Merge pull request #739 from jbj/strcpy-fixups

geoffw0 · web-flow · commit 45476f304796 · 2019-01-24T17:50:40.000Z
C++: Clean up "Use of string copy function in a condition" query
diff --git a/change-notes/1.20/analysis-cpp.md b/change-notes/1.20/analysis-cpp.md
@@ -8,6 +8,7 @@
 
 | **Query**                   | **Tags**  | **Purpose**                                                        |
 |-----------------------------|-----------|--------------------------------------------------------------------|
+| Use of string copy function in a condition (`cpp/string-copy-return-value-as-boolean`) | correctness | This query identifies calls to string copy functions used in conditions, where it's likely that a different function was intended to be called. |
 | Lossy function result cast (`cpp/lossy-function-result-cast`) | correctness | Finds function calls whose result type is a floating point type, which are implicitly cast to an integral type.  Newly available but not displayed by default on LGTM. |
 
 ## Changes to existing queries
diff --git a/cpp/ql/src/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean.qhelp b/cpp/ql/src/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean.qhelp
@@ -4,25 +4,27 @@
 <qhelp>
 
 <overview>
-<p>This rule finds uses of the string copy function calls that return the <code>destination</code> parameter, 
-and that do not have a return value reserved to indicate an error.</p>
+<p>This query identifies calls to string copy functions used in conditions, either
+directly or as part of an equality operator or logical operator. The most
+common string copy functions always return their <code>destination</code>
+parameter and do not have a return value reserved to indicate an error.
+Therefore, such a function call always evaluates to true in a Boolean
+context.</p>
 
-<p>The rule flags occurrences using such string copy functions as the conditional of an <code>if</code> statement, either directly, as part of an equality operator or a logical operator.</p>
-  
-<p>The string copy functions that the rule takes into consideration are: </p>
+<p>The string copy functions that the rule takes into consideration are:</p>
 <ul>
-  <li>strcpy</li>
-  <li>wcscpy</li>
-  <li>_mbscpy</li>
-  <li>strncpy</li>
-  <li>_strncpy_l</li>
-  <li>wcsncpy</li>
-  <li>_wcsncpy_l</li>
-  <li>_mbsncpy</li>
-  <li>_mbsncpy_l</li>
+  <li><code>strcpy</code></li>
+  <li><code>wcscpy</code></li>
+  <li><code>_mbscpy</code></li>
+  <li><code>strncpy</code></li>
+  <li><code>_strncpy_l</code></li>
+  <li><code>wcsncpy</code></li>
+  <li><code>_wcsncpy_l</code></li>
+  <li><code>_mbsncpy</code></li>
+  <li><code>_mbsncpy_l</code></li>
 </ul>
-  
-<p>NOTE: It is highly recommended to consider using a more secure version of string manipulation functions suchas as <code>strcpy_s</code>.</p>
+
+<p>NOTE: It is highly recommended to consider using a more secure version of string manipulation functions such as as <code>strcpy_s</code>.</p>
 
 </overview>
 <recommendation>
@@ -35,9 +37,9 @@ and that do not have a return value reserved to indicate an error.</p>
 </example>
 
 <references>
-<li>Microsoft Books on Line: <a href="https://docs.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2012/ccf4h9w8(v=vs.110)">C6324</a></li>
-<li>Microsoft Books on Line: <a href="https://docs.microsoft.com/en-us/cpp/c-runtime-library/reference/strcpy-wcscpy-mbscpy?view=vs-2017">strcpy, wcscpy, _mbscpy</a></li>
-<li>US-CERT: <a href="https://www.us-cert.gov/bsi/articles/knowledge/coding-practices/strcpy_s-and-strcat_s">strncpy_s() and strncat_s()</a></li>
+<li>Microsoft Code Analysis for C/C++ Warnings: <a href="https://docs.microsoft.com/en-us/previous-versions/visualstudio/visual-studio-2012/ccf4h9w8(v=vs.110)">C6324</a></li>
+<li>Microsoft C library reference: <a href="https://docs.microsoft.com/en-us/cpp/c-runtime-library/reference/strcpy-wcscpy-mbscpy">strcpy, wcscpy, _mbscpy</a></li>
+<li>US-CERT: <a href="https://www.us-cert.gov/bsi/articles/knowledge/coding-practices/strcpy_s-and-strcat_s">strcpy_s() and strcat_s()</a></li>
 
 </references>
 </qhelp>
diff --git a/cpp/ql/src/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean.ql b/cpp/ql/src/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean.ql
@@ -1,77 +1,90 @@
 /**
- * @name Using the return value of a strcpy or related string copy function as a boolean operator
- * @description The return value for strcpy, strncpy, or related string copy functions have no reserved return value to indicate an error.
- *              Using the return values of these functions as boolean function .
- *              Either the intent was to use a more secure version of a string copy function (such as strcpy_s), or a string compare function (such as strcmp).
+ * @name Use of string copy function in a condition
+ * @description The return value for strcpy, strncpy, or related string copy
+ *              functions have no reserved return value to indicate an error.
+ *              Using them in a condition is likely to be a logic error.
  * @kind problem
  * @problem.severity error
  * @precision high
  * @id cpp/string-copy-return-value-as-boolean
  * @tags external/microsoft/C6324
+ *       correctness
  */
 
 import cpp
 import semmle.code.cpp.dataflow.DataFlow
 
 predicate isStringComparisonFunction(string functionName) {
-  functionName = "strcpy"
-  or functionName = "wcscpy"
-  or functionName = "_mbscpy"
-  or functionName = "strncpy"
-  or functionName = "_strncpy_l"
-  or functionName = "wcsncpy"
-  or functionName = "_wcsncpy_l"
-  or functionName = "_mbsncpy"
-  or functionName = "_mbsncpy_l"
+  functionName = "strcpy" or
+  functionName = "wcscpy" or
+  functionName = "_mbscpy" or
+  functionName = "strncpy" or
+  functionName = "_strncpy_l" or
+  functionName = "wcsncpy" or
+  functionName = "_wcsncpy_l" or
+  functionName = "_mbsncpy" or
+  functionName = "_mbsncpy_l"
 }
 
-predicate isBoolean( Expr e1 )
-{
-  exists ( Type t1 |
+predicate isBoolean(Expr e1) {
+  exists(Type t1 |
     t1 = e1.getType() and
     (t1.hasName("bool") or t1.hasName("BOOL") or t1.hasName("_Bool"))
   )
 }
 
-predicate isStringCopyCastedAsBoolean( FunctionCall func, Expr expr1, string msg ) {
-  DataFlow::localFlow(DataFlow::exprNode(func), DataFlow::exprNode(expr1))
-  and isBoolean( expr1.getConversion*())
-  and isStringComparisonFunction( func.getTarget().getQualifiedName())
-  and msg = "Return Value of " + func.getTarget().getQualifiedName() + " used as boolean."
+predicate isStringCopyCastedAsBoolean(FunctionCall func, Expr expr1, string msg) {
+  DataFlow::localFlow(DataFlow::exprNode(func), DataFlow::exprNode(expr1)) and
+  isBoolean(expr1.getConversion*()) and
+  isStringComparisonFunction(func.getTarget().getName()) and
+  msg = "Return value of " + func.getTarget().getName() + " used as a Boolean."
 }
 
-predicate isStringCopyUsedInLogicalOperationOrCondition( FunctionCall func, Expr expr1, string msg ) {
-    isStringComparisonFunction( func.getTarget().getQualifiedName() )
-    and ((( 
-      // it is being used in an equality or logical operation 
-      exists( EqualityOperation eop |
-        eop = expr1
-        and func = eop.getAChild()
+predicate isStringCopyUsedInLogicalOperationOrCondition(FunctionCall func, Expr expr1, string msg) {
+  isStringComparisonFunction(func.getTarget().getName()) and
+  (
+    (
+      // it is being used in an equality or logical operation
+      exists(EqualityOperation eop |
+        eop = expr1 and
+        func = eop.getAnOperand()
       )
-      or exists( UnaryLogicalOperation ule |
-        expr1 = ule
-        and func = ule.getAChild()
+      or
+      exists(UnaryLogicalOperation ule |
+        expr1 = ule and
+        func = ule.getOperand()
       )
-      or exists( BinaryLogicalOperation ble |
-        expr1 = ble
-        and func = ble.getAChild()
+      or
+      exists(BinaryLogicalOperation ble |
+        expr1 = ble and
+        func = ble.getAnOperand()
       )
-    )
-    and msg = "Return Value of " + func.getTarget().getQualifiedName() + " used in a logical operation."
-    )
+    ) and
+    msg = "Return value of " + func.getTarget().getName() + " used in a logical operation."
     or
-      exists( ConditionalStmt condstmt |
-      condstmt.getAChild() = expr1 |
-      // or the string copy function is used directly as the conditional expression
-      func = condstmt.getChild(0)
-      and msg = "Return Value of " + func.getTarget().getQualifiedName() + " used directly in a conditional expression."
-    ))
+    // or the string copy function is used directly as the conditional expression
+    (
+      exists(ConditionalStmt condstmt |
+        func = condstmt.getControllingExpr() and
+        expr1 = func
+      )
+      or
+      exists(ConditionalExpr ce |
+        expr1 = ce and
+        func = ce.getCondition()
+      )
+    ) and
+    msg = "Return value of " + func.getTarget().getName() +
+        " used directly in a conditional expression."
+  )
 }
 
 from FunctionCall func, Expr expr1, string msg
-where 
-  ( isStringCopyCastedAsBoolean(func, expr1, msg) and 
-    not isStringCopyUsedInLogicalOperationOrCondition(func, expr1, _)
+where
+  (
+    isStringCopyCastedAsBoolean(func, expr1, msg) and
+    not isStringCopyUsedInLogicalOperationOrCondition(func, _, _)
   )
-  or isStringCopyUsedInLogicalOperationOrCondition(func, expr1, msg)
+  or
+  isStringCopyUsedInLogicalOperationOrCondition(func, expr1, msg)
 select expr1, msg
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/UsingStrcpyAsBoolean.expected b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/UsingStrcpyAsBoolean.expected
@@ -1,34 +1,31 @@
-| test.c:34:9:34:14 | call to strcpy | Return Value of strcpy used directly in a conditional expression. |
-| test.c:38:9:38:31 | ! ... | Return Value of strcpy used in a logical operation. |
-| test.c:42:9:42:35 | ... == ... | Return Value of strcpy used in a logical operation. |
-| test.c:46:9:46:48 | ... && ... | Return Value of strcpy used in a logical operation. |
-| test.c:50:9:50:15 | call to strncpy | Return Value of strncpy used directly in a conditional expression. |
-| test.c:54:6:54:34 | ! ... | Return Value of strncpy used in a logical operation. |
-| test.c:58:11:58:39 | ! ... | Return Value of strncpy used in a logical operation. |
-| test.c:60:11:60:37 | ... && ... | Return Value of strcpy used in a logical operation. |
-| test.c:62:11:62:37 | ... == ... | Return Value of strcpy used in a logical operation. |
-| test.c:64:11:64:37 | ... != ... | Return Value of strcpy used in a logical operation. |
-| test.cpp:75:9:75:14 | call to strcpy | Return Value of strcpy used directly in a conditional expression. |
-| test.cpp:79:9:79:31 | ! ... | Return Value of strcpy used in a logical operation. |
-| test.cpp:79:10:79:15 | call to strcpy | Return Value of strcpy used as boolean. |
-| test.cpp:83:9:83:35 | ... == ... | Return Value of strcpy used in a logical operation. |
-| test.cpp:87:9:87:48 | ... && ... | Return Value of strcpy used in a logical operation. |
-| test.cpp:87:27:87:32 | call to strcpy | Return Value of strcpy used as boolean. |
-| test.cpp:91:9:91:37 | call to wcscpy | Return Value of wcscpy used directly in a conditional expression. |
-| test.cpp:95:9:95:14 | call to wcscpy | Return Value of wcscpy used directly in a conditional expression. |
-| test.cpp:99:9:99:15 | call to _mbscpy | Return Value of _mbscpy used directly in a conditional expression. |
-| test.cpp:103:9:103:15 | call to strncpy | Return Value of strncpy used directly in a conditional expression. |
-| test.cpp:107:9:107:15 | call to wcsncpy | Return Value of wcsncpy used directly in a conditional expression. |
-| test.cpp:111:9:111:16 | call to _mbsncpy | Return Value of _mbsncpy used directly in a conditional expression. |
-| test.cpp:115:9:115:18 | call to _strncpy_l | Return Value of _strncpy_l used directly in a conditional expression. |
-| test.cpp:119:9:119:18 | call to _wcsncpy_l | Return Value of _wcsncpy_l used directly in a conditional expression. |
-| test.cpp:123:9:123:18 | call to _mbsncpy_l | Return Value of _mbsncpy_l used directly in a conditional expression. |
-| test.cpp:127:6:127:34 | ! ... | Return Value of strncpy used in a logical operation. |
-| test.cpp:127:7:127:13 | call to strncpy | Return Value of strncpy used as boolean. |
-| test.cpp:131:11:131:17 | call to strncpy | Return Value of strncpy used as boolean. |
-| test.cpp:133:16:133:44 | ! ... | Return Value of strncpy used in a logical operation. |
-| test.cpp:133:17:133:23 | call to strncpy | Return Value of strncpy used as boolean. |
-| test.cpp:135:11:135:16 | call to strcpy | Return Value of strcpy used as boolean. |
-| test.cpp:135:11:135:37 | ... && ... | Return Value of strcpy used in a logical operation. |
-| test.cpp:137:11:137:37 | ... == ... | Return Value of strcpy used in a logical operation. |
-| test.cpp:139:11:139:37 | ... != ... | Return Value of strcpy used in a logical operation. |
+| test.c:34:9:34:14 | call to strcpy | Return value of strcpy used directly in a conditional expression. |
+| test.c:38:9:38:31 | ! ... | Return value of strcpy used in a logical operation. |
+| test.c:42:9:42:35 | ... == ... | Return value of strcpy used in a logical operation. |
+| test.c:46:9:46:48 | ... && ... | Return value of strcpy used in a logical operation. |
+| test.c:50:9:50:15 | call to strncpy | Return value of strncpy used directly in a conditional expression. |
+| test.c:54:9:54:37 | ! ... | Return value of strncpy used in a logical operation. |
+| test.c:58:14:58:42 | ! ... | Return value of strncpy used in a logical operation. |
+| test.c:59:14:59:43 | ... ? ... : ... | Return value of strcpy used directly in a conditional expression. |
+| test.c:60:14:60:40 | ... && ... | Return value of strcpy used in a logical operation. |
+| test.c:62:14:62:40 | ... == ... | Return value of strcpy used in a logical operation. |
+| test.c:64:14:64:40 | ... != ... | Return value of strcpy used in a logical operation. |
+| test.cpp:75:9:75:14 | call to strcpy | Return value of strcpy used directly in a conditional expression. |
+| test.cpp:79:9:79:31 | ! ... | Return value of strcpy used in a logical operation. |
+| test.cpp:83:9:83:35 | ... == ... | Return value of strcpy used in a logical operation. |
+| test.cpp:87:9:87:48 | ... && ... | Return value of strcpy used in a logical operation. |
+| test.cpp:91:9:91:37 | call to wcscpy | Return value of wcscpy used directly in a conditional expression. |
+| test.cpp:95:9:95:14 | call to wcscpy | Return value of wcscpy used directly in a conditional expression. |
+| test.cpp:99:9:99:15 | call to _mbscpy | Return value of _mbscpy used directly in a conditional expression. |
+| test.cpp:103:9:103:15 | call to strncpy | Return value of strncpy used directly in a conditional expression. |
+| test.cpp:107:9:107:15 | call to wcsncpy | Return value of wcsncpy used directly in a conditional expression. |
+| test.cpp:111:9:111:16 | call to _mbsncpy | Return value of _mbsncpy used directly in a conditional expression. |
+| test.cpp:115:9:115:18 | call to _strncpy_l | Return value of _strncpy_l used directly in a conditional expression. |
+| test.cpp:119:9:119:18 | call to _wcsncpy_l | Return value of _wcsncpy_l used directly in a conditional expression. |
+| test.cpp:123:9:123:18 | call to _mbsncpy_l | Return value of _mbsncpy_l used directly in a conditional expression. |
+| test.cpp:127:9:127:37 | ! ... | Return value of strncpy used in a logical operation. |
+| test.cpp:131:14:131:20 | call to strncpy | Return value of strncpy used as a Boolean. |
+| test.cpp:133:19:133:47 | ! ... | Return value of strncpy used in a logical operation. |
+| test.cpp:134:14:134:43 | ... ? ... : ... | Return value of strcpy used directly in a conditional expression. |
+| test.cpp:135:14:135:40 | ... && ... | Return value of strcpy used in a logical operation. |
+| test.cpp:137:14:137:40 | ... == ... | Return value of strcpy used in a logical operation. |
+| test.cpp:139:14:139:40 | ... != ... | Return value of strcpy used in a logical operation. |
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/test.c b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/test.c
@@ -29,7 +29,7 @@ void PositiveCases()
 {
     char szbuf1[100];
     char szbuf2[100];
-	int result;
+    int result;
 
     if (strcpy(szbuf1, "test")) // Bug, direct usage
     {
@@ -51,17 +51,17 @@ void PositiveCases()
     {
     }
 
-	if (!strncpy(szbuf1, "test", 100))  // Bug
-	{
-	}
-
-	result = !strncpy(szbuf1, "test", 100);
+    if (!strncpy(szbuf1, "test", 100))  // Bug
+    {
+    }
 
-	result = strcpy(szbuf1, "test") && 1;
+    result = !strncpy(szbuf1, "test", 100); // Bug
+    result = strcpy(szbuf1, "test") ? 1 : 0; // Bug
+    result = strcpy(szbuf1, "test") && 1; // Bug
 
-	result = strcpy(szbuf1, "test") == 0;
+    result = strcpy(szbuf1, "test") == 0; // Bug
 
-	result = strcpy(szbuf1, "test") != 0;
+    result = strcpy(szbuf1, "test") != 0; // Bug
 }
 
 void NegativeCases()
@@ -80,4 +80,4 @@ void NegativeCases()
     {
     }
 
-}
+}
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean/test.cpp
@@ -124,19 +124,19 @@ void PositiveCases()
     {
     }
 
-	if (!strncpy(szbuf1, "test", 100))  // Bug
-	{
-	}
-
-	bool b = strncpy(szbuf1, "test", 100);
+    if (!strncpy(szbuf1, "test", 100))  // Bug
+    {
+    }
 
-	bool result = !strncpy(szbuf1, "test", 100);
+    bool b = strncpy(szbuf1, "test", 100); // Bug
 
-	result = strcpy(szbuf1, "test") && 1;
+    bool result = !strncpy(szbuf1, "test", 100); // Bug
+    result = strcpy(szbuf1, "test") ? 1 : 0; // Bug
+    result = strcpy(szbuf1, "test") && 1; // Bug
 
-	result = strcpy(szbuf1, "test") == 0;
+    result = strcpy(szbuf1, "test") == 0; // Bug
 
-	result = strcpy(szbuf1, "test") != 0;
+    result = strcpy(szbuf1, "test") != 0; // Bug
 
 }
 
@@ -160,4 +160,4 @@ void NegativeCases()
     {
     }
 
-}
+}

Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ void PositiveCases()`
`29`	`29`	`{`
`30`	`30`	`char szbuf1[100];`
`31`	`31`	`char szbuf2[100];`
`32`		`- int result;`
	`32`	`+ int result;`
`33`	`33`
`34`	`34`	`if (strcpy(szbuf1, "test")) // Bug, direct usage`
`35`	`35`	`{`
`@@ -51,17 +51,17 @@ void PositiveCases()`
`51`	`51`	`{`
`52`	`52`	`}`
`53`	`53`
`54`		`- if (!strncpy(szbuf1, "test", 100)) // Bug`
`55`		`- {`
`56`		`- }`
`57`		`-`
`58`		`- result = !strncpy(szbuf1, "test", 100);`
	`54`	`+ if (!strncpy(szbuf1, "test", 100)) // Bug`
	`55`	`+ {`
	`56`	`+ }`
`59`	`57`
`60`		`- result = strcpy(szbuf1, "test") && 1;`
	`58`	`+ result = !strncpy(szbuf1, "test", 100); // Bug`
	`59`	`+ result = strcpy(szbuf1, "test") ? 1 : 0; // Bug`
	`60`	`+ result = strcpy(szbuf1, "test") && 1; // Bug`
`61`	`61`
`62`		`- result = strcpy(szbuf1, "test") == 0;`
	`62`	`+ result = strcpy(szbuf1, "test") == 0; // Bug`
`63`	`63`
`64`		`- result = strcpy(szbuf1, "test") != 0;`
	`64`	`+ result = strcpy(szbuf1, "test") != 0; // Bug`
`65`	`65`	`}`
`66`	`66`
`67`	`67`	`void NegativeCases()`
`@@ -80,4 +80,4 @@ void NegativeCases()`
`80`	`80`	`{`
`81`	`81`	`}`
`82`	`82`
`83`		`-}`
	`83`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -124,19 +124,19 @@ void PositiveCases()`
`124`	`124`	`{`
`125`	`125`	`}`
`126`	`126`
`127`		`- if (!strncpy(szbuf1, "test", 100)) // Bug`
`128`		`- {`
`129`		`- }`
`130`		`-`
`131`		`- bool b = strncpy(szbuf1, "test", 100);`
	`127`	`+ if (!strncpy(szbuf1, "test", 100)) // Bug`
	`128`	`+ {`
	`129`	`+ }`
`132`	`130`
`133`		`- bool result = !strncpy(szbuf1, "test", 100);`
	`131`	`+ bool b = strncpy(szbuf1, "test", 100); // Bug`
`134`	`132`
`135`		`- result = strcpy(szbuf1, "test") && 1;`
	`133`	`+ bool result = !strncpy(szbuf1, "test", 100); // Bug`
	`134`	`+ result = strcpy(szbuf1, "test") ? 1 : 0; // Bug`
	`135`	`+ result = strcpy(szbuf1, "test") && 1; // Bug`
`136`	`136`
`137`		`- result = strcpy(szbuf1, "test") == 0;`
	`137`	`+ result = strcpy(szbuf1, "test") == 0; // Bug`
`138`	`138`
`139`		`- result = strcpy(szbuf1, "test") != 0;`
	`139`	`+ result = strcpy(szbuf1, "test") != 0; // Bug`
`140`	`140`
`141`	`141`	`}`
`142`	`142`
`@@ -160,4 +160,4 @@ void NegativeCases()`
`160`	`160`	`{`
`161`	`161`	`}`
`162`	`162`
`163`		`-}`
	`163`	`+}`