

Commit 93c4f1e

committed
CPP: Autoformat.
1 parent 8ebc0b9 commit 93c4f1e

6 files changed

Lines changed: 152 additions & 132 deletions

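--- a/cpp/ql/src/Likely Bugs/JapaneseEra/ConstructorOrMethodWithExactEraDate.ql
+++ b/cpp/ql/src/Likely Bugs/JapaneseEra/ConstructorOrMethodWithExactEraDate.ql
@@ -10,8 +10,10 @@
 */
 
 import cpp
+
 from Call cc, int i
-where cc.getArgument(i).getValue().toInt() = 1989 and
-cc.getArgument(i+1).getValue().toInt() = 1 and
-cc.getArgument(i+2).getValue().toInt() = 8
-select cc, "Call that appears to have hard-coded Japanese era start date as parameter."
+where
+cc.getArgument(i).getValue().toInt() = 1989 and
+cc.getArgument(i + 1).getValue().toInt() = 1 and
+cc.getArgument(i + 2).getValue().toInt() = 8
+select cc, "Call that appears to have hard-coded Japanese era start date as parameter."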

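--- a/cpp/ql/src/Likely Bugs/JapaneseEra/StructWithExactEraDate.ql
+++ b/cpp/ql/src/Likely Bugs/JapaneseEra/StructWithExactEraDate.ql
@@ -10,11 +10,19 @@
 */
 
 import cpp
-
 import semmle.code.cpp.commons.DateTime
 
-from StructLikeClass s, YearFieldAccess year, MonthFieldAccess month, DayFieldAccess day, Operation yearAssignment, Operation monthAssignment, Operation dayAssignment
-where s.getAField().getAnAccess () = year and yearAssignment.getAnOperand() = year and yearAssignment.getAnOperand().getValue().toInt() = 1989 and
-s.getAField().getAnAccess () = month and monthAssignment.getAnOperand() = month and monthAssignment.getAnOperand().getValue().toInt() = 1 and
-s.getAField().getAnAccess () = day and dayAssignment.getAnOperand() = day and dayAssignment.getAnOperand().getValue().toInt() = 8
+from
+StructLikeClass s, YearFieldAccess year, MonthFieldAccess month, DayFieldAccess day,
+Operation yearAssignment, Operation monthAssignment, Operation dayAssignment
+where
+s.getAField().getAnAccess() = year and
+yearAssignment.getAnOperand() = year and
+yearAssignment.getAnOperand().getValue().toInt() = 1989 and
+s.getAField().getAnAccess() = month and
+monthAssignment.getAnOperand() = month and
+monthAssignment.getAnOperand().getValue().toInt() = 1 and
+s.getAField().getAnAccess() = day and
+dayAssignment.getAnOperand() = day and
+dayAssignment.getAnOperand().getValue().toInt() = 8
 select year, "A time struct that is initialized with exact Japanese calendar era start date."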

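--- a/cpp/ql/src/Likely Bugs/Leap Year/Adding365daysPerYear.ql
+++ b/cpp/ql/src/Likely Bugs/Leap Year/Adding365daysPerYear.ql
@@ -15,6 +15,6 @@ import semmle.code.cpp.dataflow.DataFlow
 
 from Expr source, Expr sink, PossibleYearArithmeticOperationCheckConfiguration config
 where config.hasFlow(DataFlow::exprNode(source), DataFlow::exprNode(sink))
-select sink, "This arithmetic operation $@ uses a constant value of 365 ends up modifying the date/time located at $@, without considering leap year scenarios."
-, source, source.toString()
-, sink, sink.toString()
+select sink,
+"This arithmetic operation $@ uses a constant value of 365 ends up modifying the date/time located at $@, without considering leap year scenarios.",
+source, source.toString(), sink, sink.toString()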

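--- a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql
+++ b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql
@@ -12,47 +12,53 @@
 import cpp
 import LeapYear
 
-from Variable var, LeapYearFieldAccess yfa
+from Variable var, LeapYearFieldAccess yfa
 where
-exists(VariableAccess va |
-yfa.getQualifier() = va
-and var.getAnAccess() = va
-// The year is modified with an arithmetic operation. Avoid values that are likely false positives
-and yfa.isModifiedByArithmeticOperationNotForNormalization()
-// Avoid false positives
-and not (
-// If there is a local check for leap year after the modification
-exists( LeapYearFieldAccess yfacheck |
-yfacheck.getQualifier() = var.getAnAccess()
-and yfacheck.isUsedInCorrectLeapYearCheck()
-and yfacheck = yfa.getASuccessor*()
-)
-// If there is a data flow from the variable that was modified to a function that seems to check for leap year
-or exists(VariableAccess source,
-ChecksForLeapYearFunctionCall fc,
-LeapYearCheckConfiguration config |
-source = var.getAnAccess()
-and config.hasFlow( DataFlow::exprNode(source), DataFlow::exprNode(fc.getAnArgument()))
-)
-// If there is a data flow from the field that was modified to a function that seems to check for leap year
-or exists(VariableAccess vacheck,
-YearFieldAccess yfacheck,
-ChecksForLeapYearFunctionCall fc,
-LeapYearCheckConfiguration config |
-vacheck = var.getAnAccess()
-and yfacheck.getQualifier() = vacheck
-and config.hasFlow( DataFlow::exprNode(yfacheck), DataFlow::exprNode(fc.getAnArgument()))
-)
-// If there is a successor or predecessor that sets the month = 1
-or exists(MonthFieldAccess mfa, AssignExpr ae |
-mfa.getQualifier() = var.getAnAccess()
-and mfa.isModified()
-and (mfa = yfa.getASuccessor*()
-or yfa = mfa.getASuccessor*())
-and ae = mfa.getEnclosingElement()
-and ae.getAnOperand().getValue().toInt() = 1
-)
-)
-)
-select yfa
-, "Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found.", yfa.getTarget(), yfa.getTarget().toString(), var, var.toString()
+exists(VariableAccess va |
+yfa.getQualifier() = va and
+var.getAnAccess() = va and
+// The year is modified with an arithmetic operation. Avoid values that are likely false positives
+yfa.isModifiedByArithmeticOperationNotForNormalization() and
+// Avoid false positives
+not (
+// If there is a local check for leap year after the modification
+exists(LeapYearFieldAccess yfacheck |
+yfacheck.getQualifier() = var.getAnAccess() and
+yfacheck.isUsedInCorrectLeapYearCheck() and
+yfacheck = yfa.getASuccessor*()
+)
+or
+// If there is a data flow from the variable that was modified to a function that seems to check for leap year
+exists(
+VariableAccess source, ChecksForLeapYearFunctionCall fc, LeapYearCheckConfiguration config
+|
+source = var.getAnAccess() and
+config.hasFlow(DataFlow::exprNode(source), DataFlow::exprNode(fc.getAnArgument()))
+)
+or
+// If there is a data flow from the field that was modified to a function that seems to check for leap year
+exists(
+VariableAccess vacheck, YearFieldAccess yfacheck, ChecksForLeapYearFunctionCall fc,
+LeapYearCheckConfiguration config
+|
+vacheck = var.getAnAccess() and
+yfacheck.getQualifier() = vacheck and
+config.hasFlow(DataFlow::exprNode(yfacheck), DataFlow::exprNode(fc.getAnArgument()))
+)
+or
+// If there is a successor or predecessor that sets the month = 1
+exists(MonthFieldAccess mfa, AssignExpr ae |
+mfa.getQualifier() = var.getAnAccess() and
+mfa.isModified() and
+(
+mfa = yfa.getASuccessor*() or
+yfa = mfa.getASuccessor*()
+) and
+ae = mfa.getEnclosingElement() and
+ae.getAnOperand().getValue().toInt() = 1
+)
+)
+)
+select yfa,
+"Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found.",
+yfa.getTarget(), yfa.getTarget().toString(), var, var.toString()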

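--- a/cpp/ql/src/Likely Bugs/Leap Year/UncheckedReturnValueForTimeFunctions.ql
+++ b/cpp/ql/src/Likely Bugs/Leap Year/UncheckedReturnValueForTimeFunctions.ql
@@ -14,23 +14,22 @@ import LeapYear
 
 /**
 * A YearFieldAccess that is modifying the year by any arithmetic operation
-*
+*
 * NOTE:
 * To change this class to work for general purpose date transformations that do not check the return value,
 * make the following changes:
-* -> extends FieldAccess (line 27)
+* -> extends FieldAccess (line 27)
 * -> this.isModified (line 33)
 * Expect a lower precision for a general purpose version.
 */
-
 class DateStructModifiedFieldAccess extends LeapYearFieldAccess {
-DateStructModifiedFieldAccess() {
-exists( Field f, StructLikeClass struct |
-f.getAnAccess() = this
-and struct.getAField() = f
-and struct.getUnderlyingType() instanceof DateDataStruct
-and this.isModifiedByArithmeticOperation()
-)
+DateStructModifiedFieldAccess() {
+exists(Field f, StructLikeClass struct |
+f.getAnAccess() = this and
+struct.getAField() = f and
+struct.getUnderlyingType() instanceof DateDataStruct and
+this.isModifiedByArithmeticOperation()
+)
 }
 }
 
@@ -39,9 +38,9 @@ class DateStructModifiedFieldAccess extends LeapYearFieldAccess {
 */
 class SafeTimeGatheringFunction extends Function {
 SafeTimeGatheringFunction() {
-this.getQualifiedName().matches("GetFileTime")
-or this.getQualifiedName().matches("GetSystemTime")
-or this.getQualifiedName().matches("NtQuerySystemTime")
+this.getQualifiedName().matches("GetFileTime") or
+this.getQualifiedName().matches("GetSystemTime") or
+this.getQualifiedName().matches("NtQuerySystemTime")
 }
 }
 
@@ -50,58 +49,62 @@ class SafeTimeGatheringFunction extends Function {
 */
 class TimeConversionFunction extends Function {
 TimeConversionFunction() {
-this.getQualifiedName().matches("FileTimeToSystemTime")
-or this.getQualifiedName().matches("SystemTimeToFileTime")
-or this.getQualifiedName().matches("SystemTimeToTzSpecificLocalTime")
-or this.getQualifiedName().matches("SystemTimeToTzSpecificLocalTimeEx")
-or this.getQualifiedName().matches("TzSpecificLocalTimeToSystemTime")
-or this.getQualifiedName().matches("TzSpecificLocalTimeToSystemTimeEx")
-or this.getQualifiedName().matches("RtlLocalTimeToSystemTime")
-or this.getQualifiedName().matches("RtlTimeToSecondsSince1970")
-or this.getQualifiedName().matches("_mkgmtime")
+this.getQualifiedName().matches("FileTimeToSystemTime") or
+this.getQualifiedName().matches("SystemTimeToFileTime") or
+this.getQualifiedName().matches("SystemTimeToTzSpecificLocalTime") or
+this.getQualifiedName().matches("SystemTimeToTzSpecificLocalTimeEx") or
+this.getQualifiedName().matches("TzSpecificLocalTimeToSystemTime") or
+this.getQualifiedName().matches("TzSpecificLocalTimeToSystemTimeEx") or
+this.getQualifiedName().matches("RtlLocalTimeToSystemTime") or
+this.getQualifiedName().matches("RtlTimeToSecondsSince1970") or
+this.getQualifiedName().matches("_mkgmtime")
 }
 }
 
-from FunctionCall fcall, TimeConversionFunction trf
-, Variable var
-where fcall = trf.getACallToThisFunction()
-and fcall instanceof ExprInVoidContext
-and var.getUnderlyingType() instanceof DateDataStruct
-and (exists(AddressOfExpr aoe |
-aoe = fcall.getAnArgument()
-and aoe.getAddressable() = var
-) or exists(VariableAccess va |
-fcall.getAnArgument() = va
-and var.getAnAccess() = va
+from FunctionCall fcall, TimeConversionFunction trf, Variable var
+where
+fcall = trf.getACallToThisFunction() and
+fcall instanceof ExprInVoidContext and
+var.getUnderlyingType() instanceof DateDataStruct and
+(
+exists(AddressOfExpr aoe |
+aoe = fcall.getAnArgument() and
+aoe.getAddressable() = var
 )
-)
-and exists(DateStructModifiedFieldAccess dsmfa, VariableAccess modifiedVarAccess |
-modifiedVarAccess = var.getAnAccess()
-and modifiedVarAccess = dsmfa.getQualifier()
-and modifiedVarAccess = fcall.getAPredecessor*()
-)
+or
+exists(VariableAccess va |
+fcall.getAnArgument() = va and
+var.getAnAccess() = va
+)
+) and
+exists(DateStructModifiedFieldAccess dsmfa, VariableAccess modifiedVarAccess |
+modifiedVarAccess = var.getAnAccess() and
+modifiedVarAccess = dsmfa.getQualifier() and
+modifiedVarAccess = fcall.getAPredecessor*()
+) and
 // Remove false positives
-and not (
+not (
 // Remove any instance where the predecessor is a SafeTimeGatheringFunction and no change to the data happened in between
 exists(FunctionCall pred |
-pred = fcall.getAPredecessor*()
-and exists( SafeTimeGatheringFunction stgf |
-pred = stgf.getACallToThisFunction()
+pred = fcall.getAPredecessor*() and
+exists(SafeTimeGatheringFunction stgf | pred = stgf.getACallToThisFunction()) and
+not exists(DateStructModifiedFieldAccess dsmfa, VariableAccess modifiedVarAccess |
+modifiedVarAccess = var.getAnAccess() and
+modifiedVarAccess = dsmfa.getQualifier() and
+modifiedVarAccess = fcall.getAPredecessor*() and
+modifiedVarAccess = pred.getASuccessor*()
+)
 )
-and not exists(DateStructModifiedFieldAccess dsmfa, VariableAccess modifiedVarAccess |
-modifiedVarAccess = var.getAnAccess()
-and modifiedVarAccess = dsmfa.getQualifier()
-and modifiedVarAccess = fcall.getAPredecessor*()
-and modifiedVarAccess = pred.getASuccessor*()
+or
+// Remove any instance where the year is changed, but the month is set to 1 (year wrapping)
+exists(MonthFieldAccess mfa, AssignExpr ae |
+mfa.getQualifier() = var.getAnAccess() and
+mfa.isModified() and
+mfa = fcall.getAPredecessor*() and
+ae = mfa.getEnclosingElement() and
+ae.getAnOperand().getValue().toInt() = 1
 )
 )
-// Remove any instance where the year is changed, but the month is set to 1 (year wrapping)
-or exists(MonthFieldAccess mfa, AssignExpr ae |
-mfa.getQualifier() = var.getAnAccess()
-and mfa.isModified()
-and mfa = fcall.getAPredecessor*()
-and ae = mfa.getEnclosingElement()
-and ae.getAnOperand().getValue().toInt() = 1
-)
-)
-select fcall, "Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe.", trf, trf.getQualifiedName().toString(), var, var.getName()
+select fcall,
+"Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe.",
+trf, trf.getQualifiedName().toString(), var, var.getName()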
Lines changed: 20 additions & 19 deletions
@@ -1,6 +1,6 @@
11
/**
2-
* @name Unsafe array for days of the year
3-
* @description An array of 365 items typically indicates one entry per day of the year, but without considering leap years, which would be 366 days.
2+
* @name Unsafe array for days of the year
3+
* @description An array of 365 items typically indicates one entry per day of the year, but without considering leap years, which would be 366 days.
44
* An access on a leap year could result in buffer overflow bugs.
55
* @kind problem
66
* @problem.severity error
@@ -13,24 +13,25 @@
1313
import cpp
1414

1515
class LeapYearUnsafeDaysOfTheYearArrayType extends ArrayType {
16-
LeapYearUnsafeDaysOfTheYearArrayType() {
17-
this.getArraySize() = 365
18-
}
16+
LeapYearUnsafeDaysOfTheYearArrayType() { this.getArraySize() = 365 }
1917
}
2018

2119
from Element element
2220
where
23-
exists( NewArrayExpr nae |
24-
element = nae
25-
and nae.getAllocatedType() instanceof LeapYearUnsafeDaysOfTheYearArrayType
26-
)
27-
or exists( Variable var |
28-
var = element
29-
and var.getType() instanceof LeapYearUnsafeDaysOfTheYearArrayType
30-
)
31-
or exists( ConstructorCall cc |
32-
element = cc
33-
and cc.getTarget().hasName("vector")
34-
and cc.getArgument(0).getValue().toInt() = 365
35-
)
36-
select element, "There is an array or std::vector allocation with a hard-coded set of 365 elements, which may indicate the number of days in a year without considering leap year scenarios."
21+
exists(NewArrayExpr nae |
22+
element = nae and
23+
nae.getAllocatedType() instanceof LeapYearUnsafeDaysOfTheYearArrayType
24+
)
25+
or
26+
exists(Variable var |
27+
var = element and
28+
var.getType() instanceof LeapYearUnsafeDaysOfTheYearArrayType
29+
)
30+
or
31+
exists(ConstructorCall cc |
32+
element = cc and
33+
cc.getTarget().hasName("vector") and
34+
cc.getArgument(0).getValue().toInt() = 365
35+
)
36+
select element,
37+
"There is an array or std::vector allocation with a hard-coded set of 365 elements, which may indicate the number of days in a year without considering leap year scenarios."
