Compare commits

..

24 Commits

Author SHA1 Message Date
Max Schaefer
eb3d0f5b0e Add merlyn.md which explains the changes on this branch. 2021-04-19 15:04:21 +01:00
Max Schaefer
09cf8e8b01 Remove RequestHeaderAccess. 2021-04-19 15:04:21 +01:00
Max Schaefer
bd8212c090 Remove RequestInputAccess. 2021-04-19 15:04:21 +01:00
Max Schaefer
f106d186e4 Remove MultipartyRemoteFlow. 2021-04-19 15:04:21 +01:00
Max Schaefer
e2c84407b4 Revert changes to Express::RequestInputAccess in c45d84f8f3 and 9cacfab7c6. 2021-04-19 15:04:21 +01:00
Max Schaefer
67b15125c7 Revert changes to Express::RequestInputAccess in d84f1b47c2. 2021-04-19 15:04:21 +01:00
Max Schaefer
caf763a969 Revert changes to Express::RequestInputAccess in ed48efe5b4. 2021-04-19 15:04:21 +01:00
Max Schaefer
4f8f5048f3 Revert changes to Express::RequestInputAccess in 83f0514475. 2021-04-19 15:04:21 +01:00
Max Schaefer
2366679d9b Revert changes to Express::RequestInputAccess in e2fbf8a68c. 2021-04-19 15:04:21 +01:00
Max Schaefer
66399c055e Remove MicroBodyParserCall. 2021-04-19 15:04:21 +01:00
Max Schaefer
85c02a430e Remove ServerRequestDataEvent. 2021-04-19 15:04:20 +01:00
Max Schaefer
29945b8ed0 Remove VueRouterFlowSource. 2021-04-19 15:04:20 +01:00
Max Schaefer
a8ef1bc32a Remove ServerlessHandlerEventAsRemoteFlow. 2021-04-19 15:04:20 +01:00
Max Schaefer
0781a138af Remove ReceivedItemAsRemoteFlow. 2021-04-19 15:04:20 +01:00
Max Schaefer
6fd67c4d8e Remove ReactRouterSource. 2021-04-19 15:04:19 +01:00
Max Schaefer
89747ecf83 Revert changes to `PostMessageEventHandler in cb7de27. 2021-04-19 15:03:51 +01:00
Max Schaefer
c013e3f9c3 Remove NodeJSNetServerItemAsRemoteFlow. 2021-04-19 15:03:51 +01:00
Max Schaefer
3b14b27635 Remove NextParams. 2021-04-19 15:03:51 +01:00
Max Schaefer
2ae32be934 Revert changes to ClientRequestData from 0b55aed626. 2021-04-19 15:03:51 +01:00
Max Schaefer
6647f6b9c4 Remove FormidableRemoteFlow. 2021-04-19 15:03:51 +01:00
Max Schaefer
41ceb291de Remove BusBoyRemoteFlow. 2021-04-19 15:03:51 +01:00
Max Schaefer
615418d2e3 Remove AngularSource. 2021-04-19 15:03:49 +01:00
Max Schaefer
0ba76f7d0e Revert "JS: Move $() sink into separate dataflow config"
This reverts commit 50a015c73e.
2021-04-19 15:03:11 +01:00
Max Schaefer
d97a10ef8a Revert "JS: Address review comments"
This reverts commit c91cdb5194.
2021-04-19 14:57:18 +01:00
1932 changed files with 21271 additions and 71748 deletions

View File

@@ -1,6 +1,5 @@
{ "provide": [ "*/ql/src/qlpack.yml", { "provide": [ "*/ql/src/qlpack.yml",
"*/ql/test/qlpack.yml", "*/ql/test/qlpack.yml",
"cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml",
"*/ql/examples/qlpack.yml", "*/ql/examples/qlpack.yml",
"*/upgrades/qlpack.yml", "*/upgrades/qlpack.yml",
"misc/legacy-support/*/qlpack.yml", "misc/legacy-support/*/qlpack.yml",

View File

@@ -19,5 +19,5 @@ jobs:
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: | run: |
gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' | gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate |
grep true -c jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' --exit-status

View File

@@ -1,30 +0,0 @@
name: Mark stale issues
on:
workflow_dispatch:
schedule:
- cron: "30 1 * * *"
jobs:
stale:
if: github.repository == 'github/codeql'
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v3
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Comment or remove the `Stale` label in order to avoid having this issue closed in 7 days.'
close-issue-message: 'This issue was closed because it has been inactive for 7 days.'
days-before-stale: 14
days-before-close: 7
only-labels: awaiting-response
# do not mark PRs as stale
days-before-pr-stale: -1
days-before-pr-close: -1
# Uncomment for dry-run
# debug-only: true
# operations-per-run: 1000

View File

@@ -19,18 +19,13 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
pull-requests: read
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v2 uses: actions/checkout@v2
# Initializes the CodeQL tools for scanning. # Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL - name: Initialize CodeQL
uses: github/codeql-action/init@main uses: github/codeql-action/init@v1
# Override language selection by uncommenting this and choosing your languages # Override language selection by uncommenting this and choosing your languages
with: with:
languages: csharp languages: csharp
@@ -39,7 +34,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below) # If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild - name: Autobuild
uses: github/codeql-action/autobuild@main uses: github/codeql-action/autobuild@v1
# Command-line programs to run using the OS shell. # Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl # 📚 https://git.io/JvXDl
@@ -53,4 +48,4 @@ jobs:
# make release # make release
- name: Perform CodeQL Analysis - name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@main uses: github/codeql-action/analyze@v1

View File

@@ -1,77 +0,0 @@
name: Build/check CSV flow coverage report
on:
workflow_dispatch:
inputs:
qlModelShaOverride:
description: 'github/codeql repo SHA used for looking up the CSV models'
required: false
push:
branches:
- main
- 'rc/**'
pull_request:
paths:
- '.github/workflows/csv-coverage.yml'
- '*/ql/src/**/*.ql'
- '*/ql/src/**/*.qll'
- 'misc/scripts/library-coverage/*.py'
# input data files
- '*/documentation/library-coverage/cwe-sink.csv'
- '*/documentation/library-coverage/frameworks.csv'
# coverage report files
- '*/documentation/library-coverage/flow-model-coverage.csv'
- '*/documentation/library-coverage/flow-model-coverage.rst'
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Clone self (github/codeql)
uses: actions/checkout@v2
with:
path: script
- name: Clone self (github/codeql) at a given SHA for analysis
if: github.event.inputs.qlModelShaOverride != ''
uses: actions/checkout@v2
with:
path: codeqlModels
ref: github.event.inputs.qlModelShaOverride
- name: Clone self (github/codeql) for analysis
if: github.event.inputs.qlModelShaOverride == ''
uses: actions/checkout@v2
with:
path: codeqlModels
- name: Set up Python 3.8
uses: actions/setup-python@v2
with:
python-version: 3.8
- name: Download CodeQL CLI
uses: dsaltares/fetch-gh-release-asset@aa37ae5c44d3c9820bc12fe675e8670ecd93bd1c
with:
repo: "github/codeql-cli-binaries"
version: "latest"
file: "codeql-linux64.zip"
token: ${{ secrets.GITHUB_TOKEN }}
- name: Unzip CodeQL CLI
run: unzip -d codeql-cli codeql-linux64.zip
- name: Build modeled package list
run: |
PATH="$PATH:codeql-cli/codeql" python script/misc/scripts/library-coverage/generate-report.py ci codeqlModels script
- name: Upload CSV package list
uses: actions/upload-artifact@v2
with:
name: csv-flow-model-coverage
path: flow-model-coverage-*.csv
- name: Upload RST package list
uses: actions/upload-artifact@v2
with:
name: rst-flow-model-coverage
path: flow-model-coverage-*.rst
# - name: Check coverage files
# if: github.event.pull_request
# run: |
# python script/misc/scripts/library-coverage/compare-files.py codeqlModels

View File

@@ -70,4 +70,3 @@
## Changes to libraries ## Changes to libraries
* The predicate `TypeAnnotation.hasQualifiedName` now works in more cases when the imported library was not present during extraction. * The predicate `TypeAnnotation.hasQualifiedName` now works in more cases when the imported library was not present during extraction.
* The class `DomBasedXss::Configuration` has been deprecated, as it has been split into `DomBasedXss::HtmlInjectionConfiguration` and `DomBasedXss::JQueryHtmlOrSelectorInjectionConfiguration`. Unless specifically working with jQuery sinks, subclasses should instead be based on `HtmlInjectionConfiguration`. To use both configurations in a query, see [Xss.ql](https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-079/Xss.ql) for an example.

View File

@@ -5,7 +5,6 @@
"java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll", "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll",
"java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll", "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll",
"java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll", "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll",
"java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll",
"cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll", "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll",
"cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll", "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll",
"cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll", "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll",
@@ -57,10 +56,6 @@
"csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll", "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
"python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll" "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll"
], ],
"DataFlow Java/C# Flow Summaries": [
"java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
"csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll"
],
"SsaReadPosition Java/C#": [ "SsaReadPosition Java/C#": [
"java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll", "java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
"csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll" "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
@@ -250,10 +245,6 @@
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll", "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll",
"csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll" "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll"
], ],
"SSA PrintAliasAnalysis": [
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintAliasAnalysis.qll",
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintAliasAnalysis.qll"
],
"C++ SSA AliasAnalysisImports": [ "C++ SSA AliasAnalysisImports": [
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysisImports.qll", "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysisImports.qll",
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysisImports.qll" "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysisImports.qll"
@@ -443,10 +434,6 @@
], ],
"CryptoAlgorithms Python/JS": [ "CryptoAlgorithms Python/JS": [
"javascript/ql/src/semmle/javascript/security/CryptoAlgorithms.qll", "javascript/ql/src/semmle/javascript/security/CryptoAlgorithms.qll",
"python/ql/src/semmle/python/concepts/CryptoAlgorithms.qll" "python/ql/src/semmle/crypto/Crypto.qll"
],
"SensitiveDataHeuristics Python/JS": [
"javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll",
"python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll"
] ]
} }

View File

@@ -1,2 +0,0 @@
lgtm
* The `cpp/tainted-arithmetic`, `cpp/arithmetic-with-extreme-values`, and `cpp/uncontrolled-arithmetic` queries now recognize more functions as returning the absolute value of their input. As a result, they produce fewer false positives.

View File

@@ -1,2 +0,0 @@
lgtm,codescanning
* The 'Unsigned difference expression compared to zero' (cpp/unsigned-difference-expression-compared-zero) query has been improved to produce fewer false positive results.

View File

@@ -1,2 +0,0 @@
lgtm
* The queries cpp/tainted-arithmetic, cpp/uncontrolled-arithmetic, and cpp/arithmetic-with-extreme-values have been improved to produce fewer false positives.

View File

@@ -1,2 +0,0 @@
codescanning
* The 'Pointer to stack object used as return value' (cpp/return-stack-allocated-object) query has been deprecated, and any uses should be replaced with `Returning stack-allocated memory` (cpp/return-stack-allocated-memory).

View File

@@ -1,2 +0,0 @@
lgtm,codescanning
* The `exprMightOverflowPositively` and `exprMightOverflowNegatively` predicates from the `SimpleRangeAnalysis` library now recognize more expressions that might overflow.

View File

@@ -1,2 +0,0 @@
lgtm,codescanning
* The 'Comparison with wider type' (cpp/comparison-with-wider-type) query has been improved to produce fewer false positives.

View File

@@ -1,2 +0,0 @@
lgtm,codescanning
* The query "Uncontrolled arithmetic" (`cpp/uncontrolled-arithmetic`) has been improved to produce fewer false positives.

View File

@@ -1,2 +0,0 @@
lgtm
* The "Tainted allocation size" query (cpp/uncontrolled-allocation-size) has been improved to produce fewer false positives.

View File

@@ -1,2 +0,0 @@
lgtm
* The "Static buffer overflow" query (cpp/static-buffer-overflow) has been improved to produce fewer false positives.

View File

@@ -1,2 +0,0 @@
lgtm,codescanning
* The "Use of a broken or risky cryptographic algorithm" (`cpp/weak-cryptographic-algorithm`) query has been enhanced to reduce false positive results, and (rarely) find more true positive results.

View File

@@ -1,2 +0,0 @@
lgtm
* A new query (`cpp/incorrect-allocation-error-handling`) has been added. The query finds incorrect error-handling of calls to `operator new`. This query was originally [submitted as an experimental query by @ihsinme](https://github.com/github/codeql/pull/5010).

View File

@@ -1,2 +0,0 @@
lgtm,codescanning
* lvalue/rvalue ref qualifiers are now accessible via the new predicates on `MemberFunction`(`.isLValueRefQualified`, `.isRValueRefQualified`, and `isRefQualified`).

View File

@@ -1,2 +0,0 @@
lgtm
* The "Potentially unsafe call to strncat" query (cpp/unsafe-strncat) query has been improved to detect more cases of unsafe calls to `strncat`.

View File

@@ -1,4 +0,0 @@
lgtm,codescanning
* Added definitions for types found in `cstdint`. Added types `FixedWidthIntegralType`, `MinimumWidthIntegralType`, `FastestMinimumWidthIntegralType`, and `MaximumWidthIntegralType` to describe types such as `int8_t`, `int_least8_t`, `int_fast8_t`, and `intmax_t` respectively.
* Changed definition of `Intmax_t` and `Uintmax_t` to be part of the new type structure.
* Added a type `FixedWidthEnumType` which describes enums based on a fixed-width integer type. For instance, `enum e: uint8_t = { a, b };`.

View File

@@ -5,7 +5,6 @@
* @kind problem * @kind problem
* @id cpp/offset-use-before-range-check * @id cpp/offset-use-before-range-check
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9
* @precision medium * @precision medium
* @tags reliability * @tags reliability
* security * security

View File

@@ -39,7 +39,7 @@ then replace all the relevant occurrences in the code.</p>
</li> </li>
<li> <li>
Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, published by Prentice Hall PTR (1997). Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, published by Prentice Hall PTR (1997).
Chapter 5: Object Life Cycle, Rec 5.4 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">PDF</a>). Chapter 5: Object Life Cycle, Rec 5.4 (<a href="http://mongers.org/industrial-c++/">PDF</a>).
</li> </li>
<li> <li>
<a href="https://www.securecoding.cert.org/confluence/display/c/DCL06-C.+Use+meaningful+symbolic+constants+to+represent+literal+values">DCL06-C. Use meaningful symbolic constants to represent literal values</a> <a href="https://www.securecoding.cert.org/confluence/display/c/DCL06-C.+Use+meaningful+symbolic+constants+to+represent+literal+values">DCL06-C. Use meaningful symbolic constants to represent literal values</a>

View File

@@ -38,7 +38,7 @@ constant.</p>
</li> </li>
<li> <li>
Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, published by Prentice Hall PTR (1997). Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, published by Prentice Hall PTR (1997).
Chapter 5: Object Life Cycle, Rec 5.4 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">PDF</a>). Chapter 5: Object Life Cycle, Rec 5.4 (<a href="http://mongers.org/industrial-c++/">PDF</a>).
</li> </li>
<li> <li>
<a href="https://www.securecoding.cert.org/confluence/display/c/DCL06-C.+Use+meaningful+symbolic+constants+to+represent+literal+values">DCL06-C. Use meaningful symbolic constants to represent literal values</a> <a href="https://www.securecoding.cert.org/confluence/display/c/DCL06-C.+Use+meaningful+symbolic+constants+to+represent+literal+values">DCL06-C. Use meaningful symbolic constants to represent literal values</a>

View File

@@ -21,7 +21,7 @@ Review the purpose of the each global variable flagged by this rule and update e
<li> <li>
Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, published by Prentice Hall PTR (1997). Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, published by Prentice Hall PTR (1997).
Chapter 1: Naming, Rec 1.1 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">PDF</a>). Chapter 1: Naming, Rec 1.1 (<a href="http://mongers.org/industrial-c++/">PDF</a>).
</li> </li>
<li> <li>
<a href="http://www.learncpp.com/cpp-tutorial/42-global-variables/">Global variables</a>. <a href="http://www.learncpp.com/cpp-tutorial/42-global-variables/">Global variables</a>.

View File

@@ -45,7 +45,7 @@ this rule.
</li> </li>
<li> <li>
Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, Rule 4.6. Prentice Hall PTR, 1997. Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, Rule 4.6. Prentice Hall PTR, 1997.
(<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">PDF</a>). (<a href="http://mongers.org/industrial-c++/">PDF</a>).
</li> </li>
<li> <li>
cplusplus.com: <a href="http://www.cplusplus.com/doc/tutorial/control/">Control Structures</a>. cplusplus.com: <a href="http://www.cplusplus.com/doc/tutorial/control/">Control Structures</a>.

View File

@@ -4,7 +4,6 @@
* @kind problem * @kind problem
* @id cpp/descriptor-may-not-be-closed * @id cpp/descriptor-may-not-be-closed
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9
* @tags efficiency * @tags efficiency
* security * security
* external/cwe/cwe-775 * external/cwe/cwe-775

View File

@@ -4,7 +4,6 @@
* @kind problem * @kind problem
* @id cpp/descriptor-never-closed * @id cpp/descriptor-never-closed
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9
* @tags efficiency * @tags efficiency
* security * security
* external/cwe/cwe-775 * external/cwe/cwe-775

View File

@@ -4,7 +4,6 @@
* @kind problem * @kind problem
* @id cpp/file-may-not-be-closed * @id cpp/file-may-not-be-closed
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9
* @tags efficiency * @tags efficiency
* security * security
* external/cwe/cwe-775 * external/cwe/cwe-775

View File

@@ -4,7 +4,6 @@
* @kind problem * @kind problem
* @id cpp/file-never-closed * @id cpp/file-never-closed
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9
* @tags efficiency * @tags efficiency
* security * security
* external/cwe/cwe-775 * external/cwe/cwe-775

View File

@@ -4,7 +4,6 @@
* @kind problem * @kind problem
* @id cpp/global-use-before-init * @id cpp/global-use-before-init
* @problem.severity warning * @problem.severity warning
* @security-severity 6.9
* @tags reliability * @tags reliability
* security * security
* external/cwe/cwe-457 * external/cwe/cwe-457

View File

@@ -4,7 +4,6 @@
* @kind problem * @kind problem
* @id cpp/inconsistent-nullness-testing * @id cpp/inconsistent-nullness-testing
* @problem.severity warning * @problem.severity warning
* @security-severity 3.6
* @tags reliability * @tags reliability
* security * security
* external/cwe/cwe-476 * external/cwe/cwe-476

View File

@@ -4,7 +4,6 @@
* @kind problem * @kind problem
* @id cpp/initialization-not-run * @id cpp/initialization-not-run
* @problem.severity warning * @problem.severity warning
* @security-severity 6.4
* @tags reliability * @tags reliability
* security * security
* external/cwe/cwe-456 * external/cwe/cwe-456

View File

@@ -6,7 +6,6 @@
* @kind problem * @kind problem
* @id cpp/late-negative-test * @id cpp/late-negative-test
* @problem.severity warning * @problem.severity warning
* @security-severity 10.0
* @tags reliability * @tags reliability
* security * security
* external/cwe/cwe-823 * external/cwe/cwe-823

View File

@@ -4,7 +4,6 @@
* @kind problem * @kind problem
* @id cpp/memory-may-not-be-freed * @id cpp/memory-may-not-be-freed
* @problem.severity warning * @problem.severity warning
* @security-severity 3.6
* @tags efficiency * @tags efficiency
* security * security
* external/cwe/cwe-401 * external/cwe/cwe-401

View File

@@ -4,7 +4,6 @@
* @kind problem * @kind problem
* @id cpp/memory-never-freed * @id cpp/memory-never-freed
* @problem.severity warning * @problem.severity warning
* @security-severity 3.6
* @tags efficiency * @tags efficiency
* security * security
* external/cwe/cwe-401 * external/cwe/cwe-401

View File

@@ -5,7 +5,6 @@
* @kind problem * @kind problem
* @id cpp/missing-negativity-test * @id cpp/missing-negativity-test
* @problem.severity warning * @problem.severity warning
* @security-severity 10.0
* @tags reliability * @tags reliability
* security * security
* external/cwe/cwe-823 * external/cwe/cwe-823

View File

@@ -4,7 +4,6 @@
* @kind problem * @kind problem
* @id cpp/missing-null-test * @id cpp/missing-null-test
* @problem.severity recommendation * @problem.severity recommendation
* @security-severity 3.6
* @tags reliability * @tags reliability
* security * security
* external/cwe/cwe-476 * external/cwe/cwe-476

View File

@@ -3,7 +3,6 @@
* @description An object that was allocated with 'malloc' or 'new' is being freed using a mismatching 'free' or 'delete'. * @description An object that was allocated with 'malloc' or 'new' is being freed using a mismatching 'free' or 'delete'.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 3.6
* @precision high * @precision high
* @id cpp/new-free-mismatch * @id cpp/new-free-mismatch
* @tags reliability * @tags reliability

View File

@@ -4,7 +4,6 @@
* @kind problem * @kind problem
* @id cpp/overflow-calculated * @id cpp/overflow-calculated
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9
* @tags reliability * @tags reliability
* security * security
* external/cwe/cwe-131 * external/cwe/cwe-131

View File

@@ -5,7 +5,6 @@
* @kind problem * @kind problem
* @id cpp/overflow-destination * @id cpp/overflow-destination
* @problem.severity warning * @problem.severity warning
* @security-severity 10.0
* @precision low * @precision low
* @tags reliability * @tags reliability
* security * security

View File

@@ -4,7 +4,6 @@
* may result in a buffer overflow. * may result in a buffer overflow.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 10.0
* @precision medium * @precision medium
* @id cpp/static-buffer-overflow * @id cpp/static-buffer-overflow
* @tags reliability * @tags reliability
@@ -15,7 +14,6 @@
import cpp import cpp
import semmle.code.cpp.commons.Buffer import semmle.code.cpp.commons.Buffer
import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
import LoopBounds import LoopBounds
private predicate staticBufferBase(VariableAccess access, Variable v) { private predicate staticBufferBase(VariableAccess access, Variable v) {
@@ -53,8 +51,6 @@ predicate overflowOffsetInLoop(BufferAccess bufaccess, string msg) {
loop.getStmt().getAChild*() = bufaccess.getEnclosingStmt() and loop.getStmt().getAChild*() = bufaccess.getEnclosingStmt() and
loop.limit() >= bufaccess.bufferSize() and loop.limit() >= bufaccess.bufferSize() and
loop.counter().getAnAccess() = bufaccess.getArrayOffset() and loop.counter().getAnAccess() = bufaccess.getArrayOffset() and
// Ensure that we don't have an upper bound on the array index that's less than the buffer size.
not upperBound(bufaccess.getArrayOffset().getFullyConverted()) < bufaccess.bufferSize() and
msg = msg =
"Potential buffer-overflow: counter '" + loop.counter().toString() + "' <= " + "Potential buffer-overflow: counter '" + loop.counter().toString() + "' <= " +
loop.limit().toString() + " but '" + bufaccess.buffer().getName() + "' has " + loop.limit().toString() + " but '" + bufaccess.buffer().getName() + "' has " +
@@ -98,22 +94,17 @@ class CallWithBufferSize extends FunctionCall {
} }
int statedSizeValue() { int statedSizeValue() {
// `upperBound(e)` defaults to `exprMaxVal(e)` when `e` isn't analyzable. So to get a meaningful exists(Expr statedSizeSrc |
// result in this case we pick the minimum value obtainable from dataflow and range analysis. DataFlow::localExprFlow(statedSizeSrc, statedSizeExpr()) and
result = result = statedSizeSrc.getValue().toInt()
upperBound(statedSizeExpr()) )
.minimum(min(Expr statedSizeSrc |
DataFlow::localExprFlow(statedSizeSrc, statedSizeExpr())
|
statedSizeSrc.getValue().toInt()
))
} }
} }
predicate wrongBufferSize(Expr error, string msg) { predicate wrongBufferSize(Expr error, string msg) {
exists(CallWithBufferSize call, int bufsize, Variable buf, int statedSize | exists(CallWithBufferSize call, int bufsize, Variable buf, int statedSize |
staticBuffer(call.buffer(), buf, bufsize) and staticBuffer(call.buffer(), buf, bufsize) and
statedSize = call.statedSizeValue() and statedSize = min(call.statedSizeValue()) and
statedSize > bufsize and statedSize > bufsize and
error = call.statedSizeExpr() and error = call.statedSizeExpr() and
msg = msg =

View File

@@ -4,12 +4,9 @@
* @kind problem * @kind problem
* @id cpp/return-stack-allocated-object * @id cpp/return-stack-allocated-object
* @problem.severity warning * @problem.severity warning
* @security-severity 2.9
* @tags reliability * @tags reliability
* security * security
* external/cwe/cwe-562 * external/cwe/cwe-562
* @deprecated This query is not suitable for production use and has been deprecated. Use
* cpp/return-stack-allocated-memory instead.
*/ */
import semmle.code.cpp.pointsto.PointsTo import semmle.code.cpp.pointsto.PointsTo

View File

@@ -7,7 +7,7 @@
<overview> <overview>
<p> <p>
This rule finds calls to a function that ignore the return value. A function call is only marked This rule finds calls to a function that ignore the return value. A function call is only marked
as a violation if at least 90% of the total calls to that function check the return value. Not as a violation if at least 80% of the total calls to that function check the return value. Not
checking a return value is a common source of defects from standard library functions like <code>malloc</code> or <code>fread</code>. checking a return value is a common source of defects from standard library functions like <code>malloc</code> or <code>fread</code>.
These functions return the status information and the return values should always be checked These functions return the status information and the return values should always be checked
to see if the operation succeeded before operating on any data modified or resources allocated by these functions. to see if the operation succeeded before operating on any data modified or resources allocated by these functions.
@@ -32,7 +32,7 @@ Check the return value of functions that return status information.
<references> <references>
<li> <li>
M. Henricson and E. Nyquist, <i>Industrial Strength C++</i>, Chapter 12: Error handling. Prentice Hall PTR, 1997 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">available online</a>). M. Henricson and E. Nyquist, <i>Industrial Strength C++</i>, Chapter 12: Error handling. Prentice Hall PTR, 1997 (<a href="http://mongers.org/industrial-c++/">available online</a>).
</li> </li>
<li> <li>
The CERT C Secure Coding Standard: <a href="https://www.securecoding.cert.org/confluence/display/perl/EXP32-PL.+Do+not+ignore+function+return+values">EXP32-PL. Do not ignore function return values</a>. The CERT C Secure Coding Standard: <a href="https://www.securecoding.cert.org/confluence/display/perl/EXP32-PL.+Do+not+ignore+function+return+values">EXP32-PL. Do not ignore function return values</a>.

View File

@@ -1,6 +1,6 @@
/** /**
* @name Return value of a function is ignored * @name Return value of a function is ignored
* @description A call to a function ignores its return value, but at least 90% of the total number of calls to the function check the return value. Check the return value of functions consistently, especially for functions like 'fread' or the 'scanf' functions that return the status of the operation. * @description A call to a function ignores its return value, but more than 80% of the total number of calls to the function check the return value. Check the return value of functions consistently, especially for functions like 'fread' or the 'scanf' functions that return the status of the operation.
* @kind problem * @kind problem
* @id cpp/return-value-ignored * @id cpp/return-value-ignored
* @problem.severity recommendation * @problem.severity recommendation

View File

@@ -4,7 +4,6 @@
* an instance of the type of the pointer may result in a buffer overflow * an instance of the type of the pointer may result in a buffer overflow
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 6.4
* @precision medium * @precision medium
* @id cpp/allocation-too-small * @id cpp/allocation-too-small
* @tags reliability * @tags reliability

View File

@@ -4,7 +4,6 @@
* multiple instances of the type of the pointer may result in a buffer overflow * multiple instances of the type of the pointer may result in a buffer overflow
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 6.4
* @precision medium * @precision medium
* @id cpp/suspicious-allocation-size * @id cpp/suspicious-allocation-size
* @tags reliability * @tags reliability

View File

@@ -4,7 +4,6 @@
* @kind problem * @kind problem
* @id cpp/use-after-free * @id cpp/use-after-free
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9
* @tags reliability * @tags reliability
* security * security
* external/cwe/cwe-416 * external/cwe/cwe-416

View File

@@ -6,7 +6,6 @@
* to a larger type. * to a larger type.
* @kind problem * @kind problem
* @problem.severity error * @problem.severity error
* @security-severity 5.9
* @precision very-high * @precision very-high
* @id cpp/bad-addition-overflow-check * @id cpp/bad-addition-overflow-check
* @tags reliability * @tags reliability

View File

@@ -4,7 +4,6 @@
* be a sign that the result can overflow the type converted from. * be a sign that the result can overflow the type converted from.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9
* @precision high * @precision high
* @id cpp/integer-multiplication-cast-to-long * @id cpp/integer-multiplication-cast-to-long
* @tags reliability * @tags reliability

View File

@@ -5,13 +5,10 @@
* unsigned integer values. * unsigned integer values.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9
* @precision high * @precision high
* @id cpp/signed-overflow-check * @id cpp/signed-overflow-check
* @tags correctness * @tags correctness
* security * security
* external/cwe/cwe-128
* external/cwe/cwe-190
*/ */
import cpp import cpp

View File

@@ -6,14 +6,13 @@
* use the width of the base type, leading to misaligned reads. * use the width of the base type, leading to misaligned reads.
* @kind path-problem * @kind path-problem
* @problem.severity warning * @problem.severity warning
* @security-severity 10.0
* @precision high * @precision high
* @id cpp/upcast-array-pointer-arithmetic
* @tags correctness * @tags correctness
* reliability * reliability
* security * security
* external/cwe/cwe-119 * external/cwe/cwe-119
* external/cwe/cwe-843 * external/cwe/cwe-843
* @id cpp/upcast-array-pointer-arithmetic
*/ */
import cpp import cpp

View File

@@ -6,7 +6,6 @@
* from an untrusted source, this can be used for exploits. * from an untrusted source, this can be used for exploits.
* @kind problem * @kind problem
* @problem.severity recommendation * @problem.severity recommendation
* @security-severity 6.9
* @precision high * @precision high
* @id cpp/non-constant-format * @id cpp/non-constant-format
* @tags maintainability * @tags maintainability

View File

@@ -3,14 +3,11 @@
* @description Using the return value from snprintf without proper checks can cause overflow. * @description Using the return value from snprintf without proper checks can cause overflow.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9
* @precision high * @precision high
* @id cpp/overflowing-snprintf * @id cpp/overflowing-snprintf
* @tags reliability * @tags reliability
* correctness * correctness
* security * security
* external/cwe/cwe-190
* external/cwe/cwe-253
*/ */
import cpp import cpp

View File

@@ -4,13 +4,11 @@
* a source of security issues. * a source of security issues.
* @kind problem * @kind problem
* @problem.severity error * @problem.severity error
* @security-severity 2.9
* @precision high * @precision high
* @id cpp/wrong-number-format-arguments * @id cpp/wrong-number-format-arguments
* @tags reliability * @tags reliability
* correctness * correctness
* security * security
* external/cwe/cwe-234
* external/cwe/cwe-685 * external/cwe/cwe-685
*/ */

View File

@@ -4,7 +4,6 @@
* behavior. * behavior.
* @kind problem * @kind problem
* @problem.severity error * @problem.severity error
* @security-severity 6.4
* @precision high * @precision high
* @id cpp/wrong-type-format-argument * @id cpp/wrong-type-format-argument
* @tags reliability * @tags reliability

View File

@@ -6,7 +6,6 @@
* @kind problem * @kind problem
* @id cpp/incorrect-not-operator-usage * @id cpp/incorrect-not-operator-usage
* @problem.severity warning * @problem.severity warning
* @security-severity 3.6
* @precision medium * @precision medium
* @tags security * @tags security
* external/cwe/cwe-480 * external/cwe/cwe-480

View File

@@ -26,7 +26,7 @@ indication that there may be cases unhandled by the <code>switch</code> statemen
MSDN Library: <a href="https://docs.microsoft.com/en-us/cpp/cpp/switch-statement-cpp">switch statement (C++)</a> MSDN Library: <a href="https://docs.microsoft.com/en-us/cpp/cpp/switch-statement-cpp">switch statement (C++)</a>
</li> </li>
<li> <li>
M. Henricson and E. Nyquist, <i>Industrial Strength C++</i>, Chapter 4: Control Flow, Rec 4.5. Prentice Hall PTR, 1997 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">available online</a>). M. Henricson and E. Nyquist, <i>Industrial Strength C++</i>, Chapter 4: Control Flow, Rec 4.5. Prentice Hall PTR, 1997 (<a href="http://mongers.org/industrial-c++/">available online</a>).
</li> </li>

View File

@@ -3,7 +3,6 @@
* @description Using alloca in a loop can lead to a stack overflow * @description Using alloca in a loop can lead to a stack overflow
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 3.6
* @precision high * @precision high
* @id cpp/alloca-in-loop * @id cpp/alloca-in-loop
* @tags reliability * @tags reliability

View File

@@ -5,7 +5,6 @@
* @kind problem * @kind problem
* @id cpp/improper-null-termination * @id cpp/improper-null-termination
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9
* @tags security * @tags security
* external/cwe/cwe-170 * external/cwe/cwe-170
* external/cwe/cwe-665 * external/cwe/cwe-665

View File

@@ -4,12 +4,10 @@
* on undefined behavior and may lead to memory corruption. * on undefined behavior and may lead to memory corruption.
* @kind problem * @kind problem
* @problem.severity error * @problem.severity error
* @security-severity 2.9
* @precision high * @precision high
* @id cpp/pointer-overflow-check * @id cpp/pointer-overflow-check
* @tags reliability * @tags reliability
* security * security
* external/cwe/cwe-758
*/ */
import cpp import cpp

View File

@@ -6,7 +6,6 @@
* @kind problem * @kind problem
* @id cpp/potential-buffer-overflow * @id cpp/potential-buffer-overflow
* @problem.severity warning * @problem.severity warning
* @security-severity 10.0
* @tags reliability * @tags reliability
* security * security
* external/cwe/cwe-676 * external/cwe/cwe-676

View File

@@ -13,7 +13,6 @@
import cpp import cpp
import semmle.code.cpp.dataflow.EscapesTree import semmle.code.cpp.dataflow.EscapesTree
import semmle.code.cpp.models.interfaces.PointerWrapper
import semmle.code.cpp.dataflow.DataFlow import semmle.code.cpp.dataflow.DataFlow
/** /**
@@ -40,10 +39,6 @@ predicate hasNontrivialConversion(Expr e) {
e instanceof ParenthesisExpr e instanceof ParenthesisExpr
) )
or or
// A smart pointer can be stack-allocated while the data it points to is heap-allocated.
// So we exclude such "conversions" from this predicate.
e = any(PointerWrapper wrapper).getAnUnwrapperFunction().getACallToThisFunction()
or
hasNontrivialConversion(e.getConversion()) hasNontrivialConversion(e.getConversion())
} }

View File

@@ -4,7 +4,6 @@
* as the third argument may result in a buffer overflow. * as the third argument may result in a buffer overflow.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 10.0
* @precision medium * @precision medium
* @id cpp/bad-strncpy-size * @id cpp/bad-strncpy-size
* @tags reliability * @tags reliability

View File

@@ -7,7 +7,6 @@
* @kind problem * @kind problem
* @id cpp/suspicious-call-to-memset * @id cpp/suspicious-call-to-memset
* @problem.severity recommendation * @problem.severity recommendation
* @security-severity 10.0
* @precision medium * @precision medium
* @tags reliability * @tags reliability
* correctness * correctness

View File

@@ -2,7 +2,3 @@ strncat(dest, src, strlen(dest)); //wrong: should use remaining size of dest
strncat(dest, src, sizeof(dest)); //wrong: should use remaining size of dest. strncat(dest, src, sizeof(dest)); //wrong: should use remaining size of dest.
//Also fails if dest is a pointer and not an array. //Also fails if dest is a pointer and not an array.
strncat(dest, source, sizeof(dest) - strlen(dest)); // wrong: writes a zero byte past the `dest` buffer.
strncat(dest, source, sizeof(dest) - strlen(dest) - 1); // correct: reserves space for the zero byte.

View File

@@ -4,17 +4,7 @@
<qhelp> <qhelp>
<overview> <overview>
<p>The standard library function <code>strncat</code> appends a source string to a target string. <p>The standard library function <code>strncat</code> appends a source string to a target string.
The third argument defines the maximum number of characters to append and should be less than or equal The third argument defines the maximum number of characters to append and should be less than or equal to the remaining space in the destination buffer. Calls of the form <code>strncat(dest, src, strlen(dest))</code> or <code>strncat(dest, src, sizeof(dest))</code> set the third argument to the entire size of the destination buffer. Executing a call of this type may cause a buffer overflow unless the buffer is known to be empty. Buffer overflows can lead to anything from a segmentation fault to a security vulnerability.</p>
to the remaining space in the destination buffer.</p>
<p>Calls of the form <code>strncat(dest, src, strlen(dest))</code> or <code>strncat(dest, src, sizeof(dest))</code> set
the third argument to the entire size of the destination buffer.
Executing a call of this type may cause a buffer overflow unless the buffer is known to be empty.</p>
<p>Similarly, calls of the form <code>strncat(dest, src, sizeof (dest) - strlen (dest))</code> allow one
byte to be written ouside the <code>dest</code> buffer.</p>
<p>Buffer overflows can lead to anything from a segmentation fault to a security vulnerability.</p>
</overview> </overview>
<recommendation> <recommendation>
@@ -35,10 +25,6 @@ byte to be written ouside the <code>dest</code> buffer.</p>
<li> <li>
M. Donaldson, <em>Inside the Buffer Overflow Attack: Mechanism, Method &amp; Prevention</em>. SANS Institute InfoSec Reading Room, 2002. M. Donaldson, <em>Inside the Buffer Overflow Attack: Mechanism, Method &amp; Prevention</em>. SANS Institute InfoSec Reading Room, 2002.
</li> </li>
<li>
CERT C Coding Standard:
<a href="https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator">STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator</a>.
</li>
</references> </references>

View File

@@ -1,15 +1,14 @@
/** /**
* @name Potentially unsafe call to strncat * @name Potentially unsafe call to strncat
* @description Calling 'strncat' with an incorrect size argument may result in a buffer overflow. * @description Calling 'strncat' with the size of the destination buffer
* as the third argument may result in a buffer overflow.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 10.0
* @precision medium * @precision medium
* @id cpp/unsafe-strncat * @id cpp/unsafe-strncat
* @tags reliability * @tags reliability
* correctness * correctness
* security * security
* external/cwe/cwe-788
* external/cwe/cwe-676 * external/cwe/cwe-676
* external/cwe/cwe-119 * external/cwe/cwe-119
* external/cwe/cwe-251 * external/cwe/cwe-251
@@ -17,53 +16,11 @@
import cpp import cpp
import Buffer import Buffer
import semmle.code.cpp.models.implementations.Strcat
import semmle.code.cpp.valuenumbering.GlobalValueNumbering
/** from FunctionCall fc, VariableAccess va1, VariableAccess va2
* Holds if `call` is a call to `strncat` such that `sizeArg` and `destArg` are the size and where
* destination arguments, respectively. fc.getTarget().(Function).hasName("strncat") and
*/ va1 = fc.getArgument(0) and
predicate interestringCallWithArgs(Call call, Expr sizeArg, Expr destArg) { va2 = fc.getArgument(2).(BufferSizeExpr).getArg() and
exists(StrcatFunction strcat | va1.getTarget() = va2.getTarget()
strcat = call.getTarget() and
sizeArg = call.getArgument(strcat.getParamSize()) and
destArg = call.getArgument(strcat.getParamDest())
)
}
/**
* Holds if `fc` is a call to `strncat` with size argument `sizeArg` and destination
* argument `destArg`, and `destArg` is the size of the buffer pointed to by `destArg`.
*/
predicate case1(FunctionCall fc, Expr sizeArg, VariableAccess destArg) {
interestringCallWithArgs(fc, sizeArg, destArg) and
exists(VariableAccess va |
va = sizeArg.(BufferSizeExpr).getArg() and
destArg.getTarget() = va.getTarget()
)
}
/**
* Holds if `fc` is a call to `strncat` with size argument `sizeArg` and destination
* argument `destArg`, and `sizeArg` computes the value `sizeof (dest) - strlen (dest)`.
*/
predicate case2(FunctionCall fc, Expr sizeArg, VariableAccess destArg) {
interestringCallWithArgs(fc, sizeArg, destArg) and
exists(SubExpr sub, int n |
// The destination buffer is an array of size n
destArg.getUnspecifiedType().(ArrayType).getSize() = n and
// The size argument is equivalent to a subtraction
globalValueNumber(sizeArg).getAnExpr() = sub and
// ... where the left side of the subtraction is the constant n
globalValueNumber(sub.getLeftOperand()).getAnExpr().getValue().toInt() = n and
// ... and the right side of the subtraction is a call to `strlen` where the argument is the
// destination buffer.
globalValueNumber(sub.getRightOperand()).getAnExpr().(StrlenCall).getStringExpr() =
globalValueNumber(destArg).getAnExpr()
)
}
from FunctionCall fc, Expr sizeArg, Expr destArg
where case1(fc, sizeArg, destArg) or case2(fc, sizeArg, destArg)
select fc, "Potentially unsafe call to strncat." select fc, "Potentially unsafe call to strncat."

View File

@@ -5,7 +5,6 @@
* the machine pointer size. * the machine pointer size.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9
* @precision medium * @precision medium
* @id cpp/suspicious-sizeof * @id cpp/suspicious-sizeof
* @tags reliability * @tags reliability

View File

@@ -5,7 +5,6 @@
* @kind problem * @kind problem
* @id cpp/uninitialized-local * @id cpp/uninitialized-local
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9
* @precision medium * @precision medium
* @tags security * @tags security
* external/cwe/cwe-665 * external/cwe/cwe-665

View File

@@ -4,7 +4,6 @@
* may result in a buffer overflow * may result in a buffer overflow
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9
* @precision medium * @precision medium
* @id cpp/unsafe-strcat * @id cpp/unsafe-strcat
* @tags reliability * @tags reliability

View File

@@ -6,7 +6,6 @@
* @kind problem * @kind problem
* @id cpp/self-assignment-check * @id cpp/self-assignment-check
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9
* @tags reliability * @tags reliability
* security * security
* external/cwe/cwe-826 * external/cwe/cwe-826

View File

@@ -6,12 +6,10 @@
* @kind path-problem * @kind path-problem
* @id cpp/unsafe-use-of-this * @id cpp/unsafe-use-of-this
* @problem.severity error * @problem.severity error
* @security-severity 3.6
* @precision very-high * @precision very-high
* @tags correctness * @tags correctness
* language-features * language-features
* security * security
* external/cwe/cwe-670
*/ */
import cpp import cpp

View File

@@ -7,14 +7,11 @@
* undefined data. * undefined data.
* @kind problem * @kind problem
* @problem.severity error * @problem.severity error
* @security-severity 2.9
* @precision very-high * @precision very-high
* @id cpp/too-few-arguments * @id cpp/too-few-arguments
* @tags correctness * @tags correctness
* maintainability * maintainability
* security * security
* external/cwe/cwe-234
* external/cwe/cwe-685
*/ */
import cpp import cpp

View File

@@ -29,7 +29,7 @@ build time: the more included files, the longer the compilation time.</p>
<a href="http://www.drdobbs.com/cpp/decoupling-c-header-files/212701130">Decoupling C Header Files</a> <a href="http://www.drdobbs.com/cpp/decoupling-c-header-files/212701130">Decoupling C Header Files</a>
</li> </li>
<li> <li>
<a href="https://accu.org/journals/overload/14/72/griffiths_1995/">C++ Best Practice - <a href="https://wiki.hsr.ch/Prog3/files/overload72-FINAL_DesigningHeaderFiles.pdf">C++ Best Practice -
Designing Header Files</a> Designing Header Files</a>
</li> </li>

View File

@@ -35,7 +35,7 @@ they are contributing to unnecessarily long build times and creating artificial
<a href="http://www.drdobbs.com/cpp/decoupling-c-header-files/212701130">Decoupling C Header Files</a> <a href="http://www.drdobbs.com/cpp/decoupling-c-header-files/212701130">Decoupling C Header Files</a>
</li> </li>
<li> <li>
<a href="https://accu.org/journals/overload/14/72/griffiths_1995/">C++ Best Practice - <a href="https://wiki.hsr.ch/Prog3/files/overload72-FINAL_DesigningHeaderFiles.pdf">C++ Best Practice -
Designing Header Files</a> Designing Header Files</a>
</li> </li>
</references> </references>

View File

@@ -5,7 +5,6 @@
* @kind problem * @kind problem
* @id cpp/memset-may-be-deleted * @id cpp/memset-may-be-deleted
* @problem.severity warning * @problem.severity warning
* @security-severity 6.4
* @precision high * @precision high
* @tags security * @tags security
* external/cwe/cwe-14 * external/cwe/cwe-14

View File

@@ -5,7 +5,6 @@
* @kind path-problem * @kind path-problem
* @precision low * @precision low
* @problem.severity error * @problem.severity error
* @security-severity 5.9
* @tags security external/cwe/cwe-20 * @tags security external/cwe/cwe-20
*/ */

View File

@@ -5,7 +5,6 @@
* @kind path-problem * @kind path-problem
* @precision low * @precision low
* @problem.severity error * @problem.severity error
* @security-severity 5.9
* @tags security external/cwe/cwe-20 * @tags security external/cwe/cwe-20
*/ */

View File

@@ -4,7 +4,6 @@
* attacker to access unexpected resources. * attacker to access unexpected resources.
* @kind path-problem * @kind path-problem
* @problem.severity warning * @problem.severity warning
* @security-severity 6.4
* @precision medium * @precision medium
* @id cpp/path-injection * @id cpp/path-injection
* @tags security * @tags security

View File

@@ -5,7 +5,6 @@
* to command injection. * to command injection.
* @kind problem * @kind problem
* @problem.severity error * @problem.severity error
* @security-severity 5.9
* @precision low * @precision low
* @id cpp/command-line-injection * @id cpp/command-line-injection
* @tags security * @tags security

View File

@@ -4,7 +4,6 @@
* allows for a cross-site scripting vulnerability. * allows for a cross-site scripting vulnerability.
* @kind path-problem * @kind path-problem
* @problem.severity error * @problem.severity error
* @security-severity 2.9
* @precision high * @precision high
* @id cpp/cgi-xss * @id cpp/cgi-xss
* @tags security * @tags security

View File

@@ -5,7 +5,6 @@
* to SQL Injection. * to SQL Injection.
* @kind path-problem * @kind path-problem
* @problem.severity error * @problem.severity error
* @security-severity 6.4
* @precision high * @precision high
* @id cpp/sql-injection * @id cpp/sql-injection
* @tags security * @tags security

View File

@@ -5,7 +5,6 @@
* commands. * commands.
* @kind path-problem * @kind path-problem
* @problem.severity warning * @problem.severity warning
* @security-severity 6.0
* @precision medium * @precision medium
* @id cpp/uncontrolled-process-operation * @id cpp/uncontrolled-process-operation
* @tags security * @tags security

View File

@@ -6,7 +6,6 @@
* @kind problem * @kind problem
* @id cpp/overflow-buffer * @id cpp/overflow-buffer
* @problem.severity recommendation * @problem.severity recommendation
* @security-severity 10.0
* @tags security * @tags security
* external/cwe/cwe-119 * external/cwe/cwe-119
* external/cwe/cwe-121 * external/cwe/cwe-121

View File

@@ -5,7 +5,6 @@
* overflow. * overflow.
* @kind problem * @kind problem
* @problem.severity error * @problem.severity error
* @security-severity 5.9
* @precision high * @precision high
* @id cpp/badly-bounded-write * @id cpp/badly-bounded-write
* @tags reliability * @tags reliability

View File

@@ -4,7 +4,6 @@
* of data written may overflow. * of data written may overflow.
* @kind problem * @kind problem
* @problem.severity error * @problem.severity error
* @security-severity 5.9
* @precision medium * @precision medium
* @id cpp/overrunning-write * @id cpp/overrunning-write
* @tags reliability * @tags reliability

View File

@@ -5,7 +5,6 @@
* take extreme values. * take extreme values.
* @kind problem * @kind problem
* @problem.severity error * @problem.severity error
* @security-severity 5.9
* @precision medium * @precision medium
* @id cpp/overrunning-write-with-float * @id cpp/overrunning-write-with-float
* @tags reliability * @tags reliability

View File

@@ -4,7 +4,6 @@
* of data written may overflow. * of data written may overflow.
* @kind path-problem * @kind path-problem
* @problem.severity error * @problem.severity error
* @security-severity 5.9
* @precision medium * @precision medium
* @id cpp/unbounded-write * @id cpp/unbounded-write
* @tags reliability * @tags reliability

View File

@@ -5,7 +5,6 @@
* a specific value to terminate the argument list. * a specific value to terminate the argument list.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9
* @precision medium * @precision medium
* @id cpp/unterminated-variadic-call * @id cpp/unterminated-variadic-call
* @tags reliability * @tags reliability

View File

@@ -6,7 +6,6 @@
* @kind problem * @kind problem
* @id cpp/unclear-array-index-validation * @id cpp/unclear-array-index-validation
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9
* @tags security * @tags security
* external/cwe/cwe-129 * external/cwe/cwe-129
*/ */

View File

@@ -5,7 +5,6 @@
* terminator can cause a buffer overrun. * terminator can cause a buffer overrun.
* @kind problem * @kind problem
* @problem.severity error * @problem.severity error
* @security-severity 5.9
* @precision high * @precision high
* @id cpp/no-space-for-terminator * @id cpp/no-space-for-terminator
* @tags reliability * @tags reliability

View File

@@ -5,7 +5,6 @@
* or data representation problems. * or data representation problems.
* @kind path-problem * @kind path-problem
* @problem.severity warning * @problem.severity warning
* @security-severity 6.9
* @precision high * @precision high
* @id cpp/tainted-format-string * @id cpp/tainted-format-string
* @tags reliability * @tags reliability

View File

@@ -5,7 +5,6 @@
* or data representation problems. * or data representation problems.
* @kind path-problem * @kind path-problem
* @problem.severity warning * @problem.severity warning
* @security-severity 6.9
* @precision high * @precision high
* @id cpp/tainted-format-string-through-global * @id cpp/tainted-format-string-through-global
* @tags reliability * @tags reliability

View File

@@ -5,7 +5,6 @@
* @kind problem * @kind problem
* @id cpp/user-controlled-null-termination-tainted * @id cpp/user-controlled-null-termination-tainted
* @problem.severity warning * @problem.severity warning
* @security-severity 10.0
* @tags security * @tags security
* external/cwe/cwe-170 * external/cwe/cwe-170
*/ */

View File

@@ -4,7 +4,6 @@
* not validated can cause overflows. * not validated can cause overflows.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9
* @precision low * @precision low
* @id cpp/tainted-arithmetic * @id cpp/tainted-arithmetic
* @tags security * @tags security

View File

@@ -4,7 +4,6 @@
* validated can cause overflows. * validated can cause overflows.
* @kind path-problem * @kind path-problem
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9
* @precision medium * @precision medium
* @id cpp/uncontrolled-arithmetic * @id cpp/uncontrolled-arithmetic
* @tags security * @tags security
@@ -16,107 +15,34 @@ import cpp
import semmle.code.cpp.security.Overflow import semmle.code.cpp.security.Overflow
import semmle.code.cpp.security.Security import semmle.code.cpp.security.Security
import semmle.code.cpp.security.TaintTracking import semmle.code.cpp.security.TaintTracking
import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
import TaintedWithPath import TaintedWithPath
predicate isUnboundedRandCall(FunctionCall fc) { predicate isRandCall(FunctionCall fc) { fc.getTarget().getName() = "rand" }
exists(Function func | func = fc.getTarget() |
func.hasGlobalOrStdOrBslName("rand") and predicate isRandCallOrParent(Expr e) {
not bounded(fc) and isRandCall(e) or
func.getNumberOfParameters() = 0 isRandCallOrParent(e.getAChild())
)
} }
/** predicate isRandValue(Expr e) {
* An operand `e` of a division expression (i.e., `e` is an operand of either a `DivExpr` or isRandCall(e)
* a `AssignDivExpr`) is bounded when `e` is the left-hand side of the division.
*/
pragma[inline]
predicate boundedDiv(Expr e, Expr left) { e = left }
/**
* An operand `e` of a remainder expression `rem` (i.e., `rem` is either a `RemExpr` or
* an `AssignRemExpr`) with left-hand side `left` and right-ahnd side `right` is bounded
* when `e` is `left` and `right` is upper bounded by some number that is less than the maximum integer
* allowed by the result type of `rem`.
*/
pragma[inline]
predicate boundedRem(Expr e, Expr rem, Expr left, Expr right) {
e = left and
upperBound(right.getFullyConverted()) < exprMaxVal(rem.getFullyConverted())
}
/**
* An operand `e` of a bitwise and expression `andExpr` (i.e., `andExpr` is either an `BitwiseAndExpr`
* or an `AssignAndExpr`) with operands `operand1` and `operand2` is the operand that is not `e` is upper
* bounded by some number that is less than the maximum integer allowed by the result type of `andExpr`.
*/
pragma[inline]
predicate boundedBitwiseAnd(Expr e, Expr andExpr, Expr operand1, Expr operand2) {
operand1 != operand2 and
e = operand1 and
upperBound(operand2.getFullyConverted()) < exprMaxVal(andExpr.getFullyConverted())
}
/**
* Holds if `fc` is a part of the left operand of a binary operation that greatly reduces the range
* of possible values.
*/
predicate bounded(Expr e) {
// For `%` and `&` we require that `e` is bounded by a value that is strictly smaller than the
// maximum possible value of the result type of the operation.
// For example, the function call `rand()` is considered bounded in the following program:
// ```
// int i = rand() % (UINT8_MAX + 1);
// ```
// but not in:
// ```
// unsigned char uc = rand() % (UINT8_MAX + 1);
// ```
exists(RemExpr rem | boundedRem(e, rem, rem.getLeftOperand(), rem.getRightOperand()))
or
exists(AssignRemExpr rem | boundedRem(e, rem, rem.getLValue(), rem.getRValue()))
or
exists(BitwiseAndExpr andExpr |
boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
)
or
exists(AssignAndExpr andExpr |
boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
)
or
// Optimitically assume that a division always yields a much smaller value.
boundedDiv(e, any(DivExpr div).getLeftOperand())
or
boundedDiv(e, any(AssignDivExpr div).getLValue())
or
boundedDiv(e, any(RShiftExpr shift).getLeftOperand())
or
boundedDiv(e, any(AssignRShiftExpr div).getLValue())
}
predicate isUnboundedRandCallOrParent(Expr e) {
isUnboundedRandCall(e)
or
isUnboundedRandCallOrParent(e.getAChild())
}
predicate isUnboundedRandValue(Expr e) {
isUnboundedRandCall(e)
or or
exists(MacroInvocation mi | exists(MacroInvocation mi |
e = mi.getExpr() and e = mi.getExpr() and
isUnboundedRandCallOrParent(e) isRandCallOrParent(e)
) )
} }
class SecurityOptionsArith extends SecurityOptions { class SecurityOptionsArith extends SecurityOptions {
override predicate isUserInput(Expr expr, string cause) { override predicate isUserInput(Expr expr, string cause) {
isUnboundedRandValue(expr) and isRandValue(expr) and
cause = "rand" cause = "rand" and
not expr.getParent*() instanceof DivExpr
} }
} }
predicate isDiv(VariableAccess va) { exists(AssignDivExpr div | div.getLValue() = va) }
predicate missingGuard(VariableAccess va, string effect) { predicate missingGuard(VariableAccess va, string effect) {
exists(Operation op | op.getAnOperand() = va | exists(Operation op | op.getAnOperand() = va |
missingGuardAgainstUnderflow(op, va) and effect = "underflow" missingGuardAgainstUnderflow(op, va) and effect = "underflow"
@@ -126,15 +52,29 @@ predicate missingGuard(VariableAccess va, string effect) {
} }
class Configuration extends TaintTrackingConfiguration { class Configuration extends TaintTrackingConfiguration {
override predicate isSink(Element e) { missingGuard(e, _) } override predicate isSink(Element e) {
isDiv(e)
or
missingGuard(e, _)
}
}
override predicate isBarrier(Expr e) { super.isBarrier(e) or bounded(e) } /**
* A value that undergoes division is likely to be bounded within a safe
* range.
*/
predicate guardedByAssignDiv(Expr origin) {
exists(VariableAccess va |
taintedWithPath(origin, va, _, _) and
isDiv(va)
)
} }
from Expr origin, VariableAccess va, string effect, PathNode sourceNode, PathNode sinkNode from Expr origin, VariableAccess va, string effect, PathNode sourceNode, PathNode sinkNode
where where
taintedWithPath(origin, va, sourceNode, sinkNode) and taintedWithPath(origin, va, sourceNode, sinkNode) and
missingGuard(va, effect) missingGuard(va, effect) and
not guardedByAssignDiv(origin)
select va, sourceNode, sinkNode, select va, sourceNode, sinkNode,
"$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".", origin, "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".", origin,
"Uncontrolled value" "Uncontrolled value"

View File

@@ -6,7 +6,6 @@
* @kind problem * @kind problem
* @id cpp/arithmetic-with-extreme-values * @id cpp/arithmetic-with-extreme-values
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9
* @precision low * @precision low
* @tags security * @tags security
* reliability * reliability

View File

@@ -5,7 +5,6 @@
* @id cpp/comparison-with-wider-type * @id cpp/comparison-with-wider-type
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9
* @precision high * @precision high
* @tags reliability * @tags reliability
* security * security
@@ -50,9 +49,7 @@ where
small = rel.getLesserOperand() and small = rel.getLesserOperand() and
large = rel.getGreaterOperand() and large = rel.getGreaterOperand() and
rel = l.getCondition().getAChild*() and rel = l.getCondition().getAChild*() and
forall(Expr conv | conv = large.getConversion*() | upperBound(large).log2() > getComparisonSize(small) * 8 and
upperBound(conv).log2() > getComparisonSize(small) * 8
) and
// Ignore cases where the smaller type is int or larger // Ignore cases where the smaller type is int or larger
// These are still bugs, but you should need a very large string or array to // These are still bugs, but you should need a very large string or array to
// trigger them. We will want to disable this for some applications, but it's // trigger them. We will want to disable this for some applications, but it's

View File

@@ -5,7 +5,6 @@
* @kind problem * @kind problem
* @id cpp/integer-overflow-tainted * @id cpp/integer-overflow-tainted
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9
* @precision low * @precision low
* @tags security * @tags security
* external/cwe/cwe-190 * external/cwe/cwe-190
@@ -29,7 +28,6 @@ predicate outOfBoundsExpr(Expr expr, string kind) {
from Expr use, Expr origin, string kind from Expr use, Expr origin, string kind
where where
not use.getUnspecifiedType() instanceof PointerType and
outOfBoundsExpr(use, kind) and outOfBoundsExpr(use, kind) and
tainted(origin, use) and tainted(origin, use) and
origin != use and origin != use and

Some files were not shown because too many files have changed in this diff Show More