Merge pull request github#16662 from jketema/gets

jketema · web-flow · commit ff46e2c627da · 2024-06-05T11:50:04.000+02:00
C++: Ignore `gets`'es with incorrect parameter counts
diff --git a/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql b/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
@@ -17,5 +17,6 @@ import cpp
 from FunctionCall call, Function target
 where
   call.getTarget() = target and
-  target.hasGlobalOrStdName("gets")
+  target.hasGlobalOrStdName("gets") and
+  target.getNumberOfParameters() = 1
 select call, "'gets' does not guard against buffer overflow."
diff --git a/cpp/ql/src/change-notes/2014-06-05-gets-parameter.md b/cpp/ql/src/change-notes/2014-06-05-gets-parameter.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `cpp/dangerous-function-overflow` no longer produces a false positive alert when the `gets` function does not have exactly one parameter.
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/test.c b/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/test.c
@@ -36,7 +36,7 @@ char *gets(char *s);
 
 void testGets() {
 	char buf1[1024];
-	char buf2 = malloc(1024);
+	char *buf2 = malloc(1024);
 	char *s;
 
 	gets(buf1); // BAD: use of gets
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/test.cpp
@@ -0,0 +1,7 @@
+char *gets();
+
+void testOtherGets() {
+	char *s;
+
+	s = gets(); // GOOD: this is not the gets from stdio.h
+}

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* The `cpp/dangerous-function-overflow` no longer produces a false positive alert when the `gets` function does not have exactly one parameter.