Merge branch 'main' into javascript/ssrf

Author: valeria-meli

config/identical-files.json

@@ -6,6 +6,7 @@
     "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll",
     "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll",
     "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll",
+    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll",
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll",
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll",
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll",

cpp/change-notes/2021-07-27-uncontrolled-arithmetic.md

@@ -0,0 +1,2 @@
+lgtm
+* Improvements made to the (`cpp/uncontrolled-arithmetic`) query, reducing the frequency of false positive results.

cpp/change-notes/2021-07-29-virtual-function-declaration-specifiers.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Virtual function specifiers are now accessible via the new predicates on `Function` (`.isDeclaredVirtual`, `.isOverride`, and `.isFinal`).

cpp/ql/src/Likely Bugs/Memory Management/ImproperNullTermination.ql

@@ -29,11 +29,19 @@ class ImproperNullTerminationReachability extends StackVariableReachabilityWithR
   override predicate isSourceActual(ControlFlowNode node, StackVariable v) {
     node = declWithNoInit(v)
     or
-    exists(Call c, VariableAccess va |
+    exists(Call c, int bufferArg, int sizeArg |
       c = node and
-      c.getTarget().hasName("readlink") and
-      c.getArgument(1) = va and
-      va.getTarget() = v
+      (
+        c.getTarget().hasName("readlink") and bufferArg = 1 and sizeArg = 2
+        or
+        c.getTarget().hasName("readlinkat") and bufferArg = 2 and sizeArg = 3
+      ) and
+      c.getArgument(bufferArg).(VariableAccess).getTarget() = v and
+      (
+        // buffer size parameter likely matches the full buffer size
+        c.getArgument(sizeArg) instanceof SizeofOperator or
+        c.getArgument(sizeArg).getValue().toInt() = v.getType().getSize()
+      )
     )
   }
 

cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql

@@ -74,8 +74,15 @@ private class RandS extends RandomFunction {
 
 predicate missingGuard(VariableAccess va, string effect) {
   exists(Operation op | op.getAnOperand() = va |
-    missingGuardAgainstUnderflow(op, va) and effect = "underflow"
+    // underflow - random numbers are usually non-negative, so underflow is
+    // only likely if the type is unsigned. Multiplication is also unlikely to
+    // cause underflow of a non-negative number.
+    missingGuardAgainstUnderflow(op, va) and
+    effect = "underflow" and
+    op.getUnspecifiedType().(IntegralType).isUnsigned() and
+    not op instanceof MulExpr
     or
+    // overflow
     missingGuardAgainstOverflow(op, va) and effect = "overflow"
   )
 }
@@ -108,6 +115,9 @@ class UncontrolledArithConfiguration extends TaintTracking::Configuration {
         op instanceof BitwiseAndExpr or
         op instanceof ComplementExpr
       ).getAnOperand*()
+    or
+    // block unintended flow to pointers
+    node.asExpr().getUnspecifiedType() instanceof PointerType
   }
 }
 

cpp/ql/src/experimental/Security/CWE/CWE-561/FindIncorrectlyUsedSwitch.c

@@ -0,0 +1,34 @@
+...
+  int i1;
+  char c1;
+...
+  if((c1<50)&&(c>10))
+  switch(c1){
+    case 300: // BAD: the code will not be executed
+...  
+  if((i1<5)&&(i1>0))
+  switch(i1){ // BAD
+    case 21: // BAD: the code will not be executed
+...
+  switch(c1){
+...
+  dafault: // BAD: maybe it will be right `default`
+...
+  }
+
+...
+  switch(c1){ 
+      i1=c1*2; // BAD: the code will not be executed
+    case 12:
+...
+  switch(c1){ // GOOD
+    case 12:
+      break;
+    case 10:
+      break;
+    case 9:
+      break;
+    default:
+      break;
+  }
+...

cpp/ql/src/experimental/Security/CWE/CWE-561/FindIncorrectlyUsedSwitch.qhelp

@@ -0,0 +1,24 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>A mismatch between conditionals and <code>switch</code> cases can lead to control-flow violations (CWE-691) where the developer either does not handle all combinations of conditions or unintentionally created dead code (CWE-561).</p>
+
+
+</overview>
+
+<example>
+<p>The following example demonstrates fallacious and fixed ways of using a <code>switch</code> statement.</p>
+<sample src="FindIncorrectlyUsedSwitch.c" />
+
+</example>
+<references>
+
+<li>
+  CERT C Coding Standard:
+  <a href="https://wiki.sei.cmu.edu/confluence/display/c/MSC12-C.+Detect+and+remove+code+that+has+no+effect+or+is+never+executed">MSC12-C. Detect and remove code that has no effect or is never executed</a>.
+</li>
+
+</references>
+</qhelp>

cpp/ql/src/experimental/Security/CWE/CWE-561/FindIncorrectlyUsedSwitch.ql

@@ -0,0 +1,153 @@
+/**
+ * @name Incorrect switch statement
+ * @description --Finding places the dangerous use of a switch.
+ *              --For example, when the range of values for a condition does not cover all of the selection values..
+ * @kind problem
+ * @id cpp/operator-find-incorrectly-used-switch
+ * @problem.severity warning
+ * @precision medium
+ * @tags correctness
+ *       security
+ *       external/cwe/cwe-561
+ *       external/cwe/cwe-691
+ *       external/cwe/cwe-478
+ */
+
+import cpp
+import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
+
+/** Holds if the range contains no boundary values. */
+predicate isRealRange(Expr exp) {
+  upperBound(exp).toString() != "18446744073709551616" and
+  upperBound(exp).toString() != "9223372036854775807" and
+  upperBound(exp).toString() != "4294967295" and
+  upperBound(exp).toString() != "Infinity" and
+  upperBound(exp).toString() != "NaN" and
+  lowerBound(exp).toString() != "-9223372036854775808" and
+  lowerBound(exp).toString() != "-4294967296" and
+  lowerBound(exp).toString() != "-Infinity" and
+  lowerBound(exp).toString() != "NaN" and
+  upperBound(exp) != 2147483647 and
+  upperBound(exp) != 268435455 and
+  upperBound(exp) != 33554431 and
+  upperBound(exp) != 8388607 and
+  upperBound(exp) != 65535 and
+  upperBound(exp) != 32767 and
+  upperBound(exp) != 255 and
+  upperBound(exp) != 127 and
+  upperBound(exp) != 63 and
+  upperBound(exp) != 31 and
+  upperBound(exp) != 15 and
+  upperBound(exp) != 7 and
+  lowerBound(exp) != -2147483648 and
+  lowerBound(exp) != -268435456 and
+  lowerBound(exp) != -33554432 and
+  lowerBound(exp) != -8388608 and
+  lowerBound(exp) != -65536 and
+  lowerBound(exp) != -32768 and
+  lowerBound(exp) != -128
+}
+
+/** Holds if the range of values for the condition is less than the choices. */
+predicate isNotAllSelected(SwitchStmt swtmp) {
+  not swtmp.getExpr().isConstant() and
+  exists(int i |
+    i != 0 and
+    (
+      i = lowerBound(swtmp.getASwitchCase().getExpr()) and
+      upperBound(swtmp.getExpr()) < i
+      or
+      (
+        i = upperBound(swtmp.getASwitchCase().getExpr()) or
+        i = upperBound(swtmp.getASwitchCase().getEndExpr())
+      ) and
+      lowerBound(swtmp.getExpr()) > i
+    )
+  )
+}
+
+/** Holds if the range of values for the condition is greater than the selection. */
+predicate isConditionBig(SwitchStmt swtmp) {
+  not swtmp.hasDefaultCase() and
+  not exists(int iu, int il |
+    (
+      iu = upperBound(swtmp.getASwitchCase().getExpr()) or
+      iu = upperBound(swtmp.getASwitchCase().getEndExpr())
+    ) and
+    upperBound(swtmp.getExpr()) = iu and
+    (
+      il = lowerBound(swtmp.getASwitchCase().getExpr()) or
+      il = lowerBound(swtmp.getASwitchCase().getEndExpr())
+    ) and
+    lowerBound(swtmp.getExpr()) = il
+  )
+}
+
+/** Holds if there are labels inside the block with names similar to `default` or `case`. */
+predicate isWrongLableName(SwitchStmt swtmp) {
+  not swtmp.hasDefaultCase() and
+  exists(LabelStmt lb |
+    (
+      (
+        lb.getName().charAt(0) = "d" or
+        lb.getName().charAt(0) = "c"
+      ) and
+      (
+        lb.getName().charAt(1) = "e" or
+        lb.getName().charAt(1) = "a"
+      ) and
+      (
+        lb.getName().charAt(2) = "f" or
+        lb.getName().charAt(2) = "s"
+      )
+    ) and
+    lb.getEnclosingStmt().getParentStmt*() = swtmp.getStmt() and
+    not exists(GotoStmt gs | gs.getName() = lb.getName())
+  )
+}
+
+/** Holds if the block contains code before the first `case`. */
+predicate isCodeBeforeCase(SwitchStmt swtmp) {
+  exists(Expr exp |
+    exp.getEnclosingStmt().getParentStmt*() = swtmp.getStmt() and
+    not exists(Loop lp |
+      exp.getEnclosingStmt().getParentStmt*() = lp and
+      lp.getEnclosingStmt().getParentStmt*() = swtmp.getStmt()
+    ) and
+    not exists(Stmt sttmp, SwitchCase sctmp |
+      sttmp = swtmp.getASwitchCase().getAStmt() and
+      sctmp = swtmp.getASwitchCase() and
+      (
+        exp.getEnclosingStmt().getParentStmt*() = sttmp or
+        exp.getEnclosingStmt() = sctmp
+      )
+    )
+  )
+}
+
+from SwitchStmt sw, string msg
+where
+  isRealRange(sw.getExpr()) and
+  lowerBound(sw.getExpr()) != upperBound(sw.getExpr()) and
+  lowerBound(sw.getExpr()) != 0 and
+  not exists(Expr cexp |
+    cexp = sw.getASwitchCase().getExpr() and not isRealRange(cexp)
+    or
+    cexp = sw.getASwitchCase().getEndExpr() and not isRealRange(cexp)
+  ) and
+  not exists(Expr exptmp |
+    exptmp = sw.getExpr().getAChild*() and
+    not exptmp.isConstant() and
+    not isRealRange(exptmp)
+  ) and
+  (sw.getASwitchCase().terminatesInBreakStmt() or sw.getASwitchCase().terminatesInReturnStmt()) and
+  (
+    isNotAllSelected(sw) and msg = "The range of condition values is less than the selection."
+    or
+    isConditionBig(sw) and msg = "The range of condition values is wider than the choices."
+  )
+  or
+  isWrongLableName(sw) and msg = "Possibly erroneous label name."
+  or
+  isCodeBeforeCase(sw) and msg = "Code before case will not be executed."
+select sw, msg

cpp/ql/src/experimental/Security/CWE/CWE-703/FindIncorrectlyUsedExceptions.cpp

@@ -0,0 +1,9 @@
+...
+throw ("my exception!",546); // BAD
+...
+throw errorFunc("my exception!",546); // GOOD 
+...
+std::runtime_error("msg error"); // BAD
+...
+throw std::runtime_error("msg error"); // GOOD
+...

cpp/ql/src/experimental/Security/CWE/CWE-703/FindIncorrectlyUsedExceptions.qhelp

@@ -0,0 +1,23 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Finding places for the dangerous use of exceptions.</p>
+
+</overview>
+
+<example>
+<p>The following example demonstrates erroneous and fixed methods for using exceptions.</p>
+<sample src="FindIncorrectlyUsedExceptions.cpp" />
+
+</example>
+<references>
+
+<li>
+  CERT CPP Coding Standard:
+  <a href="https://wiki.sei.cmu.edu/confluence/display/cplusplus/DCL57-CPP.+Do+not+let+exceptions+escape+from+destructors+or+deallocation+functions">DCL57-CPP. Do not let exceptions escape from destructors or deallocation functions</a>.
+</li>
+
+</references>
+</qhelp>