Merge pull request github#6141 from ihsinme/ihsinme-patch-276

geoffw0 · web-flow · commit 23ba7dcf9c1d · 2021-08-03T14:46:39.000+01:00
CPP: Add a query to find incorrectly used exceptions. 2
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-703/FindIncorrectlyUsedExceptions.cpp b/cpp/ql/src/experimental/Security/CWE/CWE-703/FindIncorrectlyUsedExceptions.cpp
@@ -0,0 +1,9 @@
+...
+throw ("my exception!",546); // BAD
+...
+throw errorFunc("my exception!",546); // GOOD 
+...
+std::runtime_error("msg error"); // BAD
+...
+throw std::runtime_error("msg error"); // GOOD
+...
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-703/FindIncorrectlyUsedExceptions.qhelp b/cpp/ql/src/experimental/Security/CWE/CWE-703/FindIncorrectlyUsedExceptions.qhelp
@@ -0,0 +1,23 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Finding places for the dangerous use of exceptions.</p>
+
+</overview>
+
+<example>
+<p>The following example demonstrates erroneous and fixed methods for using exceptions.</p>
+<sample src="FindIncorrectlyUsedExceptions.cpp" />
+
+</example>
+<references>
+
+<li>
+  CERT CPP Coding Standard:
+  <a href="https://wiki.sei.cmu.edu/confluence/display/cplusplus/DCL57-CPP.+Do+not+let+exceptions+escape+from+destructors+or+deallocation+functions">DCL57-CPP. Do not let exceptions escape from destructors or deallocation functions</a>.
+</li>
+
+</references>
+</qhelp>
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-703/FindIncorrectlyUsedExceptions.ql b/cpp/ql/src/experimental/Security/CWE/CWE-703/FindIncorrectlyUsedExceptions.ql
@@ -0,0 +1,50 @@
+/**
+ * @name Operator Find Incorrectly Used Exceptions
+ * @description --Finding places for the dangerous use of exceptions.
+ * @kind problem
+ * @id cpp/operator-find-incorrectly-used-exceptions
+ * @problem.severity warning
+ * @precision medium
+ * @tags correctness
+ *       security
+ *       external/cwe/cwe-703
+ *       external/cwe/cwe-248
+ *       external/cwe/cwe-390
+ */
+
+import cpp
+
+from FunctionCall fc, string msg
+where
+  exists(ThrowExpr texp |
+    texp.getEnclosingFunction() = fc.getTarget() and
+    (
+      fc.getTarget().hasGlobalOrStdName("DllMain") and
+      not exists(TryStmt ts |
+        texp.getEnclosingStmt().getParentStmt*() = ts.getStmt() and
+        not ts.getACatchClause().isEmpty()
+      ) and
+      msg = "DllMain contains an exeption not wrapped in a try..catch block."
+      or
+      texp.getExpr().isParenthesised() and
+      texp.getExpr().(CommaExpr).getLeftOperand().isConstant() and
+      texp.getExpr().(CommaExpr).getRightOperand().isConstant() and
+      msg = "There is an exception in the function that requires your attention."
+    )
+  )
+  or
+  fc.getTarget() instanceof Constructor and
+  (
+    fc.getTargetType().(Class).getABaseClass+().hasGlobalOrStdName("exception") or
+    fc.getTargetType().(Class).getABaseClass+().hasGlobalOrStdName("CException")
+  ) and
+  not fc.isInMacroExpansion() and
+  not exists(ThrowExpr texp | fc.getEnclosingStmt() = texp.getEnclosingStmt()) and
+  not exists(FunctionCall fctmp | fctmp.getAnArgument() = fc) and
+  not fc instanceof ConstructorDirectInit and
+  not fc.getEnclosingStmt() instanceof DeclStmt and
+  not fc instanceof ConstructorDelegationInit and
+  not fc.getParent() instanceof Initializer and
+  not fc.getParent() instanceof AllocationExpr and
+  msg = "This object does not generate an exception."
+select fc, msg
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-703/semmle/tests/FindIncorrectlyUsedExceptions.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-703/semmle/tests/FindIncorrectlyUsedExceptions.expected
@@ -0,0 +1,3 @@
+| test.cpp:35:3:35:33 | call to runtime_error | This object does not generate an exception. |
+| test.cpp:41:3:41:11 | call to funcTest1 | There is an exception in the function that requires your attention. |
+| test.cpp:42:3:42:9 | call to DllMain | DllMain contains an exeption not wrapped in a try..catch block. |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-703/semmle/tests/FindIncorrectlyUsedExceptions.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-703/semmle/tests/FindIncorrectlyUsedExceptions.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-703/FindIncorrectlyUsedExceptions.ql
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-703/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-703/semmle/tests/test.cpp
@@ -0,0 +1,44 @@
+namespace std
+{
+	class exception {
+	};
+
+	class runtime_error : public exception {
+	public:
+		runtime_error(const char *msg);
+	};
+}
+
+typedef unsigned int size_t;
+void clean();
+
+
+void funcTest1()
+{
+   throw ("my exception!",546);  // BAD
+}
+
+void DllMain()
+{
+  try { throw "my exception!"; } // BAD
+  catch (...) {  }
+}
+
+void funcTest2()
+{
+  try { throw "my exception!"; } // GOOD
+  catch (...) { clean(); }
+}
+
+void funcTest3()
+{
+  std::runtime_error("msg error"); // BAD
+  throw std::runtime_error("msg error"); // GOOD
+}
+
+void TestFunc()
+{
+  funcTest1();
+  DllMain();
+  funcTest2();
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+\| test.cpp:35:3:35:33 \| call to runtime_error \| This object does not generate an exception. \|`
	`2`	`+\| test.cpp:41:3:41:11 \| call to funcTest1 \| There is an exception in the function that requires your attention. \|`
	`3`	`+\| test.cpp:42:3:42:9 \| call to DllMain \| DllMain contains an exeption not wrapped in a try..catch block. \|`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+experimental/Security/CWE/CWE-703/FindIncorrectlyUsedExceptions.ql`