Add files via upload

Author: ihsinme

cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.c

@@ -0,0 +1,4 @@
+if(len>0 & memset(buf,0,len)) return 1; // BAD: `memset` will be called regardless of the value of the `len` variable. moreover, one cannot be sure that it will happen after verification
+...
+if(len>0 && memset(buf,0,len)) return 1; // GOOD: `memset` will be called after the `len` variable has been checked.
+...

cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.qhelp

@@ -0,0 +1,28 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Using bitwise operations can be a mistake in some situations. For example, if parameters are evaluated in an expression and the function should be called only upon certain test results. These bitwise operations look suspicious and require developer attention.</p>
+
+
+</overview>
+<recommendation>
+
+<p>We recommend that you evaluate the correctness of using the specified bit operations.</p>
+
+</recommendation>
+<example>
+<p>The following example demonstrates the erroneous and fixed use of bit and logical operations.</p>
+<sample src="InsufficientControlFlowManagementWhenUsingBitOperations.c" />
+
+</example>
+<references>
+
+<li>
+  CWE Common Weakness Enumeration:
+  <a href="https://cwe.mitre.org/data/definitions/691.html"> CWE-691: Insufficient Control Flow Management</a>.
+</li>
+
+</references>
+</qhelp>

cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql

@@ -0,0 +1,80 @@
+/**
+ * @name Errors When Using Bit Operations
+ * @description --Using bitwise operations can be a mistake in some situations.
+ *              --For example, if parameters are evaluated in an expression and the function should be called only upon certain test results.
+ *              --These bitwise operations look suspicious and require developer attention.
+ * @kind problem
+ * @id cpp/errors-when-using-bit-operations
+ * @problem.severity warning
+ * @precision medium
+ * @tags correctness
+ *       security
+ *       external/cwe/cwe-691
+ */
+
+import cpp
+import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+
+/**
+ * Dangerous uses of bit operations.
+ * For example: `if(intA>0 & intA<10 & charBuf&myFunc(charBuf[intA]))`.
+ * In this case, the function will be called in any case, and even the sequence of the call is not guaranteed.
+ */
+class DangerousBitOperations extends Expr {
+  FunctionCall bfc;
+
+  /**
+   * The assignment indicates the conscious use of the bit operator.
+   * Use in comparison, conversion, or return value indicates conscious use of the bit operator.
+   * The use of shifts and bitwise operations on any element of an expression indicates a conscious use of the bitwise operator.
+   */
+  DangerousBitOperations() {
+    bfc = this.(BinaryBitwiseOperation).getRightOperand() and
+    not this.getParent*() instanceof AssignExpr and
+    not this.getParent*() instanceof Initializer and
+    not this.getParent*() instanceof ReturnStmt and
+    not this.getParent*() instanceof EqualityOperation and
+    not this.getParent*() instanceof UnaryLogicalOperation and
+    not this.getParent*() instanceof BinaryLogicalOperation and
+    not this.(BinaryBitwiseOperation).getAChild*() instanceof BitwiseXorExpr and
+    not this.(BinaryBitwiseOperation).getAChild*() instanceof LShiftExpr and
+    not this.(BinaryBitwiseOperation).getAChild*() instanceof RShiftExpr
+  }
+
+  /** Holds when part of a bit expression is used in a logical operation. */
+  predicate useInLogicalOperations() {
+    exists(BinaryLogicalOperation blop, Expr exp |
+      blop.getAChild*() = exp and
+      exp.(FunctionCall).getTarget() = bfc.getTarget() and
+      not exp.getParent() instanceof ComparisonOperation and
+      not exp.getParent() instanceof BinaryBitwiseOperation
+    )
+  }
+
+  /** Holds when part of a bit expression is used as part of another supply. For example, as an argument to another function. */
+  predicate useInOtherCalls() {
+    bfc.hasQualifier() or
+    bfc.getTarget() instanceof Operator or
+    exists(FunctionCall fc | fc.getAnArgument().getAChild*() = this) or
+    bfc.getTarget() instanceof BuiltInFunction
+  }
+
+  /** Holds when the bit expression contains both arguments and a function call. */
+  predicate dangerousArgumentChecking() {
+    not this.(BinaryBitwiseOperation).getLeftOperand() instanceof Call and
+    globalValueNumber(this.(BinaryBitwiseOperation).getLeftOperand().getAChild*()) =
+      globalValueNumber(bfc.getAnArgument())
+  }
+
+  /** Holds when function calls are present in the bit expression. */
+  predicate functionCallsInBitsExpression() {
+    this.(BinaryBitwiseOperation).getLeftOperand().getAChild*() instanceof FunctionCall
+  }
+}
+
+from DangerousBitOperations dbo
+where
+  not dbo.useInOtherCalls() and
+  dbo.useInLogicalOperations() and
+  (not dbo.functionCallsInBitsExpression() or dbo.dangerousArgumentChecking())
+select dbo, "this bit expression needs your attention"