
Commit c2db5f4

committed
C++: Add more FNs and FPs to show examples of where the 'successor typing' strategy fails.
1 parent cd57cd0 commit c2db5f4

2 files changed

+33
-0
lines changed


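--- a/cpp/ql/test/query-tests/Security/CWE/CWE-843/TypeConfusion.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-843/TypeConfusion.expected
@@ -5,6 +5,8 @@ edges
 | test.cpp:85:9:85:15 | new | test.cpp:88:14:88:33 | a | provenance | |
 | test.cpp:127:12:127:17 | new | test.cpp:128:24:128:59 | s2 | provenance | |
 | test.cpp:143:14:143:19 | new | test.cpp:145:28:145:68 | s1_2 | provenance | |
+| test.cpp:153:9:153:15 | new | test.cpp:159:14:159:33 | a | provenance | |
+| test.cpp:168:9:168:15 | new | test.cpp:171:14:171:33 | a | provenance | |
 nodes
 | test.cpp:27:13:27:18 | new | semmle.label | new |
 | test.cpp:28:25:28:55 | p | semmle.label | p |
@@ -18,10 +20,15 @@ nodes
 | test.cpp:128:24:128:59 | s2 | semmle.label | s2 |
 | test.cpp:143:14:143:19 | new | semmle.label | new |
 | test.cpp:145:28:145:68 | s1_2 | semmle.label | s1_2 |
+| test.cpp:153:9:153:15 | new | semmle.label | new |
+| test.cpp:159:14:159:33 | a | semmle.label | a |
+| test.cpp:168:9:168:15 | new | semmle.label | new |
+| test.cpp:171:14:171:33 | a | semmle.label | a |
 subpaths
 #select
 | test.cpp:28:25:28:55 | p | test.cpp:27:13:27:18 | new | test.cpp:28:25:28:55 | p | Conversion from $@ to $@ is invalid. | test.cpp:1:8:1:9 | S1 | S1 | test.cpp:11:8:11:21 | Not_S1_wrapper | Not_S1_wrapper |
 | test.cpp:33:12:33:30 | p | test.cpp:32:13:32:30 | new | test.cpp:33:12:33:30 | p | Conversion from $@ to $@ is invalid. | test.cpp:11:8:11:21 | Not_S1_wrapper | Not_S1_wrapper | test.cpp:1:8:1:9 | S1 | S1 |
 | test.cpp:67:12:67:31 | a | test.cpp:66:15:66:21 | new | test.cpp:67:12:67:31 | a | Conversion from $@ to $@ is invalid. | test.cpp:55:8:55:10 | Cat | Cat | test.cpp:60:8:60:10 | Dog | Dog |
 | test.cpp:128:24:128:59 | s2 | test.cpp:127:12:127:17 | new | test.cpp:128:24:128:59 | s2 | Conversion from $@ to $@ is invalid. | test.cpp:102:8:102:9 | S2 | S2 | test.cpp:119:8:119:20 | Not_S2_prefix | Not_S2_prefix |
 | test.cpp:145:28:145:68 | s1_2 | test.cpp:143:14:143:19 | new | test.cpp:145:28:145:68 | s1_2 | Conversion from $@ to $@ is invalid. | test.cpp:1:8:1:9 | S1 | S1 | test.cpp:131:8:131:23 | HasSomeBitFields | HasSomeBitFields |
+| test.cpp:159:14:159:33 | a | test.cpp:153:9:153:15 | new | test.cpp:159:14:159:33 | a | Conversion from $@ to $@ is invalid. | test.cpp:60:8:60:10 | Dog | Dog | test.cpp:55:8:55:10 | Cat | Cat |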

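--- a/cpp/ql/test/query-tests/Security/CWE/CWE-843/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-843/test.cpp
@@ -145,3 +145,29 @@ void test12() {
 HasSomeBitFields* hbf2 = reinterpret_cast<HasSomeBitFields*>(s1_2); // BAD
 }
 
+void test13(bool b, Cat* c) {
+Animal* a;
+if(b) {
+a = c;
+} else {
+a = new Dog;
+}
+// This FP happens despite the `not GoodFlow::flowTo(sinkNode)` condition in the query
+// because we don't find a flow path from `a = c` to `static_cast<Cat*>(a)` because
+// the "source" (i.e., `a = c`) doesn't have an allocation.
+if(b) {
+Cat* d = static_cast<Cat*>(a); // GOOD [FALSE POSITIVE]
+}
+}
+
+void test14(bool b) {
+Animal* a;
+if(b) {
+a = new Cat;
+} else {
+a = new Dog;
+}
+if(!b) {
+Cat* d = static_cast<Cat*>(a); // BAD [NOT DETECTED]
+}
+}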
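Review bot: The cast in test14 marked `// BAD [NOT DETECTED]` has no comment explaining why the query misses it, while test13 documents its false positive in detail. The expected output in this commit records a flow edge from the `new Dog` on line 168 to the cast on line 171 but no #select row for it, which suggests the competing good flow from `new Cat` on line 166 to the same sink is what suppresses the alert under the `not GoodFlow::flowTo(sinkNode)` condition the test13 comment cites; worth confirming against the query before stating it. I would add above the cast: `// This FN happens because the sink also has a good flow path (from a = new Cat), so the query's not GoodFlow::flowTo(sinkNode) condition suppresses the alert even though the two assignments sit on mutually exclusive branches.` That makes the FN/FP pair the commit title promises self-explanatory to whoever next revisits the 'successor typing' strategy.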
