limited | brotliTest.cpp:24:5:24:33 | call to BrotliDecoderDecompressStream | BrotliDecoderDecompressStream | -| libarchiveTests.cpp:22:41:22:42 | *ar | main.cpp:7:33:7:36 | **argv | libarchiveTests.cpp:22:41:22:42 | *ar | The decompression output of $@ is not limited | libarchiveTests.cpp:22:17:22:39 | call to archive_read_data_block | archive_read_data_block | -| minizipTest.cpp:17:52:17:67 | *access to array | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:17:52:17:67 | *access to array | The decompression output of $@ is not limited | minizipTest.cpp:17:22:17:38 | call to mz_zip_entry_read | mz_zip_entry_read | -| minizipTest.cpp:26:30:26:39 | **zip_reader | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:26:30:26:39 | **zip_reader | The decompression output of $@ is not limited | minizipTest.cpp:26:5:26:28 | call to mz_zip_reader_entry_save | mz_zip_reader_entry_save | -| minizipTest.cpp:26:30:26:39 | *zip_reader | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:26:30:26:39 | *zip_reader | 
The decompression output of $@ is not limited | minizipTest.cpp:26:5:26:28 | call to mz_zip_reader_entry_save | mz_zip_reader_entry_save | -| minizipTest.cpp:28:13:28:19 | *access to array | main.cpp:7:33:7:36 | **argv | minizipTest.cpp:28:13:28:19 | *access to array | The decompression output of $@ is not limited | minizipTest.cpp:28:5:28:11 | call to UnzOpen | UnzOpen | -| zlibTest.cpp:25:13:25:22 | & ... | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:25:13:25:22 | & ... | The decompression output of $@ is not limited | zlibTest.cpp:25:5:25:11 | call to inflate | inflate | -| zlibTest.cpp:41:20:41:26 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:41:20:41:26 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:41:13:41:18 | call to gzread | gzread | -| zlibTest.cpp:51:38:51:44 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:51:38:51:44 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:51:14:51:20 | call to gzfread | gzfread | -| zlibTest.cpp:62:25:62:31 | inFileZ | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:62:25:62:31 | inFileZ | The decompression output of $@ is not limited | zlibTest.cpp:62:18:62:23 | call to gzgets | gzgets | -| zlibTest.cpp:77:45:77:59 | *input | main.cpp:7:33:7:36 | **argv | zlibTest.cpp:77:45:77:59 | *input | The decompression output of $@ is not limited | zlibTest.cpp:77:5:77:14 | call to uncompress | uncompress | -| zstdTest.cpp:39:69:39:74 | & ... | main.cpp:7:33:7:36 | **argv | zstdTest.cpp:39:69:39:74 | & ... | The decompression output of $@ is not limited | zstdTest.cpp:39:32:39:52 | call to ZSTD_decompressStream | ZSTD_decompressStream | diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/DecompressionBombs.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/DecompressionBombs.qlref index 3dcbc9db9ff..b5c3a8e483d 100644 
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/DecompressionBombs.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/DecompressionBombs.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-409/DecompressionBombs.ql +query: experimental/Security/CWE/CWE-409/DecompressionBombs.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/brotliTest.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/brotliTest.cpp index 90274943473..649373d326d 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/brotliTest.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/brotliTest.cpp @@ -15,12 +15,12 @@ BrotliDecoderResult BrotliDecoderDecompressStream( void brotli_test(int argc, const char **argv) { uint8_t output[1024]; size_t output_size = sizeof(output); - BrotliDecoderDecompress(1024, (uint8_t *) argv[2], &output_size, output); // BAD + BrotliDecoderDecompress(1024, (uint8_t *) argv[2], &output_size, output); // BAD // $ Alert size_t input_size = 1024; const uint8_t *input_p = (const uint8_t*)argv[2]; uint8_t *output_p = output; size_t out_size; - BrotliDecoderDecompressStream(0, &input_size, &input_p, &output_size, // BAD + BrotliDecoderDecompressStream(0, &input_size, &input_p, &output_size, // BAD // $ Alert &output_p, &out_size); } diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/libarchiveTests.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/libarchiveTests.cpp index 5988c9d0fc5..9b8dfe19409 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/libarchiveTests.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/libarchiveTests.cpp 
@@ -19,7 +19,7 @@ static int read_data(archive *ar) { size_t size; la_int64_t offset; - int r = archive_read_data_block(ar, &buff, &size, &offset); // BAD + int r = archive_read_data_block(ar, &buff, &size, &offset); // BAD // $ Alert if (r == ARCHIVE_EOF) return ARCHIVE_OK; if (r < ARCHIVE_OK) diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/main.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/main.cpp index 47f76ff079b..f890ba397a9 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/main.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/main.cpp @@ -4,7 +4,7 @@ void minizip_test(int argc, const char **argv); void zlib_test(int argc, const char **argv); void zstd_test(int argc, const char **argv); -int main(int argc, const char **argv) { +int main(int argc, const char **argv) { // $ Source brotli_test(argc, argv); libarchive_test(argc, argv); minizip_test(argc, argv); diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/minizipTest.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/minizipTest.cpp index 636f579feea..b69eb27a3d7 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/minizipTest.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/minizipTest.cpp @@ -14,7 +14,7 @@ void minizip_test(int argc, const char **argv) { int32_t bytes_read; char buf[4096]; while(true) { - bytes_read = mz_zip_entry_read(zip_handle, (char *) argv[1], sizeof(buf)); // BAD + bytes_read = mz_zip_entry_read(zip_handle, (char *) argv[1], sizeof(buf)); // BAD // $ Alert if (bytes_read <= 0) { break; } 
@@ -23,7 +23,7 @@ void minizip_test(int argc, const char **argv) { void *zip_reader = mz_zip_reader_create(); mz_zip_reader_open_file(zip_reader, argv[1]); mz_zip_reader_goto_first_entry(zip_reader); - mz_zip_reader_entry_save(zip_reader, 0, 0); // BAD + mz_zip_reader_entry_save(zip_reader, 0, 0); // BAD // $ Alert - UnzOpen(argv[3]); // BAD + UnzOpen(argv[3]); // BAD // $ Alert } diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/zlibTest.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/zlibTest.cpp index 7643a607407..bb2df6e1d34 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/zlibTest.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/zlibTest.cpp @@ -22,7 +22,7 @@ void UnsafeInflate(char *input) { infstream.next_out = output; // output char array inflateInit(&infstream); - inflate(&infstream, 0); // BAD + inflate(&infstream, 0); // BAD // $ Alert } @@ -38,7 +38,7 @@ void UnsafeGzread(char *fileName) { gzFile inFileZ = gzopen(fileName, "rb"); unsigned char unzipBuffer[8192]; while (true) { - if (gzread(inFileZ, unzipBuffer, 8192) <= 0) { // BAD + if (gzread(inFileZ, unzipBuffer, 8192) <= 0) { // BAD // $ Alert break; } } @@ -48,7 +48,7 @@ void UnsafeGzfread(char *fileName) { gzFile inFileZ = gzopen(fileName, "rb"); while (true) { char buffer[1000]; - if (!gzfread(buffer, 999, 1, inFileZ)) { // BAD + if (!gzfread(buffer, 999, 1, inFileZ)) { // BAD // $ Alert break; } } @@ -59,7 +59,7 @@ void UnsafeGzgets(char *fileName) { char *buffer = new char[4000000000]; char *result; while (true) { - result = gzgets(inFileZ, buffer, 1000000000); // BAD + result = gzgets(inFileZ, buffer, 1000000000); // BAD // $ Alert if (result == nullptr) { break; } 
@@ -74,7 +74,7 @@ void InflateString(char *input) { uLong source_length = 500; uLong destination_length = sizeof(output); - uncompress(output, &destination_length, (Bytef *) input, source_length); // BAD + uncompress(output, &destination_length, (Bytef *) input, source_length); // BAD // $ Alert } void zlib_test(int argc, char **argv) { diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/zstdTest.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/zstdTest.cpp index 42455185823..8fa15ee39b6 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/zstdTest.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/zstdTest.cpp @@ -36,7 +36,7 @@ void zstd_test(int argc, const char **argv) { ZSTD_inBuffer input = {buffIn, read, 0}; while (input.pos < input.size) { ZSTD_outBuffer output = {buffOut, buffOutSize, 0}; - size_t const ret = ZSTD_decompressStream(dctx, &output, &input); // BAD + size_t const ret = ZSTD_decompressStream(dctx, &output, &input); // BAD // $ Alert CHECK_ZSTD(ret); } } diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/DoubleFree.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/DoubleFree.qlref index 242beb593f8..c6f50940328 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/DoubleFree.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/DoubleFree.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-415/DoubleFree.ql +query: experimental/Security/CWE/CWE-415/DoubleFree.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/test.c index 1c154c03094..85130e5971e 100644 
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/test.c +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/test.c @@ -8,14 +8,14 @@ void workFunction_0(char *s) { char *buf; buf = (char *) malloc(intSize); free(buf); // GOOD - if(buf) free(buf); // BAD + if(buf) free(buf); // BAD // $ Alert } void workFunction_1(char *s) { int intSize = 10; char *buf; buf = (char *) malloc(intSize); free(buf); // GOOD - free(buf); // BAD + free(buf); // BAD // $ Alert } void workFunction_2(char *s) { int intSize = 10; @@ -54,7 +54,7 @@ void workFunction_5(char *s, int intFlag) { if(intFlag) { free(buf); // GOOD } - free(buf); // BAD + free(buf); // BAD // $ Alert } void workFunction_6(char *s, int intFlag) { int intSize = 10; @@ -75,7 +75,7 @@ void workFunction_7(char *s) { char *buf1; buf = (char *) malloc(intSize); buf1 = (char *) realloc(buf,intSize*4); - free(buf); // BAD + free(buf); // BAD // $ Alert } void workFunction_8(char *s) { int intSize = 10; diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-476/semmle/tests/DangerousUseOfExceptionBlocks.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-476/semmle/tests/DangerousUseOfExceptionBlocks.qlref index c67adb8774b..5a285aaa56c 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-476/semmle/tests/DangerousUseOfExceptionBlocks.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-476/semmle/tests/DangerousUseOfExceptionBlocks.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-476/DangerousUseOfExceptionBlocks.ql +query: experimental/Security/CWE/CWE-476/DangerousUseOfExceptionBlocks.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-476/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-476/semmle/tests/test.cpp index de0be1efff2..9d7478548fd 100644 
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-476/semmle/tests/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-476/semmle/tests/test.cpp @@ -68,7 +68,7 @@ void funcWork1b() { } delete [] bufMyData; - } + } // $ Alert } void funcWork1() { @@ -97,7 +97,7 @@ void funcWork1() { } delete [] bufMyData; - } + } // $ Alert } void funcWork2() { @@ -125,7 +125,7 @@ void funcWork2() { } delete [] bufMyData; - } + } // $ Alert } void funcWork3() { int a; @@ -148,7 +148,7 @@ void funcWork3() { } delete [] bufMyData; - } + } // $ Alert } @@ -180,7 +180,7 @@ void funcWork4b() { catch (...) { delete valData; // BAD - } + } // $ Alert } void funcWork5() { int a; @@ -218,7 +218,7 @@ void funcWork5b() { catch (...) { delete valData; // BAD - } + } // $ Alert } void funcWork6() { int a; diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-561/semmle/tests/FindIncorrectlyUsedSwitch.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-561/semmle/tests/FindIncorrectlyUsedSwitch.qlref index b16a5e484a6..aeadfbd0d1a 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-561/semmle/tests/FindIncorrectlyUsedSwitch.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-561/semmle/tests/FindIncorrectlyUsedSwitch.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-561/FindIncorrectlyUsedSwitch.ql +query: experimental/Security/CWE/CWE-561/FindIncorrectlyUsedSwitch.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-561/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-561/semmle/tests/test.c index ede4b87d249..ecb421991a4 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-561/semmle/tests/test.c +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-561/semmle/tests/test.c @@ -25,7 +25,7 @@ void testFunction(char c1,int i1) case 9: break; dafault: - } + } // $ Alert switch(c1){ // BAD c1=c1*2; 
@@ -35,7 +35,7 @@ void testFunction(char c1,int i1) break; case 9: break; - } + } // $ Alert if((c1<6)&&(c1>0)) switch(c1){ // BAD @@ -47,7 +47,7 @@ void testFunction(char c1,int i1) break; case 1: break; - } + } // $ Alert if((c1<6)&&(c1>0)) switch(c1){ // BAD @@ -55,6 +55,6 @@ void testFunction(char c1,int i1) break; case 1: break; - } + } // $ Alert } diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-670/semmle/tests/DangerousUseSSL_shutdown.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-670/semmle/tests/DangerousUseSSL_shutdown.qlref index 0c2096f68ff..ee351aa3cfb 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-670/semmle/tests/DangerousUseSSL_shutdown.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-670/semmle/tests/DangerousUseSSL_shutdown.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-670/DangerousUseSSL_shutdown.ql +query: experimental/Security/CWE/CWE-670/DangerousUseSSL_shutdown.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-670/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-670/semmle/tests/test.cpp index 9ebe1cc10a5..ce550684d08 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-670/semmle/tests/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-670/semmle/tests/test.cpp @@ -42,7 +42,7 @@ int gootTest2(SSL *ssl) int badTest1(SSL *ssl) { int ret; - switch ((ret = SSL_shutdown(ssl))) { + switch ((ret = SSL_shutdown(ssl))) { // $ Alert case 1: break; case 0: @@ -58,7 +58,7 @@ int badTest1(SSL *ssl) int badTest2(SSL *ssl) { int ret; - ret = SSL_shutdown(ssl); + ret = SSL_shutdown(ssl); // $ Alert switch (ret) { case 1: break; 
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-675/semmle/tests/DoubleRelease.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-675/semmle/tests/DoubleRelease.qlref index 3edd226abaa..7d28602c7e9 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-675/semmle/tests/DoubleRelease.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-675/semmle/tests/DoubleRelease.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-675/DoubleRelease.ql \ No newline at end of file +query: experimental/Security/CWE/CWE-675/DoubleRelease.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-675/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-675/semmle/tests/test.cpp index 986a95b1ce9..143572b34c2 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-675/semmle/tests/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-675/semmle/tests/test.cpp @@ -17,7 +17,7 @@ void test2() FILE *f; f = fopen("myFile.txt", "wt"); - fclose(f); // BAD + fclose(f); // BAD // $ Alert fclose(f); } @@ -28,14 +28,14 @@ void test3() f = fopen("myFile.txt", "wt"); g = f; - fclose(f); // BAD + fclose(f); // BAD // $ Alert fclose(g); } int fGtest4_1() { fe = fopen("myFile.txt", "wt"); - fclose(fe); // BAD + fclose(fe); // BAD // $ Alert return -1; } diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementAfterRefactoringTheCode.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementAfterRefactoringTheCode.qlref index 496d5f1b7be..50143aaec22 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementAfterRefactoringTheCode.qlref 
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementAfterRefactoringTheCode.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql +query: experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementWhenUsingBitOperations.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementWhenUsingBitOperations.qlref index 9bf28db3c8a..2e5848da6d2 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementWhenUsingBitOperations.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementWhenUsingBitOperations.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql +query: experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/test.c index 1f41f499ded..58c687d5300 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/test.c +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/test.c 
@@ -5,25 +5,25 @@ void workFunction_0(char *s) { int intSize; char buf[80]; if(intSize>0 && intSize<80 && memset(buf,0,intSize)) return; // GOOD - if(intSize>0 & intSize<80 & memset(buf,0,intSize)) return; // BAD + if(intSize>0 & intSize<80 & memset(buf,0,intSize)) return; // BAD // $ Alert[cpp/errors-when-using-bit-operations] if(intSize>0 && tmpFunction()) return; - if(intSize<0 & tmpFunction()) return; // BAD + if(intSize<0 & tmpFunction()) return; // BAD // $ Alert[cpp/errors-when-using-bit-operations] } void workFunction_1(char *s) { int intA,intB; - if(intA + intB) return; // BAD + if(intA + intB) return; // BAD // $ Alert[cpp/errors-after-refactoring] if(intA + intB>4) return; // GOOD - if(intA>0 && (intA + intB)) return; // BAD + if(intA>0 && (intA + intB)) return; // BAD // $ Alert[cpp/errors-after-refactoring] while(intA>0) { if(intB - intA<10) break; intA--; - }while(intA>0); // BAD + }while(intA>0); // BAD // $ Alert[cpp/errors-after-refactoring] for(intA=100; intA>0; intA--) { if(intB - intA<10) break; - }while(intA>0); // BAD + }while(intA>0); // BAD // $ Alert[cpp/errors-after-refactoring] while(intA>0) { if(intB - intA<10) break; diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-703/semmle/tests/FindIncorrectlyUsedExceptions.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-703/semmle/tests/FindIncorrectlyUsedExceptions.qlref index 85ac9ad2fd4..5dbfe0957a7 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-703/semmle/tests/FindIncorrectlyUsedExceptions.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-703/semmle/tests/FindIncorrectlyUsedExceptions.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-703/FindIncorrectlyUsedExceptions.ql +query: experimental/Security/CWE/CWE-703/FindIncorrectlyUsedExceptions.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-703/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-703/semmle/tests/test.cpp index f255aabbb42..303728e9731 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-703/semmle/tests/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-703/semmle/tests/test.cpp @@ -32,13 +32,13 @@ void funcTest2() void funcTest3() { - std::runtime_error("msg error"); // BAD + std::runtime_error("msg error"); // BAD // $ Alert throw std::runtime_error("msg error"); // GOOD } void TestFunc() { - funcTest1(); - DllMain(); + funcTest1(); // $ Alert + DllMain(); // $ Alert funcTest2(); } diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-754/semmle/tests/ImproperCheckReturnValueScanf.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-754/semmle/tests/ImproperCheckReturnValueScanf.qlref index f0cb9dd57c1..1bc37310f27 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-754/semmle/tests/ImproperCheckReturnValueScanf.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-754/semmle/tests/ImproperCheckReturnValueScanf.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-754/ImproperCheckReturnValueScanf.ql +query: experimental/Security/CWE/CWE-754/ImproperCheckReturnValueScanf.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-754/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-754/semmle/tests/test.cpp index b9608b757b9..749dc9bdc67 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-754/semmle/tests/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-754/semmle/tests/test.cpp 
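Review bot: In `TestFunc` the new `// $ Alert` markers on `funcTest1();` and `DllMain();` are the only expectations in this hunk without a `// BAD` explanation, so the test does not say why these two calls are expected to be flagged. The bodies of `funcTest1` and `DllMain` are outside the hunk, so the reason cannot be read from here. If the results are intended, put the reason next to the marker, e.g. `funcTest1(); // BAD: <reason> // $ Alert`; if they are not, mark them `// $ SPURIOUS: Alert` instead.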
@@ -49,9 +49,9 @@ int functionWork1b(int retIndex) { char a[10]; int b; int *p = &b; - scanf("%i", &i); // BAD - scanf("%s", a); // BAD - scanf("%i", p); // BAD + scanf("%i", &i); // BAD // $ Alert + scanf("%s", a); // BAD // $ Alert + scanf("%i", p); // BAD // $ Alert if(retIndex == 0) return (int)*a; if(retIndex == 1) @@ -102,9 +102,9 @@ int functionWork2b() { char a[10]; int b; int *p = &b; - scanf("%i", &i); // BAD - scanf("%s", a); // BAD - scanf("%i", p); // BAD + scanf("%i", &i); // BAD // $ Alert + scanf("%s", a); // BAD // $ Alert + scanf("%i", p); // BAD // $ Alert globalVal = i; globalVala = a; globalValp = p; @@ -112,12 +112,12 @@ int functionWork2b() { } int functionWork2b_() { char a[10]; - scanf("%s", a); // BAD + scanf("%s", a); // BAD // $ Alert globalVala2 = a[0]; return 0; } int functionWork3b(int * i) { - scanf("%i", i); // BAD + scanf("%i", i); // BAD // $ Alert return 0; } int functionWork3() { diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-758/semmle/tests/UndefinedOrImplementationDefinedBehavior.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-758/semmle/tests/UndefinedOrImplementationDefinedBehavior.qlref index e178bc348e9..933f46a7abf 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-758/semmle/tests/UndefinedOrImplementationDefinedBehavior.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-758/semmle/tests/UndefinedOrImplementationDefinedBehavior.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-758/UndefinedOrImplementationDefinedBehavior.ql +query: experimental/Security/CWE/CWE-758/UndefinedOrImplementationDefinedBehavior.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-758/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-758/semmle/tests/test.c index 01d8e666cdd..f05eed27629 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-758/semmle/tests/test.c 
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-758/semmle/tests/test.c @@ -10,10 +10,10 @@ char tmpFunction2(char * buf) } void workFunction_0(char *s, char * buf) { int intA; - intA = tmpFunction1(buf) + tmpFunction2(buf); // BAD + intA = tmpFunction1(buf) + tmpFunction2(buf); // BAD // $ Alert intA = tmpFunction1(buf); //GOOD intA += tmpFunction2(buf); // GOOD - buf[intA] = intA++; // BAD + buf[intA] = intA++; // BAD // $ Alert intA++; buf[intA] = intA; // GOOD } diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-783/semmle/tests/OperatorPrecedenceLogicErrorWhenUseBitwiseOrLogicalOperations.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-783/semmle/tests/OperatorPrecedenceLogicErrorWhenUseBitwiseOrLogicalOperations.qlref index 0c3f1c1c6a6..e2b7ace55b9 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-783/semmle/tests/OperatorPrecedenceLogicErrorWhenUseBitwiseOrLogicalOperations.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-783/semmle/tests/OperatorPrecedenceLogicErrorWhenUseBitwiseOrLogicalOperations.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBitwiseOrLogicalOperations.ql +query: experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBitwiseOrLogicalOperations.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-783/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-783/semmle/tests/test.cpp index 479a4e5d6a3..834ea271921 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-783/semmle/tests/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-783/semmle/tests/test.cpp 
@@ -1,14 +1,14 @@ void testFunction(int i1, int i2, int i3, bool b1, bool b2, bool b3, char c1) { - if(b1||b2&&b3) //BAD + if(b1||b2&&b3) //BAD // $ Alert return; if((b1||b2)&&b3) //GOOD return; if(b1||(b2&&b3)) //GOOD return; - if(b1||b2&i1) //BAD + if(b1||b2&i1) //BAD // $ Alert return; if((b1||b2)&i1) //GOOD return; @@ -16,26 +16,26 @@ void testFunction(int i1, int i2, int i3, bool b1, bool b2, bool b3, char c1) return; if(b1&&b2&0) //GOOD return; - if(b1||b2|i1) //BAD + if(b1||b2|i1) //BAD // $ Alert return; if((b1||b2)|i1) //GOOD return; - if(i1|i2&c1) //BAD + if(i1|i2&c1) //BAD // $ Alert return; if((i1|i2)&i3) //GOOD return; - if(i1^i2&c1) //BAD + if(i1^i2&c1) //BAD // $ Alert return; if((i1^i2)&i3) //GOOD return; - if(i1|i2^c1) //BAD + if(i1|i2^c1) //BAD // $ Alert return; if((i1|i2)^i3) //GOOD return; - if(b1|b2^b3) //BAD + if(b1|b2^b3) //BAD // $ Alert return; if((b1|b2)^b3) //GOOD return; diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qlref index 6ba005d087a..c3aaa7d65a0 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql +query: experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/OperatorPrecedenceLogicErrorWhenUseBoolType.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/OperatorPrecedenceLogicErrorWhenUseBoolType.qlref index 5189abcce5d..47c4540803d 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/OperatorPrecedenceLogicErrorWhenUseBoolType.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/OperatorPrecedenceLogicErrorWhenUseBoolType.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.ql +query: experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c index a204aa4db29..1fb546aa696 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c 
@@ -13,15 +13,15 @@ void strlen_test1(){ struct buffers buffAll; struct buffers * buffAll1; - buff1[strlen(buff1)]=0; // BAD - buffAll.array[strlen(buffAll.array)]=0; // BAD - buffAll.pointer[strlen(buffAll.pointer)]=0; // BAD - buffAll1->array[strlen(buffAll1->array)]=0; // BAD - buffAll1->pointer[strlen(buffAll1->pointer)]=0; // BAD - globalBuff1.array[strlen(globalBuff1.array)]=0; // BAD - globalBuff1.pointer[strlen(globalBuff1.pointer)]=0; // BAD - globalBuff2->array[strlen(globalBuff2->array)]=0; // BAD - globalBuff2->pointer[strlen(globalBuff2->pointer)]=0; // BAD + buff1[strlen(buff1)]=0; // BAD // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] + buffAll.array[strlen(buffAll.array)]=0; // BAD // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] + buffAll.pointer[strlen(buffAll.pointer)]=0; // BAD // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] + buffAll1->array[strlen(buffAll1->array)]=0; // BAD // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] + buffAll1->pointer[strlen(buffAll1->pointer)]=0; // BAD // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] + globalBuff1.array[strlen(globalBuff1.array)]=0; // BAD // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] + globalBuff1.pointer[strlen(globalBuff1.pointer)]=0; // BAD // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] + globalBuff2->array[strlen(globalBuff2->array)]=0; // BAD // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] + globalBuff2->pointer[strlen(globalBuff2->pointer)]=0; // BAD // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] } void strlen_test2(){ diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.cpp index f08d2a45757..7f12385e68f 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.cpp 
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.cpp @@ -7,13 +7,13 @@ void testFunction() int i1,i2,i3; bool b1,b2,b3; char c1,c2,c3; - b1 = -b2; //BAD + b1 = -b2; //BAD // $ Alert[cpp/operator-precedence-logic-error-when-use-bool-type] b1 = !b2; //GOOD - b1++; //BAD - ++b1; //BAD - if(i1=tmpFunc()!=i2) //BAD + b1++; //BAD // $ Alert[cpp/operator-precedence-logic-error-when-use-bool-type] + ++b1; //BAD // $ Alert[cpp/operator-precedence-logic-error-when-use-bool-type] + if(i1=tmpFunc()!=i2) //BAD // $ Alert[cpp/operator-precedence-logic-error-when-use-bool-type] return; - if(i1=tmpFunc()!=11) //BAD + if(i1=tmpFunc()!=11) //BAD // $ Alert[cpp/operator-precedence-logic-error-when-use-bool-type] return; if((i1=tmpFunc())!=i2) //GOOD return; diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-805/semmle/tests/BufferAccessWithIncorrectLengthValue.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-805/semmle/tests/BufferAccessWithIncorrectLengthValue.qlref index 6cbb5527211..e92957d34a8 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-805/semmle/tests/BufferAccessWithIncorrectLengthValue.qlref +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-805/semmle/tests/BufferAccessWithIncorrectLengthValue.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-805/BufferAccessWithIncorrectLengthValue.ql +query: experimental/Security/CWE/CWE-805/BufferAccessWithIncorrectLengthValue.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-805/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-805/semmle/tests/test.cpp index 26c33abab65..6ba89565047 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-805/semmle/tests/test.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-805/semmle/tests/test.cpp 
@@ -24,7 +24,7 @@ bool badTest1(SSL *ssl,char *text) char buf[256]; if( peer = SSL_get_peer_certificate(ssl)) { - X509_NAME_oneline(X509_get_subject_name(peer),buf,1024); // BAD + X509_NAME_oneline(X509_get_subject_name(peer),buf,1024); // BAD // $ Alert if((char*)strcasestr(buf,text)) return true; } return false; diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/semmle/tests/MemoryUnsafeFunctionScan.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/semmle/tests/MemoryUnsafeFunctionScan.cpp index 09506cbc087..1c0f5382935 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/semmle/tests/MemoryUnsafeFunctionScan.cpp +++ b/cpp/ql/test/experimental/query-tests/Security/CWE/semmle/tests/MemoryUnsafeFunctionScan.cpp @@ -16,7 +16,7 @@ int main(int argc, char **argv) // BAD, do not use scanf without specifying a length first char buf1[10]; - scanf("%s", buf1); + scanf("%s", buf1); // $ Alert // GOOD, length is specified. The length should be one less than the size of the destination buffer, since the last character is the NULL terminator. char buf2[20]; @@ -25,7 +25,7 @@ int main(int argc, char **argv) // BAD, do not use scanf without specifying a length first char file[10]; - fscanf(file, "%s", buf2); + fscanf(file, "%s", buf2); // $ Alert // GOOD, with 'sscanf' the input can be checked first and enough room allocated [FALSE POSITIVE] if (argc >= 1) @@ -33,7 +33,7 @@ int main(int argc, char **argv) char *src = argv[0]; char *dest = (char *)malloc(strlen(src) + 1); - sscanf(src, "%s", dest); + sscanf(src, "%s", dest); // $ Alert } return 0; diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/semmle/tests/MemoryUnsafeFunctionScan.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/semmle/tests/MemoryUnsafeFunctionScan.qlref index 428d988a161..b8d5ea8dbe3 100644 --- a/cpp/ql/test/experimental/query-tests/Security/CWE/semmle/tests/MemoryUnsafeFunctionScan.qlref 
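Review bot: In the `@@ -33,7 +33,7 @@` hunk the `sscanf(src, "%s", dest);` line gets a plain `// $ Alert`, although the comment two lines above it marks the case as `GOOD ... [FALSE POSITIVE]`. That records a known-imprecise result as an expected true positive. The inline-expectation format has a `SPURIOUS:` prefix for this, so `sscanf(src, "%s", dest); // $ SPURIOUS: Alert` would keep the imprecision visible to whoever tunes the query later. The `), j++; // GOOD? [FALSE POSITIVE] // $ Alert` line in CommaBeforeMisleadingIndentation/test.cpp looks like the same case. main's body starts before this hunk.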
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/semmle/tests/MemoryUnsafeFunctionScan.qlref
@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.ql
\ No newline at end of file
+query: experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/library-tests/c11_generic/PrintAST.qlref b/cpp/ql/test/library-tests/c11_generic/PrintAST.qlref
index 6f85a6dbe69..645e39136f5 100644
--- a/cpp/ql/test/library-tests/c11_generic/PrintAST.qlref
+++ b/cpp/ql/test/library-tests/c11_generic/PrintAST.qlref
@@ -1 +1 @@
-semmle/code/cpp/PrintAST.ql
+query: semmle/code/cpp/PrintAST.ql
diff --git a/cpp/ql/test/library-tests/conversions/consistency.qlref b/cpp/ql/test/library-tests/conversions/consistency.qlref
index 183c1b1ffe1..e4b883a499a 100644
--- a/cpp/ql/test/library-tests/conversions/consistency.qlref
+++ b/cpp/ql/test/library-tests/conversions/consistency.qlref
@@ -1 +1 @@
-semmle/code/cpp/ASTConsistency.ql
+query: semmle/code/cpp/ASTConsistency.ql
diff --git a/cpp/ql/test/library-tests/extraction_errors/CompilerErrors.qlref b/cpp/ql/test/library-tests/extraction_errors/CompilerErrors.qlref
index fd0c287c00d..85408a38cdf 100644
--- a/cpp/ql/test/library-tests/extraction_errors/CompilerErrors.qlref
+++ b/cpp/ql/test/library-tests/extraction_errors/CompilerErrors.qlref
@@ -1 +1 @@
-Telemetry/CompilerErrors.ql
+query: Telemetry/CompilerErrors.ql
diff --git a/cpp/ql/test/library-tests/extraction_errors/DatabaseQuality.qlref b/cpp/ql/test/library-tests/extraction_errors/DatabaseQuality.qlref
index b2c536f00d7..9e81d9d2160 100644
--- a/cpp/ql/test/library-tests/extraction_errors/DatabaseQuality.qlref
+++ b/cpp/ql/test/library-tests/extraction_errors/DatabaseQuality.qlref
@@ -1 +1 @@
-Telemetry/DatabaseQuality.ql
+query: Telemetry/DatabaseQuality.ql
diff --git a/cpp/ql/test/library-tests/extraction_errors/ExtractionMetrics.qlref b/cpp/ql/test/library-tests/extraction_errors/ExtractionMetrics.qlref
index 80547fdfd98..1e0348487e8 100644
--- a/cpp/ql/test/library-tests/extraction_errors/ExtractionMetrics.qlref
+++ b/cpp/ql/test/library-tests/extraction_errors/ExtractionMetrics.qlref
@@ -1 +1 @@
-Telemetry/ExtractionMetrics.ql
\ No newline at end of file
+query: Telemetry/ExtractionMetrics.ql
diff --git a/cpp/ql/test/library-tests/extraction_errors/SucceededIncludes.qlref b/cpp/ql/test/library-tests/extraction_errors/SucceededIncludes.qlref
index 055b6af49a7..949a011697d 100644
--- a/cpp/ql/test/library-tests/extraction_errors/SucceededIncludes.qlref
+++ b/cpp/ql/test/library-tests/extraction_errors/SucceededIncludes.qlref
@@ -1 +1 @@
-Telemetry/SucceededIncludes.ql
+query: Telemetry/SucceededIncludes.ql
diff --git a/cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency_unsound.qlref b/cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency_unsound.qlref
index 0c9100ea043..4e659ed8cc9 100644
--- a/cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency_unsound.qlref
+++ b/cpp/ql/test/library-tests/ir/ir/aliased_ssa_consistency_unsound.qlref
@@ -1 +1 @@
-semmle/code/cpp/ir/IRConsistency.ql
\ No newline at end of file
+query: semmle/code/cpp/ir/IRConsistency.ql
diff --git a/cpp/ql/test/library-tests/ir/ir/aliased_ssa_ssa_consistency_unsound.qlref b/cpp/ql/test/library-tests/ir/ir/aliased_ssa_ssa_consistency_unsound.qlref
index d0a29f0641a..11a9e601a07 100644
--- a/cpp/ql/test/library-tests/ir/ir/aliased_ssa_ssa_consistency_unsound.qlref
+++ b/cpp/ql/test/library-tests/ir/ir/aliased_ssa_ssa_consistency_unsound.qlref
@@ -1 +1 @@
-semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.ql
\ No newline at end of file
+query: semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.ql
diff --git a/cpp/ql/test/library-tests/ir/ir/raw_consistency.qlref b/cpp/ql/test/library-tests/ir/ir/raw_consistency.qlref
index eb7cc77b316..6c4fdc743eb 100644
--- a/cpp/ql/test/library-tests/ir/ir/raw_consistency.qlref
+++ b/cpp/ql/test/library-tests/ir/ir/raw_consistency.qlref
@@ -1 +1 @@
-semmle/code/cpp/ir/implementation/raw/IRConsistency.ql
\ No newline at end of file
+query: semmle/code/cpp/ir/implementation/raw/IRConsistency.ql
diff --git a/cpp/ql/test/library-tests/ir/ir/unaliased_ssa_consistency_unsound.qlref b/cpp/ql/test/library-tests/ir/ir/unaliased_ssa_consistency_unsound.qlref
index 1d0a3543932..a7c519f7dcd 100644
--- a/cpp/ql/test/library-tests/ir/ir/unaliased_ssa_consistency_unsound.qlref
+++ b/cpp/ql/test/library-tests/ir/ir/unaliased_ssa_consistency_unsound.qlref
@@ -1 +1 @@
-semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.ql
\ No newline at end of file
+query: semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.ql
diff --git a/cpp/ql/test/library-tests/ir/ir/unaliased_ssa_ssa_consistency_unsound.qlref b/cpp/ql/test/library-tests/ir/ir/unaliased_ssa_ssa_consistency_unsound.qlref
index fd03efbc267..3ac4894b14e 100644
--- a/cpp/ql/test/library-tests/ir/ir/unaliased_ssa_ssa_consistency_unsound.qlref
+++ b/cpp/ql/test/library-tests/ir/ir/unaliased_ssa_ssa_consistency_unsound.qlref
@@ -1 +1 @@
-semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistency.ql
\ No newline at end of file
+query: semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistency.ql
diff --git a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency_unsound.qlref b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency_unsound.qlref
index 0c9100ea043..4e659ed8cc9 100644
--- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency_unsound.qlref
+++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency_unsound.qlref
@@ -1 +1 @@
-semmle/code/cpp/ir/IRConsistency.ql
\ No newline at end of file
+query: semmle/code/cpp/ir/IRConsistency.ql
diff --git a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.qlref b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.qlref
index 7d4b2950a35..981d95d4400 100644
--- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.qlref
+++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.qlref
@@ -1 +1 @@
-semmle/code/cpp/ir/PrintIR.ql
\ No newline at end of file
+query: semmle/code/cpp/ir/PrintIR.ql
diff --git a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ssa_consistency_unsound.qlref b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ssa_consistency_unsound.qlref
index d0a29f0641a..11a9e601a07 100644
--- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ssa_consistency_unsound.qlref
+++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ssa_consistency_unsound.qlref
@@ -1 +1 @@
-semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.ql
\ No newline at end of file
+query: semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.ql
diff --git a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_consistency_unsound.qlref b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_consistency_unsound.qlref
index 1d0a3543932..a7c519f7dcd 100644
--- a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_consistency_unsound.qlref
+++ b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_consistency_unsound.qlref
@@ -1 +1 @@
-semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.ql
\ No newline at end of file
+query: semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.ql
diff --git a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.qlref b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.qlref
index 3f776444036..ad25a00416b 100644
--- a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.qlref
+++ b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.qlref
@@ -1 +1 @@ -semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.ql \ No newline at end of file +query: semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.ql diff --git a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ssa_consistency_unsound.qlref b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ssa_consistency_unsound.qlref index fd03efbc267..3ac4894b14e 100644 --- a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ssa_consistency_unsound.qlref +++ b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ssa_consistency_unsound.qlref @@ -1 +1 @@ -semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistency.ql \ No newline at end of file +query: semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistency.ql diff --git a/cpp/ql/test/library-tests/lossy_pointer_cast/lossy_pointer_cast.c b/cpp/ql/test/library-tests/lossy_pointer_cast/lossy_pointer_cast.c index 8f76cdb42f2..4c91a819add 100644 --- a/cpp/ql/test/library-tests/lossy_pointer_cast/lossy_pointer_cast.c +++ b/cpp/ql/test/library-tests/lossy_pointer_cast/lossy_pointer_cast.c @@ -6,11 +6,11 @@ void f(void) { long long int z; z = (long long int)p1; // OK: long long int is big enough - i = (short int)p2; // Bad: short is too small + i = (short int)p2; // Bad: short is too small // $ Alert i = (short int)(long long int)p3; // OK: we assume they know what // they are doing if they go // via a large-enough type - i = (short int)(void *)p4; // Bad: Going via a pointer type is + i = (short int)(void *)p4; // Bad: Going via a pointer type is // $ Alert // not convincing } diff --git a/cpp/ql/test/library-tests/lossy_pointer_cast/lossy_pointer_cast.qlref b/cpp/ql/test/library-tests/lossy_pointer_cast/lossy_pointer_cast.qlref index d202b53c6aa..69e313c34ee 100644 --- a/cpp/ql/test/library-tests/lossy_pointer_cast/lossy_pointer_cast.qlref +++ b/cpp/ql/test/library-tests/lossy_pointer_cast/lossy_pointer_cast.qlref 
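Review bot: The annotation on the `p4` cast lands in the middle of a two-line explanatory comment, so the test now reads `// Bad: Going via a pointer type is // $ Alert` followed by `// not convincing`. Putting the expectation first keeps the sentence readable: `i = (short int)(void *)p4; // $ Alert // Bad: Going via a pointer type is`. This assumes the expectation parser ignores a trailing `//` comment after the tag, which is how I understand the inline-expectation syntax. f's body starts before this hunk.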
@@ -1 +1,2 @@
-Likely Bugs/Conversion/LossyPointerCast.ql
+query: Likely Bugs/Conversion/LossyPointerCast.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/library-tests/subscript_operator/PrintAST.qlref b/cpp/ql/test/library-tests/subscript_operator/PrintAST.qlref
index 6fcb30ac7a6..645e39136f5 100644
--- a/cpp/ql/test/library-tests/subscript_operator/PrintAST.qlref
+++ b/cpp/ql/test/library-tests/subscript_operator/PrintAST.qlref
@@ -1 +1 @@
-semmle/code/cpp/PrintAST.ql
\ No newline at end of file
+query: semmle/code/cpp/PrintAST.ql
diff --git a/cpp/ql/test/library-tests/syntax-zoo/aliased_ssa_consistency.qlref b/cpp/ql/test/library-tests/syntax-zoo/aliased_ssa_consistency.qlref
index 0c9100ea043..4e659ed8cc9 100644
--- a/cpp/ql/test/library-tests/syntax-zoo/aliased_ssa_consistency.qlref
+++ b/cpp/ql/test/library-tests/syntax-zoo/aliased_ssa_consistency.qlref
@@ -1 +1 @@
-semmle/code/cpp/ir/IRConsistency.ql
\ No newline at end of file
+query: semmle/code/cpp/ir/IRConsistency.ql
diff --git a/cpp/ql/test/library-tests/syntax-zoo/raw_consistency.qlref b/cpp/ql/test/library-tests/syntax-zoo/raw_consistency.qlref
index eb7cc77b316..6c4fdc743eb 100644
--- a/cpp/ql/test/library-tests/syntax-zoo/raw_consistency.qlref
+++ b/cpp/ql/test/library-tests/syntax-zoo/raw_consistency.qlref
@@ -1 +1 @@
-semmle/code/cpp/ir/implementation/raw/IRConsistency.ql
\ No newline at end of file
+query: semmle/code/cpp/ir/implementation/raw/IRConsistency.ql
diff --git a/cpp/ql/test/library-tests/syntax-zoo/unaliased_ssa_consistency.qlref b/cpp/ql/test/library-tests/syntax-zoo/unaliased_ssa_consistency.qlref
index 1d0a3543932..a7c519f7dcd 100644
--- a/cpp/ql/test/library-tests/syntax-zoo/unaliased_ssa_consistency.qlref
+++ b/cpp/ql/test/library-tests/syntax-zoo/unaliased_ssa_consistency.qlref
@@ -1 +1 @@ -semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.ql \ No newline at end of file +query: semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.ql diff --git a/cpp/ql/test/library-tests/types/integral_types_ms/integral_type.qlref b/cpp/ql/test/library-tests/types/integral_types_ms/integral_type.qlref index e5e0e3cdf43..6b61b46a179 100644 --- a/cpp/ql/test/library-tests/types/integral_types_ms/integral_type.qlref +++ b/cpp/ql/test/library-tests/types/integral_types_ms/integral_type.qlref @@ -1 +1 @@ -../integral_types/integral_type.ql +query: ../integral_types/integral_type.ql diff --git a/cpp/ql/test/query-tests/AlertSuppression/AlertSuppression.qlref b/cpp/ql/test/query-tests/AlertSuppression/AlertSuppression.qlref index 9d7833eccae..dc898fca718 100644 --- a/cpp/ql/test/query-tests/AlertSuppression/AlertSuppression.qlref +++ b/cpp/ql/test/query-tests/AlertSuppression/AlertSuppression.qlref @@ -1 +1 @@ -AlertSuppression.ql +query: AlertSuppression.ql diff --git a/cpp/ql/test/query-tests/Architecture/FeatureEnvy/FeatureEnvy.qlref b/cpp/ql/test/query-tests/Architecture/FeatureEnvy/FeatureEnvy.qlref index cbb26c9c3bf..0c7c0f33b1e 100644 --- a/cpp/ql/test/query-tests/Architecture/FeatureEnvy/FeatureEnvy.qlref +++ b/cpp/ql/test/query-tests/Architecture/FeatureEnvy/FeatureEnvy.qlref @@ -1 +1,2 @@ -Architecture/FeatureEnvy.ql +query: Architecture/FeatureEnvy.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Architecture/FeatureEnvy/a.cpp b/cpp/ql/test/query-tests/Architecture/FeatureEnvy/a.cpp index 588364e7309..059908b3486 100644 --- a/cpp/ql/test/query-tests/Architecture/FeatureEnvy/a.cpp +++ b/cpp/ql/test/query-tests/Architecture/FeatureEnvy/a.cpp @@ -7,7 +7,7 @@ void local3(void) { } void local4(void) { } void local5(void) { } -void f1(void) { +void f1(void) { // $ Alert g(); h(); i(); @@ -15,7 +15,7 @@ void f1(void) { k(); } -void f2(void) { +void f2(void) { // $ Alert local1(); g(); h(); 
@@ -45,7 +45,7 @@ void f4(void) { j(); } -void f5(void) { +void f5(void) { // $ Alert MyClass m; m.mg(); diff --git a/cpp/ql/test/query-tests/Architecture/InappropriateIntimacy/InappropriateIntimacy.qlref b/cpp/ql/test/query-tests/Architecture/InappropriateIntimacy/InappropriateIntimacy.qlref index dc7e4d5cd05..18947060c36 100644 --- a/cpp/ql/test/query-tests/Architecture/InappropriateIntimacy/InappropriateIntimacy.qlref +++ b/cpp/ql/test/query-tests/Architecture/InappropriateIntimacy/InappropriateIntimacy.qlref @@ -1 +1 @@ -Architecture/InappropriateIntimacy.ql +query: Architecture/InappropriateIntimacy.ql diff --git a/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ClassesWithManyFields/cwmf.cpp b/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ClassesWithManyFields/cwmf.cpp index 374ad8b6337..183cae6b690 100644 --- a/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ClassesWithManyFields/cwmf.cpp +++ b/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ClassesWithManyFields/cwmf.cpp @@ -6,12 +6,12 @@ struct aa { TEN(int_f) - TEN(int_g) + TEN(int_g) // $ Alert }; class bb { TEN(int_f) - TEN(int_g) + TEN(int_g) // $ Alert }; union cc_not_flagged_up_because_unions_are_not_classes_in_this_sense { @@ -22,13 +22,13 @@ union cc_not_flagged_up_because_unions_are_not_classes_in_this_sense { template struct dd { TEN(int_f) - TEN(int_g) + TEN(int_g) // $ Alert }; template struct ee { TEN(int_f) - TEN(int_g) + TEN(int_g) // $ Alert }; void instantiate() { @@ -54,10 +54,10 @@ struct MyParticle { unsigned char r2, g2, b2, a2; class texture *tex; - float u1, v1, u2, v2; + float u1, v1, u2, v2; // $ Alert }; -struct MyAlphaClass1 { +struct MyAlphaClass1 { // $ Alert int a1, b1, c1, d1, e1, f1, g1, h1, i1, j1; int k1, l1, m1, n1, o1, p1, q1, r1, s1, t1; int u1, v1, w1, x1, y1, z1; @@ -71,7 +71,7 @@ struct MyAlphaClass1 { int u2, v2, w2, x2, y2, z2; }; -struct MyAlphaClass2 { +struct MyAlphaClass2 { // $ Alert int x; // ... 
diff --git a/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ClassesWithManyFields/cwmf.qlref b/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ClassesWithManyFields/cwmf.qlref index 1afc89cceef..6d9540acb23 100644 --- a/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ClassesWithManyFields/cwmf.qlref +++ b/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ClassesWithManyFields/cwmf.qlref @@ -1 +1,2 @@ -Architecture/Refactoring Opportunities/ClassesWithManyFields.ql +query: Architecture/Refactoring Opportunities/ClassesWithManyFields.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ClassesWithManyFields/different_types.h b/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ClassesWithManyFields/different_types.h index 3e2a6c6e4ce..11aea5dc11c 100644 --- a/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ClassesWithManyFields/different_types.h +++ b/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ClassesWithManyFields/different_types.h @@ -30,6 +30,6 @@ class DifferentTypes2 { int j6; int j7; int j8; - int j9; + int j9; // $ Alert }; diff --git a/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ComplexFunctions/ComplexFunctions.qlref b/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ComplexFunctions/ComplexFunctions.qlref index 22bc3d27663..a00aeaa47cf 100644 --- a/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ComplexFunctions/ComplexFunctions.qlref +++ b/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ComplexFunctions/ComplexFunctions.qlref @@ -1 +1,2 @@ -Architecture/Refactoring Opportunities/ComplexFunctions.ql +query: Architecture/Refactoring Opportunities/ComplexFunctions.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ComplexFunctions/complex.c b/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ComplexFunctions/complex.c index 6499a1bc38d..be209ddbf45 100644 --- a/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ComplexFunctions/complex.c +++ b/cpp/ql/test/query-tests/Architecture/Refactoring Opportunities/ComplexFunctions/complex.c @@ -11,7 +11,7 @@ void g(void) { f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); } -void h(void) { +void h(void) { // $ Alert f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); f(); diff --git a/cpp/ql/test/query-tests/Best Practices/GuardedFree/GuardedFree.qlref b/cpp/ql/test/query-tests/Best Practices/GuardedFree/GuardedFree.qlref index d64671f08c3..8abe92507f2 100644 --- a/cpp/ql/test/query-tests/Best Practices/GuardedFree/GuardedFree.qlref +++ b/cpp/ql/test/query-tests/Best Practices/GuardedFree/GuardedFree.qlref @@ -1 +1,2 @@ -Best Practices/GuardedFree.ql +query: Best Practices/GuardedFree.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Best Practices/GuardedFree/test.cpp b/cpp/ql/test/query-tests/Best Practices/GuardedFree/test.cpp index d52bcef72d1..04b6cc061d4 100644 --- a/cpp/ql/test/query-tests/Best Practices/GuardedFree/test.cpp +++ b/cpp/ql/test/query-tests/Best Practices/GuardedFree/test.cpp @@ -2,12 +2,12 @@ extern "C" void free(void *ptr); extern "C" int strcmp(const char *s1, const char *s2); void test0(int *x) { - if (x) // BAD + if (x) // BAD // $ Alert free(x); } void test1(int *x) { - if (x) { // BAD + if (x) { // BAD // $ Alert free(x); } } 
@@ -39,14 +39,14 @@ bool test4(char *x, char *y) { void test5(char *x) { if (x) *x = 42; - if (x) { // BAD + if (x) { // BAD // $ Alert free(x); } } void test6(char *x) { *x = 42; - if (x) { // BAD + if (x) { // BAD // $ Alert free(x); } } @@ -103,7 +103,7 @@ bool test12(char *x) { } void test13(char *x) { - if (x != nullptr) // BAD + if (x != nullptr) // BAD // $ Alert free(x); } diff --git a/cpp/ql/test/query-tests/Best Practices/Hiding/DeclarationHidesParameter/DeclarationHidesParameter.qlref b/cpp/ql/test/query-tests/Best Practices/Hiding/DeclarationHidesParameter/DeclarationHidesParameter.qlref index c3e02ee7f47..339ba0c6888 100644 --- a/cpp/ql/test/query-tests/Best Practices/Hiding/DeclarationHidesParameter/DeclarationHidesParameter.qlref +++ b/cpp/ql/test/query-tests/Best Practices/Hiding/DeclarationHidesParameter/DeclarationHidesParameter.qlref @@ -1 +1,2 @@ -Best Practices/Hiding/DeclarationHidesParameter.ql +query: Best Practices/Hiding/DeclarationHidesParameter.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Best Practices/Hiding/DeclarationHidesParameter/hiding.cpp b/cpp/ql/test/query-tests/Best Practices/Hiding/DeclarationHidesParameter/hiding.cpp index 0b08a0ae612..4aa7effb0fb 100644 --- a/cpp/ql/test/query-tests/Best Practices/Hiding/DeclarationHidesParameter/hiding.cpp +++ b/cpp/ql/test/query-tests/Best Practices/Hiding/DeclarationHidesParameter/hiding.cpp @@ -1,7 +1,7 @@ void f(int ii) { if (1) { - for(int ii = 1; ii < 10; ii++) { // local variable hides parameter of the same name + for(int ii = 1; ii < 10; ii++) { // local variable hides parameter of the same name // $ Alert ; } } @@ -12,7 +12,7 @@ namespace foo { void f2(int ii, int kk) { try { for (ii = 0; ii < 3; ii++) { - int kk; // local variable hides parameter of the same name + int kk; // local variable hides parameter of the same name // $ Alert } } catch (int ee) { 
@@ -25,7 +25,7 @@ void myFunction(int a, int b, int c); void myFunction(int a, int b, int _c) { { - int a = a; // local variable hides parameter of the same name + int a = a; // local variable hides parameter of the same name // $ Alert int _b = b; int c = _c; @@ -42,7 +42,7 @@ public: template void MyTemplateClass :: myMethod(int a, int b, int _c) { { - int a = a; // local variable hides parameter of the same name + int a = a; // local variable hides parameter of the same name // $ Alert int _b = b; int c = _c; @@ -61,7 +61,7 @@ void test() { void testMacro(int i) { MYMACRO; - for (int i = 0; i < 10; i++) {}; // local variable hides parameter of the same name + for (int i = 0; i < 10; i++) {}; // local variable hides parameter of the same name // $ Alert } #include "hiding.h" @@ -75,7 +75,7 @@ void myClass::myMethod(int arg1, T arg2) { { int protoArg1; T protoArg2; - int arg1; // local variable hides parameter of the same name - T arg2; // local variable hides parameter of the same name + int arg1; // local variable hides parameter of the same name // $ Alert + T arg2; // local variable hides parameter of the same name // $ Alert } } diff --git a/cpp/ql/test/query-tests/Best Practices/Hiding/DeclarationHidesVariable/DeclarationHidesVariable.qlref b/cpp/ql/test/query-tests/Best Practices/Hiding/DeclarationHidesVariable/DeclarationHidesVariable.qlref index 8f9a1799e06..73e5d81ddce 100644 --- a/cpp/ql/test/query-tests/Best Practices/Hiding/DeclarationHidesVariable/DeclarationHidesVariable.qlref +++ b/cpp/ql/test/query-tests/Best Practices/Hiding/DeclarationHidesVariable/DeclarationHidesVariable.qlref @@ -1 +1,2 @@ -Best Practices/Hiding/DeclarationHidesVariable.ql +query: Best Practices/Hiding/DeclarationHidesVariable.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/Best Practices/Hiding/DeclarationHidesVariable/hiding.cpp b/cpp/ql/test/query-tests/Best Practices/Hiding/DeclarationHidesVariable/hiding.cpp index 3a96933db7d..b75dfbd5530 100644 --- a/cpp/ql/test/query-tests/Best Practices/Hiding/DeclarationHidesVariable/hiding.cpp +++ b/cpp/ql/test/query-tests/Best Practices/Hiding/DeclarationHidesVariable/hiding.cpp @@ -3,7 +3,7 @@ void f(void) { if (1) { int i; - for(int i = 1; i < 10; i++) { // BAD + for(int i = 1; i < 10; i++) { // BAD // $ Alert ; } } @@ -15,7 +15,7 @@ namespace foo { int k; try { for (i = 0; i < 3; i++) { - int k; // BAD + int k; // BAD // $ Alert } } catch (int e) { @@ -35,7 +35,7 @@ void structuredBinding() { int xs[1] = {1}; auto [x] = xs; { - auto [x] = xs; // BAD + auto [x] = xs; // BAD // $ Alert auto [y] = xs; // GOOD } } diff --git a/cpp/ql/test/query-tests/Best Practices/Hiding/LocalVariableHidesGlobalVariable/DeclarationHidesVariable.qlref b/cpp/ql/test/query-tests/Best Practices/Hiding/LocalVariableHidesGlobalVariable/DeclarationHidesVariable.qlref index 8f9a1799e06..73e5d81ddce 100644 --- a/cpp/ql/test/query-tests/Best Practices/Hiding/LocalVariableHidesGlobalVariable/DeclarationHidesVariable.qlref +++ b/cpp/ql/test/query-tests/Best Practices/Hiding/LocalVariableHidesGlobalVariable/DeclarationHidesVariable.qlref @@ -1 +1,2 @@ -Best Practices/Hiding/DeclarationHidesVariable.ql +query: Best Practices/Hiding/DeclarationHidesVariable.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Best Practices/Hiding/LocalVariableHidesGlobalVariable/Hiding.c b/cpp/ql/test/query-tests/Best Practices/Hiding/LocalVariableHidesGlobalVariable/Hiding.c index f055d2fff89..9f4b900239a 100644 --- a/cpp/ql/test/query-tests/Best Practices/Hiding/LocalVariableHidesGlobalVariable/Hiding.c +++ b/cpp/ql/test/query-tests/Best Practices/Hiding/LocalVariableHidesGlobalVariable/Hiding.c 
@@ -12,16 +12,16 @@ void f(void) { if(1) { int k; if(1) { - int i; // BAD (hides local) - int j; // BAD (hides local) - int k; // BAD (hides local) + int i; // BAD (hides local) // $ Alert[cpp/declaration-hides-variable] + int j; // BAD (hides local) // $ Alert[cpp/declaration-hides-variable] + int k; // BAD (hides local) // $ Alert[cpp/declaration-hides-variable] int l; int m; int n; - int gi; // BAD (hides global) - int gj; // BAD (hides global) - int gk; // BAD (hides global) + int gi; // BAD (hides global) // $ Alert[cpp/local-variable-hides-global-variable] + int gj; // BAD (hides global) // $ Alert[cpp/local-variable-hides-global-variable] + int gk; // BAD (hides global) // $ Alert[cpp/local-variable-hides-global-variable] } int l; // GOOD (scopes do not overlap) } @@ -34,7 +34,7 @@ int g1, g2, g3, g4, g5; void function1(int g1); // GOOD (the hiding name isn't associated with a code block) extern void function2(int g2); // GOOD (the hiding name isn't associated with a code block) -void function3(int g3) {}; // BAD +void function3(int g3) {}; // BAD // $ Alert[cpp/local-variable-hides-global-variable] void function4(int g4); // GOOD (the hiding name isn't associated with a code block) -void function4(int g5) {}; // BAD +void function4(int g5) {}; // BAD // $ Alert[cpp/local-variable-hides-global-variable] diff --git a/cpp/ql/test/query-tests/Best Practices/Hiding/LocalVariableHidesGlobalVariable/LocalVariableHidesGlobalVariable.qlref b/cpp/ql/test/query-tests/Best Practices/Hiding/LocalVariableHidesGlobalVariable/LocalVariableHidesGlobalVariable.qlref index 0267b31251d..326ddde08d3 100644 --- a/cpp/ql/test/query-tests/Best Practices/Hiding/LocalVariableHidesGlobalVariable/LocalVariableHidesGlobalVariable.qlref +++ b/cpp/ql/test/query-tests/Best Practices/Hiding/LocalVariableHidesGlobalVariable/LocalVariableHidesGlobalVariable.qlref 
@@ -1 +1,2 @@ -Best Practices/Hiding/LocalVariableHidesGlobalVariable.ql +query: Best Practices/Hiding/LocalVariableHidesGlobalVariable.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation/CommaBeforeMisleadingIndentation.qlref b/cpp/ql/test/query-tests/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation/CommaBeforeMisleadingIndentation.qlref index 02b5f38e358..97f91b75c95 100644 --- a/cpp/ql/test/query-tests/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation/CommaBeforeMisleadingIndentation.qlref +++ b/cpp/ql/test/query-tests/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation/CommaBeforeMisleadingIndentation.qlref @@ -1 +1,2 @@ -Best Practices/Likely Errors/CommaBeforeMisleadingIndentation.ql +query: Best Practices/Likely Errors/CommaBeforeMisleadingIndentation.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation/test.cpp b/cpp/ql/test/query-tests/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation/test.cpp index dbf792db338..49040bf6f48 100644 --- a/cpp/ql/test/query-tests/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation/test.cpp +++ b/cpp/ql/test/query-tests/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation/test.cpp @@ -46,10 +46,10 @@ int Foo::test(int (*baz)(int)) if (i) (void)i, // BAD - (void)j; + (void)j; // $ Alert if (1) FOO(i), - (void)x.foo(j); // BAD + (void)x.foo(j); // BAD // $ Alert // Parenthesized comma (borderline example): @@ -157,13 +157,13 @@ int Foo::test(int (*baz)(int)) if (i) (void)i, // GOOD if tab >= 4 spaces else BAD -- can't exclude w/o source code text :/ - (void)j; + (void)j; // $ Alert // LHS ends on same line RHS begins on: if (1) foo( i++ - ), j++; // GOOD? [FALSE POSITIVE] + ), j++; // GOOD? [FALSE POSITIVE] // $ Alert if (1) baz( i++ 
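Review bot: In the `@@ -157,13 +157,13 @@` hunk of CommaBeforeMisleadingIndentation/test.cpp, the line `), j++; // GOOD? [FALSE POSITIVE]` gets a plain `// $ Alert`, which records a result the test's own comment calls wrong as if it were an expected finding. The inline-expectations syntax has a marker for a known false positive, so the line would read `), j++; // GOOD? [FALSE POSITIVE] // $ SPURIOUS: Alert`. The test still passes today, and its expected output changes as soon as the query stops reporting the line. The same applies to `: 2; // $ Alert` in the `@@ -175,7 +175,7 @@` hunk and to the `// GOOD [FALSE POSITIVE] // $ Alert` line in the `@@ -36,15 +36,15 @@` hunk of OffsetUseBeforeRangeCheck/test.cpp. The body of `Foo::test` starts and ends outside these hunks.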
@@ -175,7 +175,7 @@ int Foo::test(int (*baz)(int)) return i++ , i++ // GOOD(?) [FALSE POSITIVE] -- can't exclude w/o source code text :/ ? 1 - : 2; + : 2; // $ Alert int quux = (tata->titi.tutu(), diff --git a/cpp/ql/test/query-tests/Best Practices/Likely Errors/EmptyBlock/EmptyBlock.qlref b/cpp/ql/test/query-tests/Best Practices/Likely Errors/EmptyBlock/EmptyBlock.qlref index c794984448a..889bef274a4 100644 --- a/cpp/ql/test/query-tests/Best Practices/Likely Errors/EmptyBlock/EmptyBlock.qlref +++ b/cpp/ql/test/query-tests/Best Practices/Likely Errors/EmptyBlock/EmptyBlock.qlref @@ -1 +1,2 @@ -Best Practices/Likely Errors/EmptyBlock.ql +query: Best Practices/Likely Errors/EmptyBlock.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Best Practices/Likely Errors/EmptyBlock/empty_block.cpp b/cpp/ql/test/query-tests/Best Practices/Likely Errors/EmptyBlock/empty_block.cpp index 8a8714d310f..1c6819e3683 100644 --- a/cpp/ql/test/query-tests/Best Practices/Likely Errors/EmptyBlock/empty_block.cpp +++ b/cpp/ql/test/query-tests/Best Practices/Likely Errors/EmptyBlock/empty_block.cpp @@ -6,11 +6,11 @@ void f() { int f(int x) { // BAD: - if (x) {} + if (x) {} // $ Alert // BAD: if (x) { - } + } // $ Alert if (x) { // GOOD (has comment) @@ -18,7 +18,7 @@ int f(int x) { // BAD (comment comes after): if (x) { - } + } // $ Alert // comment // GOOD (exception for loops with block on same line): diff --git a/cpp/ql/test/query-tests/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck/OffsetUseBeforeRangeCheck.qlref b/cpp/ql/test/query-tests/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck/OffsetUseBeforeRangeCheck.qlref index d934901f174..0e9b8f83382 100644 --- a/cpp/ql/test/query-tests/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck/OffsetUseBeforeRangeCheck.qlref +++ b/cpp/ql/test/query-tests/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck/OffsetUseBeforeRangeCheck.qlref 
@@ -1 +1,2 @@ -Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql \ No newline at end of file +query: Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck/test.cpp b/cpp/ql/test/query-tests/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck/test.cpp index 0c7baf7b7ff..2cf1d8e43c6 100644 --- a/cpp/ql/test/query-tests/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck/test.cpp +++ b/cpp/ql/test/query-tests/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck/test.cpp @@ -8,11 +8,11 @@ void test(char *buffer, int bufferSize) while ((i < bufferSize) && (buffer[i] == ' ')) { i++; } // GOOD i = 0; - while ((buffer[i] == ' ') && (i < bufferSize)) { i++; } // BAD + while ((buffer[i] == ' ') && (i < bufferSize)) { i++; } // BAD // $ Alert // check for 'x' if ((i < bufferSize) && (buffer[i] == 'x')) {} // GOOD - if ((buffer[i] == 'x') && (i < bufferSize)) {} // BAD + if ((buffer[i] == 'x') && (i < bufferSize)) {} // BAD // $ Alert if ((bufferSize > i) && (buffer[i] == 'x')) {} // GOOD if ((buffer[i] == 'x') && (bufferSize > i)) {} // BAD [NOT DETECTED] @@ -24,7 +24,7 @@ void test(char *buffer, int bufferSize) if ((buffer[i] == 'x') && (bufferSize >= i + 1)) {} // BAD [NOT DETECTED] if ((i < bufferSize) && (true) && (buffer[i] == 'x')) {} // GOOD - if ((buffer[i] == 'x') && (true) && (i < bufferSize)) {} // BAD + if ((buffer[i] == 'x') && (true) && (i < bufferSize)) {} // BAD // $ Alert if ((i < bufferSize - 1) && (buffer[i + 1] == 'x')) {} // GOOD if ((buffer[i + 1] == 'x') && (i < bufferSize - 1)) {} // BAD [NOT DETECTED] 
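Review bot: The context lines marked `// BAD [NOT DETECTED]` in the `@@ -8,11 +8,11 @@` and `@@ -24,7 +24,7 @@` hunks of OffsetUseBeforeRangeCheck/test.cpp get no annotation, so this query's known misses stay recorded only in free-text comments. Each of those lines reads `buffer[i]` or `buffer[i + 1]` before the bounds comparison. Marking them, for example `if ((buffer[i] == 'x') && (bufferSize > i)) {} // BAD [NOT DETECTED] // $ MISSING: Alert`, puts the gap into the machine-checked expectations and makes the test change when the query starts catching the pattern. The `[NOT DETECTED]` lines for `v5` and `myLambda` in UnusedLocals/code2.cpp are in the same position. The body of `test()` continues outside these hunks.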
@@ -36,15 +36,15 @@ void test(char *buffer, int bufferSize) // look for 'ab' for (i = 0; i < bufferSize; i++) { - if ((buffer[i] == 'a') && (i < bufferSize - 1) && (buffer[i + 1] == 'b')) // GOOD [FALSE POSITIVE] + if ((buffer[i] == 'a') && (i < bufferSize - 1) && (buffer[i + 1] == 'b')) // GOOD [FALSE POSITIVE] // $ Alert break; } if ((i < bufferSize) && (buffer[i])) {} // GOOD - if ((buffer[i]) && (i < bufferSize)) {} // BAD + if ((buffer[i]) && (i < bufferSize)) {} // BAD // $ Alert if ((i < bufferSize) && (buffer[i] + 1 == 'x')) {} // GOOD - if ((buffer[i] + 1 == 'x') && (i < bufferSize)) {} // BAD + if ((buffer[i] + 1 == 'x') && (i < bufferSize)) {} // BAD // $ Alert if ((buffer != 0) && (i < bufferSize)) {} // GOOD } diff --git a/cpp/ql/test/query-tests/Best Practices/Likely Errors/Slicing/Slicing.qlref b/cpp/ql/test/query-tests/Best Practices/Likely Errors/Slicing/Slicing.qlref index 03280a5c23d..eb0ac9eff2e 100644 --- a/cpp/ql/test/query-tests/Best Practices/Likely Errors/Slicing/Slicing.qlref +++ b/cpp/ql/test/query-tests/Best Practices/Likely Errors/Slicing/Slicing.qlref @@ -1 +1,2 @@ -Best Practices/Likely Errors/Slicing.ql +query: Best Practices/Likely Errors/Slicing.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Best Practices/Likely Errors/Slicing/test.cpp b/cpp/ql/test/query-tests/Best Practices/Likely Errors/Slicing/test.cpp index b46c749e70e..7b28598afee 100644 --- a/cpp/ql/test/query-tests/Best Practices/Likely Errors/Slicing/test.cpp +++ b/cpp/ql/test/query-tests/Best Practices/Likely Errors/Slicing/test.cpp @@ -10,7 +10,7 @@ struct Point3 : Point2 { void f() { Point2 p2; Point3 p3; - p2 = p3; + p2 = p3; // $ Alert } void g() { diff --git a/cpp/ql/test/query-tests/Best Practices/Magic Constants/Japanese Era/ConstructorOrMethodWithExactDate.cpp b/cpp/ql/test/query-tests/Best Practices/Magic Constants/Japanese Era/ConstructorOrMethodWithExactDate.cpp index 2720aa8f403..8c11a811cd6 100644 
--- a/cpp/ql/test/query-tests/Best Practices/Magic Constants/Japanese Era/ConstructorOrMethodWithExactDate.cpp +++ b/cpp/ql/test/query-tests/Best Practices/Magic Constants/Japanese Era/ConstructorOrMethodWithExactDate.cpp @@ -24,20 +24,20 @@ int Main() { // BAD: constructor creating a EraInfo with exact Heisei era start date - EraInfo * pDateTimeUtil = new EraInfo(1989, 1, 8); + EraInfo * pDateTimeUtil = new EraInfo(1989, 1, 8); // $ Alert // BAD: constructor creating a EraInfo with exact Heisei era start date - EraInfo * pDateTimeUtil1 = new EraInfo(1, 2, 1989, 1, 8, L"\u5e73\u6210"); + EraInfo * pDateTimeUtil1 = new EraInfo(1, 2, 1989, 1, 8, L"\u5e73\u6210"); // $ Alert // Good: constructor creating a EraInfo with another date EraInfo * pDateTimeUtil2 = new EraInfo(1, 2, 1900, 1, 1, L"foo"); // BAD: method call passing exact Haisei era start date as parameters - EraInfo * pDateTimeUtil3 = EraInfo::EraInfoFromDate(1, 2, 1989, 1, 8, L"\u5e73\u6210"); + EraInfo * pDateTimeUtil3 = EraInfo::EraInfoFromDate(1, 2, 1989, 1, 8, L"\u5e73\u6210"); // $ Alert // GOOD: method call with the same parameters in a different order (we only track year, month, day) EraInfo * pDateTimeUtil4 = EraInfo::EraInfoFromDate(1, 2, 8, 1, 1989, L"\u5e73\u6210"); // BAD: constructor creating a EraInfo with exact Reiwa era start date - EraInfo * pDateTimeUtil5 = new EraInfo(2019, 5, 1); + EraInfo * pDateTimeUtil5 = new EraInfo(2019, 5, 1); // $ Alert } \ No newline at end of file diff --git a/cpp/ql/test/query-tests/Best Practices/Magic Constants/Japanese Era/JapaneseEraDate.qlref b/cpp/ql/test/query-tests/Best Practices/Magic Constants/Japanese Era/JapaneseEraDate.qlref index 4240387a36c..652bac2ede7 100644 --- a/cpp/ql/test/query-tests/Best Practices/Magic Constants/Japanese Era/JapaneseEraDate.qlref +++ b/cpp/ql/test/query-tests/Best Practices/Magic Constants/Japanese Era/JapaneseEraDate.qlref 
@@ -1 +1,2 @@ -Best Practices/Magic Constants/JapaneseEraDate.ql +query: Best Practices/Magic Constants/JapaneseEraDate.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Best Practices/Magic Constants/Japanese Era/StructWithExactDate.cpp b/cpp/ql/test/query-tests/Best Practices/Magic Constants/Japanese Era/StructWithExactDate.cpp index 7bbf3397ff9..aca98d53185 100644 --- a/cpp/ql/test/query-tests/Best Practices/Magic Constants/Japanese Era/StructWithExactDate.cpp +++ b/cpp/ql/test/query-tests/Best Practices/Magic Constants/Japanese Era/StructWithExactDate.cpp @@ -28,7 +28,7 @@ int main() { // BAD: Creation of tm stuct corresponding to the beginning of Heisei era tm *timeTm = new tm(); - timeTm->tm_year = 1989; + timeTm->tm_year = 1989; // $ Alert timeTm->tm_mon = 1; timeTm->tm_mday = 8; @@ -43,7 +43,7 @@ int main() SYSTEMTIME st; st.wDay = 8; st.wMonth = 1; - st.wYear = 1989; + st.wYear = 1989; // $ Alert // GOOD: Creation of SYSTEMTIME stuct with a different date @@ -57,7 +57,7 @@ int main() SYSTEMTIME st2; st2.wDay = 1; st2.wMonth = 5; - st2.wYear = 2019; + st2.wYear = 2019; // $ Alert return 0; } diff --git a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/MagicConstantsNumbers.qlref b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/MagicConstantsNumbers.qlref index 46d0c7be3af..2e58ec2fd5f 100644 --- a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/MagicConstantsNumbers.qlref +++ b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/MagicConstantsNumbers.qlref @@ -1 +1,2 @@ -Best Practices/Magic Constants/MagicConstantsNumbers.ql +query: Best Practices/Magic Constants/MagicConstantsNumbers.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/a123.c b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/a123.c index f4d259ee5b9..61fc525f550 100644 --- a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/a123.c +++ b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/a123.c @@ -2,6 +2,6 @@ static void f(void) { int i; - i = 123; + i = 123; // $ Alert } diff --git a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/b123.c b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/b123.c index dc4dfd79f8f..3551b7898d2 100644 --- a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/b123.c +++ b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/b123.c @@ -1,5 +1,5 @@ static void f(void) { - char str[123]; + char str[123]; // $ Alert } diff --git a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/case.c b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/case.c index 73b67768c95..ad76feb2615 100644 --- a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/case.c +++ b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/case.c @@ -1,7 +1,7 @@ void f(int i) { switch(i) { - case 123 ... 129: + case 123 ... 129: // $ Alert break; } } diff --git a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/constants.h b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/constants.h index 7136026997f..3026ecf39bf 100644 --- a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/constants.h +++ b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/constants.h 
@@ -2,7 +2,7 @@ void FUN(void) { int i, j, k; - i = 123; + i = 123; // $ Alert i = 123; i = 123; i = 123; @@ -57,7 +57,7 @@ void FUN(void) { k = 789; k = 789; - i = 0x0078; + i = 0x0078; // $ Alert i = 0x0078; i = 0x0078; i = 0x0078; @@ -88,7 +88,7 @@ void FUN(void) { i = 0x0078; i = 0x0078; - i = 0x01f8; + i = 0x01f8; // $ Alert i = 0x01f8; i = 0x01f8; i = 0x01f8; @@ -119,7 +119,7 @@ void FUN(void) { i = 0x01f8; i = 0x01f8; - i = 278UL; + i = 278UL; // $ Alert i = 278UL; i = 278UL; i = 278UL; @@ -150,7 +150,7 @@ void FUN(void) { i = 278UL; i = 278UL; - i = -129; + i = -129; // $ Alert i = -129; i = -129; i = -129; diff --git a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/functions.h b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/functions.h index 43e7b089389..db7e962a5e4 100644 --- a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/functions.h +++ b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/functions.h @@ -1,6 +1,6 @@ int myFunction1(int x = - 102 + 102 + 102 + + 102 + 102 + 102 + // $ Alert 102 + 102 + 102 + 102 + 102 + 102 + 102 + 102 + 102 + @@ -9,7 +9,7 @@ int myFunction1(int x = 102 + 102 + 102); void myFunction2( - int p1 = 103, + int p1 = 103, // $ Alert int p2 = 103, int p3 = 103, int p4 = 103, diff --git a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/templates.cpp b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/templates.cpp index be73c87951c..0ee90dc2460 100644 --- a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/templates.cpp +++ b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsNumbers/templates.cpp 
@@ -1,7 +1,7 @@ template void f(T x) { - 23; + 23; // $ Alert 23; 23; 23; 23; 23; 23; 23; 23; 23; 23; 23; 23; 23; 23; 23; 23; 23; 23; 23; 23; 'A'; 'A'; 'A'; 'A'; 'A'; 'A'; 'A'; 'A'; 'A'; 'A'; 'A'; 'A'; 'A'; 'A'; 'A'; 'A'; 'A'; 'A'; 'A'; 'A'; 'A'; @@ -10,7 +10,7 @@ void f(T x) { void g(void) { int i; f(i); - 25; + 25; // $ Alert 25; 25; 25; 25; 25; 25; 25; 25; 25; 25; 25; 25; 25; 25; 25; 25; 25; 25; 25; 25; 'B'; 'B'; 'B'; 'B'; 'B'; 'B'; 'B'; 'B'; 'B'; 'B'; 'B'; 'B'; 'B'; 'B'; 'B'; 'B'; 'B'; 'B'; 'B'; 'B'; 'B'; diff --git a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsString/MagicConstantsString.qlref b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsString/MagicConstantsString.qlref index 9caedcf3cc4..a75d078753d 100644 --- a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsString/MagicConstantsString.qlref +++ b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsString/MagicConstantsString.qlref @@ -1 +1,2 @@ -Best Practices/Magic Constants/MagicConstantsString.ql +query: Best Practices/Magic Constants/MagicConstantsString.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsString/constants.h b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsString/constants.h index 231fb35a85d..42537352dff 100644 --- a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsString/constants.h +++ b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsString/constants.h @@ -2,7 +2,7 @@ void FUN(void) { const char *s; - s = "abcabcabc"; + s = "abcabcabc"; // $ Alert s = "abcabcabc"; s = "abcabcabc"; s = "abcabcabc"; diff --git a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsString/joining.cpp b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsString/joining.cpp index 766de394c49..ab0a4545445 100644 
--- a/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsString/joining.cpp +++ b/cpp/ql/test/query-tests/Best Practices/Magic Constants/MagicConstantsString/joining.cpp @@ -36,7 +36,7 @@ void fn(const string &str1); void joining_test(const string &x, const string &y) \ { - fn("testrepo.git"); // BAD: "testrepo.git" + fn("testrepo.git"); // BAD: "testrepo.git" // $ Alert fn("testrepo.git"); fn("testrepo.git"); fn("testrepo.git"); @@ -104,7 +104,7 @@ void joining_test(const string &x, const string &y) \ ostream os; - os << "NO T_VOID CONSTRUCT"; // BAD: "NO T_VOID CONSTRUCT" + os << "NO T_VOID CONSTRUCT"; // BAD: "NO T_VOID CONSTRUCT" // $ Alert os << "NO T_VOID CONSTRUCT"; os << "NO T_VOID CONSTRUCT"; os << "NO T_VOID CONSTRUCT"; @@ -170,7 +170,7 @@ void joining_test(const string &x, const string &y) \ os << "writeString(" << x << ")"; os << "writeString(" << x << ")"; // (21 times) - os << "compiler error: no const of base type " + x; // BAD: "compiler error: no const of base type " + os << "compiler error: no const of base type " + x; // BAD: "compiler error: no const of base type " // $ Alert os << "compiler error: no const of base type " + x; os << "compiler error: no const of base type " + x; os << "compiler error: no const of base type " + x; diff --git a/cpp/ql/test/query-tests/Best Practices/RuleOfTwo/RuleOfTwo.cpp b/cpp/ql/test/query-tests/Best Practices/RuleOfTwo/RuleOfTwo.cpp index b28d6c809da..946d024691b 100644 --- a/cpp/ql/test/query-tests/Best Practices/RuleOfTwo/RuleOfTwo.cpp +++ b/cpp/ql/test/query-tests/Best Practices/RuleOfTwo/RuleOfTwo.cpp 
@@ -1,13 +1,13 @@ // NOT OK struct CopyButNoAssign { CopyButNoAssign() : n(0) {} - CopyButNoAssign(const CopyButNoAssign& copy_from) : n(copy_from.n) {} + CopyButNoAssign(const CopyButNoAssign& copy_from) : n(copy_from.n) {} // $ Alert int n; }; // NOT OK struct AssignButNoCopy { - AssignButNoCopy& operator=(const AssignButNoCopy& assign_from) { return *this; } + AssignButNoCopy& operator=(const AssignButNoCopy& assign_from) { return *this; } // $ Alert }; // OK: before C++11, marking a constructor as private was an @@ -78,7 +78,7 @@ struct NotFriend { // friend of CopyableByFriend. struct MyClassFriend { CopyableByFriend x; - MyClassFriend& operator=(const MyClassFriend& that) { return *this; } + MyClassFriend& operator=(const MyClassFriend& that) { return *this; } // $ Alert }; // OK or NOT OK? An explicit default and an explicit implementation. @@ -141,7 +141,7 @@ protected: // NOT OK: this class gets a copy assignment operator because it can access the // (protected) copy assignment operator of its base class. struct IsAProtectedAssign: public ProtectedAssign { - IsAProtectedAssign(const IsAProtectedAssign& that) {} + IsAProtectedAssign(const IsAProtectedAssign& that) {} // $ Alert }; // OK: this class gets no copy assignment operator. It cannot access the @@ -164,7 +164,7 @@ protected: // NOT OK: this class gets a copy constructor because it can access the // (protected) copy constructor of its base class. struct IsAProtectedCC: public ProtectedCC { - IsAProtectedCC& operator=(const IsAProtectedCC& that) { return *this; } + IsAProtectedCC& operator=(const IsAProtectedCC& that) { return *this; } // $ Alert }; // OK: this class gets no copy constructor. It cannot access the (protected) @@ -309,5 +309,5 @@ class R1_B { // is generated by the compiler and callable outside the class. class R1_C { public: - R1_C(const R1_C& c) {} + R1_C(const R1_C& c) {} // $ Alert }; 
diff --git a/cpp/ql/test/query-tests/Best Practices/RuleOfTwo/RuleOfTwo.qlref b/cpp/ql/test/query-tests/Best Practices/RuleOfTwo/RuleOfTwo.qlref index eb42b255e97..1a88c867141 100644 --- a/cpp/ql/test/query-tests/Best Practices/RuleOfTwo/RuleOfTwo.qlref +++ b/cpp/ql/test/query-tests/Best Practices/RuleOfTwo/RuleOfTwo.qlref @@ -1 +1,2 @@ -Best Practices/RuleOfTwo.ql +query: Best Practices/RuleOfTwo.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Best Practices/SloppyGlobal/SloppyGlobal.qlref b/cpp/ql/test/query-tests/Best Practices/SloppyGlobal/SloppyGlobal.qlref index eb57378dea6..6d979e18a56 100644 --- a/cpp/ql/test/query-tests/Best Practices/SloppyGlobal/SloppyGlobal.qlref +++ b/cpp/ql/test/query-tests/Best Practices/SloppyGlobal/SloppyGlobal.qlref @@ -1 +1,2 @@ -Best Practices/SloppyGlobal.ql +query: Best Practices/SloppyGlobal.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Best Practices/SloppyGlobal/main.cpp b/cpp/ql/test/query-tests/Best Practices/SloppyGlobal/main.cpp index e279fbf0257..3fec0534280 100644 --- a/cpp/ql/test/query-tests/Best Practices/SloppyGlobal/main.cpp +++ b/cpp/ql/test/query-tests/Best Practices/SloppyGlobal/main.cpp @@ -1,19 +1,19 @@ // main.cpp -int x; // BAD: too short -int ys[1000000]; // BAD: too short +int x; // BAD: too short // $ Alert +int ys[1000000]; // BAD: too short // $ Alert int descriptive_name; // GOOD: sufficient static int z; // GOOD: not a global -int v1; // BAD: too short -int v2; // BAD: too short +int v1; // BAD: too short // $ Alert +int v2; // BAD: too short // $ Alert template -T v3; // BAD: too short +T v3; // BAD: too short // $ Alert template -T v4; // BAD: too short +T v4; // BAD: too short // $ Alert template -T v5; // BAD: too short +T v5; // BAD: too short // $ Alert void use_some_fs() { v2 = 100; 
diff --git a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedIncludes/unusedIncludes.cpp b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedIncludes/unusedIncludes.cpp index b4d0012cd92..98a530cb276 100644 --- a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedIncludes/unusedIncludes.cpp +++ b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedIncludes/unusedIncludes.cpp @@ -1,12 +1,12 @@ // unusedIncludes.cpp -#include "a.h" // unused +#include "a.h" // unused // $ Alert #include "b.h" #include "c.h" #include "d.hpp" -#include "e.hpp" // unused -#include "f.fwd.hpp" // unused -#include "g" // unused +#include "e.hpp" // unused // $ Alert +#include "f.fwd.hpp" // unused // $ Alert +#include "g" // unused // $ Alert int val_b = my_func_b(); int *my_c_ptr = &my_var_c; diff --git a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedIncludes/unusedIncludes.qlref b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedIncludes/unusedIncludes.qlref index 9759b522cf3..c268214a8bf 100644 --- a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedIncludes/unusedIncludes.qlref +++ b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedIncludes/unusedIncludes.qlref @@ -1 +1,2 @@ -Best Practices/Unused Entities/UnusedIncludes.ql +query: Best Practices/Unused Entities/UnusedIncludes.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/UnusedLocals.qlref b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/UnusedLocals.qlref index a206090d0f8..645e1ecaebd 100644 --- a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/UnusedLocals.qlref +++ b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/UnusedLocals.qlref 
@@ -1 +1,2 @@ -Best Practices/Unused Entities/UnusedLocals.ql +query: Best Practices/Unused Entities/UnusedLocals.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/code.c b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/code.c index 74385634c41..313f5048d80 100644 --- a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/code.c +++ b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/code.c @@ -7,16 +7,16 @@ void f1(unsigned int x) { } void f2(unsigned int x) { - unsigned int y = x + 1; // BAD: 'y' is unused - unsigned int z = x + 2; // BAD: 'z' is unused + unsigned int y = x + 1; // BAD: 'y' is unused // $ Alert + unsigned int z = x + 2; // BAD: 'z' is unused // $ Alert } #define my_int int #define COMPLEX_MACRO do { int z = 3; } while(0) void f3() { - int x = 1; // BAD: 'x' is unused - my_int y = 2; // BAD: 'y' is unused + int x = 1; // BAD: 'x' is unused // $ Alert + my_int y = 2; // BAD: 'y' is unused // $ Alert COMPLEX_MACRO; // GOOD: unused locals declared in macros are considered OK. } @@ -27,7 +27,7 @@ void write_ptr(int *ptr) { #define ZERO(x) x = 0 int f4() { - int a, b, c, d, e, f, g, h, i, j, k, l, m, n; // BAD: 'n' is unused + int a, b, c, d, e, f, g, h, i, j, k, l, m, n; // BAD: 'n' is unused // $ Alert a = b; c++; @@ -43,13 +43,13 @@ int f4() { } void f5() { - int x; // BAD: 'x' is unused + int x; // BAD: 'x' is unused // $ Alert { int x; { - int x; // BAD: 'x' is unused + int x; // BAD: 'x' is unused // $ Alert } x = 12; @@ -64,7 +64,7 @@ void f6() { int arr2[10]; int arr3[10]; int arr4[10]; - int arr5[10]; // BAD: 'arr5' is unused + int arr5[10]; // BAD: 'arr5' is unused // $ Alert int *ptr; int x; diff --git a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/code.cpp b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/code.cpp index 3b9904a9a29..af4d2aa33f5 100644 
--- a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/code.cpp +++ b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/code.cpp @@ -14,7 +14,7 @@ private: MyClass :: MyClass() { - int a, b, c, d, e; // BAD: 'e' is unused + int a, b, c, d, e; // BAD: 'e' is unused // $ Alert int &f = d; write_ref(a); @@ -29,8 +29,8 @@ MyClass :: ~MyClass() void test() { MyClass mc; // GOOD: constructor and destructor may have side-effects - MyClass *mc_ptr; // BAD: 'mc_ptr' is unused - MyClass &mc_ref = mc; // BAD: 'mc_ref' is unused + MyClass *mc_ptr; // BAD: 'mc_ptr' is unused // $ Alert + MyClass &mc_ref = mc; // BAD: 'mc_ref' is unused // $ Alert } // --- @@ -101,7 +101,7 @@ template void *instantiatedTemplateFunction3() // static unused int variable in twice instantiated template function template void *instantiatedTemplateFunction4() { - static int my_static; // BAD + static int my_static; // BAD // $ Alert static void* my_ptr = 0; return my_ptr; } @@ -129,7 +129,7 @@ void *nonTemplateFunction() // This is a non-template version of the above. void *nonTemplateFunction2() { - static int *my_static; // BAD + static int *my_static; // BAD // $ Alert static void* my_ptr = 0; return my_ptr; } @@ -245,7 +245,7 @@ private: void testFunction() { - MyMethodClass mmc; // BAD: unused + MyMethodClass mmc; // BAD: unused // $ Alert MyConstructorClass mcc; // GOOD MyDerivedClass mdc; // GOOD MyContainingClass mcc2; // GOOD diff --git a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/code2.cpp b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/code2.cpp index 9a70fe98906..8ec61366ada 100644 --- a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/code2.cpp +++ b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/code2.cpp 
@@ -2,13 +2,13 @@ int test_const_init() { - int v1; // BAD: unused + int v1; // BAD: unused // $ Alert int v2; // GOOD - int v3 = 0; // BAD: unused + int v3 = 0; // BAD: unused // $ Alert int v4 = 0; // GOOD const int v5 = 0; // BAD: unused [NOT DETECTED] const int v6 = 0; // GOOD - constexpr int v7 = 0; // BAD: unused + constexpr int v7 = 0; // BAD: unused // $ Alert constexpr int v8 = 0; // GOOD return v2 + v4 + v6 + v8; @@ -23,7 +23,7 @@ void myFunction() void test_template_parameter() { - constexpr int v1 = 0; // BAD: unused + constexpr int v1 = 0; // BAD: unused // $ Alert constexpr int v2 = 0; // GOOD: used as a template parameter below myFunction(); @@ -39,7 +39,7 @@ public: void test_unused() { - MyBuffer myVar1; // BAD: unused + MyBuffer myVar1; // BAD: unused // $ Alert MyBuffer myVar2; // GOOD: used in deliberate void cast below MyBuffer myVar3 __attribute((__unused__)); // GOOD: unused but acknowledged @@ -61,7 +61,7 @@ void test_expect() { int v1 = getter(); // GOOD: v1 is used int v2 = getter(); // GOOD: v2 is used - int v3 = getter(); // BAD: unused + int v3 = getter(); // BAD: unused // $ Alert if (unlikely(v1 < 0)) { @@ -105,7 +105,7 @@ void test_range_based_for() output(v1); } - for (int v2 : myContainer) // BAD: v2 is not used + for (int v2 : myContainer) // BAD: v2 is not used // $ Alert { } } @@ -125,7 +125,7 @@ int test_lambdas1() int test_lambdas2() { - int a, b; // BAD: b is not used + int a, b; // BAD: b is not used // $ Alert auto myLambda = [=]() -> int // BAD: myLambda is not used [NOT DETECTED] (due to containing a Constructor) { return a; diff --git a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/errors.c b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/errors.c index 5b62ac7500d..4c3ad88e6d0 100644 --- a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/errors.c +++ b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedLocals/errors.c 
@@ -7,7 +7,7 @@ void f_error(void) { } void g_error(void) { - int x, y, z; + int x, y, z; // $ Alert // This one should be reported despite the error in another function. z = y + y; } diff --git a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/UnusedStaticFunctions.qlref b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/UnusedStaticFunctions.qlref index dbf4c4e9172..4865dfd4d43 100644 --- a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/UnusedStaticFunctions.qlref +++ b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/UnusedStaticFunctions.qlref @@ -1 +1,2 @@ -Best Practices/Unused Entities/UnusedStaticFunctions.ql +query: Best Practices/Unused Entities/UnusedStaticFunctions.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/unused_functions.c b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/unused_functions.c index e3c2bc809e4..d9290b80d93 100644 --- a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/unused_functions.c +++ b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/unused_functions.c @@ -13,15 +13,15 @@ static void used_function2(void) { printf("Gets run 2\n"); } -static void unused_function(void) { +static void unused_function(void) { // $ Alert printf("Doesn't get run\n"); } -static void unused_function2(void) { +static void unused_function2(void) { // $ Alert printf("Doesn't get run 2\n"); } -static void unused_function3(void) { +static void unused_function3(void) { // $ Alert printf("Doesn't get run 3\n"); unused_function2(); } @@ -60,5 +60,5 @@ static void __attribute__ ((used)) h1(void) { static void __attribute__ ((unused)) h3(void) { } -static void h4(void) { +static void h4(void) { // $ Alert } 
diff --git a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/unused_mut.c b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/unused_mut.c index 7ce51610eef..3d824228dbd 100644 --- a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/unused_mut.c +++ b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/unused_mut.c @@ -2,11 +2,11 @@ static void mut_unused_function(void); static void mut_unused_function2(void); -static void mut_unused_function(void) { +static void mut_unused_function(void) { // $ Alert mut_unused_function2(); } -static void mut_unused_function2(void) { +static void mut_unused_function2(void) { // $ Alert mut_unused_function(); } diff --git a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/unused_static_functions.cpp b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/unused_static_functions.cpp index c0d83b52a57..0c36cf719e4 100644 --- a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/unused_static_functions.cpp +++ b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/unused_static_functions.cpp @@ -16,7 +16,7 @@ const funstr myClass::fs[] = { }; // f2 is unreachable -static void f2(void) { } +static void f2(void) { } // $ Alert // f3 is reachable via f4/pf3 static void f3(void) { } @@ -30,8 +30,8 @@ void f4(void) { // f5 and f6 are mutually recursive unreachable static functions static void f6(void); -static void f5(void) { f6(); } -static void f6(void) { f5(); } +static void f5(void) { f6(); } // $ Alert +static void f6(void) { f5(); } // $ Alert // f7 and f8 are reachable from `function_caller` static int f7() { return 1; } // GOOD 
diff --git a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/used_by_var_ref.c b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/used_by_var_ref.c index dc8c1009545..bbbab66f8f4 100644 --- a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/used_by_var_ref.c +++ b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticFunctions/used_by_var_ref.c @@ -5,9 +5,9 @@ typedef struct _num_fun { } num_fun; static void f(void) {} // Used, via n1 -static void g(void) {} // Not used (n2 is static) +static void g(void) {} // Not used (n2 is static) // $ Alert static void h(void) {} // Used, via n3, via j -static void i(void) {} // Not used (k is static) +static void i(void) {} // Not used (k is static) // $ Alert num_fun n1 = {1, f}; static num_fun n2 = {1, g}; @@ -17,7 +17,7 @@ void j(void) { // Used (not static) num_fun n = n3; } -static void k(void) { // Not used (static) +static void k(void) { // Not used (static) // $ Alert num_fun n = {1, i}; n1.fun = i; } diff --git a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticVariables/UnusedStaticVariables.qlref b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticVariables/UnusedStaticVariables.qlref index 1b03ed4104b..1240fc64dc5 100644 --- a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticVariables/UnusedStaticVariables.qlref +++ b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticVariables/UnusedStaticVariables.qlref @@ -1 +1,2 @@ -Best Practices/Unused Entities/UnusedStaticVariables.ql +query: Best Practices/Unused Entities/UnusedStaticVariables.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticVariables/test.cpp b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticVariables/test.cpp index 2a5eeef6f0f..0e25037f051 100644 
--- a/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticVariables/test.cpp +++ b/cpp/ql/test/query-tests/Best Practices/Unused Entities/UnusedStaticVariables/test.cpp @@ -4,12 +4,12 @@ static int staticVar1; // GOOD (used) static int staticVar2; // GOOD (used) static int staticVar3 = 3; // GOOD (used) static int staticVar4 = staticVar3; // GOOD (used) -static int staticVar5; // BAD (unused) -static int staticVar6 = 6; // BAD (unused) +static int staticVar5; // BAD (unused) // $ Alert +static int staticVar6 = 6; // BAD (unused) // $ Alert static __attribute__((__unused__)) int staticVar7; // GOOD (unused but this is expected) -const int constVar8 = 8; // BAD (const defaults to static) +const int constVar8 = 8; // BAD (const defaults to static) // $ Alert extern const int constVar9 = 9; // GOOD -static int staticVar10 = 10; // GOOD [FALSE POSITIVE] (referenced in a never instantiated template) +static int staticVar10 = 10; // GOOD [FALSE POSITIVE] (referenced in a never instantiated template) // $ Alert void f() { diff --git a/cpp/ql/test/query-tests/Critical/DeadCodeFunction/DeadCodeFunction.qlref b/cpp/ql/test/query-tests/Critical/DeadCodeFunction/DeadCodeFunction.qlref index d15cbbfecd3..20ad76f506d 100644 --- a/cpp/ql/test/query-tests/Critical/DeadCodeFunction/DeadCodeFunction.qlref +++ b/cpp/ql/test/query-tests/Critical/DeadCodeFunction/DeadCodeFunction.qlref @@ -1 +1,2 @@ -Critical/DeadCodeFunction.ql +query: Critical/DeadCodeFunction.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/DeadCodeFunction/test.cpp b/cpp/ql/test/query-tests/Critical/DeadCodeFunction/test.cpp index 8654b6facd6..e828c24fb8b 100644 --- a/cpp/ql/test/query-tests/Critical/DeadCodeFunction/test.cpp +++ b/cpp/ql/test/query-tests/Critical/DeadCodeFunction/test.cpp @@ -2,7 +2,7 @@ static void usedByUnused() { } -static void unused() { +static void unused() { // $ Alert usedByUnused(); } 
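Review bot: `staticVar10` is documented on the same line as `GOOD [FALSE POSITIVE]`, but the annotation added to it is a plain `// $ Alert`, which records the false positive as a wanted result. Using `// $ SPURIOUS: Alert` on that line would keep the test passing today while marking the result as one the query should stop producing. With the plain form, a later fix to the query shows up as an unexplained test failure instead of an expected improvement.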
diff --git a/cpp/ql/test/query-tests/Critical/DeadCodeGoto/DeadCodeGoto.qlref b/cpp/ql/test/query-tests/Critical/DeadCodeGoto/DeadCodeGoto.qlref index 0786047da5f..b76abda209d 100644 --- a/cpp/ql/test/query-tests/Critical/DeadCodeGoto/DeadCodeGoto.qlref +++ b/cpp/ql/test/query-tests/Critical/DeadCodeGoto/DeadCodeGoto.qlref @@ -1 +1,2 @@ -Critical/DeadCodeGoto.ql +query: Critical/DeadCodeGoto.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/DeadCodeGoto/test.cpp b/cpp/ql/test/query-tests/Critical/DeadCodeGoto/test.cpp index 12bef76a1e8..dd4b5a9c325 100644 --- a/cpp/ql/test/query-tests/Critical/DeadCodeGoto/test.cpp +++ b/cpp/ql/test/query-tests/Critical/DeadCodeGoto/test.cpp @@ -1,12 +1,12 @@ int test1(int x) { - goto label; // BAD + goto label; // BAD // $ Alert x++; label: return x; } int test2(int x) { do { - break; // BAD + break; // BAD // $ Alert x++; } while(false); return x; @@ -34,7 +34,7 @@ int test5(int x, int y) { goto label; // GOOD break; case 2: - break; // BAD + break; // BAD // $ Alert return x; case 3: return x; diff --git a/cpp/ql/test/query-tests/Critical/FileClosed/FileMayNotBeClosed.qlref b/cpp/ql/test/query-tests/Critical/FileClosed/FileMayNotBeClosed.qlref index 0f09c329e84..8d189be099b 100644 --- a/cpp/ql/test/query-tests/Critical/FileClosed/FileMayNotBeClosed.qlref +++ b/cpp/ql/test/query-tests/Critical/FileClosed/FileMayNotBeClosed.qlref @@ -1 +1,2 @@ -Critical/FileMayNotBeClosed.ql +query: Critical/FileMayNotBeClosed.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/FileClosed/FileNeverClosed.qlref b/cpp/ql/test/query-tests/Critical/FileClosed/FileNeverClosed.qlref index 825ac26f500..25b57b1736d 100644 --- a/cpp/ql/test/query-tests/Critical/FileClosed/FileNeverClosed.qlref +++ b/cpp/ql/test/query-tests/Critical/FileClosed/FileNeverClosed.qlref 
@@ -1 +1,2 @@ -Critical/FileNeverClosed.ql +query: Critical/FileNeverClosed.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/FileClosed/file.c b/cpp/ql/test/query-tests/Critical/FileClosed/file.c index 3d4bd39b1dc..fcc10863150 100644 --- a/cpp/ql/test/query-tests/Critical/FileClosed/file.c +++ b/cpp/ql/test/query-tests/Critical/FileClosed/file.c @@ -5,7 +5,7 @@ int fclose(FILE *fp); #define NULL ((FILE *)0) void f1(int i) { - FILE *f = fopen("somefile.txt", "r"); + FILE *f = fopen("somefile.txt", "r"); // $ Alert[cpp/file-may-not-be-closed] if (!f) return; @@ -15,7 +15,7 @@ void f1(int i) { } FILE *f2(int i) { - FILE *f = fopen("somefile.txt", "r"); + FILE *f = fopen("somefile.txt", "r"); // $ Alert[cpp/file-may-not-be-closed] if (!f) return NULL; @@ -31,7 +31,7 @@ void g2(int i) { } void f3(int i) { - FILE *f = fopen("somefile.txt", "r"); // Never closed + FILE *f = fopen("somefile.txt", "r"); // Never closed // $ Alert[cpp/file-never-closed] if (!f) return; @@ -63,7 +63,7 @@ void g5(void) { int f6(int b) { FILE *f; - f = fopen("somefile.txt", "r"); // Not always closed + f = fopen("somefile.txt", "r"); // Not always closed // $ Alert[cpp/file-may-not-be-closed] if (f) { if (b) { diff --git a/cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit/GlobalUseBeforeInit.qlref b/cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit/GlobalUseBeforeInit.qlref index a186cc827ec..7d2be720b2a 100644 --- a/cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit/GlobalUseBeforeInit.qlref +++ b/cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit/GlobalUseBeforeInit.qlref @@ -1 +1,2 @@ -Critical/GlobalUseBeforeInit.ql +query: Critical/GlobalUseBeforeInit.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit/test.cpp b/cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit/test.cpp index 81883a1a8a1..0a3ceabaef8 100644 
--- a/cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit/test.cpp +++ b/cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit/test.cpp @@ -25,7 +25,7 @@ int my_printf(const char * fmt, ...) return ret; } -int f1() +int f1() // $ Alert { my_printf("%d\n", a + 2); my_printf("%d\n", b + 2); // BAD @@ -36,7 +36,7 @@ void f2() { my_printf("%d\n", b); // GOOD } -int main() +int main() // $ Alert { unsigned size = sizeof(*c); // GOOD my_printf("%d\n", b); // BAD diff --git a/cpp/ql/test/query-tests/Critical/InitialisationNotRun/InitialisationNotRun.qlref b/cpp/ql/test/query-tests/Critical/InitialisationNotRun/InitialisationNotRun.qlref index 7012169e894..611d7f42e82 100644 --- a/cpp/ql/test/query-tests/Critical/InitialisationNotRun/InitialisationNotRun.qlref +++ b/cpp/ql/test/query-tests/Critical/InitialisationNotRun/InitialisationNotRun.qlref @@ -1 +1,2 @@ -Critical/InitialisationNotRun.ql +query: Critical/InitialisationNotRun.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/InitialisationNotRun/test.cpp b/cpp/ql/test/query-tests/Critical/InitialisationNotRun/test.cpp index ee0d070df08..3a02dc9be82 100644 --- a/cpp/ql/test/query-tests/Critical/InitialisationNotRun/test.cpp +++ b/cpp/ql/test/query-tests/Critical/InitialisationNotRun/test.cpp @@ -9,9 +9,9 @@ public: char name[1000]; }; -GlobalStorage *g1; // BAD +GlobalStorage *g1; // BAD // $ Alert static GlobalStorage g2; // GOOD -static GlobalStorage *g3; // BAD +static GlobalStorage *g3; // BAD // $ Alert // static variables are initialized by compilers static int a; // GOOD static int b = 0; // GOOD diff --git a/cpp/ql/test/query-tests/Critical/LargeParameter/LargeParameter.qlref b/cpp/ql/test/query-tests/Critical/LargeParameter/LargeParameter.qlref index 6ddcc778554..379794ff5e7 100644 --- a/cpp/ql/test/query-tests/Critical/LargeParameter/LargeParameter.qlref +++ b/cpp/ql/test/query-tests/Critical/LargeParameter/LargeParameter.qlref 
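Review bot: In `f1` and `main` the new `// $ Alert` sits on the function signature while the existing `// BAD` markers stay on the `my_printf` lines that read the global, so the file now points at two different lines for one finding. The placement suggests the query reports on the enclosing function rather than on the use; if so, a comment above each signature would say it, for example `// Reported on the function; the offending read is the line marked BAD below.` Both function bodies continue outside their hunks.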
@@ -1 +1,2 @@ -Critical/LargeParameter.ql +query: Critical/LargeParameter.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/LargeParameter/test.cpp b/cpp/ql/test/query-tests/Critical/LargeParameter/test.cpp index bf6d3d414fc..aeddebf3e67 100644 --- a/cpp/ql/test/query-tests/Critical/LargeParameter/test.cpp +++ b/cpp/ql/test/query-tests/Critical/LargeParameter/test.cpp @@ -13,7 +13,7 @@ class myTemplateClass public: myTemplateClass() {} - void set(T _t) { // BAD: T can be myLargeStruct, which is large + void set(T _t) { // BAD: T can be myLargeStruct, which is large // $ Alert t = _t; } @@ -21,11 +21,11 @@ public: }; template -void myTemplateFunction(myTemplateClass mtc_t) // BAD: T can be myLargeStruct, which is large +void myTemplateFunction(myTemplateClass mtc_t) // BAD: T can be myLargeStruct, which is large // $ Alert { } -void myFunction1(mySmallStruct a, myLargeStruct b) // BAD: b is large +void myFunction1(mySmallStruct a, myLargeStruct b) // BAD: b is large // $ Alert { myTemplateClass mtc_a; myTemplateClass mtc_b; @@ -101,12 +101,12 @@ void myFunction4( } void myFunction5( - MyLargeClass a, // BAD - MyLargeClass b, // BAD - MyLargeClass c, // BAD - MyLargeClass d, // BAD - MyLargeClass e, // BAD - MyLargeClass f // BAD + MyLargeClass a, // BAD // $ Alert + MyLargeClass b, // BAD // $ Alert + MyLargeClass c, // BAD // $ Alert + MyLargeClass d, // BAD // $ Alert + MyLargeClass e, // BAD // $ Alert + MyLargeClass f // BAD // $ Alert ) { const MyLargeClass *mlc_ptr; @@ -158,7 +158,7 @@ struct big void myFunction7( big a, // GOOD - big b // BAD + big b // BAD // $ Alert ) { a.xs[0]++; // modifies a diff --git a/cpp/ql/test/query-tests/Critical/MemoryFreed/DoubleFree.expected b/cpp/ql/test/query-tests/Critical/MemoryFreed/DoubleFree.expected index 9636f170e0b..290b5d8a991 100644 --- a/cpp/ql/test/query-tests/Critical/MemoryFreed/DoubleFree.expected 
+++ b/cpp/ql/test/query-tests/Critical/MemoryFreed/DoubleFree.expected 
@@ -1,3 +1,18 @@ +#select +| test_free.cpp:14:10:14:10 | a | test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:14:10:14:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:14:10:14:10 | a | a | test_free.cpp:11:5:11:8 | call to free | call to free | +| test_free.cpp:31:27:31:27 | a | test_free.cpp:30:10:30:10 | pointer to free output argument | test_free.cpp:31:27:31:27 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:31:27:31:27 | a | a | test_free.cpp:30:5:30:8 | call to free | call to free | +| test_free.cpp:37:27:37:27 | a | test_free.cpp:35:10:35:10 | pointer to free output argument | test_free.cpp:37:27:37:27 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:37:27:37:27 | a | a | test_free.cpp:35:5:35:8 | call to free | call to free | +| test_free.cpp:46:10:46:10 | a | test_free.cpp:42:27:42:27 | pointer to free output argument | test_free.cpp:46:10:46:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:46:10:46:10 | a | a | test_free.cpp:42:22:42:25 | call to free | call to free | +| test_free.cpp:46:10:46:10 | a | test_free.cpp:44:27:44:27 | pointer to free output argument | test_free.cpp:46:10:46:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:46:10:46:10 | a | a | test_free.cpp:44:22:44:25 | call to free | call to free | +| test_free.cpp:51:10:51:10 | a | test_free.cpp:50:27:50:27 | pointer to free output argument | test_free.cpp:51:10:51:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:51:10:51:10 | a | a | test_free.cpp:50:22:50:25 | call to free | call to free | +| test_free.cpp:72:14:72:14 | a | test_free.cpp:69:10:69:10 | pointer to free output argument | test_free.cpp:72:14:72:14 | a | Memory pointed to by $@ may already have been freed by $@. 
| test_free.cpp:72:14:72:14 | a | a | test_free.cpp:69:5:69:8 | call to free | call to free | +| test_free.cpp:85:12:85:12 | a | test_free.cpp:83:12:83:12 | pointer to operator delete output argument | test_free.cpp:85:12:85:12 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:85:12:85:12 | a | a | test_free.cpp:83:5:83:13 | delete | delete | +| test_free.cpp:103:10:103:10 | a | test_free.cpp:101:10:101:10 | pointer to free output argument | test_free.cpp:103:10:103:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:103:10:103:10 | a | a | test_free.cpp:101:5:101:8 | call to free | call to free | +| test_free.cpp:129:10:129:11 | * ... | test_free.cpp:128:10:128:11 | pointer to free output argument | test_free.cpp:129:10:129:11 | * ... | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:129:10:129:11 | * ... | * ... | test_free.cpp:128:5:128:8 | call to free | call to free | +| test_free.cpp:154:10:154:10 | a | test_free.cpp:152:27:152:27 | pointer to free output argument | test_free.cpp:154:10:154:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:154:10:154:10 | a | a | test_free.cpp:152:22:152:25 | call to free | call to free | +| test_free.cpp:209:10:209:10 | a | test_free.cpp:207:10:207:10 | pointer to free output argument | test_free.cpp:209:10:209:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:209:10:209:10 | a | a | test_free.cpp:207:5:207:8 | call to free | call to free | +| test_free.cpp:302:12:302:14 | buf | test_free.cpp:301:12:301:14 | pointer to g_free output argument | test_free.cpp:302:12:302:14 | buf | Memory pointed to by $@ may already have been freed by $@. 
| test_free.cpp:302:12:302:14 | buf | buf | test_free.cpp:301:5:301:10 | call to g_free | call to g_free | +| test_free.cpp:322:12:322:12 | a | test_free.cpp:319:16:319:16 | pointer to operator delete output argument | test_free.cpp:322:12:322:12 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:322:12:322:12 | a | a | test_free.cpp:319:9:319:16 | delete | delete | edges | test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:14:10:14:10 | a | provenance | | | test_free.cpp:30:10:30:10 | pointer to free output argument | test_free.cpp:31:27:31:27 | a | provenance | | 
@@ -43,18 +58,3 @@ nodes | test_free.cpp:319:16:319:16 | pointer to operator delete output argument | semmle.label | pointer to operator delete output argument | | test_free.cpp:322:12:322:12 | a | semmle.label | a | subpaths -#select -| test_free.cpp:14:10:14:10 | a | test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:14:10:14:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:14:10:14:10 | a | a | test_free.cpp:11:5:11:8 | call to free | call to free | -| test_free.cpp:31:27:31:27 | a | test_free.cpp:30:10:30:10 | pointer to free output argument | test_free.cpp:31:27:31:27 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:31:27:31:27 | a | a | test_free.cpp:30:5:30:8 | call to free | call to free | -| test_free.cpp:37:27:37:27 | a | test_free.cpp:35:10:35:10 | pointer to free output argument | test_free.cpp:37:27:37:27 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:37:27:37:27 | a | a | test_free.cpp:35:5:35:8 | call to free | call to free | -| test_free.cpp:46:10:46:10 | a | test_free.cpp:42:27:42:27 | pointer to free output argument | test_free.cpp:46:10:46:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:46:10:46:10 | a | a | test_free.cpp:42:22:42:25 | call to free | call to free | -| test_free.cpp:46:10:46:10 | a | test_free.cpp:44:27:44:27 | pointer to free output argument | test_free.cpp:46:10:46:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:46:10:46:10 | a | a | test_free.cpp:44:22:44:25 | call to free | call to free | -| test_free.cpp:51:10:51:10 | a | test_free.cpp:50:27:50:27 | pointer to free output argument | test_free.cpp:51:10:51:10 | a | Memory pointed to by $@ may already have been freed by $@. 
| test_free.cpp:51:10:51:10 | a | a | test_free.cpp:50:22:50:25 | call to free | call to free | -| test_free.cpp:72:14:72:14 | a | test_free.cpp:69:10:69:10 | pointer to free output argument | test_free.cpp:72:14:72:14 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:72:14:72:14 | a | a | test_free.cpp:69:5:69:8 | call to free | call to free | -| test_free.cpp:85:12:85:12 | a | test_free.cpp:83:12:83:12 | pointer to operator delete output argument | test_free.cpp:85:12:85:12 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:85:12:85:12 | a | a | test_free.cpp:83:5:83:13 | delete | delete | -| test_free.cpp:103:10:103:10 | a | test_free.cpp:101:10:101:10 | pointer to free output argument | test_free.cpp:103:10:103:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:103:10:103:10 | a | a | test_free.cpp:101:5:101:8 | call to free | call to free | -| test_free.cpp:129:10:129:11 | * ... | test_free.cpp:128:10:128:11 | pointer to free output argument | test_free.cpp:129:10:129:11 | * ... | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:129:10:129:11 | * ... | * ... | test_free.cpp:128:5:128:8 | call to free | call to free | -| test_free.cpp:154:10:154:10 | a | test_free.cpp:152:27:152:27 | pointer to free output argument | test_free.cpp:154:10:154:10 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:154:10:154:10 | a | a | test_free.cpp:152:22:152:25 | call to free | call to free | -| test_free.cpp:209:10:209:10 | a | test_free.cpp:207:10:207:10 | pointer to free output argument | test_free.cpp:209:10:209:10 | a | Memory pointed to by $@ may already have been freed by $@. 
| test_free.cpp:209:10:209:10 | a | a | test_free.cpp:207:5:207:8 | call to free | call to free | -| test_free.cpp:302:12:302:14 | buf | test_free.cpp:301:12:301:14 | pointer to g_free output argument | test_free.cpp:302:12:302:14 | buf | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:302:12:302:14 | buf | buf | test_free.cpp:301:5:301:10 | call to g_free | call to g_free | -| test_free.cpp:322:12:322:12 | a | test_free.cpp:319:16:319:16 | pointer to operator delete output argument | test_free.cpp:322:12:322:12 | a | Memory pointed to by $@ may already have been freed by $@. | test_free.cpp:322:12:322:12 | a | a | test_free.cpp:319:9:319:16 | delete | delete | diff --git a/cpp/ql/test/query-tests/Critical/MemoryFreed/DoubleFree.qlref b/cpp/ql/test/query-tests/Critical/MemoryFreed/DoubleFree.qlref index 8e68f14ce22..eab98ddcb53 100644 --- a/cpp/ql/test/query-tests/Critical/MemoryFreed/DoubleFree.qlref +++ b/cpp/ql/test/query-tests/Critical/MemoryFreed/DoubleFree.qlref @@ -1 +1,2 @@ -Critical/DoubleFree.ql +query: Critical/DoubleFree.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryMayNotBeFreed.qlref b/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryMayNotBeFreed.qlref index 33da8e296e2..84fd18014db 100644 --- a/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryMayNotBeFreed.qlref +++ b/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryMayNotBeFreed.qlref @@ -1 +1,2 @@ -Critical/MemoryMayNotBeFreed.ql \ No newline at end of file +query: Critical/MemoryMayNotBeFreed.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryNeverFreed.qlref b/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryNeverFreed.qlref index 2d1336a55eb..108a872987d 100644 --- a/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryNeverFreed.qlref +++ b/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryNeverFreed.qlref 
@@ -1 +1,2 @@
-Critical/MemoryNeverFreed.ql
\ No newline at end of file
+query: Critical/MemoryNeverFreed.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected b/cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected
index 891141f56f1..153350b2a99 100644
--- a/cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected
+++ b/cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected
@@ -1,3 +1,28 @@ +#select +| test.cpp:214:2:214:2 | a | test.cpp:213:7:213:7 | pointer to free output argument | test.cpp:214:2:214:2 | a | Memory may have been previously freed by $@. | test.cpp:213:2:213:5 | call to free | call to free | +| test.cpp:220:2:220:2 | a | test.cpp:219:7:219:7 | pointer to free output argument | test.cpp:220:2:220:2 | a | Memory may have been previously freed by $@. | test.cpp:219:2:219:5 | call to free | call to free | +| test.cpp:229:4:229:8 | data1 | test.cpp:228:14:228:18 | pointer to operator delete[] output argument | test.cpp:229:4:229:8 | data1 | Memory may have been previously freed by $@. | test.cpp:228:2:228:18 | delete[] | delete[] | +| test_free.cpp:12:5:12:5 | a | test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:12:5:12:5 | a | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free | +| test_free.cpp:13:5:13:6 | * ... | test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:13:5:13:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free | +| test_free.cpp:45:5:45:5 | a | test_free.cpp:42:27:42:27 | pointer to free output argument | test_free.cpp:45:5:45:5 | a | Memory may have been previously freed by $@. | test_free.cpp:42:22:42:25 | call to free | call to free | +| test_free.cpp:45:5:45:5 | a | test_free.cpp:44:27:44:27 | pointer to free output argument | test_free.cpp:45:5:45:5 | a | Memory may have been previously freed by $@. | test_free.cpp:44:22:44:25 | call to free | call to free | +| test_free.cpp:71:9:71:9 | a | test_free.cpp:69:10:69:10 | pointer to free output argument | test_free.cpp:71:9:71:9 | a | Memory may have been previously freed by $@. 
| test_free.cpp:69:5:69:8 | call to free | call to free | +| test_free.cpp:84:5:84:5 | a | test_free.cpp:83:12:83:12 | pointer to operator delete output argument | test_free.cpp:84:5:84:5 | a | Memory may have been previously freed by $@. | test_free.cpp:83:5:83:13 | delete | delete | +| test_free.cpp:91:5:91:5 | a | test_free.cpp:90:10:90:10 | pointer to free output argument | test_free.cpp:91:5:91:5 | a | Memory may have been previously freed by $@. | test_free.cpp:90:5:90:8 | call to free | call to free | +| test_free.cpp:96:9:96:9 | a | test_free.cpp:95:10:95:10 | pointer to free output argument | test_free.cpp:96:9:96:9 | a | Memory may have been previously freed by $@. | test_free.cpp:95:5:95:8 | call to free | call to free | +| test_free.cpp:102:23:102:23 | a | test_free.cpp:101:10:101:10 | pointer to free output argument | test_free.cpp:102:23:102:23 | a | Memory may have been previously freed by $@. | test_free.cpp:101:5:101:8 | call to free | call to free | +| test_free.cpp:153:5:153:5 | a | test_free.cpp:152:27:152:27 | pointer to free output argument | test_free.cpp:153:5:153:5 | a | Memory may have been previously freed by $@. | test_free.cpp:152:22:152:25 | call to free | call to free | +| test_free.cpp:236:9:236:10 | * ... | test_free.cpp:233:14:233:15 | pointer to free output argument | test_free.cpp:236:9:236:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:233:9:233:12 | call to free | call to free | +| test_free.cpp:241:9:241:10 | * ... | test_free.cpp:239:14:239:15 | pointer to free output argument | test_free.cpp:241:9:241:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:239:9:239:12 | call to free | call to free | +| test_free.cpp:246:9:246:10 | * ... | test_free.cpp:245:10:245:11 | pointer to free output argument | test_free.cpp:246:9:246:10 | * ... | Memory may have been previously freed by $@. 
| test_free.cpp:245:5:245:8 | call to free | call to free | +| test_free.cpp:278:15:278:17 | buf | test_free.cpp:277:8:277:13 | pointer to free output argument | test_free.cpp:278:15:278:17 | buf | Memory may have been previously freed by $@. | test_free.cpp:277:3:277:6 | call to free | call to free | +| test_free.cpp:283:14:283:16 | buf | test_free.cpp:282:8:282:12 | pointer to free output argument | test_free.cpp:283:14:283:16 | buf | Memory may have been previously freed by $@. | test_free.cpp:282:3:282:6 | call to free | call to free | +| test_free.cpp:295:14:295:16 | buf | test_free.cpp:293:8:293:10 | pointer to free output argument | test_free.cpp:295:14:295:16 | buf | Memory may have been previously freed by $@. | test_free.cpp:293:3:293:6 | call to free | call to free | +| test_free.cpp:321:5:321:6 | * ... | test_free.cpp:319:16:319:16 | pointer to operator delete output argument | test_free.cpp:321:5:321:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:319:9:319:16 | delete | delete | +| test_free.cpp:324:5:324:6 | * ... | test_free.cpp:313:16:313:16 | pointer to operator delete output argument | test_free.cpp:324:5:324:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:313:9:313:16 | delete | delete | +| test_free.cpp:324:5:324:6 | * ... | test_free.cpp:319:16:319:16 | pointer to operator delete output argument | test_free.cpp:324:5:324:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:319:9:319:16 | delete | delete | +| test_free.cpp:324:5:324:6 | * ... | test_free.cpp:322:12:322:12 | pointer to operator delete output argument | test_free.cpp:324:5:324:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:322:5:322:12 | delete | delete | +| test_free.cpp:332:5:332:6 | * ... | test_free.cpp:331:12:331:12 | pointer to operator delete output argument | test_free.cpp:332:5:332:6 | * ... | Memory may have been previously freed by $@. 
| test_free.cpp:331:5:331:12 | delete | delete | edges | test.cpp:213:7:213:7 | pointer to free output argument | test.cpp:214:2:214:2 | a | provenance | | | test.cpp:219:7:219:7 | pointer to free output argument | test.cpp:220:2:220:2 | a | provenance | | 
@@ -93,28 +118,3 @@ nodes | test_free.cpp:331:12:331:12 | pointer to operator delete output argument | semmle.label | pointer to operator delete output argument | | test_free.cpp:332:5:332:6 | * ... | semmle.label | * ... | subpaths -#select -| test.cpp:214:2:214:2 | a | test.cpp:213:7:213:7 | pointer to free output argument | test.cpp:214:2:214:2 | a | Memory may have been previously freed by $@. | test.cpp:213:2:213:5 | call to free | call to free | -| test.cpp:220:2:220:2 | a | test.cpp:219:7:219:7 | pointer to free output argument | test.cpp:220:2:220:2 | a | Memory may have been previously freed by $@. | test.cpp:219:2:219:5 | call to free | call to free | -| test.cpp:229:4:229:8 | data1 | test.cpp:228:14:228:18 | pointer to operator delete[] output argument | test.cpp:229:4:229:8 | data1 | Memory may have been previously freed by $@. | test.cpp:228:2:228:18 | delete[] | delete[] | -| test_free.cpp:12:5:12:5 | a | test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:12:5:12:5 | a | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free | -| test_free.cpp:13:5:13:6 | * ... | test_free.cpp:11:10:11:10 | pointer to free output argument | test_free.cpp:13:5:13:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free | -| test_free.cpp:45:5:45:5 | a | test_free.cpp:42:27:42:27 | pointer to free output argument | test_free.cpp:45:5:45:5 | a | Memory may have been previously freed by $@. | test_free.cpp:42:22:42:25 | call to free | call to free | -| test_free.cpp:45:5:45:5 | a | test_free.cpp:44:27:44:27 | pointer to free output argument | test_free.cpp:45:5:45:5 | a | Memory may have been previously freed by $@. | test_free.cpp:44:22:44:25 | call to free | call to free | -| test_free.cpp:71:9:71:9 | a | test_free.cpp:69:10:69:10 | pointer to free output argument | test_free.cpp:71:9:71:9 | a | Memory may have been previously freed by $@. 
| test_free.cpp:69:5:69:8 | call to free | call to free | -| test_free.cpp:84:5:84:5 | a | test_free.cpp:83:12:83:12 | pointer to operator delete output argument | test_free.cpp:84:5:84:5 | a | Memory may have been previously freed by $@. | test_free.cpp:83:5:83:13 | delete | delete | -| test_free.cpp:91:5:91:5 | a | test_free.cpp:90:10:90:10 | pointer to free output argument | test_free.cpp:91:5:91:5 | a | Memory may have been previously freed by $@. | test_free.cpp:90:5:90:8 | call to free | call to free | -| test_free.cpp:96:9:96:9 | a | test_free.cpp:95:10:95:10 | pointer to free output argument | test_free.cpp:96:9:96:9 | a | Memory may have been previously freed by $@. | test_free.cpp:95:5:95:8 | call to free | call to free | -| test_free.cpp:102:23:102:23 | a | test_free.cpp:101:10:101:10 | pointer to free output argument | test_free.cpp:102:23:102:23 | a | Memory may have been previously freed by $@. | test_free.cpp:101:5:101:8 | call to free | call to free | -| test_free.cpp:153:5:153:5 | a | test_free.cpp:152:27:152:27 | pointer to free output argument | test_free.cpp:153:5:153:5 | a | Memory may have been previously freed by $@. | test_free.cpp:152:22:152:25 | call to free | call to free | -| test_free.cpp:236:9:236:10 | * ... | test_free.cpp:233:14:233:15 | pointer to free output argument | test_free.cpp:236:9:236:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:233:9:233:12 | call to free | call to free | -| test_free.cpp:241:9:241:10 | * ... | test_free.cpp:239:14:239:15 | pointer to free output argument | test_free.cpp:241:9:241:10 | * ... | Memory may have been previously freed by $@. | test_free.cpp:239:9:239:12 | call to free | call to free | -| test_free.cpp:246:9:246:10 | * ... | test_free.cpp:245:10:245:11 | pointer to free output argument | test_free.cpp:246:9:246:10 | * ... | Memory may have been previously freed by $@. 
| test_free.cpp:245:5:245:8 | call to free | call to free | -| test_free.cpp:278:15:278:17 | buf | test_free.cpp:277:8:277:13 | pointer to free output argument | test_free.cpp:278:15:278:17 | buf | Memory may have been previously freed by $@. | test_free.cpp:277:3:277:6 | call to free | call to free | -| test_free.cpp:283:14:283:16 | buf | test_free.cpp:282:8:282:12 | pointer to free output argument | test_free.cpp:283:14:283:16 | buf | Memory may have been previously freed by $@. | test_free.cpp:282:3:282:6 | call to free | call to free | -| test_free.cpp:295:14:295:16 | buf | test_free.cpp:293:8:293:10 | pointer to free output argument | test_free.cpp:295:14:295:16 | buf | Memory may have been previously freed by $@. | test_free.cpp:293:3:293:6 | call to free | call to free | -| test_free.cpp:321:5:321:6 | * ... | test_free.cpp:319:16:319:16 | pointer to operator delete output argument | test_free.cpp:321:5:321:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:319:9:319:16 | delete | delete | -| test_free.cpp:324:5:324:6 | * ... | test_free.cpp:313:16:313:16 | pointer to operator delete output argument | test_free.cpp:324:5:324:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:313:9:313:16 | delete | delete | -| test_free.cpp:324:5:324:6 | * ... | test_free.cpp:319:16:319:16 | pointer to operator delete output argument | test_free.cpp:324:5:324:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:319:9:319:16 | delete | delete | -| test_free.cpp:324:5:324:6 | * ... | test_free.cpp:322:12:322:12 | pointer to operator delete output argument | test_free.cpp:324:5:324:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:322:5:322:12 | delete | delete | -| test_free.cpp:332:5:332:6 | * ... | test_free.cpp:331:12:331:12 | pointer to operator delete output argument | test_free.cpp:332:5:332:6 | * ... | Memory may have been previously freed by $@. 
| test_free.cpp:331:5:331:12 | delete | delete | diff --git a/cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.qlref b/cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.qlref index e299a3055e0..09609096489 100644 --- a/cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.qlref +++ b/cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.qlref @@ -1 +1,2 @@ -Critical/UseAfterFree.ql \ No newline at end of file +query: Critical/UseAfterFree.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/MemoryFreed/my_auto_ptr.cpp b/cpp/ql/test/query-tests/Critical/MemoryFreed/my_auto_ptr.cpp index e7c00bdf004..dbd6e90bed4 100644 --- a/cpp/ql/test/query-tests/Critical/MemoryFreed/my_auto_ptr.cpp +++ b/cpp/ql/test/query-tests/Critical/MemoryFreed/my_auto_ptr.cpp @@ -52,9 +52,9 @@ template class AutoContainer2 { public: - AutoContainer2() : v(new T) // GOOD [FALSE POSITIVE] + AutoContainer2() : v(new T) // GOOD [FALSE POSITIVE] // $ Alert[cpp/memory-never-freed] { - ns::my_auto_ptr ap(new T); // GOOD [FALSE POSITIVE] + ns::my_auto_ptr ap(new T); // GOOD [FALSE POSITIVE] // $ Alert[cpp/memory-never-freed] } ns::my_auto_ptr v; @@ -68,7 +68,7 @@ public: AutoCloner(AutoCloner &from) : val(from.val) {}; ns::my_auto_ptr clone() { - return ns::my_auto_ptr(new AutoCloner(*this)); // GOOD [FALSE POSITIVE] + return ns::my_auto_ptr(new AutoCloner(*this)); // GOOD [FALSE POSITIVE] // $ Alert[cpp/memory-never-freed] } private: @@ -77,9 +77,9 @@ private: int main() { - int *i1 = new int; // BAD: never deleted - int *i2 = id(new int); // BAD: never deleted - ignore(new int); // BAD: never deleted + int *i1 = new int; // BAD: never deleted // $ Alert[cpp/memory-never-freed] + int *i2 = id(new int); // BAD: never deleted // $ Alert[cpp/memory-never-freed] + ignore(new int); // BAD: never deleted // $ Alert[cpp/memory-never-freed] ns::my_auto_ptr a1(new char); // GOOD ns::my_auto_ptr a2(new short); // GOOD 
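Review bot: The two `AutoContainer2` lines that are already commented `GOOD [FALSE POSITIVE]` get a plain `$ Alert[cpp/memory-never-freed]`, which records a known false positive as if it were a wanted result. The inline-expectations format has a `SPURIOUS:` prefix for this case, so the comment could read `// GOOD [FALSE POSITIVE] // $ SPURIOUS: Alert[cpp/memory-never-freed]`. The same applies to `AutoCloner::clone` in the `-68,7` hunk, to `test_loop3` and `test_deref` in test_free.cpp, and to the `set_by_ref`, `set_by_ptr` and `my_string_copy` cases in MissingCheckScanf/test.cpp. Without the prefix, a later query fix that removes these alerts shows up as a test failure rather than as an improvement.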
diff --git a/cpp/ql/test/query-tests/Critical/MemoryFreed/test.cpp b/cpp/ql/test/query-tests/Critical/MemoryFreed/test.cpp index 7f3afc95550..7f2fd2b6101 100644 --- a/cpp/ql/test/query-tests/Critical/MemoryFreed/test.cpp +++ b/cpp/ql/test/query-tests/Critical/MemoryFreed/test.cpp @@ -23,7 +23,7 @@ myClass1 :: myClass1() array1 = (int *)malloc(sizeof(int) * 100); array2 = (int *)malloc(sizeof(int) * 100); array3 = (int *)malloc(sizeof(int) * 100); - array4 = (int *)malloc(sizeof(int) * 100); // never freed + array4 = (int *)malloc(sizeof(int) * 100); // never freed // $ Alert[cpp/memory-never-freed] free(array1); } @@ -39,7 +39,7 @@ void myClass1 :: method1() array5 = (int *)malloc(sizeof(int) * 100); array6 = (int *)malloc(sizeof(int) * 100); array7 = (int *)malloc(sizeof(int) * 100); - array8 = (int *)malloc(sizeof(int) * 100); // never freed + array8 = (int *)malloc(sizeof(int) * 100); // never freed // $ Alert[cpp/memory-never-freed] free(array3); free(array5); @@ -70,7 +70,7 @@ myClass2 :: myClass2() array1 = (int *)malloc(sizeof(int) * 100); array2 = (int *)malloc(sizeof(int) * 100); array3 = (int *)malloc(sizeof(int) * 100); - array4 = (int *)malloc(sizeof(int) * 100); // never freed + array4 = (int *)malloc(sizeof(int) * 100); // never freed // $ Alert[cpp/memory-never-freed] free(array1); } @@ -86,7 +86,7 @@ void myClass2 :: method1() array5 = (int *)malloc(sizeof(int) * 100); array6 = (int *)malloc(sizeof(int) * 100); array7 = (int *)malloc(sizeof(int) * 100); - array8 = (int *)malloc(sizeof(int) * 100); // never freed + array8 = (int *)malloc(sizeof(int) * 100); // never freed // $ Alert[cpp/memory-never-freed] free(array3); free(array5); @@ -153,8 +153,8 @@ int overloadedNew() { new(buf) int[1]; // GOOD *(int*)buf = 4; - new(std::nothrow) int(3); // BAD - new(std::nothrow) int[2]; // BAD + new(std::nothrow) int(3); // BAD // $ Alert[cpp/memory-never-freed] + new(std::nothrow) int[2]; // BAD // $ Alert[cpp/memory-never-freed] return 0; } 
@@ -166,7 +166,7 @@ void output_msg(const char *msg); void test_strdup() { char msg[] = "OctoCat"; - char *cpy = strdup(msg); // BAD + char *cpy = strdup(msg); // BAD // $ Alert[cpp/memory-never-freed] output_msg(cpy); } @@ -210,14 +210,14 @@ void test_reassignment() { char *a = (char *)malloc(128); char *b = (char *)malloc(128); - free(a); - a[0] = 0; // BAD + free(a); // $ Source[cpp/use-after-free] + a[0] = 0; // BAD // $ Alert[cpp/use-after-free] a = b; a[0] = 0; // GOOD - free(a); - a[0] = 0; // BAD + free(a); // $ Source[cpp/use-after-free] + a[0] = 0; // BAD // $ Alert[cpp/use-after-free] DataPair p; p.data1 = new char[128]; @@ -225,8 +225,8 @@ void test_reassignment() { p.data1[0] = 0; // GOOD p.data2[0] = 0; // GOOD - delete [] p.data1; - p.data1[0] = 0; // BAD + delete [] p.data1; // $ Source[cpp/use-after-free] + p.data1[0] = 0; // BAD // $ Alert[cpp/use-after-free] p.data2[0] = 0; // GOOD p.data1 = new char[128]; diff --git a/cpp/ql/test/query-tests/Critical/MemoryFreed/test_free.cpp b/cpp/ql/test/query-tests/Critical/MemoryFreed/test_free.cpp index 0a6532015a7..afc0b428f06 100644 --- a/cpp/ql/test/query-tests/Critical/MemoryFreed/test_free.cpp +++ b/cpp/ql/test/query-tests/Critical/MemoryFreed/test_free.cpp @@ -8,10 +8,10 @@ int asprintf(char ** strp, const char * fmt, ...); void* test_double_free1(int *a) { - free(a); // GOOD - a[5] = 5; // BAD - *a = 5; // BAD - free(a); // BAD + free(a); // GOOD // $ Source[cpp/double-free] Source[cpp/use-after-free] + a[5] = 5; // BAD // $ Alert[cpp/use-after-free] + *a = 5; // BAD // $ Alert[cpp/use-after-free] + free(a); // BAD // $ Alert[cpp/double-free] a = (int*) malloc(8); free(a); // GOOD a = (int*) malloc(8); 
@@ -27,28 +27,28 @@ void test_double_free_aliasing(void *a, void* b) { } void test_dominance1(void *a) { - free(a); - if (condition()) free(a); // BAD + free(a); // $ Source[cpp/double-free] + if (condition()) free(a); // BAD // $ Alert[cpp/double-free] } void test_dominance2(void *a) { - free(a); - if (condition()) a = malloc(10); - if (condition()) free(a); // BAD + free(a); // $ Source[cpp/double-free] + if (condition()) a = malloc(10); // $ Alert[cpp/memory-may-not-be-freed] + if (condition()) free(a); // BAD // $ Alert[cpp/double-free] } void test_post_dominance1(int *a) { - if (condition()) free(a); + if (condition()) free(a); // $ Source[cpp/double-free] Source[cpp/use-after-free] if (condition()) a[2] = 5; // BAD [NOT DETECTED] - if (condition()) free(a); // BAD [NOT DETECTED] - a[2] = 5; // BAD - free(a); // BAD + if (condition()) free(a); // BAD [NOT DETECTED] // $ Source[cpp/double-free] Source[cpp/use-after-free] + a[2] = 5; // BAD // $ Alert[cpp/use-after-free] + free(a); // BAD // $ Alert[cpp/double-free] } void test_post_dominance2(void *a) { - if (condition()) free(a); - free(a); // BAD + if (condition()) free(a); // $ Source[cpp/double-free] + free(a); // BAD // $ Alert[cpp/double-free] } void test_post_dominance3(void *a) { @@ -66,10 +66,10 @@ void test_use_after_free6(int *a, int *b) { void test_use_after_free7(int *a) { a[0] = 42; - free(a); + free(a); // $ Source[cpp/double-free] Source[cpp/use-after-free] - if (a[3]) { // BAD - free(a); // BAD + if (a[3]) { // BAD // $ Alert[cpp/use-after-free] + free(a); // BAD // $ Alert[cpp/double-free] } } 
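Review bot: In `test_post_dominance1` the unchanged line `if (condition()) a[2] = 5; // BAD [NOT DETECTED]` still has no `$` annotation, so the missed use-after-free is recorded only in prose. The test passes whether or not the query ever reports it. Consider `// $ MISSING: Alert[cpp/use-after-free]` there, and a `MISSING: Alert[cpp/double-free]` next to the `Source` tags on the following `free(a); // BAD [NOT DETECTED]` line. In the `-80,27` hunk, `return a; // BAD` in `use_after_free` has neither an alert tag nor a `[NOT DETECTED]` marker, and `test_realloc1` mentions `NOT DETECTED by cpp/double-free` only in the comment. Both look like the same unrecorded detection gap.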
@@ -80,27 +80,27 @@ public: void test_new1() { A *a = new A(); - delete(a); - a->f(); // BAD - delete(a); // BAD + delete(a); // $ Source[cpp/double-free] Source[cpp/use-after-free] + a->f(); // BAD // $ Alert[cpp/use-after-free] + delete(a); // BAD // $ Alert[cpp/double-free] } void test_dereference1(A *a) { a->f(); // GOOD - free(a); - a->f(); // BAD + free(a); // $ Source[cpp/use-after-free] + a->f(); // BAD // $ Alert[cpp/use-after-free] } void* use_after_free(void *a) { - free(a); - use(a); // BAD + free(a); // $ Source[cpp/use-after-free] + use(a); // BAD // $ Alert[cpp/use-after-free] return a; // BAD } void test_realloc1(void *a) { - free(a); - void *b = realloc(a, sizeof(a)*3); // BAD [NOT DETECTED by cpp/double-free] - free(a); // BAD + free(a); // $ Source[cpp/double-free] Source[cpp/use-after-free] + void *b = realloc(a, sizeof(a)*3); // BAD [NOT DETECTED by cpp/double-free] // $ Alert[cpp/use-after-free] + free(a); // BAD // $ Alert[cpp/double-free] free(b); // GOOD } void* test_realloc2(char *a) { @@ -125,8 +125,8 @@ void test_realloc3(void *a) { void test_ptr_deref(void ** a) { free(*a); *a = malloc(10); - free(*a); // GOOD - free(*a); // BAD + free(*a); // GOOD // $ Source[cpp/double-free] + free(*a); // BAD // $ Alert[cpp/double-free] *a = malloc(10); free(a[0]); // GOOD free(a[1]); // GOOD @@ -149,9 +149,9 @@ void test_loop1(struct list ** list_ptr) { } void test_use_after_free8(struct list * a) { - if (condition()) free(a); - a->data = malloc(10); // BAD - free(a); // BAD + if (condition()) free(a); // $ Source[cpp/double-free] Source[cpp/use-after-free] + a->data = malloc(10); // BAD // $ Alert[cpp/use-after-free] + free(a); // BAD // $ Alert[cpp/double-free] } void test_loop2(char ** a) { 
@@ -164,7 +164,7 @@ void test_loop2(char ** a) { void* test_realloc4() { void *a = 0; - void *b = realloc(a, 10); // BAD for cpp/memory-never-freed + void *b = realloc(a, 10); // BAD for cpp/memory-never-freed // $ Alert[cpp/memory-never-freed] if (!b) { return a; } return b; } @@ -204,9 +204,9 @@ char* test_return2(char *a) { void test_condition1(char *a) { free(a); if (asprintf(&a, "Hello world") || condition()); - free(a); //GOOD + free(a); //GOOD // $ Source[cpp/double-free] if (condition() || asprintf(&a, "Hello world")); - free(a); // BAD + free(a); // BAD // $ Alert[cpp/double-free] } void test_condition2(char *a) { @@ -230,27 +230,27 @@ void test_ms_free(void * memory_descriptor_list) { void test_loop3(char ** a, char ** b) { if (*a) { - free(*a); + free(*a); // $ Source[cpp/use-after-free] a++; } - use(*a); // GOOD [FALSE POSITIVE] + use(*a); // GOOD [FALSE POSITIVE] // $ Alert[cpp/use-after-free] for (;*b; b++) { - free(*b); + free(*b); // $ Source[cpp/use-after-free] } - use(*b); // GOOD [FALSE POSITIVE] + use(*b); // GOOD [FALSE POSITIVE] // $ Alert[cpp/use-after-free] } void test_deref(char **a) { - free(*a); - use(*a); // GOOD [FALSE POSITIVE] + free(*a); // $ Source[cpp/use-after-free] + use(*a); // GOOD [FALSE POSITIVE] // $ Alert[cpp/use-after-free] } // Refs void test_ref(char *&p) { free(p); - p = (char *)malloc(sizeof(char)*10); + p = (char *)malloc(sizeof(char)*10); // $ Alert[cpp/memory-never-freed] use(p); // GOOD free(p); // GOOD } @@ -258,13 +258,13 @@ void test_ref(char *&p) { void test_ref_delete(int *&p) { delete p; - p = new int; + p = new int; // $ Alert[cpp/memory-never-freed] use(p); // GOOD delete p; // GOOD } void test_free_assign() { - void *a = malloc(10); + void *a = malloc(10); // $ Alert[cpp/memory-may-not-be-freed] void *b; free(b = a); // GOOD } 
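Review bot: `p = new int; // $ Alert[cpp/memory-never-freed]` in `test_ref_delete` is followed by `delete p; // GOOD`, so the expected alert appears to be a false positive, and nothing on the line says so. The same pattern appears to hold for `p = (char *)malloc(sizeof(char)*10);` in `test_ref` (end of the `-230,27` hunk) and for `void *a = malloc(10); // $ Alert[cpp/memory-may-not-be-freed]` in `test_free_assign`, where `free(b = a)` releases the block. If these are indeed unwanted results, mark them the way the rest of the file marks such lines, e.g. `// GOOD [FALSE POSITIVE] // $ SPURIOUS: Alert[cpp/memory-never-freed]`. If they are intended, a short `// BAD: ...` comment giving the reason would make the expectation reviewable.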
@@ -274,13 +274,13 @@ struct MyStruct { }; void test_free_struct(MyStruct* s) { - free(s->buf); - char c = s->buf[0]; // BAD + free(s->buf); // $ Source[cpp/use-after-free] + char c = s->buf[0]; // BAD // $ Alert[cpp/use-after-free] } void test_free_struct2(MyStruct s) { - free(s.buf); - char c = s.buf[0]; // BAD + free(s.buf); // $ Source[cpp/use-after-free] + char c = s.buf[0]; // BAD // $ Alert[cpp/use-after-free] } void test_free_struct3(MyStruct s) { @@ -290,16 +290,16 @@ void test_free_struct3(MyStruct s) { } void test_free_struct4(char* buf, MyStruct s) { - free(buf); + free(buf); // $ Source[cpp/use-after-free] s.buf = buf; - char c = s.buf[0]; // BAD + char c = s.buf[0]; // BAD // $ Alert[cpp/use-after-free] } void g_free (void*); void test_g_free(char* buf) { - g_free(buf); - g_free(buf); // BAD + g_free(buf); // $ Source[cpp/double-free] + g_free(buf); // BAD // $ Alert[cpp/double-free] } // inspired by real world FPs @@ -310,26 +310,26 @@ void test_goto() { *a = 1; // GOOD if (condition()) { - delete a; + delete a; // $ Source[cpp/use-after-free] goto after; } *a = 1; // GOOD if (condition()) { - delete a; + delete a; // $ Source[cpp/double-free] Source[cpp/use-after-free] } - *a = 1; // BAD (use after free) - delete a; // BAD (double free) + *a = 1; // BAD (use after free) // $ Alert[cpp/use-after-free] + delete a; // BAD (double free) // $ Alert[cpp/double-free] Source[cpp/use-after-free] after: - *a = 1; // BAD (use after free) + *a = 1; // BAD (use after free) // $ Alert[cpp/use-after-free] } void test_reassign() { int *a = (int *)malloc(sizeof(int)); *a = 1; // GOOD - delete a; - *a = 1; // BAD (use after free) + delete a; // $ Source[cpp/use-after-free] + *a = 1; // BAD (use after free) // $ Alert[cpp/use-after-free] a = (int *)malloc(sizeof(int)); *a = 1; // GOOD delete a; 
@@ -362,10 +362,10 @@ void test(E* e) { void test_return_by_parameter(int **out_i, MyStruct **out_ms) { int *a = (int *)malloc(sizeof(int)); // GOOD (freed) int *b = (int *)malloc(sizeof(int)); // GOOD (out parameter) - int *d = (int *)malloc(sizeof(int)); // BAD (not freed) + int *d = (int *)malloc(sizeof(int)); // BAD (not freed) // $ Alert[cpp/memory-never-freed] MyStruct *e = (MyStruct *)malloc(sizeof(MyStruct)); // GOOD (freed) MyStruct *f = (MyStruct *)malloc(sizeof(MyStruct)); // GOOD (out parameter) - MyStruct *h = (MyStruct *)malloc(sizeof(MyStruct)); // BAD (not freed) + MyStruct *h = (MyStruct *)malloc(sizeof(MyStruct)); // BAD (not freed) // $ Alert[cpp/memory-never-freed] free(a); *out_i = b; diff --git a/cpp/ql/test/query-tests/Critical/MissingCheckScanf/IncorrectCheckScanf.qlref b/cpp/ql/test/query-tests/Critical/MissingCheckScanf/IncorrectCheckScanf.qlref index b166b6b60b9..39a4f630f4c 100644 --- a/cpp/ql/test/query-tests/Critical/MissingCheckScanf/IncorrectCheckScanf.qlref +++ b/cpp/ql/test/query-tests/Critical/MissingCheckScanf/IncorrectCheckScanf.qlref @@ -1 +1,2 @@ -Critical/IncorrectCheckScanf.ql \ No newline at end of file +query: Critical/IncorrectCheckScanf.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/MissingCheckScanf/MissingCheckScanf.expected b/cpp/ql/test/query-tests/Critical/MissingCheckScanf/MissingCheckScanf.expected index 9b7564b9123..e9c1038e5a4 100644 --- a/cpp/ql/test/query-tests/Critical/MissingCheckScanf/MissingCheckScanf.expected +++ b/cpp/ql/test/query-tests/Critical/MissingCheckScanf/MissingCheckScanf.expected 
@@ -1,3 +1,25 @@ +#select +| test.cpp:35:7:35:7 | i | test.cpp:34:15:34:16 | scanf output argument | test.cpp:35:7:35:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:34:3:34:7 | call to scanf | call to scanf | +| test.cpp:68:7:68:7 | i | test.cpp:67:15:67:16 | scanf output argument | test.cpp:68:7:68:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:67:3:67:7 | call to scanf | call to scanf | +| test.cpp:80:7:80:7 | i | test.cpp:79:15:79:16 | scanf output argument | test.cpp:80:7:80:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:79:3:79:7 | call to scanf | call to scanf | +| test.cpp:90:7:90:8 | * ... | test.cpp:89:15:89:15 | scanf output argument | test.cpp:90:7:90:8 | * ... | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:89:3:89:7 | call to scanf | call to scanf | +| test.cpp:98:7:98:8 | * ... | test.cpp:97:15:97:15 | scanf output argument | test.cpp:98:7:98:8 | * ... | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:97:3:97:7 | call to scanf | call to scanf | +| test.cpp:108:7:108:7 | i | test.cpp:107:32:107:33 | fscanf output argument | test.cpp:108:7:108:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:107:3:107:8 | call to fscanf | call to fscanf | +| test.cpp:115:7:115:7 | i | test.cpp:114:32:114:33 | sscanf output argument | test.cpp:115:7:115:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. 
| test.cpp:114:3:114:8 | call to sscanf | call to sscanf | +| test.cpp:224:8:224:8 | j | test.cpp:221:26:221:27 | scanf output argument | test.cpp:224:8:224:8 | j | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 2. | test.cpp:221:7:221:11 | call to scanf | call to scanf | +| test.cpp:248:9:248:9 | d | test.cpp:246:44:246:45 | scanf output argument | test.cpp:248:9:248:9 | d | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 2. | test.cpp:246:25:246:29 | call to scanf | call to scanf | +| test.cpp:252:9:252:9 | d | test.cpp:250:33:250:34 | scanf output argument | test.cpp:252:9:252:9 | d | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 2. | test.cpp:250:14:250:18 | call to scanf | call to scanf | +| test.cpp:272:7:272:7 | i | test.cpp:271:15:271:16 | scanf output argument | test.cpp:272:7:272:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:271:3:271:7 | call to scanf | call to scanf | +| test.cpp:280:7:280:7 | i | test.cpp:279:15:279:16 | scanf output argument | test.cpp:280:7:280:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:279:3:279:7 | call to scanf | call to scanf | +| test.cpp:292:7:292:7 | i | test.cpp:291:15:291:16 | scanf output argument | test.cpp:292:7:292:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:291:3:291:7 | call to scanf | call to scanf | +| test.cpp:404:25:404:25 | u | test.cpp:403:29:403:30 | sscanf output argument | test.cpp:404:18:404:25 | u | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. 
| test.cpp:403:6:403:11 | call to sscanf | call to sscanf | +| test.cpp:416:7:416:7 | i | test.cpp:413:19:413:20 | scanf output argument | test.cpp:416:7:416:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:413:7:413:11 | call to scanf | call to scanf | +| test.cpp:423:7:423:7 | i | test.cpp:420:19:420:20 | scanf output argument | test.cpp:423:7:423:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:420:7:420:11 | call to scanf | call to scanf | +| test.cpp:460:6:460:10 | value | test.cpp:455:41:455:46 | sscanf output argument | test.cpp:460:6:460:10 | value | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:455:12:455:17 | call to sscanf | call to sscanf | +| test.cpp:474:6:474:10 | value | test.cpp:467:20:467:25 | scanf output argument | test.cpp:474:6:474:10 | value | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:467:8:467:12 | call to scanf | call to scanf | +| test.cpp:484:9:484:9 | i | test.cpp:480:25:480:26 | scanf output argument | test.cpp:484:9:484:9 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:480:13:480:17 | call to scanf | call to scanf | +| test.cpp:495:8:495:8 | i | test.cpp:491:25:491:26 | scanf output argument | test.cpp:495:8:495:8 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:491:13:491:17 | call to scanf | call to scanf | +| test.cpp:545:8:545:8 | f | test.cpp:541:43:541:44 | sscanf output argument | test.cpp:545:8:545:8 | f | This variable is read, but may not have been written. 
It should be guarded by a check that the $@ returns at least 3. | test.cpp:541:10:541:15 | call to sscanf | call to sscanf | edges | test.c:10:31:10:32 | sscanf output argument | test.c:11:7:11:7 | x | provenance | | | test.cpp:34:15:34:16 | scanf output argument | test.cpp:35:7:35:7 | i | provenance | | 
@@ -164,25 +186,3 @@ nodes | test.cpp:575:30:575:31 | scanf output argument | semmle.label | scanf output argument | | test.cpp:577:9:577:9 | i | semmle.label | i | subpaths -#select -| test.cpp:35:7:35:7 | i | test.cpp:34:15:34:16 | scanf output argument | test.cpp:35:7:35:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:34:3:34:7 | call to scanf | call to scanf | -| test.cpp:68:7:68:7 | i | test.cpp:67:15:67:16 | scanf output argument | test.cpp:68:7:68:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:67:3:67:7 | call to scanf | call to scanf | -| test.cpp:80:7:80:7 | i | test.cpp:79:15:79:16 | scanf output argument | test.cpp:80:7:80:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:79:3:79:7 | call to scanf | call to scanf | -| test.cpp:90:7:90:8 | * ... | test.cpp:89:15:89:15 | scanf output argument | test.cpp:90:7:90:8 | * ... | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:89:3:89:7 | call to scanf | call to scanf | -| test.cpp:98:7:98:8 | * ... | test.cpp:97:15:97:15 | scanf output argument | test.cpp:98:7:98:8 | * ... | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:97:3:97:7 | call to scanf | call to scanf | -| test.cpp:108:7:108:7 | i | test.cpp:107:32:107:33 | fscanf output argument | test.cpp:108:7:108:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. 
| test.cpp:107:3:107:8 | call to fscanf | call to fscanf | -| test.cpp:115:7:115:7 | i | test.cpp:114:32:114:33 | sscanf output argument | test.cpp:115:7:115:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:114:3:114:8 | call to sscanf | call to sscanf | -| test.cpp:224:8:224:8 | j | test.cpp:221:26:221:27 | scanf output argument | test.cpp:224:8:224:8 | j | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 2. | test.cpp:221:7:221:11 | call to scanf | call to scanf | -| test.cpp:248:9:248:9 | d | test.cpp:246:44:246:45 | scanf output argument | test.cpp:248:9:248:9 | d | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 2. | test.cpp:246:25:246:29 | call to scanf | call to scanf | -| test.cpp:252:9:252:9 | d | test.cpp:250:33:250:34 | scanf output argument | test.cpp:252:9:252:9 | d | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 2. | test.cpp:250:14:250:18 | call to scanf | call to scanf | -| test.cpp:272:7:272:7 | i | test.cpp:271:15:271:16 | scanf output argument | test.cpp:272:7:272:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:271:3:271:7 | call to scanf | call to scanf | -| test.cpp:280:7:280:7 | i | test.cpp:279:15:279:16 | scanf output argument | test.cpp:280:7:280:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:279:3:279:7 | call to scanf | call to scanf | -| test.cpp:292:7:292:7 | i | test.cpp:291:15:291:16 | scanf output argument | test.cpp:292:7:292:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. 
| test.cpp:291:3:291:7 | call to scanf | call to scanf | -| test.cpp:404:25:404:25 | u | test.cpp:403:29:403:30 | sscanf output argument | test.cpp:404:18:404:25 | u | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:403:6:403:11 | call to sscanf | call to sscanf | -| test.cpp:416:7:416:7 | i | test.cpp:413:19:413:20 | scanf output argument | test.cpp:416:7:416:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:413:7:413:11 | call to scanf | call to scanf | -| test.cpp:423:7:423:7 | i | test.cpp:420:19:420:20 | scanf output argument | test.cpp:423:7:423:7 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:420:7:420:11 | call to scanf | call to scanf | -| test.cpp:460:6:460:10 | value | test.cpp:455:41:455:46 | sscanf output argument | test.cpp:460:6:460:10 | value | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:455:12:455:17 | call to sscanf | call to sscanf | -| test.cpp:474:6:474:10 | value | test.cpp:467:20:467:25 | scanf output argument | test.cpp:474:6:474:10 | value | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:467:8:467:12 | call to scanf | call to scanf | -| test.cpp:484:9:484:9 | i | test.cpp:480:25:480:26 | scanf output argument | test.cpp:484:9:484:9 | i | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 1. | test.cpp:480:13:480:17 | call to scanf | call to scanf | -| test.cpp:495:8:495:8 | i | test.cpp:491:25:491:26 | scanf output argument | test.cpp:495:8:495:8 | i | This variable is read, but may not have been written. 
It should be guarded by a check that the $@ returns at least 1. | test.cpp:491:13:491:17 | call to scanf | call to scanf | -| test.cpp:545:8:545:8 | f | test.cpp:541:43:541:44 | sscanf output argument | test.cpp:545:8:545:8 | f | This variable is read, but may not have been written. It should be guarded by a check that the $@ returns at least 3. | test.cpp:541:10:541:15 | call to sscanf | call to sscanf | diff --git a/cpp/ql/test/query-tests/Critical/MissingCheckScanf/MissingCheckScanf.qlref b/cpp/ql/test/query-tests/Critical/MissingCheckScanf/MissingCheckScanf.qlref index 97e85b5abbe..7d6dbd18683 100644 --- a/cpp/ql/test/query-tests/Critical/MissingCheckScanf/MissingCheckScanf.qlref +++ b/cpp/ql/test/query-tests/Critical/MissingCheckScanf/MissingCheckScanf.qlref @@ -1 +1,2 @@ -Critical/MissingCheckScanf.ql \ No newline at end of file +query: Critical/MissingCheckScanf.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/MissingCheckScanf/test.cpp b/cpp/ql/test/query-tests/Critical/MissingCheckScanf/test.cpp index 346cf607977..f1f5e36ed25 100644 --- a/cpp/ql/test/query-tests/Critical/MissingCheckScanf/test.cpp +++ b/cpp/ql/test/query-tests/Critical/MissingCheckScanf/test.cpp @@ -31,8 +31,8 @@ int main() { int i; - scanf("%d", &i); - use(i); // BAD: may not have written `i` + scanf("%d", &i); // $ Source[cpp/missing-check-scanf] + use(i); // BAD: may not have written `i` // $ Alert[cpp/missing-check-scanf] } { @@ -64,8 +64,8 @@ int main() { int i; // Reused variable - scanf("%d", &i); - use(i); // BAD + scanf("%d", &i); // $ Source[cpp/missing-check-scanf] + use(i); // BAD // $ Alert[cpp/missing-check-scanf] if (scanf("%d", &i) == 1) { @@ -76,8 +76,8 @@ int main() { int i; // Reset variable - scanf("%d", &i); - use(i); // BAD + scanf("%d", &i); // $ Source[cpp/missing-check-scanf] + use(i); // BAD // $ Alert[cpp/missing-check-scanf] i = 1; use(i); // GOOD 
@@ -86,16 +86,16 @@ int main() { int *i = (int*)malloc(sizeof(int)); // Allocated variable - scanf("%d", i); - use(*i); // BAD + scanf("%d", i); // $ Source[cpp/missing-check-scanf] + use(*i); // BAD // $ Alert[cpp/missing-check-scanf] free(i); // GOOD } { int *i = new int; // Allocated variable - scanf("%d", i); - use(*i); // BAD + scanf("%d", i); // $ Source[cpp/missing-check-scanf] + use(*i); // BAD // $ Alert[cpp/missing-check-scanf] delete i; // GOOD } @@ -104,15 +104,15 @@ int main() { int i; - fscanf(get_a_stream(), "%d", &i); - use(i); // BAD: may not have written `i` + fscanf(get_a_stream(), "%d", &i); // $ Source[cpp/missing-check-scanf] + use(i); // BAD: may not have written `i` // $ Alert[cpp/missing-check-scanf] } { int i; - sscanf(get_a_string(), "%d", &i); - use(i); // BAD: may not have written `i` + sscanf(get_a_string(), "%d", &i); // $ Source[cpp/missing-check-scanf] + use(i); // BAD: may not have written `i` // $ Alert[cpp/missing-check-scanf] } { @@ -159,7 +159,7 @@ int main() { int i; - if (scanf("%d", &i) != 0) + if (scanf("%d", &i) != 0) // $ Alert[cpp/incorrectly-checked-scanf] { use(i); // BAD: scanf can return EOF } @@ -168,7 +168,7 @@ int main() { int i; - if (scanf("%d", &i) == 0) + if (scanf("%d", &i) == 0) // $ Alert[cpp/incorrectly-checked-scanf] { use(i); // BAD: checks return value incorrectly } @@ -190,7 +190,7 @@ int main() bool b; int i; - b = scanf("%d", &i); + b = scanf("%d", &i); // $ Alert[cpp/incorrectly-checked-scanf] if (b >= 1) { @@ -201,7 +201,7 @@ int main() { int i; - if (scanf("%d", &i)) + if (scanf("%d", &i)) // $ Alert[cpp/incorrectly-checked-scanf] use(i); // BAD } @@ -218,10 +218,10 @@ int main() { int i, j; - if (scanf("%d %d", &i, &j) >= 1) + if (scanf("%d %d", &i, &j) >= 1) // $ Source[cpp/missing-check-scanf] { use(i); // GOOD - use(j); // BAD: checks return value incorrectly + use(j); // BAD: checks return value incorrectly // $ Alert[cpp/missing-check-scanf] } } 
@@ -243,13 +243,13 @@ int main() if (maybe()) { break; } - else if (maybe() && (scanf("%5c %d", c, &d) == 1)) { // GOOD + else if (maybe() && (scanf("%5c %d", c, &d) == 1)) { // GOOD // $ Source[cpp/missing-check-scanf] use(*(int *)c); // GOOD - use(d); // BAD + use(d); // BAD // $ Alert[cpp/missing-check-scanf] } - else if ((scanf("%5c %d", c, &d) == 1) && maybe()) { // GOOD + else if ((scanf("%5c %d", c, &d) == 1) && maybe()) { // GOOD // $ Source[cpp/missing-check-scanf] use(*(int *)c); // GOOD - use(d); // BAD + use(d); // BAD // $ Alert[cpp/missing-check-scanf] } } } @@ -268,16 +268,16 @@ int main() int i; set_by_ref(i); - scanf("%d", &i); - use(i); // GOOD [FALSE POSITIVE] + scanf("%d", &i); // $ Source[cpp/missing-check-scanf] + use(i); // GOOD [FALSE POSITIVE] // $ Alert[cpp/missing-check-scanf] } { int i; set_by_ptr(&i); - scanf("%d", &i); - use(i); // GOOD [FALSE POSITIVE] + scanf("%d", &i); // $ Source[cpp/missing-check-scanf] + use(i); // GOOD [FALSE POSITIVE] // $ Alert[cpp/missing-check-scanf] } { @@ -288,8 +288,8 @@ int main() i = 0; } - scanf("%d", &i); - use(i); // BAD: `i` may not have been initialized + scanf("%d", &i); // $ Source[cpp/missing-check-scanf] + use(i); // BAD: `i` may not have been initialized // $ Alert[cpp/missing-check-scanf] } // --- different use --- @@ -400,8 +400,8 @@ char *my_string_copy() { for (int i = 0; i < len; i += 2) { unsigned int u; - sscanf(src + i, "%2x", &u); - *ptr++ = (char) u; // GOOD [FALSE POSITIVE]? src+i+{0,1} are always valid %x digits, so this should be OK. + sscanf(src + i, "%2x", &u); // $ Source[cpp/missing-check-scanf] + *ptr++ = (char) u; // GOOD [FALSE POSITIVE]? src+i+{0,1} are always valid %x digits, so this should be OK. // $ Alert[cpp/missing-check-scanf] } *ptr++ = 0; return DST_STRING; 
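Review bot: In the `@@ -268,16 +268,16 @@` hunk of MissingCheckScanf/test.cpp the two `use(i); // GOOD [FALSE POSITIVE]` lines are expected with a plain `Alert` tag, so the expectation no longer distinguishes a known false positive from a wanted result; that information now lives only in the free-text comment. Inline expectation tests have a `SPURIOUS:` prefix for this case, and assuming the postprocess query honours it I would write `use(i); // GOOD [FALSE POSITIVE] // $ SPURIOUS: Alert[cpp/missing-check-scanf]`. The same applies to the `[FALSE POSITIVE]` lines in the later hunks of this file (`my_string_copy`, `scan_and_write`, `multiple_checks`). The enclosing `main` starts and ends outside the hunk.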
@@ -410,17 +410,17 @@ char *my_string_copy() { void scan_and_write() { { int i; - if (scanf("%d", &i) < 1) { + if (scanf("%d", &i) < 1) { // $ Source[cpp/missing-check-scanf] i = 0; } - use(i); // GOOD [FALSE POSITIVE]: variable is overwritten with a default value when scanf fails + use(i); // GOOD [FALSE POSITIVE]: variable is overwritten with a default value when scanf fails // $ Alert[cpp/missing-check-scanf] } { int i; - if (scanf("%d", &i) != 1) { + if (scanf("%d", &i) != 1) { // $ Source[cpp/missing-check-scanf] i = 0; } - use(i); // GOOD [FALSE POSITIVE]: variable is overwritten with a default value when scanf fails + use(i); // GOOD [FALSE POSITIVE]: variable is overwritten with a default value when scanf fails // $ Alert[cpp/missing-check-scanf] } } @@ -433,14 +433,14 @@ void scan_and_static_variable() { void bad_check() { { int i = 0; - if (scanf("%d", &i) != 0) { + if (scanf("%d", &i) != 0) { // $ Alert[cpp/incorrectly-checked-scanf] return; } use(i); // GOOD [FALSE POSITIVE]: Technically no security issue, but code is incorrect. } { int i = 0; - int r = scanf("%d", &i); + int r = scanf("%d", &i); // $ Alert[cpp/incorrectly-checked-scanf] if (!r) { return; } 
@@ -452,47 +452,47 @@ void bad_check() { void disjunct_boolean_condition(const char* modifier_data) { long value; - auto rc = sscanf(modifier_data, "%lx", &value); + auto rc = sscanf(modifier_data, "%lx", &value); // $ Source[cpp/missing-check-scanf] if((rc == EOF) || (rc == 0)) { return; } - use(value); // GOOD + use(value); // GOOD // $ Alert[cpp/missing-check-scanf] } void check_for_negative_test() { int res; int value; - res = scanf("%d", &value); // GOOD + res = scanf("%d", &value); // GOOD // $ Source[cpp/missing-check-scanf] if(res == 0) { return; } if (res < 0) { return; } - use(value); + use(value); // $ Alert[cpp/missing-check-scanf] } void multiple_checks() { { int i; - int res = scanf("%d", &i); + int res = scanf("%d", &i); // $ Source[cpp/missing-check-scanf] if (res >= 0) { if (res != 0) { - use(i); // GOOD: checks return value [FALSE POSITIVE] + use(i); // GOOD: checks return value [FALSE POSITIVE] // $ Alert[cpp/missing-check-scanf] } } } { int i; - int res = scanf("%d", &i); + int res = scanf("%d", &i); // $ Source[cpp/missing-check-scanf] if (res < 0) return; if (res != 0) { - use(i); // GOOD: checks return value [FALSE POSITIVE] + use(i); // GOOD: checks return value [FALSE POSITIVE] // $ Alert[cpp/missing-check-scanf] } } @@ -538,11 +538,11 @@ void switch_cases(const char *data) { float d, e, f; - switch (sscanf(data, "%f %f %f", &d, &e, &f)) { + switch (sscanf(data, "%f %f %f", &d, &e, &f)) { // $ Source[cpp/missing-check-scanf] case 2: use(d); // GOOD use(e); // GOOD - use(f); // BAD + use(f); // BAD // $ Alert[cpp/missing-check-scanf] break; case 3: use(d); // GOOD diff --git a/cpp/ql/test/query-tests/Critical/MissingNullTest/MissingNullTest.qlref b/cpp/ql/test/query-tests/Critical/MissingNullTest/MissingNullTest.qlref index f4e1c9888cb..f9517d2a96f 100644 --- a/cpp/ql/test/query-tests/Critical/MissingNullTest/MissingNullTest.qlref +++ b/cpp/ql/test/query-tests/Critical/MissingNullTest/MissingNullTest.qlref 
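Review bot: In `disjunct_boolean_condition` the line `use(value); // GOOD // $ Alert[cpp/missing-check-scanf]` carries a verdict that contradicts the expectation next to it, and in `check_for_negative_test` the alerting `use(value);` has no verdict comment at all. Both functions return before the use when the result is 0 or `EOF`/negative, so these look like false positives of the query, but unlike the neighbouring cases they are not labelled as such. I would say so in the comment, e.g. `use(value); // GOOD [FALSE POSITIVE] // $ Alert[cpp/missing-check-scanf]`, and add the same verdict to the `use(value);` line in `check_for_negative_test`.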
@@ -1 +1,2 @@ -Critical/MissingNullTest.ql \ No newline at end of file +query: Critical/MissingNullTest.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/MissingNullTest/test.cpp b/cpp/ql/test/query-tests/Critical/MissingNullTest/test.cpp index 73ebe8b56fe..6a5d98466f1 100644 --- a/cpp/ql/test/query-tests/Critical/MissingNullTest/test.cpp +++ b/cpp/ql/test/query-tests/Critical/MissingNullTest/test.cpp @@ -20,7 +20,7 @@ void test1(bool cond) y = *p; // BAD (p is uninitialized and could be 0) [NOT DETECTED] p = NULL; - y = *p; // BAD (p is 0) + y = *p; // BAD (p is 0) // $ Alert p = &x; y = *p; // GOOD (p points to x) p = q; @@ -32,7 +32,7 @@ void test1(bool cond) int *q = 0; memcpy(p, &y, sizeof(int)); // GOOD (p points to x) - memcpy(q, &y, sizeof(int)); // BAD (p is 0) + memcpy(q, &y, sizeof(int)); // BAD (p is 0) // $ Alert } { @@ -40,7 +40,7 @@ void test1(bool cond) int *q = 0; bcopy(&y, p, sizeof(int)); // GOOD (p points to x) - bcopy(&y, q, sizeof(int)); // BAD (p is 0) + bcopy(&y, q, sizeof(int)); // BAD (p is 0) // $ Alert } { @@ -48,14 +48,14 @@ void test1(bool cond) int *q = 0; mycopyint(&y, p); // GOOD (p points to x) - mycopyint(&y, q); // BAD (p is 0) + mycopyint(&y, q); // BAD (p is 0) // $ Alert } { int *p = 0; int *q = &x; - y = *p; // BAD (p is 0) + y = *p; // BAD (p is 0) // $ Alert memcpy(&p, &q, sizeof(p)); y = *p; // GOOD (p points to x) } @@ -64,7 +64,7 @@ void test1(bool cond) int *p = 0; int *q = &x; - y = *p; // BAD (p is 0) + y = *p; // BAD (p is 0) // $ Alert bcopy(&q, &p, sizeof(p)); y = *p; // GOOD (p points to x) } diff --git a/cpp/ql/test/query-tests/Critical/NewFree/NewArrayDeleteMismatch.qlref b/cpp/ql/test/query-tests/Critical/NewFree/NewArrayDeleteMismatch.qlref index 72039b834eb..885b813268e 100644 --- a/cpp/ql/test/query-tests/Critical/NewFree/NewArrayDeleteMismatch.qlref +++ b/cpp/ql/test/query-tests/Critical/NewFree/NewArrayDeleteMismatch.qlref 
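Review bot: The context line `y = *p; // BAD (p is uninitialized and could be 0) [NOT DETECTED]` in the `@@ -20,7 +20,7 @@` hunk stays a prose-only note, so the converted test still has no machine-readable record of this known false negative. If the postprocess query supports the `MISSING:` prefix of inline expectation tests, I would annotate it as `y = *p; // BAD (p is uninitialized and could be 0) [NOT DETECTED] // $ MISSING: Alert`. The `[NOT DETECTED]` lines in OverflowStatic/test.c (`xs[-1]`, `stru.ys[-1]`, `stru.zs[-1]`) and in `f2` of OverflowStatic/test.cpp are in the same position. `test1` starts and ends outside the hunk.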
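Review bot: The comment on `memcpy(q, &y, sizeof(int)); // BAD (p is 0) // $ Alert` in the `@@ -32,7 +32,7 @@` hunk names the wrong pointer: the null pointer passed is `q`, while `p` is the good case on the line above. Since the line is being rewritten anyway, I would correct it to `memcpy(q, &y, sizeof(int)); // BAD (q is 0) // $ Alert`. The `bcopy(&y, q, sizeof(int));` and `mycopyint(&y, q);` lines in the next two hunks have the same slip.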
@@ -1 +1,2 @@ -Critical/NewArrayDeleteMismatch.ql +query: Critical/NewArrayDeleteMismatch.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/NewFree/NewDeleteArrayMismatch.qlref b/cpp/ql/test/query-tests/Critical/NewFree/NewDeleteArrayMismatch.qlref index 0acb486d300..93e6941508c 100644 --- a/cpp/ql/test/query-tests/Critical/NewFree/NewDeleteArrayMismatch.qlref +++ b/cpp/ql/test/query-tests/Critical/NewFree/NewDeleteArrayMismatch.qlref @@ -1 +1,2 @@ -Critical/NewDeleteArrayMismatch.ql +query: Critical/NewDeleteArrayMismatch.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/NewFree/NewFreeMismatch.qlref b/cpp/ql/test/query-tests/Critical/NewFree/NewFreeMismatch.qlref index c7d3dfbdf08..f42f4eb16b9 100644 --- a/cpp/ql/test/query-tests/Critical/NewFree/NewFreeMismatch.qlref +++ b/cpp/ql/test/query-tests/Critical/NewFree/NewFreeMismatch.qlref @@ -1 +1,2 @@ -Critical/NewFreeMismatch.ql +query: Critical/NewFreeMismatch.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/NewFree/test.cpp b/cpp/ql/test/query-tests/Critical/NewFree/test.cpp index 0807eadb333..bec4798a2b0 100644 --- a/cpp/ql/test/query-tests/Critical/NewFree/test.cpp +++ b/cpp/ql/test/query-tests/Critical/NewFree/test.cpp @@ -33,12 +33,12 @@ void f1() void f2() { delete global_p1; // GOOD - delete global_p2; // BAD: malloc -> delete + delete global_p2; // BAD: malloc -> delete // $ Alert[cpp/new-free-mismatch] } void f3() { - free(global_p1); // BAD: new -> delete + free(global_p1); // BAD: new -> delete // $ Alert[cpp/new-free-mismatch] free(global_p2); // GOOD } 
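Review bot: In `f3` of NewFree/test.cpp the comment on `free(global_p1); // BAD: new -> delete // $ Alert[cpp/new-free-mismatch]` describes the wrong pair, because the call on that line is `free`. `global_p1` is presumably allocated with `new` (its `delete` in `f2` is marked GOOD), so by the convention used elsewhere in the file (`free(p1); // BAD: new -> free`) it should read `free(global_p1); // BAD: new -> free // $ Alert[cpp/new-free-mismatch]`. With the expectation tag now on the same line, a wrong verdict comment is easier to mistake for the reason the alert is expected.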
@@ -65,15 +65,15 @@ int main() delete p1; // GOOD delete [] p2; // GOOD - delete p3; // BAD: malloc -> delete + delete p3; // BAD: malloc -> delete // $ Alert[cpp/new-free-mismatch] } { myClass *p1 = new myClass; myClass *p2 = new myClass[10]; myClass *p3 = (myClass *)malloc(sizeof(myClass)); - free(p1); // BAD: new -> free - free(p2); // BAD: new[] -> free + free(p1); // BAD: new -> free // $ Alert[cpp/new-free-mismatch] + free(p2); // BAD: new[] -> free // $ Alert[cpp/new-free-mismatch] free(p3); // GOOD } @@ -88,7 +88,7 @@ int main() myClass *p1 = (myClass *)my_malloc(sizeof(myClass)); myClass *p2 = (myClass *)my_malloc(sizeof(myClass)); - delete p1; // BAD: malloc -> delete + delete p1; // BAD: malloc -> delete // $ Alert[cpp/new-free-mismatch] free(p2); // GOOD } { @@ -96,7 +96,7 @@ int main() myClass *p2 = (myClass *)malloc(sizeof(myClass)); my_delete(p1); // GOOD - my_delete(p2); // BAD: malloc -> delete + my_delete(p2); // BAD: malloc -> delete // $ Alert[cpp/new-free-mismatch] } // overwritten @@ -135,7 +135,7 @@ void test2() void *b = my_malloc_2(10); free(a); // GOOD - delete b; // BAD: malloc -> delete + delete b; // BAD: malloc -> delete // $ Alert[cpp/new-free-mismatch] } void *my_malloc_3(size_t size) @@ -152,7 +152,7 @@ void test3() void *b = my_malloc_3(10); free(a); // GOOD - delete b; // BAD: malloc -> delete + delete b; // BAD: malloc -> delete // $ Alert[cpp/new-free-mismatch] } void test4(bool do_array_delete) @@ -162,11 +162,11 @@ void test4(bool do_array_delete) if (do_array_delete) { - delete [] mc; // BAD + delete [] mc; // BAD // $ Alert[cpp/new-delete-array-mismatch] delete [] mc_array; // GOOD } else { delete mc; // GOOD - delete mc_array; // BAD + delete mc_array; // BAD // $ Alert[cpp/new-array-delete-mismatch] } } @@ -179,7 +179,7 @@ void test5(bool do_array_delete) { delete [] c_array_ptr_2; // GOOD } else { - delete c_array_ptr_2; // BAD + delete c_array_ptr_2; // BAD // $ Alert[cpp/new-array-delete-mismatch] } } 
@@ -211,7 +211,7 @@ void test7(bool do_array_delete) { if (do_array_delete) { - delete [] global_mc; // BAD + delete [] global_mc; // BAD // $ Alert[cpp/new-delete-array-mismatch] } else { delete global_mc; // GOOD } @@ -229,15 +229,15 @@ void test8(bool cond) } free(a); // GOOD - delete a; // BAD: malloc -> delete - delete [] a; // BAD: malloc -> delete[] + delete a; // BAD: malloc -> delete // $ Alert[cpp/new-free-mismatch] + delete [] a; // BAD: malloc -> delete[] // $ Alert[cpp/new-free-mismatch] - free(b); // BAD: new -> free + free(b); // BAD: new -> free // $ Alert[cpp/new-free-mismatch] delete b; // GOOD - delete [] b; // BAD: new -> delete[] + delete [] b; // BAD: new -> delete[] // $ Alert[cpp/new-delete-array-mismatch] - free(c); // BAD: new[] -> free - delete c; // BAD: new[] -> delete + free(c); // BAD: new[] -> free // $ Alert[cpp/new-free-mismatch] + delete c; // BAD: new[] -> delete // $ Alert[cpp/new-array-delete-mismatch] delete [] c; // GOOD } @@ -268,8 +268,8 @@ public: ~ClassWithMembers() { delete a; // GOOD - delete [] b; // BAD: new -> delete[] - free(c); // BAD: new -> free + delete [] b; // BAD: new -> delete[] // $ Alert[cpp/new-delete-array-mismatch] + free(c); // BAD: new -> free // $ Alert[cpp/new-free-mismatch] } private: @@ -292,7 +292,7 @@ static void map_init() static void map_shutdown() { - delete map; // BAD: new[] -> delete + delete map; // BAD: new[] -> delete // $ Alert[cpp/new-array-delete-mismatch] map = 0; } @@ -307,7 +307,7 @@ public: ~Test10() { - delete data; // BAD: new[] -> delete + delete data; // BAD: new[] -> delete // $ Alert[cpp/new-array-delete-mismatch] } char *data; @@ -332,7 +332,7 @@ public: ~Test11() { - delete data; // BAD: new[] -> delete + delete data; // BAD: new[] -> delete // $ Alert[cpp/new-array-delete-mismatch] } char *data; 
@@ -438,10 +438,10 @@ void test14() wchar_t *s5 = wcsdup(L"string"); wchar_t *s6 = wcsdup(L"string"); - delete s1; // BAD: strdup -> delete + delete s1; // BAD: strdup -> delete // $ Alert[cpp/new-free-mismatch] free(s2); // GOOD - delete s3; // BAD: strndup -> delete + delete s3; // BAD: strndup -> delete // $ Alert[cpp/new-free-mismatch] free(s4); // GOOD - delete s5; // BAD: wcsdup -> delete + delete s5; // BAD: wcsdup -> delete // $ Alert[cpp/new-free-mismatch] free(s6); // GOOD } diff --git a/cpp/ql/test/query-tests/Critical/NewFree/test2.cpp b/cpp/ql/test/query-tests/Critical/NewFree/test2.cpp index 43a286f6f97..a39ff1c4ee9 100644 --- a/cpp/ql/test/query-tests/Critical/NewFree/test2.cpp +++ b/cpp/ql/test/query-tests/Critical/NewFree/test2.cpp @@ -16,14 +16,14 @@ public: MyTest2Class() { int *a = new int; - free(a); // BAD + free(a); // BAD // $ Alert[cpp/new-free-mismatch] int *ptr_b = (int *)malloc(sizeof(int)); int *b = new(ptr_b) int; free(b); // GOOD c = new int; - free(c); // BAD + free(c); // BAD // $ Alert[cpp/new-free-mismatch] int *ptr_d = (int *)malloc(sizeof(int)); d = new(ptr_d) int; @@ -48,13 +48,13 @@ void test_operator_new() delete ptr_new; // GOOD ::operator delete(ptr_new); // GOOD - free(ptr_new); // BAD + free(ptr_new); // BAD // $ Alert[cpp/new-free-mismatch] delete ptr_opnew; // GOOD ::operator delete(ptr_opnew); // GOOD - free(ptr_opnew); // BAD + free(ptr_opnew); // BAD // $ Alert[cpp/new-free-mismatch] - delete ptr_malloc; // BAD - ::operator delete(ptr_malloc); // BAD + delete ptr_malloc; // BAD // $ Alert[cpp/new-free-mismatch] + ::operator delete(ptr_malloc); // BAD // $ Alert[cpp/new-free-mismatch] free(ptr_malloc); // GOOD } diff --git a/cpp/ql/test/query-tests/Critical/NotInitialised/NotInitialised.qlref b/cpp/ql/test/query-tests/Critical/NotInitialised/NotInitialised.qlref index b261c020f53..2a0f2052bea 100644 --- a/cpp/ql/test/query-tests/Critical/NotInitialised/NotInitialised.qlref 
+++ b/cpp/ql/test/query-tests/Critical/NotInitialised/NotInitialised.qlref @@ -1 +1,2 @@ -Critical/NotInitialised.ql \ No newline at end of file +query: Critical/NotInitialised.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/NotInitialised/test.cpp b/cpp/ql/test/query-tests/Critical/NotInitialised/test.cpp index bc9093cd53d..c83dabba53d 100644 --- a/cpp/ql/test/query-tests/Critical/NotInitialised/test.cpp +++ b/cpp/ql/test/query-tests/Critical/NotInitialised/test.cpp @@ -1,6 +1,6 @@ void test1() { int local; - int x = local; // BAD + int x = local; // BAD // $ Alert static int static_local; int y = static_local; // GOOD @@ -9,7 +9,7 @@ void test1() { int z = initialised; // GOOD } -int uninitialised_global; // BAD +int uninitialised_global; // BAD // $ Alert static int uninitialised_static_global; // GOOD int initialized_global = 0; // GOOD diff --git a/cpp/ql/test/query-tests/Critical/OverflowCalculated/NoSpaceForZeroTerminator.qlref b/cpp/ql/test/query-tests/Critical/OverflowCalculated/NoSpaceForZeroTerminator.qlref index 53beb09ebd7..0459fddee60 100644 --- a/cpp/ql/test/query-tests/Critical/OverflowCalculated/NoSpaceForZeroTerminator.qlref +++ b/cpp/ql/test/query-tests/Critical/OverflowCalculated/NoSpaceForZeroTerminator.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql +query: Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/OverflowCalculated/OverflowCalculated.qlref b/cpp/ql/test/query-tests/Critical/OverflowCalculated/OverflowCalculated.qlref index 9895980e241..7625942ee0f 100644 --- a/cpp/ql/test/query-tests/Critical/OverflowCalculated/OverflowCalculated.qlref +++ b/cpp/ql/test/query-tests/Critical/OverflowCalculated/OverflowCalculated.qlref @@ -1 +1,2 @@ -Critical/OverflowCalculated.ql +query: Critical/OverflowCalculated.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests1.cpp b/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests1.cpp index a47679bafc2..8cbaaf3c2e7 100644 --- a/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests1.cpp +++ b/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests1.cpp @@ -23,7 +23,7 @@ void tests1(int case_num) switch (case_num) { case 1: - buffer = (char *)malloc(strlen(str)); // BAD + buffer = (char *)malloc(strlen(str)); // BAD // $ Alert[cpp/no-space-for-terminator] strcpy(buffer, str); break; @@ -33,7 +33,7 @@ void tests1(int case_num) break; case 3: - buffer = (char *)malloc(strlen(str) * sizeof(char)); // BAD + buffer = (char *)malloc(strlen(str) * sizeof(char)); // BAD // $ Alert[cpp/no-space-for-terminator] strcpy(buffer, str); break; @@ -53,7 +53,7 @@ void tests1(int case_num) break; case 7: - buffer = (char *)realloc(buffer, strlen(str)); // BAD + buffer = (char *)realloc(buffer, strlen(str)); // BAD // $ Alert[cpp/no-space-for-terminator] strcpy(buffer, str); break; @@ -64,7 +64,7 @@ void tests1(int case_num) case 9: int len1 = strlen(str); - buffer = (char *)malloc(len1); // BAD + buffer = (char *)malloc(len1); // BAD // $ Alert[cpp/no-space-for-terminator] strcpy(buffer, str); break; @@ -86,7 +86,7 @@ void tests1(int case_num) break; case 101: - wbuffer = (wchar_t *)malloc(wcslen(wstr)); // BAD + wbuffer = (wchar_t *)malloc(wcslen(wstr)); // BAD // $ Alert[cpp/no-space-for-terminator] wcscpy(wbuffer, wstr); break; @@ -106,7 +106,7 @@ void tests1(int case_num) break; case 105: - wbuffer = (wchar_t *)malloc(wcslen(wstr) * sizeof(wchar_t)); // BAD + wbuffer = (wchar_t *)malloc(wcslen(wstr) * sizeof(wchar_t)); // BAD // $ Alert[cpp/no-space-for-terminator] wcscpy(wbuffer, wstr); break; diff --git a/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests2.cpp b/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests2.cpp index 696b566329a..db6928a7015 100644 
--- a/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests2.cpp +++ b/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests2.cpp @@ -31,7 +31,7 @@ void tests2(int case_num) case 1: buffer = (char *)malloc(strlen(str1) + 1); // BAD strcpy(buffer, str1); - strcat(buffer, str2); + strcat(buffer, str2); // $ Alert[cpp/overflow-calculated] break; case 2: @@ -49,7 +49,7 @@ void tests2(int case_num) case 4: buffer = (char *)malloc((strlen(str1) + 1) * sizeof(char)); // BAD strcpy(buffer, str1); - strcat(buffer, str2); + strcat(buffer, str2); // $ Alert[cpp/overflow-calculated] break; case 5: diff --git a/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests3.cpp b/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests3.cpp index 7a2cc19d269..c50addfdd50 100644 --- a/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests3.cpp +++ b/cpp/ql/test/query-tests/Critical/OverflowCalculated/tests3.cpp @@ -22,12 +22,12 @@ void tests3(int case_num) switch (case_num) { case 1: - buffer = (char *)std::malloc(strlen(str3global)); // BAD + buffer = (char *)std::malloc(strlen(str3global)); // BAD // $ Alert[cpp/no-space-for-terminator] strcpy(buffer, str3global); break; case 2: - buffer = (char *)std::malloc(strlen(str3local)); // BAD + buffer = (char *)std::malloc(strlen(str3local)); // BAD // $ Alert[cpp/no-space-for-terminator] strcpy(buffer, str3local); break; @@ -50,7 +50,7 @@ void tests3(int case_num) void test3b() { - char *buffer = new char[strlen(str3global)]; // BAD + char *buffer = new char[strlen(str3global)]; // BAD // $ Alert[cpp/no-space-for-terminator] strcpy(buffer, str3global); 
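Review bot: In `case 1` of tests2.cpp the `// BAD` verdict sits on the `malloc(strlen(str1) + 1)` line while the new expectation is on `strcat(buffer, str2);`, which has no comment, so a reader cannot tell from the file why that line alerts or whether the `BAD` line is a missed result. I would explain it where the expectation is, e.g. `strcat(buffer, str2); // BAD: buffer was sized for str1 only // $ Alert[cpp/overflow-calculated]`. `case 4` in the next hunk is the same. `tests2` starts and ends outside the hunk.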
@@ -78,9 +78,9 @@ void tests4() char *buffer1 = 0; char *buffer2 = 0; - buffer1 = (char *)MyMalloc1(strlen(str4)); // BAD + buffer1 = (char *)MyMalloc1(strlen(str4)); // BAD // $ Alert[cpp/no-space-for-terminator] strcpy(buffer1, str4); - buffer2 = (char *)MyMalloc2(strlen(str4)); // BAD + buffer2 = (char *)MyMalloc2(strlen(str4)); // BAD // $ Alert[cpp/no-space-for-terminator] strcpy(buffer2, str4); } diff --git a/cpp/ql/test/query-tests/Critical/OverflowStatic/OverflowStatic.qlref b/cpp/ql/test/query-tests/Critical/OverflowStatic/OverflowStatic.qlref index 477af9d71d0..93d88e7802a 100644 --- a/cpp/ql/test/query-tests/Critical/OverflowStatic/OverflowStatic.qlref +++ b/cpp/ql/test/query-tests/Critical/OverflowStatic/OverflowStatic.qlref @@ -1 +1,2 @@ -Critical/OverflowStatic.ql +query: Critical/OverflowStatic.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/OverflowStatic/test.c b/cpp/ql/test/query-tests/Critical/OverflowStatic/test.c index 3c726a452b9..9072df0feb6 100644 --- a/cpp/ql/test/query-tests/Critical/OverflowStatic/test.c +++ b/cpp/ql/test/query-tests/Critical/OverflowStatic/test.c @@ -11,14 +11,14 @@ void f(void) { c = xs[-1]; // BAD [NOT DETECTED] c = xs[0]; // GOOD c = xs[4]; // GOOD - c = xs[5]; // BAD - c = xs[6]; // BAD + c = xs[5]; // BAD // $ Alert + c = xs[6]; // BAD // $ Alert c = stru.ys[-1]; // BAD [NOT DETECTED] c = stru.ys[0]; // GOOD c = stru.ys[4]; // GOOD - c = stru.ys[5]; // BAD - c = stru.ys[6]; // BAD + c = stru.ys[5]; // BAD // $ Alert + c = stru.ys[6]; // BAD // $ Alert c = stru.zs[-1]; // BAD [NOT DETECTED] c = stru.zs[0]; // GOOD (zs is variable size) diff --git a/cpp/ql/test/query-tests/Critical/OverflowStatic/test.cpp b/cpp/ql/test/query-tests/Critical/OverflowStatic/test.cpp index deeb70ffd57..0248f71e30b 100644 --- a/cpp/ql/test/query-tests/Critical/OverflowStatic/test.cpp +++ b/cpp/ql/test/query-tests/Critical/OverflowStatic/test.cpp 
@@ -16,14 +16,14 @@ void f1(void) } for (i = 0; i < 4; i++) { - buffer1[i] = 0; // BAD - buffer2[i] = 0; // BAD + buffer1[i] = 0; // BAD // $ Alert + buffer2[i] = 0; // BAD // $ Alert } memcpy(buffer1, buffer2, 3); // GOOD - memcpy(buffer1, buffer2, 4); // BAD + memcpy(buffer1, buffer2, 4); // BAD // $ Alert memcpy(buffer2, buffer1, 3); // GOOD - memcpy(buffer2, buffer1, 4); // BAD + memcpy(buffer2, buffer1, 4); // BAD // $ Alert } void f2(char *src) @@ -37,7 +37,7 @@ void f2(char *src) amount = amount + 1; memcpy(buffer, src, amount); // BAD [NOT DETECTED] amount = 101; - memcpy(buffer, src, amount); // BAD + memcpy(buffer, src, amount); // BAD // $ Alert ptr = buffer; memcpy(ptr, src, 101); // BAD [NOT DETECTED] diff --git a/cpp/ql/test/query-tests/Critical/OverflowStatic/test2.c b/cpp/ql/test/query-tests/Critical/OverflowStatic/test2.c index cd836d75988..f1f28fbc76e 100644 --- a/cpp/ql/test/query-tests/Critical/OverflowStatic/test2.c +++ b/cpp/ql/test/query-tests/Critical/OverflowStatic/test2.c 
@@ -25,14 +25,14 @@ size_t fread(void *ptr, size_t size, size_t nmemb, FILE *stream); void bad0(char *src, FILE *f, va_list ap) { char buffer[40]; - fgets(buffer, 41, f); // BAD: Too many characters read - strncpy(buffer, src, 43); // BAD: Too many characters copied + fgets(buffer, 41, f); // BAD: Too many characters read // $ Alert + strncpy(buffer, src, 43); // BAD: Too many characters copied // $ Alert buffer[0] = 0; - strncat(buffer, src, 44); // BAD: Too many characters copied - memcpy(buffer, src, 45); // BAD: Too many characters copied - memmove(buffer, src, 46); // BAD: Too many characters copied - snprintf(buffer, 47, "%s", src); // BAD: Too many characters copied - vsnprintf(buffer, 48, "%s", ap); // BAD: Too many characters copied + strncat(buffer, src, 44); // BAD: Too many characters copied // $ Alert + memcpy(buffer, src, 45); // BAD: Too many characters copied // $ Alert + memmove(buffer, src, 46); // BAD: Too many characters copied // $ Alert + snprintf(buffer, 47, "%s", src); // BAD: Too many characters copied // $ Alert + vsnprintf(buffer, 48, "%s", ap); // BAD: Too many characters copied // $ Alert } void good0(char *src, FILE *f, va_list ap) { diff --git a/cpp/ql/test/query-tests/Critical/ReturnValueIgnored/ReturnValueIgnored.qlref b/cpp/ql/test/query-tests/Critical/ReturnValueIgnored/ReturnValueIgnored.qlref index 102d4b7138c..cd7a89e3ea5 100644 --- a/cpp/ql/test/query-tests/Critical/ReturnValueIgnored/ReturnValueIgnored.qlref +++ b/cpp/ql/test/query-tests/Critical/ReturnValueIgnored/ReturnValueIgnored.qlref @@ -1 +1,2 @@ -Critical/ReturnValueIgnored.ql +query: Critical/ReturnValueIgnored.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/ReturnValueIgnored/test.cpp b/cpp/ql/test/query-tests/Critical/ReturnValueIgnored/test.cpp index 4fbf1f00e33..f5f138faea5 100644 --- a/cpp/ql/test/query-tests/Critical/ReturnValueIgnored/test.cpp 
+++ b/cpp/ql/test/query-tests/Critical/ReturnValueIgnored/test.cpp @@ -29,7 +29,7 @@ int main() check(myFunction()); // GOOD - myFunction(); // BAD (return value is ignored) + myFunction(); // BAD (return value is ignored) // $ Alert (void)myFunction(); // GOOD } diff --git a/cpp/ql/test/query-tests/Critical/SizeCheck/SizeCheck2.qlref b/cpp/ql/test/query-tests/Critical/SizeCheck/SizeCheck2.qlref index ca677973aea..b23dbb86fd8 100644 --- a/cpp/ql/test/query-tests/Critical/SizeCheck/SizeCheck2.qlref +++ b/cpp/ql/test/query-tests/Critical/SizeCheck/SizeCheck2.qlref @@ -1 +1,2 @@ -Critical/SizeCheck2.ql +query: Critical/SizeCheck2.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Critical/SizeCheck/test2.c b/cpp/ql/test/query-tests/Critical/SizeCheck/test2.c index 714ca5de9c8..2dedb4e9047 100644 --- a/cpp/ql/test/query-tests/Critical/SizeCheck/test2.c +++ b/cpp/ql/test/query-tests/Critical/SizeCheck/test2.c @@ -13,8 +13,8 @@ void free(void *ptr); void bad0(void) { - long long *lptr = malloc(27); // BAD -- Not a multiple of sizeof(long long) - double *dptr = malloc(33); // BAD -- Not a multiple of sizeof(double) + long long *lptr = malloc(27); // BAD -- Not a multiple of sizeof(long long) // $ Alert + double *dptr = malloc(33); // BAD -- Not a multiple of sizeof(double) // $ Alert free(lptr); free(dptr); } @@ -29,8 +29,8 @@ void good0(void) { void bad1(void) { - long long *lptr = malloc(sizeof(long long)*7/2); // BAD -- Not a multiple of sizeof(long long) - double *dptr = malloc(sizeof(double)*5/2); // BAD -- Not a multiple of sizeof(double) + long long *lptr = malloc(sizeof(long long)*7/2); // BAD -- Not a multiple of sizeof(long long) // $ Alert + double *dptr = malloc(sizeof(double)*5/2); // BAD -- Not a multiple of sizeof(double) // $ Alert free(lptr); free(dptr); } 
@@ -82,5 +82,5 @@ void varStructTests() { MyVarStruct1 *a = malloc(sizeof(MyVarStruct1) + 127); // GOOD MyVarStruct2 *b = malloc(sizeof(MyVarStruct2) + 127); // GOOD MyVarStruct3 *c = malloc(sizeof(MyVarStruct3) + 127); // GOOD - MyFixedStruct *d = malloc(sizeof(MyFixedStruct) + 127); // BAD --- Not a multiple of sizeof(MyFixedStruct) + MyFixedStruct *d = malloc(sizeof(MyFixedStruct) + 127); // BAD --- Not a multiple of sizeof(MyFixedStruct) // $ Alert } diff --git a/cpp/ql/test/query-tests/Critical/UnsafeUseOfThis/UnsafeUseOfThis.qlref b/cpp/ql/test/query-tests/Critical/UnsafeUseOfThis/UnsafeUseOfThis.qlref index 086427166cb..9c104719c2c 100644 --- a/cpp/ql/test/query-tests/Critical/UnsafeUseOfThis/UnsafeUseOfThis.qlref +++ b/cpp/ql/test/query-tests/Critical/UnsafeUseOfThis/UnsafeUseOfThis.qlref @@ -1 +1 @@ -Likely Bugs/OO/UnsafeUseOfThis.ql \ No newline at end of file +query: Likely Bugs/OO/UnsafeUseOfThis.ql diff --git a/cpp/ql/test/query-tests/Diagnostics/ExtractedFiles.qlref b/cpp/ql/test/query-tests/Diagnostics/ExtractedFiles.qlref index e900e9c5314..58bc903a431 100644 --- a/cpp/ql/test/query-tests/Diagnostics/ExtractedFiles.qlref +++ b/cpp/ql/test/query-tests/Diagnostics/ExtractedFiles.qlref @@ -1 +1 @@ -Diagnostics/ExtractedFiles.ql +query: Diagnostics/ExtractedFiles.ql diff --git a/cpp/ql/test/query-tests/Diagnostics/ExtractionErrors.qlref b/cpp/ql/test/query-tests/Diagnostics/ExtractionErrors.qlref index 1bf951f1899..9f9498e49c7 100644 --- a/cpp/ql/test/query-tests/Diagnostics/ExtractionErrors.qlref +++ b/cpp/ql/test/query-tests/Diagnostics/ExtractionErrors.qlref @@ -1 +1 @@ -Diagnostics/Internal/ExtractionErrors.ql +query: Diagnostics/Internal/ExtractionErrors.ql diff --git a/cpp/ql/test/query-tests/Diagnostics/ExtractionWarnings.qlref b/cpp/ql/test/query-tests/Diagnostics/ExtractionWarnings.qlref index 2df3d933e8a..68969e9bbf1 100644 --- a/cpp/ql/test/query-tests/Diagnostics/ExtractionWarnings.qlref 
+++ b/cpp/ql/test/query-tests/Diagnostics/ExtractionWarnings.qlref @@ -1 +1 @@ -Diagnostics/ExtractionWarnings.ql +query: Diagnostics/ExtractionWarnings.ql diff --git a/cpp/ql/test/query-tests/Diagnostics/FailedExtractorInvocations.qlref b/cpp/ql/test/query-tests/Diagnostics/FailedExtractorInvocations.qlref index e3f6cd687d3..3484d485f1e 100644 --- a/cpp/ql/test/query-tests/Diagnostics/FailedExtractorInvocations.qlref +++ b/cpp/ql/test/query-tests/Diagnostics/FailedExtractorInvocations.qlref @@ -1 +1 @@ -Diagnostics/FailedExtractorInvocations.ql +query: Diagnostics/FailedExtractorInvocations.ql diff --git a/cpp/ql/test/query-tests/Documentation/CommentedOutCode/CommentedOutCode.qlref b/cpp/ql/test/query-tests/Documentation/CommentedOutCode/CommentedOutCode.qlref index ae0fe399adc..2597ad4e923 100644 --- a/cpp/ql/test/query-tests/Documentation/CommentedOutCode/CommentedOutCode.qlref +++ b/cpp/ql/test/query-tests/Documentation/CommentedOutCode/CommentedOutCode.qlref @@ -1 +1,2 @@ -Documentation/CommentedOutCode.ql +query: Documentation/CommentedOutCode.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Documentation/CommentedOutCode/test.c b/cpp/ql/test/query-tests/Documentation/CommentedOutCode/test.c index 2fce1b0e982..b3cbe90b4f8 100644 --- a/cpp/ql/test/query-tests/Documentation/CommentedOutCode/test.c +++ b/cpp/ql/test/query-tests/Documentation/CommentedOutCode/test.c @@ -1,16 +1,16 @@ -// commented out code; +// commented out code; // $ Alert // some; // commented; // out; -// code; +// code; // $ Alert // also; // this // is; // commented-out -// code; +// code; // $ Alert // this // is; @@ -23,7 +23,7 @@ commented; out; code; -*/ +*/ // $ Alert /* also; @@ -31,7 +31,7 @@ is; commented-out code; -*/ +*/ // $ Alert /* this diff --git a/cpp/ql/test/query-tests/Documentation/CommentedOutCode/test2.cpp b/cpp/ql/test/query-tests/Documentation/CommentedOutCode/test2.cpp index e7a8019286f..4818430d85d 100644 
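Review bot: In CommentedOutCode/test.c the markers are appended inside the very comments the query classifies (`// commented out code; // $ Alert`, `// code; // $ Alert`), so the fixture text under test is no longer what it was before the conversion. The query's verdict presumably depends on the comment's content, so it is worth confirming that each result is still produced for the original text and not because of, or despite, the trailing marker. The same applies to the `//` cases in CommentedOutCode/test2.cpp and to `// TODO: Can have C++-style comments too // $ Alert[cpp/todo-comment]` in TodoComments/todo.c. I would record this in the file with a separate comment such as `/* Note: the "$ Alert" suffixes are test expectation markers and are part of the comment text the query sees */`, set off by a blank line so it does not join a neighbouring comment block.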
--- a/cpp/ql/test/query-tests/Documentation/CommentedOutCode/test2.cpp +++ b/cpp/ql/test/query-tests/Documentation/CommentedOutCode/test2.cpp @@ -34,21 +34,21 @@ // Example: { 1, 2, 3, 4 } -// int myFunction() { return myValue; } +// int myFunction() { return myValue; } // $ Alert -// int myFunction() const { return myValue; } +// int myFunction() const { return myValue; } // $ Alert -// int myFunction() const noexcept { return myValue; } +// int myFunction() const noexcept { return myValue; } // $ Alert -// #define MYMACRO +// #define MYMACRO // $ Alert -// #include "include.h" +// #include "include.h" // $ Alert /* #ifdef void myFunction(); #endif -*/ +*/ // $ Alert // define some constants @@ -56,15 +56,15 @@ void myFunction(); // #hashtag -// #if(defined(MYMACRO)) +// #if(defined(MYMACRO)) // $ Alert // #iffy -// #pragma once +// #pragma once // $ Alert -// # pragma once +// # pragma once // $ Alert -/*#error"myerror"*/ +/*#error"myerror"*/ // $ Alert #ifdef MYMACRO @@ -92,7 +92,7 @@ void myFunction(); #ifdef MYMACRO // ... #endif // #ifdef MYMACRO -*/ +*/ // $ Alert #ifdef MYMACRO1 @@ -104,7 +104,7 @@ void myFunction(); #endif // #ifdef MYMACRO2 #endif // #ifdef MYMACRO1 -#include "config.h" // #include "config2.h" +#include "config.h" // #include "config2.h" // $ Alert #ifdef MYMACRO @@ -112,10 +112,10 @@ void myFunction(); #endif /* #ifdef MYMACRO */ -#error "error" /* #ifdef MYMACRO */ +#error "error" /* #ifdef MYMACRO */ // $ Alert -// commented_out_code(); +// commented_out_code(); // $ Alert #if 0 - // commented_out_code(); + // commented_out_code(); // $ Alert #endif diff --git a/cpp/ql/test/query-tests/Documentation/DocumentApi/DocumentApi.qlref b/cpp/ql/test/query-tests/Documentation/DocumentApi/DocumentApi.qlref index 41bcfe740bb..f46b3b82925 100644 --- a/cpp/ql/test/query-tests/Documentation/DocumentApi/DocumentApi.qlref +++ b/cpp/ql/test/query-tests/Documentation/DocumentApi/DocumentApi.qlref 
@@ -1 +1,2 @@ -Documentation/DocumentApi.ql +query: Documentation/DocumentApi.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Documentation/DocumentApi/comment_prototypes.c b/cpp/ql/test/query-tests/Documentation/DocumentApi/comment_prototypes.c index bb05ef8c015..398e84f6f6a 100644 --- a/cpp/ql/test/query-tests/Documentation/DocumentApi/comment_prototypes.c +++ b/cpp/ql/test/query-tests/Documentation/DocumentApi/comment_prototypes.c @@ -26,12 +26,12 @@ void proto5(void) { int i2; int i3; } -void proto6(void) { +void proto6(void) { // $ Alert int i1; int i2; int i3; } -void proto7(void) { +void proto7(void) { // $ Alert int i1; int i2; int i3; @@ -42,17 +42,17 @@ void proto8(void) { int i2; int i3; } -void proto9(void) { +void proto9(void) { // $ Alert int i1; int i2; int i3; } -void proto10(void) { +void proto10(void) { // $ Alert int i1; int i2; int i3; } -void proto11(void) { +void proto11(void) { // $ Alert int i1; int i2; int i3; @@ -63,7 +63,7 @@ void proto12(void) { int i2; int i3; } -void proto13(void) { +void proto13(void) { // $ Alert int i1; int i2; int i3; diff --git a/cpp/ql/test/query-tests/Documentation/DocumentApi/definition.c b/cpp/ql/test/query-tests/Documentation/DocumentApi/definition.c index 1894482d62f..650bac038a0 100644 --- a/cpp/ql/test/query-tests/Documentation/DocumentApi/definition.c +++ b/cpp/ql/test/query-tests/Documentation/DocumentApi/definition.c @@ -1,5 +1,5 @@ -void f1(void) { +void f1(void) { // $ Alert int x1; int x2; int x3; @@ -29,7 +29,7 @@ void f5(void) { int x3; } -void f6(void) { +void f6(void) { // $ Alert int x1; int x2; int x3; diff --git a/cpp/ql/test/query-tests/Documentation/TodoComments/FixmeComments.qlref b/cpp/ql/test/query-tests/Documentation/TodoComments/FixmeComments.qlref index 8392f493657..b81e1a2fcbe 100644 --- a/cpp/ql/test/query-tests/Documentation/TodoComments/FixmeComments.qlref +++ b/cpp/ql/test/query-tests/Documentation/TodoComments/FixmeComments.qlref 
@@ -1 +1,2 @@ -Documentation/FixmeComments.ql +query: Documentation/FixmeComments.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Documentation/TodoComments/TodoComments.qlref b/cpp/ql/test/query-tests/Documentation/TodoComments/TodoComments.qlref index bb57dbe50ce..9bee8d3dbfb 100644 --- a/cpp/ql/test/query-tests/Documentation/TodoComments/TodoComments.qlref +++ b/cpp/ql/test/query-tests/Documentation/TodoComments/TodoComments.qlref @@ -1 +1,2 @@ -Documentation/TodoComments.ql +query: Documentation/TodoComments.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Documentation/TodoComments/todo.c b/cpp/ql/test/query-tests/Documentation/TodoComments/todo.c index da16a664092..e20f4be9754 100644 --- a/cpp/ql/test/query-tests/Documentation/TodoComments/todo.c +++ b/cpp/ql/test/query-tests/Documentation/TodoComments/todo.c @@ -1,14 +1,14 @@ -/* TODO This is a simple to do comment */ +/* TODO This is a simple to do comment */ // $ Alert[cpp/todo-comment] -/* TODO */ +/* TODO */ // $ Alert[cpp/todo-comment] /* TODO This is a - * multi-line comment */ + * multi-line comment */ // $ Alert[cpp/todo-comment] /* Some comment * TODO This is a mid-comment - * multi-line comment */ + * multi-line comment */ // $ Alert[cpp/todo-comment] /* Some comment * with a TODO This is a mid-comment mid-line @@ -18,9 +18,9 @@ * TODO This is a mid-comment * multi-line comment with two * TODO comments - * inside it */ + * inside it */ // $ Alert[cpp/todo-comment] -/* TODO This comment mentions TODO in its body too */ +/* TODO This comment mentions TODO in its body too */ // $ Alert[cpp/todo-comment] -// TODO: Can have C++-style comments too +// TODO: Can have C++-style comments too // $ Alert[cpp/todo-comment] diff --git a/cpp/ql/test/query-tests/Documentation/TodoComments/todo_fixme.cpp b/cpp/ql/test/query-tests/Documentation/TodoComments/todo_fixme.cpp index 5162d68f39a..a5563e803eb 100644 
--- a/cpp/ql/test/query-tests/Documentation/TodoComments/todo_fixme.cpp +++ b/cpp/ql/test/query-tests/Documentation/TodoComments/todo_fixme.cpp @@ -1,13 +1,13 @@ -// TODO: Thing 1. -/* TODO: Thing 2. */ +// TODO: Thing 1. // $ Alert[cpp/todo-comment] +/* TODO: Thing 2. */ // $ Alert[cpp/todo-comment] /** * TODO: Thing 3. - */ + */ // $ Alert[cpp/todo-comment] // For more things, read the /usr/local/doc/TODO file. -// FIXME: Bug 1. -/* FIXME: Bug 2. */ +// FIXME: Bug 1. // $ Alert[cpp/fixme-comment] +/* FIXME: Bug 2. */ // $ Alert[cpp/fixme-comment] /** * FIXME: Bug 3. - */ + */ // $ Alert[cpp/fixme-comment] // For more bugs, read the /usr/local/doc/FIXME file. diff --git a/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/Cleanup-DuplicateIncludeGuard.qlref b/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/Cleanup-DuplicateIncludeGuard.qlref index 1e431289b17..d179ad8e238 100644 --- a/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/Cleanup-DuplicateIncludeGuard.qlref +++ b/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/Cleanup-DuplicateIncludeGuard.qlref @@ -1 +1,2 @@ -Header Cleanup/Cleanup-DuplicateIncludeGuard.ql \ No newline at end of file +query: Header Cleanup/Cleanup-DuplicateIncludeGuard.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header1.h b/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header1.h index a0fa07dbb50..7de21f0b2b3 100644 --- a/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header1.h +++ b/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header1.h @@ -1,6 +1,6 @@ // header1.h -#ifndef INCLUDED_HEADER1 +#ifndef INCLUDED_HEADER1 // $ Alert #define INCLUDED_HEADER1 // ... 
diff --git a/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header2.h b/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header2.h index 9e4ad972812..cf39b45c0fa 100644 --- a/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header2.h +++ b/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header2.h @@ -1,6 +1,6 @@ // header2.h -#ifndef INCLUDED_HEADER1 // oops! +#ifndef INCLUDED_HEADER1 // oops! // $ Alert #define INCLUDED_HEADER1 // ... diff --git a/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header4.h b/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header4.h index 57b36896ebd..a3e19a07615 100644 --- a/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header4.h +++ b/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header4.h @@ -1,6 +1,6 @@ // header4.h -#ifndef INCLUDED_HEADER4 +#ifndef INCLUDED_HEADER4 // $ Alert #define INCLUDED_HEADER4 // ... diff --git a/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header6.h b/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header6.h index 2148e608917..89c2abaa331 100644 --- a/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header6.h +++ b/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header6.h @@ -1,6 +1,6 @@ // header6.h -#ifndef INCLUDED_HEADER6 +#ifndef INCLUDED_HEADER6 // $ Alert #define INCLUDED_HEADER6 // ... diff --git a/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header7.h b/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header7.h index 4dd8875d69d..d8ea8f603ce 100644 --- a/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header7.h +++ b/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/header7.h 
@@ -1,6 +1,6 @@ // header7.h -#ifndef INCLUDED_HEADER6 // oops! +#ifndef INCLUDED_HEADER6 // oops! // $ Alert #define INCLUDED_HEADER6(x) (x) // ... diff --git a/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/subfolder/header4.h b/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/subfolder/header4.h index c5e44813dcd..566227074b5 100644 --- a/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/subfolder/header4.h +++ b/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/subfolder/header4.h @@ -1,6 +1,6 @@ // header4.h -#ifndef INCLUDED_HEADER4 // duplicate +#ifndef INCLUDED_HEADER4 // duplicate // $ Alert #define INCLUDED_HEADER4 // ... diff --git a/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/subfolder/header5.h b/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/subfolder/header5.h index ed54e7ea68c..8dc0e496ebf 100644 --- a/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/subfolder/header5.h +++ b/cpp/ql/test/query-tests/Header Cleanup/Cleanup-DuplicateIncludeGuard/subfolder/header5.h @@ -1,6 +1,6 @@ // header5.h -#ifndef INCLUDED_HEADER4 // duplicate +#ifndef INCLUDED_HEADER4 // duplicate // $ Alert #define INCLUDED_HEADER4 // ... diff --git a/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 13/LimitedScopeFile/LimitedScopeFile.qlref b/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 13/LimitedScopeFile/LimitedScopeFile.qlref index 5e38f12f938..15b0c53ec24 100644 --- a/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 13/LimitedScopeFile/LimitedScopeFile.qlref +++ b/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 13/LimitedScopeFile/LimitedScopeFile.qlref @@ -1 +1,2 @@ -JPL_C/LOC-3/Rule 13/LimitedScopeFile.ql +query: JPL_C/LOC-3/Rule 13/LimitedScopeFile.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 13/LimitedScopeFile/file1.c b/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 13/LimitedScopeFile/file1.c index 96e8dc7ce86..b1a66e8f312 100644 --- a/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 13/LimitedScopeFile/file1.c +++ b/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 13/LimitedScopeFile/file1.c @@ -1,6 +1,6 @@ // file1.c -int globalInt1; // BAD [only accessed in this file] +int globalInt1; // BAD [only accessed in this file] // $ Alert int globalInt2; // GOOD [accessed in file1.c and file2.c] int globalInt3; // GOOD [referenced in file1.h] int globalInt4; // GOOD [only accessed in one function, should be function scope instead] diff --git a/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 13/LimitedScopeFunction/LimitedScopeFunction.qlref b/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 13/LimitedScopeFunction/LimitedScopeFunction.qlref index c5e632ca9b6..26d720a2ac8 100644 --- a/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 13/LimitedScopeFunction/LimitedScopeFunction.qlref +++ b/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 13/LimitedScopeFunction/LimitedScopeFunction.qlref @@ -1 +1,2 @@ -JPL_C/LOC-3/Rule 13/LimitedScopeFunction.ql +query: JPL_C/LOC-3/Rule 13/LimitedScopeFunction.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 13/LimitedScopeFunction/test.c b/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 13/LimitedScopeFunction/test.c index a2089446ca7..80e7993e4f4 100644 --- a/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 13/LimitedScopeFunction/test.c +++ b/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 13/LimitedScopeFunction/test.c 
@@ -5,9 +5,9 @@ int globalInt1; // GOOD [used in func1, func2] int globalInt2; // GOOD [used in func1, func2] int globalInt3; // GOOD [used in func1, func2] -int globalInt4; // BAD [only used in func1] -int globalInt5; // BAD [only used in func1] -int globalInt6; // BAD [only used in func1] +int globalInt4; // BAD [only used in func1] // $ Alert +int globalInt5; // BAD [only used in func1] // $ Alert +int globalInt6; // BAD [only used in func1] // $ Alert int globalInt7; // GOOD [not used, should be reported by another query] int globalInt8; // GOOD [used at file level] int *addrGlobalInt8 = &globalInt8; // GOOD [used in func1, func2] diff --git a/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 17/BasicIntTypes.qlref b/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 17/BasicIntTypes.qlref index 687711a321c..e1e64db86c7 100644 --- a/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 17/BasicIntTypes.qlref +++ b/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 17/BasicIntTypes.qlref @@ -1 +1,2 @@ -JPL_C/LOC-3/Rule 17/BasicIntTypes.ql +query: JPL_C/LOC-3/Rule 17/BasicIntTypes.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 17/test.c b/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 17/test.c index 2becb75d916..ef0f79598fb 100644 --- a/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 17/test.c +++ b/cpp/ql/test/query-tests/JPL_C/LOC-3/Rule 17/test.c @@ -3,7 +3,7 @@ typedef uint8_t U8; typedef U8 something_else; void test1(U8* xptr) { } void test2(U8 x) { } -void test3(unsigned char x) { } +void test3(unsigned char x) { } // $ Alert void test4(uint8_t x){ } void test5(something_else x){ } static U8 test6; diff --git a/cpp/ql/test/query-tests/JPL_C/LOC-4/Rule 29/NonConstFunctionPointer/NonConstFunctionPointer.qlref b/cpp/ql/test/query-tests/JPL_C/LOC-4/Rule 29/NonConstFunctionPointer/NonConstFunctionPointer.qlref index 80637efae7a..256adc1b4f8 100644 --- a/cpp/ql/test/query-tests/JPL_C/LOC-4/Rule 29/NonConstFunctionPointer/NonConstFunctionPointer.qlref 
+++ b/cpp/ql/test/query-tests/JPL_C/LOC-4/Rule 29/NonConstFunctionPointer/NonConstFunctionPointer.qlref @@ -1 +1,2 @@ -JPL_C/LOC-4/Rule 29/NonConstFunctionPointer.ql +query: JPL_C/LOC-4/Rule 29/NonConstFunctionPointer.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/JPL_C/LOC-4/Rule 29/NonConstFunctionPointer/test.c b/cpp/ql/test/query-tests/JPL_C/LOC-4/Rule 29/NonConstFunctionPointer/test.c index 9999d95be10..5e721206670 100644 --- a/cpp/ql/test/query-tests/JPL_C/LOC-4/Rule 29/NonConstFunctionPointer/test.c +++ b/cpp/ql/test/query-tests/JPL_C/LOC-4/Rule 29/NonConstFunctionPointer/test.c @@ -15,7 +15,7 @@ void test() funPtr2 = &myFunc2; //funPtr3 = &myFunc2; --- this would be a compilation error - funPtr1(); // BAD - funPtr2(); // BAD - funPtr3(); // GOOD [FALSE POSITIVE] + funPtr1(); // BAD // $ Alert + funPtr2(); // BAD // $ Alert + funPtr3(); // GOOD [FALSE POSITIVE] // $ Alert } diff --git a/cpp/ql/test/query-tests/JPL_C/LOC-4/Rule 30/FunctionPointerConversions/FunctionPointerConversions.qlref b/cpp/ql/test/query-tests/JPL_C/LOC-4/Rule 30/FunctionPointerConversions/FunctionPointerConversions.qlref index 48e8f90bf59..803c795dc84 100644 --- a/cpp/ql/test/query-tests/JPL_C/LOC-4/Rule 30/FunctionPointerConversions/FunctionPointerConversions.qlref +++ b/cpp/ql/test/query-tests/JPL_C/LOC-4/Rule 30/FunctionPointerConversions/FunctionPointerConversions.qlref @@ -1 +1,2 @@ -JPL_C/LOC-4/Rule 30/FunctionPointerConversions.ql +query: JPL_C/LOC-4/Rule 30/FunctionPointerConversions.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/JPL_C/LOC-4/Rule 30/FunctionPointerConversions/test.c b/cpp/ql/test/query-tests/JPL_C/LOC-4/Rule 30/FunctionPointerConversions/test.c index a36c9f396fe..73a8aad87bd 100644 --- a/cpp/ql/test/query-tests/JPL_C/LOC-4/Rule 30/FunctionPointerConversions/test.c +++ b/cpp/ql/test/query-tests/JPL_C/LOC-4/Rule 30/FunctionPointerConversions/test.c 
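Review bot: In `test()` the new line `funPtr3(); // GOOD [FALSE POSITIVE] // $ Alert` records a known false positive as an ordinary expected alert, so the inline expectation no longer distinguishes it from the two genuine `BAD` calls above it. The inline-expectations format has a marker for this case; I would write `funPtr3(); // GOOD [FALSE POSITIVE] // $ SPURIOUS: Alert` so the result stays recorded as a defect of the query rather than as wanted behaviour. The same seems to apply to `return (a + b < a); // GOOD: b is automatically promoted to unsigned int // $ Alert[cpp/comparison-canceling-subexpr]` in `checkOverflow3` of BadAdditionOverflowCheck/test.cpp (hunk `@@ -105,7 +105,7 @@`), if that result is indeed unwanted. The body of `test()` starts outside the hunk.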
@@ -8,14 +8,14 @@ void test() { void (*funPtr1)() = &myFunc1; // GOOD voidFunPtr funPtr2 = &myFunc1; // GOOD - int *intPtr = &myFunc1; // BAD (function pointer -> int pointer) - void *voidPtr = &myFunc1; // BAD (function pointer -> void pointer) + int *intPtr = &myFunc1; // BAD (function pointer -> int pointer) // $ Alert + void *voidPtr = &myFunc1; // BAD (function pointer -> void pointer) // $ Alert int i = &myFunc1; // GOOD (permitted) funPtr1 = funPtr1; // GOOD funPtr2 = funPtr1; // GOOD - intPtr = funPtr1; // BAD (function pointer -> int pointer) - voidPtr = funPtr1; // BAD (function pointer -> void pointer) + intPtr = funPtr1; // BAD (function pointer -> int pointer) // $ Alert + voidPtr = funPtr1; // BAD (function pointer -> void pointer) // $ Alert i = funPtr1; // GOOD (permitted) funPtr1 = funPtr2; // GOOD @@ -26,7 +26,7 @@ void test() funPtr1 = (void (*)())funPtr1; // GOOD funPtr2 = (voidFunPtr)funPtr1; // GOOD - intPtr = (int *)funPtr1; // BAD (function pointer -> int pointer) - voidPtr = (void *)funPtr1; // BAD (function pointer -> void pointer) + intPtr = (int *)funPtr1; // BAD (function pointer -> int pointer) // $ Alert + voidPtr = (void *)funPtr1; // BAD (function pointer -> void pointer) // $ Alert i = (int)funPtr1; // GOOD (permitted) } diff --git a/cpp/ql/test/query-tests/Likely Bugs/AmbiguouslySignedBitField/AmbiguouslySignedBitField.qlref b/cpp/ql/test/query-tests/Likely Bugs/AmbiguouslySignedBitField/AmbiguouslySignedBitField.qlref index 78378f7b299..c2826b9bade 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/AmbiguouslySignedBitField/AmbiguouslySignedBitField.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/AmbiguouslySignedBitField/AmbiguouslySignedBitField.qlref @@ -1 +1,2 @@ -Likely Bugs/AmbiguouslySignedBitField.ql +query: Likely Bugs/AmbiguouslySignedBitField.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/AmbiguouslySignedBitField/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/AmbiguouslySignedBitField/test.cpp index 19aa4ef2e64..7f2453b942d 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/AmbiguouslySignedBitField/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/AmbiguouslySignedBitField/test.cpp @@ -9,18 +9,18 @@ enum myEnum { }; struct { - int nosign : 2; // BAD + int nosign : 2; // BAD // $ Alert signed int sign1 : 2; // GOOD unsigned int sign2 : 2; // GOOD signed sign3: 2; // GOOD unsigned sign4 : 2; // GOOD BOOL typedefbool: 2; // GOOD bool cppbool : 2; // GOOD - char nosignchar : 2; // BAD - short nosignshort : 2; // BAD - myAmbiguousType nosigntypedef : 2; // BAD + char nosignchar : 2; // BAD // $ Alert + short nosignshort : 2; // BAD // $ Alert + myAmbiguousType nosigntypedef : 2; // BAD // $ Alert mySignedType signedtypedef : 2; // GOOD - const int nosignconst : 2; // BAD + const int nosignconst : 2; // BAD // $ Alert const signed int signedconst : 2; myEnum nosignenum : 2; const myEnum constnosignenum : 2; diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/BadAdditionOverflowCheck.qlref b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/BadAdditionOverflowCheck.qlref index ae8cc803b69..75f106ffa07 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/BadAdditionOverflowCheck.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/BadAdditionOverflowCheck.qlref @@ -1 +1,2 @@ -Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql +query: Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/ComparisonWithCancelingSubExpr.qlref b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/ComparisonWithCancelingSubExpr.qlref
index d17e547e8e6..153457ea990 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/ComparisonWithCancelingSubExpr.qlref
+++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/ComparisonWithCancelingSubExpr.qlref
@@ -1 +1,2 @@
-Likely Bugs/Arithmetic/ComparisonWithCancelingSubExpr.ql
+query: Likely Bugs/Arithmetic/ComparisonWithCancelingSubExpr.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/PointlessSelfComparison.qlref b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/PointlessSelfComparison.qlref
index 92873b89759..55be0938e34 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/PointlessSelfComparison.qlref
+++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/PointlessSelfComparison.qlref
@@ -1 +1,2 @@
-Likely Bugs/Arithmetic/PointlessSelfComparison.ql
+query: Likely Bugs/Arithmetic/PointlessSelfComparison.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/SignedOverflowCheck.cpp b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/SignedOverflowCheck.cpp
index e359fb098eb..31d27420906 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/SignedOverflowCheck.cpp
+++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/SignedOverflowCheck.cpp
@@ -5,7 +5,7 @@ bool cannotHoldAnother8(int n1) { // clang 8.0.0 -O2: deleted (silently) // gcc 9.2 -O2: deleted (silently) // msvc 19.22 /O2: not deleted - return n1 + 8 < n1; // BAD + return n1 + 8 < n1; // BAD // $ Alert[cpp/signed-overflow-check] } /* 2. Signed comparison with a narrower unsigned type. The narrower @@ -15,7 +15,7 @@ bool cannotHoldAnotherUShort(int n1, unsigned short delta) { // clang 8.0.0 -O2: deleted (silently) // gcc 9.2 -O2: deleted (silently) // msvc 19.22 /O2: not deleted - return n1 + delta < n1; // BAD + return n1 + delta < n1; // BAD // $ Alert[cpp/signed-overflow-check] } /* 3. Signed comparison with a non-narrower unsigned type. The @@ -32,7 +32,7 @@ bool shortShort1(unsigned short n1, unsigned short delta) { // BAD [BadAdditionOverflowCheck.ql] // GOOD [SigneOverflowCheck.ql]: Test always fails, but will never overflow. - return n1 + delta < n1; + return n1 + delta < n1; // $ Alert[cpp/bad-addition-overflow-check] } bool shortShort2(unsigned short n1, unsigned short delta) { @@ -70,7 +70,7 @@ extern se *getSo(void); bool func1(se *so) { se *o = getSo(); - if (so->xPos + so->xSize < so->xPos // BAD + if (so->xPos + so->xSize < so->xPos // BAD // $ Alert[cpp/signed-overflow-check] || so->xPos > o->xPos + o->xSize) { // GOOD // clang 8.0.0 -O2: not deleted // gcc 9.2 -O2: not deleted @@ -96,7 +96,7 @@ int checkOverflow4(unsigned int ioff, C c) { int overflow12(int n) { // not deleted by gcc or clang - return (n + 32 <= (unsigned)n? -1: 1); // BAD: n + 32 can overflow + return (n + 32 <= (unsigned)n? -1: 1); // BAD: n + 32 can overflow // $ Alert[cpp/signed-overflow-check] } bool multipleCasts(char x) { 
@@ -110,7 +110,7 @@ bool multipleCasts2(char x) { // BAD [BadAdditionOverflowCheck.ql] // GOOD [SigneOverflowCheck.ql]: Test always fails, but will never overflow. - return (int)(unsigned short)(x + '1') < (int)(unsigned short)x; + return (int)(unsigned short)(x + '1') < (int)(unsigned short)x; // $ Alert[cpp/bad-addition-overflow-check] } int does_it_overflow(int n1, unsigned short delta) { @@ -119,7 +119,7 @@ int does_it_overflow(int n1, unsigned short delta) { int overflow12b(int n) { // not deleted by gcc or clang - return ((unsigned)(n + 32) <= (unsigned)n? -1: 1); // BAD: n + 32 may overflow + return ((unsigned)(n + 32) <= (unsigned)n? -1: 1); // BAD: n + 32 may overflow // $ Alert[cpp/signed-overflow-check] } #define MACRO(E1, E2) (E1) <= (E2)? -1: 1 diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/SignedOverflowCheck.qlref b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/SignedOverflowCheck.qlref index dde64840202..a8d760f993f 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/SignedOverflowCheck.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/SignedOverflowCheck.qlref @@ -1 +1,2 @@ -Likely Bugs/Arithmetic/SignedOverflowCheck.ql +query: Likely Bugs/Arithmetic/SignedOverflowCheck.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/templates.cpp b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/templates.cpp index 7aa83440fd5..546ff7488fc 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/templates.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/templates.cpp 
@@ -14,7 +14,7 @@ bool compareValues() { return T1::value < T2::value || // GOOD T1::value < T1::value || // BAD [NOT DETECTED] - C1::value < C1::value ; // BAD + C1::value < C1::value ; // BAD // $ Alert[cpp/comparison-of-identical-expressions] } bool callCompareValues() { diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/test.cpp index e36956f9c69..af3462aaee8 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadAdditionOverflowCheck/test.cpp @@ -1,6 +1,6 @@ // Test for BadAdditionOverflowCheck. bool checkOverflow1(unsigned short a, unsigned short b) { - return (a + b < a); // BAD: comparison always false (due to promotion). + return (a + b < a); // BAD: comparison always false (due to promotion). // $ Alert[cpp/bad-addition-overflow-check] } // Test for BadAdditionOverflowCheck. @@ -10,7 +10,7 @@ bool checkOverflow2(unsigned short a, unsigned short b) { // Test for PointlessSelfComparison. bool selfCmp1(int x) { - return (x == (int)x); // BAD: always returns true. + return (x == (int)x); // BAD: always returns true. // $ Alert[cpp/comparison-of-identical-expressions] } // Test for PointlessSelfComparison. @@ -26,8 +26,8 @@ bool isnan(double x) { // Tests for ComparisonWithCancelingSubExpr. void cmpWithCancelingVar1(unsigned short x, unsigned short y, unsigned short z) { bool b; - b = x + y < x + z; // BAD: x can be canceled - b = x + y - x < z; // BAD: x can be canceled + b = x + y < x + z; // BAD: x can be canceled // $ Alert[cpp/comparison-canceling-subexpr] + b = x + y - x < z; // BAD: x can be canceled // $ Alert[cpp/comparison-canceling-subexpr] b = 2*x + y < 2*x + z; // BAD: x can be canceled b = 3*x + y - 2*x < z + x; // BAD: x can be canceled b = (-x) - (+x) < z - 2*x; // BAD: x can be canceled 
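Review bot: The context line `T1::value < T1::value || // BAD [NOT DETECTED]` in `compareValues()` is a known miss that gets no annotation, while the line directly below it gains `// $ Alert[cpp/comparison-of-identical-expressions]`. With the expectations now inline, I would mark it `// $ MISSING: Alert[cpp/comparison-of-identical-expressions]`, so the false negative is recorded in the expectation itself rather than only in free text. The same holds for the three `// BAD: x can be canceled` lines left unannotated in `cmpWithCancelingVar1` in test.cpp (hunk `@@ -26,8 +26,8 @@`), which presumably are not reported either, and for the `[NOT DETECTED]` lines in IntMultToLong.c. `compareValues()` starts outside the hunk.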
@@ -76,18 +76,18 @@ bool cmpWithCancelingVar3(int x) { bool selfCmp3(unsigned short x) { x++; - return (x == (unsigned short)x); // BAD: always returns true. + return (x == (unsigned short)x); // BAD: always returns true. // $ Alert[cpp/comparison-of-identical-expressions] } bool selfCmp4(int x) { - while (x == x) // BAD: always returns true. + while (x == x) // BAD: always returns true. // $ Alert[cpp/comparison-of-identical-expressions] { x = x + 1; } } bool selfCmp5(int x) { - while (x == x) // BAD: always returns true. [NOT DETECTED] + while (x == x) // BAD: always returns true. [NOT DETECTED] // $ Alert[cpp/comparison-of-identical-expressions] { x++; } @@ -105,7 +105,7 @@ bool checkOverflow3(unsigned int a, unsigned short b) { return false; } - return (a + b < a); // GOOD: b is automatically promoted to unsigned int + return (a + b < a); // GOOD: b is automatically promoted to unsigned int // $ Alert[cpp/comparison-canceling-subexpr] } // We imagine that the next two lines come from a platform-specific header. @@ -115,7 +115,7 @@ typedef unsigned long long size_t; int isSmallEnough(unsigned long long x) { // The cast is to the same syntactic type, and there is no macro involved. // That makes the cast redundant, and therefore the comparison is redundant. - if ((unsigned long long)x != x) { // BAD + if ((unsigned long long)x != x) { // BAD // $ Alert[cpp/comparison-of-identical-expressions] return 0; } // These comparisons are pointless on the platform where this test runs, but @@ -148,5 +148,5 @@ void useMarkRange(int offs) { #define MY_MACRO(x) (x) void myMacroTest(int x) { - MY_MACRO(x == x); // BAD + MY_MACRO(x == x); // BAD // $ Alert[cpp/comparison-of-identical-expressions] } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadCheckOdd/BadCheckOdd.qlref b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadCheckOdd/BadCheckOdd.qlref index 14c3e5c97e1..544f107b3ff 100644 
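Review bot: In `selfCmp5` the new line reads `while (x == x) // BAD: always returns true. [NOT DETECTED] // $ Alert[cpp/comparison-of-identical-expressions]`, so the free-text marker and the added expectation contradict each other. If the query does report this loop, the stale marker should be dropped: `while (x == x) // BAD: always returns true. // $ Alert[cpp/comparison-of-identical-expressions]`. If it does not, the annotation should instead be `// $ MISSING: Alert[cpp/comparison-of-identical-expressions]`.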
--- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadCheckOdd/BadCheckOdd.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadCheckOdd/BadCheckOdd.qlref @@ -1 +1,2 @@ -Likely Bugs/Arithmetic/BadCheckOdd.ql +query: Likely Bugs/Arithmetic/BadCheckOdd.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadCheckOdd/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadCheckOdd/test.cpp index 14d030f14ef..2d5dbab0906 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadCheckOdd/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BadCheckOdd/test.cpp @@ -1,5 +1,5 @@ int test1(int x) { - return x % 2 == 1; // BAD + return x % 2 == 1; // BAD // $ Alert } int test2(unsigned int x) { @@ -7,7 +7,7 @@ int test2(unsigned int x) { } int test3(short x) { - return x % 2 == 1; // BAD + return x % 2 == 1; // BAD // $ Alert } int test4(unsigned short x) { diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BitwiseSignCheck/BitwiseSignCheck.qlref b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BitwiseSignCheck/BitwiseSignCheck.qlref index 27d5a87962e..0a74257ab6e 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BitwiseSignCheck/BitwiseSignCheck.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BitwiseSignCheck/BitwiseSignCheck.qlref @@ -1 +1,2 @@ -Likely Bugs/Arithmetic/BitwiseSignCheck.ql \ No newline at end of file +query: Likely Bugs/Arithmetic/BitwiseSignCheck.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BitwiseSignCheck/bsc.cpp b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BitwiseSignCheck/bsc.cpp index 8aab27bcf4d..a869af36612 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BitwiseSignCheck/bsc.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/BitwiseSignCheck/bsc.cpp 
@@ -1,9 +1,9 @@ bool is_bit_set_v1(int x, int bitnum) { - return (x & (1 << bitnum)) > 0; // BAD + return (x & (1 << bitnum)) > 0; // BAD // $ Alert } bool is_bit_set_v2(int x, int bitnum) { - return ((1 << bitnum) & x) > 0; // BAD + return ((1 << bitnum) & x) > 0; // BAD // $ Alert } bool plain_wrong(int x, int bitnum) { @@ -15,11 +15,11 @@ bool is_bit24_set(int x) { } bool is_bit31_set_bad_v1(int x) { - return (x & (1 << 31)) > 0; // BAD + return (x & (1 << 31)) > 0; // BAD // $ Alert } bool is_bit31_set_bad_v2(int x) { - return 0 < (x & (1 << 31)); // BAD + return 0 < (x & (1 << 31)); // BAD // $ Alert } bool is_bit31_set_good(int x) { diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/ComparisonPrecedence/ComparisonPrecedence.qlref b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/ComparisonPrecedence/ComparisonPrecedence.qlref index 1fd4cfa3e18..1ffebc3c0cb 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/ComparisonPrecedence/ComparisonPrecedence.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/ComparisonPrecedence/ComparisonPrecedence.qlref @@ -1 +1,2 @@ -Likely Bugs/Arithmetic/ComparisonPrecedence.ql +query: Likely Bugs/Arithmetic/ComparisonPrecedence.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/ComparisonPrecedence/template.cpp b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/ComparisonPrecedence/template.cpp index 37280b8da75..8898124b566 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/ComparisonPrecedence/template.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/ComparisonPrecedence/template.cpp @@ -1,7 +1,7 @@ template void templateFunc1(T x, T y, T z) { - if (x < y < z) {} // BAD (though dubious as we can imagine other instantiations using an overloaded `operator<`) + if (x < y < z) {} // BAD (though dubious as we can imagine other instantiations using an overloaded `operator<`) // $ Alert if (x < y && y < z) {} // GOOD }; 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/ComparisonPrecedence/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/ComparisonPrecedence/test.cpp index 3a82d5c37d5..73ff07e6bbc 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/ComparisonPrecedence/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/ComparisonPrecedence/test.cpp @@ -39,19 +39,19 @@ public: void test1(int x, int y, int z) { // built-in comparison - if (x < y < z) {} // BAD - if (x > y > z) {} // BAD - if (x <= y <= z) {} // BAD - if (x <= y <= z) {} // BAD - if (x < y > z) {} // BAD + if (x < y < z) {} // BAD // $ Alert + if (x > y > z) {} // BAD // $ Alert + if (x <= y <= z) {} // BAD // $ Alert + if (x <= y <= z) {} // BAD // $ Alert + if (x < y > z) {} // BAD // $ Alert if ((x < y) && (y < z)) {} // GOOD if (x < y && y < z) {} // GOOD - if ((x + 1) < (y + 1) < (z + 1)) {} // BAD - if (x < x + y < z) {} // BAD + if ((x + 1) < (y + 1) < (z + 1)) {} // BAD // $ Alert + if (x < x + y < z) {} // BAD // $ Alert if ((x < y) < z) {} // GOOD (this is deliberately allowed) - if (!(x < y < z)) {} // BAD + if (!(x < y < z)) {} // BAD // $ Alert // overloaded comparison { diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/FloatComparison/FloatComparison.qlref b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/FloatComparison/FloatComparison.qlref index 7a65c3a0dee..2984d2c1968 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/FloatComparison/FloatComparison.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/FloatComparison/FloatComparison.qlref @@ -1 +1,2 @@ -Likely Bugs/Arithmetic/FloatComparison.ql +query: Likely Bugs/Arithmetic/FloatComparison.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/FloatComparison/c.c b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/FloatComparison/c.c index 9cf59f342c0..5b78d4d4aa7 100644 
--- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/FloatComparison/c.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/FloatComparison/c.c @@ -7,13 +7,13 @@ void c_f(void) { x == 3.0; 3.0 == x; x == x; - x == y; + x == y; // $ Alert g() == 3.0; 3.0 == g(); - g() == g(); + g() == g(); // $ Alert - x == g(); - g() == x; + x == g(); // $ Alert + g() == x; // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/Buildless.c b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/Buildless.c index 3d01a28fae0..57b04c28b82 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/Buildless.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/Buildless.c @@ -3,7 +3,7 @@ void test_float_double1(float f, double d) { float r1 = f * f; // GOOD float r2 = f * d; // GOOD - double r3 = f * f; // BAD + double r3 = f * f; // BAD // $ Alert double r4 = f * d; // GOOD float f1 = fabsf(f * f); // GOOD @@ -18,7 +18,7 @@ float fabsf(float f); void test_float_double2(float f, double d) { float r1 = f * f; // GOOD float r2 = f * d; // GOOD - double r3 = f * f; // BAD + double r3 = f * f; // BAD // $ Alert double r4 = f * d; // GOOD float f1 = fabsf(f * f); // GOOD diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.c b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.c index 7639c76bd8f..c8d396d1da5 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.c 
@@ -1,10 +1,10 @@ long long f(short x, int y, long long z) { y == x * x; // safe y == x * (int)x; // safe - z == y * x; // unsafe + z == y * x; // unsafe // $ Alert z == (long long)(y * x); // we assume the user knows what they are doing if(x == 56) - return y * y; // unsafe + return y * y; // unsafe // $ Alert if(x == 56) return (long long)(y * y); // we assume the user knows what they are doing return 42 * 23; // safe @@ -15,10 +15,10 @@ void int_float(int i, int j, long long ll, float f, float g, double h, char c) { // but the target type does not imply that the developer anticipates one as with // an int -> long long conversion. We should therefore not flag these cases. - double v1_1 = f * g; // unsafe (float -> double) + double v1_1 = f * g; // unsafe (float -> double) // $ Alert double v1_2 = f * (double)g; // safe - double v2_1 = (i + j) * f; // unsafe (float -> double) + double v2_1 = (i + j) * f; // unsafe (float -> double) // $ Alert double v2_2 = (i + j) * (double)f; // safe double v3_1 = i * j; // dubious (int -> double) @@ -35,7 +35,7 @@ void int_float(int i, int j, long long ll, float f, float g, double h, char c) { int v6_1 = f * g; // safe (float -> int) int v6_2 = (int)f * g; // safe - double v7_1 = f * f; // unsafe (float -> double) + double v7_1 = f * f; // unsafe (float -> double) // $ Alert double v7_2 = h * h; // safe double v7_3 = (f * f); // unsafe (float -> double) [NOT DETECTED] 
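Review bot: The context line `double v7_3 = (f * f); // unsafe (float -> double) [NOT DETECTED]` in the `@@ -35,7 +35,7 @@` hunk of IntMultToLong.c is a documented miss that gets no inline expectation. After this conversion the known false negative is recorded only in free text. If the `MISSING:` marker of the inline-expectations framework is usable here, `// $ MISSING: Alert` on that line would make the gap machine-checked. The same applies to the `[NOT DETECTED]` lines for `v13_1` and the `ulong5` assignments in the later hunks of this file. The body of `int_float` starts and ends outside the hunk.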
@@ -56,11 +56,11 @@ void int_float(int i, int j, long long ll, float f, float g, double h, char c) { float v12_2 = 1.0f + f * f + f * f; // safe double v13_1 = f * f * 2.0; // unsafe (float -> double) [NOT DETECTED] - double v13_2 = f * f * 2.0f; // unsafe (float -> double) + double v13_2 = f * f * 2.0f; // unsafe (float -> double) // $ Alert - long long v14_1 = i * (i + 2) + ll; // unsafe (int -> long long) + long long v14_1 = i * (i + 2) + ll; // unsafe (int -> long long) // $ Alert long long v14_2 = i * (i + 2ll) * ll; // safe - long long v14_3 = i * (i + (int)2ll) + ll; // unsafe (int -> long long) + long long v14_3 = i * (i + (int)2ll) + ll; // unsafe (int -> long long) // $ Alert } typedef unsigned long long size_t; @@ -72,7 +72,7 @@ void use_size_t(int W, int H) int y = 20; const int vs[] = {10, 20}; - malloc(W * H); // unsafe (int -> size_t) + malloc(W * H); // unsafe (int -> size_t) // $ Alert malloc((size_t)W * (size_t)H); // safe malloc(10 * 20); // safe (small values) 
@@ -96,16 +96,16 @@ size_t three_chars(unsigned char a, unsigned char b, unsigned char c) { void g(unsigned char uchar1, unsigned char uchar2, unsigned char uchar3, int i) { unsigned long ulong1, ulong2, ulong3, ulong4, ulong5; ulong1 = (uchar1 + 1) * (uchar2 + 1); // GOOD - ulong2 = (i + 1) * (uchar2 + 1); // BAD + ulong2 = (i + 1) * (uchar2 + 1); // BAD // $ Alert ulong3 = (uchar1 + 1) * (uchar2 + 1) * (uchar3 + 1); // GOOD ulong4 = (uchar1 + (uchar1 + 1)) * (uchar2 + 1); // GOOD - ulong5 = (i + (uchar1 + 1)) * (uchar2 + 1); // BAD + ulong5 = (i + (uchar1 + 1)) * (uchar2 + 1); // BAD // $ Alert ulong5 = (uchar1 + 1073741824) * uchar2; // BAD [NOT DETECTED] ulong5 = (uchar1 + (1 << 30)) * uchar2; // BAD [NOT DETECTED] ulong5 = uchar1 * uchar1 * uchar1 * uchar2 * uchar2 * uchar2; // BAD [NOT DETECTED] - ulong5 = (uchar1 + (unsigned short)(-1)) * (uchar2 + (unsigned short)(-1)); // BAD + ulong5 = (uchar1 + (unsigned short)(-1)) * (uchar2 + (unsigned short)(-1)); // BAD // $ Alert } struct A { @@ -116,13 +116,13 @@ struct A { void g2(struct A* a, short n) { unsigned long ulong1, ulong2; ulong1 = (a->s - 1) * ((*a).s + 1); // GOOD - ulong2 = a->i * (*a).i; // BAD + ulong2 = a->i * (*a).i; // BAD // $ Alert } int global_i; unsigned char global_uchar; void g3() { unsigned long ulong1, ulong2; - ulong1 = global_i * global_i; // BAD + ulong1 = global_i * global_i; // BAD // $ Alert ulong2 = (global_uchar + 1) * 2; // GOOD } \ No newline at end of file diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.cpp b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.cpp index 28f22194ff7..4266c3c3af5 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.cpp 
@@ -1,5 +1,5 @@ int i = 2000000000; -long j = i * i; // BAD +long j = i * i; // BAD // $ Alert long k = (long) i * i; // GOOD long l = (long) (i * i); // permitted as the conversion is explicit long m = static_cast (i) * i; // GOOD diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.qlref b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.qlref index d2ced015575..4616a5ea9dc 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.qlref @@ -1 +1,2 @@ -Likely Bugs/Arithmetic/IntMultToLong.ql +query: Likely Bugs/Arithmetic/IntMultToLong.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/ConstVirtual.cpp b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/ConstVirtual.cpp index b04f344c26a..c993f180005 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/ConstVirtual.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/ConstVirtual.cpp @@ -21,7 +21,7 @@ int g(C *c, int i) { return -1; } - if (i > 0) { // BAD + if (i > 0) { // BAD // $ Alert[cpp/constant-comparison] return 1; } else { return 0; diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/PointlessComparison.c b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/PointlessComparison.c index fd1bc655051..71447e6d88d 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/PointlessComparison.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/PointlessComparison.c 
@@ -4,19 +4,19 @@ void myFunction1() { for (i = 0;; i = i+1) { - if (i < 20) result++; - if (i <= 20) result++; - if (i > 20) result++; - if (i >= 20) result++; - if (i == 20) result++; - if (i != 20) result++; + if (i < 20) result++; // $ Alert[cpp/constant-comparison] + if (i <= 20) result++; // $ Alert[cpp/constant-comparison] + if (i > 20) result++; // $ Alert[cpp/constant-comparison] + if (i >= 20) result++; // $ Alert[cpp/constant-comparison] + if (i == 20) result++; // $ Alert[cpp/constant-comparison] + if (i != 20) result++; // $ Alert[cpp/constant-comparison] - if (i < -1) result++; - if (i <= -1) result++; - if (i > -1) result++; - if (i >= -1) result++; - if (i == -1) result++; - if (i != -1) result++; + if (i < -1) result++; // $ Alert[cpp/constant-comparison] + if (i <= -1) result++; // $ Alert[cpp/constant-comparison] + if (i > -1) result++; // $ Alert[cpp/constant-comparison] + if (i >= -1) result++; // $ Alert[cpp/constant-comparison] + if (i == -1) result++; // $ Alert[cpp/constant-comparison] + if (i != -1) result++; // $ Alert[cpp/constant-comparison] if (i < 5) result++; if (i <= 5) result++; 
@@ -35,19 +35,19 @@ void myFunction2() { for (i = 0;; i++) { - if (i < 20) result++; - if (i <= 20) result++; - if (i > 20) result++; - if (i >= 20) result++; - if (i == 20) result++; - if (i != 20) result++; + if (i < 20) result++; // $ Alert[cpp/constant-comparison] + if (i <= 20) result++; // $ Alert[cpp/constant-comparison] + if (i > 20) result++; // $ Alert[cpp/constant-comparison] + if (i >= 20) result++; // $ Alert[cpp/constant-comparison] + if (i == 20) result++; // $ Alert[cpp/constant-comparison] + if (i != 20) result++; // $ Alert[cpp/constant-comparison] - if (i < -1) result++; - if (i <= -1) result++; - if (i > -1) result++; - if (i >= -1) result++; - if (i == -1) result++; - if (i != -1) result++; + if (i < -1) result++; // $ Alert[cpp/constant-comparison] + if (i <= -1) result++; // $ Alert[cpp/constant-comparison] + if (i > -1) result++; // $ Alert[cpp/constant-comparison] + if (i >= -1) result++; // $ Alert[cpp/constant-comparison] + if (i == -1) result++; // $ Alert[cpp/constant-comparison] + if (i != -1) result++; // $ Alert[cpp/constant-comparison] if (i < 5) result++; if (i <= 5) result++; @@ -62,7 +62,7 @@ void myFunction2() { int myFunction3(int i) { if (i < 4) { - if (i < 5) { + if (i < 5) { // $ Alert[cpp/constant-comparison] return 1; } } @@ -100,11 +100,11 @@ int myFunction4() { // Pointless checks for unsigned values being negative int unsignedBounds(unsigned int a, unsigned long b, unsigned long long c) { - if (a < 0) { + if (a < 0) { // $ Alert[cpp/constant-comparison] return 1; } - if (b >= 0) { // UnsignedGEZero - if (b > 0 && c < 0) { // Only the test of c is bad here + if (b >= 0) { // UnsignedGEZero // $ Alert[cpp/unsigned-comparison-zero] + if (b > 0 && c < 0) { // Only the test of c is bad here // $ Alert[cpp/constant-comparison] return 1; } } 
@@ -113,20 +113,20 @@ int unsignedBounds(unsigned int a, unsigned long b, unsigned long long c) { int twoReasons(int a, int b) { if (a <= 0 && b > 5) { - return a < b; + return a < b; // $ Alert[cpp/constant-comparison] } if (a <= 100 && b > 105) { // BUG [Not detected - this clause is always false] - return a > b; + return a > b; // $ Alert[cpp/constant-comparison] } return 0; } int repeatedComparisons(int a) { if (a >= 20) { - return a >= 20; + return a >= 20; // $ Alert[cpp/constant-comparison] } if (a <= 3) { - return a > 3; + return a > 3; // $ Alert[cpp/constant-comparison] } return 0; } @@ -194,7 +194,7 @@ int myFunction5(int x) { i++; } d = i; - if (x < 0) { // Comparison is always false. + if (x < 0) { // Comparison is always false. // $ Alert[cpp/constant-comparison] if (d > -x) { // Unreachable code. return 1; } @@ -239,7 +239,7 @@ void macroExpansionTest() { int x; MAYBE_DO(x = 1); // GOOD (the problem is in the macro) - MAYBE_DO(if (global_setting >= 0) {x = 2;}); // BAD (the problem is in the invocation) + MAYBE_DO(if (global_setting >= 0) {x = 2;}); // BAD (the problem is in the invocation) // $ Alert[cpp/unsigned-comparison-zero] } int overeager_wraparound(unsigned int u32bound, unsigned long long u64bound) { @@ -261,7 +261,7 @@ int overeager_wraparound(unsigned int u32bound, unsigned long long u64bound) { int negative_zero(double dbl) { if (dbl >= 0) { - return dbl >= -dbl; // GOOD [FALSE POSITIVE] + return dbl >= -dbl; // GOOD [FALSE POSITIVE] // $ Alert[cpp/constant-comparison] } return 0; } @@ -270,7 +270,7 @@ typedef unsigned char u8; int widening_cast1(u8 c) { if (c == 0) { - if ((int)c > 0) { // BAD + if ((int)c > 0) { // BAD // $ Alert[cpp/constant-comparison] return 1; } } @@ -280,7 +280,7 @@ int widening_cast1(u8 c) { int widening_cast2(u8 c) { if (c <= 10) return -1; - else if ((c >= 11) /* BAD */ && (c <= 47)) + else if ((c >= 11) /* BAD */ && (c <= 47)) // $ Alert[cpp/constant-comparison] return 0; else return 1; 
@@ -291,7 +291,7 @@ int unsigned_implicit_conversion(unsigned int ui1) { // implicit signedness conversion is on the constants (0 and 5), not on the // variables (ui1). if (ui1 == 0) { - if (ui1 >= 5) { // BAD + if (ui1 >= 5) { // BAD // $ Alert[cpp/constant-comparison] return 1; } } @@ -300,7 +300,7 @@ int unsigned_implicit_conversion(unsigned int ui1) { int signedness_cast1(u8 c) { if ((signed char)c == 0) { - if (c >= 5) { // BAD + if (c >= 5) { // BAD // $ Alert[cpp/constant-comparison] return 1; } } @@ -309,7 +309,7 @@ int signedness_cast1(u8 c) { int signedness_cast2(signed char c) { if ((u8)c == 0) { - if (c >= 5) { // BAD + if (c >= 5) { // BAD // $ Alert[cpp/constant-comparison] return 1; } } @@ -334,7 +334,7 @@ int nan2(double x) { if (x < 0.0) { return 100; } - else if (x >= 0.0) { // BAD [Always true] + else if (x >= 0.0) { // BAD [Always true] // $ Alert[cpp/constant-comparison] return 200; } else { @@ -369,8 +369,8 @@ void shifts(void) { unsigned int x = 3; - if (x >> 1 >= 1) {} // always true - if (x >> 1 >= 2) {} // always false + if (x >> 1 >= 1) {} // always true // $ Alert[cpp/constant-comparison] + if (x >> 1 >= 2) {} // always false // $ Alert[cpp/constant-comparison] if (x >> 1 == 1) {} // always true [NOT DETECTED] } @@ -380,15 +380,15 @@ void bitwise_ands() if ((x & 2) >= 1) {} if ((x & 2) >= 2) {} - if ((x & 2) >= 3) {} // always false + if ((x & 2) >= 3) {} // always false // $ Alert[cpp/constant-comparison] } void unsigned_mult(unsigned int x, unsigned int y) { if(x < 13 && y < 35) { - if(x * y > 1024) {} // always false + if(x * y > 1024) {} // always false // $ Alert[cpp/constant-comparison] if(x * y < 204) {} if(x >= 3 && y >= 2) { - if(x * y < 5) {} // always false + if(x * y < 5) {} // always false // $ Alert[cpp/constant-comparison] } } } 
@@ -411,7 +411,7 @@ void mult_overflow() { // to 64-bit unsigned. x = 274177UL; y = 67280421310721UL; - if (x * y == 1) {} // always true [BUG: reported as always false] + if (x * y == 1) {} // always true [BUG: reported as always false] // $ Alert[cpp/constant-comparison] // This bug appears to be caused by // `RangeAnalysisUtils::typeUpperBound(unsigned long)` having a result of diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/PointlessComparison.cpp b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/PointlessComparison.cpp index ce04ddcf081..fe779ad2844 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/PointlessComparison.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/PointlessComparison.cpp @@ -33,13 +33,13 @@ int extreme_values(void) unsigned long long int x = 0xFFFFFFFFFFFFFFFF; unsigned long long int y = 0xFFFFFFFFFFFF; - if (x >> 1 >= 0xFFFFFFFFFFFFFFFF) {} // always false + if (x >> 1 >= 0xFFFFFFFFFFFFFFFF) {} // always false // $ Alert[cpp/constant-comparison] if (x >> 1 >= 0x8000000000000000) {} // always false [NOT DETECTED] if (x >> 1 >= 0x7FFFFFFFFFFFFFFF) {} // always true [NOT DETECTED] if (x >> 1 >= 0xFFFFFFFFFFFFFFF) {} // always true [NOT DETECTED] - if (y >> 1 >= 0xFFFFFFFFFFFF) {} // always false - if (y >> 1 >= 0x800000000000) {} // always false - if (y >> 1 >= 0x7FFFFFFFFFFF) {} // always true - if (y >> 1 >= 0xFFFFFFFFFFF) {} // always true + if (y >> 1 >= 0xFFFFFFFFFFFF) {} // always false // $ Alert[cpp/constant-comparison] + if (y >> 1 >= 0x800000000000) {} // always false // $ Alert[cpp/constant-comparison] + if (y >> 1 >= 0x7FFFFFFFFFFF) {} // always true // $ Alert[cpp/constant-comparison] + if (y >> 1 >= 0xFFFFFFFFFFF) {} // always true // $ Alert[cpp/constant-comparison] } 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/PointlessComparison.qlref b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/PointlessComparison.qlref index e3713c2911d..150f789c59d 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/PointlessComparison.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/PointlessComparison.qlref @@ -1 +1,2 @@ -Likely Bugs/Arithmetic/PointlessComparison.ql +query: Likely Bugs/Arithmetic/PointlessComparison.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/RegressionTests.cpp b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/RegressionTests.cpp index 0ba766eda1d..2496e5faf29 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/RegressionTests.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/RegressionTests.cpp @@ -54,7 +54,7 @@ static int foo(size_t *size) { int bar; - if (*size <= MAX_VAL) // BAD (pointless comparison) [NO LONGER REPORTED] + if (*size <= MAX_VAL) // BAD (pointless comparison) [NO LONGER REPORTED] // $ Alert[cpp/constant-comparison] *size = MAX_VAL; } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/Templates.cpp b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/Templates.cpp index a211b230780..258ceea379d 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/Templates.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/Templates.cpp @@ -6,7 +6,7 @@ bool sometimesPointless(T param) { template bool alwaysPointless(T param) { short local = param; - return local <= 0xFFFF; // BAD (in all instantiations) + return local <= 0xFFFF; // BAD (in all instantiations) // $ Alert[cpp/constant-comparison] } static int caller(int i) { 
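Review bot: In RegressionTests.cpp the comment on `if (*size <= MAX_VAL)` still says `[NO LONGER REPORTED]`, but the added `// $ Alert[cpp/constant-comparison]` on the same line expects the query to report it. One of the two is stale. If the expectation reflects the current query output, the comment should be brought in line, for example `// BAD (pointless comparison) // $ Alert[cpp/constant-comparison]`. If the result is actually unwanted, the tag should say so instead of asserting it as a plain alert.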
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/UnsignedGEZero.qlref b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/UnsignedGEZero.qlref index 4cf4c8eb094..7a798dc7e91 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/UnsignedGEZero.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/PointlessComparison/UnsignedGEZero.qlref @@ -1 +1,2 @@ -Likely Bugs/Arithmetic/UnsignedGEZero.ql +query: Likely Bugs/Arithmetic/UnsignedGEZero.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/UnsignedGEZero/Templates.cpp b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/UnsignedGEZero/Templates.cpp index a56f9c88c81..80f2fc6bc87 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/UnsignedGEZero/Templates.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/UnsignedGEZero/Templates.cpp @@ -6,7 +6,7 @@ bool sometimesPointless(T param) { template bool alwaysPointless(T param) { unsigned int local = param; - return local >= 0; // BAD (in all instantiations) + return local >= 0; // BAD (in all instantiations) // $ Alert } static int caller(int i) { diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/UnsignedGEZero/UnsignedGEZero.c b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/UnsignedGEZero/UnsignedGEZero.c index 749468450ef..4ef600cc877 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/UnsignedGEZero/UnsignedGEZero.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/UnsignedGEZero/UnsignedGEZero.c @@ -37,7 +37,7 @@ void myFunction() { myEnum1 e1; myEnum2 e2; - if (ui >= 0) { // violation + if (ui >= 0) { // violation // $ Alert } if (ui >= 1) { } 
@@ -45,21 +45,21 @@ void myFunction() { } if (ui < 0) { } - if (UI >= ZERO) { // violation + if (UI >= ZERO) { // violation // $ Alert } if (si >= 0) { } if (ui_ptr >= NULL) { // unsafe, but not a violation of UnsignedGEZero.ql } - if (uc >= 0) { // violation + if (uc >= 0) { // violation // $ Alert } if (sc >= 0) { } - if (u16 >= 0) { // violation + if (u16 >= 0) { // violation // $ Alert } if (s16 >= 0) { } - if (ull >= 0) { // violation + if (ull >= 0) { // violation // $ Alert } if (sll >= 0) { } @@ -72,33 +72,33 @@ void myFunction() { if (e2 >= 0) { } - if (ui >= const_zero) { // violation + if (ui >= const_zero) { // violation // $ Alert } if (ui >= maybe_zero) { } - if ((unsigned int)si >= 0) { // violation + if ((unsigned int)si >= 0) { // violation // $ Alert } if ((signed int)ui >= 0) { } - if ((unsigned char)ui >= 0) { // violation + if ((unsigned char)ui >= 0) { // violation // $ Alert } if ((signed char)ui >= 0) { } - if ((unsigned char)si >= 0) { // violation + if ((unsigned char)si >= 0) { // violation // $ Alert } if ((signed char)si >= 0) { } - if ((signed int)uc >= 0) { // violation + if ((signed int)uc >= 0) { // violation // $ Alert } - if ((unsigned int)uc >= 0) { // violation + if ((unsigned int)uc >= 0) { // violation // $ Alert } if ((signed int)sc >= 0) { } - if ((unsigned int)sc >= 0) { // violation + if ((unsigned int)sc >= 0) { // violation // $ Alert } - assert(ui >= 0); // violation + assert(ui >= 0); // violation // $ Alert assert(si >= 0); CHECK_RANGE(ui, 0, 10); // reasonable use 
@@ -108,32 +108,32 @@ void myFunction() { CHECK_RANGE(e2, BANANA, PEAR); CHECK_RANGE(e2, 0, PEAR); - assert(ui >= 0 && ui <= 100); // violation + assert(ui >= 0 && ui <= 100); // violation // $ Alert assert(CHECK_RANGE(ui, 0, 10)); // reasonable use assert(UI >= ZERO); // violation (not detected) - assert(ui GE 0); // violation + assert(ui GE 0); // violation // $ Alert - if ((unsigned char)si >= 0) { // violation + if ((unsigned char)si >= 0) { // violation // $ Alert } - if ((unsigned char)(signed int)si >= 0) { // violation + if ((unsigned char)(signed int)si >= 0) { // violation // $ Alert } - if ((signed int)(unsigned char)si >= 0) { // violation + if ((signed int)(unsigned char)si >= 0) { // violation // $ Alert } - if ((unsigned char)(signed char)si >= 0) { // violation + if ((unsigned char)(signed char)si >= 0) { // violation // $ Alert } if ((signed char)(unsigned char)si >= 0) { } - if ((signed int)(unsigned char)(signed int)si >= 0) { // violation + if ((signed int)(unsigned char)(signed int)si >= 0) { // violation // $ Alert } if ((signed char)(unsigned char)(signed int)si >= 0) { } - if ((signed int)(unsigned char)(signed char)si >= 0) { // violation + if ((signed int)(unsigned char)(signed char)si >= 0) { // violation // $ Alert } if (ui <= 0) { } - if (0 <= ui) { // violation + if (0 <= ui) { // violation // $ Alert } if (0 < ui) { } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/UnsignedGEZero/UnsignedGEZero.cpp b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/UnsignedGEZero/UnsignedGEZero.cpp index 6b939e29b76..c07e278d5b4 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/UnsignedGEZero/UnsignedGEZero.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/UnsignedGEZero/UnsignedGEZero.cpp @@ -37,7 +37,7 @@ void myFunction() { myEnum1 e1; myEnum2 e2; - if (ui >= 0) { // violation + if (ui >= 0) { // violation // $ Alert } if (ui >= 1) { } 
@@ -45,21 +45,21 @@ void myFunction() { } if (ui < 0) { } - if (UI >= ZERO) { // violation + if (UI >= ZERO) { // violation // $ Alert } if (si >= 0) { } if (ui_ptr >= NULL) { // unsafe, but not a violation of UnsignedGEZero.ql } - if (uc >= 0) { // violation + if (uc >= 0) { // violation // $ Alert } if (sc >= 0) { } - if (u16 >= 0) { // violation + if (u16 >= 0) { // violation // $ Alert } if (s16 >= 0) { } - if (ull >= 0) { // violation + if (ull >= 0) { // violation // $ Alert } if (sll >= 0) { } @@ -72,33 +72,33 @@ void myFunction() { if (e2 >= 0) { } - if (ui >= const_zero) { // violation + if (ui >= const_zero) { // violation // $ Alert } if (ui >= maybe_zero) { } - if ((unsigned int)si >= 0) { // violation + if ((unsigned int)si >= 0) { // violation // $ Alert } if ((signed int)ui >= 0) { } - if ((unsigned char)ui >= 0) { // violation + if ((unsigned char)ui >= 0) { // violation // $ Alert } if ((signed char)ui >= 0) { } - if ((unsigned char)si >= 0) { // violation + if ((unsigned char)si >= 0) { // violation // $ Alert } if ((signed char)si >= 0) { } - if ((signed int)uc >= 0) { // violation + if ((signed int)uc >= 0) { // violation // $ Alert } - if ((unsigned int)uc >= 0) { // violation + if ((unsigned int)uc >= 0) { // violation // $ Alert } if ((signed int)sc >= 0) { } - if ((unsigned int)sc >= 0) { // violation + if ((unsigned int)sc >= 0) { // violation // $ Alert } - assert(ui >= 0); // violation + assert(ui >= 0); // violation // $ Alert assert(si >= 0); CHECK_RANGE(ui, 0, 10); // reasonable use 
@@ -108,32 +108,32 @@ void myFunction() { CHECK_RANGE(e2, BANANA, PEAR); CHECK_RANGE(e2, 0, PEAR); - assert(ui >= 0 && ui <= 100); // violation + assert(ui >= 0 && ui <= 100); // violation // $ Alert assert(CHECK_RANGE(ui, 0, 10)); // reasonable use assert(UI >= ZERO); // violation (not detected) - assert(ui GE 0); // violation + assert(ui GE 0); // violation // $ Alert - if ((unsigned char)si >= 0) { // violation + if ((unsigned char)si >= 0) { // violation // $ Alert } - if ((unsigned char)(signed int)si >= 0) { // violation + if ((unsigned char)(signed int)si >= 0) { // violation // $ Alert } - if ((signed int)(unsigned char)si >= 0) { // violation + if ((signed int)(unsigned char)si >= 0) { // violation // $ Alert } - if ((unsigned char)(signed char)si >= 0) { // violation + if ((unsigned char)(signed char)si >= 0) { // violation // $ Alert } if ((signed char)(unsigned char)si >= 0) { } - if ((signed int)(unsigned char)(signed int)si >= 0) { // violation + if ((signed int)(unsigned char)(signed int)si >= 0) { // violation // $ Alert } if ((signed char)(unsigned char)(signed int)si >= 0) { } - if ((signed int)(unsigned char)(signed char)si >= 0) { // violation + if ((signed int)(unsigned char)(signed char)si >= 0) { // violation // $ Alert } if (ui <= 0) { } - if (0 <= ui) { // violation + if (0 <= ui) { // violation // $ Alert } if (0 < ui) { } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/UnsignedGEZero/UnsignedGEZero.qlref b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/UnsignedGEZero/UnsignedGEZero.qlref index 4cf4c8eb094..7a798dc7e91 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/UnsignedGEZero/UnsignedGEZero.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Arithmetic/UnsignedGEZero/UnsignedGEZero.qlref @@ -1 +1,2 @@ -Likely Bugs/Arithmetic/UnsignedGEZero.ql +query: Likely Bugs/Arithmetic/UnsignedGEZero.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/ContinueInFalseLoop/ContinueInFalseLoop.qlref b/cpp/ql/test/query-tests/Likely Bugs/ContinueInFalseLoop/ContinueInFalseLoop.qlref index 48d9feb2072..2ba384a7922 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/ContinueInFalseLoop/ContinueInFalseLoop.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/ContinueInFalseLoop/ContinueInFalseLoop.qlref @@ -1 +1,2 @@ -Likely Bugs/ContinueInFalseLoop.ql +query: Likely Bugs/ContinueInFalseLoop.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/ContinueInFalseLoop/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/ContinueInFalseLoop/test.cpp index 0ece8727e66..ec59c0aca23 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/ContinueInFalseLoop/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/ContinueInFalseLoop/test.cpp @@ -10,7 +10,7 @@ void test1(int x) do { if (cond()) - continue; // BAD + continue; // BAD // $ Alert if (cond()) break; } while (false); @@ -56,7 +56,7 @@ void test1(int x) do { if (cond()) - continue; // BAD + continue; // BAD // $ Alert if (cond()) break; } while (false); diff --git a/cpp/ql/test/query-tests/Likely Bugs/Conversion/ArrayArgSizeMismatch/ArrayArgSizeMismatch.qlref b/cpp/ql/test/query-tests/Likely Bugs/Conversion/ArrayArgSizeMismatch/ArrayArgSizeMismatch.qlref index 2e2747737a9..2e410dcc8c8 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Conversion/ArrayArgSizeMismatch/ArrayArgSizeMismatch.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Conversion/ArrayArgSizeMismatch/ArrayArgSizeMismatch.qlref @@ -1 +1,2 @@ -Likely Bugs/Conversion/ArrayArgSizeMismatch.ql +query: Likely Bugs/Conversion/ArrayArgSizeMismatch.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Conversion/ArrayArgSizeMismatch/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Conversion/ArrayArgSizeMismatch/test.cpp index 52b8f41bf22..122d6b3a6cc 100644 
--- a/cpp/ql/test/query-tests/Likely Bugs/Conversion/ArrayArgSizeMismatch/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Conversion/ArrayArgSizeMismatch/test.cpp @@ -21,7 +21,7 @@ void test(float f3[3], float f4[4], float f5[5], float *fp) f(arr3); // GOOD f(arr4); // GOOD f(arr5); // GOOD - g(arr3); // BAD + g(arr3); // BAD // $ Alert g(arr4); // GOOD g(arr5); // GOOD diff --git a/cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/CastArrayPointerArithmetic.expected b/cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/CastArrayPointerArithmetic.expected index 75e2e581664..0b8acb7030d 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/CastArrayPointerArithmetic.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/CastArrayPointerArithmetic.expected 
@@ -1,3 +1,13 @@ +#select +| test.cpp:27:2:27:2 | b | test.cpp:57:19:57:19 | d | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:57:19:57:19 | d | this cast | +| test.cpp:27:2:27:2 | b | test.cpp:74:19:74:21 | dss | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:74:19:74:21 | dss | this cast | +| test.cpp:27:2:27:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast | +| test.cpp:31:2:31:2 | b | test.cpp:58:25:58:25 | d | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:58:25:58:25 | d | this cast | +| test.cpp:31:2:31:2 | b | test.cpp:75:25:75:27 | dss | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:75:25:75:27 | dss | this cast | +| test.cpp:31:2:31:2 | b | test.cpp:87:25:87:26 | d2 | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:87:25:87:26 | d2 | this cast | +| test.cpp:35:2:35:2 | b | test.cpp:59:21:59:21 | d | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:59:21:59:21 | d | this cast | +| test.cpp:35:2:35:2 | b | test.cpp:76:21:76:23 | dss | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:76:21:76:23 | dss | this cast | +| test.cpp:35:2:35:2 | b | test.cpp:88:21:88:22 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:88:21:88:22 | d2 | this cast | edges | test.cpp:26:29:26:29 | b | test.cpp:27:2:27:2 | b | provenance | | | test.cpp:30:34:30:34 | b | test.cpp:31:2:31:2 | b | provenance | | 
@@ -28,13 +38,3 @@ nodes | test.cpp:87:25:87:26 | d2 | semmle.label | d2 | | test.cpp:88:21:88:22 | d2 | semmle.label | d2 | subpaths -#select -| test.cpp:27:2:27:2 | b | test.cpp:57:19:57:19 | d | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:57:19:57:19 | d | this cast | -| test.cpp:27:2:27:2 | b | test.cpp:74:19:74:21 | dss | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:74:19:74:21 | dss | this cast | -| test.cpp:27:2:27:2 | b | test.cpp:86:19:86:20 | d2 | test.cpp:27:2:27:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:86:19:86:20 | d2 | this cast | -| test.cpp:31:2:31:2 | b | test.cpp:58:25:58:25 | d | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:58:25:58:25 | d | this cast | -| test.cpp:31:2:31:2 | b | test.cpp:75:25:75:27 | dss | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:75:25:75:27 | dss | this cast | -| test.cpp:31:2:31:2 | b | test.cpp:87:25:87:26 | d2 | test.cpp:31:2:31:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:87:25:87:26 | d2 | this cast | -| test.cpp:35:2:35:2 | b | test.cpp:59:21:59:21 | d | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:59:21:59:21 | d | this cast | -| test.cpp:35:2:35:2 | b | test.cpp:76:21:76:23 | dss | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:76:21:76:23 | dss | this cast | -| test.cpp:35:2:35:2 | b | test.cpp:88:21:88:22 | d2 | test.cpp:35:2:35:2 | b | This pointer arithmetic may be done with the wrong type because of $@. | test.cpp:88:21:88:22 | d2 | this cast | 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/CastArrayPointerArithmetic.qlref b/cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/CastArrayPointerArithmetic.qlref index 4e95e41b5cb..dc496d3c7c6 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/CastArrayPointerArithmetic.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/CastArrayPointerArithmetic.qlref @@ -1 +1,2 @@ -Likely Bugs/Conversion/CastArrayPointerArithmetic.ql +query: Likely Bugs/Conversion/CastArrayPointerArithmetic.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/test.cpp index fce974f6012..95d6200f11e 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Conversion/CastArrayPointerArithmetic/test.cpp @@ -24,15 +24,15 @@ public: }; void dereference_base(Base *b) { - b[2].x; + b[2].x; // $ Alert } void dereference_array_base(Base b[]) { - b[2].x; + b[2].x; // $ Alert } void pointer_arith_base(Base *b) { - b + 2; + b + 2; // $ Alert } void dereference_derived(Derived *d) { 
@@ -54,9 +54,9 @@ void char_pointer_arith(Base *b) { void test () { Derived d[4]; - dereference_base(d); // BAD: implicit conversion to Base* - dereference_array_base(d); // BAD: implicit conversion to Base* - pointer_arith_base(d); // BAD: implicit conversion to Base* + dereference_base(d); // BAD: implicit conversion to Base* // $ Source + dereference_array_base(d); // BAD: implicit conversion to Base* // $ Source + pointer_arith_base(d); // BAD: implicit conversion to Base* // $ Source dereference_derived(d); // GOOD: implicit conversion to Derived*, which will be the right size dereference_array_derived(d); // GOOD: implicit conversion to Derived*, which will be the right size @@ -71,9 +71,9 @@ void test () { DerivedSameSize dss[4]; - dereference_base(dss); // BAD: same size on Linux but different on Windows - dereference_array_base(dss); // BAD: same size on Linux but different on Windows - pointer_arith_base(dss); // BAD: same size on Linux but different on Windows + dereference_base(dss); // BAD: same size on Linux but different on Windows // $ Source + dereference_array_base(dss); // BAD: same size on Linux but different on Windows // $ Source + pointer_arith_base(dss); // BAD: same size on Linux but different on Windows // $ Source DerivedNoField dnf[4]; @@ -83,9 +83,9 @@ void test () { Derived2 d2[4]; - dereference_base(d2); // BAD: implicit conversion to Base* - dereference_array_base(d2); // BAD: implicit conversion to Base* - pointer_arith_base(d2); // BAD: implicit conversion to Base* + dereference_base(d2); // BAD: implicit conversion to Base* // $ Source + dereference_array_base(d2); // BAD: implicit conversion to Base* // $ Source + pointer_arith_base(d2); // BAD: implicit conversion to Base* // $ Source dereference_derived(d2); // GOOD: implicit conversion to Derived*, which will be the right size dereference_array_derived(d2); // GOOD: implicit conversion to Derived*, which will be the right size 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Conversion/ImplicitDowncastFromBitfield/ImplicitDowncastFromBitfield.qlref b/cpp/ql/test/query-tests/Likely Bugs/Conversion/ImplicitDowncastFromBitfield/ImplicitDowncastFromBitfield.qlref index ff7d11977d9..7ae992bd752 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Conversion/ImplicitDowncastFromBitfield/ImplicitDowncastFromBitfield.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Conversion/ImplicitDowncastFromBitfield/ImplicitDowncastFromBitfield.qlref @@ -1 +1,2 @@ -Likely Bugs/Conversion/ImplicitDowncastFromBitfield.ql +query: Likely Bugs/Conversion/ImplicitDowncastFromBitfield.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Conversion/ImplicitDowncastFromBitfield/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Conversion/ImplicitDowncastFromBitfield/test.cpp index 3bcb6afe4b4..0cef06d32e2 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Conversion/ImplicitDowncastFromBitfield/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Conversion/ImplicitDowncastFromBitfield/test.cpp @@ -7,7 +7,7 @@ int getX1(my_struct m) { } short getX2(my_struct m) { - return m.x; // BAD + return m.x; // BAD // $ Alert } short getX3(my_struct m) { @@ -23,7 +23,7 @@ short getX5(my_struct m) { } const char& getx6(my_struct& m) { - const char& result = m.x; // BAD + const char& result = m.x; // BAD // $ Alert return result; } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Conversion/LossyFunctionResultCast/LossyFunctionResultCast.qlref b/cpp/ql/test/query-tests/Likely Bugs/Conversion/LossyFunctionResultCast/LossyFunctionResultCast.qlref index cb6a31a262e..a1dd642e798 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Conversion/LossyFunctionResultCast/LossyFunctionResultCast.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Conversion/LossyFunctionResultCast/LossyFunctionResultCast.qlref 
@@ -1 +1,2 @@ -Likely Bugs/Conversion/LossyFunctionResultCast.ql +query: Likely Bugs/Conversion/LossyFunctionResultCast.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Conversion/LossyFunctionResultCast/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Conversion/LossyFunctionResultCast/test.cpp index 552f3eecc39..d12fe791049 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Conversion/LossyFunctionResultCast/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Conversion/LossyFunctionResultCast/test.cpp @@ -30,19 +30,19 @@ void test1() setPosInt(getInt()); setPosFloat(getInt()); } - if (getFloat()) // BAD + if (getFloat()) // BAD // $ Alert { - setPosInt(getFloat()); // BAD + setPosInt(getFloat()); // BAD // $ Alert setPosFloat(getFloat()); } - if (getDouble()) // BAD + if (getDouble()) // BAD // $ Alert { - setPosInt(getDouble()); // BAD + setPosInt(getDouble()); // BAD // $ Alert setPosFloat(getDouble()); } - if (getMyLD()) // BAD + if (getMyLD()) // BAD // $ Alert { - setPosInt(getMyLD()); // BAD + setPosInt(getMyLD()); // BAD // $ Alert setPosFloat(getMyLD()); } if (getFloatPtr()) @@ -98,11 +98,11 @@ int test2(double v, double w, int n) case 2: return pow(10, v); // GOOD case 3: - return pow(2.5, v); // BAD + return pow(2.5, v); // BAD // $ Alert case 4: - return pow(v, 2); // BAD + return pow(v, 2); // BAD // $ Alert case 5: - return pow(v, w); // BAD + return pow(v, w); // BAD // $ Alert }; } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.c b/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.c index d7b60aebe88..8ff9ddbf376 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.c 
@@ -25,9 +25,9 @@ extern char *any_random_function(const char *); #define NULL ((void*)0) #define _(X) gettext(X) -int main(int argc, char **argv) { +int main(int argc, char **argv) { // $ Source if(argc > 1) - printf(argv[1]); // BAD + printf(argv[1]); // BAD // $ Alert else printf("No argument supplied.\n"); // GOOD @@ -38,11 +38,11 @@ int main(int argc, char **argv) { printf(ngettext("One argument\n", "%d arguments\n", argc-1), argc-1); // GOOD printf(gettext("%d arguments\n"), argc-1); // GOOD - printf(any_random_function("%d arguments\n"), argc-1); // BAD + printf(any_random_function("%d arguments\n"), argc-1); // BAD // $ Alert - printf(_(any_random_function("%d arguments\n")), argc-1); // BAD + printf(_(any_random_function("%d arguments\n")), argc-1); // BAD // $ Alert return 0; } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.expected b/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.expected index 63851030bba..20ac0f055a1 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.expected 
@@ -1,3 +1,23 @@ +#select +| NonConstantFormat.c:30:10:30:16 | *access to array | NonConstantFormat.c:28:27:28:30 | **argv | NonConstantFormat.c:30:10:30:16 | *access to array | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | NonConstantFormat.c:30:3:30:8 | call to printf | printf | +| NonConstantFormat.c:41:9:41:45 | *call to any_random_function | NonConstantFormat.c:41:9:41:45 | *call to any_random_function | NonConstantFormat.c:41:9:41:45 | *call to any_random_function | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | NonConstantFormat.c:41:2:41:7 | call to printf | printf | +| NonConstantFormat.c:45:9:45:48 | *call to gettext | NonConstantFormat.c:45:11:45:47 | *call to any_random_function | NonConstantFormat.c:45:9:45:48 | *call to gettext | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | NonConstantFormat.c:45:2:45:7 | call to printf | printf | +| nested.cpp:21:23:21:26 | *fmt0 | nested.cpp:42:24:42:34 | *call to ext_fmt_str | nested.cpp:21:23:21:26 | *fmt0 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | nested.cpp:21:5:21:12 | call to snprintf | snprintf | +| nested.cpp:79:32:79:38 | *call to get_fmt | nested.cpp:79:32:79:38 | *call to get_fmt | nested.cpp:79:32:79:38 | *call to get_fmt | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | nested.cpp:79:5:79:14 | call to diagnostic | diagnostic | +| nested.cpp:87:18:87:20 | *fmt | nested.cpp:86:19:86:46 | *call to __builtin_alloca | nested.cpp:87:18:87:20 | *fmt | The format string argument to $@ has a source which cannot be verified to originate from a string literal. 
| nested.cpp:87:7:87:16 | call to diagnostic | diagnostic | +| test.cpp:130:20:130:26 | *access to array | test.cpp:46:27:46:30 | **argv | test.cpp:130:20:130:26 | *access to array | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:130:2:130:10 | call to sprintf | sprintf | +| test.cpp:170:12:170:14 | *res | test.cpp:167:31:167:34 | *data | test.cpp:170:12:170:14 | *res | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:170:5:170:10 | call to printf | printf | +| test.cpp:195:31:195:33 | *str | test.cpp:193:32:193:34 | *str | test.cpp:195:31:195:33 | *str | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:195:3:195:18 | call to StringCchPrintfW | StringCchPrintfW | +| test.cpp:197:11:197:14 | *wstr | test.cpp:193:32:193:34 | *str | test.cpp:197:11:197:14 | *wstr | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:197:3:197:9 | call to wprintf | wprintf | +| test.cpp:205:12:205:20 | *... + ... | test.cpp:204:25:204:36 | *call to get_string | test.cpp:205:12:205:20 | *... + ... | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:205:5:205:10 | call to printf | printf | +| test.cpp:206:12:206:16 | *hello | test.cpp:204:25:204:36 | *call to get_string | test.cpp:206:12:206:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:206:5:206:10 | call to printf | printf | +| test.cpp:211:12:211:16 | *hello | test.cpp:209:25:209:36 | *call to get_string | test.cpp:211:12:211:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. 
| test.cpp:211:5:211:10 | call to printf | printf | +| test.cpp:217:12:217:16 | *hello | test.cpp:215:25:215:36 | *call to get_string | test.cpp:217:12:217:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:217:5:217:10 | call to printf | printf | +| test.cpp:223:12:223:16 | *hello | test.cpp:221:25:221:36 | *call to get_string | test.cpp:223:12:223:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:223:5:223:10 | call to printf | printf | +| test.cpp:228:12:228:18 | *++ ... | test.cpp:227:25:227:36 | *call to get_string | test.cpp:228:12:228:18 | *++ ... | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:228:5:228:10 | call to printf | printf | +| test.cpp:235:12:235:16 | *hello | test.cpp:232:25:232:36 | *call to get_string | test.cpp:235:12:235:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:235:5:235:10 | call to printf | printf | +| test.cpp:242:12:242:16 | *hello | test.cpp:239:25:239:36 | *call to get_string | test.cpp:242:12:242:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:242:5:242:10 | call to printf | printf | +| test.cpp:247:12:247:16 | *hello | test.cpp:245:25:245:36 | *call to get_string | test.cpp:247:12:247:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:247:5:247:10 | call to printf | printf | edges | NonConstantFormat.c:28:27:28:30 | **argv | NonConstantFormat.c:30:10:30:16 | *access to array | provenance | | | NonConstantFormat.c:45:11:45:47 | *call to any_random_function | NonConstantFormat.c:45:9:45:48 | *call to gettext | provenance | DataFlowFunction | 
@@ -98,23 +118,3 @@ nodes | test.cpp:247:12:247:16 | *hello | semmle.label | *hello | subpaths | test.cpp:195:31:195:33 | *str | test.cpp:179:6:179:21 | [summary param] *2 in StringCchPrintfW | test.cpp:179:6:179:21 | [summary param] *0 in StringCchPrintfW [Return] | test.cpp:195:20:195:23 | StringCchPrintfW output argument | -#select -| NonConstantFormat.c:30:10:30:16 | *access to array | NonConstantFormat.c:28:27:28:30 | **argv | NonConstantFormat.c:30:10:30:16 | *access to array | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | NonConstantFormat.c:30:3:30:8 | call to printf | printf | -| NonConstantFormat.c:41:9:41:45 | *call to any_random_function | NonConstantFormat.c:41:9:41:45 | *call to any_random_function | NonConstantFormat.c:41:9:41:45 | *call to any_random_function | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | NonConstantFormat.c:41:2:41:7 | call to printf | printf | -| NonConstantFormat.c:45:9:45:48 | *call to gettext | NonConstantFormat.c:45:11:45:47 | *call to any_random_function | NonConstantFormat.c:45:9:45:48 | *call to gettext | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | NonConstantFormat.c:45:2:45:7 | call to printf | printf | -| nested.cpp:21:23:21:26 | *fmt0 | nested.cpp:42:24:42:34 | *call to ext_fmt_str | nested.cpp:21:23:21:26 | *fmt0 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | nested.cpp:21:5:21:12 | call to snprintf | snprintf | -| nested.cpp:79:32:79:38 | *call to get_fmt | nested.cpp:79:32:79:38 | *call to get_fmt | nested.cpp:79:32:79:38 | *call to get_fmt | The format string argument to $@ has a source which cannot be verified to originate from a string literal. 
| nested.cpp:79:5:79:14 | call to diagnostic | diagnostic | -| nested.cpp:87:18:87:20 | *fmt | nested.cpp:86:19:86:46 | *call to __builtin_alloca | nested.cpp:87:18:87:20 | *fmt | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | nested.cpp:87:7:87:16 | call to diagnostic | diagnostic | -| test.cpp:130:20:130:26 | *access to array | test.cpp:46:27:46:30 | **argv | test.cpp:130:20:130:26 | *access to array | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:130:2:130:10 | call to sprintf | sprintf | -| test.cpp:170:12:170:14 | *res | test.cpp:167:31:167:34 | *data | test.cpp:170:12:170:14 | *res | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:170:5:170:10 | call to printf | printf | -| test.cpp:195:31:195:33 | *str | test.cpp:193:32:193:34 | *str | test.cpp:195:31:195:33 | *str | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:195:3:195:18 | call to StringCchPrintfW | StringCchPrintfW | -| test.cpp:197:11:197:14 | *wstr | test.cpp:193:32:193:34 | *str | test.cpp:197:11:197:14 | *wstr | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:197:3:197:9 | call to wprintf | wprintf | -| test.cpp:205:12:205:20 | *... + ... | test.cpp:204:25:204:36 | *call to get_string | test.cpp:205:12:205:20 | *... + ... | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:205:5:205:10 | call to printf | printf | -| test.cpp:206:12:206:16 | *hello | test.cpp:204:25:204:36 | *call to get_string | test.cpp:206:12:206:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. 
| test.cpp:206:5:206:10 | call to printf | printf | -| test.cpp:211:12:211:16 | *hello | test.cpp:209:25:209:36 | *call to get_string | test.cpp:211:12:211:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:211:5:211:10 | call to printf | printf | -| test.cpp:217:12:217:16 | *hello | test.cpp:215:25:215:36 | *call to get_string | test.cpp:217:12:217:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:217:5:217:10 | call to printf | printf | -| test.cpp:223:12:223:16 | *hello | test.cpp:221:25:221:36 | *call to get_string | test.cpp:223:12:223:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:223:5:223:10 | call to printf | printf | -| test.cpp:228:12:228:18 | *++ ... | test.cpp:227:25:227:36 | *call to get_string | test.cpp:228:12:228:18 | *++ ... | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:228:5:228:10 | call to printf | printf | -| test.cpp:235:12:235:16 | *hello | test.cpp:232:25:232:36 | *call to get_string | test.cpp:235:12:235:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:235:5:235:10 | call to printf | printf | -| test.cpp:242:12:242:16 | *hello | test.cpp:239:25:239:36 | *call to get_string | test.cpp:242:12:242:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:242:5:242:10 | call to printf | printf | -| test.cpp:247:12:247:16 | *hello | test.cpp:245:25:245:36 | *call to get_string | test.cpp:247:12:247:16 | *hello | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | test.cpp:247:5:247:10 | call to printf | printf | 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.qlref b/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.qlref index ef8de5d288a..cb71273232c 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.qlref @@ -1 +1,2 @@ -Likely Bugs/Format/NonConstantFormat.ql +query: Likely Bugs/Format/NonConstantFormat.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/nested.cpp b/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/nested.cpp index 1c3d2513da5..d77fa253d7e 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/nested.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/nested.cpp @@ -18,7 +18,7 @@ extern "C" int snprintf ( char * s, int n, const char * format, ... ); struct A { void do_print(const char *fmt0) { char buf[32]; - snprintf(buf, 32, fmt0); // BAD, all paths from unknown const char*, not assuming literal + snprintf(buf, 32, fmt0); // BAD, all paths from unknown const char*, not assuming literal // $ Alert } }; @@ -39,7 +39,7 @@ struct C { void foo(void) { C c; - c.do_some_printing(c.ext_fmt_str()); + c.do_some_printing(c.ext_fmt_str()); // $ Source } struct some_class { @@ -76,15 +76,15 @@ void diagnostic(const char *fmt, ...) } void bar(void) { - diagnostic (some_instance->get_fmt()); // BAD const char* but not assuming literal + diagnostic (some_instance->get_fmt()); // BAD const char* but not assuming literal // $ Alert } namespace ns { class blab { void out1(void) { - char *fmt = (char *)__builtin_alloca(10); - diagnostic(fmt); // BAD + char *fmt = (char *)__builtin_alloca(10); // $ Source + diagnostic(fmt); // BAD // $ Alert } }; } 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/test.cpp index e60db94f9b1..26cc4808022 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/test.cpp @@ -43,7 +43,7 @@ const char *const_wash(char *str) { return str; } -int main(int argc, char **argv) { +int main(int argc, char **argv) { // $ Source const char *message = messages[2]; printf(choose_message(argc - 1), argc - 1); // GOOD printf(messages[1]); // GOOD @@ -127,7 +127,7 @@ int main(int argc, char **argv) { char buffer[1024]; MYSPRINTF(buffer, "constant"); // GOOD - MYSPRINTF(buffer, argv[0]); // BAD + MYSPRINTF(buffer, argv[0]); // BAD // $ Alert } } @@ -164,10 +164,10 @@ void fmt_with_assignment() { printf(y); // GOOD } -void fmt_via_strcpy_bad(char *data) { +void fmt_via_strcpy_bad(char *data) { // $ Source char res[100]; strcpy(res, data); - printf(res); // BAD + printf(res); // BAD // $ Alert } 
@@ -190,61 +190,61 @@ void wchar_t_test_good(){ wprintf(wstr); // GOOD } -void wchar_t_test_bad(wchar_t* str){ +void wchar_t_test_bad(wchar_t* str){ // $ Source wchar_t wstr[100]; - StringCchPrintfW(wstr, 100, str); // BAD + StringCchPrintfW(wstr, 100, str); // BAD // $ Alert - wprintf(wstr); // BAD + wprintf(wstr); // BAD // $ Alert } char* get_string(); void pointer_arithmetic_test_on_bad_string(){ { - const char *hello = get_string(); - printf(hello + 1); // BAD - printf(hello); // BAD + const char *hello = get_string(); // $ Source + printf(hello + 1); // BAD // $ Alert + printf(hello); // BAD // $ Alert } { - const char *hello = get_string(); + const char *hello = get_string(); // $ Source hello += 1; - printf(hello); // BAD + printf(hello); // BAD // $ Alert } { // Same as above block but using "x = x + 1" syntax - const char *hello = get_string(); + const char *hello = get_string(); // $ Source hello = hello + 1; - printf(hello); // BAD + printf(hello); // BAD // $ Alert } { // Same as above block but using "x++" syntax - const char *hello = get_string(); + const char *hello = get_string(); // $ Source hello++; - printf(hello); // BAD + printf(hello); // BAD // $ Alert } { // Same as above block but using "++x" as subexpression - const char *hello = get_string(); - printf(++hello); // BAD + const char *hello = get_string(); // $ Source + printf(++hello); // BAD // $ Alert } { // Same as above block but through a pointer - const char *hello = get_string(); + const char *hello = get_string(); // $ Source const char **p = &hello; (*p)++; - printf(hello); // BAD + printf(hello); // BAD // $ Alert } { // Same as above block but through a C++ reference - const char *hello = get_string(); + const char *hello = get_string(); // $ Source const char *&p = hello; p++; - printf(hello); // BAD + printf(hello); // BAD // $ Alert } { - const char *hello = get_string(); + const char *hello = get_string(); // $ Source const char *const *p = &hello; - printf(hello); // BAD + 
printf(hello); // BAD // $ Alert } } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/SnprintfOverflow/SnprintfOverflow.qlref b/cpp/ql/test/query-tests/Likely Bugs/Format/SnprintfOverflow/SnprintfOverflow.qlref index 1c3184fc6a7..0cda33d916e 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/SnprintfOverflow/SnprintfOverflow.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/SnprintfOverflow/SnprintfOverflow.qlref @@ -1 +1,2 @@ -Likely Bugs/Format/SnprintfOverflow.ql +query: Likely Bugs/Format/SnprintfOverflow.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/SnprintfOverflow/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Format/SnprintfOverflow/test.cpp index d2785d845b9..5dd172d81c3 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/SnprintfOverflow/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/SnprintfOverflow/test.cpp @@ -22,7 +22,7 @@ void test1(queue &numbers) while (numbers.has_number()) { - pos += snprintf(&(buffer[pos]), 100 - pos, "%i, ", numbers.get_number()); // BAD + pos += snprintf(&(buffer[pos]), 100 - pos, "%i, ", numbers.get_number()); // BAD // $ Alert } } @@ -59,7 +59,7 @@ void test4(queue &numbers) while (numbers.has_number()) { - amount = snprintf(ptr, remaining, "%i, ", numbers.get_number()); // BAD + amount = snprintf(ptr, remaining, "%i, ", numbers.get_number()); // BAD // $ Alert ptr += amount; remaining -= amount; } @@ -73,7 +73,7 @@ void test5(queue &numbers) while (numbers.has_number()) { - ptr += snprintf(ptr, end - ptr, "%i, ", numbers.get_number()); // BAD + ptr += snprintf(ptr, end - ptr, "%i, ", numbers.get_number()); // BAD // $ Alert } } 
@@ -97,7 +97,7 @@ void test7(const char *strings) // separated by \0, terminated by \0\0 while (*strings != 0) { - pos += snprintf_s(buffer + pos, sizeof(buffer) - pos, "%s\n", strings); // BAD + pos += snprintf_s(buffer + pos, sizeof(buffer) - pos, "%s\n", strings); // BAD // $ Alert // (note that the protections built into `snprintf_s` appear to mean this is less likely // to be exploitable than with `snprintf`) strings += strlen(strings) + 1; diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/TooManyFormatArguments.qlref b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/TooManyFormatArguments.qlref index 131a39abcf7..56274d702c0 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/TooManyFormatArguments.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/TooManyFormatArguments.qlref @@ -1 +1,2 @@ -Likely Bugs/Format/TooManyFormatArguments.ql +query: Likely Bugs/Format/TooManyFormatArguments.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/WrongNumberOfFormatArguments.qlref b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/WrongNumberOfFormatArguments.qlref index d5e2e86d6e6..38acf3d8308 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/WrongNumberOfFormatArguments.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/WrongNumberOfFormatArguments.qlref @@ -1 +1,2 @@ -Likely Bugs/Format/WrongNumberOfFormatArguments.ql +query: Likely Bugs/Format/WrongNumberOfFormatArguments.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/a.c b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/a.c index ec28ef51144..3e7eb8c547d 100644 
--- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/a.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/a.c @@ -13,9 +13,9 @@ void myMultiplyDefinedPrintf3(const char *extraArg, const char *format, ...); void test_custom_printf1() { - myMultiplyDefinedPrintf("%i", 0); // BAD (too few format arguments) + myMultiplyDefinedPrintf("%i", 0); // BAD (too few format arguments) // $ Alert[cpp/wrong-number-format-arguments] myMultiplyDefinedPrintf("%i", 0, 1); // GOOD - myMultiplyDefinedPrintf("%i", 0, 1, 2); // BAD (too many format arguments) + myMultiplyDefinedPrintf("%i", 0, 1, 2); // BAD (too many format arguments) // $ Alert[cpp/too-many-format-arguments] myMultiplyDefinedPrintf2("%i", 0); // GOOD (we can't tell which definition is correct so we have to assume this is OK) myMultiplyDefinedPrintf2("%i", 0, 1); // GOOD (we can't tell which definition is correct so we have to assume this is OK) myMultiplyDefinedPrintf2("%i", 0, 1, 2); // BAD (too many format arguments regardless of which definition is correct) [NOT DETECTED] diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/b.c b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/b.c index da7f09123af..ce70464e24d 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/b.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/b.c 
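Review bot: The `[NOT DETECTED]` call in this hunk, `myMultiplyDefinedPrintf2("%i", 0, 1, 2);`, is left without an inline expectation, so the known missed result is recorded only in prose even though the directory's `.qlref` files now run `InlineExpectationsTestQuery.ql`. The inline-expectations format has a `MISSING:` prefix for this case, e.g. `// BAD (...) [NOT DETECTED] // $ MISSING: Alert[cpp/too-many-format-arguments]`. The same applies to the identical line in the `b.c` and `c.c` hunks, and to `printf("%1$*2$d", width);` in `test.c` (there with `cpp/wrong-number-format-arguments`). `test_custom_printf1` continues outside the hunk.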
@@ -10,9 +10,9 @@ void myMultiplyDefinedPrintf3(const char *format, ...); void test_custom_printf2() { - myMultiplyDefinedPrintf("%i", 0); // BAD (too few format arguments) + myMultiplyDefinedPrintf("%i", 0); // BAD (too few format arguments) // $ Alert[cpp/wrong-number-format-arguments] myMultiplyDefinedPrintf("%i", 0, 1); // GOOD - myMultiplyDefinedPrintf("%i", 0, 1, 2); // BAD (too many format arguments) + myMultiplyDefinedPrintf("%i", 0, 1, 2); // BAD (too many format arguments) // $ Alert[cpp/too-many-format-arguments] myMultiplyDefinedPrintf2("%i", 0); // GOOD (we can't tell which definition is correct so we have to assume this is OK) myMultiplyDefinedPrintf2("%i", 0, 1); // GOOD (we can't tell which definition is correct so we have to assume this is OK) myMultiplyDefinedPrintf2("%i", 0, 1, 2); // BAD (too many format arguments regardless of which definition is correct) [NOT DETECTED] diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/c.c b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/c.c index 74183c2374f..5066d606d3f 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/c.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/c.c 
@@ -2,9 +2,9 @@ void test_custom_printf2() { // (implicitly defined) - myMultiplyDefinedPrintf("%i", 0); // BAD (too few format arguments) + myMultiplyDefinedPrintf("%i", 0); // BAD (too few format arguments) // $ Alert[cpp/wrong-number-format-arguments] myMultiplyDefinedPrintf("%i", 0, 1); // GOOD - myMultiplyDefinedPrintf("%i", 0, 1, 2); // BAD (too many format arguments) + myMultiplyDefinedPrintf("%i", 0, 1, 2); // BAD (too many format arguments) // $ Alert[cpp/too-many-format-arguments] myMultiplyDefinedPrintf2("%i", 0); // GOOD (we can't tell which definition is correct so we have to assume this is OK) myMultiplyDefinedPrintf2("%i", 0, 1); // GOOD (we can't tell which definition is correct so we have to assume this is OK) myMultiplyDefinedPrintf2("%i", 0, 1, 2); // BAD (too many format arguments regardless of which definition is correct) [NOT DETECTED] diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/custom_printf.cpp b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/custom_printf.cpp index 9c04f7a0049..cf2655400fd 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/custom_printf.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/custom_printf.cpp @@ -26,9 +26,9 @@ void test_custom_printf() { myClass mc; - mc.myPrintf("%i%i", 1); // BAD (too few format arguments) + mc.myPrintf("%i%i", 1); // BAD (too few format arguments) // $ Alert[cpp/wrong-number-format-arguments] mc.myPrintf("%i%i", 1, 2); // GOOD - mc.myPrintf("%i%i", 1, 2, 3); // BAD (too many format arguments) + mc.myPrintf("%i%i", 1, 2, 3); // BAD (too many format arguments) // $ Alert[cpp/too-many-format-arguments] mc.myPrintf(NULL, 1, 2, 3); // GOOD (should not be analyzed) } 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/macros.cpp b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/macros.cpp index 4d8257b776b..e94c4b18caf 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/macros.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/macros.cpp @@ -9,16 +9,16 @@ extern int printf(const char *fmt, ...); void testMacros(int a, int b, int c) { - GOODPRINTF("%i %i\n", a, b, 0); // BAD: too many format arguments + GOODPRINTF("%i %i\n", a, b, 0); // BAD: too many format arguments // $ Alert[cpp/too-many-format-arguments] GOODPRINTF("%i %i %i\n", a, b, c); // GOOD - GOODPRINTF("%i %i %i %i\n", a, b, c); // BAD: too few format arguments + GOODPRINTF("%i %i %i %i\n", a, b, c); // BAD: too few format arguments // $ Alert[cpp/wrong-number-format-arguments] - BADPRINTF("%i %i\n", a, b, 0); // DUBIOUS: too many format arguments + BADPRINTF("%i %i\n", a, b, 0); // DUBIOUS: too many format arguments // $ Alert[cpp/too-many-format-arguments] // ^ here there are too many format arguments, but the design of the Macro forces the user // to do this, and the extra argument is harmlessly ignored in practice. Reporting these // results can be extremely noisy (e.g. in openldap). BADPRINTF("%i %i %i\n", a, b, c); // GOOD - BADPRINTF("%i %i %i %i\n", a, b, c); // BAD: too few format arguments + BADPRINTF("%i %i %i %i\n", a, b, c); // BAD: too few format arguments // $ Alert[cpp/wrong-number-format-arguments] } #define DOTHING(x) \ @@ -29,5 +29,5 @@ void testMacros2() int x; DOTHING(x++); // GOOD - DOTHING(printf("%i", x)); // BAD: the printf inside the macro has too few format arguments + DOTHING(printf("%i", x)); // BAD: the printf inside the macro has too few format arguments // $ Alert[cpp/wrong-number-format-arguments] } 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/syntax_errors.c b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/syntax_errors.c index d10d1025b8f..df4cd972f50 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/syntax_errors.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/syntax_errors.c @@ -12,7 +12,7 @@ void test_syntax_error() { (UNDEFINED_MACRO)2); // GOOD [FALSE POSITIVE] - printf("%d%d" + printf("%d%d" // $ Alert[cpp/wrong-number-format-arguments] UNDEFINED_MACRO, 1, 2); } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/test.c b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/test.c index 0079d0f0d21..9da418751bc 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/test.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongNumberOfFormatArguments/test.c 
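Review bot: The added `// $ Alert[cpp/wrong-number-format-arguments]` on `printf("%d%d"` carries no BAD/GOOD classification, unlike the statement just above it, which is marked `// GOOD [FALSE POSITIVE]`. Setting `UNDEFINED_MACRO` aside, the call passes two arguments for two conversions, so this result looks like a side effect of the syntax error rather than a true positive. If that is the intent, say so on the line, e.g. `printf("%d%d" // GOOD [FALSE POSITIVE] // $ SPURIOUS: Alert[cpp/wrong-number-format-arguments]`. The statement above starts outside the hunk, so whether it received its own annotation cannot be checked from here.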
@@ -4,41 +4,41 @@ extern int printf(const char *fmt, ...); void test(int i, const char *str) { printf("\n"); // GOOD - printf("\n", i); // BAD (too many format arguments) + printf("\n", i); // BAD (too many format arguments) // $ Alert[cpp/too-many-format-arguments] - printf("%i\n"); // BAD (too few format arguments) + printf("%i\n"); // BAD (too few format arguments) // $ Alert[cpp/wrong-number-format-arguments] printf("%i\n", i); // GOOD - printf("%*s\n", str); // BAD (too few format arguments) + printf("%*s\n", str); // BAD (too few format arguments) // $ Alert[cpp/wrong-number-format-arguments] printf("%*s\n", i, str); // GOOD - printf("%i %i %i\n", 1, 2); // BAD (too few format arguments) + printf("%i %i %i\n", 1, 2); // BAD (too few format arguments) // $ Alert[cpp/wrong-number-format-arguments] printf("%i %i %i\n", 1, 2, 3); // GOOD // indexed format arguments - printf("%2$i \n", 1); // BAD (too few format arguments) + printf("%2$i \n", 1); // BAD (too few format arguments) // $ Alert[cpp/wrong-number-format-arguments] printf("%2$i \n", 1, 2); // GOOD - printf("%2$i \n", 1, 2, 3); // BAD (too many format arguments) + printf("%2$i \n", 1, 2, 3); // BAD (too many format arguments) // $ Alert[cpp/too-many-format-arguments] printf("%2$i %2$i %2$i \n", 1, 2); // GOOD printf("%2$02i %1$4.2f \n", 3.3333f, 6); // GOOD { int width, num; - printf("%2$*1$d", 0, width, num); // BAD (too many format arguments) + printf("%2$*1$d", 0, width, num); // BAD (too many format arguments) // $ Alert[cpp/too-many-format-arguments] printf("%2$*1$d", width, num); // GOOD - printf("%2$*1$d", width); // BAD (too few format arguments) + printf("%2$*1$d", width); // BAD (too few format arguments) // $ Alert[cpp/wrong-number-format-arguments] - printf("%1$*2$d", 0, num, width); // BAD (too many format arguments) [INCORRECT MESSAGE] - printf("%1$*2$d", num, width); // GOOD [FALSE POSITIVE] + printf("%1$*2$d", 0, num, width); // BAD (too many format arguments) [INCORRECT MESSAGE] // $ 
Alert[cpp/too-many-format-arguments] + printf("%1$*2$d", num, width); // GOOD [FALSE POSITIVE] // $ Alert[cpp/too-many-format-arguments] printf("%1$*2$d", width); // BAD (too few format arguments) [NOT DETECTED] } { int precision; float num; - printf("%2$.*4$f", 0, 0, num, 0, precision); // BAD (too many format arguments) [INCORRECT MESSAGE] - printf("%2$.*4$f", 0, num, 0, precision); // GOOD [FALSE POSITIVE] - printf("%2$.*4$f", num, 0, precision); // BAD (too few format arguments) [INCORRECT MESSAGE] + printf("%2$.*4$f", 0, 0, num, 0, precision); // BAD (too many format arguments) [INCORRECT MESSAGE] // $ Alert[cpp/too-many-format-arguments] + printf("%2$.*4$f", 0, num, 0, precision); // GOOD [FALSE POSITIVE] // $ Alert[cpp/too-many-format-arguments] + printf("%2$.*4$f", num, 0, precision); // BAD (too few format arguments) [INCORRECT MESSAGE] // $ Alert[cpp/too-many-format-arguments] } printf("%@ %i %i", 1, 2); // GOOD @@ -50,7 +50,7 @@ void test(int i, const char *str) // Implicit logger function declaration my_logger(0, "%i %i %i %i %i %i\n", 1, 2, 3, 4, 5, 6); // GOOD my_logger(0, "%i %i %i\n", 1, 2, 3); // GOOD - my_logger(0, "%i %i %i\n", 1, 2); // BAD (too few format arguments) + my_logger(0, "%i %i %i\n", 1, 2); // BAD (too few format arguments) // $ Alert[cpp/wrong-number-format-arguments] } // A spurious definition of my_logger diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.qlref b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.qlref index 6f557ace55a..370dae334d6 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.qlref 
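Review bot: Lines still marked `[NOT DETECTED]`, such as `printf("%1$*2$d", width);` in the first test.c hunk, get no annotation, so the known false negative is recorded only in the free-text comment. I would add `// $ MISSING: Alert[cpp/wrong-number-format-arguments]` there; a missed too-few-arguments call is the case worth tracking, because printf then reads a variadic argument that was never passed. In the same hunk `printf("%2$.*4$f", num, 0, precision)` is a too-few case pinned to `Alert[cpp/too-many-format-arguments]`, which turns the result the comment calls `[INCORRECT MESSAGE]` into the expectation. Other `[NOT DETECTED]` lines left unannotated are in Buildless/second.cpp, Linux_mixed_byte_wprintf/tests.cpp, both pri_macros.h hunks and both printf1.h hunks. The body of test() continues past the end of this hunk.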
@@ -1 +1,2 @@ -Likely Bugs/Format/WrongTypeFormatArguments.ql +query: Likely Bugs/Format/WrongTypeFormatArguments.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp index 0345e8352be..e1c086f235a 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp @@ -23,10 +23,10 @@ void test_size_t() { printf("%zi", &buffer[1023] - buffer); // GOOD printf("%zu", &buffer[1023] - buffer); // GOOD printf("%zx", &buffer[1023] - buffer); // GOOD - printf("%d", &buffer[1023] - buffer); // BAD + printf("%d", &buffer[1023] - buffer); // BAD // $ Alert printf("%ld", &buffer[1023] - buffer); // DUBIOUS [NOT DETECTED] printf("%lld", &buffer[1023] - buffer); // DUBIOUS [NOT DETECTED] - printf("%u", &buffer[1023] - buffer); // BAD + printf("%u", &buffer[1023] - buffer); // BAD // $ Alert // (for the `%ld` and `%lld` cases, the signedness and type sizes match, `%zd` would be most correct // and robust but the developer may know enough to make this safe) } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/tests.c b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/tests.c index c5b3d1df493..fa1d7a7ff32 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/tests.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/tests.c @@ -4,7 +4,7 @@ int printf(const char * format, ...); int fprintf(); void f(UNKNOWN_CHAR * str) { - printf("%s", 1); // BAD + printf("%s", 1); // BAD // $ Alert printf("%s", implicit_function()); // GOOD - we should ignore the type sprintf(0, "%s", ""); // GOOD fprintf(0, "%s", ""); // GOOD 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Builtin/WrongTypeFormatArguments.qlref b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Builtin/WrongTypeFormatArguments.qlref index 6f557ace55a..370dae334d6 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Builtin/WrongTypeFormatArguments.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Builtin/WrongTypeFormatArguments.qlref @@ -1 +1,2 @@ -Likely Bugs/Format/WrongTypeFormatArguments.ql +query: Likely Bugs/Format/WrongTypeFormatArguments.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Builtin/tests.c b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Builtin/tests.c index f94e01251ee..19e84bf1517 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Builtin/tests.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Builtin/tests.c @@ -1,5 +1,5 @@ void f() { char buf[35]; - __builtin___sprintf_chk(buf, 0, __builtin_object_size(buf, 1), "%s", 1); + __builtin___sprintf_chk(buf, 0, __builtin_object_size(buf, 1), "%s", 1); // $ Alert __builtin___sprintf_chk(buf, 0, __builtin_object_size(buf, 1), "%d", 1); } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/WrongTypeFormatArguments.qlref b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/WrongTypeFormatArguments.qlref index 6f557ace55a..370dae334d6 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/WrongTypeFormatArguments.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/WrongTypeFormatArguments.qlref 
@@ -1 +1,2 @@ -Likely Bugs/Format/WrongTypeFormatArguments.ql +query: Likely Bugs/Format/WrongTypeFormatArguments.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/tests.cpp b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/tests.cpp index 5762ded379d..0024faa557e 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/tests.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_byte_wprintf/tests.cpp 
@@ -15,34 +15,34 @@ void tests() { char16_t buffer[BUF_SIZE]; printf("%s", "Hello"); // GOOD - printf("%s", u"Hello"); // BAD: expecting char - printf("%s", L"Hello"); // BAD: expecting char + printf("%s", u"Hello"); // BAD: expecting char // $ Alert + printf("%s", L"Hello"); // BAD: expecting char // $ Alert - printf("%S", "Hello"); // BAD: expecting wchar_t or char16_t + printf("%S", "Hello"); // BAD: expecting wchar_t or char16_t // $ Alert printf("%S", u"Hello"); // GOOD printf("%S", L"Hello"); // GOOD wprintf(L"%s", "Hello"); // GOOD - wprintf(L"%s", u"Hello"); // BAD: expecting char + wprintf(L"%s", u"Hello"); // BAD: expecting char // $ Alert wprintf(L"%s", L"Hello"); // BAD: expecting char [NOT DETECTED; correct on Microsoft platforms] wprintf(L"%S", "Hello"); // BAD: expecting wchar_t [NOT DETECTED; correct on Microsoft platforms] - wprintf(L"%S", u"Hello"); // BAD: expecting wchar_t + wprintf(L"%S", u"Hello"); // BAD: expecting wchar_t // $ Alert wprintf(L"%S", L"Hello"); // GOOD swprintf(buffer, BUF_SIZE, u"%s", "Hello"); // GOOD swprintf(buffer, BUF_SIZE, u"%s", u"Hello"); // BAD: expecting char [NOT DETECTED; correct on Microsoft platforms] - swprintf(buffer, BUF_SIZE, u"%s", L"Hello"); // BAD: expecting char + swprintf(buffer, BUF_SIZE, u"%s", L"Hello"); // BAD: expecting char // $ Alert swprintf(buffer, BUF_SIZE, u"%S", "Hello"); // BAD: expecting char16_t [NOT DETECTED; correct on Microsoft platforms] swprintf(buffer, BUF_SIZE, u"%S", u"Hello"); // GOOD - swprintf(buffer, BUF_SIZE, u"%S", L"Hello"); // BAD: expecting char16_t + swprintf(buffer, BUF_SIZE, u"%S", L"Hello"); // BAD: expecting char16_t // $ Alert swprintf(buffer, BUF_SIZE, u"%hs", "Hello"); // GOOD - swprintf(buffer, BUF_SIZE, u"%hs", u"Hello"); // BAD: expecting char - swprintf(buffer, BUF_SIZE, u"%hs", L"Hello"); // BAD: expecting char + swprintf(buffer, BUF_SIZE, u"%hs", u"Hello"); // BAD: expecting char // $ Alert + swprintf(buffer, BUF_SIZE, u"%hs", L"Hello"); // BAD: expecting 
char // $ Alert - swprintf(buffer, BUF_SIZE, u"%ls", "Hello"); // BAD: expecting char16_t + swprintf(buffer, BUF_SIZE, u"%ls", "Hello"); // BAD: expecting char16_t // $ Alert swprintf(buffer, BUF_SIZE, u"%ls", u"Hello"); // GOOD - swprintf(buffer, BUF_SIZE, u"%ls", L"Hello"); // BAD: expecting char16_t + swprintf(buffer, BUF_SIZE, u"%ls", L"Hello"); // BAD: expecting char16_t // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/WrongTypeFormatArguments.qlref b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/WrongTypeFormatArguments.qlref index 6f557ace55a..370dae334d6 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/WrongTypeFormatArguments.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/WrongTypeFormatArguments.qlref @@ -1 +1,2 @@ -Likely Bugs/Format/WrongTypeFormatArguments.ql +query: Likely Bugs/Format/WrongTypeFormatArguments.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/tests_32.cpp b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/tests_32.cpp index 3c9b802a7a7..7f2f3fb8d67 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/tests_32.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/tests_32.cpp @@ -11,7 +11,7 @@ void test_32() void *void_ptr; printf("%li", l); // GOOD - printf("%li", void_ptr); // BAD - printf("%p", l); // BAD + printf("%li", void_ptr); // BAD // $ Alert + printf("%p", l); // BAD // $ Alert printf("%p", void_ptr); // GOOD } 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/tests_64.cpp b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/tests_64.cpp index 6b38c4e0245..05b3d950b19 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/tests_64.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_mixed_word_size/tests_64.cpp @@ -11,7 +11,7 @@ void test_64() void *void_ptr; printf("%li", l); // GOOD - printf("%li", void_ptr); // BAD - printf("%p", l); // BAD + printf("%li", void_ptr); // BAD // $ Alert + printf("%p", l); // BAD // $ Alert printf("%p", void_ptr); // GOOD } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/WrongTypeFormatArguments.qlref b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/WrongTypeFormatArguments.qlref index 6f557ace55a..370dae334d6 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/WrongTypeFormatArguments.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/WrongTypeFormatArguments.qlref @@ -1 +1,2 @@ -Likely Bugs/Format/WrongTypeFormatArguments.ql +query: Likely Bugs/Format/WrongTypeFormatArguments.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/format.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/format.h index 889dd2f58c8..e5421e760a3 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/format.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/format.h 
@@ -13,5 +13,5 @@ static void error(int x1, int x2, int x3, int x4, int x5, void format2(char *str, int i, double d) { error(1, 2, 3, 4, 5, "%s %d %f", 1, 2, 3, 4, 5, 6, 7, str, i, d); - error(1, 2, 3, 4, 5, "%d %f %s", 1, 2, 3, 4, 5, 6, 7, str, i, d); + error(1, 2, 3, 4, 5, "%d %f %s", 1, 2, 3, 4, 5, 6, 7, str, i, d); // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/linux.cpp b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/linux.cpp index 9b26de4f54e..971fa07446d 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/linux.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/linux.cpp @@ -12,7 +12,7 @@ struct S { template void template_func_calling_printf(S &obj) { ::printf("%d\n", obj.get_int()); - ::printf("%d\n", obj.get_template_value()); + ::printf("%d\n", obj.get_template_value()); // $ Alert } void instantiate() { diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/linux_c.c b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/linux_c.c index bc6468c593b..75af114da68 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/linux_c.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/linux_c.c @@ -8,5 +8,5 @@ void restrict_cases(char * restrict str1, const char * restrict str2, short * re { printf("%s", str1); // GOOD printf("%s", str2); // GOOD - printf("%s", str3); // BAD + printf("%s", str3); // BAD // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/pri_macros.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/pri_macros.h index 782ee23faf3..2222b7e4251 100644 
--- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/pri_macros.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/pri_macros.h @@ -12,5 +12,5 @@ void test_PRI_macros() { printf("my_u64 = %" PRIu64 "\n", my_u64); // GOOD printf("my_u64 = %" PRIx64 "\n", my_u64); // GOOD printf("my_u64 = %" PRIi64 "\n", my_u64); // BAD: uint64_t read as int64_t [NOT DETECTED] - printf("my_u64 = %" PRIu32 "\n", my_u64); // BAD: uint64_t read as uint32_t + printf("my_u64 = %" PRIu32 "\n", my_u64); // BAD: uint64_t read as uint32_t // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/printf1.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/printf1.h index 2cc67497c6e..7157e8fbb6e 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/printf1.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/printf1.h 
@@ -9,22 +9,22 @@ void f(char *s, int i, unsigned char *us, const char *cs, signed char *ss, char const char cc = 'x'; printf("%s: %d\n", s, i); // ok - printf("%s: %f\n", s, i); // not ok (int -> float) + printf("%s: %f\n", s, i); // not ok (int -> float) // $ Alert printf("%s", us); // ok printf("%s", cs); // ok printf("%s", ss); // ok printf("%p", cs); // ok - printf("%p", i); // not ok (int -> void *) + printf("%p", i); // not ok (int -> void *) // $ Alert printf("%p", &f); // ok printf("%*s", i, cs); // ok printf("%*s", mi, cs); // ok printf("%*s", c, cs); // ok printf("%*s", cc, cs); // ok - printf("%*s", i, i); // not ok (int -> char *) + printf("%*s", i, i); // not ok (int -> char *) // $ Alert printf("%d %% %*s", i, i, cs); // ok - printf("%*s", cs, cs); // not ok (the width argument should be integer) + printf("%*s", cs, cs); // not ok (the width argument should be integer) // $ Alert printf("%c", 10); // ok printf("%c", 1000); // not ok [NOT DETECTED] @@ -35,15 +35,15 @@ void f(char *s, int i, unsigned char *us, const char *cs, signed char *ss, char printf("%u", 1000); // ok printf("%i", MYONETHOUSAND); // ok - printf("%s", MYONETHOUSAND); // not ok (enum -> char *) + printf("%s", MYONETHOUSAND); // not ok (enum -> char *) // $ Alert printf("%c", MYONETHOUSAND); // not ok (enum -> char) [NOT DETECTED] printf("%i", mi); // ok printf("%u", mi); // not ok (int -> unsigned int) [NOT DETECTED] - printf("%d", ull); // not ok (unsigned long long -> int) - printf("%u", ull); // not ok (unsigned long long -> unsigned int) - printf("%x", ull); // not ok (unsigned long long -> unsigned int) + printf("%d", ull); // not ok (unsigned long long -> int) // $ Alert + printf("%u", ull); // not ok (unsigned long long -> unsigned int) // $ Alert + printf("%x", ull); // not ok (unsigned long long -> unsigned int) // $ Alert printf("%Lx", ull); // ok printf("%llx", ull); // ok } 
@@ -110,8 +110,8 @@ void extensions() printf("%Lg", ld); // GOOD printf("%llg", ld); // GOOD (nonstandard equivalent to %Lg) - printf("%Lg", d); // BAD (should be %g) - printf("%llg", d); // BAD (should be %g) + printf("%Lg", d); // BAD (should be %g) // $ Alert + printf("%llg", d); // BAD (should be %g) // $ Alert } { @@ -144,8 +144,8 @@ void fun4() long long ll; unsigned long long ull; - printf("%qi\n", i); // BAD - printf("%qu\n", ui); // BAD + printf("%qi\n", i); // BAD // $ Alert + printf("%qu\n", ui); // BAD // $ Alert printf("%qi\n", l); // GOOD printf("%qu\n", ul); // GOOD printf("%qi\n", ll); // GOOD 
@@ -157,82 +157,82 @@ void complexFormatSymbols(int i, const char *s) // positional arguments printf("%1$i", i, s); // GOOD printf("%2$s", i, s); // GOOD - printf("%1$s", i, s); // BAD - printf("%2$i", i, s); // BAD + printf("%1$s", i, s); // BAD // $ Alert + printf("%2$i", i, s); // BAD // $ Alert // width / precision printf("%4i", i); // GOOD printf("%.4i", i); // GOOD printf("%4.4i", i); // GOOD - printf("%4s", i); // BAD - printf("%.4s", i); // BAD - printf("%4.4s", i); // BAD + printf("%4s", i); // BAD // $ Alert + printf("%.4s", i); // BAD // $ Alert + printf("%4.4s", i); // BAD // $ Alert printf("%4s", s); // GOOD printf("%.4s", s); // GOOD printf("%4.4s", s); // GOOD - printf("%4i", s); // BAD - printf("%.4i", s); // BAD - printf("%4.4i", s); // BAD + printf("%4i", s); // BAD // $ Alert + printf("%.4i", s); // BAD // $ Alert + printf("%4.4i", s); // BAD // $ Alert // variable width / precision printf("%*s", i, s); // GOOD - printf("%*s", s, s); // BAD - printf("%*s", i, i); // BAD + printf("%*s", s, s); // BAD // $ Alert + printf("%*s", i, i); // BAD // $ Alert printf("%.*s", i, s); // GOOD - printf("%.*s", s, s); // BAD - printf("%.*s", i, i); // BAD + printf("%.*s", s, s); // BAD // $ Alert + printf("%.*s", i, i); // BAD // $ Alert printf("%*.4s", i, s); // GOOD - printf("%*.4s", s, s); // BAD - printf("%*.4s", i, i); // BAD + printf("%*.4s", s, s); // BAD // $ Alert + printf("%*.4s", i, i); // BAD // $ Alert printf("%4.*s", i, s); // GOOD - printf("%4.*s", s, s); // BAD - printf("%4.*s", i, i); // BAD + printf("%4.*s", s, s); // BAD // $ Alert + printf("%4.*s", i, i); // BAD // $ Alert printf("%*.*s", i, i, s); // GOOD - printf("%*.*s", s, i, s); // BAD - printf("%*.*s", i, s, s); // BAD - printf("%*.*s", i, i, i); // BAD + printf("%*.*s", s, i, s); // BAD // $ Alert + printf("%*.*s", i, s, s); // BAD // $ Alert + printf("%*.*s", i, i, i); // BAD // $ Alert // positional arguments mixed with variable width / precision printf("%2$*1$s", i, s); // GOOD - 
printf("%2$*2$s", i, s); // BAD - printf("%1$*1$s", i, s); // BAD + printf("%2$*2$s", i, s); // BAD // $ Alert + printf("%1$*1$s", i, s); // BAD // $ Alert printf("%2$*1$.4s", i, s); // GOOD - printf("%2$*2$.4s", i, s); // BAD - printf("%1$*1$.4s", i, s); // BAD + printf("%2$*2$.4s", i, s); // BAD // $ Alert + printf("%1$*1$.4s", i, s); // BAD // $ Alert printf("%2$.*1$s", i, s); // GOOD - printf("%2$.*2$s", i, s); // BAD - printf("%1$.*1$s", i, s); // BAD + printf("%2$.*2$s", i, s); // BAD // $ Alert + printf("%1$.*1$s", i, s); // BAD // $ Alert printf("%2$4.*1$s", i, s); // GOOD - printf("%2$4.*2$s", i, s); // BAD - printf("%1$4.*1$s", i, s); // BAD + printf("%2$4.*2$s", i, s); // BAD // $ Alert + printf("%1$4.*1$s", i, s); // BAD // $ Alert printf("%2$*1$.*1$s", i, s); // GOOD - printf("%2$*2$.*1$s", i, s); // BAD - printf("%2$*1$.*2$s", i, s); // BAD - printf("%1$*1$.*1$s", i, s); // BAD + printf("%2$*2$.*1$s", i, s); // BAD // $ Alert + printf("%2$*1$.*2$s", i, s); // BAD // $ Alert + printf("%1$*1$.*1$s", i, s); // BAD // $ Alert // left justify flag printf("%-4s", s); // GOOD printf("%1$-4s", s); // GOOD - printf("%-4i", s); // BAD - printf("%1$-4i", s); // BAD + printf("%-4i", s); // BAD // $ Alert + printf("%1$-4i", s); // BAD // $ Alert printf("%1$-4s", s, i); // GOOD - printf("%2$-4s", s, i); // BAD + printf("%2$-4s", s, i); // BAD // $ Alert printf("%1$-.4s", s, i); // GOOD - printf("%2$-.4s", s, i); // BAD + printf("%2$-.4s", s, i); // BAD // $ Alert printf("%1$-4.4s", s, i); // GOOD - printf("%2$-4.4s", s, i); // BAD + printf("%2$-4.4s", s, i); // BAD // $ Alert printf("%1$-*2$s", s, i); // GOOD - printf("%2$-*2$s", s, i); // BAD - printf("%1$-*1$s", s, i); // BAD + printf("%2$-*2$s", s, i); // BAD // $ Alert + printf("%1$-*1$s", s, i); // BAD // $ Alert } void myvsnprintf(const char *format_string, char *target, size_t buffer_size, va_list args) 
@@ -273,7 +273,7 @@ void usemyprintf(int i, char *s) char buffer[1024]; mysprintf("%i", buffer, 1024, i); // GOOD - mysprintf("%i", buffer, 1024, s); // BAD + mysprintf("%i", buffer, 1024, s); // BAD // $ Alert myprintf("%i", i); // GOOD - myprintf("%i", s); // BAD + myprintf("%i", s); // BAD // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/real_world.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/real_world.h index eefb84993e7..6e592a95dc0 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/real_world.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/real_world.h @@ -58,9 +58,9 @@ void bar() printf("check %n", &i); // GOOD printf("check %n", &ui); // GOOD [dubious: int is written to unsigned int] printf("check %n", &si); // GOOD - printf("check %n", &s); // BAD: int is written to short - printf("check %hn", &i); // BAD: short is written to int - printf("check %hn", &ui); // BAD: short is written to unsigned int - printf("check %hn", &si); // BAD: short is written to signed int + printf("check %n", &s); // BAD: int is written to short // $ Alert + printf("check %hn", &i); // BAD: short is written to int // $ Alert + printf("check %hn", &ui); // BAD: short is written to unsigned int // $ Alert + printf("check %hn", &si); // BAD: short is written to signed int // $ Alert printf("check %hn", &s); // GOOD } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/wide_string.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/wide_string.h index 73bdee5b8b1..65042f84300 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/wide_string.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_signed_chars/wide_string.h 
@@ -22,7 +22,7 @@ void test_wchar4(char c, const char cc, wchar_t wc, const wchar_t wcc) { printf("%c", c); // GOOD printf("%c", cc); // GOOD printf("%c", 'c'); // GOOD - printf("%c", "c"); // BAD + printf("%c", "c"); // BAD // $ Alert printf("%wc", wc); // GOOD printf("%wc", wcc); // GOOD printf("%wc", L'c'); // GOOD diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_two_byte_wprintf/WrongTypeFormatArguments.qlref b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_two_byte_wprintf/WrongTypeFormatArguments.qlref index 6f557ace55a..370dae334d6 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_two_byte_wprintf/WrongTypeFormatArguments.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_two_byte_wprintf/WrongTypeFormatArguments.qlref @@ -1 +1,2 @@ -Likely Bugs/Format/WrongTypeFormatArguments.ql +query: Likely Bugs/Format/WrongTypeFormatArguments.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_two_byte_wprintf/printf.cpp b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_two_byte_wprintf/printf.cpp index 596e7ac73fc..7eaeefab48e 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_two_byte_wprintf/printf.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_two_byte_wprintf/printf.cpp 
@@ -40,12 +40,12 @@ void test2() { void test3() { char string[20]; - sprintf(string, "test %s", u"test"); // BAD: `char16_t` string parameter read as `char` string + sprintf(string, "test %s", u"test"); // BAD: `char16_t` string parameter read as `char` string // $ Alert } void test4() { char string[20]; - sprintf(string, "test %S", L"test"); // BAD: `wchar_t` string parameter read as `char16_t` string + sprintf(string, "test %S", L"test"); // BAD: `wchar_t` string parameter read as `char16_t` string // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/WrongTypeFormatArguments.qlref b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/WrongTypeFormatArguments.qlref index 6f557ace55a..370dae334d6 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/WrongTypeFormatArguments.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/WrongTypeFormatArguments.qlref @@ -1 +1,2 @@ -Likely Bugs/Format/WrongTypeFormatArguments.ql +query: Likely Bugs/Format/WrongTypeFormatArguments.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/format.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/format.h index 889dd2f58c8..e5421e760a3 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/format.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/format.h 
@@ -13,5 +13,5 @@ static void error(int x1, int x2, int x3, int x4, int x5, void format2(char *str, int i, double d) { error(1, 2, 3, 4, 5, "%s %d %f", 1, 2, 3, 4, 5, 6, 7, str, i, d); - error(1, 2, 3, 4, 5, "%d %f %s", 1, 2, 3, 4, 5, 6, 7, str, i, d); + error(1, 2, 3, 4, 5, "%d %f %s", 1, 2, 3, 4, 5, 6, 7, str, i, d); // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/pri_macros.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/pri_macros.h index 782ee23faf3..2222b7e4251 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/pri_macros.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/pri_macros.h @@ -12,5 +12,5 @@ void test_PRI_macros() { printf("my_u64 = %" PRIu64 "\n", my_u64); // GOOD printf("my_u64 = %" PRIx64 "\n", my_u64); // GOOD printf("my_u64 = %" PRIi64 "\n", my_u64); // BAD: uint64_t read as int64_t [NOT DETECTED] - printf("my_u64 = %" PRIu32 "\n", my_u64); // BAD: uint64_t read as uint32_t + printf("my_u64 = %" PRIu32 "\n", my_u64); // BAD: uint64_t read as uint32_t // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/printf1.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/printf1.h index 60ee2c8caad..6b2151e013b 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/printf1.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/printf1.h 
@@ -9,22 +9,22 @@ void f(char *s, int i, unsigned char *us, const char *cs, signed char *ss, char const char cc = 'x'; printf("%s: %d\n", s, i); // ok - printf("%s: %f\n", s, i); // not ok (int -> float) + printf("%s: %f\n", s, i); // not ok (int -> float) // $ Alert printf("%s", us); // ok printf("%s", cs); // ok printf("%s", ss); // ok printf("%p", cs); // ok - printf("%p", i); // not ok (int -> void *) + printf("%p", i); // not ok (int -> void *) // $ Alert printf("%p", &f); // ok printf("%*s", i, cs); // ok printf("%*s", mi, cs); // ok printf("%*s", c, cs); // ok printf("%*s", cc, cs); // ok - printf("%*s", i, i); // not ok (int -> char *) + printf("%*s", i, i); // not ok (int -> char *) // $ Alert printf("%d %% %*s", i, i, cs); // ok - printf("%*s", cs, cs); // not ok (the width argument should be integer) + printf("%*s", cs, cs); // not ok (the width argument should be integer) // $ Alert printf("%c", 10); // ok printf("%c", 1000); // not ok [NOT DETECTED] @@ -35,15 +35,15 @@ void f(char *s, int i, unsigned char *us, const char *cs, signed char *ss, char printf("%u", 1000); // ok printf("%i", MYONETHOUSAND); // ok - printf("%s", MYONETHOUSAND); // not ok (enum -> char *) + printf("%s", MYONETHOUSAND); // not ok (enum -> char *) // $ Alert printf("%c", MYONETHOUSAND); // not ok (enum -> char) [NOT DETECTED] printf("%i", mi); // ok printf("%u", mi); // not ok (int -> unsigned int) [NOT DETECTED] - printf("%d", ull); // not ok (unsigned long long -> int) - printf("%u", ull); // not ok (unsigned long long -> unsigned int) - printf("%x", ull); // not ok (unsigned long long -> unsigned int) + printf("%d", ull); // not ok (unsigned long long -> int) // $ Alert + printf("%u", ull); // not ok (unsigned long long -> unsigned int) // $ Alert + printf("%x", ull); // not ok (unsigned long long -> unsigned int) // $ Alert printf("%Lx", ull); // ok printf("%llx", ull); // ok } 
@@ -127,7 +127,7 @@ void fun3(void *p1, VOIDPTR p2, FUNPTR p3, char *p4) printf("%p\n", p3); // GOOD printf("%p\n", p4); // GOOD printf("%p\n", p4 + 1); // GOOD - printf("%p\n", 0); // GOOD [FALSE POSITIVE] + printf("%p\n", 0); // GOOD [FALSE POSITIVE] // $ Alert } typedef unsigned int wint_t; @@ -165,8 +165,8 @@ void fun4() long long ll; unsigned long long ull; - printf("%qi\n", i); // BAD - printf("%qu\n", ui); // BAD + printf("%qi\n", i); // BAD // $ Alert + printf("%qu\n", ui); // BAD // $ Alert printf("%qi\n", l); // GOOD printf("%qu\n", ul); // GOOD printf("%qi\n", ll); // GOOD diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/real_world.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/real_world.h index eefb84993e7..6e592a95dc0 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/real_world.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/real_world.h @@ -58,9 +58,9 @@ void bar() printf("check %n", &i); // GOOD printf("check %n", &ui); // GOOD [dubious: int is written to unsigned int] printf("check %n", &si); // GOOD - printf("check %n", &s); // BAD: int is written to short - printf("check %hn", &i); // BAD: short is written to int - printf("check %hn", &ui); // BAD: short is written to unsigned int - printf("check %hn", &si); // BAD: short is written to signed int + printf("check %n", &s); // BAD: int is written to short // $ Alert + printf("check %hn", &i); // BAD: short is written to int // $ Alert + printf("check %hn", &ui); // BAD: short is written to unsigned int // $ Alert + printf("check %hn", &si); // BAD: short is written to signed int // $ Alert printf("check %hn", &s); // GOOD } 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/wide_string.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/wide_string.h index 73bdee5b8b1..65042f84300 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/wide_string.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Linux_unsigned_chars/wide_string.h @@ -22,7 +22,7 @@ void test_wchar4(char c, const char cc, wchar_t wc, const wchar_t wcc) { printf("%c", c); // GOOD printf("%c", cc); // GOOD printf("%c", 'c'); // GOOD - printf("%c", "c"); // BAD + printf("%c", "c"); // BAD // $ Alert printf("%wc", wc); // GOOD printf("%wc", wcc); // GOOD printf("%wc", L'c'); // GOOD diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/WrongTypeFormatArguments.qlref b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/WrongTypeFormatArguments.qlref index 6f557ace55a..370dae334d6 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/WrongTypeFormatArguments.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/WrongTypeFormatArguments.qlref @@ -1 +1,2 @@ -Likely Bugs/Format/WrongTypeFormatArguments.ql +query: Likely Bugs/Format/WrongTypeFormatArguments.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/format.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/format.h index 889dd2f58c8..e5421e760a3 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/format.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/format.h 
@@ -13,5 +13,5 @@ static void error(int x1, int x2, int x3, int x4, int x5, void format2(char *str, int i, double d) { error(1, 2, 3, 4, 5, "%s %d %f", 1, 2, 3, 4, 5, 6, 7, str, i, d); - error(1, 2, 3, 4, 5, "%d %f %s", 1, 2, 3, 4, 5, 6, 7, str, i, d); + error(1, 2, 3, 4, 5, "%d %f %s", 1, 2, 3, 4, 5, 6, 7, str, i, d); // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/pri_macros.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/pri_macros.h index 782ee23faf3..2222b7e4251 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/pri_macros.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/pri_macros.h @@ -12,5 +12,5 @@ void test_PRI_macros() { printf("my_u64 = %" PRIu64 "\n", my_u64); // GOOD printf("my_u64 = %" PRIx64 "\n", my_u64); // GOOD printf("my_u64 = %" PRIi64 "\n", my_u64); // BAD: uint64_t read as int64_t [NOT DETECTED] - printf("my_u64 = %" PRIu32 "\n", my_u64); // BAD: uint64_t read as uint32_t + printf("my_u64 = %" PRIu32 "\n", my_u64); // BAD: uint64_t read as uint32_t // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/printf1.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/printf1.h index 2fb361d485c..80e8b74d9a3 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/printf1.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/printf1.h 
@@ -9,22 +9,22 @@ void f(char *s, int i, unsigned char *us, const char *cs, signed char *ss, char const char cc = 'x'; printf("%s: %d\n", s, i); // ok - printf("%s: %f\n", s, i); // not ok (int -> float) + printf("%s: %f\n", s, i); // not ok (int -> float) // $ Alert printf("%s", us); // ok printf("%s", cs); // ok printf("%s", ss); // ok printf("%p", cs); // ok - printf("%p", i); // not ok (int -> void *) + printf("%p", i); // not ok (int -> void *) // $ Alert printf("%p", &f); // ok printf("%*s", i, cs); // ok printf("%*s", mi, cs); // ok printf("%*s", c, cs); // ok printf("%*s", cc, cs); // ok - printf("%*s", i, i); // not ok (int -> char *) + printf("%*s", i, i); // not ok (int -> char *) // $ Alert printf("%d %% %*s", i, i, cs); // ok - printf("%*s", cs, cs); // not ok (the width argument should be integer) + printf("%*s", cs, cs); // not ok (the width argument should be integer) // $ Alert printf("%c", 10); // ok printf("%c", 1000); // not ok [NOT DETECTED] @@ -35,15 +35,15 @@ void f(char *s, int i, unsigned char *us, const char *cs, signed char *ss, char printf("%u", 1000); // ok printf("%i", MYONETHOUSAND); // ok - printf("%s", MYONETHOUSAND); // not ok (enum -> char *) + printf("%s", MYONETHOUSAND); // not ok (enum -> char *) // $ Alert printf("%c", MYONETHOUSAND); // not ok (enum -> char) [NOT DETECTED] printf("%i", mi); // ok printf("%u", mi); // not ok (int -> unsigned int) [NOT DETECTED] - printf("%d", ull); // not ok (unsigned long long -> int) - printf("%u", ull); // not ok (unsigned long long -> unsigned int) - printf("%x", ull); // not ok (unsigned long long -> unsigned int) + printf("%d", ull); // not ok (unsigned long long -> int) // $ Alert + printf("%u", ull); // not ok (unsigned long long -> unsigned int) // $ Alert + printf("%x", ull); // not ok (unsigned long long -> unsigned int) // $ Alert printf("%Lx", ull); // ok printf("%llx", ull); // ok } 
@@ -59,20 +59,20 @@ void g() const SIZE_T C_ST = sizeof(st); ssize_t sst; - printf("%zu", ul); // not ok + printf("%zu", ul); // not ok // $ Alert printf("%zu", st); // ok printf("%zu", ST); // ok printf("%zu", c_st); // ok printf("%zu", C_ST); // ok printf("%zu", sizeof(ul)); // ok - printf("%zu", sst); // not ok + printf("%zu", sst); // not ok // $ Alert printf("%zd", ul); // not ok [NOT DETECTED] - printf("%zd", st); // not ok - printf("%zd", ST); // not ok - printf("%zd", c_st); // not ok - printf("%zd", C_ST); // not ok - printf("%zd", sizeof(ul)); // not ok + printf("%zd", st); // not ok // $ Alert + printf("%zd", ST); // not ok // $ Alert + printf("%zd", c_st); // not ok // $ Alert + printf("%zd", C_ST); // not ok // $ Alert + printf("%zd", sizeof(ul)); // not ok // $ Alert printf("%zd", sst); // ok { char *ptr_a, *ptr_b; @@ -81,7 +81,7 @@ void g() printf("%tu", ptr_a - ptr_b); // ok printf("%td", ptr_a - ptr_b); // ok printf("%zu", ptr_a - ptr_b); // ok (dubious) - printf("%zd", ptr_a - ptr_b); // ok (dubious) [FALSE POSITIVE] + printf("%zd", ptr_a - ptr_b); // ok (dubious) [FALSE POSITIVE] // $ Alert } } @@ -113,8 +113,8 @@ void fun2() { printf("%S", myString1); // GOOD printf("%S", myString2); // GOOD - printf("%S", myString3); // BAD - printf("%S", myString4); // BAD + printf("%S", myString3); // BAD // $ Alert + printf("%S", myString4); // BAD // $ Alert } typedef void *VOIDPTR; @@ -127,7 +127,7 @@ void fun3(void *p1, VOIDPTR p2, FUNPTR p3, char *p4) printf("%p\n", p3); // GOOD printf("%p\n", p4); // GOOD printf("%p\n", p4 + 1); // GOOD - printf("%p\n", 0); // GOOD [FALSE POSITIVE] + printf("%p\n", 0); // GOOD [FALSE POSITIVE] // $ Alert } typedef unsigned int wint_t; 
@@ -178,21 +178,21 @@ void fun4() printf("%I32u\n", ui); // GOOD printf("%I32i\n", l); // GOOD printf("%I32u\n", ul); // GOOD - printf("%I32i\n", ll); // BAD - printf("%I32u\n", ull); // BAD + printf("%I32i\n", ll); // BAD // $ Alert + printf("%I32u\n", ull); // BAD // $ Alert printf("%I32i\n", i32); // GOOD printf("%I32u\n", u32); // GOOD - printf("%I32i\n", i64); // BAD - printf("%I32u\n", u64); // BAD + printf("%I32i\n", i64); // BAD // $ Alert + printf("%I32u\n", u64); // BAD // $ Alert - printf("%I64i\n", i); // BAD - printf("%I64u\n", ui); // BAD - printf("%I64i\n", l); // BAD - printf("%I64u\n", ul); // BAD + printf("%I64i\n", i); // BAD // $ Alert + printf("%I64u\n", ui); // BAD // $ Alert + printf("%I64i\n", l); // BAD // $ Alert + printf("%I64u\n", ul); // BAD // $ Alert printf("%I64i\n", ll); // GOOD printf("%I64u\n", ull); // GOOD - printf("%I64i\n", i32); // BAD - printf("%I64u\n", u32); // BAD + printf("%I64i\n", i32); // BAD // $ Alert + printf("%I64u\n", u32); // BAD // $ Alert printf("%I64i\n", i64); // GOOD printf("%I64u\n", u64); // GOOD } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/real_world.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/real_world.h index e88d0318bb0..9eb5fd0bb23 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/real_world.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/real_world.h 
@@ -58,9 +58,9 @@ void bar() printf("check %n", &i); // GOOD printf("check %n", &ui); // GOOD [dubious: int is written to unsigned int] printf("check %n", &si); // GOOD - printf("check %n", &s); // BAD: int is written to short - printf("check %hn", &i); // BAD: short is written to int - printf("check %hn", &ui); // BAD: short is written to unsigned int - printf("check %hn", &si); // BAD: short is written to signed int + printf("check %n", &s); // BAD: int is written to short // $ Alert + printf("check %hn", &i); // BAD: short is written to int // $ Alert + printf("check %hn", &ui); // BAD: short is written to unsigned int // $ Alert + printf("check %hn", &si); // BAD: short is written to signed int // $ Alert printf("check %hn", &s); // GOOD } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/wide_string.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/wide_string.h index 672329b6270..3f9abeb0182 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/wide_string.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/wide_string.h @@ -22,9 +22,9 @@ void test_wchar4(char c, const char cc, wchar_t wc, const wchar_t wcc) { printf("%c", c); // GOOD printf("%c", cc); // GOOD printf("%c", 'c'); // GOOD - printf("%c", "c"); // BAD + printf("%c", "c"); // BAD // $ Alert printf("%wc", wc); // GOOD printf("%wc", wcc); // GOOD printf("%wc", L'c'); // GOOD - printf("%wc", L"c"); // BAD + printf("%wc", L"c"); // BAD // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/WrongTypeFormatArguments.qlref b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/WrongTypeFormatArguments.qlref index 6f557ace55a..370dae334d6 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/WrongTypeFormatArguments.qlref 
+++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/WrongTypeFormatArguments.qlref @@ -1 +1,2 @@ -Likely Bugs/Format/WrongTypeFormatArguments.ql +query: Likely Bugs/Format/WrongTypeFormatArguments.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/format.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/format.h index 889dd2f58c8..e5421e760a3 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/format.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/format.h @@ -13,5 +13,5 @@ static void error(int x1, int x2, int x3, int x4, int x5, void format2(char *str, int i, double d) { error(1, 2, 3, 4, 5, "%s %d %f", 1, 2, 3, 4, 5, 6, 7, str, i, d); - error(1, 2, 3, 4, 5, "%d %f %s", 1, 2, 3, 4, 5, 6, 7, str, i, d); + error(1, 2, 3, 4, 5, "%d %f %s", 1, 2, 3, 4, 5, 6, 7, str, i, d); // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/pri_macros.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/pri_macros.h index 782ee23faf3..2222b7e4251 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/pri_macros.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/pri_macros.h @@ -12,5 +12,5 @@ void test_PRI_macros() { printf("my_u64 = %" PRIu64 "\n", my_u64); // GOOD printf("my_u64 = %" PRIx64 "\n", my_u64); // GOOD printf("my_u64 = %" PRIi64 "\n", my_u64); // BAD: uint64_t read as int64_t [NOT DETECTED] - printf("my_u64 = %" PRIu32 "\n", my_u64); // BAD: uint64_t read as uint32_t + printf("my_u64 = %" PRIu32 "\n", my_u64); // BAD: uint64_t read as uint32_t // $ Alert } 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/printf1.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/printf1.h index 8222cfa67b2..90fd490c954 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/printf1.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/printf1.h @@ -9,22 +9,22 @@ void f(char *s, int i, unsigned char *us, const char *cs, signed char *ss, char const char cc = 'x'; printf("%s: %d\n", s, i); // ok - printf("%s: %f\n", s, i); // not ok (int -> float) + printf("%s: %f\n", s, i); // not ok (int -> float) // $ Alert printf("%s", us); // ok printf("%s", cs); // ok printf("%s", ss); // ok printf("%p", cs); // ok - printf("%p", i); // not ok (int -> void *) + printf("%p", i); // not ok (int -> void *) // $ Alert printf("%p", &f); // ok printf("%*s", i, cs); // ok printf("%*s", mi, cs); // ok printf("%*s", c, cs); // ok printf("%*s", cc, cs); // ok - printf("%*s", i, i); // not ok (int -> char *) + printf("%*s", i, i); // not ok (int -> char *) // $ Alert printf("%d %% %*s", i, i, cs); // ok - printf("%*s", cs, cs); // not ok (the width argument should be integer) + printf("%*s", cs, cs); // not ok (the width argument should be integer) // $ Alert printf("%c", 10); // ok printf("%c", 1000); // not ok [NOT DETECTED] 
@@ -35,15 +35,15 @@ void f(char *s, int i, unsigned char *us, const char *cs, signed char *ss, char printf("%u", 1000); // ok printf("%i", MYONETHOUSAND); // ok - printf("%s", MYONETHOUSAND); // not ok (enum -> char *) + printf("%s", MYONETHOUSAND); // not ok (enum -> char *) // $ Alert printf("%c", MYONETHOUSAND); // not ok (enum -> char) [NOT DETECTED] printf("%i", mi); // ok printf("%u", mi); // not ok (int -> unsigned int) [NOT DETECTED] - printf("%d", ull); // not ok (unsigned long long -> int) - printf("%u", ull); // not ok (unsigned long long -> unsigned int) - printf("%x", ull); // not ok (unsigned long long -> unsigned int) + printf("%d", ull); // not ok (unsigned long long -> int) // $ Alert + printf("%u", ull); // not ok (unsigned long long -> unsigned int) // $ Alert + printf("%x", ull); // not ok (unsigned long long -> unsigned int) // $ Alert printf("%Lx", ull); // ok printf("%llx", ull); // ok } @@ -59,20 +59,20 @@ void g() const SIZE_T C_ST = sizeof(st); ssize_t sst; - printf("%zu", ul); // not ok + printf("%zu", ul); // not ok // $ Alert printf("%zu", st); // ok printf("%zu", ST); // ok printf("%zu", c_st); // ok printf("%zu", C_ST); // ok printf("%zu", sizeof(ul)); // ok - printf("%zu", sst); // not ok + printf("%zu", sst); // not ok // $ Alert printf("%zd", ul); // not ok [NOT DETECTED] - printf("%zd", st); // not ok - printf("%zd", ST); // not ok - printf("%zd", c_st); // not ok - printf("%zd", C_ST); // not ok - printf("%zd", sizeof(ul)); // not ok + printf("%zd", st); // not ok // $ Alert + printf("%zd", ST); // not ok // $ Alert + printf("%zd", c_st); // not ok // $ Alert + printf("%zd", C_ST); // not ok // $ Alert + printf("%zd", sizeof(ul)); // not ok // $ Alert printf("%zd", sst); // ok { char *ptr_a, *ptr_b; 
@@ -81,7 +81,7 @@ void g() printf("%tu", ptr_a - ptr_b); // ok printf("%td", ptr_a - ptr_b); // ok printf("%zu", ptr_a - ptr_b); // ok (dubious) - printf("%zd", ptr_a - ptr_b); // ok (dubious) [FALSE POSITIVE] + printf("%zd", ptr_a - ptr_b); // ok (dubious) [FALSE POSITIVE] // $ Alert } } @@ -127,7 +127,7 @@ void fun3(void *p1, VOIDPTR p2, FUNPTR p3, char *p4) printf("%p\n", p3); // GOOD printf("%p\n", p4); // GOOD printf("%p\n", p4 + 1); // GOOD - printf("%p\n", 0); // GOOD [FALSE POSITIVE] + printf("%p\n", 0); // GOOD [FALSE POSITIVE] // $ Alert } void fun4() @@ -152,21 +152,21 @@ void fun4() printf("%I32u\n", ui); // GOOD printf("%I32i\n", l); // GOOD printf("%I32u\n", ul); // GOOD - printf("%I32i\n", ll); // BAD - printf("%I32u\n", ull); // BAD + printf("%I32i\n", ll); // BAD // $ Alert + printf("%I32u\n", ull); // BAD // $ Alert printf("%I32i\n", i32); // GOOD printf("%I32u\n", u32); // GOOD - printf("%I32i\n", i64); // BAD - printf("%I32u\n", u64); // BAD + printf("%I32i\n", i64); // BAD // $ Alert + printf("%I32u\n", u64); // BAD // $ Alert - printf("%I64i\n", i); // BAD - printf("%I64u\n", ui); // BAD - printf("%I64i\n", l); // BAD - printf("%I64u\n", ul); // BAD + printf("%I64i\n", i); // BAD // $ Alert + printf("%I64u\n", ui); // BAD // $ Alert + printf("%I64i\n", l); // BAD // $ Alert + printf("%I64u\n", ul); // BAD // $ Alert printf("%I64i\n", ll); // GOOD printf("%I64u\n", ull); // GOOD - printf("%I64i\n", i32); // BAD - printf("%I64u\n", u32); // BAD + printf("%I64i\n", i32); // BAD // $ Alert + printf("%I64u\n", u32); // BAD // $ Alert printf("%I64i\n", i64); // GOOD printf("%I64u\n", u64); // GOOD } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/real_world.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/real_world.h index eefb84993e7..6e592a95dc0 100644 
--- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/real_world.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/real_world.h @@ -58,9 +58,9 @@ void bar() printf("check %n", &i); // GOOD printf("check %n", &ui); // GOOD [dubious: int is written to unsigned int] printf("check %n", &si); // GOOD - printf("check %n", &s); // BAD: int is written to short - printf("check %hn", &i); // BAD: short is written to int - printf("check %hn", &ui); // BAD: short is written to unsigned int - printf("check %hn", &si); // BAD: short is written to signed int + printf("check %n", &s); // BAD: int is written to short // $ Alert + printf("check %hn", &i); // BAD: short is written to int // $ Alert + printf("check %hn", &ui); // BAD: short is written to unsigned int // $ Alert + printf("check %hn", &si); // BAD: short is written to signed int // $ Alert printf("check %hn", &s); // GOOD } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/wide_string.h b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/wide_string.h index 672329b6270..3f9abeb0182 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/wide_string.h +++ b/cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/wide_string.h @@ -22,9 +22,9 @@ void test_wchar4(char c, const char cc, wchar_t wc, const wchar_t wcc) { printf("%c", c); // GOOD printf("%c", cc); // GOOD printf("%c", 'c'); // GOOD - printf("%c", "c"); // BAD + printf("%c", "c"); // BAD // $ Alert printf("%wc", wc); // GOOD printf("%wc", wcc); // GOOD printf("%wc", L'c'); // GOOD - printf("%wc", L"c"); // BAD + printf("%wc", L"c"); // BAD // $ Alert } 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/InconsistentCheckReturnNull/InconsistentCheckReturnNull.qlref b/cpp/ql/test/query-tests/Likely Bugs/InconsistentCheckReturnNull/InconsistentCheckReturnNull.qlref index 8ede85c2d6f..676a003f058 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/InconsistentCheckReturnNull/InconsistentCheckReturnNull.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/InconsistentCheckReturnNull/InconsistentCheckReturnNull.qlref @@ -1 +1,2 @@ -Likely Bugs/InconsistentCheckReturnNull.ql +query: Likely Bugs/InconsistentCheckReturnNull.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/InconsistentCheckReturnNull/test.c b/cpp/ql/test/query-tests/Likely Bugs/InconsistentCheckReturnNull/test.c index 0f7887666df..f2383982771 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/InconsistentCheckReturnNull/test.c +++ b/cpp/ql/test/query-tests/Likely Bugs/InconsistentCheckReturnNull/test.c @@ -26,7 +26,7 @@ void f() { int* x7 = maybe_null_func(); if (x7) *x7 = 0; - int* x8 = maybe_null_func(); + int* x8 = maybe_null_func(); // $ Alert *x8 = 0; int* x9 = maybe_null_func(); diff --git a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/Adding365DaysPerYear/Adding365daysPerYear.qlref b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/Adding365DaysPerYear/Adding365daysPerYear.qlref index 4420b542ca4..9352fe408e8 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/Adding365DaysPerYear/Adding365daysPerYear.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/Adding365DaysPerYear/Adding365daysPerYear.qlref @@ -1 +1,2 @@ -Likely Bugs/Leap Year/Adding365DaysPerYear.ql +query: Likely Bugs/Leap Year/Adding365DaysPerYear.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/Adding365DaysPerYear/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/Adding365DaysPerYear/test.cpp index a14667c75ca..8fb6d8e0155 100644 
--- a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/Adding365DaysPerYear/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/Adding365DaysPerYear/test.cpp @@ -170,8 +170,8 @@ void antipattern2() qwLongTime += 365 * 24 * 60 * 60 * 10000000LLU; // copy back to a FILETIME - ft.dwLowDateTime = (DWORD)(qwLongTime & 0xFFFFFFFF); // BAD - ft.dwHighDateTime = (DWORD)(qwLongTime >> 32); // BAD + ft.dwLowDateTime = (DWORD)(qwLongTime & 0xFFFFFFFF); // BAD // $ Alert + ft.dwHighDateTime = (DWORD)(qwLongTime >> 32); // BAD // $ Alert // convert back to SYSTEMTIME for display or other usage FileTimeToSystemTime(&ft, &st); @@ -190,7 +190,7 @@ time_t mkTime(int days) tm.tm_hour = 0; tm.tm_mday = 0; tm.tm_mon = 0; - tm.tm_year = days / 365; // BAD + tm.tm_year = days / 365; // BAD // $ Alert // ... t = mktime(&tm); // convert tm -> time_t @@ -214,8 +214,8 @@ void checkedExample() qwLongTime += 365 * 24 * 60 * 60 * 10000000LLU; // copy back to a FILETIME - ft.dwLowDateTime = (DWORD)(qwLongTime & 0xFFFFFFFF); // GOOD [FALSE POSITIVE] - ft.dwHighDateTime = (DWORD)(qwLongTime >> 32); // GOOD [FALSE POSITIVE] + ft.dwLowDateTime = (DWORD)(qwLongTime & 0xFFFFFFFF); // GOOD [FALSE POSITIVE] // $ Alert + ft.dwHighDateTime = (DWORD)(qwLongTime >> 32); // GOOD [FALSE POSITIVE] // $ Alert // convert back to SYSTEMTIME for display or other usage if (FileTimeToSystemTime(&ft, &st) == 0) diff --git a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedReturnValueForTimeFunctions.qlref b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedReturnValueForTimeFunctions.qlref index 70eae8e7edc..d453e0c83be 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedReturnValueForTimeFunctions.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedReturnValueForTimeFunctions.qlref 
@@ -1 +1 @@ -Likely Bugs/Leap Year/UncheckedReturnValueForTimeFunctions.ql +query: Likely Bugs/Leap Year/UncheckedReturnValueForTimeFunctions.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UnsafeArrayForDaysOfYear/UnsafeArrayForDaysOfYear.qlref b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UnsafeArrayForDaysOfYear/UnsafeArrayForDaysOfYear.qlref index 4271a41e0fa..e0d1519153c 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UnsafeArrayForDaysOfYear/UnsafeArrayForDaysOfYear.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UnsafeArrayForDaysOfYear/UnsafeArrayForDaysOfYear.qlref @@ -1 +1,2 @@ -Likely Bugs/Leap Year/UnsafeArrayForDaysOfYear.ql +query: Likely Bugs/Leap Year/UnsafeArrayForDaysOfYear.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UnsafeArrayForDaysOfYear/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UnsafeArrayForDaysOfYear/test.cpp index 7f6f2cfd3fe..f76167c1893 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UnsafeArrayForDaysOfYear/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Leap Year/UnsafeArrayForDaysOfYear/test.cpp @@ -14,7 +14,7 @@ public: void ArrayOfDays_Bug(int dayOfYear, int x) { // BUG - int items[365]; + int items[365]; // $ Alert items[dayOfYear - 1] = x; } @@ -22,7 +22,7 @@ void ArrayOfDays_Bug(int dayOfYear, int x) void ArrayOfDays_Bug2(int dayOfYear, int x) { // BUG - int *items = new int[365]; + int *items = new int[365]; // $ Alert items[dayOfYear - 1] = x; delete items; @@ -49,7 +49,7 @@ void ArrayOfDays_FalsePositive(int dayOfYear, int x) void VectorOfDays_Bug(int dayOfYear, int x) { // BUG - vector items(365); + vector items(365); // $ Alert items[dayOfYear - 1] = x; } 
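Review bot: The `UncheckedReturnValueForTimeFunctions.qlref` hunk (the first hunk on this line) switches to the `query:` form but does not add `postprocess: utils/test/InlineExpectationsTestQuery.ql`, unlike every other `.qlref` converted in this part of the patch. As written, this test is still checked only against its `.expected` file. If that is deliberate, presumably because the directory's test source is shared with another query whose `// $ Alert` annotations would clash, it deserves a line in the commit description. Otherwise add the `postprocess:` line and annotate the source.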
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/AssignWhereCompareMeant/AssignWhereCompareMeant.qlref b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/AssignWhereCompareMeant/AssignWhereCompareMeant.qlref index ca70196fa6b..e4598d92043 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/AssignWhereCompareMeant/AssignWhereCompareMeant.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/AssignWhereCompareMeant/AssignWhereCompareMeant.qlref @@ -1 +1,2 @@ -Likely Bugs/Likely Typos/AssignWhereCompareMeant.ql +query: Likely Bugs/Likely Typos/AssignWhereCompareMeant.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/AssignWhereCompareMeant/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/AssignWhereCompareMeant/test.cpp index 3cd18125467..c4dd2ff4510 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/AssignWhereCompareMeant/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/AssignWhereCompareMeant/test.cpp @@ -24,25 +24,25 @@ public: }; void f(int x) { - if (x = 3) { // BAD + if (x = 3) { // BAD // $ Alert } if ((x = 3)) { // GOOD: explicitly bracketed } - if (!(x = 3)) { // BAD + if (!(x = 3)) { // BAD // $ Alert } if (!((x = 3))) { // GOOD: explicitly bracketed } do { - } while (x = 0); // BAD + } while (x = 0); // BAD // $ Alert do { } while ((x = 0)); // GOOD: explicitly bracketed - if ((x = 3) && (x = 4)) { // BAD (x2) + if ((x = 3) && (x = 4)) { // BAD (x2) // $ Alert } if (((x = 3)) && ((x = 4))) { // GOOD: explicitly bracketed } - x = (x = 3) ? 2 : 1; // BAD + x = (x = 3) ? 2 : 1; // BAD // $ Alert x = ((x = 3)) ? 2 : 1; // GOOD: explicitly bracketed - assert(x = 2); // BAD + assert(x = 2); // BAD // $ Alert assert((x = 2)); // GOOD: explicitly bracketed int y; 
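Review bot: On `if ((x = 3) && (x = 4)) { // BAD (x2) // $ Alert` in `f`, the prose says two results are expected but the annotation names one. As far as I can tell, an inline expectation is matched per line and tag, so a single `// $ Alert` would still pass if the query reported only one of the two assignments, leaving the count pinned by the `.expected` file alone. Either say so in the comment, e.g. `// BAD (x2, count checked in .expected) // $ Alert`, or split the condition over two lines so each assignment carries its own annotation. The body of `f` continues past this hunk.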
@@ -50,12 +50,12 @@ void f(int x) { if (y = 1) { // GOOD: y was not initialized so it is probably intentional. } y = 2; - if (y = 3) { // BAD: y has been initialized so it is probably a mistake. + if (y = 3) { // BAD: y has been initialized so it is probably a mistake. // $ Alert } int z = 1; - if (z = 2) { // BAD: z has been initialized so it is probably a mistake. + if (z = 2) { // BAD: z has been initialized so it is probably a mistake. // $ Alert } IntHolder holder1(x); IntHolder holder2(x); @@ -73,15 +73,15 @@ void g(int *i_p, int cond) { int i, j, k, x, y; static int s, t = 0; - if (global = 0) { // BAD: this is unlikely to be a deliberate initialization of global + if (global = 0) { // BAD: this is unlikely to be a deliberate initialization of global // $ Alert } - if (*i_p = 0) { // BAD + if (*i_p = 0) { // BAD // $ Alert } - if (s = 0) { // BAD + if (s = 0) { // BAD // $ Alert } - if (s = 0) { // BAD + if (s = 0) { // BAD // $ Alert } - if (t = 0) { // BAD + if (t = 0) { // BAD // $ Alert } for (i = 0, j = 0; i < 10; i++) { // GOOD @@ -89,7 +89,7 @@ void g(int *i_p, int cond) { } } - for (k = 0; !(k = 10); k++) { // BAD + for (k = 0; !(k = 10); k++) { // BAD // $ Alert } if (cond) { @@ -110,7 +110,7 @@ void h() { } int z = 0; - if(z = 1) { // BAD + if(z = 1) { // BAD // $ Alert } } 
@@ -131,26 +131,26 @@ void f3(int x, int y) { // as an assignment } - if((x == 1) && (y = 2)) { // BAD + if((x == 1) && (y = 2)) { // BAD // $ Alert } long z = x; - if(((z == 42) || (y = 2)) && (x == 1)) { // BAD + if(((z == 42) || (y = 2)) && (x == 1)) { // BAD // $ Alert } if((y = 2) && (x == z || x == 1)) { // GOOD } - if(((x == 42) || x == 1) && (y = 2)) { // BAD + if(((x == 42) || x == 1) && (y = 2)) { // BAD // $ Alert } if(x == 10 || (x == 42 && x == 1) && (y = 2)) { // GOOD } - if(x == 10 || ((x == 42) && (y = 2)) && (z == 1)) { // BAD + if(x == 10 || ((x == 42) && (y = 2)) && (z == 1)) { // BAD // $ Alert } - if((x == 10) || ((z == z) && (x == 1)) && (y = 2)) { // BAD + if((x == 10) || ((z == z) && (x == 1)) && (y = 2)) { // BAD // $ Alert } } @@ -163,11 +163,11 @@ void f4(int x, bool b) { if((x = 10) && use(x) && b) {} // GOOD: Same reason as above if((x = 10) && (use(x) && b)) {} // GOOD: Same reason as above - if(use(x) && b && (x = 10)) {} // BAD: The assignment is the last thing that happens in the comparison. + if(use(x) && b && (x = 10)) {} // BAD: The assignment is the last thing that happens in the comparison. // $ Alert // This doesn't match the usual pattern. - if((use(x) && b) && (x = 10)) {} // BAD: Same reason as above - if(use(x) && (b && (x = 10))) {} // BAD: Same reason as above + if((use(x) && b) && (x = 10)) {} // BAD: Same reason as above // $ Alert + if(use(x) && (b && (x = 10))) {} // BAD: Same reason as above // $ Alert - if((x = 10) || use(x)) {} // BAD: This doesn't follow the usual style of writing an assignment in + if((x = 10) || use(x)) {} // BAD: This doesn't follow the usual style of writing an assignment in // $ Alert // a boolean check. } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/CompareWhereAssignMeant/CompareWhereAssignMeant.qlref b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/CompareWhereAssignMeant/CompareWhereAssignMeant.qlref index 54f62d41b7b..c197f000896 100644 
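Review bot: In f4() the `// $ Alert` marker is appended to the first line of comments that continue on the following line, so the prose now reads `... writing an assignment in // $ Alert` and then `// a boolean check.`; the same happens before `// This doesn't match the usual pattern.`. Folding the continuation into the annotated line keeps the explanation in one piece: `if((x = 10) || use(x)) {} // BAD: This doesn't follow the usual style of writing an assignment in a boolean check. // $ Alert`. Dropping the continuation line shifts later line numbers, so any recorded `.expected` output would need regenerating.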
--- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/CompareWhereAssignMeant/CompareWhereAssignMeant.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/CompareWhereAssignMeant/CompareWhereAssignMeant.qlref @@ -1 +1,2 @@ -Likely Bugs/Likely Typos/CompareWhereAssignMeant.ql +query: Likely Bugs/Likely Typos/CompareWhereAssignMeant.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/CompareWhereAssignMeant/ExprHasNoEffect.qlref b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/CompareWhereAssignMeant/ExprHasNoEffect.qlref index 82a90f5413a..662600c07dd 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/CompareWhereAssignMeant/ExprHasNoEffect.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/CompareWhereAssignMeant/ExprHasNoEffect.qlref @@ -1 +1,2 @@ -Likely Bugs/Likely Typos/ExprHasNoEffect.ql +query: Likely Bugs/Likely Typos/ExprHasNoEffect.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/CompareWhereAssignMeant/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/CompareWhereAssignMeant/test.cpp index 2fa42105905..845acbb8192 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/CompareWhereAssignMeant/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/CompareWhereAssignMeant/test.cpp 
@@ -25,30 +25,30 @@ void f(void) { i = 1; - i == 1; + i == 1; // $ Alert[cpp/compare-where-assign-meant] - i == 1, i == 2; + i == 1, i == 2; // $ Alert[cpp/compare-where-assign-meant] Alert[cpp/useless-expression] - i = i == 1, i == 2; + i = i == 1, i == 2; // $ Alert[cpp/compare-where-assign-meant] - i = (i == 1, i == 2); + i = (i == 1, i == 2); // $ Alert[cpp/compare-where-assign-meant] if (({ int x = 3; x == 3; })) { return; } - if (({ int x = 3; x == 3; x; })) { + if (({ int x = 3; x == 3; x; })) { // $ Alert[cpp/compare-where-assign-meant] return; } - if (({ int x = 3; x == 3; x = 4; })) { + if (({ int x = 3; x == 3; x = 4; })) { // $ Alert[cpp/compare-where-assign-meant] return; } - i != 1; + i != 1; // $ Alert[cpp/useless-expression] IntHolder holder1(i); IntHolder holder2(i); holder1 = holder2; - holder1 == holder2; + holder1 == holder2; // $ Alert[cpp/compare-where-assign-meant] if(holder1 = holder2) { } if(holder1 == holder1) { @@ -69,6 +69,6 @@ void report_error(const char*); void test_inside_macro_expansion(int x, int y) { DOES_NOT_THROW(x == y); // GOOD - x == y; // BAD - x == ID(y); // BAD + x == y; // BAD // $ Alert[cpp/compare-where-assign-meant] + x == ID(y); // BAD // $ Alert[cpp/compare-where-assign-meant] } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/DubiousNullCheck/DubiousNullCheck.cpp b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/DubiousNullCheck/DubiousNullCheck.cpp index 0c7f9edacd1..58a2680f3b9 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/DubiousNullCheck/DubiousNullCheck.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/DubiousNullCheck/DubiousNullCheck.cpp @@ -10,7 +10,7 @@ struct person { bool hasName(person* p) { return p != NULL // This check is sensible, && p->name != NULL // as is this one. - && &p->name != NULL; // But this check is dubious. (BAD) + && &p->name != NULL; // But this check is dubious. (BAD) // $ Alert } // another example 
@@ -26,11 +26,11 @@ public: assert(this->y != NULL); assert(&this->y != NULL); // BAD [NOT DETECTED] assert(ptr->y != NULL); - assert(&ptr->y != NULL); // BAD + assert(&ptr->y != NULL); // BAD // $ Alert assert((ptr->y) != NULL); - assert(&(ptr->y) != NULL); // BAD + assert(&(ptr->y) != NULL); // BAD // $ Alert assert(ref.y != NULL); - assert(&(ref.y) != NULL); // BAD + assert(&(ref.y) != NULL); // BAD // $ Alert }; private: diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/DubiousNullCheck/DubiousNullCheck.qlref b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/DubiousNullCheck/DubiousNullCheck.qlref index 4e0443db790..da788f52f50 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/DubiousNullCheck/DubiousNullCheck.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/DubiousNullCheck/DubiousNullCheck.qlref @@ -1 +1,2 @@ -Likely Bugs/Likely Typos/DubiousNullCheck.ql \ No newline at end of file +query: Likely Bugs/Likely Typos/DubiousNullCheck.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/CMakeFiles/CMakeScratch/TryCompile-abcdef/ExprHasNoEffect.qlref b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/CMakeFiles/CMakeScratch/TryCompile-abcdef/ExprHasNoEffect.qlref index 82a90f5413a..662600c07dd 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/CMakeFiles/CMakeScratch/TryCompile-abcdef/ExprHasNoEffect.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/CMakeFiles/CMakeScratch/TryCompile-abcdef/ExprHasNoEffect.qlref @@ -1 +1,2 @@ -Likely Bugs/Likely Typos/ExprHasNoEffect.ql +query: Likely Bugs/Likely Typos/ExprHasNoEffect.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
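Review bot: `assert(&this->y != NULL); // BAD [NOT DETECTED]` in DubiousNullCheck.cpp stays a prose-only remark while its neighbours gain `// $ Alert`, so the known false negative is not recorded in the expectations. The inline-expectations syntax has a `MISSING:` prefix for this case, e.g. `assert(&this->y != NULL); // BAD [NOT DETECTED] // $ MISSING: Alert`, which makes the test report when the query starts detecting it. The `// BAD [NOT DETECTED]` lines in IntendedOverflow() of inconsistentLoopDirection.cpp are in the same position. The enclosing member function starts above this hunk.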
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/ExprHasNoEffect.qlref b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/ExprHasNoEffect.qlref index 82a90f5413a..662600c07dd 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/ExprHasNoEffect.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/ExprHasNoEffect.qlref @@ -1 +1,2 @@ -Likely Bugs/Likely Typos/ExprHasNoEffect.ql +query: Likely Bugs/Likely Typos/ExprHasNoEffect.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/ExprHasNoEffect.qlref b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/ExprHasNoEffect.qlref index 82a90f5413a..662600c07dd 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/ExprHasNoEffect.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/ExprHasNoEffect.qlref @@ -1 +1,2 @@ -Likely Bugs/Likely Typos/ExprHasNoEffect.ql +query: Likely Bugs/Likely Typos/ExprHasNoEffect.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest.c.c b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest.c.c index 4ff7c225335..8f949d876da 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest.c.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest.c.c @@ -1,6 +1,6 @@ #include "conftest.h" int main3() { - strlen(""); // BAD: not a `conftest` file, as `conftest` is not directly followed by the extension or a sequence of numbers. + strlen(""); // BAD: not a `conftest` file, as `conftest` is not directly followed by the extension or a sequence of numbers. // $ Alert return 0; } 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest_abc.c b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest_abc.c index 88215d7434c..102cfa4a8c2 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest_abc.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest_abc.c @@ -1,6 +1,6 @@ #include "conftest.h" int main1() { - strlen(""); // BAD: not a `conftest` file, as `conftest` is not directly followed by the extension or a sequence of numbers. + strlen(""); // BAD: not a `conftest` file, as `conftest` is not directly followed by the extension or a sequence of numbers. // $ Alert return 0; } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/calls.cpp b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/calls.cpp index 2acdfcf80f8..2de0aec1e36 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/calls.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/calls.cpp @@ -5,11 +5,11 @@ int external(); class Base { public: virtual int thingy() { - 1; // BAD + 1; // BAD // $ Alert } int our_thingy() { - Base::thingy(); // BAD + Base::thingy(); // BAD // $ Alert return 2; } }; diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/expr.cpp b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/expr.cpp index 56809a4e05f..76a1669c321 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/expr.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/expr.cpp @@ -5,9 +5,9 @@ int i; void comma_expr_test() { i++, i++; // GOOD - 0, i++; // BAD (first part) - i++, 0; // BAD (second part) - 0, 0; // BAD (whole) + 0, i++; // BAD (first part) // $ Alert + i++, 0; // BAD (second part) // $ Alert + 0, 0; // BAD (whole) // $ Alert } } \ No newline at end of file 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/meson-private/tmp_abc/ExprHasNoEffect.qlref b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/meson-private/tmp_abc/ExprHasNoEffect.qlref index 82a90f5413a..662600c07dd 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/meson-private/tmp_abc/ExprHasNoEffect.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/meson-private/tmp_abc/ExprHasNoEffect.qlref @@ -1 +1,2 @@ -Likely Bugs/Likely Typos/ExprHasNoEffect.ql +query: Likely Bugs/Likely Typos/ExprHasNoEffect.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/preproc.c b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/preproc.c index 2761476c474..063bdd74376 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/preproc.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/preproc.c @@ -86,10 +86,10 @@ void test() fn1(); fn2(); fn3(); - fn4(); // has no effect + fn4(); // has no effect // $ Alert fn5(); fn6(); fn7(); fn8(); - fn9(); // has no effect + fn9(); // has no effect // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/template.cpp b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/template.cpp index ecc3d624603..e6d6e6362c1 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/template.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/template.cpp @@ -16,7 +16,7 @@ void myTemplateTest() { Nothing n; i++; // GOOD (always has an effect) - n++; // BAD (never has an effect) + n++; // BAD (never has an effect) // $ Alert Increment(i); Increment(n); } 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/templatey.cpp b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/templatey.cpp index 7d2b6b19777..12665301e6c 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/templatey.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/templatey.cpp @@ -36,5 +36,5 @@ void call_add_numbers() int accum = 0; add_numbers(accum, 4); // GOOD add_numbers(accum, 10); // GOOD - pointless_add_numbers(accum, 20); // BAD + pointless_add_numbers(accum, 20); // BAD // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/test.c b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/test.c index 1b2530fdff5..d7b65299dad 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/test.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/test.c @@ -4,27 +4,27 @@ extern int g(void); void f(int b) { int i; - 0; + 0; // $ Alert - ({ 1; 2; 3; }); - i = ({ 4; 5; 6; }); - i = ({ 7; 8; 9, 10; }); + ({ 1; 2; 3; }); // $ Alert + i = ({ 4; 5; 6; }); // $ Alert + i = ({ 7; 8; 9, 10; }); // $ Alert - i = 11, 12; - i = 13, 14, 15; - i = (16, 17); - i = (18, 19, 20); - 21, 22; - 23, 24, 25; + i = 11, 12; // $ Alert + i = 13, 14, 15; // $ Alert + i = (16, 17); // $ Alert + i = (18, 19, 20); // $ Alert + 21, 22; // $ Alert + 23, 24, 25; // $ Alert i = b ? 26 : 27; i = b ? g() : 28; i = b ? 29 : g(); i = b ? g() : g(); - b ? 30 : 31; - b ? g() : 32; - b ? 33 : g(); + b ? 30 : 31; // $ Alert + b ? g() : 32; // $ Alert + b ? 33 : g(); // $ Alert b ? g() : g(); } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/test.cpp index da4398f4105..f46ed1d6722 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/test.cpp 
+++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/test.cpp @@ -59,10 +59,10 @@ class MyAssignable : public Assignable void testFunc2() { Assignable u1, u2; - u2 = u1; + u2 = u1; // $ Alert MyAssignable v1, v2; - v2 = v1; + v2 = v1; // $ Alert } namespace std { diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/volatile.c b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/volatile.c index c34e0818f19..940d38a9511 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/volatile.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/volatile.c @@ -6,18 +6,18 @@ char *pc; volatile char *pv; void f(void) { - c; // BAD + c; // BAD // $ Alert v; // (accesses to volatile variables are considered impure) - pc[5]; // BAD + pc[5]; // BAD // $ Alert pv[5]; ((volatile char *)pc)[5]; - *pc; // BAD + *pc; // BAD // $ Alert *pv; *((volatile char *)pc); - *(pc + 5); // BAD + *(pc + 5); // BAD // $ Alert *(pv + 5); *((volatile char *)(pc + 5)); *(((volatile char *)pc) + 5); diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/weak.c b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/weak.c index ef4bff22948..c76452eda93 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/weak.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/weak.c @@ -15,6 +15,6 @@ int __attribute__((__weak__)) myWeakNothingFunction() } void testWeak() { - myNothingFunction(); // BAD + myNothingFunction(); // BAD // $ Alert myWeakNothingFunction(); // GOOD } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage/IncorrectNotOperatorUsage.c b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage/IncorrectNotOperatorUsage.c index d2a13e17c83..8a9ce769696 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage/IncorrectNotOperatorUsage.c 
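Review bot: In testFunc2() of ExprHasNoEffect/test.cpp, `u2 = u1; // $ Alert` and `v2 = v1; // $ Alert` expect a no-effect alert on what reads as an ordinary assignment, and unlike most annotated lines in this commit they have no BAD/GOOD remark saying why. Presumably the assignment operator of `Assignable`, declared above the hunk, does nothing. That should be confirmed against the class and stated on the line, e.g. `u2 = u1; // BAD: Assignable's assignment operator has no side effects // $ Alert`.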
+++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage/IncorrectNotOperatorUsage.c @@ -3,7 +3,7 @@ void C6317_positive(int i) { - if (i & !FLAGS) // BUG + if (i & !FLAGS) // BUG // $ Alert { } } @@ -28,9 +28,9 @@ void bitwiseAndUsage(unsigned int l, unsigned int r) unsigned int x; unsigned z = 0; - x = l & !r; //BUG - x = !FLAGS & r; //BUG - x = !FLAGS & !!r; //BUG + x = l & !r; //BUG // $ Alert + x = !FLAGS & r; //BUG // $ Alert + x = !FLAGS & !!r; //BUG // $ Alert x = !!l & r; // Not a bug - double negation x = !!!l & r; // Not a bug - double negation @@ -44,9 +44,9 @@ void bitwiseOrUsage(unsigned int l, unsigned int r) { unsigned int x; - x = l | !r; //BUG - x = !FLAGS | r; //BUG - x = !FLAGS | !!r; //BUG + x = l | !r; //BUG // $ Alert + x = !FLAGS | r; //BUG // $ Alert + x = !FLAGS | !!r; //BUG // $ Alert x = !!l | r; // Not a bug - double negation x = !!!l | r; // Not a bug - double negation @@ -67,7 +67,7 @@ void bitwiseOperatorsNotCovered(unsigned int l, unsigned int r) void macroUsage(unsigned int arg1, unsigned int arg2) { - if (((!cap_valid(arg1)) | arg2)) { // BUG + if (((!cap_valid(arg1)) | arg2)) { // BUG // $ Alert } } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage/IncorrectNotOperatorUsage.cpp b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage/IncorrectNotOperatorUsage.cpp index ac3f1ab3ed5..68231c364ca 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage/IncorrectNotOperatorUsage.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage/IncorrectNotOperatorUsage.cpp @@ -3,7 +3,7 @@ void C6317_positive(int i) { - if (i & !FLAGS) // BUG + if (i & !FLAGS) // BUG // $ Alert { } } 
@@ -28,9 +28,9 @@ void bitwiseAndUsage(unsigned int l, unsigned int r) unsigned int x; unsigned z = 0; - x = l & !r; //BUG - x = !FLAGS & r; //BUG - x = !FLAGS & !!r; //BUG + x = l & !r; //BUG // $ Alert + x = !FLAGS & r; //BUG // $ Alert + x = !FLAGS & !!r; //BUG // $ Alert x = !!l & r; // Not a bug - double negation x = !!!l & r; // Not a bug - double negation @@ -44,9 +44,9 @@ void bitwiseOrUsage(unsigned int l, unsigned int r) { unsigned int x; - x = l | !r; //BUG - x = !FLAGS | r; //BUG - x = !FLAGS | !!r; //BUG + x = l | !r; //BUG // $ Alert + x = !FLAGS | r; //BUG // $ Alert + x = !FLAGS | !!r; //BUG // $ Alert x = !!l | r; // Not a bug - double negation x = !!!l | r; // Not a bug - double negation @@ -67,14 +67,14 @@ void bitwiseOperatorsNotCovered(unsigned int l, unsigned int r) void macroUsage(unsigned int arg1, unsigned int arg2) { - if (((!cap_valid(arg1)) | arg2)) { // BUG + if (((!cap_valid(arg1)) | arg2)) { // BUG // $ Alert } } void bool_examples(bool a, bool b) { - if (a & !b) // dubious (confusing intent, but shouldn't produce a wrong result) + if (a & !b) // dubious (confusing intent, but shouldn't produce a wrong result) // $ Alert { } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage/IncorrectNotOperatorUsage.qlref b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage/IncorrectNotOperatorUsage.qlref index d50294defe2..2defdf04575 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage/IncorrectNotOperatorUsage.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage/IncorrectNotOperatorUsage.qlref @@ -1 +1,2 @@ -Likely Bugs/Likely Typos/IncorrectNotOperatorUsage.ql \ No newline at end of file +query: Likely Bugs/Likely Typos/IncorrectNotOperatorUsage.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ShortCircuitBitMask/ShortCircuitBitMask.qlref b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ShortCircuitBitMask/ShortCircuitBitMask.qlref index be55343c0a6..8819dc134bf 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ShortCircuitBitMask/ShortCircuitBitMask.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ShortCircuitBitMask/ShortCircuitBitMask.qlref @@ -1 +1,2 @@ -Likely Bugs/Likely Typos/ShortCircuitBitMask.ql \ No newline at end of file +query: Likely Bugs/Likely Typos/ShortCircuitBitMask.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ShortCircuitBitMask/big_ints.cpp b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ShortCircuitBitMask/big_ints.cpp index 0f87c3d2fbf..f404a063d98 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ShortCircuitBitMask/big_ints.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ShortCircuitBitMask/big_ints.cpp @@ -1,14 +1,14 @@ static void bad(int x) { - x && 2; - x && 4; - x && 16; - x && 256; - x && 0x10000; - x && 0x80000000; - x && 0x100000000LL; - x && 0x800000000LL; - x && 0x10000000000LL; - x && 0x123456789ABLL; + x && 2; // $ Alert + x && 4; // $ Alert + x && 16; // $ Alert + x && 256; // $ Alert + x && 0x10000; // $ Alert + x && 0x80000000; // $ Alert + x && 0x100000000LL; // $ Alert + x && 0x800000000LL; // $ Alert + x && 0x10000000000LL; // $ Alert + x && 0x123456789ABLL; // $ Alert } static void good(int x) { @@ -29,7 +29,7 @@ static void good(int x) { template void templateFunc() { (i & (i - 1)) && true; - 4 && true; + 4 && true; // $ Alert } void templateTest() { @@ -66,4 +66,4 @@ void testMacro() #define MYFLAG (0x80) unsigned int calc1 = 123 & MYFLAG; // OK -unsigned int calc2 = 123 && MYFLAG; // BAD +unsigned int calc2 = 123 && MYFLAG; // BAD // $ Alert 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/UsingStrcpyAsBoolean.qlref b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/UsingStrcpyAsBoolean.qlref index 6ae254cc974..008951cee5c 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/UsingStrcpyAsBoolean.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/UsingStrcpyAsBoolean.qlref @@ -1 +1,2 @@ -Likely Bugs/Likely Typos/UsingStrcpyAsBoolean.ql +query: Likely Bugs/Likely Typos/UsingStrcpyAsBoolean.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/test.c b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/test.c index d08742a5add..feefc4566f3 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/test.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/test.c 
@@ -31,37 +31,37 @@ void PositiveCases() char szbuf2[100]; int result; - if (strcpy(szbuf1, "test")) // Bug, direct usage + if (strcpy(szbuf1, "test")) // Bug, direct usage // $ Alert { } - if (!strcpy(szbuf1, "test")) // Bug, unary binary operator + if (!strcpy(szbuf1, "test")) // Bug, unary binary operator // $ Alert { } - if (strcpy(szbuf1, "test") == 0) // Bug, equality operator + if (strcpy(szbuf1, "test") == 0) // Bug, equality operator // $ Alert { } - if (SomeFunction() && strcpy(szbuf1, "test")) // Bug, binary logical operator + if (SomeFunction() && strcpy(szbuf1, "test")) // Bug, binary logical operator // $ Alert { } - if (strncpy(szbuf1, "test", 100)) // Bug + if (strncpy(szbuf1, "test", 100)) // Bug // $ Alert { } - if (!strncpy(szbuf1, "test", 100)) // Bug + if (!strncpy(szbuf1, "test", 100)) // Bug // $ Alert { } - result = !strncpy(szbuf1, "test", 100); // Bug - result = strcpy(szbuf1, "test") ? 1 : 0; // Bug - result = strcpy(szbuf1, "test") && 1; // Bug + result = !strncpy(szbuf1, "test", 100); // Bug // $ Alert + result = strcpy(szbuf1, "test") ? 1 : 0; // Bug // $ Alert + result = strcpy(szbuf1, "test") && 1; // Bug // $ Alert - result = strcpy(szbuf1, "test") == 0; // Bug + result = strcpy(szbuf1, "test") == 0; // Bug // $ Alert - result = strcpy(szbuf1, "test") != 0; // Bug + result = strcpy(szbuf1, "test") != 0; // Bug // $ Alert } void NegativeCases() diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/test.cpp index 707cf846614..6cb2434dbd4 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/test.cpp 
@@ -72,71 +72,71 @@ void PositiveCases() locale_t x; *x = 0; - if (strcpy(szbuf1, "test")) // Bug, direct usage + if (strcpy(szbuf1, "test")) // Bug, direct usage // $ Alert { } - if (!strcpy(szbuf1, "test")) // Bug, unary binary operator + if (!strcpy(szbuf1, "test")) // Bug, unary binary operator // $ Alert { } - if (strcpy(szbuf1, "test") == 0) // Bug, equality operator + if (strcpy(szbuf1, "test") == 0) // Bug, equality operator // $ Alert { } - if (SomeFunction() && strcpy(szbuf1, "test")) // Bug, binary logical operator + if (SomeFunction() && strcpy(szbuf1, "test")) // Bug, binary logical operator // $ Alert { } - if (WCSCPY_6324(wscbuf1, wscbuf2)) // Bug, using a macro + if (WCSCPY_6324(wscbuf1, wscbuf2)) // Bug, using a macro // $ Alert { } - if (wcscpy(wscbuf1, wscbuf2)) // Bug + if (wcscpy(wscbuf1, wscbuf2)) // Bug // $ Alert { } - if (_mbscpy(mbcbuf1, mbcbuf2)) // Bug + if (_mbscpy(mbcbuf1, mbcbuf2)) // Bug // $ Alert { } - if (strncpy(szbuf1, "test", 100)) // Bug + if (strncpy(szbuf1, "test", 100)) // Bug // $ Alert { } - if (wcsncpy(wscbuf1, wscbuf2, 100)) // Bug + if (wcsncpy(wscbuf1, wscbuf2, 100)) // Bug // $ Alert { } - if (_mbsncpy(mbcbuf1, (const unsigned char*)"test", 100)) // Bug + if (_mbsncpy(mbcbuf1, (const unsigned char*)"test", 100)) // Bug // $ Alert { } - if (_strncpy_l(szbuf1, "test", 100, x)) // Bug + if (_strncpy_l(szbuf1, "test", 100, x)) // Bug // $ Alert { } - if (_wcsncpy_l(wscbuf1, wscbuf2, 100, x)) // Bug + if (_wcsncpy_l(wscbuf1, wscbuf2, 100, x)) // Bug // $ Alert { } - if (_mbsncpy_l(mbcbuf1, (const unsigned char*)"test", 100, x)) //Bug + if (_mbsncpy_l(mbcbuf1, (const unsigned char*)"test", 100, x)) //Bug // $ Alert { } - if (!strncpy(szbuf1, "test", 100)) // Bug + if (!strncpy(szbuf1, "test", 100)) // Bug // $ Alert { } - bool b = strncpy(szbuf1, "test", 100); // Bug + bool b = strncpy(szbuf1, "test", 100); // Bug // $ Alert - bool result = !strncpy(szbuf1, "test", 100); // Bug - result = strcpy(szbuf1, "test") ? 
1 : 0; // Bug - result = strcpy(szbuf1, "test") && 1; // Bug + bool result = !strncpy(szbuf1, "test", 100); // Bug // $ Alert + result = strcpy(szbuf1, "test") ? 1 : 0; // Bug // $ Alert + result = strcpy(szbuf1, "test") && 1; // Bug // $ Alert - result = strcpy(szbuf1, "test") == 0; // Bug + result = strcpy(szbuf1, "test") == 0; // Bug // $ Alert - result = strcpy(szbuf1, "test") != 0; // Bug + result = strcpy(szbuf1, "test") != 0; // Bug // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/inconsistentLoopDirection/inconsistentLoopDirection.c b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/inconsistentLoopDirection/inconsistentLoopDirection.c index d66e027bdc1..74039347afd 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/inconsistentLoopDirection/inconsistentLoopDirection.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/inconsistentLoopDirection/inconsistentLoopDirection.c @@ -4,7 +4,7 @@ void Signed() for (i = 0; i < 100; i--) //BUG { - } + } // $ Alert for (i = 0; i < 100; i++) { @@ -12,7 +12,7 @@ void Signed() for (i = 100; i >= 0; i++) //BUG { - } + } // $ Alert for (i = 100; i >= 0; i--) { @@ -26,7 +26,7 @@ void Unsigned() for (i = 0; i < 100; i--) //BUG { - } + } // $ Alert for (i = 0; i < 100; i++) { @@ -34,7 +34,7 @@ void Unsigned() for (i = 100; i >= 0; i++) //BUG { - } + } // $ Alert for (i = 100; i >= 0; i--) { @@ -47,7 +47,7 @@ void InitializationOutsideLoop() for (; i < 100; i--) //BUG { - } + } // $ Alert i = 0; for (; i < 100; i++) @@ -57,7 +57,7 @@ void InitializationOutsideLoop() i = 100; for (; i >= 0; i++) //BUG { - } + } // $ Alert i = 100; for (; i >= 0; i--) diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/inconsistentLoopDirection/inconsistentLoopDirection.cpp b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/inconsistentLoopDirection/inconsistentLoopDirection.cpp index 0642eb747c4..768ba77af86 100644 
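Review bot: In inconsistentLoopDirection.c the expectation is attached to the loop's closing brace (`} // $ Alert`) while the `//BUG` remark stays on the `for` line two lines above, so the marker and the reason for it are no longer read together. Presumably the result is matched on the last line of the `for` statement; the hunks do not say. A one-line comment at the top of the file, such as `// Expectations for multi-line loops sit on the loop's closing brace.`, would spare the next reader the guess. The same layout appears in the inconsistentLoopDirection.cpp hunks that follow, whereas the single-line loops there keep remark and marker together.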
--- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/inconsistentLoopDirection/inconsistentLoopDirection.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/inconsistentLoopDirection/inconsistentLoopDirection.cpp @@ -4,7 +4,7 @@ void Signed() for (i = 0; i < 100; i--) //BUG { - } + } // $ Alert for (i = 0; i < 100; i++) { @@ -12,7 +12,7 @@ void Signed() for (i = 100; i >= 0; i++) //BUG { - } + } // $ Alert for (i = 100; i >= 0; i--) { @@ -26,7 +26,7 @@ void Unsigned() for (i = 0; i < 100; i--) //BUG { - } + } // $ Alert for (i = 0; i < 100; i++) { @@ -34,7 +34,7 @@ void Unsigned() for (i = 100; i >= 0; i++) //BUG { - } + } // $ Alert for (i = 100; i >= 0; i--) { @@ -45,7 +45,7 @@ void DeclarationInLoop() { for (signed char i = 0; i < 100; --i) //BUG { - } + } // $ Alert for (signed char i = 0; i < 100; ++i) { @@ -53,7 +53,7 @@ void DeclarationInLoop() for (unsigned char i = 100; i >= 0; ++i) //BUG { - } + } // $ Alert for (unsigned char i = 100; i >= 0; --i) { @@ -68,7 +68,7 @@ void SignedWithVariables() for (i = min; i < max; i--) //BUG { - } + } // $ Alert for (i = min; i < max; i++) { @@ -76,7 +76,7 @@ void SignedWithVariables() for (i = max; i >= min; i++) //BUG { - } + } // $ Alert for (i = max; i >= min; i--) { @@ -90,7 +90,7 @@ void InitializationOutsideLoop() for (; i < 100; --i) //BUG { - } + } // $ Alert i = 0; for (; i < 100; ++i) @@ -100,7 +100,7 @@ void InitializationOutsideLoop() i = 100; for (; i >= 0; ++i) //BUG { - } + } // $ Alert i = 100; for (; i >= 0; --i) @@ -117,11 +117,11 @@ void InvalidCondition() for (i = max; i < min; i--) //BUG { - } + } // $ Alert for (i = min; i > max; i++) //BUG { - } + } // $ Alert } void InvalidConditionUnsignedCornerCase() 
@@ -132,14 +132,14 @@ void InvalidConditionUnsignedCornerCase() for (i = 100; i < 0; i--) //BUG { - } + } // $ Alert // Limitation. // Currently odasa will not detect this for-loop condition as always true // The rule will still detect the mismatch iterator, but the error message may change in the future. for (i = 200; i >= 0; i++) //BUG { - } + } // $ Alert } void NegativeTestCase() @@ -172,11 +172,11 @@ void FalseNegativeTestCases() { for (int i = 0; i < 10; i = i - 1) {} // For comparison - for (int i = 0; i < 10; i-- ) {} // BUG + for (int i = 0; i < 10; i-- ) {} // BUG // $ Alert for (int i = 100; i > 0; i += 2) {} // For comparison - for (int i = 100; i > 0; i ++ ) {} // BUG + for (int i = 100; i > 0; i ++ ) {} // BUG // $ Alert } void IntendedOverflow(unsigned char p) @@ -193,8 +193,8 @@ void IntendedOverflow(unsigned char p) for (i = m - 2; i < m; i--) {} // DUBIOUS for (i = m; i < m + 1; i--) {} // GOOD - for (s = 63; s < 64; s--) {} // BAD (signed numbers don't wrap at 0 / at all) - for (s = m + 1; s < m; s--) {} // BAD (never runs) + for (s = 63; s < 64; s--) {} // BAD (signed numbers don't wrap at 0 / at all) // $ Alert + for (s = m + 1; s < m; s--) {} // BAD (never runs) // $ Alert for (i = p - 1; i < p; i--) {} // GOOD for (s = p - 1; s < p; s--) {} // BAD [NOT DETECTED] @@ -212,7 +212,7 @@ void IntendedOverflow(unsigned char p) n = 64; for (s = n - 1; s < n; s--) {} // BAD [NOT DETECTED] n = 64; - for (s = n - 1; s < 64; s--) {} // BAD + for (s = n - 1; s < 64; s--) {} // BAD // $ Alert n = 64; for (s = 63; s < n; s--) {} // BAD [NOT DETECTED] } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/inconsistentLoopDirection/inconsistentLoopDirection.qlref b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/inconsistentLoopDirection/inconsistentLoopDirection.qlref index af5f0a899cb..0436ab0d4bd 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/inconsistentLoopDirection/inconsistentLoopDirection.qlref 
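Review bot: In the two `IntendedOverflow` hunks of inconsistentLoopDirection.cpp (`@@ -193,8` and `@@ -212,7`), the lines labelled `// BAD [NOT DETECTED]` get no inline expectation while their neighbours gain `// $ Alert`, so the known false negatives are still recorded only in free-text comments. Marking them as missing results, e.g. `for (s = p - 1; s < p; s--) {} // BAD [NOT DETECTED] // $ MISSING: Alert`, would make the test report when the query starts catching them. The same applies to `strdup(buffer1); // BAD [NOT DETECTED]` in the first hunk of ImproperNullTermination/test.cpp, using the bracketed query id as on the other lines of that file. `IntendedOverflow` begins and ends outside both hunks, so other undetected cases may exist beyond what is shown.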
+++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/inconsistentLoopDirection/inconsistentLoopDirection.qlref @@ -1 +1,2 @@ -Likely Bugs/Likely Typos/inconsistentLoopDirection.ql \ No newline at end of file +query: Likely Bugs/Likely Typos/inconsistentLoopDirection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop.qlref b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop.qlref index d5227c40ee4..301aedbb9c3 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop.qlref @@ -1 +1,2 @@ -Likely Bugs/Memory Management/AllocaInLoop.ql +query: Likely Bugs/Memory Management/AllocaInLoop.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop1.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop1.cpp index 9071a1052b8..97debb86c22 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop1.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop1.cpp @@ -28,7 +28,7 @@ void foo(const struct vtype* vec, int count) { b1 = new char[w1]; } else { // Allocate the buffer on stack - b1 = (char*) alloca(w1); // BAD + b1 = (char*) alloca(w1); // BAD // $ Alert } } memcpy(b1, v, w1); @@ -52,7 +52,7 @@ void bar(const struct vtype* vec, int count) { b1 = new char[w1]; } else { // Allocate the buffer on stack - b1 = (char*) alloca(w1); // BAD + b1 = (char*) alloca(w1); // BAD // $ Alert } } } while (0); @@ -77,7 +77,7 @@ void baz(const struct vtype* vec, int count) { b1 = new char[w1]; } else { // Allocate the buffer on stack - b1 = (char*) alloca(w1); // BAD + b1 = (char*) alloca(w1); // BAD // $ Alert } } memcpy(b1, v, w1); 
@@ -107,7 +107,7 @@ void case5() { char *buffer; do { - buffer = (char*)alloca(1024); // BAD + buffer = (char*)alloca(1024); // BAD // $ Alert continue; } while (1); diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop1ms.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop1ms.cpp index 9ebf4f17ba1..fd5433efff6 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop1ms.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop1ms.cpp @@ -25,7 +25,7 @@ void foo(const struct vtype* vec, int count) { b1 = new char[w1]; } else { // Allocate the buffer on stack - b1 = (char*) _alloca(w1); // BAD + b1 = (char*) _alloca(w1); // BAD // $ Alert } } memcpy(b1, v, w1); @@ -49,7 +49,7 @@ void bar(const struct vtype* vec, int count) { b1 = new char[w1]; } else { // Allocate the buffer on stack - b1 = (char*) _malloca(w1); // BAD + b1 = (char*) _malloca(w1); // BAD // $ Alert } } } while (0); @@ -76,7 +76,7 @@ void baz(const struct vtype* vec, int count) { b1 = new char[w1]; } else { // Allocate the buffer on stack - b1 = (char*) _alloca(w1); // BAD + b1 = (char*) _alloca(w1); // BAD // $ Alert } } memcpy(b1, v, w1); diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop2.c b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop2.c index 7f8ce7a07fe..f221740e33a 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop2.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop2.c @@ -36,7 +36,7 @@ void foo(const struct vtype* vec, int count) { b1 = (char *)malloc(w1); } else { // Allocate the buffer on stack - b1 = (char*) alloca(w1); // BAD + b1 = (char*) alloca(w1); // BAD // $ Alert iter = 1; } } 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop3.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop3.cpp index b3418829e48..575a7f2086b 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop3.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/AllocaInLoop3.cpp @@ -42,7 +42,7 @@ char *baz(int count) { char *buf; do { buf = ({ - char *b = (char *)alloca(32); // BAD + char *b = (char *)alloca(32); // BAD // $ Alert sprintf(b, "Value is %d\n", count); b; }); diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/BoundedLoop.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/BoundedLoop.cpp index fbecb59588d..d1ee978df03 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/BoundedLoop.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/AllocaInLoop/BoundedLoop.cpp @@ -22,7 +22,7 @@ void forTwice() { void forEver() { for (;;) { - alloca(100); // BAD + alloca(100); // BAD // $ Alert } } @@ -35,7 +35,7 @@ void doTwice() { void unknownStartingPoint(int i) { for (; i < 2; i++) { - alloca(100); // BAD + alloca(100); // BAD // $ Alert } } @@ -52,7 +52,7 @@ void atMostTwice() { void sometimesIncrement() { int i = 0; while (i < 2) { - alloca(100); // BAD + alloca(100); // BAD // $ Alert if (getInt()) { i++; } @@ -61,7 +61,7 @@ void sometimesIncrement() { void upAndDown() { for (int i = 0; i < 2; i++) { - alloca(100); // BAD + alloca(100); // BAD // $ Alert if (getInt()) { i--; } @@ -70,7 +70,7 @@ void upAndDown() { void largeBound() { for (int i = 0; i < 10000; i++) { - alloca(100); // BAD + alloca(100); // BAD // $ Alert } } @@ -94,7 +94,7 @@ void maybeSmallOffset() { i = 9997; } for (; i < 10000; i++) { - alloca(100); // BAD + alloca(100); // BAD // $ Alert } } 
@@ -102,7 +102,7 @@ void incBefore() { int i = -1; i++; // not understood by data flow for (; i < 2; i++) { - alloca(100); // GOOD [FALSE POSITIVE] + alloca(100); // GOOD [FALSE POSITIVE] // $ Alert } } @@ -135,7 +135,7 @@ void eqFalse() { void eqFalseFlipped() { for (int stop = 0; stop == 0; stop = 0) { - alloca(100); // BAD + alloca(100); // BAD // $ Alert } } @@ -173,7 +173,7 @@ void countDownAssignAdd() { void countDownWrong() { for (int i = 2-1; i >= 0; i++) { - alloca(100); // BAD + alloca(100); // BAD // $ Alert } } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ImproperNullTermination/ImproperNullTermination.qlref b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ImproperNullTermination/ImproperNullTermination.qlref index 3120e479150..c09d3d9d76a 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ImproperNullTermination/ImproperNullTermination.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ImproperNullTermination/ImproperNullTermination.qlref @@ -1 +1,2 @@ -Likely Bugs/Memory Management/ImproperNullTermination.ql \ No newline at end of file +query: Likely Bugs/Memory Management/ImproperNullTermination.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ImproperNullTermination/ImproperNullTerminationTainted.qlref b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ImproperNullTermination/ImproperNullTerminationTainted.qlref index 6fbfb31d780..778616ca43c 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ImproperNullTermination/ImproperNullTerminationTainted.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ImproperNullTermination/ImproperNullTerminationTainted.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-170/ImproperNullTerminationTainted.ql +query: Security/CWE/CWE-170/ImproperNullTerminationTainted.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
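Review bot: In `incBefore` the line `alloca(100); // GOOD [FALSE POSITIVE]` is given a plain `// $ Alert`, which records a known false positive as an expected result, indistinguishable from the true positives in the rest of BoundedLoop.cpp. Writing it as `alloca(100); // GOOD [FALSE POSITIVE] // $ SPURIOUS: Alert` should keep the test passing as it stands and make it flag this line once the data-flow limitation noted in the comment above the loop is addressed.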
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ImproperNullTermination/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ImproperNullTermination/test.cpp index 49dc01a40df..2b6d4ddd3f2 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ImproperNullTermination/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ImproperNullTermination/test.cpp @@ -23,8 +23,8 @@ void test_unassigned() char buffer1[1024]; char buffer2[1024]; - strdup(buffer1); // BAD - strdup(buffer2); // BAD + strdup(buffer1); // BAD // $ Alert[cpp/improper-null-termination] + strdup(buffer2); // BAD // $ Alert[cpp/improper-null-termination] memcpy(buffer2, buffer1, sizeof(buffer2)); strdup(buffer1); // BAD [NOT DETECTED] @@ -37,7 +37,7 @@ void test_unassigned() strcpy(buffer1, "content"); strdup(buffer1); // GOOD - strdup(buffer2); // BAD + strdup(buffer2); // BAD // $ Alert[cpp/improper-null-termination] memcpy(buffer2, buffer1, sizeof(buffer2)); strdup(buffer1); // GOOD @@ -57,7 +57,7 @@ void test_unassigned() char *ptr1; char *ptr2 = "content"; - strdup(ptr1); // BAD + strdup(ptr1); // BAD // $ Alert[cpp/improper-null-termination] strdup(ptr2); // GOOD } @@ -67,8 +67,8 @@ void test_unassigned() char *ptr; ptr = buffer1; - strdup(buffer1); // BAD - strdup(ptr); // BAD + strdup(buffer1); // BAD // $ Alert[cpp/improper-null-termination] + strdup(ptr); // BAD // $ Alert[cpp/improper-null-termination] strcpy(buffer1, "content"); strdup(buffer1); // GOOD @@ -79,8 +79,8 @@ void test_unassigned() strdup(ptr); // GOOD ptr = buffer2; - strdup(buffer2); // BAD - strdup(ptr); // BAD + strdup(buffer2); // BAD // $ Alert[cpp/improper-null-termination] + strdup(ptr); // BAD // $ Alert[cpp/improper-null-termination] } { @@ -91,7 +91,7 @@ void test_unassigned() strcpy(buffer, "content"); strdup(buffer); // GOOD } - strdup(buffer); // BAD + strdup(buffer); // BAD // $ Alert[cpp/improper-null-termination] } { 
@@ -114,7 +114,7 @@ void test_unassigned() strcpy(buffer, "content"); strdup(buffer); // GOOD } - strdup(buffer); // BAD + strdup(buffer); // BAD // $ Alert[cpp/improper-null-termination] } } @@ -128,7 +128,7 @@ void test_caller() char buffer[1024]; test_callee("content", buffer); // GOOD - test_callee(buffer, "content"); // BAD + test_callee(buffer, "content"); // BAD // $ Alert[cpp/improper-null-termination] } void test_readlink(int fd, const char *path, size_t sz) @@ -137,7 +137,7 @@ void test_readlink(int fd, const char *path, size_t sz) char buffer[1024]; readlink(path, buffer, sizeof(buffer)); - strdup(buffer); // BAD + strdup(buffer); // BAD // $ Alert[cpp/improper-null-termination] } { @@ -145,7 +145,7 @@ void test_readlink(int fd, const char *path, size_t sz) int v; readlinkat(fd, path, buffer, sizeof(buffer)); - v = strlen(buffer); // BAD + v = strlen(buffer); // BAD // $ Alert[cpp/improper-null-termination] } { @@ -180,7 +180,7 @@ void test_readlink(int fd, const char *path, size_t sz) memset(buffer, 0, sizeof(buffer)); readlink(path, buffer, sizeof(buffer)); - strdup(buffer); // BAD + strdup(buffer); // BAD // $ Alert[cpp/improper-null-termination] } { @@ -233,7 +233,7 @@ void test_strcat() { char buffer[1024]; - strcat(buffer, "content"); // BAD + strcat(buffer, "content"); // BAD // $ Alert[cpp/improper-null-termination] } { @@ -261,7 +261,7 @@ void test_strcat() char buffer[1024]; buffer[0] = 'a'; - strcat(buffer, "content"); // BAD + strcat(buffer, "content"); // BAD // $ Alert[cpp/improper-null-termination] } { @@ -282,7 +282,7 @@ void test_strcat() char buffer[1024]; doNothing(buffer); - strcat(buffer, "content"); // BAD + strcat(buffer, "content"); // BAD // $ Alert[cpp/improper-null-termination] } { 
@@ -299,7 +299,7 @@ void test_strcat() *buffer_ptr = 0; strcat(buffer1, "content"); // GOOD - strcat(buffer2, "content"); // BAD + strcat(buffer2, "content"); // BAD // $ Alert[cpp/improper-null-termination] strcat(buffer_ptr, "content"); // GOOD buffer_ptr = buffer2; @@ -311,7 +311,7 @@ void test_strcat() char *buffer_ptr = buffer; *buffer_ptr = 'a'; - strcat(buffer, "content"); // BAD + strcat(buffer, "content"); // BAD // $ Alert[cpp/improper-null-termination] } { @@ -333,7 +333,7 @@ void test_strlen(bool cond1, bool cond2) { { char buffer[1024]; - int i = strlen(buffer); // BAD + int i = strlen(buffer); // BAD // $ Alert[cpp/improper-null-termination] } { @@ -418,7 +418,7 @@ void test_strcpy() char buffer1[1024]; char buffer2[1024]; - strcpy(buffer1, buffer2); // BAD + strcpy(buffer1, buffer2); // BAD // $ Alert[cpp/improper-null-termination] } { @@ -445,13 +445,13 @@ void test_wrappers() { char buffer[1024]; - strcatWrapper(buffer, "content"); // BAD + strcatWrapper(buffer, "content"); // BAD // $ Alert[cpp/improper-null-termination] } { char buffer[1024]; - strcatWrapper2(buffer, "content"); // BAD + strcatWrapper2(buffer, "content"); // BAD // $ Alert[cpp/improper-null-termination] } } @@ -463,7 +463,7 @@ void test_read_fread(int read_src, FILE *s) char buffer[buffer_size]; read(read_src, buffer, buffer_size * sizeof(char)); - strlen(buffer); // BAD + strlen(buffer); // BAD // $ Alert[cpp/user-controlled-null-termination-tainted] } { @@ -478,7 +478,7 @@ void test_read_fread(int read_src, FILE *s) char buffer[buffer_size]; fread(buffer, sizeof(char), buffer_size, s); - strlen(buffer); // BAD + strlen(buffer); // BAD // $ Alert[cpp/user-controlled-null-termination-tainted] } { 
@@ -510,13 +510,13 @@ void test_printf(char *str) { char buffer[1024]; - printf(buffer, ""); // BAD + printf(buffer, ""); // BAD // $ Alert[cpp/improper-null-termination] } { char buffer[1024]; - printf("%s", buffer); // BAD + printf("%s", buffer); // BAD // $ Alert[cpp/improper-null-termination] } { @@ -555,7 +555,7 @@ void test_reassignment() strcpy(buffer_ptr, "content"); // null terminates buffer1 buffer_ptr = buffer2; - strdup(buffer2); // BAD + strdup(buffer2); // BAD // $ Alert[cpp/improper-null-termination] } { diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/NtohlArrayNoBound/NtohlArrayNoBound.qlref b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/NtohlArrayNoBound/NtohlArrayNoBound.qlref index 58e62b13e6d..d01f3942fc5 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/NtohlArrayNoBound/NtohlArrayNoBound.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/NtohlArrayNoBound/NtohlArrayNoBound.qlref @@ -1 +1,2 @@ -Likely Bugs/Memory Management/NtohlArrayNoBound.ql \ No newline at end of file +query: Likely Bugs/Memory Management/NtohlArrayNoBound.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/NtohlArrayNoBound/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/NtohlArrayNoBound/test.cpp index 24bdaee0f16..514dd72ca19 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/NtohlArrayNoBound/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/NtohlArrayNoBound/test.cpp @@ -10,7 +10,7 @@ void test1(const char *source, size_t len) char buffer[256]; size_t len2 = ntohl(len); - memcpy(buffer, source, ntohl(len)); // BAD + memcpy(buffer, source, ntohl(len)); // BAD // $ Alert if (len2 < 256) { 
@@ -19,7 +19,7 @@ void test1(const char *source, size_t len) if (source != 0) { - memcpy(buffer, source, len2); // BAD + memcpy(buffer, source, len2); // BAD // $ Alert } if ((len2 < 256) && (source != 0)) @@ -29,7 +29,7 @@ void test1(const char *source, size_t len) if ((len2 < 256) || (source != 0)) { - memcpy(buffer, source, len2); // BAD + memcpy(buffer, source, len2); // BAD // $ Alert } if (len2 < 256) @@ -59,10 +59,10 @@ void test1(const char *source, size_t len) if (strlen(source) < 256) { - memcpy(buffer, source, len2); // BAD + memcpy(buffer, source, len2); // BAD // $ Alert } - buffer[len2] = 0; // BAD + buffer[len2] = 0; // BAD // $ Alert if (len2 < 256) { @@ -71,7 +71,7 @@ void test1(const char *source, size_t len) { unsigned short lens = len2; - buffer[lens] = 0; // BAD + buffer[lens] = 0; // BAD // $ Alert } if (len2 < 256) @@ -84,7 +84,7 @@ void test1(const char *source, size_t len) if (len3 < 256) { len3 = ntohl(len); - buffer[len3] = 0; // BAD + buffer[len3] = 0; // BAD // $ Alert } } @@ -92,7 +92,7 @@ void test2(size_t len) { char buffer[256]; - buffer[len] = 0; // BAD + buffer[len] = 0; // BAD // $ Alert } void test3(size_t len) @@ -104,5 +104,5 @@ int test4(const char *source, size_t len) { char buffer[256]; - return memcmp(buffer, source, ntohl(len)); // BAD + return memcmp(buffer, source, ntohl(len)); // BAD // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/More64BitWaste/More64BitWaste.qlref b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/More64BitWaste/More64BitWaste.qlref index 614ac0198be..48d907018a8 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/More64BitWaste/More64BitWaste.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/More64BitWaste/More64BitWaste.qlref 
@@ -1 +1,2 @@ -Likely Bugs/Memory Management/Padding/More64BitWaste.ql \ No newline at end of file +query: Likely Bugs/Memory Management/Padding/More64BitWaste.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/More64BitWaste/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/More64BitWaste/test.cpp index 0703d4dfe78..c30d492d13b 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/More64BitWaste/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/More64BitWaste/test.cpp @@ -14,7 +14,7 @@ struct test3 int x, y, z; }; -struct test4 // BAD +struct test4 // BAD // $ Alert { int a; long long b; @@ -26,7 +26,7 @@ struct test5 int b; }; -struct test6 // BAD +struct test6 // BAD // $ Alert { char as[4]; long long b; diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/NonPortablePrintf/NonPortablePrintf.qlref b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/NonPortablePrintf/NonPortablePrintf.qlref index ee9f4a7debb..7ba5352553d 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/NonPortablePrintf/NonPortablePrintf.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/NonPortablePrintf/NonPortablePrintf.qlref @@ -1 +1,2 @@ -Likely Bugs/Memory Management/Padding/NonPortablePrintf.ql \ No newline at end of file +query: Likely Bugs/Memory Management/Padding/NonPortablePrintf.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/NonPortablePrintf/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/NonPortablePrintf/test.cpp index e197819ba10..7408440fa03 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/NonPortablePrintf/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/NonPortablePrintf/test.cpp 
@@ -7,10 +7,10 @@ void test1() void *ptr; printf("%ld\n", l); // GOOD - printf("%d\n", l); // BAD + printf("%d\n", l); // BAD // $ Alert printf("%p\n", ptr); // GOOD - printf("%d\n", ptr); // BAD - printf("%u\n", ptr); // BAD - printf("%x\n", ptr); // BAD + printf("%d\n", ptr); // BAD // $ Alert + printf("%u\n", ptr); // BAD // $ Alert + printf("%x\n", ptr); // BAD // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/Suboptimal64BitType/Suboptimal64BitType.qlref b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/Suboptimal64BitType/Suboptimal64BitType.qlref index 3ad68ed8cec..26c576ecaf9 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/Suboptimal64BitType/Suboptimal64BitType.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/Suboptimal64BitType/Suboptimal64BitType.qlref @@ -1 +1,2 @@ -Likely Bugs/Memory Management/Padding/Suboptimal64BitType.ql \ No newline at end of file +query: Likely Bugs/Memory Management/Padding/Suboptimal64BitType.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/Suboptimal64BitType/types.c b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/Suboptimal64BitType/types.c index e4f86df394e..14533d57497 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/Suboptimal64BitType/types.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/Padding/Suboptimal64BitType/types.c @@ -8,7 +8,7 @@ // - 6 bytes: char d[6] // - 2 bytes: trailing padding // Optimal layout removes 8 bytes padding, leaves 2 bytes trailing padding. -typedef struct a { +typedef struct a { // $ Alert int a; double b; int c; diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/PointerOverflow/PointerOverflow.qlref b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/PointerOverflow/PointerOverflow.qlref index 2cad0c8bd7f..b24ce18e583 100644 
--- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/PointerOverflow/PointerOverflow.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/PointerOverflow/PointerOverflow.qlref @@ -1 +1,2 @@ -Likely Bugs/Memory Management/PointerOverflow.ql +query: Likely Bugs/Memory Management/PointerOverflow.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/PointerOverflow/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/PointerOverflow/test.cpp index f4d3dbfe181..7baf2b138e8 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/PointerOverflow/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/PointerOverflow/test.cpp @@ -3,7 +3,7 @@ bool check_pointer_overflow(P *ptr) { // x86-64 gcc 9.2 -O2: deleted // x86-64 clang 9.9.9 -O2: deleted // x64 msvc v19.22 /O2: not deleted - return ptr + 0x12345678 < ptr; // BAD + return ptr + 0x12345678 < ptr; // BAD // $ Alert } bool check_pointer_overflow(P *ptr, P *ptr_end) { // x86-64 gcc 9.2 -O2: not deleted @@ -30,7 +30,7 @@ typedef unsigned long size_t; bool not_in_range_bad(Q *ptr, Q *ptr_end, size_t a) { return ptr + a >= ptr_end || // GOOD (for the purpose of this test) - ptr + a < ptr; // BAD + ptr + a < ptr; // BAD // $ Alert } bool not_in_range_good(Q *ptr, Q *ptr_end, size_t a) { @@ -46,9 +46,9 @@ extern "C" void abort(void); #define MYASSERT(cond) if (cond) abort() void assert_not_in_range_bad(Q *ptr, Q *ptr_end, size_t a) { - MYASSERT(ptr + a >= ptr_end || ptr + a < ptr); // BAD + MYASSERT(ptr + a >= ptr_end || ptr + a < ptr); // BAD // $ Alert MYASSERT(ptr + a >= ptr_end); // GOOD (for the purpose of this test) - MYASSERT(ptr + a < ptr); // BAD + MYASSERT(ptr + a < ptr); // BAD // $ Alert } #define IS_LESS_THAN(lhs, rhs) ((lhs) < (rhs)) 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnCstrOfLocalStdString/ReturnCstrOfLocalStdString.qlref b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnCstrOfLocalStdString/ReturnCstrOfLocalStdString.qlref index e8864277b4f..1921529a00b 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnCstrOfLocalStdString/ReturnCstrOfLocalStdString.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnCstrOfLocalStdString/ReturnCstrOfLocalStdString.qlref @@ -1 +1,2 @@ -Likely Bugs/Memory Management/ReturnCstrOfLocalStdString.ql +query: Likely Bugs/Memory Management/ReturnCstrOfLocalStdString.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnCstrOfLocalStdString/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnCstrOfLocalStdString/test.cpp index c27cb77b1d8..9d34364339d 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnCstrOfLocalStdString/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnCstrOfLocalStdString/test.cpp @@ -21,7 +21,7 @@ namespace std { const char* bad000() { std::string localStr("Test string"); - return localStr.c_str(); + return localStr.c_str(); // $ Alert } const char* good001(const std::string& p) { @@ -29,7 +29,7 @@ const char* good001(const std::string& p) { } const char* bad001() { - return std::string("Test string").c_str(); + return std::string("Test string").c_str(); // $ Alert } @@ -42,7 +42,7 @@ public: jstring get_hello(_JNIEnv *env) { std::string hello = "Hello world"; - return env->NewStringUTF(hello.c_str()); + return env->NewStringUTF(hello.c_str()); // $ Alert } void good002_helper(std::string*); 
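Review bot: The `// $ Alert` added in `get_hello` (third hunk of ReturnCstrOfLocalStdString/test.cpp) has no GOOD/BAD label beside it, and unlike `bad000` and `bad001` the function name does not say whether the result is intended. Here the `c_str()` pointer is passed to `NewStringUTF` rather than returned directly, and that method's declaration is outside the hunk, so whether the flagged pointer can outlive `hello` cannot be judged from the visible lines. If the alert is intended, add `// BAD` before the expectation; if it is a known false positive, write `// GOOD [FALSE POSITIVE] // $ SPURIOUS: Alert` so the test documents it as such.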
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected index 6aa457b1e8a..f5304776140 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected 
@@ -1,3 +1,20 @@ +#select +| test.cpp:17:9:17:11 | CopyValue: & ... | test.cpp:17:10:17:11 | mc | test.cpp:17:9:17:11 | & ... | May return stack-allocated memory from $@. | test.cpp:17:10:17:11 | mc | mc | +| test.cpp:25:9:25:11 | Load: ptr | test.cpp:23:18:23:19 | mc | test.cpp:25:9:25:11 | ptr | May return stack-allocated memory from $@. | test.cpp:23:18:23:19 | mc | mc | +| test.cpp:41:9:41:12 | CopyValue: & ... | test.cpp:39:17:39:18 | mc | test.cpp:41:9:41:12 | & ... | May return stack-allocated memory from $@. | test.cpp:39:17:39:18 | mc | mc | +| test.cpp:47:9:47:10 | CopyValue: (reference to) | test.cpp:47:9:47:10 | mc | test.cpp:47:9:47:10 | (reference to) | May return stack-allocated memory from $@. | test.cpp:47:9:47:10 | mc | mc | +| test.cpp:54:9:54:15 | CopyValue: & ... | test.cpp:54:11:54:12 | mc | test.cpp:54:9:54:15 | & ... | May return stack-allocated memory from $@. | test.cpp:54:11:54:12 | mc | mc | +| test.cpp:92:9:92:11 | Load: ptr | test.cpp:89:10:89:11 | mc | test.cpp:92:9:92:11 | ptr | May return stack-allocated memory from $@. | test.cpp:89:10:89:11 | mc | mc | +| test.cpp:112:9:112:11 | Convert: array to pointer conversion | test.cpp:112:9:112:11 | arr | test.cpp:112:9:112:11 | array to pointer conversion | May return stack-allocated memory from $@. | test.cpp:112:9:112:11 | arr | arr | +| test.cpp:119:9:119:18 | CopyValue: & ... | test.cpp:119:11:119:13 | arr | test.cpp:119:9:119:18 | & ... | May return stack-allocated memory from $@. | test.cpp:119:11:119:13 | arr | arr | +| test.cpp:137:9:137:11 | Load: ptr | test.cpp:134:8:134:10 | arr | test.cpp:137:9:137:11 | ptr | May return stack-allocated memory from $@. | test.cpp:134:8:134:10 | arr | arr | +| test.cpp:171:10:171:23 | Load: pointerToLocal | test.cpp:170:35:170:41 | myLocal | test.cpp:171:10:171:23 | pointerToLocal | May return stack-allocated memory from $@. | test.cpp:170:35:170:41 | myLocal | myLocal | +| test.cpp:177:10:177:23 | Convert: (void *)... 
| test.cpp:176:25:176:34 | localArray | test.cpp:177:10:177:23 | (void *)... | May return stack-allocated memory from $@. | test.cpp:176:25:176:34 | localArray | localArray | +| test.cpp:183:10:183:19 | CopyValue: (reference to) | test.cpp:182:21:182:27 | myLocal | test.cpp:183:10:183:19 | (reference to) | May return stack-allocated memory from $@. | test.cpp:182:21:182:27 | myLocal | myLocal | +| test.cpp:190:10:190:13 | CopyValue: (reference to) | test.cpp:189:16:189:16 | p | test.cpp:190:10:190:13 | (reference to) | May return stack-allocated memory from $@. | test.cpp:189:16:189:16 | p | p | +| test.cpp:238:9:238:9 | Load: p | test.cpp:237:12:237:17 | call to alloca | test.cpp:238:9:238:9 | p | May return stack-allocated memory from $@. | test.cpp:237:12:237:17 | call to alloca | call to alloca | +| test.cpp:245:9:245:15 | Call: call to strdupa | test.cpp:245:9:245:15 | call to strdupa | test.cpp:245:9:245:15 | call to strdupa | May return stack-allocated memory from $@. | test.cpp:245:9:245:15 | call to strdupa | call to strdupa | +| test.cpp:250:9:250:10 | Convert: (void *)... | test.cpp:249:13:249:20 | call to strndupa | test.cpp:250:9:250:10 | (void *)... | May return stack-allocated memory from $@. | test.cpp:249:13:249:20 | call to strndupa | call to strndupa | edges | test.cpp:17:10:17:11 | mc | test.cpp:17:9:17:11 | & ... | | test.cpp:23:17:23:19 | & ... | test.cpp:23:17:23:19 | & ... | 
@@ -114,20 +131,3 @@ nodes | test.cpp:249:13:249:20 | call to strndupa | semmle.label | call to strndupa | | test.cpp:250:9:250:10 | (void *)... | semmle.label | (void *)... | | test.cpp:250:9:250:10 | s2 | semmle.label | s2 | -#select -| test.cpp:17:9:17:11 | CopyValue: & ... | test.cpp:17:10:17:11 | mc | test.cpp:17:9:17:11 | & ... | May return stack-allocated memory from $@. | test.cpp:17:10:17:11 | mc | mc | -| test.cpp:25:9:25:11 | Load: ptr | test.cpp:23:18:23:19 | mc | test.cpp:25:9:25:11 | ptr | May return stack-allocated memory from $@. | test.cpp:23:18:23:19 | mc | mc | -| test.cpp:41:9:41:12 | CopyValue: & ... | test.cpp:39:17:39:18 | mc | test.cpp:41:9:41:12 | & ... | May return stack-allocated memory from $@. | test.cpp:39:17:39:18 | mc | mc | -| test.cpp:47:9:47:10 | CopyValue: (reference to) | test.cpp:47:9:47:10 | mc | test.cpp:47:9:47:10 | (reference to) | May return stack-allocated memory from $@. | test.cpp:47:9:47:10 | mc | mc | -| test.cpp:54:9:54:15 | CopyValue: & ... | test.cpp:54:11:54:12 | mc | test.cpp:54:9:54:15 | & ... | May return stack-allocated memory from $@. | test.cpp:54:11:54:12 | mc | mc | -| test.cpp:92:9:92:11 | Load: ptr | test.cpp:89:10:89:11 | mc | test.cpp:92:9:92:11 | ptr | May return stack-allocated memory from $@. | test.cpp:89:10:89:11 | mc | mc | -| test.cpp:112:9:112:11 | Convert: array to pointer conversion | test.cpp:112:9:112:11 | arr | test.cpp:112:9:112:11 | array to pointer conversion | May return stack-allocated memory from $@. | test.cpp:112:9:112:11 | arr | arr | -| test.cpp:119:9:119:18 | CopyValue: & ... | test.cpp:119:11:119:13 | arr | test.cpp:119:9:119:18 | & ... | May return stack-allocated memory from $@. | test.cpp:119:11:119:13 | arr | arr | -| test.cpp:137:9:137:11 | Load: ptr | test.cpp:134:8:134:10 | arr | test.cpp:137:9:137:11 | ptr | May return stack-allocated memory from $@. 
| test.cpp:134:8:134:10 | arr | arr | -| test.cpp:171:10:171:23 | Load: pointerToLocal | test.cpp:170:35:170:41 | myLocal | test.cpp:171:10:171:23 | pointerToLocal | May return stack-allocated memory from $@. | test.cpp:170:35:170:41 | myLocal | myLocal | -| test.cpp:177:10:177:23 | Convert: (void *)... | test.cpp:176:25:176:34 | localArray | test.cpp:177:10:177:23 | (void *)... | May return stack-allocated memory from $@. | test.cpp:176:25:176:34 | localArray | localArray | -| test.cpp:183:10:183:19 | CopyValue: (reference to) | test.cpp:182:21:182:27 | myLocal | test.cpp:183:10:183:19 | (reference to) | May return stack-allocated memory from $@. | test.cpp:182:21:182:27 | myLocal | myLocal | -| test.cpp:190:10:190:13 | CopyValue: (reference to) | test.cpp:189:16:189:16 | p | test.cpp:190:10:190:13 | (reference to) | May return stack-allocated memory from $@. | test.cpp:189:16:189:16 | p | p | -| test.cpp:238:9:238:9 | Load: p | test.cpp:237:12:237:17 | call to alloca | test.cpp:238:9:238:9 | p | May return stack-allocated memory from $@. | test.cpp:237:12:237:17 | call to alloca | call to alloca | -| test.cpp:245:9:245:15 | Call: call to strdupa | test.cpp:245:9:245:15 | call to strdupa | test.cpp:245:9:245:15 | call to strdupa | May return stack-allocated memory from $@. | test.cpp:245:9:245:15 | call to strdupa | call to strdupa | -| test.cpp:250:9:250:10 | Convert: (void *)... | test.cpp:249:13:249:20 | call to strndupa | test.cpp:250:9:250:10 | (void *)... | May return stack-allocated memory from $@. | test.cpp:249:13:249:20 | call to strndupa | call to strndupa | diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.qlref b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.qlref index 9ca45682006..f35aff41b04 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.qlref 
+++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.qlref @@ -1 +1,2 @@ -Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql +query: Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp index 07e3520fa81..45d1431c04d 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp @@ -14,15 +14,15 @@ MyClass *test1() { MyClass mc; - return &mc; // BAD + return &mc; // BAD // $ Alert } MyClass *test2() { MyClass mc; - MyClass *ptr = &mc; + MyClass *ptr = &mc; // $ Source - return ptr; // BAD + return ptr; // BAD // $ Alert } MyClass *test3() @@ -36,22 +36,22 @@ MyClass *test3() MyClass *test4() { MyClass mc; - MyClass &ref = mc; + MyClass &ref = mc; // $ Source - return &ref; // BAD + return &ref; // BAD // $ Alert } MyClass &test5() { MyClass mc; - return mc; // BAD + return mc; // BAD // $ Alert } int *test6() { MyClass mc; - return &(mc.a); // BAD + return &(mc.a); // BAD // $ Alert } MyClass test7() @@ -86,10 +86,10 @@ MyClass *test11() { MyClass mc; - ptr = &mc; + ptr = &mc; // $ Source } - return ptr; // BAD + return ptr; // BAD // $ Alert } MyClass *test12(MyClass *param) @@ -109,14 +109,14 @@ char *testArray1() { char arr[256]; - return arr; // BAD + return arr; // BAD // $ Alert } char *testArray2() { char arr[256]; - return &(arr[10]); // BAD + return &(arr[10]); // BAD // $ Alert } char testArray3() @@ -131,10 +131,10 @@ char *testArray4() char arr[256]; char *ptr; - ptr = arr + 1; + ptr = arr + 1; // $ Source ptr++; - return ptr; // BAD + return ptr; // BAD // $ Alert } char *testArray5() 
@@ -167,27 +167,27 @@ char *returnAfterCopy() { void *conversionBeforeDataFlow() { int myLocal; - void *pointerToLocal = (void *)&myLocal; // has conversion - return pointerToLocal; // BAD + void *pointerToLocal = (void *)&myLocal; // has conversion // $ Source + return pointerToLocal; // BAD // $ Alert } void *arrayConversionBeforeDataFlow() { int localArray[4]; - int *pointerToLocal = localArray; // has conversion - return pointerToLocal; // BAD + int *pointerToLocal = localArray; // has conversion // $ Source + return pointerToLocal; // BAD // $ Alert } int &dataFlowThroughReference() { int myLocal; - int &refToLocal = myLocal; // has conversion - return refToLocal; // BAD + int &refToLocal = myLocal; // has conversion // $ Source + return refToLocal; // BAD // $ Alert } int *&conversionInFlow() { int myLocal; int *p = &myLocal; - int *&pRef = p; // has conversion in the middle of data flow - return pRef; // BAD + int *&pRef = p; // has conversion in the middle of data flow // $ Source + return pRef; // BAD // $ Alert } namespace std { @@ -234,20 +234,20 @@ void f() { void *alloca(size_t); void* test_alloca() { - void* p = alloca(10); - return p; // BAD + void* p = alloca(10); // $ Source + return p; // BAD // $ Alert } char *strdupa(const char *); char *strndupa(const char *, size_t); char* test_strdupa(const char* s) { - return strdupa(s); // BAD + return strdupa(s); // BAD // $ Alert } void* test_strndupa(const char* s, size_t size) { - char* s2 = strndupa(s, size); - return s2; // BAD + char* s2 = strndupa(s, size); // $ Source + return s2; // BAD // $ Alert } int* f_rec(int *p) { diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StackAddressEscapes/StackAddressEscapes.qlref b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StackAddressEscapes/StackAddressEscapes.qlref index 9442d89a36d..c5fff4b2234 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StackAddressEscapes/StackAddressEscapes.qlref 
+++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StackAddressEscapes/StackAddressEscapes.qlref @@ -1 +1,2 @@ -Likely Bugs/Memory Management/StackAddressEscapes.ql \ No newline at end of file +query: Likely Bugs/Memory Management/StackAddressEscapes.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StackAddressEscapes/manager.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StackAddressEscapes/manager.cpp index 8b73bffb04a..02a67eb9761 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StackAddressEscapes/manager.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StackAddressEscapes/manager.cpp @@ -48,7 +48,7 @@ manager *test_managers() std::vector vs; a.set_strings(vs); // BAD: stack address `&vs` escapes [NOT DETECTED] - glob_man = &man; // BAD: stack address `&man` escapes + glob_man = &man; // BAD: stack address `&man` escapes // $ Alert return &man; // BAD: stack address `&man` escapes [NOT DETECTED] } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StackAddressEscapes/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StackAddressEscapes/test.cpp index 19cfd214e18..34717346978 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StackAddressEscapes/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StackAddressEscapes/test.cpp @@ -19,7 +19,7 @@ int test101() { int x = 0; // BAD: local address is written to a static variable, which could // be unsafe. - s101.p = &x; + s101.p = &x; // $ Alert return x; } @@ -28,7 +28,7 @@ int test102() { static struct S100 s102; // BAD: local address is written to a local static variable, which could // be unsafe. - s102.p = &x; + s102.p = &x; // $ Alert return x; } 
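Review bot: In the manager.cpp hunk, the two `[NOT DETECTED]` lines of `test_managers` (`a.set_strings(vs);` and `return &man;`) remain free-text comments, so the known false negatives for escaping stack addresses are no longer tracked by the test. Only `glob_man = &man;` carries a machine-checked expectation after the switch to inline expectations. I would append `// $ MISSING: Alert` to both lines so that a future query improvement or regression shows up as a test diff. The same applies to the unannotated `[NOT DETECTED]` calls in SuspiciousCallToMemset/test.cpp (`memset(&ms, 0, 8);` and `memset(msPtrArr, 0, sizeof(myStruct) * NUM);`). `test_managers` begins before this hunk, so any earlier lines of the function are not covered here.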
@@ -36,7 +36,7 @@ void test103(int *p) { static struct S100 s103; // BAD: address is written to a local static variable, which could // be unsafe. - s103.p = p; + s103.p = p; // $ Alert } // Helper for test103. @@ -75,7 +75,7 @@ int test105() { p3++; // BAD: local address is written to a static variable, which could // be unsafe. - s101.p = p3; + s101.p = p3; // $ Alert return x; } @@ -86,7 +86,7 @@ void test106() { S100 s; // BAD: local address is written to a static variable, which could // be unsafe. - s106.p = &(s.i); + s106.p = &(s.i); // $ Alert } // Test for reference types. @@ -97,7 +97,7 @@ int test107() { r1++; // BAD: local address is written to a static variable, which could // be unsafe. - s101.p = &r1; + s101.p = &r1; // $ Alert return r1; } @@ -124,7 +124,7 @@ int test201() { int x = 0; // BAD: local address is written to a static variable, which could // be unsafe. - s201.p = &x; + s201.p = &x; // $ Alert return x; } @@ -133,7 +133,7 @@ int test202() { static struct S200 s202; // BAD: local address is written to a local static variable, which could // be unsafe. - s202.p = &x; + s202.p = &x; // $ Alert return x; } @@ -142,7 +142,7 @@ static const int* xptr; void example1() { int x = 0; - xptr = &x; // BAD: address of local variable stored in non-local memory. + xptr = &x; // BAD: address of local variable stored in non-local memory. // $ Alert } void example2() { 
@@ -166,27 +166,27 @@ void test301() { int b2[14][15]; int b3[13][14][15]; - s.p1 = b1; // BAD: address of local variable stored in non-local memory. - s.p1 = &b1[1]; // BAD: address of local variable stored in non-local memory. + s.p1 = b1; // BAD: address of local variable stored in non-local memory. // $ Alert + s.p1 = &b1[1]; // BAD: address of local variable stored in non-local memory. // $ Alert - s.p2 = b2; // BAD: address of local variable stored in non-local memory. - s.p2 = &b2[1]; // BAD: address of local variable stored in non-local memory. - s.p1 = b2[1]; // BAD: address of local variable stored in non-local memory. - s.p1 = &b2[1][2]; // BAD: address of local variable stored in non-local memory. + s.p2 = b2; // BAD: address of local variable stored in non-local memory. // $ Alert + s.p2 = &b2[1]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.p1 = b2[1]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.p1 = &b2[1][2]; // BAD: address of local variable stored in non-local memory. // $ Alert - s.p3 = b3; // BAD: address of local variable stored in non-local memory. - s.p3 = &b3[1]; // BAD: address of local variable stored in non-local memory. - s.p2 = b3[1]; // BAD: address of local variable stored in non-local memory. - s.p2 = &b3[1][2]; // BAD: address of local variable stored in non-local memory. - s.p1 = b3[1][2]; // BAD: address of local variable stored in non-local memory. - s.p1 = &b3[1][2][3]; // BAD: address of local variable stored in non-local memory. + s.p3 = b3; // BAD: address of local variable stored in non-local memory. // $ Alert + s.p3 = &b3[1]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.p2 = b3[1]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.p2 = &b3[1][2]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.p1 = b3[1][2]; // BAD: address of local variable stored in non-local memory. 
// $ Alert + s.p1 = &b3[1][2][3]; // BAD: address of local variable stored in non-local memory. // $ Alert - s.pp[0] = b1; // BAD: address of local variable stored in non-local memory. - s.pp[0] = &b1[1]; // BAD: address of local variable stored in non-local memory. - s.pp[0] = b2[1]; // BAD: address of local variable stored in non-local memory. - s.pp[0] = &b2[1][2]; // BAD: address of local variable stored in non-local memory. - s.pp[0] = b3[1][2]; // BAD: address of local variable stored in non-local memory. - s.pp[0] = &b3[1][2][3]; // BAD: address of local variable stored in non-local memory. + s.pp[0] = b1; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = &b1[1]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = b2[1]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = &b2[1][2]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = b3[1][2]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = &b3[1][2][3]; // BAD: address of local variable stored in non-local memory. // $ Alert } void test302() { 
@@ -212,41 +212,41 @@ void test302() { // Even though s is local, we don't know that s.pp is local because // there is a pointer indirection involved. - s.pp[0] = b1; // BAD: address of local variable stored in non-local memory. - s.pp[0] = &b1[1]; // BAD: address of local variable stored in non-local memory. - s.pp[0] = b2[1]; // BAD: address of local variable stored in non-local memory. - s.pp[0] = &b2[1][2]; // BAD: address of local variable stored in non-local memory. - s.pp[0] = b3[1][2]; // BAD: address of local variable stored in non-local memory. - s.pp[0] = &b3[1][2][3]; // BAD: address of local variable stored in non-local memory. + s.pp[0] = b1; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = &b1[1]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = b2[1]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = &b2[1][2]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = b3[1][2]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = &b3[1][2][3]; // BAD: address of local variable stored in non-local memory. // $ Alert } void test303() { static S300 s; S300 x; - s.p1 = x.a1; // BAD: address of local variable stored in non-local memory. - s.p1 = &x.a1[1]; // BAD: address of local variable stored in non-local memory. + s.p1 = x.a1; // BAD: address of local variable stored in non-local memory. // $ Alert + s.p1 = &x.a1[1]; // BAD: address of local variable stored in non-local memory. // $ Alert - s.p2 = x.a2; // BAD: address of local variable stored in non-local memory. - s.p2 = &x.a2[1]; // BAD: address of local variable stored in non-local memory. - s.p1 = x.a2[1]; // BAD: address of local variable stored in non-local memory. - s.p1 = &x.a2[1][2]; // BAD: address of local variable stored in non-local memory. + s.p2 = x.a2; // BAD: address of local variable stored in non-local memory. 
// $ Alert + s.p2 = &x.a2[1]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.p1 = x.a2[1]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.p1 = &x.a2[1][2]; // BAD: address of local variable stored in non-local memory. // $ Alert - s.p3 = x.a3; // BAD: address of local variable stored in non-local memory. - s.p3 = &x.a3[1]; // BAD: address of local variable stored in non-local memory. - s.p2 = x.a3[1]; // BAD: address of local variable stored in non-local memory. - s.p2 = &x.a3[1][2]; // BAD: address of local variable stored in non-local memory. - s.p1 = x.a3[1][2]; // BAD: address of local variable stored in non-local memory. - s.p1 = &x.a3[1][2][3]; // BAD: address of local variable stored in non-local memory. + s.p3 = x.a3; // BAD: address of local variable stored in non-local memory. // $ Alert + s.p3 = &x.a3[1]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.p2 = x.a3[1]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.p2 = &x.a3[1][2]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.p1 = x.a3[1][2]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.p1 = &x.a3[1][2][3]; // BAD: address of local variable stored in non-local memory. // $ Alert // Even though s is local, we don't know that s.pp is local because // there is a pointer indirection involved. - s.pp[0] = x.a1; // BAD: address of local variable stored in non-local memory. - s.pp[0] = &x.a1[1]; // BAD: address of local variable stored in non-local memory. - s.pp[0] = x.a2[1]; // BAD: address of local variable stored in non-local memory. - s.pp[0] = &x.a2[1][2]; // BAD: address of local variable stored in non-local memory. - s.pp[0] = x.a3[1][2]; // BAD: address of local variable stored in non-local memory. - s.pp[0] = &x.a3[1][2][3]; // BAD: address of local variable stored in non-local memory. 
+ s.pp[0] = x.a1; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = &x.a1[1]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = x.a2[1]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = &x.a2[1][2]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = x.a3[1][2]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = &x.a3[1][2][3]; // BAD: address of local variable stored in non-local memory. // $ Alert } void test304() { @@ -270,12 +270,12 @@ void test304() { // Even though s is local, we don't know that s.pp is local because // there is a pointer indirection involved. - s.pp[0] = x.a1; // BAD: address of local variable stored in non-local memory. - s.pp[0] = &x.a1[1]; // BAD: address of local variable stored in non-local memory. - s.pp[0] = x.a2[1]; // BAD: address of local variable stored in non-local memory. - s.pp[0] = &x.a2[1][2]; // BAD: address of local variable stored in non-local memory. - s.pp[0] = x.a3[1][2]; // BAD: address of local variable stored in non-local memory. - s.pp[0] = &x.a3[1][2][3]; // BAD: address of local variable stored in non-local memory. + s.pp[0] = x.a1; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = &x.a1[1]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = x.a2[1]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = &x.a2[1][2]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = x.a3[1][2]; // BAD: address of local variable stored in non-local memory. // $ Alert + s.pp[0] = &x.a3[1][2][3]; // BAD: address of local variable stored in non-local memory. // $ Alert } struct S400 { 
@@ -309,11 +309,11 @@ int test400() { s.p0 = &x; // GOOD: s.p0 is on the stack. s.p1[1] = &x; // GOOD: s.p1 is on the stack. s.p2[1][2] = &x; // GOOD: s.p1 is on the stack. - s.q1[1] = &x; // BAD: pointer indirection to the heap. - s.q2[1][2] = &x; // BAD: pointer indirection to the heap. - s.q3[1][2][3] = &x; // BAD: pointer indirection to the heap. - s.r2[1][2] = &x; // BAD: pointer indirection to the heap. - s.r3[1][2][3] = &x; // BAD: pointer indirection to the heap. + s.q1[1] = &x; // BAD: pointer indirection to the heap. // $ Alert + s.q2[1][2] = &x; // BAD: pointer indirection to the heap. // $ Alert + s.q3[1][2][3] = &x; // BAD: pointer indirection to the heap. // $ Alert + s.r2[1][2] = &x; // BAD: pointer indirection to the heap. // $ Alert + s.r3[1][2][3] = &x; // BAD: pointer indirection to the heap. // $ Alert return x; } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StrncpyFlippedArgs/StrncpyFlippedArgs.qlref b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StrncpyFlippedArgs/StrncpyFlippedArgs.qlref index bf0bf1ea7d0..3a2ef158d3d 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StrncpyFlippedArgs/StrncpyFlippedArgs.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StrncpyFlippedArgs/StrncpyFlippedArgs.qlref @@ -1 +1,2 @@ -Likely Bugs/Memory Management/StrncpyFlippedArgs.ql \ No newline at end of file +query: Likely Bugs/Memory Management/StrncpyFlippedArgs.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StrncpyFlippedArgs/test.c b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StrncpyFlippedArgs/test.c index 2ed60b96315..bba5318fc32 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StrncpyFlippedArgs/test.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StrncpyFlippedArgs/test.c 
@@ -19,7 +19,7 @@ void good0(char *arg) { void bad0(char *arg) { char buf[80]; // BAD: Checks size of source - strncpy(buf, arg, strlen(arg)); + strncpy(buf, arg, strlen(arg)); // $ Alert } @@ -30,6 +30,6 @@ void good1(const char *buf, char *arg) { void bad1(const char *buf, char *arg) { // BAD: Checks size of source - strncpy(buf, arg, strlen(arg)); + strncpy(buf, arg, strlen(arg)); // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StrncpyFlippedArgs/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StrncpyFlippedArgs/test.cpp index ad2e39b748e..89fcbc432ed 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StrncpyFlippedArgs/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/StrncpyFlippedArgs/test.cpp @@ -18,9 +18,9 @@ void test1() const char *str = "01234567890123456789"; strncpy(buf1, str, sizeof(buf1)); - strncpy(buf1, str, strlen(str)); // BAD - strncpy(buf1, str, strlen(str) + 1); // BAD - strncpy(buf1, buf2, sizeof(buf2)); // BAD + strncpy(buf1, str, strlen(str)); // BAD // $ Alert + strncpy(buf1, str, strlen(str) + 1); // BAD // $ Alert + strncpy(buf1, buf2, sizeof(buf2)); // BAD // $ Alert } void test2() 
@@ -29,12 +29,12 @@ void test2() wchar_t buf2[20]; const wchar_t *str = L"01234567890123456789"; - wcsncpy(buf1, str, sizeof(buf1)); // (bad, but not a strncpyflippedargs bug) + wcsncpy(buf1, str, sizeof(buf1)); // (bad, but not a strncpyflippedargs bug) // $ Alert wcsncpy(buf1, str, sizeof(buf1) / sizeof(wchar_t)); - wcsncpy(buf1, str, wcslen(str)); // BAD - wcsncpy(buf1, str, wcslen(str) + 1); // BAD - wcsncpy(buf1, buf2, sizeof(buf2)); // BAD - wcsncpy(buf1, buf2, sizeof(buf2) / sizeof(wchar_t)); // BAD [NOT DETECTED] + wcsncpy(buf1, str, wcslen(str)); // BAD // $ Alert + wcsncpy(buf1, str, wcslen(str) + 1); // BAD // $ Alert + wcsncpy(buf1, buf2, sizeof(buf2)); // BAD // $ Alert + wcsncpy(buf1, buf2, sizeof(buf2) / sizeof(wchar_t)); // BAD [NOT DETECTED] // $ Alert } void test3() @@ -44,9 +44,9 @@ void test3() const char *str = "01234567890123456789"; strcpy_s(buf1, sizeof(buf1), str); - strcpy_s(buf1, strlen(str), str); // BAD - strcpy_s(buf1, strlen(str) + 1, str); // BAD - strcpy_s(buf1, sizeof(buf2), buf2); // BAD + strcpy_s(buf1, strlen(str), str); // BAD // $ Alert + strcpy_s(buf1, strlen(str) + 1, str); // BAD // $ Alert + strcpy_s(buf1, sizeof(buf2), buf2); // BAD // $ Alert } struct S { @@ -59,10 +59,10 @@ void test4(S *a, S *b) { strncpy(a->x, b->x, sizeof(a->x)); // GOOD strncpy(a->x, b->x, sizeof(b->x)); // GOOD (sizes match, so it's ok) - strncpy(a->x, b->z, sizeof(b->z)); // BAD + strncpy(a->x, b->z, sizeof(b->z)); // BAD // $ Alert strncpy(a->y, b->y, strlen(a->y) + 1); // GOOD - strncpy(a->y, b->y, strlen(b->y) + 1); // BAD + strncpy(a->y, b->y, strlen(b->y) + 1); // BAD // $ Alert } void test5(char *buf) 
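Review bot: The last changed line of the `test2` hunk now reads `// BAD [NOT DETECTED] // $ Alert`, which contradicts itself: the prose says the query misses this `wcsncpy` call while the expectation says it reports it. If the query does flag the line, as the matching `wcsxfrm_l(buf1, buf2, sizeof(buf2) / sizeof(wchar_t), nullptr); // BAD // $ Alert` in `test9` suggests, drop the stale `[NOT DETECTED]`; if it does not, the annotation should be `// $ MISSING: Alert`. Separately, `wcsncpy(buf1, str, sizeof(buf1)); // (bad, but not a strncpyflippedargs bug) // $ Alert` and the equivalent `wcsxfrm_l` line in `test9` record an alert that the comment says is outside this query's intent. A short comment on whether that result is wanted would stop the next reader from treating it as an accepted true positive. `test2` starts before the hunk.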
@@ -78,10 +78,10 @@ void test6(T *a, T *b) { strncpy(a->s->x, b->s->x, sizeof(a->s->x)); // GOOD strncpy(a->s->x, b->s->x, sizeof(b->s->x)); // GOOD (sizes match, so it's ok) - strncpy(a->s->x, b->s->x, sizeof(b->s->z)); // BAD + strncpy(a->s->x, b->s->x, sizeof(b->s->z)); // BAD // $ Alert strncpy(a->s->y, b->s->y, strlen(a->s->y) + 1); // GOOD - strncpy(a->s->y, b->s->y, strlen(b->s->y) + 1); // BAD + strncpy(a->s->y, b->s->y, strlen(b->s->y) + 1); // BAD // $ Alert } void test7(char* x, char* y) { @@ -102,10 +102,10 @@ void test9() wchar_t buf2[20]; const wchar_t *str = L"01234567890123456789"; - wcsxfrm_l(buf1, str, sizeof(buf1), nullptr); // BAD (but not a StrncpyFlippedArgs bug) + wcsxfrm_l(buf1, str, sizeof(buf1), nullptr); // BAD (but not a StrncpyFlippedArgs bug) // $ Alert wcsxfrm_l(buf1, str, sizeof(buf1) / sizeof(wchar_t), nullptr); // GOOD - wcsxfrm_l(buf1, str, wcslen(str), nullptr); // BAD - wcsxfrm_l(buf1, str, wcslen(str) + 1, nullptr); // BAD - wcsxfrm_l(buf1, buf2, sizeof(buf2), nullptr); // BAD - wcsxfrm_l(buf1, buf2, sizeof(buf2) / sizeof(wchar_t), nullptr); // BAD + wcsxfrm_l(buf1, str, wcslen(str), nullptr); // BAD // $ Alert + wcsxfrm_l(buf1, str, wcslen(str) + 1, nullptr); // BAD // $ Alert + wcsxfrm_l(buf1, buf2, sizeof(buf2), nullptr); // BAD // $ Alert + wcsxfrm_l(buf1, buf2, sizeof(buf2) / sizeof(wchar_t), nullptr); // BAD // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToMemset/SuspiciousCallToMemset.qlref b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToMemset/SuspiciousCallToMemset.qlref index ab987b824e4..8a03a49d34e 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToMemset/SuspiciousCallToMemset.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToMemset/SuspiciousCallToMemset.qlref 
@@ -1 +1,2 @@ -Likely Bugs/Memory Management/SuspiciousCallToMemset.ql \ No newline at end of file +query: Likely Bugs/Memory Management/SuspiciousCallToMemset.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToMemset/doc_tests.c b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToMemset/doc_tests.c index 1acf9e8e566..f13ea262403 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToMemset/doc_tests.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToMemset/doc_tests.c @@ -26,7 +26,7 @@ void tests() struct T *t2 = (struct T*)malloc(sizeof(struct T)); // the size of the struct is probably intended // but this takes the size of a pointer - memset(t2, 0, sizeof(t2)); // BAD + memset(t2, 0, sizeof(t2)); // BAD // $ Alert // correct but discouraged, use sizeof(struct T) instead memset(t1, 0, sizeof(*t2)); // GOOD diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToMemset/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToMemset/test.cpp index 6a8c8f904a7..a764eb799bb 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToMemset/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToMemset/test.cpp 
@@ -23,37 +23,37 @@ int main() memset(&ms, 0, sizeof(myStruct)); // GOOD memset(&ms, 0, sizeof(ms)); // GOOD memset(&ms, 0, 8); // BAD [NOT DETECTED] - memset(&ms, 0, sizeof(otherStruct)); // BAD + memset(&ms, 0, sizeof(otherStruct)); // BAD // $ Alert { myStruct *msPtr = &ms; void *vPtr = msPtr; - memset(&msPtr, 0, sizeof(myStruct)); // BAD + memset(&msPtr, 0, sizeof(myStruct)); // BAD // $ Alert memset(&msPtr, 0, sizeof(myStruct *)); // GOOD - memset(&msPtr, 0, sizeof(*msPtr)); // BAD + memset(&msPtr, 0, sizeof(*msPtr)); // BAD // $ Alert memset(&msPtr, 0, sizeof(msPtr)); // GOOD memset(msPtr, 0, sizeof(myStruct)); // GOOD - memset(msPtr, 0, sizeof(myStruct *)); // BAD + memset(msPtr, 0, sizeof(myStruct *)); // BAD // $ Alert memset(msPtr, 0, sizeof(*msPtr)); // GOOD - memset(msPtr, 0, sizeof(msPtr)); // BAD + memset(msPtr, 0, sizeof(msPtr)); // BAD // $ Alert memset(vPtr, 0, sizeof(myStruct)); // GOOD - memset(vPtr, 0, sizeof(myStruct *)); // BAD + memset(vPtr, 0, sizeof(myStruct *)); // BAD // $ Alert memset(vPtr, 0, sizeof(*msPtr)); // GOOD - memset(vPtr, 0, sizeof(msPtr)); // BAD + memset(vPtr, 0, sizeof(msPtr)); // BAD // $ Alert { myStruct **msPtrPtr = &msPtr; - memset(&msPtrPtr, 0, sizeof(myStruct)); // BAD - memset(&msPtrPtr, 0, sizeof(myStruct *)); // BAD + memset(&msPtrPtr, 0, sizeof(myStruct)); // BAD // $ Alert + memset(&msPtrPtr, 0, sizeof(myStruct *)); // BAD // $ Alert memset(&msPtrPtr, 0, sizeof(myStruct **)); // GOOD - memset(msPtrPtr, 0, sizeof(myStruct)); // BAD + memset(msPtrPtr, 0, sizeof(myStruct)); // BAD // $ Alert memset(msPtrPtr, 0, sizeof(myStruct *)); // GOOD - memset(msPtrPtr, 0, sizeof(myStruct **)); // BAD + memset(msPtrPtr, 0, sizeof(myStruct **)); // BAD // $ Alert memset(*msPtrPtr, 0, sizeof(myStruct)); // GOOD - memset(*msPtrPtr, 0, sizeof(myStruct *)); // BAD - memset(*msPtrPtr, 0, sizeof(myStruct **)); // BAD + memset(*msPtrPtr, 0, sizeof(myStruct *)); // BAD // $ Alert + memset(*msPtrPtr, 0, sizeof(myStruct **)); // BAD // $ 
Alert } } } 
@@ -65,40 +65,40 @@ int main() memset(&msArr, 0, sizeof(myStruct) * NUM); // GOOD memset(&msArr, 0, sizeof(msArr)); // GOOD memset(&msArr, 0, sizeof(myStruct[NUM])); // GOOD - memset(&msArr, 0, sizeof(myStruct *)); // BAD + memset(&msArr, 0, sizeof(myStruct *)); // BAD // $ Alert memset(msArr, 0, sizeof(myStruct) * NUM); // GOOD memset(msArr, 0, sizeof(msArr)); // GOOD memset(msArr, 0, sizeof(myStruct[NUM])); // GOOD - memset(msArr, 0, sizeof(myStruct *)); // BAD + memset(msArr, 0, sizeof(myStruct *)); // BAD // $ Alert memset(&(msArr[0]), 0, sizeof(myStruct) * NUM); // GOOD memset(&(msArr[0]), 0, sizeof(msArr)); // GOOD memset(&(msArr[0]), 0, sizeof(myStruct[NUM])); // GOOD - memset(&(msArr[0]), 0, sizeof(myStruct *)); // BAD + memset(&(msArr[0]), 0, sizeof(myStruct *)); // BAD // $ Alert memset(msPtr, 0, sizeof(myStruct) * NUM); // GOOD memset(msPtr, 0, sizeof(msArr)); // GOOD memset(msPtr, 0, sizeof(myStruct[NUM])); // GOOD - memset(msPtr, 0, sizeof(myStruct *)); // BAD + memset(msPtr, 0, sizeof(myStruct *)); // BAD // $ Alert } { myStructPtr msPtrArr[NUM]; - memset(&msPtrArr, 0, sizeof(myStruct) * NUM); // BAD + memset(&msPtrArr, 0, sizeof(myStruct) * NUM); // BAD // $ Alert memset(&msPtrArr, 0, sizeof(myStruct *) * NUM); // GOOD memset(&msPtrArr, 0, sizeof(myStructPtr) * NUM); // GOOD - memset(&msPtrArr, 0, sizeof(myStruct **) * NUM); // BAD + memset(&msPtrArr, 0, sizeof(myStruct **) * NUM); // BAD // $ Alert memset(msPtrArr, 0, sizeof(myStruct) * NUM); // BAD [NOT DETECTED] memset(msPtrArr, 0, sizeof(myStruct *) * NUM); // GOOD memset(msPtrArr, 0, sizeof(myStructPtr) * NUM); // GOOD - memset(msPtrArr, 0, sizeof(myStruct **) * NUM); // BAD - memset(&(msPtrArr[0]), 0, sizeof(myStruct) * NUM); // BAD + memset(msPtrArr, 0, sizeof(myStruct **) * NUM); // BAD // $ Alert + memset(&(msPtrArr[0]), 0, sizeof(myStruct) * NUM); // BAD // $ Alert memset(&(msPtrArr[0]), 0, sizeof(myStruct *) * NUM); // GOOD memset(&(msPtrArr[0]), 0, sizeof(myStructPtr) * NUM); // GOOD - 
memset(&(msPtrArr[0]), 0, sizeof(myStruct **) * NUM); // BAD + memset(&(msPtrArr[0]), 0, sizeof(myStruct **) * NUM); // BAD // $ Alert memset(msPtrArr[0], 0, sizeof(myStruct) * NUM); // GOOD - memset(msPtrArr[0], 0, sizeof(myStruct *) * NUM); // BAD - memset(msPtrArr[0], 0, sizeof(myStructPtr) * NUM); // BAD - memset(msPtrArr[0], 0, sizeof(myStruct **) * NUM); // BAD + memset(msPtrArr[0], 0, sizeof(myStruct *) * NUM); // BAD // $ Alert + memset(msPtrArr[0], 0, sizeof(myStructPtr) * NUM); // BAD // $ Alert + memset(msPtrArr[0], 0, sizeof(myStruct **) * NUM); // BAD // $ Alert } { @@ -126,13 +126,13 @@ void myFunc(myStruct paramArray[80], myStruct &refStruct) memset(&localArray, 0, sizeof(localArray)); // GOOD memset(paramArray, 0, sizeof(myStruct) * 80); // GOOD - memset(paramArray, 0, sizeof(paramArray)); // GOOD [FALSE POSITIVE] - memset(¶mArray, 0, sizeof(myStruct) * 80); // BAD + memset(paramArray, 0, sizeof(paramArray)); // GOOD [FALSE POSITIVE] // $ Alert + memset(¶mArray, 0, sizeof(myStruct) * 80); // BAD // $ Alert memset(¶mArray, 0, sizeof(paramArray)); // BAD [NOT DETECTED] memset(&refStruct, 0, sizeof(myStruct)); // GOOD memset(&refStruct, 0, sizeof(refStruct)); // GOOD - memset(&refStruct, 0, sizeof(myStruct *)); // BAD + memset(&refStruct, 0, sizeof(myStruct *)); // BAD // $ Alert } class MyClass @@ -167,9 +167,9 @@ void more_tests_2() intArrayPointer iapa[88]; memset(iap, 0, sizeof(intArray)); // GOOD - memset(&iap, 0, sizeof(intArray)); // BAD + memset(&iap, 0, sizeof(intArray)); // BAD // $ Alert memset(iapa, 0, sizeof(iapa)); // GOOD - memset(iapa, 0, sizeof(intArrayPointer *)); // BAD + memset(iapa, 0, sizeof(intArrayPointer *)); // BAD // $ Alert } void more_tests_3() diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToStrncat/SuspiciousCallToStrncat.qlref b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToStrncat/SuspiciousCallToStrncat.qlref index 37583da5e48..ed09b7cd912 100644 
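Review bot: In the `@@ -126,13` hunk, `memset(paramArray, 0, sizeof(paramArray)); // GOOD [FALSE POSITIVE] // $ Alert` now carries a comment and an expectation that disagree. `paramArray` is declared as the parameter `myStruct paramArray[80]`, so `sizeof(paramArray)` is the size of a pointer rather than of 80 structs and the alert looks like a true positive; if that is right, the comment should become `// BAD // $ Alert`. If the false-positive verdict is intended, `// $ SPURIOUS: Alert` records it in a form the test harness understands. myFunc's body starts before the hunk.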
--- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToStrncat/SuspiciousCallToStrncat.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToStrncat/SuspiciousCallToStrncat.qlref @@ -1 +1,2 @@ -Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql +query: Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToStrncat/test.c b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToStrncat/test.c index 13c18b75dbb..0ea05c6bf18 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToStrncat/test.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToStrncat/test.c @@ -21,7 +21,7 @@ void good0(char *s) { void bad0(char *s) { char buf[80]; strcpy(buf, "s = "); - strncat(buf, s, sizeof(buf)); // BAD -- Forgot to allow for "s = " + strncat(buf, s, sizeof(buf)); // BAD -- Forgot to allow for "s = " // $ Alert strncat(buf, ".", 1); // BAD [NOT DETECTED] -- there might not be even 1 character of space } @@ -42,7 +42,7 @@ void bad1(char *s) { void strncat_test1(char *s) { char buf[80]; strncat(buf, s, sizeof(buf) - strlen(buf) - 1); // GOOD - strncat(buf, s, sizeof(buf) - strlen(buf)); // BAD + strncat(buf, s, sizeof(buf) - strlen(buf)); // BAD // $ Alert } void* malloc(size_t); @@ -64,7 +64,7 @@ void strncat_test3(char* s, struct buffers* buffers) { unsigned len_array = strlen(buffers->array); unsigned max_size = sizeof(buffers->array); unsigned free_size = max_size - len_array; - strncat(buffers->array, s, free_size); // BAD + strncat(buffers->array, s, free_size); // BAD // $ Alert } #define MAX_SIZE 80 
@@ -72,8 +72,8 @@ void strncat_test3(char* s, struct buffers* buffers) { void strncat_test4(char *s) { char buf[MAX_SIZE]; strncat(buf, s, MAX_SIZE - strlen(buf) - 1); // GOOD - strncat(buf, s, MAX_SIZE - strlen(buf)); // BAD - strncat(buf, "...", MAX_SIZE - strlen(buf)); // BAD + strncat(buf, s, MAX_SIZE - strlen(buf)); // BAD // $ Alert + strncat(buf, "...", MAX_SIZE - strlen(buf)); // BAD // $ Alert } void strncat_test5(char *s) { @@ -88,7 +88,7 @@ void strncat_test6() { char dest[60]; dest[0] = '\0'; // Will write `dest[0 .. 5]` - strncat(dest, "small", sizeof(dest)); // GOOD [FALSE POSITIVE] + strncat(dest, "small", sizeof(dest)); // GOOD [FALSE POSITIVE] // $ Alert } { @@ -96,6 +96,6 @@ void strncat_test6() { memset(dest, 'a', sizeof(dest)); dest[54] = '\0'; // Will write `dest[54 .. 59]` - strncat(dest, "small", sizeof(dest)); // GOOD [FALSE POSITIVE] + strncat(dest, "small", sizeof(dest)); // GOOD [FALSE POSITIVE] // $ Alert } } \ No newline at end of file diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousSizeof/SuspiciousSizeof.qlref b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousSizeof/SuspiciousSizeof.qlref index b31c76e4583..846e202a48a 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousSizeof/SuspiciousSizeof.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousSizeof/SuspiciousSizeof.qlref @@ -1 +1,2 @@ -Likely Bugs/Memory Management/SuspiciousSizeof.ql \ No newline at end of file +query: Likely Bugs/Memory Management/SuspiciousSizeof.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousSizeof/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousSizeof/test.cpp index f782badb55a..82da4edd17e 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousSizeof/test.cpp 
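Review bot: Both calls in strncat_test6 (hunks `@@ -88,7` and `@@ -96,6`) are annotated `// GOOD [FALSE POSITIVE] // $ Alert`, which makes a known false positive indistinguishable from a wanted result in the expectations. Writing `strncat(dest, "small", sizeof(dest)); // GOOD [FALSE POSITIVE] // $ SPURIOUS: Alert` still expects the result today while marking it as one to remove. strncat_test6 starts before the first of these hunks.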
+++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousSizeof/test.cpp @@ -3,21 +3,21 @@ typedef unsigned int size_t; void *memcpy(void *destination, const void *source, size_t num); void f1(char s[]) { - int size = sizeof(s); // BAD + int size = sizeof(s); // BAD // $ Alert // s is now a char*, not an array. // sizeof(s) will evaluate to sizeof(char *) int size2 = sizeof(s[0]); // GOOD } void f2(char s[10]) { - int size = sizeof(s); // BAD + int size = sizeof(s); // BAD // $ Alert int size2 = sizeof(s[0]); // GOOD } typedef char myarray[10]; void f3(myarray s) { - int size = sizeof(s); // BAD + int size = sizeof(s); // BAD // $ Alert int size2 = sizeof(s[0]); // GOOD } @@ -28,7 +28,7 @@ struct container }; void f4(container *s) { - int size = sizeof(s); // (dubious) + int size = sizeof(s); // (dubious) // $ Alert int size3 = sizeof(s->ptr); // GOOD int size2 = sizeof(s->array); // GOOD } @@ -42,7 +42,7 @@ void f5(container *s) { void f6(container *s) { container t; - memcpy(&t, s, sizeof(s)); // BAD + memcpy(&t, s, sizeof(s)); // BAD // $ Alert } void f7(container *s) { @@ -55,5 +55,5 @@ class myClass {}; typedef myClass *myClassPtr; void f8(const myClassPtr s[]) { - int size = sizeof(s); // BAD + int size = sizeof(s); // BAD // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UnsafeUseOfStrcat/strcat.c b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UnsafeUseOfStrcat/strcat.c index ea723e1e0f5..efadee92900 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UnsafeUseOfStrcat/strcat.c +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UnsafeUseOfStrcat/strcat.c 
@@ -19,7 +19,7 @@ void f(void) { output4[0] = '\0'; strcat(output1, str1); strcat(output2, str1); - strcat(output3, str2); // Bad, as str2 gets reassigned - strcat(output4, str3); // Bad, as str3 gets fiddled with + strcat(output3, str2); // Bad, as str2 gets reassigned // $ Alert + strcat(output4, str3); // Bad, as str3 gets fiddled with // $ Alert } diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UnsafeUseOfStrcat/strcat.qlref b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UnsafeUseOfStrcat/strcat.qlref index 9790cddebab..7f1a1cf35f2 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UnsafeUseOfStrcat/strcat.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UnsafeUseOfStrcat/strcat.qlref @@ -1 +1,2 @@ -Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql +query: Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/UsingExpiredStackAddress.expected b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/UsingExpiredStackAddress.expected index 858dbea5932..bf50722ec86 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/UsingExpiredStackAddress.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/UsingExpiredStackAddress.expected 
@@ -1,3 +1,31 @@ +#select +| test.cpp:15:16:15:16 | Load: p | test.cpp:10:3:10:13 | Store: ... = ... | test.cpp:15:16:15:16 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:9:7:9:7 | x | x | test.cpp:10:3:10:13 | Store: ... = ... | this store | +| test.cpp:24:16:24:16 | Load: p | test.cpp:10:3:10:13 | Store: ... = ... | test.cpp:24:16:24:16 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:9:7:9:7 | x | x | test.cpp:10:3:10:13 | Store: ... = ... | this store | +| test.cpp:58:16:58:16 | Load: p | test.cpp:52:3:52:13 | Store: ... = ... | test.cpp:58:16:58:16 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:51:36:51:36 | y | y | test.cpp:52:3:52:13 | Store: ... = ... | this store | +| test.cpp:73:16:73:16 | Load: p | test.cpp:68:3:68:13 | Store: ... = ... | test.cpp:73:16:73:16 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:62:7:62:7 | x | x | test.cpp:68:3:68:13 | Store: ... = ... | this store | +| test.cpp:98:15:98:15 | Load: p | test.cpp:93:3:93:15 | Store: ... = ... | test.cpp:98:15:98:15 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:92:8:92:8 | s | s | test.cpp:93:3:93:15 | Store: ... = ... | this store | +| test.cpp:111:16:111:16 | Load: p | test.cpp:106:3:106:14 | Store: ... = ... | test.cpp:111:16:111:16 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:102:7:102:7 | x | x | test.cpp:106:3:106:14 | Store: ... = ... | this store | +| test.cpp:161:16:161:17 | Load: p1 | test.cpp:136:3:136:12 | Store: ... = ... | test.cpp:161:16:161:17 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:132:7:132:8 | b1 | b1 | test.cpp:136:3:136:12 | Store: ... = ... | this store | +| test.cpp:162:16:162:17 | Load: p1 | test.cpp:137:3:137:16 | Store: ... = ... 
| test.cpp:162:16:162:17 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:132:7:132:8 | b1 | b1 | test.cpp:137:3:137:16 | Store: ... = ... | this store | +| test.cpp:164:16:164:17 | Load: p2 | test.cpp:139:3:139:12 | Store: ... = ... | test.cpp:164:16:164:17 | Load: p2 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:139:3:139:12 | Store: ... = ... | this store | +| test.cpp:165:16:165:17 | Load: p2 | test.cpp:139:3:139:12 | Store: ... = ... | test.cpp:165:16:165:17 | Load: p2 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:139:3:139:12 | Store: ... = ... | this store | +| test.cpp:166:17:166:18 | Load: p2 | test.cpp:140:3:140:16 | Store: ... = ... | test.cpp:166:17:166:18 | Load: p2 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:140:3:140:16 | Store: ... = ... | this store | +| test.cpp:167:16:167:17 | Load: p1 | test.cpp:141:3:141:15 | Store: ... = ... | test.cpp:167:16:167:17 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:141:3:141:15 | Store: ... = ... | this store | +| test.cpp:168:17:168:18 | Load: p1 | test.cpp:142:3:142:19 | Store: ... = ... | test.cpp:168:17:168:18 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:142:3:142:19 | Store: ... = ... | this store | +| test.cpp:170:16:170:17 | Load: p3 | test.cpp:144:3:144:12 | Store: ... = ... | test.cpp:170:16:170:17 | Load: p3 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:144:3:144:12 | Store: ... = ... | this store | +| test.cpp:171:17:171:18 | Load: p3 | test.cpp:145:3:145:16 | Store: ... = ... 
| test.cpp:171:17:171:18 | Load: p3 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:145:3:145:16 | Store: ... = ... | this store | +| test.cpp:172:18:172:19 | Load: p2 | test.cpp:146:3:146:15 | Store: ... = ... | test.cpp:172:18:172:19 | Load: p2 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:146:3:146:15 | Store: ... = ... | this store | +| test.cpp:173:18:173:19 | Load: p2 | test.cpp:147:3:147:19 | Store: ... = ... | test.cpp:173:18:173:19 | Load: p2 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:147:3:147:19 | Store: ... = ... | this store | +| test.cpp:174:18:174:19 | Load: p1 | test.cpp:142:3:142:19 | Store: ... = ... | test.cpp:174:18:174:19 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:142:3:142:19 | Store: ... = ... | this store | +| test.cpp:175:16:175:17 | Load: p1 | test.cpp:148:3:148:18 | Store: ... = ... | test.cpp:175:16:175:17 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:148:3:148:18 | Store: ... = ... | this store | +| test.cpp:177:14:177:21 | Load: access to array | test.cpp:151:3:151:15 | Store: ... = ... | test.cpp:177:14:177:21 | Load: access to array | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:132:7:132:8 | b1 | b1 | test.cpp:151:3:151:15 | Store: ... = ... | this store | +| test.cpp:178:14:178:21 | Load: access to array | test.cpp:152:3:152:19 | Store: ... = ... | test.cpp:178:14:178:21 | Load: access to array | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:132:7:132:8 | b1 | b1 | test.cpp:152:3:152:19 | Store: ... = ... | this store | +| test.cpp:179:14:179:21 | Load: access to array | test.cpp:153:3:153:18 | Store: ... = ... 
| test.cpp:179:14:179:21 | Load: access to array | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:153:3:153:18 | Store: ... = ... | this store | +| test.cpp:180:14:180:19 | Load: * ... | test.cpp:154:3:154:22 | Store: ... = ... | test.cpp:180:14:180:19 | Load: * ... | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:154:3:154:22 | Store: ... = ... | this store | +| test.cpp:181:13:181:20 | Load: access to array | test.cpp:155:3:155:21 | Store: ... = ... | test.cpp:181:13:181:20 | Load: access to array | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:155:3:155:21 | Store: ... = ... | this store | +| test.cpp:182:14:182:19 | Load: * ... | test.cpp:156:3:156:25 | Store: ... = ... | test.cpp:182:14:182:19 | Load: * ... | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:156:3:156:25 | Store: ... = ... | this store | +| test.cpp:239:17:239:17 | Load: p | test.cpp:234:3:234:13 | Store: ... = ... | test.cpp:239:17:239:17 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:232:7:232:7 | x | x | test.cpp:234:3:234:13 | Store: ... = ... | this store | +| test.cpp:268:17:268:17 | Load: p | test.cpp:263:3:263:13 | Store: ... = ... | test.cpp:268:17:268:17 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:260:7:260:7 | x | x | test.cpp:263:3:263:13 | Store: ... = ... | this store | edges | test.cpp:10:3:10:13 | Store: ... = ... | test.cpp:14:3:14:9 | Call: call to escape1 | | test.cpp:10:3:10:13 | Store: ... = ... | test.cpp:19:3:19:9 | Call: call to escape1 | 
@@ -68,31 +96,3 @@ edges | test.cpp:238:3:238:9 | Call: call to escape2 | test.cpp:239:17:239:17 | Load: p | | test.cpp:263:3:263:13 | Store: ... = ... | test.cpp:267:3:267:9 | Call: call to escape3 | | test.cpp:267:3:267:9 | Call: call to escape3 | test.cpp:268:17:268:17 | Load: p | -#select -| test.cpp:15:16:15:16 | Load: p | test.cpp:10:3:10:13 | Store: ... = ... | test.cpp:15:16:15:16 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:9:7:9:7 | x | x | test.cpp:10:3:10:13 | Store: ... = ... | this store | -| test.cpp:24:16:24:16 | Load: p | test.cpp:10:3:10:13 | Store: ... = ... | test.cpp:24:16:24:16 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:9:7:9:7 | x | x | test.cpp:10:3:10:13 | Store: ... = ... | this store | -| test.cpp:58:16:58:16 | Load: p | test.cpp:52:3:52:13 | Store: ... = ... | test.cpp:58:16:58:16 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:51:36:51:36 | y | y | test.cpp:52:3:52:13 | Store: ... = ... | this store | -| test.cpp:73:16:73:16 | Load: p | test.cpp:68:3:68:13 | Store: ... = ... | test.cpp:73:16:73:16 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:62:7:62:7 | x | x | test.cpp:68:3:68:13 | Store: ... = ... | this store | -| test.cpp:98:15:98:15 | Load: p | test.cpp:93:3:93:15 | Store: ... = ... | test.cpp:98:15:98:15 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:92:8:92:8 | s | s | test.cpp:93:3:93:15 | Store: ... = ... | this store | -| test.cpp:111:16:111:16 | Load: p | test.cpp:106:3:106:14 | Store: ... = ... | test.cpp:111:16:111:16 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:102:7:102:7 | x | x | test.cpp:106:3:106:14 | Store: ... = ... | this store | -| test.cpp:161:16:161:17 | Load: p1 | test.cpp:136:3:136:12 | Store: ... = ... 
| test.cpp:161:16:161:17 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:132:7:132:8 | b1 | b1 | test.cpp:136:3:136:12 | Store: ... = ... | this store | -| test.cpp:162:16:162:17 | Load: p1 | test.cpp:137:3:137:16 | Store: ... = ... | test.cpp:162:16:162:17 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:132:7:132:8 | b1 | b1 | test.cpp:137:3:137:16 | Store: ... = ... | this store | -| test.cpp:164:16:164:17 | Load: p2 | test.cpp:139:3:139:12 | Store: ... = ... | test.cpp:164:16:164:17 | Load: p2 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:139:3:139:12 | Store: ... = ... | this store | -| test.cpp:165:16:165:17 | Load: p2 | test.cpp:139:3:139:12 | Store: ... = ... | test.cpp:165:16:165:17 | Load: p2 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:139:3:139:12 | Store: ... = ... | this store | -| test.cpp:166:17:166:18 | Load: p2 | test.cpp:140:3:140:16 | Store: ... = ... | test.cpp:166:17:166:18 | Load: p2 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:140:3:140:16 | Store: ... = ... | this store | -| test.cpp:167:16:167:17 | Load: p1 | test.cpp:141:3:141:15 | Store: ... = ... | test.cpp:167:16:167:17 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:141:3:141:15 | Store: ... = ... | this store | -| test.cpp:168:17:168:18 | Load: p1 | test.cpp:142:3:142:19 | Store: ... = ... | test.cpp:168:17:168:18 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:142:3:142:19 | Store: ... = ... | this store | -| test.cpp:170:16:170:17 | Load: p3 | test.cpp:144:3:144:12 | Store: ... = ... 
| test.cpp:170:16:170:17 | Load: p3 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:144:3:144:12 | Store: ... = ... | this store | -| test.cpp:171:17:171:18 | Load: p3 | test.cpp:145:3:145:16 | Store: ... = ... | test.cpp:171:17:171:18 | Load: p3 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:145:3:145:16 | Store: ... = ... | this store | -| test.cpp:172:18:172:19 | Load: p2 | test.cpp:146:3:146:15 | Store: ... = ... | test.cpp:172:18:172:19 | Load: p2 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:146:3:146:15 | Store: ... = ... | this store | -| test.cpp:173:18:173:19 | Load: p2 | test.cpp:147:3:147:19 | Store: ... = ... | test.cpp:173:18:173:19 | Load: p2 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:147:3:147:19 | Store: ... = ... | this store | -| test.cpp:174:18:174:19 | Load: p1 | test.cpp:142:3:142:19 | Store: ... = ... | test.cpp:174:18:174:19 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:142:3:142:19 | Store: ... = ... | this store | -| test.cpp:175:16:175:17 | Load: p1 | test.cpp:148:3:148:18 | Store: ... = ... | test.cpp:175:16:175:17 | Load: p1 | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:148:3:148:18 | Store: ... = ... | this store | -| test.cpp:177:14:177:21 | Load: access to array | test.cpp:151:3:151:15 | Store: ... = ... | test.cpp:177:14:177:21 | Load: access to array | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:132:7:132:8 | b1 | b1 | test.cpp:151:3:151:15 | Store: ... = ... | this store | -| test.cpp:178:14:178:21 | Load: access to array | test.cpp:152:3:152:19 | Store: ... = ... 
| test.cpp:178:14:178:21 | Load: access to array | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:132:7:132:8 | b1 | b1 | test.cpp:152:3:152:19 | Store: ... = ... | this store | -| test.cpp:179:14:179:21 | Load: access to array | test.cpp:153:3:153:18 | Store: ... = ... | test.cpp:179:14:179:21 | Load: access to array | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:153:3:153:18 | Store: ... = ... | this store | -| test.cpp:180:14:180:19 | Load: * ... | test.cpp:154:3:154:22 | Store: ... = ... | test.cpp:180:14:180:19 | Load: * ... | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:133:7:133:8 | b2 | b2 | test.cpp:154:3:154:22 | Store: ... = ... | this store | -| test.cpp:181:13:181:20 | Load: access to array | test.cpp:155:3:155:21 | Store: ... = ... | test.cpp:181:13:181:20 | Load: access to array | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:155:3:155:21 | Store: ... = ... | this store | -| test.cpp:182:14:182:19 | Load: * ... | test.cpp:156:3:156:25 | Store: ... = ... | test.cpp:182:14:182:19 | Load: * ... | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:134:7:134:8 | b3 | b3 | test.cpp:156:3:156:25 | Store: ... = ... | this store | -| test.cpp:239:17:239:17 | Load: p | test.cpp:234:3:234:13 | Store: ... = ... | test.cpp:239:17:239:17 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:232:7:232:7 | x | x | test.cpp:234:3:234:13 | Store: ... = ... | this store | -| test.cpp:268:17:268:17 | Load: p | test.cpp:263:3:263:13 | Store: ... = ... | test.cpp:268:17:268:17 | Load: p | Stack variable $@ escapes at $@ and is used after it has expired. | test.cpp:260:7:260:7 | x | x | test.cpp:263:3:263:13 | Store: ... = ... | this store | 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/UsingExpiredStackAddress.qlref b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/UsingExpiredStackAddress.qlref index ce6cdee0d86..4075c6c5798 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/UsingExpiredStackAddress.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/UsingExpiredStackAddress.qlref @@ -1 +1,2 @@ -Likely Bugs/Memory Management/UsingExpiredStackAddress.ql \ No newline at end of file +query: Likely Bugs/Memory Management/UsingExpiredStackAddress.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/test.cpp index 616305a8174..14a10769e14 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/UsingExpiredStackAddress/test.cpp @@ -7,12 +7,12 @@ static struct S100 s101; void escape1() { int x; - s101.p = &x; + s101.p = &x; // $ Source } int simple_field_bad() { escape1(); - return *s101.p; // BAD + return *s101.p; // BAD // $ Alert } int simple_field_good() { @@ -21,7 +21,7 @@ int simple_field_good() { } int deref_p() { - return *s101.p; // BAD + return *s101.p; // BAD // $ Alert } int field_indirect_bad() { @@ -49,13 +49,13 @@ int store_argument_value() { } void store_address_of_argument(int y) { - s101.p = &y; + s101.p = &y; // $ Source } int store_argument_address() { int x; store_address_of_argument(x); - return *s101.p; // BAD + return *s101.p; // BAD // $ Alert } void address_escapes_through_pointer_arith() { 
@@ -65,12 +65,12 @@ void address_escapes_through_pointer_arith() { int* p2 = p1 - 1; int* p3 = 1 + p2; p3++; - s101.p = p3; + s101.p = p3; // $ Source } int test_pointer_arith_bad() { address_escapes_through_pointer_arith(); - return *s101.p; // BAD + return *s101.p; // BAD // $ Alert } int test_pointer_arith_good_1() { @@ -90,12 +90,12 @@ int test_pointer_arith_good_2(bool b) { void field_address_escapes() { S100 s; - s101.p = &s.i; + s101.p = &s.i; // $ Source } int test_field_address_escapes() { field_address_escapes(); - return s101.p[0]; // BAD + return s101.p[0]; // BAD // $ Alert } void escape_through_reference() { @@ -103,12 +103,12 @@ void escape_through_reference() { int& r0 = x; int& r1 = r0; r1++; - s101.p = &r1; + s101.p = &r1; // $ Source } int test_escapes_through_reference() { escape_through_reference(); - return *s101.p; // BAD + return *s101.p; // BAD // $ Alert } struct S300 { 
@@ -133,53 +133,53 @@ void escape_through_arrays() { int b2[14][15]; int b3[13][14][15]; - s1.p1 = b1; - s2.p1 = &b1[1]; + s1.p1 = b1; // $ Source + s2.p1 = &b1[1]; // $ Source - s1.p2 = b2; - s2.p2 = &b2[1]; - s3.p1 = b2[1]; - s4.p1 = &b2[1][2]; + s1.p2 = b2; // $ Source + s2.p2 = &b2[1]; // $ Source + s3.p1 = b2[1]; // $ Source + s4.p1 = &b2[1][2]; // $ Source - s1.p3 = b3; - s2.p3 = &b3[1]; - s3.p2 = b3[1]; - s4.p2 = &b3[1][2]; - s5.p1 = b3[1][2]; + s1.p3 = b3; // $ Source + s2.p3 = &b3[1]; // $ Source + s3.p2 = b3[1]; // $ Source + s4.p2 = &b3[1][2]; // $ Source + s5.p1 = b3[1][2]; // $ Source s6.p1 = &b3[1][2][3]; - s1.pp[0] = b1; - s2.pp[0] = &b1[1]; - s3.pp[0] = b2[1]; - s4.pp[0] = &b2[1][2]; - s5.pp[0] = b3[1][2]; - s6.pp[0] = &b3[1][2][3]; + s1.pp[0] = b1; // $ Source + s2.pp[0] = &b1[1]; // $ Source + s3.pp[0] = b2[1]; // $ Source + s4.pp[0] = &b2[1][2]; // $ Source + s5.pp[0] = b3[1][2]; // $ Source + s6.pp[0] = &b3[1][2][3]; // $ Source } void test_escape_through_arrays() { escape_through_arrays(); - int x1 = *s1.p1; // BAD - int x2 = *s2.p1; // BAD + int x1 = *s1.p1; // BAD // $ Alert + int x2 = *s2.p1; // BAD // $ Alert - int* x3 = s1.p2[1]; // BAD - int x4 = *s1.p2[1]; // BAD - int* x5 = *s2.p2; // BAD - int* x6 = s3.p1; // BAD - int x7 = *&s4.p1[1]; // BAD + int* x3 = s1.p2[1]; // BAD // $ Alert + int x4 = *s1.p2[1]; // BAD // $ Alert + int* x5 = *s2.p2; // BAD // $ Alert + int* x6 = s3.p1; // BAD // $ Alert + int x7 = *&s4.p1[1]; // BAD // $ Alert - int x8 = *s1.p3[1][2]; // BAD - int x9 = (*s2.p3[0])[0]; // BAD - int x10 = **s3.p2; // BAD - int x11 = **s4.p2; // BAD - int x12 = (*s4.p1); // BAD - int x13 = s5.p1[1]; // BAD + int x8 = *s1.p3[1][2]; // BAD // $ Alert + int x9 = (*s2.p3[0])[0]; // BAD // $ Alert + int x10 = **s3.p2; // BAD // $ Alert + int x11 = **s4.p2; // BAD // $ Alert + int x12 = (*s4.p1); // BAD // $ Alert + int x13 = s5.p1[1]; // BAD // $ Alert - int* x14 = s1.pp[0]; // BAD - int x15 = *s2.pp[0]; // BAD - int x16 = *s3.pp[0]; 
// BAD - int x17 = **s4.pp; // BAD - int x18 = s5.pp[0][0]; // BAD - int x19 = (*s6.pp)[0]; // BAD + int* x14 = s1.pp[0]; // BAD // $ Alert + int x15 = *s2.pp[0]; // BAD // $ Alert + int x16 = *s3.pp[0]; // BAD // $ Alert + int x17 = **s4.pp; // BAD // $ Alert + int x18 = s5.pp[0][0]; // BAD // $ Alert + int x19 = (*s6.pp)[0]; // BAD // $ Alert } void not_escape_through_arrays() { @@ -231,12 +231,12 @@ static struct S100 s103; void escape2() { int x; s103.p = nullptr; - s103.p = &x; + s103.p = &x; // $ Source } void calls_escape2() { escape2(); - int x = *s103.p; // BAD + int x = *s103.p; // BAD // $ Alert } bool unknown(); @@ -260,10 +260,10 @@ void escape3() { int x; s105.p = nullptr; if(unknown()) { } - s105.p = &x; + s105.p = &x; // $ Source } void calls_escape3() { escape3(); - int x = *s105.p; // BAD + int x = *s105.p; // BAD // $ Alert } \ No newline at end of file diff --git a/cpp/ql/test/query-tests/Likely Bugs/OO/IncorrectConstructorDelegation/IncorrectConstructorDelegation.qlref b/cpp/ql/test/query-tests/Likely Bugs/OO/IncorrectConstructorDelegation/IncorrectConstructorDelegation.qlref index 193c84e1ab2..f29596941a1 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/OO/IncorrectConstructorDelegation/IncorrectConstructorDelegation.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/OO/IncorrectConstructorDelegation/IncorrectConstructorDelegation.qlref @@ -1 +1,2 @@ -Likely Bugs/OO/IncorrectConstructorDelegation.ql +query: Likely Bugs/OO/IncorrectConstructorDelegation.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/OO/IncorrectConstructorDelegation/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/OO/IncorrectConstructorDelegation/test.cpp index ce652cabdac..225f3735a41 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/OO/IncorrectConstructorDelegation/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/OO/IncorrectConstructorDelegation/test.cpp 
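Review bot: In the `@@ -133,53` hunk, `s6.p1 = &b3[1][2][3];` is the only store in escape_through_arrays left without `// $ Source`, and nothing on the line says why. No statement of test_escape_through_arrays loads `s6.p1` (x12 reads `s4.p1`, x13 reads `s5.p1`), so presumably there is simply no use after expiry for that store rather than a missed detection. A short comment such as `// no Source: test_escape_through_arrays does not read s6.p1` would keep the next reader from treating it as an omission, or a load of `s6.p1` could be added to cover that escape. escape_through_arrays starts before the hunk.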
@@ -4,7 +4,7 @@ class MyRect public: MyRect() { - MyRect(100.0f, 100.0f); // BAD + MyRect(100.0f, 100.0f); // BAD // $ Alert } MyRect(float _width, float _height) : width(_width), height(_height) @@ -13,7 +13,7 @@ public: MyRect(float _width) { - MyRect(_width, _width); // BAD + MyRect(_width, _width); // BAD // $ Alert } MyRect(int a) : MyRect(10.0f, 10.0f) // GOOD diff --git a/cpp/ql/test/query-tests/Likely Bugs/OO/NonVirtualDestructorInBaseClass/NonVirtualDestructorInBaseClass.cpp b/cpp/ql/test/query-tests/Likely Bugs/OO/NonVirtualDestructorInBaseClass/NonVirtualDestructorInBaseClass.cpp index 4b7b61de8ce..2555a6cb842 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/OO/NonVirtualDestructorInBaseClass/NonVirtualDestructorInBaseClass.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/OO/NonVirtualDestructorInBaseClass/NonVirtualDestructorInBaseClass.cpp @@ -53,7 +53,7 @@ struct Base_Virtual_VirtualDtor virtual void VirtualFunction(); }; -struct Base_Virtual_NonVirtualDtor +struct Base_Virtual_NonVirtualDtor // $ Alert { ~Base_Virtual_NonVirtualDtor(); virtual void VirtualFunction(); @@ -65,7 +65,7 @@ struct Base_Virtual_ImplicitDtor virtual void VirtualFunction(); }; -struct Base_Virtual_NonVirtualDtorWithDefinition +struct Base_Virtual_NonVirtualDtorWithDefinition // $ Alert { ~Base_Virtual_NonVirtualDtorWithDefinition(); virtual void VirtualFunction(); @@ -75,7 +75,7 @@ Base_Virtual_NonVirtualDtorWithDefinition::~Base_Virtual_NonVirtualDtorWithDefin { } -struct Base_Virtual_NonVirtualDtorWithInlineDefinition +struct Base_Virtual_NonVirtualDtorWithInlineDefinition // $ Alert { ~Base_Virtual_NonVirtualDtorWithInlineDefinition() { diff --git a/cpp/ql/test/query-tests/Likely Bugs/OO/NonVirtualDestructorInBaseClass/NonVirtualDestructorInBaseClass.qlref b/cpp/ql/test/query-tests/Likely Bugs/OO/NonVirtualDestructorInBaseClass/NonVirtualDestructorInBaseClass.qlref index ff3cecfecc7..9ca3f49140e 100644 
--- a/cpp/ql/test/query-tests/Likely Bugs/OO/NonVirtualDestructorInBaseClass/NonVirtualDestructorInBaseClass.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/OO/NonVirtualDestructorInBaseClass/NonVirtualDestructorInBaseClass.qlref @@ -1 +1,2 @@ -Likely Bugs/OO/NonVirtualDestructorInBaseClass.ql +query: Likely Bugs/OO/NonVirtualDestructorInBaseClass.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/OO/ThrowInDestructor/ThrowInDestructor.qlref b/cpp/ql/test/query-tests/Likely Bugs/OO/ThrowInDestructor/ThrowInDestructor.qlref index 2b0862fc362..eee2e41916c 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/OO/ThrowInDestructor/ThrowInDestructor.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/OO/ThrowInDestructor/ThrowInDestructor.qlref @@ -1 +1,2 @@ -Likely Bugs/OO/ThrowInDestructor.ql +query: Likely Bugs/OO/ThrowInDestructor.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/OO/ThrowInDestructor/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/OO/ThrowInDestructor/test.cpp index 247d6d801ef..0574cc47fac 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/OO/ThrowInDestructor/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/OO/ThrowInDestructor/test.cpp @@ -10,7 +10,7 @@ struct ThrowsDirectly { ~ThrowsDirectly() noexcept(false) { if (i == 0) { - throw exception(); // BAD + throw exception(); // BAD // $ Alert } else if (i == 1) { try { @@ -45,14 +45,14 @@ struct ThrowsDirectly { } else if (i == 5) { try { if (i == 5) - throw exception(); // BAD + throw exception(); // BAD // $ Alert } catch (const specific_exception &) { } } else if (i == 6) { try { if (i == 6) - throw exception(); // BAD + throw exception(); // BAD // $ Alert } catch (const other_throwable &) { } } 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Protocols/TlsSettingsMisconfiguration.qlref b/cpp/ql/test/query-tests/Likely Bugs/Protocols/TlsSettingsMisconfiguration.qlref
index 8c1c54ff960..bc1be3c9bfb 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Protocols/TlsSettingsMisconfiguration.qlref
+++ b/cpp/ql/test/query-tests/Likely Bugs/Protocols/TlsSettingsMisconfiguration.qlref
@@ -1 +1,2 @@
-Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql
\ No newline at end of file
+query: Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.qlref b/cpp/ql/test/query-tests/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.qlref
index 2cef090faef..b682f4aa2d5 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.qlref
+++ b/cpp/ql/test/query-tests/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.qlref
@@ -1 +1,2 @@
-Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.ql
\ No newline at end of file
+query: Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Protocols/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Protocols/test.cpp
index 5c2c2d6e357..f9b0f05b091 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Protocols/test.cpp
+++ b/cpp/ql/test/query-tests/Likely Bugs/Protocols/test.cpp
@@ -22,23 +22,23 @@ void TestProperConfiguration_inter_CorrectUsage02() void TestProperConfiguration_inter_IncorrectUsage01() { - boost::asio::ssl::context ctx(boost::asio::ssl::context::sslv23); // BAD - missing disable SSLv3 + boost::asio::ssl::context ctx(boost::asio::ssl::context::sslv23); // BAD - missing disable SSLv3 // $ Alert[cpp/boost/tls-settings-misconfiguration] SetOptionsNoOldTls(ctx); } void TestProperConfiguration_IncorrectUsage01() { - boost::asio::ssl::context ctx(boost::asio::ssl::context::sslv23); // BAD + boost::asio::ssl::context ctx(boost::asio::ssl::context::sslv23); // BAD // $ Alert[cpp/boost/tls-settings-misconfiguration] } void TestProperConfiguration_IncorrectUsage02() { - boost::asio::ssl::context ctx(boost::asio::ssl::context::tls); // BAD + boost::asio::ssl::context ctx(boost::asio::ssl::context::tls); // BAD // $ Alert[cpp/boost/tls-settings-misconfiguration] } void TestProperConfiguration_IncorrectUsage03() { - boost::asio::ssl::context ctx(boost::asio::ssl::context::tls); // BAD + boost::asio::ssl::context ctx(boost::asio::ssl::context::tls); // BAD // $ Alert[cpp/boost/tls-settings-misconfiguration] SetOptionsNoOldTls(ctx); ctx.set_options(boost::asio::ssl::context::no_tlsv1 | boost::asio::ssl::context::no_tlsv1_2 ); // BUG - disabling TLS 1.2 
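Review bot: The bare `// BAD` comments on the constructor lines of `TestProperConfiguration_IncorrectUsage01` and `TestProperConfiguration_IncorrectUsage02` give no reason, so with the new `$ Alert[cpp/boost/tls-settings-misconfiguration]` tag the line states the expected result but not why it is expected. Both functions, as shown in this hunk, construct the context and never call `set_options`, so a comment such as `// BAD - no protocol options are set on this context` would document the case. In `TestProperConfiguration_IncorrectUsage03` the tag sits on the constructor while the explanation (`// BUG - disabling TLS 1.2`) is two lines further down; a pointer on the constructor line, e.g. `// BAD - TLS 1.2 is disabled below`, would keep reason and expectation together. The body of that last function ends outside the hunk.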
@@ -47,21 +47,21 @@ void TestProperConfiguration_IncorrectUsage03() void TestHardcodedProtocols() { //////////////////////// Banned Hardcoded algorithms - boost::asio::ssl::context cxt_sslv2(boost::asio::ssl::context::sslv2); // BUG - boost::asio::ssl::context cxt_sslv2c(boost::asio::ssl::context::sslv2_client); // BUG - boost::asio::ssl::context cxt_sslv2s(boost::asio::ssl::context::sslv2_server); // BUG + boost::asio::ssl::context cxt_sslv2(boost::asio::ssl::context::sslv2); // BUG // $ Alert[cpp/boost/use-of-deprecated-hardcoded-security-protocol] + boost::asio::ssl::context cxt_sslv2c(boost::asio::ssl::context::sslv2_client); // BUG // $ Alert[cpp/boost/use-of-deprecated-hardcoded-security-protocol] + boost::asio::ssl::context cxt_sslv2s(boost::asio::ssl::context::sslv2_server); // BUG // $ Alert[cpp/boost/use-of-deprecated-hardcoded-security-protocol] - boost::asio::ssl::context cxt_sslv3(boost::asio::ssl::context::sslv3); // BUG - boost::asio::ssl::context cxt_sslv3c(boost::asio::ssl::context::sslv3_client); // BUG - boost::asio::ssl::context cxt_sslv3s(boost::asio::ssl::context::sslv3_server); // BUG + boost::asio::ssl::context cxt_sslv3(boost::asio::ssl::context::sslv3); // BUG // $ Alert[cpp/boost/use-of-deprecated-hardcoded-security-protocol] + boost::asio::ssl::context cxt_sslv3c(boost::asio::ssl::context::sslv3_client); // BUG // $ Alert[cpp/boost/use-of-deprecated-hardcoded-security-protocol] + boost::asio::ssl::context cxt_sslv3s(boost::asio::ssl::context::sslv3_server); // BUG // $ Alert[cpp/boost/use-of-deprecated-hardcoded-security-protocol] - boost::asio::ssl::context cxt_tlsv1(boost::asio::ssl::context::tlsv1); // BUG - boost::asio::ssl::context cxt_tlsv1c(boost::asio::ssl::context::tlsv1_client); // BUG - boost::asio::ssl::context cxt_tlsv1s(boost::asio::ssl::context::tlsv1_server); // BUG + boost::asio::ssl::context cxt_tlsv1(boost::asio::ssl::context::tlsv1); // BUG // $ Alert[cpp/boost/use-of-deprecated-hardcoded-security-protocol] + 
boost::asio::ssl::context cxt_tlsv1c(boost::asio::ssl::context::tlsv1_client); // BUG // $ Alert[cpp/boost/use-of-deprecated-hardcoded-security-protocol] + boost::asio::ssl::context cxt_tlsv1s(boost::asio::ssl::context::tlsv1_server); // BUG // $ Alert[cpp/boost/use-of-deprecated-hardcoded-security-protocol] - boost::asio::ssl::context cxt_tlsv11(boost::asio::ssl::context::tlsv11); // BUG - boost::asio::ssl::context cxt_tlsv11c(boost::asio::ssl::context::tlsv11_client); // BUG - boost::asio::ssl::context cxt_tlsv11s(boost::asio::ssl::context::tlsv11_server); // BUG + boost::asio::ssl::context cxt_tlsv11(boost::asio::ssl::context::tlsv11); // BUG // $ Alert[cpp/boost/use-of-deprecated-hardcoded-security-protocol] + boost::asio::ssl::context cxt_tlsv11c(boost::asio::ssl::context::tlsv11_client); // BUG // $ Alert[cpp/boost/use-of-deprecated-hardcoded-security-protocol] + boost::asio::ssl::context cxt_tlsv11s(boost::asio::ssl::context::tlsv11_server); // BUG // $ Alert[cpp/boost/use-of-deprecated-hardcoded-security-protocol] ////////////////////// Hardcoded algorithms @@ -76,7 +76,7 @@ void TestHardcodedProtocols() void InterProceduralTest(boost::asio::ssl::context::method m) { - boost::asio::ssl::context cxt1(m); // BUG - Multiple hits (sink) + boost::asio::ssl::context cxt1(m); // BUG - Multiple hits (sink) // $ Alert[cpp/boost/use-of-deprecated-hardcoded-security-protocol] } void TestHardcodedProtocols_inter() diff --git a/cpp/ql/test/query-tests/Likely Bugs/Protocols/test2.cpp b/cpp/ql/test/query-tests/Likely Bugs/Protocols/test2.cpp index 5679cee8b0f..c7715ff2461 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Protocols/test2.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Protocols/test2.cpp 
@@ -12,7 +12,7 @@ void bad1() { // BAD: missing disable SSLv3 boost::asio::ssl::context::method m = boost::asio::ssl::context::sslv23; - boost::asio::ssl::context ctx(m); + boost::asio::ssl::context ctx(m); // $ Alert[cpp/boost/tls-settings-misconfiguration] ctx.set_options(boost::asio::ssl::context::no_tlsv1 | boost::asio::ssl::context::no_tlsv1_1); } @@ -20,7 +20,7 @@ void good2() { // GOOD [FALSE POSITIVE x 3] boost::asio::ssl::context::options opts = boost::asio::ssl::context::no_tlsv1 | boost::asio::ssl::context::no_tlsv1_1 | boost::asio::ssl::context::no_sslv3; - boost::asio::ssl::context ctx(boost::asio::ssl::context::sslv23); + boost::asio::ssl::context ctx(boost::asio::ssl::context::sslv23); // $ Alert[cpp/boost/tls-settings-misconfiguration] ctx.set_options(opts); } @@ -28,7 +28,7 @@ void bad2() { // BAD: missing disable SSLv3 [WITH FALSE POSITIVE x 2] boost::asio::ssl::context::options opts = boost::asio::ssl::context::no_tlsv1 | boost::asio::ssl::context::no_tlsv1_1; - boost::asio::ssl::context ctx(boost::asio::ssl::context::sslv23); + boost::asio::ssl::context ctx(boost::asio::ssl::context::sslv23); // $ Alert[cpp/boost/tls-settings-misconfiguration] ctx.set_options(opts); } @@ -42,14 +42,14 @@ void good3() void bad3() { // BAD: missing disable SSLv3 - boost::asio::ssl::context *ctx = new boost::asio::ssl::context(boost::asio::ssl::context::sslv23); + boost::asio::ssl::context *ctx = new boost::asio::ssl::context(boost::asio::ssl::context::sslv23); // $ Alert[cpp/boost/tls-settings-misconfiguration] ctx->set_options(boost::asio::ssl::context::no_tlsv1 | boost::asio::ssl::context::no_tlsv1_1); } void bad4() { // BAD: missing disable SSLv3 - boost::asio::ssl::context ctx(boost::asio::ssl::context::sslv23); + boost::asio::ssl::context ctx(boost::asio::ssl::context::sslv23); // $ Alert[cpp/boost/tls-settings-misconfiguration] } 
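Review bot: In `good2()` the constructor line is tagged with a plain `$ Alert[cpp/boost/tls-settings-misconfiguration]` although the function's own comment marks it `GOOD [FALSE POSITIVE x 3]` and the options it passes include `no_sslv3`, `no_tlsv1` and `no_tlsv1_1`. A plain tag records the result as intended, so the known false positive can no longer be told apart from a true finding in the test; the inline-expectations syntax has a marker for this, `// $ SPURIOUS: Alert[cpp/boost/tls-settings-misconfiguration]`. The same applies to the two `// FALSE POSITIVE` lines in the `@@ -43,10 +43,10 @@` hunk of ReturnConstType/test.cpp. `bad2()` in the next hunk is described as a true result plus two false positives; a single tag on that line presumably cannot separate them, which leaves the comment as the only record of the extra hits.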
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Protocols/test3.cpp b/cpp/ql/test/query-tests/Likely Bugs/Protocols/test3.cpp index c9932b31618..88f204dcced 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/Protocols/test3.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/Protocols/test3.cpp @@ -4,7 +4,7 @@ void useTLS_bad() { - boost::asio::ssl::context ctx(boost::asio::ssl::context::tls); + boost::asio::ssl::context ctx(boost::asio::ssl::context::tls); // $ Alert[cpp/boost/tls-settings-misconfiguration] ctx.set_options(boost::asio::ssl::context::no_tlsv1); // BAD: missing no_tlsv1_1 // ... diff --git a/cpp/ql/test/query-tests/Likely Bugs/RedundantNullCheckSimple/RedundantNullCheckSimple.cpp b/cpp/ql/test/query-tests/Likely Bugs/RedundantNullCheckSimple/RedundantNullCheckSimple.cpp index 2760dcb349c..5c0ee7378dc 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/RedundantNullCheckSimple/RedundantNullCheckSimple.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/RedundantNullCheckSimple/RedundantNullCheckSimple.cpp @@ -1,23 +1,23 @@ void test_simple_bad(int *p) { int x; - x = *p; - if (p == nullptr) { // BAD + x = *p; // $ Source + if (p == nullptr) { // BAD // $ Alert return; } } void test_not_same_basic_block(int *p) { - int x = *p; + int x = *p; // $ Source if (x > 100) return; - if (!p) // BAD + if (!p) // BAD // $ Alert return; } void test_indirect(int **p) { int x; - x = **p; - if (*p == nullptr) { // BAD + x = **p; // $ Source + if (*p == nullptr) { // BAD // $ Alert return; } } @@ -45,10 +45,10 @@ void test_no_single_dominator(int *p, bool b) { } int test_postdominator_same_bb(int *p) { - int b = (p == nullptr); // BAD + int b = (p == nullptr); // BAD // $ Alert // This dereference is a postdominator of the null check, meaning that all // paths from the check to the function exit will pass through it. - return *p + b; + return *p + b; // $ Source } int test_postdominator(int *p) { 
@@ -75,8 +75,8 @@ void test_indirect_local() { int *p = &a; int **pp = &p; int x; - x = **pp; - if (*pp == nullptr) { // BAD + x = **pp; // $ Source + if (*pp == nullptr) { // BAD // $ Alert return; } } @@ -89,8 +89,8 @@ void test_field_local(bool boolvar) { auto sp = &s; if (boolvar) { - int x = *sp->p; - if (sp->p == nullptr) { // BAD + int x = *sp->p; // $ Source + if (sp->p == nullptr) { // BAD // $ Alert return; } } else { diff --git a/cpp/ql/test/query-tests/Likely Bugs/RedundantNullCheckSimple/RedundantNullCheckSimple.expected b/cpp/ql/test/query-tests/Likely Bugs/RedundantNullCheckSimple/RedundantNullCheckSimple.expected index 8ffb2330840..997de4af41f 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/RedundantNullCheckSimple/RedundantNullCheckSimple.expected +++ b/cpp/ql/test/query-tests/Likely Bugs/RedundantNullCheckSimple/RedundantNullCheckSimple.expected 
@@ -1,3 +1,21 @@ +#select +| RedundantNullCheckSimple.cpp:4:7:4:7 | Load: p | RedundantNullCheckSimple.cpp:3:7:3:8 | Load: * ... | RedundantNullCheckSimple.cpp:4:7:4:7 | Load: p | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:3:7:3:8 | Load: * ... | the value is dereferenced | +| RedundantNullCheckSimple.cpp:13:8:13:8 | Load: p | RedundantNullCheckSimple.cpp:10:11:10:12 | Load: * ... | RedundantNullCheckSimple.cpp:13:8:13:8 | Load: p | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:10:11:10:12 | Load: * ... | the value is dereferenced | +| RedundantNullCheckSimple.cpp:20:7:20:8 | Load: * ... | RedundantNullCheckSimple.cpp:19:7:19:9 | Load: * ... | RedundantNullCheckSimple.cpp:20:7:20:8 | Load: * ... | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:19:7:19:9 | Load: * ... | the value is dereferenced | +| RedundantNullCheckSimple.cpp:48:12:48:12 | Load: p | RedundantNullCheckSimple.cpp:51:10:51:11 | Load: * ... | RedundantNullCheckSimple.cpp:48:12:48:12 | Load: p | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:51:10:51:11 | Load: * ... | the value is dereferenced | +| RedundantNullCheckSimple.cpp:79:7:79:9 | Load: * ... | RedundantNullCheckSimple.cpp:78:7:78:10 | Load: * ... | RedundantNullCheckSimple.cpp:79:7:79:9 | Load: * ... | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:78:7:78:10 | Load: * ... | the value is dereferenced | +| RedundantNullCheckSimple.cpp:93:13:93:13 | Load: p | RedundantNullCheckSimple.cpp:92:13:92:18 | Load: * ... | RedundantNullCheckSimple.cpp:93:13:93:13 | Load: p | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:92:13:92:18 | Load: * ... | the value is dereferenced | +edges +| RedundantNullCheckSimple.cpp:3:7:3:8 | Load: * ... 
| RedundantNullCheckSimple.cpp:4:7:4:7 | Load: p | +| RedundantNullCheckSimple.cpp:3:8:3:8 | Load: p | RedundantNullCheckSimple.cpp:4:7:4:7 | Load: p | +| RedundantNullCheckSimple.cpp:10:11:10:12 | Load: * ... | RedundantNullCheckSimple.cpp:13:8:13:8 | Load: p | +| RedundantNullCheckSimple.cpp:10:12:10:12 | Load: p | RedundantNullCheckSimple.cpp:13:8:13:8 | Load: p | +| RedundantNullCheckSimple.cpp:19:7:19:9 | Load: * ... | RedundantNullCheckSimple.cpp:20:7:20:8 | Load: * ... | +| RedundantNullCheckSimple.cpp:19:8:19:9 | Load: * ... | RedundantNullCheckSimple.cpp:20:7:20:8 | Load: * ... | +| RedundantNullCheckSimple.cpp:78:7:78:10 | Load: * ... | RedundantNullCheckSimple.cpp:79:7:79:9 | Load: * ... | +| RedundantNullCheckSimple.cpp:78:8:78:10 | Load: * ... | RedundantNullCheckSimple.cpp:79:7:79:9 | Load: * ... | +| RedundantNullCheckSimple.cpp:92:13:92:18 | Load: * ... | RedundantNullCheckSimple.cpp:93:13:93:13 | Load: p | +| RedundantNullCheckSimple.cpp:92:18:92:18 | Load: p | RedundantNullCheckSimple.cpp:93:13:93:13 | Load: p | nodes | RedundantNullCheckSimple.cpp:3:3:3:3 | VariableAddress: x | semmle.label | x | | RedundantNullCheckSimple.cpp:3:3:3:8 | Store: ... = ... | semmle.label | ... = ... | 
@@ -36,21 +54,3 @@ nodes | RedundantNullCheckSimple.cpp:93:9:93:10 | VariableAddress: sp | semmle.label | sp | | RedundantNullCheckSimple.cpp:93:13:93:13 | FieldAddress: p | semmle.label | p | | RedundantNullCheckSimple.cpp:93:13:93:13 | Load: p | semmle.label | p | -edges -| RedundantNullCheckSimple.cpp:3:7:3:8 | Load: * ... | RedundantNullCheckSimple.cpp:4:7:4:7 | Load: p | -| RedundantNullCheckSimple.cpp:3:8:3:8 | Load: p | RedundantNullCheckSimple.cpp:4:7:4:7 | Load: p | -| RedundantNullCheckSimple.cpp:10:11:10:12 | Load: * ... | RedundantNullCheckSimple.cpp:13:8:13:8 | Load: p | -| RedundantNullCheckSimple.cpp:10:12:10:12 | Load: p | RedundantNullCheckSimple.cpp:13:8:13:8 | Load: p | -| RedundantNullCheckSimple.cpp:19:7:19:9 | Load: * ... | RedundantNullCheckSimple.cpp:20:7:20:8 | Load: * ... | -| RedundantNullCheckSimple.cpp:19:8:19:9 | Load: * ... | RedundantNullCheckSimple.cpp:20:7:20:8 | Load: * ... | -| RedundantNullCheckSimple.cpp:78:7:78:10 | Load: * ... | RedundantNullCheckSimple.cpp:79:7:79:9 | Load: * ... | -| RedundantNullCheckSimple.cpp:78:8:78:10 | Load: * ... | RedundantNullCheckSimple.cpp:79:7:79:9 | Load: * ... | -| RedundantNullCheckSimple.cpp:92:13:92:18 | Load: * ... | RedundantNullCheckSimple.cpp:93:13:93:13 | Load: p | -| RedundantNullCheckSimple.cpp:92:18:92:18 | Load: p | RedundantNullCheckSimple.cpp:93:13:93:13 | Load: p | -#select -| RedundantNullCheckSimple.cpp:4:7:4:7 | Load: p | RedundantNullCheckSimple.cpp:3:7:3:8 | Load: * ... | RedundantNullCheckSimple.cpp:4:7:4:7 | Load: p | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:3:7:3:8 | Load: * ... | the value is dereferenced | -| RedundantNullCheckSimple.cpp:13:8:13:8 | Load: p | RedundantNullCheckSimple.cpp:10:11:10:12 | Load: * ... | RedundantNullCheckSimple.cpp:13:8:13:8 | Load: p | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:10:11:10:12 | Load: * ... 
| the value is dereferenced | -| RedundantNullCheckSimple.cpp:20:7:20:8 | Load: * ... | RedundantNullCheckSimple.cpp:19:7:19:9 | Load: * ... | RedundantNullCheckSimple.cpp:20:7:20:8 | Load: * ... | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:19:7:19:9 | Load: * ... | the value is dereferenced | -| RedundantNullCheckSimple.cpp:48:12:48:12 | Load: p | RedundantNullCheckSimple.cpp:51:10:51:11 | Load: * ... | RedundantNullCheckSimple.cpp:48:12:48:12 | Load: p | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:51:10:51:11 | Load: * ... | the value is dereferenced | -| RedundantNullCheckSimple.cpp:79:7:79:9 | Load: * ... | RedundantNullCheckSimple.cpp:78:7:78:10 | Load: * ... | RedundantNullCheckSimple.cpp:79:7:79:9 | Load: * ... | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:78:7:78:10 | Load: * ... | the value is dereferenced | -| RedundantNullCheckSimple.cpp:93:13:93:13 | Load: p | RedundantNullCheckSimple.cpp:92:13:92:18 | Load: * ... | RedundantNullCheckSimple.cpp:93:13:93:13 | Load: p | This null check is redundant because $@ in any case. | RedundantNullCheckSimple.cpp:92:13:92:18 | Load: * ... | the value is dereferenced | diff --git a/cpp/ql/test/query-tests/Likely Bugs/RedundantNullCheckSimple/RedundantNullCheckSimple.qlref b/cpp/ql/test/query-tests/Likely Bugs/RedundantNullCheckSimple/RedundantNullCheckSimple.qlref index 2223e47c30d..169150bbd51 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/RedundantNullCheckSimple/RedundantNullCheckSimple.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/RedundantNullCheckSimple/RedundantNullCheckSimple.qlref @@ -1 +1,2 @@ -Likely Bugs/RedundantNullCheckSimple.ql +query: Likely Bugs/RedundantNullCheckSimple.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/ReturnConstType/ReturnConstType.qlref b/cpp/ql/test/query-tests/Likely Bugs/ReturnConstType/ReturnConstType.qlref index ee515afb200..bf5203dd123 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/ReturnConstType/ReturnConstType.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/ReturnConstType/ReturnConstType.qlref @@ -1 +1,2 @@ -Likely Bugs/ReturnConstType.ql +query: Likely Bugs/ReturnConstType.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/ReturnConstType/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/ReturnConstType/test.cpp index 77c82fbb54c..a1d04f71a74 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/ReturnConstType/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/ReturnConstType/test.cpp @@ -2,12 +2,12 @@ // --- examples from the qhelp --- // The leftmost const has no effect here. -const int square(const int x) { // BAD +const int square(const int x) { // BAD // $ Alert return x * x; } // The const has no effect here, and can easily be mistaken for const char*. -char* const id(char* s) { // BAD +char* const id(char* s) { // BAD // $ Alert return s; } @@ -15,9 +15,9 @@ char* const id(char* s) { // BAD const char *getAConstantString(); const char **getAConstantStringPointer(); -const char getAConstChar(); // BAD -const signed char getASignedConstChar(); // BAD -unsigned const char getAnUnsignedConstChar(); // BAD +const char getAConstChar(); // BAD // $ Alert +const signed char getASignedConstChar(); // BAD // $ Alert +unsigned const char getAnUnsignedConstChar(); // BAD // $ Alert char getAChar(); typedef const char mychar; 
@@ -43,10 +43,10 @@ template class myWrapper { myWrapper testTemplateClass{t: 'a'}; #define MYCHAR const char -MYCHAR getAMYCHAR(); // FALSE POSITIVE +MYCHAR getAMYCHAR(); // FALSE POSITIVE // $ Alert #define ID(T) T id_ (T x) {return x;} -ID(const char); // FALSE POSITIVE +ID(const char); // FALSE POSITIVE // $ Alert const float pi = 3.14159626f; const float &getPiRef() { return pi; } // GOOD diff --git a/cpp/ql/test/query-tests/Likely Bugs/ReturnConstTypeMember/ReturnConstTypeMember.qlref b/cpp/ql/test/query-tests/Likely Bugs/ReturnConstTypeMember/ReturnConstTypeMember.qlref index 052b0cd2ad5..3dbe1d19bf1 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/ReturnConstTypeMember/ReturnConstTypeMember.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/ReturnConstTypeMember/ReturnConstTypeMember.qlref @@ -1 +1,2 @@ -Likely Bugs/ReturnConstTypeMember.ql +query: Likely Bugs/ReturnConstTypeMember.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/ReturnConstTypeMember/templates.cpp b/cpp/ql/test/query-tests/Likely Bugs/ReturnConstTypeMember/templates.cpp index 73d18c844d2..c36e5e9625e 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/ReturnConstTypeMember/templates.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/ReturnConstTypeMember/templates.cpp @@ -10,7 +10,7 @@ class TC1 { template class TC2 { public: - T fun() const { + T fun() const { // $ Alert return 5; } }; diff --git a/cpp/ql/test/query-tests/Likely Bugs/ReturnConstTypeMember/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/ReturnConstTypeMember/test.cpp index e568d0da152..e8eb23d013e 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/ReturnConstTypeMember/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/ReturnConstTypeMember/test.cpp 
@@ -2,13 +2,13 @@ class myClass { int getAnInt() { return 0; } - const int getAConstInt() { + const int getAConstInt() { // $ Alert return 0; } int getAnIntConst() const { return 0; } - const int getAConstIntConst() const { + const int getAConstIntConst() const { // $ Alert return 0; } @@ -16,7 +16,7 @@ class myClass { return 0; } - static const int getAStaticConstInt() { + static const int getAStaticConstInt() { // $ Alert return 0; } }; diff --git a/cpp/ql/test/query-tests/Likely Bugs/ShortLoopVarName/ShortLoopVarName.cpp b/cpp/ql/test/query-tests/Likely Bugs/ShortLoopVarName/ShortLoopVarName.cpp index 7dd7855bacc..65e41093c19 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/ShortLoopVarName/ShortLoopVarName.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/ShortLoopVarName/ShortLoopVarName.cpp @@ -3,7 +3,7 @@ void test1() { - int i, j, outer_loop_var, inner_loop_var; + int i, j, outer_loop_var, inner_loop_var; // $ Alert for (i = 0; i < 10; i++) // GOOD: no nested loop { @@ -27,7 +27,7 @@ void test1() void test2(char *str) { - for (char *a = str; *a != NULL; a++) // BAD: short name + for (char *a = str; *a != NULL; a++) // BAD: short name // $ Alert { char *b = a; // GOOD: not a loop variable @@ -70,7 +70,7 @@ void test3() } } - for (int y = 0; y < 256; y++) // BAD: x and y are not a co-ordinate pair + for (int y = 0; y < 256; y++) // BAD: x and y are not a co-ordinate pair // $ Alert { for (int x = 0; x < 256; x++) { @@ -93,7 +93,7 @@ void test3() { string strings[10]; - for (int i = 0; i < 10; i++) // BAD: x and y are not a co-ordinate pair + for (int i = 0; i < 10; i++) // BAD: x and y are not a co-ordinate pair // $ Alert { for (int j = 0; j < strings[i].strlen; j++) { diff --git a/cpp/ql/test/query-tests/Likely Bugs/ShortLoopVarName/ShortLoopVarName.qlref b/cpp/ql/test/query-tests/Likely Bugs/ShortLoopVarName/ShortLoopVarName.qlref index 6e4b506018f..de5c76f3f6a 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/ShortLoopVarName/ShortLoopVarName.qlref 
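Review bot: The comment on the changed `for (int i = 0; i < 10; i++)` line in the `@@ -93,7 +93,7 @@` hunk of ShortLoopVarName.cpp still reads `// BAD: x and y are not a co-ordinate pair`, but the loop variables there are `i` and `j`; it looks copied from the `for (int y ...)` case in the preceding hunk. Now that the line carries the `$ Alert` expectation, the reason beside it should match the code, e.g. `// BAD: short names i and j in nested loops`. The body of `test3` starts and ends outside the hunk.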
+++ b/cpp/ql/test/query-tests/Likely Bugs/ShortLoopVarName/ShortLoopVarName.qlref
@@ -1 +1,2 @@
-Likely Bugs/ShortLoopVarName.ql
+query: Likely Bugs/ShortLoopVarName.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.qlref b/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.qlref
index 38492f2a203..d96192c760c 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.qlref
+++ b/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.qlref
@@ -1 +1,2 @@
-Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql
\ No newline at end of file
+query: Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.qlref b/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.qlref
index e61361d6bfe..56065d60fce 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.qlref
+++ b/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.qlref
@@ -1 +1,2 @@
-Likely Bugs/Underspecified Functions/MistypedFunctionArguments.ql
+query: Likely Bugs/Underspecified Functions/MistypedFunctionArguments.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/TooFewArguments.qlref b/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/TooFewArguments.qlref
index 710092c54d8..c0c3166e8d5 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/TooFewArguments.qlref
+++ b/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/TooFewArguments.qlref
@@ -1 +1,2 @@
-Likely Bugs/Underspecified Functions/TooFewArguments.ql
+query: Likely Bugs/Underspecified Functions/TooFewArguments.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/TooManyArguments.qlref b/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/TooManyArguments.qlref
index ca44af39c2b..c78a44facd1 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/TooManyArguments.qlref
+++ b/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/TooManyArguments.qlref
@@ -1 +1,2 @@
-Likely Bugs/Underspecified Functions/TooManyArguments.ql
+query: Likely Bugs/Underspecified Functions/TooManyArguments.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/test.c b/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/test.c
index d77c16683ed..a33a09acda6 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/test.c
+++ b/cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/test.c
@@ -25,52 +25,52 @@ void test(int *argv[]) { declared_void(); // GOOD declared_with(1); // GOOD - undeclared(); // BAD (GOOD for everything except cpp/implicit-function-declaration) + undeclared(); // BAD (GOOD for everything except cpp/implicit-function-declaration) // $ Alert[cpp/implicit-function-declaration] undeclared(1); // GOOD - not_yet_declared1(1); // BAD (GOOD for everything except for cpp/implicit-function-declaration) - not_yet_declared2(1); // BAD (GOOD for everything except for cpp/implicit-function-declaration) - not_yet_declared2(ca); // BAD (GOOD for everything except for cpp/mistyped-function-arguments + not_yet_declared1(1); // BAD (GOOD for everything except for cpp/implicit-function-declaration) // $ Alert[cpp/implicit-function-declaration] + not_yet_declared2(1); // BAD (GOOD for everything except for cpp/implicit-function-declaration) // $ Alert[cpp/implicit-function-declaration] + not_yet_declared2(ca); // BAD (GOOD for everything except for cpp/mistyped-function-arguments // $ Alert[cpp/mistyped-function-arguments] // and cpp/too-few-arguments. Not detected in the case of cpp/too-few-arguments.) 
not_yet_declared2(); // BAD [NOT DETECTED] (GOOD for everything except for cpp/too-few-arguments) - declared_empty_defined_with(); // BAD + declared_empty_defined_with(); // BAD // $ Alert[cpp/too-few-arguments] declared_empty_defined_with(1); // GOOD int x; - declared_empty_defined_with(&x); // BAD - declared_empty_defined_with(3, &x); // BAD + declared_empty_defined_with(&x); // BAD // $ Alert[cpp/mistyped-function-arguments] + declared_empty_defined_with(3, &x); // BAD // $ Alert[cpp/futile-params] - not_declared_defined_with(-1, 0, 2U); // BAD (GOOD for everything except for cpp/implicit-function-declaration) - not_declared_defined_with(4LL, 0, 2.5e9f); // BAD + not_declared_defined_with(-1, 0, 2U); // BAD (GOOD for everything except for cpp/implicit-function-declaration) // $ Alert[cpp/implicit-function-declaration] + not_declared_defined_with(4LL, 0, 2.5e9f); // BAD // $ Alert[cpp/mistyped-function-arguments] declared_with_pointers(pv, ca); // GOOD - declared_with_pointers(3.5e15, 0); // BAD + declared_with_pointers(3.5e15, 0); // BAD // $ Alert[cpp/mistyped-function-arguments] declared_with_array("Hello"); // GOOD - declared_with_array(&x); // BAD + declared_with_array(&x); // BAD // $ Alert[cpp/mistyped-function-arguments] - defined_with_float(2.f); // BAD - defined_with_float(2.0); // BAD + defined_with_float(2.f); // BAD // $ Alert[cpp/mistyped-function-arguments] + defined_with_float(2.0); // BAD // $ Alert[cpp/mistyped-function-arguments] - defined_with_double(2.f); // BAD (GOOD for everything except for cpp/implicit-function-declaration) - defined_with_double('c'); // BAD + defined_with_double(2.f); // BAD (GOOD for everything except for cpp/implicit-function-declaration) // $ Alert[cpp/implicit-function-declaration] + defined_with_double('c'); // BAD // $ Alert[cpp/mistyped-function-arguments] - defined_with_long_long('c'); // BAD - defined_with_long_long(3); // BAD + defined_with_long_long('c'); // BAD // $ Alert[cpp/mistyped-function-arguments] + 
defined_with_long_long(3); // BAD // $ Alert[cpp/mistyped-function-arguments] - defined_with_double(2LL); // BAD - defined_with_long_long(3.5e15); // BAD + defined_with_double(2LL); // BAD // $ Alert[cpp/mistyped-function-arguments] + defined_with_long_long(3.5e15); // BAD // $ Alert[cpp/mistyped-function-arguments] k_and_r_func(2.5, &s); // GOOD int (*parameterName)[2]; - defined_with_ptr_ptr(parameterName); // // BAD (GOOD for everything except for cpp/implicit-function-declaration) + defined_with_ptr_ptr(parameterName); // // BAD (GOOD for everything except for cpp/implicit-function-declaration) // $ Alert[cpp/implicit-function-declaration] defined_with_ptr_ptr(argv); // GOOD - defined_with_ptr_arr(parameterName); // // BAD (GOOD for everything except for cpp/implicit-function-declaration) + defined_with_ptr_arr(parameterName); // // BAD (GOOD for everything except for cpp/implicit-function-declaration) // $ Alert[cpp/implicit-function-declaration] defined_with_ptr_arr(argv); // GOOD declared_and_defined_empty(); // GOOD - declared_and_defined_empty(1); // BAD + declared_and_defined_empty(1); // BAD // $ Alert[cpp/futile-params] } void not_yet_declared1(); @@ -85,7 +85,7 @@ void not_declared_defined_with(int x, int y, int z) { int dereference(); int caller(void) { - return dereference(); // BAD + return dereference(); // BAD // $ Alert[cpp/too-few-arguments] } int dereference(int *x) { return *x; } @@ -130,8 +130,8 @@ extern int extern_definition(double, double*); void test_implicit_function_declaration(int x, double d) { int y; - implicit_declaration(1, 2); // BAD - implicit_declaration_k_and_r(1, 2); // BAD + implicit_declaration(1, 2); // BAD // $ Alert[cpp/implicit-function-declaration] + implicit_declaration_k_and_r(1, 2); // BAD // $ Alert[cpp/implicit-function-declaration] implicit_declaration(1, 2); // GOOD (no longer an implicit declaration) 
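Review bot: The call `not_yet_declared2();` in the first test.c hunk is still described as `BAD [NOT DETECTED]` for cpp/too-few-arguments but gets no inline expectation, so the known false negative is recorded only in prose. Annotating it as `// $ MISSING: Alert[cpp/too-few-arguments]` should make the test report a change once the query starts flagging it. On the `not_yet_declared2(ca);` line the new `// $ Alert[cpp/mistyped-function-arguments]` marker also lands inside a parenthetical that continues on the next comment line; moving the `and cpp/too-few-arguments …` continuation ahead of the `// $` marker would keep that sentence readable. test() begins before this hunk, so the declarations these calls depend on are not visible here.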
diff --git a/cpp/ql/test/query-tests/Likely Bugs/UseInOwnInitializer/UseInOwnInitializer.qlref b/cpp/ql/test/query-tests/Likely Bugs/UseInOwnInitializer/UseInOwnInitializer.qlref index 8242a3a6403..f4ba94dd082 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/UseInOwnInitializer/UseInOwnInitializer.qlref +++ b/cpp/ql/test/query-tests/Likely Bugs/UseInOwnInitializer/UseInOwnInitializer.qlref @@ -1 +1,2 @@ -Likely Bugs/UseInOwnInitializer.ql +query: Likely Bugs/UseInOwnInitializer.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Likely Bugs/UseInOwnInitializer/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/UseInOwnInitializer/test.cpp index 41dde27c5a0..dc5cbb9c49a 100644 --- a/cpp/ql/test/query-tests/Likely Bugs/UseInOwnInitializer/test.cpp +++ b/cpp/ql/test/query-tests/Likely Bugs/UseInOwnInitializer/test.cpp @@ -1,11 +1,11 @@ typedef long size_t; void test1() { - int x = x; // BAD + int x = x; // BAD // $ Alert } void test2() { - int x = x = 2; // BAD + int x = x = 2; // BAD // $ Alert } void test3() { @@ -54,11 +54,11 @@ void test9() { } void test10() { - int x = x + 1; // BAD: x is evaluated on the right hand side + int x = x + 1; // BAD: x is evaluated on the right hand side // $ Alert } void test11() { - int x = uninitialized(x) + 1; // BAD: x is evaluated on the right hand side + int x = uninitialized(x) + 1; // BAD: x is evaluated on the right hand side // $ Alert } #define self_initialize(t, x) t x = x diff --git a/cpp/ql/test/query-tests/Metrics/Functions/FunLinesOfCode.qlref b/cpp/ql/test/query-tests/Metrics/Functions/FunLinesOfCode.qlref index 2297839a1bf..ffc998288f1 100644 --- a/cpp/ql/test/query-tests/Metrics/Functions/FunLinesOfCode.qlref +++ b/cpp/ql/test/query-tests/Metrics/Functions/FunLinesOfCode.qlref @@ -1 +1 @@ -Metrics/Functions/FunLinesOfCode.ql +query: Metrics/Functions/FunLinesOfCode.ql 
diff --git a/cpp/ql/test/query-tests/Metrics/Functions/FunLinesOfComments.qlref b/cpp/ql/test/query-tests/Metrics/Functions/FunLinesOfComments.qlref
index 22982899aad..0a15219eae1 100644
--- a/cpp/ql/test/query-tests/Metrics/Functions/FunLinesOfComments.qlref
+++ b/cpp/ql/test/query-tests/Metrics/Functions/FunLinesOfComments.qlref
@@ -1 +1 @@
-Metrics/Functions/FunLinesOfComments.ql
+query: Metrics/Functions/FunLinesOfComments.ql
diff --git a/cpp/ql/test/query-tests/Metrics/Functions/FunNumberOfCalls.qlref b/cpp/ql/test/query-tests/Metrics/Functions/FunNumberOfCalls.qlref
index d3d6f76ce70..32203bddc4d 100644
--- a/cpp/ql/test/query-tests/Metrics/Functions/FunNumberOfCalls.qlref
+++ b/cpp/ql/test/query-tests/Metrics/Functions/FunNumberOfCalls.qlref
@@ -1 +1 @@
-Metrics/Functions/FunNumberOfCalls.ql
+query: Metrics/Functions/FunNumberOfCalls.ql
diff --git a/cpp/ql/test/query-tests/Metrics/Functions/FunNumberOfParameters.qlref b/cpp/ql/test/query-tests/Metrics/Functions/FunNumberOfParameters.qlref
index 26fc860b76d..3601ca98507 100644
--- a/cpp/ql/test/query-tests/Metrics/Functions/FunNumberOfParameters.qlref
+++ b/cpp/ql/test/query-tests/Metrics/Functions/FunNumberOfParameters.qlref
@@ -1 +1 @@
-Metrics/Functions/FunNumberOfParameters.ql
+query: Metrics/Functions/FunNumberOfParameters.ql
diff --git a/cpp/ql/test/query-tests/Metrics/Functions/FunNumberOfStatements.qlref b/cpp/ql/test/query-tests/Metrics/Functions/FunNumberOfStatements.qlref
index 78f61924a02..ad24a29dddf 100644
--- a/cpp/ql/test/query-tests/Metrics/Functions/FunNumberOfStatements.qlref
+++ b/cpp/ql/test/query-tests/Metrics/Functions/FunNumberOfStatements.qlref
@@ -1 +1 @@
-Metrics/Functions/FunNumberOfStatements.ql
+query: Metrics/Functions/FunNumberOfStatements.ql
diff --git a/cpp/ql/test/query-tests/Power of 10/Rule 2/BoundedLoopIterations.qlref b/cpp/ql/test/query-tests/Power of 10/Rule 2/BoundedLoopIterations.qlref
index bd3a3b01691..28e3197a8f7 100644
--- a/cpp/ql/test/query-tests/Power of 10/Rule 2/BoundedLoopIterations.qlref
+++ b/cpp/ql/test/query-tests/Power of 10/Rule 2/BoundedLoopIterations.qlref
@@ -1 +1,2 @@
-Power of 10/Rule 2/BoundedLoopIterations.ql
+query: Power of 10/Rule 2/BoundedLoopIterations.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Power of 10/Rule 2/loops.cpp b/cpp/ql/test/query-tests/Power of 10/Rule 2/loops.cpp
index 29ca9fa1ccd..7d2564f955e 100644
--- a/cpp/ql/test/query-tests/Power of 10/Rule 2/loops.cpp
+++ b/cpp/ql/test/query-tests/Power of 10/Rule 2/loops.cpp
@@ -21,20 +21,20 @@ void f() { while (i < bound) { i++; } // Good: Bound not modified in loop. do { i++; } while (i < bound); // Good: Bound not modified in loop. - for (i = 0; i < 10; i--); // Bad: No increment. - while (i < 10) { } // Bad: No increment. - do { i += 2; } while (i > 10); // Bad: No decrement. - while (i > 10) { if (i < 5) i--; } // Bad: Conditional decrement. - while (i < bound) { i++; bound++; } // Bad: Bound modified in loop. - while (i < bound) { i++; bound >>= 1; } // Bad: Bound modified in loop. - while (i > bound) { i--; bound += 1; } // Bad: Bound modified in loop. - while (i > bound) { i--; bound = bound; } // Bad: Bound modified in loop. - for (; xs->next; xs = xs->next); // Bad: No bound. - while (i <= -i) {} // Bad: Hidden infinite loop. + for (i = 0; i < 10; i--); // Bad: No increment. // $ Alert + while (i < 10) { } // Bad: No increment. // $ Alert + do { i += 2; } while (i > 10); // Bad: No decrement. // $ Alert + while (i > 10) { if (i < 5) i--; } // Bad: Conditional decrement. // $ Alert + while (i < bound) { i++; bound++; } // Bad: Bound modified in loop. // $ Alert + while (i < bound) { i++; bound >>= 1; } // Bad: Bound modified in loop. // $ Alert + while (i > bound) { i--; bound += 1; } // Bad: Bound modified in loop. // $ Alert + while (i > bound) { i--; bound = bound; } // Bad: Bound modified in loop. // $ Alert + for (; xs->next; xs = xs->next); // Bad: No bound. // $ Alert + while (i <= -i) {} // Bad: Hidden infinite loop. // $ Alert while (i < 10) { i = i + 1; } // Good: Fixed bound. while (i > 10) { i = i - 1; } // Good: Fixed bound. 
- while (i < 10) { i = 0; } // Bad: increment outside loop - while (i > 10) { i = 0; } // Bad: decrement outside loop - while (i > 10) { i = 1 - i; } // Bad: Swapped operands to `-` + while (i < 10) { i = 0; } // Bad: increment outside loop // $ Alert + while (i > 10) { i = 0; } // Bad: decrement outside loop // $ Alert + while (i > 10) { i = 1 - i; } // Bad: Swapped operands to `-` // $ Alert } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-014/MemsetMayBeDeleted.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-014/MemsetMayBeDeleted.qlref index e81526fe6d9..bc89bc58f77 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-014/MemsetMayBeDeleted.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-014/MemsetMayBeDeleted.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-014/MemsetMayBeDeleted.ql +query: Security/CWE/CWE-014/MemsetMayBeDeleted.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-014/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-014/test.cpp index 1e0ed7d70f0..d859a263780 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-014/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-014/test.cpp @@ -45,7 +45,7 @@ char *func2(char buff[128], unsigned long long sz) { void func3(unsigned long long sz) { char buff[128]; gets(buff); - memset(buff, 0, PW_SIZE); // BAD + memset(buff, 0, PW_SIZE); // BAD // $ Alert } // x86-64 gcc 9.2: deleted @@ -76,7 +76,7 @@ void func5(unsigned long long sz) { void func6(unsigned long long sz) { struct mem m; gets(m.b); - memset(&m, 0, PW_SIZE); // BAD + memset(&m, 0, PW_SIZE); // BAD // $ Alert } // x86-64 gcc 9.2: deleted @@ -205,7 +205,7 @@ void badFunc0_0(){ for(int i = 0; i < PW_SIZE; i++) { buff1[i] = 13; } - memset(buff1, 0, PW_SIZE); // BAD + memset(buff1, 0, PW_SIZE); // BAD // $ Alert } void nobadFunc1_0() { 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp index 876584c5117..e0ad12c9468 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp @@ -52,7 +52,7 @@ void bad() if (FILENAME_MAX-dataLen > 1) { /* POTENTIAL FLAW: Read data from the console */ - if (fgets(data+dataLen, (int)(FILENAME_MAX-dataLen), stdin) != NULL) + if (fgets(data+dataLen, (int)(FILENAME_MAX-dataLen), stdin) != NULL) // $ Source { /* The next few lines remove the carriage return from the string that is * inserted by fgets() */ @@ -74,7 +74,7 @@ void bad() { FILE *pFile = NULL; /* POTENTIAL FLAW: Possibly opening a file without validating the file name or path */ - pFile = FOPEN(data, "wb+"); + pFile = FOPEN(data, "wb+"); // $ Alert if (pFile != NULL) { fclose(pFile); diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/TaintedPath.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/TaintedPath.expected index 031804b9225..8ebb959ae4b 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/TaintedPath.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/TaintedPath.expected 
@@ -1,3 +1,5 @@ +#select +| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | *data | This argument to a file access function is derived from $@ and then passed to fopen(filename). | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | user input (string read by fgets) | edges | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:62:25:62:46 | ... = ... | provenance | | | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:69:21:69:40 | ... = ... | provenance | | @@ -10,5 +12,3 @@ nodes | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:69:21:69:40 | ... = ... | semmle.label | ... = ... | | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | *data | semmle.label | *data | subpaths -#select -| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | *data | This argument to a file access function is derived from $@ and then passed to fopen(filename). | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | user input (string read by fgets) | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/TaintedPath.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/TaintedPath.qlref index 1677939387d..399ff4f1909 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/TaintedPath.qlref 
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/TaintedPath.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-022/TaintedPath.ql \ No newline at end of file +query: Security/CWE/CWE-022/TaintedPath.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/ExecTainted.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/ExecTainted.expected index bb1caa71e12..784928db053 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/ExecTainted.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/ExecTainted.expected @@ -1,3 +1,5 @@ +#select +| tests.cpp:53:16:53:19 | data | tests.cpp:33:34:33:39 | *call to getenv | tests.cpp:53:16:53:19 | *data | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | tests.cpp:33:34:33:39 | *call to getenv | user input (an environment variable) | tests.cpp:38:25:38:36 | strncat output argument | strncat output argument | edges | tests.cpp:26:15:26:23 | **badSource | tests.cpp:51:12:51:20 | *call to badSource | provenance | | | tests.cpp:33:34:33:39 | *call to getenv | tests.cpp:33:34:33:39 | *call to getenv | provenance | | @@ -18,5 +20,3 @@ nodes | tests.cpp:51:12:51:20 | *call to badSource | semmle.label | *call to badSource | | tests.cpp:53:16:53:19 | *data | semmle.label | *data | subpaths -#select -| tests.cpp:53:16:53:19 | data | tests.cpp:33:34:33:39 | *call to getenv | tests.cpp:53:16:53:19 | *data | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | tests.cpp:33:34:33:39 | *call to getenv | user input (an environment variable) | tests.cpp:38:25:38:36 | strncat output argument | strncat output argument | 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/ExecTainted.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/ExecTainted.qlref index 9fe2347270f..4e996a47ad5 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/ExecTainted.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/ExecTainted.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-078/ExecTainted.ql \ No newline at end of file +query: Security/CWE/CWE-078/ExecTainted.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/tests.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/tests.cpp index 80f8221d903..c8918ffc45e 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/tests.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/tests.cpp @@ -30,7 +30,7 @@ static char * badSource(char * data) { /* Append input from an environment variable to data */ size_t dataLen = strlen(data); - char * environment = GETENV(ENV_VARIABLE); + char * environment = GETENV(ENV_VARIABLE); // $ Source /* If there is data in the environment variable */ if (environment != NULL) { @@ -50,7 +50,7 @@ void CWE78_OS_Command_Injection__char_environment_system_21_bad() badStatic = 1; /* true */ data = badSource(data); /* POTENTIAL FLAW: Execute command in data possibly leading to command injection [NOT DETECTED] */ - if (SYSTEM(data) != 0) + if (SYSTEM(data) != 0) // $ Alert { printLine("command execution failed!"); exit(1); diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected index 18dd45752cc..24f63e6cfaa 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected 
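Review bot: The context comment above `SYSTEM(data)` in the second tests.cpp hunk still ends with `[NOT DETECTED]`, while the line now carries `// $ Alert` and ExecTainted.expected lists a `#select` row for tests.cpp:53. One of the two is stale; if the query does report this sink, the comment should read `/* POTENTIAL FLAW: Execute command in data possibly leading to command injection */`. The `// $ Source` added on the `GETENV(ENV_VARIABLE)` line in badSource is consistent with the getenv source named in that row. Both functions extend beyond their hunks, so the rest of the flow is not visible here.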
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected 
@@ -1,3 +1,28 @@ +#select +| test.cpp:23:12:23:19 | command1 | test.cpp:15:27:15:30 | **argv | test.cpp:23:12:23:19 | *command1 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:15:27:15:30 | **argv | user input (a command-line argument) | test.cpp:22:13:22:20 | sprintf output argument | sprintf output argument | +| test.cpp:51:10:51:16 | command | test.cpp:47:21:47:26 | *call to getenv | test.cpp:51:10:51:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:47:21:47:26 | *call to getenv | user input (an environment variable) | test.cpp:50:11:50:17 | sprintf output argument | sprintf output argument | +| test.cpp:66:10:66:16 | command | test.cpp:63:9:63:16 | fread output argument | test.cpp:66:10:66:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:63:9:63:16 | fread output argument | user input (string read by fread) | test.cpp:65:11:65:17 | strncat output argument | strncat output argument | +| test.cpp:86:32:86:38 | command | test.cpp:83:9:83:16 | fread output argument | test.cpp:86:32:86:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:83:9:83:16 | fread output argument | user input (string read by fread) | test.cpp:85:11:85:17 | strncat output argument | strncat output argument | +| test.cpp:95:45:95:48 | path | test.cpp:92:9:92:16 | fread output argument | test.cpp:95:45:95:48 | *path | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. 
| test.cpp:92:9:92:16 | fread output argument | user input (string read by fread) | test.cpp:94:11:94:14 | strncat output argument | strncat output argument | +| test.cpp:109:18:109:22 | call to c_str | test.cpp:107:20:107:38 | *call to getenv | test.cpp:109:18:109:22 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:107:20:107:38 | *call to getenv | user input (an environment variable) | test.cpp:108:31:108:31 | call to operator+ | call to operator+ | +| test.cpp:115:25:115:29 | call to c_str | test.cpp:114:20:114:38 | *call to getenv | test.cpp:115:25:115:29 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:114:20:114:38 | *call to getenv | user input (an environment variable) | test.cpp:115:10:115:23 | call to operator+ | call to operator+ | +| test.cpp:115:25:115:29 | call to c_str | test.cpp:114:20:114:38 | *call to getenv | test.cpp:115:25:115:29 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:114:20:114:38 | *call to getenv | user input (an environment variable) | test.cpp:115:17:115:17 | call to operator+ | call to operator+ | +| test.cpp:121:25:121:28 | call to data | test.cpp:120:20:120:38 | *call to getenv | test.cpp:121:10:121:30 | *call to data | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:120:20:120:38 | *call to getenv | user input (an environment variable) | test.cpp:121:17:121:17 | call to operator+ | call to operator+ | +| test.cpp:144:10:144:16 | command | test.cpp:141:9:141:11 | fread output argument | test.cpp:144:10:144:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). 
| test.cpp:141:9:141:11 | fread output argument | user input (string read by fread) | test.cpp:143:11:143:17 | sprintf output argument | sprintf output argument | +| test.cpp:184:32:184:38 | command | test.cpp:175:9:175:16 | fread output argument | test.cpp:184:32:184:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:175:9:175:16 | fread output argument | user input (string read by fread) | test.cpp:178:13:178:17 | strncat output argument | strncat output argument | +| test.cpp:184:32:184:38 | command | test.cpp:175:9:175:16 | fread output argument | test.cpp:184:32:184:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:175:9:175:16 | fread output argument | user input (string read by fread) | test.cpp:179:13:179:19 | strncat output argument | strncat output argument | +| test.cpp:184:32:184:38 | command | test.cpp:175:9:175:16 | fread output argument | test.cpp:184:32:184:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:175:9:175:16 | fread output argument | user input (string read by fread) | test.cpp:181:13:181:19 | strncat output argument | strncat output argument | +| test.cpp:199:32:199:38 | command | test.cpp:195:9:195:16 | fread output argument | test.cpp:199:32:199:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:195:9:195:16 | fread output argument | user input (string read by fread) | test.cpp:188:11:188:15 | strncat output argument | strncat output argument | +| test.cpp:199:32:199:38 | command | test.cpp:195:9:195:16 | fread output argument | test.cpp:199:32:199:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. 
| test.cpp:195:9:195:16 | fread output argument | user input (string read by fread) | test.cpp:189:11:189:17 | strncat output argument | strncat output argument | +| test.cpp:223:32:223:38 | command | test.cpp:219:9:219:16 | fread output argument | test.cpp:223:32:223:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:219:9:219:16 | fread output argument | user input (string read by fread) | test.cpp:221:10:221:16 | strncat output argument | strncat output argument | +| test.cpp:223:32:223:38 | command | test.cpp:219:9:219:16 | fread output argument | test.cpp:223:32:223:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:219:9:219:16 | fread output argument | user input (string read by fread) | test.cpp:221:10:221:16 | strncat output argument | strncat output argument | +| test.cpp:234:10:234:15 | buffer | test.cpp:231:19:231:33 | *call to getenv | test.cpp:234:10:234:15 | *buffer | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:231:19:231:33 | *call to getenv | user input (an environment variable) | test.cpp:231:11:231:16 | strncat output argument | strncat output argument | +| test.cpp:234:10:234:15 | buffer | test.cpp:232:19:232:33 | *call to getenv | test.cpp:234:10:234:15 | *buffer | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:232:19:232:33 | *call to getenv | user input (an environment variable) | test.cpp:232:11:232:16 | strncat output argument | strncat output argument | +| test.cpp:249:10:249:16 | buffer2 | test.cpp:243:5:243:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). 
| test.cpp:243:5:243:10 | *call to getenv | user input (an environment variable) | test.cpp:245:11:245:17 | sprintf output argument | sprintf output argument | +| test.cpp:249:10:249:16 | buffer2 | test.cpp:244:5:244:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:244:5:244:10 | *call to getenv | user input (an environment variable) | test.cpp:242:11:242:17 | sprintf output argument | sprintf output argument | +| test.cpp:249:10:249:16 | buffer2 | test.cpp:244:5:244:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:244:5:244:10 | *call to getenv | user input (an environment variable) | test.cpp:245:11:245:17 | sprintf output argument | sprintf output argument | +| test.cpp:249:10:249:16 | buffer2 | test.cpp:248:5:248:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:248:5:248:10 | *call to getenv | user input (an environment variable) | test.cpp:245:11:245:17 | sprintf output argument | sprintf output argument | +| test.cpp:261:10:261:15 | buffer | test.cpp:259:21:259:35 | *call to getenv | test.cpp:261:10:261:15 | *buffer | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:259:21:259:35 | *call to getenv | user input (an environment variable) | test.cpp:259:13:259:18 | strncat output argument | strncat output argument | edges | test.cpp:15:27:15:30 | **argv | test.cpp:16:20:16:26 | *access to array | provenance | | | test.cpp:16:20:16:26 | *access to array | test.cpp:22:45:22:52 | *userName | provenance | | 
@@ -202,28 +227,3 @@ subpaths | test.cpp:197:26:197:33 | *filename | test.cpp:187:47:187:54 | *filename | test.cpp:187:19:187:25 | *command | test.cpp:197:10:197:16 | concat output argument | | test.cpp:197:26:197:33 | *filename | test.cpp:187:47:187:54 | *filename | test.cpp:187:19:187:25 | *command [Return] | test.cpp:197:10:197:16 | concat output argument | | test.cpp:197:26:197:33 | *filename | test.cpp:187:47:187:54 | *filename | test.cpp:187:19:187:25 | *command [Return] | test.cpp:197:10:197:16 | concat output argument | -#select -| test.cpp:23:12:23:19 | command1 | test.cpp:15:27:15:30 | **argv | test.cpp:23:12:23:19 | *command1 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:15:27:15:30 | **argv | user input (a command-line argument) | test.cpp:22:13:22:20 | sprintf output argument | sprintf output argument | -| test.cpp:51:10:51:16 | command | test.cpp:47:21:47:26 | *call to getenv | test.cpp:51:10:51:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:47:21:47:26 | *call to getenv | user input (an environment variable) | test.cpp:50:11:50:17 | sprintf output argument | sprintf output argument | -| test.cpp:66:10:66:16 | command | test.cpp:63:9:63:16 | fread output argument | test.cpp:66:10:66:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:63:9:63:16 | fread output argument | user input (string read by fread) | test.cpp:65:11:65:17 | strncat output argument | strncat output argument | -| test.cpp:86:32:86:38 | command | test.cpp:83:9:83:16 | fread output argument | test.cpp:86:32:86:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. 
| test.cpp:83:9:83:16 | fread output argument | user input (string read by fread) | test.cpp:85:11:85:17 | strncat output argument | strncat output argument | -| test.cpp:95:45:95:48 | path | test.cpp:92:9:92:16 | fread output argument | test.cpp:95:45:95:48 | *path | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:92:9:92:16 | fread output argument | user input (string read by fread) | test.cpp:94:11:94:14 | strncat output argument | strncat output argument | -| test.cpp:109:18:109:22 | call to c_str | test.cpp:107:20:107:38 | *call to getenv | test.cpp:109:18:109:22 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:107:20:107:38 | *call to getenv | user input (an environment variable) | test.cpp:108:31:108:31 | call to operator+ | call to operator+ | -| test.cpp:115:25:115:29 | call to c_str | test.cpp:114:20:114:38 | *call to getenv | test.cpp:115:25:115:29 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:114:20:114:38 | *call to getenv | user input (an environment variable) | test.cpp:115:10:115:23 | call to operator+ | call to operator+ | -| test.cpp:115:25:115:29 | call to c_str | test.cpp:114:20:114:38 | *call to getenv | test.cpp:115:25:115:29 | *call to c_str | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:114:20:114:38 | *call to getenv | user input (an environment variable) | test.cpp:115:17:115:17 | call to operator+ | call to operator+ | -| test.cpp:121:25:121:28 | call to data | test.cpp:120:20:120:38 | *call to getenv | test.cpp:121:10:121:30 | *call to data | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). 
| test.cpp:120:20:120:38 | *call to getenv | user input (an environment variable) | test.cpp:121:17:121:17 | call to operator+ | call to operator+ | -| test.cpp:144:10:144:16 | command | test.cpp:141:9:141:11 | fread output argument | test.cpp:144:10:144:16 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:141:9:141:11 | fread output argument | user input (string read by fread) | test.cpp:143:11:143:17 | sprintf output argument | sprintf output argument | -| test.cpp:184:32:184:38 | command | test.cpp:175:9:175:16 | fread output argument | test.cpp:184:32:184:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:175:9:175:16 | fread output argument | user input (string read by fread) | test.cpp:178:13:178:17 | strncat output argument | strncat output argument | -| test.cpp:184:32:184:38 | command | test.cpp:175:9:175:16 | fread output argument | test.cpp:184:32:184:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:175:9:175:16 | fread output argument | user input (string read by fread) | test.cpp:179:13:179:19 | strncat output argument | strncat output argument | -| test.cpp:184:32:184:38 | command | test.cpp:175:9:175:16 | fread output argument | test.cpp:184:32:184:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:175:9:175:16 | fread output argument | user input (string read by fread) | test.cpp:181:13:181:19 | strncat output argument | strncat output argument | -| test.cpp:199:32:199:38 | command | test.cpp:195:9:195:16 | fread output argument | test.cpp:199:32:199:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. 
| test.cpp:195:9:195:16 | fread output argument | user input (string read by fread) | test.cpp:188:11:188:15 | strncat output argument | strncat output argument | -| test.cpp:199:32:199:38 | command | test.cpp:195:9:195:16 | fread output argument | test.cpp:199:32:199:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:195:9:195:16 | fread output argument | user input (string read by fread) | test.cpp:189:11:189:17 | strncat output argument | strncat output argument | -| test.cpp:223:32:223:38 | command | test.cpp:219:9:219:16 | fread output argument | test.cpp:223:32:223:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:219:9:219:16 | fread output argument | user input (string read by fread) | test.cpp:221:10:221:16 | strncat output argument | strncat output argument | -| test.cpp:223:32:223:38 | command | test.cpp:219:9:219:16 | fread output argument | test.cpp:223:32:223:38 | *command | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:219:9:219:16 | fread output argument | user input (string read by fread) | test.cpp:221:10:221:16 | strncat output argument | strncat output argument | -| test.cpp:234:10:234:15 | buffer | test.cpp:231:19:231:33 | *call to getenv | test.cpp:234:10:234:15 | *buffer | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:231:19:231:33 | *call to getenv | user input (an environment variable) | test.cpp:231:11:231:16 | strncat output argument | strncat output argument | -| test.cpp:234:10:234:15 | buffer | test.cpp:232:19:232:33 | *call to getenv | test.cpp:234:10:234:15 | *buffer | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). 
| test.cpp:232:19:232:33 | *call to getenv | user input (an environment variable) | test.cpp:232:11:232:16 | strncat output argument | strncat output argument | -| test.cpp:249:10:249:16 | buffer2 | test.cpp:243:5:243:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:243:5:243:10 | *call to getenv | user input (an environment variable) | test.cpp:245:11:245:17 | sprintf output argument | sprintf output argument | -| test.cpp:249:10:249:16 | buffer2 | test.cpp:244:5:244:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:244:5:244:10 | *call to getenv | user input (an environment variable) | test.cpp:242:11:242:17 | sprintf output argument | sprintf output argument | -| test.cpp:249:10:249:16 | buffer2 | test.cpp:244:5:244:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:244:5:244:10 | *call to getenv | user input (an environment variable) | test.cpp:245:11:245:17 | sprintf output argument | sprintf output argument | -| test.cpp:249:10:249:16 | buffer2 | test.cpp:248:5:248:10 | *call to getenv | test.cpp:249:10:249:16 | *buffer2 | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:248:5:248:10 | *call to getenv | user input (an environment variable) | test.cpp:245:11:245:17 | sprintf output argument | sprintf output argument | -| test.cpp:261:10:261:15 | buffer | test.cpp:259:21:259:35 | *call to getenv | test.cpp:261:10:261:15 | *buffer | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). 
| test.cpp:259:21:259:35 | *call to getenv | user input (an environment variable) | test.cpp:259:13:259:18 | strncat output argument | strncat output argument | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.qlref index 1de765a2fdf..4e996a47ad5 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-078/ExecTainted.ql +query: Security/CWE/CWE-078/ExecTainted.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/test.cpp index 8c7651f3275..3749d613795 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/test.cpp @@ -12,7 +12,7 @@ extern void encodeShellString(char *shellStr, int maxChars, const char* cStr); #include "../../../../../../include/string.h" ///// Test code ///// -int main(int argc, char** argv) { +int main(int argc, char** argv) { // $ Source char *userName = argv[2]; { @@ -20,7 +20,7 @@ int main(int argc, char** argv) { // a command. char command1[1000] = {0}; sprintf(command1, "userinfo -v \"%s\"", userName); - system(command1); + system(command1); // $ Alert } { @@ -44,11 +44,11 @@ void test2(char* arg2) { void test3(char* arg1) { // GOOD?: the user string is a `$CFLAGS` environment variable - char *envCflags = getenv("CFLAGS"); + char *envCflags = getenv("CFLAGS"); // $ Source char command[1000]; sprintf(command, "%s %s", arg1, envCflags); - system(command); + system(command); // $ Alert } typedef unsigned long size_t; 
@@ -60,10 +60,10 @@ char *strncat(char *s1, const char *s2, size_t n); void test4(FILE *f) { // BAD: the user string is injected directly into a command char command[1000] = "mv ", filename[1000]; - fread(filename, 1, 1000, f); + fread(filename, 1, 1000, f); // $ Source strncat(command, filename, 1000); - system(command); + system(command); // $ Alert } void test5(FILE *f) { @@ -80,19 +80,19 @@ int execl(char *path, char *arg1, ...); void test6(FILE *f) { // BAD: the user string is injected directly into a command char command[1000] = "mv ", filename[1000]; - fread(filename, 1, 1000, f); + fread(filename, 1, 1000, f); // $ Source strncat(command, filename, 1000); - execl("/bin/sh", "sh", "-c", command); + execl("/bin/sh", "sh", "-c", command); // $ Alert } void test7(FILE *f) { // GOOD [FALSE POSITIVE]: the user string is a positional argument to a shell script char path[1000] = "/home/me/", filename[1000]; - fread(filename, 1, 1000, f); + fread(filename, 1, 1000, f); // $ Source strncat(path, filename, 1000); - execl("/bin/sh", "sh", "-c", "script.sh", path); + execl("/bin/sh", "sh", "-c", "script.sh", path); // $ Alert } void test8(char *arg2) { 
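Review bot: In `test7` the added `// $ Alert` on `execl("/bin/sh", "sh", "-c", "script.sh", path);` asserts a result that the comment at the top of the function labels `GOOD [FALSE POSITIVE]`, so the machine-checked expectation now treats the false positive as intended behaviour. The inline-expectations syntax has a marker for this: `execl("/bin/sh", "sh", "-c", "script.sh", path); // $ SPURIOUS: Alert` still passes with the current results and makes the test report when the query stops flagging the positional-argument case. `test3` in the earlier hunk (`// GOOD?:` followed by `system(command); // $ Alert`) looks like the same situation, if that result is also considered spurious.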
@@ -104,21 +104,21 @@ void test8(char *arg2) { void test9(FILE *f) { // BAD: the user string is injected directly into a command - std::string path(getenv("something")); + std::string path(getenv("something")); // $ Source std::string command = "mv " + path; - system(command.c_str()); + system(command.c_str()); // $ Alert } void test10(FILE *f) { // BAD: the user string is injected directly into a command - std::string path(getenv("something")); - system(("mv " + path).c_str()); + std::string path(getenv("something")); // $ Source + system(("mv " + path).c_str()); // $ Alert } void test11(FILE *f) { // BAD: the user string is injected directly into a command - std::string path(getenv("something")); - system(("mv " + path).data()); + std::string path(getenv("something")); // $ Source + system(("mv " + path).data()); // $ Alert } int atoi(char *); @@ -138,10 +138,10 @@ void test13(FILE *f) { char str[1000]; char command[1000]; - fread(str, 1, 1000, f); + fread(str, 1, 1000, f); // $ Source sprintf(command, "echo %s", str); - system(command); // BAD: the user string was printed into the command with the %s specifier + system(command); // BAD: the user string was printed into the command with the %s specifier // $ Alert } void test14(FILE *f) { @@ -172,7 +172,7 @@ void test15(FILE *f) { void test16(FILE *f, bool use_flags) { // BAD: the user string is injected directly into a command char command[1000] = "mv ", flags[1000] = "-R", filename[1000]; - fread(filename, 1, 1000, f); + fread(filename, 1, 1000, f); // $ Source if (use_flags) { strncat(flags, filename, 1000); @@ -181,7 +181,7 @@ void test16(FILE *f, bool use_flags) { strncat(command, filename, 1000); } - execl("/bin/sh", "sh", "-c", command); + execl("/bin/sh", "sh", "-c", command); // $ Alert } void concat(char *command, char *flags, char *filename) { 
@@ -192,11 +192,11 @@ void concat(char *command, char *flags, char *filename) { void test17(FILE *f) { // BAD: the user string is injected directly into a command char command[1000] = "mv ", flags[1000] = "-R", filename[1000]; - fread(filename, 1, 1000, f); + fread(filename, 1, 1000, f); // $ Source concat(command, flags, filename); - execl("/bin/sh", "sh", "-c", command); + execl("/bin/sh", "sh", "-c", command); // $ Alert } void test18() { @@ -216,11 +216,11 @@ void test18() { void test19(FILE *f) { // BAD: the user string is injected directly into a command char command[1000] = "mv ", filename[1000]; - fread(filename, 1, 1000, f); + fread(filename, 1, 1000, f); // $ Source CONCAT(command, filename) - execl("/bin/sh", "sh", "-c", command); + execl("/bin/sh", "sh", "-c", command); // $ Alert } void test20() { @@ -228,10 +228,10 @@ void test20() { char buffer[1024 * 4]; strncpy(buffer, getenv("var_a"), 1024); - strncat(buffer, getenv("var_b"), 1024); - strncat(buffer, getenv("var_c"), 1024); + strncat(buffer, getenv("var_b"), 1024); // $ Source + strncat(buffer, getenv("var_c"), 1024); // $ Source strncat(buffer, " ", 1024); - system(buffer); + system(buffer); // $ Alert } void test21() { @@ -240,13 +240,13 @@ void test21() { char buffer2[1024]; sprintf(buffer1, "%s %s", - getenv("var_a"), - getenv("var_b")); + getenv("var_a"), // $ Source + getenv("var_b")); // $ Source sprintf(buffer2, "%s %s %s", " ", buffer1, - getenv("var_c")); - system(buffer2); + getenv("var_c")); // $ Source + system(buffer2); // $ Alert } void test22() { @@ -256,9 +256,9 @@ void test22() { strncpy(buffer, "command ", 1024); for (i = 0; i < 10; i++) { - strncat(buffer, getenv("var_a"), 1024); + strncat(buffer, getenv("var_a"), 1024); // $ Source } - system(buffer); + system(buffer); // $ Alert } // open question: do we want to report certain sources even when they're the start of the string? 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.expected index 4f31dd3e17b..be2a5f70bcc 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.expected @@ -1,3 +1,7 @@ +#select +| search.c:17:8:17:12 | *query | search.c:67:21:67:26 | *call to getenv | search.c:17:8:17:12 | *query | Cross-site scripting vulnerability due to $@. | search.c:67:21:67:26 | call to getenv | this query data | +| search.c:23:39:23:43 | *query | search.c:67:21:67:26 | *call to getenv | search.c:23:39:23:43 | *query | Cross-site scripting vulnerability due to $@. | search.c:67:21:67:26 | call to getenv | this query data | +| search.c:62:8:62:17 | *query_text | search.c:67:21:67:26 | *call to getenv | search.c:62:8:62:17 | *query_text | Cross-site scripting vulnerability due to $@. | search.c:67:21:67:26 | call to getenv | this query data | edges | search.c:14:24:14:28 | *query | search.c:17:8:17:12 | *query | provenance | | | search.c:22:24:22:28 | *query | search.c:23:39:23:43 | *query | provenance | | 
@@ -22,7 +26,3 @@ nodes | search.c:73:17:73:25 | *raw_query | semmle.label | *raw_query | | search.c:77:17:77:25 | *raw_query | semmle.label | *raw_query | subpaths -#select -| search.c:17:8:17:12 | *query | search.c:67:21:67:26 | *call to getenv | search.c:17:8:17:12 | *query | Cross-site scripting vulnerability due to $@. | search.c:67:21:67:26 | call to getenv | this query data | -| search.c:23:39:23:43 | *query | search.c:67:21:67:26 | *call to getenv | search.c:23:39:23:43 | *query | Cross-site scripting vulnerability due to $@. | search.c:67:21:67:26 | call to getenv | this query data | -| search.c:62:8:62:17 | *query_text | search.c:67:21:67:26 | *call to getenv | search.c:62:8:62:17 | *query_text | Cross-site scripting vulnerability due to $@. | search.c:67:21:67:26 | call to getenv | this query data | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.qlref index bd5e957761b..1192c6d67f5 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-079/CgiXss.ql +query: Security/CWE/CWE-079/CgiXss.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/search.c b/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/search.c index 9369d80fd91..830a5919eb3 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/search.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/search.c @@ -14,13 +14,13 @@ char* escape_html(char* raw); void bad_server1(char* query) { puts("

Query results for "); // BAD: Printing out an HTTP parameter with no escaping - puts(query); + puts(query); // $ Alert puts("\n

\n"); puts(do_search(query)); } void bad_server2(char* query) { - printf("

Query results for %s\n", query); + printf("

Query results for %s\n", query); // $ Alert // BAD: Printing out an HTTP parameter with no escaping puts("\n

"); puts(do_search(query)); @@ -59,12 +59,12 @@ void bad_server3(char* query) { puts("

Query results for "); // BAD: Printing out an HTTP parameter with no escaping - puts(query_text); + puts(query_text); // $ Alert puts("\n

\n"); } int main(int argc, char** argv) { - char* raw_query = getenv("QUERY_STRING"); + char* raw_query = getenv("QUERY_STRING"); // $ Source if (strcmp("good1", argv[0]) == 0) { good_server1(raw_query); } else if (strcmp("bad1", argv[0]) == 0) { diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.expected index f328113106e..999c7f5240d 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.expected @@ -1,3 +1,5 @@ +#select +| test.cpp:43:32:43:35 | *data | test.cpp:64:30:64:35 | *call to getenv | test.cpp:43:32:43:35 | *data | The value of this argument may come from $@ and is being passed to LoadLibraryA. | test.cpp:64:30:64:35 | *call to getenv | an environment variable | edges | test.cpp:37:73:37:76 | *data | test.cpp:43:32:43:35 | *data | provenance | | | test.cpp:64:30:64:35 | *call to getenv | test.cpp:64:30:64:35 | *call to getenv | provenance | | @@ -10,5 +12,3 @@ nodes | test.cpp:64:30:64:35 | *call to getenv | semmle.label | *call to getenv | | test.cpp:73:24:73:27 | *data | semmle.label | *data | subpaths -#select -| test.cpp:43:32:43:35 | *data | test.cpp:64:30:64:35 | *call to getenv | test.cpp:43:32:43:35 | *data | The value of this argument may come from $@ and is being passed to LoadLibraryA. | test.cpp:64:30:64:35 | *call to getenv | an environment variable | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.qlref index a9ca1db5199..57318b8ffeb 100644 
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-114/UncontrolledProcessOperation.ql +query: Security/CWE/CWE-114/UncontrolledProcessOperation.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/test.cpp index 299e0372d4a..bae7e5fdf99 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/test.cpp @@ -40,7 +40,7 @@ void CWE114_Process_Control__w32_char_environment_82_bad::action(char * data) HMODULE hModule; /* POTENTIAL FLAW: If the path to the library is not specified, an attacker may be able to * replace his own file with the intended library */ - hModule = LoadLibraryA(data); + hModule = LoadLibraryA(data); // $ Alert if (hModule != NULL) { FreeLibrary(hModule); @@ -61,7 +61,7 @@ void bad() { /* Append input from an environment variable to data */ size_t dataLen = strlen(data); - char * environment = GETENV(ENV_VARIABLE); + char * environment = GETENV(ENV_VARIABLE); // $ Source /* If there is data in the environment variable */ if (environment != NULL) { diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected index ca24075c2c3..c7cc621e4b3 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected 
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected 
@@ -1,3 +1,14 @@ +#select +| test.cpp:26:10:26:16 | *command | test.cpp:42:18:42:34 | *call to getenv | test.cpp:26:10:26:16 | *command | The value of this argument may come from $@ and is being passed to system. | test.cpp:42:18:42:34 | *call to getenv | an environment variable | +| test.cpp:31:10:31:16 | *command | test.cpp:43:18:43:34 | *call to getenv | test.cpp:31:10:31:16 | *command | The value of this argument may come from $@ and is being passed to system. | test.cpp:43:18:43:34 | *call to getenv | an environment variable | +| test.cpp:62:10:62:15 | *buffer | test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | *buffer | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets | +| test.cpp:63:10:63:13 | *data | test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | *data | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets | +| test.cpp:64:10:64:16 | *dataref | test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | *dataref | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets | +| test.cpp:65:10:65:14 | *data2 | test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | *data2 | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets | +| test.cpp:78:10:78:15 | *buffer | test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | *buffer | The value of this argument may come from $@ and is being passed to system. 
| test.cpp:76:12:76:17 | fgets output argument | string read by fgets | +| test.cpp:99:15:99:20 | *buffer | test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | *buffer | The value of this argument may come from $@ and is being passed to LoadLibrary. | test.cpp:98:17:98:22 | recv output argument | buffer read by recv | +| test.cpp:107:15:107:20 | *buffer | test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | *buffer | The value of this argument may come from $@ and is being passed to LoadLibrary. | test.cpp:106:17:106:22 | recv output argument | buffer read by recv | +| test.cpp:114:9:114:11 | *ptr | test.cpp:113:8:113:12 | *call to fgets | test.cpp:114:9:114:11 | *ptr | The value of this argument may come from $@ and is being passed to system. | test.cpp:113:8:113:12 | *call to fgets | string read by fgets | edges | test.cpp:24:30:24:36 | *command | test.cpp:26:10:26:16 | *command | provenance | | | test.cpp:29:30:29:36 | *command | test.cpp:31:10:31:16 | *command | provenance | | 
@@ -40,14 +51,3 @@ nodes | test.cpp:113:8:113:12 | *call to fgets | semmle.label | *call to fgets | | test.cpp:114:9:114:11 | *ptr | semmle.label | *ptr | subpaths -#select -| test.cpp:26:10:26:16 | *command | test.cpp:42:18:42:34 | *call to getenv | test.cpp:26:10:26:16 | *command | The value of this argument may come from $@ and is being passed to system. | test.cpp:42:18:42:34 | *call to getenv | an environment variable | -| test.cpp:31:10:31:16 | *command | test.cpp:43:18:43:34 | *call to getenv | test.cpp:31:10:31:16 | *command | The value of this argument may come from $@ and is being passed to system. | test.cpp:43:18:43:34 | *call to getenv | an environment variable | -| test.cpp:62:10:62:15 | *buffer | test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | *buffer | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets | -| test.cpp:63:10:63:13 | *data | test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | *data | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets | -| test.cpp:64:10:64:16 | *dataref | test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | *dataref | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets | -| test.cpp:65:10:65:14 | *data2 | test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | *data2 | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets | -| test.cpp:78:10:78:15 | *buffer | test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | *buffer | The value of this argument may come from $@ and is being passed to system. 
| test.cpp:76:12:76:17 | fgets output argument | string read by fgets | -| test.cpp:99:15:99:20 | *buffer | test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | *buffer | The value of this argument may come from $@ and is being passed to LoadLibrary. | test.cpp:98:17:98:22 | recv output argument | buffer read by recv | -| test.cpp:107:15:107:20 | *buffer | test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | *buffer | The value of this argument may come from $@ and is being passed to LoadLibrary. | test.cpp:106:17:106:22 | recv output argument | buffer read by recv | -| test.cpp:114:9:114:11 | *ptr | test.cpp:113:8:113:12 | *call to fgets | test.cpp:114:9:114:11 | *ptr | The value of this argument may come from $@ and is being passed to system. | test.cpp:113:8:113:12 | *call to fgets | string read by fgets | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.qlref index a9ca1db5199..57318b8ffeb 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-114/UncontrolledProcessOperation.ql +query: Security/CWE/CWE-114/UncontrolledProcessOperation.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/test.cpp index ed3adcb8d80..064ba375a0f 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/test.cpp 
@@ -23,12 +23,12 @@ public: void doCommand2(const char *command) { - system(command); // BAD (externally controlled string) + system(command); // BAD (externally controlled string) // $ Alert } void doCommand3(const char *command) { - system(command); // BAD (externally controlled string) + system(command); // BAD (externally controlled string) // $ Alert } }; @@ -39,8 +39,8 @@ void testMyDerived() MyBase *md3 = new MyDerived; // MyBase pointer to a MyDerived md1->doCommand1("fixed"); - md2->doCommand2(getenv("varname")); - md3->doCommand3(getenv("varname")); + md2->doCommand2(getenv("varname")); // $ Source + md3->doCommand3(getenv("varname")); // $ Source } // --- @@ -53,16 +53,16 @@ void testReferencePointer1() { char buffer[1024]; - if (fgets(buffer, 1024, stdin) != 0) + if (fgets(buffer, 1024, stdin) != 0) // $ Source { char *data = buffer; char *&dataref = data; char *data2 = dataref; - system(buffer); // BAD - system(data); // BAD - system(dataref); // BAD - system(data2); // BAD + system(buffer); // BAD // $ Alert + system(data); // BAD // $ Alert + system(dataref); // BAD // $ Alert + system(data2); // BAD // $ Alert } } @@ -73,9 +73,9 @@ void testReferencePointer2() char *&dataref = data; char *data2 = dataref; - if (fgets(buffer, 1024, stdin) != 0) + if (fgets(buffer, 1024, stdin) != 0) // $ Source { - system(buffer); // BAD + system(buffer); // BAD // $ Alert system(data); // BAD system(dataref); // BAD [NOT DETECTED] system(data2); // BAD [NOT DETECTED] 
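Review bot: In the `testReferencePointer2` hunk, three sinks that the query misses get no inline marker: the unchanged lines `system(data); // BAD`, `system(dataref); // BAD [NOT DETECTED]` and `system(data2); // BAD [NOT DETECTED]` stay as they were, while only `system(buffer)` gains `// $ Alert`. With the test now checked through inline expectations, these false negatives for externally controlled arguments to `system` are recorded only in prose. Each line could end in `// $ MISSING: Alert`, for example `system(dataref); // BAD [NOT DETECTED] // $ MISSING: Alert`, so the test reports when detection improves. `system(data); // BAD` has no row in the `#select` section of the updated `.expected` file, so its comment would presumably also gain `[NOT DETECTED]`. The function starts before this hunk and its body continues past it.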
@@ -95,21 +95,21 @@ void testAcceptRecv(int socket1, int socket2) { char buffer[1024]; - recv(socket1, buffer, 1024); - LoadLibrary(buffer); // BAD: using data from recv + recv(socket1, buffer, 1024); // $ Source + LoadLibrary(buffer); // BAD: using data from recv // $ Alert } { char buffer[1024]; accept(socket2, 0, 0); - recv(socket2, buffer, 1024); - LoadLibrary(buffer); // BAD: using data from recv + recv(socket2, buffer, 1024); // $ Source + LoadLibrary(buffer); // BAD: using data from recv // $ Alert } } void argumentUse(char *ptr, FILE *stream) { char buffer[80]; - ptr = fgets(buffer, sizeof(buffer), stream); - system(ptr); // BAD + ptr = fgets(buffer, sizeof(buffer), stream); // $ Source + system(ptr); // BAD // $ Alert } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/BadlyBoundedWrite.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/BadlyBoundedWrite.qlref index 9636c74d0a8..76b6e590021 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/BadlyBoundedWrite.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/BadlyBoundedWrite.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-120/BadlyBoundedWrite.ql \ No newline at end of file +query: Security/CWE/CWE-120/BadlyBoundedWrite.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OffsetUseBeforeRangeCheck.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OffsetUseBeforeRangeCheck.qlref index d934901f174..0e9b8f83382 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OffsetUseBeforeRangeCheck.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OffsetUseBeforeRangeCheck.qlref @@ -1 +1,2 @@ -Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql \ No newline at end of file +query: Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowBuffer.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowBuffer.qlref
index 5c2bacec579..bb308ea4b21 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowBuffer.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowBuffer.qlref
@@ -1 +1,2 @@
-Security/CWE/CWE-119/OverflowBuffer.ql
\ No newline at end of file
+query: Security/CWE/CWE-119/OverflowBuffer.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowDestination.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowDestination.expected
index e217064d1df..58f42bec0c8 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowDestination.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowDestination.expected
@@ -1,4 +1,4 @@
+#select
 edges
 nodes
 subpaths
-#select
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowDestination.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowDestination.qlref
index a4213e22fcd..0e0d1d3792d 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowDestination.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowDestination.qlref
@@ -1 +1,2 @@
-Critical/OverflowDestination.ql
\ No newline at end of file
+query: Critical/OverflowDestination.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowStatic.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowStatic.qlref
index 9ff1c3b33dc..93d88e7802a 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowStatic.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverflowStatic.qlref
@@ -1 +1,2 @@
-Critical/OverflowStatic.ql
\ No newline at end of file
+query: Critical/OverflowStatic.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWrite.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWrite.qlref
index f6c962c1a7b..18ae0f2a567 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWrite.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWrite.qlref
@@ -1 +1,2 @@
-Security/CWE/CWE-120/OverrunWrite.ql
\ No newline at end of file
+query: Security/CWE/CWE-120/OverrunWrite.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteFloat.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteFloat.qlref
index 757d1592e83..ba8f6a96a1f 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteFloat.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteFloat.qlref
@@ -1 +1,2 @@
-Security/CWE/CWE-120/OverrunWriteFloat.ql
\ No newline at end of file
+query: Security/CWE/CWE-120/OverrunWriteFloat.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected
index 3a2b7372831..b8140181620 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.expected
@@ -1,3 +1,19 @@ +#select +| test.cpp:42:5:42:11 | call to strncpy | test.cpp:18:19:18:24 | call to malloc | test.cpp:42:18:42:23 | string | This write may overflow $@ by 1 element. | test.cpp:42:18:42:23 | string | string | +| test.cpp:72:9:72:15 | call to strncpy | test.cpp:18:19:18:24 | call to malloc | test.cpp:72:22:72:27 | string | This write may overflow $@ by 1 element. | test.cpp:72:22:72:27 | string | string | +| test.cpp:80:9:80:15 | call to strncpy | test.cpp:18:19:18:24 | call to malloc | test.cpp:80:22:80:27 | string | This write may overflow $@ by 2 elements. | test.cpp:80:22:80:27 | string | string | +| test.cpp:152:5:152:11 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:152:18:152:23 | string | This write may overflow $@ by 1 element. | test.cpp:152:18:152:23 | string | string | +| test.cpp:154:5:154:11 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:154:18:154:23 | string | This write may overflow $@ by 1 element. | test.cpp:154:18:154:23 | string | string | +| test.cpp:156:5:156:11 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:156:18:156:23 | string | This write may overflow $@ by 2 elements. | test.cpp:156:18:156:23 | string | string | +| test.cpp:175:9:175:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:175:22:175:27 | string | This write may overflow $@ by 1 element. | test.cpp:175:22:175:27 | string | string | +| test.cpp:187:9:187:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:187:22:187:27 | string | This write may overflow $@ by 1 element. | test.cpp:187:22:187:27 | string | string | +| test.cpp:195:9:195:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:195:22:195:27 | string | This write may overflow $@ by 1 element. 
| test.cpp:195:22:195:27 | string | string | +| test.cpp:199:9:199:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:199:22:199:27 | string | This write may overflow $@ by 2 elements. | test.cpp:199:22:199:27 | string | string | +| test.cpp:203:9:203:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:203:22:203:27 | string | This write may overflow $@ by 2 elements. | test.cpp:203:22:203:27 | string | string | +| test.cpp:207:9:207:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:207:22:207:27 | string | This write may overflow $@ by 3 elements. | test.cpp:207:22:207:27 | string | string | +| test.cpp:243:5:243:10 | call to memset | test.cpp:241:20:241:38 | call to malloc | test.cpp:243:12:243:21 | string | This write may overflow $@ by 1 element. | test.cpp:243:16:243:21 | string | string | +| test.cpp:250:5:250:10 | call to memset | test.cpp:249:14:249:33 | call to my_alloc | test.cpp:250:12:250:12 | p | This write may overflow $@ by 1 element. | test.cpp:250:12:250:12 | p | p | +| test.cpp:266:5:266:10 | call to memset | test.cpp:262:15:262:30 | call to malloc | test.cpp:266:12:266:12 | p | This write may overflow $@ by 1 element. | test.cpp:266:12:266:12 | p | p | edges | test.cpp:16:11:16:21 | **mk_string_t [string] | test.cpp:39:21:39:31 | *call to mk_string_t [string] | provenance | | | test.cpp:18:5:18:7 | *str [post update] [string] | test.cpp:19:5:19:7 | *str [string] | provenance | | 
@@ -108,19 +124,3 @@ nodes subpaths | test.cpp:242:22:242:27 | buffer | test.cpp:235:40:235:45 | buffer | test.cpp:235:27:235:31 | *p_str [Return] [string] | test.cpp:242:16:242:19 | set_string output argument [string] | | test.cpp:242:22:242:27 | buffer | test.cpp:235:40:235:45 | buffer | test.cpp:235:27:235:31 | *p_str [string] | test.cpp:242:16:242:19 | set_string output argument [string] | -#select -| test.cpp:42:5:42:11 | call to strncpy | test.cpp:18:19:18:24 | call to malloc | test.cpp:42:18:42:23 | string | This write may overflow $@ by 1 element. | test.cpp:42:18:42:23 | string | string | -| test.cpp:72:9:72:15 | call to strncpy | test.cpp:18:19:18:24 | call to malloc | test.cpp:72:22:72:27 | string | This write may overflow $@ by 1 element. | test.cpp:72:22:72:27 | string | string | -| test.cpp:80:9:80:15 | call to strncpy | test.cpp:18:19:18:24 | call to malloc | test.cpp:80:22:80:27 | string | This write may overflow $@ by 2 elements. | test.cpp:80:22:80:27 | string | string | -| test.cpp:152:5:152:11 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:152:18:152:23 | string | This write may overflow $@ by 1 element. | test.cpp:152:18:152:23 | string | string | -| test.cpp:154:5:154:11 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:154:18:154:23 | string | This write may overflow $@ by 1 element. | test.cpp:154:18:154:23 | string | string | -| test.cpp:156:5:156:11 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:156:18:156:23 | string | This write may overflow $@ by 2 elements. | test.cpp:156:18:156:23 | string | string | -| test.cpp:175:9:175:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:175:22:175:27 | string | This write may overflow $@ by 1 element. | test.cpp:175:22:175:27 | string | string | -| test.cpp:187:9:187:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:187:22:187:27 | string | This write may overflow $@ by 1 element. 
| test.cpp:187:22:187:27 | string | string | -| test.cpp:195:9:195:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:195:22:195:27 | string | This write may overflow $@ by 1 element. | test.cpp:195:22:195:27 | string | string | -| test.cpp:199:9:199:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:199:22:199:27 | string | This write may overflow $@ by 2 elements. | test.cpp:199:22:199:27 | string | string | -| test.cpp:203:9:203:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:203:22:203:27 | string | This write may overflow $@ by 2 elements. | test.cpp:203:22:203:27 | string | string | -| test.cpp:207:9:207:15 | call to strncpy | test.cpp:147:19:147:24 | call to malloc | test.cpp:207:22:207:27 | string | This write may overflow $@ by 3 elements. | test.cpp:207:22:207:27 | string | string | -| test.cpp:243:5:243:10 | call to memset | test.cpp:241:20:241:38 | call to malloc | test.cpp:243:12:243:21 | string | This write may overflow $@ by 1 element. | test.cpp:243:16:243:21 | string | string | -| test.cpp:250:5:250:10 | call to memset | test.cpp:249:14:249:33 | call to my_alloc | test.cpp:250:12:250:12 | p | This write may overflow $@ by 1 element. | test.cpp:250:12:250:12 | p | p | -| test.cpp:266:5:266:10 | call to memset | test.cpp:262:15:262:30 | call to malloc | test.cpp:266:12:266:12 | p | This write may overflow $@ by 1 element. | test.cpp:266:12:266:12 | p | p | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.qlref index 1a418e6abc6..8ea70c432a1 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/OverrunWriteProductFlow.qlref 
@@ -1 +1,2 @@ -Security/CWE/CWE-119/OverrunWriteProductFlow.ql \ No newline at end of file +query: Security/CWE/CWE-119/OverrunWriteProductFlow.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/StrncpyFlippedArgs.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/StrncpyFlippedArgs.qlref index bf0bf1ea7d0..3a2ef158d3d 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/StrncpyFlippedArgs.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/StrncpyFlippedArgs.qlref @@ -1 +1,2 @@ -Likely Bugs/Memory Management/StrncpyFlippedArgs.ql \ No newline at end of file +query: Likely Bugs/Memory Management/StrncpyFlippedArgs.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/UnboundedWrite.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/UnboundedWrite.expected index e217064d1df..58f42bec0c8 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/UnboundedWrite.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/UnboundedWrite.expected @@ -1,4 +1,4 @@ +#select edges nodes subpaths -#select diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/UnboundedWrite.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/UnboundedWrite.qlref index 767f2ea4db9..36c47957d33 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/UnboundedWrite.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/UnboundedWrite.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-120/UnboundedWrite.ql \ No newline at end of file +query: Security/CWE/CWE-120/UnboundedWrite.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/VeryLikelyOverrunWrite.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/VeryLikelyOverrunWrite.qlref index 94b53951c4b..8dcc2f70c2f 100644 
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/VeryLikelyOverrunWrite.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/VeryLikelyOverrunWrite.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql \ No newline at end of file +query: Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/test.cpp index ca6ca9a5c5a..afba134ead8 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/test.cpp @@ -15,7 +15,7 @@ typedef struct string_t *mk_string_t(int size) { string_t *str = (string_t *) malloc(sizeof(string_t)); - str->string = malloc(size); + str->string = malloc(size); // $ Source[cpp/overrun-write] str->size = size; return str; } @@ -39,7 +39,7 @@ void test3(unsigned size, char *buf, unsigned anotherSize) { string_t *str = mk_string_t(size); strncpy(str->string, buf, str->size); // GOOD - strncpy(str->string, buf, str->size + 1); // BAD + strncpy(str->string, buf, str->size + 1); // BAD // $ Alert[cpp/overrun-write] strncpy(str->string, buf, size); // GOOD strncpy(str->string, buf, size + 1); // BAD [NOT DETECTED] @@ -69,7 +69,7 @@ void test3(unsigned size, char *buf, unsigned anotherSize) { } if(anotherSize <= str->size + 1) { - strncpy(str->string, buf, anotherSize); // BAD + strncpy(str->string, buf, anotherSize); // BAD // $ Alert[cpp/overrun-write] } if(anotherSize <= size + 1) { @@ -77,7 +77,7 @@ void test3(unsigned size, char *buf, unsigned anotherSize) { } if(anotherSize <= str->size + 2) { - strncpy(str->string, buf, anotherSize); // BAD + strncpy(str->string, buf, anotherSize); // BAD // $ Alert[cpp/overrun-write] } if(anotherSize <= size + 2) { 
@@ -144,16 +144,16 @@ void test4(unsigned size, char *buf, unsigned anotherSize) { void test5(unsigned size, char *buf, unsigned anotherSize) { string_t *str = (string_t *) malloc(sizeof(string_t)); - str->string = malloc(size - 1); + str->string = malloc(size - 1); // $ Source[cpp/overrun-write] str->size = size - 1; strncpy(str->string, buf, str->size); // GOOD strncpy(str->string, buf, str->size - 1); // GOOD - strncpy(str->string, buf, str->size + 1); // BAD + strncpy(str->string, buf, str->size + 1); // BAD // $ Alert[cpp/overrun-write] - strncpy(str->string, buf, size); // BAD + strncpy(str->string, buf, size); // BAD // $ Alert[cpp/overrun-write] strncpy(str->string, buf, size - 1); // GOOD - strncpy(str->string, buf, size + 1); // BAD + strncpy(str->string, buf, size + 1); // BAD // $ Alert[cpp/overrun-write] if(anotherSize < str->size) { strncpy(str->string, buf, anotherSize); // GOOD @@ -172,7 +172,7 @@ void test5(unsigned size, char *buf, unsigned anotherSize) { } if(anotherSize <= size) { - strncpy(str->string, buf, anotherSize); // BAD + strncpy(str->string, buf, anotherSize); // BAD // $ Alert[cpp/overrun-write] } if(anotherSize <= size - 1) { @@ -184,7 +184,7 @@ void test5(unsigned size, char *buf, unsigned anotherSize) { } if(anotherSize < size + 1) { - strncpy(str->string, buf, anotherSize); // BAD + strncpy(str->string, buf, anotherSize); // BAD // $ Alert[cpp/overrun-write] } if(anotherSize < size - 1) { 
@@ -192,19 +192,19 @@ void test5(unsigned size, char *buf, unsigned anotherSize) { } if(anotherSize <= str->size + 1) { - strncpy(str->string, buf, anotherSize); // BAD + strncpy(str->string, buf, anotherSize); // BAD // $ Alert[cpp/overrun-write] } if(anotherSize <= size + 1) { - strncpy(str->string, buf, anotherSize); // BAD + strncpy(str->string, buf, anotherSize); // BAD // $ Alert[cpp/overrun-write] } if(anotherSize <= str->size + 2) { - strncpy(str->string, buf, anotherSize); // BAD + strncpy(str->string, buf, anotherSize); // BAD // $ Alert[cpp/overrun-write] } if(anotherSize <= size + 2) { - strncpy(str->string, buf, anotherSize); // BAD + strncpy(str->string, buf, anotherSize); // BAD // $ Alert[cpp/overrun-write] } } @@ -238,16 +238,16 @@ void set_string(string_t* p_str, char* buffer) { void test_flow_through_setter(unsigned size) { string_t str; - char* buffer = (char*)malloc(size); + char* buffer = (char*)malloc(size); // $ Source[cpp/overrun-write] set_string(&str, buffer); - memset(str.string, 0, size + 1); // BAD + memset(str.string, 0, size + 1); // BAD // $ Alert[cpp/overrun-write] } void* my_alloc(unsigned size); void foo(unsigned size) { - int* p = (int*)my_alloc(size); // BAD - memset(p, 0, size + 1); + int* p = (int*)my_alloc(size); // BAD // $ Source[cpp/overrun-write] + memset(p, 0, size + 1); // $ Alert[cpp/overrun-write] } void test6(unsigned long n, char *p) { @@ -259,11 +259,11 @@ void test6(unsigned long n, char *p) { } void test7(unsigned n) { - char* p = (char*)malloc(n); + char* p = (char*)malloc(n); // $ Source[cpp/overrun-write] if(!p) { p = (char*)malloc(++n); } - memset(p, 0, n); // GOOD [FALSE POSITIVE] + memset(p, 0, n); // GOOD [FALSE POSITIVE] // $ Alert[cpp/overrun-write] } void test8(unsigned size, unsigned src_pos) diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/tests.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/tests.cpp index 61b69d95185..1806be58d7d 100644 
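Review bot: In the `test7` hunk, the known false positive is pinned as an ordinary expected result: `memset(p, 0, n); // GOOD [FALSE POSITIVE] // $ Alert[cpp/overrun-write]`. Writing it as `memset(p, 0, n); // GOOD // $ SPURIOUS: Alert[cpp/overrun-write]` keeps the false-positive status in the expectation itself, so a later precision fix to the query shows up as a resolved spurious result rather than as a lost alert. The `wcsncpy(data, source, wcslen(source) + 1); // [FALSE POSITIVE RESULT] (debatable)` line in the `@@ -303,7 +303,7 @@` hunk of SAMATE/tests.cpp is annotated the same way and could get the same treatment once it is decided whether that result is wanted.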
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/tests.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/tests.cpp @@ -168,8 +168,8 @@ void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_memcpy_01_bad() memset(source, 'C', 100-1); /* fill with 'C's */ source[100-1] = '\0'; /* null terminate */ /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */ - memcpy(data, source, 100*sizeof(char)); - data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ + memcpy(data, source, 100*sizeof(char)); // $ Alert[cpp/overflow-buffer] + data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ // $ Alert[cpp/overflow-buffer] printLine(data); free(data); } @@ -189,8 +189,8 @@ void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_01_bad() memset(source, 'C', 100-1); /* fill with 'C's */ source[100-1] = '\0'; /* null terminate */ /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ - memcpy(data, source, 100*sizeof(char)); - data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ + memcpy(data, source, 100*sizeof(char)); // $ Alert[cpp/overflow-buffer] + data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ // $ Alert[cpp/overflow-buffer] printLine(data); } } @@ -209,8 +209,8 @@ void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_memcpy_01_bad() memset(source, 'C', 100-1); /* fill with 'C's */ source[100-1] = '\0'; /* null terminate */ /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */ - memcpy(data, source, 100*sizeof(char)); - data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ + memcpy(data, source, 100*sizeof(char)); // $ Alert[cpp/overflow-buffer] + data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ // $ Alert[cpp/overflow-buffer] printLine(data); } } 
@@ -234,7 +234,7 @@ void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_loop_01_bad() { data[i] = source[i]; } - data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ + data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ // $ Alert[cpp/overflow-buffer] printLine(data); } } @@ -258,7 +258,7 @@ void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_01_bad() { data[i] = source[i]; } - data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ + data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */ // $ Alert[cpp/overflow-buffer] printLine(data); } } @@ -287,7 +287,7 @@ namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_wchar_t_ncpy_01 wchar_t source[10+1] = SRC_STRING; /* Copy length + 1 to include NUL terminator from source */ /* POTENTIAL FLAW: data may not have enough space to hold source */ - wcsncpy(data, source, wcslen(source) + 1); + wcsncpy(data, source, wcslen(source) + 1); // $ Alert[cpp/bad-strncpy-size] printWLine(data); delete [] data; } @@ -303,7 +303,7 @@ namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_wchar_t_ncpy_01 wchar_t source[10+1] = SRC_STRING; /* Copy length + 1 to include NUL terminator from source */ /* POTENTIAL FLAW: data may not have enough space to hold source */ - wcsncpy(data, source, wcslen(source) + 1); // [FALSE POSITIVE RESULT] (debatable) + wcsncpy(data, source, wcslen(source) + 1); // [FALSE POSITIVE RESULT] (debatable) // $ Alert[cpp/bad-strncpy-size] printWLine(data); delete [] data; } @@ -347,7 +347,7 @@ namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_ncat_01 memset(source, 'C', 100-1); /* fill with 'C's */ source[100-1] = '\0'; /* null terminate */ /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */ - strncat(data, source, 100); + strncat(data, source, 100); // $ Alert[cpp/badly-bounded-write] printLine(data); delete [] data; } 
@@ -381,7 +381,7 @@ void CWE121_Stack_Based_Buffer_Overflow__CWE131_memcpy_01_bad() { int source[10] = {0}; /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */ - memcpy(data, source, 10*sizeof(int)); + memcpy(data, source, 10*sizeof(int)); // $ Alert[cpp/overflow-buffer] printIntLine(data[0]); } } @@ -431,7 +431,7 @@ void CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_loop_01_bad() { data[i] = source[i]; } - data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */ + data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */ // $ Alert[cpp/overflow-buffer] printWLine(data); delete [] data; } @@ -449,8 +449,8 @@ void CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncpy_01_bad() wmemset(source, L'C', 100-1); /* fill with L'C's */ source[100-1] = L'\0'; /* null terminate */ /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */ - wcsncpy(data, source, 100-1); - data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */ + wcsncpy(data, source, 100-1); // $ Alert[cpp/bad-strncpy-size] Alert[cpp/badly-bounded-write] + data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */ // $ Alert[cpp/overflow-buffer] printWLine(data); delete [] data; } @@ -478,7 +478,7 @@ void CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_snprintf_01_bad() wmemset(source, L'C', 100-1); /* fill with L'C's */ source[100-1] = L'\0'; /* null terminate */ /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */ - SNPRINTF(data, 100, L"%s", source); + SNPRINTF(data, 100, L"%s", source); // $ Alert[cpp/badly-bounded-write] printWLine(data); delete [] data; } 
@@ -627,7 +627,7 @@ void CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_snprintf_31_bad() wmemset(source, L'C', 100-1); /* fill with L'C's */ source[100-1] = L'\0'; /* null terminate */ /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */ - SNPRINTF(data, 100, L"%s", source); + SNPRINTF(data, 100, L"%s", source); // $ Alert[cpp/badly-bounded-write] printWLine(data); delete [] data; } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/BadlyBoundedWrite.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/BadlyBoundedWrite.qlref index 9636c74d0a8..76b6e590021 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/BadlyBoundedWrite.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/BadlyBoundedWrite.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-120/BadlyBoundedWrite.ql \ No newline at end of file +query: Security/CWE/CWE-120/BadlyBoundedWrite.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OffsetUseBeforeRangeCheck.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OffsetUseBeforeRangeCheck.qlref index d934901f174..0e9b8f83382 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OffsetUseBeforeRangeCheck.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OffsetUseBeforeRangeCheck.qlref @@ -1 +1,2 @@ -Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql \ No newline at end of file +query: Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowBuffer.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowBuffer.qlref index 5c2bacec579..bb308ea4b21 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowBuffer.qlref 
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowBuffer.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-119/OverflowBuffer.ql \ No newline at end of file +query: Security/CWE/CWE-119/OverflowBuffer.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.expected index d9137973707..142a9b4c59e 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.expected @@ -1,3 +1,8 @@ +#select +| overflowdestination.cpp:30:2:30:8 | call to strncpy | main.cpp:6:27:6:30 | **argv | overflowdestination.cpp:30:17:30:20 | *arg1 | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. | +| overflowdestination.cpp:46:2:46:7 | call to memcpy | overflowdestination.cpp:43:8:43:10 | fgets output argument | overflowdestination.cpp:46:15:46:17 | *src | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. | +| overflowdestination.cpp:53:2:53:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:53:15:53:17 | *src | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. | +| overflowdestination.cpp:64:2:64:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:64:16:64:19 | *src2 | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. | edges | main.cpp:6:27:6:30 | **argv | main.cpp:7:33:7:36 | **argv | provenance | | | main.cpp:7:33:7:36 | **argv | overflowdestination.cpp:23:45:23:48 | **argv | provenance | | 
@@ -34,8 +39,3 @@ nodes | overflowdestination.cpp:76:30:76:32 | *src | semmle.label | *src | subpaths | overflowdestination.cpp:75:30:75:32 | *src | overflowdestination.cpp:50:52:50:54 | *src | overflowdestination.cpp:50:52:50:54 | *src | overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument | -#select -| overflowdestination.cpp:30:2:30:8 | call to strncpy | main.cpp:6:27:6:30 | **argv | overflowdestination.cpp:30:17:30:20 | *arg1 | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. | -| overflowdestination.cpp:46:2:46:7 | call to memcpy | overflowdestination.cpp:43:8:43:10 | fgets output argument | overflowdestination.cpp:46:15:46:17 | *src | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. | -| overflowdestination.cpp:53:2:53:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:53:15:53:17 | *src | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. | -| overflowdestination.cpp:64:2:64:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:64:16:64:19 | *src2 | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.qlref index a4213e22fcd..0e0d1d3792d 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.qlref @@ -1 +1,2 @@ -Critical/OverflowDestination.ql \ No newline at end of file +query: Critical/OverflowDestination.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowStatic.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowStatic.qlref
index 9ff1c3b33dc..93d88e7802a 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowStatic.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowStatic.qlref
@@ -1 +1,2 @@
-Critical/OverflowStatic.ql
\ No newline at end of file
+query: Critical/OverflowStatic.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverrunWrite.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverrunWrite.qlref
index f6c962c1a7b..18ae0f2a567 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverrunWrite.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverrunWrite.qlref
@@ -1 +1,2 @@
-Security/CWE/CWE-120/OverrunWrite.ql
\ No newline at end of file
+query: Security/CWE/CWE-120/OverrunWrite.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverrunWriteFloat.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverrunWriteFloat.qlref
index 757d1592e83..ba8f6a96a1f 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverrunWriteFloat.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverrunWriteFloat.qlref
@@ -1 +1,2 @@
-Security/CWE/CWE-120/OverrunWriteFloat.ql
\ No newline at end of file
+query: Security/CWE/CWE-120/OverrunWriteFloat.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/StrncpyFlippedArgs.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/StrncpyFlippedArgs.qlref
index bf0bf1ea7d0..3a2ef158d3d 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/StrncpyFlippedArgs.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/StrncpyFlippedArgs.qlref @@ -1 +1,2 @@ -Likely Bugs/Memory Management/StrncpyFlippedArgs.ql \ No newline at end of file +query: Likely Bugs/Memory Management/StrncpyFlippedArgs.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected index 5c10f6e059d..af3fa1ab7cf 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected @@ -1,3 +1,6 @@ +#select +| tests.cpp:636:2:636:7 | call to strcpy | main.cpp:6:27:6:30 | **argv | tests.cpp:636:17:636:22 | *source | This 'call to strcpy' with input from $@ may overflow the destination. | main.cpp:6:27:6:30 | **argv | a command-line argument | +| tests.cpp:649:2:649:7 | call to strcpy | main.cpp:6:27:6:30 | **argv | tests.cpp:649:14:649:19 | *home | This 'call to strcpy' with input from $@ may overflow the destination. | main.cpp:6:27:6:30 | **argv | a command-line argument | edges | main.cpp:6:27:6:30 | **argv | main.cpp:7:33:7:36 | **argv | provenance | | | main.cpp:6:27:6:30 | **argv | main.cpp:8:34:8:37 | **argv | provenance | | 
@@ -96,6 +99,3 @@ subpaths | main.cpp:8:34:8:37 | *argv | test_buffer_overrun.cpp:32:46:32:49 | *argv | test_buffer_overrun.cpp:32:46:32:49 | *argv | main.cpp:8:34:8:37 | test_buffer_overrun_main output argument | | main.cpp:9:29:9:32 | **argv | tests_restrict.c:15:41:15:44 | **argv | tests_restrict.c:15:41:15:44 | **argv | main.cpp:9:29:9:32 | tests_restrict_main output argument | | main.cpp:9:29:9:32 | *argv | tests_restrict.c:15:41:15:44 | *argv | tests_restrict.c:15:41:15:44 | *argv | main.cpp:9:29:9:32 | tests_restrict_main output argument | -#select -| tests.cpp:636:2:636:7 | call to strcpy | main.cpp:6:27:6:30 | **argv | tests.cpp:636:17:636:22 | *source | This 'call to strcpy' with input from $@ may overflow the destination. | main.cpp:6:27:6:30 | **argv | a command-line argument | -| tests.cpp:649:2:649:7 | call to strcpy | main.cpp:6:27:6:30 | **argv | tests.cpp:649:14:649:19 | *home | This 'call to strcpy' with input from $@ may overflow the destination. | main.cpp:6:27:6:30 | **argv | a command-line argument | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.qlref index 767f2ea4db9..36c47957d33 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-120/UnboundedWrite.ql \ No newline at end of file +query: Security/CWE/CWE-120/UnboundedWrite.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/VeryLikelyOverrunWrite.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/VeryLikelyOverrunWrite.qlref index 94b53951c4b..8dcc2f70c2f 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/VeryLikelyOverrunWrite.qlref 
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/VeryLikelyOverrunWrite.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql \ No newline at end of file +query: Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/main.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/main.cpp index 78f94af22cf..6f04206359c 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/main.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/main.cpp @@ -3,7 +3,7 @@ int test_buffer_overrun_main(int argc, char **argv); int tests_restrict_main(int argc, char **argv); int tests_main(int argc, char **argv); -int main(int argc, char **argv) { +int main(int argc, char **argv) { // $ Source[cpp/overflow-destination] Source[cpp/unbounded-write] overflowdesination_main(argc, argv); test_buffer_overrun_main(argc, argv); tests_restrict_main(argc, argv); diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/overflowdestination.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/overflowdestination.cpp index 8b785b5a662..5aa229610bc 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/overflowdestination.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/overflowdestination.cpp @@ -27,7 +27,7 @@ int overflowdesination_main(int argc, char* argv[]) { arg1 = argv[1]; //wrong: only uses the size of the source (argv[1]) when using strncpy - strncpy(param, arg1, strlen(arg1)); + strncpy(param, arg1, strlen(arg1)); // $ Alert[cpp/bad-strncpy-size] Alert[cpp/overflow-destination] //correct: uses the size of the destination array as well strncpy(param, arg1, min(strlen(arg1), sizeof(param) -1)); 
@@ -40,17 +40,17 @@ void overflowdest_test1(FILE *f) char dest[64]; char src[128]; - fgets(src, 128, f); // GOOD (taints `src`) + fgets(src, 128, f); // GOOD (taints `src`) // $ Source[cpp/overflow-destination] memcpy(dest, src, sizeof(dest)); // GOOD - memcpy(dest, src, sizeof(src)); // BAD: size derived from the source buffer + memcpy(dest, src, sizeof(src)); // BAD: size derived from the source buffer // $ Alert[cpp/overflow-buffer] Alert[cpp/overflow-destination] Alert[cpp/static-buffer-overflow] memcpy(dest, dest, sizeof(dest)); // GOOD } void overflowdest_test2(FILE *f, char *dest, char *src) { memcpy(dest, src, strlen(dest) + 1); // GOOD - memcpy(dest, src, strlen(src) + 1); // BAD: size derived from the source buffer + memcpy(dest, src, strlen(src) + 1); // BAD: size derived from the source buffer // $ Alert[cpp/overflow-destination] memcpy(dest, dest, strlen(dest) + 1); // GOOD } @@ -61,7 +61,7 @@ void overflowdest_test3(FILE *f, char *dest, char *src) char *src3 = src; memcpy(dest2, src2, strlen(dest2) + 1); // GOOD - memcpy(dest2, src2, strlen(src2) + 1); // BAD: size derived from the source buffer + memcpy(dest2, src2, strlen(src2) + 1); // BAD: size derived from the source buffer // $ Alert[cpp/overflow-destination] memcpy(dest2, dest2, strlen(dest2) + 1); // GOOD } @@ -70,7 +70,7 @@ void overflowdest_test23_caller(FILE *f) char dest[64]; char src[128]; - fgets(src, 128, f); // GOOD (taints `src`) + fgets(src, 128, f); // GOOD (taints `src`) // $ Source[cpp/overflow-destination] overflowdest_test2(f, dest, src); overflowdest_test3(f, dest, src); diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp index 603d868258a..60e26aca37f 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp 
@@ -20,9 +20,9 @@ void test1() char bigbuffer[20]; memcpy(bigbuffer, smallbuffer, sizeof(smallbuffer)); // GOOD - memcpy(bigbuffer, smallbuffer, sizeof(bigbuffer)); // BAD: over-read + memcpy(bigbuffer, smallbuffer, sizeof(bigbuffer)); // BAD: over-read // $ Alert[cpp/overflow-buffer] memcpy(smallbuffer, bigbuffer, sizeof(smallbuffer)); // GOOD - memcpy(smallbuffer, bigbuffer, sizeof(bigbuffer)); // BAD: over-write + memcpy(smallbuffer, bigbuffer, sizeof(bigbuffer)); // BAD: over-write // $ Alert[cpp/overflow-buffer] Alert[cpp/static-buffer-overflow] } void test2() @@ -31,9 +31,9 @@ void test2() char *bigbuffer = (char *)malloc(sizeof(char) * 20); memcpy(bigbuffer, smallbuffer, sizeof(char) * 10); // GOOD - memcpy(bigbuffer, smallbuffer, sizeof(char) * 20); // BAD: over-read + memcpy(bigbuffer, smallbuffer, sizeof(char) * 20); // BAD: over-read // $ Alert[cpp/overflow-buffer] memcpy(smallbuffer, bigbuffer, sizeof(char) * 10); // GOOD - memcpy(smallbuffer, bigbuffer, sizeof(char) * 20); // BAD: over-write + memcpy(smallbuffer, bigbuffer, sizeof(char) * 20); // BAD: over-write // $ Alert[cpp/overflow-buffer] free(bigbuffer); free(smallbuffer); @@ -47,9 +47,9 @@ void test3() bigbuffer = new char[20]; memcpy(bigbuffer, smallbuffer, sizeof(char[10])); // GOOD - memcpy(bigbuffer, smallbuffer, sizeof(char[20])); // BAD: over-read + memcpy(bigbuffer, smallbuffer, sizeof(char[20])); // BAD: over-read // $ Alert[cpp/overflow-buffer] memcpy(smallbuffer, bigbuffer, sizeof(char[10])); // GOOD - memcpy(smallbuffer, bigbuffer, sizeof(char[20])); // BAD: over-write + memcpy(smallbuffer, bigbuffer, sizeof(char[20])); // BAD: over-write // $ Alert[cpp/overflow-buffer] delete [] bigbuffer; delete [] smallbuffer; 
@@ -160,8 +160,8 @@ void test6(bool cond) for (k = 0; k <= 100; k++) { - buffer[k] = 'x'; // BAD: over-write - ch = buffer[k]; // BAD: over-read + buffer[k] = 'x'; // BAD: over-write // $ Alert[cpp/static-buffer-overflow] + ch = buffer[k]; // BAD: over-read // $ Alert[cpp/static-buffer-overflow] } } @@ -169,11 +169,11 @@ void test7() { char *names[] = {"tom", "dick", "harry"}; - printf("name: %s\n", names[-1]); // BAD: under-read + printf("name: %s\n", names[-1]); // BAD: under-read // $ Alert[cpp/overflow-buffer] printf("name: %s\n", names[0]); // GOOD printf("name: %s\n", names[1]); // GOOD printf("name: %s\n", names[2]); // GOOD - printf("name: %s\n", names[3]); // BAD: over-read + printf("name: %s\n", names[3]); // BAD: over-read // $ Alert[cpp/overflow-buffer] } void test8(int unbounded) @@ -219,16 +219,16 @@ void test9(int param) buffer4 = buffer3; memset(buffer1, 0, 32); // GOOD - memset(buffer1, 0, 33); // BAD: overrun write of buffer1 + memset(buffer1, 0, 33); // BAD: overrun write of buffer1 // $ Alert[cpp/overflow-buffer] memset(buffer2, 0, 32); // GOOD - memset(buffer2, 0, 33); // BAD: overrun write of buffer2 + memset(buffer2, 0, 33); // BAD: overrun write of buffer2 // $ Alert[cpp/overflow-buffer] memset(buffer3, 0, 32); // GOOD - memset(buffer3, 0, 33); // BAD: overrun write of buffer3 + memset(buffer3, 0, 33); // BAD: overrun write of buffer3 // $ Alert[cpp/overflow-buffer] memset(buffer4, 0, 32); // GOOD - memset(buffer4, 0, 33); // BAD: overrun write of buffer4 (buffer3) + memset(buffer4, 0, 33); // BAD: overrun write of buffer4 (buffer3) // $ Alert[cpp/overflow-buffer] memcmp(buffer1, buffer2, 32); // GOOD - memcmp(buffer1, buffer2, 33); // BAD: overrun read of buffer1, buffer2 + memcmp(buffer1, buffer2, 33); // BAD: overrun read of buffer1, buffer2 // $ Alert[cpp/overflow-buffer] } { 
@@ -236,13 +236,13 @@ void test9(int param) char *str2 = "abcdefgh"; strncpy(str1, str2, strlen(str1) + 1); // GOOD - strncpy(str1, str2, strlen(str2) + 1); // BAD: overrun write of str1 - strncpy(str2, str1, strlen(str1) + 1); // DUBIOUS (detected) + strncpy(str1, str2, strlen(str2) + 1); // BAD: overrun write of str1 // $ Alert[cpp/bad-strncpy-size] + strncpy(str2, str1, strlen(str1) + 1); // DUBIOUS (detected) // $ Alert[cpp/bad-strncpy-size] strncpy(str2, str1, strlen(str2) + 1); // BAD: overrun read of str1 [NOT REPORTED] } - memmove(global_array_6, global_array_5, 6); // BAD: overrun read of global_array_5 - memmove(global_array_5, global_array_6, 6); // BAD: overrun write of global_array_5 + memmove(global_array_6, global_array_5, 6); // BAD: overrun read of global_array_5 // $ Alert[cpp/overflow-buffer] + memmove(global_array_5, global_array_6, 6); // BAD: overrun write of global_array_5 // $ Alert[cpp/overflow-buffer] Alert[cpp/static-buffer-overflow] if (param > 0) { @@ -262,8 +262,8 @@ void test10() wmemset(buffer1, 0, 32); // GOOD - wmemset(buffer1, 0, 33); // BAD: overrun write of buffer1 - wmemset((wchar_t *)buffer2, 0, 32); // BAD: overrun write of buffer2 + wmemset(buffer1, 0, 33); // BAD: overrun write of buffer1 // $ Alert[cpp/overflow-buffer] + wmemset((wchar_t *)buffer2, 0, 32); // BAD: overrun write of buffer2 // $ Alert[cpp/overflow-buffer] } void test11() @@ -272,7 +272,7 @@ void test11() char *string = "Hello, world!"; memset(string, 0, 14); // GOOD - memset(string, 0, 15); // BAD: overrun write of string + memset(string, 0, 15); // BAD: overrun write of string // $ Alert[cpp/overflow-buffer] } { 
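Review bot: The known false negative on `strncpy(str2, str1, strlen(str2) + 1); // BAD: overrun read of str1 [NOT REPORTED]` in test9 is still recorded only in prose, so the inline-expectations postprocess does not track it. Now that its neighbours carry `// $ Alert[...]`, this line could carry `// $ MISSING: Alert[<query-id>]`, with the id of the query that is meant to catch it, so the test output changes when detection improves. The same applies to the `[NOT DETECTED]` lines left as context in the tests.cpp hunks at -307, -345, -472, -595 and -663, and in var_size_struct.cpp at -96. test9 starts and ends outside this hunk.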
@@ -282,14 +282,14 @@ void test11() buffer = new char[64]; - memset(buffer, 0, 128); // BAD: overrun write of buffer + memset(buffer, 0, 128); // BAD: overrun write of buffer // $ Alert[cpp/overflow-buffer] } { char array[10] = "123"; memset(array, 0, 10); // GOOD - memset(array, 0, 11); // BAD: overrun write of array + memset(array, 0, 11); // BAD: overrun write of array // $ Alert[cpp/overflow-buffer] } } @@ -307,11 +307,11 @@ void test12() dbuf = new char[16]; memset(&myVar, 0, sizeof(myVar)); // GOOD - memset(&myVar, 0, sizeof(myVar) + 1); // BAD: overrun write of myVar + memset(&myVar, 0, sizeof(myVar) + 1); // BAD: overrun write of myVar // $ Alert[cpp/overflow-buffer] memset(myVar.buffer, 0, 16); // GOOD memset(myVar.buffer, 0, 17); // DUBIOUS: overrun write of myVar.buffer, but not out of myVar itself [NOT DETECTED] memset(&(myVar.field), 0, sizeof(int)); // GOOD - memset(&(myVar.field), 0, sizeof(int) * 2); // BAD: overrun write of myVar.field + memset(&(myVar.field), 0, sizeof(int) * 2); // BAD: overrun write of myVar.field // $ Alert[cpp/overflow-buffer] memset(buf + 8, 0, 8); // GOOD memset(buf + 8, 0, 9); // BAD: overrun write of buf [NOT DETECTED] 
@@ -345,33 +345,33 @@ void test13(char *argArray) char *ptrArray = charArray; char *ptrArrayOffset = charArray + 1; - charArray[-1] = 1; // BAD: underrun write + charArray[-1] = 1; // BAD: underrun write // $ Alert[cpp/overflow-buffer] charArray[0] = 1; // GOOD charArray[9] = 1; // GOOD - charArray[10] = 1; // BAD: overrun write - charArray[5] = charArray[10]; // BAD: overrun read + charArray[10] = 1; // BAD: overrun write // $ Alert[cpp/overflow-buffer] Alert[cpp/static-buffer-overflow] + charArray[5] = charArray[10]; // BAD: overrun read // $ Alert[cpp/overflow-buffer] Alert[cpp/static-buffer-overflow] - intArray[-1] = 1; // BAD: underrun write + intArray[-1] = 1; // BAD: underrun write // $ Alert[cpp/overflow-buffer] intArray[0] = 1; // GOOD intArray[9] = 1; // GOOD - intArray[10] = 1; // BAD: overrun write - intArray[5] = intArray[10]; // BAD: overrun read + intArray[10] = 1; // BAD: overrun write // $ Alert[cpp/overflow-buffer] + intArray[5] = intArray[10]; // BAD: overrun read // $ Alert[cpp/overflow-buffer] - structArray[-1].field = 1; // BAD: underrun write + structArray[-1].field = 1; // BAD: underrun write // $ Alert[cpp/overflow-buffer] structArray[0].field = 1; // GOOD structArray[9].field = 1; // GOOD - structArray[10].field = 1; // BAD: overrun write - structArray[5].field = structArray[10].field; // BAD: overrun read + structArray[10].field = 1; // BAD: overrun write // $ Alert[cpp/overflow-buffer] + structArray[5].field = structArray[10].field; // BAD: overrun read // $ Alert[cpp/overflow-buffer] charArray[9] = (char)intArray[9]; // GOOD - charArray[9] = (char)intArray[10]; // BAD: overrun read + charArray[9] = (char)intArray[10]; // BAD: overrun read // $ Alert[cpp/overflow-buffer] - ptrArray[-2] = 1; // BAD: underrun write - ptrArray[-1] = 1; // BAD: underrun write + ptrArray[-2] = 1; // BAD: underrun write // $ Alert[cpp/overflow-buffer] + ptrArray[-1] = 1; // BAD: underrun write // $ Alert[cpp/overflow-buffer] ptrArray[0] = 1; // GOOD 
ptrArray[8] = 1; // GOOD ptrArray[9] = 1; // GOOD - ptrArray[10] = 1; // BAD: overrun write + ptrArray[10] = 1; // BAD: overrun write // $ Alert[cpp/overflow-buffer] ptrArrayOffset[-2] = 1; // BAD: underrun write [NOT DETECTED] ptrArrayOffset[-1] = 1; // GOOD (there is room for this) @@ -391,10 +391,10 @@ void test13(char *argArray) buffer1[0] = 0xFFFF; buffer1[49] = 0xFFFF; - buffer1[50] = 0xFFFF; // BAD: overrun write + buffer1[50] = 0xFFFF; // BAD: overrun write // $ Alert[cpp/overflow-buffer] buffer2[0] = 0xFFFF; buffer2[49] = 0xFFFF; - buffer2[50] = 0xFFFF; // BAD: overrun write + buffer2[50] = 0xFFFF; // BAD: overrun write // $ Alert[cpp/overflow-buffer] } } @@ -464,7 +464,7 @@ void test17(long long *longArray) { int intArray[5]; - ((char *)intArray)[-3] = 0; // BAD: underrun write + ((char *)intArray)[-3] = 0; // BAD: underrun write // $ Alert[cpp/overflow-buffer] } { @@ -472,14 +472,14 @@ void test17(long long *longArray) multi[5][5] = 0; // GOOD - multi[-5][5] = 0; // BAD: underrun write [INCORRECT MESSAGE] + multi[-5][5] = 0; // BAD: underrun write [INCORRECT MESSAGE] // $ Alert[cpp/overflow-buffer] multi[5][-5] = 0; // DUBIOUS: underrun write (this one is still within the bounds of the whole array) - multi[-5][-5] = 0; // BAD: underrun write [INCORRECT MESSAGE] + multi[-5][-5] = 0; // BAD: underrun write [INCORRECT MESSAGE] // $ Alert[cpp/overflow-buffer] multi[0][-5] = 0; // BAD: underrun write [NOT DETECTED] - multi[15][5] = 0; // BAD: overrun write + multi[15][5] = 0; // BAD: overrun write // $ Alert[cpp/overflow-buffer] multi[5][15] = 0; // DUBIOUS: overrun write (this one is still within the bounds of the whole array) - multi[15][15] = 0; // BAD: overrun write + multi[15][15] = 0; // BAD: overrun write // $ Alert[cpp/overflow-buffer] } } 
@@ -494,22 +494,22 @@ void test18() char *p4 = (char *)malloc(128); char *p5 = (char *)malloc(128); - p1[-1] = 0; // BAD: underrun write - p2[-1] = 0; // BAD: underrun write + p1[-1] = 0; // BAD: underrun write // $ Alert[cpp/overflow-buffer] + p2[-1] = 0; // BAD: underrun write // $ Alert[cpp/overflow-buffer] p2++; p2[-1] = 0; // GOOD - p3[-1] = 0; // BAD + p3[-1] = 0; // BAD // $ Alert[cpp/overflow-buffer] while (*p3 != 0) { p3 = update(p3); } p3[-1] = 0; // GOOD - p4[-1] = 0; // BAD: underrun write + p4[-1] = 0; // BAD: underrun write // $ Alert[cpp/overflow-buffer] p4++; p4[-1] = 0; // GOOD - p5[-1] = 0; // BAD + p5[-1] = 0; // BAD // $ Alert[cpp/overflow-buffer] while (*p5 != 0) { p5 = update(p5); } @@ -537,7 +537,7 @@ void test19(bool b) if (b) { - memset(p1, 0, 20); // BAD + memset(p1, 0, 20); // BAD // $ Alert[cpp/overflow-buffer] memset(p2, 0, 20); // GOOD memset(p3, 0, 20); // GOOD } @@ -559,12 +559,12 @@ void test20() // ... } - if (fread(charBuffer, sizeof(char), 101, fileSource) > 0) // BAD + if (fread(charBuffer, sizeof(char), 101, fileSource) > 0) // BAD // $ Alert[cpp/overflow-buffer] { // ... } - if (fread(charBuffer, sizeof(int), 100, fileSource) > 0) // BAD + if (fread(charBuffer, sizeof(int), 100, fileSource) > 0) // BAD // $ Alert[cpp/overflow-buffer] { // ... } @@ -587,7 +587,7 @@ void test21(bool cond) char *ptr; int i; - if (buffer[-1] == 0) { return; } // BAD: accesses buffer[-1] + if (buffer[-1] == 0) { return; } // BAD: accesses buffer[-1] // $ Alert[cpp/overflow-buffer] ptr = buffer; if (cond) @@ -595,7 +595,7 @@ void test21(bool cond) ptr++; if (ptr[-1] == 0) { return; } // GOOD: accesses buffer[0] } else { - if (ptr[-1] == 0) { return; } // BAD: accesses buffer[-1] + if (ptr[-1] == 0) { return; } // BAD: accesses buffer[-1] // $ Alert[cpp/overflow-buffer] } if (ptr[-1] == 0) { return; } // BAD: accesses buffer[-1] or buffer[0] [NOT DETECTED] 
@@ -633,7 +633,7 @@ char* strcpy(char *, const char *); void test24(char* source) { char buffer[100]; - strcpy(buffer, source); // BAD + strcpy(buffer, source); // BAD // $ Alert[cpp/unbounded-write] } struct my_struct { @@ -646,7 +646,7 @@ void test25(char* source) { s.home = source; char buf[100]; - strcpy(buf, s.home); // BAD + strcpy(buf, s.home); // BAD // $ Alert[cpp/unbounded-write] } void test26(bool cond) @@ -655,7 +655,7 @@ void test26(bool cond) char *ptr; int i; - if (buffer[-1] == 0) { return; } // BAD: accesses buffer[-1] + if (buffer[-1] == 0) { return; } // BAD: accesses buffer[-1] // $ Alert[cpp/overflow-buffer] ptr = buffer; if (cond) @@ -663,7 +663,7 @@ void test26(bool cond) ptr += 1; if (ptr[-1] == 0) { return; } // GOOD: accesses buffer[0] } else { - if (ptr[-1] == 0) { return; } // BAD: accesses buffer[-1] + if (ptr[-1] == 0) { return; } // BAD: accesses buffer[-1] // $ Alert[cpp/overflow-buffer] } if (ptr[-1] == 0) { return; } // BAD: accesses buffer[-1] or buffer[0] [NOT DETECTED] @@ -726,15 +726,15 @@ struct HasSomeFields { }; void test32() { - memset(&c, 0, sizeof(HasSomeFields) - offsetof(HasSomeFields, a)); // BAD + memset(&c, 0, sizeof(HasSomeFields) - offsetof(HasSomeFields, a)); // BAD // $ Alert[cpp/overflow-buffer] }; void test33() { - memset(&c, 0, sizeof(HasSomeFields) - offsetof(HasSomeFields, b)); // BAD + memset(&c, 0, sizeof(HasSomeFields) - offsetof(HasSomeFields, b)); // BAD // $ Alert[cpp/overflow-buffer] }; void test34() { - memset(&b, 0, sizeof(HasSomeFields) - offsetof(HasSomeFields, a)); // BAD + memset(&b, 0, sizeof(HasSomeFields) - offsetof(HasSomeFields, a)); // BAD // $ Alert[cpp/overflow-buffer] }; void test35() { 
@@ -745,7 +745,7 @@ struct HasSomeFields { void test36() { HasSomeFields hsf; memset(&hsf.a, 0, sizeof(HasSomeFields) - offsetof(HasSomeFields, a)); // GOOD - memset(&hsf.c, 0, sizeof(HasSomeFields) - offsetof(HasSomeFields, a)); // BAD + memset(&hsf.c, 0, sizeof(HasSomeFields) - offsetof(HasSomeFields, a)); // BAD // $ Alert[cpp/overflow-buffer] } struct AnonUnionInStruct 
@@ -771,18 +771,18 @@ struct AnonUnionInStruct memset(&a_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, b_2)); // GOOD memset(&a_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, d)); // GOOD - memset(&b_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, a_1)); // BAD + memset(&b_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, a_1)); // BAD // $ Alert[cpp/overflow-buffer] memset(&b_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, b_1)); // GOOD memset(&b_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, c_1)); // GOOD - memset(&b_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, a_2)); // BAD + memset(&b_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, a_2)); // BAD // $ Alert[cpp/overflow-buffer] memset(&b_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, b_2)); // GOOD memset(&b_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, d)); // GOOD - memset(&c_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, a_1)); // BAD - memset(&c_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, b_1)); // BAD + memset(&c_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, a_1)); // BAD // $ Alert[cpp/overflow-buffer] + memset(&c_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, b_1)); // BAD // $ Alert[cpp/overflow-buffer] memset(&c_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, c_1)); // GOOD - memset(&c_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, a_2)); // BAD - memset(&c_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, b_2)); // GOOD + memset(&c_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, a_2)); // BAD // $ Alert[cpp/overflow-buffer] + memset(&c_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, b_2)); // GOOD // $ Alert[cpp/overflow-buffer] memset(&c_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, d)); // GOOD memset(&a_2, 
0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, a_1)); // GOOD @@ -792,10 +792,10 @@ struct AnonUnionInStruct memset(&a_2, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, b_2)); // GOOD memset(&a_2, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, d)); // GOOD - memset(&b_2, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, a_1)); // BAD + memset(&b_2, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, a_1)); // BAD // $ Alert[cpp/overflow-buffer] memset(&b_2, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, b_1)); // GOOD memset(&b_2, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, c_1)); // GOOD - memset(&b_2, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, a_2)); // BAD + memset(&b_2, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, a_2)); // BAD // $ Alert[cpp/overflow-buffer] memset(&b_2, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, b_2)); // GOOD memset(&b_2, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, d)); // GOOD }; @@ -813,7 +813,7 @@ struct UnionWithoutStruct void test37() { memset(&a, 0, sizeof(UnionWithoutStruct) - offsetof(UnionWithoutStruct, a)); // GOOD memset(&a, 0, sizeof(UnionWithoutStruct) - offsetof(UnionWithoutStruct, b)); // GOOD - memset(&b, 0, sizeof(UnionWithoutStruct) - offsetof(UnionWithoutStruct, a)); // BAD + memset(&b, 0, sizeof(UnionWithoutStruct) - offsetof(UnionWithoutStruct, a)); // BAD // $ Alert[cpp/overflow-buffer] }; }; 
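Review bot: The annotation added to `memset(&c_1, 0, sizeof(AnonUnionInStruct) - offsetof(AnonUnionInStruct, b_2)); // GOOD // $ Alert[cpp/overflow-buffer]` contradicts the comment beside it, because the line is labelled GOOD while an alert is now expected on it. If the write really stays in bounds, record it as a known false positive with `// $ SPURIOUS: Alert[cpp/overflow-buffer]`; if the alert is right, change the comment to `// BAD`. The struct layout is declared outside the hunk, so which of the two holds cannot be decided from here. The same mismatch appears on `memset(&f.x, 0, sizeof(S2) - offsetof(S2, f)); // GOOD // $ Alert[cpp/overflow-buffer]` in the hunk at -864,12.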
@@ -840,20 +840,20 @@ struct S2 { memset(&f.inner.a, 0, sizeof(S2) - offsetof(S2, f)); // GOOD memset(&f.inner.a, 0, sizeof(S2) - offsetof(S2, u)); // GOOD - memset(&f.inner.b, 0, sizeof(S2) - offsetof(ThreeUInts, a)); // BAD + memset(&f.inner.b, 0, sizeof(S2) - offsetof(ThreeUInts, a)); // BAD // $ Alert[cpp/overflow-buffer] memset(&f.inner.b, 0, sizeof(S2) - offsetof(ThreeUInts, b)); // GOOD memset(&f.inner.b, 0, sizeof(S2) - offsetof(ThreeUInts, c)); // GOOD - memset(&f.inner.b, 0, sizeof(S2) - offsetof(FourUInts, inner)); // BAD + memset(&f.inner.b, 0, sizeof(S2) - offsetof(FourUInts, inner)); // BAD // $ Alert[cpp/overflow-buffer] memset(&f.inner.b, 0, sizeof(S2) - offsetof(FourUInts, x)); // GOOD - memset(&f.inner.b, 0, sizeof(S2) - offsetof(S2, f)); // BAD + memset(&f.inner.b, 0, sizeof(S2) - offsetof(S2, f)); // BAD // $ Alert[cpp/overflow-buffer] memset(&f.inner.b, 0, sizeof(S2) - offsetof(S2, u)); // GOOD - memset(&f.inner.c, 0, sizeof(S2) - offsetof(ThreeUInts, a)); // BAD - memset(&f.inner.c, 0, sizeof(S2) - offsetof(ThreeUInts, b)); // BAD + memset(&f.inner.c, 0, sizeof(S2) - offsetof(ThreeUInts, a)); // BAD // $ Alert[cpp/overflow-buffer] + memset(&f.inner.c, 0, sizeof(S2) - offsetof(ThreeUInts, b)); // BAD // $ Alert[cpp/overflow-buffer] memset(&f.inner.c, 0, sizeof(S2) - offsetof(ThreeUInts, c)); // GOOD - memset(&f.inner.c, 0, sizeof(S2) - offsetof(FourUInts, inner)); // BAD + memset(&f.inner.c, 0, sizeof(S2) - offsetof(FourUInts, inner)); // BAD // $ Alert[cpp/overflow-buffer] memset(&f.inner.c, 0, sizeof(S2) - offsetof(FourUInts, x)); // GOOD - memset(&f.inner.c, 0, sizeof(S2) - offsetof(S2, f)); // BAD + memset(&f.inner.c, 0, sizeof(S2) - offsetof(S2, f)); // BAD // $ Alert[cpp/overflow-buffer] memset(&f.inner.c, 0, sizeof(S2) - offsetof(S2, u)); // GOOD memset(&f.inner, 0, sizeof(S2) - offsetof(ThreeUInts, a)); // GOOD 
@@ -864,12 +864,12 @@ struct S2 { memset(&f.inner, 0, sizeof(S2) - offsetof(S2, f)); // GOOD memset(&f.inner, 0, sizeof(S2) - offsetof(S2, u)); // GOOD - memset(&f.x, 0, sizeof(S2) - offsetof(ThreeUInts, a)); // BAD - memset(&f.x, 0, sizeof(S2) - offsetof(ThreeUInts, b)); // BAD - memset(&f.x, 0, sizeof(S2) - offsetof(ThreeUInts, c)); // BAD - memset(&f.x, 0, sizeof(S2) - offsetof(FourUInts, inner)); // BAD + memset(&f.x, 0, sizeof(S2) - offsetof(ThreeUInts, a)); // BAD // $ Alert[cpp/overflow-buffer] + memset(&f.x, 0, sizeof(S2) - offsetof(ThreeUInts, b)); // BAD // $ Alert[cpp/overflow-buffer] + memset(&f.x, 0, sizeof(S2) - offsetof(ThreeUInts, c)); // BAD // $ Alert[cpp/overflow-buffer] + memset(&f.x, 0, sizeof(S2) - offsetof(FourUInts, inner)); // BAD // $ Alert[cpp/overflow-buffer] memset(&f.x, 0, sizeof(S2) - offsetof(FourUInts, x)); // GOOD - memset(&f.x, 0, sizeof(S2) - offsetof(S2, f)); // GOOD + memset(&f.x, 0, sizeof(S2) - offsetof(S2, f)); // GOOD // $ Alert[cpp/overflow-buffer] memset(&f.x, 0, sizeof(S2) - offsetof(S2, u)); // GOOD memset(&f, 0, sizeof(S2) - offsetof(ThreeUInts, a)); // GOOD 
@@ -880,12 +880,12 @@ struct S2 { memset(&f, 0, sizeof(S2) - offsetof(S2, f)); // GOOD memset(&f, 0, sizeof(S2) - offsetof(S2, u)); // GOOD - memset(&u, 0, sizeof(S2) - offsetof(ThreeUInts, a)); // BAD - memset(&u, 0, sizeof(S2) - offsetof(ThreeUInts, b)); // BAD - memset(&u, 0, sizeof(S2) - offsetof(ThreeUInts, c)); // BAD - memset(&u, 0, sizeof(S2) - offsetof(FourUInts, inner)); // BAD - memset(&u, 0, sizeof(S2) - offsetof(FourUInts, x)); // BAD - memset(&u, 0, sizeof(S2) - offsetof(S2, f)); // BAD + memset(&u, 0, sizeof(S2) - offsetof(ThreeUInts, a)); // BAD // $ Alert[cpp/overflow-buffer] + memset(&u, 0, sizeof(S2) - offsetof(ThreeUInts, b)); // BAD // $ Alert[cpp/overflow-buffer] + memset(&u, 0, sizeof(S2) - offsetof(ThreeUInts, c)); // BAD // $ Alert[cpp/overflow-buffer] + memset(&u, 0, sizeof(S2) - offsetof(FourUInts, inner)); // BAD // $ Alert[cpp/overflow-buffer] + memset(&u, 0, sizeof(S2) - offsetof(FourUInts, x)); // BAD // $ Alert[cpp/overflow-buffer] + memset(&u, 0, sizeof(S2) - offsetof(S2, f)); // BAD // $ Alert[cpp/overflow-buffer] memset(&u, 0, sizeof(S2) - offsetof(S2, u)); // GOOD } }; @@ -981,24 +981,24 @@ void test28() { int arr[10]; int *ptr1 = arr; - ptr1[-1] = 0; // BAD: underrun write + ptr1[-1] = 0; // BAD: underrun write // $ Alert[cpp/overflow-buffer] ptr1++; ptr1[-1] = 0; // GOOD int *ptr2 = arr; - ptr2[-1] = 0; // BAD: underrun write + ptr2[-1] = 0; // BAD: underrun write // $ Alert[cpp/overflow-buffer] *ptr2++; ptr2[-1] = 0; // GOOD int *ptr3 = arr; - ptr3[-1] = 0; // BAD: underrun write + ptr3[-1] = 0; // BAD: underrun write // $ Alert[cpp/overflow-buffer] if (cond()) { ptr3++; } ptr3[-1] = 0; // GOOD (depending what cond() does) int *ptr4 = arr; - ptr4[-1] = 0; // BAD: underrun write + ptr4[-1] = 0; // BAD: underrun write // $ Alert[cpp/overflow-buffer] while (true) { ptr4++; if (cond()) break; 
@@ -1006,7 +1006,7 @@ void test28() { ptr4[-1] = 0; // GOOD int *ptr5 = arr; - ptr5[-1] = 0; // BAD: underrun write + ptr5[-1] = 0; // BAD: underrun write // $ Alert[cpp/overflow-buffer] while (true) { if (cond()) ptr5++; if (cond()) break; @@ -1028,7 +1028,7 @@ void test29() { memset(ptr->arr1, 0, sizeof(ptr->arr1) + sizeof(ptr->arr2)); // GOOD (overwrites arr1, arr2) memset(&(ptr->arr1[0]), 0, sizeof(ptr->arr1) + sizeof(ptr->arr2)); // GOOD (overwrites arr1, arr2) - memset(ptr->arr1, 0, sizeof(ptr->arr1) + sizeof(ptr->arr2) + 10); // BAD + memset(ptr->arr1, 0, sizeof(ptr->arr1) + sizeof(ptr->arr2) + 10); // BAD // $ Alert[cpp/overflow-buffer] } struct UnionStruct { @@ -1047,14 +1047,14 @@ void test30() { UnionStruct us; memset(us.buffer1, 0, sizeof(us.buffer1)); // GOOD - memset(us.buffer1, 0, sizeof(us)); // BAD + memset(us.buffer1, 0, sizeof(us)); // BAD // $ Alert[cpp/overflow-buffer] memset(us.buffer2, 0, sizeof(us.buffer2)); // GOOD - memset(us.buffer2, 0, sizeof(us)); // BAD + memset(us.buffer2, 0, sizeof(us)); // BAD // $ Alert[cpp/overflow-buffer] strncpy(us.buffer1, "", sizeof(us.buffer1) - 1); // GOOD - strncpy(us.buffer1, "", sizeof(us) - 1); // BAD + strncpy(us.buffer1, "", sizeof(us) - 1); // BAD // $ Alert[cpp/badly-bounded-write] Alert[cpp/overflow-buffer] Alert[cpp/static-buffer-overflow] strncpy(us.buffer2, "", sizeof(us.buffer2) - 1); // GOOD - strncpy(us.buffer2, "", sizeof(us) - 1); // BAD + strncpy(us.buffer2, "", sizeof(us) - 1); // BAD // $ Alert[cpp/badly-bounded-write] Alert[cpp/overflow-buffer] Alert[cpp/static-buffer-overflow] } struct S_Size16 { diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests_restrict.c b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests_restrict.c index 96a5571bf65..a081e77a784 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests_restrict.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests_restrict.c 
@@ -9,7 +9,7 @@ char smallbuf[1], largebuf[2]; void test1() { memcpy(largebuf, smallbuf, 1); // GOOD - memcpy(largebuf, smallbuf, 2); // BAD: source over-read + memcpy(largebuf, smallbuf, 2); // BAD: source over-read // $ Alert[cpp/overflow-buffer] } int tests_restrict_main(int argc, char *argv[]) diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/unions.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/unions.cpp index bac7abb5187..dc1e17d8979 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/unions.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/unions.cpp @@ -23,15 +23,15 @@ void myUnionTest() memset(&mu, 0, sizeof(mu)); memset(&mu, 0, sizeof(mu.small)); memset(&mu, 0, sizeof(mu.large)); - memset(&mu, 0, 200); // BAD + memset(&mu, 0, 200); // BAD // $ Alert[cpp/overflow-buffer] memset(&(mu.small), 0, sizeof(mu)); // (dubious) memset(&(mu.small), 0, sizeof(mu.small)); memset(&(mu.small), 0, sizeof(mu.large)); // (dubious) - memset(&(mu.small), 0, 200); // BAD + memset(&(mu.small), 0, 200); // BAD // $ Alert[cpp/overflow-buffer] memset(&(mu.large), 0, sizeof(mu)); memset(&(mu.large), 0, sizeof(mu.small)); // (dubious) memset(&(mu.large), 0, sizeof(mu.large)); - memset(&(mu.large), 0, 200); // BAD + memset(&(mu.large), 0, 200); // BAD // $ Alert[cpp/overflow-buffer] } // --- diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/var_size_struct.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/var_size_struct.cpp index d4fe3da48bd..48af5418202 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/var_size_struct.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/var_size_struct.cpp 
@@ -68,9 +68,9 @@ void testVarStruct1() { vs1->amount = 1024; memset(vs1->data, 0, 1024); // GOOD - memset(vs1->data, 0, 1025); // BAD: buffer overflow + memset(vs1->data, 0, 1025); // BAD: buffer overflow // $ Alert[cpp/overflow-buffer] strncpy(vs1->data, "Hello, world!", 1024); // GOOD - strncpy(vs1->data, "Hello, world!", 1025); // BAD + strncpy(vs1->data, "Hello, world!", 1025); // BAD // $ Alert[cpp/badly-bounded-write] Alert[cpp/overflow-buffer] } struct varStruct2 { @@ -84,7 +84,7 @@ void testVarStruct2() { vs2->size = 16; vs2->elements[15] = 0; // GOOD - vs2->elements[16] = 0; // BAD: buffer overflow + vs2->elements[16] = 0; // BAD: buffer overflow // $ Alert[cpp/overflow-buffer] } struct notVarStruct1 { @@ -96,11 +96,11 @@ void testNotVarStruct1() { notVarStruct1 *nvs1 = (notVarStruct1 *)malloc(sizeof(notVarStruct1) * 2); memset(nvs1->str, 0, 128); // GOOD - memset(nvs1->str, 0, 129); // DUBIOUS: buffer overflow (overflows nvs1->str but not nvs1 overall) + memset(nvs1->str, 0, 129); // DUBIOUS: buffer overflow (overflows nvs1->str but not nvs1 overall) // $ Alert[cpp/overflow-buffer] memset(nvs1[1].str, 0, 128); // GOOD memset(nvs1[1].str, 0, 129); // BAD: buffer overflow [NOT DETECTED] strncpy(nvs1->str, "Hello, world!", 128); // GOOD - strncpy(nvs1->str, "Hello, world!", 129); // BAD + strncpy(nvs1->str, "Hello, world!", 129); // BAD // $ Alert[cpp/badly-bounded-write] Alert[cpp/overflow-buffer] Alert[cpp/static-buffer-overflow] } struct notVarStruct2 { diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/UnsafeUseOfStrcat/UnsafeUseOfStrcat.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/UnsafeUseOfStrcat/UnsafeUseOfStrcat.qlref index 9790cddebab..7f1a1cf35f2 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/UnsafeUseOfStrcat/UnsafeUseOfStrcat.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/UnsafeUseOfStrcat/UnsafeUseOfStrcat.qlref 
@@ -1 +1,2 @@ -Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql +query: Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/UnsafeUseOfStrcat/test.c b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/UnsafeUseOfStrcat/test.c index c670533f9af..cf3edad43db 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/UnsafeUseOfStrcat/test.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/UnsafeUseOfStrcat/test.c @@ -17,7 +17,7 @@ void free(void *ptr); static void bad0(char *s) { char buf[80]; strcpy(buf, "s: "); - strcat(buf, s); // BAD -- s may be too long and overflow the buffer + strcat(buf, s); // BAD -- s may be too long and overflow the buffer // $ Alert } static void good0(char *s) { @@ -30,7 +30,7 @@ static void good0(char *s) { static void bad1(char *s, int len) { char *buf = malloc(len+4); strcpy(buf, "s: "); - strcat(buf, s); // BAD -- s may be too long and overflow the buffer + strcat(buf, s); // BAD -- s may be too long and overflow the buffer // $ Alert } static void good1(char *s, int len) { diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/BadlyBoundedWrite.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/BadlyBoundedWrite.qlref index 9636c74d0a8..76b6e590021 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/BadlyBoundedWrite.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/BadlyBoundedWrite.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-120/BadlyBoundedWrite.ql \ No newline at end of file +query: Security/CWE/CWE-120/BadlyBoundedWrite.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/OverrunWrite.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/OverrunWrite.qlref index f6c962c1a7b..18ae0f2a567 100644 
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/OverrunWrite.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/OverrunWrite.qlref
@@ -1 +1,2 @@
-Security/CWE/CWE-120/OverrunWrite.ql
\ No newline at end of file
+query: Security/CWE/CWE-120/OverrunWrite.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/OverrunWriteFloat.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/OverrunWriteFloat.qlref
index 757d1592e83..ba8f6a96a1f 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/OverrunWriteFloat.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/OverrunWriteFloat.qlref
@@ -1 +1,2 @@
-Security/CWE/CWE-120/OverrunWriteFloat.ql
\ No newline at end of file
+query: Security/CWE/CWE-120/OverrunWriteFloat.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.expected
index 0ebcbb8cde4..b4834cc6dc7 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.expected
@@ -1,3 +1,9 @@ +#select +| tests.c:28:3:28:9 | call to sprintf | tests.c:16:26:16:29 | **argv | tests.c:28:22:28:28 | *access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:16:26:16:29 | **argv | a command-line argument | +| tests.c:29:3:29:9 | call to sprintf | tests.c:16:26:16:29 | **argv | tests.c:29:28:29:34 | *access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:16:26:16:29 | **argv | a command-line argument | +| tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | scanf output argument | tests.c:31:15:31:23 | scanf output argument | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:31:15:31:23 | scanf output argument | value read by scanf | +| tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | scanf output argument | tests.c:33:21:33:29 | scanf output argument | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:33:21:33:29 | scanf output argument | value read by scanf | +| tests.c:34:25:34:33 | buffer100 | tests.c:16:26:16:29 | **argv | tests.c:34:10:34:16 | *access to array | This 'sscanf string argument' with input from $@ may overflow the destination. | tests.c:16:26:16:29 | **argv | a command-line argument | edges | tests.c:16:26:16:29 | **argv | tests.c:28:22:28:28 | *access to array | provenance | | | tests.c:16:26:16:29 | **argv | tests.c:29:28:29:34 | *access to array | provenance | | 
@@ -10,9 +16,3 @@ nodes | tests.c:33:21:33:29 | scanf output argument | semmle.label | scanf output argument | | tests.c:34:10:34:16 | *access to array | semmle.label | *access to array | subpaths -#select -| tests.c:28:3:28:9 | call to sprintf | tests.c:16:26:16:29 | **argv | tests.c:28:22:28:28 | *access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:16:26:16:29 | **argv | a command-line argument | -| tests.c:29:3:29:9 | call to sprintf | tests.c:16:26:16:29 | **argv | tests.c:29:28:29:34 | *access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:16:26:16:29 | **argv | a command-line argument | -| tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | scanf output argument | tests.c:31:15:31:23 | scanf output argument | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:31:15:31:23 | scanf output argument | value read by scanf | -| tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | scanf output argument | tests.c:33:21:33:29 | scanf output argument | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:33:21:33:29 | scanf output argument | value read by scanf | -| tests.c:34:25:34:33 | buffer100 | tests.c:16:26:16:29 | **argv | tests.c:34:10:34:16 | *access to array | This 'sscanf string argument' with input from $@ may overflow the destination. | tests.c:16:26:16:29 | **argv | a command-line argument | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.qlref index 767f2ea4db9..36c47957d33 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.qlref 
@@ -1 +1,2 @@ -Security/CWE/CWE-120/UnboundedWrite.ql \ No newline at end of file +query: Security/CWE/CWE-120/UnboundedWrite.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/VeryLikelyOverrunWrite.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/VeryLikelyOverrunWrite.qlref index 94b53951c4b..8dcc2f70c2f 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/VeryLikelyOverrunWrite.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/VeryLikelyOverrunWrite.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql \ No newline at end of file +query: Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/tests.c b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/tests.c index 5d37ff374ba..3919367d26a 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/tests.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/tests.c @@ -13,7 +13,7 @@ int sscanf(const char *s, const char *format, ...); //// Test code ///// -int main(int argc, char *argv[]) +int main(int argc, char *argv[]) // $ Source[cpp/unbounded-write] { if (argc < 1) { 
@@ -25,13 +25,13 @@ int main(int argc, char *argv[]) char buffer100[100]; int i; - sprintf(buffer100, argv[0]); // BAD: argv[0] could be more than 100 characters - sprintf(buffer100, "%s", argv[0]); // BAD: argv[0] could be more than 100 characters + sprintf(buffer100, argv[0]); // BAD: argv[0] could be more than 100 characters // $ Alert[cpp/unbounded-write] + sprintf(buffer100, "%s", argv[0]); // BAD: argv[0] could be more than 100 characters // $ Alert[cpp/unbounded-write] - scanf("%s", buffer100); // BAD: the input could be more than 100 characters + scanf("%s", buffer100); // BAD: the input could be more than 100 characters // $ Alert[cpp/unbounded-write] scanf("%i", i); // GOOD: no problems with non-strings - scanf("%i %s", i, buffer100); // BAD: second format parameter may overflow - sscanf(argv[0], "%s", buffer100); // BAD: argv[0] could be more than 100 characters + scanf("%i %s", i, buffer100); // BAD: second format parameter may overflow // $ Alert[cpp/unbounded-write] + sscanf(argv[0], "%s", buffer100); // BAD: argv[0] could be more than 100 characters // $ Alert[cpp/unbounded-write] } // Test cases for BadlyBoundedWrite.ql @@ -40,10 +40,10 @@ int main(int argc, char *argv[]) snprintf(buffer110, 109, argv[0]); // GOOD snprintf(buffer110, 110, argv[0]); // GOOD - snprintf(buffer110, 111, argv[0]); // BAD: this could still overrun the 110 character buffer + snprintf(buffer110, 111, argv[0]); // BAD: this could still overrun the 110 character buffer // $ Alert[cpp/badly-bounded-write] snprintf(buffer110, 109, "%s", argv[0]); // GOOD snprintf(buffer110, 110, "%s", argv[0]); // GOOD - snprintf(buffer110, 111, "%s", argv[0]); // BAD: this could still overrun the 110 character buffer + snprintf(buffer110, 111, "%s", argv[0]); // BAD: this could still overrun the 110 character buffer // $ Alert[cpp/badly-bounded-write] } // Test cases for OverrunWrite.ql 
@@ -51,16 +51,16 @@ int main(int argc, char *argv[]) char buffer10[10]; sprintf(buffer10, "123456789"); // GOOD - sprintf(buffer10, "1234567890"); // BAD: the null terminator of this string overruns the buffer + sprintf(buffer10, "1234567890"); // BAD: the null terminator of this string overruns the buffer // $ Alert[cpp/very-likely-overrunning-write] sprintf(buffer10, "%.9s", "123456789"); // GOOD sprintf(buffer10, "%.9s", "1234567890"); // GOOD sprintf(buffer10, "%.10s", "123456789"); // GOOD - sprintf(buffer10, "%.10s", "1234567890"); // BAD: the precision specified is too large for this buffer + sprintf(buffer10, "%.10s", "1234567890"); // BAD: the precision specified is too large for this buffer // $ Alert[cpp/very-likely-overrunning-write] scanf("%8s", buffer10); // GOOD: restricted to 8 characters + null scanf("%9s", buffer10); // GOOD: restricted to 9 characters + null - scanf("%10s", buffer10); // BAD: null can overflow - scanf("%11s", buffer10); // BAD: string can overflow + scanf("%10s", buffer10); // BAD: null can overflow // $ Alert[cpp/very-likely-overrunning-write] + scanf("%11s", buffer10); // BAD: string can overflow // $ Alert[cpp/very-likely-overrunning-write] } // More complex tests for OverrunWrite.ql @@ -83,14 +83,14 @@ int main(int argc, char *argv[]) { str35 = "12345"; } - strcpy(buffer5, str35); // BAD: if str35 is "12345", it overflows the buffer + strcpy(buffer5, str35); // BAD: if str35 is "12345", it overflows the buffer // $ Alert[cpp/very-likely-overrunning-write] str35 = "abc"; strcpy(buffer5, str35); // GOOD: str35 is guaranteed to fit now strcpy(buffer5, (argc == 2) ? "1234" : "abcd"); // GOOD: both of the strings fit - strcpy(buffer5, (argc == 2) ? "1234" : "abcde"); // BAD: "abcde" overflows the buffer + strcpy(buffer5, (argc == 2) ? "1234" : "abcde"); // BAD: "abcde" overflows the buffer // $ Alert[cpp/very-likely-overrunning-write] } // Test cases for OverrunWriteFloat.ql 
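Review bot: The section comments around these two hunks, `// Test cases for OverrunWrite.ql` and `// More complex tests for OverrunWrite.ql`, no longer match the expectations placed under them. Every tag added here is `Alert[cpp/very-likely-overrunning-write]`, which by its name belongs to the VeryLikelyOverrunWrite.ql test wired up in the same directory. Renaming the headings, for example to `// Test cases for OverrunWrite.ql and VeryLikelyOverrunWrite.ql`, would tell a reader which query each BAD line is checked against. Whether OverrunWrite.ql itself reports anything in this file cannot be seen from the diff. Both hunks sit inside main, whose body starts and ends outside them.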
@@ -100,9 +100,9 @@ int main(int argc, char *argv[]) double bigval = 1e304; sprintf(buffer256, "%e", bigval); // GOOD - sprintf(buffer256, "%f", bigval); // BAD: this %f representation may need more than 256 characters + sprintf(buffer256, "%f", bigval); // BAD: this %f representation may need more than 256 characters // $ Alert[cpp/overrunning-write-with-float] sprintf(buffer256, "%g", bigval); // GOOD - sprintf(buffer256, "%e%f%g", bigval, bigval, bigval); // BAD: the %f representation may need more than 256 characters + sprintf(buffer256, "%e%f%g", bigval, bigval, bigval); // BAD: the %f representation may need more than 256 characters // $ Alert[cpp/overrunning-write-with-float] // GOOD: a 999 character buffer is sufficient in all of these cases sprintf(buffer999, "%e", bigval); // GOOD @@ -117,8 +117,8 @@ int main(int argc, char *argv[]) char buffer16[16]; char buffer17[17]; char buffer49[49]; - sprintf(buffer1, "%p", argv); // BAD - sprintf(buffer16, "%p", argv); // BAD + sprintf(buffer1, "%p", argv); // BAD // $ Alert[cpp/very-likely-overrunning-write] + sprintf(buffer16, "%p", argv); // BAD // $ Alert[cpp/very-likely-overrunning-write] sprintf(buffer17, "%p", argv); // GOOD sprintf(buffer49, "%p and then a few more words", argv); // GOOD } @@ -133,7 +133,7 @@ void test_fn2() MyCharArray myBuffer10; sprintf(myBuffer10, "%s", "123456789"); // GOOD - sprintf(myBuffer10, "%s", "1234567890"); // BAD: buffer overflow + sprintf(myBuffer10, "%s", "1234567890"); // BAD: buffer overflow // $ Alert[cpp/very-likely-overrunning-write] } // --- @@ -183,10 +183,10 @@ void tesHexBounds(int x) { } if (x < 16) { - sprintf(buffer2, "%x", x); // BAD: negative values + sprintf(buffer2, "%x", x); // BAD: negative values // $ Alert[cpp/very-likely-overrunning-write] } if (x <= 16 && x > 0) { - sprintf(buffer2, "%x", x); // BAD: bound too loose + sprintf(buffer2, "%x", x); // BAD: bound too loose // $ Alert[cpp/very-likely-overrunning-write] } if(x < 0x10000 && x > 0) { 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/tests2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/tests2.cpp index c492e11f0b8..4be5107a6a0 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/tests2.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/tests2.cpp 
@@ -15,36 +15,36 @@ void tests2() { buffer = (wchar_t *)malloc(2 * sizeof(wchar_t)); wcscpy(buffer, L"1"); // GOOD - wcscpy(buffer, L"12"); // BAD: buffer overflow + wcscpy(buffer, L"12"); // BAD: buffer overflow // $ Alert[cpp/very-likely-overrunning-write] free(buffer); buffer = (wchar_t *)malloc(3 * sizeof(wchar_t)); wcscpy(buffer, L"12"); // GOOD - wcscpy(buffer, L"123"); // BAD: buffer overflow + wcscpy(buffer, L"123"); // BAD: buffer overflow // $ Alert[cpp/very-likely-overrunning-write] free(buffer); buffer = (wchar_t *)realloc(0, 4 * sizeof(wchar_t)); wcscpy(buffer, L"123"); // GOOD - wcscpy(buffer, L"1234"); // BAD: buffer overflow + wcscpy(buffer, L"1234"); // BAD: buffer overflow // $ Alert[cpp/very-likely-overrunning-write] buffer = (wchar_t *)realloc(buffer, 5 * sizeof(wchar_t)); wcscpy(buffer, L"1234"); // GOOD - wcscpy(buffer, L"12345"); // BAD: buffer overflow + wcscpy(buffer, L"12345"); // BAD: buffer overflow // $ Alert[cpp/very-likely-overrunning-write] free(buffer); buffer = (wchar_t *)calloc(6, sizeof(wchar_t)); wcscpy(buffer, L"12345"); // GOOD - wcscpy(buffer, L"123456"); // BAD: buffer overflow + wcscpy(buffer, L"123456"); // BAD: buffer overflow // $ Alert[cpp/very-likely-overrunning-write] free(buffer); buffer = (wchar_t *)calloc(sizeof(wchar_t), 7); wcscpy(buffer, L"123456"); // GOOD - wcscpy(buffer, L"1234567"); // BAD: buffer overflow + wcscpy(buffer, L"1234567"); // BAD: buffer overflow // $ Alert[cpp/very-likely-overrunning-write] free(buffer); buffer = new wchar_t[8]; wcscpy(buffer, L"1234567"); // GOOD - wcscpy(buffer, L"12345678"); // BAD: buffer overflow + wcscpy(buffer, L"12345678"); // BAD: buffer overflow // $ Alert[cpp/very-likely-overrunning-write] delete [] buffer; } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/unions.c b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/unions.c index 68c9aff9c2b..6d0f0f8ca9d 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/unions.c 
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/unions.c @@ -23,8 +23,8 @@ void unions_test(MyUnion *mu) strcpy(&(mu->ptr), "1234567890"); // GOOD (dubious) strcpy(&(mu->buffer), "1234567890"); // GOOD strcpy(mu, "12345678901234567890"); // BAD [NOT DETECTED] - strcpy(&(mu->ptr), "12345678901234567890"); // BAD - strcpy(&(mu->buffer), "12345678901234567890"); // BAD + strcpy(&(mu->ptr), "12345678901234567890"); // BAD // $ Alert[cpp/very-likely-overrunning-write] + strcpy(&(mu->buffer), "12345678901234567890"); // BAD // $ Alert[cpp/very-likely-overrunning-write] mu->ptr = buffer; strcpy(mu->ptr, "1234567890"); // GOOD diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/var_size_struct.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/var_size_struct.cpp index 56036aa76ac..2a35ada2f23 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/var_size_struct.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/var_size_struct.cpp @@ -19,5 +19,5 @@ void testVarStruct() { vs->size = 9; strcpy(vs->data, "12345678"); // GOOD - strcpy(vs->data, "123456789"); // BAD: buffer overflow + strcpy(vs->data, "123456789"); // BAD: buffer overflow // $ Alert[cpp/very-likely-overrunning-write] } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/varbuffer.c b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/varbuffer.c index c4eed5068e5..c01abbfbaa7 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/varbuffer.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/varbuffer.c 
@@ -12,16 +12,16 @@ void testMyVarStruct() MyVarStruct *ptr1 = (MyVarStruct*)malloc(sizeof(MyVarStruct)); ptr1->len = 0; strcpy(ptr1->buffer, ""); // GOOD - strcpy(ptr1->buffer, "1"); // BAD: length 2, but destination only has length 1 - strcpy(ptr1->buffer, "123456789"); // BAD: length 10, but destination only has length 1 + strcpy(ptr1->buffer, "1"); // BAD: length 2, but destination only has length 1 // $ Alert[cpp/very-likely-overrunning-write] + strcpy(ptr1->buffer, "123456789"); // BAD: length 10, but destination only has length 1 // $ Alert[cpp/very-likely-overrunning-write] // ... MyVarStruct *ptr2 = (MyVarStruct*)malloc(sizeof(MyVarStruct) + (sizeof(char) * 10)); ptr2->len = 10; strcpy(ptr2->buffer, "123456789"); // GOOD strcpy(ptr2->buffer, "1234567890"); // GOOD - strcpy(ptr2->buffer, "1234567890a"); // BAD: length 12, but destination only has length 11 - strcpy(ptr2->buffer, "1234567890abcdef"); // BAD: length 17, but destination only has length 11 + strcpy(ptr2->buffer, "1234567890a"); // BAD: length 12, but destination only has length 11 // $ Alert[cpp/very-likely-overrunning-write] + strcpy(ptr2->buffer, "1234567890abcdef"); // BAD: length 17, but destination only has length 11 // $ Alert[cpp/very-likely-overrunning-write] // ... } 
@@ -36,14 +36,14 @@ void testMyFixedStruct() ptr1->len = 1; strcpy(ptr1->buffer, ""); // GOOD strcpy(ptr1->buffer, "1"); // GOOD - strcpy(ptr1->buffer, "12"); // BAD: length 3, but destination only has length 2 - strcpy(ptr1->buffer, "123456789"); // BAD: length 10, but destination only has length 2 + strcpy(ptr1->buffer, "12"); // BAD: length 3, but destination only has length 2 // $ Alert[cpp/very-likely-overrunning-write] + strcpy(ptr1->buffer, "123456789"); // BAD: length 10, but destination only has length 2 // $ Alert[cpp/very-likely-overrunning-write] // ... MyFixedStruct1 *ptr2 = (MyFixedStruct1*)malloc(sizeof(MyFixedStruct1) + (sizeof(char) * 10)); ptr2->len = 11; - strcpy(ptr2->buffer, "123456789"); // BAD / DUBIOUS: length 10, but destination only has length 2 - strcpy(ptr2->buffer, "1234567890abcdef"); // BAD: length 17, but destination only has length 2 + strcpy(ptr2->buffer, "123456789"); // BAD / DUBIOUS: length 10, but destination only has length 2 // $ Alert[cpp/very-likely-overrunning-write] + strcpy(ptr2->buffer, "1234567890abcdef"); // BAD: length 17, but destination only has length 2 // $ Alert[cpp/very-likely-overrunning-write] // ... } 
@@ -57,13 +57,13 @@ void testMyFixedStruct2() MyFixedStruct2 *ptr1 = (MyFixedStruct2 *)malloc(sizeof(MyFixedStruct2)); ptr1->len = 1; strcpy(ptr1->buffer, ""); // GOOD - strcpy(ptr1->buffer, "1"); // BAD: length 2, but destination only has length 1 - strcpy(ptr1->buffer, "123456789"); // BAD: length 10, but destination only has length 1 + strcpy(ptr1->buffer, "1"); // BAD: length 2, but destination only has length 1 // $ Alert[cpp/very-likely-overrunning-write] + strcpy(ptr1->buffer, "123456789"); // BAD: length 10, but destination only has length 1 // $ Alert[cpp/very-likely-overrunning-write] // ... MyFixedStruct2 *ptr2 = (MyFixedStruct2*)malloc(sizeof(MyFixedStruct2) + (sizeof(char) * 10)); ptr2->len = 11; strcpy(ptr2->buffer, "123456789"); // BAD: length 10, but destination only has length 1 [NOT DETECTED] - strcpy(ptr2->buffer, "1234567890abcdef"); // BAD: length 17, but destination only has length 1 + strcpy(ptr2->buffer, "1234567890abcdef"); // BAD: length 17, but destination only has length 1 // $ Alert[cpp/very-likely-overrunning-write] // ... } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-121/semmle/tests/UnterminatedVarargsCall.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-121/semmle/tests/UnterminatedVarargsCall.qlref index 75497f34f93..c1cd5bb0da9 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-121/semmle/tests/UnterminatedVarargsCall.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-121/semmle/tests/UnterminatedVarargsCall.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-121/UnterminatedVarargsCall.ql \ No newline at end of file +query: Security/CWE/CWE-121/UnterminatedVarargsCall.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-121/semmle/tests/more_tests.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-121/semmle/tests/more_tests.cpp index d6c9a3915e7..4d58c6ffbc6 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-121/semmle/tests/more_tests.cpp 
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-121/semmle/tests/more_tests.cpp @@ -22,7 +22,7 @@ int main() myFunction2(0, 1, -1); myFunction2(0, 1, 2, -1); myFunction2(0, 1, 2, 3, -1); - myFunction2(0, 1, 2, 3, 4); // BAD: missing terminator + myFunction2(0, 1, 2, 3, 4); // BAD: missing terminator // $ Alert myFunction3(-1); myFunction3(0, -1); @@ -36,7 +36,7 @@ int main() myFunction4(0, 0, 1, 1, 0); myFunction4(0, x, 1, 1, 1, 0); myFunction4(0, 0, 1, 1, 1, 1, 0); - myFunction4(x, 0, 1, 1, 1, 1, 1); // BAD: missing terminator + myFunction4(x, 0, 1, 1, 1, 1, 1); // BAD: missing terminator // $ Alert myFunction5('a', 'b', 'c', 0); // GOOD: ambiguous terminator myFunction5('a', 'b', 'c', 0); @@ -46,7 +46,7 @@ int main() myFunction5('a', 'b', 'c', -1); myFunction6(0.0); - myFunction6(1.0); // BAD: missing terminator + myFunction6(1.0); // BAD: missing terminator // $ Alert myFunction6(1.0, 2.0, 0.0); myFunction6(1.0, 2.0, 3.0, 0.0); myFunction6(1.0, 2.0, 3.0, 4.0, 0.0); @@ -61,8 +61,8 @@ int main() myFunction7("seven", "eight", "nine", 0); myFunction7("alpha", "beta", "gamma", 0); myFunction7("", 0); - myFunction7("yes", "no"); // BAD: missing terminator - myFunction7(); // BAD: missing terminator + myFunction7("yes", "no"); // BAD: missing terminator // $ Alert + myFunction7(); // BAD: missing terminator // $ Alert return 0; } \ No newline at end of file diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-121/semmle/tests/tests.c b/cpp/ql/test/query-tests/Security/CWE/CWE-121/semmle/tests/tests.c index f89d19cf3c7..9ea3c57ba52 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-121/semmle/tests/tests.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-121/semmle/tests/tests.c @@ -31,7 +31,7 @@ void f7(char *format, ...) int main(int argc, char *argv[]) { - f1("", 1); // BAD: not terminated with 0 + f1("", 1); // BAD: not terminated with 0 // $ Alert f1("", 1, 0); f1("", 1, 1, 0); f1("", 1, 1, 1, 0); 
@@ -75,13 +75,13 @@ int main(int argc, char *argv[]) f6("h", 5, -1); f6("i", 5, 6, -1); f6("j", 5, 6, 7, -1); - f6("k", 5, 6, argc); // BAD: not (necessarily) terminated with -1 - f6("l"); // BAD: not terminated with -1 + f6("k", 5, 6, argc); // BAD: not (necessarily) terminated with -1 // $ Alert + f6("l"); // BAD: not terminated with -1 // $ Alert f7("", 0); f7("", 0); f7("", 0); - f7(""); // BAD: not terminated with 0 + f7(""); // BAD: not terminated with 0 // $ Alert f7("", 0); f7("", 0); f7("", 0); diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-129/SAMATE/ImproperArrayIndexValidation/CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c b/cpp/ql/test/query-tests/Security/CWE/CWE-129/SAMATE/ImproperArrayIndexValidation/CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c index 2092902b665..97024d60eb3 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-129/SAMATE/ImproperArrayIndexValidation/CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-129/SAMATE/ImproperArrayIndexValidation/CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c @@ -27,7 +27,7 @@ void CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01_bad() { char inputBuffer[CHAR_ARRAY_SIZE] = ""; /* POTENTIAL FLAW: Read data from the console using fgets() */ - if (fgets(inputBuffer, CHAR_ARRAY_SIZE, stdin) != NULL) + if (fgets(inputBuffer, CHAR_ARRAY_SIZE, stdin) != NULL) // $ Source { /* Convert to int */ data = atoi(inputBuffer); @@ -49,7 +49,7 @@ void CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01_bad() * This code does check to see if the array index is negative */ if (data >= 0) { - buffer[data] = 1; + buffer[data] = 1; // $ Alert /* Print the array values */ for(i = 0; i < 10; i++) { 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-129/SAMATE/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-129/SAMATE/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected index 1fb824b35d6..21a50d0a8fa 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-129/SAMATE/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-129/SAMATE/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected @@ -1,3 +1,5 @@ +#select +| CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:52:20:52:23 | data | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:30:19:30:29 | fgets output argument | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:52:20:52:23 | data | An array indexing expression depends on $@ that might be outside the bounds of the array. | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:30:19:30:29 | fgets output argument | string read by fgets | edges | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:30:19:30:29 | fgets output argument | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:33:13:33:36 | ... = ... | provenance | TaintFunction | | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:33:13:33:36 | ... = ... | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:52:20:52:23 | data | provenance | | 
@@ -6,5 +8,3 @@ nodes | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:33:13:33:36 | ... = ... | semmle.label | ... = ... | | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:52:20:52:23 | data | semmle.label | data | subpaths -#select -| CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:52:20:52:23 | data | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:30:19:30:29 | fgets output argument | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:52:20:52:23 | data | An array indexing expression depends on $@ that might be outside the bounds of the array. | CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_01.c:30:19:30:29 | fgets output argument | string read by fgets | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-129/SAMATE/ImproperArrayIndexValidation/ImproperArrayIndexValidation.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-129/SAMATE/ImproperArrayIndexValidation/ImproperArrayIndexValidation.qlref index f1d46d8f8d6..71a6b558145 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-129/SAMATE/ImproperArrayIndexValidation/ImproperArrayIndexValidation.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-129/SAMATE/ImproperArrayIndexValidation/ImproperArrayIndexValidation.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-129/ImproperArrayIndexValidation.ql \ No newline at end of file +query: Security/CWE/CWE-129/ImproperArrayIndexValidation.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-129/semmle/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-129/semmle/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected index 184af69e72c..3377b266d0a 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-129/semmle/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-129/semmle/ImproperArrayIndexValidation/ImproperArrayIndexValidation.expected 
@@ -1,3 +1,8 @@ +#select +| test1.c:20:16:20:16 | i | test1.c:7:26:7:29 | **argv | test1.c:20:16:20:16 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | **argv | a command-line argument | +| test1.c:35:11:35:11 | i | test1.c:7:26:7:29 | **argv | test1.c:35:11:35:11 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | **argv | a command-line argument | +| test1.c:43:11:43:11 | i | test1.c:7:26:7:29 | **argv | test1.c:43:11:43:11 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | **argv | a command-line argument | +| test1.c:55:15:55:15 | j | test1.c:7:26:7:29 | **argv | test1.c:55:15:55:15 | j | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | **argv | a command-line argument | edges | test1.c:7:26:7:29 | **argv | test1.c:8:11:8:14 | call to atoi | provenance | TaintFunction | | test1.c:8:11:8:14 | call to atoi | test1.c:9:9:9:9 | i | provenance | | 
@@ -30,8 +35,3 @@ nodes | test1.c:53:3:53:7 | ... = ... | semmle.label | ... = ... | | test1.c:55:15:55:15 | j | semmle.label | j | subpaths -#select -| test1.c:20:16:20:16 | i | test1.c:7:26:7:29 | **argv | test1.c:20:16:20:16 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | **argv | a command-line argument | -| test1.c:35:11:35:11 | i | test1.c:7:26:7:29 | **argv | test1.c:35:11:35:11 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | **argv | a command-line argument | -| test1.c:43:11:43:11 | i | test1.c:7:26:7:29 | **argv | test1.c:43:11:43:11 | i | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | **argv | a command-line argument | -| test1.c:55:15:55:15 | j | test1.c:7:26:7:29 | **argv | test1.c:55:15:55:15 | j | An array indexing expression depends on $@ that might be outside the bounds of the array. | test1.c:7:26:7:29 | **argv | a command-line argument | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-129/semmle/ImproperArrayIndexValidation/ImproperArrayIndexValidation.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-129/semmle/ImproperArrayIndexValidation/ImproperArrayIndexValidation.qlref index f1d46d8f8d6..71a6b558145 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-129/semmle/ImproperArrayIndexValidation/ImproperArrayIndexValidation.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-129/semmle/ImproperArrayIndexValidation/ImproperArrayIndexValidation.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-129/ImproperArrayIndexValidation.ql \ No newline at end of file +query: Security/CWE/CWE-129/ImproperArrayIndexValidation.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-129/semmle/ImproperArrayIndexValidation/test1.c b/cpp/ql/test/query-tests/Security/CWE/CWE-129/semmle/ImproperArrayIndexValidation/test1.c index 89619626de9..a92689a48d3 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-129/semmle/ImproperArrayIndexValidation/test1.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-129/semmle/ImproperArrayIndexValidation/test1.c @@ -4,7 +4,7 @@ void dosomething(char c); const char chr[26] = "abcdefghijklmnopqrstuvwxyz"; -int main(int argc, char *argv[]) { +int main(int argc, char *argv[]) { // $ Source int i = atoi(argv[1]); test1(i); test2(i); @@ -17,7 +17,7 @@ int main(int argc, char *argv[]) { void test1(int i) { // BAD: i has not been validated. - char c = chr[i]; + char c = chr[i]; // $ Alert dosomething(c); } @@ -32,7 +32,7 @@ void test2(int i) { int myArray[10]; void test3(int i) { - myArray[i] = 0; // BAD: i has not been validated + myArray[i] = 0; // BAD: i has not been validated // $ Alert i = 5; @@ -40,7 +40,7 @@ void test3(int i) { } void test4(int i) { - myArray[i] = 0; // BAD: i has not been validated + myArray[i] = 0; // BAD: i has not been validated // $ Alert if ((i < 0) || (i >= 10)) return; @@ -52,7 +52,7 @@ void test5(int i) { j = i; - j = myArray[j]; // BAD: j has not been validated + j = myArray[j]; // BAD: j has not been validated // $ Alert } extern int myTable[256]; diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/NoSpaceForZeroTerminator.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/NoSpaceForZeroTerminator.qlref index 53beb09ebd7..0459fddee60 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/NoSpaceForZeroTerminator.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/NoSpaceForZeroTerminator.qlref 
@@ -1 +1,2 @@ -Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql +query: Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/test.c b/cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/test.c index 551b2441a41..15de6c31dec 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/test.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/test.c @@ -13,7 +13,7 @@ char *strcpy(char *s1, const char *s2); static void bad0(char *str) { // BAD -- Not allocating space for '\0' terminator - char *buffer = malloc(strlen(str)); + char *buffer = malloc(strlen(str)); // $ Alert strcpy(buffer, str); free(buffer); } @@ -29,7 +29,7 @@ static void good0(char *str) { static void bad1(char *str) { int len = strlen(str); // BAD -- Not allocating space for '\0' terminator - char *buffer = malloc(len); + char *buffer = malloc(len); // $ Alert strcpy(buffer, str); free(buffer); } @@ -46,7 +46,7 @@ static void good1(char *str) { static void bad2(char *str) { int len = strlen(str); // BAD -- Not allocating space for '\0' terminator - char *buffer = malloc(len); + char *buffer = malloc(len); // $ Alert strcpy(buffer, str); free(buffer); } @@ -61,7 +61,7 @@ static void good2(char *str) { static void bad3(char *str) { // BAD -- Not allocating space for '\0' terminator - char *buffer = malloc(strlen(str) * sizeof(char)); + char *buffer = malloc(strlen(str) * sizeof(char)); // $ Alert strcpy(buffer, str); free(buffer); } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/test.cpp index 24032a91ef1..f6c44301a68 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/test.cpp 
@@ -21,14 +21,14 @@ int strcmp(const char *s1, const char *s2); static void bad1(wchar_t *wstr) { // BAD -- Not allocating space for '\0' terminator - wchar_t *wbuffer = (wchar_t *)malloc(wcslen(wstr)); + wchar_t *wbuffer = (wchar_t *)malloc(wcslen(wstr)); // $ Alert wcscpy(wbuffer, wstr); free(wbuffer); } static void bad2(wchar_t *wstr) { // BAD -- Not allocating space for '\0' terminator - wchar_t *wbuffer = (wchar_t *)malloc(wcslen(wstr) * sizeof(wchar_t)); + wchar_t *wbuffer = (wchar_t *)malloc(wcslen(wstr) * sizeof(wchar_t)); // $ Alert wcscpy(wbuffer, wstr); free(wbuffer); } @@ -42,7 +42,7 @@ static void good1(wchar_t *wstr) { static void bad3(char *str) { // BAD -- zero-termination proved by sprintf (as destination) - char *buffer = (char *)malloc(strlen(str)); + char *buffer = (char *)malloc(strlen(str)); // $ Alert sprintf(buffer, "%s", str); free(buffer); } @@ -52,7 +52,7 @@ void wdecode(wchar_t *dest, wchar_t *src); static void bad4(char *str) { // BAD -- zero-termination proved by wprintf (as parameter) - char *buffer = (char *)malloc(strlen(str)); + char *buffer = (char *)malloc(strlen(str)); // $ Alert decode(buffer, str); wprintf(L"%s", buffer); free(buffer); @@ -60,7 +60,7 @@ static void bad4(char *str) { static void bad5(char *str) { // BAD -- zero-termination proved by strcat (as destination) - char *buffer = (char *)malloc(strlen(str)); + char *buffer = (char *)malloc(strlen(str)); // $ Alert buffer[0] = 0; strcat(buffer, str); free(buffer); @@ -68,7 +68,7 @@ static void bad5(char *str) { static void bad6(char *str, char *dest) { // BAD -- zero-termination proved by strcat (as source) - char *buffer = (char *)malloc(strlen(str)); + char *buffer = (char *)malloc(strlen(str)); // $ Alert decode(buffer, str); strcat(dest, buffer); free(buffer); 
@@ -76,7 +76,7 @@ static void bad6(char *str, char *dest) { static void bad7(char *str, char *str2) { // BAD -- zero-termination proved by strcmp - char *buffer = (char *)malloc(strlen(str)); + char *buffer = (char *)malloc(strlen(str)); // $ Alert decode(buffer, str); if (strcmp(buffer, str2) == 0) { // ... @@ -86,7 +86,7 @@ static void bad7(char *str, char *str2) { static void bad8(wchar_t *str) { // BAD -- zero-termination proved by wcslen - wchar_t *wbuffer = (wchar_t *)malloc(wcslen(str)); + wchar_t *wbuffer = (wchar_t *)malloc(wcslen(str)); // $ Alert wdecode(wbuffer, str); if (wcslen(wbuffer) == 0) { // ... @@ -103,7 +103,7 @@ static void good2(char *str, char *dest) { static void bad9(wchar_t *wstr) { // BAD -- using new - wchar_t *wbuffer = new wchar_t[wcslen(wstr)]; + wchar_t *wbuffer = new wchar_t[wcslen(wstr)]; // $ Alert wcscpy(wbuffer, wstr); delete wbuffer; } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/test2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/test2.cpp index 7c7f7406697..1aca38a8f64 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/test2.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-131/NoSpaceForZeroTerminator/test2.cpp @@ -61,14 +61,14 @@ static void bad2(wchar_t *str) { static void bad3(wchar_t *str) { // BAD -- Not allocating space for '\0' terminator - wchar_t *buffer = (wchar_t *)calloc(sizeof(wchar_t), wcslen(str)); + wchar_t *buffer = (wchar_t *)calloc(sizeof(wchar_t), wcslen(str)); // $ Alert wcscpy(buffer, str); free(buffer); } static void bad4(char *str) { // BAD -- Not allocating space for '\0' terminator - char *buffer = (char *)realloc(0, strlen(str)); + char *buffer = (char *)realloc(0, strlen(str)); // $ Alert strcpy(buffer, str); free(buffer); } 
@@ -81,12 +81,12 @@ void *MyMalloc2(size_t size); void customAllocatorTests(char *str) { { - char *buffer1 = (char *)MyMalloc1(strlen(str)); // BAD (no room for `\0` terminator) + char *buffer1 = (char *)MyMalloc1(strlen(str)); // BAD (no room for `\0` terminator) // $ Alert strcpy(buffer1, str); } { - char *buffer2 = (char *)MyMalloc2(strlen(str)); // BAD (no room for `\0` terminator) + char *buffer2 = (char *)MyMalloc2(strlen(str)); // BAD (no room for `\0` terminator) // $ Alert strcpy(buffer2, str); } } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/UncontrolledFormatString.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/UncontrolledFormatString.expected index 560ecc8bd77..79b6ff33410 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/UncontrolledFormatString.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/UncontrolledFormatString.expected 
@@ -1,3 +1,7 @@ +#select +| char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | *data | char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | *data | The value of this argument may come from $@ and is being used as a formatting argument to badVaSink(data), which calls vsnprintf(format). | char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | buffer read by recv | +| char_console_fprintf_01_bad.c:49:21:49:24 | *data | char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | char_console_fprintf_01_bad.c:49:21:49:24 | *data | The value of this argument may come from $@ and is being used as a formatting argument to fprintf(format). | char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | string read by fgets | +| char_environment_fprintf_01_bad.c:36:21:36:24 | *data | char_environment_fprintf_01_bad.c:27:30:27:35 | *call to getenv | char_environment_fprintf_01_bad.c:36:21:36:24 | *data | The value of this argument may come from $@ and is being used as a formatting argument to fprintf(format). | char_environment_fprintf_01_bad.c:27:30:27:35 | *call to getenv | an environment variable | edges | char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | char_connect_socket_w32_vsnprintf_01_bad.c:100:13:100:60 | ... = ... | provenance | | | char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | *data | provenance | | 
@@ -21,7 +25,3 @@ nodes | char_environment_fprintf_01_bad.c:27:30:27:35 | *call to getenv | semmle.label | *call to getenv | | char_environment_fprintf_01_bad.c:36:21:36:24 | *data | semmle.label | *data | subpaths -#select -| char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | *data | char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | char_connect_socket_w32_vsnprintf_01_bad.c:125:15:125:18 | *data | The value of this argument may come from $@ and is being used as a formatting argument to badVaSink(data), which calls vsnprintf(format). | char_connect_socket_w32_vsnprintf_01_bad.c:94:46:94:69 | recv output argument | buffer read by recv | -| char_console_fprintf_01_bad.c:49:21:49:24 | *data | char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | char_console_fprintf_01_bad.c:49:21:49:24 | *data | The value of this argument may come from $@ and is being used as a formatting argument to fprintf(format). | char_console_fprintf_01_bad.c:30:23:30:35 | fgets output argument | string read by fgets | -| char_environment_fprintf_01_bad.c:36:21:36:24 | *data | char_environment_fprintf_01_bad.c:27:30:27:35 | *call to getenv | char_environment_fprintf_01_bad.c:36:21:36:24 | *data | The value of this argument may come from $@ and is being used as a formatting argument to fprintf(format). | char_environment_fprintf_01_bad.c:27:30:27:35 | *call to getenv | an environment variable | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/UncontrolledFormatString.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/UncontrolledFormatString.qlref index 079e0c8a7c0..9c363bfac55 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/UncontrolledFormatString.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/UncontrolledFormatString.qlref 
@@ -1 +1,2 @@ -Security/CWE/CWE-134/UncontrolledFormatString.ql \ No newline at end of file +query: Security/CWE/CWE-134/UncontrolledFormatString.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/char_connect_socket_w32_vsnprintf_01_bad.c b/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/char_connect_socket_w32_vsnprintf_01_bad.c index ccba3e54840..9c177049c0f 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/char_connect_socket_w32_vsnprintf_01_bad.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/char_connect_socket_w32_vsnprintf_01_bad.c @@ -91,7 +91,7 @@ void CWE134_Uncontrolled_Format_String__char_connect_socket_w32_vsnprintf_01_bad /* Abort on error or the connection was closed, make sure to recv one * less char than is in the recv_buf in order to append a terminator */ /* Abort on error or the connection was closed */ - recvResult = recv(connectSocket, (char *)(data + dataLen), sizeof(char) * (100 - dataLen - 1), 0); + recvResult = recv(connectSocket, (char *)(data + dataLen), sizeof(char) * (100 - dataLen - 1), 0); // $ Source if (recvResult == SOCKET_ERROR || recvResult == 0) { break; @@ -122,5 +122,5 @@ void CWE134_Uncontrolled_Format_String__char_connect_socket_w32_vsnprintf_01_bad } #endif } - badVaSink(data, data); + badVaSink(data, data); // $ Alert } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/char_console_fprintf_01_bad.c b/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/char_console_fprintf_01_bad.c index 1af281b9f42..493f9a5f7de 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/char_console_fprintf_01_bad.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/char_console_fprintf_01_bad.c 
@@ -27,7 +27,7 @@ void CWE134_Uncontrolled_Format_String__char_console_fprintf_01_bad() /* POTENTIAL FLAW: Read data from the console */ if(100-data_len > 1) { - if (fgets(data+data_len, (int)(100-data_len), stdin) != NULL) + if (fgets(data+data_len, (int)(100-data_len), stdin) != NULL) // $ Source { /* The next 3 lines remove the carriage return from the string that is * inserted by fgets() */ @@ -46,7 +46,7 @@ void CWE134_Uncontrolled_Format_String__char_console_fprintf_01_bad() } } /* POTENTIAL FLAW: Do not specify the format allowing a possible format string vulnerability */ - fprintf(stdout, data); + fprintf(stdout, data); // $ Alert } /* goodG2B uses the GoodSource with the BadSink */ diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/char_environment_fprintf_01_bad.c b/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/char_environment_fprintf_01_bad.c index f759a9d8e61..bc9f7e9f4a8 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/char_environment_fprintf_01_bad.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/SAMATE/char_environment_fprintf_01_bad.c @@ -24,7 +24,7 @@ void CWE134_Uncontrolled_Format_String__char_environment_fprintf_01_bad() { /* Append input from an environment variable to data */ size_t data_len = strlen(data); - char * environment = GETENV(ENV_VARIABLE); + char * environment = GETENV(ENV_VARIABLE); // $ Source /* If there is data in the environment variable */ if (environment != NULL) { @@ -33,7 +33,7 @@ void CWE134_Uncontrolled_Format_String__char_environment_fprintf_01_bad() } } /* POTENTIAL FLAW: Do not specify the format allowing a possible format string vulnerability */ - fprintf(stdout, data); + fprintf(stdout, data); // $ Alert } /* goodG2B uses the GoodSource with the BadSink */ diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.c b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.c index 5649c0e19b1..4c6baf0d562 100644 
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.c @@ -10,7 +10,7 @@ void printWrapper(char *correct) { printf(correct); } -int main(int argc, char **argv) { +int main(int argc, char **argv) { // $ Source // GOOD: constant format printf("Correct"); printWrapper("Correct"); 
@@ -92,63 +92,63 @@ int main(int argc, char **argv) { printWrapper((char *) c10); // BAD: format comes from argv - printf(argv[1]); - printWrapper(argv[1]); + printf(argv[1]); // $ Alert + printWrapper(argv[1]); // $ Alert // BAD: i1 value comes from argv char *i1; i1 = argv[1]; - printf(i1); - printWrapper(i1); + printf(i1); // $ Alert + printWrapper(i1); // $ Alert // BAD: i2 value comes from argv char **i2 = argv; - printf(i2[0]); - printWrapper(i2[0]); + printf(i2[0]); // $ Alert + printWrapper(i2[0]); // $ Alert // BAD: i2 value comes from argv - printf(*i2); - printWrapper(*i2); + printf(*i2); // $ Alert + printWrapper(*i2); // $ Alert // BAD: i3 value comes from argv char i3[5012]; memcpy(i3, argv[1], 5012); - printf(i3); - printWrapper(i3); + printf(i3); // $ Alert + printWrapper(i3); // $ Alert // BAD: i4 value comes from argv char *i4 = i3; - printf(i4); - printWrapper(i4); + printf(i4); // $ Alert + printWrapper(i4); // $ Alert // BAD: i5 value comes from argv char i5[5012]; i5[0] = argv[1][0]; - printf(i5); - printWrapper(i5); + printf(i5); // $ Alert + printWrapper(i5); // $ Alert // BAD: i5 value comes from argv - printf(i5 + 1); - printWrapper(i5 + 1); + printf(i5 + 1); // $ Alert + printWrapper(i5 + 1); // $ Alert // BAD: i4 value comes from argv - printf(i4++); - printWrapper(--i4); + printf(i4++); // $ Alert + printWrapper(--i4); // $ Alert // BAD: i5 value comes from argv, so in some cases the format come from argv - printf(argv[1] ? "a" : i5); - printWrapper(argv[1] ? "a" : i5); + printf(argv[1] ? "a" : i5); // $ Alert + printWrapper(argv[1] ? 
"a" : i5); // $ Alert // BAD: i7 receives the value of i1, which comes from argv char *i7 = (argv[1] , i1); - printf(i7); - printWrapper(i7); + printf(i7); // $ Alert + printWrapper(i7); // $ Alert // BAD: i8 value comes from argv char *i8; *(&i8) = argv[1]; - printf(i8); - printWrapper(i8); + printf(i8); // $ Alert + printWrapper(i8); // $ Alert // BAD: i9 value comes from argv [NOT DETECTED] char i9buf[32]; diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected index 7b87c3ff440..ca7aa17cf08 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.expected 
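Review bot: The known false negative at the end of the `@@ -92,63 +92,63 @@` hunk in argvLocal.c (`// BAD: i9 value comes from argv [NOT DETECTED]`) gets no inline expectation, so the detection gap is recorded only in a free-text comment. Since the test is now post-processed by `utils/test/InlineExpectationsTestQuery.ql`, the sink that uses `i9` could carry `// $ MISSING: Alert`. That keeps the missed format-string flow visible in the expectations and should make the test report it once the query starts catching it. The statements that use `i9` lie below the hunk's last context line and `main` continues outside the hunk, so the exact line(s) to mark need to be confirmed against the full file.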
@@ -1,3 +1,28 @@ +#select +| argvLocal.c:95:9:95:15 | *access to array | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:95:9:95:15 | *access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:96:15:96:21 | *access to array | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:96:15:96:21 | *access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:101:9:101:10 | *i1 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:101:9:101:10 | *i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:102:15:102:16 | *i1 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:102:15:102:16 | *i1 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:106:9:106:13 | *access to array | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:106:9:106:13 | *access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:107:15:107:19 | *access to array | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:107:15:107:19 | *access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:110:9:110:11 | ** ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:110:9:110:11 | ** ... 
| The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:111:15:111:17 | ** ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:111:15:111:17 | ** ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:116:9:116:10 | *i3 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:116:9:116:10 | *i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:117:15:117:16 | *i3 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:117:15:117:16 | *i3 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:121:9:121:10 | *i4 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:121:9:121:10 | *i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:122:15:122:16 | *i4 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:122:15:122:16 | *i4 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:127:9:127:10 | *i5 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:127:9:127:10 | *i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). 
| argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:128:15:128:16 | *i5 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:128:15:128:16 | *i5 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:131:9:131:14 | *... + ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:131:9:131:14 | *... + ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:132:15:132:20 | *... + ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:132:15:132:20 | *... + ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:135:9:135:12 | *... ++ | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:135:9:135:12 | *... ++ | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:136:15:136:18 | *-- ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:136:15:136:18 | *-- ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:139:9:139:26 | *... ? ... : ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:139:9:139:26 | *... ? ... : ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:140:15:140:32 | *... ? ... : ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:140:15:140:32 | *... 
? ... : ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:144:9:144:10 | *i7 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:144:9:144:10 | *i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:145:15:145:16 | *i7 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:145:15:145:16 | *i7 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:150:9:150:10 | *i8 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:150:9:150:10 | *i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | +| argvLocal.c:151:15:151:16 | *i8 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:151:15:151:16 | *i8 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | edges | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:9:25:9:31 | *correct | provenance | | | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:95:9:95:15 | *access to array | provenance | | 
@@ -132,28 +157,3 @@ subpaths | argvLocal.c:122:15:122:16 | *i4 | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:122:15:122:16 | printWrapper output argument | | argvLocal.c:128:15:128:16 | *i5 | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:128:15:128:16 | printWrapper output argument | | argvLocal.c:132:15:132:20 | *... + ... | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:9:25:9:31 | *correct | argvLocal.c:132:15:132:20 | printWrapper output argument | -#select -| argvLocal.c:95:9:95:15 | *access to array | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:95:9:95:15 | *access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:96:15:96:21 | *access to array | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:96:15:96:21 | *access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:101:9:101:10 | *i1 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:101:9:101:10 | *i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:102:15:102:16 | *i1 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:102:15:102:16 | *i1 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:106:9:106:13 | *access to array | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:106:9:106:13 | *access to array | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). 
| argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:107:15:107:19 | *access to array | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:107:15:107:19 | *access to array | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:110:9:110:11 | ** ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:110:9:110:11 | ** ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:111:15:111:17 | ** ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:111:15:111:17 | ** ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:116:9:116:10 | *i3 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:116:9:116:10 | *i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:117:15:117:16 | *i3 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:117:15:117:16 | *i3 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:121:9:121:10 | *i4 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:121:9:121:10 | *i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). 
| argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:122:15:122:16 | *i4 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:122:15:122:16 | *i4 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:127:9:127:10 | *i5 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:127:9:127:10 | *i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:128:15:128:16 | *i5 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:128:15:128:16 | *i5 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:131:9:131:14 | *... + ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:131:9:131:14 | *... + ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:132:15:132:20 | *... + ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:132:15:132:20 | *... + ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:135:9:135:12 | *... ++ | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:135:9:135:12 | *... ++ | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:136:15:136:18 | *-- ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:136:15:136:18 | *-- ... 
| The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:139:9:139:26 | *... ? ... : ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:139:9:139:26 | *... ? ... : ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:140:15:140:32 | *... ? ... : ... | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:140:15:140:32 | *... ? ... : ... | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:144:9:144:10 | *i7 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:144:9:144:10 | *i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:145:15:145:16 | *i7 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:145:15:145:16 | *i7 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:150:9:150:10 | *i8 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:150:9:150:10 | *i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | **argv | a command-line argument | -| argvLocal.c:151:15:151:16 | *i8 | argvLocal.c:13:27:13:30 | **argv | argvLocal.c:151:15:151:16 | *i8 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). 
| argvLocal.c:13:27:13:30 | **argv | a command-line argument |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.qlref
index 079e0c8a7c0..9c363bfac55 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/argv/argvLocal.qlref
@@ -1 +1,2 @@
-Security/CWE/CWE-134/UncontrolledFormatString.ql
\ No newline at end of file
+query: Security/CWE/CWE-134/UncontrolledFormatString.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/consts/NonConstantFormat.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/consts/NonConstantFormat.expected
index b5f6ad602fb..e853d5457f6 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/consts/NonConstantFormat.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/consts/NonConstantFormat.expected
@@ -1,3 +1,27 @@ +#select +| consts.cpp:86:9:86:10 | *v1 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:86:9:86:10 | *v1 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:86:2:86:7 | call to printf | printf | +| consts.cpp:91:9:91:10 | *v2 | consts.cpp:90:7:90:10 | *call to gets | consts.cpp:91:9:91:10 | *v2 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:91:2:91:7 | call to printf | printf | +| consts.cpp:95:9:95:10 | *v3 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:95:9:95:10 | *v3 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:95:2:95:7 | call to printf | printf | +| consts.cpp:95:9:95:10 | *v3 | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:95:9:95:10 | *v3 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:95:2:95:7 | call to printf | printf | +| consts.cpp:100:9:100:10 | *v4 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:100:9:100:10 | *v4 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:100:2:100:7 | call to printf | printf | +| consts.cpp:100:9:100:10 | *v4 | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:100:9:100:10 | *v4 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:100:2:100:7 | call to printf | printf | +| consts.cpp:103:9:103:17 | *call to varFunc | consts.cpp:103:9:103:17 | *call to varFunc | consts.cpp:103:9:103:17 | *call to varFunc | The format string argument to $@ has a source which cannot be verified to originate from a string literal. 
| consts.cpp:103:2:103:7 | call to printf | printf | +| consts.cpp:107:9:107:10 | *v5 | consts.cpp:106:13:106:19 | *call to varFunc | consts.cpp:107:9:107:10 | *v5 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:107:2:107:7 | call to printf | printf | +| consts.cpp:112:9:112:10 | *v6 | consts.cpp:111:7:111:13 | *call to varFunc | consts.cpp:112:9:112:10 | *v6 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:112:2:112:7 | call to printf | printf | +| consts.cpp:116:9:116:13 | *access to array | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:116:9:116:13 | *access to array | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:116:2:116:7 | call to printf | printf | +| consts.cpp:116:9:116:13 | *access to array | consts.cpp:90:7:90:10 | *call to gets | consts.cpp:116:9:116:13 | *access to array | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:116:2:116:7 | call to printf | printf | +| consts.cpp:116:9:116:13 | *access to array | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:116:9:116:13 | *access to array | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:116:2:116:7 | call to printf | printf | +| consts.cpp:121:9:121:10 | *v8 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:121:9:121:10 | *v8 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:121:2:121:7 | call to printf | printf | +| consts.cpp:121:9:121:10 | *v8 | consts.cpp:90:7:90:10 | *call to gets | consts.cpp:121:9:121:10 | *v8 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. 
| consts.cpp:121:2:121:7 | call to printf | printf | +| consts.cpp:121:9:121:10 | *v8 | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:121:9:121:10 | *v8 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:121:2:121:7 | call to printf | printf | +| consts.cpp:126:9:126:30 | *call to nonConstFuncToArray | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:126:9:126:30 | *call to nonConstFuncToArray | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:126:2:126:7 | call to printf | printf | +| consts.cpp:126:9:126:30 | *call to nonConstFuncToArray | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:126:9:126:30 | *call to nonConstFuncToArray | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:126:2:126:7 | call to printf | printf | +| consts.cpp:130:9:130:10 | *v9 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:130:9:130:10 | *v9 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:130:2:130:7 | call to printf | printf | +| consts.cpp:130:9:130:10 | *v9 | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:130:9:130:10 | *v9 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:130:2:130:7 | call to printf | printf | +| consts.cpp:135:9:135:11 | *v10 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:135:9:135:11 | *v10 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. 
| consts.cpp:135:2:135:7 | call to printf | printf | +| consts.cpp:135:9:135:11 | *v10 | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:135:9:135:11 | *v10 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:135:2:135:7 | call to printf | printf | +| consts.cpp:140:9:140:11 | *v11 | consts.cpp:139:13:139:16 | readString output argument | consts.cpp:140:9:140:11 | *v11 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:140:2:140:7 | call to printf | printf | +| consts.cpp:145:9:145:11 | *v12 | consts.cpp:144:16:144:18 | readStringRef output argument | consts.cpp:145:9:145:11 | *v12 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:145:2:145:7 | call to printf | printf | edges | consts.cpp:24:7:24:9 | **gv1 | consts.cpp:30:9:30:14 | *access to array | provenance | | | consts.cpp:24:7:24:9 | **gv1 | consts.cpp:123:2:123:12 | *... = ... | provenance | | 
@@ -69,27 +93,3 @@ nodes | consts.cpp:144:16:144:18 | readStringRef output argument | semmle.label | readStringRef output argument | | consts.cpp:145:9:145:11 | *v12 | semmle.label | *v12 | subpaths -#select -| consts.cpp:86:9:86:10 | *v1 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:86:9:86:10 | *v1 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:86:2:86:7 | call to printf | printf | -| consts.cpp:91:9:91:10 | *v2 | consts.cpp:90:7:90:10 | *call to gets | consts.cpp:91:9:91:10 | *v2 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:91:2:91:7 | call to printf | printf | -| consts.cpp:95:9:95:10 | *v3 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:95:9:95:10 | *v3 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:95:2:95:7 | call to printf | printf | -| consts.cpp:95:9:95:10 | *v3 | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:95:9:95:10 | *v3 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:95:2:95:7 | call to printf | printf | -| consts.cpp:100:9:100:10 | *v4 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:100:9:100:10 | *v4 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:100:2:100:7 | call to printf | printf | -| consts.cpp:100:9:100:10 | *v4 | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:100:9:100:10 | *v4 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. 
| consts.cpp:100:2:100:7 | call to printf | printf | -| consts.cpp:103:9:103:17 | *call to varFunc | consts.cpp:103:9:103:17 | *call to varFunc | consts.cpp:103:9:103:17 | *call to varFunc | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:103:2:103:7 | call to printf | printf | -| consts.cpp:107:9:107:10 | *v5 | consts.cpp:106:13:106:19 | *call to varFunc | consts.cpp:107:9:107:10 | *v5 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:107:2:107:7 | call to printf | printf | -| consts.cpp:112:9:112:10 | *v6 | consts.cpp:111:7:111:13 | *call to varFunc | consts.cpp:112:9:112:10 | *v6 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:112:2:112:7 | call to printf | printf | -| consts.cpp:116:9:116:13 | *access to array | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:116:9:116:13 | *access to array | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:116:2:116:7 | call to printf | printf | -| consts.cpp:116:9:116:13 | *access to array | consts.cpp:90:7:90:10 | *call to gets | consts.cpp:116:9:116:13 | *access to array | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:116:2:116:7 | call to printf | printf | -| consts.cpp:116:9:116:13 | *access to array | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:116:9:116:13 | *access to array | The format string argument to $@ has a source which cannot be verified to originate from a string literal. 
| consts.cpp:116:2:116:7 | call to printf | printf | -| consts.cpp:121:9:121:10 | *v8 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:121:9:121:10 | *v8 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:121:2:121:7 | call to printf | printf | -| consts.cpp:121:9:121:10 | *v8 | consts.cpp:90:7:90:10 | *call to gets | consts.cpp:121:9:121:10 | *v8 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:121:2:121:7 | call to printf | printf | -| consts.cpp:121:9:121:10 | *v8 | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:121:9:121:10 | *v8 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:121:2:121:7 | call to printf | printf | -| consts.cpp:126:9:126:30 | *call to nonConstFuncToArray | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:126:9:126:30 | *call to nonConstFuncToArray | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:126:2:126:7 | call to printf | printf | -| consts.cpp:126:9:126:30 | *call to nonConstFuncToArray | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:126:9:126:30 | *call to nonConstFuncToArray | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:126:2:126:7 | call to printf | printf | -| consts.cpp:130:9:130:10 | *v9 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:130:9:130:10 | *v9 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. 
| consts.cpp:130:2:130:7 | call to printf | printf | -| consts.cpp:130:9:130:10 | *v9 | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:130:9:130:10 | *v9 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:130:2:130:7 | call to printf | printf | -| consts.cpp:135:9:135:11 | *v10 | consts.cpp:85:7:85:8 | gets output argument | consts.cpp:135:9:135:11 | *v10 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:135:2:135:7 | call to printf | printf | -| consts.cpp:135:9:135:11 | *v10 | consts.cpp:90:12:90:13 | gets output argument | consts.cpp:135:9:135:11 | *v10 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:135:2:135:7 | call to printf | printf | -| consts.cpp:140:9:140:11 | *v11 | consts.cpp:139:13:139:16 | readString output argument | consts.cpp:140:9:140:11 | *v11 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:140:2:140:7 | call to printf | printf | -| consts.cpp:145:9:145:11 | *v12 | consts.cpp:144:16:144:18 | readStringRef output argument | consts.cpp:145:9:145:11 | *v12 | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | consts.cpp:145:2:145:7 | call to printf | printf | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/consts/NonConstantFormat.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/consts/NonConstantFormat.qlref index 83622f12b4d..cb71273232c 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/consts/NonConstantFormat.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/consts/NonConstantFormat.qlref 
@@ -1 +1,2 @@
-Likely Bugs/Format/NonConstantFormat.ql
\ No newline at end of file
+query: Likely Bugs/Format/NonConstantFormat.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/consts/consts.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/consts/consts.cpp
index 7242bedc133..b3815dfd0b7 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/consts/consts.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/consts/consts.cpp
@@ -82,65 +82,65 @@ void a() { // BAD: v1 value came from the user char v1[100]; - gets(v1); - printf(v1); + gets(v1); // $ Source + printf(v1); // $ Alert // BAD: v2 value came from the user char *v2; - v2 = gets(v1); - printf(v2); + v2 = gets(v1); // $ Source + printf(v2); // $ Alert // BAD: v3 value is copied from v1, which came from the user char *v3 = v1; - printf(v3); + printf(v3); // $ Alert // BAD: v4 value is copied from v1, which came from the user char *v4; v4 = v1; - printf(v4); + printf(v4); // $ Alert // BAD: varFunc() is not defined, so it may not be constant - printf(varFunc()); + printf(varFunc()); // $ Alert // BAD: varFunc() is not defined, so it may not be constant - char *v5 = varFunc(); - printf(v5); + char *v5 = varFunc(); // $ Source + printf(v5); // $ Alert // BAD: varFunc() is not defined, so it may not be constant char *v6; - v6 = varFunc(); - printf(v6); + v6 = varFunc(); // $ Source + printf(v6); // $ Alert // BAD: all elements of v7 came from the user char *v7[] = { v1, v2 }; - printf(v7[0]); + printf(v7[0]); // $ Alert // BAD: v8 started as constant, but changed to a value that came from the user char *v8 = "a"; v8 = v7[1]; - printf(v8); + printf(v8); // $ Alert gv1[1] = v1; // BAD: nonConstFuncToArray() always returns a value from gv1, which is started as constant but was changed to a value that came from the user - printf(nonConstFuncToArray(0)); + printf(nonConstFuncToArray(0)); // $ Alert // BAD: v9 value is copied from v1, which came from the user const char *v9 = v1; - printf(v9); + printf(v9); // $ Alert // BAD: v10 value is derived from values that are not constant char v10[10]; sprintf(v10, "%s", v1); - printf(v10); + printf(v10); // $ Alert // BAD: v11 is initialized via a pointer char *v11; - readString(&v11); - printf(v11); + readString(&v11); // $ Source + printf(v11); // $ Alert // BAD: v12 is initialized via a reference char *v12; - readStringRef(v12); - printf(v12); + readStringRef(v12); // $ Source + printf(v12); // $ 
Alert } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.c b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.c index d2b28baac23..23a05e1ec50 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.c @@ -13,8 +13,8 @@ FILE *f; int main(int argc, char **argv) { // BAD: i1 comes from the user char i1[1024]; - fread(i1, sizeof(char), 1024, f); - printf(i1); + fread(i1, sizeof(char), 1024, f); // $ Source + printf(i1); // $ Alert // GOOD: i2 comes from the user, but is not the format string here char i2[1024]; @@ -23,39 +23,39 @@ int main(int argc, char **argv) { // BAD: i3 comes from the user char i3[1024]; - fgets(i3, 1, 0); - printf(i3); + fgets(i3, 1, 0); // $ Source + printf(i3); // $ Alert // BAD: i4 comes from the user char i41[1024]; - char *i4 = fgets(i41, 1, f); - printf(i4); + char *i4 = fgets(i41, 1, f); // $ Source + printf(i4); // $ Alert // BAD: i5 comes from the user char i5[1024]; - gets(i5); - printf(i5); + gets(i5); // $ Source + printf(i5); // $ Alert // BAD: i6 comes from the user char i61[1024]; - char *i6 = gets(i61); - printf(i6); + char *i6 = gets(i61); // $ Source + printf(i6); // $ Alert // BAD: i7 comes from the user char **i7; - gets(*i7); - printf(*i7); + gets(*i7); // $ Source + printf(*i7); // $ Alert // BAD: i8 comes from the user char i81[1024]; char **i8; - *i8 = gets(i81); - printf(*i8); + *i8 = gets(i81); // $ Source + printf(*i8); // $ Alert // BAD: e1 comes from i1, which comes from the user char e1[1]; e1[0] = i1[0]; - printf(e1); + printf(e1); // $ Alert return 0; } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected index 4447b215aed..3966ccbf52f 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected 
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected 
@@ -1,3 +1,12 @@ +#select +| funcsLocal.c:17:9:17:10 | *i1 | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | *i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:16:8:16:9 | fread output argument | string read by fread | +| funcsLocal.c:27:9:27:10 | *i3 | funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | *i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:26:8:26:9 | fgets output argument | string read by fgets | +| funcsLocal.c:32:9:32:10 | *i4 | funcsLocal.c:31:13:31:17 | *call to fgets | funcsLocal.c:32:9:32:10 | *i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:31:13:31:17 | *call to fgets | string read by fgets | +| funcsLocal.c:37:9:37:10 | *i5 | funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | *i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:36:7:36:8 | gets output argument | string read by gets | +| funcsLocal.c:42:9:42:10 | *i6 | funcsLocal.c:41:13:41:16 | *call to gets | funcsLocal.c:42:9:42:10 | *i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:41:13:41:16 | *call to gets | string read by gets | +| funcsLocal.c:47:9:47:11 | ** ... | funcsLocal.c:46:7:46:9 | gets output argument | funcsLocal.c:47:9:47:11 | ** ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:46:7:46:9 | gets output argument | string read by gets | +| funcsLocal.c:53:9:53:11 | ** ... | funcsLocal.c:52:8:52:11 | *call to gets | funcsLocal.c:53:9:53:11 | ** ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). 
| funcsLocal.c:52:8:52:11 | *call to gets | string read by gets | +| funcsLocal.c:58:9:58:10 | *e1 | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | *e1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:16:8:16:9 | fread output argument | string read by fread | edges | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | *i1 | provenance | | | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:57:2:57:14 | ... = ... | provenance | | 
@@ -32,12 +41,3 @@ nodes | funcsLocal.c:57:2:57:14 | ... = ... | semmle.label | ... = ... | | funcsLocal.c:58:9:58:10 | *e1 | semmle.label | *e1 | subpaths -#select -| funcsLocal.c:17:9:17:10 | *i1 | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | *i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:16:8:16:9 | fread output argument | string read by fread | -| funcsLocal.c:27:9:27:10 | *i3 | funcsLocal.c:26:8:26:9 | fgets output argument | funcsLocal.c:27:9:27:10 | *i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:26:8:26:9 | fgets output argument | string read by fgets | -| funcsLocal.c:32:9:32:10 | *i4 | funcsLocal.c:31:13:31:17 | *call to fgets | funcsLocal.c:32:9:32:10 | *i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:31:13:31:17 | *call to fgets | string read by fgets | -| funcsLocal.c:37:9:37:10 | *i5 | funcsLocal.c:36:7:36:8 | gets output argument | funcsLocal.c:37:9:37:10 | *i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:36:7:36:8 | gets output argument | string read by gets | -| funcsLocal.c:42:9:42:10 | *i6 | funcsLocal.c:41:13:41:16 | *call to gets | funcsLocal.c:42:9:42:10 | *i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:41:13:41:16 | *call to gets | string read by gets | -| funcsLocal.c:47:9:47:11 | ** ... | funcsLocal.c:46:7:46:9 | gets output argument | funcsLocal.c:47:9:47:11 | ** ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:46:7:46:9 | gets output argument | string read by gets | -| funcsLocal.c:53:9:53:11 | ** ... 
| funcsLocal.c:52:8:52:11 | *call to gets | funcsLocal.c:53:9:53:11 | ** ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:52:8:52:11 | *call to gets | string read by gets | -| funcsLocal.c:58:9:58:10 | *e1 | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | *e1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:16:8:16:9 | fread output argument | string read by fread | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.qlref index 079e0c8a7c0..9c363bfac55 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-134/UncontrolledFormatString.ql \ No newline at end of file +query: Security/CWE/CWE-134/UncontrolledFormatString.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected index 7408d8360ef..8f06acca17f 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.expected 
@@ -1,3 +1,9 @@ +#select +| globalVars.c:27:9:27:12 | *copy | globalVars.c:23:27:23:30 | **argv | globalVars.c:27:9:27:12 | *copy | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument | +| globalVars.c:30:15:30:18 | *copy | globalVars.c:23:27:23:30 | **argv | globalVars.c:30:15:30:18 | *copy | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument | +| globalVars.c:38:9:38:13 | *copy2 | globalVars.c:23:27:23:30 | **argv | globalVars.c:38:9:38:13 | *copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument | +| globalVars.c:41:15:41:19 | *copy2 | globalVars.c:23:27:23:30 | **argv | globalVars.c:41:15:41:19 | *copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument | +| globalVars.c:50:9:50:13 | *copy2 | globalVars.c:23:27:23:30 | **argv | globalVars.c:50:9:50:13 | *copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument | edges | globalVars.c:8:7:8:10 | **copy | globalVars.c:8:7:8:10 | **copy | provenance | | | globalVars.c:8:7:8:10 | **copy | globalVars.c:27:9:27:12 | *copy | provenance | | 
@@ -55,9 +61,3 @@ subpaths | globalVars.c:30:15:30:18 | *copy | globalVars.c:19:25:19:27 | *str | globalVars.c:19:25:19:27 | *str | globalVars.c:30:15:30:18 | printWrapper output argument | | globalVars.c:35:11:35:14 | *copy | globalVars.c:15:21:15:23 | *val | globalVars.c:15:21:15:23 | *val | globalVars.c:35:11:35:14 | setCopy2 output argument | | globalVars.c:41:15:41:19 | *copy2 | globalVars.c:19:25:19:27 | *str | globalVars.c:19:25:19:27 | *str | globalVars.c:41:15:41:19 | printWrapper output argument | -#select -| globalVars.c:27:9:27:12 | *copy | globalVars.c:23:27:23:30 | **argv | globalVars.c:27:9:27:12 | *copy | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument | -| globalVars.c:30:15:30:18 | *copy | globalVars.c:23:27:23:30 | **argv | globalVars.c:30:15:30:18 | *copy | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument | -| globalVars.c:38:9:38:13 | *copy2 | globalVars.c:23:27:23:30 | **argv | globalVars.c:38:9:38:13 | *copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument | -| globalVars.c:41:15:41:19 | *copy2 | globalVars.c:23:27:23:30 | **argv | globalVars.c:41:15:41:19 | *copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument | -| globalVars.c:50:9:50:13 | *copy2 | globalVars.c:23:27:23:30 | **argv | globalVars.c:50:9:50:13 | *copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:23:27:23:30 | **argv | a command-line argument | 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.qlref index 079e0c8a7c0..9c363bfac55 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatString.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-134/UncontrolledFormatString.ql \ No newline at end of file +query: Security/CWE/CWE-134/UncontrolledFormatString.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/globalVars.c b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/globalVars.c index c36c708eab0..dedeade890a 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/globalVars.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/globalVars.c @@ -20,14 +20,14 @@ void printWrapper(char *str) { printf(str); } -int main(int argc, char **argv) { +int main(int argc, char **argv) { // $ Source copyArgv(argv); // BAD: format comes from argv through copy - printf(copy); + printf(copy); // $ Alert // BAD: format comes from argv through copy - printWrapper(copy); + printWrapper(copy); // $ Alert // GOOD: constant format printf("%s", copy); @@ -35,10 +35,10 @@ int main(int argc, char **argv) { setCopy2(copy); // BAD: format comes from argv through copy2 (that is set to copy that is set to argv[1]) - printf(copy2); + printf(copy2); // $ Alert // BAD: format comes from argv through copy2 (that is set to copy that is set to argv[1]) - printWrapper(copy2); + printWrapper(copy2); // $ Alert // GOOD: constant format printf("%s", copy2); 
@@ -47,5 +47,5 @@ int main(int argc, char **argv) { // Should be GOOD because copy2 has value "asdf" // But we flag this case because once a global variable gets tainted we mark all usages as tainted - printf(copy2); + printf(copy2); // $ Alert } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.c b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.c index 3d15905d82d..b7a8eca6e0f 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.c @@ -13,7 +13,7 @@ int inv(int a) { return !a; } -int main(int argc, char **argv) { +int main(int argc, char **argv) { // $ Source int varZero = 0; int varOne = 1; 
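Review bot: The last `printf(copy2)` in globalVars.c is annotated `// $ Alert` although the comment directly above it says the call should be GOOD and is flagged only because every use of a tainted global is treated as tainted, so the inline expectation records a known false positive as an intended result. I would write it as `printf(copy2); // $ SPURIOUS: Alert`, which still matches the current output but keeps the imprecision visible, so a later precision fix in the format-string query shows up as an expectation to update rather than as a lost detection. The same applies in ifs.c, hunk `@@ -59,69 +59,69 @@`, at `printf(c8); // $ Alert`, whose comment says `inv(1)` returns 0 and the branch is never taken; `printf(c7)` in that hunk may be the same case, but its comment lies outside the hunk. `main` begins before this hunk in both files.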
@@ -59,69 +59,69 @@ int main(int argc, char **argv) { char *c7; if (globalZero) c7 = argv[1]; - printf(c7); + printf(c7); // $ Alert // GOOD: inv(1) returns 0 and it never goes inside the if // But we can't handle this case because currently we don't analyse arguments in function calls char *c8; if (inv(1)) c8 = argv[1]; - printf(c8); + printf(c8); // $ Alert // BAD: condition is true and it always goes inside the if char *i1; if (1) i1 = argv[1]; - printf(i1); + printf(i1); // $ Alert // BAD: condition is true and it always goes inside the if char *i2; if (0 == 0) i2 = argv[1]; - printf(i2); + printf(i2); // $ Alert // BAD: condition is true and it always goes inside the if char *i3; if (!0) i3 = argv[1]; - printf(i3); + printf(i3); // $ Alert // BAD: varOne is 1 so condition is true and it always goes inside the if char *i4; if (varOne) i4 = argv[1]; - printf(i4); + printf(i4); // $ Alert // BAD: varZero is 0 so condition is true and it always goes inside the if char *i5; if (!varZero) i5 = argv[1]; - printf(i5); + printf(i5); // $ Alert // BAD: condition is true and it always goes inside the if // But our analysis only handle booleans, so it isn't able the detect that both values are the same (we can handle only 0 == 0) char *i6; if (varOne == varOne) i6 = argv[1]; - printf(i6); + printf(i6); // $ Alert // BAD: globalOne is 1 so condition is true and it always goes inside the if char *i7; if (globalOne) i7 = argv[1]; - printf(i7); + printf(i7); // $ Alert // BAD: we don't know the value of globalUnknown so we have to assume it can be true char *i8; if (globalUnknown) i8 = argv[1]; - printf(i8); + printf(i8); // $ Alert // BAD: inv(0) returns 1 and it always goes inside the if char *i9; if (inv(0)) i9 = argv[1]; - printf(i9); + printf(i9); // $ Alert return 0; diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected index e8d852cbcd2..5dad063c999 100644 
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected 
@@ -1,3 +1,15 @@ +#select +| ifs.c:62:9:62:10 | *c7 | ifs.c:16:27:16:30 | **argv | ifs.c:62:9:62:10 | *c7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | +| ifs.c:69:9:69:10 | *c8 | ifs.c:16:27:16:30 | **argv | ifs.c:69:9:69:10 | *c8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | +| ifs.c:75:9:75:10 | *i1 | ifs.c:16:27:16:30 | **argv | ifs.c:75:9:75:10 | *i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | +| ifs.c:81:9:81:10 | *i2 | ifs.c:16:27:16:30 | **argv | ifs.c:81:9:81:10 | *i2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | +| ifs.c:87:9:87:10 | *i3 | ifs.c:16:27:16:30 | **argv | ifs.c:87:9:87:10 | *i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | +| ifs.c:93:9:93:10 | *i4 | ifs.c:16:27:16:30 | **argv | ifs.c:93:9:93:10 | *i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | +| ifs.c:99:9:99:10 | *i5 | ifs.c:16:27:16:30 | **argv | ifs.c:99:9:99:10 | *i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | +| ifs.c:106:9:106:10 | *i6 | ifs.c:16:27:16:30 | **argv | ifs.c:106:9:106:10 | *i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). 
| ifs.c:16:27:16:30 | **argv | a command-line argument | +| ifs.c:112:9:112:10 | *i7 | ifs.c:16:27:16:30 | **argv | ifs.c:112:9:112:10 | *i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | +| ifs.c:118:9:118:10 | *i8 | ifs.c:16:27:16:30 | **argv | ifs.c:118:9:118:10 | *i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | +| ifs.c:124:9:124:10 | *i9 | ifs.c:16:27:16:30 | **argv | ifs.c:124:9:124:10 | *i9 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | edges | ifs.c:16:27:16:30 | **argv | ifs.c:61:3:61:14 | *... = ... | provenance | | | ifs.c:16:27:16:30 | **argv | ifs.c:68:3:68:14 | *... = ... | provenance | | 
@@ -46,15 +58,3 @@ nodes | ifs.c:123:3:123:14 | *... = ... | semmle.label | *... = ... | | ifs.c:124:9:124:10 | *i9 | semmle.label | *i9 | subpaths -#select -| ifs.c:62:9:62:10 | *c7 | ifs.c:16:27:16:30 | **argv | ifs.c:62:9:62:10 | *c7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | -| ifs.c:69:9:69:10 | *c8 | ifs.c:16:27:16:30 | **argv | ifs.c:69:9:69:10 | *c8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | -| ifs.c:75:9:75:10 | *i1 | ifs.c:16:27:16:30 | **argv | ifs.c:75:9:75:10 | *i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | -| ifs.c:81:9:81:10 | *i2 | ifs.c:16:27:16:30 | **argv | ifs.c:81:9:81:10 | *i2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | -| ifs.c:87:9:87:10 | *i3 | ifs.c:16:27:16:30 | **argv | ifs.c:87:9:87:10 | *i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | -| ifs.c:93:9:93:10 | *i4 | ifs.c:16:27:16:30 | **argv | ifs.c:93:9:93:10 | *i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | -| ifs.c:99:9:99:10 | *i5 | ifs.c:16:27:16:30 | **argv | ifs.c:99:9:99:10 | *i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). 
| ifs.c:16:27:16:30 | **argv | a command-line argument | -| ifs.c:106:9:106:10 | *i6 | ifs.c:16:27:16:30 | **argv | ifs.c:106:9:106:10 | *i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | -| ifs.c:112:9:112:10 | *i7 | ifs.c:16:27:16:30 | **argv | ifs.c:112:9:112:10 | *i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | -| ifs.c:118:9:118:10 | *i8 | ifs.c:16:27:16:30 | **argv | ifs.c:118:9:118:10 | *i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | -| ifs.c:124:9:124:10 | *i9 | ifs.c:16:27:16:30 | **argv | ifs.c:124:9:124:10 | *i9 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | ifs.c:16:27:16:30 | **argv | a command-line argument | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.qlref index 079e0c8a7c0..9c363bfac55 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-134/UncontrolledFormatString.ql \ No newline at end of file +query: Security/CWE/CWE-134/UncontrolledFormatString.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticTainted.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticTainted.expected index a2221ec2fd3..b1a17aac362 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticTainted.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticTainted.expected 
@@ -1,8 +1,8 @@ +#select +| examples.cpp:66:11:66:14 | data | examples.cpp:63:26:63:30 | fscanf output argument | examples.cpp:66:11:66:14 | data | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | examples.cpp:63:26:63:30 | fscanf output argument | value read by fscanf | edges | examples.cpp:63:26:63:30 | fscanf output argument | examples.cpp:66:11:66:14 | data | provenance | | nodes | examples.cpp:63:26:63:30 | fscanf output argument | semmle.label | fscanf output argument | | examples.cpp:66:11:66:14 | data | semmle.label | data | subpaths -#select -| examples.cpp:66:11:66:14 | data | examples.cpp:63:26:63:30 | fscanf output argument | examples.cpp:66:11:66:14 | data | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | examples.cpp:63:26:63:30 | fscanf output argument | value read by fscanf | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticTainted.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticTainted.qlref index 3939653db1c..d8fb26f7e02 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticTainted.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticTainted.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-190/ArithmeticTainted.ql +query: Security/CWE/CWE-190/ArithmeticTainted.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticUncontrolled.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticUncontrolled.expected index dbc1a99858e..24e8043d7db 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticUncontrolled.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticUncontrolled.expected 
@@ -1,3 +1,16 @@ +#select +| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | +| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | +| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | +| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | +| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | +| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | +| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. 
| examples.cpp:35:26:35:33 | call to rand | uncontrolled value | +| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value | +| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value | +| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value | +| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value | +| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value | edges | examples.cpp:22:5:22:33 | ... = ... | examples.cpp:25:31:25:34 | data | provenance | | | examples.cpp:22:26:22:33 | call to rand | examples.cpp:22:5:22:33 | ... = ... | provenance | | 
@@ -31,16 +44,3 @@ nodes | examples.cpp:35:26:35:33 | call to rand | semmle.label | call to rand | | examples.cpp:38:9:38:12 | data | semmle.label | data | subpaths -#select -| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | -| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | -| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | -| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | -| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | -| examples.cpp:25:31:25:34 | data | examples.cpp:22:26:22:33 | call to rand | examples.cpp:25:31:25:34 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:22:26:22:33 | call to rand | uncontrolled value | -| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. 
| examples.cpp:35:26:35:33 | call to rand | uncontrolled value | -| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value | -| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value | -| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value | -| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value | -| examples.cpp:38:9:38:12 | data | examples.cpp:35:26:35:33 | call to rand | examples.cpp:38:9:38:12 | data | This arithmetic expression depends on an $@, potentially causing an underflow. | examples.cpp:35:26:35:33 | call to rand | uncontrolled value | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticUncontrolled.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticUncontrolled.qlref index 1fcafc3ca1c..e18d0e08a87 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticUncontrolled.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticUncontrolled.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-190/ArithmeticUncontrolled.ql +query: Security/CWE/CWE-190/ArithmeticUncontrolled.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticWithExtremeValues.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticWithExtremeValues.qlref index ab2c35ce59b..0109cee57cf 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticWithExtremeValues.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticWithExtremeValues.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql +query: Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/IntegerOverflowTainted.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/IntegerOverflowTainted.qlref index df42008c632..419ed80f3b9 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/IntegerOverflowTainted.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/IntegerOverflowTainted.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-190/IntegerOverflowTainted.ql +query: Security/CWE/CWE-190/IntegerOverflowTainted.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/examples.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/examples.cpp index b2cdbbe7133..3fab05fc20c 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/examples.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/examples.cpp @@ -19,10 +19,10 @@ void CWE191_Integer_Underflow__unsigned_int_rand_sub_01_bad() unsigned int data; data = 0; /* POTENTIAL FLAW: Use a random value */ - data = (unsigned int)RAND32(); + data = (unsigned int)RAND32(); // $ Source[cpp/uncontrolled-arithmetic] { /* POTENTIAL FLAW: Subtracting 1 from data could cause an underflow */ - unsigned int result = data - 1; + unsigned int result = data - 1; // $ Alert[cpp/uncontrolled-arithmetic] printUnsignedLine(result); } } 
@@ -32,10 +32,10 @@ void CWE191_Integer_Underflow__unsigned_int_rand_postdec_01_bad() unsigned int data; data = 0; /* POTENTIAL FLAW: Use a random value */ - data = (unsigned int)RAND32(); + data = (unsigned int)RAND32(); // $ Source[cpp/uncontrolled-arithmetic] { /* POTENTIAL FLAW: Decrementing data could cause an underflow */ - data--; + data--; // $ Alert[cpp/uncontrolled-arithmetic] unsigned int result = data; printUnsignedLine(result); } @@ -60,10 +60,10 @@ void CWE191_Integer_Underflow__unsigned_int_fscanf_predec_01_bad() unsigned int data; data = 0; /* POTENTIAL FLAW: Use a value input from the console */ - fscanf (stdin, "%u", &data); + fscanf (stdin, "%u", &data); // $ Source[cpp/tainted-arithmetic] { /* POTENTIAL FLAW: Decrementing data could cause an underflow */ - --data; + --data; // $ Alert[cpp/integer-overflow-tainted] Alert[cpp/tainted-arithmetic] unsigned int result = data; printUnsignedLine(result); } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.expected index 97bd3603cd3..c07119831d7 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.expected 
@@ -1,3 +1,31 @@ +#select +| test.c:21:17:21:17 | r | test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:18:13:18:16 | call to rand | uncontrolled value | +| test.c:35:5:35:5 | r | test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:34:13:34:18 | call to rand | uncontrolled value | +| test.c:45:5:45:5 | r | test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:44:13:44:16 | call to rand | uncontrolled value | +| test.c:77:9:77:9 | r | test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:75:13:75:19 | call to rand | uncontrolled value | +| test.c:77:9:77:9 | r | test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:75:13:75:19 | call to rand | uncontrolled value | +| test.c:83:9:83:9 | r | test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:81:14:81:17 | call to rand | uncontrolled value | +| test.c:83:9:83:9 | r | test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:81:23:81:26 | call to rand | uncontrolled value | +| test.c:127:9:127:9 | r | test.c:125:13:125:16 | call to rand | test.c:127:9:127:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:125:13:125:16 | call to rand | uncontrolled value | +| test.c:133:5:133:5 | r | test.c:131:13:131:16 | call to rand | test.c:133:5:133:5 | r | This arithmetic expression depends on an $@, potentially causing an overflow. 
| test.c:131:13:131:16 | call to rand | uncontrolled value | +| test.c:139:10:139:10 | r | test.c:137:13:137:16 | call to rand | test.c:139:10:139:10 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:137:13:137:16 | call to rand | uncontrolled value | +| test.c:157:9:157:9 | r | test.c:155:22:155:27 | call to rand | test.c:157:9:157:9 | r | This arithmetic expression depends on an $@, potentially causing an underflow. | test.c:155:22:155:25 | call to rand | uncontrolled value | +| test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | uncontrolled value | +| test.cpp:31:7:31:7 | r | test.cpp:13:10:13:13 | call to rand | test.cpp:31:7:31:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:13:10:13:13 | call to rand | uncontrolled value | +| test.cpp:37:7:37:7 | r | test.cpp:18:9:18:12 | call to rand | test.cpp:37:7:37:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:18:9:18:12 | call to rand | uncontrolled value | +| test.cpp:65:9:65:9 | x | test.cpp:62:19:62:24 | call to rand | test.cpp:65:9:65:9 | x | This arithmetic expression depends on an $@, potentially causing an underflow. | test.cpp:62:19:62:22 | call to rand | uncontrolled value | +| test.cpp:90:10:90:10 | x | test.cpp:86:10:86:13 | call to rand | test.cpp:90:10:90:10 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:86:10:86:13 | call to rand | uncontrolled value | +| test.cpp:102:10:102:10 | x | test.cpp:98:10:98:13 | call to rand | test.cpp:102:10:102:10 | x | This arithmetic expression depends on an $@, potentially causing an overflow. 
| test.cpp:98:10:98:13 | call to rand | uncontrolled value | +| test.cpp:146:9:146:9 | y | test.cpp:137:10:137:13 | call to rand | test.cpp:146:9:146:9 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:137:10:137:13 | call to rand | uncontrolled value | +| test.cpp:154:10:154:10 | b | test.cpp:151:10:151:13 | call to rand | test.cpp:154:10:154:10 | b | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:151:10:151:13 | call to rand | uncontrolled value | +| test.cpp:171:11:171:16 | y | test.cpp:169:11:169:14 | call to rand | test.cpp:171:11:171:16 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:169:11:169:14 | call to rand | uncontrolled value | +| test.cpp:196:7:196:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:196:7:196:7 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | uncontrolled value | +| test.cpp:198:7:198:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:198:7:198:7 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | uncontrolled value | +| test.cpp:199:7:199:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:199:7:199:7 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | uncontrolled value | +| test.cpp:204:7:204:7 | y | test.cpp:190:10:190:13 | call to rand | test.cpp:204:7:204:7 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:190:10:190:13 | call to rand | uncontrolled value | +| test.cpp:205:7:205:7 | y | test.cpp:190:10:190:13 | call to rand | test.cpp:205:7:205:7 | y | This arithmetic expression depends on an $@, potentially causing an overflow. 
| test.cpp:190:10:190:13 | call to rand | uncontrolled value | +| test.cpp:208:7:208:7 | y | test.cpp:190:10:190:13 | call to rand | test.cpp:208:7:208:7 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:190:10:190:13 | call to rand | uncontrolled value | +| test.cpp:219:8:219:8 | x | test.cpp:215:11:215:14 | call to rand | test.cpp:219:8:219:8 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:215:11:215:14 | call to rand | uncontrolled value | edges | test.c:18:13:18:16 | call to rand | test.c:18:13:18:16 | call to rand | provenance | | | test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r | provenance | | 
@@ -146,31 +174,3 @@ nodes | test.cpp:215:11:215:14 | call to rand | semmle.label | call to rand | | test.cpp:219:8:219:8 | x | semmle.label | x | subpaths -#select -| test.c:21:17:21:17 | r | test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:18:13:18:16 | call to rand | uncontrolled value | -| test.c:35:5:35:5 | r | test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:34:13:34:18 | call to rand | uncontrolled value | -| test.c:45:5:45:5 | r | test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:44:13:44:16 | call to rand | uncontrolled value | -| test.c:77:9:77:9 | r | test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:75:13:75:19 | call to rand | uncontrolled value | -| test.c:77:9:77:9 | r | test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:75:13:75:19 | call to rand | uncontrolled value | -| test.c:83:9:83:9 | r | test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:81:14:81:17 | call to rand | uncontrolled value | -| test.c:83:9:83:9 | r | test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:81:23:81:26 | call to rand | uncontrolled value | -| test.c:127:9:127:9 | r | test.c:125:13:125:16 | call to rand | test.c:127:9:127:9 | r | This arithmetic expression depends on an $@, potentially causing an overflow. 
| test.c:125:13:125:16 | call to rand | uncontrolled value | -| test.c:133:5:133:5 | r | test.c:131:13:131:16 | call to rand | test.c:133:5:133:5 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:131:13:131:16 | call to rand | uncontrolled value | -| test.c:139:10:139:10 | r | test.c:137:13:137:16 | call to rand | test.c:139:10:139:10 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.c:137:13:137:16 | call to rand | uncontrolled value | -| test.c:157:9:157:9 | r | test.c:155:22:155:27 | call to rand | test.c:157:9:157:9 | r | This arithmetic expression depends on an $@, potentially causing an underflow. | test.c:155:22:155:25 | call to rand | uncontrolled value | -| test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | uncontrolled value | -| test.cpp:31:7:31:7 | r | test.cpp:13:10:13:13 | call to rand | test.cpp:31:7:31:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:13:10:13:13 | call to rand | uncontrolled value | -| test.cpp:37:7:37:7 | r | test.cpp:18:9:18:12 | call to rand | test.cpp:37:7:37:7 | r | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:18:9:18:12 | call to rand | uncontrolled value | -| test.cpp:65:9:65:9 | x | test.cpp:62:19:62:24 | call to rand | test.cpp:65:9:65:9 | x | This arithmetic expression depends on an $@, potentially causing an underflow. | test.cpp:62:19:62:22 | call to rand | uncontrolled value | -| test.cpp:90:10:90:10 | x | test.cpp:86:10:86:13 | call to rand | test.cpp:90:10:90:10 | x | This arithmetic expression depends on an $@, potentially causing an overflow. 
| test.cpp:86:10:86:13 | call to rand | uncontrolled value | -| test.cpp:102:10:102:10 | x | test.cpp:98:10:98:13 | call to rand | test.cpp:102:10:102:10 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:98:10:98:13 | call to rand | uncontrolled value | -| test.cpp:146:9:146:9 | y | test.cpp:137:10:137:13 | call to rand | test.cpp:146:9:146:9 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:137:10:137:13 | call to rand | uncontrolled value | -| test.cpp:154:10:154:10 | b | test.cpp:151:10:151:13 | call to rand | test.cpp:154:10:154:10 | b | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:151:10:151:13 | call to rand | uncontrolled value | -| test.cpp:171:11:171:16 | y | test.cpp:169:11:169:14 | call to rand | test.cpp:171:11:171:16 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:169:11:169:14 | call to rand | uncontrolled value | -| test.cpp:196:7:196:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:196:7:196:7 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | uncontrolled value | -| test.cpp:198:7:198:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:198:7:198:7 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | uncontrolled value | -| test.cpp:199:7:199:7 | x | test.cpp:189:10:189:13 | call to rand | test.cpp:199:7:199:7 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:189:10:189:13 | call to rand | uncontrolled value | -| test.cpp:204:7:204:7 | y | test.cpp:190:10:190:13 | call to rand | test.cpp:204:7:204:7 | y | This arithmetic expression depends on an $@, potentially causing an overflow. 
| test.cpp:190:10:190:13 | call to rand | uncontrolled value | -| test.cpp:205:7:205:7 | y | test.cpp:190:10:190:13 | call to rand | test.cpp:205:7:205:7 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:190:10:190:13 | call to rand | uncontrolled value | -| test.cpp:208:7:208:7 | y | test.cpp:190:10:190:13 | call to rand | test.cpp:208:7:208:7 | y | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:190:10:190:13 | call to rand | uncontrolled value | -| test.cpp:219:8:219:8 | x | test.cpp:215:11:215:14 | call to rand | test.cpp:219:8:219:8 | x | This arithmetic expression depends on an $@, potentially causing an overflow. | test.cpp:215:11:215:14 | call to rand | uncontrolled value | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.qlref index 1fcafc3ca1c..e18d0e08a87 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/ArithmeticUncontrolled.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-190/ArithmeticUncontrolled.ql +query: Security/CWE/CWE-190/ArithmeticUncontrolled.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/test.c b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/test.c index 691801a620a..77c4ace01e7 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/test.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/test.c 
@@ -15,10 +15,10 @@ void add_100(int); void randomTester() { int i; for (i = 0; i < 1000; i++) { - int r = rand(); + int r = rand(); // $ Source // BAD: The return from rand() is unbounded - trySlice(r, r+100); + trySlice(r, r+100); // $ Alert } for (i = 0; i < 1000; i++) { @@ -31,8 +31,8 @@ void randomTester() { } { - int r = RAND(); - r += 100; // BAD: The return from RAND() is unbounded + int r = RAND(); // $ Source + r += 100; // BAD: The return from RAND() is unbounded // $ Alert } { @@ -41,8 +41,8 @@ void randomTester() { } { - int r = rand(); - r += 100; // BAD + int r = rand(); // $ Source + r += 100; // BAD // $ Alert } { @@ -72,15 +72,15 @@ void randomTester() { } { - int r = RAND2(); + int r = RAND2(); // $ Source - r = r + 100; // BAD + r = r + 100; // BAD // $ Alert } { - int r = (rand() ^ rand()); + int r = (rand() ^ rand()); // $ Source - r = r + 100; // BAD + r = r + 100; // BAD // $ Alert } { @@ -122,21 +122,21 @@ void randomTester2(int bound, int min, int max) { void moreTests() { { - int r = rand(); + int r = rand(); // $ Source - r = r * 100; // BAD + r = r * 100; // BAD // $ Alert } { - int r = rand(); + int r = rand(); // $ Source - r *= 100; // BAD + r *= 100; // BAD // $ Alert } { - int r = rand(); + int r = rand(); // $ Source int v = 100; - v *= r; // BAD + v *= r; // BAD // $ Alert } { @@ -152,9 +152,9 @@ void moreTests() { } { - unsigned int r = rand(); + unsigned int r = rand(); // $ Source - r = r - 100; // BAD + r = r - 100; // BAD // $ Alert } } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/test.cpp index f5e401c60cd..58f37f152cf 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticUncontrolled/test.cpp 
@@ -5,36 +5,36 @@ int rand(void); int get_rand() { - return rand(); + return rand(); // $ Source } void get_rand2(int *dest) { - *dest = rand(); + *dest = rand(); // $ Source } void get_rand3(int &dest) { - dest = rand(); + dest = rand(); // $ Source } void randomTester2() { { int r = get_rand(); - r = r + 100; // BAD + r = r + 100; // BAD // $ Alert } { int r; get_rand2(&r); - r = r + 100; // BAD + r = r + 100; // BAD // $ Alert } { int r; get_rand3(r); - r = r + 100; // BAD + r = r + 100; // BAD // $ Alert } } @@ -59,10 +59,10 @@ int test_remainder_subtract() unsigned int test_remainder_subtract_unsigned() { - unsigned int x = rand(); + unsigned int x = rand(); // $ Source unsigned int y = x % 100; // y <= x - return x - y; // GOOD (as y <= x) [FALSE POSITIVE] + return x - y; // GOOD (as y <= x) [FALSE POSITIVE] // $ Alert } typedef unsigned long size_t; @@ -83,11 +83,11 @@ int test_snprintf(char *buf, size_t buf_sz) int test_else_1() { - int x = rand(); + int x = rand(); // $ Source if (x > 100) { - return x * 10; // BAD + return x * 10; // BAD // $ Alert } else { return x * 10; // GOOD (as x <= 100) } @@ -95,11 +95,11 @@ int test_else_1() int test_else_2() { - int x = rand(); + int x = rand(); // $ Source if (x > 100) { - return x * 10; // BAD + return x * 10; // BAD // $ Alert } return x * 10; // GOOD (as x <= 100) @@ -134,7 +134,7 @@ int test_conditional_assignment_2() int test_conditional_assignment_3() { - int x = rand(); + int x = rand(); // $ Source int y = 100; int c = 10; @@ -143,15 +143,15 @@ int test_conditional_assignment_3() y = x; } - return y * c; // GOOD (as y <= 100) [FALSE POSITIVE] + return y * c; // GOOD (as y <= 100) [FALSE POSITIVE] // $ Alert } int test_underflow() { - int x = rand(); + int x = rand(); // $ Source int a = -x; // GOOD int b = 10 - x; // GOOD - int c = b * 2; // BAD + int c = b * 2; // BAD // $ Alert } int test_cast() 
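Review bot: The lines whose comments already say `[FALSE POSITIVE]` are annotated with a plain `// $ Alert`, which records a known-spurious result as if it were a wanted one. In `test_remainder_subtract_unsigned` (hunk at -59) and `test_conditional_assignment_3` (hunk at -143) I would write `return x - y; // GOOD (as y <= x) [FALSE POSITIVE] // $ SPURIOUS: Alert` and `return y * c; // GOOD (as y <= 100) [FALSE POSITIVE] // $ SPURIOUS: Alert`. The same applies to the `x = x * c` and `y = y * c` GOOD lines of `test_if_const_bounded` in the hunk at -186. That keeps the precision gap of the CWE-190 query visible in the inline expectations instead of only in the free-text comment.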
@@ -166,9 +166,9 @@ int test_cast() void test_float() { { - int x = rand(); + int x = rand(); // $ Source float y = x; // GOOD - int z = (int)y * 5; // BAD + int z = (int)y * 5; // BAD // $ Alert } { @@ -186,37 +186,37 @@ void test_float() void test_if_const_bounded() { - int x = rand(); - int y = rand(); + int x = rand(); // $ Source + int y = rand(); // $ Source int c = 10; if (x < 1000) { x = x * 2; // GOOD - x = x * c; // GOOD [FALSE POSITIVE] + x = x * c; // GOOD [FALSE POSITIVE] // $ Alert } else { - x = x * 2; // BAD - x = x * c; // BAD + x = x * 2; // BAD // $ Alert + x = x * c; // BAD // $ Alert } if (y > 1000) { - y = y * 2; // BAD - y = y * c; // BAD + y = y * 2; // BAD // $ Alert + y = y * c; // BAD // $ Alert } else { y = y * 2; // GOOD - y = y * c; // GOOD [FALSE POSITIVE] + y = y * c; // GOOD [FALSE POSITIVE] // $ Alert } } void test_mod_limit() { { - int x = rand(); + int x = rand(); // $ Source int y = 100; int z; - z = (x + y) % 1000; // BAD + z = (x + y) % 1000; // BAD // $ Alert } { diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticWithExtremeValues/ArithmeticWithExtremeValues.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticWithExtremeValues/ArithmeticWithExtremeValues.qlref index ab2c35ce59b..0109cee57cf 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticWithExtremeValues/ArithmeticWithExtremeValues.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticWithExtremeValues/ArithmeticWithExtremeValues.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql +query: Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticWithExtremeValues/test.c b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticWithExtremeValues/test.c index 8760641c8e2..d4fa29deaf9 100644 
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticWithExtremeValues/test.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ArithmeticWithExtremeValues/test.c @@ -14,7 +14,7 @@ int len_last(int n, char** lines) { } // BAD: if the input array is empty, then max will still be INT_MAX - return min + 1; + return min + 1; // $ Alert } @@ -45,9 +45,9 @@ void test_crement() { sc1 = CHAR_MIN; sc1++; // GOOD sc2 = CHAR_MIN; - sc2--; // BAD + sc2--; // BAD // $ Alert sc3 = CHAR_MAX; - sc3++; // BAD + sc3++; // BAD // $ Alert sc4 = CHAR_MAX; sc4--; // GOOD @@ -56,11 +56,11 @@ void test_crement() { sc5++; // GOOD [FALSE POSITIVE] sc6 = CHAR_MAX; - sc6 += 1; // BAD + sc6 += 1; // BAD // $ Alert sc7 = CHAR_MAX; sc7 -= 1; // GOOD sc8 = CHAR_MIN; - sc8 -= 1; // BAD + sc8 -= 1; // BAD // $ Alert sc9 = CHAR_MIN; sc9 += 1; // GOOD @@ -121,5 +121,5 @@ void test_guards4(int cond) { if (x == 0) return; - return x + 1; // BAD + return x + 1; // BAD // $ Alert } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.qlref index 4a71f8aad4c..f836a00c9c4 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-190/ComparisonWithWiderType.ql +query: Security/CWE/CWE-190/ComparisonWithWiderType.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test.c b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test.c index 8361ae3e31b..e22cce3c2a1 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test.c 
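Review bot: The context line `sc5++; // GOOD [FALSE POSITIVE]` in the `test_crement` hunk at -56 gets no annotation, so the comment and the inline expectations now disagree about whether the query reports it. If the query no longer flags this line, which the missing tag suggests, the comment should become `sc5++; // GOOD`. If it still does, the line needs `// $ SPURIOUS: Alert`. `test_crement` starts and ends outside this hunk, so the declaration of `sc5` is not visible here.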
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test.c @@ -1,17 +1,17 @@ void test1 (int x) { char c; - for (c = 0; c < x; c++) {} //BAD + for (c = 0; c < x; c++) {} //BAD // $ Alert } void test2 (int x) { char c; - for (c = 0; x > c; c++) {} // BAD + for (c = 0; x > c; c++) {} // BAD // $ Alert } void test3 (int x) { short s; - for (s = 0; s < x; s++) {} //BAD + for (s = 0; s < x; s++) {} //BAD // $ Alert } void runner() { // get range analysis to give large values to x in tests @@ -39,7 +39,7 @@ void test5 () { void test6() { short s1; - for (s1 = 0; s1 < 0x0000ffff; s1++) {} // BAD + for (s1 = 0; s1 < 0x0000ffff; s1++) {} // BAD // $ Alert } void test7(long long l) { @@ -62,7 +62,7 @@ void test9(int x) { void test10(int x) { short s; - for (s = 0; s < x; ) { // BAD + for (s = 0; s < x; ) { // BAD // $ Alert do { s++; 
@@ -84,27 +84,27 @@ void test12() { unsigned int x; x = get_a_uint(); - for (c = 0; c < x; c++) {} // BAD + for (c = 0; c < x; c++) {} // BAD // $ Alert x = get_a_uint(); for (c = 0; c < 0xFF; c++) {} // GOOD x = get_a_uint(); - for (c = 0; c < 0xFF00; c++) {} // BAD + for (c = 0; c < 0xFF00; c++) {} // BAD // $ Alert x = get_a_uint(); - for (c = 0; c < 0xFF0000; c++) {} // BAD + for (c = 0; c < 0xFF0000; c++) {} // BAD // $ Alert x = get_a_uint(); - for (c = 0; c < 0xFF000000; c++) {} // BAD + for (c = 0; c < 0xFF000000; c++) {} // BAD // $ Alert x = get_a_uint(); for (c = 0; c < (x & 0xFF); c++) {} // GOOD x = get_a_uint(); - for (c = 0; c < (x & 0xFF00); c++) {} // BAD + for (c = 0; c < (x & 0xFF00); c++) {} // BAD // $ Alert x = get_a_uint(); - for (c = 0; c < (x & 0xFF0000); c++) {} // BAD + for (c = 0; c < (x & 0xFF0000); c++) {} // BAD // $ Alert x = get_a_uint(); - for (c = 0; c < (x & 0xFF000000); c++) {} // BAD + for (c = 0; c < (x & 0xFF000000); c++) {} // BAD // $ Alert x = get_a_uint(); - for (c = 0; c < (x >> 8); c++) {} // BAD + for (c = 0; c < (x >> 8); c++) {} // BAD // $ Alert x = get_a_uint(); - for (c = 0; c < (x >> 16); c++) {} // BAD + for (c = 0; c < (x >> 16); c++) {} // BAD // $ Alert x = get_a_uint(); for (c = 0; c < (x >> 24); c++) {} // GOOD (assuming 32-bit ints) x = get_a_uint(); @@ -125,7 +125,7 @@ void test13() { ux = get_a_uint(); uy = get_a_uint(); sz = ux & uy; - for (uc = 0; uc < sz; uc++) {} // BAD + for (uc = 0; uc < sz; uc++) {} // BAD // $ Alert ux = get_a_uint(); uy = get_a_uint(); @@ -136,7 +136,7 @@ void test13() { sx = get_an_int(); sy = get_an_int(); sz = (unsigned)sx & (unsigned)sy; - for (uc = 0; uc < sz; uc++) {} // BAD + for (uc = 0; uc < sz; uc++) {} // BAD // $ Alert sx = get_an_int(); sy = get_an_int(); 
@@ -153,7 +153,7 @@ void test14() { // BAD: 's' is compared with a value of a wider type. // 's' overflows before reaching 'sx', // causing an infinite loop - while (s < sx) { + while (s < sx) { // $ Alert s += 1; } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected index 4235033abcc..e321000d0ca 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected 
@@ -1,3 +1,24 @@ +#select +| test.cpp:43:31:43:36 | call to malloc | test.cpp:39:27:39:30 | **argv | test.cpp:43:38:43:44 | tainted | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | +| test.cpp:44:31:44:36 | call to malloc | test.cpp:39:27:39:30 | **argv | test.cpp:44:38:44:63 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | +| test.cpp:46:31:46:36 | call to malloc | test.cpp:39:27:39:30 | **argv | test.cpp:46:38:46:63 | ... + ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | +| test.cpp:49:25:49:30 | call to malloc | test.cpp:39:27:39:30 | **argv | test.cpp:49:32:49:35 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | +| test.cpp:50:17:50:30 | new[] | test.cpp:39:27:39:30 | **argv | test.cpp:50:17:50:30 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | +| test.cpp:53:21:53:27 | call to realloc | test.cpp:39:27:39:30 | **argv | test.cpp:53:35:53:60 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | +| test.cpp:128:17:128:22 | call to malloc | test.cpp:124:18:124:31 | *call to getenv | test.cpp:128:24:128:41 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. 
| test.cpp:124:18:124:31 | *call to getenv | user input (an environment variable) | +| test.cpp:135:3:135:8 | call to malloc | test.cpp:133:19:133:32 | *call to getenv | test.cpp:135:10:135:27 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:133:19:133:32 | *call to getenv | user input (an environment variable) | +| test.cpp:152:4:152:9 | call to malloc | test.cpp:148:20:148:33 | *call to getenv | test.cpp:152:11:152:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:148:20:148:33 | *call to getenv | user input (an environment variable) | +| test.cpp:194:4:194:9 | call to malloc | test.cpp:190:19:190:32 | *call to getenv | test.cpp:194:11:194:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:190:19:190:32 | *call to getenv | user input (an environment variable) | +| test.cpp:209:4:209:9 | call to malloc | test.cpp:205:19:205:32 | *call to getenv | test.cpp:209:11:209:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:205:19:205:32 | *call to getenv | user input (an environment variable) | +| test.cpp:261:14:261:19 | call to malloc | test.cpp:267:24:267:37 | *call to getenv | test.cpp:261:21:261:21 | s | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:267:24:267:37 | *call to getenv | user input (an environment variable) | +| test.cpp:269:2:269:7 | call to malloc | test.cpp:267:24:267:37 | *call to getenv | test.cpp:269:9:269:18 | local_size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. 
| test.cpp:267:24:267:37 | *call to getenv | user input (an environment variable) | +| test.cpp:271:2:271:7 | call to malloc | test.cpp:241:14:241:27 | *call to getenv | test.cpp:271:9:271:24 | call to get_tainted_size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:241:14:241:27 | *call to getenv | user input (an environment variable) | +| test.cpp:275:2:275:9 | call to my_alloc | test.cpp:267:24:267:37 | *call to getenv | test.cpp:275:11:275:20 | local_size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:267:24:267:37 | *call to getenv | user input (an environment variable) | +| test.cpp:293:4:293:9 | call to malloc | test.cpp:289:20:289:33 | *call to getenv | test.cpp:293:11:293:29 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:289:20:289:33 | *call to getenv | user input (an environment variable) | +| test.cpp:321:4:321:9 | call to malloc | test.cpp:281:18:281:31 | *call to getenv | test.cpp:321:11:321:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:281:18:281:31 | *call to getenv | user input (an environment variable) | +| test.cpp:338:3:338:8 | call to malloc | test.cpp:281:18:281:31 | *call to getenv | test.cpp:338:10:338:27 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:281:18:281:31 | *call to getenv | user input (an environment variable) | +| test.cpp:385:25:385:33 | call to MyMalloc1 | test.cpp:383:18:383:31 | *call to getenv | test.cpp:385:35:385:38 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. 
| test.cpp:383:18:383:31 | *call to getenv | user input (an environment variable) | +| test.cpp:386:25:386:33 | call to MyMalloc2 | test.cpp:383:18:383:31 | *call to getenv | test.cpp:386:35:386:38 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:383:18:383:31 | *call to getenv | user input (an environment variable) | edges | test.cpp:39:27:39:30 | **argv | test.cpp:40:16:40:19 | call to atoi | provenance | TaintFunction | | test.cpp:40:16:40:19 | call to atoi | test.cpp:43:38:43:44 | tainted | provenance | | 
@@ -88,24 +109,3 @@ nodes | test.cpp:385:35:385:38 | size | semmle.label | size | | test.cpp:386:35:386:38 | size | semmle.label | size | subpaths -#select -| test.cpp:43:31:43:36 | call to malloc | test.cpp:39:27:39:30 | **argv | test.cpp:43:38:43:44 | tainted | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | -| test.cpp:44:31:44:36 | call to malloc | test.cpp:39:27:39:30 | **argv | test.cpp:44:38:44:63 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | -| test.cpp:46:31:46:36 | call to malloc | test.cpp:39:27:39:30 | **argv | test.cpp:46:38:46:63 | ... + ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | -| test.cpp:49:25:49:30 | call to malloc | test.cpp:39:27:39:30 | **argv | test.cpp:49:32:49:35 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | -| test.cpp:50:17:50:30 | new[] | test.cpp:39:27:39:30 | **argv | test.cpp:50:17:50:30 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | -| test.cpp:53:21:53:27 | call to realloc | test.cpp:39:27:39:30 | **argv | test.cpp:53:35:53:60 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) | -| test.cpp:128:17:128:22 | call to malloc | test.cpp:124:18:124:31 | *call to getenv | test.cpp:128:24:128:41 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. 
| test.cpp:124:18:124:31 | *call to getenv | user input (an environment variable) | -| test.cpp:135:3:135:8 | call to malloc | test.cpp:133:19:133:32 | *call to getenv | test.cpp:135:10:135:27 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:133:19:133:32 | *call to getenv | user input (an environment variable) | -| test.cpp:152:4:152:9 | call to malloc | test.cpp:148:20:148:33 | *call to getenv | test.cpp:152:11:152:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:148:20:148:33 | *call to getenv | user input (an environment variable) | -| test.cpp:194:4:194:9 | call to malloc | test.cpp:190:19:190:32 | *call to getenv | test.cpp:194:11:194:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:190:19:190:32 | *call to getenv | user input (an environment variable) | -| test.cpp:209:4:209:9 | call to malloc | test.cpp:205:19:205:32 | *call to getenv | test.cpp:209:11:209:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:205:19:205:32 | *call to getenv | user input (an environment variable) | -| test.cpp:261:14:261:19 | call to malloc | test.cpp:267:24:267:37 | *call to getenv | test.cpp:261:21:261:21 | s | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:267:24:267:37 | *call to getenv | user input (an environment variable) | -| test.cpp:269:2:269:7 | call to malloc | test.cpp:267:24:267:37 | *call to getenv | test.cpp:269:9:269:18 | local_size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. 
| test.cpp:267:24:267:37 | *call to getenv | user input (an environment variable) | -| test.cpp:271:2:271:7 | call to malloc | test.cpp:241:14:241:27 | *call to getenv | test.cpp:271:9:271:24 | call to get_tainted_size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:241:14:241:27 | *call to getenv | user input (an environment variable) | -| test.cpp:275:2:275:9 | call to my_alloc | test.cpp:267:24:267:37 | *call to getenv | test.cpp:275:11:275:20 | local_size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:267:24:267:37 | *call to getenv | user input (an environment variable) | -| test.cpp:293:4:293:9 | call to malloc | test.cpp:289:20:289:33 | *call to getenv | test.cpp:293:11:293:29 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:289:20:289:33 | *call to getenv | user input (an environment variable) | -| test.cpp:321:4:321:9 | call to malloc | test.cpp:281:18:281:31 | *call to getenv | test.cpp:321:11:321:28 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:281:18:281:31 | *call to getenv | user input (an environment variable) | -| test.cpp:338:3:338:8 | call to malloc | test.cpp:281:18:281:31 | *call to getenv | test.cpp:338:10:338:27 | ... * ... | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:281:18:281:31 | *call to getenv | user input (an environment variable) | -| test.cpp:385:25:385:33 | call to MyMalloc1 | test.cpp:383:18:383:31 | *call to getenv | test.cpp:385:35:385:38 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. 
| test.cpp:383:18:383:31 | *call to getenv | user input (an environment variable) | -| test.cpp:386:25:386:33 | call to MyMalloc2 | test.cpp:383:18:383:31 | *call to getenv | test.cpp:386:35:386:38 | size | This allocation size is derived from $@ and could allocate arbitrary amounts of memory. | test.cpp:383:18:383:31 | *call to getenv | user input (an environment variable) | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.qlref index df804c0942f..2db07b99589 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-190/TaintedAllocationSize.ql +query: Security/CWE/CWE-190/TaintedAllocationSize.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp index e13c50a960b..dfdebcf2478 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp 
@@ -36,21 +36,21 @@ int getTainted() { return i; } -int main(int argc, char **argv) { +int main(int argc, char **argv) { // $ Source int tainted = atoi(argv[1]); MyStruct *arr1 = (MyStruct *)malloc(sizeof(MyStruct)); // GOOD - MyStruct *arr2 = (MyStruct *)malloc(tainted); // BAD - MyStruct *arr3 = (MyStruct *)malloc(tainted * sizeof(MyStruct)); // BAD + MyStruct *arr2 = (MyStruct *)malloc(tainted); // BAD // $ Alert + MyStruct *arr3 = (MyStruct *)malloc(tainted * sizeof(MyStruct)); // BAD // $ Alert MyStruct *arr4 = (MyStruct *)malloc(getTainted() * sizeof(MyStruct)); // BAD [NOT DETECTED] - MyStruct *arr5 = (MyStruct *)malloc(sizeof(MyStruct) + tainted); // BAD + MyStruct *arr5 = (MyStruct *)malloc(sizeof(MyStruct) + tainted); // BAD // $ Alert int size = tainted * 8; - char *chars1 = (char *)malloc(size); // BAD - char *chars2 = new char[size]; // BAD + char *chars1 = (char *)malloc(size); // BAD // $ Alert + char *chars2 = new char[size]; // BAD // $ Alert char *chars3 = new char[8]; // GOOD - arr1 = (MyStruct *)realloc(arr1, sizeof(MyStruct) * tainted); // BAD + arr1 = (MyStruct *)realloc(arr1, sizeof(MyStruct) * tainted); // BAD // $ Alert size = 8; chars3 = new char[size]; // GOOD @@ -121,18 +121,18 @@ int bounded(int x, int limit) { } void open_file_bounded () { - int size = atoi(getenv("USER")); + int size = atoi(getenv("USER")); // $ Source int bounded_size = bounded(size, MAX_SIZE); int* a = (int*)malloc(bounded_size * sizeof(int)); // GOOD - int* b = (int*)malloc(size * sizeof(int)); // BAD + int* b = (int*)malloc(size * sizeof(int)); // BAD // $ Alert } void more_bounded_tests() { { - int size = atoi(getenv("USER")); + int size = atoi(getenv("USER")); // $ Source - malloc(size * sizeof(int)); // BAD + malloc(size * sizeof(int)); // BAD // $ Alert } { 
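Review bot: The `arr4` line in `main`, `malloc(getTainted() * sizeof(MyStruct)); // BAD [NOT DETECTED]`, is left without any expectation while every detected `BAD` line around it gains `// $ Alert`. I would add `// $ MISSING: Alert` to it, giving `... // BAD [NOT DETECTED] // $ MISSING: Alert`, so the known false negative for a tainted allocation size is recorded by the test and surfaces when the query starts catching it. The body of `main` continues past the end of this hunk.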
@@ -145,11 +145,11 @@ void more_bounded_tests() { } { - long size = atol(getenv("USER")); + long size = atol(getenv("USER")); // $ Source if (size > 0) { - malloc(size * sizeof(int)); // BAD + malloc(size * sizeof(int)); // BAD // $ Alert } } @@ -187,11 +187,11 @@ void more_bounded_tests() { } { - int size = atoi(getenv("USER")); + int size = atoi(getenv("USER")); // $ Source if (size % 100) { - malloc(size * sizeof(int)); // BAD + malloc(size * sizeof(int)); // BAD // $ Alert } } @@ -202,11 +202,11 @@ void more_bounded_tests() { } { - int size = atoi(getenv("USER")); + int size = atoi(getenv("USER")); // $ Source if (size & 7) { - malloc(size * sizeof(int)); // BAD + malloc(size * sizeof(int)); // BAD // $ Alert } } @@ -238,7 +238,7 @@ size_t get_untainted_size() size_t get_tainted_size() { - return atoi(getenv("USER")) * sizeof(int); + return atoi(getenv("USER")) * sizeof(int); // $ Source } size_t get_bounded_size() @@ -258,27 +258,27 @@ void *my_alloc(size_t s) { } void my_func(size_t s) { - void *ptr = malloc(s); // BAD + void *ptr = malloc(s); // BAD // $ Alert free(ptr); } void more_cases() { - int local_size = atoi(getenv("USER")) * sizeof(int); + int local_size = atoi(getenv("USER")) * sizeof(int); // $ Source - malloc(local_size); // BAD + malloc(local_size); // BAD // $ Alert malloc(get_untainted_size()); // GOOD - malloc(get_tainted_size()); // BAD + malloc(get_tainted_size()); // BAD // $ Alert malloc(get_bounded_size()); // GOOD my_alloc(100); // GOOD - my_alloc(local_size); // BAD + my_alloc(local_size); // BAD // $ Alert my_func(100); // GOOD my_func(local_size); // GOOD } bool get_size(int &out_size) { - out_size = atoi(getenv("USER")); + out_size = atoi(getenv("USER")); // $ Source return true; } 
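Review bot: The `// GOOD` on `my_func(local_size);` in the `@@ -258,27 +258,27 @@` hunk of TaintedAllocationSize/test.cpp reads as if passing the tainted size were safe, yet the same hunk now expects an alert at `malloc(s)` inside `my_func`. Presumably the result for this call is simply reported at the inner `malloc`. Saying so, e.g. `my_func(local_size); // GOOD (reported at the malloc in my_func)`, would stop the fixture from documenting a tainted allocation as harmless.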
@@ -286,11 +286,11 @@ bool get_size(int &out_size) { void equality_cases() { { int size1 = atoi(getenv("USER")); - int size2 = atoi(getenv("USER")); + int size2 = atoi(getenv("USER")); // $ Source if (size1 == 100) { - malloc(size2 * sizeof(int)); // BAD + malloc(size2 * sizeof(int)); // BAD // $ Alert } if (size2 == 100) { @@ -318,7 +318,7 @@ void equality_cases() { if ((get_size(size)) && (size != 100)) { - malloc(size * sizeof(int)); // BAD + malloc(size * sizeof(int)); // BAD // $ Alert } } { @@ -335,7 +335,7 @@ void equality_cases() { if ((!get_size(size)) || (size == 100)) return; - malloc(size * sizeof(int)); // BAD + malloc(size * sizeof(int)); // BAD // $ Alert } { int size = atoi(getenv("USER")); @@ -380,8 +380,8 @@ void *MyMalloc2(size_t size); void customAllocatorTests() { - int size = atoi(getenv("USER")); + int size = atoi(getenv("USER")); // $ Source - char *chars1 = (char *)MyMalloc1(size); // BAD - char *chars2 = (char *)MyMalloc2(size); // BAD + char *chars1 = (char *)MyMalloc1(size); // BAD // $ Alert + char *chars2 = (char *)MyMalloc2(size); // BAD // $ Alert } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected index 34aa8a7a7e4..79589589140 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected 
@@ -1,3 +1,15 @@ +#select +| test2.cpp:14:11:14:11 | v | test2.cpp:25:22:25:23 | fscanf output argument | test2.cpp:14:11:14:11 | v | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test2.cpp:25:22:25:23 | fscanf output argument | value read by fscanf | +| test2.cpp:14:11:14:11 | v | test2.cpp:25:22:25:23 | fscanf output argument | test2.cpp:14:11:14:11 | v | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | test2.cpp:25:22:25:23 | fscanf output argument | value read by fscanf | +| test2.cpp:39:9:39:11 | num | test2.cpp:36:9:36:14 | fgets output argument | test2.cpp:39:9:39:11 | num | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test2.cpp:36:9:36:14 | fgets output argument | string read by fgets | +| test2.cpp:40:3:40:5 | num | test2.cpp:36:9:36:14 | fgets output argument | test2.cpp:40:3:40:5 | num | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test2.cpp:36:9:36:14 | fgets output argument | string read by fgets | +| test5.cpp:17:6:17:18 | call to getTaintedInt | test5.cpp:9:7:9:9 | gets output argument | test5.cpp:17:6:17:18 | call to getTaintedInt | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test5.cpp:9:7:9:9 | gets output argument | string read by gets | +| test5.cpp:19:6:19:6 | y | test5.cpp:9:7:9:9 | gets output argument | test5.cpp:19:6:19:6 | y | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test5.cpp:9:7:9:9 | gets output argument | string read by gets | +| test5.cpp:19:6:19:6 | y | test5.cpp:9:7:9:9 | gets output argument | test5.cpp:19:6:19:6 | y | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. 
| test5.cpp:9:7:9:9 | gets output argument | string read by gets | +| test.c:14:15:14:28 | maxConnections | main.cpp:7:27:7:30 | **argv | test.c:14:15:14:28 | maxConnections | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | main.cpp:7:27:7:30 | **argv | a command-line argument | +| test.c:14:15:14:28 | maxConnections | main.cpp:7:27:7:30 | **argv | test.c:14:15:14:28 | maxConnections | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | main.cpp:7:27:7:30 | **argv | a command-line argument | +| test.c:44:7:44:10 | len2 | main.cpp:7:27:7:30 | **argv | test.c:44:7:44:10 | len2 | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | main.cpp:7:27:7:30 | **argv | a command-line argument | +| test.c:54:7:54:10 | len3 | main.cpp:7:27:7:30 | **argv | test.c:54:7:54:10 | len3 | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | main.cpp:7:27:7:30 | **argv | a command-line argument | edges | main.cpp:7:27:7:30 | **argv | main.cpp:8:17:8:20 | **argv | provenance | | | main.cpp:8:17:8:20 | **argv | test.c:10:28:10:31 | **argv | provenance | | 
@@ -53,15 +65,3 @@ nodes | test.c:54:7:54:10 | len3 | semmle.label | len3 | | test.c:54:7:54:12 | ... -- | semmle.label | ... -- | subpaths -#select -| test2.cpp:14:11:14:11 | v | test2.cpp:25:22:25:23 | fscanf output argument | test2.cpp:14:11:14:11 | v | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test2.cpp:25:22:25:23 | fscanf output argument | value read by fscanf | -| test2.cpp:14:11:14:11 | v | test2.cpp:25:22:25:23 | fscanf output argument | test2.cpp:14:11:14:11 | v | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | test2.cpp:25:22:25:23 | fscanf output argument | value read by fscanf | -| test2.cpp:39:9:39:11 | num | test2.cpp:36:9:36:14 | fgets output argument | test2.cpp:39:9:39:11 | num | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test2.cpp:36:9:36:14 | fgets output argument | string read by fgets | -| test2.cpp:40:3:40:5 | num | test2.cpp:36:9:36:14 | fgets output argument | test2.cpp:40:3:40:5 | num | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test2.cpp:36:9:36:14 | fgets output argument | string read by fgets | -| test5.cpp:17:6:17:18 | call to getTaintedInt | test5.cpp:9:7:9:9 | gets output argument | test5.cpp:17:6:17:18 | call to getTaintedInt | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test5.cpp:9:7:9:9 | gets output argument | string read by gets | -| test5.cpp:19:6:19:6 | y | test5.cpp:9:7:9:9 | gets output argument | test5.cpp:19:6:19:6 | y | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test5.cpp:9:7:9:9 | gets output argument | string read by gets | -| test5.cpp:19:6:19:6 | y | test5.cpp:9:7:9:9 | gets output argument | test5.cpp:19:6:19:6 | y | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. 
| test5.cpp:9:7:9:9 | gets output argument | string read by gets | -| test.c:14:15:14:28 | maxConnections | main.cpp:7:27:7:30 | **argv | test.c:14:15:14:28 | maxConnections | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | main.cpp:7:27:7:30 | **argv | a command-line argument | -| test.c:14:15:14:28 | maxConnections | main.cpp:7:27:7:30 | **argv | test.c:14:15:14:28 | maxConnections | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | main.cpp:7:27:7:30 | **argv | a command-line argument | -| test.c:44:7:44:10 | len2 | main.cpp:7:27:7:30 | **argv | test.c:44:7:44:10 | len2 | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | main.cpp:7:27:7:30 | **argv | a command-line argument | -| test.c:54:7:54:10 | len3 | main.cpp:7:27:7:30 | **argv | test.c:54:7:54:10 | len3 | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | main.cpp:7:27:7:30 | **argv | a command-line argument | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.qlref index 3939653db1c..d8fb26f7e02 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-190/ArithmeticTainted.ql +query: Security/CWE/CWE-190/ArithmeticTainted.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/IntegerOverflowTainted.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/IntegerOverflowTainted.qlref index df42008c632..419ed80f3b9 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/IntegerOverflowTainted.qlref 
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/IntegerOverflowTainted.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-190/IntegerOverflowTainted.ql +query: Security/CWE/CWE-190/IntegerOverflowTainted.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/main.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/main.cpp index 645b5893dea..2a91b61f5fa 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/main.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/main.cpp @@ -4,7 +4,7 @@ int main3(int argc, char** argv); } int main4(int argc, char** argv); -int main(int argc, char** argv) { +int main(int argc, char** argv) { // $ Source[cpp/tainted-arithmetic] main1(argc, argv); main3(argc, argv); main4(argc, argv); diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test.c b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test.c index b39e54084ac..cd42710fa1e 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test.c @@ -11,7 +11,7 @@ int main1(int argc, char** argv) { int maxConnections = atoi(argv[1]); // BAD: arithmetic on a user input without any validation - startServer(maxConnections * 1000); + startServer(maxConnections * 1000); // $ Alert[cpp/integer-overflow-tainted] Alert[cpp/tainted-arithmetic] // GOOD: check the user input first int maxConnections2 = atoi(argv[1]); @@ -41,7 +41,7 @@ int main1(int argc, char** argv) { len2 = atoi(argv[1]); while (len2) { - len2--; // BAD: can underflow, if len2 is initially negative. + len2--; // BAD: can underflow, if len2 is initially negative. // $ Alert[cpp/integer-overflow-tainted] Alert[cpp/tainted-arithmetic] } } 
@@ -51,7 +51,7 @@ int main1(int argc, char** argv) { len3 = atoi(argv[1]); while (len3 != 0) { - len3--; // BAD: can underflow, if len3 is initially negative. + len3--; // BAD: can underflow, if len3 is initially negative. // $ Alert[cpp/integer-overflow-tainted] Alert[cpp/tainted-arithmetic] } } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test2.cpp index 1cf12a197f4..b656c39a0ca 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test2.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test2.cpp @@ -11,10 +11,10 @@ typedef struct _myStruct { void test2_sink(s64 v, MyStruct s, MyStruct &s_r, MyStruct *s_p) { - s64 v1 = v * 2; // bad - s64 v2 = s.val * 2; // bad - s64 v3 = s_r.val * 2; // bad - s64 v4 = s_p->val * 2; // bad + s64 v1 = v * 2; // bad // $ Alert[cpp/integer-overflow-tainted] Alert[cpp/tainted-arithmetic] + s64 v2 = s.val * 2; // bad // $ Alert[cpp/integer-overflow-tainted] + s64 v3 = s_r.val * 2; // bad // $ Alert[cpp/integer-overflow-tainted] + s64 v4 = s_p->val * 2; // bad // $ Alert[cpp/integer-overflow-tainted] } void test2_source() @@ -22,7 +22,7 @@ void test2_source() MyStruct ms; s64 v; - fscanf(stdin, "%i", &v); + fscanf(stdin, "%i", &v); // $ Source[cpp/tainted-arithmetic] ms.val = v; test2_sink(v, ms, ms, &ms); } @@ -33,9 +33,9 @@ int atoi(const char *); void test3() { char buffer[20]; - fgets(buffer, 20, stdin); + fgets(buffer, 20, stdin); // $ Source[cpp/tainted-arithmetic] int num = atoi(buffer); - num = num + 1000; // BAD - num += 1000; // BAD + num = num + 1000; // BAD // $ Alert[cpp/integer-overflow-tainted] Alert[cpp/tainted-arithmetic] + num += 1000; // BAD // $ Alert[cpp/integer-overflow-tainted] Alert[cpp/tainted-arithmetic] } \ No newline at end of file 
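Review bot: In the `@@ -11,10 +11,10 @@` hunk of tainted/test2.cpp, the `s.val`, `s_r.val` and `s_p->val` lines are commented `bad` but expect only `Alert[cpp/integer-overflow-tainted]`, while the `v` line above them expects both queries. If those three are meant to be findings for the tainted-arithmetic query as well, the missed results should be written down, e.g. `s64 v2 = s.val * 2; // bad // $ Alert[cpp/integer-overflow-tainted] MISSING: Alert[cpp/tainted-arithmetic]`. Otherwise the comment should say which query the `bad` refers to. As written, a reader cannot tell an intended negative from taint that is lost on the way through the struct field.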
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test3.c b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test3.c index a8116e05853..f24b640810d 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test3.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test3.c @@ -9,8 +9,8 @@ // from a macro that is defined in a system header. int main3(int argc, char **argv) { char *cmd = argv[0]; - int x = (int)(unsigned char)*cmd; // BAD: overflow - int y = CAST(*cmd); // BAD: overflow in macro expansion (macro is not from a system header) + int x = (int)(unsigned char)*cmd; // BAD: overflow // $ Alert[cpp/integer-overflow-tainted] + int y = CAST(*cmd); // BAD: overflow in macro expansion (macro is not from a system header) // $ Alert[cpp/integer-overflow-tainted] int z = SYSTEM_CAST(*cmd); // GOOD: overflow in macro expansion (macro from a system header) return x + y + z; } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test4.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test4.cpp index ad4cc80d30a..c298e431e94 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test4.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test4.cpp @@ -10,7 +10,7 @@ int main4(int argc, char **argv) { if (!p[0]) { // GOOD: cast to bool. return 1; } - if ((unsigned)p[1] == 0) { // BAD: cast to unsigned could overflow. + if ((unsigned)p[1] == 0) { // BAD: cast to unsigned could overflow. // $ Alert[cpp/integer-overflow-tainted] return 2; } if ((bool)p[2] != 0 || !p[3] == 1) { // GOOD: casts to bool. diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test5.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test5.cpp index 2ee675be6b5..27b4a652e35 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test5.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test5.cpp 
@@ -6,17 +6,17 @@ int getTaintedInt() { char buf[128]; - gets(buf); - return strtoul(buf, 0, 10); + gets(buf); // $ Source[cpp/tainted-arithmetic] + return strtoul(buf, 0, 10); // $ Alert[cpp/integer-overflow-tainted] } void useTaintedInt() { int x, y; - x = getTaintedInt() * 1024; // BAD: arithmetic on a tainted value + x = getTaintedInt() * 1024; // BAD: arithmetic on a tainted value // $ Alert[cpp/integer-overflow-tainted] Alert[cpp/tainted-arithmetic] y = getTaintedInt(); - y = y * 1024; // BAD: arithmetic on a tainted value + y = y * 1024; // BAD: arithmetic on a tainted value // $ Alert[cpp/integer-overflow-tainted] Alert[cpp/tainted-arithmetic] } typedef long long int intmax_t; diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test6.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test6.cpp index c7034e6cd0e..596e5030bae 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test6.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test6.cpp @@ -8,12 +8,12 @@ FILE *stdin; void docast1(u32 s) { - u16 c = (u16)s; // bad + u16 c = (u16)s; // bad // $ Alert[cpp/integer-overflow-tainted] } void docast2(u32 s) { - u16 c = (u16)s; // bad + u16 c = (u16)s; // bad // $ Alert[cpp/integer-overflow-tainted] } class MyBaseClass @@ -27,7 +27,7 @@ class MyDerivedClass : public MyBaseClass public: void docast(u32 s) { - u16 c = (u16)s; // bad + u16 c = (u16)s; // bad // $ Alert[cpp/integer-overflow-tainted] } }; diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.qlref index 9681978c0ad..ebdee8ed631 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.qlref 
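Review bot: The new expectation on `return strtoul(buf, 0, 10);` in the `@@ -6,17 +6,17 @@` hunk of tainted/test5.cpp has no GOOD/BAD classification, unlike the other alert lines in the hunk. Since `getTaintedInt` returns `int`, the alert is presumably about the conversion of the `strtoul` result. A comment such as `// BAD: result of strtoul on tainted input is converted to int` ahead of the `// $ Alert[...]` would state that this is an intended finding. If it is considered a false positive, it should be tagged `SPURIOUS:` instead.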
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql +query: Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp index 37930f82129..c143bb62cde 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp @@ -3,11 +3,11 @@ int getAnInt(); bool cond(); void test(unsigned x, unsigned y, bool unknown) { - if(x - y > 0) { } // BAD + if(x - y > 0) { } // BAD // $ Alert unsigned total = getAnInt(); unsigned limit = getAnInt(); - while(limit - total > 0) { // BAD + while(limit - total > 0) { // BAD // $ Alert total += getAnInt(); } @@ -59,7 +59,7 @@ void test(unsigned x, unsigned y, bool unknown) { if(unknown) { ++y; } } - if(x - y > 0) { } // GOOD [FALSE POSITIVE] + if(x - y > 0) { } // GOOD [FALSE POSITIVE] // $ Alert x = y; while(cond()) { @@ -72,7 +72,7 @@ void test(unsigned x, unsigned y, bool unknown) { if (n > x - y) { n = x - y; } if (n > 0) { y += n; // NOTE: `n` is at most `x - y` at this point. - if (x - y > 0) {} // GOOD [FALSE POSITIVE] + if (x - y > 0) {} // GOOD [FALSE POSITIVE] // $ Alert } } @@ -98,7 +98,7 @@ void test4() { unsigned int a = getAnInt(); unsigned int b = a + 1; - if (a - b > 0) { // BAD + if (a - b > 0) { // BAD // $ Alert // ... } } @@ -125,7 +125,7 @@ void test7() { unsigned int b = getAnInt(); unsigned int a = b - 1; - if (a - b > 0) { // BAD + if (a - b > 0) { // BAD // $ Alert // ... } } 
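Review bot: The lines commented `// GOOD [FALSE POSITIVE]` in UnsignedDifferenceExpressionComparedZero/test.cpp are annotated with a plain `// $ Alert`, which records the false positive as an expected, correct result. The inline-expectations form for this is `// GOOD [FALSE POSITIVE] // $ SPURIOUS: Alert`, here on `if(x - y > 0) { }` in the `@@ -59,7 +59,7 @@` hunk, and likewise in the `@@ -72,7 +72,7 @@` and `@@ -179,7 +179,7 @@` hunks. That keeps the three known spurious results distinguishable from the real unsigned-underflow findings. The enclosing functions `test` and `test9` begin outside these hunks.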
@@ -134,7 +134,7 @@ void test8() { unsigned int a = getAnInt(); unsigned int b = getAnInt(); - if (a - b > 0) { // BAD + if (a - b > 0) { // BAD // $ Alert // ... } @@ -143,13 +143,13 @@ void test8() { // ... } } else { - if (a - b > 0) { // BAD + if (a - b > 0) { // BAD // $ Alert // ... } } if (b >= a) { // GOOD - if (a - b > 0) { // BAD + if (a - b > 0) { // BAD // $ Alert // ... } } else { @@ -179,7 +179,7 @@ void test9() { b = 0; } - if (a - b > 0) { // GOOD (as a >= b) [FALSE POSITIVE] + if (a - b > 0) { // GOOD (as a >= b) [FALSE POSITIVE] // $ Alert // ... } } @@ -205,7 +205,7 @@ void test11() { b = getAnInt(); - if (a - b > 0) { // BAD + if (a - b > 0) { // BAD // $ Alert // ... } } @@ -249,7 +249,7 @@ int test14() { return 0; } // b != 0 - return (a - b > 0); // BAD + return (a - b > 0); // BAD // $ Alert } struct Numbers @@ -263,7 +263,7 @@ int test15(Numbers *n) { return 0; } - return (n->a - n->b > 0); // BAD + return (n->a - n->b > 0); // BAD // $ Alert } int test16() { @@ -273,7 +273,7 @@ int test16() { if (!b) { return 0; } else { - return (a - b > 0); // BAD + return (a - b > 0); // BAD // $ Alert } } @@ -285,7 +285,7 @@ int test17() { return 0; } // b != 0 - return (a - b > 0); // BAD + return (a - b > 0); // BAD // $ Alert } int test18() { @@ -309,7 +309,7 @@ void test19() { uint32_t limit = get_limit(); uint32_t total = 0; - while (limit - total > 0) { // BAD: if `total` is greater than `limit` this will underflow and continue executing the loop. + while (limit - total > 0) { // BAD: if `total` is greater than `limit` this will underflow and continue executing the loop. // $ Alert total += get_data(); } @@ -359,7 +359,7 @@ void test21(unsigned long a) if(a - b > 0) { } // GOOD } int64_t b = (int64_t)a + c; - if(a - b > 0) { } // BAD + if(a - b > 0) { } // BAD // $ Alert } { 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-193/InvalidPointerDeref.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-193/InvalidPointerDeref.qlref index b899b6eeb20..75e8699aaac 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-193/InvalidPointerDeref.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-193/InvalidPointerDeref.qlref @@ -1 +1 @@ -Security/CWE/CWE-193/InvalidPointerDeref.ql +query: Security/CWE/CWE-193/InvalidPointerDeref.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-197/SAMATE/IntegerOverflowTainted/IntegerOverflowTainted.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-197/SAMATE/IntegerOverflowTainted/IntegerOverflowTainted.qlref index 72ed7d53685..419ed80f3b9 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-197/SAMATE/IntegerOverflowTainted/IntegerOverflowTainted.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-197/SAMATE/IntegerOverflowTainted/IntegerOverflowTainted.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-190/IntegerOverflowTainted.ql \ No newline at end of file +query: Security/CWE/CWE-190/IntegerOverflowTainted.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-197/SAMATE/IntegerOverflowTainted/tests.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-197/SAMATE/IntegerOverflowTainted/tests.cpp index 79f9a79c97f..76d25fbe46c 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-197/SAMATE/IntegerOverflowTainted/tests.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-197/SAMATE/IntegerOverflowTainted/tests.cpp @@ -35,7 +35,7 @@ void CWE197_Numeric_Truncation_Error__short_fscanf_82_bad::action(short data) { { /* POTENTIAL FLAW: Convert data to a char, possibly causing a truncation error */ - char charData = (char)data; + char charData = (char)data; // $ Alert printHexCharLine(charData); } } 
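Review bot: InvalidPointerDeref.qlref is the only .qlref in this part of the patch that is switched to the `query:` form without a `postprocess: utils/test/InlineExpectationsTestQuery.ql` line. If that is deliberate because the CWE-193 test sources for this query carry no `// $ Alert` annotations, it is worth confirming. If not, the second line is missing and this test stays checked against its .expected file only, unlike the other converted tests.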
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/DangerousFunctionOverflow.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/DangerousFunctionOverflow.qlref
index e4649946851..41d5b35b3c9 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/DangerousFunctionOverflow.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/DangerousFunctionOverflow.qlref
@@ -1 +1,2 @@
-Security/CWE/CWE-676/DangerousFunctionOverflow.ql
+query: Security/CWE/CWE-676/DangerousFunctionOverflow.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/DangerousUseOfCin.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/DangerousUseOfCin.qlref
index 676e3053645..a5067fc5ee1 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/DangerousUseOfCin.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/DangerousUseOfCin.qlref
@@ -1 +1,2 @@
-Security/CWE/CWE-676/DangerousUseOfCin.ql
\ No newline at end of file
+query: Security/CWE/CWE-676/DangerousUseOfCin.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/OverrunWrite.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/OverrunWrite.qlref
index f6c962c1a7b..18ae0f2a567 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/OverrunWrite.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/OverrunWrite.qlref
@@ -1 +1,2 @@
-Security/CWE/CWE-120/OverrunWrite.ql
\ No newline at end of file
+query: Security/CWE/CWE-120/OverrunWrite.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/OverrunWriteFloat.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/OverrunWriteFloat.qlref
index 757d1592e83..ba8f6a96a1f 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/OverrunWriteFloat.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/OverrunWriteFloat.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-120/OverrunWriteFloat.ql \ No newline at end of file +query: Security/CWE/CWE-120/OverrunWriteFloat.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/VeryLikelyOverrunWrite.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/VeryLikelyOverrunWrite.qlref index 94b53951c4b..8dcc2f70c2f 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/VeryLikelyOverrunWrite.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/VeryLikelyOverrunWrite.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql \ No newline at end of file +query: Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/tests.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/tests.cpp index 8bb6dfdd996..870d6786e00 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/tests.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/tests.cpp @@ -109,7 +109,7 @@ char *test1() { static char buffer[1024]; - return gets(buffer); // BAD: use of gets + return gets(buffer); // BAD: use of gets // $ Alert[cpp/dangerous-function-overflow] } typedef char MYCHAR; 
@@ -126,10 +126,10 @@ void test2() char *buffer4 = buffer1; std::istream &input = std::cin; - std::cin >> buffer1; // BAD: use of operator>> into a statically-allocated character array - std::cin >> buffer2; // BAD: use of operator>> into a statically-allocated character array - std::cin >> buffer3; // BAD: use of operator>> into a statically-allocated character array - std::cin >> buffer4; // BAD: use of operator>> into a statically-allocated character array + std::cin >> buffer1; // BAD: use of operator>> into a statically-allocated character array // $ Alert[cpp/dangerous-cin] + std::cin >> buffer2; // BAD: use of operator>> into a statically-allocated character array // $ Alert[cpp/dangerous-cin] + std::cin >> buffer3; // BAD: use of operator>> into a statically-allocated character array // $ Alert[cpp/dangerous-cin] + std::cin >> buffer4; // BAD: use of operator>> into a statically-allocated character array // $ Alert[cpp/dangerous-cin] input >> buffer1; // BAD: use of operator>> into a statically-allocated character array (NOT DETECTED) } @@ -154,7 +154,7 @@ void test2() int i, j, k; std::cin >> i >> j >> k; // GOOD: destinations are not character arrays - std::cin >> i >> buffer >> k; // BAD: use of operator>> into a statically-allocated character array + std::cin >> i >> buffer >> k; // BAD: use of operator>> into a statically-allocated character array // $ Alert[cpp/dangerous-cin] } @@ -163,7 +163,7 @@ void test2() static char buf[1024]; static int i; - std::wcin >> wbuf; // BAD: use of operator>> into a statically-allocated character array + std::wcin >> wbuf; // BAD: use of operator>> into a statically-allocated character array // $ Alert[cpp/dangerous-cin] std::wcin >> i; // GOOD: destination is not a character array } 
@@ -174,9 +174,9 @@ void test2() char buf[4096]; int i; - my_ifstream >> buf; // BAD: use of operator>> into a statically-allocated character array + my_ifstream >> buf; // BAD: use of operator>> into a statically-allocated character array // $ Alert[cpp/dangerous-cin] my_ifstream >> i; // GOOD: destination is not a character array - my_wifstream >> wbuf; // BAD: use of operator>> into a statically-allocated character array + my_wifstream >> wbuf; // BAD: use of operator>> into a statically-allocated character array // $ Alert[cpp/dangerous-cin] my_wifstream >> i; // GOOD: destination is not a character array } @@ -187,10 +187,10 @@ void test2() std::cin.width(10); std::cin >> buf1; // GOOD: controlled by width() - std::cin >> buf2; // BAD: uncontrolled by width() + std::cin >> buf2; // BAD: uncontrolled by width() // $ Alert[cpp/dangerous-cin] std::cin.width(10); - std::cin >> buf1 >> buf2; // BAD: buf2 is uncontrolled by width() + std::cin >> buf1 >> buf2; // BAD: buf2 is uncontrolled by width() // $ Alert[cpp/dangerous-cin] std::cin.width(10); std::cin >> i; // GOOD: destination is not a character array 
@@ -200,18 +200,18 @@ void test2() std::cin >> i >> buf1; // GOOD: controlled by width() std::cin.width(20); - std::cin >> buf1; // BAD: specified width is too large + std::cin >> buf1; // BAD: specified width is too large // $ Alert[cpp/dangerous-cin] std::cin.width(int_func()); std::cin >> buf1; // GOOD: controlled by width() std::wcin.width(10); - std::cin >> buf2; // BAD: uncontrolled by width() + std::cin >> buf2; // BAD: uncontrolled by width() // $ Alert[cpp/dangerous-cin] std::wcin >> wbuf; // GOOD: controlled by width() std::cin >> std::setw(10) >> buf1; // GOOD: controlled by setw - std::cin >> std::setw(10) >> buf1 >> buf2; // BAD: buf2 is uncontrolled - std::cin >> std::setw(20) >> buf1; // BAD: specified width is too large + std::cin >> std::setw(10) >> buf1 >> buf2; // BAD: buf2 is uncontrolled // $ Alert[cpp/dangerous-cin] + std::cin >> std::setw(20) >> buf1; // BAD: specified width is too large // $ Alert[cpp/dangerous-cin] std::cin.width(20); std::cin.width(10); @@ -222,7 +222,7 @@ void test2() char buf[10]; int i; - (std::cin >> i) >> buf; // BAD: use of operator>> into a statically-allocated character array + (std::cin >> i) >> buf; // BAD: use of operator>> into a statically-allocated character array // $ Alert[cpp/dangerous-cin] (std::cin >> i).width(10); std::cin >> buf; // GOOD: controlled by width() @@ -234,7 +234,7 @@ void test2() char buf[10]; std::string str; - std::cin >> std::setw(10) >> str >> buf; // BAD: buf is uncontrolled + std::cin >> std::setw(10) >> str >> buf; // BAD: buf is uncontrolled // $ Alert[cpp/dangerous-cin] } } 
@@ -246,8 +246,8 @@ void test3(char c, int val, char *str) char buffer10[10]; MyCharArray myBuffer10; - gets(buffer10); // BAD: use of gets - gets(myBuffer10); // BAD: use of gets + gets(buffer10); // BAD: use of gets // $ Alert[cpp/dangerous-function-overflow] + gets(myBuffer10); // BAD: use of gets // $ Alert[cpp/dangerous-function-overflow] sprintf(buffer10, "%c", c); // GOOD sprintf(myBuffer10, "%c", c); // GOOD @@ -255,8 +255,8 @@ void test3(char c, int val, char *str) sprintf(buffer10, "%s", str); // BAD: potential buffer overflow [NOT DETECTED] sprintf(myBuffer10, "%s", str); // BAD: potential buffer overflow [NOT DETECTED] - sprintf(buffer10, "val: %i", val); // BAD: potential buffer overflow - sprintf(myBuffer10, "val: %i", val); // BAD: potential buffer overflow + sprintf(buffer10, "val: %i", val); // BAD: potential buffer overflow // $ Alert[cpp/overrunning-write] + sprintf(myBuffer10, "val: %i", val); // BAD: potential buffer overflow // $ Alert[cpp/overrunning-write] } void test3_caller() @@ -269,8 +269,8 @@ void test4() char buffer8[8]; char *buffer8_ptr = buffer8; - sprintf(buffer8, "12345678"); // BAD: buffer overflow - sprintf(buffer8_ptr, "12345678"); // BAD: buffer overflow + sprintf(buffer8, "12345678"); // BAD: buffer overflow // $ Alert[cpp/very-likely-overrunning-write] + sprintf(buffer8_ptr, "12345678"); // BAD: buffer overflow // $ Alert[cpp/very-likely-overrunning-write] } typedef void *va_list; @@ -284,7 +284,7 @@ void test5(va_list args, float f) vsprintf(buffer10, "123456789", args); // GOOD vsprintf(buffer10, "1234567890", args); // BAD: buffer overflow [NOT DETECTED] - sprintf(buffer64, "%f", f); // BAD: potential buffer overflow + sprintf(buffer64, "%f", f); // BAD: potential buffer overflow // $ Alert[cpp/overrunning-write-with-float] vsprintf(buffer4, "123", args); // GOOD vsprintf(buffer4, "1234", args); // BAD: buffer overflow [NOT DETECTED] 
@@ -305,28 +305,28 @@ namespace custom_sprintf_impl { void regression_test1() { char buffer8[8]; - sprintf(buffer8, "12345678"); // BAD: potential buffer overflow + sprintf(buffer8, "12345678"); // BAD: potential buffer overflow // $ Alert[cpp/very-likely-overrunning-write] } } void test6(unsigned unsigned_value, int value) { char buffer2[2], buffer3[3], buffer4[4], buffer5[5]; - sprintf(buffer4, "%u", unsigned_value); // BAD: buffer overflow - sprintf(buffer4, "%d", unsigned_value); // BAD: buffer overflow + sprintf(buffer4, "%u", unsigned_value); // BAD: buffer overflow // $ Alert[cpp/overrunning-write] + sprintf(buffer4, "%d", unsigned_value); // BAD: buffer overflow // $ Alert[cpp/overrunning-write] if (unsigned_value < 1000) { sprintf(buffer4, "%u", unsigned_value); // GOOD } - sprintf(buffer4, "%u", -100); // BAD: buffer overflow + sprintf(buffer4, "%u", -100); // BAD: buffer overflow // $ Alert[cpp/very-likely-overrunning-write] if(unsigned_value == (unsigned)-100) { - sprintf(buffer4, "%u", unsigned_value); // BAD: buffer overflow + sprintf(buffer4, "%u", unsigned_value); // BAD: buffer overflow // $ Alert[cpp/very-likely-overrunning-write] } - sprintf(buffer4, "%d", value); // BAD: buffer overflow + sprintf(buffer4, "%d", value); // BAD: buffer overflow // $ Alert[cpp/overrunning-write] if (value < 1000) { - sprintf(buffer4, "%d", value); // BAD: buffer overflow + sprintf(buffer4, "%d", value); // BAD: buffer overflow // $ Alert[cpp/overrunning-write] if(value > -100) { sprintf(buffer4, "%d", value); // GOOD 
@@ -338,28 +338,28 @@ void test6(unsigned unsigned_value, int value) { sprintf(buffer2, "%u", 5); // GOOD sprintf(buffer2, "%d", 5); // GOOD - sprintf(buffer2, "%d", -1); // BAD + sprintf(buffer2, "%d", -1); // BAD // $ Alert[cpp/very-likely-overrunning-write] sprintf(buffer2, "%d", 9); // GOOD - sprintf(buffer2, "%d", 10); // BAD + sprintf(buffer2, "%d", 10); // BAD // $ Alert[cpp/very-likely-overrunning-write] - sprintf(buffer2, "%u", -1); // BAD + sprintf(buffer2, "%u", -1); // BAD // $ Alert[cpp/very-likely-overrunning-write] sprintf(buffer2, "%u", 9); // GOOD - sprintf(buffer2, "%u", 10); // BAD + sprintf(buffer2, "%u", 10); // BAD // $ Alert[cpp/very-likely-overrunning-write] unsigned char unsigned_char = unsigned_value; - sprintf(buffer3, "%u", (unsigned)unsigned_char); // BAD + sprintf(buffer3, "%u", (unsigned)unsigned_char); // BAD // $ Alert[cpp/overrunning-write] sprintf(buffer4, "%u", (unsigned)unsigned_char); // GOOD: 0..255 fits unsigned small = unsigned_value >> (sizeof(unsigned_value) * 8 - 9); // in range 0..511 - sprintf(buffer3, "%u", small); // BAD + sprintf(buffer3, "%u", small); // BAD // $ Alert[cpp/very-likely-overrunning-write] sprintf(buffer4, "%u", small); // GOOD small = unsigned_value & ((1u << 9) - 1); // in range 0..511 - sprintf(buffer3, "%u", small); // BAD + sprintf(buffer3, "%u", small); // BAD // $ Alert[cpp/very-likely-overrunning-write] sprintf(buffer4, "%u", small); // GOOD: 0..511 fits char c = value; - sprintf(buffer4, "%d", (int)c); // BAD: e.g. -127 does not fit + sprintf(buffer4, "%d", (int)c); // BAD: e.g. -127 does not fit // $ Alert[cpp/overrunning-write] sprintf(buffer5, "%d", (int)c); // GOOD: -127..128 fits } \ No newline at end of file diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-253/HResultBooleanConversion.c b/cpp/ql/test/query-tests/Security/CWE/CWE-253/HResultBooleanConversion.c index 732fd5f0f44..61c7817b5b9 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-253/HResultBooleanConversion.c 
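Review bot: In the test6 hunk at -338, the comment on the `GOOD` line next to the newly annotated `sprintf(buffer4, "%d", (int)c)` gives the range of `c` as `-127..128`, which looks off by one. Assuming `char` is a signed 8-bit type here, the range is -128..127, and the worst case for the size argument is `-128` (four characters plus the terminator). Since the neighbouring line is being touched anyway, the context line could read `sprintf(buffer5, "%d", (int)c); // GOOD: -128..127 fits`. test6 begins outside this hunk.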
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-253/HResultBooleanConversion.c @@ -39,22 +39,22 @@ bool BoolFunction2() HRESULT IncorrectHresultFunction() { - return BoolFunction(); // BUG + return BoolFunction(); // BUG // $ Alert } HRESULT IncorrectHresultFunction2() { - return BoolFunction2(); // BUG + return BoolFunction2(); // BUG // $ Alert } void IncorrectTypeConversionTest() { HRESULT hr = HresultFunction(); - if ((BOOL)hr) // BUG + if ((BOOL)hr) // BUG // $ Alert { // ... } - if ((bool)hr) // BUG + if ((bool)hr) // BUG // $ Alert { // ... } @@ -63,11 +63,11 @@ void IncorrectTypeConversionTest() { // ... } - if (SUCCEEDED(BoolFunction())) // BUG + if (SUCCEEDED(BoolFunction())) // BUG // $ Alert { // ... } - if (SUCCEEDED(BoolFunction2())) // BUG + if (SUCCEEDED(BoolFunction2())) // BUG // $ Alert { // ... } @@ -75,11 +75,11 @@ void IncorrectTypeConversionTest() { { // ... } - BOOL b = IncorrectHresultFunction(); // BUG - bool b2 = IncorrectHresultFunction(); // BUG + BOOL b = IncorrectHresultFunction(); // BUG // $ Alert + bool b2 = IncorrectHresultFunction(); // BUG // $ Alert hr = E_UNEXPECTED; - if (!hr) // BUG + if (!hr) // BUG // $ Alert { // ... } @@ -89,7 +89,7 @@ void IncorrectTypeConversionTest() { } hr = S_FALSE; - if (hr) // BUG + if (hr) // BUG // $ Alert { // ... } @@ -103,7 +103,7 @@ void IncorrectTypeConversionTest() { // ... } - while (!HresultFunction()) {}; // BUG + while (!HresultFunction()) {}; // BUG // $ Alert while (FAILED(HresultFunction())) {}; // Correct Usage switch(hr) // Correct Usage diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-253/HResultBooleanConversion.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-253/HResultBooleanConversion.cpp index d2857226bfa..8e1ede3d618 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-253/HResultBooleanConversion.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-253/HResultBooleanConversion.cpp 
@@ -36,22 +36,22 @@ bool BoolFunction2() HRESULT IncorrectHresultFunction() { - return BoolFunction(); // BUG + return BoolFunction(); // BUG // $ Alert } HRESULT IncorrectHresultFunction2() { - return BoolFunction2(); // BUG + return BoolFunction2(); // BUG // $ Alert } void IncorrectTypeConversionTest() { HRESULT hr = HresultFunction(); - if ((BOOL)hr) // BUG + if ((BOOL)hr) // BUG // $ Alert { // ... } - if ((bool)hr) // BUG + if ((bool)hr) // BUG // $ Alert { // ... } @@ -60,11 +60,11 @@ void IncorrectTypeConversionTest() { // ... } - if (SUCCEEDED(BoolFunction())) // BUG + if (SUCCEEDED(BoolFunction())) // BUG // $ Alert { // ... } - if (SUCCEEDED(BoolFunction2())) // BUG + if (SUCCEEDED(BoolFunction2())) // BUG // $ Alert { // ... } @@ -72,11 +72,11 @@ void IncorrectTypeConversionTest() { { // ... } - BOOL b = IncorrectHresultFunction(); // BUG - bool b2 = IncorrectHresultFunction(); // BUG + BOOL b = IncorrectHresultFunction(); // BUG // $ Alert + bool b2 = IncorrectHresultFunction(); // BUG // $ Alert hr = E_UNEXPECTED; - if (!hr) // BUG + if (!hr) // BUG // $ Alert { // ... } @@ -86,7 +86,7 @@ void IncorrectTypeConversionTest() { } hr = S_FALSE; - if (hr) // BUG + if (hr) // BUG // $ Alert { // ... } @@ -100,7 +100,7 @@ void IncorrectTypeConversionTest() { // ... } - while (!HresultFunction()) {}; // BUG + while (!HresultFunction()) {}; // BUG // $ Alert while (FAILED(HresultFunction())) {}; // Correct Usage switch(hr) // Correct Usage diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-253/HResultBooleanConversion.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-253/HResultBooleanConversion.qlref index a345e5c6dfb..101c0a1e3e2 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-253/HResultBooleanConversion.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-253/HResultBooleanConversion.qlref 
@@ -1 +1,2 @@
-Security/CWE/CWE-253/HResultBooleanConversion.ql
\ No newline at end of file
+query: Security/CWE/CWE-253/HResultBooleanConversion.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/AuthenticationBypass.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/AuthenticationBypass.expected
index 117f94cfad8..205d347a774 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/AuthenticationBypass.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/AuthenticationBypass.expected
@@ -1,3 +1,10 @@
+#select
+| test.cpp:20:7:20:12 | call to strcmp | test.cpp:16:25:16:42 | *call to getenv | test.cpp:20:14:20:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:16:25:16:42 | *call to getenv | an environment variable |
+| test.cpp:31:7:31:12 | call to strcmp | test.cpp:27:25:27:42 | *call to getenv | test.cpp:31:14:31:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:27:25:27:42 | *call to getenv | an environment variable |
+| test.cpp:42:7:42:12 | call to strcmp | test.cpp:38:25:38:42 | *call to getenv | test.cpp:42:14:42:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:38:25:38:42 | *call to getenv | an environment variable |
+| test.cpp:52:7:52:12 | call to strcmp | test.cpp:49:25:49:42 | *call to getenv | test.cpp:52:14:52:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:49:25:49:42 | *call to getenv | an environment variable |
+| test.cpp:56:7:56:12 | call to strcmp | test.cpp:49:25:49:42 | *call to getenv | test.cpp:56:14:56:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:49:25:49:42 | *call to getenv | an environment variable |
+| test.cpp:60:7:60:12 | call to strcmp | test.cpp:49:25:49:42 | *call to getenv | test.cpp:60:14:60:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:49:25:49:42 | *call to getenv | an environment variable |
 edges
 | test.cpp:16:25:16:42 | *call to getenv | test.cpp:16:25:16:42 | *call to getenv | provenance | |
 | test.cpp:16:25:16:42 | *call to getenv | test.cpp:20:14:20:20 | *address | provenance | |
@@ -25,10 +32,3 @@ nodes
 | test.cpp:56:14:56:20 | *address | semmle.label | *address |
 | test.cpp:60:14:60:20 | *address | semmle.label | *address |
 subpaths
-#select
-| test.cpp:20:7:20:12 | call to strcmp | test.cpp:16:25:16:42 | *call to getenv | test.cpp:20:14:20:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:16:25:16:42 | *call to getenv | an environment variable |
-| test.cpp:31:7:31:12 | call to strcmp | test.cpp:27:25:27:42 | *call to getenv | test.cpp:31:14:31:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:27:25:27:42 | *call to getenv | an environment variable |
-| test.cpp:42:7:42:12 | call to strcmp | test.cpp:38:25:38:42 | *call to getenv | test.cpp:42:14:42:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:38:25:38:42 | *call to getenv | an environment variable |
-| test.cpp:52:7:52:12 | call to strcmp | test.cpp:49:25:49:42 | *call to getenv | test.cpp:52:14:52:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:49:25:49:42 | *call to getenv | an environment variable |
-| test.cpp:56:7:56:12 | call to strcmp | test.cpp:49:25:49:42 | *call to getenv | test.cpp:56:14:56:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:49:25:49:42 | *call to getenv | an environment variable |
-| test.cpp:60:7:60:12 | call to strcmp | test.cpp:49:25:49:42 | *call to getenv | test.cpp:60:14:60:20 | *address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:49:25:49:42 | *call to getenv | an environment variable |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/AuthenticationBypass.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/AuthenticationBypass.qlref
index cf3c4b27d27..3e4f219f523 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/AuthenticationBypass.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/AuthenticationBypass.qlref
@@ -1 +1,2 @@
-Security/CWE/CWE-290/AuthenticationBypass.ql
\ No newline at end of file
+query: Security/CWE/CWE-290/AuthenticationBypass.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/test.cpp
index 72b9155cb84..92fe7c24748 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/test.cpp
@@ -13,51 +13,51 @@ int isServer; void processRequest1() { - const char *address = getenv("SERVERIP"); + const char *address = getenv("SERVERIP"); // $ Source // BAD: the address is controllable by the user, so it // could be spoofed to bypass the security check. - if (strcmp(address, "127.0.0.1")) { + if (strcmp(address, "127.0.0.1")) { // $ Alert isServer = 1; } } void processRequest2() { - const char *address = getenv("SERVERIP"); + const char *address = getenv("SERVERIP"); // $ Source // BAD: the address is controllable by the user, so it // could be spoofed to bypass the security check. - if (strcmp(address, "www.mycompany.com")) { + if (strcmp(address, "www.mycompany.com")) { // $ Alert isServer = 1; } } void processRequest3() { - const char *address = getenv("SERVERIP"); + const char *address = getenv("SERVERIP"); // $ Source // BAD: the address is controllable by the user, so it // could be spoofed to bypass the security check. - if (strcmp(address, "www.mycompany.co.uk")) { + if (strcmp(address, "www.mycompany.co.uk")) { // $ Alert isServer = 1; } } void processRequest4() { - const char *address = getenv("SERVERIP"); + const char *address = getenv("SERVERIP"); // $ Source bool cond = false; - if (strcmp(address, "127.0.0.1")) { cond = true; } // BAD + if (strcmp(address, "127.0.0.1")) { cond = true; } // BAD // $ Alert if (strcmp(address, "127_0_0_1")) { cond = true; } // GOOD (not an IP) if (strcmp(address, "127.0.0")) { cond = true; } // GOOD (not an IP) if (strcmp(address, "127.0.0.0.1")) { cond = true; } // GOOD (not an IP) - if (strcmp(address, "http://mycompany")) { cond = true; } // BAD + if (strcmp(address, "http://mycompany")) { cond = true; } // BAD // $ Alert if (strcmp(address, "http_//mycompany")) { cond = true; } // GOOD (not an address) if (strcmp(address, "htt://mycompany")) { cond = true; } // GOOD (not an address) if (strcmp(address, "httpp://mycompany")) { cond = true; } // GOOD (not an address) - if (strcmp(address, "mycompany.com")) { 
cond = true; } // BAD + if (strcmp(address, "mycompany.com")) { cond = true; } // BAD // $ Alert if (strcmp(address, "mycompany_com")) { cond = true; } // GOOD (not an address) if (strcmp(address, "mycompany.c")) { cond = true; } // GOOD (not an address) if (strcmp(address, "mycompany.comm")) { cond = true; } // GOOD (not an address) diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultConflation.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultConflation.qlref index 493b42eeae1..116b386747b 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultConflation.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultConflation.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-295/SSLResultConflation.ql \ No newline at end of file +query: Security/CWE/CWE-295/SSLResultConflation.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultNotChecked.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultNotChecked.qlref index f019c08b357..fc0209620fe 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultNotChecked.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultNotChecked.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-295/SSLResultNotChecked.ql \ No newline at end of file +query: Security/CWE/CWE-295/SSLResultNotChecked.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-295/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-295/test.cpp index 74f00600a50..d059123b30b 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-295/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-295/test.cpp 
@@ -15,7 +15,7 @@ bool is_ok(int result) bool is_maybe_ok(int result) { - return (result == 0) || (result == 1); // BAD (conflates OK and a non-OK codes) + return (result == 0) || (result == 1); // BAD (conflates OK and a non-OK codes) // $ Alert[cpp/certificate-result-conflation] } void test1_1(SSL *ssl) @@ -35,7 +35,7 @@ void test1_1(SSL *ssl) { int result = SSL_get_verify_result(ssl); - if ((result == 0) || (result == 1)) // BAD (conflates OK and a non-OK codes) + if ((result == 0) || (result == 1)) // BAD (conflates OK and a non-OK codes) // $ Alert[cpp/certificate-result-conflation] { } } @@ -51,7 +51,7 @@ void test1_1(SSL *ssl) { int result = SSL_get_verify_result(ssl); - if ((result == 0) || (false) || (result == 2)) // BAD (conflates OK and a non-OK codes) + if ((result == 0) || (false) || (result == 2)) // BAD (conflates OK and a non-OK codes) // $ Alert[cpp/certificate-result-conflation] { } } @@ -59,7 +59,7 @@ void test1_1(SSL *ssl) { int result = SSL_get_verify_result(ssl); - if ((0 == result) || (1 == result)) // BAD (conflates OK and a non-OK codes) + if ((0 == result) || (1 == result)) // BAD (conflates OK and a non-OK codes) // $ Alert[cpp/certificate-result-conflation] { } } @@ -67,7 +67,7 @@ void test1_1(SSL *ssl) { int result = SSL_get_verify_result(ssl); - if ((result != 0) && (result != 1)) // BAD (conflates OK and a non-OK codes) + if ((result != 0) && (result != 1)) // BAD (conflates OK and a non-OK codes) // $ Alert[cpp/certificate-result-conflation] { } else { // conflation occurs here 
@@ -80,11 +80,11 @@ void test1_1(SSL *ssl) int result2 = get_verify_result_indirect(ssl); int result3 = something_else(ssl); - if ((result == 0) || (result_cpy == 1)) // BAD (conflates OK and a non-OK codes) + if ((result == 0) || (result_cpy == 1)) // BAD (conflates OK and a non-OK codes) // $ Alert[cpp/certificate-result-conflation] { } - if ((result2 == 0) || (result2 == 1)) // BAD (conflates OK and a non-OK codes) + if ((result2 == 0) || (result2 == 1)) // BAD (conflates OK and a non-OK codes) // $ Alert[cpp/certificate-result-conflation] { } @@ -104,9 +104,9 @@ void test1_1(SSL *ssl) { int result = SSL_get_verify_result(ssl); - bool ok = (result == 0) || (result == 1); // BAD (conflates OK and a non-OK codes) + bool ok = (result == 0) || (result == 1); // BAD (conflates OK and a non-OK codes) // $ Alert[cpp/certificate-result-conflation] - if (ok) { + if (ok) { // $ Alert[cpp/certificate-result-conflation] } } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-295/test2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-295/test2.cpp index ed6e3989f2b..46f89f79868 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-295/test2.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-295/test2.cpp @@ -10,7 +10,7 @@ bool maybe(); bool test2_1(SSL *ssl) { - int cert = SSL_get_peer_certificate(ssl); // BAD (SSL_get_verify_result is never called) + int cert = SSL_get_peer_certificate(ssl); // BAD (SSL_get_verify_result is never called) // $ Alert[cpp/certificate-not-checked] return true; } @@ -25,7 +25,7 @@ bool test2_2(SSL *ssl) bool test2_3(SSL *ssl) { - int cert = SSL_get_peer_certificate(ssl); // BAD (SSL_get_verify_result may not be called) + int cert = SSL_get_peer_certificate(ssl); // BAD (SSL_get_verify_result may not be called) // $ Alert[cpp/certificate-not-checked] if (maybe()) { 
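Review bot: In the -104 hunk of CWE-295/test.cpp, the `if (ok) {` line gains `// $ Alert[cpp/certificate-result-conflation]` but has no `BAD` comment explaining why a second result is expected there, unlike the other annotated lines in these hunks. A reader cannot tell whether the alert on the branch is intended or is a duplicate of the one on the `bool ok = ...` line just above. If it is intended, a short reason would help, for example `if (ok) { // BAD (branches on the conflated result) // $ Alert[cpp/certificate-result-conflation]`. test1_1 begins outside this hunk.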
@@ -58,7 +58,7 @@ bool test2_5(SSL *ssl) { int cert, result; - cert = SSL_get_peer_certificate(ssl); // BAD (SSL_get_verify_result is not used reliably) + cert = SSL_get_peer_certificate(ssl); // BAD (SSL_get_verify_result is not used reliably) // $ Alert[cpp/certificate-not-checked] if ((cert != 0) && (maybe())) { result = SSL_get_verify_result(ssl); @@ -86,7 +86,7 @@ bool test2_7(SSL *ssl) { int cert; - cert = SSL_get_peer_certificate(ssl); // BAD (SSL_get_verify_result is only called when there is not a cert) + cert = SSL_get_peer_certificate(ssl); // BAD (SSL_get_verify_result is only called when there is not a cert) // $ Alert[cpp/certificate-not-checked] if (cert != 0) return false; if (SSL_get_verify_result(ssl) != 0) return false; diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected index 4133d62f00a..7598d27e215 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected @@ -1,3 +1,6 @@ +#select +| test2.cpp:110:3:110:6 | call to gets | test2.cpp:110:3:110:6 | *call to gets | test2.cpp:110:3:110:6 | *call to gets | This write into buffer 'password' may contain unencrypted data from $@. | test2.cpp:110:3:110:6 | *call to gets | user input (string read by gets) | +| test.cpp:58:3:58:9 | call to sprintf | test.cpp:53:27:53:30 | **argv | test.cpp:58:25:58:29 | *input | This write into buffer 'passwd' may contain unencrypted data from $@. | test.cpp:53:27:53:30 | **argv | user input (a command-line argument) | edges | test.cpp:53:27:53:30 | **argv | test.cpp:54:17:54:23 | *access to array | provenance | | | test.cpp:54:17:54:23 | *access to array | test.cpp:58:25:58:29 | *input | provenance | | 
@@ -7,6 +10,3 @@ nodes | test.cpp:54:17:54:23 | *access to array | semmle.label | *access to array | | test.cpp:58:25:58:29 | *input | semmle.label | *input | subpaths -#select -| test2.cpp:110:3:110:6 | call to gets | test2.cpp:110:3:110:6 | *call to gets | test2.cpp:110:3:110:6 | *call to gets | This write into buffer 'password' may contain unencrypted data from $@. | test2.cpp:110:3:110:6 | *call to gets | user input (string read by gets) | -| test.cpp:58:3:58:9 | call to sprintf | test.cpp:53:27:53:30 | **argv | test.cpp:58:25:58:29 | *input | This write into buffer 'passwd' may contain unencrypted data from $@. | test.cpp:53:27:53:30 | **argv | user input (a command-line argument) | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.qlref index 6c83c30d549..05046b6a5d5 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-311/CleartextBufferWrite.ql \ No newline at end of file +query: Security/CWE/CWE-311/CleartextBufferWrite.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected index e283cbeb57b..067222327f2 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected 
@@ -1,3 +1,19 @@ +#select +| test2.cpp:43:2:43:8 | call to fprintf | test2.cpp:43:36:43:43 | password | test2.cpp:43:36:43:43 | password | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:43:36:43:43 | password | this source. | +| test2.cpp:44:2:44:8 | call to fprintf | test2.cpp:44:37:44:45 | thepasswd | test2.cpp:44:37:44:45 | thepasswd | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:44:37:44:45 | thepasswd | this source. | +| test2.cpp:45:2:45:8 | call to fprintf | test2.cpp:45:38:45:47 | accountkey | test2.cpp:45:38:45:47 | accountkey | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:45:38:45:47 | accountkey | this source. | +| test2.cpp:50:2:50:8 | call to fprintf | test2.cpp:50:41:50:53 | passwd_config | test2.cpp:50:41:50:53 | passwd_config | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:50:41:50:53 | passwd_config | this source. | +| test2.cpp:54:2:54:8 | call to fprintf | test2.cpp:54:41:54:52 | widepassword | test2.cpp:54:41:54:52 | widepassword | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:54:41:54:52 | widepassword | this source. | +| test2.cpp:55:2:55:8 | call to fprintf | test2.cpp:55:40:55:51 | widepassword | test2.cpp:55:40:55:51 | widepassword | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:55:40:55:51 | widepassword | this source. | +| test2.cpp:57:2:57:8 | call to fprintf | test2.cpp:57:39:57:49 | call to getPassword | test2.cpp:57:39:57:49 | call to getPassword | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:57:39:57:49 | call to getPassword | this source. | +| test2.cpp:65:3:65:9 | call to fprintf | test2.cpp:62:18:62:25 | password | test2.cpp:65:31:65:34 | cpy1 | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:62:18:62:25 | password | this source. 
| +| test2.cpp:73:3:73:9 | call to fprintf | test2.cpp:72:15:72:24 | password | test2.cpp:73:30:73:32 | *buf | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:72:17:72:24 | password | this source. | +| test2.cpp:99:3:99:9 | call to fprintf | test2.cpp:98:45:98:52 | password | test2.cpp:99:27:99:32 | *buffer | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:98:45:98:52 | password | this source. | +| test.cpp:45:3:45:7 | call to fputs | test.cpp:45:9:45:19 | thePassword | test.cpp:45:9:45:19 | thePassword | This write into file 'file' may contain unencrypted data from $@. | test.cpp:45:9:45:19 | thePassword | this source. | +| test.cpp:70:35:70:35 | call to operator<< | test.cpp:70:38:70:48 | thePassword | test.cpp:70:38:70:48 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:70:38:70:48 | thePassword | this source. | +| test.cpp:73:37:73:41 | call to write | test.cpp:70:38:70:48 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:70:38:70:48 | thePassword | this source. | +| test.cpp:73:37:73:41 | call to write | test.cpp:73:43:73:53 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:73:43:73:53 | thePassword | this source. | +| test.cpp:73:37:73:41 | call to write | test.cpp:73:63:73:73 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:73:63:73:73 | thePassword | this source. | edges | test2.cpp:62:18:62:25 | password | test2.cpp:62:18:62:25 | password | provenance | | | test2.cpp:62:18:62:25 | password | test2.cpp:65:31:65:34 | cpy1 | provenance | | 
@@ -26,19 +42,3 @@ nodes | test.cpp:73:43:73:53 | thePassword | semmle.label | thePassword | | test.cpp:73:63:73:73 | thePassword | semmle.label | thePassword | subpaths -#select -| test2.cpp:43:2:43:8 | call to fprintf | test2.cpp:43:36:43:43 | password | test2.cpp:43:36:43:43 | password | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:43:36:43:43 | password | this source. | -| test2.cpp:44:2:44:8 | call to fprintf | test2.cpp:44:37:44:45 | thepasswd | test2.cpp:44:37:44:45 | thepasswd | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:44:37:44:45 | thepasswd | this source. | -| test2.cpp:45:2:45:8 | call to fprintf | test2.cpp:45:38:45:47 | accountkey | test2.cpp:45:38:45:47 | accountkey | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:45:38:45:47 | accountkey | this source. | -| test2.cpp:50:2:50:8 | call to fprintf | test2.cpp:50:41:50:53 | passwd_config | test2.cpp:50:41:50:53 | passwd_config | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:50:41:50:53 | passwd_config | this source. | -| test2.cpp:54:2:54:8 | call to fprintf | test2.cpp:54:41:54:52 | widepassword | test2.cpp:54:41:54:52 | widepassword | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:54:41:54:52 | widepassword | this source. | -| test2.cpp:55:2:55:8 | call to fprintf | test2.cpp:55:40:55:51 | widepassword | test2.cpp:55:40:55:51 | widepassword | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:55:40:55:51 | widepassword | this source. | -| test2.cpp:57:2:57:8 | call to fprintf | test2.cpp:57:39:57:49 | call to getPassword | test2.cpp:57:39:57:49 | call to getPassword | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:57:39:57:49 | call to getPassword | this source. 
| -| test2.cpp:65:3:65:9 | call to fprintf | test2.cpp:62:18:62:25 | password | test2.cpp:65:31:65:34 | cpy1 | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:62:18:62:25 | password | this source. | -| test2.cpp:73:3:73:9 | call to fprintf | test2.cpp:72:15:72:24 | password | test2.cpp:73:30:73:32 | *buf | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:72:17:72:24 | password | this source. | -| test2.cpp:99:3:99:9 | call to fprintf | test2.cpp:98:45:98:52 | password | test2.cpp:99:27:99:32 | *buffer | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:98:45:98:52 | password | this source. | -| test.cpp:45:3:45:7 | call to fputs | test.cpp:45:9:45:19 | thePassword | test.cpp:45:9:45:19 | thePassword | This write into file 'file' may contain unencrypted data from $@. | test.cpp:45:9:45:19 | thePassword | this source. | -| test.cpp:70:35:70:35 | call to operator<< | test.cpp:70:38:70:48 | thePassword | test.cpp:70:38:70:48 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:70:38:70:48 | thePassword | this source. | -| test.cpp:73:37:73:41 | call to write | test.cpp:70:38:70:48 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:70:38:70:48 | thePassword | this source. | -| test.cpp:73:37:73:41 | call to write | test.cpp:73:43:73:53 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:73:43:73:53 | thePassword | this source. | -| test.cpp:73:37:73:41 | call to write | test.cpp:73:63:73:73 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:73:63:73:73 | thePassword | this source. | 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.qlref
index f047858d880..9469736d8c7 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.qlref
@@ -1 +1,2 @@
-Security/CWE/CWE-311/CleartextFileWrite.ql
\ No newline at end of file
+query: Security/CWE/CWE-311/CleartextFileWrite.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected
index fae3d76599a..370555e6811 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected
@@ -1,3 +1,44 @@ +#select +| test3.cpp:22:3:22:6 | call to send | test3.cpp:22:15:22:23 | password1 | test3.cpp:22:15:22:23 | password1 | This operation transmits 'password1', which may contain unencrypted sensitive data from $@. | test3.cpp:22:15:22:23 | password1 | password1 | +| test3.cpp:26:3:26:6 | call to send | test3.cpp:26:15:26:23 | password2 | test3.cpp:26:15:26:23 | password2 | This operation transmits 'password2', which may contain unencrypted sensitive data from $@. | test3.cpp:26:15:26:23 | password2 | password2 | +| test3.cpp:47:3:47:6 | call to recv | test3.cpp:47:15:47:22 | password | test3.cpp:47:15:47:22 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:47:15:47:22 | password | password | +| test3.cpp:55:3:55:6 | call to recv | test3.cpp:55:15:55:22 | password | test3.cpp:55:15:55:22 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:55:15:55:22 | password | password | +| test3.cpp:76:3:76:6 | call to send | test3.cpp:74:21:74:29 | password1 | test3.cpp:76:15:76:17 | ptr | This operation transmits 'ptr', which may contain unencrypted sensitive data from $@. | test3.cpp:74:21:74:29 | password1 | password1 | +| test3.cpp:83:3:83:6 | call to recv | test3.cpp:81:15:81:22 | password | test3.cpp:83:15:83:17 | ptr | This operation receives into 'ptr', which may put unencrypted sensitive data into $@. | test3.cpp:81:15:81:22 | password | password | +| test3.cpp:101:3:101:6 | call to read | test3.cpp:101:12:101:19 | password | test3.cpp:101:12:101:19 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:101:12:101:19 | password | password | +| test3.cpp:114:2:114:5 | call to recv | test3.cpp:134:11:134:18 | password | test3.cpp:114:14:114:19 | buffer | This operation receives into 'buffer', which may put unencrypted sensitive data into $@. 
| test3.cpp:134:11:134:18 | password | password | +| test3.cpp:140:3:140:6 | call to send | test3.cpp:138:24:138:32 | password1 | test3.cpp:140:15:140:17 | ptr | This operation transmits 'ptr', which may contain unencrypted sensitive data from $@. | test3.cpp:138:24:138:32 | password1 | password1 | +| test3.cpp:146:3:146:6 | call to send | test3.cpp:126:9:126:23 | global_password | test3.cpp:146:15:146:18 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@. | test3.cpp:126:9:126:23 | global_password | global_password | +| test3.cpp:159:3:159:6 | call to send | test3.cpp:157:19:157:26 | password | test3.cpp:159:15:159:20 | *buffer | This operation transmits '*buffer', which may contain unencrypted sensitive data from $@. | test3.cpp:157:19:157:26 | password | password | +| test3.cpp:228:2:228:5 | call to send | test3.cpp:228:26:228:33 | password | test3.cpp:228:26:228:33 | password | This operation transmits 'password', which may contain unencrypted sensitive data from $@. | test3.cpp:228:26:228:33 | password | password | +| test3.cpp:241:2:241:6 | call to fgets | test3.cpp:241:8:241:15 | password | test3.cpp:241:8:241:15 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:241:8:241:15 | password | password | +| test3.cpp:272:3:272:6 | call to send | test3.cpp:270:16:270:23 | password | test3.cpp:272:15:272:18 | *data | This operation transmits '*data', which may contain unencrypted sensitive data from $@. | test3.cpp:270:16:270:23 | password | password | +| test3.cpp:290:2:290:5 | call to send | test3.cpp:317:11:317:19 | password1 | test3.cpp:290:14:290:17 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@. 
| test3.cpp:317:11:317:19 | password1 | password1 | +| test3.cpp:295:2:295:5 | call to send | test3.cpp:322:16:322:24 | password2 | test3.cpp:295:14:295:17 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@. | test3.cpp:322:16:322:24 | password2 | password2 | +| test3.cpp:300:2:300:5 | call to send | test3.cpp:322:16:322:24 | password2 | test3.cpp:300:14:300:17 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@. | test3.cpp:322:16:322:24 | password2 | password2 | +| test3.cpp:341:4:341:7 | call to recv | test3.cpp:341:16:341:23 | password | test3.cpp:341:16:341:23 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:341:16:341:23 | password | password | +| test3.cpp:388:3:388:6 | call to recv | test3.cpp:388:15:388:22 | password | test3.cpp:388:15:388:22 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:388:15:388:22 | password | password | +| test3.cpp:414:3:414:6 | call to recv | test3.cpp:414:15:414:24 | password | test3.cpp:414:15:414:24 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:414:15:414:24 | password | password | +| test3.cpp:420:3:420:6 | call to recv | test3.cpp:420:15:420:24 | password | test3.cpp:420:15:420:24 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:420:15:420:24 | password | password | +| test3.cpp:431:2:431:6 | call to fgets | test3.cpp:431:8:431:15 | password | test3.cpp:431:8:431:15 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. 
| test3.cpp:431:8:431:15 | password | password | +| test3.cpp:507:2:507:5 | call to send | test3.cpp:507:14:507:39 | social_security_number | test3.cpp:507:14:507:39 | social_security_number | This operation transmits 'social_security_number', which may contain unencrypted sensitive data from $@. | test3.cpp:507:14:507:39 | social_security_number | social_security_number | +| test3.cpp:508:2:508:5 | call to send | test3.cpp:508:14:508:33 | socialSecurityNo | test3.cpp:508:14:508:33 | socialSecurityNo | This operation transmits 'socialSecurityNo', which may contain unencrypted sensitive data from $@. | test3.cpp:508:14:508:33 | socialSecurityNo | socialSecurityNo | +| test3.cpp:509:2:509:5 | call to send | test3.cpp:509:14:509:29 | homePostCode | test3.cpp:509:14:509:29 | homePostCode | This operation transmits 'homePostCode', which may contain unencrypted sensitive data from $@. | test3.cpp:509:14:509:29 | homePostCode | homePostCode | +| test3.cpp:510:2:510:5 | call to send | test3.cpp:510:14:510:28 | my_zip_code | test3.cpp:510:14:510:28 | my_zip_code | This operation transmits 'my_zip_code', which may contain unencrypted sensitive data from $@. | test3.cpp:510:14:510:28 | my_zip_code | my_zip_code | +| test3.cpp:511:2:511:5 | call to send | test3.cpp:511:14:511:26 | telephone | test3.cpp:511:14:511:26 | telephone | This operation transmits 'telephone', which may contain unencrypted sensitive data from $@. | test3.cpp:511:14:511:26 | telephone | telephone | +| test3.cpp:512:2:512:5 | call to send | test3.cpp:512:14:512:36 | mobile_phone_number | test3.cpp:512:14:512:36 | mobile_phone_number | This operation transmits 'mobile_phone_number', which may contain unencrypted sensitive data from $@. | test3.cpp:512:14:512:36 | mobile_phone_number | mobile_phone_number | +| test3.cpp:513:2:513:5 | call to send | test3.cpp:513:14:513:22 | email | test3.cpp:513:14:513:22 | email | This operation transmits 'email', which may contain unencrypted sensitive data from $@. 
| test3.cpp:513:14:513:22 | email | email | +| test3.cpp:514:2:514:5 | call to send | test3.cpp:514:14:514:38 | my_credit_card_number | test3.cpp:514:14:514:38 | my_credit_card_number | This operation transmits 'my_credit_card_number', which may contain unencrypted sensitive data from $@. | test3.cpp:514:14:514:38 | my_credit_card_number | my_credit_card_number | +| test3.cpp:515:2:515:5 | call to send | test3.cpp:515:14:515:35 | my_bank_account_no | test3.cpp:515:14:515:35 | my_bank_account_no | This operation transmits 'my_bank_account_no', which may contain unencrypted sensitive data from $@. | test3.cpp:515:14:515:35 | my_bank_account_no | my_bank_account_no | +| test3.cpp:516:2:516:5 | call to send | test3.cpp:516:14:516:29 | employerName | test3.cpp:516:14:516:29 | employerName | This operation transmits 'employerName', which may contain unencrypted sensitive data from $@. | test3.cpp:516:14:516:29 | employerName | employerName | +| test3.cpp:517:2:517:5 | call to send | test3.cpp:517:14:517:29 | medical_info | test3.cpp:517:14:517:29 | medical_info | This operation transmits 'medical_info', which may contain unencrypted sensitive data from $@. | test3.cpp:517:14:517:29 | medical_info | medical_info | +| test3.cpp:518:2:518:5 | call to send | test3.cpp:518:14:518:28 | license_key | test3.cpp:518:14:518:28 | license_key | This operation transmits 'license_key', which may contain unencrypted sensitive data from $@. | test3.cpp:518:14:518:28 | license_key | license_key | +| test3.cpp:527:3:527:6 | call to send | test3.cpp:526:44:526:54 | my_latitude | test3.cpp:527:15:527:20 | *buffer | This operation transmits '*buffer', which may contain unencrypted sensitive data from $@. | test3.cpp:526:44:526:54 | my_latitude | my_latitude | +| test3.cpp:533:3:533:6 | call to send | test3.cpp:532:45:532:58 | home_longitude | test3.cpp:533:15:533:20 | *buffer | This operation transmits '*buffer', which may contain unencrypted sensitive data from $@. 
| test3.cpp:532:45:532:58 | home_longitude | home_longitude | +| test3.cpp:552:3:552:6 | call to send | test3.cpp:551:47:551:58 | salaryString | test3.cpp:552:15:552:20 | *buffer | This operation transmits '*buffer', which may contain unencrypted sensitive data from $@. | test3.cpp:551:47:551:58 | salaryString | salaryString | +| test3.cpp:559:3:559:6 | call to send | test3.cpp:556:19:556:30 | salaryString | test3.cpp:559:15:559:20 | *buffer | This operation transmits '*buffer', which may contain unencrypted sensitive data from $@. | test3.cpp:556:19:556:30 | salaryString | salaryString | +| test3.cpp:572:2:572:5 | call to send | test3.cpp:571:8:571:21 | call to get_home_phone | test3.cpp:572:14:572:16 | str | This operation transmits 'str', which may contain unencrypted sensitive data from $@. | test3.cpp:571:8:571:21 | call to get_home_phone | call to get_home_phone | +| test3.cpp:578:2:578:5 | call to send | test3.cpp:577:8:577:23 | call to get_home_address | test3.cpp:578:14:578:16 | str | This operation transmits 'str', which may contain unencrypted sensitive data from $@. | test3.cpp:577:8:577:23 | call to get_home_address | call to get_home_address | edges | test3.cpp:74:21:74:29 | password1 | test3.cpp:74:21:74:29 | password1 | provenance | | | test3.cpp:74:21:74:29 | password1 | test3.cpp:76:15:76:17 | ptr | provenance | | 
@@ -140,44 +181,3 @@ nodes | test3.cpp:578:14:578:16 | str | semmle.label | str | subpaths | test3.cpp:138:24:138:32 | password1 | test3.cpp:117:28:117:33 | buffer | test3.cpp:117:13:117:14 | *id | test3.cpp:138:21:138:22 | call to id | -#select -| test3.cpp:22:3:22:6 | call to send | test3.cpp:22:15:22:23 | password1 | test3.cpp:22:15:22:23 | password1 | This operation transmits 'password1', which may contain unencrypted sensitive data from $@. | test3.cpp:22:15:22:23 | password1 | password1 | -| test3.cpp:26:3:26:6 | call to send | test3.cpp:26:15:26:23 | password2 | test3.cpp:26:15:26:23 | password2 | This operation transmits 'password2', which may contain unencrypted sensitive data from $@. | test3.cpp:26:15:26:23 | password2 | password2 | -| test3.cpp:47:3:47:6 | call to recv | test3.cpp:47:15:47:22 | password | test3.cpp:47:15:47:22 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:47:15:47:22 | password | password | -| test3.cpp:55:3:55:6 | call to recv | test3.cpp:55:15:55:22 | password | test3.cpp:55:15:55:22 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:55:15:55:22 | password | password | -| test3.cpp:76:3:76:6 | call to send | test3.cpp:74:21:74:29 | password1 | test3.cpp:76:15:76:17 | ptr | This operation transmits 'ptr', which may contain unencrypted sensitive data from $@. | test3.cpp:74:21:74:29 | password1 | password1 | -| test3.cpp:83:3:83:6 | call to recv | test3.cpp:81:15:81:22 | password | test3.cpp:83:15:83:17 | ptr | This operation receives into 'ptr', which may put unencrypted sensitive data into $@. | test3.cpp:81:15:81:22 | password | password | -| test3.cpp:101:3:101:6 | call to read | test3.cpp:101:12:101:19 | password | test3.cpp:101:12:101:19 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. 
| test3.cpp:101:12:101:19 | password | password | -| test3.cpp:114:2:114:5 | call to recv | test3.cpp:134:11:134:18 | password | test3.cpp:114:14:114:19 | buffer | This operation receives into 'buffer', which may put unencrypted sensitive data into $@. | test3.cpp:134:11:134:18 | password | password | -| test3.cpp:140:3:140:6 | call to send | test3.cpp:138:24:138:32 | password1 | test3.cpp:140:15:140:17 | ptr | This operation transmits 'ptr', which may contain unencrypted sensitive data from $@. | test3.cpp:138:24:138:32 | password1 | password1 | -| test3.cpp:146:3:146:6 | call to send | test3.cpp:126:9:126:23 | global_password | test3.cpp:146:15:146:18 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@. | test3.cpp:126:9:126:23 | global_password | global_password | -| test3.cpp:159:3:159:6 | call to send | test3.cpp:157:19:157:26 | password | test3.cpp:159:15:159:20 | *buffer | This operation transmits '*buffer', which may contain unencrypted sensitive data from $@. | test3.cpp:157:19:157:26 | password | password | -| test3.cpp:228:2:228:5 | call to send | test3.cpp:228:26:228:33 | password | test3.cpp:228:26:228:33 | password | This operation transmits 'password', which may contain unencrypted sensitive data from $@. | test3.cpp:228:26:228:33 | password | password | -| test3.cpp:241:2:241:6 | call to fgets | test3.cpp:241:8:241:15 | password | test3.cpp:241:8:241:15 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:241:8:241:15 | password | password | -| test3.cpp:272:3:272:6 | call to send | test3.cpp:270:16:270:23 | password | test3.cpp:272:15:272:18 | *data | This operation transmits '*data', which may contain unencrypted sensitive data from $@. 
| test3.cpp:270:16:270:23 | password | password | -| test3.cpp:290:2:290:5 | call to send | test3.cpp:317:11:317:19 | password1 | test3.cpp:290:14:290:17 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@. | test3.cpp:317:11:317:19 | password1 | password1 | -| test3.cpp:295:2:295:5 | call to send | test3.cpp:322:16:322:24 | password2 | test3.cpp:295:14:295:17 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@. | test3.cpp:322:16:322:24 | password2 | password2 | -| test3.cpp:300:2:300:5 | call to send | test3.cpp:322:16:322:24 | password2 | test3.cpp:300:14:300:17 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@. | test3.cpp:322:16:322:24 | password2 | password2 | -| test3.cpp:341:4:341:7 | call to recv | test3.cpp:341:16:341:23 | password | test3.cpp:341:16:341:23 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:341:16:341:23 | password | password | -| test3.cpp:388:3:388:6 | call to recv | test3.cpp:388:15:388:22 | password | test3.cpp:388:15:388:22 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:388:15:388:22 | password | password | -| test3.cpp:414:3:414:6 | call to recv | test3.cpp:414:15:414:24 | password | test3.cpp:414:15:414:24 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:414:15:414:24 | password | password | -| test3.cpp:420:3:420:6 | call to recv | test3.cpp:420:15:420:24 | password | test3.cpp:420:15:420:24 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. 
| test3.cpp:420:15:420:24 | password | password | -| test3.cpp:431:2:431:6 | call to fgets | test3.cpp:431:8:431:15 | password | test3.cpp:431:8:431:15 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:431:8:431:15 | password | password | -| test3.cpp:507:2:507:5 | call to send | test3.cpp:507:14:507:39 | social_security_number | test3.cpp:507:14:507:39 | social_security_number | This operation transmits 'social_security_number', which may contain unencrypted sensitive data from $@. | test3.cpp:507:14:507:39 | social_security_number | social_security_number | -| test3.cpp:508:2:508:5 | call to send | test3.cpp:508:14:508:33 | socialSecurityNo | test3.cpp:508:14:508:33 | socialSecurityNo | This operation transmits 'socialSecurityNo', which may contain unencrypted sensitive data from $@. | test3.cpp:508:14:508:33 | socialSecurityNo | socialSecurityNo | -| test3.cpp:509:2:509:5 | call to send | test3.cpp:509:14:509:29 | homePostCode | test3.cpp:509:14:509:29 | homePostCode | This operation transmits 'homePostCode', which may contain unencrypted sensitive data from $@. | test3.cpp:509:14:509:29 | homePostCode | homePostCode | -| test3.cpp:510:2:510:5 | call to send | test3.cpp:510:14:510:28 | my_zip_code | test3.cpp:510:14:510:28 | my_zip_code | This operation transmits 'my_zip_code', which may contain unencrypted sensitive data from $@. | test3.cpp:510:14:510:28 | my_zip_code | my_zip_code | -| test3.cpp:511:2:511:5 | call to send | test3.cpp:511:14:511:26 | telephone | test3.cpp:511:14:511:26 | telephone | This operation transmits 'telephone', which may contain unencrypted sensitive data from $@. | test3.cpp:511:14:511:26 | telephone | telephone | -| test3.cpp:512:2:512:5 | call to send | test3.cpp:512:14:512:36 | mobile_phone_number | test3.cpp:512:14:512:36 | mobile_phone_number | This operation transmits 'mobile_phone_number', which may contain unencrypted sensitive data from $@. 
| test3.cpp:512:14:512:36 | mobile_phone_number | mobile_phone_number | -| test3.cpp:513:2:513:5 | call to send | test3.cpp:513:14:513:22 | email | test3.cpp:513:14:513:22 | email | This operation transmits 'email', which may contain unencrypted sensitive data from $@. | test3.cpp:513:14:513:22 | email | email | -| test3.cpp:514:2:514:5 | call to send | test3.cpp:514:14:514:38 | my_credit_card_number | test3.cpp:514:14:514:38 | my_credit_card_number | This operation transmits 'my_credit_card_number', which may contain unencrypted sensitive data from $@. | test3.cpp:514:14:514:38 | my_credit_card_number | my_credit_card_number | -| test3.cpp:515:2:515:5 | call to send | test3.cpp:515:14:515:35 | my_bank_account_no | test3.cpp:515:14:515:35 | my_bank_account_no | This operation transmits 'my_bank_account_no', which may contain unencrypted sensitive data from $@. | test3.cpp:515:14:515:35 | my_bank_account_no | my_bank_account_no | -| test3.cpp:516:2:516:5 | call to send | test3.cpp:516:14:516:29 | employerName | test3.cpp:516:14:516:29 | employerName | This operation transmits 'employerName', which may contain unencrypted sensitive data from $@. | test3.cpp:516:14:516:29 | employerName | employerName | -| test3.cpp:517:2:517:5 | call to send | test3.cpp:517:14:517:29 | medical_info | test3.cpp:517:14:517:29 | medical_info | This operation transmits 'medical_info', which may contain unencrypted sensitive data from $@. | test3.cpp:517:14:517:29 | medical_info | medical_info | -| test3.cpp:518:2:518:5 | call to send | test3.cpp:518:14:518:28 | license_key | test3.cpp:518:14:518:28 | license_key | This operation transmits 'license_key', which may contain unencrypted sensitive data from $@. | test3.cpp:518:14:518:28 | license_key | license_key | -| test3.cpp:527:3:527:6 | call to send | test3.cpp:526:44:526:54 | my_latitude | test3.cpp:527:15:527:20 | *buffer | This operation transmits '*buffer', which may contain unencrypted sensitive data from $@. 
| test3.cpp:526:44:526:54 | my_latitude | my_latitude | -| test3.cpp:533:3:533:6 | call to send | test3.cpp:532:45:532:58 | home_longitude | test3.cpp:533:15:533:20 | *buffer | This operation transmits '*buffer', which may contain unencrypted sensitive data from $@. | test3.cpp:532:45:532:58 | home_longitude | home_longitude | -| test3.cpp:552:3:552:6 | call to send | test3.cpp:551:47:551:58 | salaryString | test3.cpp:552:15:552:20 | *buffer | This operation transmits '*buffer', which may contain unencrypted sensitive data from $@. | test3.cpp:551:47:551:58 | salaryString | salaryString | -| test3.cpp:559:3:559:6 | call to send | test3.cpp:556:19:556:30 | salaryString | test3.cpp:559:15:559:20 | *buffer | This operation transmits '*buffer', which may contain unencrypted sensitive data from $@. | test3.cpp:556:19:556:30 | salaryString | salaryString | -| test3.cpp:572:2:572:5 | call to send | test3.cpp:571:8:571:21 | call to get_home_phone | test3.cpp:572:14:572:16 | str | This operation transmits 'str', which may contain unencrypted sensitive data from $@. | test3.cpp:571:8:571:21 | call to get_home_phone | call to get_home_phone | -| test3.cpp:578:2:578:5 | call to send | test3.cpp:577:8:577:23 | call to get_home_address | test3.cpp:578:14:578:16 | str | This operation transmits 'str', which may contain unencrypted sensitive data from $@. | test3.cpp:577:8:577:23 | call to get_home_address | call to get_home_address | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.qlref index bb3fc66f1f1..5388c41bed6 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.qlref 
@@ -1 +1,2 @@ -Security/CWE/CWE-311/CleartextTransmission.ql \ No newline at end of file +query: Security/CWE/CWE-311/CleartextTransmission.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test.cpp index f7be37b6c9f..e7eecffb487 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test.cpp @@ -42,7 +42,7 @@ void file() { FILE *file; // BAD: write password to file in cleartext - fputs(thePassword, file); + fputs(thePassword, file); // $ Alert[cpp/cleartext-storage-file] // GOOD: encrypt first char *encrypted = encrypt(thePassword); @@ -50,12 +50,12 @@ void file() { } // test for CleartextBufferWrite -int main(int argc, char** argv) { +int main(int argc, char** argv) { // $ Source[cpp/cleartext-storage-buffer] char *input = argv[2]; char *passwd; // BAD: write password to buffer in cleartext - sprintf(passwd, "%s", input); + sprintf(passwd, "%s", input); // $ Alert[cpp/cleartext-storage-buffer] // GOOD: encrypt first sprintf(passwd, "%s", encrypt(input)); @@ -67,10 +67,10 @@ void stream() { ofstream mystream; // BAD: write password to file in cleartext - mystream << "the password is: " << thePassword; + mystream << "the password is: " << thePassword; // $ Alert[cpp/cleartext-storage-file] Source[cpp/cleartext-storage-file] // BAD: write password to file in cleartext - (mystream << "the password is: ").write(thePassword, strlen(thePassword)); + (mystream << "the password is: ").write(thePassword, strlen(thePassword)); // $ Alert[cpp/cleartext-storage-file] // GOOD: encrypt first char *encrypted = encrypt(thePassword); diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test2.cpp index ff10fba761b..b19118598d4 100644 
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test2.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test2.cpp 
@@ -40,37 +40,37 @@ int getPasswordMaxChars(); void tests(FILE *log, myStruct &s) { - fprintf(log, "password = %s\n", s.password); // BAD - fprintf(log, "thepasswd = %s\n", s.thepasswd); // BAD - fprintf(log, "accountkey = %s\n", s.accountkey); // BAD + fprintf(log, "password = %s\n", s.password); // BAD // $ Alert[cpp/cleartext-storage-file] + fprintf(log, "thepasswd = %s\n", s.thepasswd); // BAD // $ Alert[cpp/cleartext-storage-file] + fprintf(log, "accountkey = %s\n", s.accountkey); // BAD // $ Alert[cpp/cleartext-storage-file] fprintf(log, "password_hash = %s\n", s.password_hash); // GOOD fprintf(log, "encrypted_passwd = %s\n", s.encrypted_passwd); // GOOD fprintf(log, "password_file = %s\n", s.password_file); // GOOD fprintf(log, "password_path = %s\n", s.password_path); // GOOD - fprintf(log, "passwd_config = %s\n", s.passwd_config); // DUBIOUS [REPORTED] + fprintf(log, "passwd_config = %s\n", s.passwd_config); // DUBIOUS [REPORTED] // $ Alert[cpp/cleartext-storage-file] fprintf(log, "num_passwords = %i\n", s.num_passwords); // GOOD fprintf(log, "password_tries = %i\n", *(s.password_tries)); // GOOD fprintf(log, "have_passwd = %i\n", s.have_passwd); // GOOD - fprintf(log, "widepassword = %ls\n", s.widepassword); // BAD - fprintf(log, "widepassword = %S\n", s.widepassword); // BAD + fprintf(log, "widepassword = %ls\n", s.widepassword); // BAD // $ Alert[cpp/cleartext-storage-file] + fprintf(log, "widepassword = %S\n", s.widepassword); // BAD // $ Alert[cpp/cleartext-storage-file] - fprintf(log, "getPassword() = %s\n", getPassword()); // BAD + fprintf(log, "getPassword() = %s\n", getPassword()); // BAD // $ Alert[cpp/cleartext-storage-file] fprintf(log, "getPasswordHash() = %s\n", getPasswordHash()); // GOOD fprintf(log, "getPasswordMaxChars() = %i\n", getPasswordMaxChars()); // GOOD { - char *cpy1 = s.password; + char *cpy1 = s.password; // $ Source[cpp/cleartext-storage-file] char *cpy2 = crypt(s.password); - fprintf(log, "cpy1 = %s\n", cpy1); // BAD + 
fprintf(log, "cpy1 = %s\n", cpy1); // BAD // $ Alert[cpp/cleartext-storage-file] fprintf(log, "cpy2 = %s\n", cpy2); // GOOD } { char buf[1024]; - strcpy(buf, s.password); - fprintf(log, "buf = %s\n", buf); // BAD + strcpy(buf, s.password); // $ Source[cpp/cleartext-storage-file] + fprintf(log, "buf = %s\n", buf); // BAD // $ Alert[cpp/cleartext-storage-file] strcpy(buf, s.password_hash); fprintf(log, "buf = %s\n", buf); // GOOD @@ -95,8 +95,8 @@ void tests(FILE *log, myStruct &s) { char buffer[1024]; - snprintf(buffer, 1024, "password = %s", s.password); - fprintf(log, "log: %s", buffer); // BAD + snprintf(buffer, 1024, "password = %s", s.password); // $ Source[cpp/cleartext-storage-file] + fprintf(log, "log: %s", buffer); // BAD // $ Alert[cpp/cleartext-storage-file] } } @@ -107,6 +107,6 @@ void test_gets() { char password[1024]; - gets(password); // BAD + gets(password); // BAD // $ Alert[cpp/cleartext-storage-buffer] } } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp index 35700d229e7..bd89d8b4d9c 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp @@ -19,11 +19,11 @@ void test_send(const char *password1, const char *password2, const char *passwor { LogonUserA(val(), val(), password1, val(), val(), val()); // proof `password1` is plaintext - send(val(), password1, strlen(password1), val()); // BAD: `password1` is sent plaintext (certainly) + send(val(), password1, strlen(password1), val()); // BAD: `password1` is sent plaintext (certainly) // $ Alert[cpp/cleartext-transmission] } { - send(val(), password2, strlen(password2), val()); // BAD: `password2` is sent plaintext (probably) + send(val(), password2, strlen(password2), val()); // BAD: `password2` is sent plaintext (probably) // $ Alert[cpp/cleartext-transmission] } { 
@@ -44,7 +44,7 @@ void test_receive() { char password[256]; - recv(val(), password, 256, val()); // BAD: `password` is received plaintext (certainly) + recv(val(), password, 256, val()); // BAD: `password` is received plaintext (certainly) // $ Alert[cpp/cleartext-transmission] LogonUserA(val(), val(), password, val(), val(), val()); // (proof `password` is plaintext) } @@ -52,7 +52,7 @@ void test_receive() { char password[256]; - recv(val(), password, 256, val()); // BAD: `password` is received plaintext (probably) + recv(val(), password, 256, val()); // BAD: `password` is received plaintext (probably) // $ Alert[cpp/cleartext-transmission] } { @@ -71,16 +71,16 @@ void test_receive() void test_dataflow(const char *password1) { { - const char *ptr = password1; + const char *ptr = password1; // $ Source[cpp/cleartext-transmission] - send(val(), ptr, strlen(ptr), val()); // BAD: `password` is sent plaintext + send(val(), ptr, strlen(ptr), val()); // BAD: `password` is sent plaintext // $ Alert[cpp/cleartext-transmission] } { char password[256]; - char *ptr = password; + char *ptr = password; // $ Source[cpp/cleartext-transmission] - recv(val(), ptr, 256, val()); // BAD: `password` is received plaintext + recv(val(), ptr, 256, val()); // BAD: `password` is received plaintext // $ Alert[cpp/cleartext-transmission] } { @@ -98,7 +98,7 @@ void test_read() char password[256]; int fd = val(); - read(fd, password, 256); // BAD: `password` is received plaintext + read(fd, password, 256); // BAD: `password` is received plaintext // $ Alert[cpp/cleartext-transmission] } { @@ -111,7 +111,7 @@ void test_read() void my_recv(char *buffer, size_t bufferSize) { - recv(val(), buffer, bufferSize, val()); + recv(val(), buffer, bufferSize, val()); // $ Alert[cpp/cleartext-transmission] } const char *id(const char *buffer) 
@@ -123,7 +123,7 @@ char *global_password; char *get_global_str() { - return global_password; + return global_password; // $ Source[cpp/cleartext-transmission] } void test_interprocedural(const char *password1) @@ -131,19 +131,19 @@ void test_interprocedural(const char *password1) { char password[256]; - my_recv(password, 256); // BAD: `password` is received plaintext [detected in `my_recv`] + my_recv(password, 256); // BAD: `password` is received plaintext [detected in `my_recv`] // $ Source[cpp/cleartext-transmission] } { - const char *ptr = id(password1); + const char *ptr = id(password1); // $ Source[cpp/cleartext-transmission] - send(val(), ptr, strlen(ptr), val()); // BAD: `password1` is sent plaintext + send(val(), ptr, strlen(ptr), val()); // BAD: `password1` is sent plaintext // $ Alert[cpp/cleartext-transmission] } { char *data = get_global_str(); - send(val(), data, strlen(data), val()); // BAD: `global_password` is sent plaintext + send(val(), data, strlen(data), val()); // BAD: `global_password` is sent plaintext // $ Alert[cpp/cleartext-transmission] } } @@ -154,9 +154,9 @@ void test_taint(const char *password) { char buffer[16]; - strncpy(buffer, password, 16); + strncpy(buffer, password, 16); // $ Source[cpp/cleartext-transmission] buffer[15] = 0; - send(val(), buffer, 16, val()); // BAD: `password` is (partially) sent plaintext + send(val(), buffer, 16, val()); // BAD: `password` is (partially) sent plaintext // $ Alert[cpp/cleartext-transmission] } } @@ -225,7 +225,7 @@ int get_socket(int from); void test_more_stdio(const char *password) { send(get_socket(1), password, 128, val()); // GOOD: `getsocket(1)` is probably standard output - send(get_socket(val()), password, 128, val()); // BAD + send(get_socket(val()), password, 128, val()); // BAD // $ Alert[cpp/cleartext-transmission] } typedef struct {} FILE; 
@@ -238,7 +238,7 @@ void test_fgets(FILE *stream) { char password[128]; - fgets(password, 128, stream); // BAD + fgets(password, 128, stream); // BAD // $ Alert[cpp/cleartext-transmission] fgets(password, 128, STDIN_STREAM); // GOOD: `STDIN_STREAM` is probably standard input } @@ -267,9 +267,9 @@ void test_crypt_more() { char data[256], password[256]; - strcpy(data, password); // not proof of anything + strcpy(data, password); // not proof of anything // $ Source[cpp/cleartext-transmission] - send(val(), data, strlen(data), val()); // BAD: password is sent plaintext + send(val(), data, strlen(data), val()); // BAD: password is sent plaintext // $ Alert[cpp/cleartext-transmission] } } @@ -287,17 +287,17 @@ void target2(char *data) void target3(char *data) { - send(val(), data, strlen(data), val()); // BAD: data is a plaintext password + send(val(), data, strlen(data), val()); // BAD: data is a plaintext password // $ Alert[cpp/cleartext-transmission] } void target4(char *data) { - send(val(), data, strlen(data), val()); // BAD: data is a plaintext password + send(val(), data, strlen(data), val()); // BAD: data is a plaintext password // $ Alert[cpp/cleartext-transmission] } void target5(char *data) { - send(val(), data, strlen(data), val()); // BAD: from one source this is a plaintext password + send(val(), data, strlen(data), val()); // BAD: from one source this is a plaintext password // $ Alert[cpp/cleartext-transmission] } void target6(char *data) @@ -314,12 +314,12 @@ void test_multiple_sources_source(char *password1, char *password2) target2(password1); } else { target2(password1); - target3(password1); + target3(password1); // $ Source[cpp/cleartext-transmission] } if (cond()) { - char *data = password2; + char *data = password2; // $ Source[cpp/cleartext-transmission] target4(data); target5(data); 
@@ -338,7 +338,7 @@ void test_loops() { char password[256]; - recv(val(), password, 256, val()); // BAD: not encrypted + recv(val(), password, 256, val()); // BAD: not encrypted // $ Alert[cpp/cleartext-transmission] // ... } @@ -385,7 +385,7 @@ void test_more_clues() { char password[256]; - recv(val(), password, 256, val()); // BAD: not encrypted + recv(val(), password, 256, val()); // BAD: not encrypted // $ Alert[cpp/cleartext-transmission] } { @@ -411,13 +411,13 @@ void test_member_password() { packet p; - recv(val(), p.password, 256, val()); // BAD: not encrypted + recv(val(), p.password, 256, val()); // BAD: not encrypted // $ Alert[cpp/cleartext-transmission] } { packet p; - recv(val(), p.password, 256, val()); // GOOD: password is encrypted [FALSE POSITIVE] + recv(val(), p.password, 256, val()); // GOOD: password is encrypted [FALSE POSITIVE] // $ Alert[cpp/cleartext-transmission] decrypt_inplace(p.password); // proof that `password` was in fact encrypted } } @@ -428,7 +428,7 @@ void test_stdin_param(FILE *stream) { char password[128]; - fgets(password, 128, stream); // GOOD: from standard input (see call below) [FALSE POSITIVE] + fgets(password, 128, stream); // GOOD: from standard input (see call below) [FALSE POSITIVE] // $ Alert[cpp/cleartext-transmission] } void test_stdin() 
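Review bot: In `test_member_password` the second `recv(val(), p.password, 256, val())` is commented `GOOD: password is encrypted [FALSE POSITIVE]` but gets a plain `// $ Alert[cpp/cleartext-transmission]`, so a known false positive is recorded as if it were a wanted result. The inline-expectations format has a prefix for this case, so the line could end `[FALSE POSITIVE] // $ SPURIOUS: Alert[cpp/cleartext-transmission]`, which keeps the test passing today and makes the precision gap machine-readable. The same applies to the `fgets` in `test_stdin_param`, the `open` in `test2_11` (CWE-367), `it.operator++()` in `test7` (IteratorToExpiredContainer), and the `use(...)` lines in `test13` and `malloc_after_free` (UseAfterFree). The enclosing functions start or end outside these hunks.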
@@ -504,18 +504,18 @@ struct person_info void tests2(person_info *pi) { // direct cases - send(val(), pi->social_security_number, strlen(pi->social_security_number), val()); // BAD - send(val(), pi->socialSecurityNo, strlen(pi->socialSecurityNo), val()); // BAD - send(val(), pi->homePostCode, strlen(pi->homePostCode), val()); // BAD - send(val(), pi->my_zip_code, strlen(pi->my_zip_code), val()); // BAD - send(val(), pi->telephone, strlen(pi->telephone), val()); // BAD - send(val(), pi->mobile_phone_number, strlen(pi->mobile_phone_number), val()); // BAD - send(val(), pi->email, strlen(pi->email), val()); // BAD - send(val(), pi->my_credit_card_number, strlen(pi->my_credit_card_number), val()); // BAD - send(val(), pi->my_bank_account_no, strlen(pi->my_bank_account_no), val()); // BAD - send(val(), pi->employerName, strlen(pi->employerName), val()); // BAD - send(val(), pi->medical_info, strlen(pi->medical_info), val()); // BAD - send(val(), pi->license_key, strlen(pi->license_key), val()); // BAD + send(val(), pi->social_security_number, strlen(pi->social_security_number), val()); // BAD // $ Alert[cpp/cleartext-transmission] + send(val(), pi->socialSecurityNo, strlen(pi->socialSecurityNo), val()); // BAD // $ Alert[cpp/cleartext-transmission] + send(val(), pi->homePostCode, strlen(pi->homePostCode), val()); // BAD // $ Alert[cpp/cleartext-transmission] + send(val(), pi->my_zip_code, strlen(pi->my_zip_code), val()); // BAD // $ Alert[cpp/cleartext-transmission] + send(val(), pi->telephone, strlen(pi->telephone), val()); // BAD // $ Alert[cpp/cleartext-transmission] + send(val(), pi->mobile_phone_number, strlen(pi->mobile_phone_number), val()); // BAD // $ Alert[cpp/cleartext-transmission] + send(val(), pi->email, strlen(pi->email), val()); // BAD // $ Alert[cpp/cleartext-transmission] + send(val(), pi->my_credit_card_number, strlen(pi->my_credit_card_number), val()); // BAD // $ Alert[cpp/cleartext-transmission] + send(val(), pi->my_bank_account_no, 
strlen(pi->my_bank_account_no), val()); // BAD // $ Alert[cpp/cleartext-transmission] + send(val(), pi->employerName, strlen(pi->employerName), val()); // BAD // $ Alert[cpp/cleartext-transmission] + send(val(), pi->medical_info, strlen(pi->medical_info), val()); // BAD // $ Alert[cpp/cleartext-transmission] + send(val(), pi->license_key, strlen(pi->license_key), val()); // BAD // $ Alert[cpp/cleartext-transmission] send(val(), pi->license_key_hash, strlen(pi->license_key_hash), val()); // GOOD send(val(), pi->my_zip_file, strlen(pi->my_zip_file), val()); // GOOD @@ -523,14 +523,14 @@ void tests2(person_info *pi) { char buffer[1024]; - snprintf(buffer, 1024, "lat = %f\n", pi->my_latitude); - send(val(), buffer, strlen(buffer), val()); // BAD + snprintf(buffer, 1024, "lat = %f\n", pi->my_latitude); // $ Source[cpp/cleartext-transmission] + send(val(), buffer, strlen(buffer), val()); // BAD // $ Alert[cpp/cleartext-transmission] } { char buffer[1024]; - snprintf(buffer, 1024, "long = %f\n", pi->home_longitude); - send(val(), buffer, strlen(buffer), val()); // BAD + snprintf(buffer, 1024, "long = %f\n", pi->home_longitude); // $ Source[cpp/cleartext-transmission] + send(val(), buffer, strlen(buffer), val()); // BAD // $ Alert[cpp/cleartext-transmission] } { char buffer[1024]; @@ -548,15 +548,15 @@ void tests2(person_info *pi) { char buffer[1024]; - snprintf(buffer, 1024, "salary = %s\n", pi->salaryString); - send(val(), buffer, strlen(buffer), val()); // BAD + snprintf(buffer, 1024, "salary = %s\n", pi->salaryString); // $ Source[cpp/cleartext-transmission] + send(val(), buffer, strlen(buffer), val()); // BAD // $ Alert[cpp/cleartext-transmission] } { char buffer[1024]; - char *sal = pi->salaryString; + char *sal = pi->salaryString; // $ Source[cpp/cleartext-transmission] snprintf(buffer, 1024, "salary = %s\n", sal); - send(val(), buffer, strlen(buffer), val()); // BAD + send(val(), buffer, strlen(buffer), val()); // BAD // $ Alert[cpp/cleartext-transmission] } } 
@@ -568,14 +568,14 @@ void tests3() { const char *str; - str = get_home_phone(); - send(val(), str, strlen(str), val()); // BAD + str = get_home_phone(); // $ Source[cpp/cleartext-transmission] + send(val(), str, strlen(str), val()); // BAD // $ Alert[cpp/cleartext-transmission] str = get_home(); send(val(), str, strlen(str), val()); // GOOD (probably not personal info) - str = get_home_address(); - send(val(), str, strlen(str), val()); // BAD + str = get_home_address(); // $ Source[cpp/cleartext-transmission] + send(val(), str, strlen(str), val()); // BAD // $ Alert[cpp/cleartext-transmission] } int fscanf(FILE* stream, const char* format, ... ); diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected index 971cdb4f3ff..00185bff5fa 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected 
@@ -1,3 +1,10 @@ +#select +| test.cpp:24:21:24:40 | http://example.com | test.cpp:24:21:24:40 | *http://example.com | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | +| test.cpp:28:10:28:29 | http://example.com | test.cpp:28:10:28:29 | *http://example.com | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | +| test.cpp:35:23:35:42 | http://example.com | test.cpp:35:23:35:42 | *http://example.com | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | +| test.cpp:36:26:36:45 | http://example.com | test.cpp:36:26:36:45 | *http://example.com | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | +| test.cpp:46:18:46:26 | http:// | test.cpp:46:18:46:26 | *http:// | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | +| test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | *http://example.com | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | edges | test.cpp:11:26:11:28 | *url | test.cpp:15:30:15:32 | *url | provenance | | | test.cpp:24:13:24:17 | **url_g | test.cpp:38:11:38:15 | *url_g | provenance | | 
@@ -41,10 +48,3 @@ nodes | test.cpp:116:3:116:37 | *... = ... | semmle.label | *... = ... | | test.cpp:121:11:121:13 | *ptr | semmle.label | *ptr | subpaths -#select -| test.cpp:24:21:24:40 | http://example.com | test.cpp:24:21:24:40 | *http://example.com | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | -| test.cpp:28:10:28:29 | http://example.com | test.cpp:28:10:28:29 | *http://example.com | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | -| test.cpp:35:23:35:42 | http://example.com | test.cpp:35:23:35:42 | *http://example.com | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | -| test.cpp:36:26:36:45 | http://example.com | test.cpp:36:26:36:45 | *http://example.com | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | -| test.cpp:46:18:46:26 | http:// | test.cpp:46:18:46:26 | *http:// | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | -| test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | *http://example.com | test.cpp:15:30:15:32 | *url | This URL may be constructed with the HTTP protocol. | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.qlref index c9c917ad045..5a18a73768b 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-319/UseOfHttp.ql \ No newline at end of file +query: Security/CWE/CWE-319/UseOfHttp.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/test.cpp index 573e021979d..ba977d43448 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/test.cpp 
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/test.cpp @@ -12,7 +12,7 @@ void openUrl(const char *url) { // ... - host myHost = gethostbyname(url); + host myHost = gethostbyname(url); // $ Sink // ... } @@ -21,19 +21,19 @@ void doNothing(char *url) { } -const char *url_g = "http://example.com"; // BAD +const char *url_g = "http://example.com"; // BAD // $ Alert void test() { - openUrl("http://example.com"); // BAD + openUrl("http://example.com"); // BAD // $ Alert openUrl("https://example.com"); // GOOD (https) openUrl("http://localhost/example"); // GOOD (localhost) openUrl("https://localhost/example"); // GOOD (https, localhost) doNothing("http://example.com"); // GOOD (URL not used) { - const char *url_l = "http://example.com"; // BAD - const char *urls[] = { "http://example.com" }; // BAD + const char *url_l = "http://example.com"; // BAD // $ Alert + const char *urls[] = { "http://example.com" }; // BAD // $ Alert openUrl(url_g); openUrl(url_l); @@ -43,7 +43,7 @@ void test() { char buffer[1024]; - strcpy(buffer, "http://"); // BAD + strcpy(buffer, "http://"); // BAD // $ Alert strcat(buffer, "example.com"); openUrl(buffer); @@ -107,7 +107,7 @@ void test4(char *url) void test5() { - char *url_string = "http://example.com"; // BAD + char *url_string = "http://example.com"; // BAD // $ Alert char *ptr; ptr = strstr(url_string, "https://"); // GOOD (https) diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-326/InsufficientKeySize.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-326/InsufficientKeySize.expected index ca20f65bec7..4f1a66d4cdf 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-326/InsufficientKeySize.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-326/InsufficientKeySize.expected 
@@ -1,10 +1,10 @@ +#select +| test.cpp:34:5:34:38 | call to EVP_PKEY_CTX_set_dsa_paramgen_bits | test.cpp:34:45:34:48 | 1024 | test.cpp:34:45:34:48 | 1024 | The key size $@ is less than the recommended key size of 2048 bits. | test.cpp:34:45:34:48 | 1024 | 1024 | +| test.cpp:35:5:35:42 | call to EVP_PKEY_CTX_set_dh_paramgen_prime_len | test.cpp:35:49:35:52 | 1024 | test.cpp:35:49:35:52 | 1024 | The key size $@ is less than the recommended key size of 2048 bits. | test.cpp:35:49:35:52 | 1024 | 1024 | +| test.cpp:37:5:37:36 | call to EVP_PKEY_CTX_set_rsa_keygen_bits | test.cpp:37:43:37:46 | 1024 | test.cpp:37:43:37:46 | 1024 | The key size $@ is less than the recommended key size of 2048 bits. | test.cpp:37:43:37:46 | 1024 | 1024 | edges nodes | test.cpp:34:45:34:48 | 1024 | semmle.label | 1024 | | test.cpp:35:49:35:52 | 1024 | semmle.label | 1024 | | test.cpp:37:43:37:46 | 1024 | semmle.label | 1024 | subpaths -#select -| test.cpp:34:5:34:38 | call to EVP_PKEY_CTX_set_dsa_paramgen_bits | test.cpp:34:45:34:48 | 1024 | test.cpp:34:45:34:48 | 1024 | The key size $@ is less than the recommended key size of 2048 bits. | test.cpp:34:45:34:48 | 1024 | 1024 | -| test.cpp:35:5:35:42 | call to EVP_PKEY_CTX_set_dh_paramgen_prime_len | test.cpp:35:49:35:52 | 1024 | test.cpp:35:49:35:52 | 1024 | The key size $@ is less than the recommended key size of 2048 bits. | test.cpp:35:49:35:52 | 1024 | 1024 | -| test.cpp:37:5:37:36 | call to EVP_PKEY_CTX_set_rsa_keygen_bits | test.cpp:37:43:37:46 | 1024 | test.cpp:37:43:37:46 | 1024 | The key size $@ is less than the recommended key size of 2048 bits. | test.cpp:37:43:37:46 | 1024 | 1024 | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-326/InsufficientKeySize.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-326/InsufficientKeySize.qlref index e869f87150a..790ce8b2718 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-326/InsufficientKeySize.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-326/InsufficientKeySize.qlref 
@@ -1 +1,2 @@ -Security/CWE/CWE-326/InsufficientKeySize.ql \ No newline at end of file +query: Security/CWE/CWE-326/InsufficientKeySize.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-326/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-326/test.cpp index 18780fc05c0..5e606f46baf 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-326/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-326/test.cpp @@ -31,8 +31,8 @@ void test1(EVP_PKEY_CTX *ctx) { EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048); // low key sizes - EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, 1024); - EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, 1024); + EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, 1024); // $ Alert + EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, 1024); // $ Alert // RSA sets bits per-key rather than with parameters - EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 1024); + EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 1024); // $ Alert } \ No newline at end of file diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.qlref index 8424dee1a9b..ead42dd0386 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql \ No newline at end of file +query: Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp index 91af0f7eede..2ab9fc8457d 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp 
@@ -35,7 +35,7 @@ void my_implementation6(const char *str); void test_macros(void *data, size_t amount, const char *str) { - ENCRYPT_WITH_DES(data, amount); // BAD + ENCRYPT_WITH_DES(data, amount); // BAD // $ Alert ENCRYPT_WITH_RC2(data, amount); // BAD ENCRYPT_WITH_AES(data, amount); // GOOD (good algorithm) ENCRYPT_WITH_3DES(data, amount); // BAD diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp index 95fc532c842..9c8eb0933ed 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp @@ -46,7 +46,7 @@ void encrypt_bad(char *data, size_t amount, keytype key, int algo) { case ALGO_DES: { - my_des_implementation(data, amount, key); // BAD + my_des_implementation(data, amount, key); // BAD // $ Alert } break; case ALGO_AES: diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/TOCTOUFilesystemRace.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/TOCTOUFilesystemRace.qlref index c7d2e9c45f4..cbced86ff2e 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/TOCTOUFilesystemRace.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/TOCTOUFilesystemRace.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-367/TOCTOUFilesystemRace.ql \ No newline at end of file +query: Security/CWE/CWE-367/TOCTOUFilesystemRace.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/test2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/test2.cpp index 96425debc7c..4fb08a116b9 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/test2.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/test2.cpp @@ -66,7 +66,7 @@ void test2_1(const char *path) if (stat(path, &buf)) { - f = fopen(path, "r"); // BAD + f = fopen(path, "r"); // BAD // $ Alert } // ... 
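Review bot: Only `ENCRYPT_WITH_DES(data, amount)` in `test_macros` receives `// $ Alert`; the `ENCRYPT_WITH_RC2` and `ENCRYPT_WITH_3DES` lines directly below it are still commented `// BAD` with no expectation. Now that the .qlref adds the `InlineExpectationsTestQuery.ql` postprocess, an alert on an unannotated line would presumably be reported as unexpected, so these two lines need a decision either way. If the query flags them they should end `// BAD // $ Alert`, and if it does not, `// BAD // $ MISSING: Alert` states the weak-algorithm coverage gap explicitly instead of leaving it in prose. `test_macros` continues past the end of the hunk, so later macro calls may need the same check.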
@@ -80,7 +80,7 @@ void test2_2(const char *path) stat(path, &buf); if (buf.foo > 0) { - f = fopen(path, "r"); // BAD + f = fopen(path, "r"); // BAD // $ Alert } // ... @@ -95,7 +95,7 @@ void test2_3(const char *path) stat(path, buf_ptr); if (buf_ptr->foo > 0) { - f = fopen(path, "r"); // BAD + f = fopen(path, "r"); // BAD // $ Alert } // ... @@ -112,7 +112,7 @@ void test2_4(const char *path) stat(path, &buf); if (stat_condition(&buf)) { - f = fopen(path, "r"); // BAD + f = fopen(path, "r"); // BAD // $ Alert } // ... @@ -127,7 +127,7 @@ void test2_5(const char *path) stat(path, buf_ptr); if (stat_condition(buf_ptr)) { - f = fopen(path, "r"); // BAD + f = fopen(path, "r"); // BAD // $ Alert } // ... @@ -154,7 +154,7 @@ void test2_7(const char *path, int arg) if (stat(path, &buf)) { - f = open(path, arg); // BAD + f = open(path, arg); // BAD // $ Alert } // ... @@ -167,7 +167,7 @@ void test2_8(const char *path, int arg) if (lstat(path, &buf)) { - f = open(path, arg); // BAD + f = open(path, arg); // BAD // $ Alert } // ... @@ -206,7 +206,7 @@ void test2_11(const char *path, int arg) if (stat(path, &buf)) { - f = open(path, arg); // GOOD (here stat is just a redundant check that the file exists / path is valid, confirmed by the return value of open) [FALSE POSITIVE] + f = open(path, arg); // GOOD (here stat is just a redundant check that the file exists / path is valid, confirmed by the return value of open) [FALSE POSITIVE] // $ Alert if (f == -1) { // handle error @@ -225,7 +225,7 @@ void test2_12(const char *path, int arg) { if (buf.foo == 11) // check a property of the file { - f = open(path, arg); // BAD + f = open(path, arg); // BAD // $ Alert if (f == -1) { // handle error @@ -246,7 +246,7 @@ void test2_13(const char *path, int arg) return; } - f = fopen(path, "wt"); // BAD + f = fopen(path, "wt"); // BAD // $ Alert // ... } @@ -294,7 +294,7 @@ void test4_1(const char *path) fclose(f); - chmod(path, 0); // BAD + chmod(path, 0); // BAD // $ Alert } } 
@@ -326,7 +326,7 @@ void test6_1(const char *path) if (access(path)) { - f = fopen(path, "r"); // BAD + f = fopen(path, "r"); // BAD // $ Alert // ... } @@ -352,7 +352,7 @@ void test6_3(const char *path) if (!access(path)) { - f = fopen(path, "r"); // BAD + f = fopen(path, "r"); // BAD // $ Alert // ... } @@ -366,7 +366,7 @@ void test6_4(const char *path) { // ... } else { - f = fopen(path, "r"); // BAD + f = fopen(path, "r"); // BAD // $ Alert // ... } @@ -397,7 +397,7 @@ void test7_1(const char *path) fclose(f); - chmod(path, 1234); // BAD + chmod(path, 1234); // BAD // $ Alert } } @@ -405,7 +405,7 @@ void test7_1(const char *path1, const char *path2) { if (!rename(path1, path2)) { - chmod(path2, 1234); // BAD + chmod(path2, 1234); // BAD // $ Alert } } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/IteratorToExpiredContainer/IteratorToExpiredContainer.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/IteratorToExpiredContainer/IteratorToExpiredContainer.qlref index fb2d78f87df..b0ce57b346f 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/IteratorToExpiredContainer/IteratorToExpiredContainer.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/IteratorToExpiredContainer/IteratorToExpiredContainer.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-416/IteratorToExpiredContainer.ql +query: Security/CWE/CWE-416/IteratorToExpiredContainer.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/IteratorToExpiredContainer/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/IteratorToExpiredContainer/test.cpp index d4e3c5b269a..fe30cb863a4 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/IteratorToExpiredContainer/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/IteratorToExpiredContainer/test.cpp 
@@ -677,10 +677,10 @@ std::vector> return_self_by_value(const std::vector& v) { } std::vector& ref_to_first_in_returnValue_1() { - return returnValue()[0]; // BAD + return returnValue()[0]; // BAD // $ Alert } std::vector& ref_to_first_in_returnValue_2() { @@ -732,7 +732,7 @@ std::vector& ref_to_first_in_returnValue_2() { } std::vector& ref_to_first_in_returnValue_3() { - return returnValue()[0]; // BAD + return returnValue()[0]; // BAD // $ Alert } std::vector first_in_returnValue_1() { @@ -854,7 +854,7 @@ struct PlusPlusReturnByValueIterator void test7() { PlusPlusReturnByValueIterator it; - it.operator++(); // GOOD [FALSE POSITIVE] + it.operator++(); // GOOD [FALSE POSITIVE] // $ Alert it.begin(); } \ No newline at end of file diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree/UseAfterFree.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree/UseAfterFree.expected index b7decda2651..670caa2291c 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree/UseAfterFree.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree/UseAfterFree.expected 
@@ -1,3 +1,18 @@ +#select +| test.cpp:41:6:41:9 | data | test.cpp:39:7:39:10 | pointer to free output argument | test.cpp:41:6:41:9 | data | Memory may have been previously freed by $@. | test.cpp:39:2:39:5 | call to free | call to free | +| test.cpp:79:7:79:10 | data | test.cpp:75:7:75:10 | pointer to free output argument | test.cpp:79:7:79:10 | data | Memory may have been previously freed by $@. | test.cpp:75:2:75:5 | call to free | call to free | +| test.cpp:108:6:108:9 | data | test.cpp:106:7:106:10 | pointer to free output argument | test.cpp:108:6:108:9 | data | Memory may have been previously freed by $@. | test.cpp:106:2:106:5 | call to free | call to free | +| test.cpp:119:6:119:9 | data | test.cpp:116:7:116:10 | pointer to free output argument | test.cpp:119:6:119:9 | data | Memory may have been previously freed by $@. | test.cpp:116:2:116:5 | call to free | call to free | +| test.cpp:130:6:130:9 | data | test.cpp:127:7:127:10 | pointer to free output argument | test.cpp:130:6:130:9 | data | Memory may have been previously freed by $@. | test.cpp:127:2:127:5 | call to free | call to free | +| test.cpp:165:2:165:2 | c | test.cpp:164:9:164:9 | pointer to operator delete output argument | test.cpp:165:2:165:2 | c | Memory may have been previously freed by $@. | test.cpp:164:2:164:10 | delete | delete | +| test.cpp:166:3:166:4 | * ... | test.cpp:164:9:164:9 | pointer to operator delete output argument | test.cpp:166:3:166:4 | * ... | Memory may have been previously freed by $@. | test.cpp:164:2:164:10 | delete | delete | +| test.cpp:186:6:186:9 | data | test.cpp:181:7:181:10 | pointer to free output argument | test.cpp:186:6:186:9 | data | Memory may have been previously freed by $@. | test.cpp:181:2:181:5 | call to free | call to free | +| test.cpp:197:6:197:9 | data | test.cpp:192:7:192:10 | pointer to free output argument | test.cpp:197:6:197:9 | data | Memory may have been previously freed by $@. 
| test.cpp:192:2:192:5 | call to free | call to free | +| test.cpp:209:6:209:9 | data | test.cpp:203:7:203:10 | pointer to free output argument | test.cpp:209:6:209:9 | data | Memory may have been previously freed by $@. | test.cpp:203:2:203:5 | call to free | call to free | +| test.cpp:209:6:209:9 | data | test.cpp:207:8:207:11 | pointer to free output argument | test.cpp:209:6:209:9 | data | Memory may have been previously freed by $@. | test.cpp:207:3:207:6 | call to free | call to free | +| test.cpp:217:6:217:6 | x | test.cpp:216:9:216:9 | pointer to operator delete output argument | test.cpp:217:6:217:6 | x | Memory may have been previously freed by $@. | test.cpp:216:2:216:9 | delete | delete | +| test.cpp:248:12:248:15 | data | test.cpp:243:7:243:16 | pointer to free output argument | test.cpp:248:12:248:15 | data | Memory may have been previously freed by $@. | test.cpp:243:2:243:5 | call to free | call to free | +| test.cpp:255:13:255:16 | data | test.cpp:250:7:250:17 | pointer to free output argument | test.cpp:255:13:255:16 | data | Memory may have been previously freed by $@. | test.cpp:250:2:250:5 | call to free | call to free | edges | test.cpp:39:7:39:10 | pointer to free output argument | test.cpp:41:6:41:9 | data | provenance | | | test.cpp:75:7:75:10 | pointer to free output argument | test.cpp:79:7:79:10 | data | provenance | | 
@@ -58,18 +73,3 @@ nodes | test.cpp:255:9:255:10 | *i2 [data] | semmle.label | *i2 [data] | | test.cpp:255:13:255:16 | data | semmle.label | data | subpaths -#select -| test.cpp:41:6:41:9 | data | test.cpp:39:7:39:10 | pointer to free output argument | test.cpp:41:6:41:9 | data | Memory may have been previously freed by $@. | test.cpp:39:2:39:5 | call to free | call to free | -| test.cpp:79:7:79:10 | data | test.cpp:75:7:75:10 | pointer to free output argument | test.cpp:79:7:79:10 | data | Memory may have been previously freed by $@. | test.cpp:75:2:75:5 | call to free | call to free | -| test.cpp:108:6:108:9 | data | test.cpp:106:7:106:10 | pointer to free output argument | test.cpp:108:6:108:9 | data | Memory may have been previously freed by $@. | test.cpp:106:2:106:5 | call to free | call to free | -| test.cpp:119:6:119:9 | data | test.cpp:116:7:116:10 | pointer to free output argument | test.cpp:119:6:119:9 | data | Memory may have been previously freed by $@. | test.cpp:116:2:116:5 | call to free | call to free | -| test.cpp:130:6:130:9 | data | test.cpp:127:7:127:10 | pointer to free output argument | test.cpp:130:6:130:9 | data | Memory may have been previously freed by $@. | test.cpp:127:2:127:5 | call to free | call to free | -| test.cpp:165:2:165:2 | c | test.cpp:164:9:164:9 | pointer to operator delete output argument | test.cpp:165:2:165:2 | c | Memory may have been previously freed by $@. | test.cpp:164:2:164:10 | delete | delete | -| test.cpp:166:3:166:4 | * ... | test.cpp:164:9:164:9 | pointer to operator delete output argument | test.cpp:166:3:166:4 | * ... | Memory may have been previously freed by $@. | test.cpp:164:2:164:10 | delete | delete | -| test.cpp:186:6:186:9 | data | test.cpp:181:7:181:10 | pointer to free output argument | test.cpp:186:6:186:9 | data | Memory may have been previously freed by $@. 
| test.cpp:181:2:181:5 | call to free | call to free | -| test.cpp:197:6:197:9 | data | test.cpp:192:7:192:10 | pointer to free output argument | test.cpp:197:6:197:9 | data | Memory may have been previously freed by $@. | test.cpp:192:2:192:5 | call to free | call to free | -| test.cpp:209:6:209:9 | data | test.cpp:203:7:203:10 | pointer to free output argument | test.cpp:209:6:209:9 | data | Memory may have been previously freed by $@. | test.cpp:203:2:203:5 | call to free | call to free | -| test.cpp:209:6:209:9 | data | test.cpp:207:8:207:11 | pointer to free output argument | test.cpp:209:6:209:9 | data | Memory may have been previously freed by $@. | test.cpp:207:3:207:6 | call to free | call to free | -| test.cpp:217:6:217:6 | x | test.cpp:216:9:216:9 | pointer to operator delete output argument | test.cpp:217:6:217:6 | x | Memory may have been previously freed by $@. | test.cpp:216:2:216:9 | delete | delete | -| test.cpp:248:12:248:15 | data | test.cpp:243:7:243:16 | pointer to free output argument | test.cpp:248:12:248:15 | data | Memory may have been previously freed by $@. | test.cpp:243:2:243:5 | call to free | call to free | -| test.cpp:255:13:255:16 | data | test.cpp:250:7:250:17 | pointer to free output argument | test.cpp:255:13:255:16 | data | Memory may have been previously freed by $@. | test.cpp:250:2:250:5 | call to free | call to free | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree/UseAfterFree.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree/UseAfterFree.qlref index c0ef8616cdc..09609096489 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree/UseAfterFree.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree/UseAfterFree.qlref @@ -1 +1,2 @@ -Critical/UseAfterFree.ql +query: Critical/UseAfterFree.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree/test.cpp index deac3866336..251b936cc11 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseAfterFree/test.cpp @@ -36,9 +36,9 @@ void test1() char* data; data = (char *)malloc(100*sizeof(char)); use_if_nonzero(data); // GOOD - free(data); + free(data); // $ Source use_if_nonzero(data); // BAD [NOT DETECTED] - use(data); // BAD + use(data); // BAD // $ Alert } void test2() @@ -72,11 +72,11 @@ void test4() { char* data; data = (char *)malloc(100*sizeof(char)); - free(data); + free(data); // $ Source if (data) { use_if_nonzero(data); // BAD [NOT DETECTED] - use(data); // BAD + use(data); // BAD // $ Alert } } @@ -103,9 +103,9 @@ void test6() char *data, *data2; data = (char *)malloc(100*sizeof(char)); data2 = data; - free(data); + free(data); // $ Source use_if_nonzero(data2); // BAD [NOT DETECTED] - use(data); // BAD + use(data); // BAD // $ Alert } void test7() @@ -113,10 +113,10 @@ void test7() char *data, *data2; data = (char *)malloc(100*sizeof(char)); data2 = data; - free(data); + free(data); // $ Source data2 = NULL; use_if_nonzero(data); // BAD [NOT DETECTED] - use(data); // BAD + use(data); // BAD // $ Alert } void test8() @@ -124,10 +124,10 @@ void test8() char *data, *data2; data2 = (char *)malloc(100*sizeof(char)); data = data2; - free(data); + free(data); // $ Source data2 = NULL; use_if_nonzero(data); // BAD [NOT DETECTED] - use(data); // BAD + use(data); // BAD // $ Alert } void noReturnWrapper() { noReturn(); } @@ -161,9 +161,9 @@ public: void test11() { myClass* c = new myClass(); - delete(c); - c->myMethod(); // BAD - (*c).myMethod(); // BAD + delete(c); // $ Source + c->myMethod(); // BAD // $ Alert + (*c).myMethod(); // BAD // $ Alert } template T test() 
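Review bot: In `test1`, `use_if_nonzero(data); // BAD [NOT DETECTED]` sits between the new `free(data); // $ Source` and `use(data); // BAD // $ Alert` but carries no expectation of its own, so the known false negative is documented only in the free-text comment. Annotating it as `use_if_nonzero(data); // BAD [NOT DETECTED] // $ MISSING: Alert` would make the missed use-after-free part of the checked expectations. The same unannotated `[NOT DETECTED]` line appears in the `test4`, `test6`, `test7` and `test8` hunks of this file.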
@@ -178,43 +178,43 @@ template T test() void test12(int count) { char* data = NULL; - free(data); + free(data); // $ Source for (int i = 0; i < count; i++) { data = NULL; } - use(data); // BAD + use(data); // BAD // $ Alert } void test13() { char* data = NULL; - free(data); + free(data); // $ Source for (int i = 0; i < 2; i++) { data = NULL; } - use(data); // GOOD [FALSE POSITIVE] + use(data); // GOOD [FALSE POSITIVE] // $ Alert } void test14() { char* data = NULL; - free(data); + free(data); // $ Source for (int i = 0; i < 2; i++) { data = NULL; - free(data); + free(data); // $ Source } - use(data); // BAD + use(data); // BAD // $ Alert } template T test15() { T* x; use(x); // GOOD - delete x; - use(x); // BAD [NOT DETECTED] + delete x; // $ Source + use(x); // BAD [NOT DETECTED] // $ Alert } void test15runner(void) { @@ -240,17 +240,17 @@ struct myStruct { }; void malloc_after_free(myStruct *s) { - free(s->i1.data); + free(s->i1.data); // $ Source s->i1.data = (char *)malloc(100*sizeof(char)); if (s->i1.data == 0) { return; } - use(s->i1.data); // GOOD [FALSE POSITIVE] + use(s->i1.data); // GOOD [FALSE POSITIVE] // $ Alert - free(s->i2->data); + free(s->i2->data); // $ Source s->i2->data = (char *)malloc(100*sizeof(char)); if (s->i2->data == 0) { return; } - use(s->i2->data); // GOOD [FALSE POSITIVE] + use(s->i2->data); // GOOD [FALSE POSITIVE] // $ Alert } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfStringAfterLifetimeEnds/UseOfStringAfterLifetimeEnds.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfStringAfterLifetimeEnds/UseOfStringAfterLifetimeEnds.qlref index a69a1a7f4e5..a367b49f59d 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfStringAfterLifetimeEnds/UseOfStringAfterLifetimeEnds.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfStringAfterLifetimeEnds/UseOfStringAfterLifetimeEnds.qlref 
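Review bot: `use(x); // BAD [NOT DETECTED] // $ Alert` in `test15` contradicts itself: the comment says the query misses this use after `delete x`, while the new annotation expects an alert. The UseAfterFree.expected in this patch lists `test.cpp:217:6:217:6 | x` as freed by the `delete` at line 216, which appears to be this line, so the `[NOT DETECTED]` marker looks stale. Suggest `use(x); // BAD // $ Alert` so the prose and the expectation agree.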
@@ -1,2 +1,2 @@ - -Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql \ No newline at end of file +query: Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfStringAfterLifetimeEnds/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfStringAfterLifetimeEnds/test.cpp index 4b3d934088d..ebd098315a2 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfStringAfterLifetimeEnds/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfStringAfterLifetimeEnds/test.cpp @@ -162,11 +162,11 @@ void call_by_cref(const S&); void call(const char*); const char* test1(bool b1, bool b2) { - auto s1 = std::string("hello").c_str(); // BAD - auto s2 = b1 ? std::string("hello").c_str() : ""; // BAD - auto s3 = b2 ? "" : std::string("hello").c_str(); // BAD + auto s1 = std::string("hello").c_str(); // BAD // $ Alert + auto s2 = b1 ? std::string("hello").c_str() : ""; // BAD // $ Alert + auto s3 = b2 ? "" : std::string("hello").c_str(); // BAD // $ Alert const char* s4; - s4 = std::string("hello").c_str(); // BAD + s4 = std::string("hello").c_str(); // BAD // $ Alert call(std::string("hello").c_str()); // GOOD call(b1 ? std::string("hello").c_str() : ""); // GOOD 
@@ -175,24 +175,24 @@ const char* test1(bool b1, bool b2) { call_by_cref({ std::string("hello").c_str() }); // GOOD std::vector v1; - v1.push_back(std::string("hello").c_str()); // BAD + v1.push_back(std::string("hello").c_str()); // BAD // $ Alert std::vector v2; - v2.push_back({ std::string("hello").c_str() }); // BAD + v2.push_back({ std::string("hello").c_str() }); // BAD // $ Alert - S s5[] = { { std::string("hello").c_str() } }; // BAD + S s5[] = { { std::string("hello").c_str() } }; // BAD // $ Alert char c = std::string("hello").c_str()[0]; // GOOD - auto s6 = std::string("hello").data(); // BAD - auto s7 = b1 ? std::string("hello").data() : ""; // BAD - auto s8 = b2 ? "" : std::string("hello").data(); // BAD + auto s6 = std::string("hello").data(); // BAD // $ Alert + auto s7 = b1 ? std::string("hello").data() : ""; // BAD // $ Alert + auto s8 = b2 ? "" : std::string("hello").data(); // BAD // $ Alert char* s9; - s9 = std::string("hello").data(); // BAD + s9 = std::string("hello").data(); // BAD // $ Alert - const char* s13 = b1 ? std::string("hello").c_str() : s1; // BAD + const char* s13 = b1 ? std::string("hello").c_str() : s1; // BAD // $ Alert - return std::string("hello").c_str(); // BAD + return std::string("hello").c_str(); // BAD // $ Alert } void test2(bool b1, bool b2) { diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfUniquePtrAfterLifetimeEnds/UseOfUniquePointerAfterLifetimeEnds.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfUniquePtrAfterLifetimeEnds/UseOfUniquePointerAfterLifetimeEnds.qlref index 4c613e5c5ac..c2d7ade0856 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfUniquePtrAfterLifetimeEnds/UseOfUniquePointerAfterLifetimeEnds.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfUniquePtrAfterLifetimeEnds/UseOfUniquePointerAfterLifetimeEnds.qlref 
@@ -1 +1,2 @@ -Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql \ No newline at end of file +query: Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfUniquePtrAfterLifetimeEnds/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfUniquePtrAfterLifetimeEnds/test.cpp index 18cc66b8367..f133f80206a 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfUniquePtrAfterLifetimeEnds/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfUniquePtrAfterLifetimeEnds/test.cpp @@ -153,14 +153,14 @@ std::unique_ptr get_unique_ptr(); const S* test1(bool b1, bool b2) { auto s1 = *get_unique_ptr(); // GOOD - auto s1a = &*get_unique_ptr(); // BAD - auto s1b = get_unique_ptr().get(); // BAD + auto s1a = &*get_unique_ptr(); // BAD // $ Alert + auto s1b = get_unique_ptr().get(); // BAD // $ Alert auto s1c = get_unique_ptr()->s; // GOOD - auto s1d = &(get_unique_ptr()->s); // BAD - auto s2 = b1 ? get_unique_ptr().get() : nullptr; // BAD - auto s3 = b2 ? nullptr :get_unique_ptr().get(); // BAD + auto s1d = &(get_unique_ptr()->s); // BAD // $ Alert + auto s2 = b1 ? get_unique_ptr().get() : nullptr; // BAD // $ Alert + auto s3 = b2 ? nullptr :get_unique_ptr().get(); // BAD // $ Alert const S* s4; - s4 = get_unique_ptr().get(); // BAD + s4 = get_unique_ptr().get(); // BAD // $ Alert call(get_unique_ptr().get()); // GOOD call(b1 ? get_unique_ptr().get() : nullptr); // GOOD 
@@ -169,14 +169,14 @@ const S* test1(bool b1, bool b2) { call_by_ref(*get_unique_ptr()); // GOOD std::vector v1; - v1.push_back(get_unique_ptr().get()); // BAD + v1.push_back(get_unique_ptr().get()); // BAD // $ Alert - S* s5[] = { get_unique_ptr().get() }; // BAD + S* s5[] = { get_unique_ptr().get() }; // BAD // $ Alert S s6 = b1 ? *get_unique_ptr() : *get_unique_ptr(); // GOOD - S& s7 = b1 ? *get_unique_ptr() : *get_unique_ptr(); // BAD + S& s7 = b1 ? *get_unique_ptr() : *get_unique_ptr(); // BAD // $ Alert - return &*get_unique_ptr(); // BAD + return &*get_unique_ptr(); // BAD // $ Alert } void test2(bool b1, bool b2) { diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-428/UnsafeCreateProcessCall.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-428/UnsafeCreateProcessCall.cpp index 547237c2bea..cc314f35bc5 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-428/UnsafeCreateProcessCall.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-428/UnsafeCreateProcessCall.cpp @@ -100,31 +100,31 @@ void positiveTestCases() wchar_t* lpApplicationName = NULL; // CreateProcessA - CreateProcessA( //BUG + CreateProcessA( //BUG // $ Alert NULL, (char*)"C:\\Program Files\\MyApp", NULL, NULL, FALSE, 0, NULL, NULL, NULL, NULL); // CreateProcessW - CreateProcessW( //BUG + CreateProcessW( //BUG // $ Alert NULL, (wchar_t*)L"C:\\Program Files\\MyApp", NULL, NULL, FALSE, 0, NULL, NULL, NULL, NULL); // CreateProcess - CreateProcess( //BUG + CreateProcess( //BUG // $ Alert NULL, (wchar_t*)L"C:\\Program Files\\MyApp", NULL, NULL, FALSE, 0, NULL, NULL, NULL, NULL); // lpCommandLine as hardcoded variable - CreateProcess( //BUG + CreateProcess( //BUG // $ Alert NULL, (wchar_t*)lpCommandLine, NULL, NULL, FALSE, 0, NULL, NULL, NULL, NULL); // CreateProcessWithTokenW - CreateProcessWithTokenW( //BUG + CreateProcessWithTokenW( //BUG // $ Alert h, LOGON_WITH_PROFILE, NULL, 
@@ -132,7 +132,7 @@ void positiveTestCases() 0, NULL, NULL, NULL, NULL); // CreateProcessWithLogonW - CreateProcessWithLogonW( //BUG + CreateProcessWithLogonW( //BUG // $ Alert (const wchar_t*)L"UserName", (const wchar_t*)L"CONTOSO", (const wchar_t*)L"", @@ -142,21 +142,21 @@ void positiveTestCases() 0, NULL, NULL, NULL, NULL); // CreateProcessAsUserA - CreateProcessAsUserA( //BUG + CreateProcessAsUserA( //BUG // $ Alert h, NULL, (char*)"C:\\Program Files\\MyApp", NULL, NULL, FALSE, 0, NULL, NULL, NULL, NULL); // CreateProcessAsUserW - CreateProcessAsUserW( //BUG + CreateProcessAsUserW( //BUG // $ Alert h, NULL, (wchar_t*)L"C:\\Program Files\\MyApp", NULL, NULL, FALSE, 0, NULL, NULL, NULL, NULL); // CreateProcessAsUser - CreateProcessAsUser( //BUG + CreateProcessAsUser( //BUG // $ Alert h, NULL, (wchar_t*)L"C:\\Program Files\\MyApp", @@ -164,7 +164,7 @@ void positiveTestCases() // CreateProcess with a hardcoded variable for application Name (NULL) // Variation: tab instead of space - CreateProcess( //BUG + CreateProcess( //BUG // $ Alert lpApplicationName, (wchar_t*)L"C:\\Program\tFiles\\MyApp", NULL, NULL, FALSE, 0, NULL, NULL, NULL, NULL); @@ -173,7 +173,7 @@ void positiveTestCases() void PositiveTestCasesWithCmdLineParameter(wchar_t* lpCommandLine) { // lpCommandLine as variable - CreateProcess( //BUG - Depends on the caller + CreateProcess( //BUG - Depends on the caller // $ Alert NULL, lpCommandLine, NULL, NULL, FALSE, 0, NULL, NULL, NULL, NULL); @@ -206,7 +206,7 @@ void PositiveTestCasesWithAppNameParameter(wchar_t* lpApplicationName) { void* h = 0; - CreateProcessWithTokenW( //BUG - Depends on the caller. In this case the caller sends NULL + CreateProcessWithTokenW( //BUG - Depends on the caller. In this case the caller sends NULL // $ Alert h, LOGON_WITH_PROFILE, lpApplicationName, 
@@ -255,7 +255,7 @@ void TestCaseProbablyBug() lpApplicationName = (const wchar_t*)L"app.exe"; } - CreateProcessWithLogonW( // BUG (Probably - depends on a condition that may be false) + CreateProcessWithLogonW( // BUG (Probably - depends on a condition that may be false) // $ Alert (const wchar_t*)L"UserName", (const wchar_t*)L"CONTOSO", (const wchar_t*)L"", diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-428/UnsafeCreateProcessCall.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-428/UnsafeCreateProcessCall.qlref index f2012f0c678..75d4eecadc1 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-428/UnsafeCreateProcessCall.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-428/UnsafeCreateProcessCall.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-428/UnsafeCreateProcessCall.ql \ No newline at end of file +query: Security/CWE/CWE-428/UnsafeCreateProcessCall.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/ConditionallyUninitializedVariable/ConditionallyUninitializedVariable.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/ConditionallyUninitializedVariable/ConditionallyUninitializedVariable.qlref index 5150d627257..81d04da795e 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/ConditionallyUninitializedVariable/ConditionallyUninitializedVariable.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/ConditionallyUninitializedVariable/ConditionallyUninitializedVariable.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql +query: Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/ConditionallyUninitializedVariable/examples.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/ConditionallyUninitializedVariable/examples.cpp index ccb15904d02..b895621db06 100644 
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/ConditionallyUninitializedVariable/examples.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/ConditionallyUninitializedVariable/examples.cpp @@ -35,7 +35,7 @@ void notifyGood(int deviceNumber) { int notifyBad(int deviceNumber) { DeviceConfig config; - initDeviceConfig(&config, deviceNumber); + initDeviceConfig(&config, deviceNumber); // $ Alert // BAD: Using config without checking the status code that is returned if (config.isEnabled) { notifyChannel(config.channel); diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/ConditionallyUninitializedVariable/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/ConditionallyUninitializedVariable/test.cpp index a3c9b0a24aa..46b9cbf8b3e 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/ConditionallyUninitializedVariable/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/ConditionallyUninitializedVariable/test.cpp @@ -19,7 +19,7 @@ void test1() int a, b, c, d, e, f; int result1, result2; - maybeInitialize1(&a); // BAD (initialization not checked) + maybeInitialize1(&a); // BAD (initialization not checked) // $ Alert use(a); if (maybeInitialize1(&b) == 1) // GOOD @@ -65,7 +65,7 @@ void test2() { int a, b; - maybeInitialize2(&a); // BAD (initialization not checked) + maybeInitialize2(&a); // BAD (initialization not checked) // $ Alert use(a); if (maybeInitialize2(&b)) // GOOD diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.expected index 6773f5aef94..d35519d860f 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.expected 
@@ -1,3 +1,18 @@ +#select +| errors.cpp:14:18:14:18 | x | errors.cpp:13:7:13:7 | definition of x | errors.cpp:13:7:13:7 | definition of x | The variable $@ may not be initialized at this access. | errors.cpp:13:7:13:7 | x | x | +| test.cpp:12:6:12:8 | foo | test.cpp:11:6:11:8 | definition of foo | test.cpp:11:6:11:8 | definition of foo | The variable $@ may not be initialized at this access. | test.cpp:11:6:11:8 | foo | foo | +| test.cpp:113:6:113:8 | foo | test.cpp:111:6:111:8 | definition of foo | test.cpp:111:6:111:8 | definition of foo | The variable $@ may not be initialized at this access. | test.cpp:111:6:111:8 | foo | foo | +| test.cpp:227:3:227:3 | x | test.cpp:226:7:226:7 | definition of x | test.cpp:226:7:226:7 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:226:7:226:7 | x | x | +| test.cpp:251:13:251:13 | i | test.cpp:249:6:249:6 | definition of i | test.cpp:249:6:249:6 | definition of i | The variable $@ may not be initialized at this access. | test.cpp:249:6:249:6 | i | i | +| test.cpp:344:10:344:10 | a | test.cpp:341:7:341:7 | definition of a | test.cpp:341:7:341:7 | definition of a | The variable $@ may not be initialized at this access. | test.cpp:341:7:341:7 | a | a | +| test.cpp:377:10:377:10 | a | test.cpp:366:7:366:7 | definition of a | test.cpp:366:7:366:7 | definition of a | The variable $@ may not be initialized at this access. | test.cpp:366:7:366:7 | a | a | +| test.cpp:386:9:386:11 | val | test.cpp:367:6:367:8 | definition of val | test.cpp:367:6:367:8 | definition of val | The variable $@ may not be initialized at this access. | test.cpp:367:6:367:8 | val | val | +| test.cpp:425:10:425:10 | j | test.cpp:422:9:422:9 | definition of j | test.cpp:422:9:422:9 | definition of j | The variable $@ may not be initialized at this access. 
| test.cpp:422:9:422:9 | j | j | +| test.cpp:444:9:444:9 | j | test.cpp:439:9:439:9 | definition of j | test.cpp:439:9:439:9 | definition of j | The variable $@ may not be initialized at this access. | test.cpp:439:9:439:9 | j | j | +| test.cpp:462:2:462:2 | x | test.cpp:460:6:460:6 | definition of x | test.cpp:460:6:460:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:460:6:460:6 | x | x | +| test.cpp:468:7:468:7 | x | test.cpp:466:6:466:6 | definition of x | test.cpp:466:6:466:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:466:6:466:6 | x | x | +| test.cpp:475:2:475:2 | x | test.cpp:472:6:472:6 | definition of x | test.cpp:472:6:472:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:472:6:472:6 | x | x | +| test.cpp:482:7:482:7 | x | test.cpp:479:6:479:6 | definition of x | test.cpp:479:6:479:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:479:6:479:6 | x | x | edges nodes | errors.cpp:13:7:13:7 | definition of x | semmle.label | definition of x | 
@@ -14,18 +29,3 @@ nodes | test.cpp:466:6:466:6 | definition of x | semmle.label | definition of x | | test.cpp:472:6:472:6 | definition of x | semmle.label | definition of x | | test.cpp:479:6:479:6 | definition of x | semmle.label | definition of x | -#select -| errors.cpp:14:18:14:18 | x | errors.cpp:13:7:13:7 | definition of x | errors.cpp:13:7:13:7 | definition of x | The variable $@ may not be initialized at this access. | errors.cpp:13:7:13:7 | x | x | -| test.cpp:12:6:12:8 | foo | test.cpp:11:6:11:8 | definition of foo | test.cpp:11:6:11:8 | definition of foo | The variable $@ may not be initialized at this access. | test.cpp:11:6:11:8 | foo | foo | -| test.cpp:113:6:113:8 | foo | test.cpp:111:6:111:8 | definition of foo | test.cpp:111:6:111:8 | definition of foo | The variable $@ may not be initialized at this access. | test.cpp:111:6:111:8 | foo | foo | -| test.cpp:227:3:227:3 | x | test.cpp:226:7:226:7 | definition of x | test.cpp:226:7:226:7 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:226:7:226:7 | x | x | -| test.cpp:251:13:251:13 | i | test.cpp:249:6:249:6 | definition of i | test.cpp:249:6:249:6 | definition of i | The variable $@ may not be initialized at this access. | test.cpp:249:6:249:6 | i | i | -| test.cpp:344:10:344:10 | a | test.cpp:341:7:341:7 | definition of a | test.cpp:341:7:341:7 | definition of a | The variable $@ may not be initialized at this access. | test.cpp:341:7:341:7 | a | a | -| test.cpp:377:10:377:10 | a | test.cpp:366:7:366:7 | definition of a | test.cpp:366:7:366:7 | definition of a | The variable $@ may not be initialized at this access. | test.cpp:366:7:366:7 | a | a | -| test.cpp:386:9:386:11 | val | test.cpp:367:6:367:8 | definition of val | test.cpp:367:6:367:8 | definition of val | The variable $@ may not be initialized at this access. 
| test.cpp:367:6:367:8 | val | val | -| test.cpp:425:10:425:10 | j | test.cpp:422:9:422:9 | definition of j | test.cpp:422:9:422:9 | definition of j | The variable $@ may not be initialized at this access. | test.cpp:422:9:422:9 | j | j | -| test.cpp:444:9:444:9 | j | test.cpp:439:9:439:9 | definition of j | test.cpp:439:9:439:9 | definition of j | The variable $@ may not be initialized at this access. | test.cpp:439:9:439:9 | j | j | -| test.cpp:462:2:462:2 | x | test.cpp:460:6:460:6 | definition of x | test.cpp:460:6:460:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:460:6:460:6 | x | x | -| test.cpp:468:7:468:7 | x | test.cpp:466:6:466:6 | definition of x | test.cpp:466:6:466:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:466:6:466:6 | x | x | -| test.cpp:475:2:475:2 | x | test.cpp:472:6:472:6 | definition of x | test.cpp:472:6:472:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:472:6:472:6 | x | x | -| test.cpp:482:7:482:7 | x | test.cpp:479:6:479:6 | definition of x | test.cpp:479:6:479:6 | definition of x | The variable $@ may not be initialized at this access. | test.cpp:479:6:479:6 | x | x | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.qlref index 834d9576ddc..402ebbae6eb 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/UninitializedLocal.qlref @@ -1 +1,2 @@ -Likely Bugs/Memory Management/UninitializedLocal.ql +query: Likely Bugs/Memory Management/UninitializedLocal.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/errors.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/errors.cpp index 07bb61f943e..ae7e767158c 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/errors.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/errors.cpp @@ -10,6 +10,6 @@ void * operator new(unsigned long, bool); void operator delete(void*, bool); int f2() { - int x; - new(true) int (x); // BAD, ignore implicit error expression + int x; // $ Source Sink + new(true) int (x); // BAD, ignore implicit error expression // $ Alert } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/test.cpp index 14c00675545..408781de438 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-457/semmle/tests/test.cpp @@ -8,8 +8,8 @@ void test1() { } void test2() { - int foo; - use(foo); // BAD + int foo; // $ Source Sink + use(foo); // BAD // $ Alert } void test3(bool b) { @@ -108,9 +108,9 @@ void test12() { } void test13() { - int foo; + int foo; // $ Source Sink &foo; - use(foo); // BAD + use(foo); // BAD // $ Alert } void init(int* p) { *p = 1; } @@ -223,8 +223,8 @@ void test19() { void test20() { - int x; - x += 0; // BAD + int x; // $ Source Sink + x += 0; // BAD // $ Alert use(x); } @@ -246,9 +246,9 @@ void test21() MyValue v1(1); MyValue v2; MyValue v3; - int i; + int i; // $ Source Sink - v3 = v1 >> i; // BAD: i is not initialized + v3 = v1 >> i; // BAD: i is not initialized // $ Alert v3 = v2 >> 1; // BAD: v2 is not initialized [NOT DETECTED] } @@ -338,10 +338,10 @@ int test28() { } int test29() { - bool a, b = true, c = true; + bool a, b = true, c = true; // $ Source Sink int val; - while ((a && b) || c) // BAD (a is uninitialized) + while ((a && b) || c) // BAD (a is uninitialized) // $ Alert { val = 1; b = false; 
@@ -363,8 +363,8 @@ int test30() { int test31() { bool loop = true; bool stop = false; - bool a, b = true, c = true; - int val; + bool a, b = true, c = true; // $ Source Sink + int val; // $ Source Sink while (loop || false) { @@ -374,7 +374,7 @@ int test31() { { stop = true; } - while ((a && b) || c) // BAD (a is uninitialized) + while ((a && b) || c) // BAD (a is uninitialized) // $ Alert { b = false; c = false; @@ -383,7 +383,7 @@ int test31() { { } while (false); - return val; // BAD + return val; // BAD // $ Alert } int test32() { @@ -419,10 +419,10 @@ int test34() { } int test35() { - int i, j; + int i, j; // $ Source Sink for (int i = 0; i < 10; i++, j = 1) { - return j; // BAD + return j; // BAD // $ Alert } } @@ -436,12 +436,12 @@ int test36() { } int test38() { - int i, j; + int i, j; // $ Source Sink for (int i = 0; false; i++, j = 1) { } - return j; // BAD + return j; // BAD // $ Alert } void test39() { @@ -457,29 +457,29 @@ void test40() { } void test41() { - int x; + int x; // $ Source Sink - x++; // BAD + x++; // BAD // $ Alert } void test42() { - int x; + int x; // $ Source Sink - void(x++); // BAD + void(x++); // BAD // $ Alert } void test43() { - int x; + int x; // $ Source Sink int y = 1; - x + y; // BAD + x + y; // BAD // $ Alert } void test44() { - int x; + int x; // $ Source Sink int y = 1; - void(x + y); // BAD + void(x + y); // BAD // $ Alert } enum class State { StateA, StateB, StateC }; diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/IncorrectPointerScaling/IncorrectPointerScaling.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/IncorrectPointerScaling/IncorrectPointerScaling.qlref index 2a673380ba1..1c96d9e4607 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/IncorrectPointerScaling/IncorrectPointerScaling.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/IncorrectPointerScaling/IncorrectPointerScaling.qlref 
@@ -1 +1,2 @@
-Security/CWE/CWE-468/IncorrectPointerScaling.ql
\ No newline at end of file
+query: Security/CWE/CWE-468/IncorrectPointerScaling.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/IncorrectPointerScaling/IncorrectPointerScalingChar.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/IncorrectPointerScaling/IncorrectPointerScalingChar.qlref
index d14a9ca77f2..bc325696a76 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/IncorrectPointerScaling/IncorrectPointerScalingChar.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/IncorrectPointerScaling/IncorrectPointerScalingChar.qlref
@@ -1 +1,2 @@
-Security/CWE/CWE-468/IncorrectPointerScalingChar.ql
+query: Security/CWE/CWE-468/IncorrectPointerScalingChar.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/IncorrectPointerScaling/IncorrectPointerScalingVoid.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/IncorrectPointerScaling/IncorrectPointerScalingVoid.qlref
index 46650070ece..1627ede6302 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/IncorrectPointerScaling/IncorrectPointerScalingVoid.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/IncorrectPointerScaling/IncorrectPointerScalingVoid.qlref
@@ -1 +1,2 @@
-Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql
+query: Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/IncorrectPointerScaling/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/IncorrectPointerScaling/test.cpp
index a4d42f4521f..9f6b046a90b 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/IncorrectPointerScaling/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/IncorrectPointerScaling/test.cpp
@@ -10,7 +10,7 @@ int test2(int i) { char *charPointer = (char *)intArray; // BAD [FALSE NEGATIVE of IncorrectPointerScaling.ql]: the pointer arithmetic // uses type char*, so the offset is not scaled by sizeof(int). - return *(int *)(charPointer + i); + return *(int *)(charPointer + i); // $ Alert[cpp/incorrect-pointer-scaling-char] } int test3(int i) { @@ -47,7 +47,7 @@ char* test7( int *p = (int*)x; // BAD: the type of x is double*, but it has been cast to int* // so the pointer add is scaled by sizeof(int). - return (char *)(p + 1); + return (char *)(p + 1); // $ Alert[cpp/suspicious-pointer-scaling] } char* test8( @@ -74,7 +74,7 @@ char* test10(int* x) { // only part of an integer is architecture-dependent. If the pointer returned // from this function is dereferenced, the result will depend on int size and // endianness regardless of whether the offset is scaled by sizeof(int). - return (char*)x + 1; + return (char*)x + 1; // $ Alert[cpp/incorrect-pointer-scaling-char] } char* test10b(int* x) { @@ -91,7 +91,7 @@ short* test10c(int* x) { // from this function is dereferenced, the result will depend on int size and // endianness regardless of whether the offset is scaled by (sizeof(int) / // sizeof(short)). - return (short*)x + 1; + return (short*)x + 1; // $ Alert[cpp/suspicious-pointer-scaling] } int test11(int* x, int* y) { @@ -116,7 +116,7 @@ int test13(mystruct *p) { // computes the byte offset of a member. Code like this is commonly seen in // projects that use C/C++ for their low-level control over memory. int offset = (char *)&p->int_field - (char *)p; - return *(int *)((char*)p + offset); + return *(int *)((char*)p + offset); // $ Alert[cpp/incorrect-pointer-scaling-char] } int test14(int arr[12][12]) { 
@@ -127,22 +127,22 @@ int test14(int arr[12][12]) { int test15(int arr[12][12]) { // BAD: the type of the pointer is int but it has been scaled by sizeof(short) - return *(int*)((short*) arr + 1); + return *(int*)((short*) arr + 1); // $ Alert[cpp/suspicious-pointer-scaling] } void* test16(int* x) { // BAD: void pointer arithmetic is not portable across compilers - return (void*)x + 1; + return (void*)x + 1; // $ Alert[cpp/suspicious-pointer-scaling-void] } void* test17(int* x) { // BAD: void pointer arithmetic is not portable across compilers - return (void*)x + sizeof(int); + return (void*)x + sizeof(int); // $ Alert[cpp/suspicious-pointer-scaling-void] } int test18(int i) { int intArray[2][2] = { {1, 2}, {3, 4} }; char *charPointer = (char *)intArray; // BAD: the pointer arithmetic uses type char*, so the offset is not scaled by sizeof(int). - return *(int *)(charPointer + i); + return *(int *)(charPointer + i); // $ Alert[cpp/incorrect-pointer-scaling-char] } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/SuspiciousAddWithSizeof.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/SuspiciousAddWithSizeof.qlref index 8c2dec10e17..bcea0a07598 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/SuspiciousAddWithSizeof.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/SuspiciousAddWithSizeof.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql \ No newline at end of file +query: Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/buildless.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/buildless.cpp index b0b590fba69..bcc4400b293 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/buildless.cpp 
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/buildless.cpp @@ -2,8 +2,8 @@ void test_buildless(const char *p_c, const short *p_short, const int *p_int, const uint8_t *p_8, const uint16_t *p_16, const uint32_t *p_32) { *(p_c + sizeof(int)); // GOOD (`sizeof(char)` is 1) - *(p_short + sizeof(int)); // BAD - *(p_int + sizeof(int)); // BAD + *(p_short + sizeof(int)); // BAD // $ Alert + *(p_int + sizeof(int)); // BAD // $ Alert *(p_8 + sizeof(int)); // GOOD (`sizeof(uint8_t)` is 1, but there's an error in the type) *(p_16 + sizeof(int)); // BAD [NOT DETECTED] *(p_32 + sizeof(int)); // BAD [NOT DETECTED] diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/test.cpp index fa2bd934cca..11073db5d6d 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/test.cpp @@ -3,7 +3,7 @@ int test1(int i) { int *intPointer = intArray; // BAD: the offset is already automatically scaled by sizeof(int), // so this code will compute the wrong offset. - return *(intPointer + (i * sizeof(int))); + return *(intPointer + (i * sizeof(int))); // $ Alert } int test2(int i) { @@ -11,7 +11,7 @@ int test2(int i) { int *intPointer = intArray; // BAD: the offset is already automatically scaled by sizeof(int), // so this code will compute the wrong offset. - return *(intPointer - (i * sizeof(int))); + return *(intPointer - (i * sizeof(int))); // $ Alert } int test3(int i) { @@ -19,7 +19,7 @@ int test3(int i) { int *intPointer = intArray; // BAD: the offset is already automatically scaled by sizeof(int), // so this code will compute the wrong offset. - return *(intPointer + sizeof(int)); + return *(intPointer + sizeof(int)); // $ Alert } int test4(int i) { 
@@ -27,7 +27,7 @@ int test4(int i) { int *intPointer = intArray; // BAD: the offset is already automatically scaled by sizeof(int), // so this code will compute the wrong offset. - return *(intPointer - sizeof(int)); + return *(intPointer - sizeof(int)); // $ Alert } int test5(int i, int j) { @@ -35,7 +35,7 @@ int test5(int i, int j) { int *intPointer = intArray; // BAD: the offset is already automatically scaled by sizeof(int), // so this code will compute the wrong offset. - return *(intPointer + (i * sizeof(int) * j)); + return *(intPointer + (i * sizeof(int) * j)); // $ Alert } void test6(int i) { @@ -58,7 +58,7 @@ void test7(int i) { int v; v = *(intPointer + i); // GOOD - v = *(intPointer + (i * sizeof(int))); // BAD: scaled twice by sizeof(int) + v = *(intPointer + (i * sizeof(int))); // BAD: scaled twice by sizeof(int) // $ Alert v = *(charPointer + i); // GOOD (actually rather dubious, but this could be correct code) v = *(charPointer + (i * sizeof(int))); // GOOD v = *(int *)(voidPointer + i); // GOOD (actually rather dubious, but this could be correct code) @@ -86,7 +86,7 @@ public: myIntsPointer((myInt *)malloc(sizeof(MyABC) * 2)) { myChar *secondPtr = myCharsPointer + sizeof(MyABC); // GOOD - myInt *secondPtrInt = myIntsPointer + sizeof(MyABC); // BAD + myInt *secondPtrInt = myIntsPointer + sizeof(MyABC); // BAD // $ Alert } private: diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/ExposedSystemData.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/ExposedSystemData.expected index e217064d1df..58f42bec0c8 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/ExposedSystemData.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/ExposedSystemData.expected @@ -1,4 +1,4 @@ +#select edges nodes subpaths -#select 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/ExposedSystemData.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/ExposedSystemData.qlref index 0c88835bf1f..0cb5a0a34d7 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/ExposedSystemData.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/ExposedSystemData.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-497/ExposedSystemData.ql \ No newline at end of file +query: Security/CWE/CWE-497/ExposedSystemData.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.expected index 3fc58925ff7..62c2ad7896b 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.expected @@ -1,8 +1,8 @@ +#select +| tests.c:70:70:70:77 | *password | tests.c:57:21:57:28 | *password | tests.c:70:70:70:77 | *password | This operation potentially exposes sensitive system data from $@. | tests.c:57:21:57:28 | *password | *password | edges | tests.c:57:21:57:28 | *password | tests.c:70:70:70:77 | *password | provenance | | nodes | tests.c:57:21:57:28 | *password | semmle.label | *password | | tests.c:70:70:70:77 | *password | semmle.label | *password | subpaths -#select -| tests.c:70:70:70:77 | *password | tests.c:57:21:57:28 | *password | tests.c:70:70:70:77 | *password | This operation potentially exposes sensitive system data from $@. | tests.c:57:21:57:28 | *password | *password | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.qlref index 4f7305ce697..fd804eefffa 100644 
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-497/PotentiallyExposedSystemData.ql \ No newline at end of file +query: Security/CWE/CWE-497/PotentiallyExposedSystemData.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/tests.c b/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/tests.c index 4b1df2a96e1..b12215c1cb7 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/tests.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/tests.c @@ -54,7 +54,7 @@ void CWE535_Info_Exposure_Shell_Error__w32_char_01_bad() if (LogonUserA( username, domain, - password, + password, // $ Source[cpp/potential-system-data-exposure] LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &pHandle) != 0) @@ -67,6 +67,6 @@ void CWE535_Info_Exposure_Shell_Error__w32_char_01_bad() printLine("Unable to login."); } /* FLAW: Write sensitive data to stderr */ - fprintf(stderr, "User attempted access with password: %s\n", password); + fprintf(stderr, "User attempted access with password: %s\n", password); // $ Alert[cpp/potential-system-data-exposure] } } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.expected index 9756dde70dd..e678961de2e 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.expected 
@@ -1,3 +1,21 @@ +#select +| tests.cpp:48:15:48:36 | *call to getenv | tests.cpp:48:15:48:36 | *call to getenv | tests.cpp:48:15:48:36 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:48:15:48:36 | *call to getenv | *call to getenv | +| tests.cpp:49:15:49:36 | *call to getenv | tests.cpp:49:15:49:36 | *call to getenv | tests.cpp:49:15:49:36 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:49:15:49:36 | *call to getenv | *call to getenv | +| tests.cpp:50:15:50:36 | *call to getenv | tests.cpp:50:15:50:36 | *call to getenv | tests.cpp:50:15:50:36 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:50:15:50:36 | *call to getenv | *call to getenv | +| tests.cpp:57:18:57:39 | *call to getenv | tests.cpp:57:18:57:39 | *call to getenv | tests.cpp:57:18:57:39 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:57:18:57:39 | *call to getenv | *call to getenv | +| tests.cpp:58:41:58:62 | *call to getenv | tests.cpp:58:41:58:62 | *call to getenv | tests.cpp:58:41:58:62 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:58:41:58:62 | *call to getenv | *call to getenv | +| tests.cpp:59:43:59:64 | *call to getenv | tests.cpp:59:43:59:64 | *call to getenv | tests.cpp:59:43:59:64 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:59:43:59:64 | *call to getenv | *call to getenv | +| tests.cpp:71:27:71:38 | *global_token | tests.cpp:62:22:62:27 | *call to getenv | tests.cpp:71:27:71:38 | *global_token | This operation potentially exposes sensitive system data from $@. | tests.cpp:62:22:62:27 | *call to getenv | *call to getenv | +| tests.cpp:73:27:73:31 | *maybe | tests.cpp:62:22:62:27 | *call to getenv | tests.cpp:73:27:73:31 | *maybe | This operation potentially exposes sensitive system data from $@. 
| tests.cpp:62:22:62:27 | *call to getenv | *call to getenv | +| tests.cpp:88:15:88:17 | *msg | tests.cpp:97:13:97:34 | *call to getenv | tests.cpp:88:15:88:17 | *msg | This operation potentially exposes sensitive system data from $@. | tests.cpp:97:13:97:34 | *call to getenv | *call to getenv | +| tests.cpp:97:13:97:34 | *call to getenv | tests.cpp:97:13:97:34 | *call to getenv | tests.cpp:97:13:97:34 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:97:13:97:34 | *call to getenv | *call to getenv | +| tests.cpp:111:15:111:17 | *tmp | tests.cpp:131:14:131:35 | *call to getenv | tests.cpp:111:15:111:17 | *tmp | This operation potentially exposes sensitive system data from $@. | tests.cpp:131:14:131:35 | *call to getenv | *call to getenv | +| tests.cpp:119:7:119:12 | *buffer | tests.cpp:132:14:132:35 | *call to getenv | tests.cpp:119:7:119:12 | *buffer | This operation potentially exposes sensitive system data from $@. | tests.cpp:132:14:132:35 | *call to getenv | *call to getenv | +| tests.cpp:124:15:124:17 | *msg | tests.cpp:133:14:133:35 | *call to getenv | tests.cpp:124:15:124:17 | *msg | This operation potentially exposes sensitive system data from $@. | tests.cpp:133:14:133:35 | *call to getenv | *call to getenv | +| tests.cpp:133:14:133:35 | *call to getenv | tests.cpp:133:14:133:35 | *call to getenv | tests.cpp:133:14:133:35 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:133:14:133:35 | *call to getenv | *call to getenv | +| tests.cpp:141:15:141:20 | *secret | tests.cpp:139:17:139:22 | *call to getenv | tests.cpp:141:15:141:20 | *secret | This operation potentially exposes sensitive system data from $@. | tests.cpp:139:17:139:22 | *call to getenv | *call to getenv | +| tests_passwd.cpp:18:29:18:31 | *pwd | tests_passwd.cpp:16:8:16:15 | *call to getpwnam | tests_passwd.cpp:18:29:18:31 | *pwd | This operation potentially exposes sensitive system data from $@. 
| tests_passwd.cpp:16:8:16:15 | *call to getpwnam | *call to getpwnam | +| tests_passwd.cpp:19:26:19:28 | *pwd | tests_passwd.cpp:16:8:16:15 | *call to getpwnam | tests_passwd.cpp:19:26:19:28 | *pwd | This operation potentially exposes sensitive system data from $@. | tests_passwd.cpp:16:8:16:15 | *call to getpwnam | *call to getpwnam | edges | tests.cpp:62:7:62:18 | **global_token | tests.cpp:62:7:62:18 | **global_token | provenance | | | tests.cpp:62:7:62:18 | **global_token | tests.cpp:69:2:69:43 | *... = ... | provenance | | 
@@ -55,21 +73,3 @@ nodes | tests_passwd.cpp:18:29:18:31 | *pwd | semmle.label | *pwd | | tests_passwd.cpp:19:26:19:28 | *pwd | semmle.label | *pwd | subpaths -#select -| tests.cpp:48:15:48:36 | *call to getenv | tests.cpp:48:15:48:36 | *call to getenv | tests.cpp:48:15:48:36 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:48:15:48:36 | *call to getenv | *call to getenv | -| tests.cpp:49:15:49:36 | *call to getenv | tests.cpp:49:15:49:36 | *call to getenv | tests.cpp:49:15:49:36 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:49:15:49:36 | *call to getenv | *call to getenv | -| tests.cpp:50:15:50:36 | *call to getenv | tests.cpp:50:15:50:36 | *call to getenv | tests.cpp:50:15:50:36 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:50:15:50:36 | *call to getenv | *call to getenv | -| tests.cpp:57:18:57:39 | *call to getenv | tests.cpp:57:18:57:39 | *call to getenv | tests.cpp:57:18:57:39 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:57:18:57:39 | *call to getenv | *call to getenv | -| tests.cpp:58:41:58:62 | *call to getenv | tests.cpp:58:41:58:62 | *call to getenv | tests.cpp:58:41:58:62 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:58:41:58:62 | *call to getenv | *call to getenv | -| tests.cpp:59:43:59:64 | *call to getenv | tests.cpp:59:43:59:64 | *call to getenv | tests.cpp:59:43:59:64 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:59:43:59:64 | *call to getenv | *call to getenv | -| tests.cpp:71:27:71:38 | *global_token | tests.cpp:62:22:62:27 | *call to getenv | tests.cpp:71:27:71:38 | *global_token | This operation potentially exposes sensitive system data from $@. 
| tests.cpp:62:22:62:27 | *call to getenv | *call to getenv | -| tests.cpp:73:27:73:31 | *maybe | tests.cpp:62:22:62:27 | *call to getenv | tests.cpp:73:27:73:31 | *maybe | This operation potentially exposes sensitive system data from $@. | tests.cpp:62:22:62:27 | *call to getenv | *call to getenv | -| tests.cpp:88:15:88:17 | *msg | tests.cpp:97:13:97:34 | *call to getenv | tests.cpp:88:15:88:17 | *msg | This operation potentially exposes sensitive system data from $@. | tests.cpp:97:13:97:34 | *call to getenv | *call to getenv | -| tests.cpp:97:13:97:34 | *call to getenv | tests.cpp:97:13:97:34 | *call to getenv | tests.cpp:97:13:97:34 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:97:13:97:34 | *call to getenv | *call to getenv | -| tests.cpp:111:15:111:17 | *tmp | tests.cpp:131:14:131:35 | *call to getenv | tests.cpp:111:15:111:17 | *tmp | This operation potentially exposes sensitive system data from $@. | tests.cpp:131:14:131:35 | *call to getenv | *call to getenv | -| tests.cpp:119:7:119:12 | *buffer | tests.cpp:132:14:132:35 | *call to getenv | tests.cpp:119:7:119:12 | *buffer | This operation potentially exposes sensitive system data from $@. | tests.cpp:132:14:132:35 | *call to getenv | *call to getenv | -| tests.cpp:124:15:124:17 | *msg | tests.cpp:133:14:133:35 | *call to getenv | tests.cpp:124:15:124:17 | *msg | This operation potentially exposes sensitive system data from $@. | tests.cpp:133:14:133:35 | *call to getenv | *call to getenv | -| tests.cpp:133:14:133:35 | *call to getenv | tests.cpp:133:14:133:35 | *call to getenv | tests.cpp:133:14:133:35 | *call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:133:14:133:35 | *call to getenv | *call to getenv | -| tests.cpp:141:15:141:20 | *secret | tests.cpp:139:17:139:22 | *call to getenv | tests.cpp:141:15:141:20 | *secret | This operation potentially exposes sensitive system data from $@. 
| tests.cpp:139:17:139:22 | *call to getenv | *call to getenv | -| tests_passwd.cpp:18:29:18:31 | *pwd | tests_passwd.cpp:16:8:16:15 | *call to getpwnam | tests_passwd.cpp:18:29:18:31 | *pwd | This operation potentially exposes sensitive system data from $@. | tests_passwd.cpp:16:8:16:15 | *call to getpwnam | *call to getpwnam | -| tests_passwd.cpp:19:26:19:28 | *pwd | tests_passwd.cpp:16:8:16:15 | *call to getpwnam | tests_passwd.cpp:19:26:19:28 | *pwd | This operation potentially exposes sensitive system data from $@. | tests_passwd.cpp:16:8:16:15 | *call to getpwnam | *call to getpwnam | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.qlref index 4f7305ce697..fd804eefffa 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-497/PotentiallyExposedSystemData.ql \ No newline at end of file +query: Security/CWE/CWE-497/PotentiallyExposedSystemData.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests.cpp index 25a071bee46..cebf2d395e3 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests.cpp 
@@ -45,21 +45,21 @@ void test1() { std::ostream cout_copy = std::cout; - std::cout << getenv("SECRET_TOKEN"); // BAD: outputs SECRET_TOKEN environment variable - std::cerr << getenv("SECRET_TOKEN"); // BAD: outputs SECRET_TOKEN environment variable - std::clog << getenv("SECRET_TOKEN"); // BAD: outputs SECRET_TOKEN environment variable + std::cout << getenv("SECRET_TOKEN"); // BAD: outputs SECRET_TOKEN environment variable // $ Alert + std::cerr << getenv("SECRET_TOKEN"); // BAD: outputs SECRET_TOKEN environment variable // $ Alert + std::clog << getenv("SECRET_TOKEN"); // BAD: outputs SECRET_TOKEN environment variable // $ Alert someotherostream << getenv("SECRET_TOKEN"); // GOOD: not output cout_copy << getenv("SECRET_TOKEN"); // BAD: outputs SECRET_TOKEN environment variable [NOT DETECTED] std::cout << getenv("USERPROFILE"); // BAD: outputs PATH environment variable [NOT DETECTED] std::cout << getenv("PATH"); // BAD: outputs PATH environment variable [NOT DETECTED] - std::cout.write(getenv("SECRET_TOKEN"), strlen(getenv("SECRET_TOKEN"))); // BAD: outputs SECRET_TOKEN environment variable - (std::cout << "SECRET_TOKEN = ").write(getenv("SECRET_TOKEN"), strlen(getenv("SECRET_TOKEN"))); // BAD: outputs SECRET_TOKEN environment variable - std::cout.write("SECRET_TOKEN = ", 7) << getenv("SECRET_TOKEN"); // BAD: outputs SECRET_TOKEN environment variable + std::cout.write(getenv("SECRET_TOKEN"), strlen(getenv("SECRET_TOKEN"))); // BAD: outputs SECRET_TOKEN environment variable // $ Alert + (std::cout << "SECRET_TOKEN = ").write(getenv("SECRET_TOKEN"), strlen(getenv("SECRET_TOKEN"))); // BAD: outputs SECRET_TOKEN environment variable // $ Alert + std::cout.write("SECRET_TOKEN = ", 7) << getenv("SECRET_TOKEN"); // BAD: outputs SECRET_TOKEN environment variable // $ Alert } -char *global_token = getenv("SECRET_TOKEN"); +char *global_token = getenv("SECRET_TOKEN"); // $ Source char *global_other = "Hello, world!"; void test2(bool cond) 
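Review bot: In test1, the context line `std::cout << getenv("USERPROFILE"); // BAD: outputs PATH environment variable [NOT DETECTED]` names the wrong variable; the comment looks copied from the `getenv("PATH")` line below it. These comments now sit next to machine-checked `$ Alert` tags and are the only record of what each case is meant to show, so I would correct it to `// BAD: outputs USERPROFILE environment variable [NOT DETECTED]` while the neighbouring lines are being edited. test1 begins before the hunk.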
@@ -68,9 +68,9 @@ void test2(bool cond) maybe = cond ? global_token : global_other; - printf("token = '%s'\n", global_token); // BAD: outputs SECRET_TOKEN environment variable + printf("token = '%s'\n", global_token); // BAD: outputs SECRET_TOKEN environment variable // $ Alert printf("other = '%s'\n", global_other); - printf("maybe = '%s'\n", maybe); // BAD: may output SECRET_TOKEN environment variable + printf("maybe = '%s'\n", maybe); // BAD: may output SECRET_TOKEN environment variable // $ Alert } void test3() @@ -85,7 +85,7 @@ void test3() void myOutputFn(const char *msg) { - printf("%s", msg); + printf("%s", msg); // $ Alert } void myOtherFn(const char *msg) @@ -94,7 +94,7 @@ void myOtherFn(const char *msg) void test4() { - myOutputFn(getenv("SECRET_TOKEN")); // BAD: outputs the SECRET_TOKEN environment variable + myOutputFn(getenv("SECRET_TOKEN")); // BAD: outputs the SECRET_TOKEN environment variable // $ Alert Source myOtherFn(getenv("SECRET_TOKEN")); // GOOD: does not output anything. } @@ -108,7 +108,7 @@ void myOutputFn3(const char *msg) { const char *tmp = msg; - printf("%s", tmp); + printf("%s", tmp); // $ Alert } void myOutputFn4(const char *msg) 
@@ -116,29 +116,29 @@ void myOutputFn4(const char *msg) char buffer[4096]; sprintf(buffer, "log: %s\n", msg); - puts(buffer); + puts(buffer); // $ Alert } void myOutputFn5(const char *msg) { - printf("%s", msg); + printf("%s", msg); // $ Alert msg = ""; } void test5() { myOutputFn2(getenv("SECRET_TOKEN")); // GOOD: myOutputFn2 doesn't actually output the parameter - myOutputFn3(getenv("SECRET_TOKEN")); // BAD: outputs the SECRET_TOKEN environment variable - myOutputFn4(getenv("SECRET_TOKEN")); // BAD: outputs the SECRET_TOKEN environment variable - myOutputFn5(getenv("SECRET_TOKEN")); // BAD: outputs the SECRET_TOKEN environment variable + myOutputFn3(getenv("SECRET_TOKEN")); // BAD: outputs the SECRET_TOKEN environment variable // $ Source + myOutputFn4(getenv("SECRET_TOKEN")); // BAD: outputs the SECRET_TOKEN environment variable // $ Source + myOutputFn5(getenv("SECRET_TOKEN")); // BAD: outputs the SECRET_TOKEN environment variable // $ Alert Source } void RtlZeroMemory(void* dst, size_t len); void test_clear_memory(char *username) { - char* secret = getenv("SECRET_TOKEN"); + char* secret = getenv("SECRET_TOKEN"); // $ Source - printf("%s", secret); // BAD + printf("%s", secret); // BAD // $ Alert RtlZeroMemory(secret, 1024); printf("%s", secret); // GOOD } \ No newline at end of file diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests_passwd.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests_passwd.cpp index 6de8ed84d06..3e3fd2158ce 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests_passwd.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests_passwd.cpp 
@@ -13,9 +13,9 @@ void test6(char *username) { passwd *pwd; - pwd = getpwnam(username); + pwd = getpwnam(username); // $ Source - printf("pw_passwd = %s\n", pwd->pw_passwd); // BAD - printf("pw_dir = %s\n", pwd->pw_dir); // BAD + printf("pw_passwd = %s\n", pwd->pw_passwd); // BAD // $ Alert + printf("pw_dir = %s\n", pwd->pw_dir); // BAD // $ Alert printf("sizeof(passwd) = %i\n", sizeof(passwd)); // GOOD } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.qlref index fe4bb214bb4..10f5cbc30be 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql +query: Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-570/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-570/test.cpp index 9df901ca5a9..f24875a137f 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-570/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-570/test.cpp @@ -18,7 +18,7 @@ void *operator new(std::size_t, const std::nothrow_t &) noexcept; void *operator new[](std::size_t, const std::nothrow_t &) noexcept; void bad_new_in_condition() { - if (!(new int)) { // BAD + if (!(new int)) { // BAD // $ Alert return; } } 
@@ -26,53 +26,53 @@ void bad_new_in_condition() { void foo(int**); void bad_new_missing_exception_handling() { - int *p1 = new int[100]; // BAD + int *p1 = new int[100]; // BAD // $ Alert if (p1 == 0) return; - int *p2 = new int[100]; // BAD + int *p2 = new int[100]; // BAD // $ Alert if (!p2) return; - int *p3 = new int[100]; // BAD + int *p3 = new int[100]; // BAD // $ Alert if (p3 == NULL) return; - int *p4 = new int[100]; // BAD + int *p4 = new int[100]; // BAD // $ Alert if (p4 == nullptr) return; - int *p5 = new int[100]; // BAD + int *p5 = new int[100]; // BAD // $ Alert if (p5) {} else return; int *p6; - p6 = new int[100]; // BAD + p6 = new int[100]; // BAD // $ Alert if (p6 == 0) return; int *p7; - p7 = new int[100]; // BAD + p7 = new int[100]; // BAD // $ Alert if (!p7) return; int *p8; - p8 = new int[100]; // BAD + p8 = new int[100]; // BAD // $ Alert if (p8 == NULL) return; int *p9; - p9 = new int[100]; // BAD + p9 = new int[100]; // BAD // $ Alert if (p9 != nullptr) { } else return; int *p10; - p10 = new int[100]; // BAD + p10 = new int[100]; // BAD // $ Alert if (p10 != 0) { } int *p11; do { - p11 = new int[100]; // BAD + p11 = new int[100]; // BAD // $ Alert } while (!p11); int* p12 = new int[100]; @@ -89,11 +89,11 @@ void bad_new_missing_exception_handling() { void bad_new_nothrow_in_exception_body() { try { - new (std::nothrow) int[100]; // BAD - int *p1 = new (std::nothrow) int[100]; // BAD + new (std::nothrow) int[100]; // BAD // $ Alert + int *p1 = new (std::nothrow) int[100]; // BAD // $ Alert int *p2; - p2 = new (std::nothrow) int[100]; // BAD + p2 = new (std::nothrow) int[100]; // BAD // $ Alert } catch (const std::bad_alloc &) { } } @@ -157,7 +157,7 @@ struct Bar { void bad_placement_new_with_exception_handling() { char buffer[1024]; - try { new (buffer) Foo; } // BAD (placement new should not fail) + try { new (buffer) Foo; } // BAD (placement new should not fail) // $ Alert catch (...) { } } 
@@ -226,7 +226,7 @@ void good_new_with_throwing_call() { void bad_new_with_nonthrowing_call() { try { - int* p1 = new(std::nothrow) int; // BAD + int* p1 = new(std::nothrow) int; // BAD // $ Alert calls_non_throwing(p1); } catch(...) { } @@ -239,7 +239,7 @@ void bad_new_with_nonthrowing_call() { void bad_new_catch_baseclass_of_bad_alloc() { try { - int* p = new(std::nothrow) int; // BAD + int* p = new(std::nothrow) int; // BAD // $ Alert } catch(const std::exception&) { } } @@ -273,7 +273,7 @@ namespace qhelp { // BAD: the allocation will throw an unhandled exception // instead of returning a null pointer. void bad1(std::size_t length) noexcept { - int* dest = new int[length]; + int* dest = new int[length]; // $ Alert if(!dest) { return; } @@ -285,7 +285,7 @@ namespace qhelp { // instead return a null pointer. void bad2(std::size_t length) noexcept { try { - int* dest = new(std::nothrow) int[length]; + int* dest = new(std::nothrow) int[length]; // $ Alert std::memset(dest, 0, length); // ... } catch(std::bad_alloc&) { diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected index 1376a03ce88..288e811fc73 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected 
@@ -1,3 +1,34 @@ +#select +| tests2.cpp:22:2:22:2 | *p | tests2.cpp:20:17:20:31 | call to SAXParser | tests2.cpp:22:2:22:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:20:17:20:31 | call to SAXParser | XML parser | +| tests2.cpp:37:2:37:2 | *p | tests2.cpp:33:17:33:31 | call to SAXParser | tests2.cpp:37:2:37:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:33:17:33:31 | call to SAXParser | XML parser | +| tests2.cpp:51:2:51:2 | *p | tests2.cpp:49:12:49:12 | call to SAXParser | tests2.cpp:51:2:51:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:49:12:49:12 | call to SAXParser | XML parser | +| tests3.cpp:25:2:25:2 | *p | tests3.cpp:23:21:23:53 | *call to createXMLReader | tests3.cpp:25:2:25:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:23:21:23:53 | *call to createXMLReader | XML parser | +| tests3.cpp:38:2:38:6 | *p_3_3 | tests3.cpp:35:24:35:56 | *call to createXMLReader | tests3.cpp:38:2:38:6 | *p_3_3 | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:35:24:35:56 | *call to createXMLReader | XML parser | +| tests3.cpp:56:2:56:6 | *p_3_5 | tests3.cpp:48:24:48:56 | *call to createXMLReader | tests3.cpp:56:2:56:6 | *p_3_5 | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:48:24:48:56 | *call to createXMLReader | XML parser | +| tests3.cpp:63:2:63:2 | *p | tests3.cpp:60:21:60:53 | *call to createXMLReader | tests3.cpp:63:2:63:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:60:21:60:53 | *call to createXMLReader | XML parser | +| tests3.cpp:70:2:70:2 | *p | tests3.cpp:67:21:67:53 | *call to createXMLReader | tests3.cpp:70:2:70:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. 
| tests3.cpp:67:21:67:53 | *call to createXMLReader | XML parser | +| tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | XML parser | +| tests4.cpp:36:34:36:50 | XML_PARSE_DTDLOAD | tests4.cpp:36:34:36:50 | XML_PARSE_DTDLOAD | tests4.cpp:36:34:36:50 | XML_PARSE_DTDLOAD | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:36:34:36:50 | XML_PARSE_DTDLOAD | XML parser | +| tests4.cpp:46:34:46:68 | ... \| ... | tests4.cpp:46:34:46:68 | ... \| ... | tests4.cpp:46:34:46:68 | ... \| ... | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:46:34:46:68 | ... \| ... | XML parser | +| tests4.cpp:77:34:77:38 | flags | tests4.cpp:77:34:77:38 | flags | tests4.cpp:77:34:77:38 | flags | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:77:34:77:38 | flags | XML parser | +| tests4.cpp:130:39:130:55 | XML_PARSE_DTDLOAD | tests4.cpp:130:39:130:55 | XML_PARSE_DTDLOAD | tests4.cpp:130:39:130:55 | XML_PARSE_DTDLOAD | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:130:39:130:55 | XML_PARSE_DTDLOAD | XML parser | +| tests5.cpp:29:2:29:2 | *p | tests5.cpp:27:25:27:38 | *call to createLSParser | tests5.cpp:29:2:29:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:27:25:27:38 | *call to createLSParser | XML parser | +| tests5.cpp:43:2:43:2 | *p | tests5.cpp:40:25:40:38 | *call to createLSParser | tests5.cpp:43:2:43:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. 
| tests5.cpp:40:25:40:38 | *call to createLSParser | XML parser | +| tests5.cpp:59:2:59:2 | *p | tests5.cpp:55:25:55:38 | *call to createLSParser | tests5.cpp:59:2:59:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:55:25:55:38 | *call to createLSParser | XML parser | +| tests5.cpp:77:2:77:5 | *g_p2 | tests5.cpp:70:17:70:30 | *call to createLSParser | tests5.cpp:77:2:77:5 | *g_p2 | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:70:17:70:30 | *call to createLSParser | XML parser | +| tests5.cpp:83:2:83:2 | *p | tests5.cpp:81:25:81:38 | *call to createLSParser | tests5.cpp:83:2:83:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:81:25:81:38 | *call to createLSParser | XML parser | +| tests5.cpp:89:2:89:2 | *p | tests5.cpp:81:25:81:38 | *call to createLSParser | tests5.cpp:89:2:89:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:81:25:81:38 | *call to createLSParser | XML parser | +| tests.cpp:17:2:17:2 | *p | tests.cpp:15:23:15:43 | call to XercesDOMParser | tests.cpp:17:2:17:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:15:23:15:43 | call to XercesDOMParser | XML parser | +| tests.cpp:31:2:31:2 | *p | tests.cpp:28:23:28:43 | call to XercesDOMParser | tests.cpp:31:2:31:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:28:23:28:43 | call to XercesDOMParser | XML parser | +| tests.cpp:39:2:39:2 | *p | tests.cpp:35:23:35:43 | call to XercesDOMParser | tests.cpp:39:2:39:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:35:23:35:43 | call to XercesDOMParser | XML parser | +| tests.cpp:56:2:56:2 | *p | tests.cpp:51:23:51:43 | call to XercesDOMParser | tests.cpp:56:2:56:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. 
| tests.cpp:51:23:51:43 | call to XercesDOMParser | XML parser | +| tests.cpp:60:2:60:2 | *p | tests.cpp:51:23:51:43 | call to XercesDOMParser | tests.cpp:60:2:60:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:51:23:51:43 | call to XercesDOMParser | XML parser | +| tests.cpp:69:2:69:2 | *p | tests.cpp:66:23:66:43 | call to XercesDOMParser | tests.cpp:69:2:69:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:66:23:66:43 | call to XercesDOMParser | XML parser | +| tests.cpp:80:2:80:2 | *p | tests.cpp:73:23:73:43 | call to XercesDOMParser | tests.cpp:80:2:80:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:73:23:73:43 | call to XercesDOMParser | XML parser | +| tests.cpp:88:3:88:3 | *q | tests.cpp:85:24:85:44 | call to XercesDOMParser | tests.cpp:88:3:88:3 | *q | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:85:24:85:44 | call to XercesDOMParser | XML parser | +| tests.cpp:104:3:104:3 | *q | tests.cpp:100:24:100:44 | call to XercesDOMParser | tests.cpp:104:3:104:3 | *q | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:100:24:100:44 | call to XercesDOMParser | XML parser | +| tests.cpp:113:2:113:2 | *p | tests.cpp:122:23:122:43 | call to XercesDOMParser | tests.cpp:113:2:113:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:122:23:122:43 | call to XercesDOMParser | XML parser | +| tests.cpp:117:2:117:2 | *p | tests.cpp:122:23:122:43 | call to XercesDOMParser | tests.cpp:117:2:117:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:122:23:122:43 | call to XercesDOMParser | XML parser | edges | tests2.cpp:20:17:20:31 | *new | tests2.cpp:22:2:22:2 | *p | provenance | | | tests2.cpp:20:17:20:31 | call to SAXParser | tests2.cpp:20:17:20:31 | *new | provenance | | 
@@ -185,34 +216,3 @@ nodes | tests.cpp:128:18:128:18 | *q | semmle.label | *q | subpaths | tests.cpp:126:18:126:18 | *q | tests.cpp:112:39:112:39 | *p | tests.cpp:112:39:112:39 | *p | tests.cpp:126:18:126:18 | test10_doParseB output argument | -#select -| tests2.cpp:22:2:22:2 | *p | tests2.cpp:20:17:20:31 | call to SAXParser | tests2.cpp:22:2:22:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:20:17:20:31 | call to SAXParser | XML parser | -| tests2.cpp:37:2:37:2 | *p | tests2.cpp:33:17:33:31 | call to SAXParser | tests2.cpp:37:2:37:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:33:17:33:31 | call to SAXParser | XML parser | -| tests2.cpp:51:2:51:2 | *p | tests2.cpp:49:12:49:12 | call to SAXParser | tests2.cpp:51:2:51:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:49:12:49:12 | call to SAXParser | XML parser | -| tests3.cpp:25:2:25:2 | *p | tests3.cpp:23:21:23:53 | *call to createXMLReader | tests3.cpp:25:2:25:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:23:21:23:53 | *call to createXMLReader | XML parser | -| tests3.cpp:38:2:38:6 | *p_3_3 | tests3.cpp:35:24:35:56 | *call to createXMLReader | tests3.cpp:38:2:38:6 | *p_3_3 | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:35:24:35:56 | *call to createXMLReader | XML parser | -| tests3.cpp:56:2:56:6 | *p_3_5 | tests3.cpp:48:24:48:56 | *call to createXMLReader | tests3.cpp:56:2:56:6 | *p_3_5 | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:48:24:48:56 | *call to createXMLReader | XML parser | -| tests3.cpp:63:2:63:2 | *p | tests3.cpp:60:21:60:53 | *call to createXMLReader | tests3.cpp:63:2:63:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. 
| tests3.cpp:60:21:60:53 | *call to createXMLReader | XML parser | -| tests3.cpp:70:2:70:2 | *p | tests3.cpp:67:21:67:53 | *call to createXMLReader | tests3.cpp:70:2:70:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:67:21:67:53 | *call to createXMLReader | XML parser | -| tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:26:34:26:48 | XML_PARSE_NOENT | XML parser | -| tests4.cpp:36:34:36:50 | XML_PARSE_DTDLOAD | tests4.cpp:36:34:36:50 | XML_PARSE_DTDLOAD | tests4.cpp:36:34:36:50 | XML_PARSE_DTDLOAD | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:36:34:36:50 | XML_PARSE_DTDLOAD | XML parser | -| tests4.cpp:46:34:46:68 | ... \| ... | tests4.cpp:46:34:46:68 | ... \| ... | tests4.cpp:46:34:46:68 | ... \| ... | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:46:34:46:68 | ... \| ... | XML parser | -| tests4.cpp:77:34:77:38 | flags | tests4.cpp:77:34:77:38 | flags | tests4.cpp:77:34:77:38 | flags | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:77:34:77:38 | flags | XML parser | -| tests4.cpp:130:39:130:55 | XML_PARSE_DTDLOAD | tests4.cpp:130:39:130:55 | XML_PARSE_DTDLOAD | tests4.cpp:130:39:130:55 | XML_PARSE_DTDLOAD | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:130:39:130:55 | XML_PARSE_DTDLOAD | XML parser | -| tests5.cpp:29:2:29:2 | *p | tests5.cpp:27:25:27:38 | *call to createLSParser | tests5.cpp:29:2:29:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. 
| tests5.cpp:27:25:27:38 | *call to createLSParser | XML parser | -| tests5.cpp:43:2:43:2 | *p | tests5.cpp:40:25:40:38 | *call to createLSParser | tests5.cpp:43:2:43:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:40:25:40:38 | *call to createLSParser | XML parser | -| tests5.cpp:59:2:59:2 | *p | tests5.cpp:55:25:55:38 | *call to createLSParser | tests5.cpp:59:2:59:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:55:25:55:38 | *call to createLSParser | XML parser | -| tests5.cpp:77:2:77:5 | *g_p2 | tests5.cpp:70:17:70:30 | *call to createLSParser | tests5.cpp:77:2:77:5 | *g_p2 | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:70:17:70:30 | *call to createLSParser | XML parser | -| tests5.cpp:83:2:83:2 | *p | tests5.cpp:81:25:81:38 | *call to createLSParser | tests5.cpp:83:2:83:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:81:25:81:38 | *call to createLSParser | XML parser | -| tests5.cpp:89:2:89:2 | *p | tests5.cpp:81:25:81:38 | *call to createLSParser | tests5.cpp:89:2:89:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:81:25:81:38 | *call to createLSParser | XML parser | -| tests.cpp:17:2:17:2 | *p | tests.cpp:15:23:15:43 | call to XercesDOMParser | tests.cpp:17:2:17:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:15:23:15:43 | call to XercesDOMParser | XML parser | -| tests.cpp:31:2:31:2 | *p | tests.cpp:28:23:28:43 | call to XercesDOMParser | tests.cpp:31:2:31:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:28:23:28:43 | call to XercesDOMParser | XML parser | -| tests.cpp:39:2:39:2 | *p | tests.cpp:35:23:35:43 | call to XercesDOMParser | tests.cpp:39:2:39:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. 
| tests.cpp:35:23:35:43 | call to XercesDOMParser | XML parser | -| tests.cpp:56:2:56:2 | *p | tests.cpp:51:23:51:43 | call to XercesDOMParser | tests.cpp:56:2:56:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:51:23:51:43 | call to XercesDOMParser | XML parser | -| tests.cpp:60:2:60:2 | *p | tests.cpp:51:23:51:43 | call to XercesDOMParser | tests.cpp:60:2:60:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:51:23:51:43 | call to XercesDOMParser | XML parser | -| tests.cpp:69:2:69:2 | *p | tests.cpp:66:23:66:43 | call to XercesDOMParser | tests.cpp:69:2:69:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:66:23:66:43 | call to XercesDOMParser | XML parser | -| tests.cpp:80:2:80:2 | *p | tests.cpp:73:23:73:43 | call to XercesDOMParser | tests.cpp:80:2:80:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:73:23:73:43 | call to XercesDOMParser | XML parser | -| tests.cpp:88:3:88:3 | *q | tests.cpp:85:24:85:44 | call to XercesDOMParser | tests.cpp:88:3:88:3 | *q | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:85:24:85:44 | call to XercesDOMParser | XML parser | -| tests.cpp:104:3:104:3 | *q | tests.cpp:100:24:100:44 | call to XercesDOMParser | tests.cpp:104:3:104:3 | *q | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:100:24:100:44 | call to XercesDOMParser | XML parser | -| tests.cpp:113:2:113:2 | *p | tests.cpp:122:23:122:43 | call to XercesDOMParser | tests.cpp:113:2:113:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:122:23:122:43 | call to XercesDOMParser | XML parser | -| tests.cpp:117:2:117:2 | *p | tests.cpp:122:23:122:43 | call to XercesDOMParser | tests.cpp:117:2:117:2 | *p | This $@ is not configured to prevent an XML external entity (XXE) attack. 
| tests.cpp:122:23:122:43 | call to XercesDOMParser | XML parser | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.qlref index 866f8697caf..185788f319d 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-611/XXE.ql +query: Security/CWE/CWE-611/XXE.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests.cpp index 51ae57f54d9..2c0e719c39b 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests.cpp @@ -12,9 +12,9 @@ public: // --- void test1(InputSource &data) { - XercesDOMParser *p = new XercesDOMParser(); + XercesDOMParser *p = new XercesDOMParser(); // $ Source - p->parse(data); // BAD (parser not correctly configured) + p->parse(data); // BAD (parser not correctly configured) // $ Alert } void test2(InputSource &data) { @@ -25,18 +25,18 @@ void test2(InputSource &data) { } void test3(InputSource &data) { - XercesDOMParser *p = new XercesDOMParser(); + XercesDOMParser *p = new XercesDOMParser(); // $ Source p->setDisableDefaultEntityResolution(false); - p->parse(data); // BAD (parser not correctly configured) + p->parse(data); // BAD (parser not correctly configured) // $ Alert } void test4(InputSource &data) { - XercesDOMParser *p = new XercesDOMParser(); + XercesDOMParser *p = new XercesDOMParser(); // $ Source p->setDisableDefaultEntityResolution(true); p->setCreateEntityReferenceNodes(false); - p->parse(data); // BAD (parser not correctly configured) + p->parse(data); // BAD (parser not correctly configured) // $ Alert } void test5(InputSource &data) { 
@@ -48,44 +48,44 @@ void test5(InputSource &data) { } void test6(InputSource &data) { - XercesDOMParser *p = new XercesDOMParser(); + XercesDOMParser *p = new XercesDOMParser(); // $ Source p->setDisableDefaultEntityResolution(true); p->parse(data); // GOOD p->setDisableDefaultEntityResolution(false); - p->parse(data); // BAD (parser not correctly configured) + p->parse(data); // BAD (parser not correctly configured) // $ Alert p->setDisableDefaultEntityResolution(true); p->parse(data); // GOOD p->setCreateEntityReferenceNodes(false); - p->parse(data); // BAD (parser not correctly configured) + p->parse(data); // BAD (parser not correctly configured) // $ Alert p->setCreateEntityReferenceNodes(true); p->parse(data); // GOOD } void test7(InputSource &data, bool cond) { - XercesDOMParser *p = new XercesDOMParser(); + XercesDOMParser *p = new XercesDOMParser(); // $ Source p->setDisableDefaultEntityResolution(cond); - p->parse(data); // BAD (parser may not be correctly configured) + p->parse(data); // BAD (parser may not be correctly configured) // $ Alert } void test8(InputSource &data, bool cond) { - XercesDOMParser *p = new XercesDOMParser(); + XercesDOMParser *p = new XercesDOMParser(); // $ Source if (cond) { p->setDisableDefaultEntityResolution(true); } - p->parse(data); // BAD (parser may not be correctly configured) + p->parse(data); // BAD (parser may not be correctly configured) // $ Alert } void test9(InputSource &data) { { - XercesDOMParser *p = new XercesDOMParser(); + XercesDOMParser *p = new XercesDOMParser(); // $ Source XercesDOMParser &q = *p; - q.parse(data); // BAD (parser not correctly configured) + q.parse(data); // BAD (parser not correctly configured) // $ Alert } { 
@@ -97,11 +97,11 @@ void test9(InputSource &data) { } { - XercesDOMParser *p = new XercesDOMParser(); + XercesDOMParser *p = new XercesDOMParser(); // $ Source XercesDOMParser &q = *p; p->setDisableDefaultEntityResolution(true); - q.parse(data); // GOOD [FALSE POSITIVE] + q.parse(data); // GOOD [FALSE POSITIVE] // $ Alert } } @@ -110,16 +110,16 @@ void test10_doParseA(XercesDOMParser *p, InputSource &data) { } void test10_doParseB(XercesDOMParser *p, InputSource &data) { - p->parse(data); // BAD (parser not correctly configured) + p->parse(data); // BAD (parser not correctly configured) // $ Alert } void test10_doParseC(XercesDOMParser *p, InputSource &data) { - p->parse(data); // BAD (parser may not be correctly configured) + p->parse(data); // BAD (parser may not be correctly configured) // $ Alert } void test10(InputSource &data) { XercesDOMParser *p = new XercesDOMParser(); - XercesDOMParser *q = new XercesDOMParser(); + XercesDOMParser *q = new XercesDOMParser(); // $ Source p->setDisableDefaultEntityResolution(true); test10_doParseA(p, data); diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests2.cpp index 8154536fd95..93b2f34f64d 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests2.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests2.cpp @@ -17,9 +17,9 @@ public: // --- void test2_1(InputSource &data) { - SAXParser *p = new SAXParser(); + SAXParser *p = new SAXParser(); // $ Source - p->parse(data); // BAD (parser not correctly configured) + p->parse(data); // BAD (parser not correctly configured) // $ Alert } void test2_2(InputSource &data) { 
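Review bot: The `q.parse(data); // GOOD [FALSE POSITIVE]` line in the last block of `test9` gets a plain `// $ Alert`, which records a known false positive as if it were a wanted result. If the inline-expectations postprocessor used here accepts the `SPURIOUS:` prefix, `q.parse(data); // GOOD [FALSE POSITIVE] // $ SPURIOUS: Alert` would keep that status machine-readable, so a later precision fix to the XXE query reads as an improvement rather than a lost expectation. The paired `// $ Source` on the `new XercesDOMParser()` line would presumably need the same treatment. The same point applies to `p_3_5->parse(data)` in tests3.cpp `test3_5` and to the `[FALSE POSITIVE]` lines in the CWE-764 test.cpp (`test_10`, `test_11`, `test_mutex`). `test9` starts and ends outside this hunk.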
@@ -30,11 +30,11 @@ void test2_2(InputSource &data) { } void test2_3(InputSource &data) { - SAXParser *p = new SAXParser(); + SAXParser *p = new SAXParser(); // $ Source bool v = false; p->setDisableDefaultEntityResolution(v); - p->parse(data); // BAD (parser not correctly configured) + p->parse(data); // BAD (parser not correctly configured) // $ Alert } void test2_4(InputSource &data) { @@ -46,9 +46,9 @@ void test2_4(InputSource &data) { } void test2_5(InputSource &data) { - SAXParser p; + SAXParser p; // $ Source - p.parse(data); // BAD (parser not correctly configured) + p.parse(data); // BAD (parser not correctly configured) // $ Alert } void test2_6(InputSource &data) { diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests3.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests3.cpp index 064eadac4fa..29b5a2b5e90 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests3.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests3.cpp @@ -20,9 +20,9 @@ public: // --- void test3_1(InputSource &data) { - SAX2XMLReader *p = XMLReaderFactory::createXMLReader(); + SAX2XMLReader *p = XMLReaderFactory::createXMLReader(); // $ Source - p->parse(data); // BAD (parser not correctly configured) + p->parse(data); // BAD (parser not correctly configured) // $ Alert } void test3_2(InputSource &data) { @@ -32,10 +32,10 @@ void test3_2(InputSource &data) { p->parse(data); // GOOD } -SAX2XMLReader *p_3_3 = XMLReaderFactory::createXMLReader(); +SAX2XMLReader *p_3_3 = XMLReaderFactory::createXMLReader(); // $ Source void test3_3(InputSource &data) { - p_3_3->parse(data); // BAD (parser not correctly configured) + p_3_3->parse(data); // BAD (parser not correctly configured) // $ Alert } SAX2XMLReader *p_3_4 = XMLReaderFactory::createXMLReader(); 
@@ -45,7 +45,7 @@ void test3_4(InputSource &data) { p_3_4->parse(data); // GOOD } -SAX2XMLReader *p_3_5 = XMLReaderFactory::createXMLReader(); +SAX2XMLReader *p_3_5 = XMLReaderFactory::createXMLReader(); // $ Source void test3_5_init() { p_3_5->setFeature(XMLUni::fgXercesDisableDefaultEntityResolution, true); @@ -53,21 +53,21 @@ void test3_5_init() { void test3_5(InputSource &data) { test3_5_init(); - p_3_5->parse(data); // GOOD [FALSE POSITIVE] + p_3_5->parse(data); // GOOD [FALSE POSITIVE] // $ Alert } void test3_6(InputSource &data) { - SAX2XMLReader *p = XMLReaderFactory::createXMLReader(); + SAX2XMLReader *p = XMLReaderFactory::createXMLReader(); // $ Source p->setFeature(XMLUni::fgXercesDisableDefaultEntityResolution, false); - p->parse(data); // BAD (parser not correctly configured) + p->parse(data); // BAD (parser not correctly configured) // $ Alert } void test3_7(InputSource &data) { - SAX2XMLReader *p = XMLReaderFactory::createXMLReader(); + SAX2XMLReader *p = XMLReaderFactory::createXMLReader(); // $ Source p->setFeature(XMLUni::fgXercesHarmlessOption, true); - p->parse(data); // BAD (parser not correctly configured) + p->parse(data); // BAD (parser not correctly configured) // $ Alert } void test3_8(InputSource &data) { diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests4.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests4.cpp index 642c1866629..bde073797ac 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests4.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests4.cpp @@ -23,7 +23,7 @@ void xmlFreeDoc(xmlDoc *ptr); void test4_1(const char *fileName) { xmlDoc *p; - p = xmlReadFile(fileName, NULL, XML_PARSE_NOENT); // BAD (parser not correctly configured) + p = xmlReadFile(fileName, NULL, XML_PARSE_NOENT); // BAD (parser not correctly configured) // $ Alert if (p != NULL) { xmlFreeDoc(p); 
@@ -33,7 +33,7 @@ void test4_1(const char *fileName) { void test4_2(const char *fileName) { xmlDoc *p; - p = xmlReadFile(fileName, NULL, XML_PARSE_DTDLOAD); // BAD (parser not correctly configured) + p = xmlReadFile(fileName, NULL, XML_PARSE_DTDLOAD); // BAD (parser not correctly configured) // $ Alert if (p != NULL) { xmlFreeDoc(p); @@ -43,7 +43,7 @@ void test4_2(const char *fileName) { void test4_3(const char *fileName) { xmlDoc *p; - p = xmlReadFile(fileName, NULL, XML_PARSE_NOENT | XML_PARSE_DTDLOAD); // BAD (parser not correctly configured) + p = xmlReadFile(fileName, NULL, XML_PARSE_NOENT | XML_PARSE_DTDLOAD); // BAD (parser not correctly configured) // $ Alert if (p != NULL) { xmlFreeDoc(p); @@ -74,7 +74,7 @@ void test4_6(const char *fileName) { xmlDoc *p; int flags = XML_PARSE_NOENT; - p = xmlReadFile(fileName, NULL, flags); // BAD (parser not correctly configured) + p = xmlReadFile(fileName, NULL, flags); // BAD (parser not correctly configured) // $ Alert if (p != NULL) { xmlFreeDoc(p); @@ -127,7 +127,7 @@ void test4_10(const char *ptr, int sz) { void test4_11(const char *ptr, int sz) { xmlDoc *p; - p = xmlReadMemory(ptr, sz, "", NULL, XML_PARSE_DTDLOAD); // BAD (parser not correctly configured) + p = xmlReadMemory(ptr, sz, "", NULL, XML_PARSE_DTDLOAD); // BAD (parser not correctly configured) // $ Alert if (p != NULL) { xmlFreeDoc(p); diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests5.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests5.cpp index 063c47b025e..b14a438ebb3 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests5.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests5.cpp 
@@ -24,9 +24,9 @@ public: // --- void test5_1(DOMImplementationLS *impl, InputSource &data) { - DOMLSParser *p = impl->createLSParser(); + DOMLSParser *p = impl->createLSParser(); // $ Source - p->parse(data); // BAD (parser not correctly configured) + p->parse(data); // BAD (parser not correctly configured) // $ Alert } void test5_2(DOMImplementationLS *impl, InputSource &data) { @@ -37,10 +37,10 @@ void test5_2(DOMImplementationLS *impl, InputSource &data) { } void test5_3(DOMImplementationLS *impl, InputSource &data) { - DOMLSParser *p = impl->createLSParser(); + DOMLSParser *p = impl->createLSParser(); // $ Source p->getDomConfig()->setParameter(XMLUni::fgXercesDisableDefaultEntityResolution, false); - p->parse(data); // BAD (parser not correctly configured) + p->parse(data); // BAD (parser not correctly configured) // $ Alert } void test5_4(DOMImplementationLS *impl, InputSource &data) { @@ -52,11 +52,11 @@ void test5_4(DOMImplementationLS *impl, InputSource &data) { } void test5_5(DOMImplementationLS *impl, InputSource &data) { - DOMLSParser *p = impl->createLSParser(); + DOMLSParser *p = impl->createLSParser(); // $ Source DOMConfiguration *cfg = p->getDomConfig(); cfg->setParameter(XMLUni::fgXercesDisableDefaultEntityResolution, false); - p->parse(data); // BAD (parser not correctly configured) + p->parse(data); // BAD (parser not correctly configured) // $ Alert } DOMImplementationLS *g_impl; 
@@ -67,26 +67,26 @@ void test5_6_init() { g_p1 = g_impl->createLSParser(); g_p1->getDomConfig()->setParameter(XMLUni::fgXercesDisableDefaultEntityResolution, true); - g_p2 = g_impl->createLSParser(); + g_p2 = g_impl->createLSParser(); // $ Source } void test5_6() { test5_6_init(); g_p1->parse(*g_data); // GOOD - g_p2->parse(*g_data); // BAD (parser not correctly configured) + g_p2->parse(*g_data); // BAD (parser not correctly configured) // $ Alert } void test5_7(DOMImplementationLS *impl, InputSource &data) { - DOMLSParser *p = impl->createLSParser(); + DOMLSParser *p = impl->createLSParser(); // $ Source - p->parse(data); // BAD (parser not correctly configured) + p->parse(data); // BAD (parser not correctly configured) // $ Alert p->getDomConfig()->setParameter(XMLUni::fgXercesDisableDefaultEntityResolution, true); p->parse(data); // GOOD p->getDomConfig()->setParameter(XMLUni::fgXercesDisableDefaultEntityResolution, false); - p->parse(data); // BAD (parser not correctly configured) + p->parse(data); // BAD (parser not correctly configured) // $ Alert } void test5_8(DOMImplementationLS *impl, InputSource &data) { diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-676/SAMATE/DangerousUseOfCin/DangerousUseOfCin.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-676/SAMATE/DangerousUseOfCin/DangerousUseOfCin.qlref index 5a35bf81fd9..a5067fc5ee1 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-676/SAMATE/DangerousUseOfCin/DangerousUseOfCin.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-676/SAMATE/DangerousUseOfCin/DangerousUseOfCin.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-676/DangerousUseOfCin.ql +query: Security/CWE/CWE-676/DangerousUseOfCin.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-676/SAMATE/DangerousUseOfCin/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-676/SAMATE/DangerousUseOfCin/test.cpp index 704c2a87b3f..a5d0d3019ae 100644 
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-676/SAMATE/DangerousUseOfCin/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-676/SAMATE/DangerousUseOfCin/test.cpp @@ -56,7 +56,7 @@ void CWE676_Use_of_Potentially_Dangerous_Function__basic_17_bad() char charBuffer[CHAR_BUFFER_SIZE]; /* FLAW: using cin in an inherently dangerous fashion */ /* INCIDENTAL CWE120 Buffer Overflow since cin extraction is unbounded. */ - cin >> charBuffer; // BAD + cin >> charBuffer; // BAD // $ Alert charBuffer[CHAR_BUFFER_SIZE-1] = '\0'; printLine(charBuffer); } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/DangerousUseOfCin/DangerousUseOfCin.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/DangerousUseOfCin/DangerousUseOfCin.qlref index 5a35bf81fd9..a5067fc5ee1 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/DangerousUseOfCin/DangerousUseOfCin.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/DangerousUseOfCin/DangerousUseOfCin.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-676/DangerousUseOfCin.ql +query: Security/CWE/CWE-676/DangerousUseOfCin.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/DangerousUseOfCin/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/DangerousUseOfCin/test.cpp index 4c5d4bb99bf..75248ba1e97 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/DangerousUseOfCin/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/DangerousUseOfCin/test.cpp @@ -49,7 +49,7 @@ void bad() { char buffer[BUFFER_SIZE]; // BAD: Use of 'cin' without specifying the length of the input. - cin >> buffer; + cin >> buffer; // $ Alert buffer[BUFFER_SIZE-1] = '\0'; } 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/DangerousFunctionOverflow.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/DangerousFunctionOverflow.qlref index e4649946851..41d5b35b3c9 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/DangerousFunctionOverflow.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/DangerousFunctionOverflow.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-676/DangerousFunctionOverflow.ql +query: Security/CWE/CWE-676/DangerousFunctionOverflow.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/PotentiallyDangerousFunction.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/PotentiallyDangerousFunction.qlref index 45388d46e2e..8fb8f0fceaf 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/PotentiallyDangerousFunction.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/PotentiallyDangerousFunction.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-676/PotentiallyDangerousFunction.ql +query: Security/CWE/CWE-676/PotentiallyDangerousFunction.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/test.c b/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/test.c index 34ca23748c8..f3629169bbc 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/test.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/test.c 
@@ -28,7 +28,7 @@ char *asctime(const struct tm *timeptr); // Code under test int is_morning() { - struct tm *now = gmtime(time(NULL)); // BAD: gmtime uses shared state + struct tm *now = gmtime(time(NULL)); // BAD: gmtime uses shared state // $ Alert[cpp/potentially-dangerous-function] return (now->tm_hour < 12); } @@ -39,13 +39,13 @@ void testGets() { char *buf2 = malloc(1024); char *s; - gets(buf1); // BAD: use of gets - s = gets(buf2); // BAD: use of gets + gets(buf1); // BAD: use of gets // $ Alert[cpp/dangerous-function-overflow] + s = gets(buf2); // BAD: use of gets // $ Alert[cpp/dangerous-function-overflow] } void testTime() { - struct tm *now = localtime(time(NULL)); // BAD: localtime uses shared state - char *time_string = ctime(time(NULL)); // BAD: localtime uses shared state - char *time_string2 = asctime(now); // BAD: localtime uses shared state + struct tm *now = localtime(time(NULL)); // BAD: localtime uses shared state // $ Alert[cpp/potentially-dangerous-function] + char *time_string = ctime(time(NULL)); // BAD: localtime uses shared state // $ Alert[cpp/potentially-dangerous-function] + char *time_string2 = asctime(now); // BAD: localtime uses shared state // $ Alert[cpp/potentially-dangerous-function] } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-732/OpenCallMissingModeArgument.c b/cpp/ql/test/query-tests/Security/CWE/CWE-732/OpenCallMissingModeArgument.c index 61243f3db1a..5bcdc9632d5 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-732/OpenCallMissingModeArgument.c +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-732/OpenCallMissingModeArgument.c 
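Review bot: The trailing comments on the `ctime` and `asctime` lines in `testTime` still read `BAD: localtime uses shared state`, although only the first of the three calls is `localtime`. Since the commit rewrites these lines anyway, each comment could name the function actually flagged, e.g. `char *time_string = ctime(time(NULL)); // BAD: ctime uses shared state // $ Alert[cpp/potentially-dangerous-function]`, and likewise `// BAD: asctime uses shared state` on the following line. That keeps the human-readable reason aligned with the call each alert annotation is attached to.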
@@ -17,13 +17,13 @@ void test_open() { open(a_file, O_NONBLOCK); // GOOD open(a_file, O_RDWR | O_CLOEXEC); // GOOD open(a_file, O_APPEND); // GOOD - open(a_file, O_CREAT); // BAD + open(a_file, O_CREAT); // BAD // $ Alert[cpp/open-call-with-mode-argument] open(a_file, O_CREAT, 0); // GOOD - open(a_file, O_TMPFILE); // BAD + open(a_file, O_TMPFILE); // BAD // $ Alert[cpp/open-call-with-mode-argument] open(a_file, O_TMPFILE, 0); // GOOD openat(0, a_file, O_APPEND); // GOOD - openat(0, a_file, O_CREAT); // BAD + openat(0, a_file, O_CREAT); // BAD // $ Alert[cpp/open-call-with-mode-argument] openat(0, a_file, O_CREAT, 0); // GOOD - openat(0, a_file, O_TMPFILE); // BAD + openat(0, a_file, O_TMPFILE); // BAD // $ Alert[cpp/open-call-with-mode-argument] openat(0, a_file, O_TMPFILE, 0); // GOOD } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-732/OpenCallMissingModeArgument.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-732/OpenCallMissingModeArgument.qlref index 68198ec2a3b..e1ff489c243 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-732/OpenCallMissingModeArgument.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-732/OpenCallMissingModeArgument.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-732/OpenCallMissingModeArgument.ql \ No newline at end of file +query: Security/CWE/CWE-732/OpenCallMissingModeArgument.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.cpp index f2f7d80e44a..09a32989a5a 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.cpp 
@@ -67,13 +67,13 @@ void Test() { PSECURITY_DESCRIPTOR pSecurityDescriptor; BOOL b; - b = SetSecurityDescriptorDacl(pSecurityDescriptor, + b = SetSecurityDescriptorDacl(pSecurityDescriptor, // $ Alert[cpp/unsafe-dacl-security-descriptor] TRUE, // Dacl Present NULL, // NULL pointer to DACL == BUG FALSE); PACL pDacl = NULL; - b = SetSecurityDescriptorDacl(pSecurityDescriptor, + b = SetSecurityDescriptorDacl(pSecurityDescriptor, // $ Alert[cpp/unsafe-dacl-security-descriptor] TRUE, // Dacl Present pDacl, // NULL pointer to DACL == BUG FALSE); @@ -117,7 +117,7 @@ void Test2() FALSE); PACL pDacl2 = returnNull(); - SetSecurityDescriptorDacl( + SetSecurityDescriptorDacl( // $ Alert[cpp/unsafe-dacl-security-descriptor] pSecurityDescriptor, TRUE, // Dacl Present pDacl2, // NULL pointer to DACL == BUG diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.qlref index 6d8a0fc4019..3484b0b876b 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql \ No newline at end of file +query: Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/DiningPhilosophers.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/DiningPhilosophers.cpp index de7ff6183f5..72ca3bf6fb8 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/DiningPhilosophers.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/DiningPhilosophers.cpp 
@@ -20,11 +20,11 @@ namespace std template void unlock (Mutex1& a, Mutex2& b, Mutexes&... cde); } -std::mutex fork1; -std::mutex fork2; -std::mutex fork3; -std::mutex fork4; -std::mutex fork5; +std::mutex fork1; // $ Alert[cpp/lock-order-cycle] +std::mutex fork2; // $ Alert[cpp/lock-order-cycle] +std::mutex fork3; // $ Alert[cpp/lock-order-cycle] +std::mutex fork4; // $ Alert[cpp/lock-order-cycle] +std::mutex fork5; // $ Alert[cpp/lock-order-cycle] void eat(int ph); diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/LockOrderCycle.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/LockOrderCycle.qlref index 0c60fed4501..fadfcb8e122 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/LockOrderCycle.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/LockOrderCycle.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-764/LockOrderCycle.ql +query: Security/CWE/CWE-764/LockOrderCycle.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/TwiceLocked.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/TwiceLocked.qlref index 95a3396b199..a7e20049403 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/TwiceLocked.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/TwiceLocked.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-764/TwiceLocked.ql +query: Security/CWE/CWE-764/TwiceLocked.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/UnreleasedLock.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/UnreleasedLock.qlref index 4ea1070113d..ca770b8b4a5 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/UnreleasedLock.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/UnreleasedLock.qlref 
@@ -1 +1,2 @@ -Security/CWE/CWE-764/UnreleasedLock.ql +query: Security/CWE/CWE-764/UnreleasedLock.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/test.cpp index 9114e545fd5..67ad8f2dd58 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-764/semmle/tests/test.cpp @@ -22,8 +22,8 @@ namespace std void test_1() { std::mutex mtx; - mtx.lock(); - mtx.lock(); + mtx.lock(); // $ Alert[cpp/unreleased-lock] + mtx.lock(); // $ Alert[cpp/twice-locked] Alert[cpp/unreleased-lock] mtx.unlock(); } @@ -32,7 +32,7 @@ void test_2() { std::mutex mtx; mtx.lock(); - mtx.lock(); + mtx.lock(); // $ Alert[cpp/twice-locked] mtx.unlock(); mtx.unlock(); } @@ -51,7 +51,7 @@ void test_3() void test_4(bool something) { std::mutex mtx; - mtx.lock(); + mtx.lock(); // $ Alert[cpp/unreleased-lock] if (something) { mtx.unlock(); } else { @@ -85,8 +85,8 @@ void test_7() { std::mutex mtx1; std::mutex mtx2; - mtx1.lock(); - mtx2.lock(); + mtx1.lock(); // $ Alert[cpp/unreleased-lock] + mtx2.lock(); // $ Alert[cpp/unreleased-lock] std::unlock(mtx1, mtx2); } @@ -105,7 +105,7 @@ void test_8() void test_9() { std::mutex mtx; - if (mtx.try_lock()) { + if (mtx.try_lock()) { // $ Alert[cpp/unreleased-lock] return; } mtx.unlock(); @@ -134,7 +134,7 @@ std::mutex static_mtx02; // Helper function for testing the inter-procedural analysis. void set02() { - static_mtx02.lock(); + static_mtx02.lock(); // $ Alert[cpp/twice-locked] } // Helper function for testing the inter-procedural analysis. @@ -153,7 +153,7 @@ std::mutex static_mtx03; // Helper function for testing the inter-procedural analysis. void set03() { - static_mtx03.lock(); + static_mtx03.lock(); // $ Alert[cpp/twice-locked] } // Helper function for testing the inter-procedural analysis. 
@@ -174,7 +174,7 @@ void interproc_test_03(int n) { // BAD. void interproc_test_04(int n) { static std::mutex mtx; - mtx.lock(); + mtx.lock(); // $ Alert[cpp/twice-locked] if (n < 10) { // BAD: recursive call will attempt to lock the mutex again. interproc_test_04(n+1); @@ -215,7 +215,7 @@ void interproc_test_06() { void interproc_test_07() { std::mutex mtx; set(mtx); - set(mtx); + set(mtx); // $ Alert[cpp/twice-locked] unset(mtx); } @@ -224,7 +224,7 @@ void interproc_test_08(std::mutex &mtx, int n) { set(mtx); if (n < 10) { // BAD: recursive call will attempt to lock the mutex again. - interproc_test_08(mtx, n+1); + interproc_test_08(mtx, n+1); // $ Alert[cpp/twice-locked] } unset(mtx); } @@ -300,7 +300,7 @@ void interproc_test_09() { void test_10() { std::mutex mtx; - if (!mtx.try_lock()) { // [FALSE POSITIVE] + if (!mtx.try_lock()) { // [FALSE POSITIVE] // $ Alert[cpp/unreleased-lock] } else { mtx.unlock(); } @@ -310,7 +310,7 @@ void test_10() void test_11() { std::mutex mtx; - if (!mtx.try_lock()) { // [FALSE POSITIVE] + if (!mtx.try_lock()) { // [FALSE POSITIVE] // $ Alert[cpp/unreleased-lock] return; } @@ -357,7 +357,7 @@ void twice_locked_1() std::mutex mtx; mtx.lock(); - mtx.lock(); + mtx.lock(); // $ Alert[cpp/twice-locked] mtx.unlock(); mtx.unlock(); } @@ -380,13 +380,13 @@ void twice_locked_3() if (mtx.try_lock()) { - mtx.lock(); + mtx.lock(); // $ Alert[cpp/twice-locked] mtx.unlock(); mtx.unlock(); } } -std::mutex static_mtx_01a, static_mtx_01b; +std::mutex static_mtx_01a, static_mtx_01b; // $ Alert[cpp/lock-order-cycle] // BAD void lock_order_1(int cond) @@ -439,7 +439,7 @@ struct data_t { bool test_mutex(data_t *data) { - CHECK(mutex_lock(&(data->mutex))); // GOOD [FALSE POSITIVE] + CHECK(mutex_lock(&(data->mutex))); // GOOD [FALSE POSITIVE] // $ Alert[cpp/unreleased-lock] data->val = 1; CHECK(mutex_unlock(&(data->mutex))); 
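Review bot: The `try_lock` lines in `test_10` and `test_11` (hunks `@@ -300,7` and `@@ -310,7`) and the `CHECK(mutex_lock(...))` line in `test_mutex` (hunk `@@ -439,7`) are already labelled `[FALSE POSITIVE]`, yet the new annotation records them as ordinary expected alerts. The inline-expectations format has a `SPURIOUS:` prefix for this case, so the `test_10` line would read `if (!mtx.try_lock()) { // $ SPURIOUS: Alert[cpp/unreleased-lock]`, and likewise for the other two. That keeps the known false positives of `cpp/unreleased-lock` distinguishable from true positives in the checked annotation rather than only in free text. The bodies of all three functions extend past their hunks.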
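Review bot: In the `@@ -380,13` hunk, the declaration `std::mutex static_mtx_01a, static_mtx_01b;` carries a single `Alert[cpp/lock-order-cycle]`, so the annotation does not say which of the two mutexes the query reports, or whether it reports both. In DiningPhilosophers.cpp each fork is declared and annotated on its own line. Declaring the two mutexes on separate lines, each with its own `// $ Alert[cpp/lock-order-cycle]` where it is flagged, would make the expectation unambiguous. `lock_order_1` begins in this hunk and continues outside it.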
@@ -479,7 +479,7 @@ int test_MyClass_good(MyClass *obj) int test_MyClass_bad(MyClass *obj) { - pthread_mutex_lock(&obj->lock); + pthread_mutex_lock(&obj->lock); // $ Alert[cpp/unreleased-lock] if (maybe()) { return -1; // BAD diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/FileMayNotBeClosed.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/FileMayNotBeClosed.qlref index fd711c007f0..8d189be099b 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/FileMayNotBeClosed.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/FileMayNotBeClosed.qlref @@ -1 +1,2 @@ -Critical/FileMayNotBeClosed.ql \ No newline at end of file +query: Critical/FileMayNotBeClosed.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/FileNeverClosed.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/FileNeverClosed.qlref index 825ac26f500..25b57b1736d 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/FileNeverClosed.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/FileNeverClosed.qlref @@ -1 +1,2 @@ -Critical/FileNeverClosed.ql +query: Critical/FileNeverClosed.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/MemoryMayNotBeFreed.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/MemoryMayNotBeFreed.qlref index 33da8e296e2..84fd18014db 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/MemoryMayNotBeFreed.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/MemoryMayNotBeFreed.qlref @@ -1 +1,2 @@ -Critical/MemoryMayNotBeFreed.ql \ No newline at end of file +query: Critical/MemoryMayNotBeFreed.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/MemoryNeverFreed.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/MemoryNeverFreed.qlref index 2d1336a55eb..108a872987d 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/MemoryNeverFreed.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/MemoryNeverFreed.qlref @@ -1 +1,2 @@ -Critical/MemoryNeverFreed.ql \ No newline at end of file +query: Critical/MemoryNeverFreed.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/tests.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/tests.cpp index e7b889deb08..83770de1c98 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/tests.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-772/SAMATE/tests.cpp @@ -68,7 +68,7 @@ namespace CWE401_Memory_Leak__new_int_17 for(i = 0; i < 1; i++) { /* POTENTIAL FLAW: Allocate memory on the heap */ - data = new int; // BAD + data = new int; // BAD // $ Alert[cpp/memory-never-freed] /* Initialize and make use of data */ *data = 5; printIntLine(*data); @@ -133,7 +133,7 @@ void CWE401_Memory_Leak__char_malloc_32_bad() { char * data = *dataPtr1; /* POTENTIAL FLAW: Allocate memory on the heap */ - data = (char *)malloc(100*sizeof(char)); // BAD + data = (char *)malloc(100*sizeof(char)); // BAD // $ Alert[cpp/memory-never-freed] /* Initialize and make use of data */ strcpy(data, "A String"); printLine(data); @@ -195,7 +195,7 @@ static void CWE401_Memory_Leak__char_malloc_32_goodB2G() void CWE401_Memory_Leak__malloc_realloc_char_01_bad() { { - char * data = (char *)malloc(100*sizeof(char)); // BAD + char * data = (char *)malloc(100*sizeof(char)); // BAD // $ Alert[cpp/memory-may-not-be-freed] /* Initialize and make use of data */ strcpy(data, "A String"); printLine(data); 
@@ -217,7 +217,7 @@ void CWE775_Missing_Release_of_File_Descriptor_or_Handle__fopen_no_close_17_bad( FILE * data; data = NULL; /* POTENTIAL FLAW: Open a file without closing it */ - data = fopen("BadSource_fopen.txt", "w+"); // BAD + data = fopen("BadSource_fopen.txt", "w+"); // BAD // $ Alert[cpp/file-never-closed] for(j = 0; j < 1; j++) { /* FLAW: No attempt to close the file */ @@ -249,7 +249,7 @@ void CWE775_Missing_Release_of_File_Descriptor_or_Handle__open_no_close_01_bad() /* Initialize data */ data = -1; /* POTENTIAL FLAW: Open a file without closing it */ - data = OPEN("BadSource_open.txt", O_RDWR|O_CREAT, S_IREAD|S_IWRITE); // BAD + data = OPEN("BadSource_open.txt", O_RDWR|O_CREAT, S_IREAD|S_IWRITE); // BAD // $ Alert[cpp/file-never-closed] /* FLAW: No attempt to close the file */ ; /* empty statement needed for some flow variants */ } @@ -275,7 +275,7 @@ void CWE775_Missing_Release_of_File_Descriptor_or_Handle__w32CreateFile_no_close /* Initialize data */ data = INVALID_HANDLE_VALUE; /* POTENTIAL FLAW: Open a file without closing it */ - data = CreateFile("BadSource_w32CreateFile.txt", // BAD + data = CreateFile("BadSource_w32CreateFile.txt", // BAD // $ Alert[cpp/file-never-closed] (GENERIC_WRITE|GENERIC_READ), 0, NULL, @@ -322,7 +322,7 @@ void CWE401_Memory_Leak__twoIntsStruct_realloc_01_bad() twoIntsStruct * data; data = NULL; /* POTENTIAL FLAW: Allocate memory on the heap */ - data = (twoIntsStruct *)realloc(data, 100*sizeof(twoIntsStruct)); + data = (twoIntsStruct *)realloc(data, 100*sizeof(twoIntsStruct)); // $ Alert[cpp/memory-may-not-be-freed] if (data == NULL) {exit(-1);} /* Initialize and make use of data */ data[0].intOne = 0; diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-file/FileMayNotBeClosed.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-file/FileMayNotBeClosed.qlref index fd711c007f0..8d189be099b 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-file/FileMayNotBeClosed.qlref 
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-file/FileMayNotBeClosed.qlref @@ -1 +1,2 @@ -Critical/FileMayNotBeClosed.ql \ No newline at end of file +query: Critical/FileMayNotBeClosed.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-file/FileNeverClosed.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-file/FileNeverClosed.qlref index 825ac26f500..25b57b1736d 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-file/FileNeverClosed.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-file/FileNeverClosed.qlref @@ -1 +1,2 @@ -Critical/FileNeverClosed.ql +query: Critical/FileNeverClosed.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-file/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-file/test.cpp index 1e24ded49f5..ae7c1e5cdc0 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-file/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-file/test.cpp @@ -48,7 +48,7 @@ void test4() FILE *f; // fopen, never fclose (BAD: f is never closed) - f = fopen("myFile.txt", "wt"); + f = fopen("myFile.txt", "wt"); // $ Alert[cpp/file-never-closed] } void test5(int cond) @@ -56,7 +56,7 @@ void test5(int cond) FILE *f; // fopen, sometimes fclose (BAD: f is not always closed) - f = fopen("myFile.txt", "wt"); + f = fopen("myFile.txt", "wt"); // $ Alert[cpp/file-may-not-be-closed] if (cond == 0) { fclose(f); @@ -66,7 +66,7 @@ void test5(int cond) void test6(int cond) { // fopen, sometimes fclose (BAD: f is not always closed) - FILE *f = fopen("myFile.txt", "wt"); + FILE *f = fopen("myFile.txt", "wt"); // $ Alert[cpp/file-may-not-be-closed] if (cond == 0) { 
@@ -82,7 +82,7 @@ void test7() // fopen, assign, close f twice (BAD: g is never closed) f = fopen("myFile.txt", "wt"); - g = fopen("myFile.txt", "wt"); + g = fopen("myFile.txt", "wt"); // $ Alert[cpp/file-may-not-be-closed] g = f; fclose(g); fclose(f); @@ -112,10 +112,10 @@ void test8(int cond) test8_close(f); // fopen, don't close (BAD: g is never closed) - g = test8_open(); + g = test8_open(); // $ Alert[cpp/file-may-not-be-closed] // fopen, sometimes fclose (BAD: h is not always closed) - h = test8_open(); + h = test8_open(); // $ Alert[cpp/file-may-not-be-closed] if (cond == 0) { return; @@ -130,7 +130,7 @@ public: { a = fopen("myFile1.txt", "rt"); // closed in destructor (GOOD) b = fopen("myFile2.txt", "rt"); // unreliably closed in destructor (BAD) [NOT REPORTED] - c = fopen("myFile3.txt", "rt"); // never closed in destructor (BAD) + c = fopen("myFile3.txt", "rt"); // never closed in destructor (BAD) // $ Alert[cpp/file-never-closed] } void myOpenMethod(const char *filename) @@ -181,7 +181,7 @@ void test11() FILE *f, *g; // fopen, assign, but do not close (BAD) - f = fopen("myFile1.bin", "rb"); + f = fopen("myFile1.bin", "rb"); // $ Alert[cpp/file-never-closed] g = f; } @@ -218,7 +218,7 @@ void test13(int cond) void test14() { - FILE *f = fopen("f.txt", "rt"); // fopen, forget, don't close (BAD) + FILE *f = fopen("f.txt", "rt"); // fopen, forget, don't close (BAD) // $ Alert[cpp/file-may-not-be-closed] f = 0; fclose(f); @@ -237,7 +237,7 @@ void test15() void test16() { FILE *f = fopen("f.txt", "rt"); // fopen, always close in loop (GOOD) - FILE *g = fopen("g.txt", "rt"); // fopen, don't close in loop (BAD) + FILE *g = fopen("g.txt", "rt"); // fopen, don't close in loop (BAD) // $ Alert[cpp/file-may-not-be-closed] int i; for (i = 0; i < 1; i++) 
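Review bot: In the constructor shown in the `@@ -130,7` hunk, the line `b = fopen("myFile2.txt", "rt");` is documented as `(BAD) [NOT REPORTED]` but gets no annotation, so the known false negative stays visible only in the free-text comment. The inline-expectations `MISSING:` prefix records it in a checked form, for example `// $ MISSING: Alert[cpp/file-may-not-be-closed]`; the query id is assumed from the "unreliably closed" wording and should be confirmed. The same applies to the `b = (char *)malloc(1);` line in the `@@ -151,7` hunk of tests-memory/test.cpp. The constructor starts before the hunk.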
@@ -250,7 +250,7 @@ void test16() void test17() { - FILE *f = fopen("f.txt", "rt"); // fopen, don't close in loop (BAD) + FILE *f = fopen("f.txt", "rt"); // fopen, don't close in loop (BAD) // $ Alert[cpp/file-may-not-be-closed] int i; for (i = 0; i < 0; i++) @@ -273,7 +273,7 @@ void test18() void test19() { - FILE *f = fopen("f.txt", "rt"); // fopen, return in loop, don't close (BAD) + FILE *f = fopen("f.txt", "rt"); // fopen, return in loop, don't close (BAD) // $ Alert[cpp/file-may-not-be-closed] int i; for (i = 0; i < 1; i++) @@ -296,7 +296,7 @@ void test20() void test21() { - FILE *f = fopen("f.txt", "rt"); // fopen, don't close in loop increment (BAD) + FILE *f = fopen("f.txt", "rt"); // fopen, don't close in loop increment (BAD) // $ Alert[cpp/file-may-not-be-closed] int i; for (i = 0; i < 0; fclose(f)) @@ -307,7 +307,7 @@ void test21() void test22() { FILE *f = fopen("f.txt", "rt"); // fopen, close in condition inside loop (GOOD) - FILE *g = fopen("g.txt", "rt"); // fopen, don't close in condition inside loop (BAD) + FILE *g = fopen("g.txt", "rt"); // fopen, don't close in condition inside loop (BAD) // $ Alert[cpp/file-may-not-be-closed] bool b = true; while (b) @@ -353,7 +353,7 @@ void test24() void test25() { - FILE *f = fopen("f.txt", "rt"); // fopen, don't close in nested loops (BAD) + FILE *f = fopen("f.txt", "rt"); // fopen, don't close in nested loops (BAD) // $ Alert[cpp/file-may-not-be-closed] int i, j, k; for (i = 0; i < 1; i++) @@ -381,7 +381,7 @@ void test26() void test27() { - FILE *f = fopen("f.txt", "rt"); // fopen, don't close after loop (BAD) + FILE *f = fopen("f.txt", "rt"); // fopen, don't close after loop (BAD) // $ Alert[cpp/file-may-not-be-closed] int i; for (i = 0; i < 10; i++) 
@@ -460,7 +460,7 @@ void test29() void test30() { // cases that do not involve a variable - fopen("myFile.txt", "wt"); // BAD: not closed + fopen("myFile.txt", "wt"); // BAD: not closed // $ Alert[cpp/file-never-closed] fclose(fopen("myFile.txt", "wt")); // GOOD } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-memory/MemoryMayNotBeFreed.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-memory/MemoryMayNotBeFreed.qlref index 33da8e296e2..84fd18014db 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-memory/MemoryMayNotBeFreed.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-memory/MemoryMayNotBeFreed.qlref @@ -1 +1,2 @@ -Critical/MemoryMayNotBeFreed.ql \ No newline at end of file +query: Critical/MemoryMayNotBeFreed.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-memory/MemoryNeverFreed.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-memory/MemoryNeverFreed.qlref index 2d1336a55eb..108a872987d 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-memory/MemoryNeverFreed.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-memory/MemoryNeverFreed.qlref @@ -1 +1,2 @@ -Critical/MemoryNeverFreed.ql \ No newline at end of file +query: Critical/MemoryNeverFreed.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-memory/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-memory/test.cpp index 29b5709b965..7bc2b737057 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-memory/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-772/semmle/tests-memory/test.cpp 
@@ -59,7 +59,7 @@ void test5(int cond) // malloc, sometimes free void *ptr; - ptr = malloc(sizeof(char) * 1024); // BAD: not always freed + ptr = malloc(sizeof(char) * 1024); // BAD: not always freed // $ Alert[cpp/memory-may-not-be-freed] if (cond == 0) { free(ptr); @@ -71,7 +71,7 @@ void test6(int cond) // malloc, sometimes free void *ptr; - ptr = malloc(sizeof(char) * 1024); // BAD: not always freed + ptr = malloc(sizeof(char) * 1024); // BAD: not always freed // $ Alert[cpp/memory-may-not-be-freed] if (cond == 0) { return; @@ -95,7 +95,7 @@ void test8() // malloc, reassign, don't free char *a, *b; - a = (char *)malloc(10); // BAD: a is not freed + a = (char *)malloc(10); // BAD: a is not freed // $ Alert[cpp/memory-never-freed] b = a; } @@ -104,7 +104,7 @@ void test9() // malloc, overwrite, don't free char *a; - a = (char *)malloc(10); // BAD: not freed + a = (char *)malloc(10); // BAD: not freed // $ Alert[cpp/memory-may-not-be-freed] a = (char *)malloc(20); free(a); } @@ -133,10 +133,10 @@ void test10(int cond) test10_free(a); // alloc, don't free b - b = test10_alloc(); // BAD: b is never freed + b = test10_alloc(); // BAD: b is never freed // $ Alert[cpp/memory-may-not-be-freed] // alloc, sometimes free c - c = test10_alloc(); // BAD: c is not always freed + c = test10_alloc(); // BAD: c is not always freed // $ Alert[cpp/memory-may-not-be-freed] if (cond == 0) { return; @@ -151,7 +151,7 @@ public: { a = (char *)malloc(1); // freed in destructor (GOOD) b = (char *)malloc(1); // unreliably freed in destructor (BAD) [NOT REPORTED] - c = (char *)malloc(1); // never freed in destructor (BAD) + c = (char *)malloc(1); // never freed in destructor (BAD) // $ Alert[cpp/memory-never-freed] } void myAllocMethod(int amount) 
@@ -196,9 +196,9 @@ void test13() void *a = new int; // new, delete (GOOD) void *b = new char[10]; // new, delete (GOOD) char *c = new char[20]; // new, delete (GOOD) - void *d = new int; // new, don't delete (BAD) - void *e = new char[10]; // new, don't delete (BAD) - char *f = new char[20]; // new, don't delete (BAD) + void *d = new int; // new, don't delete (BAD) // $ Alert[cpp/memory-never-freed] + void *e = new char[10]; // new, don't delete (BAD) // $ Alert[cpp/memory-never-freed] + char *f = new char[20]; // new, don't delete (BAD) // $ Alert[cpp/memory-never-freed] delete (int *)a; delete [] (int *)b; @@ -232,26 +232,26 @@ void test14() ff(a); // alloc, don't free via function pointer (BAD) - b = af(2000); + b = af(2000); // $ Alert[cpp/memory-may-not-be-freed] } void test15() { void *ptr1, *ptr2, *ptr3; - ptr1 = realloc(NULL, 10); // alloc 10 bytes (BAD - not freed if the next realloc fails) + ptr1 = realloc(NULL, 10); // alloc 10 bytes (BAD - not freed if the next realloc fails) // $ Alert[cpp/memory-may-not-be-freed] ptr1 = realloc(ptr1, 20); // realloc 20 bytes (GOOD) ptr1 = realloc(ptr1, 0); // free (GOOD) - ptr2 = realloc(NULL, 10); // alloc 10 bytes (BAD - only freed if the call below succeeds) - ptr2 = realloc(ptr2, 20); // realloc 20 bytes, never free (BAD) + ptr2 = realloc(NULL, 10); // alloc 10 bytes (BAD - only freed if the call below succeeds) // $ Alert[cpp/memory-may-not-be-freed] + ptr2 = realloc(ptr2, 20); // realloc 20 bytes, never free (BAD) // $ Alert[cpp/memory-may-not-be-freed] - ptr3 = realloc(NULL, 10); // alloc 10 bytes, never free (BAD) + ptr3 = realloc(NULL, 10); // alloc 10 bytes, never free (BAD) // $ Alert[cpp/memory-never-freed] } void test16(int cond) { - void *ptr = malloc(1024); // not always freed (BAD) + void *ptr = malloc(1024); // not always freed (BAD) // $ Alert[cpp/memory-may-not-be-freed] if (ptr) { if (cond) 
@@ -271,7 +271,7 @@ void test16(int cond) void test17(int cond) { // malloc, sometimes free (BAD: ptr is not always freed) - void *ptr = malloc(1024); + void *ptr = malloc(1024); // $ Alert[cpp/memory-may-not-be-freed] if (cond == 0) { @@ -284,7 +284,7 @@ void test17(int cond) void test18(int cond) { // malloc, sometimes free (BAD: ptr is not always freed) - void *ptr = malloc(1024); + void *ptr = malloc(1024); // $ Alert[cpp/memory-may-not-be-freed] if (cond == 0) { @@ -352,12 +352,12 @@ void test22(int cond) { // new, don't delete (BAD) - Vector3 *myVector2 = new Vector3(1.0f, 2.0f, 3.0f); + Vector3 *myVector2 = new Vector3(1.0f, 2.0f, 3.0f); // $ Alert[cpp/memory-never-freed] } { // new, sometimes delete (BAD) - Vector3 *myVector3 = new Vector3(1.0f, 2.0f, 3.0f); + Vector3 *myVector3 = new Vector3(1.0f, 2.0f, 3.0f); // $ Alert[cpp/memory-may-not-be-freed] if (cond) { delete myVector3; @@ -379,7 +379,7 @@ void test23() { { // malloc, free incorrectly (BAD) - char *buffer = (char *)malloc(100); + char *buffer = (char *)malloc(100); // $ Alert[cpp/memory-may-not-be-freed] free(buffer + 10); } @@ -394,7 +394,7 @@ void test23() { // new, delete incorrectly - container *c = new container; // BAD: not deleted + container *c = new container; // BAD: not deleted // $ Alert[cpp/memory-never-freed] c->thingPtr = new thing; delete c->thingPtr; @@ -448,7 +448,7 @@ void test25() } realloc(ptr2, 0); // equivalent to free(ptr2) (GOOD) - ptr3 = realloc(NULL, 10); // alloc 10 bytes (BAD - not freed if next realloc fails) + ptr3 = realloc(NULL, 10); // alloc 10 bytes (BAD - not freed if next realloc fails) // $ Alert[cpp/memory-may-not-be-freed] ptr4 = realloc(ptr3, 20); // realloc 20 bytes (GOOD) if (ptr4 != NULL) // (this checks for success instead of failure!) { 
@@ -457,7 +457,7 @@ void test25() } realloc(ptr4, 0); // equivalent to free(ptr4) (GOOD) - ptr5 = realloc(NULL, 10); // alloc 10 bytes (BAD - not freed if the next realloc fails) + ptr5 = realloc(NULL, 10); // alloc 10 bytes (BAD - not freed if the next realloc fails) // $ Alert[cpp/memory-may-not-be-freed] ptr6 = realloc(ptr5, 20); // realloc 20 bytes (GOOD) ptr7 = realloc(ptr6, 0); // free (GOOD) } @@ -519,10 +519,10 @@ void test27() { void *ptr = NULL; - ptr = realloc(ptr, 10); // BAD (not freed if the second realloc fails) + ptr = realloc(ptr, 10); // BAD (not freed if the second realloc fails) // $ Alert[cpp/memory-may-not-be-freed] if (ptr != NULL) { - ptr = realloc(ptr, 20); // BAD (not freed) + ptr = realloc(ptr, 20); // BAD (not freed) // $ Alert[cpp/memory-may-not-be-freed] if (ptr != NULL) { dostuff(); diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/TaintedCondition.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/TaintedCondition.expected index fc3a964b2bf..5a1e5dbcbc5 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/TaintedCondition.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/TaintedCondition.expected @@ -1,3 +1,5 @@ +#select +| test.cpp:24:10:24:35 | ! ... | test.cpp:20:29:20:47 | *call to getenv | test.cpp:24:10:24:35 | ! ... | Reliance on $@ to raise privilege at $@. | test.cpp:20:29:20:47 | *call to getenv | an environment variable | test.cpp:25:9:25:27 | ... = ... | ... = ... | edges | test.cpp:20:29:20:47 | *call to getenv | test.cpp:20:29:20:47 | *call to getenv | provenance | | | test.cpp:20:29:20:47 | *call to getenv | test.cpp:24:10:24:35 | ! ... | provenance | TaintFunction | 
@@ -6,5 +8,3 @@ nodes | test.cpp:20:29:20:47 | *call to getenv | semmle.label | *call to getenv | | test.cpp:24:10:24:35 | ! ... | semmle.label | ! ... | subpaths -#select -| test.cpp:24:10:24:35 | ! ... | test.cpp:20:29:20:47 | *call to getenv | test.cpp:24:10:24:35 | ! ... | Reliance on $@ to raise privilege at $@. | test.cpp:20:29:20:47 | *call to getenv | an environment variable | test.cpp:25:9:25:27 | ... = ... | ... = ... | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/TaintedCondition.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/TaintedCondition.qlref index bb8c6c324a3..b12367abe28 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/TaintedCondition.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/TaintedCondition.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-807/TaintedCondition.ql \ No newline at end of file +query: Security/CWE/CWE-807/TaintedCondition.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/test.cpp index 641cbaa7be7..2f7eaa12cca 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/test.cpp @@ -17,11 +17,11 @@ const char *currentUser; void processRequest() { - const char *userName = getenv("USER_NAME"); + const char *userName = getenv("USER_NAME"); // $ Source // BAD: the condition is controllable by the user, and // the body of the if makes a security decision. - if (!strcmp(userName, "admin")) { + if (!strcmp(userName, "admin")) { // $ Alert adminPrivileges = 1; } 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-835/semmle/InfiniteLoopWithUnsatisfiableExitCondition/InfiniteLoopWithUnsatisfiableExitCondition.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-835/semmle/InfiniteLoopWithUnsatisfiableExitCondition/InfiniteLoopWithUnsatisfiableExitCondition.qlref index cef3e6686ea..e734453a5d9 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-835/semmle/InfiniteLoopWithUnsatisfiableExitCondition/InfiniteLoopWithUnsatisfiableExitCondition.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-835/semmle/InfiniteLoopWithUnsatisfiableExitCondition/InfiniteLoopWithUnsatisfiableExitCondition.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-835/InfiniteLoopWithUnsatisfiableExitCondition.ql \ No newline at end of file +query: Security/CWE/CWE-835/InfiniteLoopWithUnsatisfiableExitCondition.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-835/semmle/InfiniteLoopWithUnsatisfiableExitCondition/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-835/semmle/InfiniteLoopWithUnsatisfiableExitCondition/test.cpp index 4ff37591003..7d6b3585df2 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-835/semmle/InfiniteLoopWithUnsatisfiableExitCondition/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-835/semmle/InfiniteLoopWithUnsatisfiableExitCondition/test.cpp @@ -5,7 +5,7 @@ void test00(int n) { } while (1) { // BAD: condition is never true, so loop will not terminate. - if (i == n) { + if (i == n) { // $ Alert break; } } @@ -18,7 +18,7 @@ void test01(int n) { } for (;;) { // BAD: condition is never true, so loop will not terminate. - if (i == n) { + if (i == n) { // $ Alert break; } } @@ -59,7 +59,7 @@ int test05() { int result = 0; // BAD: loop condition is always true. - for (i = 0; i >= 0; i = (i + 1) % 256) + for (i = 0; i >= 0; i = (i + 1) % 256) // $ Alert { result++; } 
@@ -108,7 +108,7 @@ void test08(int n) { for (i = 0;;) { // BAD: condition is never true, so loop will not terminate. - if (i == n) { + if (i == n) { // $ Alert break; } @@ -124,7 +124,7 @@ void test09(char *str) { { c = *(str++); - if (c < 'a' && c > 'z') // BAD: this condition is always false. + if (c < 'a' && c > 'z') // BAD: this condition is always false. // $ Alert return; } } diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-843/TypeConfusion.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-843/TypeConfusion.expected index 6e18306bcd2..a805d06e1e2 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-843/TypeConfusion.expected +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-843/TypeConfusion.expected 
@@ -1,3 +1,13 @@ +#select +| test.cpp:28:25:28:55 | p | test.cpp:27:13:27:18 | new | test.cpp:28:25:28:55 | p | Conversion from $@ to $@ is invalid. | test.cpp:1:8:1:9 | S1 | S1 | test.cpp:11:8:11:21 | Not_S1_wrapper | Not_S1_wrapper | +| test.cpp:33:12:33:30 | p | test.cpp:32:13:32:30 | new | test.cpp:33:12:33:30 | p | Conversion from $@ to $@ is invalid. | test.cpp:11:8:11:21 | Not_S1_wrapper | Not_S1_wrapper | test.cpp:1:8:1:9 | S1 | S1 | +| test.cpp:67:12:67:31 | a | test.cpp:66:15:66:21 | new | test.cpp:67:12:67:31 | a | Conversion from $@ to $@ is invalid. | test.cpp:55:8:55:10 | Cat | Cat | test.cpp:60:8:60:10 | Dog | Dog | +| test.cpp:128:24:128:59 | s2 | test.cpp:127:12:127:17 | new | test.cpp:128:24:128:59 | s2 | Conversion from $@ to $@ is invalid. | test.cpp:102:8:102:9 | S2 | S2 | test.cpp:119:8:119:20 | Not_S2_prefix | Not_S2_prefix | +| test.cpp:145:28:145:68 | s1_2 | test.cpp:143:14:143:19 | new | test.cpp:145:28:145:68 | s1_2 | Conversion from $@ to $@ is invalid. | test.cpp:1:8:1:9 | S1 | S1 | test.cpp:131:8:131:23 | HasSomeBitFields | HasSomeBitFields | +| test.cpp:159:14:159:33 | a | test.cpp:153:9:153:15 | new | test.cpp:159:14:159:33 | a | Conversion from $@ to $@ is invalid. | test.cpp:60:8:60:10 | Dog | Dog | test.cpp:55:8:55:10 | Cat | Cat | +| test.cpp:189:25:189:45 | u64 | test.cpp:187:15:187:24 | new | test.cpp:189:25:189:45 | u64 | Conversion from $@ to $@ is invalid. | test.cpp:175:8:175:13 | UInt64 | UInt64 | test.cpp:184:8:184:22 | UInt8_with_more | UInt8_with_more | +| test.cpp:218:30:218:65 | p | test.cpp:217:13:217:18 | new | test.cpp:218:30:218:65 | p | Conversion from $@ to $@ is invalid. | test.cpp:1:8:1:9 | S1 | S1 | test.cpp:212:8:212:26 | UnrelatedStructSize | UnrelatedStructSize | +| test.cpp:227:29:227:63 | p | test.cpp:226:13:226:18 | new | test.cpp:227:29:227:63 | p | Conversion from $@ to $@ is invalid. 
| test.cpp:1:8:1:9 | S1 | S1 | test.cpp:221:8:221:25 | TooLargeBufferSize | TooLargeBufferSize | edges | test.cpp:17:13:17:18 | new | test.cpp:17:13:17:18 | new | provenance | | | test.cpp:17:13:17:18 | new | test.cpp:18:21:18:47 | p | provenance | | 
@@ -104,13 +114,3 @@ nodes | test.cpp:226:13:226:18 | new | semmle.label | new | | test.cpp:227:29:227:63 | p | semmle.label | p | subpaths -#select -| test.cpp:28:25:28:55 | p | test.cpp:27:13:27:18 | new | test.cpp:28:25:28:55 | p | Conversion from $@ to $@ is invalid. | test.cpp:1:8:1:9 | S1 | S1 | test.cpp:11:8:11:21 | Not_S1_wrapper | Not_S1_wrapper | -| test.cpp:33:12:33:30 | p | test.cpp:32:13:32:30 | new | test.cpp:33:12:33:30 | p | Conversion from $@ to $@ is invalid. | test.cpp:11:8:11:21 | Not_S1_wrapper | Not_S1_wrapper | test.cpp:1:8:1:9 | S1 | S1 | -| test.cpp:67:12:67:31 | a | test.cpp:66:15:66:21 | new | test.cpp:67:12:67:31 | a | Conversion from $@ to $@ is invalid. | test.cpp:55:8:55:10 | Cat | Cat | test.cpp:60:8:60:10 | Dog | Dog | -| test.cpp:128:24:128:59 | s2 | test.cpp:127:12:127:17 | new | test.cpp:128:24:128:59 | s2 | Conversion from $@ to $@ is invalid. | test.cpp:102:8:102:9 | S2 | S2 | test.cpp:119:8:119:20 | Not_S2_prefix | Not_S2_prefix | -| test.cpp:145:28:145:68 | s1_2 | test.cpp:143:14:143:19 | new | test.cpp:145:28:145:68 | s1_2 | Conversion from $@ to $@ is invalid. | test.cpp:1:8:1:9 | S1 | S1 | test.cpp:131:8:131:23 | HasSomeBitFields | HasSomeBitFields | -| test.cpp:159:14:159:33 | a | test.cpp:153:9:153:15 | new | test.cpp:159:14:159:33 | a | Conversion from $@ to $@ is invalid. | test.cpp:60:8:60:10 | Dog | Dog | test.cpp:55:8:55:10 | Cat | Cat | -| test.cpp:189:25:189:45 | u64 | test.cpp:187:15:187:24 | new | test.cpp:189:25:189:45 | u64 | Conversion from $@ to $@ is invalid. | test.cpp:175:8:175:13 | UInt64 | UInt64 | test.cpp:184:8:184:22 | UInt8_with_more | UInt8_with_more | -| test.cpp:218:30:218:65 | p | test.cpp:217:13:217:18 | new | test.cpp:218:30:218:65 | p | Conversion from $@ to $@ is invalid. 
| test.cpp:1:8:1:9 | S1 | S1 | test.cpp:212:8:212:26 | UnrelatedStructSize | UnrelatedStructSize | -| test.cpp:227:29:227:63 | p | test.cpp:226:13:226:18 | new | test.cpp:227:29:227:63 | p | Conversion from $@ to $@ is invalid. | test.cpp:1:8:1:9 | S1 | S1 | test.cpp:221:8:221:25 | TooLargeBufferSize | TooLargeBufferSize | diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-843/TypeConfusion.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-843/TypeConfusion.qlref index 53b17f1e1fd..b0034e45821 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-843/TypeConfusion.qlref +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-843/TypeConfusion.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-843/TypeConfusion.ql \ No newline at end of file +query: Security/CWE/CWE-843/TypeConfusion.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-843/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-843/test.cpp index 982496218ff..00f56700d55 100644 --- a/cpp/ql/test/query-tests/Security/CWE/CWE-843/test.cpp +++ b/cpp/ql/test/query-tests/Security/CWE/CWE-843/test.cpp @@ -24,13 +24,13 @@ void test2() { } void test3() { - void* p = new S1; - Not_S1_wrapper* s1w = static_cast(p); // BAD + void* p = new S1; // $ Source + Not_S1_wrapper* s1w = static_cast(p); // BAD // $ Alert } void test4() { - void* p = new Not_S1_wrapper; - S1* s1 = static_cast(p); // BAD + void* p = new Not_S1_wrapper; // $ Source + S1* s1 = static_cast(p); // BAD // $ Alert } struct HasBitFields { @@ -63,8 +63,8 @@ struct Dog : public Animal { }; void test6() { - Animal* a = new Cat; - Dog* d = static_cast(a); // BAD + Animal* a = new Cat; // $ Source + Dog* d = static_cast(a); // BAD // $ Alert } void test7() { @@ -124,8 +124,8 @@ struct Not_S2_prefix { }; void test11() { - S2* s2 = new S2; - Not_S2_prefix* s2p = reinterpret_cast(s2); // BAD + S2* s2 = new S2; // $ Source + Not_S2_prefix* s2p = reinterpret_cast(s2); // BAD // $ Alert } struct HasSomeBitFields { 
@@ -140,9 +140,9 @@ void test12() { S1* s1 = new S1; HasBitFields* hbf = reinterpret_cast(s1); // BAD [NOT DETECTED] - S1* s1_2 = new S1; + S1* s1_2 = new S1; // $ Source // This one has a non-bitfield members. So we detect the problem - HasSomeBitFields* hbf2 = reinterpret_cast(s1_2); // BAD + HasSomeBitFields* hbf2 = reinterpret_cast(s1_2); // BAD // $ Alert } void test13(bool b, Cat* c) { @@ -150,13 +150,13 @@ void test13(bool b, Cat* c) { if(b) { a = c; } else { - a = new Dog; + a = new Dog; // $ Source } // This FP happens despite the `not GoodFlow::flowTo(sinkNode)` condition in the query // because we don't find a flow path from `a = c` to `static_cast(a)` because // the "source" (i.e., `a = c`) doesn't have an allocation. if(b) { - Cat* d = static_cast(a); // GOOD [FALSE POSITIVE] + Cat* d = static_cast(a); // GOOD [FALSE POSITIVE] // $ Alert } } @@ -184,9 +184,9 @@ void test14() { struct UInt8_with_more { UInt8 u8; void* p; }; void test15() { - void* u64 = new UInt64; + void* u64 = new UInt64; // $ Source // ... - UInt8_with_more* u8 = (UInt8_with_more*)u64; // BAD + UInt8_with_more* u8 = (UInt8_with_more*)u64; // BAD // $ Alert } struct SingleInt { @@ -214,8 +214,8 @@ struct UnrelatedStructSize { }; void test17() { - void* p = new S1; - UnrelatedStructSize* uss = static_cast(p); // BAD + void* p = new S1; // $ Source + UnrelatedStructSize* uss = static_cast(p); // BAD // $ Alert } struct TooLargeBufferSize { @@ -223,8 +223,8 @@ struct TooLargeBufferSize { }; void test18() { - void* p = new S1; - TooLargeBufferSize* uss = static_cast(p); // BAD + void* p = new S1; // $ Source + TooLargeBufferSize* uss = static_cast(p); // BAD // $ Alert } // semmle-extractor-options: --gcc -std=c++11 \ No newline at end of file diff --git a/cpp/ql/test/query-tests/Summary/LinesOfCode.qlref b/cpp/ql/test/query-tests/Summary/LinesOfCode.qlref index b60eb791722..d22b1004423 100644 --- a/cpp/ql/test/query-tests/Summary/LinesOfCode.qlref 
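Review bot: In `test13` the cast that the test itself labels `// GOOD [FALSE POSITIVE]` is now recorded as a plain `// $ Alert`, so the expectation reads as if the type-confusion query were meant to flag it. Inline expectations have a dedicated marker for a known false positive, so the line would be better as `Cat* d = static_cast(a); // GOOD [FALSE POSITIVE] // $ SPURIOUS: Alert`. Likewise the `// BAD [NOT DETECTED]` cast in `test12` could carry `// $ MISSING: Alert`, which makes the known detection gap machine-checked instead of only described in prose. The same pattern shows up on the `[FALSE POSITIVE]` lines in `original.cpp` (AV Rule 73), `ListDelete.cpp` and `Variants.cpp`, and on the `[NOT DETECTED]` / `[NOT REPORTED]` context lines in `DeleteThis.cpp`, `PlacementNew.cpp` and `Variants.cpp`. The bodies of `test12` and `test13` extend beyond their hunks, so this is based on the visible lines only.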
+++ b/cpp/ql/test/query-tests/Summary/LinesOfCode.qlref @@ -1 +1 @@ -Summary/LinesOfCode.ql +query: Summary/LinesOfCode.ql diff --git a/cpp/ql/test/query-tests/Summary/LinesOfUserCode.qlref b/cpp/ql/test/query-tests/Summary/LinesOfUserCode.qlref index baaa947e6af..99a6d132494 100644 --- a/cpp/ql/test/query-tests/Summary/LinesOfUserCode.qlref +++ b/cpp/ql/test/query-tests/Summary/LinesOfUserCode.qlref @@ -1 +1 @@ -Summary/LinesOfUserCode.ql +query: Summary/LinesOfUserCode.ql diff --git a/cpp/ql/test/query-tests/definitions/definitions.qlref b/cpp/ql/test/query-tests/definitions/definitions.qlref index 7b600c094b5..89fab02d103 100644 --- a/cpp/ql/test/query-tests/definitions/definitions.qlref +++ b/cpp/ql/test/query-tests/definitions/definitions.qlref @@ -1 +1 @@ -definitions.ql +query: definitions.ql diff --git a/cpp/ql/test/query-tests/jsf/3.02 Code Size and Complexity/AV Rule 1/AV Rule 1.c b/cpp/ql/test/query-tests/jsf/3.02 Code Size and Complexity/AV Rule 1/AV Rule 1.c index ff4e5ad15a4..1d63e5531a5 100644 --- a/cpp/ql/test/query-tests/jsf/3.02 Code Size and Complexity/AV Rule 1/AV Rule 1.c +++ b/cpp/ql/test/query-tests/jsf/3.02 Code Size and Complexity/AV Rule 1/AV Rule 1.c @@ -408,7 +408,7 @@ void justStillGood(int x) { justStillGood(199); } -void bad(int x) { +void bad(int x) { // $ Alert bad(2); bad(3); bad(4); diff --git a/cpp/ql/test/query-tests/jsf/3.02 Code Size and Complexity/AV Rule 1/AV Rule 1.qlref b/cpp/ql/test/query-tests/jsf/3.02 Code Size and Complexity/AV Rule 1/AV Rule 1.qlref index e2fb899048e..e3c6654bd84 100644 --- a/cpp/ql/test/query-tests/jsf/3.02 Code Size and Complexity/AV Rule 1/AV Rule 1.qlref +++ b/cpp/ql/test/query-tests/jsf/3.02 Code Size and Complexity/AV Rule 1/AV Rule 1.qlref @@ -1 +1,2 @@ -jsf/3.02 Code Size and Complexity/AV Rule 1.ql +query: jsf/3.02 Code Size and Complexity/AV Rule 1.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/jsf/4.04 Environment/AV Rule 13/AV Rule 13.qlref b/cpp/ql/test/query-tests/jsf/4.04 Environment/AV Rule 13/AV Rule 13.qlref index b3267de7b8a..36002b9e045 100644 --- a/cpp/ql/test/query-tests/jsf/4.04 Environment/AV Rule 13/AV Rule 13.qlref +++ b/cpp/ql/test/query-tests/jsf/4.04 Environment/AV Rule 13/AV Rule 13.qlref @@ -1 +1,2 @@ -jsf/4.04 Environment/AV Rule 13.ql +query: jsf/4.04 Environment/AV Rule 13.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.04 Environment/AV Rule 13/test.cpp b/cpp/ql/test/query-tests/jsf/4.04 Environment/AV Rule 13/test.cpp index cd11861c4ec..4d87c501c8e 100644 --- a/cpp/ql/test/query-tests/jsf/4.04 Environment/AV Rule 13/test.cpp +++ b/cpp/ql/test/query-tests/jsf/4.04 Environment/AV Rule 13/test.cpp @@ -2,9 +2,9 @@ int main() { const char *const_str = ""; - const wchar_t *const_wstr = L""; // BAD + const wchar_t *const_wstr = L""; // BAD // $ Alert char c = 'c'; - wchar_t wc = L'c'; // BAD + wchar_t wc = L'c'; // BAD // $ Alert return 0; } diff --git a/cpp/ql/test/query-tests/jsf/4.06 Pre-Processing Directives/AV Rule 32/AV Rule 32.qlref b/cpp/ql/test/query-tests/jsf/4.06 Pre-Processing Directives/AV Rule 32/AV Rule 32.qlref index 5ae78414335..e06ec8cac8b 100644 --- a/cpp/ql/test/query-tests/jsf/4.06 Pre-Processing Directives/AV Rule 32/AV Rule 32.qlref +++ b/cpp/ql/test/query-tests/jsf/4.06 Pre-Processing Directives/AV Rule 32/AV Rule 32.qlref @@ -1 +1,2 @@ -jsf/4.06 Pre-Processing Directives/AV Rule 32.ql +query: jsf/4.06 Pre-Processing Directives/AV Rule 32.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.06 Pre-Processing Directives/AV Rule 32/test.c b/cpp/ql/test/query-tests/jsf/4.06 Pre-Processing Directives/AV Rule 32/test.c index 1c4bb4a9913..21f16d449b6 100644 --- a/cpp/ql/test/query-tests/jsf/4.06 Pre-Processing Directives/AV Rule 32/test.c 
+++ b/cpp/ql/test/query-tests/jsf/4.06 Pre-Processing Directives/AV Rule 32/test.c @@ -1,4 +1,4 @@ #include "test.H" // GOOD #include "test.xpm" // GOOD -#include "test2.c" // BAD +#include "test2.c" // BAD // $ Alert #include "test.def" // GOOD diff --git a/cpp/ql/test/query-tests/jsf/4.07 Header Files/AV Rule 35/AV Rule 35.qlref b/cpp/ql/test/query-tests/jsf/4.07 Header Files/AV Rule 35/AV Rule 35.qlref index 57b4d1283c7..729eeaf1071 100644 --- a/cpp/ql/test/query-tests/jsf/4.07 Header Files/AV Rule 35/AV Rule 35.qlref +++ b/cpp/ql/test/query-tests/jsf/4.07 Header Files/AV Rule 35/AV Rule 35.qlref @@ -1 +1 @@ -jsf/4.07 Header Files/AV Rule 35.ql +query: jsf/4.07 Header Files/AV Rule 35.ql diff --git a/cpp/ql/test/query-tests/jsf/4.09 Style/AV Rule 53 54/AV Rule 53.1.qlref b/cpp/ql/test/query-tests/jsf/4.09 Style/AV Rule 53 54/AV Rule 53.1.qlref index a39a710f34e..e7c382bff87 100644 --- a/cpp/ql/test/query-tests/jsf/4.09 Style/AV Rule 53 54/AV Rule 53.1.qlref +++ b/cpp/ql/test/query-tests/jsf/4.09 Style/AV Rule 53 54/AV Rule 53.1.qlref @@ -1 +1,2 @@ -jsf/4.09 Style/AV Rule 53.1.ql +query: jsf/4.09 Style/AV Rule 53.1.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.09 Style/AV Rule 53 54/AV Rule 53.qlref b/cpp/ql/test/query-tests/jsf/4.09 Style/AV Rule 53 54/AV Rule 53.qlref index 285ffc692c7..10d7349f307 100644 --- a/cpp/ql/test/query-tests/jsf/4.09 Style/AV Rule 53 54/AV Rule 53.qlref +++ b/cpp/ql/test/query-tests/jsf/4.09 Style/AV Rule 53 54/AV Rule 53.qlref @@ -1 +1 @@ -jsf/4.09 Style/AV Rule 53.ql +query: jsf/4.09 Style/AV Rule 53.ql diff --git a/cpp/ql/test/query-tests/jsf/4.09 Style/AV Rule 53 54/AV Rule 54.qlref b/cpp/ql/test/query-tests/jsf/4.09 Style/AV Rule 53 54/AV Rule 54.qlref index 5aae2758b1c..813d3f75e64 100644 --- a/cpp/ql/test/query-tests/jsf/4.09 Style/AV Rule 53 54/AV Rule 54.qlref +++ b/cpp/ql/test/query-tests/jsf/4.09 Style/AV Rule 53 54/AV Rule 54.qlref 
@@ -1 +1 @@ -jsf/4.09 Style/AV Rule 54.ql +query: jsf/4.09 Style/AV Rule 54.ql diff --git a/cpp/ql/test/query-tests/jsf/4.09 Style/AV Rule 53 54/test.c b/cpp/ql/test/query-tests/jsf/4.09 Style/AV Rule 53 54/test.c index 47c2408c2fb..1985c5ad67b 100644 --- a/cpp/ql/test/query-tests/jsf/4.09 Style/AV Rule 53 54/test.c +++ b/cpp/ql/test/query-tests/jsf/4.09 Style/AV Rule 53 54/test.c @@ -1,4 +1,4 @@ #include "test" #include "test.abc" #include "test.H" -#include "test'.h" +#include "test'.h" // $ Alert[cpp/jsf/av-rule-53-1] diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 73/AV Rule 73.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 73/AV Rule 73.cpp index bc21219cab8..dee5e477a80 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 73/AV Rule 73.cpp +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 73/AV Rule 73.cpp @@ -1,7 +1,7 @@ class MyClass1 { public: - MyClass1() { // BAD + MyClass1() { // BAD // $ Alert x = 1; } diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 73/AV Rule 73.qlref b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 73/AV Rule 73.qlref index 6ed93402c8b..60e5fd77988 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 73/AV Rule 73.qlref +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 73/AV Rule 73.qlref @@ -1 +1,2 @@ -jsf/4.10 Classes/AV Rule 73.ql +query: jsf/4.10 Classes/AV Rule 73.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 73/original.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 73/original.cpp index 5c86702e2c2..d0c823c2212 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 73/original.cpp +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 73/original.cpp @@ -11,7 +11,7 @@ public: int cmp(const Bad& that); }; -Bad::Bad() : key(-1) // non-compliant +Bad::Bad() : key(-1) // non-compliant // $ Alert { } 
@@ -73,7 +73,7 @@ public: char getChar(); }; -AlsoGood::AlsoGood() // compliant [FALSE POSITIVE] +AlsoGood::AlsoGood() // compliant [FALSE POSITIVE] // $ Alert { cp = 0; } diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 76/AV Rule 76.qlref b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 76/AV Rule 76.qlref index a878bda7799..d314f74ada7 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 76/AV Rule 76.qlref +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 76/AV Rule 76.qlref @@ -1 +1,2 @@ -jsf/4.10 Classes/AV Rule 76.ql +query: jsf/4.10 Classes/AV Rule 76.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 76/test.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 76/test.cpp index 0c5e40e7b91..b90069862a2 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 76/test.cpp +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 76/test.cpp @@ -2,7 +2,7 @@ class Class1 // good: no pointer members, default assignment operator and copy c { }; -class Class2 // bad: pointer members, default assignment operator and copy constructor +class Class2 // bad: pointer members, default assignment operator and copy constructor // $ Alert { private: int* _a; @@ -13,7 +13,7 @@ public: } }; -class Class3 // bad: pointer members, custom assignment operator and default copy constructor +class Class3 // bad: pointer members, custom assignment operator and default copy constructor // $ Alert { private: int* _a; @@ -30,7 +30,7 @@ public: } }; -class Class4 // bad: pointer members, default assignment operator and custom copy constructor +class Class4 // bad: pointer members, default assignment operator and custom copy constructor // $ Alert { private: int* _a; diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 77.1/AV Rule 77.1.qlref b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 77.1/AV Rule 77.1.qlref index 5fe2b71b701..7ccb2e19884 100644 
--- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 77.1/AV Rule 77.1.qlref +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 77.1/AV Rule 77.1.qlref @@ -1 +1,2 @@ -jsf/4.10 Classes/AV Rule 77.1.ql +query: jsf/4.10 Classes/AV Rule 77.1.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 77.1/test.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 77.1/test.cpp index e9e917c840f..ceeb03948e8 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 77.1/test.cpp +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 77.1/test.cpp @@ -7,7 +7,7 @@ class C2 { }; class C3 { - C3(const C3& c, int i = 1); // error + C3(const C3& c, int i = 1); // error // $ Alert }; namespace templates { diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 78/AV Rule 78.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 78/AV Rule 78.cpp index 7612ac07c8c..e2b79ae37bf 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 78/AV Rule 78.cpp +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 78/AV Rule 78.cpp @@ -53,7 +53,7 @@ struct Base_Virtual_VirtualDtor virtual void VirtualFunction(); }; -struct Base_Virtual_NonVirtualDtor +struct Base_Virtual_NonVirtualDtor // $ Alert { ~Base_Virtual_NonVirtualDtor(); virtual void VirtualFunction(); @@ -65,7 +65,7 @@ struct Base_Virtual_ImplicitDtor virtual void VirtualFunction(); }; -struct Base_Virtual_NonVirtualDtorWithDefinition +struct Base_Virtual_NonVirtualDtorWithDefinition // $ Alert { ~Base_Virtual_NonVirtualDtorWithDefinition(); virtual void VirtualFunction(); @@ -75,7 +75,7 @@ Base_Virtual_NonVirtualDtorWithDefinition::~Base_Virtual_NonVirtualDtorWithDefin { } -struct Base_Virtual_NonVirtualDtorWithInlineDefinition +struct Base_Virtual_NonVirtualDtorWithInlineDefinition // $ Alert { ~Base_Virtual_NonVirtualDtorWithInlineDefinition() { 
diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 78/AV Rule 78.qlref b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 78/AV Rule 78.qlref index 419d3f69cc5..6c416c54edf 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 78/AV Rule 78.qlref +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 78/AV Rule 78.qlref @@ -1 +1,2 @@ -jsf/4.10 Classes/AV Rule 78.ql +query: jsf/4.10 Classes/AV Rule 78.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/AV Rule 79.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/AV Rule 79.cpp index 6fb9815dd74..d2267748984 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/AV Rule 79.cpp +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/AV Rule 79.cpp 
@@ -43,23 +43,23 @@ public: MyClass() { myPtr1 = new int; // GOOD - myPtr2 = new int; // BAD: not deleted in destructor + myPtr2 = new int; // BAD: not deleted in destructor // $ Alert myPtr3 = (int *)malloc(sizeof(int)); // GOOD - myPtr4 = (int *)malloc(sizeof(int)); // BAD: not freed in destructor - myPtr5 = new int; // BAD: deleted in close but not in destructor - myPtr6 = (int *)malloc(sizeof(int)); // BAD: freed in close but not in destructor + myPtr4 = (int *)malloc(sizeof(int)); // BAD: not freed in destructor // $ Alert + myPtr5 = new int; // BAD: deleted in close but not in destructor // $ Alert + myPtr6 = (int *)malloc(sizeof(int)); // BAD: freed in close but not in destructor // $ Alert myAutoPtr = new int; // GOOD myFile1 = fopen("file1.txt", "rt"); // GOOD - myFile2 = fopen("file2.txt", "rt"); // BAD: not closed in destructor + myFile2 = fopen("file2.txt", "rt"); // BAD: not closed in destructor // $ Alert - myArray1 = (int *)calloc(100, sizeof(int)); // BAD: not freed in destructor - myArray2 = new int[100]; // BAD: not deleted in destructor + myArray1 = (int *)calloc(100, sizeof(int)); // BAD: not freed in destructor // $ Alert + myArray2 = new int[100]; // BAD: not deleted in destructor // $ Alert myArray3 = new int[100]; // GOOD: deleted in destructor myPtr7 = (int*)realloc(0, sizeof(int)); // GOOD: freed below (assuming the realloc succeeds) - myPtr8 = (int*)realloc(myPtr7, sizeof(int)); // BAD: not freed in destructor + myPtr8 = (int*)realloc(myPtr7, sizeof(int)); // BAD: not freed in destructor // $ Alert } ~MyClass() diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/AV Rule 79.qlref b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/AV Rule 79.qlref index 34b54bccd46..23a70aede92 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/AV Rule 79.qlref +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/AV Rule 79.qlref 
@@ -1 +1,2 @@ -jsf/4.10 Classes/AV Rule 79.ql +query: jsf/4.10 Classes/AV Rule 79.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Container2.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Container2.cpp index 6961a8d3552..84216aa838c 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Container2.cpp +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Container2.cpp @@ -18,7 +18,7 @@ public: void Alloc() { ptr2 = new T(); // GOOD - ptr3 = new T(); // BAD: not deleted in destructor + ptr3 = new T(); // BAD: not deleted in destructor // $ Alert } void Free() diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/DeleteThis.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/DeleteThis.cpp index fc7ad7de26d..3e4456daf9b 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/DeleteThis.cpp +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/DeleteThis.cpp @@ -53,11 +53,11 @@ public: ptr3 = new MyClass2(); // GOOD ptr4 = new MyClass2(); // GOOD ptr5 = new MyClass2(); // GOOD - ptr10 = new MyClass2(); // BAD: not deleted in destructor + ptr10 = new MyClass2(); // BAD: not deleted in destructor // $ Alert ptr11 = new MyClass2(); // GOOD - ptr12 = new MyClass2(); // BAD: not deleted in destructor + ptr12 = new MyClass2(); // BAD: not deleted in destructor // $ Alert ptr13 = new MyClass2(); // GOOD - ptr14 = new MyClass2(); // BAD: not deleted in destructor + ptr14 = new MyClass2(); // BAD: not deleted in destructor // $ Alert ptr15 = new MyClass2(); // GOOD ptr20 = new MyClass2(); // GOOD } @@ -124,7 +124,7 @@ public: b = new MyClass5(); // GOOD c = new MyClass6(); // GOOD - d = new MyClass7(); // BAD + d = new MyClass7(); // BAD // $ Alert e = new MyClass7(); // BAD [NOT DETECTED] f = new MyClass8(); // BAD [NOT DETECTED] } 
diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/ExternalOwners.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/ExternalOwners.cpp index bdec96f30df..89d298c299d 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/ExternalOwners.cpp +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/ExternalOwners.cpp @@ -46,7 +46,7 @@ class MyScreen public: MyScreen() { - a = new MyWidget(); // BAD (not deleted) + a = new MyWidget(); // BAD (not deleted) // $ Alert b = new MyWidget(); // GOOD (deleted in widgets destructor) widgets.add(b); diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Lambda.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Lambda.cpp index 1b3233c5271..c0b70ee2c17 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Lambda.cpp +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Lambda.cpp @@ -21,7 +21,7 @@ public: }; deleter3(); - r4 = new char[4096]; // BAD + r4 = new char[4096]; // BAD // $ Alert r5 = new char[4096]; // GOOD deleter5 = &deleter_for_r5; diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/ListDelete.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/ListDelete.cpp index bbea9da6f43..ad74ea69e26 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/ListDelete.cpp +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/ListDelete.cpp @@ -18,7 +18,7 @@ class MyThingColection { public: MyThingColection() { - first = new MyThing; // GOOD (all deleted in destructor) [FALSE POSITIVE] + first = new MyThing; // GOOD (all deleted in destructor) [FALSE POSITIVE] // $ Alert first->next = new MyThing; // GOOD (all deleted in destructor) diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/NoDestructor.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/NoDestructor.cpp index f5d2b02efaa..03dfbc62b45 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/NoDestructor.cpp 
+++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/NoDestructor.cpp @@ -20,7 +20,7 @@ class MyClass5 public: MyClass5() { - n = new MyNumber(); // BAD: not deleted + n = new MyNumber(); // BAD: not deleted // $ Alert } private: diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/PlacementNew.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/PlacementNew.cpp index c7794857cb9..68ec8e19952 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/PlacementNew.cpp +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/PlacementNew.cpp @@ -33,7 +33,7 @@ public: { void *buffer_ptr = buffer; - p1 = new MyClassForPlacementNew(1); // BAD: not released + p1 = new MyClassForPlacementNew(1); // BAD: not released // $ Alert p2 = new (std::nothrow) MyClassForPlacementNew(2); // BAD: not released [NOT DETECTED] p3 = new (buffer_ptr) MyClassForPlacementNew(3); // GOOD: placement new, not an allocation } diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/SelfRegistering.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/SelfRegistering.cpp index 75ad7f4d1fa..013eb6398e7 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/SelfRegistering.cpp +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/SelfRegistering.cpp @@ -22,7 +22,7 @@ public: bottom = new MyElement(); // GOOD bottom->bind(this); - side = new MyElement(); // BAD (never released) + side = new MyElement(); // BAD (never released) // $ Alert side->donothing(123); } diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Variants.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Variants.cpp index 7727a038248..0017230d3d0 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Variants.cpp +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Variants.cpp 
@@ -23,7 +23,7 @@ public: c = d = new int; // GOOD (d is deleted) e = local = new int; // BAD (e is not deleted) [NOT REPORTED] - f = new int; // GOOD (ID(f) is deleted) [FALSE POSITIVE] + f = new int; // GOOD (ID(f) is deleted) [FALSE POSITIVE] // $ Alert g = ID(new int); // GOOD (g is deleted) } @@ -66,10 +66,10 @@ class MyClass6 public: MyClass6() { - a = new int[10]; // BAD - b = (int *)calloc(10, sizeof(int)); // BAD - c = (int *)realloc(0, 10 * sizeof(int)); // BAD - d = strdup("string"); // BAD + a = new int[10]; // BAD // $ Alert + b = (int *)calloc(10, sizeof(int)); // BAD // $ Alert + c = (int *)realloc(0, 10 * sizeof(int)); // BAD // $ Alert + d = strdup("string"); // BAD // $ Alert } ~MyClass6() diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Wrapped.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Wrapped.cpp index 6b0eb79f41c..a2c5fb8a991 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Wrapped.cpp +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 79/Wrapped.cpp @@ -43,7 +43,7 @@ class Wrapped2 public: Wrapped2(int len) { ptr1 = new char[len]; // GOOD - ptr2 = new char[len]; // BAD: not released in destructor + ptr2 = new char[len]; // BAD: not released in destructor // $ Alert Init(len); } @@ -56,7 +56,7 @@ public: void Init(int len) { ptr3 = new char[len]; // GOOD - ptr4 = new char[len]; // BAD: not released in destructor + ptr4 = new char[len]; // BAD: not released in destructor // $ Alert } void Shutdown() diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 82/AV Rule 82.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 82/AV Rule 82.cpp index 411902ac32d..c2136dcf287 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 82/AV Rule 82.cpp +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 82/AV Rule 82.cpp 
@@ -15,13 +15,13 @@ class Container { }; struct Bad1 { - Bad1& operator=(const Bad1& other) { + Bad1& operator=(const Bad1& other) { // $ Alert return const_cast(other); // BAD (does not return a reference to *this) } }; struct Bad2 { - Bad2 operator=(const Bad2& other) { + Bad2 operator=(const Bad2& other) { // $ Alert return *this; // BAD (return type is not a reference) } }; @@ -60,7 +60,7 @@ public: return *this = TemplateReturnAssignment(_val); // GOOD (calls above `operator=`) } - TemplateReturnAssignment &operator=(bool b) { + TemplateReturnAssignment &operator=(bool b) { // $ Alert return *(new TemplateReturnAssignment(0)); // BAD (does not return a reference to *this) } @@ -196,7 +196,7 @@ struct TemplatedAssignmentGood { struct TemplatedAssignmentBad { template - typename second::type operator=(T val) { // BAD (missing &) + typename second::type operator=(T val) { // BAD (missing &) // $ Alert return *this; } }; diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 82/AV Rule 82.qlref b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 82/AV Rule 82.qlref index 3e47acb20c8..260d6a99c42 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 82/AV Rule 82.qlref +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 82/AV Rule 82.qlref @@ -1 +1,2 @@ -jsf/4.10 Classes/AV Rule 82.ql +query: jsf/4.10 Classes/AV Rule 82.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 85/AV Rule 85.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 85/AV Rule 85.cpp index 292b8857cb9..18b56dd0d0b 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 85/AV Rule 85.cpp +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 85/AV Rule 85.cpp 
@@ -1,12 +1,12 @@ -class MyClass1 { +class MyClass1 { // $ Alert public: int i; bool operator< (const MyClass1 &rhs){ return i < rhs.i; } // BAD: operator>= missing }; -class MyClass2 { +class MyClass2 { // $ Alert public: int i; bool operator< (const MyClass2 &rhs){ return i < rhs.i; } @@ -22,7 +22,7 @@ public: // GOOD }; -class MyClass4 { +class MyClass4 { // $ Alert public: int i; bool operator< (const MyClass4 &rhs){ return i < rhs.i; } @@ -76,7 +76,7 @@ public: MyClass7 myClass7; template -class MyClass8 { +class MyClass8 { // $ Alert public: int i; template @@ -100,7 +100,7 @@ void f8(void) { } template -class MyClass9 { +class MyClass9 { // $ Alert public: int i; template diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 85/AV Rule 85.qlref b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 85/AV Rule 85.qlref index 2608ffff47c..72f5094881b 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 85/AV Rule 85.qlref +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 85/AV Rule 85.qlref @@ -1 +1,2 @@ -jsf/4.10 Classes/AV Rule 85.ql +query: jsf/4.10 Classes/AV Rule 85.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 97/AV Rule 97.qlref b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 97/AV Rule 97.qlref index c08b4c96619..953d90e70be 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 97/AV Rule 97.qlref +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 97/AV Rule 97.qlref @@ -1 +1,2 @@ -jsf/4.10 Classes/AV Rule 97.ql \ No newline at end of file +query: jsf/4.10 Classes/AV Rule 97.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 97/jsf97.cpp b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 97/jsf97.cpp index df00f154480..8e8b7ab6ba7 100644 --- a/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 97/jsf97.cpp +++ b/cpp/ql/test/query-tests/jsf/4.10 Classes/AV Rule 97/jsf97.cpp 
@@ -3,22 +3,22 @@ typedef int jmp_buf[16]; class C { public: -static int bad1(char xs[10]) +static int bad1(char xs[10]) // $ Alert { return sizeof(xs); } -static int bad2(char xs[]) +static int bad2(char xs[]) // $ Alert { return sizeof(xs); } -static int bad3(chars xs) +static int bad3(chars xs) // $ Alert { return sizeof(xs); } -static int bad4(chars const xs) +static int bad4(chars const xs) // $ Alert { return sizeof(xs); } @@ -37,7 +37,7 @@ static void good_longjmp(jmp_buf j) { } -static void bad_longjmp(int j[16]) +static void bad_longjmp(int j[16]) // $ Alert { } diff --git a/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 107/AV Rule 107.qlref b/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 107/AV Rule 107.qlref index 57f35c3bcf2..e24890cc9a8 100644 --- a/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 107/AV Rule 107.qlref +++ b/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 107/AV Rule 107.qlref @@ -1 +1,2 @@ -jsf/4.13 Functions/AV Rule 107.ql +query: jsf/4.13 Functions/AV Rule 107.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 107/test.c b/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 107/test.c index 975d9e196da..d0fc9396509 100644 --- a/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 107/test.c +++ b/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 107/test.c 
@@ -8,14 +8,14 @@ void test1() { - void inner1(); // BAD - extern int inner2(); // BAD + void inner1(); // BAD // $ Alert + extern int inner2(); // BAD // $ Alert void inner3() {}; // GOOD (this isn't a declaration, it's a GCC nested function) MY_FUNCTION_1(); // GOOD (in a macro) MY_FUNCTION_2(); // GOOD (in a macro) - MYTYPE inner4(); // BAD (function declaration is not in the macro) - void inner5(MYTYPE p); // BAD (function declaration is not in the macro) + MYTYPE inner4(); // BAD (function declaration is not in the macro) // $ Alert + void inner5(MYTYPE p); // BAD (function declaration is not in the macro) // $ Alert } #define STATICASSERT(cond) void staticAssert(int arg[(cond) ? (1) : (-1)]) diff --git a/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/AV Rule 114.qlref b/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/AV Rule 114.qlref index fbffe346bcf..16716eca98f 100644 --- a/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/AV Rule 114.qlref +++ b/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/AV Rule 114.qlref @@ -1 +1,2 @@ -jsf/4.13 Functions/AV Rule 114.ql +query: jsf/4.13 Functions/AV Rule 114.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/complex.c b/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/complex.c index fc190eb518c..767eb428444 100644 --- a/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/complex.c +++ b/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/complex.c @@ -1,10 +1,10 @@ _Complex double complexTest1(float a, float b) { - _Complex double x = __builtin_complex(a, b); // BAD + _Complex double x = __builtin_complex(a, b); // BAD // $ Alert } _Complex double complexTest2(float a, float b) { - auto x = __builtin_complex(a, b) * 2.0f; // BAD + auto x = __builtin_complex(a, b) * 2.0f; // BAD // $ Alert } _Complex double complexTest3(float a, float b) { 
diff --git a/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/test.c b/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/test.c index f0b2dff1330..021e9e5d2d7 100644 --- a/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/test.c +++ b/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/test.c @@ -5,7 +5,7 @@ int f1(void) { } int f2(void) { - int x = 1; + int x = 1; // $ Alert } // BAD int f3(int b) { @@ -22,7 +22,7 @@ int f3(int b) { int f4(int b) { int x; if (b) { - x = 1; + x = 1; // $ Alert } else { x = 3; return 4; @@ -36,7 +36,7 @@ int f5(void) { int f6(int b) { int x; if (b) { - x = 1; + x = 1; // $ Alert } else { __builtin_unreachable(); } diff --git a/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/test.cpp b/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/test.cpp index 0c7e02ce9ac..d31506df016 100644 --- a/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/test.cpp +++ b/cpp/ql/test/query-tests/jsf/4.13 Functions/AV Rule 114/test.cpp @@ -15,7 +15,7 @@ MyValue g1() MyValue g2() { // BAD -} +} // $ Alert MyValue g3() { @@ -49,7 +49,7 @@ MyValue g7(bool c) DONOTHING DONOTHING // BAD -} +} // $ Alert typedef void MYVOID; MYVOID g8() @@ -73,7 +73,7 @@ TypePair::first g9() TypePair::second g10() { // BAD (the return type amounts to int) -} +} // $ Alert template typename TypePair::first g11() @@ -85,7 +85,7 @@ template typename TypePair::second g12() { // BAD (the return type amounts to T / int) -} +} // $ Alert void instantiate() { @@ -109,7 +109,7 @@ int g14(int x) { myThrow("fail"); // BAD (doesn't always throw) } -} +} // $ Alert int g15(int x) { 
@@ -131,14 +131,14 @@ void myConditionalThrow(bool condition, const char *error) int g16(int x) { - myConditionalThrow(x < 10, "fail"); // BAD (doesn't always throw) + myConditionalThrow(x < 10, "fail"); // BAD (doesn't always throw) // $ Alert } int g17(int x) { try { - myConditionalThrow(x < 10, "fail"); + myConditionalThrow(x < 10, "fail"); // $ Alert } catch (...) { return x; // BAD (doesn't always reach this return) } @@ -186,7 +186,7 @@ int g22() { } int g23() { - Aborting().a(); // GOOD [FALSE POSITIVE] + Aborting().a(); // GOOD [FALSE POSITIVE] // $ Alert } [[__noreturn__]] diff --git a/cpp/ql/test/query-tests/jsf/4.16 Initialization/AV Rule 145/AV Rule 145.qlref b/cpp/ql/test/query-tests/jsf/4.16 Initialization/AV Rule 145/AV Rule 145.qlref index 27a18956b40..6bc33e6e8de 100644 --- a/cpp/ql/test/query-tests/jsf/4.16 Initialization/AV Rule 145/AV Rule 145.qlref +++ b/cpp/ql/test/query-tests/jsf/4.16 Initialization/AV Rule 145/AV Rule 145.qlref @@ -1 +1,2 @@ -jsf/4.16 Initialization/AV Rule 145.ql +query: jsf/4.16 Initialization/AV Rule 145.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.16 Initialization/AV Rule 145/test.c b/cpp/ql/test/query-tests/jsf/4.16 Initialization/AV Rule 145/test.c index cd7b5677909..11a8f359329 100644 --- a/cpp/ql/test/query-tests/jsf/4.16 Initialization/AV Rule 145/test.c +++ b/cpp/ql/test/query-tests/jsf/4.16 Initialization/AV Rule 145/test.c @@ -5,7 +5,7 @@ enum { E1C }; -enum { +enum { // $ Alert E2A = 1, E2B, E2C, @@ -13,7 +13,7 @@ enum { E2E }; -enum { +enum { // $ Alert E3A = 1, E3B = 2, E3C = 10, @@ -35,7 +35,7 @@ enum { E5C }; -enum { +enum { // $ Alert E6A, E6B, E6C = 10, diff --git a/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 157/AV Rule 157.qlref b/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 157/AV Rule 157.qlref index be23cb77df5..4a9a7d359f8 100644 --- a/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 157/AV Rule 157.qlref 
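Review bot: The known false positive in `g23` is recorded as an ordinary expected result, `Aborting().a(); // GOOD [FALSE POSITIVE] // $ Alert`, so the test now asserts the imprecise behaviour as if it were intended. The inline-expectations format has a marker for this case; `Aborting().a(); // GOOD [FALSE POSITIVE] // $ SPURIOUS: Alert` should keep the test passing today and make a later precision fix show up as a resolved spurious result instead of an unexplained change. The same applies to `union myUnion4 { // GOOD? [FALSE POSITIVE] // $ Alert` in the second hunk of AV Rule 210.c.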
+++ b/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 157/AV Rule 157.qlref @@ -1 +1,2 @@ -jsf/4.21 Operators/AV Rule 157.ql +query: jsf/4.21 Operators/AV Rule 157.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 157/test.c b/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 157/test.c index 69656806dd9..594ffff2eea 100644 --- a/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 157/test.c +++ b/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 157/test.c @@ -17,19 +17,19 @@ void f(int x, int y) { if (x && y) x++; - if (x && y++) + if (x && y++) // $ Alert x++; if (x && pureFun()) x++; - if (x && imPureFun()) + if (x && imPureFun()) // $ Alert x++; if (x && strcmp("foo", "bar")) x++; - if (x && unknownFun("foo", "bar")) + if (x && unknownFun("foo", "bar")) // $ Alert x++; } diff --git a/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 164/AV Rule 164.qlref b/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 164/AV Rule 164.qlref index d6afaadc595..637a63fa173 100644 --- a/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 164/AV Rule 164.qlref +++ b/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 164/AV Rule 164.qlref @@ -1 +1,2 @@ -jsf/4.21 Operators/AV Rule 164.ql +query: jsf/4.21 Operators/AV Rule 164.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 164/test.c b/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 164/test.c index 99cc6bd7db7..d6f2ceb6148 100644 --- a/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 164/test.c +++ b/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 164/test.c 
@@ -1,28 +1,28 @@ void f(unsigned char uc, signed char sc, int i) { - uc >> -1; // BAD + uc >> -1; // BAD // $ Alert uc >> 0; uc >> 7; - uc >> 8; // BAD + uc >> 8; // BAD // $ Alert - uc << -1; // BAD + uc << -1; // BAD // $ Alert uc << 0; uc << 7; - uc << 8; // BAD + uc << 8; // BAD // $ Alert uc >>= -1; // BAD [NOT DETECTED] uc >>= 0; // BAD [NOT DETECTED] uc >>= 7; uc >>= 8; // BAD [NOT DETECTED] - sc >> -1; // BAD + sc >> -1; // BAD // $ Alert sc >> 0; sc >> 7; - sc >> 8; // BAD + sc >> 8; // BAD // $ Alert - ((unsigned char)i) >> -1; // BAD + ((unsigned char)i) >> -1; // BAD // $ Alert ((unsigned char)i) >> 0; ((unsigned char)i) >> 7; - ((unsigned char)i) >> 8; // BAD + ((unsigned char)i) >> 8; // BAD // $ Alert } diff --git a/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 165/AV Rule 165.qlref b/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 165/AV Rule 165.qlref index a6ee879dfe9..d80a910b428 100644 --- a/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 165/AV Rule 165.qlref +++ b/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 165/AV Rule 165.qlref @@ -1 +1,2 @@ -jsf/4.21 Operators/AV Rule 165.ql +query: jsf/4.21 Operators/AV Rule 165.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 165/test.c b/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 165/test.c index 26d53e5a0c3..dc5248ee7c3 100644 --- a/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 165/test.c +++ b/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 165/test.c 
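Review bot: The compound-assignment cases in this hunk are left as prose only: `uc >>= -1; // BAD [NOT DETECTED]` and `uc >>= 8; // BAD [NOT DETECTED]` stay as context lines with no expectation, so the query's known false negatives for out-of-range shift amounts are not tracked by the converted test. Appending `// $ MISSING: Alert` to those lines would record the gap without changing the current result, and the test would then report when the query starts covering `>>=`. The same gap remains at `ui = -(5U); // BAD [NOT DETECTED]` in AV Rule 165/test.c and at `x++; // BAD: unreachable [NOT DETECTED]` in AV Rule 186/test.c.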
@@ -3,25 +3,25 @@ typedef unsigned int TUI; void f(int i, unsigned int ui, signed int si, TUI tui, volatile unsigned int vui, unsigned u, unsigned short us) { i = -i; - i = -ui; // BAD + i = -ui; // BAD // $ Alert i = -si; ui = -i; - ui = -ui; // BAD + ui = -ui; // BAD // $ Alert ui = -si; si = -i; - si = -ui; // BAD + si = -ui; // BAD // $ Alert si = -si; i = -(int)i; - i = -(unsigned int)i; // BAD + i = -(unsigned int)i; // BAD // $ Alert i = -(signed int)i; ui = -(int)ui; - ui = -(unsigned int)ui; // BAD + ui = -(unsigned int)ui; // BAD // $ Alert ui = -(signed int)ui; - tui = -tui; // BAD - vui = -vui; // BAD - u = -u; // BAD - us = -us; // BAD + tui = -tui; // BAD // $ Alert + vui = -vui; // BAD // $ Alert + u = -u; // BAD // $ Alert + us = -us; // BAD // $ Alert ui = -(5U); // BAD [NOT DETECTED] } diff --git a/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 166/AV Rule 166.qlref b/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 166/AV Rule 166.qlref index 956118bf8c5..bccd0316158 100644 --- a/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 166/AV Rule 166.qlref +++ b/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 166/AV Rule 166.qlref @@ -1 +1,2 @@ -jsf/4.21 Operators/AV Rule 166.ql +query: jsf/4.21 Operators/AV Rule 166.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 166/test.c b/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 166/test.c index e272214215d..5af0c3c7052 100644 --- a/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 166/test.c +++ b/cpp/ql/test/query-tests/jsf/4.21 Operators/AV Rule 166/test.c @@ -19,8 +19,8 @@ void f(void) { sizeof(vi); sizeof(*ip); sizeof(*vip); - sizeof(global++); + sizeof(global++); // $ Alert sizeof(pure()); - sizeof(impure()); + sizeof(impure()); // $ Alert } 
diff --git a/cpp/ql/test/query-tests/jsf/4.22 Pointers and References/AV Rule 176/176.cpp b/cpp/ql/test/query-tests/jsf/4.22 Pointers and References/AV Rule 176/176.cpp index 36c5d9a84fa..e263b8f89a0 100644 --- a/cpp/ql/test/query-tests/jsf/4.22 Pointers and References/AV Rule 176/176.cpp +++ b/cpp/ql/test/query-tests/jsf/4.22 Pointers and References/AV Rule 176/176.cpp @@ -15,31 +15,31 @@ operator_t good_get_operator(bool which) return which ? add : sub; } -int (*bad_get_operator(bool which))(int, int) +int (*bad_get_operator(bool which))(int, int) // $ Alert { return which ? add : sub; } typedef operator_t (*good_meta_t)(bool); -typedef int (*(*bad_meta_t)(bool))(int, int); +typedef int (*(*bad_meta_t)(bool))(int, int); // $ Alert int good_call(operator_t op, int lhs, int rhs) { return op(lhs, rhs); } -int bad_call(int(*op)(int, int), int lhs, int rhs) +int bad_call(int(*op)(int, int), int lhs, int rhs) // $ Alert { return op(lhs, rhs); } typedef int (*good_call_t)(operator_t, int, int); -typedef int (*bad_call_t)(int(*)(int, int), int, int); +typedef int (*bad_call_t)(int(*)(int, int), int, int); // $ Alert void usages() { operator_t good_op = add; - int (*bad_op)(int, int) = good_op; + int (*bad_op)(int, int) = good_op; // $ Alert good_meta_t good_meta_1 = good_get_operator; bad_meta_t good_meta_2 = good_meta_1; diff --git a/cpp/ql/test/query-tests/jsf/4.22 Pointers and References/AV Rule 176/176.qlref b/cpp/ql/test/query-tests/jsf/4.22 Pointers and References/AV Rule 176/176.qlref index b4218cca835..18ed00a74cf 100644 --- a/cpp/ql/test/query-tests/jsf/4.22 Pointers and References/AV Rule 176/176.qlref +++ b/cpp/ql/test/query-tests/jsf/4.22 Pointers and References/AV Rule 176/176.qlref @@ -1 +1,2 @@ -jsf/4.22 Pointers and References/AV Rule 176.ql +query: jsf/4.22 Pointers and References/AV Rule 176.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 186/AV Rule 186.qlref b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 186/AV Rule 186.qlref index f6fb0bccea0..a811ca432d0 100644 --- a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 186/AV Rule 186.qlref +++ b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 186/AV Rule 186.qlref @@ -1 +1,2 @@ -jsf/4.24 Control Flow Structures/AV Rule 186.ql +query: jsf/4.24 Control Flow Structures/AV Rule 186.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 186/test.c b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 186/test.c index 5dc0c0e9417..b40616d2ecf 100644 --- a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 186/test.c +++ b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 186/test.c @@ -11,7 +11,7 @@ void called2() x++; } -void not_called() +void not_called() // $ Alert { x++; // BAD: unreachable } @@ -29,7 +29,7 @@ int main(int argc, const char* argv[]) while (1) { x++; } - x++; // BAD: unreachable + x++; // BAD: unreachable // $ Alert } else if (argc > 4) { x++; // BAD: unreachable [NOT DETECTED] } else if (argc > 5) { diff --git a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 193/AV Rule 193.c b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 193/AV Rule 193.c index 4a0f0e07dd0..42431663c9c 100644 --- a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 193/AV Rule 193.c +++ b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 193/AV Rule 193.c @@ -7,7 +7,7 @@ void m(enum color value) { switch(value) { case red: // compliant case green: // compliant - case blue: // non-compliant + case blue: // non-compliant // $ Alert f(value); case cyan: // compliant case magenta: // compliant 
@@ -33,7 +33,7 @@ void m(enum color value) { case green: // COMPLIANT f(value); break; - default: // NON-COMPLIANT + default: // NON-COMPLIANT // $ Alert g(value); case cyan: // COMPLIANT g(value); diff --git a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 193/AV Rule 193.qlref b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 193/AV Rule 193.qlref index ee2fb868161..6fb2579f4d3 100644 --- a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 193/AV Rule 193.qlref +++ b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 193/AV Rule 193.qlref @@ -1 +1,2 @@ -jsf/4.24 Control Flow Structures/AV Rule 193.ql +query: jsf/4.24 Control Flow Structures/AV Rule 193.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 193/nested.c b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 193/nested.c index ae2ea4e9c8f..2a2d79d3a54 100644 --- a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 193/nested.c +++ b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 193/nested.c @@ -17,12 +17,12 @@ void nested1(int i) { void nested2(int i) { switch (i) { - case 1: + case 1: // $ Alert i = 1; break; { ; ; ; ; ; ; ; - default: + default: // $ Alert i = 3; } case 2: diff --git a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 193/test.c b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 193/test.c index 9cee970ddf1..3f9fe567a53 100644 --- a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 193/test.c +++ b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 193/test.c @@ -3,7 +3,7 @@ void f1(int i) { switch(i) { case 1: case 2: - case 3: + case 3: // $ Alert i = 3; // Bad case 4: case 5: 
@@ -24,14 +24,14 @@ void f2(int i) { switch(i) { case 1: case 2: - case 3: + case 3: // $ Alert i = 3; // Bad case 4: case 5: case 6: i = 6; break; // OK: has break - default: + default: // $ Alert i = 10; // Bad: default not at end case 7: case 8: @@ -45,7 +45,7 @@ void f3(int i) { switch(i) { case 1: case 2: - case 3: + case 3: // $ Alert i = 3; // Bad case 4: case 5: @@ -59,7 +59,7 @@ void f3(int i) { return; // OK: has return case 10: case 11: - case 12: + case 12: // $ Alert i = 12; // Bad } } @@ -68,7 +68,7 @@ void f4(int i) { switch(i) { case 1: case 2: - case 3: + case 3: // $ Alert { i = 3; // Bad } diff --git a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 196/AV Rule 196.c b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 196/AV Rule 196.c index 85a29ed21ba..d401c9aa170 100644 --- a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 196/AV Rule 196.c +++ b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 196/AV Rule 196.c @@ -1,19 +1,19 @@ static void f(int x) { switch(x) { - } + } // $ Alert switch(x) { default:; - } + } // $ Alert switch(x) { case 0:; - } + } // $ Alert switch(x) { default: case 0:; - } + } // $ Alert switch(x) { case 0:; diff --git a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 196/AV Rule 196.qlref b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 196/AV Rule 196.qlref index 6a4f71e8e16..1b51ce65ee6 100644 --- a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 196/AV Rule 196.qlref +++ b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 196/AV Rule 196.qlref @@ -1 +1,2 @@ -jsf/4.24 Control Flow Structures/AV Rule 196.ql +query: jsf/4.24 Control Flow Structures/AV Rule 196.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 201/AV Rule 201.c b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 201/AV Rule 201.c index b106f648aaa..b5c1309c07e 100644 --- a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 201/AV Rule 201.c +++ b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 201/AV Rule 201.c @@ -10,14 +10,14 @@ int main() j = 0; for (i = 0; i < 10; i++) { - i = 10; // BAD (for loop variable changed in body) + i = 10; // BAD (for loop variable changed in body) // $ Alert[cpp/loop-variable-changed] j = 10; } // nested loops for (i = 0; i < 10; i++) { - for (i = 0; i < 10; i++) // BAD (nested loops with same variable) + for (i = 0; i < 10; i++) // BAD (nested loops with same variable) // $ Alert[cpp/nested-loops-with-same-variable] { // ... } @@ -26,12 +26,12 @@ int main() { for (j = 0; j < 10; j++) { - i++; // BAD (for loop variable changed in body) - j++; // BAD (for loop variable changed in body) + i++; // BAD (for loop variable changed in body) // $ Alert[cpp/loop-variable-changed] + j++; // BAD (for loop variable changed in body) // $ Alert[cpp/loop-variable-changed] k++; } - for (i = 0; i < 10; i++) // BAD (nested loops with same variable) + for (i = 0; i < 10; i++) // BAD (nested loops with same variable) // $ Alert[cpp/nested-loops-with-same-variable] { j++; } @@ -40,7 +40,7 @@ int main() { for (j = 0; j < 10; j++) { - for (i = 0; i < 10; i++) // BAD (nested loops with same variable) + for (i = 0; i < 10; i++) // BAD (nested loops with same variable) // $ Alert[cpp/nested-loops-with-same-variable] { // ... } 
@@ -50,9 +50,9 @@ int main() { for (j = 0; j < 10; j++) { - for (j = 0; j < 10; j++) // BAD (nested loops with same variable) + for (j = 0; j < 10; j++) // BAD (nested loops with same variable) // $ Alert[cpp/nested-loops-with-same-variable] { - j++; // BAD (for loop variable changed in body) + j++; // BAD (for loop variable changed in body) // $ Alert[cpp/loop-variable-changed] } } } @@ -62,17 +62,17 @@ int main() { c = *char_ptr; *char_ptr += 1; - char_ptr += 1; // BAD (for loop variable changed in body) + char_ptr += 1; // BAD (for loop variable changed in body) // $ Alert[cpp/loop-variable-changed] } // more nested loops for (i = 0; i < 10; i++) { - for (j = 0; j < 10; i++) // BAD (for loop variable changed in body) + for (j = 0; j < 10; i++) // BAD (for loop variable changed in body) // $ Alert[cpp/loop-variable-changed] { } - for (i = 0; j < 10; j++) // BAD (for loop variable changed in body) + for (i = 0; j < 10; j++) // BAD (for loop variable changed in body) // $ Alert[cpp/loop-variable-changed] { } } diff --git a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 201/AV Rule 201.qlref b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 201/AV Rule 201.qlref index f972ec2b8b8..95b0090d38d 100644 --- a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 201/AV Rule 201.qlref +++ b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 201/AV Rule 201.qlref @@ -1 +1,2 @@ -jsf/4.24 Control Flow Structures/AV Rule 201.ql +query: jsf/4.24 Control Flow Structures/AV Rule 201.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 201/NestedLoopSameVar.qlref b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 201/NestedLoopSameVar.qlref index 699de5e67d1..3a75252c410 100644 --- a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 201/NestedLoopSameVar.qlref 
+++ b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 201/NestedLoopSameVar.qlref @@ -1 +1,2 @@ -Likely Bugs/NestedLoopSameVar.ql +query: Likely Bugs/NestedLoopSameVar.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 201/StructMembers.cpp b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 201/StructMembers.cpp index ef9f5ac51d8..62e7cbe1c40 100644 --- a/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 201/StructMembers.cpp +++ b/cpp/ql/test/query-tests/jsf/4.24 Control Flow Structures/AV Rule 201/StructMembers.cpp @@ -18,12 +18,12 @@ int main() { } - for (s1.b = 0; s1.b < 10; s1.b++) // BAD: same loop variable as a surrounding loop + for (s1.b = 0; s1.b < 10; s1.b++) // BAD: same loop variable as a surrounding loop // $ Alert[cpp/nested-loops-with-same-variable] { } s2.b++; // GOOD - s1.b++; // BAD: modifies loop counter of a surrounding loop + s1.b++; // BAD: modifies loop counter of a surrounding loop // $ Alert[cpp/loop-variable-changed] } } } diff --git a/cpp/ql/test/query-tests/jsf/4.28 Portable Code/AV Rule 210/AV Rule 210.c b/cpp/ql/test/query-tests/jsf/4.28 Portable Code/AV Rule 210/AV Rule 210.c index 57f5432c702..76a5c0fdf6a 100644 --- a/cpp/ql/test/query-tests/jsf/4.28 Portable Code/AV Rule 210/AV Rule 210.c +++ b/cpp/ql/test/query-tests/jsf/4.28 Portable Code/AV Rule 210/AV Rule 210.c @@ -1,5 +1,5 @@ -union myUnion1 { // BAD +union myUnion1 { // BAD // $ Alert int asInt; char asChar[4]; }; 
@@ -16,17 +16,17 @@ union myUnion3 { // GOOD void test1(int *myIntPtr) { - short *myShortPtr = (short *)myIntPtr; // BAD - long long *myLongPtr = (long long *)myIntPtr; // BAD + short *myShortPtr = (short *)myIntPtr; // BAD // $ Alert + long long *myLongPtr = (long long *)myIntPtr; // BAD // $ Alert int myArray[10]; myIntPtr = (int *)myArray; // GOOD - myShortPtr = (short *)myArray; // BAD [BUT DOUBLY REPORTED] + myShortPtr = (short *)myArray; // BAD [BUT DOUBLY REPORTED] // $ Alert return 0; } -union myUnion4 { // GOOD? [FALSE POSITIVE] +union myUnion4 { // GOOD? [FALSE POSITIVE] // $ Alert char myChar; int myInt; }; diff --git a/cpp/ql/test/query-tests/jsf/4.28 Portable Code/AV Rule 210/AV Rule 210.qlref b/cpp/ql/test/query-tests/jsf/4.28 Portable Code/AV Rule 210/AV Rule 210.qlref index 093bf9f081e..fe56120cad8 100644 --- a/cpp/ql/test/query-tests/jsf/4.28 Portable Code/AV Rule 210/AV Rule 210.qlref +++ b/cpp/ql/test/query-tests/jsf/4.28 Portable Code/AV Rule 210/AV Rule 210.qlref @@ -1 +1,2 @@ -jsf/4.28 Portable Code/AV Rule 210.ql +query: jsf/4.28 Portable Code/AV Rule 210.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql