mirror of
https://github.com/github/codeql.git
synced 2026-05-16 20:27:06 +02:00
Compare commits
2 Commits
codeql-cli
...
ginsbach/w
| Author | SHA1 | Date | |
|---|---|---|---|
|
8cdd8b6ae0 | ||
|
|
0194af9432 |
@@ -1,6 +1,5 @@
|
||||
{ "provide": [ "*/ql/src/qlpack.yml",
|
||||
"*/ql/test/qlpack.yml",
|
||||
"cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml",
|
||||
"*/ql/examples/qlpack.yml",
|
||||
"*/upgrades/qlpack.yml",
|
||||
"misc/legacy-support/*/qlpack.yml",
|
||||
|
||||
4
.github/workflows/check-change-note.yml
vendored
4
.github/workflows/check-change-note.yml
vendored
@@ -19,5 +19,5 @@ jobs:
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
run: |
|
||||
gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' |
|
||||
grep true -c
|
||||
gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate |
|
||||
jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' --exit-status
|
||||
|
||||
97
.github/workflows/csv-coverage-pr-artifacts.yml
vendored
97
.github/workflows/csv-coverage-pr-artifacts.yml
vendored
@@ -1,97 +0,0 @@
|
||||
name: Check framework coverage changes
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
paths:
|
||||
- '.github/workflows/csv-coverage-pr-comment.yml'
|
||||
- '*/ql/src/**/*.ql'
|
||||
- '*/ql/src/**/*.qll'
|
||||
- 'misc/scripts/library-coverage/*.py'
|
||||
# input data files
|
||||
- '*/documentation/library-coverage/cwe-sink.csv'
|
||||
- '*/documentation/library-coverage/frameworks.csv'
|
||||
branches:
|
||||
- main
|
||||
- 'rc/*'
|
||||
|
||||
jobs:
|
||||
generate:
|
||||
name: Generate framework coverage artifacts
|
||||
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- name: Dump GitHub context
|
||||
env:
|
||||
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
|
||||
run: echo "$GITHUB_CONTEXT"
|
||||
- name: Clone self (github/codeql) - MERGE
|
||||
uses: actions/checkout@v2
|
||||
with:
|
||||
path: merge
|
||||
- name: Clone self (github/codeql) - BASE
|
||||
uses: actions/checkout@v2
|
||||
with:
|
||||
fetch-depth: 2
|
||||
path: base
|
||||
- run: |
|
||||
git checkout HEAD^1
|
||||
git log -1 --format='%H'
|
||||
working-directory: base
|
||||
- name: Set up Python 3.8
|
||||
uses: actions/setup-python@v2
|
||||
with:
|
||||
python-version: 3.8
|
||||
- name: Download CodeQL CLI
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
run: |
|
||||
gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
|
||||
- name: Unzip CodeQL CLI
|
||||
run: unzip -d codeql-cli codeql-linux64.zip
|
||||
- name: Generate CSV files on merge commit of the PR
|
||||
run: |
|
||||
echo "Running generator on merge"
|
||||
PATH="$PATH:codeql-cli/codeql" python merge/misc/scripts/library-coverage/generate-report.py ci merge merge
|
||||
mkdir out_merge
|
||||
cp framework-coverage-*.csv out_merge/
|
||||
cp framework-coverage-*.rst out_merge/
|
||||
- name: Generate CSV files on base commit of the PR
|
||||
run: |
|
||||
echo "Running generator on base"
|
||||
PATH="$PATH:codeql-cli/codeql" python base/misc/scripts/library-coverage/generate-report.py ci base base
|
||||
mkdir out_base
|
||||
cp framework-coverage-*.csv out_base/
|
||||
cp framework-coverage-*.rst out_base/
|
||||
- name: Generate diff of coverage reports
|
||||
run: |
|
||||
python base/misc/scripts/library-coverage/compare-folders.py out_base out_merge comparison.md
|
||||
- name: Upload CSV package list
|
||||
uses: actions/upload-artifact@v2
|
||||
with:
|
||||
name: csv-framework-coverage-merge
|
||||
path: |
|
||||
out_merge/framework-coverage-*.csv
|
||||
out_merge/framework-coverage-*.rst
|
||||
- name: Upload CSV package list
|
||||
uses: actions/upload-artifact@v2
|
||||
with:
|
||||
name: csv-framework-coverage-base
|
||||
path: |
|
||||
out_base/framework-coverage-*.csv
|
||||
out_base/framework-coverage-*.rst
|
||||
- name: Upload comparison results
|
||||
uses: actions/upload-artifact@v2
|
||||
with:
|
||||
name: comparison
|
||||
path: |
|
||||
comparison.md
|
||||
- name: Save PR number
|
||||
run: |
|
||||
mkdir -p pr
|
||||
echo ${{ github.event.pull_request.number }} > pr/NR
|
||||
- name: Upload PR number
|
||||
uses: actions/upload-artifact@v2
|
||||
with:
|
||||
name: pr
|
||||
path: pr/
|
||||
34
.github/workflows/csv-coverage-pr-comment.yml
vendored
34
.github/workflows/csv-coverage-pr-comment.yml
vendored
@@ -1,34 +0,0 @@
|
||||
name: Comment on PR with framework coverage changes
|
||||
|
||||
on:
|
||||
workflow_run:
|
||||
workflows: ["Check framework coverage changes"]
|
||||
types:
|
||||
- completed
|
||||
|
||||
jobs:
|
||||
check:
|
||||
name: Check framework coverage differences and comment
|
||||
runs-on: ubuntu-latest
|
||||
if: >
|
||||
${{ github.event.workflow_run.event == 'pull_request' &&
|
||||
github.event.workflow_run.conclusion == 'success' }}
|
||||
|
||||
steps:
|
||||
- name: Dump GitHub context
|
||||
env:
|
||||
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
|
||||
run: echo "$GITHUB_CONTEXT"
|
||||
- name: Clone self (github/codeql)
|
||||
uses: actions/checkout@v2
|
||||
- name: Set up Python 3.8
|
||||
uses: actions/setup-python@v2
|
||||
with:
|
||||
python-version: 3.8
|
||||
|
||||
- name: Check coverage difference file and comment
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
RUN_ID: ${{ github.event.workflow_run.id }}
|
||||
run: |
|
||||
python misc/scripts/library-coverage/comment-pr.py "$GITHUB_REPOSITORY" "$RUN_ID"
|
||||
42
.github/workflows/csv-coverage-timeseries.yml
vendored
42
.github/workflows/csv-coverage-timeseries.yml
vendored
@@ -1,42 +0,0 @@
|
||||
name: Build framework coverage timeseries reports
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
build:
|
||||
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- name: Clone self (github/codeql)
|
||||
uses: actions/checkout@v2
|
||||
with:
|
||||
path: script
|
||||
- name: Clone self (github/codeql) for analysis
|
||||
uses: actions/checkout@v2
|
||||
with:
|
||||
path: codeqlModels
|
||||
fetch-depth: 0
|
||||
- name: Set up Python 3.8
|
||||
uses: actions/setup-python@v2
|
||||
with:
|
||||
python-version: 3.8
|
||||
- name: Download CodeQL CLI
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
run: |
|
||||
gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
|
||||
- name: Unzip CodeQL CLI
|
||||
run: unzip -d codeql-cli codeql-linux64.zip
|
||||
- name: Build modeled package list
|
||||
run: |
|
||||
CLI=$(realpath "codeql-cli/codeql")
|
||||
echo $CLI
|
||||
PATH="$PATH:$CLI" python script/misc/scripts/library-coverage/generate-timeseries.py codeqlModels
|
||||
- name: Upload timeseries CSV
|
||||
uses: actions/upload-artifact@v2
|
||||
with:
|
||||
name: framework-coverage-timeseries
|
||||
path: framework-coverage-timeseries-*.csv
|
||||
|
||||
44
.github/workflows/csv-coverage-update.yml
vendored
44
.github/workflows/csv-coverage-update.yml
vendored
@@ -1,44 +0,0 @@
|
||||
name: Update framework coverage reports
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
schedule:
|
||||
- cron: "0 0 * * *"
|
||||
|
||||
jobs:
|
||||
update:
|
||||
name: Update framework coverage report
|
||||
if: github.event.repository.fork == false
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- name: Dump GitHub context
|
||||
env:
|
||||
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
|
||||
run: echo "$GITHUB_CONTEXT"
|
||||
- name: Clone self (github/codeql)
|
||||
uses: actions/checkout@v2
|
||||
with:
|
||||
path: ql
|
||||
fetch-depth: 0
|
||||
- name: Set up Python 3.8
|
||||
uses: actions/setup-python@v2
|
||||
with:
|
||||
python-version: 3.8
|
||||
- name: Download CodeQL CLI
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
run: |
|
||||
gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
|
||||
- name: Unzip CodeQL CLI
|
||||
run: unzip -d codeql-cli codeql-linux64.zip
|
||||
|
||||
- name: Generate coverage files
|
||||
run: |
|
||||
PATH="$PATH:codeql-cli/codeql" python ql/misc/scripts/library-coverage/generate-report.py ci ql ql
|
||||
|
||||
- name: Create pull request with changes
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
run: |
|
||||
python ql/misc/scripts/library-coverage/create-pr.py ql "$GITHUB_REPOSITORY"
|
||||
49
.github/workflows/csv-coverage.yml
vendored
49
.github/workflows/csv-coverage.yml
vendored
@@ -1,49 +0,0 @@
|
||||
name: Build framework coverage reports
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
inputs:
|
||||
qlModelShaOverride:
|
||||
description: 'github/codeql repo SHA used for looking up the CSV models'
|
||||
required: false
|
||||
|
||||
jobs:
|
||||
build:
|
||||
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- name: Clone self (github/codeql)
|
||||
uses: actions/checkout@v2
|
||||
with:
|
||||
path: script
|
||||
- name: Clone self (github/codeql) for analysis
|
||||
uses: actions/checkout@v2
|
||||
with:
|
||||
path: codeqlModels
|
||||
ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}
|
||||
- name: Set up Python 3.8
|
||||
uses: actions/setup-python@v2
|
||||
with:
|
||||
python-version: 3.8
|
||||
- name: Download CodeQL CLI
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
run: |
|
||||
gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
|
||||
- name: Unzip CodeQL CLI
|
||||
run: unzip -d codeql-cli codeql-linux64.zip
|
||||
- name: Build modeled package list
|
||||
run: |
|
||||
PATH="$PATH:codeql-cli/codeql" python script/misc/scripts/library-coverage/generate-report.py ci codeqlModels script
|
||||
- name: Upload CSV package list
|
||||
uses: actions/upload-artifact@v2
|
||||
with:
|
||||
name: framework-coverage-csv
|
||||
path: framework-coverage-*.csv
|
||||
- name: Upload RST package list
|
||||
uses: actions/upload-artifact@v2
|
||||
with:
|
||||
name: framework-coverage-rst
|
||||
path: framework-coverage-*.rst
|
||||
|
||||
@@ -250,10 +250,6 @@
|
||||
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll",
|
||||
"csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll"
|
||||
],
|
||||
"SSA PrintAliasAnalysis": [
|
||||
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintAliasAnalysis.qll",
|
||||
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintAliasAnalysis.qll"
|
||||
],
|
||||
"C++ SSA AliasAnalysisImports": [
|
||||
"cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysisImports.qll",
|
||||
"cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysisImports.qll"
|
||||
@@ -443,22 +439,10 @@
|
||||
],
|
||||
"CryptoAlgorithms Python/JS": [
|
||||
"javascript/ql/src/semmle/javascript/security/CryptoAlgorithms.qll",
|
||||
"python/ql/src/semmle/python/concepts/CryptoAlgorithms.qll"
|
||||
"python/ql/src/semmle/crypto/Crypto.qll"
|
||||
],
|
||||
"SensitiveDataHeuristics Python/JS": [
|
||||
"javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll",
|
||||
"python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll"
|
||||
],
|
||||
"ReDoS Util Python/JS": [
|
||||
"javascript/ql/src/semmle/javascript/security/performance/ReDoSUtil.qll",
|
||||
"python/ql/src/semmle/python/security/performance/ReDoSUtil.qll"
|
||||
],
|
||||
"ReDoS Exponential Python/JS": [
|
||||
"javascript/ql/src/semmle/javascript/security/performance/ExponentialBackTracking.qll",
|
||||
"python/ql/src/semmle/python/security/performance/ExponentialBackTracking.qll"
|
||||
],
|
||||
"ReDoS Polynomial Python/JS": [
|
||||
"javascript/ql/src/semmle/javascript/security/performance/SuperlinearBackTracking.qll",
|
||||
"python/ql/src/semmle/python/security/performance/SuperlinearBackTracking.qll"
|
||||
]
|
||||
}
|
||||
|
||||
@@ -1,2 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The query "Uncontrolled arithmetic" (`cpp/uncontrolled-arithmetic`) has been improved to produce fewer false positives.
|
||||
@@ -1,2 +0,0 @@
|
||||
lgtm
|
||||
* The "Tainted allocation size" query (cpp/uncontrolled-allocation-size) has been improved to produce fewer false positives.
|
||||
@@ -1,2 +0,0 @@
|
||||
lgtm
|
||||
* The "Static buffer overflow" query (cpp/static-buffer-overflow) has been improved to produce fewer false positives.
|
||||
@@ -1,2 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The "Use of a broken or risky cryptographic algorithm" (`cpp/weak-cryptographic-algorithm`) query has been enhanced to reduce false positive results, and (rarely) find more true positive results.
|
||||
@@ -1,2 +0,0 @@
|
||||
lgtm
|
||||
* A new query (`cpp/incorrect-allocation-error-handling`) has been added. The query finds incorrect error-handling of calls to `operator new`. This query was originally [submitted as an experimental query by @ihsinme](https://github.com/github/codeql/pull/5010).
|
||||
@@ -1,2 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* lvalue/rvalue ref qualifiers are now accessible via the new predicates on `MemberFunction`(`.isLValueRefQualified`, `.isRValueRefQualified`, and `isRefQualified`).
|
||||
@@ -1,2 +0,0 @@
|
||||
lgtm
|
||||
* The "Potentially unsafe call to strncat" query (cpp/unsafe-strncat) query has been improved to detect more cases of unsafe calls to `strncat`.
|
||||
@@ -1,4 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* Added definitions for types found in `cstdint`. Added types `FixedWidthIntegralType`, `MinimumWidthIntegralType`, `FastestMinimumWidthIntegralType`, and `MaximumWidthIntegralType` to describe types such as `int8_t`, `int_least8_t`, `int_fast8_t`, and `intmax_t` respectively.
|
||||
* Changed definition of `Intmax_t` and `Uintmax_t` to be part of the new type structure.
|
||||
* Added a type `FixedWidthEnumType` which describes enums based on a fixed-width integer type. For instance, `enum e: uint8_t = { a, b };`.
|
||||
@@ -1,2 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The "Use of a broken or risky cryptographic algorithm" (`cpp/weak-cryptographic-algorithm`) query has been further improved to reduce false positives and its `@precision` increased to `high`.
|
||||
@@ -1,2 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The DataFlow libraries have been augmented with support for `Configuration`-specific in-place read steps at, for example, sinks and custom taint steps. This means that it is now possible to specify sinks that accept flow with non-empty access paths.
|
||||
@@ -1,2 +0,0 @@
|
||||
lgtm
|
||||
* The 'Uncontrolled data in arithmetic expression' (cpp/uncontrolled-arithmetic) query now recognizes more sources of randomness.
|
||||
@@ -1,2 +0,0 @@
|
||||
lgtm,codescanning
|
||||
* The 'Wrong type of arguments to formatting function' (cpp/wrong-type-format-argument) query is now more accepting of the string and character formatting differences between Microsoft and non-Microsoft platforms. There are now fewer false positive results.
|
||||
@@ -5,7 +5,6 @@
|
||||
* @kind problem
|
||||
* @id cpp/offset-use-before-range-check
|
||||
* @problem.severity warning
|
||||
* @security-severity 8.2
|
||||
* @precision medium
|
||||
* @tags reliability
|
||||
* security
|
||||
|
||||
@@ -4,7 +4,6 @@
|
||||
* @kind problem
|
||||
* @id cpp/descriptor-may-not-be-closed
|
||||
* @problem.severity warning
|
||||
* @security-severity 7.8
|
||||
* @tags efficiency
|
||||
* security
|
||||
* external/cwe/cwe-775
|
||||
|
||||
@@ -4,7 +4,6 @@
|
||||
* @kind problem
|
||||
* @id cpp/descriptor-never-closed
|
||||
* @problem.severity warning
|
||||
* @security-severity 7.8
|
||||
* @tags efficiency
|
||||
* security
|
||||
* external/cwe/cwe-775
|
||||
|
||||
@@ -4,7 +4,6 @@
|
||||
* @kind problem
|
||||
* @id cpp/file-may-not-be-closed
|
||||
* @problem.severity warning
|
||||
* @security-severity 7.8
|
||||
* @tags efficiency
|
||||
* security
|
||||
* external/cwe/cwe-775
|
||||
|
||||
@@ -4,7 +4,6 @@
|
||||
* @kind problem
|
||||
* @id cpp/file-never-closed
|
||||
* @problem.severity warning
|
||||
* @security-severity 7.8
|
||||
* @tags efficiency
|
||||
* security
|
||||
* external/cwe/cwe-775
|
||||
|
||||
@@ -4,7 +4,6 @@
|
||||
* @kind problem
|
||||
* @id cpp/global-use-before-init
|
||||
* @problem.severity warning
|
||||
* @security-severity 7.8
|
||||
* @tags reliability
|
||||
* security
|
||||
* external/cwe/cwe-457
|
||||
|
||||
@@ -4,7 +4,6 @@
|
||||
* @kind problem
|
||||
* @id cpp/inconsistent-nullness-testing
|
||||
* @problem.severity warning
|
||||
* @security-severity 7.5
|
||||
* @tags reliability
|
||||
* security
|
||||
* external/cwe/cwe-476
|
||||
|
||||
@@ -4,7 +4,6 @@
|
||||
* @kind problem
|
||||
* @id cpp/initialization-not-run
|
||||
* @problem.severity warning
|
||||
* @security-severity 7.5
|
||||
* @tags reliability
|
||||
* security
|
||||
* external/cwe/cwe-456
|
||||
|
||||
@@ -6,7 +6,6 @@
|
||||
* @kind problem
|
||||
* @id cpp/late-negative-test
|
||||
* @problem.severity warning
|
||||
* @security-severity 9.3
|
||||
* @tags reliability
|
||||
* security
|
||||
* external/cwe/cwe-823
|
||||
|
||||
@@ -4,7 +4,6 @@
|
||||
* @kind problem
|
||||
* @id cpp/memory-may-not-be-freed
|
||||
* @problem.severity warning
|
||||
* @security-severity 7.5
|
||||
* @tags efficiency
|
||||
* security
|
||||
* external/cwe/cwe-401
|
||||
|
||||
@@ -4,7 +4,6 @@
|
||||
* @kind problem
|
||||
* @id cpp/memory-never-freed
|
||||
* @problem.severity warning
|
||||
* @security-severity 7.5
|
||||
* @tags efficiency
|
||||
* security
|
||||
* external/cwe/cwe-401
|
||||
|
||||
@@ -5,7 +5,6 @@
|
||||
* @kind problem
|
||||
* @id cpp/missing-negativity-test
|
||||
* @problem.severity warning
|
||||
* @security-severity 9.3
|
||||
* @tags reliability
|
||||
* security
|
||||
* external/cwe/cwe-823
|
||||
|
||||
@@ -4,7 +4,6 @@
|
||||
* @kind problem
|
||||
* @id cpp/missing-null-test
|
||||
* @problem.severity recommendation
|
||||
* @security-severity 7.5
|
||||
* @tags reliability
|
||||
* security
|
||||
* external/cwe/cwe-476
|
||||
|
||||
@@ -3,7 +3,6 @@
|
||||
* @description An object that was allocated with 'malloc' or 'new' is being freed using a mismatching 'free' or 'delete'.
|
||||
* @kind problem
|
||||
* @problem.severity warning
|
||||
* @security-severity 7.5
|
||||
* @precision high
|
||||
* @id cpp/new-free-mismatch
|
||||
* @tags reliability
|
||||
|
||||
@@ -4,7 +4,6 @@
|
||||
* @kind problem
|
||||
* @id cpp/overflow-calculated
|
||||
* @problem.severity warning
|
||||
* @security-severity 9.8
|
||||
* @tags reliability
|
||||
* security
|
||||
* external/cwe/cwe-131
|
||||
|
||||
@@ -5,7 +5,6 @@
|
||||
* @kind problem
|
||||
* @id cpp/overflow-destination
|
||||
* @problem.severity warning
|
||||
* @security-severity 9.3
|
||||
* @precision low
|
||||
* @tags reliability
|
||||
* security
|
||||
|
||||
@@ -4,7 +4,6 @@
|
||||
* may result in a buffer overflow.
|
||||
* @kind problem
|
||||
* @problem.severity warning
|
||||
* @security-severity 9.3
|
||||
* @precision medium
|
||||
* @id cpp/static-buffer-overflow
|
||||
* @tags reliability
|
||||
@@ -15,7 +14,6 @@
|
||||
|
||||
import cpp
|
||||
import semmle.code.cpp.commons.Buffer
|
||||
import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
|
||||
import LoopBounds
|
||||
|
||||
private predicate staticBufferBase(VariableAccess access, Variable v) {
|
||||
@@ -53,8 +51,6 @@ predicate overflowOffsetInLoop(BufferAccess bufaccess, string msg) {
|
||||
loop.getStmt().getAChild*() = bufaccess.getEnclosingStmt() and
|
||||
loop.limit() >= bufaccess.bufferSize() and
|
||||
loop.counter().getAnAccess() = bufaccess.getArrayOffset() and
|
||||
// Ensure that we don't have an upper bound on the array index that's less than the buffer size.
|
||||
not upperBound(bufaccess.getArrayOffset().getFullyConverted()) < bufaccess.bufferSize() and
|
||||
msg =
|
||||
"Potential buffer-overflow: counter '" + loop.counter().toString() + "' <= " +
|
||||
loop.limit().toString() + " but '" + bufaccess.buffer().getName() + "' has " +
|
||||
@@ -98,22 +94,17 @@ class CallWithBufferSize extends FunctionCall {
|
||||
}
|
||||
|
||||
int statedSizeValue() {
|
||||
// `upperBound(e)` defaults to `exprMaxVal(e)` when `e` isn't analyzable. So to get a meaningful
|
||||
// result in this case we pick the minimum value obtainable from dataflow and range analysis.
|
||||
result =
|
||||
upperBound(statedSizeExpr())
|
||||
.minimum(min(Expr statedSizeSrc |
|
||||
DataFlow::localExprFlow(statedSizeSrc, statedSizeExpr())
|
||||
|
|
||||
statedSizeSrc.getValue().toInt()
|
||||
))
|
||||
exists(Expr statedSizeSrc |
|
||||
DataFlow::localExprFlow(statedSizeSrc, statedSizeExpr()) and
|
||||
result = statedSizeSrc.getValue().toInt()
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
predicate wrongBufferSize(Expr error, string msg) {
|
||||
exists(CallWithBufferSize call, int bufsize, Variable buf, int statedSize |
|
||||
staticBuffer(call.buffer(), buf, bufsize) and
|
||||
statedSize = call.statedSizeValue() and
|
||||
statedSize = min(call.statedSizeValue()) and
|
||||
statedSize > bufsize and
|
||||
error = call.statedSizeExpr() and
|
||||
msg =
|
||||
|
||||
@@ -4,7 +4,6 @@
|
||||
* @kind problem
|
||||
* @id cpp/return-stack-allocated-object
|
||||
* @problem.severity warning
|
||||
* @security-severity 2.1
|
||||
* @tags reliability
|
||||
* security
|
||||
* external/cwe/cwe-562
|
||||
|
||||
@@ -7,7 +7,7 @@
|
||||
<overview>
|
||||
<p>
|
||||
This rule finds calls to a function that ignore the return value. A function call is only marked
|
||||
as a violation if at least 90% of the total calls to that function check the return value. Not
|
||||
as a violation if at least 80% of the total calls to that function check the return value. Not
|
||||
checking a return value is a common source of defects from standard library functions like <code>malloc</code> or <code>fread</code>.
|
||||
These functions return the status information and the return values should always be checked
|
||||
to see if the operation succeeded before operating on any data modified or resources allocated by these functions.
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
/**
|
||||
* @name Return value of a function is ignored
|
||||
* @description A call to a function ignores its return value, but at least 90% of the total number of calls to the function check the return value. Check the return value of functions consistently, especially for functions like 'fread' or the 'scanf' functions that return the status of the operation.
|
||||
* @description A call to a function ignores its return value, but more than 80% of the total number of calls to the function check the return value. Check the return value of functions consistently, especially for functions like 'fread' or the 'scanf' functions that return the status of the operation.
|
||||
* @kind problem
|
||||
* @id cpp/return-value-ignored
|
||||
* @problem.severity recommendation
|
||||
|
||||
@@ -4,7 +4,6 @@
|
||||
* an instance of the type of the pointer may result in a buffer overflow
|
||||
* @kind problem
|
||||
* @problem.severity warning
|
||||
* @security-severity 8.1
|
||||
* @precision medium
|
||||
* @id cpp/allocation-too-small
|
||||
* @tags reliability
|
||||
|
||||
@@ -4,7 +4,6 @@
|
||||
* multiple instances of the type of the pointer may result in a buffer overflow
|
||||
* @kind problem
|
||||
* @problem.severity warning
|
||||
* @security-severity 8.1
|
||||
* @precision medium
|
||||
* @id cpp/suspicious-allocation-size
|
||||
* @tags reliability
|
||||
|
||||
@@ -4,7 +4,6 @@
|
||||
* @kind problem
|
||||
* @id cpp/use-after-free
|
||||
* @problem.severity warning
|
||||
* @security-severity 9.3
|
||||
* @tags reliability
|
||||
* security
|
||||
* external/cwe/cwe-416
|
||||
|
||||
@@ -7,6 +7,10 @@
|
||||
|
||||
import cpp
|
||||
|
||||
class AnonymousCompilation extends Compilation {
|
||||
override string toString() { result = "<compilation>" }
|
||||
}
|
||||
|
||||
string describe(Compilation c) {
|
||||
if c.getArgument(1) = "--mimic"
|
||||
then result = "compiler invocation " + concat(int i | i > 1 | c.getArgument(i), " " order by i)
|
||||
@@ -15,4 +19,4 @@ string describe(Compilation c) {
|
||||
|
||||
from Compilation c
|
||||
where not c.normalTermination()
|
||||
select "Extraction aborted for " + describe(c)
|
||||
select c, "Extraction aborted for " + describe(c), 2
|
||||
|
||||
@@ -6,7 +6,6 @@
|
||||
* to a larger type.
|
||||
* @kind problem
|
||||
* @problem.severity error
|
||||
* @security-severity 8.1
|
||||
* @precision very-high
|
||||
* @id cpp/bad-addition-overflow-check
|
||||
* @tags reliability
|
||||
|
||||
@@ -4,7 +4,6 @@
|
||||
* be a sign that the result can overflow the type converted from.
|
||||
* @kind problem
|
||||
* @problem.severity warning
|
||||
* @security-severity 8.1
|
||||
* @precision high
|
||||
* @id cpp/integer-multiplication-cast-to-long
|
||||
* @tags reliability
|
||||
|
||||
@@ -5,7 +5,6 @@
|
||||
* unsigned integer values.
|
||||
* @kind problem
|
||||
* @problem.severity warning
|
||||
* @security-severity 8.1
|
||||
* @precision high
|
||||
* @id cpp/signed-overflow-check
|
||||
* @tags correctness
|
||||
|
||||
@@ -6,7 +6,6 @@
|
||||
* use the width of the base type, leading to misaligned reads.
|
||||
* @kind path-problem
|
||||
* @problem.severity warning
|
||||
* @security-severity 9.3
|
||||
* @precision high
|
||||
* @id cpp/upcast-array-pointer-arithmetic
|
||||
* @tags correctness
|
||||
|
||||
@@ -6,7 +6,6 @@
|
||||
* from an untrusted source, this can be used for exploits.
|
||||
* @kind problem
|
||||
* @problem.severity recommendation
|
||||
* @security-severity 9.3
|
||||
* @precision high
|
||||
* @id cpp/non-constant-format
|
||||
* @tags maintainability
|
||||
|
||||
@@ -3,7 +3,6 @@
|
||||
* @description Using the return value from snprintf without proper checks can cause overflow.
|
||||
* @kind problem
|
||||
* @problem.severity warning
|
||||
* @security-severity 8.1
|
||||
* @precision high
|
||||
* @id cpp/overflowing-snprintf
|
||||
* @tags reliability
|
||||
|
||||
@@ -4,7 +4,6 @@
|
||||
* a source of security issues.
|
||||
* @kind problem
|
||||
* @problem.severity error
|
||||
* @security-severity 5.0
|
||||
* @precision high
|
||||
* @id cpp/wrong-number-format-arguments
|
||||
* @tags reliability
|
||||
|
||||
@@ -4,7 +4,6 @@
|
||||
* behavior.
|
||||
* @kind problem
|
||||
* @problem.severity error
|
||||
* @security-severity 7.5
|
||||
* @precision high
|
||||
* @id cpp/wrong-type-format-argument
|
||||
* @tags reliability
|
||||
@@ -19,32 +18,28 @@ import cpp
|
||||
* Holds if the argument corresponding to the `pos` conversion specifier
|
||||
* of `ffc` is expected to have type `expected`.
|
||||
*/
|
||||
pragma[noopt]
|
||||
private predicate formattingFunctionCallExpectedType(
|
||||
FormattingFunctionCall ffc, int pos, Type expected
|
||||
) {
|
||||
ffc.getFormat().(FormatLiteral).getConversionType(pos) = expected
|
||||
exists(FormattingFunction f, int i, FormatLiteral fl |
|
||||
ffc instanceof FormattingFunctionCall and
|
||||
ffc.getTarget() = f and
|
||||
f.getFormatParameterIndex() = i and
|
||||
ffc.getArgument(i) = fl and
|
||||
fl.getConversionType(pos) = expected
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if the argument corresponding to the `pos` conversion specifier
|
||||
* of `ffc` could alternatively have type `expected`, for example on a different
|
||||
* platform.
|
||||
*/
|
||||
private predicate formattingFunctionCallAlternateType(
|
||||
FormattingFunctionCall ffc, int pos, Type expected
|
||||
) {
|
||||
ffc.getFormat().(FormatLiteral).getConversionTypeAlternate(pos) = expected
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if the argument corresponding to the `pos` conversion specifier
|
||||
* of `ffc` is `arg` and has type `actual`.
|
||||
* of `ffc` is expected to have type `expected` and the corresponding
|
||||
* argument `arg` has type `actual`.
|
||||
*/
|
||||
pragma[noopt]
|
||||
predicate formattingFunctionCallActualType(
|
||||
FormattingFunctionCall ffc, int pos, Expr arg, Type actual
|
||||
) {
|
||||
predicate formatArgType(FormattingFunctionCall ffc, int pos, Type expected, Expr arg, Type actual) {
|
||||
exists(Expr argConverted |
|
||||
formattingFunctionCallExpectedType(ffc, pos, expected) and
|
||||
ffc.getConversionArgument(pos) = arg and
|
||||
argConverted = arg.getFullyConverted() and
|
||||
actual = argConverted.getType()
|
||||
@@ -76,8 +71,7 @@ class ExpectedType extends Type {
|
||||
ExpectedType() {
|
||||
exists(Type t |
|
||||
(
|
||||
formattingFunctionCallExpectedType(_, _, t) or
|
||||
formattingFunctionCallAlternateType(_, _, t) or
|
||||
formatArgType(_, _, t, _, _) or
|
||||
formatOtherArgType(_, _, t, _, _)
|
||||
) and
|
||||
this = t.getUnspecifiedType()
|
||||
@@ -96,11 +90,7 @@ class ExpectedType extends Type {
|
||||
*/
|
||||
predicate trivialConversion(ExpectedType expected, Type actual) {
|
||||
exists(Type exp, Type act |
|
||||
(
|
||||
formattingFunctionCallExpectedType(_, _, exp) or
|
||||
formattingFunctionCallAlternateType(_, _, exp)
|
||||
) and
|
||||
formattingFunctionCallActualType(_, _, _, act) and
|
||||
formatArgType(_, _, exp, _, act) and
|
||||
expected = exp.getUnspecifiedType() and
|
||||
actual = act.getUnspecifiedType()
|
||||
) and
|
||||
@@ -155,13 +145,9 @@ int sizeof_IntType() { exists(IntType it | result = it.getSize()) }
|
||||
from FormattingFunctionCall ffc, int n, Expr arg, Type expected, Type actual
|
||||
where
|
||||
(
|
||||
formattingFunctionCallExpectedType(ffc, n, expected) and
|
||||
formattingFunctionCallActualType(ffc, n, arg, actual) and
|
||||
formatArgType(ffc, n, expected, arg, actual) and
|
||||
not exists(Type anyExpected |
|
||||
(
|
||||
formattingFunctionCallExpectedType(ffc, n, anyExpected) or
|
||||
formattingFunctionCallAlternateType(ffc, n, anyExpected)
|
||||
) and
|
||||
formatArgType(ffc, n, anyExpected, arg, actual) and
|
||||
trivialConversion(anyExpected.getUnspecifiedType(), actual.getUnspecifiedType())
|
||||
)
|
||||
or
|
||||
|
||||
@@ -6,7 +6,6 @@
|
||||
* @kind problem
|
||||
* @id cpp/incorrect-not-operator-usage
|
||||
* @problem.severity warning
|
||||
* @security-severity 7.5
|
||||
* @precision medium
|
||||
* @tags security
|
||||
* external/cwe/cwe-480
|
||||
|
||||
@@ -3,7 +3,6 @@
|
||||
* @description Using alloca in a loop can lead to a stack overflow
|
||||
* @kind problem
|
||||
* @problem.severity warning
|
||||
* @security-severity 7.5
|
||||
* @precision high
|
||||
* @id cpp/alloca-in-loop
|
||||
* @tags reliability
|
||||
|
||||
@@ -5,7 +5,6 @@
|
||||
* @kind problem
|
||||
* @id cpp/improper-null-termination
|
||||
* @problem.severity warning
|
||||
* @security-severity 7.8
|
||||
* @tags security
|
||||
* external/cwe/cwe-170
|
||||
* external/cwe/cwe-665
|
||||
|
||||
@@ -4,7 +4,6 @@
|
||||
* on undefined behavior and may lead to memory corruption.
|
||||
* @kind problem
|
||||
* @problem.severity error
|
||||
* @security-severity 2.1
|
||||
* @precision high
|
||||
* @id cpp/pointer-overflow-check
|
||||
* @tags reliability
|
||||
|
||||
@@ -6,7 +6,6 @@
|
||||
* @kind problem
|
||||
* @id cpp/potential-buffer-overflow
|
||||
* @problem.severity warning
|
||||
* @security-severity 10.0
|
||||
* @tags reliability
|
||||
* security
|
||||
* external/cwe/cwe-676
|
||||
|
||||
@@ -4,7 +4,6 @@
|
||||
* as the third argument may result in a buffer overflow.
|
||||
* @kind problem
|
||||
* @problem.severity warning
|
||||
* @security-severity 9.3
|
||||
* @precision medium
|
||||
* @id cpp/bad-strncpy-size
|
||||
* @tags reliability
|
||||
|
||||
@@ -7,7 +7,6 @@
|
||||
* @kind problem
|
||||
* @id cpp/suspicious-call-to-memset
|
||||
* @problem.severity recommendation
|
||||
* @security-severity 10.0
|
||||
* @precision medium
|
||||
* @tags reliability
|
||||
* correctness
|
||||
|
||||
@@ -2,7 +2,3 @@ strncat(dest, src, strlen(dest)); //wrong: should use remaining size of dest
|
||||
|
||||
strncat(dest, src, sizeof(dest)); //wrong: should use remaining size of dest.
|
||||
//Also fails if dest is a pointer and not an array.
|
||||
|
||||
strncat(dest, source, sizeof(dest) - strlen(dest)); // wrong: writes a zero byte past the `dest` buffer.
|
||||
|
||||
strncat(dest, source, sizeof(dest) - strlen(dest) - 1); // correct: reserves space for the zero byte.
|
||||
|
||||
@@ -4,17 +4,7 @@
|
||||
<qhelp>
|
||||
<overview>
|
||||
<p>The standard library function <code>strncat</code> appends a source string to a target string.
|
||||
The third argument defines the maximum number of characters to append and should be less than or equal
|
||||
to the remaining space in the destination buffer.</p>
|
||||
|
||||
<p>Calls of the form <code>strncat(dest, src, strlen(dest))</code> or <code>strncat(dest, src, sizeof(dest))</code> set
|
||||
the third argument to the entire size of the destination buffer.
|
||||
Executing a call of this type may cause a buffer overflow unless the buffer is known to be empty.</p>
|
||||
|
||||
<p>Similarly, calls of the form <code>strncat(dest, src, sizeof (dest) - strlen (dest))</code> allow one
|
||||
byte to be written ouside the <code>dest</code> buffer.</p>
|
||||
|
||||
<p>Buffer overflows can lead to anything from a segmentation fault to a security vulnerability.</p>
|
||||
The third argument defines the maximum number of characters to append and should be less than or equal to the remaining space in the destination buffer. Calls of the form <code>strncat(dest, src, strlen(dest))</code> or <code>strncat(dest, src, sizeof(dest))</code> set the third argument to the entire size of the destination buffer. Executing a call of this type may cause a buffer overflow unless the buffer is known to be empty. Buffer overflows can lead to anything from a segmentation fault to a security vulnerability.</p>
|
||||
|
||||
</overview>
|
||||
<recommendation>
|
||||
@@ -35,10 +25,6 @@ byte to be written ouside the <code>dest</code> buffer.</p>
|
||||
<li>
|
||||
M. Donaldson, <em>Inside the Buffer Overflow Attack: Mechanism, Method & Prevention</em>. SANS Institute InfoSec Reading Room, 2002.
|
||||
</li>
|
||||
<li>
|
||||
CERT C Coding Standard:
|
||||
<a href="https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator">STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator</a>.
|
||||
</li>
|
||||
|
||||
|
||||
</references>
|
||||
|
||||
@@ -1,15 +1,14 @@
|
||||
/**
|
||||
* @name Potentially unsafe call to strncat
|
||||
* @description Calling 'strncat' with an incorrect size argument may result in a buffer overflow.
|
||||
* @description Calling 'strncat' with the size of the destination buffer
|
||||
* as the third argument may result in a buffer overflow.
|
||||
* @kind problem
|
||||
* @problem.severity warning
|
||||
* @security-severity 9.3
|
||||
* @precision medium
|
||||
* @id cpp/unsafe-strncat
|
||||
* @tags reliability
|
||||
* correctness
|
||||
* security
|
||||
* external/cwe/cwe-788
|
||||
* external/cwe/cwe-676
|
||||
* external/cwe/cwe-119
|
||||
* external/cwe/cwe-251
|
||||
@@ -17,53 +16,11 @@
|
||||
|
||||
import cpp
|
||||
import Buffer
|
||||
import semmle.code.cpp.models.implementations.Strcat
|
||||
import semmle.code.cpp.valuenumbering.GlobalValueNumbering
|
||||
|
||||
/**
|
||||
* Holds if `call` is a call to `strncat` such that `sizeArg` and `destArg` are the size and
|
||||
* destination arguments, respectively.
|
||||
*/
|
||||
predicate interestringCallWithArgs(Call call, Expr sizeArg, Expr destArg) {
|
||||
exists(StrcatFunction strcat |
|
||||
strcat = call.getTarget() and
|
||||
sizeArg = call.getArgument(strcat.getParamSize()) and
|
||||
destArg = call.getArgument(strcat.getParamDest())
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `fc` is a call to `strncat` with size argument `sizeArg` and destination
|
||||
* argument `destArg`, and `destArg` is the size of the buffer pointed to by `destArg`.
|
||||
*/
|
||||
predicate case1(FunctionCall fc, Expr sizeArg, VariableAccess destArg) {
|
||||
interestringCallWithArgs(fc, sizeArg, destArg) and
|
||||
exists(VariableAccess va |
|
||||
va = sizeArg.(BufferSizeExpr).getArg() and
|
||||
destArg.getTarget() = va.getTarget()
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `fc` is a call to `strncat` with size argument `sizeArg` and destination
|
||||
* argument `destArg`, and `sizeArg` computes the value `sizeof (dest) - strlen (dest)`.
|
||||
*/
|
||||
predicate case2(FunctionCall fc, Expr sizeArg, VariableAccess destArg) {
|
||||
interestringCallWithArgs(fc, sizeArg, destArg) and
|
||||
exists(SubExpr sub, int n |
|
||||
// The destination buffer is an array of size n
|
||||
destArg.getUnspecifiedType().(ArrayType).getSize() = n and
|
||||
// The size argument is equivalent to a subtraction
|
||||
globalValueNumber(sizeArg).getAnExpr() = sub and
|
||||
// ... where the left side of the subtraction is the constant n
|
||||
globalValueNumber(sub.getLeftOperand()).getAnExpr().getValue().toInt() = n and
|
||||
// ... and the right side of the subtraction is a call to `strlen` where the argument is the
|
||||
// destination buffer.
|
||||
globalValueNumber(sub.getRightOperand()).getAnExpr().(StrlenCall).getStringExpr() =
|
||||
globalValueNumber(destArg).getAnExpr()
|
||||
)
|
||||
}
|
||||
|
||||
from FunctionCall fc, Expr sizeArg, Expr destArg
|
||||
where case1(fc, sizeArg, destArg) or case2(fc, sizeArg, destArg)
|
||||
from FunctionCall fc, VariableAccess va1, VariableAccess va2
|
||||
where
|
||||
fc.getTarget().(Function).hasName("strncat") and
|
||||
va1 = fc.getArgument(0) and
|
||||
va2 = fc.getArgument(2).(BufferSizeExpr).getArg() and
|
||||
va1.getTarget() = va2.getTarget()
|
||||
select fc, "Potentially unsafe call to strncat."
|
||||
|
||||
@@ -5,7 +5,6 @@
|
||||
* the machine pointer size.
|
||||
* @kind problem
|
||||
* @problem.severity warning
|
||||
* @security-severity 8.8
|
||||
* @precision medium
|
||||
* @id cpp/suspicious-sizeof
|
||||
* @tags reliability
|
||||
|
||||
@@ -5,7 +5,6 @@
|
||||
* @kind problem
|
||||
* @id cpp/uninitialized-local
|
||||
* @problem.severity warning
|
||||
* @security-severity 7.8
|
||||
* @precision medium
|
||||
* @tags security
|
||||
* external/cwe/cwe-665
|
||||
|
||||
@@ -4,7 +4,6 @@
|
||||
* may result in a buffer overflow
|
||||
* @kind problem
|
||||
* @problem.severity warning
|
||||
* @security-severity 9.8
|
||||
* @precision medium
|
||||
* @id cpp/unsafe-strcat
|
||||
* @tags reliability
|
||||
|
||||
@@ -6,7 +6,6 @@
|
||||
* @kind problem
|
||||
* @id cpp/self-assignment-check
|
||||
* @problem.severity warning
|
||||
* @security-severity 7.0
|
||||
* @tags reliability
|
||||
* security
|
||||
* external/cwe/cwe-826
|
||||
|
||||
@@ -6,7 +6,6 @@
|
||||
* @kind path-problem
|
||||
* @id cpp/unsafe-use-of-this
|
||||
* @problem.severity error
|
||||
* @security-severity 7.5
|
||||
* @precision very-high
|
||||
* @tags correctness
|
||||
* language-features
|
||||
|
||||
@@ -7,7 +7,6 @@
|
||||
* undefined data.
|
||||
* @kind problem
|
||||
* @problem.severity error
|
||||
* @security-severity 5.0
|
||||
* @precision very-high
|
||||
* @id cpp/too-few-arguments
|
||||
* @tags correctness
|
||||
|
||||
@@ -9,6 +9,7 @@
|
||||
* @tags reliability
|
||||
* external/cwe/cwe-573
|
||||
* external/cwe/cwe-252
|
||||
* @opaque-id SM02344
|
||||
* @microsoft.severity Important
|
||||
*/
|
||||
|
||||
|
||||
@@ -5,7 +5,6 @@
|
||||
* @kind problem
|
||||
* @id cpp/memset-may-be-deleted
|
||||
* @problem.severity warning
|
||||
* @security-severity 7.8
|
||||
* @precision high
|
||||
* @tags security
|
||||
* external/cwe/cwe-14
|
||||
|
||||
@@ -5,7 +5,6 @@
|
||||
* @kind path-problem
|
||||
* @precision low
|
||||
* @problem.severity error
|
||||
* @security-severity 7.8
|
||||
* @tags security external/cwe/cwe-20
|
||||
*/
|
||||
|
||||
|
||||
@@ -5,7 +5,6 @@
|
||||
* @kind path-problem
|
||||
* @precision low
|
||||
* @problem.severity error
|
||||
* @security-severity 7.8
|
||||
* @tags security external/cwe/cwe-20
|
||||
*/
|
||||
|
||||
|
||||
@@ -4,7 +4,6 @@
|
||||
* attacker to access unexpected resources.
|
||||
* @kind path-problem
|
||||
* @problem.severity warning
|
||||
* @security-severity 7.5
|
||||
* @precision medium
|
||||
* @id cpp/path-injection
|
||||
* @tags security
|
||||
|
||||
@@ -5,7 +5,6 @@
|
||||
* to command injection.
|
||||
* @kind problem
|
||||
* @problem.severity error
|
||||
* @security-severity 9.8
|
||||
* @precision low
|
||||
* @id cpp/command-line-injection
|
||||
* @tags security
|
||||
|
||||
@@ -4,7 +4,6 @@
|
||||
* allows for a cross-site scripting vulnerability.
|
||||
* @kind path-problem
|
||||
* @problem.severity error
|
||||
* @security-severity 6.1
|
||||
* @precision high
|
||||
* @id cpp/cgi-xss
|
||||
* @tags security
|
||||
|
||||
@@ -5,7 +5,6 @@
|
||||
* to SQL Injection.
|
||||
* @kind path-problem
|
||||
* @problem.severity error
|
||||
* @security-severity 8.8
|
||||
* @precision high
|
||||
* @id cpp/sql-injection
|
||||
* @tags security
|
||||
|
||||
@@ -5,7 +5,6 @@
|
||||
* commands.
|
||||
* @kind path-problem
|
||||
* @problem.severity warning
|
||||
* @security-severity 8.2
|
||||
* @precision medium
|
||||
* @id cpp/uncontrolled-process-operation
|
||||
* @tags security
|
||||
|
||||
@@ -6,7 +6,6 @@
|
||||
* @kind problem
|
||||
* @id cpp/overflow-buffer
|
||||
* @problem.severity recommendation
|
||||
* @security-severity 9.3
|
||||
* @tags security
|
||||
* external/cwe/cwe-119
|
||||
* external/cwe/cwe-121
|
||||
|
||||
@@ -5,7 +5,6 @@
|
||||
* overflow.
|
||||
* @kind problem
|
||||
* @problem.severity error
|
||||
* @security-severity 9.3
|
||||
* @precision high
|
||||
* @id cpp/badly-bounded-write
|
||||
* @tags reliability
|
||||
|
||||
@@ -4,7 +4,6 @@
|
||||
* of data written may overflow.
|
||||
* @kind problem
|
||||
* @problem.severity error
|
||||
* @security-severity 9.3
|
||||
* @precision medium
|
||||
* @id cpp/overrunning-write
|
||||
* @tags reliability
|
||||
|
||||
@@ -5,7 +5,6 @@
|
||||
* take extreme values.
|
||||
* @kind problem
|
||||
* @problem.severity error
|
||||
* @security-severity 9.3
|
||||
* @precision medium
|
||||
* @id cpp/overrunning-write-with-float
|
||||
* @tags reliability
|
||||
|
||||
@@ -4,7 +4,6 @@
|
||||
* of data written may overflow.
|
||||
* @kind path-problem
|
||||
* @problem.severity error
|
||||
* @security-severity 9.3
|
||||
* @precision medium
|
||||
* @id cpp/unbounded-write
|
||||
* @tags reliability
|
||||
|
||||
@@ -5,7 +5,6 @@
|
||||
* a specific value to terminate the argument list.
|
||||
* @kind problem
|
||||
* @problem.severity warning
|
||||
* @security-severity 8.8
|
||||
* @precision medium
|
||||
* @id cpp/unterminated-variadic-call
|
||||
* @tags reliability
|
||||
|
||||
@@ -6,7 +6,6 @@
|
||||
* @kind problem
|
||||
* @id cpp/unclear-array-index-validation
|
||||
* @problem.severity warning
|
||||
* @security-severity 8.8
|
||||
* @tags security
|
||||
* external/cwe/cwe-129
|
||||
*/
|
||||
|
||||
@@ -5,7 +5,6 @@
|
||||
* terminator can cause a buffer overrun.
|
||||
* @kind problem
|
||||
* @problem.severity error
|
||||
* @security-severity 9.8
|
||||
* @precision high
|
||||
* @id cpp/no-space-for-terminator
|
||||
* @tags reliability
|
||||
|
||||
@@ -5,7 +5,6 @@
|
||||
* or data representation problems.
|
||||
* @kind path-problem
|
||||
* @problem.severity warning
|
||||
* @security-severity 9.3
|
||||
* @precision high
|
||||
* @id cpp/tainted-format-string
|
||||
* @tags reliability
|
||||
|
||||
@@ -5,7 +5,6 @@
|
||||
* or data representation problems.
|
||||
* @kind path-problem
|
||||
* @problem.severity warning
|
||||
* @security-severity 9.3
|
||||
* @precision high
|
||||
* @id cpp/tainted-format-string-through-global
|
||||
* @tags reliability
|
||||
|
||||
@@ -5,7 +5,6 @@
|
||||
* @kind problem
|
||||
* @id cpp/user-controlled-null-termination-tainted
|
||||
* @problem.severity warning
|
||||
* @security-severity 10.0
|
||||
* @tags security
|
||||
* external/cwe/cwe-170
|
||||
*/
|
||||
|
||||
@@ -2,9 +2,8 @@
|
||||
* @name User-controlled data in arithmetic expression
|
||||
* @description Arithmetic operations on user-controlled data that is
|
||||
* not validated can cause overflows.
|
||||
* @kind path-problem
|
||||
* @kind problem
|
||||
* @problem.severity warning
|
||||
* @security-severity 8.6
|
||||
* @precision low
|
||||
* @id cpp/tainted-arithmetic
|
||||
* @tags security
|
||||
@@ -16,39 +15,22 @@ import cpp
|
||||
import semmle.code.cpp.security.Overflow
|
||||
import semmle.code.cpp.security.Security
|
||||
import semmle.code.cpp.security.TaintTracking
|
||||
import TaintedWithPath
|
||||
import Bounded
|
||||
|
||||
bindingset[op]
|
||||
predicate missingGuard(Operation op, Expr e, string effect) {
|
||||
missingGuardAgainstUnderflow(op, e) and effect = "underflow"
|
||||
or
|
||||
missingGuardAgainstOverflow(op, e) and effect = "overflow"
|
||||
or
|
||||
not e instanceof VariableAccess and effect = "overflow"
|
||||
}
|
||||
|
||||
class Configuration extends TaintTrackingConfiguration {
|
||||
override predicate isSink(Element e) {
|
||||
exists(Operation op |
|
||||
missingGuard(op, e, _) and
|
||||
op.getAnOperand() = e
|
||||
|
|
||||
op instanceof UnaryArithmeticOperation or
|
||||
op instanceof BinaryArithmeticOperation
|
||||
)
|
||||
}
|
||||
|
||||
override predicate isBarrier(Expr e) {
|
||||
super.isBarrier(e) or bounded(e) or e.getUnspecifiedType().(IntegralType).getSize() <= 1
|
||||
}
|
||||
}
|
||||
|
||||
from Expr origin, Expr e, string effect, PathNode sourceNode, PathNode sinkNode, Operation op
|
||||
from Expr origin, Operation op, Expr e, string effect
|
||||
where
|
||||
taintedWithPath(origin, e, sourceNode, sinkNode) and
|
||||
isUserInput(origin, _) and
|
||||
tainted(origin, e) and
|
||||
op.getAnOperand() = e and
|
||||
missingGuard(op, e, effect)
|
||||
select e, sourceNode, sinkNode,
|
||||
"$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".", origin,
|
||||
"User-provided value"
|
||||
(
|
||||
missingGuardAgainstUnderflow(op, e) and effect = "underflow"
|
||||
or
|
||||
missingGuardAgainstOverflow(op, e) and effect = "overflow"
|
||||
or
|
||||
not e instanceof VariableAccess and effect = "overflow"
|
||||
) and
|
||||
(
|
||||
op instanceof UnaryArithmeticOperation or
|
||||
op instanceof BinaryArithmeticOperation
|
||||
)
|
||||
select e, "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".",
|
||||
origin, "User-provided value"
|
||||
|
||||
@@ -4,7 +4,6 @@
|
||||
* validated can cause overflows.
|
||||
* @kind path-problem
|
||||
* @problem.severity warning
|
||||
* @security-severity 8.6
|
||||
* @precision medium
|
||||
* @id cpp/uncontrolled-arithmetic
|
||||
* @tags security
|
||||
@@ -15,62 +14,34 @@
|
||||
import cpp
|
||||
import semmle.code.cpp.security.Overflow
|
||||
import semmle.code.cpp.security.Security
|
||||
import semmle.code.cpp.security.FlowSources
|
||||
import semmle.code.cpp.ir.dataflow.TaintTracking
|
||||
import DataFlow::PathGraph
|
||||
import Bounded
|
||||
import semmle.code.cpp.security.TaintTracking
|
||||
import TaintedWithPath
|
||||
|
||||
/**
|
||||
* A function that outputs random data such as `std::rand`.
|
||||
*/
|
||||
abstract class RandomFunction extends Function {
|
||||
/**
|
||||
* Gets the `FunctionOutput` that describes how this function returns the random data.
|
||||
*/
|
||||
FunctionOutput getFunctionOutput() { result.isReturnValue() }
|
||||
predicate isRandCall(FunctionCall fc) { fc.getTarget().getName() = "rand" }
|
||||
|
||||
predicate isRandCallOrParent(Expr e) {
|
||||
isRandCall(e) or
|
||||
isRandCallOrParent(e.getAChild())
|
||||
}
|
||||
|
||||
/**
|
||||
* The standard function `std::rand`.
|
||||
*/
|
||||
private class StdRand extends RandomFunction {
|
||||
StdRand() {
|
||||
this.hasGlobalOrStdOrBslName("rand") and
|
||||
this.getNumberOfParameters() = 0
|
||||
predicate isRandValue(Expr e) {
|
||||
isRandCall(e)
|
||||
or
|
||||
exists(MacroInvocation mi |
|
||||
e = mi.getExpr() and
|
||||
isRandCallOrParent(e)
|
||||
)
|
||||
}
|
||||
|
||||
class SecurityOptionsArith extends SecurityOptions {
|
||||
override predicate isUserInput(Expr expr, string cause) {
|
||||
isRandValue(expr) and
|
||||
cause = "rand" and
|
||||
not expr.getParent*() instanceof DivExpr
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* The Unix function `rand_r`.
|
||||
*/
|
||||
private class RandR extends RandomFunction {
|
||||
RandR() {
|
||||
this.hasGlobalName("rand_r") and
|
||||
this.getNumberOfParameters() = 1
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* The Unix function `random`.
|
||||
*/
|
||||
private class Random extends RandomFunction {
|
||||
Random() {
|
||||
this.hasGlobalName("random") and
|
||||
this.getNumberOfParameters() = 1
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* The Windows `rand_s` function.
|
||||
*/
|
||||
private class RandS extends RandomFunction {
|
||||
RandS() {
|
||||
this.hasGlobalName("rand_s") and
|
||||
this.getNumberOfParameters() = 1
|
||||
}
|
||||
|
||||
override FunctionOutput getFunctionOutput() { result.isParameterDeref(0) }
|
||||
}
|
||||
predicate isDiv(VariableAccess va) { exists(AssignDivExpr div | div.getLValue() = va) }
|
||||
|
||||
predicate missingGuard(VariableAccess va, string effect) {
|
||||
exists(Operation op | op.getAnOperand() = va |
|
||||
@@ -80,47 +51,30 @@ predicate missingGuard(VariableAccess va, string effect) {
|
||||
)
|
||||
}
|
||||
|
||||
class UncontrolledArithConfiguration extends TaintTracking::Configuration {
|
||||
UncontrolledArithConfiguration() { this = "UncontrolledArithConfiguration" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) {
|
||||
exists(RandomFunction rand, Call call | call.getTarget() = rand |
|
||||
rand.getFunctionOutput().isReturnValue() and
|
||||
source.asExpr() = call
|
||||
or
|
||||
exists(int n |
|
||||
source.asDefiningArgument() = call.getArgument(n) and
|
||||
rand.getFunctionOutput().isParameterDeref(n)
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { missingGuard(sink.asExpr(), _) }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
bounded(node.asExpr())
|
||||
class Configuration extends TaintTrackingConfiguration {
|
||||
override predicate isSink(Element e) {
|
||||
isDiv(e)
|
||||
or
|
||||
// If this expression is part of bitwise 'and' or 'or' operation it's likely that the value is
|
||||
// only used as a bit pattern.
|
||||
node.asExpr() =
|
||||
any(Operation op |
|
||||
op instanceof BitwiseOrExpr or
|
||||
op instanceof BitwiseAndExpr or
|
||||
op instanceof ComplementExpr
|
||||
).getAnOperand*()
|
||||
missingGuard(e, _)
|
||||
}
|
||||
}
|
||||
|
||||
/** Gets the expression that corresponds to `node`, if any. */
|
||||
Expr getExpr(DataFlow::Node node) { result = [node.asExpr(), node.asDefiningArgument()] }
|
||||
/**
|
||||
* A value that undergoes division is likely to be bounded within a safe
|
||||
* range.
|
||||
*/
|
||||
predicate guardedByAssignDiv(Expr origin) {
|
||||
exists(VariableAccess va |
|
||||
taintedWithPath(origin, va, _, _) and
|
||||
isDiv(va)
|
||||
)
|
||||
}
|
||||
|
||||
from
|
||||
UncontrolledArithConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink,
|
||||
VariableAccess va, string effect
|
||||
from Expr origin, VariableAccess va, string effect, PathNode sourceNode, PathNode sinkNode
|
||||
where
|
||||
config.hasFlowPath(source, sink) and
|
||||
sink.getNode().asExpr() = va and
|
||||
missingGuard(va, effect)
|
||||
select sink.getNode(), source, sink,
|
||||
"$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".",
|
||||
getExpr(source.getNode()), "Uncontrolled value"
|
||||
taintedWithPath(origin, va, sourceNode, sinkNode) and
|
||||
missingGuard(va, effect) and
|
||||
not guardedByAssignDiv(origin)
|
||||
select va, sourceNode, sinkNode,
|
||||
"$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".", origin,
|
||||
"Uncontrolled value"
|
||||
|
||||
@@ -6,7 +6,6 @@
|
||||
* @kind problem
|
||||
* @id cpp/arithmetic-with-extreme-values
|
||||
* @problem.severity warning
|
||||
* @security-severity 8.6
|
||||
* @precision low
|
||||
* @tags security
|
||||
* reliability
|
||||
|
||||
@@ -1,55 +0,0 @@
|
||||
/**
|
||||
* This file provides the `bounded` predicate that is used in both `cpp/uncontrolled-arithmetic`
|
||||
* and `cpp/tainted-arithmetic`.
|
||||
*/
|
||||
|
||||
private import cpp
|
||||
private import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
|
||||
private import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
|
||||
|
||||
/**
|
||||
* An operand `e` of a bitwise and expression `andExpr` (i.e., `andExpr` is either an `BitwiseAndExpr`
|
||||
* or an `AssignAndExpr`) with operands `operand1` and `operand2` is the operand that is not `e` is upper
|
||||
* bounded by some number that is less than the maximum integer allowed by the result type of `andExpr`.
|
||||
*/
|
||||
pragma[inline]
|
||||
private predicate boundedBitwiseAnd(Expr e, Expr andExpr, Expr operand1, Expr operand2) {
|
||||
operand1 != operand2 and
|
||||
e = operand1 and
|
||||
upperBound(operand2.getFullyConverted()) < exprMaxVal(andExpr.getFullyConverted())
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `e` is an arithmetic expression that cannot overflow, or if `e` is an operand of an
|
||||
* operation that may greatly reduce the range of possible values.
|
||||
*/
|
||||
predicate bounded(Expr e) {
|
||||
(
|
||||
e instanceof UnaryArithmeticOperation or
|
||||
e instanceof BinaryArithmeticOperation or
|
||||
e instanceof AssignArithmeticOperation
|
||||
) and
|
||||
not convertedExprMightOverflow(e)
|
||||
or
|
||||
// Optimitically assume that a remainder expression always yields a much smaller value.
|
||||
e = any(RemExpr rem).getLeftOperand()
|
||||
or
|
||||
e = any(AssignRemExpr rem).getLValue()
|
||||
or
|
||||
exists(BitwiseAndExpr andExpr |
|
||||
boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
|
||||
)
|
||||
or
|
||||
exists(AssignAndExpr andExpr |
|
||||
boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
|
||||
)
|
||||
or
|
||||
// Optimitically assume that a division always yields a much smaller value.
|
||||
e = any(DivExpr div).getLeftOperand()
|
||||
or
|
||||
e = any(AssignDivExpr div).getLValue()
|
||||
or
|
||||
e = any(RShiftExpr shift).getLeftOperand()
|
||||
or
|
||||
e = any(AssignRShiftExpr div).getLValue()
|
||||
}
|
||||
@@ -5,7 +5,6 @@
|
||||
* @id cpp/comparison-with-wider-type
|
||||
* @kind problem
|
||||
* @problem.severity warning
|
||||
* @security-severity 7.8
|
||||
* @precision high
|
||||
* @tags reliability
|
||||
* security
|
||||
|
||||
@@ -5,7 +5,6 @@
|
||||
* @kind problem
|
||||
* @id cpp/integer-overflow-tainted
|
||||
* @problem.severity warning
|
||||
* @security-severity 8.1
|
||||
* @precision low
|
||||
* @tags security
|
||||
* external/cwe/cwe-190
|
||||
|
||||
@@ -4,17 +4,14 @@
|
||||
* user can result in integer overflow.
|
||||
* @kind path-problem
|
||||
* @problem.severity error
|
||||
* @security-severity 8.1
|
||||
* @precision medium
|
||||
* @id cpp/uncontrolled-allocation-size
|
||||
* @tags reliability
|
||||
* security
|
||||
* external/cwe/cwe-190
|
||||
* external/cwe/cwe-789
|
||||
*/
|
||||
|
||||
import cpp
|
||||
import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
|
||||
import semmle.code.cpp.security.TaintTracking
|
||||
import TaintedWithPath
|
||||
|
||||
@@ -30,27 +27,6 @@ predicate allocSink(Expr alloc, Expr tainted) {
|
||||
|
||||
class TaintedAllocationSizeConfiguration extends TaintTrackingConfiguration {
|
||||
override predicate isSink(Element tainted) { allocSink(_, tainted) }
|
||||
|
||||
override predicate isBarrier(Expr e) {
|
||||
super.isBarrier(e)
|
||||
or
|
||||
// There can be two separate reasons for `convertedExprMightOverflow` not holding:
|
||||
// 1. `e` really cannot overflow.
|
||||
// 2. `e` isn't analyzable.
|
||||
// If we didn't rule out case 2 we would place barriers on anything that isn't analyzable.
|
||||
(
|
||||
e instanceof UnaryArithmeticOperation or
|
||||
e instanceof BinaryArithmeticOperation or
|
||||
e instanceof AssignArithmeticOperation
|
||||
) and
|
||||
not convertedExprMightOverflow(e)
|
||||
or
|
||||
// Subtracting two pointers is either well-defined (and the result will likely be small), or
|
||||
// terribly undefined and dangerous. Here, we assume that the programmer has ensured that the
|
||||
// result is well-defined (i.e., the two pointers point to the same object), and thus the result
|
||||
// will likely be small.
|
||||
e = any(PointerDiffExpr diff).getAnOperand()
|
||||
}
|
||||
}
|
||||
|
||||
predicate taintedAllocSize(
|
||||
|
||||
@@ -4,7 +4,6 @@
|
||||
* @kind problem
|
||||
* @id cpp/unsigned-difference-expression-compared-zero
|
||||
* @problem.severity warning
|
||||
* @security-severity 9.8
|
||||
* @precision medium
|
||||
* @tags security
|
||||
* correctness
|
||||
|
||||
@@ -4,7 +4,6 @@
|
||||
* @kind problem
|
||||
* @id cpp/hresult-boolean-conversion
|
||||
* @problem.severity error
|
||||
* @security-severity 7.5
|
||||
* @precision high
|
||||
* @tags security
|
||||
* external/cwe/cwe-253
|
||||
|
||||
@@ -5,7 +5,6 @@
|
||||
* vulnerable to spoofing attacks.
|
||||
* @kind path-problem
|
||||
* @problem.severity warning
|
||||
* @security-severity 8.1
|
||||
* @precision medium
|
||||
* @id cpp/user-controlled-bypass
|
||||
* @tags security
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user