github
diff --git a/‎…ikely Typos/UsingStrcpyInConditional.cpp‎ ‎…gs/Likely Typos/UsingStrcpyAsBoolean.cpp‎cpp/ql/src/Likely Bugs/Likely Typos/UsingStrcpyInConditional.cpp renamed to cpp/ql/src/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean.cpp b/‎…ikely Typos/UsingStrcpyInConditional.cpp‎ ‎…gs/Likely Typos/UsingStrcpyAsBoolean.cpp‎cpp/ql/src/Likely Bugs/Likely Typos/UsingStrcpyInConditional.cpp renamed to cpp/ql/src/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean.cpp
diff --git a/‎…ely Typos/UsingStrcpyInConditional.qhelp‎ ‎…/Likely Typos/UsingStrcpyAsBoolean.qhelp‎cpp/ql/src/Likely Bugs/Likely Typos/UsingStrcpyInConditional.qhelp renamed to cpp/ql/src/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean.qhelp
Lines changed: 14 additions & 13 deletions b/‎…ely Typos/UsingStrcpyInConditional.qhelp‎ ‎…/Likely Typos/UsingStrcpyAsBoolean.qhelp‎cpp/ql/src/Likely Bugs/Likely Typos/UsingStrcpyInConditional.qhelp renamed to cpp/ql/src/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean.qhelp
Lines changed: 14 additions & 13 deletions
diff --git a/‎cpp/ql/src/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean.ql‎
Lines changed: 92 additions & 0 deletions b/‎cpp/ql/src/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean.ql‎
Lines changed: 92 additions & 0 deletions
diff --git a/‎cpp/ql/src/Likely Bugs/Likely Typos/UsingStrcpyInConditional.ql‎
Lines changed: 0 additions & 45 deletions b/‎cpp/ql/src/Likely Bugs/Likely Typos/UsingStrcpyInConditional.ql‎
Lines changed: 0 additions & 45 deletions
diff --git a/‎cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/UsingStrcpyAsBoolean.expected‎
Lines changed: 34 additions & 0 deletions b/‎cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/UsingStrcpyAsBoolean.expected‎
Lines changed: 34 additions & 0 deletions
diff --git a/‎cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/UsingStrcpyAsBoolean.qlref‎
Lines changed: 1 addition & 0 deletions b/‎cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/UsingStrcpyAsBoolean.qlref‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎…ly Typos/UsingStrcpyInConditional/test.c‎ ‎…Likely Typos/UsingStrcpyAsBoolean/test.c‎cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyInConditional/test.c renamed to cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/test.c
Lines changed: 4 additions & 0 deletions b/‎…ly Typos/UsingStrcpyInConditional/test.c‎ ‎…Likely Typos/UsingStrcpyAsBoolean/test.c‎cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyInConditional/test.c renamed to cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/test.c
Lines changed: 4 additions & 0 deletions
diff --git a/‎… Typos/UsingStrcpyInConditional/test.cpp‎ ‎…kely Typos/UsingStrcpyAsBoolean/test.cpp‎cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyInConditional/test.cpp renamed to cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/test.cpp
Lines changed: 5 additions & 0 deletions b/‎… Typos/UsingStrcpyInConditional/test.cpp‎ ‎…kely Typos/UsingStrcpyAsBoolean/test.cpp‎cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyInConditional/test.cpp renamed to cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/test.cpp
Lines changed: 5 additions & 0 deletions
diff --git a/‎cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyInConditional/UsingStrcpyInConditional.expected‎
Lines changed: 0 additions & 18 deletions b/‎cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyInConditional/UsingStrcpyInConditional.expected‎
Lines changed: 0 additions & 18 deletions
diff --git a/‎cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyInConditional/UsingStrcpyInConditional.qlref‎
Lines changed: 0 additions & 1 deletion b/‎cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyInConditional/UsingStrcpyInConditional.qlref‎
Lines changed: 0 additions & 1 deletion
@@ -9,18 +9,19 @@ and that do not have a return value reserved to indicate an error.</p>
 
 <p>The rule flags occurrences using such string copy functions as the conditional of an <code>if</code> statement, either directly, as part of an equality operator or a logical operator.</p>
 
-<p>The string copy functions that the rule takes into consideration are: 
-<li>strcpy</li>
-<li>wcscpy</li>
-<li>_mbscpy</li>
-<li>strncpy</li>
-<li>_strncpy_l</li>
-<li>wcsncpy</li>
-<li>_wcsncpy_l</li>
-<li>_mbsncpy</li>
-<li>_mbsncpy_l</li>
-</p>
-
+<p>The string copy functions that the rule takes into consideration are: </p>
+<ul>
+  <li>strcpy</li>
+  <li>wcscpy</li>
+  <li>_mbscpy</li>
+  <li>strncpy</li>
+  <li>_strncpy_l</li>
+  <li>wcsncpy</li>
+  <li>_wcsncpy_l</li>
+  <li>_mbsncpy</li>
+  <li>_mbsncpy_l</li>
+</ul>
+  
 <p>NOTE: It is highly recommended to consider using a more secure version of string manipulation functions suchas as <code>strcpy_s</code>.</p>
 
 </overview>
@@ -30,7 +31,7 @@ and that do not have a return value reserved to indicate an error.</p>
   <p>If a string copy is really intended, very likely a secure version of the string copy function such as <code>strcpy_s</code> was intended instead of the insecure version of the string copy function.</p>
 
 </recommendation>
-<example><sample src="UsingStrcpyInConditional.cpp" />
+<example><sample src="UsingStrcpyAsBoolean.cpp" />
 </example>
 
 <references>
 
@@ -0,0 +1,92 @@
+/**
+ * @name Using the return value of a strcpy or related string copy function as a boolean operator
+ * @description The return value for strcpy, strncpy, or related string copy functions have no reserved return value to indicate an error.
+ *              Using the return values of these functions as boolean function .
+ *              Either the intent was to use a more secure version of a string copy function (such as strcpy_s), or a string compare function (such as strcmp).
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @id cpp/string-copy-return-value-as-boolean
+ * @tags external/microsoft/C6324
+ */
+
+import cpp
+import semmle.code.cpp.dataflow.DataFlow
+
+predicate isStringComparisonFunction(string functionName) {
+  functionName = "strcpy"
+  or functionName = "wcscpy"
+  or functionName = "_mbscpy"
+  or functionName = "strncpy"
+  or functionName = "_strncpy_l"
+  or functionName = "wcsncpy"
+  or functionName = "_wcsncpy_l"
+  or functionName = "_mbsncpy"
+  or functionName = "_mbsncpy_l"
+}
+
+predicate isBoolean( Expr e1 )
+{
+  exists ( Type t1 |
+    t1 = e1.getType() and
+    (t1.hasName("bool") or t1.hasName("BOOL") or t1.hasName("_Bool"))
+  )
+}
+
+class StringCopyToBooleanConfiguration extends DataFlow::Configuration {
+  StringCopyToBooleanConfiguration() {
+    this = "StringCopyToBooleanConfiguration"
+  }
+
+  override predicate isSource(DataFlow::Node source) {
+    exists( FunctionCall func |
+      func = source.asExpr()
+      and isStringComparisonFunction( func.getTarget().getQualifiedName())
+    )
+  }
+ 
+  override predicate isSink(DataFlow::Node sink) {
+    exists( Expr expr1 |
+      expr1 = sink.asExpr()
+      and isBoolean( expr1.getConversion*())
+    )
+  }
+}
+
+predicate isStringCopyCastedAsBoolean( FunctionCall func, Expr expr1, string msg ) {
+  exists( StringCopyToBooleanConfiguration modeConfig |
+    modeConfig.hasFlow(DataFlow::exprNode(func), DataFlow::exprNode(expr1))
+    and msg = "Return Value of " + func.getTarget().getQualifiedName() + " used as boolean."
+  )
+}
+
+predicate isStringCopyUsedInCondition( FunctionCall func, Expr expr1, string msg ) {
+  exists( ConditionalStmt condstmt |
+    condstmt.getAChild() = expr1 |
+    isStringComparisonFunction( func.getTarget().getQualifiedName() )
+    and ( 
+      // The string copy function is used directly as the conditional expression
+      func = condstmt.getChild(0)
+      // ... or it is being used in an equality or logical operation 
+      or exists( EqualityOperation eop |
+        eop = expr1
+        and func = eop.getAChild()
+      )
+      or exists( UnaryLogicalOperation ule |
+        expr1 = ule
+        and func = ule.getAChild()
+      )
+      or exists( BinaryLogicalOperation ble |
+        expr1 = ble
+        and func = ble.getAChild()
+      )
+    )
+    and msg = "Return Value of " + func.getTarget().getQualifiedName() + " used in a conditional."
+  )
+}
+
+from FunctionCall func, Expr expr1, string msg
+where 
+  isStringCopyCastedAsBoolean(func, expr1, msg)
+  or isStringCopyUsedInCondition(func, expr1, msg)
+select expr1, msg
@@ -0,0 +1,34 @@
+| test.c:33:9:33:14 | call to strcpy | Return Value of strcpy used in a conditional. |
+| test.c:37:9:37:31 | ! ... | Return Value of strcpy used in a conditional. |
+| test.c:41:9:41:35 | ... == ... | Return Value of strcpy used in a conditional. |
+| test.c:45:9:45:48 | ... && ... | Return Value of strcpy used in a conditional. |
+| test.c:49:9:49:15 | call to strncpy | Return Value of strncpy used in a conditional. |
+| test.c:53:6:53:34 | ! ... | Return Value of strncpy used in a conditional. |
+| test.cpp:75:9:75:14 | call to strcpy | Return Value of strcpy used as boolean. |
+| test.cpp:75:9:75:14 | call to strcpy | Return Value of strcpy used in a conditional. |
+| test.cpp:79:9:79:31 | ! ... | Return Value of strcpy used in a conditional. |
+| test.cpp:79:10:79:15 | call to strcpy | Return Value of strcpy used as boolean. |
+| test.cpp:83:9:83:35 | ... == ... | Return Value of strcpy used in a conditional. |
+| test.cpp:87:9:87:48 | ... && ... | Return Value of strcpy used in a conditional. |
+| test.cpp:87:27:87:32 | call to strcpy | Return Value of strcpy used as boolean. |
+| test.cpp:91:9:91:37 | call to wcscpy | Return Value of wcscpy used as boolean. |
+| test.cpp:91:9:91:37 | call to wcscpy | Return Value of wcscpy used in a conditional. |
+| test.cpp:95:9:95:14 | call to wcscpy | Return Value of wcscpy used as boolean. |
+| test.cpp:95:9:95:14 | call to wcscpy | Return Value of wcscpy used in a conditional. |
+| test.cpp:99:9:99:15 | call to _mbscpy | Return Value of _mbscpy used as boolean. |
+| test.cpp:99:9:99:15 | call to _mbscpy | Return Value of _mbscpy used in a conditional. |
+| test.cpp:103:9:103:15 | call to strncpy | Return Value of strncpy used as boolean. |
+| test.cpp:103:9:103:15 | call to strncpy | Return Value of strncpy used in a conditional. |
+| test.cpp:107:9:107:15 | call to wcsncpy | Return Value of wcsncpy used as boolean. |
+| test.cpp:107:9:107:15 | call to wcsncpy | Return Value of wcsncpy used in a conditional. |
+| test.cpp:111:9:111:16 | call to _mbsncpy | Return Value of _mbsncpy used as boolean. |
+| test.cpp:111:9:111:16 | call to _mbsncpy | Return Value of _mbsncpy used in a conditional. |
+| test.cpp:115:9:115:18 | call to _strncpy_l | Return Value of _strncpy_l used as boolean. |
+| test.cpp:115:9:115:18 | call to _strncpy_l | Return Value of _strncpy_l used in a conditional. |
+| test.cpp:119:9:119:18 | call to _wcsncpy_l | Return Value of _wcsncpy_l used as boolean. |
+| test.cpp:119:9:119:18 | call to _wcsncpy_l | Return Value of _wcsncpy_l used in a conditional. |
+| test.cpp:123:9:123:18 | call to _mbsncpy_l | Return Value of _mbsncpy_l used as boolean. |
+| test.cpp:123:9:123:18 | call to _mbsncpy_l | Return Value of _mbsncpy_l used in a conditional. |
+| test.cpp:127:6:127:34 | ! ... | Return Value of strncpy used in a conditional. |
+| test.cpp:127:7:127:13 | call to strncpy | Return Value of strncpy used as boolean. |
+| test.cpp:131:11:131:17 | call to strncpy | Return Value of strncpy used as boolean. |
@@ -0,0 +1 @@
+Likely Bugs/Likely Typos/UsingStrcpyAsBoolean.ql
@@ -49,6 +49,10 @@ void PositiveCases()
     if (strncpy(szbuf1, "test", 100))  // Bug
     {
     }
+
+	if (!strncpy(szbuf1, "test", 100))  // Bug
+	{
+	}
 }
 
 void NegativeCases()
 
@@ -124,6 +124,11 @@ void PositiveCases()
     {
     }
 
+	if (!strncpy(szbuf1, "test", 100))  // Bug
+	{
+	}
+
+	bool b = strncpy(szbuf1, "test", 100);
 }
 
 void NegativeCases()
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Likely Bugs/Likely Typos/UsingStrcpyAsBoolean.ql`
Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,10 @@ void PositiveCases()`
`49`	`49`	`if (strncpy(szbuf1, "test", 100)) // Bug`
`50`	`50`	`{`
`51`	`51`	`}`
	`52`	`+`
	`53`	`+ if (!strncpy(szbuf1, "test", 100)) // Bug`
	`54`	`+ {`
	`55`	`+ }`
`52`	`56`	`}`
`53`	`57`
`54`	`58`	`void NegativeCases()`
Original file line number	Diff line number	Diff line change
`@@ -124,6 +124,11 @@ void PositiveCases()`
`124`	`124`	`{`
`125`	`125`	`}`
`126`	`126`
	`127`	`+ if (!strncpy(szbuf1, "test", 100)) // Bug`
	`128`	`+ {`
	`129`	`+ }`
	`130`	`+`
	`131`	`+ bool b = strncpy(szbuf1, "test", 100);`
`127`	`132`	`}`
`128`	`133`
`129`	`134`	`void NegativeCases()`