зеркало из https://github.com/github/codeql.git
Merge pull request #1585 from rdmarsh2/rdmarsh/cpp/hasGlobalOrStdName
C++: add Declaration.hasGlobalOrStdName()
Коммит
5b33255e44
|
@ -53,6 +53,8 @@ The following changes in version 1.23 affect C/C++ analysis in all applications.
|
|||
clarity (e.g. `isOutReturnPointer()` to `isReturnValueDeref()`). The existing member predicates
|
||||
have been deprecated, and will be removed in a future release. Code that uses the old member
|
||||
predicates should be updated to use the corresponding new member predicate.
|
||||
* The predicates `Declaration.hasStdName()` and `Declaration.hasGlobalOrStdName`
|
||||
have been added, simplifying handling of C++ standard library functions.
|
||||
* The control-flow graph is now computed in QL, not in the extractor. This can
|
||||
lead to regressions (or improvements) in how queries are optimized because
|
||||
optimization in QL relies on static size estimates, and the control-flow edge
|
||||
|
|
|
@ -13,7 +13,7 @@ import semmle.code.cpp.pointsto.PointsTo
|
|||
import Negativity
|
||||
|
||||
predicate closeCall(FunctionCall fc, Variable v) {
|
||||
fc.getTarget().hasGlobalName("close") and v.getAnAccess() = fc.getArgument(0)
|
||||
fc.getTarget().hasGlobalOrStdName("close") and v.getAnAccess() = fc.getArgument(0)
|
||||
or
|
||||
exists(FunctionCall midcall, Function mid, int arg |
|
||||
fc.getArgument(arg) = v.getAnAccess() and
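Review bot: `close` is a POSIX call that no C++ standard header declares in `std`, so `hasGlobalOrStdName("close")` in `closeCall` adds no coverage over `hasGlobalName("close")` and blurs which modelled names are really standard-library ones. The same applies to `closed` in the next file, to `CloseHandle` in `fcloseCall` (where `close` and `_close` are left as `hasGlobalName`), and to `wsprintf` in `Sprintf`. I would keep `fc.getTarget().hasGlobalName("close") and v.getAnAccess() = fc.getArgument(0)` here and reserve the new predicate for functions the standard headers export into `std`. `closeCall` continues past the end of the hunk.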
|
||||
|
|
|
@ -13,7 +13,7 @@ import semmle.code.cpp.pointsto.PointsTo
|
|||
|
||||
predicate closed(Expr e) {
|
||||
exists(FunctionCall fc |
|
||||
fc.getTarget().hasGlobalName("close") and
|
||||
fc.getTarget().hasGlobalOrStdName("close") and
|
||||
fc.getArgument(0) = e
|
||||
)
|
||||
}
|
||||
|
|
|
@ -53,7 +53,7 @@ predicate allocCallOrIndirect(Expr e) {
|
|||
* can cause memory leaks.
|
||||
*/
|
||||
predicate verifiedRealloc(FunctionCall reallocCall, Variable v, ControlFlowNode verified) {
|
||||
reallocCall.getTarget().hasGlobalName("realloc") and
|
||||
reallocCall.getTarget().hasGlobalOrStdName("realloc") and
|
||||
reallocCall.getArgument(0) = v.getAnAccess() and
|
||||
(
|
||||
exists(Variable newV, ControlFlowNode node |
|
||||
|
@ -79,7 +79,7 @@ predicate verifiedRealloc(FunctionCall reallocCall, Variable v, ControlFlowNode
|
|||
predicate freeCallOrIndirect(ControlFlowNode n, Variable v) {
|
||||
// direct free call
|
||||
freeCall(n, v.getAnAccess()) and
|
||||
not n.(FunctionCall).getTarget().hasGlobalName("realloc")
|
||||
not n.(FunctionCall).getTarget().hasGlobalOrStdName("realloc")
|
||||
or
|
||||
// verified realloc call
|
||||
verifiedRealloc(_, v, n)
|
||||
|
|
|
@ -13,10 +13,7 @@
|
|||
import cpp
|
||||
|
||||
class MallocCall extends FunctionCall {
|
||||
MallocCall() {
|
||||
this.getTarget().hasGlobalName("malloc") or
|
||||
this.getTarget().hasQualifiedName("std", "malloc")
|
||||
}
|
||||
MallocCall() { this.getTarget().hasGlobalOrStdName("malloc") }
|
||||
|
||||
Expr getAllocatedSize() {
|
||||
if this.getArgument(0) instanceof VariableAccess
|
||||
|
@ -36,12 +33,12 @@ predicate spaceProblem(FunctionCall append, string msg) {
|
|||
malloc.getAllocatedSize() = add and
|
||||
buffer.getAnAccess() = strlen.getStringExpr() and
|
||||
(
|
||||
insert.getTarget().hasGlobalName("strcpy") or
|
||||
insert.getTarget().hasGlobalName("strncpy")
|
||||
insert.getTarget().hasGlobalOrStdName("strcpy") or
|
||||
insert.getTarget().hasGlobalOrStdName("strncpy")
|
||||
) and
|
||||
(
|
||||
append.getTarget().hasGlobalName("strcat") or
|
||||
append.getTarget().hasGlobalName("strncat")
|
||||
append.getTarget().hasGlobalOrStdName("strcat") or
|
||||
append.getTarget().hasGlobalOrStdName("strncat")
|
||||
) and
|
||||
malloc.getASuccessor+() = insert and
|
||||
insert.getArgument(1) = buffer.getAnAccess() and
|
||||
|
|
|
@ -25,7 +25,7 @@ import semmle.code.cpp.security.TaintTracking
|
|||
predicate sourceSized(FunctionCall fc, Expr src) {
|
||||
exists(string name |
|
||||
(name = "strncpy" or name = "strncat" or name = "memcpy" or name = "memmove") and
|
||||
fc.getTarget().hasGlobalName(name)
|
||||
fc.getTarget().hasGlobalOrStdName(name)
|
||||
) and
|
||||
exists(Expr dest, Expr size, Variable v |
|
||||
fc.getArgument(0) = dest and
|
||||
|
|
|
@ -60,19 +60,19 @@ predicate overflowOffsetInLoop(BufferAccess bufaccess, string msg) {
|
|||
predicate bufferAndSizeFunction(Function f, int buf, int size) {
|
||||
f.hasGlobalName("read") and buf = 1 and size = 2
|
||||
or
|
||||
f.hasGlobalName("fgets") and buf = 0 and size = 1
|
||||
f.hasGlobalOrStdName("fgets") and buf = 0 and size = 1
|
||||
or
|
||||
f.hasGlobalName("strncpy") and buf = 0 and size = 2
|
||||
f.hasGlobalOrStdName("strncpy") and buf = 0 and size = 2
|
||||
or
|
||||
f.hasGlobalName("strncat") and buf = 0 and size = 2
|
||||
f.hasGlobalOrStdName("strncat") and buf = 0 and size = 2
|
||||
or
|
||||
f.hasGlobalName("memcpy") and buf = 0 and size = 2
|
||||
f.hasGlobalOrStdName("memcpy") and buf = 0 and size = 2
|
||||
or
|
||||
f.hasGlobalName("memmove") and buf = 0 and size = 2
|
||||
f.hasGlobalOrStdName("memmove") and buf = 0 and size = 2
|
||||
or
|
||||
f.hasGlobalName("snprintf") and buf = 0 and size = 1
|
||||
f.hasGlobalOrStdName("snprintf") and buf = 0 and size = 1
|
||||
or
|
||||
f.hasGlobalName("vsnprintf") and buf = 0 and size = 1
|
||||
f.hasGlobalOrStdName("vsnprintf") and buf = 0 and size = 1
|
||||
}
|
||||
|
||||
class CallWithBufferSize extends FunctionCall {
|
||||
|
|
|
@ -17,12 +17,12 @@ import cpp
|
|||
class Allocation extends FunctionCall {
|
||||
Allocation() {
|
||||
exists(string name |
|
||||
this.getTarget().hasGlobalName(name) and
|
||||
this.getTarget().hasGlobalOrStdName(name) and
|
||||
(name = "malloc" or name = "calloc" or name = "realloc")
|
||||
)
|
||||
}
|
||||
|
||||
private string getName() { this.getTarget().hasGlobalName(result) }
|
||||
private string getName() { this.getTarget().hasGlobalOrStdName(result) }
|
||||
|
||||
int getSize() {
|
||||
this.getName() = "malloc" and
|
||||
|
|
|
@ -17,12 +17,12 @@ import cpp
|
|||
class Allocation extends FunctionCall {
|
||||
Allocation() {
|
||||
exists(string name |
|
||||
this.getTarget().hasGlobalName(name) and
|
||||
this.getTarget().hasGlobalOrStdName(name) and
|
||||
(name = "malloc" or name = "calloc" or name = "realloc")
|
||||
)
|
||||
}
|
||||
|
||||
private string getName() { this.getTarget().hasGlobalName(result) }
|
||||
private string getName() { this.getTarget().hasGlobalOrStdName(result) }
|
||||
|
||||
int getSize() {
|
||||
this.getName() = "malloc" and
|
||||
|
|
|
@ -16,7 +16,7 @@ import semmle.code.cpp.controlflow.LocalScopeVariableReachability
|
|||
predicate isFreeExpr(Expr e, LocalScopeVariable v) {
|
||||
exists(VariableAccess va | va.getTarget() = v |
|
||||
exists(FunctionCall fc | fc = e |
|
||||
fc.getTarget().hasGlobalName("free") and
|
||||
fc.getTarget().hasGlobalOrStdName("free") and
|
||||
va = fc.getArgument(0)
|
||||
)
|
||||
or
|
||||
|
|
|
@ -59,7 +59,7 @@ class Options extends string {
|
|||
predicate exits(Function f) {
|
||||
f.getAnAttribute().hasName("noreturn")
|
||||
or
|
||||
exists(string name | f.hasGlobalName(name) |
|
||||
exists(string name | f.hasGlobalOrStdName(name) |
|
||||
name = "exit" or
|
||||
name = "_exit" or
|
||||
name = "abort" or
|
||||
|
@ -91,7 +91,7 @@ class Options extends string {
|
|||
* By default holds only for `fgets`.
|
||||
*/
|
||||
predicate alwaysCheckReturnValue(Function f) {
|
||||
f.hasGlobalName("fgets") or
|
||||
f.hasGlobalOrStdName("fgets") or
|
||||
CustomOptions::alwaysCheckReturnValue(f) // old Options.qll
|
||||
}
|
||||
|
||||
|
|
|
@ -34,8 +34,10 @@ class FileFunction extends FunctionWithWrappers {
|
|||
nme.matches("CreateFile%")
|
||||
)
|
||||
or
|
||||
this.hasQualifiedName("std", "fopen")
|
||||
or
|
||||
// on any of the fstream classes, or filebuf
|
||||
exists(string nme | this.getDeclaringType().getSimpleName() = nme |
|
||||
exists(string nme | this.getDeclaringType().hasQualifiedName("std", nme) |
|
||||
nme = "basic_fstream" or
|
||||
nme = "basic_ifstream" or
|
||||
nme = "basic_ofstream" or
|
||||
|
|
|
@ -17,8 +17,8 @@ import semmle.code.cpp.security.TaintTracking
|
|||
/** A call that prints its arguments to `stdout`. */
|
||||
class PrintStdoutCall extends FunctionCall {
|
||||
PrintStdoutCall() {
|
||||
getTarget().hasGlobalName("puts") or
|
||||
getTarget().hasGlobalName("printf")
|
||||
getTarget().hasGlobalOrStdName("puts") or
|
||||
getTarget().hasGlobalOrStdName("printf")
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -19,10 +19,7 @@ import semmle.code.cpp.dataflow.DataFlow
|
|||
import semmle.code.cpp.models.implementations.Memcpy
|
||||
|
||||
class MallocCall extends FunctionCall {
|
||||
MallocCall() {
|
||||
this.getTarget().hasGlobalName("malloc") or
|
||||
this.getTarget().hasQualifiedName("std", "malloc")
|
||||
}
|
||||
MallocCall() { this.getTarget().hasGlobalOrStdName("malloc") }
|
||||
|
||||
Expr getAllocatedSize() {
|
||||
if this.getArgument(0) instanceof VariableAccess
|
||||
|
|
|
@ -190,11 +190,11 @@ private predicate windowsSystemInfo(FunctionCall source, Element use) {
|
|||
// void WINAPI GetSystemInfo(_Out_ LPSYSTEM_INFO lpSystemInfo);
|
||||
// void WINAPI GetNativeSystemInfo(_Out_ LPSYSTEM_INFO lpSystemInfo);
|
||||
(
|
||||
source.getTarget().hasName("GetVersionEx") or
|
||||
source.getTarget().hasName("GetVersionExA") or
|
||||
source.getTarget().hasName("GetVersionExW") or
|
||||
source.getTarget().hasName("GetSystemInfo") or
|
||||
source.getTarget().hasName("GetNativeSystemInfo")
|
||||
source.getTarget().hasGlobalName("GetVersionEx") or
|
||||
source.getTarget().hasGlobalName("GetVersionExA") or
|
||||
source.getTarget().hasGlobalName("GetVersionExW") or
|
||||
source.getTarget().hasGlobalName("GetSystemInfo") or
|
||||
source.getTarget().hasGlobalName("GetNativeSystemInfo")
|
||||
) and
|
||||
use = source.getArgument(0)
|
||||
}
|
||||
|
@ -216,9 +216,9 @@ private predicate windowsFolderPath(FunctionCall source, Element use) {
|
|||
// _In_ BOOL fCreate
|
||||
// );
|
||||
(
|
||||
source.getTarget().hasName("SHGetSpecialFolderPath") or
|
||||
source.getTarget().hasName("SHGetSpecialFolderPathA") or
|
||||
source.getTarget().hasName("SHGetSpecialFolderPathW")
|
||||
source.getTarget().hasGlobalName("SHGetSpecialFolderPath") or
|
||||
source.getTarget().hasGlobalName("SHGetSpecialFolderPathA") or
|
||||
source.getTarget().hasGlobalName("SHGetSpecialFolderPathW")
|
||||
) and
|
||||
use = source.getArgument(1)
|
||||
or
|
||||
|
@ -228,7 +228,7 @@ private predicate windowsFolderPath(FunctionCall source, Element use) {
|
|||
// _In_opt_ HANDLE hToken,
|
||||
// _Out_ PWSTR *ppszPath
|
||||
// );
|
||||
source.getTarget().hasName("SHGetKnownFolderPath") and
|
||||
source.getTarget().hasGlobalName("SHGetKnownFolderPath") and
|
||||
use = source.getArgument(3)
|
||||
or
|
||||
// HRESULT SHGetFolderPath(
|
||||
|
@ -239,9 +239,9 @@ private predicate windowsFolderPath(FunctionCall source, Element use) {
|
|||
// _Out_ LPTSTR pszPath
|
||||
// );
|
||||
(
|
||||
source.getTarget().hasName("SHGetFolderPath") or
|
||||
source.getTarget().hasName("SHGetFolderPathA") or
|
||||
source.getTarget().hasName("SHGetFolderPathW")
|
||||
source.getTarget().hasGlobalName("SHGetFolderPath") or
|
||||
source.getTarget().hasGlobalName("SHGetFolderPathA") or
|
||||
source.getTarget().hasGlobalName("SHGetFolderPathW")
|
||||
) and
|
||||
use = source.getArgument(4)
|
||||
or
|
||||
|
@ -254,9 +254,9 @@ private predicate windowsFolderPath(FunctionCall source, Element use) {
|
|||
// _Out_ LPTSTR pszPath
|
||||
// );
|
||||
(
|
||||
source.getTarget().hasName("SHGetFolderPathAndSubDir") or
|
||||
source.getTarget().hasName("SHGetFolderPathAndSubDirA") or
|
||||
source.getTarget().hasName("SHGetFolderPathAndSubDirW")
|
||||
source.getTarget().hasGlobalName("SHGetFolderPathAndSubDir") or
|
||||
source.getTarget().hasGlobalName("SHGetFolderPathAndSubDirA") or
|
||||
source.getTarget().hasGlobalName("SHGetFolderPathAndSubDirW")
|
||||
) and
|
||||
use = source.getArgument(5)
|
||||
}
|
||||
|
@ -273,9 +273,9 @@ class WindowsFolderPath extends SystemData {
|
|||
|
||||
private predicate logonUser(FunctionCall source, VariableAccess use) {
|
||||
(
|
||||
source.getTarget().hasName("LogonUser") or
|
||||
source.getTarget().hasName("LogonUserW") or
|
||||
source.getTarget().hasName("LogonUserA")
|
||||
source.getTarget().hasGlobalName("LogonUser") or
|
||||
source.getTarget().hasGlobalName("LogonUserW") or
|
||||
source.getTarget().hasGlobalName("LogonUserA")
|
||||
) and
|
||||
use = source.getAnArgument()
|
||||
}
|
||||
|
@ -297,9 +297,9 @@ private predicate regQuery(FunctionCall source, VariableAccess use) {
|
|||
// _Inout_opt_ PLONG lpcbValue
|
||||
// );
|
||||
(
|
||||
source.getTarget().hasName("RegQueryValue") or
|
||||
source.getTarget().hasName("RegQueryValueA") or
|
||||
source.getTarget().hasName("RegQueryValueW")
|
||||
source.getTarget().hasGlobalName("RegQueryValue") or
|
||||
source.getTarget().hasGlobalName("RegQueryValueA") or
|
||||
source.getTarget().hasGlobalName("RegQueryValueW")
|
||||
) and
|
||||
use = source.getArgument(2)
|
||||
or
|
||||
|
@ -311,9 +311,9 @@ private predicate regQuery(FunctionCall source, VariableAccess use) {
|
|||
// _Inout_opt_ LPDWORD ldwTotsize
|
||||
// );
|
||||
(
|
||||
source.getTarget().hasName("RegQueryMultipleValues") or
|
||||
source.getTarget().hasName("RegQueryMultipleValuesA") or
|
||||
source.getTarget().hasName("RegQueryMultipleValuesW")
|
||||
source.getTarget().hasGlobalName("RegQueryMultipleValues") or
|
||||
source.getTarget().hasGlobalName("RegQueryMultipleValuesA") or
|
||||
source.getTarget().hasGlobalName("RegQueryMultipleValuesW")
|
||||
) and
|
||||
use = source.getArgument(3)
|
||||
or
|
||||
|
@ -326,9 +326,9 @@ private predicate regQuery(FunctionCall source, VariableAccess use) {
|
|||
// _Inout_opt_ LPDWORD lpcbData
|
||||
// );
|
||||
(
|
||||
source.getTarget().hasName("RegQueryValueEx") or
|
||||
source.getTarget().hasName("RegQueryValueExA") or
|
||||
source.getTarget().hasName("RegQueryValueExW")
|
||||
source.getTarget().hasGlobalName("RegQueryValueEx") or
|
||||
source.getTarget().hasGlobalName("RegQueryValueExA") or
|
||||
source.getTarget().hasGlobalName("RegQueryValueExW")
|
||||
) and
|
||||
use = source.getArgument(4)
|
||||
or
|
||||
|
@ -342,9 +342,9 @@ private predicate regQuery(FunctionCall source, VariableAccess use) {
|
|||
// _Inout_opt_ LPDWORD pcbData
|
||||
// );
|
||||
(
|
||||
source.getTarget().hasName("RegGetValue") or
|
||||
source.getTarget().hasName("RegGetValueA") or
|
||||
source.getTarget().hasName("RegGetValueW")
|
||||
source.getTarget().hasGlobalName("RegGetValue") or
|
||||
source.getTarget().hasGlobalName("RegGetValueA") or
|
||||
source.getTarget().hasGlobalName("RegGetValueW")
|
||||
) and
|
||||
use = source.getArgument(5)
|
||||
}
|
||||
|
|
|
@ -15,5 +15,5 @@ import cpp
|
|||
from FunctionCall call, Function target
|
||||
where
|
||||
call.getTarget() = target and
|
||||
target.hasGlobalName("gets")
|
||||
target.hasGlobalOrStdName("gets")
|
||||
select call, "gets does not guard against buffer overflow"
|
||||
|
|
|
@ -22,7 +22,7 @@ predicate acquireExpr(Expr acquire, string kind) {
|
|||
exists(FunctionCall fc, Function f, string name |
|
||||
fc = acquire and
|
||||
f = fc.getTarget() and
|
||||
f.hasGlobalName(name) and
|
||||
f.hasGlobalOrStdName(name) and
|
||||
(
|
||||
name = "fopen" and
|
||||
kind = "file"
|
||||
|
@ -46,7 +46,7 @@ predicate releaseExpr(Expr release, Expr resource, string kind) {
|
|||
exists(FunctionCall fc, Function f, string name |
|
||||
fc = release and
|
||||
f = fc.getTarget() and
|
||||
f.hasGlobalName(name) and
|
||||
f.hasGlobalOrStdName(name) and
|
||||
(
|
||||
name = "fclose" and
|
||||
resource = fc.getArgument(0) and
|
||||
|
|
|
@ -22,8 +22,8 @@ predicate containsArray(Type t) {
|
|||
or
|
||||
containsArray(t.getUnderlyingType()) and
|
||||
not exists(TypedefType allowed | allowed = t |
|
||||
allowed.hasGlobalName("jmp_buf") or
|
||||
allowed.hasGlobalName("va_list")
|
||||
allowed.hasGlobalOrStdName("jmp_buf") or
|
||||
allowed.hasGlobalOrStdName("va_list")
|
||||
)
|
||||
}
|
||||
|
||||
|
|
|
@ -123,6 +123,13 @@ abstract class Declaration extends Locatable, @declaration {
|
|||
/** Holds if this declaration has the given name in the global namespace. */
|
||||
predicate hasGlobalName(string name) { this.hasQualifiedName("", "", name) }
|
||||
|
||||
/** Holds if this declaration has the given name in the global namespace or the `std` namespace. */
|
||||
predicate hasGlobalOrStdName(string name) {
|
||||
this.hasGlobalName(name)
|
||||
or
|
||||
this.hasQualifiedName("std", "", name)
|
||||
}
|
||||
|
||||
/** Gets a specifier of this declaration. */
|
||||
abstract Specifier getASpecifier();
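Review bot: The change note added in this commit announces both `Declaration.hasStdName()` and `Declaration.hasGlobalOrStdName`, but this hunk defines only `hasGlobalOrStdName`, with the `std` case written inline as `this.hasQualifiedName("std", "", name)`. Unless `hasStdName` is defined outside the visible lines, either add it next to `hasGlobalName` and have the new predicate call it (`this.hasGlobalName(name) or this.hasStdName(name)`), or drop it from the change note. The QLDoc could also state whether declarations in namespaces nested inside `std` are meant to match, since the security models in this commit rely on this predicate to recognise library calls.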
|
||||
|
||||
|
|
|
@ -425,7 +425,7 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
|
|||
// ... and likewise for destructors.
|
||||
this.(Destructor).getADestruction().mayBeGloballyImpure()
|
||||
else
|
||||
not exists(string name | this.hasGlobalName(name) |
|
||||
not exists(string name | this.hasGlobalOrStdName(name) |
|
||||
// Unless it's a function that we know is side-effect-free, it may
|
||||
// have side-effects.
|
||||
name = "strcmp" or
|
||||
|
|
|
@ -5,13 +5,17 @@ import cpp
|
|||
*/
|
||||
predicate allocationFunction(Function f) {
|
||||
exists(string name |
|
||||
f.hasGlobalName(name) and
|
||||
f.hasGlobalOrStdName(name) and
|
||||
(
|
||||
name = "malloc" or
|
||||
name = "calloc" or
|
||||
name = "realloc" or
|
||||
name = "strdup" or
|
||||
name = "wcsdup" or
|
||||
name = "wcsdup"
|
||||
)
|
||||
or
|
||||
f.hasGlobalName(name) and
|
||||
(
|
||||
name = "_strdup" or
|
||||
name = "_wcsdup" or
|
||||
name = "_mbsdup" or
|
||||
|
@ -59,7 +63,7 @@ predicate allocationCall(FunctionCall fc) {
|
|||
allocationFunction(fc.getTarget()) and
|
||||
(
|
||||
// realloc(ptr, 0) only frees the pointer
|
||||
fc.getTarget().hasGlobalName("realloc") implies not fc.getArgument(1).getValue() = "0"
|
||||
fc.getTarget().hasGlobalOrStdName("realloc") implies not fc.getArgument(1).getValue() = "0"
|
||||
)
|
||||
}
|
||||
|
||||
|
@ -73,7 +77,10 @@ predicate freeFunction(Function f, int argNum) {
|
|||
name = "free" and argNum = 0
|
||||
or
|
||||
name = "realloc" and argNum = 0
|
||||
or
|
||||
)
|
||||
or
|
||||
f.hasGlobalOrStdName(name) and
|
||||
(
|
||||
name = "ExFreePoolWithTag" and argNum = 0
|
||||
or
|
||||
name = "ExFreeToLookasideListEx" and argNum = 1
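Review bot: The names guarded by the added `f.hasGlobalOrStdName(name) and` in `freeFunction` are `ExFreePoolWithTag` and `ExFreeToLookasideListEx`, which are not standard-library functions, while `free` and `realloc` sit in the group that is closed just above it. The qualifier for that first group is above the hunk and not shown; if it is still `f.hasGlobalName(name) and`, calls to `std::free` and `std::realloc` are not treated as deallocation and the memory-management queries built on this predicate will miss them. It looks as if the two qualifiers are swapped: the first group should read `f.hasGlobalOrStdName(name) and` and this one `f.hasGlobalName(name) and`, which is how the `allocationFunction` hunk in the same file splits its names. `freeFunction` starts and ends outside the hunk.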
|
||||
|
|
|
@ -28,7 +28,7 @@ class EnvironmentRead extends Expr {
|
|||
private predicate readsEnvironment(Expr read, string sourceDescription) {
|
||||
exists(FunctionCall call, string name |
|
||||
read = call and
|
||||
call.getTarget().hasGlobalName(name) and
|
||||
call.getTarget().hasGlobalOrStdName(name) and
|
||||
(name = "getenv" or name = "secure_getenv" or name = "_wgetenv") and
|
||||
sourceDescription = name
|
||||
)
|
||||
|
|
|
@ -5,7 +5,7 @@ import cpp
|
|||
*/
|
||||
predicate fopenCall(FunctionCall fc) {
|
||||
exists(Function f | f = fc.getTarget() |
|
||||
f.hasGlobalName("fopen") or
|
||||
f.hasGlobalOrStdName("fopen") or
|
||||
f.hasGlobalName("open") or
|
||||
f.hasGlobalName("_open") or
|
||||
f.hasGlobalName("_wopen") or
|
||||
|
@ -23,7 +23,7 @@ predicate fopenCall(FunctionCall fc) {
|
|||
*/
|
||||
predicate fcloseCall(FunctionCall fc, Expr closed) {
|
||||
exists(Function f | f = fc.getTarget() |
|
||||
f.hasGlobalName("fclose") and
|
||||
f.hasGlobalOrStdName("fclose") and
|
||||
closed = fc.getArgument(0)
|
||||
or
|
||||
f.hasGlobalName("close") and
|
||||
|
@ -32,7 +32,7 @@ predicate fcloseCall(FunctionCall fc, Expr closed) {
|
|||
f.hasGlobalName("_close") and
|
||||
closed = fc.getArgument(0)
|
||||
or
|
||||
f.hasGlobalName("CloseHandle") and
|
||||
f.hasGlobalOrStdName("CloseHandle") and
|
||||
closed = fc.getArgument(0)
|
||||
)
|
||||
}
|
||||
|
|
|
@ -53,8 +53,8 @@ class AnalysedString extends Expr {
|
|||
*/
|
||||
class StrlenCall extends FunctionCall {
|
||||
StrlenCall() {
|
||||
this.getTarget().hasGlobalName("strlen") or
|
||||
this.getTarget().hasGlobalName("wcslen") or
|
||||
this.getTarget().hasGlobalOrStdName("strlen") or
|
||||
this.getTarget().hasGlobalOrStdName("wcslen") or
|
||||
this.getTarget().hasGlobalName("_mbslen") or
|
||||
this.getTarget().hasGlobalName("_mbslen_l") or
|
||||
this.getTarget().hasGlobalName("_mbstrlen") or
|
||||
|
|
|
@ -6,7 +6,7 @@ import Nullness
|
|||
*/
|
||||
predicate callDereferences(FunctionCall fc, int i) {
|
||||
exists(string name |
|
||||
fc.getTarget().hasGlobalName(name) and
|
||||
fc.getTarget().hasGlobalOrStdName(name) and
|
||||
(
|
||||
name = "bcopy" and i in [0 .. 1]
|
||||
or
|
||||
|
|
|
@ -264,9 +264,9 @@ predicate callMayReturnNull(Call call) {
|
|||
* Holds if `f` may, directly or indirectly, return a null literal.
|
||||
*/
|
||||
predicate mayReturnNull(Function f) {
|
||||
f.hasGlobalName("malloc")
|
||||
f.hasGlobalOrStdName("malloc")
|
||||
or
|
||||
f.hasGlobalName("calloc")
|
||||
f.hasGlobalOrStdName("calloc")
|
||||
or
|
||||
// f.hasGlobalName("strchr")
|
||||
// or
|
||||
|
|
|
@ -7,9 +7,9 @@ class Printf extends FormattingFunction {
|
|||
Printf() {
|
||||
this instanceof TopLevelFunction and
|
||||
(
|
||||
hasGlobalName("printf") or
|
||||
hasGlobalOrStdName("printf") or
|
||||
hasGlobalName("printf_s") or
|
||||
hasGlobalName("wprintf") or
|
||||
hasGlobalOrStdName("wprintf") or
|
||||
hasGlobalName("wprintf_s") or
|
||||
hasGlobalName("g_printf")
|
||||
) and
|
||||
|
@ -19,7 +19,7 @@ class Printf extends FormattingFunction {
|
|||
override int getFormatParameterIndex() { result = 0 }
|
||||
|
||||
override predicate isWideCharDefault() {
|
||||
hasGlobalName("wprintf") or
|
||||
hasGlobalOrStdName("wprintf") or
|
||||
hasGlobalName("wprintf_s")
|
||||
}
|
||||
}
|
||||
|
@ -31,8 +31,8 @@ class Fprintf extends FormattingFunction {
|
|||
Fprintf() {
|
||||
this instanceof TopLevelFunction and
|
||||
(
|
||||
hasGlobalName("fprintf") or
|
||||
hasGlobalName("fwprintf") or
|
||||
hasGlobalOrStdName("fprintf") or
|
||||
hasGlobalOrStdName("fwprintf") or
|
||||
hasGlobalName("g_fprintf")
|
||||
) and
|
||||
not exists(getDefinition().getFile().getRelativePath())
|
||||
|
@ -40,7 +40,7 @@ class Fprintf extends FormattingFunction {
|
|||
|
||||
override int getFormatParameterIndex() { result = 1 }
|
||||
|
||||
override predicate isWideCharDefault() { hasGlobalName("fwprintf") }
|
||||
override predicate isWideCharDefault() { hasGlobalOrStdName("fwprintf") }
|
||||
|
||||
override int getOutputParameterIndex() { result = 0 }
|
||||
}
|
||||
|
@ -52,10 +52,10 @@ class Sprintf extends FormattingFunction {
|
|||
Sprintf() {
|
||||
this instanceof TopLevelFunction and
|
||||
(
|
||||
hasGlobalName("sprintf") or
|
||||
hasGlobalOrStdName("sprintf") or
|
||||
hasGlobalName("_sprintf_l") or
|
||||
hasGlobalName("__swprintf_l") or
|
||||
hasGlobalName("wsprintf") or
|
||||
hasGlobalOrStdName("wsprintf") or
|
||||
hasGlobalName("g_strdup_printf") or
|
||||
hasGlobalName("g_sprintf") or
|
||||
hasGlobalName("__builtin___sprintf_chk")
|
||||
|
@ -99,8 +99,8 @@ class Snprintf extends FormattingFunction {
|
|||
Snprintf() {
|
||||
this instanceof TopLevelFunction and
|
||||
(
|
||||
hasGlobalName("snprintf") or // C99 defines snprintf
|
||||
hasGlobalName("swprintf") or // The s version of wide-char printf is also always the n version
|
||||
hasGlobalOrStdName("snprintf") or // C99 defines snprintf
|
||||
hasGlobalOrStdName("swprintf") or // The s version of wide-char printf is also always the n version
|
||||
// Microsoft has _snprintf as well as several other variations
|
||||
hasGlobalName("sprintf_s") or
|
||||
hasGlobalName("snprintf_s") or
|
||||
|
@ -160,7 +160,7 @@ class Snprintf extends FormattingFunction {
|
|||
*/
|
||||
predicate returnsFullFormatLength() {
|
||||
(
|
||||
hasGlobalName("snprintf") or
|
||||
hasGlobalOrStdName("snprintf") or
|
||||
hasGlobalName("g_snprintf") or
|
||||
hasGlobalName("__builtin___snprintf_chk") or
|
||||
hasGlobalName("snprintf_s")
|
||||
|
|
|
@ -6,7 +6,7 @@ import semmle.code.cpp.models.interfaces.SideEffect
|
|||
class PureStrFunction extends AliasFunction, ArrayFunction, TaintFunction, SideEffectFunction {
|
||||
PureStrFunction() {
|
||||
exists(string name |
|
||||
hasGlobalName(name) and
|
||||
hasGlobalOrStdName(name) and
|
||||
(
|
||||
name = "atof" or
|
||||
name = "atoi" or
|
||||
|
@ -75,7 +75,7 @@ class PureStrFunction extends AliasFunction, ArrayFunction, TaintFunction, SideE
|
|||
class PureFunction extends TaintFunction, SideEffectFunction {
|
||||
PureFunction() {
|
||||
exists(string name |
|
||||
hasGlobalName(name) and
|
||||
hasGlobalOrStdName(name) and
|
||||
(
|
||||
name = "abs" or
|
||||
name = "labs"
|
||||
|
|
|
@ -8,7 +8,7 @@ import semmle.code.cpp.security.FunctionWithWrappers
|
|||
*/
|
||||
class SystemFunction extends FunctionWithWrappers {
|
||||
SystemFunction() {
|
||||
hasGlobalName("system") or
|
||||
hasGlobalOrStdName("system") or
|
||||
hasGlobalName("popen") or
|
||||
// Windows variants
|
||||
hasGlobalName("_popen") or
|
||||
|
|
|
@ -125,7 +125,7 @@ private predicate fileWrite(Call write, Expr source, Expr dest) {
|
|||
exists(Function f, int s, int d |
|
||||
f = write.getTarget() and source = write.getArgument(s) and dest = write.getArgument(d)
|
||||
|
|
||||
exists(string name | f.hasGlobalName(name) |
|
||||
exists(string name | f.hasGlobalOrStdName(name) |
|
||||
// named functions
|
||||
name = "fwrite" and s = 0 and d = 3
|
||||
or
|
||||
|
|
|
@ -63,8 +63,8 @@ private predicate outputWrite(Expr write, Expr source) {
|
|||
or
|
||||
// puts, putchar
|
||||
(
|
||||
f.hasGlobalName("puts") or
|
||||
f.hasGlobalName("putchar")
|
||||
f.hasGlobalOrStdName("puts") or
|
||||
f.hasGlobalOrStdName("putchar")
|
||||
) and
|
||||
arg = 0
|
||||
or
|
||||
|
|
|
@ -70,11 +70,9 @@ class SecurityOptions extends string {
|
|||
*/
|
||||
predicate userInputArgument(FunctionCall functionCall, int arg) {
|
||||
exists(string fname |
|
||||
functionCall.getTarget().hasGlobalName(fname) and
|
||||
functionCall.getTarget().hasGlobalOrStdName(fname) and
|
||||
exists(functionCall.getArgument(arg)) and
|
||||
(
|
||||
fname = "read" and arg = 1
|
||||
or
|
||||
fname = "fread" and arg = 0
|
||||
or
|
||||
fname = "fgets" and arg = 0
|
||||
|
@ -83,6 +81,16 @@ class SecurityOptions extends string {
|
|||
or
|
||||
fname = "gets" and arg = 0
|
||||
or
|
||||
fname = "scanf" and arg >= 1
|
||||
or
|
||||
fname = "fscanf" and arg >= 2
|
||||
)
|
||||
or
|
||||
functionCall.getTarget().hasGlobalName(fname) and
|
||||
exists(functionCall.getArgument(arg)) and
|
||||
(
|
||||
fname = "read" and arg = 1
|
||||
or
|
||||
fname = "getaddrinfo" and arg = 3
|
||||
or
|
||||
fname = "recv" and arg = 1
|
||||
|
@ -91,10 +99,6 @@ class SecurityOptions extends string {
|
|||
(arg = 1 or arg = 4 or arg = 5)
|
||||
or
|
||||
fname = "recvmsg" and arg = 1
|
||||
or
|
||||
fname = "scanf" and arg >= 1
|
||||
or
|
||||
fname = "fscanf" and arg >= 2
|
||||
)
|
||||
)
|
||||
}
|
||||
|
|
|
@ -425,41 +425,41 @@ private int maxArgIndex(Function f) {
|
|||
|
||||
/** Functions that copy the value of one argument to another */
|
||||
private predicate copyValueBetweenArguments(Function f, int sourceArg, int destArg) {
|
||||
f.hasGlobalName("memcpy") and sourceArg = 1 and destArg = 0
|
||||
f.hasGlobalOrStdName("memcpy") and sourceArg = 1 and destArg = 0
|
||||
or
|
||||
f.hasGlobalName("__builtin___memcpy_chk") and sourceArg = 1 and destArg = 0
|
||||
or
|
||||
f.hasGlobalName("memmove") and sourceArg = 1 and destArg = 0
|
||||
f.hasGlobalOrStdName("memmove") and sourceArg = 1 and destArg = 0
|
||||
or
|
||||
f.hasGlobalName("strcat") and sourceArg = 1 and destArg = 0
|
||||
f.hasGlobalOrStdName("strcat") and sourceArg = 1 and destArg = 0
|
||||
or
|
||||
f.hasGlobalName("_mbscat") and sourceArg = 1 and destArg = 0
|
||||
or
|
||||
f.hasGlobalName("wcsncat") and sourceArg = 1 and destArg = 0
|
||||
f.hasGlobalOrStdName("wcscat") and sourceArg = 1 and destArg = 0
|
||||
or
|
||||
f.hasGlobalName("strncat") and sourceArg = 1 and destArg = 0
|
||||
f.hasGlobalOrStdName("strncat") and sourceArg = 1 and destArg = 0
|
||||
or
|
||||
f.hasGlobalName("_mbsncat") and sourceArg = 1 and destArg = 0
|
||||
or
|
||||
f.hasGlobalName("wcsncat") and sourceArg = 1 and destArg = 0
|
||||
or
|
||||
f.hasGlobalName("strcpy") and sourceArg = 1 and destArg = 0
|
||||
f.hasGlobalOrStdName("strcpy") and sourceArg = 1 and destArg = 0
|
||||
or
|
||||
f.hasGlobalName("_mbscpy") and sourceArg = 1 and destArg = 0
|
||||
or
|
||||
f.hasGlobalName("wcscpy") and sourceArg = 1 and destArg = 0
|
||||
f.hasGlobalOrStdName("wcscpy") and sourceArg = 1 and destArg = 0
|
||||
or
|
||||
f.hasGlobalName("strncpy") and sourceArg = 1 and destArg = 0
|
||||
f.hasGlobalOrStdName("strncpy") and sourceArg = 1 and destArg = 0
|
||||
or
|
||||
f.hasGlobalName("_mbsncpy") and sourceArg = 1 and destArg = 0
|
||||
or
|
||||
f.hasGlobalName("wcsncpy") and sourceArg = 1 and destArg = 0
|
||||
f.hasGlobalOrStdName("wcsncpy") and sourceArg = 1 and destArg = 0
|
||||
or
|
||||
f.hasGlobalName("inet_aton") and sourceArg = 0 and destArg = 1
|
||||
or
|
||||
f.hasGlobalName("inet_pton") and sourceArg = 1 and destArg = 2
|
||||
or
|
||||
f.hasGlobalName("strftime") and sourceArg in [2 .. maxArgIndex(f)] and destArg = 0
|
||||
f.hasGlobalOrStdName("strftime") and sourceArg in [2 .. maxArgIndex(f)] and destArg = 0
|
||||
or
|
||||
exists(FormattingFunction ff | ff = f |
|
||||
sourceArg in [ff.getFormatParameterIndex() .. maxArgIndex(f)] and
|
||||
|
@ -473,31 +473,31 @@ private predicate returnArgument(Function f, int sourceArg) {
|
|||
or
|
||||
f.hasGlobalName("__builtin___memcpy_chk") and sourceArg = 0
|
||||
or
|
||||
f.hasGlobalName("memmove") and sourceArg = 0
|
||||
f.hasGlobalOrStdName("memmove") and sourceArg = 0
|
||||
or
|
||||
f.hasGlobalName("strcat") and sourceArg = 0
|
||||
f.hasGlobalOrStdName("strcat") and sourceArg = 0
|
||||
or
|
||||
f.hasGlobalName("_mbscat") and sourceArg = 0
|
||||
or
|
||||
f.hasGlobalName("wcsncat") and sourceArg = 0
|
||||
f.hasGlobalOrStdName("wcsncat") and sourceArg = 0
|
||||
or
|
||||
f.hasGlobalName("strncat") and sourceArg = 0
|
||||
f.hasGlobalOrStdName("strncat") and sourceArg = 0
|
||||
or
|
||||
f.hasGlobalName("_mbsncat") and sourceArg = 0
|
||||
or
|
||||
f.hasGlobalName("wcsncat") and sourceArg = 0
|
||||
f.hasGlobalOrStdName("wcsncat") and sourceArg = 0
|
||||
or
|
||||
f.hasGlobalName("strcpy") and sourceArg = 0
|
||||
f.hasGlobalOrStdName("strcpy") and sourceArg = 0
|
||||
or
|
||||
f.hasGlobalName("_mbscpy") and sourceArg = 0
|
||||
or
|
||||
f.hasGlobalName("wcscpy") and sourceArg = 0
|
||||
f.hasGlobalOrStdName("wcscpy") and sourceArg = 0
|
||||
or
|
||||
f.hasGlobalName("strncpy") and sourceArg = 0
|
||||
f.hasGlobalOrStdName("strncpy") and sourceArg = 0
|
||||
or
|
||||
f.hasGlobalName("_mbsncpy") and sourceArg = 0
|
||||
or
|
||||
f.hasGlobalName("wcsncpy") and sourceArg = 0
|
||||
f.hasGlobalOrStdName("wcsncpy") and sourceArg = 0
|
||||
or
|
||||
f.hasGlobalName("inet_ntoa") and sourceArg = 0
|
||||
or
|
||||
|
|