C++ : cpp/incorrect-string-type-conversion

Cast between semantically different string types: char* from/to wchar_t* NOTE: Please let me know if you want to use a different CWE than CWE-704
2018-10-01 10:25:49 -07:00 · 2018-10-01 10:25:49 -07:00 · 253b8d1287
--- a/.gitignore
+++ b/.gitignore
@ -13,3 +13,4 @@
 /.vs/ql/v15/Browse.VC.db
 /.vs/ProjectSettings.json
 /.vs/ql/v15/.suo
--- a/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.cpp
+++ b/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.cpp
@ -0,0 +1,3 @@
 LPWSTR pSrc;
 pSrc = (LPWSTR)"a";
--- a/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.qhelp
+++ b/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.qhelp
@ -0,0 +1,25 @@
 <!DOCTYPE qhelp PUBLIC
  "-//Semmle//qhelp//EN"
  "qhelp.dtd">
 <qhelp>
 <overview>
  <p>This rule indicates a potentially incorrect cast from/to an ANSI string (<code>char *</code>) to/from a Unicode string (<code>wchar_t *</code>).</p>
  <p>This cast might yield strings that are not correctly terminated; including potential buffer overruns when using such strings with some dangerous APIs.</p>
 </overview>
 <recommendation>
  <p>Do not explicitly casting ANSI strings to/from Unicode strings.</p>
 </recommendation>
 <example>
 <p>In the following example, an ANSI string literal (<code>"a"</code>) is casted as a Unicode string.</p>
 <sample src="WcharCharConversion.cpp" />
 <p>To fix this issue, prepend the literal with the letter "L" (<code>L"a"</code>) to define it as a Unicode string.</p>
 </example>
 <references>
 </references>
 </qhelp>
--- a/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
+++ b/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
@ -0,0 +1,38 @@
 /**
 * @name Cast between semantically different string types: char* from/to wchar_t*
 * @description This rule indicates a potentially incorrect cast from/to an ANSI string (char *) to/from a Unicode string (wchar_t *). 
 *              This cast might yield strings that are not correctly terminated; 
 *              including potential buffer overruns when using such strings with some dangerous APIs.
 * @kind problem
 * @id cpp/incorrect-string-type-conversion
 * @problem.severity error
 * @precision high
 * @tags security
 *       external/cwe/cwe-704
 *       external/microsoft/c/c6276
 */
 import cpp
 class WideCharPointerType extends PointerType {
  WideCharPointerType() { 
    this.getBaseType() instanceof WideCharType 
  }
 }
 from Expr e1, Cast e2
 where 
  e2 = e1.getConversion() 
  and
  (
    exists( WideCharPointerType w, CharPointerType c  | 
      w = e1.getType().getUnspecifiedType().(PointerType)
      and c = e2.getType().getUnspecifiedType().(PointerType)
    )
    or exists
    ( 
      WideCharPointerType w, CharPointerType c | 
      w = e2.getType().getUnspecifiedType().(PointerType)
      and c = e1.getType().getUnspecifiedType().(PointerType)
    )
  )
 select e1, "Conversion from " + e1.getType().toString() + " to " +  e2.getType().toString() + ". Use of invalid string can lead to undefined behavior."
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-704/WcharCharConversion.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-704/WcharCharConversion.cpp
@ -0,0 +1,40 @@
 #define NULL 0
 #define CONST               const
 typedef wchar_t WCHAR;    // wc,   16-bit UNICODE character
 typedef char CHAR;
 typedef WCHAR *LPWSTR;
 typedef CONST WCHAR *LPCWSTR;
 typedef CHAR *LPSTR;
 typedef CONST CHAR *LPCSTR;
 void fconstChar(LPCSTR p) {}
 void fChar(LPSTR p) {}
 void fconstWChar(LPCWSTR p) {}
 void fWChar(LPWSTR p) {}
 void Test()
 {
    char *lpChar = NULL;
    wchar_t *lpWchar = NULL;
    lpChar = (LPSTR)L"a";   // BUG
    lpWchar = (LPWSTR)"a";  // BUG
    lpChar = (char*)lpWchar;    // BUG
    lpWchar = (wchar_t*)lpChar; // BUG
    fconstChar((LPCSTR)lpWchar);    // BUG
    fChar((LPSTR)lpWchar);          // BUG
    fconstWChar((LPCWSTR)lpChar);   // BUG
    fWChar((LPWSTR)lpChar);         // BUG
    lpChar = (LPSTR)"a";    // Valid
    lpWchar = (LPWSTR)L"a"; // Valid
    fconstChar((LPCSTR)lpChar);     // Valid
    fChar(lpChar);                  // Valid
    fconstWChar((LPCWSTR)lpWchar);  // Valid
    fWChar(lpWchar);                // Valid
 }
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-704/WcharCharConversion.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-704/WcharCharConversion.expected
@ -0,0 +1,8 @@
 | WcharCharConversion.cpp:22:18:22:21 | array to pointer conversion | Conversion from const wchar_t * to LPSTR. Use of invalid string can lead to undefined behavior. |
 | WcharCharConversion.cpp:23:20:23:22 | array to pointer conversion | Conversion from const char * to LPWSTR. Use of invalid string can lead to undefined behavior. |
 | WcharCharConversion.cpp:25:18:25:24 | lpWchar | Conversion from wchar_t * to char *. Use of invalid string can lead to undefined behavior. |
 | WcharCharConversion.cpp:26:22:26:27 | lpChar | Conversion from char * to wchar_t *. Use of invalid string can lead to undefined behavior. |
 | WcharCharConversion.cpp:28:21:28:27 | lpWchar | Conversion from wchar_t * to LPCSTR. Use of invalid string can lead to undefined behavior. |
 | WcharCharConversion.cpp:29:15:29:21 | lpWchar | Conversion from wchar_t * to LPSTR. Use of invalid string can lead to undefined behavior. |
 | WcharCharConversion.cpp:30:23:30:28 | lpChar | Conversion from char * to LPCWSTR. Use of invalid string can lead to undefined behavior. |
 | WcharCharConversion.cpp:31:17:31:22 | lpChar | Conversion from char * to LPWSTR. Use of invalid string can lead to undefined behavior. |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-704/WcharCharConversion.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-704/WcharCharConversion.qlref
@ -0,0 +1 @@
 Security/CWE/CWE-704/WcharCharConversion.ql