Compare commits

..

18 Commits

Author SHA1 Message Date
Sotiris Dragonas
48b841c309 adjust model for realtime 2026-07-07 10:45:09 +02:00
Sotiris Dragonas
8d3071d298 Add the missing alerts 2026-07-06 16:53:45 +02:00
Sotiris Dragonas
f0b64142e6 Merge branch 'main' into bazookamusic/python-prompt-injection 2026-07-03 15:54:02 +02:00
Sotiris Dragonas
15df1f3d02 Simpler change note 2026-07-02 16:14:16 +02:00
Sotiris Dragonas
3948f3f4aa Note tool-description coverage in prompt-injection change note
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-07-02 16:13:03 +02:00
Sotiris Dragonas
2bee6b845c Merge branch 'bazookamusic/python-prompt-injection' of https://github.com/github/codeql into bazookamusic/python-prompt-injection 2026-07-02 16:12:33 +02:00
Sotiris Dragonas
49e0d6d791 Delete summary 2026-07-02 16:00:15 +02:00
Sotiris Dragonas
2eb2d623a6 Add proper coverage of tools 2026-07-02 15:59:39 +02:00
Sotiris Dragonas
27d2a2b16e Fix google genai models 2026-07-02 15:42:18 +02:00
Sotiris Dragonas
4c965e72e5 Merge branch 'main' into bazookamusic/python-prompt-injection 2026-07-02 15:04:51 +03:00
Sotiris Dragonas
56614cb240 Python: remove redundant DataFlow import in SystemPromptInjectionCustomizations
DataFlow is provided transitively; the explicit import is unused.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-29 10:42:21 +03:00
Sotiris Dragonas
a06f22aeaa Python: apply codeql query format to prompt-injection framework files
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-29 10:40:04 +03:00
Sotiris Dragonas
0abd325944 Python: stabilize XsltInjection test MaD index via PrettyPrintModels
Use the PrettyPrintModels postprocess so the test reports a stable
per-test model index instead of a brittle global MaD number that drifts
when models are added elsewhere.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-29 10:37:58 +03:00
Sotiris Dragonas
4fbb02d4e1 Merge branch 'main' into bazookamusic/python-prompt-injection 2026-06-29 10:30:22 +03:00
Sotiris Dragonas
018ba92b1e Add additional Python prompt-injection sinks for uncovered SDK methods
Cover prompt-carrying public API methods that were missing from the
framework models:

- OpenAI: videos.create/create_and_poll/edit/remix/extend (Sora, user),
  beta.realtime.sessions.create instructions (system), and role-filtered
  beta.threads.messages.create content (Assistants API).
- Anthropic: legacy completions.create prompt (user).
- agents: Agent.as_tool tool_description (system).
- Google GenAI: caches.create CreateCachedContentConfig system_instruction
  (system) and contents (user).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-18 17:02:14 +03:00
Sotiris Dragonas
8e5f214041 Fix OpenRouter Python API and expand model coverage
Verified all prompt-injection framework models against the real Python
SDK sources:

- OpenRouter: the official openrouter SDK uses client.chat.send(messages=)
  (not chat.completions.create), client.embeddings.generate(input=) (not
  embeddings.create), and client.responses.send(input=, instructions=).
  Corrected the framework qll and model, and fixed the test files that
  used the wrong API.
- Anthropic: added the managed-agents system prompt sink
  (beta.agents.create/update Argument[system:]).
- Google GenAI: added models.edit_image Argument[prompt:] as user content.

OpenAI, agents and LangChain models were confirmed correct against their
SDK sources.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-18 16:53:37 +03:00
Sotiris Dragonas
72bc52b2fd Python: promote prompt injection queries from experimental to production
Mirror the JavaScript layout from PR #21953:
- Move SystemPromptInjection.ql / UserPromptInjection.ql to src/Security/CWE-1427
- Move customizations, query and framework libs to python/ql/lib
- Move the AIPrompt concept to the production Concepts.qll
- Drop the experimental tag; py/system-prompt-injection (high precision) now
  joins the code-scanning, security-extended and security-and-quality suites,
  while py/user-prompt-injection (low precision) stays out of the default suites
- Move query tests to python/ql/test/query-tests/Security

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-18 16:30:29 +03:00
Sotiris Dragonas
db493ef30a Python: port prompt injection queries (system + user) from JS PR #21953
Replace the experimental py/prompt-injection query with two queries mirroring
the JavaScript split:
- py/system-prompt-injection (system prompt / tool description / developer prompt)
- py/user-prompt-injection (user-role prompt)

Supports OpenAI (+Agents), Anthropic, Google GenAI, LangChain and OpenRouter
via MaD models plus role-filtered framework sinks that MaD cannot express.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-18 13:52:51 +03:00
1327 changed files with 7949 additions and 8001 deletions

View File

@@ -1,2 +1 @@
query: jsf/4.13 Functions/AV Rule 107.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
jsf/4.13 Functions/AV Rule 107.ql

View File

@@ -1,2 +1 @@
query: Best Practices/Hiding/LocalVariableHidesGlobalVariable.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
Best Practices/Hiding/LocalVariableHidesGlobalVariable.ql

View File

@@ -48,7 +48,7 @@ void test1()
void test2()
{
Lock<Mutex> myLock(); // $ Alert[cpp/function-in-block] // BAD (interpreted as a function declaration, this does nothing)
Lock<Mutex> myLock(); // BAD (interpreted as a function declaration, this does nothing)
// ...
}
@@ -62,14 +62,14 @@ void test3()
void test4()
{
Lock<Mutex>(myMutex); // $ Alert[cpp/local-variable-hides-global-variable] // BAD (creates an uninitialized variable called `myMutex`, probably not intended)
Lock<Mutex>(myMutex); // BAD (creates an uninitialized variable called `myMutex`, probably not intended)
// ...
}
void test5()
{
Lock<Mutex> myLock(Mutex); // $ Alert[cpp/function-in-block] // BAD (interpreted as a function declaration, this does nothing)
Lock<Mutex> myLock(Mutex); // BAD (interpreted as a function declaration, this does nothing)
// ...
}
@@ -86,7 +86,7 @@ public:
void test7()
{
Lock<Mutex>(memberMutex); // $ MISSING: Alert // BAD (creates an uninitialized variable called `memberMutex`, probably not intended) [NOT DETECTED]
Lock<Mutex>(memberMutex); // BAD (creates an uninitialized variable called `memberMutex`, probably not intended) [NOT DETECTED]
// ...
}

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser.ql

View File

@@ -19,7 +19,7 @@ void test1(int p)
{
sys_somesystemcall(&p);
unsafe_put_user(123, &p); // $ MISSING: Alert // BAD [NOT DETECTED]
unsafe_put_user(123, &p); // BAD [NOT DETECTED]
}
void test2(int p)
@@ -40,7 +40,7 @@ void test3()
sys_somesystemcall(&v);
unsafe_put_user(123, &v); // $ MISSING: Alert // BAD [NOT DETECTED]
unsafe_put_user(123, &v); // BAD [NOT DETECTED]
}
void test4()
@@ -68,7 +68,7 @@ void test5()
sys_somesystemcall(&myData);
unsafe_put_user(123, &(myData.x)); // $ MISSING: Alert // BAD [NOT DETECTED]
unsafe_put_user(123, &(myData.x)); // BAD [NOT DETECTED]
}
void test6()

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-020/LateCheckOfFunctionArgument.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-020/LateCheckOfFunctionArgument.ql

View File

@@ -3,6 +3,6 @@ void workFunction_0(char *s) {
char buf[80], buf1[8];
if(len<0) return;
memset(buf,0,len); //GOOD
memset(buf1,0,len1); // $ Alert //BAD
memset(buf1,0,len1); //BAD
if(len1<0) return;
}

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-078/WordexpTainted.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-078/WordexpTainted.ql

View File

@@ -19,14 +19,14 @@ enum {
int wordexp(const char *restrict s, wordexp_t *restrict p, int flags);
int main(int argc, char** argv) { // $ Source
int main(int argc, char** argv) {
char *filePath = argv[2];
{
// BAD: the user string is injected directly into `wordexp` which performs command substitution
wordexp_t we;
wordexp(filePath, &we, 0); // $ Alert
wordexp(filePath, &we, 0);
}
{

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-1041/FindWrapperFunctions.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-1041/FindWrapperFunctions.ql

View File

@@ -20,7 +20,7 @@ void myFclose(FILE * fmy)
int main(int argc, char *argv[])
{
fe = fopen("myFile.txt", "wt");
fclose(fe); // $ Alert // BAD
fclose(fe); // BAD
fe = fopen("myFile.txt", "wt");
myFclose(fe); // GOOD
return 0;

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql

View File

@@ -11,7 +11,7 @@ void workFunction_0(char *s) {
while(intIndex > 2)
{
buf[intIndex] = 1;
int intIndex; // $ Alert // BAD
int intIndex; // BAD
intIndex--;
}
intIndex = 10;

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-1240/CustomCryptographicPrimitive.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-1240/CustomCryptographicPrimitive.ql

View File

@@ -8,7 +8,7 @@ int strlen(const char *string);
// the following function is homebrew crypto written for this test. This is a bad algorithm
// on multiple levels and should never be used in cryptography.
void encryptString(char *string, unsigned int key) { // $ Alert
void encryptString(char *string, unsigned int key) {
char *ptr = string;
int len = strlen(string);
@@ -27,7 +27,7 @@ void encryptString(char *string, unsigned int key) { // $ Alert
// the following function is homebrew crypto written for this test. This is a bad algorithm
// on multiple levels and should never be used in cryptography.
void MyEncrypt(const unsigned int *dataIn, unsigned int *dataOut, unsigned int dataSize, unsigned int key[2]) { // $ Alert
void MyEncrypt(const unsigned int *dataIn, unsigned int *dataOut, unsigned int dataSize, unsigned int key[2]) {
unsigned int state[2];
unsigned int t;
@@ -48,7 +48,7 @@ void MyEncrypt(const unsigned int *dataIn, unsigned int *dataOut, unsigned int d
// the following function resembles an implementation of the AES "mix columns"
// step. It is not accurate, efficient or safe and should never be used in
// cryptography.
void mix_columns(const uint8_t inputs[4], uint8_t outputs[4]) { // $ Alert
void mix_columns(const uint8_t inputs[4], uint8_t outputs[4]) {
// The "mix columns" step takes four bytes as inputs. Each byte represents a
// polynomial with 8 one-bit coefficients, e.g. input bits 00001101
// represent the polynomial x^3 + x^2 + 1. Arithmetic is reduced modulo
@@ -80,7 +80,7 @@ void mix_columns(const uint8_t inputs[4], uint8_t outputs[4]) { // $ Alert
// the following function resembles initialization of an S-box as may be done
// in an implementation of DES, AES and other encryption algorithms. It is not
// accurate, efficient or safe and should never be used in cryptography.
void init_aes_sbox(unsigned char data[256]) { // $ Alert
void init_aes_sbox(unsigned char data[256]) {
// initialize `data` in a loop using lots of ^, ^= and << operations and
// a few fixed constants.
unsigned int state = 0x12345678;

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-125/DangerousWorksWithMultibyteOrWideCharacters.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-125/DangerousWorksWithMultibyteOrWideCharacters.ql

View File

@@ -63,7 +63,7 @@ static void badTest1(const char* ptr)
int ret;
int len;
len = strlen(ptr);
for (wchar_t wc; (ret = mbtowc(&wc, ptr, 4)) > 0; len-=ret) { // $ Alert // BAD:we can get unpredictable results
for (wchar_t wc; (ret = mbtowc(&wc, ptr, 4)) > 0; len-=ret) { // BAD:we can get unpredictable results
wprintf(L"%lc", wc);
ptr += ret;
}
@@ -73,7 +73,7 @@ static void badTest2(const char* ptr)
int ret;
int len;
len = strlen(ptr);
for (wchar_t wc; (ret = mbtowc(&wc, ptr, sizeof(wchar_t))) > 0; len-=ret) { // $ Alert // BAD:we can get unpredictable results
for (wchar_t wc; (ret = mbtowc(&wc, ptr, sizeof(wchar_t))) > 0; len-=ret) { // BAD:we can get unpredictable results
wprintf(L"%lc", wc);
ptr += ret;
}
@@ -103,7 +103,7 @@ static void badTest3(const char* ptr,int wc_len)
len = wc_len;
wchar_t *wc = new wchar_t[wc_len];
while (*ptr && len > 0) {
ret = mbtowc(wc, ptr, MB_CUR_MAX); // $ Alert // BAD
ret = mbtowc(wc, ptr, MB_CUR_MAX); // BAD
if (ret <0)
break;
if (ret == 0 || ret > len)
@@ -120,7 +120,7 @@ static void badTest4(const char* ptr,int wc_len)
len = wc_len;
wchar_t *wc = new wchar_t[wc_len];
while (*ptr && len > 0) {
ret = mbtowc(wc, ptr, 16); // $ Alert // BAD
ret = mbtowc(wc, ptr, 16); // BAD
if (ret <0)
break;
if (ret == 0 || ret > len)
@@ -137,7 +137,7 @@ static void badTest5(const char* ptr,int wc_len)
len = wc_len;
wchar_t *wc = new wchar_t[wc_len];
while (*ptr && len > 0) {
ret = mbtowc(wc, ptr, sizeof(wchar_t)); // $ Alert // BAD
ret = mbtowc(wc, ptr, sizeof(wchar_t)); // BAD
if (ret <0)
break;
if (ret == 0 || ret > len)
@@ -155,7 +155,7 @@ static void badTest6(const char* ptr,int wc_len)
len = wc_len;
wchar_t *wc = new wchar_t[wc_len];
while (*ptr && wc_len > 0) {
ret = mbtowc(wc, ptr, wc_len); // $ Alert // BAD
ret = mbtowc(wc, ptr, wc_len); // BAD
if (ret <0)
if (checkErrors()) {
++ptr;
@@ -178,7 +178,7 @@ static void badTest7(const char* ptr,int wc_len)
len = wc_len;
wchar_t *wc = new wchar_t[wc_len];
while (*ptr && wc_len > 0) {
ret = mbtowc(wc, ptr, len); // $ Alert // BAD
ret = mbtowc(wc, ptr, len); // BAD
if (ret <0)
break;
if (ret == 0 || ret > len)
@@ -194,7 +194,7 @@ static void badTest8(const char* ptr,wchar_t *wc)
int len;
len = strlen(ptr);
while (*ptr && len > 0) {
ret = mbtowc(wc, ptr, len); // $ Alert // BAD
ret = mbtowc(wc, ptr, len); // BAD
if (ret <0)
break;
if (ret == 0 || ret > len)

View File

@@ -25,8 +25,8 @@ void* calloc (size_t num, size_t size);
void* malloc (size_t size);
static void badTest1(void *src, int size) {
WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, (LPSTR)src, size, 0, 0); // $ Alert // BAD
MultiByteToWideChar(CP_ACP, 0, (LPCSTR)src, -1, (LPCWSTR)src, 30); // $ Alert // BAD
WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, (LPSTR)src, size, 0, 0); // BAD
MultiByteToWideChar(CP_ACP, 0, (LPCSTR)src, -1, (LPCWSTR)src, 30); // BAD
}
void goodTest2(){
wchar_t src[] = L"0123456789ABCDEF";
@@ -42,7 +42,7 @@ void goodTest2(){
static void badTest2(){
wchar_t src[] = L"0123456789ABCDEF";
char dst[16];
WideCharToMultiByte(CP_UTF8, 0, src, -1, dst, 16, NULL, NULL); // $ Alert // BAD
WideCharToMultiByte(CP_UTF8, 0, src, -1, dst, 16, NULL, NULL); // BAD
printf("%s\n", dst);
}
static void goodTest3(){
@@ -55,7 +55,7 @@ static void badTest3(){
char src[] = "0123456789ABCDEF";
int size = MultiByteToWideChar(CP_UTF8, 0, src,sizeof(src),NULL,0);
wchar_t * dst = (wchar_t*)calloc(size + 1, 1);
MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // $ Alert // BAD
MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // BAD
}
static void goodTest4(){
char src[] = "0123456789ABCDEF";
@@ -67,13 +67,13 @@ static void badTest4(){
char src[] = "0123456789ABCDEF";
int size = MultiByteToWideChar(CP_UTF8, 0, src,sizeof(src),NULL,0);
wchar_t * dst = (wchar_t*)malloc(size + 1);
MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // $ Alert // BAD
MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // BAD
}
static int goodTest5(void *src){
return WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, 0, 0, 0, 0); // GOOD
}
static int badTest5 (void *src) {
return WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, 0, 3, 0, 0); // $ Alert // BAD
return WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, 0, 3, 0, 0); // BAD
}
static void goodTest6(WCHAR *src)
{
@@ -90,6 +90,6 @@ static void goodTest6(WCHAR *src)
static void badTest6(WCHAR *src)
{
char dst[5] ="";
WideCharToMultiByte(CP_ACP, 0, src, -1, dst, 260, 0, 0); // $ Alert // BAD
WideCharToMultiByte(CP_ACP, 0, src, -1, dst, 260, 0, 0); // BAD
printf("%s\n", dst);
}

View File

@@ -12,11 +12,11 @@ size_t mbsrtowcs(wchar_t *wcstr,const char *mbstr,size_t count, mbstate_t *mbsta
static void badTest1(void *src, int size) {
mbstowcs((wchar_t*)src,(char*)src,size); // $ Alert // BAD
mbstowcs((wchar_t*)src,(char*)src,size); // BAD
_locale_t locale;
_mbstowcs_l((wchar_t*)src,(char*)src,size,locale); // $ Alert // BAD
_mbstowcs_l((wchar_t*)src,(char*)src,size,locale); // BAD
mbstate_t *mbstate;
mbsrtowcs((wchar_t*)src,(char*)src,size,mbstate); // $ Alert // BAD
mbsrtowcs((wchar_t*)src,(char*)src,size,mbstate); // BAD
}
static void goodTest2(){
char src[] = "0123456789ABCDEF";
@@ -32,7 +32,7 @@ static void goodTest2(){
static void badTest2(){
char src[] = "0123456789ABCDEF";
wchar_t dst[16];
mbstowcs(dst, src,16); // $ Alert // BAD
mbstowcs(dst, src,16); // BAD
printf("%s\n", dst);
}
static void goodTest3(){
@@ -45,7 +45,7 @@ static void badTest3(){
char src[] = "0123456789ABCDEF";
int size = mbstowcs(NULL, src,NULL);
wchar_t * dst = (wchar_t*)calloc(size + 1, 1);
mbstowcs(dst, src,size+1); // $ Alert // BAD
mbstowcs(dst, src,size+1); // BAD
}
static void goodTest4(){
char src[] = "0123456789ABCDEF";
@@ -57,13 +57,13 @@ static void badTest4(){
char src[] = "0123456789ABCDEF";
int size = mbstowcs(NULL, src,NULL);
wchar_t * dst = (wchar_t*)malloc(size + 1);
mbstowcs(dst, src,size+1); // $ Alert // BAD
mbstowcs(dst, src,size+1); // BAD
}
static int goodTest5(void *src){
return mbstowcs(NULL, (char*)src,NULL); // GOOD
}
static int badTest5 (void *src) {
return mbstowcs(NULL, (char*)src,3); // $ Alert // BAD
return mbstowcs(NULL, (char*)src,3); // BAD
}
static void goodTest6(void *src){
wchar_t dst[5];
@@ -77,6 +77,6 @@ static void goodTest6(void *src){
}
static void badTest6(void *src){
wchar_t dst[5];
mbstowcs(dst, (char*)src,260); // $ Alert // BAD
mbstowcs(dst, (char*)src,260); // BAD
printf("%s\n", dst);
}

View File

@@ -13,7 +13,7 @@ static size_t badTest1(unsigned char *src){
int cb = 0;
unsigned char dst[50];
while( cb < sizeof(dst) )
dst[cb++]=*src++; // $ Alert // BAD
dst[cb++]=*src++; // BAD
return _mbclen(dst);
}
static void goodTest2(unsigned char *src){
@@ -33,7 +33,7 @@ static void badTest2(unsigned char *src){
unsigned char dst[50];
while( cb < sizeof(dst) )
{
_mbccpy(dst+cb,src); // $ Alert // BAD
_mbccpy(dst+cb,src); // BAD
cb+=_mbclen(src);
src=_mbsinc(src);
}
@@ -44,5 +44,5 @@ static void goodTest3(){
}
static void badTest3(){
wchar_t name[50];
name[sizeof(name) - 1] = L'\0'; // $ Alert // BAD
name[sizeof(name) - 1] = L'\0'; // BAD
}

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql

View File

@@ -10,31 +10,31 @@ void test()
int y = getAnInt();
char *buffer1 = (char *)malloc(x + y); // GOOD
char *buffer2 = (char *)malloc(x * y); // $ Alert // BAD
char *buffer2 = (char *)malloc(x * y); // BAD
int *buffer3 = (int *)malloc(x * sizeof(int)); // GOOD
int *buffer4 = (int *)malloc(x * y * sizeof(int)); // $ Alert // BAD
int *buffer4 = (int *)malloc(x * y * sizeof(int)); // BAD
if ((x <= 1000) && (y <= 1000))
{
char *buffer5 = (char *)malloc(x * y); // $ SPURIOUS: Alert // GOOD [FALSE POSITIVE]
char *buffer5 = (char *)malloc(x * y); // GOOD [FALSE POSITIVE]
}
size_t size1 = x * y; // $ Source
char *buffer5 = (char *)malloc(size1); // $ Alert // BAD
size_t size1 = x * y;
char *buffer5 = (char *)malloc(size1); // BAD
size_t size2 = x;
size2 *= y;
char *buffer6 = (char *)malloc(size2); // $ MISSING: Alert // BAD [NOT DETECTED]
char *buffer6 = (char *)malloc(size2); // BAD [NOT DETECTED]
char *buffer7 = new char[x * 10]; // GOOD
char *buffer8 = new char[x * y]; // $ Alert // BAD
char *buffer9 = new char[x * x]; // $ Alert // BAD
char *buffer8 = new char[x * y]; // BAD
char *buffer9 = new char[x * x]; // BAD
}
// --- custom allocators ---
void *MyMalloc1(size_t size) { return malloc(size); } // $ Alert // [additional detection here]
void *MyMalloc1(size_t size) { return malloc(size); } // [additional detection here]
void *MyMalloc2(size_t size);
void customAllocatorTests()
@@ -42,6 +42,6 @@ void customAllocatorTests()
int x = getAnInt();
int y = getAnInt();
char *buffer1 = (char *)MyMalloc1(x * y); // $ Alert Source // BAD
char *buffer2 = (char *)MyMalloc2(x * y); // $ Alert // BAD
char *buffer1 = (char *)MyMalloc1(x * y); // BAD
char *buffer2 = (char *)MyMalloc2(x * y); // BAD
}

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation.ql

View File

@@ -6,17 +6,17 @@ void functionWork(char aA[10],unsigned int aUI) {
int aI;
aI = (aUI*8)/10; // GOOD
aI = aUI*8; // $ Alert // BAD
aI = aUI*8; // BAD
aP = aA+aI;
aI = (int)aUI*8; // GOOD
aL = (unsigned long)(aI*aI); // $ Alert // BAD
aL = (unsigned long)(aI*aI); // BAD
aL = ((unsigned long)aI*aI); // GOOD
testCall((unsigned long)(aI*aI)); // $ Alert // BAD
testCall((unsigned long)(aI*aI)); // BAD
testCall(((unsigned long)aI*aI)); // GOOD
if((unsigned long)(aI*aI) > aL) // $ Alert // BAD
if((unsigned long)(aI*aI) > aL) // BAD
return;
if(((unsigned long)aI*aI) > aL) // GOOD
return;

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.ql

View File

@@ -15,49 +15,49 @@ void test()
unsigned short b1 = getAnUnsignedShort();
unsigned short c1 = getAnUnsignedShort();
if (a+b>c) a = c-b; // $ Alert // BAD
if (a+b>c) { a = c-b; } // $ Alert // BAD
if (b+a>c) a = c-b; // $ Alert // BAD
if (b+a>c) { a = c-b; } // $ Alert // BAD
if (c>a+b) a = c-b; // $ Alert // BAD
if (c>a+b) { a = c-b; } // $ Alert // BAD
if (c>b+a) a = c-b; // $ Alert // BAD
if (c>b+a) { a = c-b; } // $ Alert // BAD
if (a+b>c) a = c-b; // BAD
if (a+b>c) { a = c-b; } // BAD
if (b+a>c) a = c-b; // BAD
if (b+a>c) { a = c-b; } // BAD
if (c>a+b) a = c-b; // BAD
if (c>a+b) { a = c-b; } // BAD
if (c>b+a) a = c-b; // BAD
if (c>b+a) { a = c-b; } // BAD
if (a+b>=c) a = c-b; // $ Alert // BAD
if (a+b>=c) { a = c-b; } // $ Alert // BAD
if (b+a>=c) a = c-b; // $ Alert // BAD
if (b+a>=c) { a = c-b; } // $ Alert // BAD
if (c>=a+b) a = c-b; // $ Alert // BAD
if (c>=a+b) { a = c-b; } // $ Alert // BAD
if (c>=b+a) a = c-b; // $ Alert // BAD
if (c>=b+a) { a = c-b; } // $ Alert // BAD
if (a+b>=c) a = c-b; // BAD
if (a+b>=c) { a = c-b; } // BAD
if (b+a>=c) a = c-b; // BAD
if (b+a>=c) { a = c-b; } // BAD
if (c>=a+b) a = c-b; // BAD
if (c>=a+b) { a = c-b; } // BAD
if (c>=b+a) a = c-b; // BAD
if (c>=b+a) { a = c-b; } // BAD
if (a+b<c) a = c-b; // $ Alert // BAD
if (a+b<c) { a = c-b; } // $ Alert // BAD
if (b+a<c) a = c-b; // $ Alert // BAD
if (b+a<c) { a = c-b; } // $ Alert // BAD
if (c<a+b) a = c-b; // $ Alert // BAD
if (c<a+b) { a = c-b; } // $ Alert // BAD
if (c<b+a) a = c-b; // $ Alert // BAD
if (c<b+a) { a = c-b; } // $ Alert // BAD
if (a+b<c) a = c-b; // BAD
if (a+b<c) { a = c-b; } // BAD
if (b+a<c) a = c-b; // BAD
if (b+a<c) { a = c-b; } // BAD
if (c<a+b) a = c-b; // BAD
if (c<a+b) { a = c-b; } // BAD
if (c<b+a) a = c-b; // BAD
if (c<b+a) { a = c-b; } // BAD
if (a+b<=c) a = c-b; // $ Alert // BAD
if (a+b<=c) { a = c-b; } // $ Alert // BAD
if (b+a<=c) a = c-b; // $ Alert // BAD
if (b+a<=c) { a = c-b; } // $ Alert // BAD
if (c<=a+b) a = c-b; // $ Alert // BAD
if (c<=a+b) { a = c-b; } // $ Alert // BAD
if (c<=b+a) a = c-b; // $ Alert // BAD
if (c<=b+a) { a = c-b; } // $ Alert // BAD
if (a+b<=c) a = c-b; // BAD
if (a+b<=c) { a = c-b; } // BAD
if (b+a<=c) a = c-b; // BAD
if (b+a<=c) { a = c-b; } // BAD
if (c<=a+b) a = c-b; // BAD
if (c<=a+b) { a = c-b; } // BAD
if (c<=b+a) a = c-b; // BAD
if (c<=b+a) { a = c-b; } // BAD
if (a+b>d) a = d-b; // $ Alert // BAD
if (a+b>d) a = d-b; // BAD
if (a+(double)b>c) a = c-b; // GOOD
if (a+(-x)>c) a = c-(-y); // GOOD
if (a+b>c) { b++; a = c-b; } // GOOD
if (a+d>c) a = c-d; // GOOD
if (a1+b1>c1) a1 = c1-b1; // GOOD
if (a+b<=c) { /* ... */ } else { a = c-b; } // $ Alert // BAD
if (a+b<=c) { return; } a = c-b; // $ Alert // BAD
if (a+b<=c) { /* ... */ } else { a = c-b; } // BAD
if (a+b<=c) { return; } a = c-b; // BAD
}

View File

@@ -1,2 +1 @@
query: experimental/Likely Bugs/ArrayAccessProductFlow.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Likely Bugs/ArrayAccessProductFlow.ql

View File

@@ -1,13 +1,13 @@
char *malloc(int size);
void test1(int size) {
char *arr = malloc(size); // $ Source
char *arr = malloc(size);
for (int i = 0; i < size; i++) {
arr[i] = 0; // GOOD
}
for (int i = 0; i <= size; i++) {
arr[i] = i; // $ Alert // BAD
arr[i] = i; // BAD
}
}
@@ -18,7 +18,7 @@ typedef struct {
array_t mk_array(int size) {
array_t arr;
arr.p = malloc(size); // $ Source
arr.p = malloc(size);
arr.size = size;
return arr;
@@ -32,7 +32,7 @@ void test2(int size) {
}
for (int i = 0; i <= arr.size; i++) {
arr.p[i] = i; // $ Alert // BAD
arr.p[i] = i; // BAD
}
}
@@ -42,7 +42,7 @@ void test3_callee(array_t arr) {
}
for (int i = 0; i <= arr.size; i++) {
arr.p[i] = i; // $ Alert // BAD
arr.p[i] = i; // BAD
}
}
@@ -52,7 +52,7 @@ void test3(int size) {
void test4(int size) {
array_t arr;
arr.p = malloc(size); // $ Source
arr.p = malloc(size);
arr.size = size;
for (int i = 0; i < arr.size; i++) {
@@ -60,13 +60,13 @@ void test4(int size) {
}
for (int i = 0; i <= arr.size; i++) {
arr.p[i] = i; // $ Alert // BAD
arr.p[i] = i; // BAD
}
}
array_t *mk_array_p(int size) {
array_t *arr = (array_t*) malloc(sizeof(array_t));
arr->p = malloc(size); // $ Source
arr->p = malloc(size);
arr->size = size;
return arr;
@@ -80,7 +80,7 @@ void test5(int size) {
}
for (int i = 0; i <= arr->size; i++) {
arr->p[i] = i; // $ Alert // BAD
arr->p[i] = i; // BAD
}
}
@@ -90,7 +90,7 @@ void test6_callee(array_t *arr) {
}
for (int i = 0; i <= arr->size; i++) {
arr->p[i] = i; // $ Alert // BAD
arr->p[i] = i; // BAD
}
}
@@ -105,6 +105,6 @@ void test7(int size) {
}
for (char *p = arr; p <= arr + size; p++) {
*p = 0; // $ MISSING: Alert // BAD [NOT DETECTED]
*p = 0; // BAD [NOT DETECTED]
}
}

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql

View File

@@ -32,60 +32,60 @@ void testOneArray(OneArray *arr) {
void testBig(BigArray *arr) {
arr->buf[MAX_SIZE-1] = 0; // GOOD
arr->buf[MAX_SIZE] = 0; // $ Alert // BAD
arr->buf[MAX_SIZE+1] = 0; // $ Alert // BAD
arr->buf[MAX_SIZE] = 0; // BAD
arr->buf[MAX_SIZE+1] = 0; // BAD
for(int i = 0; i < MAX_SIZE; i++) {
arr->buf[i] = 0; // GOOD
}
for(int i = 0; i <= MAX_SIZE; i++) {
arr->buf[i] = 0; // $ Alert // BAD
arr->buf[i] = 0; // BAD
}
}
void testFields(ArrayAndFields *arr) {
arr->buf[MAX_SIZE-1] = 0; // GOOD
arr->buf[MAX_SIZE] = 0; // $ Alert // BAD?
arr->buf[MAX_SIZE+1] = 0; // $ Alert // BAD?
arr->buf[MAX_SIZE] = 0; // BAD?
arr->buf[MAX_SIZE+1] = 0; // BAD?
for(int i = 0; i < MAX_SIZE; i++) {
arr->buf[i] = 0; // GOOD
}
for(int i = 0; i <= MAX_SIZE; i++) {
arr->buf[i] = 0; // $ Alert // BAD?
arr->buf[i] = 0; // BAD?
}
for(int i = 0; i < MAX_SIZE+2; i++) {
arr->buf[i] = 0; // $ Alert // BAD?
arr->buf[i] = 0; // BAD?
}
// is this different if it's a memcpy?
}
void assignThroughPointer(int *p) { // $ Sink
void assignThroughPointer(int *p) {
*p = 0; // ??? should the result go at a flow source?
}
void addToPointerAndAssign(int *p) {
p[MAX_SIZE-1] = 0; // GOOD
p[MAX_SIZE] = 0; // $ Alert // BAD
p[MAX_SIZE] = 0; // BAD
}
void testInterproc(BigArray *arr) {
assignThroughPointer(&arr->buf[MAX_SIZE-1]); // GOOD
assignThroughPointer(&arr->buf[MAX_SIZE]); // $ Alert // BAD
assignThroughPointer(&arr->buf[MAX_SIZE]); // BAD
addToPointerAndAssign(arr->buf); // $ Source
addToPointerAndAssign(arr->buf);
}
#define MAX_SIZE_BYTES 4096
void testCharIndex(BigArray *arr) {
char *charBuf = (char*) arr->buf; // $ Source
char *charBuf = (char*) arr->buf;
charBuf[MAX_SIZE_BYTES - 1] = 0; // GOOD
charBuf[MAX_SIZE_BYTES] = 0; // $ Alert // BAD
charBuf[MAX_SIZE_BYTES] = 0; // BAD
}
void testEqRefinement() {
@@ -125,7 +125,7 @@ void testStackAllocated() {
char *arr[MAX_SIZE];
for(int i = 0; i <= MAX_SIZE; i++) {
arr[i] = 0; // $ Alert // BAD
arr[i] = 0; // BAD
}
}
@@ -133,18 +133,18 @@ int strncmp(const char*, const char*, int);
char testStrncmp2(char *arr) {
if(strncmp(arr, "<test>", 6) == 0) {
arr += 6; // $ Alert
arr += 6;
}
return *arr; // $ SPURIOUS: Sink // GOOD [FALSE POSITIVE]
return *arr; // GOOD [FALSE POSITIVE]
}
void testStrncmp1() {
char asdf[5];
testStrncmp2(asdf); // $ Source
testStrncmp2(asdf);
}
void countdownBuf1(int **p) {
*--(*p) = 1; // $ SPURIOUS: Sink // GOOD [FALSE POSITIVE]
*--(*p) = 1; // GOOD [FALSE POSITIVE]
*--(*p) = 2; // GOOD
*--(*p) = 3; // GOOD
*--(*p) = 4; // GOOD
@@ -153,7 +153,7 @@ void countdownBuf1(int **p) {
void countdownBuf2() {
int buf[4];
int *x = buf + 4; // $ Alert
int *x = buf + 4;
countdownBuf1(&x);
}
@@ -182,7 +182,7 @@ int countdownLength1(int *p, int len) {
}
int callCountdownLength() {
int buf[6];
return countdownLength1(buf, 6);
@@ -192,7 +192,7 @@ int countdownLength2() {
int buf[6];
int len = 6;
int *p = buf;
if(len % 8) {
return -1;
}
@@ -215,10 +215,10 @@ int countdownLength2() {
void pointer_size_larger_than_array_element_size() {
unsigned char buffer[100]; // getByteSize() = 100
int *ptr = (int *)buffer; // $ Source // pai.getElementSize() will be sizeof(int) = 4 -> size = 25
int *ptr = (int *)buffer; // pai.getElementSize() will be sizeof(int) = 4 -> size = 25
ptr[24] = 0; // GOOD: writes bytes 96, 97, 98, 99
ptr[25] = 0; // $ Alert // BAD: writes bytes 100, 101, 102, 103
ptr[25] = 0; // BAD: writes bytes 100, 101, 102, 103
}
struct vec2 { int x, y; };
@@ -226,10 +226,10 @@ struct vec3 { int x, y, z; };
void pointer_size_smaller_than_array_element_size_but_does_not_divide_it() {
vec3 array[3]; // getByteSize() = 9 * sizeof(int)
vec2 *ptr = (vec2 *)array; // $ Source // pai.getElementSize() will be 2 * sizeof(int) -> size = 4
vec2 *ptr = (vec2 *)array; // pai.getElementSize() will be 2 * sizeof(int) -> size = 4
ptr[3] = vec2{}; // GOOD: writes ints 6, 7
ptr[4] = vec2{}; // $ Alert // BAD: writes ints 8, 9
ptr[4] = vec2{}; // BAD: writes ints 8, 9
}
void pointer_size_larger_than_array_element_size_and_does_not_divide_it() {
@@ -258,7 +258,7 @@ void call_use(unsigned char* p, int n) {
if(n == 3) {
unsigned char x = p[0];
unsigned char y = p[1];
unsigned char z = p[2]; // $ SPURIOUS: Alert // GOOD [FALSE POSITIVE]: `call_use(buffer2, 2)` won't reach this point.
unsigned char z = p[2]; // GOOD [FALSE POSITIVE]: `call_use(buffer2, 2)` won't reach this point.
use(x, y, z);
}
}
@@ -283,7 +283,7 @@ void test_call_use2() {
call_call_use(buffer1,1);
unsigned char buffer2[2];
call_call_use(buffer2,2); // $ Source
call_call_use(buffer2,2);
unsigned char buffer3[3];
call_call_use(buffer3,3);
@@ -296,7 +296,7 @@ int guardingCallee(int *arr, int size) {
int sum;
for (int i = 0; i < size; i++) {
sum += arr[i]; // $ SPURIOUS: Alert // GOOD [FALSE POSITIVE] - guarded by size
sum += arr[i]; // GOOD [FALSE POSITIVE] - guarded by size
}
return sum;
}
@@ -304,9 +304,9 @@ int guardingCallee(int *arr, int size) {
int guardingCaller() {
int arr1[MAX_SIZE];
guardingCallee(arr1, MAX_SIZE);
int arr2[10];
guardingCallee(arr2, 10); // $ Source
guardingCallee(arr2, 10);
}
// simplified md5 padding
@@ -319,10 +319,10 @@ void correlatedCondition(int num) {
end = temp + 56;
}
else if (num < 64) {
end = temp + 64; // $ SPURIOUS: Alert // GOOD [FALSE POSITVE]
end = temp + 64; // GOOD [FALSE POSITVE]
}
char *temp2 = temp + num;
while(temp2 != end) { // $ Sink
while(temp2 != end) {
*temp2 = 0;
temp2++;
}

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql

View File

@@ -9,7 +9,7 @@ int main(int argc, char *argv[])
{
//umask(0022);
FILE *fp;
fp = fopen("myFile.txt","w"); // $ Alert // BAD
fp = fopen("myFile.txt","w"); // BAD
//chmod("myFile.txt",0644);
fprintf(fp,"%s\n","data to file");
fclose(fp);

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql

View File

@@ -10,8 +10,8 @@ int main(int argc, char *argv[])
{
FILE *fp;
char buf[128];
fp = fopen("myFile.txt","r+"); // $ MISSING: Alert // BAD [NOT DETECTED]
fgets(buf,128,fp);
fp = fopen("myFile.txt","r+"); // BAD [NOT DETECTED]
fgets(buf,128,fp);
fprintf(fp,"%s\n","data to file");
fclose(fp);
return 0;

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-243/IncorrectChangingWorkingDirectory.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-243/IncorrectChangingWorkingDirectory.ql

View File

@@ -9,13 +9,13 @@ int chdir(char *path);
void exit(int status);
int funTest1(){
if (chroot("/myFold/myTmp") == -1) { // $ Alert // BAD
if (chroot("/myFold/myTmp") == -1) { // BAD
exit(-1);
}
return 0;
}
int funTest2(){
int funTest2(){
if (chdir("/myFold/myTmp") == -1) { // GOOD
exit(-1);
}
@@ -25,8 +25,8 @@ int funTest2(){
return 0;
}
int funTest3(){
chdir("/myFold/myTmp"); // $ Alert // BAD
int funTest3(){
chdir("/myFold/myTmp"); // BAD
return 0;
}
int main(int argc, char *argv[])

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql

View File

@@ -6,7 +6,7 @@ int fclose(FILE *stream);
void funcTest1()
{
umask(0666); // $ Alert // BAD
umask(0666); // BAD
FILE *fe;
fe = fopen("myFile.txt", "wt");
fclose(fe);
@@ -27,7 +27,7 @@ void funcTest2(int mode)
FILE *fe;
fe = fopen("myFile.txt", "wt");
fclose(fe);
chmod("myFile.txt",0555-mode); // $ Alert // BAD
chmod("myFile.txt",0555-mode); // BAD
}
void funcTest2g(int mode)

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-285/PamAuthorization.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-285/PamAuthorization.ql

View File

@@ -26,7 +26,7 @@ bool PamAuthBad(const std::string &username_in,
return false;
}
err = pam_authenticate(pamh, 0); // $ Alert
err = pam_authenticate(pamh, 0);
if (err != PAM_SUCCESS)
return err;

View File

@@ -7,7 +7,7 @@ namespace std{
CURLOPT_URL,
CURLOPT_SSL_VERIFYHOST,
CURLOPT_SSL_VERIFYPEER
};
};
CURL *curl_easy_init();
void curl_easy_cleanup(CURL *handle);
@@ -22,8 +22,8 @@ char host[] = "codeql.com";
void bad(void) {
std::unique_ptr<CURL> curl = std::unique_ptr<CURL>(curl_easy_init());
curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYPEER, 0); // $ Alert
curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYHOST, 0); // $ Alert
curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYPEER, 0);
curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYHOST, 0);
curl_easy_setopt(curl.get(), CURLOPT_URL, host);
curl_easy_perform(curl.get());
}
@@ -31,7 +31,7 @@ void bad(void) {
void good(void) {
std::unique_ptr<CURL> curl = std::unique_ptr<CURL>(curl_easy_init());
curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYPEER, 2);
curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYHOST, 2);
curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYHOST, 2);
curl_easy_setopt(curl.get(), CURLOPT_URL, host);
curl_easy_perform(curl.get());
}
@@ -40,3 +40,4 @@ int main(int c, char** argv){
bad();
good();
}

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-295/CurlSSL.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-295/CurlSSL.ql

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-359/PrivateCleartextWrite.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-359/PrivateCleartextWrite.ql

View File

@@ -54,7 +54,7 @@ void file()
FILE *file;
// BAD: write zipcode to file in cleartext
fputs(theZipcode, file); // $ Alert
fputs(theZipcode, file);
// GOOD: encrypt first
char *encrypted = encrypt(theZipcode);
@@ -71,15 +71,15 @@ int main(int argc, char **argv)
char *buff4;
// BAD: write medical to buffer in cleartext
sprintf(buff1, "%s", medical); // $ Alert Source
sprintf(buff1, "%s", medical);
// BAD: write medical to buffer in cleartext
char *temp = medical; // $ Source
sprintf(buff2, "%s", temp); // $ Alert
char *temp = medical;
sprintf(buff2, "%s", temp);
// BAD: write medical to buffer in cleartext
char *buff5 = func(medical); // $ Source
sprintf(buff3, "%s", buff5); // $ Alert
char *buff5 = func(medical);
sprintf(buff3, "%s", buff5);
char *buff6 = encrypt(medical);
// GOOD: encrypt first
@@ -93,10 +93,10 @@ void stream()
ofstream mystream;
// BAD: write zipcode to file in cleartext
mystream << "the zipcode is: " << theZipcode; // $ Alert Source
mystream << "the zipcode is: " << theZipcode;
// BAD: write zipcode to file in cleartext
(mystream << "the zipcode is: ").write(theZipcode, strlen(theZipcode)); // $ Alert
(mystream << "the zipcode is: ").write(theZipcode, strlen(theZipcode));
// GOOD: encrypt first
char *encrypted = encrypt(theZipcode);

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-369/DivideByZeroUsingReturnValue.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-369/DivideByZeroUsingReturnValue.ql

View File

@@ -44,13 +44,13 @@ int getSize2(int type) {
int badTestf1(int type, int met) {
int is = getSize(type);
if (met == 1) return 123 / is; // $ Alert // BAD
else return 123 / getSize2(type); // $ Alert // BAD
if (met == 1) return 123 / is; // BAD
else return 123 / getSize2(type); // BAD
}
int badTestf2(int type) {
int is;
is = getSize(type);
return 123 / is; // $ Alert // BAD
return 123 / is; // BAD
}
int badTestf3(int type, int met) {
@@ -58,31 +58,31 @@ int badTestf3(int type, int met) {
is = getSize(type);
switch (met) {
case 1:
if (is >= 0) return 123 / is; // $ MISSING: Alert // BAD [NOT DETECTED]
if (is >= 0) return 123 / is; // BAD [NOT DETECTED]
case 2:
if (0 == is) return 123 / is; // $ MISSING: Alert // BAD [NOT DETECTED]
if (0 == is) return 123 / is; // BAD [NOT DETECTED]
case 3:
if (!is & 123 / is) // $ Alert // BAD
if (!is & 123 / is) // BAD
return 123;
case 4:
if (!is | 123 / is) // $ Alert // BAD
if (!is | 123 / is) // BAD
return 123;
case 5:
if (123 / is || !is) // $ Alert // BAD
if (123 / is || !is) // BAD
return 123;
case 6:
if (123 / is && !is) // $ Alert // BAD
if (123 / is && !is) // BAD
return 123;
case 7:
if (!is) return 123 / is; // $ Alert // BAD
if (!is) return 123 / is; // BAD
case 8:
if (is > -1) return 123 / is; // $ Alert // BAD
if (is > -1) return 123 / is; // BAD
case 9:
if (is < 2) return 123 / is; // $ Alert // BAD
if (is < 2) return 123 / is; // BAD
}
if (is != 0) return -1;
if (is == 0) type += 1;
return 123 / is; // $ MISSING: Alert // BAD [NOT DETECTED]
return 123 / is; // BAD [NOT DETECTED]
}
int goodTestf3(int type, int met) {
@@ -92,7 +92,7 @@ int goodTestf3(int type, int met) {
case 1:
if (is < 0) return 123 / is; // GOOD
case 2:
if (!is && 123 / is) // GOOD
if (!is && 123 / is) // GOOD
return 123;
case 3:
if (!is || 123 / is) // GOOD
@@ -112,10 +112,10 @@ int goodTestf3a(int type, int met) {
if (is < 0)
return 123 / is; // GOOD
case 2:
if (!is && 123 / is) // GOOD
if (!is && 123 / is) // GOOD
return 123;
case 3:
if (!is || 123 / is) // GOOD
if (!is || 123 / is) // GOOD
return 123;
}
return 1;
@@ -125,20 +125,20 @@ int badTestf4(int type) {
int is = getSize(type);
int d;
d = type * is;
return 123 / d; // $ Alert // BAD
return 123 / d; // BAD
}
int badTestf5(int type) {
int is = getSize(type);
int d;
d = is / type;
return 123 / d; // $ Alert // BAD
return 123 / d; // BAD
}
int badTestf6(int type) {
int is = getSize(type);
int d;
d = is / type;
return type * 123 / d; // $ Alert // BAD
return type * 123 / d; // BAD
}
int badTestf7(int type, int met) {
@@ -150,7 +150,7 @@ int badTestf7(int type, int met) {
return 123 / is; // GOOD
}
quit:
return 123 / is; // $ Alert // BAD
return 123 / is; // BAD
}
int goodTestf7(int type, int met) {
@@ -169,8 +169,8 @@ int goodTestf7(int type, int met) {
int badTestf8(int type) {
int is = getSize(type);
type /= is; // $ Alert // BAD
type %= is; // $ Alert // BAD
type /= is; // BAD
type %= is; // BAD
return type;
}
@@ -184,7 +184,7 @@ float getSizeFloat(float type) {
}
float badTestf9(float type) {
float is = getSizeFloat(type);
return 123 / is; // $ Alert // BAD
return 123 / is; // BAD
}
float goodTestf9(float type) {
float is = getSizeFloat(type);
@@ -196,18 +196,18 @@ int badTestf10(int type) {
int out = type;
int is = getSize(type);
if (is > -2) {
out /= 123 / (is + 1); // $ Alert // BAD
out /= 123 / (is + 1); // BAD
}
if (is > 0) {
return 123 / (is - 1); // $ Alert // BAD
return 123 / (is - 1); // BAD
}
if (is <= 0) return 0;
return 123 / (is - 1); // $ Alert // BAD
return 123 / (is - 1); // BAD
return 0;
}
int badTestf11(int type) {
int is = getSize(type);
return 123 / (is - 3); // $ Alert // BAD
return 123 / (is - 3); // BAD
}
int goodTestf11(int type) {
@@ -223,7 +223,7 @@ int badTestf12(FILE * f) {
int a;
int ret = -1;
a = getc(f);
if (a == 0) ret = 123 / a; // $ MISSING: Alert // BAD [NOT DETECTED]
if (a == 0) ret = 123 / a; // BAD [NOT DETECTED]
return ret;
}
@@ -255,14 +255,14 @@ int badMySubDiv(int type, int is) {
void badTestf13(int type) {
int is = getSize(type);
badMyDiv(type, is); // $ Alert // BAD
badMyDiv(type, is - 2); // $ Alert // BAD
badMySubDiv(type, is); // $ Alert // BAD
badMyDiv(type, is); // BAD
badMyDiv(type, is - 2); // BAD
badMySubDiv(type, is); // BAD
goodMyDiv(type, is); // GOOD
if (is < 5)
badMySubDiv(type, is); // $ Alert // BAD
badMySubDiv(type, is); // BAD
if (is < 0)
badMySubDiv(type, is); // $ MISSING: Alert // BAD [NOT DETECTED]
badMySubDiv(type, is); // BAD [NOT DETECTED]
if (is > 5)
badMySubDiv(type, is); // GOOD
if (is == 0)
@@ -270,9 +270,9 @@ void badTestf13(int type) {
if (is > 0)
badMyDiv(type, is); // GOOD
if (is < 5)
badMyDiv(type, is - 3); // $ Alert // BAD
badMyDiv(type, is - 3); // BAD
if (is < 0)
badMyDiv(type, is + 1); // $ Alert // BAD
badMyDiv(type, is + 1); // BAD
if (is > 5)
badMyDiv(type, is - 3); // GOOD
}

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql

View File

@@ -13,7 +13,7 @@ int fclose(FILE *stream);
int funcTest1()
{
FILE *fp;
char *filename = tmpnam(NULL); // $ Alert // BAD
char *filename = tmpnam(NULL); // BAD
fp = fopen(filename,"w");
fprintf(fp,"%s\n","data to file");
fclose(fp);
@@ -39,7 +39,7 @@ int funcTest3()
FILE *fp;
char filename[80];
strcat(filename, "/tmp/tmp.name");
fp = fopen(filename,"w"); // $ MISSING: Alert // BAD [NOT DETECTED]
fp = fopen(filename,"w"); // BAD [NOT DETECTED]
fprintf(fp,"%s\n","data to file");
fclose(fp);
return 0;

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql

View File

@@ -31,7 +31,7 @@ unsigned char * badResize_0(unsigned char * buffer,size_t currentSize,size_t new
// BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block
if (currentSize < newSize)
{
buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert
buffer = (unsigned char *)realloc(buffer, newSize);
}
return buffer;
}
@@ -60,7 +60,7 @@ unsigned char * badResize_1_0(unsigned char * buffer,size_t currentSize,size_t n
// BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block
if (currentSize < newSize)
{
buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert
buffer = (unsigned char *)realloc(buffer, newSize);
}
return buffer;
}
@@ -136,7 +136,7 @@ unsigned char * badResize_1_1(unsigned char * buffer,size_t currentSize,size_t n
// BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block
if (currentSize < newSize)
{
buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert
buffer = (unsigned char *)realloc(buffer, newSize);
}
if(!buffer)
aFakeFailed_1(1, 1);
@@ -183,7 +183,7 @@ unsigned char * badResize_2_0(unsigned char * buffer,size_t currentSize,size_t n
assert(buffer!=0);
if (currentSize < newSize)
{
buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert
buffer = (unsigned char *)realloc(buffer, newSize);
}
return buffer;
}
@@ -279,7 +279,7 @@ unsigned char *goodResize_3_1(unsigned char *buffer, size_t currentSize, size_t
unsigned char *tmp = buffer;
if (currentSize < newSize)
{
buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert
buffer = (unsigned char *)realloc(buffer, newSize);
if (buffer == NULL)
{
free(tmp);
@@ -296,7 +296,7 @@ unsigned char *goodResize_3_2(unsigned char *buffer, size_t currentSize, size_t
unsigned char *tmp = buffer;
if (currentSize < newSize)
{
tmp = (unsigned char *)realloc(tmp, newSize); // $ Alert
tmp = (unsigned char *)realloc(tmp, newSize);
if (tmp != 0)
{
buffer = tmp;
@@ -325,7 +325,7 @@ unsigned char * badResize_5_2(unsigned char *buffer, size_t currentSize, size_t
// BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block
if (currentSize < newSize)
{
buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert
buffer = (unsigned char *)realloc(buffer, newSize);
}
if (cond)
{
@@ -339,7 +339,7 @@ unsigned char * badResize_5_1(unsigned char *buffer, size_t currentSize, size_t
// BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block
if (currentSize < newSize)
{
buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert
buffer = (unsigned char *)realloc(buffer, newSize);
assert(cond); // irrelevant
}
return buffer;

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-409/DecompressionBombs.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-409/DecompressionBombs.ql

View File

@@ -15,12 +15,12 @@ BrotliDecoderResult BrotliDecoderDecompressStream(
void brotli_test(int argc, const char **argv) {
uint8_t output[1024];
size_t output_size = sizeof(output);
BrotliDecoderDecompress(1024, (uint8_t *) argv[2], &output_size, output); // $ Alert // BAD
BrotliDecoderDecompress(1024, (uint8_t *) argv[2], &output_size, output); // BAD
size_t input_size = 1024;
const uint8_t *input_p = (const uint8_t*)argv[2];
uint8_t *output_p = output;
size_t out_size;
BrotliDecoderDecompressStream(0, &input_size, &input_p, &output_size, // $ Alert // BAD
BrotliDecoderDecompressStream(0, &input_size, &input_p, &output_size, // BAD
&output_p, &out_size);
}

View File

@@ -19,7 +19,7 @@ static int read_data(archive *ar) {
size_t size;
la_int64_t offset;
int r = archive_read_data_block(ar, &buff, &size, &offset); // $ Alert // BAD
int r = archive_read_data_block(ar, &buff, &size, &offset); // BAD
if (r == ARCHIVE_EOF)
return ARCHIVE_OK;
if (r < ARCHIVE_OK)

View File

@@ -4,7 +4,7 @@ void minizip_test(int argc, const char **argv);
void zlib_test(int argc, const char **argv);
void zstd_test(int argc, const char **argv);
int main(int argc, const char **argv) { // $ Source
int main(int argc, const char **argv) {
brotli_test(argc, argv);
libarchive_test(argc, argv);
minizip_test(argc, argv);

View File

@@ -14,7 +14,7 @@ void minizip_test(int argc, const char **argv) {
int32_t bytes_read;
char buf[4096];
while(true) {
bytes_read = mz_zip_entry_read(zip_handle, (char *) argv[1], sizeof(buf)); // $ Alert // BAD
bytes_read = mz_zip_entry_read(zip_handle, (char *) argv[1], sizeof(buf)); // BAD
if (bytes_read <= 0) {
break;
}
@@ -23,7 +23,7 @@ void minizip_test(int argc, const char **argv) {
void *zip_reader = mz_zip_reader_create();
mz_zip_reader_open_file(zip_reader, argv[1]);
mz_zip_reader_goto_first_entry(zip_reader);
mz_zip_reader_entry_save(zip_reader, 0, 0); // $ Alert // BAD
mz_zip_reader_entry_save(zip_reader, 0, 0); // BAD
UnzOpen(argv[3]); // $ Alert // BAD
UnzOpen(argv[3]); // BAD
}

View File

@@ -22,7 +22,7 @@ void UnsafeInflate(char *input) {
infstream.next_out = output; // output char array
inflateInit(&infstream);
inflate(&infstream, 0); // $ Alert // BAD
inflate(&infstream, 0); // BAD
}
@@ -38,7 +38,7 @@ void UnsafeGzread(char *fileName) {
gzFile inFileZ = gzopen(fileName, "rb");
unsigned char unzipBuffer[8192];
while (true) {
if (gzread(inFileZ, unzipBuffer, 8192) <= 0) { // $ Alert // BAD
if (gzread(inFileZ, unzipBuffer, 8192) <= 0) { // BAD
break;
}
}
@@ -48,7 +48,7 @@ void UnsafeGzfread(char *fileName) {
gzFile inFileZ = gzopen(fileName, "rb");
while (true) {
char buffer[1000];
if (!gzfread(buffer, 999, 1, inFileZ)) { // $ Alert // BAD
if (!gzfread(buffer, 999, 1, inFileZ)) { // BAD
break;
}
}
@@ -59,7 +59,7 @@ void UnsafeGzgets(char *fileName) {
char *buffer = new char[4000000000];
char *result;
while (true) {
result = gzgets(inFileZ, buffer, 1000000000); // $ Alert // BAD
result = gzgets(inFileZ, buffer, 1000000000); // BAD
if (result == nullptr) {
break;
}
@@ -74,7 +74,7 @@ void InflateString(char *input) {
uLong source_length = 500;
uLong destination_length = sizeof(output);
uncompress(output, &destination_length, (Bytef *) input, source_length); // $ Alert // BAD
uncompress(output, &destination_length, (Bytef *) input, source_length); // BAD
}
void zlib_test(int argc, char **argv) {

View File

@@ -36,7 +36,7 @@ void zstd_test(int argc, const char **argv) {
ZSTD_inBuffer input = {buffIn, read, 0};
while (input.pos < input.size) {
ZSTD_outBuffer output = {buffOut, buffOutSize, 0};
size_t const ret = ZSTD_decompressStream(dctx, &output, &input); // $ Alert // BAD
size_t const ret = ZSTD_decompressStream(dctx, &output, &input); // BAD
CHECK_ZSTD(ret);
}
}

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-415/DoubleFree.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-415/DoubleFree.ql

View File

@@ -8,14 +8,14 @@ void workFunction_0(char *s) {
char *buf;
buf = (char *) malloc(intSize);
free(buf); // GOOD
if(buf) free(buf); // $ Alert // BAD
if(buf) free(buf); // BAD
}
void workFunction_1(char *s) {
int intSize = 10;
char *buf;
buf = (char *) malloc(intSize);
free(buf); // GOOD
free(buf); // $ Alert // BAD
free(buf); // BAD
}
void workFunction_2(char *s) {
int intSize = 10;
@@ -54,7 +54,7 @@ void workFunction_5(char *s, int intFlag) {
if(intFlag) {
free(buf); // GOOD
}
free(buf); // $ Alert // BAD
free(buf); // BAD
}
void workFunction_6(char *s, int intFlag) {
int intSize = 10;
@@ -75,7 +75,7 @@ void workFunction_7(char *s) {
char *buf1;
buf = (char *) malloc(intSize);
buf1 = (char *) realloc(buf,intSize*4);
free(buf); // $ Alert // BAD
free(buf); // BAD
}
void workFunction_8(char *s) {
int intSize = 10;

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-476/DangerousUseOfExceptionBlocks.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-476/DangerousUseOfExceptionBlocks.ql

View File

@@ -68,7 +68,7 @@ void funcWork1b() {
}
delete [] bufMyData;
} // $ Alert
}
}
void funcWork1() {
@@ -97,7 +97,7 @@ void funcWork1() {
}
delete [] bufMyData;
} // $ Alert
}
}
void funcWork2() {
@@ -125,7 +125,7 @@ void funcWork2() {
}
delete [] bufMyData;
} // $ Alert
}
}
void funcWork3() {
int a;
@@ -148,7 +148,7 @@ void funcWork3() {
}
delete [] bufMyData;
} // $ Alert
}
}
@@ -180,7 +180,7 @@ void funcWork4b() {
catch (...)
{
delete valData; // BAD
} // $ Alert
}
}
void funcWork5() {
int a;
@@ -218,7 +218,7 @@ void funcWork5b() {
catch (...)
{
delete valData; // BAD
} // $ Alert
}
}
void funcWork6() {
int a;

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-561/FindIncorrectlyUsedSwitch.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-561/FindIncorrectlyUsedSwitch.ql

View File

@@ -25,7 +25,7 @@ void testFunction(char c1,int i1)
case 9:
break;
dafault:
} // $ Alert
}
switch(c1){ // BAD
c1=c1*2;
@@ -35,7 +35,7 @@ void testFunction(char c1,int i1)
break;
case 9:
break;
} // $ Alert
}
if((c1<6)&&(c1>0))
switch(c1){ // BAD
@@ -47,7 +47,7 @@ void testFunction(char c1,int i1)
break;
case 1:
break;
} // $ Alert
}
if((c1<6)&&(c1>0))
switch(c1){ // BAD
@@ -55,6 +55,6 @@ void testFunction(char c1,int i1)
break;
case 1:
break;
} // $ Alert
}
}

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-670/DangerousUseSSL_shutdown.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-670/DangerousUseSSL_shutdown.ql

View File

@@ -42,7 +42,7 @@ int gootTest2(SSL *ssl)
int badTest1(SSL *ssl)
{
int ret;
switch ((ret = SSL_shutdown(ssl))) { // $ Alert
switch ((ret = SSL_shutdown(ssl))) {
case 1:
break;
case 0:
@@ -58,7 +58,7 @@ int badTest1(SSL *ssl)
int badTest2(SSL *ssl)
{
int ret;
ret = SSL_shutdown(ssl); // $ Alert
ret = SSL_shutdown(ssl);
switch (ret) {
case 1:
break;

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-675/DoubleRelease.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-675/DoubleRelease.ql

View File

@@ -6,7 +6,7 @@ extern FILE * fe;
void test1()
{
FILE *f;
f = fopen("myFile.txt", "wt");
fclose(f); // GOOD
f = NULL;
@@ -15,9 +15,9 @@ void test1()
void test2()
{
FILE *f;
f = fopen("myFile.txt", "wt");
fclose(f); // $ Alert // BAD
fclose(f); // BAD
fclose(f);
}
@@ -25,17 +25,17 @@ void test3()
{
FILE *f;
FILE *g;
f = fopen("myFile.txt", "wt");
g = f;
fclose(f); // $ Alert // BAD
fclose(f); // BAD
fclose(g);
}
int fGtest4_1()
{
fe = fopen("myFile.txt", "wt");
fclose(fe); // $ Alert // BAD
fe = fopen("myFile.txt", "wt");
fclose(fe); // BAD
return -1;
}
@@ -46,7 +46,7 @@ int fGtest4_2()
}
void Gtest4()
{
{
fGtest4_1();
fGtest4_2();
}
@@ -76,7 +76,7 @@ int main(int argc, char *argv[])
test1();
test2();
test3();
Gtest4();
Gtest5();
return 0;

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql

View File

@@ -5,25 +5,25 @@ void workFunction_0(char *s) {
int intSize;
char buf[80];
if(intSize>0 && intSize<80 && memset(buf,0,intSize)) return; // GOOD
if(intSize>0 & intSize<80 & memset(buf,0,intSize)) return; // $ Alert[cpp/errors-when-using-bit-operations] // BAD
if(intSize>0 & intSize<80 & memset(buf,0,intSize)) return; // BAD
if(intSize>0 && tmpFunction()) return;
if(intSize<0 & tmpFunction()) return; // $ Alert[cpp/errors-when-using-bit-operations] // BAD
if(intSize<0 & tmpFunction()) return; // BAD
}
void workFunction_1(char *s) {
int intA,intB;
if(intA + intB) return; // $ Alert[cpp/errors-after-refactoring] // BAD
if(intA + intB) return; // BAD
if(intA + intB>4) return; // GOOD
if(intA>0 && (intA + intB)) return; // $ Alert[cpp/errors-after-refactoring] // BAD
if(intA>0 && (intA + intB)) return; // BAD
while(intA>0)
{
if(intB - intA<10) break;
intA--;
}while(intA>0); // $ Alert[cpp/errors-after-refactoring] // BAD
}while(intA>0); // BAD
for(intA=100; intA>0; intA--)
{
if(intB - intA<10) break;
}while(intA>0); // $ Alert[cpp/errors-after-refactoring] // BAD
}while(intA>0); // BAD
while(intA>0)
{
if(intB - intA<10) break;

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-703/FindIncorrectlyUsedExceptions.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-703/FindIncorrectlyUsedExceptions.ql

View File

@@ -32,13 +32,13 @@ void funcTest2()
void funcTest3()
{
std::runtime_error("msg error"); // $ Alert // BAD
std::runtime_error("msg error"); // BAD
throw std::runtime_error("msg error"); // GOOD
}
void TestFunc()
{
funcTest1(); // $ Alert
DllMain(); // $ Alert
funcTest1();
DllMain();
funcTest2();
}

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-754/ImproperCheckReturnValueScanf.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-754/ImproperCheckReturnValueScanf.ql

View File

@@ -49,9 +49,9 @@ int functionWork1b(int retIndex) {
char a[10];
int b;
int *p = &b;
scanf("%i", &i); // $ Alert // BAD
scanf("%s", a); // $ Alert // BAD
scanf("%i", p); // $ Alert // BAD
scanf("%i", &i); // BAD
scanf("%s", a); // BAD
scanf("%i", p); // BAD
if(retIndex == 0)
return (int)*a;
if(retIndex == 1)
@@ -60,7 +60,7 @@ int functionWork1b(int retIndex) {
}
int functionWork1_() {
int i;
scanf("%i",&i); // $ MISSING: Alert // BAD [NOT DETECTED]
scanf("%i",&i); // BAD [NOT DETECTED]
if(i<10)
return -1;
return i;
@@ -102,9 +102,9 @@ int functionWork2b() {
char a[10];
int b;
int *p = &b;
scanf("%i", &i); // $ Alert // BAD
scanf("%s", a); // $ Alert // BAD
scanf("%i", p); // $ Alert // BAD
scanf("%i", &i); // BAD
scanf("%s", a); // BAD
scanf("%i", p); // BAD
globalVal = i;
globalVala = a;
globalValp = p;
@@ -112,12 +112,12 @@ int functionWork2b() {
}
int functionWork2b_() {
char a[10];
scanf("%s", a); // $ Alert // BAD
scanf("%s", a); // BAD
globalVala2 = a[0];
return 0;
}
int functionWork3b(int * i) {
scanf("%i", i); // $ Alert // BAD
scanf("%i", i); // BAD
return 0;
}
int functionWork3() {

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-758/UndefinedOrImplementationDefinedBehavior.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-758/UndefinedOrImplementationDefinedBehavior.ql

View File

@@ -10,10 +10,10 @@ char tmpFunction2(char * buf)
}
void workFunction_0(char *s, char * buf) {
int intA;
intA = tmpFunction1(buf) + tmpFunction2(buf); // $ Alert // BAD
intA = tmpFunction1(buf) + tmpFunction2(buf); // BAD
intA = tmpFunction1(buf); //GOOD
intA += tmpFunction2(buf); // GOOD
buf[intA] = intA++; // $ Alert // BAD
buf[intA] = intA++; // BAD
intA++;
buf[intA] = intA; // GOOD
}

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBitwiseOrLogicalOperations.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBitwiseOrLogicalOperations.ql

View File

@@ -1,14 +1,14 @@
void testFunction(int i1, int i2, int i3, bool b1, bool b2, bool b3, char c1)
{
if(b1||b2&&b3) // $ Alert //BAD
if(b1||b2&&b3) //BAD
return;
if((b1||b2)&&b3) //GOOD
return;
if(b1||(b2&&b3)) //GOOD
return;
if(b1||b2&i1) // $ Alert //BAD
if(b1||b2&i1) //BAD
return;
if((b1||b2)&i1) //GOOD
return;
@@ -16,28 +16,28 @@ void testFunction(int i1, int i2, int i3, bool b1, bool b2, bool b3, char c1)
return;
if(b1&&b2&0) //GOOD
return;
if(b1||b2|i1) // $ Alert //BAD
if(b1||b2|i1) //BAD
return;
if((b1||b2)|i1) //GOOD
return;
if(i1|i2&c1) // $ Alert //BAD
if(i1|i2&c1) //BAD
return;
if((i1|i2)&i3) //GOOD
return;
if(i1^i2&c1) // $ Alert //BAD
if(i1^i2&c1) //BAD
return;
if((i1^i2)&i3) //GOOD
return;
if(i1|i2^c1) // $ Alert //BAD
if(i1|i2^c1) //BAD
return;
if((i1|i2)^i3) //GOOD
return;
if(b1|b2^b3) // $ Alert //BAD
if(b1|b2^b3) //BAD
return;
if((b1|b2)^b3) //GOOD
return;
}

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.ql

View File

@@ -12,23 +12,23 @@ void strlen_test1(){
unsigned char buff1[12];
struct buffers buffAll;
struct buffers * buffAll1;
buff1[strlen(buff1)]=0; // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] // BAD
buffAll.array[strlen(buffAll.array)]=0; // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] // BAD
buffAll.pointer[strlen(buffAll.pointer)]=0; // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] // BAD
buffAll1->array[strlen(buffAll1->array)]=0; // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] // BAD
buffAll1->pointer[strlen(buffAll1->pointer)]=0; // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] // BAD
globalBuff1.array[strlen(globalBuff1.array)]=0; // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] // BAD
globalBuff1.pointer[strlen(globalBuff1.pointer)]=0; // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] // BAD
globalBuff2->array[strlen(globalBuff2->array)]=0; // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] // BAD
globalBuff2->pointer[strlen(globalBuff2->pointer)]=0; // $ Alert[cpp/access-memory-location-after-end-buffer-strlen] // BAD
buff1[strlen(buff1)]=0; // BAD
buffAll.array[strlen(buffAll.array)]=0; // BAD
buffAll.pointer[strlen(buffAll.pointer)]=0; // BAD
buffAll1->array[strlen(buffAll1->array)]=0; // BAD
buffAll1->pointer[strlen(buffAll1->pointer)]=0; // BAD
globalBuff1.array[strlen(globalBuff1.array)]=0; // BAD
globalBuff1.pointer[strlen(globalBuff1.pointer)]=0; // BAD
globalBuff2->array[strlen(globalBuff2->array)]=0; // BAD
globalBuff2->pointer[strlen(globalBuff2->pointer)]=0; // BAD
}
void strlen_test2(){
unsigned char buff1[12],buff1_c[12];
struct buffers buffAll,buffAll_c;
struct buffers * buffAll1,*buffAll1_c;
buff1[strlen(buff1_c)]=0; // GOOD
buffAll.array[strlen(buffAll_c.array)]=0; // GOOD
buffAll.pointer[strlen(buffAll.array)]=0; // GOOD

View File

@@ -7,13 +7,13 @@ void testFunction()
int i1,i2,i3;
bool b1,b2,b3;
char c1,c2,c3;
b1 = -b2; // $ Alert[cpp/operator-precedence-logic-error-when-use-bool-type] //BAD
b1 = -b2; //BAD
b1 = !b2; //GOOD
b1++; // $ Alert[cpp/operator-precedence-logic-error-when-use-bool-type] //BAD
++b1; // $ Alert[cpp/operator-precedence-logic-error-when-use-bool-type] //BAD
if(i1=tmpFunc()!=i2) // $ Alert[cpp/operator-precedence-logic-error-when-use-bool-type] //BAD
b1++; //BAD
++b1; //BAD
if(i1=tmpFunc()!=i2) //BAD
return;
if(i1=tmpFunc()!=11) // $ Alert[cpp/operator-precedence-logic-error-when-use-bool-type] //BAD
if(i1=tmpFunc()!=11) //BAD
return;
if((i1=tmpFunc())!=i2) //GOOD
return;

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-805/BufferAccessWithIncorrectLengthValue.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-805/BufferAccessWithIncorrectLengthValue.ql

View File

@@ -24,7 +24,7 @@ bool badTest1(SSL *ssl,char *text)
char buf[256];
if( peer = SSL_get_peer_certificate(ssl))
{
X509_NAME_oneline(X509_get_subject_name(peer),buf,1024); // $ Alert // BAD
X509_NAME_oneline(X509_get_subject_name(peer),buf,1024); // BAD
if((char*)strcasestr(buf,text)) return true;
}
return false;

View File

@@ -16,7 +16,7 @@ int main(int argc, char **argv)
// BAD, do not use scanf without specifying a length first
char buf1[10];
scanf("%s", buf1); // $ Alert
scanf("%s", buf1);
// GOOD, length is specified. The length should be one less than the size of the destination buffer, since the last character is the NULL terminator.
char buf2[20];
@@ -25,7 +25,7 @@ int main(int argc, char **argv)
// BAD, do not use scanf without specifying a length first
char file[10];
fscanf(file, "%s", buf2); // $ Alert
fscanf(file, "%s", buf2);
// GOOD, with 'sscanf' the input can be checked first and enough room allocated [FALSE POSITIVE]
if (argc >= 1)
@@ -33,7 +33,7 @@ int main(int argc, char **argv)
char *src = argv[0];
char *dest = (char *)malloc(strlen(src) + 1);
sscanf(src, "%s", dest); // $ Alert
sscanf(src, "%s", dest);
}
return 0;

View File

@@ -1,2 +1 @@
query: experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.ql

View File

@@ -1 +1 @@
semmle/code/cpp/ir/IRConsistency.ql
semmle/code/cpp/ir/IRConsistency.ql

View File

@@ -1 +1 @@
semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.ql
semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.ql

View File

@@ -1 +1 @@
semmle/code/cpp/ir/implementation/raw/IRConsistency.ql
semmle/code/cpp/ir/implementation/raw/IRConsistency.ql

View File

@@ -1 +1 @@
semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.ql
semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.ql

View File

@@ -1 +1 @@
semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistency.ql
semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistency.ql

View File

@@ -1 +1 @@
semmle/code/cpp/ir/IRConsistency.ql
semmle/code/cpp/ir/IRConsistency.ql

View File

@@ -1 +1 @@
semmle/code/cpp/ir/PrintIR.ql
semmle/code/cpp/ir/PrintIR.ql

View File

@@ -1 +1 @@
semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.ql
semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.ql

View File

@@ -1 +1 @@
semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.ql
semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.ql

View File

@@ -1 +1 @@
semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.ql
semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.ql

View File

@@ -1 +1 @@
semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistency.ql
semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistency.ql

View File

@@ -6,10 +6,11 @@ void f(void) {
long long int z;
z = (long long int)p1; // OK: long long int is big enough
i = (short int)p2; // $ Alert // Bad: short is too small
i = (short int)p2; // Bad: short is too small
i = (short int)(long long int)p3; // OK: we assume they know what
// they are doing if they go
// via a large-enough type
i = (short int)(void *)p4; // $ Alert // Bad: Going via a pointer type is
i = (short int)(void *)p4; // Bad: Going via a pointer type is
// not convincing
}

View File

@@ -1,2 +1 @@
query: Likely Bugs/Conversion/LossyPointerCast.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql
Likely Bugs/Conversion/LossyPointerCast.ql

Some files were not shown because too many files have changed in this diff Show More