/**
* @name Late Check Of Function Argument
* @description --A function argument is checked only after the function has been called.
* --This situation looks suspicious and deserves the developer's attention.
* --Validation may need to be added before the function is called.
* @kind problem
* @id cpp/late-check-of-function-argument
* @problem.severity warning
* @precision medium
* @tags correctness
* security
* experimental
* external/cwe/cwe-020
*/
import cpp
import semmle.code.cpp.valuenumbering.GlobalValueNumbering
/**
 * Holds if `f` is one of the listed C library functions and `apos` is the zero-based
 * index of its size, count or offset argument — the argument whose value this query
 * expects to be validated before the call (for example the length passed to `memcpy`,
 * the offset passed to `lseek`, or the buffer size passed to `snprintf`).
 */
predicate numberArgument(Function f, int apos) {
  // Functions whose third argument (index 2) is a length or element count.
  f.hasGlobalOrStdName([
      "write", "read", "memmove", "memset", "memcpy", "memcmp", "strncat", "strncpy", "strncmp",
      "strndup"
    ]) and
  apos = 2
  or
  // Functions whose second argument (index 1) is an offset or a buffer size.
  f.hasGlobalOrStdName(["lseek", "snprintf"]) and apos = 1
}
/**
 * An `if` statement whose condition is a relational comparison (`<`, `<=`, `>`, `>=`)
 * in which one operand has the constant value `0`, e.g. `if (n < 0)` or `if (0 >= len)`.
 */
class IfCompareWithZero extends IfStmt {
  IfCompareWithZero() {
    exists(RelationalOperation cmp | cmp = this.getCondition() | cmp.getAChild().getValue() = "0")
  }

  /**
   * Gets the operand that is compared against zero, i.e. the operand of the condition
   * that is not the `0`. When the greater operand is `0` the lesser operand is returned;
   * otherwise the greater operand is returned.
   */
  Expr noZerroOperand() {
    exists(RelationalOperation cmp | cmp = this.getCondition() |
      cmp.getGreaterOperand().getValue() = "0" and result = cmp.getLesserOperand()
      or
      not cmp.getGreaterOperand().getValue() = "0" and result = cmp.getGreaterOperand()
    )
  }
}
/*
 * Report calls to one of the size/count-taking functions from `numberArgument` whose
 * size argument is compared with zero only on a path after the call: the `if` is
 * dominated by the call, and no `if` that dominates the call mentions the same value.
 */
from FunctionCall fc, int na, Expr arg, IfCompareWithZero ifc
where
  numberArgument(fc.getTarget(), na) and
  arg = fc.getArgument(na) and
  // The late check compares a value equivalent to the argument (same global value number)
  // against zero ...
  globalValueNumber(arg) = globalValueNumber(ifc.noZerroOperand()) and
  // ... and that check is only reached after the call has already executed.
  dominates(fc, ifc) and
  // Exclude arguments that some `if` condition reached before the call already inspected.
  not exists(IfStmt earlier |
    dominates(earlier, fc) and
    globalValueNumber(earlier.getCondition().getAChild*()) = globalValueNumber(arg)
  )
select fc, "The value of argument $@ appears to be checked after the call, rather than before it.",
  arg, arg.toString()