Update DeclarationOfVariableWithUnnecessarilyWideScope.ql

ihsinme · web-flow · commit c8f2937df9bd · 2021-05-10T14:16:11.000+03:00
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql b/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
@@ -27,8 +27,6 @@ class DangerousWhileLoop extends WhileStmt {
     not exp instanceof PointerFieldAccess and
     not exp instanceof ValueFieldAccess and
     exp.(VariableAccess).getTarget().getName() = dl.getName() and
-    not exp.getParent*() instanceof CrementOperation and
-    not exp.getParent*() instanceof Assignment and
     not exp.getParent*() instanceof FunctionCall
   }
 
@@ -37,10 +35,10 @@ class DangerousWhileLoop extends WhileStmt {
   /** Holds when there are changes to the variables involved in the condition. */
   predicate isUseThisVariable() {
     exists(Variable v |
-      exp.(VariableAccess).getTarget() = v and
+      this.getCondition().getAChild*().(VariableAccess).getTarget() = v and
       (
         exists(Assignment aexp |
-          aexp = this.getStmt().getAChild*() and
+          this = aexp.getEnclosingStmt().getParentStmt*() and
           (
             aexp.getLValue().(ArrayExpr).getArrayBase().(VariableAccess).getTarget() = v
             or
@@ -49,7 +47,7 @@ class DangerousWhileLoop extends WhileStmt {
         )
         or
         exists(CrementOperation crm |
-          crm = this.getStmt().getAChild*() and
+          this = crm.getEnclosingStmt().getParentStmt*() and
           crm.getOperand().(VariableAccess).getTarget() = v
         )
       )
@@ -59,4 +57,4 @@ class DangerousWhileLoop extends WhileStmt {
 
 from DangerousWhileLoop lp
 where not lp.isUseThisVariable()
-select lp.getDeclaration(), "A variable with this name is used in the loop condition."
+select lp.getDeclaration(), "A variable with this name is used in the $@ condition.", lp, "loop"

Original file line number	Diff line number	Diff line change
`@@ -27,8 +27,6 @@ class DangerousWhileLoop extends WhileStmt {`
`27`	`27`	`not exp instanceof PointerFieldAccess and`
`28`	`28`	`not exp instanceof ValueFieldAccess and`
`29`	`29`	`exp.(VariableAccess).getTarget().getName() = dl.getName() and`
`30`		`- not exp.getParent*() instanceof CrementOperation and`
`31`		`- not exp.getParent*() instanceof Assignment and`
`32`	`30`	`not exp.getParent*() instanceof FunctionCall`
`33`	`31`	`}`
`34`	`32`
`@@ -37,10 +35,10 @@ class DangerousWhileLoop extends WhileStmt {`
`37`	`35`	`/** Holds when there are changes to the variables involved in the condition. */`
`38`	`36`	`predicate isUseThisVariable() {`
`39`	`37`	`exists(Variable v \|`
`40`		`- exp.(VariableAccess).getTarget() = v and`
	`38`	`+ this.getCondition().getAChild*().(VariableAccess).getTarget() = v and`
`41`	`39`	`(`
`42`	`40`	`exists(Assignment aexp \|`
`43`		`- aexp = this.getStmt().getAChild*() and`
	`41`	`+ this = aexp.getEnclosingStmt().getParentStmt*() and`
`44`	`42`	`(`
`45`	`43`	`aexp.getLValue().(ArrayExpr).getArrayBase().(VariableAccess).getTarget() = v`
`46`	`44`	`or`
`@@ -49,7 +47,7 @@ class DangerousWhileLoop extends WhileStmt {`
`49`	`47`	`)`
`50`	`48`	`or`
`51`	`49`	`exists(CrementOperation crm \|`
`52`		`- crm = this.getStmt().getAChild*() and`
	`50`	`+ this = crm.getEnclosingStmt().getParentStmt*() and`
`53`	`51`	`crm.getOperand().(VariableAccess).getTarget() = v`
`54`	`52`	`)`
`55`	`53`	`)`
`@@ -59,4 +57,4 @@ class DangerousWhileLoop extends WhileStmt {`
`59`	`57`
`60`	`58`	`from DangerousWhileLoop lp`
`61`	`59`	`where not lp.isUseThisVariable()`
`62`		`-select lp.getDeclaration(), "A variable with this name is used in the loop condition."`
	`60`	`+select lp.getDeclaration(), "A variable with this name is used in the $@ condition.", lp, "loop"`