mirror of
https://github.com/github/codeql.git
synced 2026-07-08 21:15:32 +02:00
Compare commits
320 Commits
jketema/go
...
java-upgra
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
545d541588 | ||
|
|
bf7c48972b | ||
|
|
371e8c27f7 | ||
|
|
25cd352de7 | ||
|
|
8bb12d1507 | ||
|
|
aba008dcd7 | ||
|
|
7b96f66d34 | ||
|
|
3c3f740a25 | ||
|
|
85d800f317 | ||
|
|
134e30260d | ||
|
|
a16e19a3b1 | ||
|
|
69ed2da241 | ||
|
|
bc966f62e2 | ||
|
|
b6d588c1a8 | ||
|
|
5ba1fe315d | ||
|
|
8363d2d66d | ||
|
|
b8f8370c33 | ||
|
|
6ff2a4c0d6 | ||
|
|
1db31327a7 | ||
|
|
19745e13b5 | ||
|
|
9d9590623d | ||
|
|
117a0bb87e | ||
|
|
f67b7299f9 | ||
|
|
366d70bfee | ||
|
|
a812e4aa99 | ||
|
|
fa16728522 | ||
|
|
76d8ae8694 | ||
|
|
843ac7c6b0 | ||
|
|
a2c5d4c818 | ||
|
|
8f026b1dc2 | ||
|
|
bfb3ead314 | ||
|
|
e5bd62dbd3 | ||
|
|
76b4f4f223 | ||
|
|
077b531e41 | ||
|
|
c23c3d9e79 | ||
|
|
036ed04eee | ||
|
|
891e244116 | ||
|
|
c8eb2071d8 | ||
|
|
e7bff859e8 | ||
|
|
6ea146f65b | ||
|
|
a86c7ba422 | ||
|
|
d0cd4ac536 | ||
|
|
c3a0b65c0c | ||
|
|
268e9eadac | ||
|
|
ab1bc853fc | ||
|
|
f4d8358454 | ||
|
|
0a02b16c43 | ||
|
|
4aef485d3c | ||
|
|
5e50fc8471 | ||
|
|
e4a7b4ff51 | ||
|
|
66ddf3b4c6 | ||
|
|
1af9609eed | ||
|
|
4f4cdf434b | ||
|
|
79eeaa2028 | ||
|
|
1f4ae86a84 | ||
|
|
797f58b5d5 | ||
|
|
2308981665 | ||
|
|
32181cd7e8 | ||
|
|
9aaf3f15eb | ||
|
|
d8b89d2581 | ||
|
|
f4d6f582c8 | ||
|
|
36b31a855c | ||
|
|
bced7bb6d2 | ||
|
|
970e991b2c | ||
|
|
982f6a5e8a | ||
|
|
6c3c5ea8af | ||
|
|
226efb3ad7 | ||
|
|
73ec4b8d02 | ||
|
|
cb4a1d0929 | ||
|
|
d664d17a11 | ||
|
|
7263c00b00 | ||
|
|
e9766086cd | ||
|
|
d551ab3afb | ||
|
|
2bf6031c0f | ||
|
|
daf97f7139 | ||
|
|
a5444b573a | ||
|
|
3410f39b3c | ||
|
|
cf51664d69 | ||
|
|
3cbb8ba87e | ||
|
|
b12c67f231 | ||
|
|
41f2e7b6f6 | ||
|
|
11e75c12a8 | ||
|
|
dbbcc1741c | ||
|
|
f37b3e77ff | ||
|
|
b5ec9c25c0 | ||
|
|
9e37ae02fd | ||
|
|
c81d31f2e3 | ||
|
|
f251a572e1 | ||
|
|
43cfa2f8bd | ||
|
|
ca4f751f9b | ||
|
|
b7b731bab7 | ||
|
|
c045da01a1 | ||
|
|
a9617f18a1 | ||
|
|
8a46f03308 | ||
|
|
fc94d1c035 | ||
|
|
a93501a1eb | ||
|
|
06f54d1bbb | ||
|
|
396bea6e6a | ||
|
|
a43c5cee61 | ||
|
|
0e05ea5153 | ||
|
|
8657c8b26e | ||
|
|
449a3ac870 | ||
|
|
fc954c3e1a | ||
|
|
81ed5c59d7 | ||
|
|
8d564d31e6 | ||
|
|
cbcf85a953 | ||
|
|
c0871defe9 | ||
|
|
be39051c29 | ||
|
|
8447b76c12 | ||
|
|
3d8991a4db | ||
|
|
4a7afb7aeb | ||
|
|
37d2224b9d | ||
|
|
0a737c97f3 | ||
|
|
28f0be5c67 | ||
|
|
f353a17431 | ||
|
|
caaed72288 | ||
|
|
08c383df6a | ||
|
|
2625c304bf | ||
|
|
49bde567dd | ||
|
|
d519f79703 | ||
|
|
12bd3e2860 | ||
|
|
3e1ca82cbf | ||
|
|
f1cc1e5c47 | ||
|
|
bfc37e547f | ||
|
|
f14a5678be | ||
|
|
041a8e6adc | ||
|
|
fb424020af | ||
|
|
bda8e7dae1 | ||
|
|
37c8111c18 | ||
|
|
807bb51df7 | ||
|
|
b6abfe6e5c | ||
|
|
b3dc7009a4 | ||
|
|
e59f646870 | ||
|
|
cc3c232631 | ||
|
|
9a5cc3c5e3 | ||
|
|
3983e4db29 | ||
|
|
72f1a0d89b | ||
|
|
96e88a1f9a | ||
|
|
3058198c0d | ||
|
|
d985c48e84 | ||
|
|
330bb17d69 | ||
|
|
818a25b64e | ||
|
|
4237a76251 | ||
|
|
2ef06c9f96 | ||
|
|
727f7d2afa | ||
|
|
8fc2f7c92e | ||
|
|
3c5f70de11 | ||
|
|
1842382e23 | ||
|
|
db449dca6a | ||
|
|
7216d12b9a | ||
|
|
c4b4fde0d7 | ||
|
|
35cd0f829f | ||
|
|
299c8cd914 | ||
|
|
c0c8958db1 | ||
|
|
0ee40417ea | ||
|
|
46382cbc8e | ||
|
|
da3d0cf977 | ||
|
|
93439db87b | ||
|
|
897d16929b | ||
|
|
6f997ae15c | ||
|
|
300e48e48e | ||
|
|
f840f6104a | ||
|
|
70ca7af04c | ||
|
|
7861e9e596 | ||
|
|
664f0125b9 | ||
|
|
1b7f589000 | ||
|
|
eb7f8cc43d | ||
|
|
2767b8dbbf | ||
|
|
b1f60acf2c | ||
|
|
2b2613de4e | ||
|
|
95e030f4e3 | ||
|
|
8155ff7a4f | ||
|
|
14acc7fcab | ||
|
|
37ce885b0c | ||
|
|
caef09bf8e | ||
|
|
52acaec03d | ||
|
|
d6e8555f8b | ||
|
|
b5ef15c70f | ||
|
|
5735ac330d | ||
|
|
5348c7d07c | ||
|
|
f89f304e50 | ||
|
|
ff7dc297d5 | ||
|
|
cacdc467de | ||
|
|
7b800b1dd6 | ||
|
|
1b6ff24642 | ||
|
|
3d1b6b64ed | ||
|
|
ac618e1cb2 | ||
|
|
221a54d22e | ||
|
|
5fcaac7cb2 | ||
|
|
cc215858e4 | ||
|
|
56a1b12c9e | ||
|
|
688213056c | ||
|
|
1c37688ec1 | ||
|
|
336df3ccf4 | ||
|
|
587f9c24ed | ||
|
|
84a3435c12 | ||
|
|
456e33773b | ||
|
|
7c73de0e3c | ||
|
|
af7ae8c4cb | ||
|
|
1c4552edb0 | ||
|
|
5136d872ae | ||
|
|
474bcd4dd1 | ||
|
|
199489a225 | ||
|
|
ae4ccc651c | ||
|
|
0d845c2ea9 | ||
|
|
6d138c2bd4 | ||
|
|
85c39c04e0 | ||
|
|
1ee142d8bd | ||
|
|
a523c7f47f | ||
|
|
5f73754b95 | ||
|
|
e0fa6cf785 | ||
|
|
237c5639e2 | ||
|
|
73ad826d44 | ||
|
|
cc83856c5e | ||
|
|
0fbab225ce | ||
|
|
3403cffe51 | ||
|
|
4aa53b6be9 | ||
|
|
ca09327384 | ||
|
|
969ab78225 | ||
|
|
b67644c127 | ||
|
|
20b4cbe72e | ||
|
|
b582844f96 | ||
|
|
b9a132dac6 | ||
|
|
351d4954d7 | ||
|
|
4bda03fe8d | ||
|
|
89cd6770ae | ||
|
|
9b2e6077f1 | ||
|
|
18913ce4b8 | ||
|
|
a45ef5845a | ||
|
|
d32c4d838d | ||
|
|
8042fba94a | ||
|
|
bbad4f6069 | ||
|
|
929fa1e977 | ||
|
|
3324d07985 | ||
|
|
f6b3d1eade | ||
|
|
402c0f89bc | ||
|
|
af11f6e618 | ||
|
|
7fc4b4856e | ||
|
|
4b8cb3ffac | ||
|
|
0c72a2b982 | ||
|
|
b8c78fdcb7 | ||
|
|
bcf71d0db6 | ||
|
|
5047bee432 | ||
|
|
29eba2f38e | ||
|
|
4fa8a9fb1d | ||
|
|
a24d222d96 | ||
|
|
bcfee987f0 | ||
|
|
933338f627 | ||
|
|
662f522032 | ||
|
|
a4e3761dea | ||
|
|
8129107ebf | ||
|
|
09c7329488 | ||
|
|
f9e1305da3 | ||
|
|
be56df7ad1 | ||
|
|
9865b66308 | ||
|
|
e8fee23093 | ||
|
|
bf50e377c5 | ||
|
|
076b01cbfc | ||
|
|
bb2ec1240a | ||
|
|
03c3ef9528 | ||
|
|
e1d4fe8605 | ||
|
|
11725e8921 | ||
|
|
41297c588c | ||
|
|
31f6e713c5 | ||
|
|
e2347a5c7d | ||
|
|
cd23341dab | ||
|
|
d1d9df7729 | ||
|
|
9bffcf81b5 | ||
|
|
18f49ed1a2 | ||
|
|
5f31632445 | ||
|
|
6a2a337ffe | ||
|
|
cf896f243f | ||
|
|
bae2d18446 | ||
|
|
2fb5321a50 | ||
|
|
0f83586757 | ||
|
|
66c1f037f5 | ||
|
|
2675070291 | ||
|
|
c01264d05c | ||
|
|
63e1cc90e9 | ||
|
|
2182265120 | ||
|
|
0b666d47db | ||
|
|
142ac47166 | ||
|
|
2470c1388a | ||
|
|
fa98557dd9 | ||
|
|
1e167dfa6b | ||
|
|
f362707493 | ||
|
|
15208b70aa | ||
|
|
3522f35ab2 | ||
|
|
938396a751 | ||
|
|
790d4f11be | ||
|
|
8f747a355c | ||
|
|
d17fd2d964 | ||
|
|
4e9c3fb436 | ||
|
|
0e9d17b59c | ||
|
|
6c74cd31e4 | ||
|
|
166406acbb | ||
|
|
b40cb5dedd | ||
|
|
6dd7dedc19 | ||
|
|
7f16853715 | ||
|
|
2d6feb1255 | ||
|
|
880011ce13 | ||
|
|
1b785a8ff6 | ||
|
|
e10743bd08 | ||
|
|
1d8e682e5f | ||
|
|
0baa126473 | ||
|
|
d11b428292 | ||
|
|
ddc9516e92 | ||
|
|
00068948c1 | ||
|
|
28c879f58c | ||
|
|
d51a9a3e1a | ||
|
|
048884bb78 | ||
|
|
2eed6c1736 | ||
|
|
2a8f295a65 | ||
|
|
b8501f1ec5 | ||
|
|
3214253adb | ||
|
|
f7c4e61956 | ||
|
|
575ece6ae2 | ||
|
|
f6ed5c19be | ||
|
|
4298b70f1c | ||
|
|
e88b8c53f3 |
@@ -248,6 +248,7 @@ use_repo(
|
||||
"kotlin-compiler-2.2.20-Beta2",
|
||||
"kotlin-compiler-2.3.0",
|
||||
"kotlin-compiler-2.3.20",
|
||||
"kotlin-compiler-2.4.0",
|
||||
"kotlin-compiler-embeddable-1.8.0",
|
||||
"kotlin-compiler-embeddable-1.9.0-Beta",
|
||||
"kotlin-compiler-embeddable-1.9.20-Beta",
|
||||
@@ -259,6 +260,7 @@ use_repo(
|
||||
"kotlin-compiler-embeddable-2.2.20-Beta2",
|
||||
"kotlin-compiler-embeddable-2.3.0",
|
||||
"kotlin-compiler-embeddable-2.3.20",
|
||||
"kotlin-compiler-embeddable-2.4.0",
|
||||
"kotlin-stdlib-1.8.0",
|
||||
"kotlin-stdlib-1.9.0-Beta",
|
||||
"kotlin-stdlib-1.9.20-Beta",
|
||||
@@ -270,10 +272,11 @@ use_repo(
|
||||
"kotlin-stdlib-2.2.20-Beta2",
|
||||
"kotlin-stdlib-2.3.0",
|
||||
"kotlin-stdlib-2.3.20",
|
||||
"kotlin-stdlib-2.4.0",
|
||||
)
|
||||
|
||||
go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
|
||||
go_sdk.download(version = "1.27rc1")
|
||||
go_sdk.download(version = "1.26.4")
|
||||
|
||||
go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
|
||||
go_deps.from_file(go_mod = "//go/extractor:go.mod")
|
||||
|
||||
@@ -1,3 +1,10 @@
|
||||
## 0.4.38
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* GitHub Actions queries now better account for permission checks on jobs that call reusable workflows.
|
||||
* The query `actions/pr-on-self-hosted-runner` was updated to the latest standard runner labels reducing false positive results.
|
||||
|
||||
## 0.4.37
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: fix
|
||||
---
|
||||
* The query `actions/pr-on-self-hosted-runner` was updated to the latest standard runner labels reducing false positive results.
|
||||
6
actions/ql/lib/change-notes/released/0.4.38.md
Normal file
6
actions/ql/lib/change-notes/released/0.4.38.md
Normal file
@@ -0,0 +1,6 @@
|
||||
## 0.4.38
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* GitHub Actions queries now better account for permission checks on jobs that call reusable workflows.
|
||||
* The query `actions/pr-on-self-hosted-runner` was updated to the latest standard runner labels reducing false positive results.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.4.37
|
||||
lastReleaseVersion: 0.4.38
|
||||
|
||||
@@ -42,6 +42,15 @@ string actor_not_attacker_event() {
|
||||
]
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the outer caller of `ej`, i.e. the `ExternalJob` that calls the
|
||||
* reusable workflow containing `ej`. Used with transitive closure to
|
||||
* walk up nested reusable workflow chains.
|
||||
*/
|
||||
private ExternalJob getAnOuterCaller(ExternalJob ej) {
|
||||
result = ej.getEnclosingWorkflow().(ReusableWorkflow).getACaller()
|
||||
}
|
||||
|
||||
/** An If node that contains an actor, user or label check */
|
||||
abstract class ControlCheck extends AstNode {
|
||||
ControlCheck() {
|
||||
@@ -53,43 +62,170 @@ abstract class ControlCheck extends AstNode {
|
||||
|
||||
predicate protects(AstNode node, Event event, string category) {
|
||||
// The check dominates the step it should protect
|
||||
this.dominates(node) and
|
||||
this.dominates(node, event) and
|
||||
// The check is effective against the event and category
|
||||
this.protectsCategoryAndEvent(category, event.getName()) and
|
||||
// The check can be triggered by the event
|
||||
this.getATriggerEvent() = event
|
||||
this.getATriggerEvent() = event and
|
||||
// For reusable workflows, there must be no unprotected caller chain for this event.
|
||||
(
|
||||
not node.getEnclosingWorkflow() instanceof ReusableWorkflow
|
||||
or
|
||||
this.dominatesSameWorkflow(node, event)
|
||||
or
|
||||
not exists(ExternalJob directCaller |
|
||||
directCaller = node.getEnclosingWorkflow().(ReusableWorkflow).getACaller() and
|
||||
unprotectedCallerChain(directCaller, event, category)
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
predicate dominates(AstNode node) {
|
||||
/**
|
||||
* Holds if this control check must execute and pass before `node` can run.
|
||||
*/
|
||||
predicate dominates(AstNode node, Event event) {
|
||||
this.dominatesSameWorkflow(node, event)
|
||||
or
|
||||
// When the node is inside a reusable workflow,
|
||||
// this check dominates via at least one caller chain.
|
||||
this.dominatesViaCaller(node, event, _)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if this control check dominates `node` within the same workflow.
|
||||
*/
|
||||
predicate dominatesSameWorkflow(AstNode node, Event event) {
|
||||
this.getATriggerEvent() = event and
|
||||
(
|
||||
// Step-level: the check is an `if:` on the step containing `node`,
|
||||
// or on the enclosing job, or on a needed job/step.
|
||||
this instanceof If and
|
||||
(
|
||||
node.getEnclosingStep().getIf() = this or
|
||||
node.getEnclosingJob().getIf() = this or
|
||||
node.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or
|
||||
node.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this
|
||||
)
|
||||
or
|
||||
// Job-level: the check is an environment on the enclosing job or a needed job.
|
||||
this instanceof Environment and
|
||||
(
|
||||
node.getEnclosingJob().getEnvironment() = this
|
||||
or
|
||||
node.getEnclosingJob().getANeededJob().getEnvironment() = this
|
||||
)
|
||||
or
|
||||
// Step-level: the check is a Run/UsesStep that precedes `node`'s step
|
||||
// in the same job, or is a step in a needed job.
|
||||
(
|
||||
this instanceof Run or
|
||||
this instanceof UsesStep
|
||||
) and
|
||||
(
|
||||
this.(Step).getAFollowingStep() = node.getEnclosingStep()
|
||||
or
|
||||
node.getEnclosingJob().getANeededJob().(LocalJob).getAStep() = this
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if this control check dominates `node` in a reusable workflow
|
||||
* via the caller chain starting at `directCaller`.
|
||||
*/
|
||||
predicate dominatesViaCaller(AstNode node, Event event, ExternalJob directCaller) {
|
||||
directCaller = node.getEnclosingWorkflow().(ReusableWorkflow).getACaller() and
|
||||
directCaller.getATriggerEvent() = event and
|
||||
exists(ExternalJob caller |
|
||||
caller = getAnOuterCaller*(directCaller) and
|
||||
this.dominatesCaller(caller)
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if this control check directly dominates `caller`.
|
||||
*/
|
||||
predicate dominatesCaller(ExternalJob caller) {
|
||||
this instanceof If and
|
||||
(
|
||||
node.getEnclosingStep().getIf() = this or
|
||||
node.getEnclosingJob().getIf() = this or
|
||||
node.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or
|
||||
node.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this
|
||||
caller.getIf() = this or
|
||||
caller.getANeededJob().(LocalJob).getIf() = this or
|
||||
caller.getANeededJob().(LocalJob).getAStep().getIf() = this
|
||||
)
|
||||
or
|
||||
this instanceof Environment and
|
||||
(
|
||||
node.getEnclosingJob().getEnvironment() = this
|
||||
or
|
||||
node.getEnclosingJob().getANeededJob().getEnvironment() = this
|
||||
caller.getEnvironment() = this or
|
||||
caller.getANeededJob().getEnvironment() = this
|
||||
)
|
||||
or
|
||||
(
|
||||
this instanceof Run or
|
||||
this instanceof UsesStep
|
||||
) and
|
||||
(
|
||||
this.(Step).getAFollowingStep() = node.getEnclosingStep()
|
||||
or
|
||||
node.getEnclosingJob().getANeededJob().(LocalJob).getAStep() = this.(Step)
|
||||
)
|
||||
(this instanceof Run or this instanceof UsesStep) and
|
||||
caller.getANeededJob().(LocalJob).getAStep() = this
|
||||
}
|
||||
|
||||
abstract predicate protectsCategoryAndEvent(string category, string event);
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if this control check directly protects `caller`.
|
||||
*/
|
||||
bindingset[caller, event, category]
|
||||
private predicate protectedCaller(ExternalJob caller, Event event, string category) {
|
||||
exists(ControlCheck check |
|
||||
check.protectsCategoryAndEvent(category, event.getName()) and
|
||||
check.getATriggerEvent() = event and
|
||||
check.dominatesCaller(caller)
|
||||
)
|
||||
}
|
||||
|
||||
cached
|
||||
private newtype TCallerState =
|
||||
MkCallerState(ExternalJob caller, Event event, string category) {
|
||||
caller.getATriggerEvent() = event and
|
||||
category = any_category()
|
||||
}
|
||||
|
||||
private class CallerState extends TCallerState, MkCallerState {
|
||||
ExternalJob caller;
|
||||
Event event;
|
||||
string category;
|
||||
|
||||
CallerState() { this = MkCallerState(caller, event, category) }
|
||||
|
||||
ExternalJob getCaller() { result = caller }
|
||||
|
||||
Event getEvent() { result = event }
|
||||
|
||||
string getCategory() { result = category }
|
||||
|
||||
/**
|
||||
* Gets an outer caller state if this caller is not protected.
|
||||
*/
|
||||
CallerState getUnprotectedOuterState() {
|
||||
not protectedCaller(this.getCaller(), this.getEvent(), this.getCategory()) and
|
||||
result = MkCallerState(getAnOuterCaller(this.getCaller()), this.getEvent(), this.getCategory())
|
||||
}
|
||||
|
||||
predicate isUnprotectedOutermost() {
|
||||
not protectedCaller(this.getCaller(), this.getEvent(), this.getCategory()) and
|
||||
not exists(getAnOuterCaller(this.getCaller()))
|
||||
}
|
||||
|
||||
string toString() { result = caller + " / " + event + " / " + category }
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if there is a caller path from `caller` to an outer workflow that has no protection.
|
||||
*/
|
||||
bindingset[caller, event, category]
|
||||
private predicate unprotectedCallerChain(ExternalJob caller, Event event, string category) {
|
||||
exists(CallerState start, CallerState outermost |
|
||||
start = MkCallerState(caller, event, category) and
|
||||
outermost = start.getUnprotectedOuterState*() and
|
||||
outermost.isUnprotectedOutermost()
|
||||
)
|
||||
}
|
||||
|
||||
abstract class AssociationCheck extends ControlCheck {
|
||||
// Checks if the actor is a MEMBER/OWNER the repo
|
||||
// - they are effective against pull requests and workflow_run (since these are triggered by pull_requests) since they can control who is making the PR
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/actions-all
|
||||
version: 0.4.38-dev
|
||||
version: 0.4.39-dev
|
||||
library: true
|
||||
warnOnImplicitThis: true
|
||||
dependencies:
|
||||
|
||||
@@ -1,3 +1,9 @@
|
||||
## 0.6.30
|
||||
|
||||
### Query Metadata Changes
|
||||
|
||||
* The name, description, and alert message of `actions/untrusted-checkout/medium` have been corrected to describe a non-privileged context.
|
||||
|
||||
## 0.6.29
|
||||
|
||||
### Query Metadata Changes
|
||||
|
||||
@@ -18,7 +18,7 @@ from LocalJob job, LabelCheck check, MutableRefCheckoutStep checkout, Event even
|
||||
where
|
||||
job.isPrivileged() and
|
||||
job.getAStep() = checkout and
|
||||
check.dominates(checkout) and
|
||||
check.dominates(checkout, event) and
|
||||
(
|
||||
job.getATriggerEvent() = event and
|
||||
event.getName() = "pull_request_target" and
|
||||
|
||||
@@ -34,8 +34,8 @@ where
|
||||
check instanceof AssociationCheck or
|
||||
check instanceof PermissionCheck
|
||||
) and
|
||||
check.dominates(checkout) and
|
||||
date_check.dominates(checkout)
|
||||
check.dominates(checkout, event) and
|
||||
date_check.dominates(checkout, event)
|
||||
)
|
||||
or
|
||||
// not issue_comment triggered workflows
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
---
|
||||
category: queryMetadata
|
||||
---
|
||||
## 0.6.30
|
||||
|
||||
### Query Metadata Changes
|
||||
|
||||
* The name, description, and alert message of `actions/untrusted-checkout/medium` have been corrected to describe a non-privileged context.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.6.29
|
||||
lastReleaseVersion: 0.6.30
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/actions-queries
|
||||
version: 0.6.30-dev
|
||||
version: 0.6.31-dev
|
||||
library: false
|
||||
warnOnImplicitThis: true
|
||||
groups: [actions, queries]
|
||||
|
||||
@@ -0,0 +1,17 @@
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
COMMIT_SHA:
|
||||
type: string
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
with:
|
||||
ref: ${{ inputs.COMMIT_SHA }}
|
||||
- run: |
|
||||
npm install
|
||||
npm run lint
|
||||
|
||||
@@ -0,0 +1,13 @@
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
COMMIT_SHA:
|
||||
type: string
|
||||
|
||||
jobs:
|
||||
build:
|
||||
uses: TestOrg/TestRepo/.github/workflows/build.yml@main
|
||||
with:
|
||||
COMMIT_SHA: ${{ inputs.COMMIT_SHA }}
|
||||
|
||||
|
||||
@@ -0,0 +1,33 @@
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
COMMIT_SHA:
|
||||
type: string
|
||||
|
||||
jobs:
|
||||
is-collaborator:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Get User Permission
|
||||
id: checkAccess
|
||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||
with:
|
||||
require: write
|
||||
username: ${{ github.actor }}
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Check User Permission
|
||||
if: steps.checkAccess.outputs.require-result == 'false'
|
||||
run: |
|
||||
echo "${{ github.actor }} does not have permissions on this repo."
|
||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||
exit 1
|
||||
build_safe:
|
||||
needs: is-collaborator
|
||||
uses: TestOrg/TestRepo/.github/workflows/build_nested.yml@main
|
||||
with:
|
||||
COMMIT_SHA: ${{ inputs.COMMIT_SHA }}
|
||||
build_unsafe:
|
||||
uses: TestOrg/TestRepo/.github/workflows/build_nested.yml@main
|
||||
with:
|
||||
COMMIT_SHA: ${{ inputs.COMMIT_SHA }}
|
||||
31
actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_no_needs.yml
vendored
Normal file
31
actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_no_needs.yml
vendored
Normal file
@@ -0,0 +1,31 @@
|
||||
on:
|
||||
pull_request_target:
|
||||
|
||||
jobs:
|
||||
is-collaborator:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Get User Permission
|
||||
id: checkAccess
|
||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||
with:
|
||||
require: write
|
||||
username: ${{ github.actor }}
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Check User Permission
|
||||
if: steps.checkAccess.outputs.require-result == 'false'
|
||||
run: |
|
||||
echo "${{ github.actor }} does not have permissions on this repo."
|
||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||
exit 1
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
#needs: is-collaborator Mistake, doesn't wait for the collaborator - no security check
|
||||
steps:
|
||||
- name: Checkout repo
|
||||
uses: actions/checkout@4
|
||||
with:
|
||||
ref: ${{ github.event.pull_request.head.sha }} # should alert
|
||||
fetch-depth: 2
|
||||
- run: yarn test
|
||||
@@ -0,0 +1,26 @@
|
||||
on:
|
||||
pull_request_target:
|
||||
|
||||
jobs:
|
||||
is-collaborator:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Get User Permission
|
||||
id: checkAccess
|
||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||
with:
|
||||
require: write
|
||||
username: ${{ github.actor }}
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Check User Permission
|
||||
if: steps.checkAccess.outputs.require-result == 'false'
|
||||
run: |
|
||||
echo "${{ github.actor }} does not have permissions on this repo."
|
||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||
exit 1
|
||||
build:
|
||||
needs: is-collaborator
|
||||
uses: TestOrg/TestRepo/.github/workflows/build.yml@main
|
||||
with:
|
||||
COMMIT_SHA: ${{ github.event.pull_request.head.sha }} # shouldn't alert since permission check
|
||||
@@ -0,0 +1,31 @@
|
||||
on:
|
||||
pull_request_target:
|
||||
|
||||
jobs:
|
||||
is-collaborator:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Get User Permission
|
||||
id: checkAccess
|
||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||
with:
|
||||
require: write
|
||||
username: ${{ github.actor }}
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Check User Permission
|
||||
if: steps.checkAccess.outputs.require-result == 'false'
|
||||
run: |
|
||||
echo "${{ github.actor }} does not have permissions on this repo."
|
||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||
exit 1
|
||||
build_unsafe:
|
||||
# needs: is-collaborator
|
||||
uses: TestOrg/TestRepo/.github/workflows/build.yml@main
|
||||
with:
|
||||
COMMIT_SHA: ${{ github.event.pull_request.head.sha }} # should alert since no permission check
|
||||
build_safe:
|
||||
needs: is-collaborator
|
||||
uses: TestOrg/TestRepo/.github/workflows/build.yml@main
|
||||
with:
|
||||
COMMIT_SHA: ${{ github.event.pull_request.head.sha }} # shouldn't alert since permission check
|
||||
@@ -0,0 +1,8 @@
|
||||
on:
|
||||
pull_request_target:
|
||||
|
||||
jobs:
|
||||
build:
|
||||
uses: TestOrg/TestRepo/.github/workflows/build_nested_branching.yml@main
|
||||
with:
|
||||
COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
|
||||
@@ -0,0 +1,26 @@
|
||||
on:
|
||||
pull_request_target:
|
||||
|
||||
jobs:
|
||||
is-collaborator:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Get User Permission
|
||||
id: checkAccess
|
||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||
with:
|
||||
require: write
|
||||
username: ${{ github.actor }}
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Check User Permission
|
||||
if: steps.checkAccess.outputs.require-result == 'false'
|
||||
run: |
|
||||
echo "${{ github.actor }} does not have permissions on this repo."
|
||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||
exit 1
|
||||
build:
|
||||
needs: is-collaborator
|
||||
uses: TestOrg/TestRepo/.github/workflows/build_nested.yml@main
|
||||
with:
|
||||
COMMIT_SHA: ${{ github.event.pull_request.head.sha }} # shouldn't alert since permission check
|
||||
@@ -0,0 +1,26 @@
|
||||
on:
|
||||
pull_request_target:
|
||||
|
||||
jobs:
|
||||
is-collaborator:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Get User Permission
|
||||
id: checkAccess
|
||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||
with:
|
||||
require: write
|
||||
username: ${{ github.actor }}
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Check User Permission
|
||||
if: steps.checkAccess.outputs.require-result == 'false'
|
||||
run: |
|
||||
echo "${{ github.actor }} does not have permissions on this repo."
|
||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||
exit 1
|
||||
build:
|
||||
# needs: is-collaborator
|
||||
uses: TestOrg/TestRepo/.github/workflows/build_nested.yml@main
|
||||
with:
|
||||
COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
|
||||
@@ -0,0 +1,41 @@
|
||||
on:
|
||||
pull_request_target:
|
||||
|
||||
jobs:
|
||||
is-collaborator:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Get User Permission
|
||||
id: checkAccess
|
||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||
with:
|
||||
require: write
|
||||
username: ${{ github.actor }}
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Check User Permission
|
||||
if: steps.checkAccess.outputs.require-result == 'false'
|
||||
run: |
|
||||
echo "${{ github.actor }} does not have permissions on this repo."
|
||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||
exit 1
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
needs: is-collaborator
|
||||
steps:
|
||||
- name: Checkout repo
|
||||
uses: actions/checkout@4
|
||||
with:
|
||||
ref: ${{ github.event.pull_request.head.sha }} # shouldn't alert since permission check
|
||||
fetch-depth: 2
|
||||
- run: yarn test
|
||||
build_unsafe:
|
||||
runs-on: ubuntu-latest
|
||||
# needs: is-collaborator
|
||||
steps:
|
||||
- name: Checkout repo
|
||||
uses: actions/checkout@4
|
||||
with:
|
||||
ref: ${{ github.event.pull_request.head.sha }} # should alert since no permission check
|
||||
fetch-depth: 2
|
||||
- run: yarn test
|
||||
@@ -0,0 +1,48 @@
|
||||
on:
|
||||
pull_request_target:
|
||||
|
||||
jobs:
|
||||
is-collaborator-a:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Get User Permission
|
||||
id: checkAccess
|
||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||
with:
|
||||
require: write
|
||||
username: ${{ github.actor }}
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Check User Permission
|
||||
if: steps.checkAccess.outputs.require-result == 'false'
|
||||
run: |
|
||||
echo "${{ github.actor }} does not have permissions on this repo."
|
||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||
exit 1
|
||||
caller-a:
|
||||
needs: is-collaborator-a
|
||||
uses: TestOrg/TestRepo/.github/workflows/build.yml@main
|
||||
with:
|
||||
COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
|
||||
is-collaborator-b:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Get User Permission
|
||||
id: checkAccess
|
||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||
with:
|
||||
require: write
|
||||
username: ${{ github.actor }}
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Check User Permission
|
||||
if: steps.checkAccess.outputs.require-result == 'false'
|
||||
run: |
|
||||
echo "${{ github.actor }} does not have permissions on this repo."
|
||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||
exit 1
|
||||
caller-b:
|
||||
needs: is-collaborator-b
|
||||
uses: TestOrg/TestRepo/.github/workflows/build.yml@main
|
||||
with:
|
||||
COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
|
||||
@@ -93,6 +93,8 @@ edges
|
||||
| .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:20:9:25:6 | Uses Step |
|
||||
| .github/workflows/dependabot3.yml:20:9:25:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone |
|
||||
| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:48:9:52:57 | Run Step |
|
||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:14:9:17:7 | Run Step |
|
||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build_nested_branching.yml:11:9:19:6 | Uses Step: checkAccess | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build_nested_branching.yml:19:9:25:2 | Run Step |
|
||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:14:9:19:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step |
|
||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:25:9:70:20 | Run Step |
|
||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step |
|
||||
@@ -334,6 +336,17 @@ edges
|
||||
| .github/workflows/untrusted_checkout_6.yml:11:9:14:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:14:9:17:6 | Uses Step |
|
||||
| .github/workflows/untrusted_checkout_6.yml:14:9:17:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:17:9:21:6 | Uses Step |
|
||||
| .github/workflows/untrusted_checkout_6.yml:17:9:21:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:21:9:23:23 | Run Step |
|
||||
| .github/workflows/untrusted_checkout_no_needs.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_no_needs.yml:16:9:22:2 | Run Step |
|
||||
| .github/workflows/untrusted_checkout_no_needs.yml:26:9:31:6 | Uses Step | .github/workflows/untrusted_checkout_no_needs.yml:31:9:31:23 | Run Step |
|
||||
| .github/workflows/untrusted_checkout_permission_check_reusable2.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permission_check_reusable2.yml:16:9:22:2 | Run Step |
|
||||
| .github/workflows/untrusted_checkout_permission_check_reusable.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permission_check_reusable.yml:16:9:22:2 | Run Step |
|
||||
| .github/workflows/untrusted_checkout_permission_check_reusable_level2.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permission_check_reusable_level2.yml:16:9:22:2 | Run Step |
|
||||
| .github/workflows/untrusted_checkout_permission_check_reusable_no_needs.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permission_check_reusable_no_needs.yml:16:9:22:2 | Run Step |
|
||||
| .github/workflows/untrusted_checkout_permissions_check.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permissions_check.yml:16:9:22:2 | Run Step |
|
||||
| .github/workflows/untrusted_checkout_permissions_check.yml:26:9:31:6 | Uses Step | .github/workflows/untrusted_checkout_permissions_check.yml:31:9:32:2 | Run Step |
|
||||
| .github/workflows/untrusted_checkout_permissions_check.yml:36:9:41:6 | Uses Step | .github/workflows/untrusted_checkout_permissions_check.yml:41:9:41:22 | Run Step |
|
||||
| .github/workflows/untrusted_checkout_two_callers_both_protected.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_two_callers_both_protected.yml:16:9:22:2 | Run Step |
|
||||
| .github/workflows/untrusted_checkout_two_callers_both_protected.yml:30:9:38:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_two_callers_both_protected.yml:38:9:44:2 | Run Step |
|
||||
| .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step |
|
||||
| .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step |
|
||||
| .github/workflows/workflow_run_untrusted_checkout_3.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_3.yml:16:9:18:31 | Uses Step |
|
||||
@@ -344,6 +357,9 @@ edges
|
||||
| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:14:9:17:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_permission_check_reusable2.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:14:9:17:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_permission_check_reusable_branching_nested.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:14:9:17:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_permission_check_reusable_no_needs.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||
@@ -377,3 +393,5 @@ edges
|
||||
| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
|
||||
| .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/untrusted_checkout_no_needs.yml:26:9:31:6 | Uses Step | .github/workflows/untrusted_checkout_no_needs.yml:26:9:31:6 | Uses Step | .github/workflows/untrusted_checkout_no_needs.yml:31:9:31:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_no_needs.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/untrusted_checkout_permissions_check.yml:36:9:41:6 | Uses Step | .github/workflows/untrusted_checkout_permissions_check.yml:36:9:41:6 | Uses Step | .github/workflows/untrusted_checkout_permissions_check.yml:41:9:41:22 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_permissions_check.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||
|
||||
@@ -1,3 +1,20 @@
|
||||
## 11.0.0
|
||||
|
||||
### Breaking Changes
|
||||
|
||||
* Removed the deprecated `overrideReturnsNull` predicate from `Options.qll`. Use `CustomOptions.overrideReturnsNull` instead.
|
||||
* Removed the deprecated `returnsNull` predicate from `Options.qll`. Use `CustomOptions.returnsNull` instead.
|
||||
* Removed the deprecated `exits` predicate from `Options.qll`. Use `CustomOptions.exits` instead.
|
||||
* Removed the deprecated `exprExits` predicate from `Options.qll`. Use `CustomOptions.exprExits` instead.
|
||||
* Removed the deprecated `alwaysCheckReturnValue` predicate from `Options.qll`. Use `CustomOptions.alwaysCheckReturnValue` instead.
|
||||
* Removed the deprecated `okToIgnoreReturnValue` predicate from `Options.qll`. Use `CustomOptions.okToIgnoreReturnValue` instead.
|
||||
* Removed the deprecated `semmle.code.cpp.Member`. Import `semmle.code.cpp.Element` and/or `semmle.code.cpp.Type` directly.
|
||||
* Removed the deprecated `UnknownDefaultLocation` class. Use `UnknownLocation` instead.
|
||||
* Removed the deprecated `UnknownExprLocation` class. Use `UnknownLocation` instead.
|
||||
* Removed the deprecated `UnknownStmtLocation` class. Use `UnknownLocation` instead.
|
||||
* Removed the deprecated `TemplateParameter` class. Use `TypeTemplateParameter` instead.
|
||||
* Support for class resolution across link targets has been removed for databases which were created with CodeQL versions before 1.23.0.
|
||||
|
||||
## 10.2.0
|
||||
|
||||
### Deprecated APIs
|
||||
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: deprecated
|
||||
---
|
||||
* Models-as-data flow summaries now use fully qualified field names (for example, `MyNamespace::MyStruct::myField`) instead of unqualified field names such as `myField`. We recommend updating existing flow summaries to use fully qualified field names. Unqualified field names are still supported, but that support will be removed in a future release.
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: breaking
|
||||
---
|
||||
* Removed support for using variables as sources and sinks in models-as-data. Users of this feature should convert such sources and sinks to models defined using the QL language.
|
||||
@@ -1,6 +1,7 @@
|
||||
---
|
||||
category: breaking
|
||||
---
|
||||
## 11.0.0
|
||||
|
||||
### Breaking Changes
|
||||
|
||||
* Removed the deprecated `overrideReturnsNull` predicate from `Options.qll`. Use `CustomOptions.overrideReturnsNull` instead.
|
||||
* Removed the deprecated `returnsNull` predicate from `Options.qll`. Use `CustomOptions.returnsNull` instead.
|
||||
* Removed the deprecated `exits` predicate from `Options.qll`. Use `CustomOptions.exits` instead.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 10.2.0
|
||||
lastReleaseVersion: 11.0.0
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/cpp-all
|
||||
version: 10.2.1-dev
|
||||
version: 11.0.1-dev
|
||||
groups: cpp
|
||||
dbscheme: semmlecode.cpp.dbscheme
|
||||
extractor: cpp
|
||||
|
||||
@@ -931,31 +931,6 @@ private Element interpretElement0(
|
||||
signature = "" and
|
||||
elementSpec(namespace, type, subtypes, name, signature, _)
|
||||
)
|
||||
or
|
||||
// Member variables
|
||||
elementSpec(namespace, type, subtypes, name, signature, _) and
|
||||
signature = "" and
|
||||
exists(Class namedClass, Class classWithMember, MemberVariable member |
|
||||
member.getName() = name and
|
||||
member = classWithMember.getAMember() and
|
||||
namedClass.hasQualifiedName(namespace, type) and
|
||||
result = member
|
||||
|
|
||||
// field declared in the named type or a subtype of it (or an extension of any)
|
||||
subtypes = true and
|
||||
classWithMember = namedClass.getADerivedClass*()
|
||||
or
|
||||
// field declared directly in the named type (or an extension of it)
|
||||
subtypes = false and
|
||||
classWithMember = namedClass
|
||||
)
|
||||
or
|
||||
// Global or namespace variables
|
||||
elementSpec(namespace, type, subtypes, name, signature, _) and
|
||||
signature = "" and
|
||||
type = "" and
|
||||
subtypes = false and
|
||||
result = any(GlobalOrNamespaceVariable v | v.hasQualifiedName(namespace, name))
|
||||
}
|
||||
|
||||
cached
|
||||
|
||||
@@ -6,6 +6,7 @@ private import cpp as Cpp
|
||||
private import codeql.dataflow.internal.FlowSummaryImpl
|
||||
private import codeql.dataflow.internal.AccessPathSyntax as AccessPath
|
||||
private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
|
||||
private import semmle.code.cpp.ir.dataflow.internal.DataFlowNodes
|
||||
private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
|
||||
private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplSpecific as DataFlowImplSpecific
|
||||
private import semmle.code.cpp.dataflow.ExternalFlow
|
||||
@@ -20,8 +21,22 @@ module Input implements InputSig<Location, DataFlowImplSpecific::CppDataFlow> {
|
||||
|
||||
class SinkBase = Void;
|
||||
|
||||
class FlowSummaryCallBase = CallInstruction;
|
||||
|
||||
predicate callableFromSource(SummarizedCallableBase c) { exists(c.getBlock()) }
|
||||
|
||||
FlowSummaryCallBase getASourceCall(SummarizedCallableBase sc) {
|
||||
result.getStaticCallTarget() = sc
|
||||
}
|
||||
|
||||
DataFlowCallable getSummarizedCallableAsDataFlowCallable(SummarizedCallableBase c) {
|
||||
result.asSummarizedCallable() = c
|
||||
}
|
||||
|
||||
DataFlowCallable getSourceCallEnclosingCallable(FlowSummaryCallBase call) {
|
||||
result.asSourceCallable() = call.getEnclosingFunction()
|
||||
}
|
||||
|
||||
ArgumentPosition callbackSelfParameterPosition() { result = TDirectPosition(-1) }
|
||||
|
||||
ReturnKind getStandardReturnValueKind() { result = getReturnValueKind("") }
|
||||
@@ -30,6 +45,10 @@ module Input implements InputSig<Location, DataFlowImplSpecific::CppDataFlow> {
|
||||
arg = repeatStars(result.(NormalReturnKind).getIndirectionIndex())
|
||||
}
|
||||
|
||||
ParameterPosition getFlowSummaryParameterPosition(ReturnKind rk) {
|
||||
result = TFlowSummaryPosition(rk)
|
||||
}
|
||||
|
||||
string encodeParameterPosition(ParameterPosition pos) { result = pos.toString() }
|
||||
|
||||
string encodeArgumentPosition(ArgumentPosition pos) { result = pos.toString() }
|
||||
@@ -40,12 +59,24 @@ module Input implements InputSig<Location, DataFlowImplSpecific::CppDataFlow> {
|
||||
arg = repeatStars(rk.(NormalReturnKind).getIndirectionIndex())
|
||||
}
|
||||
|
||||
bindingset[namespace, type, base]
|
||||
private string formatQualifiedName(string namespace, string type, string base) {
|
||||
if namespace = ""
|
||||
then result = type + "::" + base
|
||||
else result = namespace + "::" + type + "::" + base
|
||||
}
|
||||
|
||||
string encodeContent(ContentSet cs, string arg) {
|
||||
exists(FieldContent c |
|
||||
exists(FieldContent c, string namespace, string type, string base |
|
||||
cs.isSingleton(c) and
|
||||
// FieldContent indices have 0 for the address, 1 for content, so we need to subtract one.
|
||||
result = "Field" and
|
||||
arg = repeatStars(c.getIndirectionIndex() - 1) + c.getField().getName()
|
||||
c.getField().hasQualifiedName(namespace, type, base)
|
||||
|
|
||||
arg = repeatStars(c.getIndirectionIndex() - 1) + formatQualifiedName(namespace, type, base)
|
||||
or
|
||||
// TODO: This disjunct can be removed once we stop supporting unqualified field names.
|
||||
arg = repeatStars(c.getIndirectionIndex() - 1) + base
|
||||
)
|
||||
or
|
||||
exists(ElementContent ec |
|
||||
@@ -102,10 +133,22 @@ module Input implements InputSig<Location, DataFlowImplSpecific::CppDataFlow> {
|
||||
private import Make<Location, DataFlowImplSpecific::CppDataFlow, Input> as Impl
|
||||
|
||||
private module StepsInput implements Impl::Private::StepsInputSig {
|
||||
Impl::Private::SummaryNode getSummaryNode(Node n) {
|
||||
result = n.(FlowSummaryNode).getSummaryNode()
|
||||
}
|
||||
|
||||
DataFlowCall getACall(Public::SummarizedCallable sc) {
|
||||
result.getStaticCallTarget().getUnderlyingCallable() = sc
|
||||
}
|
||||
|
||||
Node getSourceOutNode(Input::FlowSummaryCallBase call, ReturnKind rk) {
|
||||
exists(IndirectReturnOutNode out | result = out |
|
||||
out.getCallInstruction() = call and
|
||||
pragma[only_bind_out](rk.(NormalReturnKind).getIndirectionIndex()) =
|
||||
pragma[only_bind_out](out.getIndirectionIndex())
|
||||
)
|
||||
}
|
||||
|
||||
DataFlowCallable getSourceNodeEnclosingCallable(Input::SourceBase source) { none() }
|
||||
|
||||
Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponentStack s) { none() }
|
||||
@@ -218,40 +261,11 @@ module SourceSinkInterpretationInput implements
|
||||
|
||||
/** Provides additional sink specification logic. */
|
||||
bindingset[c]
|
||||
predicate interpretOutput(string c, InterpretNode mid, InterpretNode node) {
|
||||
// Allow variables to be picked as output nodes.
|
||||
exists(Node n, Element ast |
|
||||
n = node.asNode() and
|
||||
ast = mid.asElement()
|
||||
|
|
||||
c = "" and
|
||||
n.asExpr().(VariableAccess).getTarget() = ast
|
||||
)
|
||||
}
|
||||
predicate interpretOutput(string c, InterpretNode mid, InterpretNode node) { none() }
|
||||
|
||||
/** Provides additional source specification logic. */
|
||||
bindingset[c]
|
||||
predicate interpretInput(string c, InterpretNode mid, InterpretNode node) {
|
||||
exists(Node n, Element ast, VariableAccess e |
|
||||
n = node.asNode() and
|
||||
ast = mid.asElement() and
|
||||
e.getTarget() = ast
|
||||
|
|
||||
// Allow variables to be picked as input nodes.
|
||||
// We could simply do this as `e = n.asExpr()`, but that would not allow
|
||||
// us to pick `x` as a sink in an example such as `x = source()` (but
|
||||
// only subsequent uses of `x`) since the variable access on `x` doesn't
|
||||
// actually load the value of `x`. So instead, we pick the instruction
|
||||
// node corresponding to the generated `StoreInstruction` and use the
|
||||
// expression associated with the destination instruction. This means
|
||||
// that the `x` in `x = source()` can be marked as an input.
|
||||
c = "" and
|
||||
exists(StoreInstruction store |
|
||||
store.getDestinationAddress().getUnconvertedResultExpression() = e and
|
||||
n.asInstruction() = store
|
||||
)
|
||||
)
|
||||
}
|
||||
predicate interpretInput(string c, InterpretNode mid, InterpretNode node) { none() }
|
||||
}
|
||||
|
||||
module Private {
|
||||
|
||||
@@ -1534,12 +1534,8 @@ class FlowSummaryNode extends Node, TFlowSummaryNode {
|
||||
result = this.getSummaryNode().getSummarizedCallable()
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the enclosing callable. For a `FlowSummaryNode` this is always the
|
||||
* summarized function this node is part of.
|
||||
*/
|
||||
override DataFlowCallable getEnclosingCallable() {
|
||||
result.asSummarizedCallable() = this.getSummarizedCallable()
|
||||
result = FlowSummaryImpl::Private::getEnclosingCallable(this.getSummaryNode())
|
||||
}
|
||||
|
||||
override Location getLocationImpl() { result = this.getSummarizedCallable().getLocation() }
|
||||
|
||||
@@ -561,6 +561,21 @@ class SummaryArgumentNode extends ArgumentNode, FlowSummaryNode {
|
||||
}
|
||||
}
|
||||
|
||||
/** An argument node that re-enters return output as input to a flow summary. */
|
||||
private class FlowSummaryArgumentNode extends ArgumentNode, FlowSummaryNode {
|
||||
private CallInstruction callInstruction;
|
||||
private ReturnKind rk;
|
||||
|
||||
FlowSummaryArgumentNode() {
|
||||
this.getSummaryNode() = FlowSummaryImpl::Private::summaryArgumentNode(callInstruction, rk)
|
||||
}
|
||||
|
||||
override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
|
||||
call.asCallInstruction() = callInstruction and
|
||||
pos = TFlowSummaryPosition(rk)
|
||||
}
|
||||
}
|
||||
|
||||
/** A parameter position represented by an integer. */
|
||||
class ParameterPosition = Position;
|
||||
|
||||
@@ -616,6 +631,18 @@ class IndirectionPosition extends Position, TIndirectionPosition {
|
||||
final override int getIndirectionIndex() { result = indirectionIndex }
|
||||
}
|
||||
|
||||
class FlowSummaryPosition extends Position, TFlowSummaryPosition {
|
||||
ReturnKind rk;
|
||||
|
||||
FlowSummaryPosition() { this = TFlowSummaryPosition(rk) }
|
||||
|
||||
override string toString() { result = "write to: " + rk.toString() }
|
||||
|
||||
override int getArgumentIndex() { none() }
|
||||
|
||||
final override int getIndirectionIndex() { result = rk.getIndirectionIndex() }
|
||||
}
|
||||
|
||||
newtype TPosition =
|
||||
TDirectPosition(int argumentIndex) {
|
||||
exists(any(CallInstruction c).getArgument(argumentIndex))
|
||||
@@ -634,7 +661,8 @@ newtype TPosition =
|
||||
p = f.getParameter(argumentIndex) and
|
||||
indirectionIndex = [1 .. Ssa::getMaxIndirectionsForType(p.getUnspecifiedType()) - 1]
|
||||
)
|
||||
}
|
||||
} or
|
||||
TFlowSummaryPosition(ReturnKind rk) { FlowSummaryImpl::Private::relevantFlowSummaryPosition(rk) }
|
||||
|
||||
private newtype TReturnKind =
|
||||
TNormalReturnKind(int indirectionIndex) {
|
||||
@@ -1378,6 +1406,8 @@ predicate nodeIsHidden(Node n) {
|
||||
n instanceof InitialGlobalValue
|
||||
or
|
||||
n instanceof SsaSynthNode
|
||||
or
|
||||
n.(FlowSummaryNode).getSummaryNode().isHidden()
|
||||
}
|
||||
|
||||
predicate neverSkipInPathGraph(Node n) {
|
||||
|
||||
@@ -158,7 +158,7 @@ private module Cached {
|
||||
model = ""
|
||||
or
|
||||
// models-as-data summarized flow
|
||||
FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom.(FlowSummaryNode).getSummaryNode(),
|
||||
FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom,
|
||||
nodeTo.(FlowSummaryNode).getSummaryNode(), true, model)
|
||||
}
|
||||
|
||||
|
||||
@@ -67,7 +67,7 @@ private module Cached {
|
||||
model = ""
|
||||
or
|
||||
// models-as-data summarized flow
|
||||
FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom.(FlowSummaryNode).getSummaryNode(),
|
||||
FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom,
|
||||
nodeTo.(FlowSummaryNode).getSummaryNode(), false, model)
|
||||
or
|
||||
// object->field conflation for content that is a `TaintInheritingContent`.
|
||||
|
||||
@@ -1,3 +1,7 @@
|
||||
## 1.6.5
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.6.4
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
3
cpp/ql/src/change-notes/released/1.6.5.md
Normal file
3
cpp/ql/src/change-notes/released/1.6.5.md
Normal file
@@ -0,0 +1,3 @@
|
||||
## 1.6.5
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.6.4
|
||||
lastReleaseVersion: 1.6.5
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/cpp-queries
|
||||
version: 1.6.5-dev
|
||||
version: 1.6.6-dev
|
||||
groups:
|
||||
- cpp
|
||||
- queries
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
jsf/4.13 Functions/AV Rule 107.ql
|
||||
query: jsf/4.13 Functions/AV Rule 107.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
Best Practices/Hiding/LocalVariableHidesGlobalVariable.ql
|
||||
query: Best Practices/Hiding/LocalVariableHidesGlobalVariable.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -48,7 +48,7 @@ void test1()
|
||||
|
||||
void test2()
|
||||
{
|
||||
Lock<Mutex> myLock(); // BAD (interpreted as a function declaration, this does nothing)
|
||||
Lock<Mutex> myLock(); // $ Alert[cpp/function-in-block] // BAD (interpreted as a function declaration, this does nothing)
|
||||
|
||||
// ...
|
||||
}
|
||||
@@ -62,14 +62,14 @@ void test3()
|
||||
|
||||
void test4()
|
||||
{
|
||||
Lock<Mutex>(myMutex); // BAD (creates an uninitialized variable called `myMutex`, probably not intended)
|
||||
Lock<Mutex>(myMutex); // $ Alert[cpp/local-variable-hides-global-variable] // BAD (creates an uninitialized variable called `myMutex`, probably not intended)
|
||||
|
||||
// ...
|
||||
}
|
||||
|
||||
void test5()
|
||||
{
|
||||
Lock<Mutex> myLock(Mutex); // BAD (interpreted as a function declaration, this does nothing)
|
||||
Lock<Mutex> myLock(Mutex); // $ Alert[cpp/function-in-block] // BAD (interpreted as a function declaration, this does nothing)
|
||||
|
||||
// ...
|
||||
}
|
||||
@@ -86,7 +86,7 @@ public:
|
||||
|
||||
void test7()
|
||||
{
|
||||
Lock<Mutex>(memberMutex); // BAD (creates an uninitialized variable called `memberMutex`, probably not intended) [NOT DETECTED]
|
||||
Lock<Mutex>(memberMutex); // $ MISSING: Alert // BAD (creates an uninitialized variable called `memberMutex`, probably not intended) [NOT DETECTED]
|
||||
|
||||
// ...
|
||||
}
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser.ql
|
||||
query: experimental/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -19,7 +19,7 @@ void test1(int p)
|
||||
{
|
||||
sys_somesystemcall(&p);
|
||||
|
||||
unsafe_put_user(123, &p); // BAD [NOT DETECTED]
|
||||
unsafe_put_user(123, &p); // $ MISSING: Alert // BAD [NOT DETECTED]
|
||||
}
|
||||
|
||||
void test2(int p)
|
||||
@@ -40,7 +40,7 @@ void test3()
|
||||
|
||||
sys_somesystemcall(&v);
|
||||
|
||||
unsafe_put_user(123, &v); // BAD [NOT DETECTED]
|
||||
unsafe_put_user(123, &v); // $ MISSING: Alert // BAD [NOT DETECTED]
|
||||
}
|
||||
|
||||
void test4()
|
||||
@@ -68,7 +68,7 @@ void test5()
|
||||
|
||||
sys_somesystemcall(&myData);
|
||||
|
||||
unsafe_put_user(123, &(myData.x)); // BAD [NOT DETECTED]
|
||||
unsafe_put_user(123, &(myData.x)); // $ MISSING: Alert // BAD [NOT DETECTED]
|
||||
}
|
||||
|
||||
void test6()
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-020/LateCheckOfFunctionArgument.ql
|
||||
query: experimental/Security/CWE/CWE-020/LateCheckOfFunctionArgument.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -3,6 +3,6 @@ void workFunction_0(char *s) {
|
||||
char buf[80], buf1[8];
|
||||
if(len<0) return;
|
||||
memset(buf,0,len); //GOOD
|
||||
memset(buf1,0,len1); //BAD
|
||||
memset(buf1,0,len1); // $ Alert //BAD
|
||||
if(len1<0) return;
|
||||
}
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-078/WordexpTainted.ql
|
||||
query: experimental/Security/CWE/CWE-078/WordexpTainted.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -19,14 +19,14 @@ enum {
|
||||
|
||||
int wordexp(const char *restrict s, wordexp_t *restrict p, int flags);
|
||||
|
||||
int main(int argc, char** argv) {
|
||||
int main(int argc, char** argv) { // $ Source
|
||||
char *filePath = argv[2];
|
||||
|
||||
{
|
||||
// BAD: the user string is injected directly into `wordexp` which performs command substitution
|
||||
|
||||
wordexp_t we;
|
||||
wordexp(filePath, &we, 0);
|
||||
wordexp(filePath, &we, 0); // $ Alert
|
||||
}
|
||||
|
||||
{
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-1041/FindWrapperFunctions.ql
|
||||
query: experimental/Security/CWE/CWE-1041/FindWrapperFunctions.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -20,7 +20,7 @@ void myFclose(FILE * fmy)
|
||||
int main(int argc, char *argv[])
|
||||
{
|
||||
fe = fopen("myFile.txt", "wt");
|
||||
fclose(fe); // BAD
|
||||
fclose(fe); // $ Alert // BAD
|
||||
fe = fopen("myFile.txt", "wt");
|
||||
myFclose(fe); // GOOD
|
||||
return 0;
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
|
||||
query: experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -11,7 +11,7 @@ void workFunction_0(char *s) {
|
||||
while(intIndex > 2)
|
||||
{
|
||||
buf[intIndex] = 1;
|
||||
int intIndex; // BAD
|
||||
int intIndex; // $ Alert // BAD
|
||||
intIndex--;
|
||||
}
|
||||
intIndex = 10;
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-1240/CustomCryptographicPrimitive.ql
|
||||
query: experimental/Security/CWE/CWE-1240/CustomCryptographicPrimitive.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -8,7 +8,7 @@ int strlen(const char *string);
|
||||
|
||||
// the following function is homebrew crypto written for this test. This is a bad algorithm
|
||||
// on multiple levels and should never be used in cryptography.
|
||||
void encryptString(char *string, unsigned int key) {
|
||||
void encryptString(char *string, unsigned int key) { // $ Alert
|
||||
char *ptr = string;
|
||||
int len = strlen(string);
|
||||
|
||||
@@ -27,7 +27,7 @@ void encryptString(char *string, unsigned int key) {
|
||||
|
||||
// the following function is homebrew crypto written for this test. This is a bad algorithm
|
||||
// on multiple levels and should never be used in cryptography.
|
||||
void MyEncrypt(const unsigned int *dataIn, unsigned int *dataOut, unsigned int dataSize, unsigned int key[2]) {
|
||||
void MyEncrypt(const unsigned int *dataIn, unsigned int *dataOut, unsigned int dataSize, unsigned int key[2]) { // $ Alert
|
||||
unsigned int state[2];
|
||||
unsigned int t;
|
||||
|
||||
@@ -48,7 +48,7 @@ void MyEncrypt(const unsigned int *dataIn, unsigned int *dataOut, unsigned int d
|
||||
// the following function resembles an implementation of the AES "mix columns"
|
||||
// step. It is not accurate, efficient or safe and should never be used in
|
||||
// cryptography.
|
||||
void mix_columns(const uint8_t inputs[4], uint8_t outputs[4]) {
|
||||
void mix_columns(const uint8_t inputs[4], uint8_t outputs[4]) { // $ Alert
|
||||
// The "mix columns" step takes four bytes as inputs. Each byte represents a
|
||||
// polynomial with 8 one-bit coefficients, e.g. input bits 00001101
|
||||
// represent the polynomial x^3 + x^2 + 1. Arithmetic is reduced modulo
|
||||
@@ -80,7 +80,7 @@ void mix_columns(const uint8_t inputs[4], uint8_t outputs[4]) {
|
||||
// the following function resembles initialization of an S-box as may be done
|
||||
// in an implementation of DES, AES and other encryption algorithms. It is not
|
||||
// accurate, efficient or safe and should never be used in cryptography.
|
||||
void init_aes_sbox(unsigned char data[256]) {
|
||||
void init_aes_sbox(unsigned char data[256]) { // $ Alert
|
||||
// initialize `data` in a loop using lots of ^, ^= and << operations and
|
||||
// a few fixed constants.
|
||||
unsigned int state = 0x12345678;
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-125/DangerousWorksWithMultibyteOrWideCharacters.ql
|
||||
query: experimental/Security/CWE/CWE-125/DangerousWorksWithMultibyteOrWideCharacters.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -63,7 +63,7 @@ static void badTest1(const char* ptr)
|
||||
int ret;
|
||||
int len;
|
||||
len = strlen(ptr);
|
||||
for (wchar_t wc; (ret = mbtowc(&wc, ptr, 4)) > 0; len-=ret) { // BAD:we can get unpredictable results
|
||||
for (wchar_t wc; (ret = mbtowc(&wc, ptr, 4)) > 0; len-=ret) { // $ Alert // BAD:we can get unpredictable results
|
||||
wprintf(L"%lc", wc);
|
||||
ptr += ret;
|
||||
}
|
||||
@@ -73,7 +73,7 @@ static void badTest2(const char* ptr)
|
||||
int ret;
|
||||
int len;
|
||||
len = strlen(ptr);
|
||||
for (wchar_t wc; (ret = mbtowc(&wc, ptr, sizeof(wchar_t))) > 0; len-=ret) { // BAD:we can get unpredictable results
|
||||
for (wchar_t wc; (ret = mbtowc(&wc, ptr, sizeof(wchar_t))) > 0; len-=ret) { // $ Alert // BAD:we can get unpredictable results
|
||||
wprintf(L"%lc", wc);
|
||||
ptr += ret;
|
||||
}
|
||||
@@ -103,7 +103,7 @@ static void badTest3(const char* ptr,int wc_len)
|
||||
len = wc_len;
|
||||
wchar_t *wc = new wchar_t[wc_len];
|
||||
while (*ptr && len > 0) {
|
||||
ret = mbtowc(wc, ptr, MB_CUR_MAX); // BAD
|
||||
ret = mbtowc(wc, ptr, MB_CUR_MAX); // $ Alert // BAD
|
||||
if (ret <0)
|
||||
break;
|
||||
if (ret == 0 || ret > len)
|
||||
@@ -120,7 +120,7 @@ static void badTest4(const char* ptr,int wc_len)
|
||||
len = wc_len;
|
||||
wchar_t *wc = new wchar_t[wc_len];
|
||||
while (*ptr && len > 0) {
|
||||
ret = mbtowc(wc, ptr, 16); // BAD
|
||||
ret = mbtowc(wc, ptr, 16); // $ Alert // BAD
|
||||
if (ret <0)
|
||||
break;
|
||||
if (ret == 0 || ret > len)
|
||||
@@ -137,7 +137,7 @@ static void badTest5(const char* ptr,int wc_len)
|
||||
len = wc_len;
|
||||
wchar_t *wc = new wchar_t[wc_len];
|
||||
while (*ptr && len > 0) {
|
||||
ret = mbtowc(wc, ptr, sizeof(wchar_t)); // BAD
|
||||
ret = mbtowc(wc, ptr, sizeof(wchar_t)); // $ Alert // BAD
|
||||
if (ret <0)
|
||||
break;
|
||||
if (ret == 0 || ret > len)
|
||||
@@ -155,7 +155,7 @@ static void badTest6(const char* ptr,int wc_len)
|
||||
len = wc_len;
|
||||
wchar_t *wc = new wchar_t[wc_len];
|
||||
while (*ptr && wc_len > 0) {
|
||||
ret = mbtowc(wc, ptr, wc_len); // BAD
|
||||
ret = mbtowc(wc, ptr, wc_len); // $ Alert // BAD
|
||||
if (ret <0)
|
||||
if (checkErrors()) {
|
||||
++ptr;
|
||||
@@ -178,7 +178,7 @@ static void badTest7(const char* ptr,int wc_len)
|
||||
len = wc_len;
|
||||
wchar_t *wc = new wchar_t[wc_len];
|
||||
while (*ptr && wc_len > 0) {
|
||||
ret = mbtowc(wc, ptr, len); // BAD
|
||||
ret = mbtowc(wc, ptr, len); // $ Alert // BAD
|
||||
if (ret <0)
|
||||
break;
|
||||
if (ret == 0 || ret > len)
|
||||
@@ -194,7 +194,7 @@ static void badTest8(const char* ptr,wchar_t *wc)
|
||||
int len;
|
||||
len = strlen(ptr);
|
||||
while (*ptr && len > 0) {
|
||||
ret = mbtowc(wc, ptr, len); // BAD
|
||||
ret = mbtowc(wc, ptr, len); // $ Alert // BAD
|
||||
if (ret <0)
|
||||
break;
|
||||
if (ret == 0 || ret > len)
|
||||
|
||||
@@ -25,8 +25,8 @@ void* calloc (size_t num, size_t size);
|
||||
void* malloc (size_t size);
|
||||
|
||||
static void badTest1(void *src, int size) {
|
||||
WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, (LPSTR)src, size, 0, 0); // BAD
|
||||
MultiByteToWideChar(CP_ACP, 0, (LPCSTR)src, -1, (LPCWSTR)src, 30); // BAD
|
||||
WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, (LPSTR)src, size, 0, 0); // $ Alert // BAD
|
||||
MultiByteToWideChar(CP_ACP, 0, (LPCSTR)src, -1, (LPCWSTR)src, 30); // $ Alert // BAD
|
||||
}
|
||||
void goodTest2(){
|
||||
wchar_t src[] = L"0123456789ABCDEF";
|
||||
@@ -42,7 +42,7 @@ void goodTest2(){
|
||||
static void badTest2(){
|
||||
wchar_t src[] = L"0123456789ABCDEF";
|
||||
char dst[16];
|
||||
WideCharToMultiByte(CP_UTF8, 0, src, -1, dst, 16, NULL, NULL); // BAD
|
||||
WideCharToMultiByte(CP_UTF8, 0, src, -1, dst, 16, NULL, NULL); // $ Alert // BAD
|
||||
printf("%s\n", dst);
|
||||
}
|
||||
static void goodTest3(){
|
||||
@@ -55,7 +55,7 @@ static void badTest3(){
|
||||
char src[] = "0123456789ABCDEF";
|
||||
int size = MultiByteToWideChar(CP_UTF8, 0, src,sizeof(src),NULL,0);
|
||||
wchar_t * dst = (wchar_t*)calloc(size + 1, 1);
|
||||
MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // BAD
|
||||
MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // $ Alert // BAD
|
||||
}
|
||||
static void goodTest4(){
|
||||
char src[] = "0123456789ABCDEF";
|
||||
@@ -67,13 +67,13 @@ static void badTest4(){
|
||||
char src[] = "0123456789ABCDEF";
|
||||
int size = MultiByteToWideChar(CP_UTF8, 0, src,sizeof(src),NULL,0);
|
||||
wchar_t * dst = (wchar_t*)malloc(size + 1);
|
||||
MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // BAD
|
||||
MultiByteToWideChar(CP_UTF8, 0, src, -1, dst, size+1); // $ Alert // BAD
|
||||
}
|
||||
static int goodTest5(void *src){
|
||||
return WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, 0, 0, 0, 0); // GOOD
|
||||
}
|
||||
static int badTest5 (void *src) {
|
||||
return WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, 0, 3, 0, 0); // BAD
|
||||
return WideCharToMultiByte(CP_ACP, 0, (LPCWSTR)src, -1, 0, 3, 0, 0); // $ Alert // BAD
|
||||
}
|
||||
static void goodTest6(WCHAR *src)
|
||||
{
|
||||
@@ -90,6 +90,6 @@ static void goodTest6(WCHAR *src)
|
||||
static void badTest6(WCHAR *src)
|
||||
{
|
||||
char dst[5] ="";
|
||||
WideCharToMultiByte(CP_ACP, 0, src, -1, dst, 260, 0, 0); // BAD
|
||||
WideCharToMultiByte(CP_ACP, 0, src, -1, dst, 260, 0, 0); // $ Alert // BAD
|
||||
printf("%s\n", dst);
|
||||
}
|
||||
|
||||
@@ -12,11 +12,11 @@ size_t mbsrtowcs(wchar_t *wcstr,const char *mbstr,size_t count, mbstate_t *mbsta
|
||||
|
||||
|
||||
static void badTest1(void *src, int size) {
|
||||
mbstowcs((wchar_t*)src,(char*)src,size); // BAD
|
||||
mbstowcs((wchar_t*)src,(char*)src,size); // $ Alert // BAD
|
||||
_locale_t locale;
|
||||
_mbstowcs_l((wchar_t*)src,(char*)src,size,locale); // BAD
|
||||
_mbstowcs_l((wchar_t*)src,(char*)src,size,locale); // $ Alert // BAD
|
||||
mbstate_t *mbstate;
|
||||
mbsrtowcs((wchar_t*)src,(char*)src,size,mbstate); // BAD
|
||||
mbsrtowcs((wchar_t*)src,(char*)src,size,mbstate); // $ Alert // BAD
|
||||
}
|
||||
static void goodTest2(){
|
||||
char src[] = "0123456789ABCDEF";
|
||||
@@ -32,7 +32,7 @@ static void goodTest2(){
|
||||
static void badTest2(){
|
||||
char src[] = "0123456789ABCDEF";
|
||||
wchar_t dst[16];
|
||||
mbstowcs(dst, src,16); // BAD
|
||||
mbstowcs(dst, src,16); // $ Alert // BAD
|
||||
printf("%s\n", dst);
|
||||
}
|
||||
static void goodTest3(){
|
||||
@@ -45,7 +45,7 @@ static void badTest3(){
|
||||
char src[] = "0123456789ABCDEF";
|
||||
int size = mbstowcs(NULL, src,NULL);
|
||||
wchar_t * dst = (wchar_t*)calloc(size + 1, 1);
|
||||
mbstowcs(dst, src,size+1); // BAD
|
||||
mbstowcs(dst, src,size+1); // $ Alert // BAD
|
||||
}
|
||||
static void goodTest4(){
|
||||
char src[] = "0123456789ABCDEF";
|
||||
@@ -57,13 +57,13 @@ static void badTest4(){
|
||||
char src[] = "0123456789ABCDEF";
|
||||
int size = mbstowcs(NULL, src,NULL);
|
||||
wchar_t * dst = (wchar_t*)malloc(size + 1);
|
||||
mbstowcs(dst, src,size+1); // BAD
|
||||
mbstowcs(dst, src,size+1); // $ Alert // BAD
|
||||
}
|
||||
static int goodTest5(void *src){
|
||||
return mbstowcs(NULL, (char*)src,NULL); // GOOD
|
||||
}
|
||||
static int badTest5 (void *src) {
|
||||
return mbstowcs(NULL, (char*)src,3); // BAD
|
||||
return mbstowcs(NULL, (char*)src,3); // $ Alert // BAD
|
||||
}
|
||||
static void goodTest6(void *src){
|
||||
wchar_t dst[5];
|
||||
@@ -77,6 +77,6 @@ static void goodTest6(void *src){
|
||||
}
|
||||
static void badTest6(void *src){
|
||||
wchar_t dst[5];
|
||||
mbstowcs(dst, (char*)src,260); // BAD
|
||||
mbstowcs(dst, (char*)src,260); // $ Alert // BAD
|
||||
printf("%s\n", dst);
|
||||
}
|
||||
|
||||
@@ -13,7 +13,7 @@ static size_t badTest1(unsigned char *src){
|
||||
int cb = 0;
|
||||
unsigned char dst[50];
|
||||
while( cb < sizeof(dst) )
|
||||
dst[cb++]=*src++; // BAD
|
||||
dst[cb++]=*src++; // $ Alert // BAD
|
||||
return _mbclen(dst);
|
||||
}
|
||||
static void goodTest2(unsigned char *src){
|
||||
@@ -33,7 +33,7 @@ static void badTest2(unsigned char *src){
|
||||
unsigned char dst[50];
|
||||
while( cb < sizeof(dst) )
|
||||
{
|
||||
_mbccpy(dst+cb,src); // BAD
|
||||
_mbccpy(dst+cb,src); // $ Alert // BAD
|
||||
cb+=_mbclen(src);
|
||||
src=_mbsinc(src);
|
||||
}
|
||||
@@ -44,5 +44,5 @@ static void goodTest3(){
|
||||
}
|
||||
static void badTest3(){
|
||||
wchar_t name[50];
|
||||
name[sizeof(name) - 1] = L'\0'; // BAD
|
||||
name[sizeof(name) - 1] = L'\0'; // $ Alert // BAD
|
||||
}
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
|
||||
query: experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -10,31 +10,31 @@ void test()
|
||||
int y = getAnInt();
|
||||
|
||||
char *buffer1 = (char *)malloc(x + y); // GOOD
|
||||
char *buffer2 = (char *)malloc(x * y); // BAD
|
||||
char *buffer2 = (char *)malloc(x * y); // $ Alert // BAD
|
||||
int *buffer3 = (int *)malloc(x * sizeof(int)); // GOOD
|
||||
int *buffer4 = (int *)malloc(x * y * sizeof(int)); // BAD
|
||||
int *buffer4 = (int *)malloc(x * y * sizeof(int)); // $ Alert // BAD
|
||||
|
||||
if ((x <= 1000) && (y <= 1000))
|
||||
{
|
||||
char *buffer5 = (char *)malloc(x * y); // GOOD [FALSE POSITIVE]
|
||||
char *buffer5 = (char *)malloc(x * y); // $ SPURIOUS: Alert // GOOD [FALSE POSITIVE]
|
||||
}
|
||||
|
||||
size_t size1 = x * y;
|
||||
char *buffer5 = (char *)malloc(size1); // BAD
|
||||
size_t size1 = x * y; // $ Source
|
||||
char *buffer5 = (char *)malloc(size1); // $ Alert // BAD
|
||||
|
||||
size_t size2 = x;
|
||||
size2 *= y;
|
||||
char *buffer6 = (char *)malloc(size2); // BAD [NOT DETECTED]
|
||||
char *buffer6 = (char *)malloc(size2); // $ MISSING: Alert // BAD [NOT DETECTED]
|
||||
|
||||
char *buffer7 = new char[x * 10]; // GOOD
|
||||
char *buffer8 = new char[x * y]; // BAD
|
||||
char *buffer9 = new char[x * x]; // BAD
|
||||
char *buffer8 = new char[x * y]; // $ Alert // BAD
|
||||
char *buffer9 = new char[x * x]; // $ Alert // BAD
|
||||
}
|
||||
|
||||
|
||||
// --- custom allocators ---
|
||||
|
||||
void *MyMalloc1(size_t size) { return malloc(size); } // [additional detection here]
|
||||
|
||||
void *MyMalloc1(size_t size) { return malloc(size); } // $ Alert // [additional detection here]
|
||||
void *MyMalloc2(size_t size);
|
||||
|
||||
void customAllocatorTests()
|
||||
@@ -42,6 +42,6 @@ void customAllocatorTests()
|
||||
int x = getAnInt();
|
||||
int y = getAnInt();
|
||||
|
||||
char *buffer1 = (char *)MyMalloc1(x * y); // BAD
|
||||
char *buffer2 = (char *)MyMalloc2(x * y); // BAD
|
||||
char *buffer1 = (char *)MyMalloc1(x * y); // $ Alert Source // BAD
|
||||
char *buffer2 = (char *)MyMalloc2(x * y); // $ Alert // BAD
|
||||
}
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation.ql
|
||||
query: experimental/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -6,17 +6,17 @@ void functionWork(char aA[10],unsigned int aUI) {
|
||||
int aI;
|
||||
|
||||
aI = (aUI*8)/10; // GOOD
|
||||
aI = aUI*8; // BAD
|
||||
aI = aUI*8; // $ Alert // BAD
|
||||
aP = aA+aI;
|
||||
aI = (int)aUI*8; // GOOD
|
||||
|
||||
aL = (unsigned long)(aI*aI); // BAD
|
||||
|
||||
aL = (unsigned long)(aI*aI); // $ Alert // BAD
|
||||
aL = ((unsigned long)aI*aI); // GOOD
|
||||
|
||||
testCall((unsigned long)(aI*aI)); // BAD
|
||||
|
||||
testCall((unsigned long)(aI*aI)); // $ Alert // BAD
|
||||
testCall(((unsigned long)aI*aI)); // GOOD
|
||||
|
||||
if((unsigned long)(aI*aI) > aL) // BAD
|
||||
|
||||
if((unsigned long)(aI*aI) > aL) // $ Alert // BAD
|
||||
return;
|
||||
if(((unsigned long)aI*aI) > aL) // GOOD
|
||||
return;
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.ql
|
||||
query: experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -15,49 +15,49 @@ void test()
|
||||
unsigned short b1 = getAnUnsignedShort();
|
||||
unsigned short c1 = getAnUnsignedShort();
|
||||
|
||||
if (a+b>c) a = c-b; // BAD
|
||||
if (a+b>c) { a = c-b; } // BAD
|
||||
if (b+a>c) a = c-b; // BAD
|
||||
if (b+a>c) { a = c-b; } // BAD
|
||||
if (c>a+b) a = c-b; // BAD
|
||||
if (c>a+b) { a = c-b; } // BAD
|
||||
if (c>b+a) a = c-b; // BAD
|
||||
if (c>b+a) { a = c-b; } // BAD
|
||||
if (a+b>c) a = c-b; // $ Alert // BAD
|
||||
if (a+b>c) { a = c-b; } // $ Alert // BAD
|
||||
if (b+a>c) a = c-b; // $ Alert // BAD
|
||||
if (b+a>c) { a = c-b; } // $ Alert // BAD
|
||||
if (c>a+b) a = c-b; // $ Alert // BAD
|
||||
if (c>a+b) { a = c-b; } // $ Alert // BAD
|
||||
if (c>b+a) a = c-b; // $ Alert // BAD
|
||||
if (c>b+a) { a = c-b; } // $ Alert // BAD
|
||||
|
||||
if (a+b>=c) a = c-b; // BAD
|
||||
if (a+b>=c) { a = c-b; } // BAD
|
||||
if (b+a>=c) a = c-b; // BAD
|
||||
if (b+a>=c) { a = c-b; } // BAD
|
||||
if (c>=a+b) a = c-b; // BAD
|
||||
if (c>=a+b) { a = c-b; } // BAD
|
||||
if (c>=b+a) a = c-b; // BAD
|
||||
if (c>=b+a) { a = c-b; } // BAD
|
||||
if (a+b>=c) a = c-b; // $ Alert // BAD
|
||||
if (a+b>=c) { a = c-b; } // $ Alert // BAD
|
||||
if (b+a>=c) a = c-b; // $ Alert // BAD
|
||||
if (b+a>=c) { a = c-b; } // $ Alert // BAD
|
||||
if (c>=a+b) a = c-b; // $ Alert // BAD
|
||||
if (c>=a+b) { a = c-b; } // $ Alert // BAD
|
||||
if (c>=b+a) a = c-b; // $ Alert // BAD
|
||||
if (c>=b+a) { a = c-b; } // $ Alert // BAD
|
||||
|
||||
if (a+b<c) a = c-b; // BAD
|
||||
if (a+b<c) { a = c-b; } // BAD
|
||||
if (b+a<c) a = c-b; // BAD
|
||||
if (b+a<c) { a = c-b; } // BAD
|
||||
if (c<a+b) a = c-b; // BAD
|
||||
if (c<a+b) { a = c-b; } // BAD
|
||||
if (c<b+a) a = c-b; // BAD
|
||||
if (c<b+a) { a = c-b; } // BAD
|
||||
if (a+b<c) a = c-b; // $ Alert // BAD
|
||||
if (a+b<c) { a = c-b; } // $ Alert // BAD
|
||||
if (b+a<c) a = c-b; // $ Alert // BAD
|
||||
if (b+a<c) { a = c-b; } // $ Alert // BAD
|
||||
if (c<a+b) a = c-b; // $ Alert // BAD
|
||||
if (c<a+b) { a = c-b; } // $ Alert // BAD
|
||||
if (c<b+a) a = c-b; // $ Alert // BAD
|
||||
if (c<b+a) { a = c-b; } // $ Alert // BAD
|
||||
|
||||
if (a+b<=c) a = c-b; // BAD
|
||||
if (a+b<=c) { a = c-b; } // BAD
|
||||
if (b+a<=c) a = c-b; // BAD
|
||||
if (b+a<=c) { a = c-b; } // BAD
|
||||
if (c<=a+b) a = c-b; // BAD
|
||||
if (c<=a+b) { a = c-b; } // BAD
|
||||
if (c<=b+a) a = c-b; // BAD
|
||||
if (c<=b+a) { a = c-b; } // BAD
|
||||
if (a+b<=c) a = c-b; // $ Alert // BAD
|
||||
if (a+b<=c) { a = c-b; } // $ Alert // BAD
|
||||
if (b+a<=c) a = c-b; // $ Alert // BAD
|
||||
if (b+a<=c) { a = c-b; } // $ Alert // BAD
|
||||
if (c<=a+b) a = c-b; // $ Alert // BAD
|
||||
if (c<=a+b) { a = c-b; } // $ Alert // BAD
|
||||
if (c<=b+a) a = c-b; // $ Alert // BAD
|
||||
if (c<=b+a) { a = c-b; } // $ Alert // BAD
|
||||
|
||||
if (a+b>d) a = d-b; // BAD
|
||||
if (a+b>d) a = d-b; // $ Alert // BAD
|
||||
if (a+(double)b>c) a = c-b; // GOOD
|
||||
if (a+(-x)>c) a = c-(-y); // GOOD
|
||||
if (a+b>c) { b++; a = c-b; } // GOOD
|
||||
if (a+d>c) a = c-d; // GOOD
|
||||
if (a1+b1>c1) a1 = c1-b1; // GOOD
|
||||
|
||||
if (a+b<=c) { /* ... */ } else { a = c-b; } // BAD
|
||||
if (a+b<=c) { return; } a = c-b; // BAD
|
||||
|
||||
if (a+b<=c) { /* ... */ } else { a = c-b; } // $ Alert // BAD
|
||||
if (a+b<=c) { return; } a = c-b; // $ Alert // BAD
|
||||
}
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Likely Bugs/ArrayAccessProductFlow.ql
|
||||
query: experimental/Likely Bugs/ArrayAccessProductFlow.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1,13 +1,13 @@
|
||||
char *malloc(int size);
|
||||
|
||||
void test1(int size) {
|
||||
char *arr = malloc(size);
|
||||
char *arr = malloc(size); // $ Source
|
||||
for (int i = 0; i < size; i++) {
|
||||
arr[i] = 0; // GOOD
|
||||
}
|
||||
|
||||
for (int i = 0; i <= size; i++) {
|
||||
arr[i] = i; // BAD
|
||||
arr[i] = i; // $ Alert // BAD
|
||||
}
|
||||
}
|
||||
|
||||
@@ -18,7 +18,7 @@ typedef struct {
|
||||
|
||||
array_t mk_array(int size) {
|
||||
array_t arr;
|
||||
arr.p = malloc(size);
|
||||
arr.p = malloc(size); // $ Source
|
||||
arr.size = size;
|
||||
|
||||
return arr;
|
||||
@@ -32,7 +32,7 @@ void test2(int size) {
|
||||
}
|
||||
|
||||
for (int i = 0; i <= arr.size; i++) {
|
||||
arr.p[i] = i; // BAD
|
||||
arr.p[i] = i; // $ Alert // BAD
|
||||
}
|
||||
}
|
||||
|
||||
@@ -42,7 +42,7 @@ void test3_callee(array_t arr) {
|
||||
}
|
||||
|
||||
for (int i = 0; i <= arr.size; i++) {
|
||||
arr.p[i] = i; // BAD
|
||||
arr.p[i] = i; // $ Alert // BAD
|
||||
}
|
||||
}
|
||||
|
||||
@@ -52,7 +52,7 @@ void test3(int size) {
|
||||
|
||||
void test4(int size) {
|
||||
array_t arr;
|
||||
arr.p = malloc(size);
|
||||
arr.p = malloc(size); // $ Source
|
||||
arr.size = size;
|
||||
|
||||
for (int i = 0; i < arr.size; i++) {
|
||||
@@ -60,13 +60,13 @@ void test4(int size) {
|
||||
}
|
||||
|
||||
for (int i = 0; i <= arr.size; i++) {
|
||||
arr.p[i] = i; // BAD
|
||||
arr.p[i] = i; // $ Alert // BAD
|
||||
}
|
||||
}
|
||||
|
||||
array_t *mk_array_p(int size) {
|
||||
array_t *arr = (array_t*) malloc(sizeof(array_t));
|
||||
arr->p = malloc(size);
|
||||
arr->p = malloc(size); // $ Source
|
||||
arr->size = size;
|
||||
|
||||
return arr;
|
||||
@@ -80,7 +80,7 @@ void test5(int size) {
|
||||
}
|
||||
|
||||
for (int i = 0; i <= arr->size; i++) {
|
||||
arr->p[i] = i; // BAD
|
||||
arr->p[i] = i; // $ Alert // BAD
|
||||
}
|
||||
}
|
||||
|
||||
@@ -90,7 +90,7 @@ void test6_callee(array_t *arr) {
|
||||
}
|
||||
|
||||
for (int i = 0; i <= arr->size; i++) {
|
||||
arr->p[i] = i; // BAD
|
||||
arr->p[i] = i; // $ Alert // BAD
|
||||
}
|
||||
}
|
||||
|
||||
@@ -105,6 +105,6 @@ void test7(int size) {
|
||||
}
|
||||
|
||||
for (char *p = arr; p <= arr + size; p++) {
|
||||
*p = 0; // BAD [NOT DETECTED]
|
||||
*p = 0; // $ MISSING: Alert // BAD [NOT DETECTED]
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
|
||||
query: experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -32,60 +32,60 @@ void testOneArray(OneArray *arr) {
|
||||
|
||||
void testBig(BigArray *arr) {
|
||||
arr->buf[MAX_SIZE-1] = 0; // GOOD
|
||||
arr->buf[MAX_SIZE] = 0; // BAD
|
||||
arr->buf[MAX_SIZE+1] = 0; // BAD
|
||||
arr->buf[MAX_SIZE] = 0; // $ Alert // BAD
|
||||
arr->buf[MAX_SIZE+1] = 0; // $ Alert // BAD
|
||||
|
||||
for(int i = 0; i < MAX_SIZE; i++) {
|
||||
arr->buf[i] = 0; // GOOD
|
||||
}
|
||||
|
||||
|
||||
for(int i = 0; i <= MAX_SIZE; i++) {
|
||||
arr->buf[i] = 0; // BAD
|
||||
arr->buf[i] = 0; // $ Alert // BAD
|
||||
}
|
||||
}
|
||||
|
||||
void testFields(ArrayAndFields *arr) {
|
||||
arr->buf[MAX_SIZE-1] = 0; // GOOD
|
||||
arr->buf[MAX_SIZE] = 0; // BAD?
|
||||
arr->buf[MAX_SIZE+1] = 0; // BAD?
|
||||
arr->buf[MAX_SIZE] = 0; // $ Alert // BAD?
|
||||
arr->buf[MAX_SIZE+1] = 0; // $ Alert // BAD?
|
||||
|
||||
for(int i = 0; i < MAX_SIZE; i++) {
|
||||
arr->buf[i] = 0; // GOOD
|
||||
}
|
||||
|
||||
|
||||
for(int i = 0; i <= MAX_SIZE; i++) {
|
||||
arr->buf[i] = 0; // BAD?
|
||||
arr->buf[i] = 0; // $ Alert // BAD?
|
||||
}
|
||||
|
||||
for(int i = 0; i < MAX_SIZE+2; i++) {
|
||||
arr->buf[i] = 0; // BAD?
|
||||
arr->buf[i] = 0; // $ Alert // BAD?
|
||||
}
|
||||
// is this different if it's a memcpy?
|
||||
}
|
||||
|
||||
void assignThroughPointer(int *p) {
|
||||
void assignThroughPointer(int *p) { // $ Sink
|
||||
*p = 0; // ??? should the result go at a flow source?
|
||||
}
|
||||
|
||||
void addToPointerAndAssign(int *p) {
|
||||
p[MAX_SIZE-1] = 0; // GOOD
|
||||
p[MAX_SIZE] = 0; // BAD
|
||||
p[MAX_SIZE] = 0; // $ Alert // BAD
|
||||
}
|
||||
|
||||
void testInterproc(BigArray *arr) {
|
||||
assignThroughPointer(&arr->buf[MAX_SIZE-1]); // GOOD
|
||||
assignThroughPointer(&arr->buf[MAX_SIZE]); // BAD
|
||||
assignThroughPointer(&arr->buf[MAX_SIZE]); // $ Alert // BAD
|
||||
|
||||
addToPointerAndAssign(arr->buf);
|
||||
addToPointerAndAssign(arr->buf); // $ Source
|
||||
}
|
||||
|
||||
#define MAX_SIZE_BYTES 4096
|
||||
|
||||
void testCharIndex(BigArray *arr) {
|
||||
char *charBuf = (char*) arr->buf;
|
||||
char *charBuf = (char*) arr->buf; // $ Source
|
||||
|
||||
charBuf[MAX_SIZE_BYTES - 1] = 0; // GOOD
|
||||
charBuf[MAX_SIZE_BYTES] = 0; // BAD
|
||||
charBuf[MAX_SIZE_BYTES] = 0; // $ Alert // BAD
|
||||
}
|
||||
|
||||
void testEqRefinement() {
|
||||
@@ -125,7 +125,7 @@ void testStackAllocated() {
|
||||
char *arr[MAX_SIZE];
|
||||
|
||||
for(int i = 0; i <= MAX_SIZE; i++) {
|
||||
arr[i] = 0; // BAD
|
||||
arr[i] = 0; // $ Alert // BAD
|
||||
}
|
||||
}
|
||||
|
||||
@@ -133,18 +133,18 @@ int strncmp(const char*, const char*, int);
|
||||
|
||||
char testStrncmp2(char *arr) {
|
||||
if(strncmp(arr, "<test>", 6) == 0) {
|
||||
arr += 6;
|
||||
arr += 6; // $ Alert
|
||||
}
|
||||
return *arr; // GOOD [FALSE POSITIVE]
|
||||
return *arr; // $ SPURIOUS: Sink // GOOD [FALSE POSITIVE]
|
||||
}
|
||||
|
||||
void testStrncmp1() {
|
||||
char asdf[5];
|
||||
testStrncmp2(asdf);
|
||||
testStrncmp2(asdf); // $ Source
|
||||
}
|
||||
|
||||
void countdownBuf1(int **p) {
|
||||
*--(*p) = 1; // GOOD [FALSE POSITIVE]
|
||||
*--(*p) = 1; // $ SPURIOUS: Sink // GOOD [FALSE POSITIVE]
|
||||
*--(*p) = 2; // GOOD
|
||||
*--(*p) = 3; // GOOD
|
||||
*--(*p) = 4; // GOOD
|
||||
@@ -153,7 +153,7 @@ void countdownBuf1(int **p) {
|
||||
void countdownBuf2() {
|
||||
int buf[4];
|
||||
|
||||
int *x = buf + 4;
|
||||
int *x = buf + 4; // $ Alert
|
||||
|
||||
countdownBuf1(&x);
|
||||
}
|
||||
@@ -182,7 +182,7 @@ int countdownLength1(int *p, int len) {
|
||||
}
|
||||
|
||||
int callCountdownLength() {
|
||||
|
||||
|
||||
int buf[6];
|
||||
|
||||
return countdownLength1(buf, 6);
|
||||
@@ -192,7 +192,7 @@ int countdownLength2() {
|
||||
int buf[6];
|
||||
int len = 6;
|
||||
int *p = buf;
|
||||
|
||||
|
||||
if(len % 8) {
|
||||
return -1;
|
||||
}
|
||||
@@ -215,10 +215,10 @@ int countdownLength2() {
|
||||
|
||||
void pointer_size_larger_than_array_element_size() {
|
||||
unsigned char buffer[100]; // getByteSize() = 100
|
||||
int *ptr = (int *)buffer; // pai.getElementSize() will be sizeof(int) = 4 -> size = 25
|
||||
int *ptr = (int *)buffer; // $ Source // pai.getElementSize() will be sizeof(int) = 4 -> size = 25
|
||||
|
||||
ptr[24] = 0; // GOOD: writes bytes 96, 97, 98, 99
|
||||
ptr[25] = 0; // BAD: writes bytes 100, 101, 102, 103
|
||||
ptr[25] = 0; // $ Alert // BAD: writes bytes 100, 101, 102, 103
|
||||
}
|
||||
|
||||
struct vec2 { int x, y; };
|
||||
@@ -226,10 +226,10 @@ struct vec3 { int x, y, z; };
|
||||
|
||||
void pointer_size_smaller_than_array_element_size_but_does_not_divide_it() {
|
||||
vec3 array[3]; // getByteSize() = 9 * sizeof(int)
|
||||
vec2 *ptr = (vec2 *)array; // pai.getElementSize() will be 2 * sizeof(int) -> size = 4
|
||||
vec2 *ptr = (vec2 *)array; // $ Source // pai.getElementSize() will be 2 * sizeof(int) -> size = 4
|
||||
|
||||
ptr[3] = vec2{}; // GOOD: writes ints 6, 7
|
||||
ptr[4] = vec2{}; // BAD: writes ints 8, 9
|
||||
ptr[4] = vec2{}; // $ Alert // BAD: writes ints 8, 9
|
||||
}
|
||||
|
||||
void pointer_size_larger_than_array_element_size_and_does_not_divide_it() {
|
||||
@@ -258,7 +258,7 @@ void call_use(unsigned char* p, int n) {
|
||||
if(n == 3) {
|
||||
unsigned char x = p[0];
|
||||
unsigned char y = p[1];
|
||||
unsigned char z = p[2]; // GOOD [FALSE POSITIVE]: `call_use(buffer2, 2)` won't reach this point.
|
||||
unsigned char z = p[2]; // $ SPURIOUS: Alert // GOOD [FALSE POSITIVE]: `call_use(buffer2, 2)` won't reach this point.
|
||||
use(x, y, z);
|
||||
}
|
||||
}
|
||||
@@ -283,7 +283,7 @@ void test_call_use2() {
|
||||
call_call_use(buffer1,1);
|
||||
|
||||
unsigned char buffer2[2];
|
||||
call_call_use(buffer2,2);
|
||||
call_call_use(buffer2,2); // $ Source
|
||||
|
||||
unsigned char buffer3[3];
|
||||
call_call_use(buffer3,3);
|
||||
@@ -296,7 +296,7 @@ int guardingCallee(int *arr, int size) {
|
||||
|
||||
int sum;
|
||||
for (int i = 0; i < size; i++) {
|
||||
sum += arr[i]; // GOOD [FALSE POSITIVE] - guarded by size
|
||||
sum += arr[i]; // $ SPURIOUS: Alert // GOOD [FALSE POSITIVE] - guarded by size
|
||||
}
|
||||
return sum;
|
||||
}
|
||||
@@ -304,9 +304,9 @@ int guardingCallee(int *arr, int size) {
|
||||
int guardingCaller() {
|
||||
int arr1[MAX_SIZE];
|
||||
guardingCallee(arr1, MAX_SIZE);
|
||||
|
||||
|
||||
int arr2[10];
|
||||
guardingCallee(arr2, 10);
|
||||
guardingCallee(arr2, 10); // $ Source
|
||||
}
|
||||
|
||||
// simplified md5 padding
|
||||
@@ -319,10 +319,10 @@ void correlatedCondition(int num) {
|
||||
end = temp + 56;
|
||||
}
|
||||
else if (num < 64) {
|
||||
end = temp + 64; // GOOD [FALSE POSITVE]
|
||||
end = temp + 64; // $ SPURIOUS: Alert // GOOD [FALSE POSITVE]
|
||||
}
|
||||
char *temp2 = temp + num;
|
||||
while(temp2 != end) {
|
||||
while(temp2 != end) { // $ Sink
|
||||
*temp2 = 0;
|
||||
temp2++;
|
||||
}
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
|
||||
query: experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -9,7 +9,7 @@ int main(int argc, char *argv[])
|
||||
{
|
||||
//umask(0022);
|
||||
FILE *fp;
|
||||
fp = fopen("myFile.txt","w"); // BAD
|
||||
fp = fopen("myFile.txt","w"); // $ Alert // BAD
|
||||
//chmod("myFile.txt",0644);
|
||||
fprintf(fp,"%s\n","data to file");
|
||||
fclose(fp);
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
|
||||
query: experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
|
||||
query: experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -10,8 +10,8 @@ int main(int argc, char *argv[])
|
||||
{
|
||||
FILE *fp;
|
||||
char buf[128];
|
||||
fp = fopen("myFile.txt","r+"); // BAD [NOT DETECTED]
|
||||
fgets(buf,128,fp);
|
||||
fp = fopen("myFile.txt","r+"); // $ MISSING: Alert // BAD [NOT DETECTED]
|
||||
fgets(buf,128,fp);
|
||||
fprintf(fp,"%s\n","data to file");
|
||||
fclose(fp);
|
||||
return 0;
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-243/IncorrectChangingWorkingDirectory.ql
|
||||
query: experimental/Security/CWE/CWE-243/IncorrectChangingWorkingDirectory.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -9,13 +9,13 @@ int chdir(char *path);
|
||||
void exit(int status);
|
||||
|
||||
int funTest1(){
|
||||
if (chroot("/myFold/myTmp") == -1) { // BAD
|
||||
if (chroot("/myFold/myTmp") == -1) { // $ Alert // BAD
|
||||
exit(-1);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
int funTest2(){
|
||||
int funTest2(){
|
||||
if (chdir("/myFold/myTmp") == -1) { // GOOD
|
||||
exit(-1);
|
||||
}
|
||||
@@ -25,8 +25,8 @@ int funTest2(){
|
||||
return 0;
|
||||
}
|
||||
|
||||
int funTest3(){
|
||||
chdir("/myFold/myTmp"); // BAD
|
||||
int funTest3(){
|
||||
chdir("/myFold/myTmp"); // $ Alert // BAD
|
||||
return 0;
|
||||
}
|
||||
int main(int argc, char *argv[])
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql
|
||||
query: experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -6,7 +6,7 @@ int fclose(FILE *stream);
|
||||
|
||||
void funcTest1()
|
||||
{
|
||||
umask(0666); // BAD
|
||||
umask(0666); // $ Alert // BAD
|
||||
FILE *fe;
|
||||
fe = fopen("myFile.txt", "wt");
|
||||
fclose(fe);
|
||||
@@ -27,7 +27,7 @@ void funcTest2(int mode)
|
||||
FILE *fe;
|
||||
fe = fopen("myFile.txt", "wt");
|
||||
fclose(fe);
|
||||
chmod("myFile.txt",0555-mode); // BAD
|
||||
chmod("myFile.txt",0555-mode); // $ Alert // BAD
|
||||
}
|
||||
|
||||
void funcTest2g(int mode)
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-285/PamAuthorization.ql
|
||||
query: experimental/Security/CWE/CWE-285/PamAuthorization.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -26,7 +26,7 @@ bool PamAuthBad(const std::string &username_in,
|
||||
return false;
|
||||
}
|
||||
|
||||
err = pam_authenticate(pamh, 0);
|
||||
err = pam_authenticate(pamh, 0); // $ Alert
|
||||
if (err != PAM_SUCCESS)
|
||||
return err;
|
||||
|
||||
|
||||
@@ -7,7 +7,7 @@ namespace std{
|
||||
CURLOPT_URL,
|
||||
CURLOPT_SSL_VERIFYHOST,
|
||||
CURLOPT_SSL_VERIFYPEER
|
||||
};
|
||||
};
|
||||
|
||||
CURL *curl_easy_init();
|
||||
void curl_easy_cleanup(CURL *handle);
|
||||
@@ -22,8 +22,8 @@ char host[] = "codeql.com";
|
||||
|
||||
void bad(void) {
|
||||
std::unique_ptr<CURL> curl = std::unique_ptr<CURL>(curl_easy_init());
|
||||
curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYPEER, 0);
|
||||
curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYHOST, 0);
|
||||
curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYPEER, 0); // $ Alert
|
||||
curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYHOST, 0); // $ Alert
|
||||
curl_easy_setopt(curl.get(), CURLOPT_URL, host);
|
||||
curl_easy_perform(curl.get());
|
||||
}
|
||||
@@ -31,7 +31,7 @@ void bad(void) {
|
||||
void good(void) {
|
||||
std::unique_ptr<CURL> curl = std::unique_ptr<CURL>(curl_easy_init());
|
||||
curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYPEER, 2);
|
||||
curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYHOST, 2);
|
||||
curl_easy_setopt(curl.get(), CURLOPT_SSL_VERIFYHOST, 2);
|
||||
curl_easy_setopt(curl.get(), CURLOPT_URL, host);
|
||||
curl_easy_perform(curl.get());
|
||||
}
|
||||
@@ -40,4 +40,3 @@ int main(int c, char** argv){
|
||||
bad();
|
||||
good();
|
||||
}
|
||||
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-295/CurlSSL.ql
|
||||
query: experimental/Security/CWE/CWE-295/CurlSSL.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-359/PrivateCleartextWrite.ql
|
||||
query: experimental/Security/CWE/CWE-359/PrivateCleartextWrite.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -54,7 +54,7 @@ void file()
|
||||
FILE *file;
|
||||
|
||||
// BAD: write zipcode to file in cleartext
|
||||
fputs(theZipcode, file);
|
||||
fputs(theZipcode, file); // $ Alert
|
||||
|
||||
// GOOD: encrypt first
|
||||
char *encrypted = encrypt(theZipcode);
|
||||
@@ -71,15 +71,15 @@ int main(int argc, char **argv)
|
||||
char *buff4;
|
||||
|
||||
// BAD: write medical to buffer in cleartext
|
||||
sprintf(buff1, "%s", medical);
|
||||
sprintf(buff1, "%s", medical); // $ Alert Source
|
||||
|
||||
// BAD: write medical to buffer in cleartext
|
||||
char *temp = medical;
|
||||
sprintf(buff2, "%s", temp);
|
||||
char *temp = medical; // $ Source
|
||||
sprintf(buff2, "%s", temp); // $ Alert
|
||||
|
||||
// BAD: write medical to buffer in cleartext
|
||||
char *buff5 = func(medical);
|
||||
sprintf(buff3, "%s", buff5);
|
||||
char *buff5 = func(medical); // $ Source
|
||||
sprintf(buff3, "%s", buff5); // $ Alert
|
||||
|
||||
char *buff6 = encrypt(medical);
|
||||
// GOOD: encrypt first
|
||||
@@ -93,10 +93,10 @@ void stream()
|
||||
ofstream mystream;
|
||||
|
||||
// BAD: write zipcode to file in cleartext
|
||||
mystream << "the zipcode is: " << theZipcode;
|
||||
mystream << "the zipcode is: " << theZipcode; // $ Alert Source
|
||||
|
||||
// BAD: write zipcode to file in cleartext
|
||||
(mystream << "the zipcode is: ").write(theZipcode, strlen(theZipcode));
|
||||
(mystream << "the zipcode is: ").write(theZipcode, strlen(theZipcode)); // $ Alert
|
||||
|
||||
// GOOD: encrypt first
|
||||
char *encrypted = encrypt(theZipcode);
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-369/DivideByZeroUsingReturnValue.ql
|
||||
query: experimental/Security/CWE/CWE-369/DivideByZeroUsingReturnValue.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -44,13 +44,13 @@ int getSize2(int type) {
|
||||
|
||||
int badTestf1(int type, int met) {
|
||||
int is = getSize(type);
|
||||
if (met == 1) return 123 / is; // BAD
|
||||
else return 123 / getSize2(type); // BAD
|
||||
if (met == 1) return 123 / is; // $ Alert // BAD
|
||||
else return 123 / getSize2(type); // $ Alert // BAD
|
||||
}
|
||||
int badTestf2(int type) {
|
||||
int is;
|
||||
is = getSize(type);
|
||||
return 123 / is; // BAD
|
||||
return 123 / is; // $ Alert // BAD
|
||||
}
|
||||
|
||||
int badTestf3(int type, int met) {
|
||||
@@ -58,31 +58,31 @@ int badTestf3(int type, int met) {
|
||||
is = getSize(type);
|
||||
switch (met) {
|
||||
case 1:
|
||||
if (is >= 0) return 123 / is; // BAD [NOT DETECTED]
|
||||
if (is >= 0) return 123 / is; // $ MISSING: Alert // BAD [NOT DETECTED]
|
||||
case 2:
|
||||
if (0 == is) return 123 / is; // BAD [NOT DETECTED]
|
||||
if (0 == is) return 123 / is; // $ MISSING: Alert // BAD [NOT DETECTED]
|
||||
case 3:
|
||||
if (!is & 123 / is) // BAD
|
||||
if (!is & 123 / is) // $ Alert // BAD
|
||||
return 123;
|
||||
case 4:
|
||||
if (!is | 123 / is) // BAD
|
||||
if (!is | 123 / is) // $ Alert // BAD
|
||||
return 123;
|
||||
case 5:
|
||||
if (123 / is || !is) // BAD
|
||||
if (123 / is || !is) // $ Alert // BAD
|
||||
return 123;
|
||||
case 6:
|
||||
if (123 / is && !is) // BAD
|
||||
if (123 / is && !is) // $ Alert // BAD
|
||||
return 123;
|
||||
case 7:
|
||||
if (!is) return 123 / is; // BAD
|
||||
if (!is) return 123 / is; // $ Alert // BAD
|
||||
case 8:
|
||||
if (is > -1) return 123 / is; // BAD
|
||||
if (is > -1) return 123 / is; // $ Alert // BAD
|
||||
case 9:
|
||||
if (is < 2) return 123 / is; // BAD
|
||||
if (is < 2) return 123 / is; // $ Alert // BAD
|
||||
}
|
||||
if (is != 0) return -1;
|
||||
if (is == 0) type += 1;
|
||||
return 123 / is; // BAD [NOT DETECTED]
|
||||
return 123 / is; // $ MISSING: Alert // BAD [NOT DETECTED]
|
||||
}
|
||||
|
||||
int goodTestf3(int type, int met) {
|
||||
@@ -92,7 +92,7 @@ int goodTestf3(int type, int met) {
|
||||
case 1:
|
||||
if (is < 0) return 123 / is; // GOOD
|
||||
case 2:
|
||||
if (!is && 123 / is) // GOOD
|
||||
if (!is && 123 / is) // GOOD
|
||||
return 123;
|
||||
case 3:
|
||||
if (!is || 123 / is) // GOOD
|
||||
@@ -112,10 +112,10 @@ int goodTestf3a(int type, int met) {
|
||||
if (is < 0)
|
||||
return 123 / is; // GOOD
|
||||
case 2:
|
||||
if (!is && 123 / is) // GOOD
|
||||
if (!is && 123 / is) // GOOD
|
||||
return 123;
|
||||
case 3:
|
||||
if (!is || 123 / is) // GOOD
|
||||
if (!is || 123 / is) // GOOD
|
||||
return 123;
|
||||
}
|
||||
return 1;
|
||||
@@ -125,20 +125,20 @@ int badTestf4(int type) {
|
||||
int is = getSize(type);
|
||||
int d;
|
||||
d = type * is;
|
||||
return 123 / d; // BAD
|
||||
return 123 / d; // $ Alert // BAD
|
||||
}
|
||||
|
||||
int badTestf5(int type) {
|
||||
int is = getSize(type);
|
||||
int d;
|
||||
d = is / type;
|
||||
return 123 / d; // BAD
|
||||
return 123 / d; // $ Alert // BAD
|
||||
}
|
||||
int badTestf6(int type) {
|
||||
int is = getSize(type);
|
||||
int d;
|
||||
d = is / type;
|
||||
return type * 123 / d; // BAD
|
||||
return type * 123 / d; // $ Alert // BAD
|
||||
}
|
||||
|
||||
int badTestf7(int type, int met) {
|
||||
@@ -150,7 +150,7 @@ int badTestf7(int type, int met) {
|
||||
return 123 / is; // GOOD
|
||||
}
|
||||
quit:
|
||||
return 123 / is; // BAD
|
||||
return 123 / is; // $ Alert // BAD
|
||||
}
|
||||
|
||||
int goodTestf7(int type, int met) {
|
||||
@@ -169,8 +169,8 @@ int goodTestf7(int type, int met) {
|
||||
|
||||
int badTestf8(int type) {
|
||||
int is = getSize(type);
|
||||
type /= is; // BAD
|
||||
type %= is; // BAD
|
||||
type /= is; // $ Alert // BAD
|
||||
type %= is; // $ Alert // BAD
|
||||
return type;
|
||||
}
|
||||
|
||||
@@ -184,7 +184,7 @@ float getSizeFloat(float type) {
|
||||
}
|
||||
float badTestf9(float type) {
|
||||
float is = getSizeFloat(type);
|
||||
return 123 / is; // BAD
|
||||
return 123 / is; // $ Alert // BAD
|
||||
}
|
||||
float goodTestf9(float type) {
|
||||
float is = getSizeFloat(type);
|
||||
@@ -196,18 +196,18 @@ int badTestf10(int type) {
|
||||
int out = type;
|
||||
int is = getSize(type);
|
||||
if (is > -2) {
|
||||
out /= 123 / (is + 1); // BAD
|
||||
out /= 123 / (is + 1); // $ Alert // BAD
|
||||
}
|
||||
if (is > 0) {
|
||||
return 123 / (is - 1); // BAD
|
||||
return 123 / (is - 1); // $ Alert // BAD
|
||||
}
|
||||
if (is <= 0) return 0;
|
||||
return 123 / (is - 1); // BAD
|
||||
return 123 / (is - 1); // $ Alert // BAD
|
||||
return 0;
|
||||
}
|
||||
int badTestf11(int type) {
|
||||
int is = getSize(type);
|
||||
return 123 / (is - 3); // BAD
|
||||
return 123 / (is - 3); // $ Alert // BAD
|
||||
}
|
||||
|
||||
int goodTestf11(int type) {
|
||||
@@ -223,7 +223,7 @@ int badTestf12(FILE * f) {
|
||||
int a;
|
||||
int ret = -1;
|
||||
a = getc(f);
|
||||
if (a == 0) ret = 123 / a; // BAD [NOT DETECTED]
|
||||
if (a == 0) ret = 123 / a; // $ MISSING: Alert // BAD [NOT DETECTED]
|
||||
return ret;
|
||||
}
|
||||
|
||||
@@ -255,14 +255,14 @@ int badMySubDiv(int type, int is) {
|
||||
|
||||
void badTestf13(int type) {
|
||||
int is = getSize(type);
|
||||
badMyDiv(type, is); // BAD
|
||||
badMyDiv(type, is - 2); // BAD
|
||||
badMySubDiv(type, is); // BAD
|
||||
badMyDiv(type, is); // $ Alert // BAD
|
||||
badMyDiv(type, is - 2); // $ Alert // BAD
|
||||
badMySubDiv(type, is); // $ Alert // BAD
|
||||
goodMyDiv(type, is); // GOOD
|
||||
if (is < 5)
|
||||
badMySubDiv(type, is); // BAD
|
||||
badMySubDiv(type, is); // $ Alert // BAD
|
||||
if (is < 0)
|
||||
badMySubDiv(type, is); // BAD [NOT DETECTED]
|
||||
badMySubDiv(type, is); // $ MISSING: Alert // BAD [NOT DETECTED]
|
||||
if (is > 5)
|
||||
badMySubDiv(type, is); // GOOD
|
||||
if (is == 0)
|
||||
@@ -270,9 +270,9 @@ void badTestf13(int type) {
|
||||
if (is > 0)
|
||||
badMyDiv(type, is); // GOOD
|
||||
if (is < 5)
|
||||
badMyDiv(type, is - 3); // BAD
|
||||
badMyDiv(type, is - 3); // $ Alert // BAD
|
||||
if (is < 0)
|
||||
badMyDiv(type, is + 1); // BAD
|
||||
badMyDiv(type, is + 1); // $ Alert // BAD
|
||||
if (is > 5)
|
||||
badMyDiv(type, is - 3); // GOOD
|
||||
}
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql
|
||||
query: experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -13,7 +13,7 @@ int fclose(FILE *stream);
|
||||
int funcTest1()
|
||||
{
|
||||
FILE *fp;
|
||||
char *filename = tmpnam(NULL); // BAD
|
||||
char *filename = tmpnam(NULL); // $ Alert // BAD
|
||||
fp = fopen(filename,"w");
|
||||
fprintf(fp,"%s\n","data to file");
|
||||
fclose(fp);
|
||||
@@ -39,7 +39,7 @@ int funcTest3()
|
||||
FILE *fp;
|
||||
char filename[80];
|
||||
strcat(filename, "/tmp/tmp.name");
|
||||
fp = fopen(filename,"w"); // BAD [NOT DETECTED]
|
||||
fp = fopen(filename,"w"); // $ MISSING: Alert // BAD [NOT DETECTED]
|
||||
fprintf(fp,"%s\n","data to file");
|
||||
fclose(fp);
|
||||
return 0;
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql
|
||||
query: experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -31,7 +31,7 @@ unsigned char * badResize_0(unsigned char * buffer,size_t currentSize,size_t new
|
||||
// BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block
|
||||
if (currentSize < newSize)
|
||||
{
|
||||
buffer = (unsigned char *)realloc(buffer, newSize);
|
||||
buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert
|
||||
}
|
||||
return buffer;
|
||||
}
|
||||
@@ -60,7 +60,7 @@ unsigned char * badResize_1_0(unsigned char * buffer,size_t currentSize,size_t n
|
||||
// BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block
|
||||
if (currentSize < newSize)
|
||||
{
|
||||
buffer = (unsigned char *)realloc(buffer, newSize);
|
||||
buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert
|
||||
}
|
||||
return buffer;
|
||||
}
|
||||
@@ -136,7 +136,7 @@ unsigned char * badResize_1_1(unsigned char * buffer,size_t currentSize,size_t n
|
||||
// BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block
|
||||
if (currentSize < newSize)
|
||||
{
|
||||
buffer = (unsigned char *)realloc(buffer, newSize);
|
||||
buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert
|
||||
}
|
||||
if(!buffer)
|
||||
aFakeFailed_1(1, 1);
|
||||
@@ -183,7 +183,7 @@ unsigned char * badResize_2_0(unsigned char * buffer,size_t currentSize,size_t n
|
||||
assert(buffer!=0);
|
||||
if (currentSize < newSize)
|
||||
{
|
||||
buffer = (unsigned char *)realloc(buffer, newSize);
|
||||
buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert
|
||||
}
|
||||
return buffer;
|
||||
}
|
||||
@@ -279,7 +279,7 @@ unsigned char *goodResize_3_1(unsigned char *buffer, size_t currentSize, size_t
|
||||
unsigned char *tmp = buffer;
|
||||
if (currentSize < newSize)
|
||||
{
|
||||
buffer = (unsigned char *)realloc(buffer, newSize);
|
||||
buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert
|
||||
if (buffer == NULL)
|
||||
{
|
||||
free(tmp);
|
||||
@@ -296,7 +296,7 @@ unsigned char *goodResize_3_2(unsigned char *buffer, size_t currentSize, size_t
|
||||
unsigned char *tmp = buffer;
|
||||
if (currentSize < newSize)
|
||||
{
|
||||
tmp = (unsigned char *)realloc(tmp, newSize);
|
||||
tmp = (unsigned char *)realloc(tmp, newSize); // $ Alert
|
||||
if (tmp != 0)
|
||||
{
|
||||
buffer = tmp;
|
||||
@@ -325,7 +325,7 @@ unsigned char * badResize_5_2(unsigned char *buffer, size_t currentSize, size_t
|
||||
// BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block
|
||||
if (currentSize < newSize)
|
||||
{
|
||||
buffer = (unsigned char *)realloc(buffer, newSize);
|
||||
buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert
|
||||
}
|
||||
if (cond)
|
||||
{
|
||||
@@ -339,7 +339,7 @@ unsigned char * badResize_5_1(unsigned char *buffer, size_t currentSize, size_t
|
||||
// BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block
|
||||
if (currentSize < newSize)
|
||||
{
|
||||
buffer = (unsigned char *)realloc(buffer, newSize);
|
||||
buffer = (unsigned char *)realloc(buffer, newSize); // $ Alert
|
||||
assert(cond); // irrelevant
|
||||
}
|
||||
return buffer;
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-409/DecompressionBombs.ql
|
||||
query: experimental/Security/CWE/CWE-409/DecompressionBombs.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -15,12 +15,12 @@ BrotliDecoderResult BrotliDecoderDecompressStream(
|
||||
void brotli_test(int argc, const char **argv) {
|
||||
uint8_t output[1024];
|
||||
size_t output_size = sizeof(output);
|
||||
BrotliDecoderDecompress(1024, (uint8_t *) argv[2], &output_size, output); // BAD
|
||||
BrotliDecoderDecompress(1024, (uint8_t *) argv[2], &output_size, output); // $ Alert // BAD
|
||||
|
||||
size_t input_size = 1024;
|
||||
const uint8_t *input_p = (const uint8_t*)argv[2];
|
||||
uint8_t *output_p = output;
|
||||
size_t out_size;
|
||||
BrotliDecoderDecompressStream(0, &input_size, &input_p, &output_size, // BAD
|
||||
BrotliDecoderDecompressStream(0, &input_size, &input_p, &output_size, // $ Alert // BAD
|
||||
&output_p, &out_size);
|
||||
}
|
||||
|
||||
@@ -19,7 +19,7 @@ static int read_data(archive *ar) {
|
||||
size_t size;
|
||||
la_int64_t offset;
|
||||
|
||||
int r = archive_read_data_block(ar, &buff, &size, &offset); // BAD
|
||||
int r = archive_read_data_block(ar, &buff, &size, &offset); // $ Alert // BAD
|
||||
if (r == ARCHIVE_EOF)
|
||||
return ARCHIVE_OK;
|
||||
if (r < ARCHIVE_OK)
|
||||
|
||||
@@ -4,7 +4,7 @@ void minizip_test(int argc, const char **argv);
|
||||
void zlib_test(int argc, const char **argv);
|
||||
void zstd_test(int argc, const char **argv);
|
||||
|
||||
int main(int argc, const char **argv) {
|
||||
int main(int argc, const char **argv) { // $ Source
|
||||
brotli_test(argc, argv);
|
||||
libarchive_test(argc, argv);
|
||||
minizip_test(argc, argv);
|
||||
|
||||
@@ -14,7 +14,7 @@ void minizip_test(int argc, const char **argv) {
|
||||
int32_t bytes_read;
|
||||
char buf[4096];
|
||||
while(true) {
|
||||
bytes_read = mz_zip_entry_read(zip_handle, (char *) argv[1], sizeof(buf)); // BAD
|
||||
bytes_read = mz_zip_entry_read(zip_handle, (char *) argv[1], sizeof(buf)); // $ Alert // BAD
|
||||
if (bytes_read <= 0) {
|
||||
break;
|
||||
}
|
||||
@@ -23,7 +23,7 @@ void minizip_test(int argc, const char **argv) {
|
||||
void *zip_reader = mz_zip_reader_create();
|
||||
mz_zip_reader_open_file(zip_reader, argv[1]);
|
||||
mz_zip_reader_goto_first_entry(zip_reader);
|
||||
mz_zip_reader_entry_save(zip_reader, 0, 0); // BAD
|
||||
mz_zip_reader_entry_save(zip_reader, 0, 0); // $ Alert // BAD
|
||||
|
||||
UnzOpen(argv[3]); // BAD
|
||||
UnzOpen(argv[3]); // $ Alert // BAD
|
||||
}
|
||||
|
||||
@@ -22,7 +22,7 @@ void UnsafeInflate(char *input) {
|
||||
infstream.next_out = output; // output char array
|
||||
|
||||
inflateInit(&infstream);
|
||||
inflate(&infstream, 0); // BAD
|
||||
inflate(&infstream, 0); // $ Alert // BAD
|
||||
}
|
||||
|
||||
|
||||
@@ -38,7 +38,7 @@ void UnsafeGzread(char *fileName) {
|
||||
gzFile inFileZ = gzopen(fileName, "rb");
|
||||
unsigned char unzipBuffer[8192];
|
||||
while (true) {
|
||||
if (gzread(inFileZ, unzipBuffer, 8192) <= 0) { // BAD
|
||||
if (gzread(inFileZ, unzipBuffer, 8192) <= 0) { // $ Alert // BAD
|
||||
break;
|
||||
}
|
||||
}
|
||||
@@ -48,7 +48,7 @@ void UnsafeGzfread(char *fileName) {
|
||||
gzFile inFileZ = gzopen(fileName, "rb");
|
||||
while (true) {
|
||||
char buffer[1000];
|
||||
if (!gzfread(buffer, 999, 1, inFileZ)) { // BAD
|
||||
if (!gzfread(buffer, 999, 1, inFileZ)) { // $ Alert // BAD
|
||||
break;
|
||||
}
|
||||
}
|
||||
@@ -59,7 +59,7 @@ void UnsafeGzgets(char *fileName) {
|
||||
char *buffer = new char[4000000000];
|
||||
char *result;
|
||||
while (true) {
|
||||
result = gzgets(inFileZ, buffer, 1000000000); // BAD
|
||||
result = gzgets(inFileZ, buffer, 1000000000); // $ Alert // BAD
|
||||
if (result == nullptr) {
|
||||
break;
|
||||
}
|
||||
@@ -74,7 +74,7 @@ void InflateString(char *input) {
|
||||
uLong source_length = 500;
|
||||
uLong destination_length = sizeof(output);
|
||||
|
||||
uncompress(output, &destination_length, (Bytef *) input, source_length); // BAD
|
||||
uncompress(output, &destination_length, (Bytef *) input, source_length); // $ Alert // BAD
|
||||
}
|
||||
|
||||
void zlib_test(int argc, char **argv) {
|
||||
|
||||
@@ -36,7 +36,7 @@ void zstd_test(int argc, const char **argv) {
|
||||
ZSTD_inBuffer input = {buffIn, read, 0};
|
||||
while (input.pos < input.size) {
|
||||
ZSTD_outBuffer output = {buffOut, buffOutSize, 0};
|
||||
size_t const ret = ZSTD_decompressStream(dctx, &output, &input); // BAD
|
||||
size_t const ret = ZSTD_decompressStream(dctx, &output, &input); // $ Alert // BAD
|
||||
CHECK_ZSTD(ret);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1 +1,2 @@
|
||||
experimental/Security/CWE/CWE-415/DoubleFree.ql
|
||||
query: experimental/Security/CWE/CWE-415/DoubleFree.ql
|
||||
postprocess: utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user