All remaining leap year ql and qhelp files.

Author: bdrodes

cpp/ql/src/Microsoft/Leap Year/AntiPattern5InvalidLeapYearCheck.ql

@@ -0,0 +1,18 @@
+/**
+ * @name Leap Year Invalid Check (AntiPattern 5)
+ * @description An expression is used to check a year is presumably a leap year, but the conditions used are insufficient.
+ * @kind problem
+ * @problem.severity error
+ * @id cpp/leap-year/invalid-leap-year-check
+ * @precision medium
+ * @tags leap-year
+ *       correctness
+ *       security
+ */
+
+import cpp
+import LeapYear
+
+from Mod4CheckedExpr exprMod4
+where not exists(ExprCheckLeapYear lyCheck | lyCheck.getAChild*() = exprMod4)
+select exprMod4, "Possible Insufficient Leap Year check (AntiPattern 5)"

cpp/ql/src/Microsoft/Leap Year/LeapYear.inc.qhelp

@@ -0,0 +1,10 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<fragment>
+  <p>The leap year rule for the Gregorian calendar, which has become the internationally accepted civil calendar, is: every year that is exactly divisible by four is a leap year, except for years that are exactly divisible by 100, but these centurial years are leap years if they are exactly divisible by 400.</p>
+  <p>A leap year bug occurs when software (in any language) is written without consideration of leap year logic, or with flawed logic to calculate leap years; which typically results in incorrect results.</p>
+  <p>The impact of these bugs may range from almost unnoticeable bugs such as an incorrect date, to severe bugs that affect reliability, availability or even the security of the affected system.</p>
+</fragment>
+</qhelp>

cpp/ql/src/Microsoft/Leap Year/LeapYearConditionalLogic.qhelp

@@ -0,0 +1,26 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+  <include src="LeapYear.inc.qhelp" />  
+  <p>This anti-pattern occurs when a developer uses conditional logic to execute a different path of code for a leap year than for a common year, without fully testing both code paths.</p>
+  <p>Though using a framework or library's leap year function is better than manually calculating the leap year (as described in anti-pattern 5), it can still be a source of errors if the result is used to execute a different code path. The bug is especially easy to be masked if the year is derived from the current time of the system clock. See Prevention Measures for techniques to avoid this bug.</p>
+</overview>
+<recommendation>
+  <ul>
+  <li>Avoid using conditional logic that creates a separate branch in your code for leap year.</li>
+  <li>Ensure your code is testable, and test how it will behave when presented with leap year dates of February 29th and December 31st as inputs.</li>
+  </ul>
+</recommendation>
+<example>
+<p>Note in the following examples, that year, month, and day might instead be .wYear, .wMonth, and .wDay fields of a SYSTEMTIME structure, or might be .tm_year, .tm_mon, and .tm_mday fields of a struct tm.</p>
+<sample src="LeapYearConditionalLogicBad.c" />
+</example>
+
+<references>
+  <li>NASA / Goddard Space Flight Center - <a href="https://eclipse.gsfc.nasa.gov/SEhelp/calendars.html">Calendars</a></li>
+  <li>Wikipedia - <a href="https://en.wikipedia.org/wiki/Leap_year_bug"> Leap year bug</a> </li>
+  <li>Microsoft Azure blog - <a href="https://azure.microsoft.com/en-us/blog/is-your-code-ready-for-the-leap-year/"> Is your code ready for the leap year?</a> </li>
+</references>
+</qhelp>

cpp/ql/src/Microsoft/Leap Year/LeapYearConditionalLogic.ql

@@ -0,0 +1,29 @@
+/**
+ * @name Leap Year Conditional Logic (AntiPattern 7)
+ * @description Conditional logic is present for leap years and common years, potentially leading to untested code pathways.
+ * @kind problem
+ * @problem.severity error
+ * @id cpp/leap-year/conditional-logic-branches
+ * @precision medium
+ * @tags leap-year
+ *       correctness
+ *       security
+ */
+
+import cpp
+import LeapYear
+import semmle.code.cpp.dataflow.new.DataFlow
+
+class IfStmtLeapYearCheck extends IfStmt {
+  IfStmtLeapYearCheck() {
+    this.hasElse() and
+    exists(ExprCheckLeapYear lyCheck, DataFlow::Node source, DataFlow::Node sink |
+      source.asExpr() = lyCheck and
+      sink.asExpr() = this.getCondition() and
+      DataFlow::localFlow(source, sink)
+    )
+  }
+}
+
+from IfStmtLeapYearCheck lyCheckIf
+select lyCheckIf, "Leap Year conditional statement may have untested code paths"

cpp/ql/src/Microsoft/Leap Year/UncheckedLeapYearAfterYearModification.qhelp

@@ -0,0 +1,29 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+  <include src="LeapYear.inc.qhelp" />
+  
+<p>When performing arithmetic operations on a variable that represents a year, it is important to consider that the resulting value may not be a valid date.</p>
+<p>The typical example is doing simple year arithmetic (i.e. <code>date.year++</code>) without considering if the resulting value will be a valid date or not.</p>
+
+</overview>
+<recommendation>
+<p>When modifying a year field on a date structure, verify if the resulting year is a leap year.</p>
+
+</recommendation>
+<example>
+<p>In this example, we are adding 1 year to the current date. This may work most of the time, but on any given February 29th, the resulting value will be invalid.</p>
+<sample src="examples/UncheckedLeapYearAfterYearModificationBad.c" />
+
+<p>To fix this bug, check the result for leap year.</p>
+<sample src="examples/UncheckedLeapYearAfterYearModificationGood.c" />
+</example>
+
+<references>
+  <li>NASA / Goddard Space Flight Center - <a href="https://eclipse.gsfc.nasa.gov/SEhelp/calendars.html">Calendars</a></li>
+  <li>Wikipedia - <a href="https://en.wikipedia.org/wiki/Leap_year_bug"> Leap year bug</a> </li>
+  <li>Microsoft Azure blog - <a href="https://azure.microsoft.com/en-us/blog/is-your-code-ready-for-the-leap-year/"> Is your code ready for the leap year?</a> </li>
+</references>
+</qhelp>

cpp/ql/src/Microsoft/Leap Year/UncheckedLeapYearAfterYearModification.ql

@@ -0,0 +1,142 @@
+/**
+ * @name Year field changed using an arithmetic operation without checking for leap year (AntiPattern 1)
+ * @description A field that represents a year is being modified by an arithmetic operation, but no proper check for leap years can be detected afterwards.
+ * @kind problem
+ * @problem.severity error
+ * @id cpp/leap-year/unchecked-after-arithmetic-year-modification
+ * @precision medium
+ * @tags leap-year
+ *       correctness
+ *       security
+ */
+
+import cpp
+import LeapYear
+
+/**
+ * Holds if there is no known leap-year verification for the given `YearWriteOp`.
+ * Binds the `var` argument to the qualifier of the `ywo` argument.
+ */
+bindingset[ywo]
+predicate isYearModifedWithoutExplicitLeapYearCheck(Variable var, YearWriteOp ywo) {
+  exists(VariableAccess va, YearFieldAccess yfa |
+    yfa = ywo.getYearAccess() and
+    yfa.getQualifier() = va and
+    var.getAnAccess() = va and
+    // Avoid false positives
+    not (
+      // If there is a local check for leap year after the modification
+      exists(LeapYearFieldAccess yfacheck |
+        yfacheck.getQualifier() = var.getAnAccess() and
+        yfacheck.isUsedInCorrectLeapYearCheck() and
+        yfacheck.getBasicBlock() = yfa.getBasicBlock().getASuccessor*()
+      )
+      or
+      // If there is a data flow from the variable that was modified to a function that seems to check for leap year
+      exists(VariableAccess source, ChecksForLeapYearFunctionCall fc |
+        source = var.getAnAccess() and
+        LeapYearCheckFlow::flow(DataFlow::exprNode(source), DataFlow::exprNode(fc.getAnArgument()))
+      )
+      or
+      // If there is a data flow from the field that was modified to a function that seems to check for leap year
+      exists(VariableAccess vacheck, YearFieldAccess yfacheck, ChecksForLeapYearFunctionCall fc |
+        vacheck = var.getAnAccess() and
+        yfacheck.getQualifier() = vacheck and
+        LeapYearCheckFlow::flow(DataFlow::exprNode(yfacheck), DataFlow::exprNode(fc.getAnArgument()))
+      )
+      or
+      // If there is a successor or predecessor that sets the month or day to a fixed value
+      exists(FieldAccess mfa, AssignExpr ae, int val |
+        mfa instanceof MonthFieldAccess or mfa instanceof DayFieldAccess
+      |
+        mfa.getQualifier() = var.getAnAccess() and
+        mfa.isModified() and
+        (
+          mfa.getBasicBlock() = yfa.getBasicBlock().getASuccessor*() or
+          yfa.getBasicBlock() = mfa.getBasicBlock().getASuccessor+()
+        ) and
+        ae = mfa.getEnclosingElement() and
+        ae.getAnOperand().getValue().toInt() = val
+      )
+    )
+  )
+}
+
+/**
+ * The set of all write operations to the Year field of a date struct.
+ */
+abstract class YearWriteOp extends Operation {
+  /** Extracts the access to the Year field */
+  abstract YearFieldAccess getYearAccess();
+
+  /** Get the expression which represents the new value. */
+  abstract Expr getMutationExpr();
+}
+
+/**
+ * A unary operation (Crement) performed on a Year field.
+ */
+class YearWriteOpUnary extends YearWriteOp, UnaryOperation {
+  YearWriteOpUnary() { this.getOperand() instanceof YearFieldAccess }
+
+  override YearFieldAccess getYearAccess() { result = this.getOperand() }
+
+  override Expr getMutationExpr() { result = this }
+}
+
+/**
+ * An assignment operation or mutation on the Year field of a date object.
+ */
+class YearWriteOpAssignment extends YearWriteOp, Assignment {
+  YearWriteOpAssignment() { this.getLValue() instanceof YearFieldAccess }
+
+  override YearFieldAccess getYearAccess() { result = this.getLValue() }
+
+  override Expr getMutationExpr() {
+    // Note: may need to use DF analysis to pull out the original value,
+    // if there is excessive false positives.
+    if this.getOperator() = "="
+    then
+      exists(DataFlow::Node source, DataFlow::Node sink |
+        sink.asExpr() = this.getRValue() and
+        OperationToYearAssignmentFlow::flow(source, sink) and
+        result = source.asExpr()
+      )
+    else result = this
+  }
+}
+
+/**
+ * A DataFlow configuration for identifying flows from some non trivial access or literal
+ * to the Year field of a date object.
+ */
+module OperationToYearAssignmentConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node n) {
+    not n.asExpr() instanceof Access and
+    not n.asExpr() instanceof Literal
+  }
+
+  predicate isSink(DataFlow::Node n) {
+    exists(Assignment a |
+      a.getLValue() instanceof YearFieldAccess and
+      a.getRValue() = n.asExpr()
+    )
+  }
+}
+
+module OperationToYearAssignmentFlow = DataFlow::Global<OperationToYearAssignmentConfig>;
+
+from Variable var, YearWriteOp ywo, Expr mutationExpr
+where
+  mutationExpr = ywo.getMutationExpr() and
+  isYearModifedWithoutExplicitLeapYearCheck(var, ywo) and
+  not isNormalizationOperation(mutationExpr) and
+  not ywo instanceof AddressOfExpr and
+  not exists(Call c, TimeConversionFunction f | f.getACallToThisFunction() = c |
+    c.getAnArgument().getAChild*() = var.getAnAccess() and
+    ywo.getASuccessor*() = c
+  )
+select ywo,
+  "$@: Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found.",
+  ywo.getEnclosingFunction(), ywo.getEnclosingFunction().toString(),
+  ywo.getYearAccess().getTarget(), ywo.getYearAccess().getTarget().toString(), var, var.toString()

cpp/ql/src/Microsoft/Leap Year/UncheckedReturnValueForTimeFunctions.qhelp

@@ -0,0 +1,41 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+  <include src="LeapYear.inc.qhelp" />
+  
+<p>When using a function that transforms a date structure, and the year on the input argument for the API has been manipulated, it is important to check for the return value of the function to make sure it succeeded.</p>
+<p>Otherwise, the function may have failed, and the output parameter may contain invalid data that can cause any number of problems on the affected system.</p>
+<p>The following is a list of the functions that this query covers:</p>
+<ul>
+  <li><code>FileTimeToSystemTime</code></li>
+  <li><code>SystemTimeToFileTime</code></li>
+  <li><code>SystemTimeToTzSpecificLocalTime</code></li>
+  <li><code>SystemTimeToTzSpecificLocalTimeEx</code></li>
+  <li><code>TzSpecificLocalTimeToSystemTime</code></li>
+  <li><code>TzSpecificLocalTimeToSystemTimeEx</code></li>
+  <li><code>RtlLocalTimeToSystemTime</code></li>
+  <li><code>RtlTimeToSecondsSince1970</code></li>
+  <li><code>_mkgmtime</code></li>
+</ul>
+
+</overview>
+<recommendation>
+<p>When calling an API that transforms a date variable that was manipulated, always check for the return value to verify that the API call succeeded.</p>
+
+</recommendation>
+<example>
+<p>In this example, we are adding 1 year to the current date. This may work most of the time, but on any given February 29th, the resulting value will be invalid.</p>
+<sample src="examples/UncheckedLeapYearAfterYearModificationBad.c" />
+
+<p>To fix this bug, you must verify the return value for <code>SystemTimeToFileTime</code> and handle any potential error accordingly.</p>
+<sample src="examples/UncheckedLeapYearAfterYearModificationGood.c" />
+</example>
+
+<references>
+  <li>NASA / Goddard Space Flight Center - <a href="https://eclipse.gsfc.nasa.gov/SEhelp/calendars.html">Calendars</a></li>
+  <li>Wikipedia - <a href="https://en.wikipedia.org/wiki/Leap_year_bug"> Leap year bug</a> </li>
+  <li>Microsoft Azure blog - <a href="https://azure.microsoft.com/en-us/blog/is-your-code-ready-for-the-leap-year/"> Is your code ready for the leap year?</a> </li>
+</references>
+</qhelp>

cpp/ql/src/Microsoft/Leap Year/UncheckedReturnValueForTimeFunctions.ql

@@ -0,0 +1,65 @@
+/**
+ * @name Unchecked return value for time conversion function (AntiPattern 6)
+ * @description When the return value of a fallible time conversion function is
+ *              not checked for failure, its output parameters may contain
+ *              invalid dates.
+ * @kind problem
+ * @problem.severity error
+ * @id cpp/leap-year/unchecked-return-value-for-time-conversion-function
+ * @precision medium
+ * @tags leap-year
+ *       correctness
+ *       security
+ */
+
+import cpp
+import LeapYear
+
+from FunctionCall fcall, TimeConversionFunction trf, Variable var
+where
+  fcall = trf.getACallToThisFunction() and
+  fcall instanceof ExprInVoidContext and
+  var.getUnderlyingType() instanceof UnpackedTimeType and
+  (
+    exists(AddressOfExpr aoe |
+      aoe = fcall.getAnArgument() and
+      aoe.getAddressable() = var
+    )
+    or
+    exists(VariableAccess va |
+      fcall.getAnArgument() = va and
+      var.getAnAccess() = va
+    )
+  ) and
+  exists(DateStructModifiedFieldAccess dsmfa, VariableAccess modifiedVarAccess |
+    modifiedVarAccess = var.getAnAccess() and
+    modifiedVarAccess = dsmfa.getQualifier() and
+    modifiedVarAccess = fcall.getAPredecessor*()
+  ) and
+  // Remove false positives
+  not (
+    // Remove any instance where the predecessor is a SafeTimeGatheringFunction and no change to the data happened in between
+    exists(FunctionCall pred |
+      pred = fcall.getAPredecessor*() and
+      exists(SafeTimeGatheringFunction stgf | pred = stgf.getACallToThisFunction()) and
+      not exists(DateStructModifiedFieldAccess dsmfa, VariableAccess modifiedVarAccess |
+        modifiedVarAccess = var.getAnAccess() and
+        modifiedVarAccess = dsmfa.getQualifier() and
+        modifiedVarAccess = fcall.getAPredecessor*() and
+        modifiedVarAccess = pred.getASuccessor*()
+      )
+    )
+    or
+    // Remove any instance where the year is changed, but the month is set to 1 (year wrapping)
+    exists(MonthFieldAccess mfa, AssignExpr ae |
+      mfa.getQualifier() = var.getAnAccess() and
+      mfa.isModified() and
+      mfa = fcall.getAPredecessor*() and
+      ae = mfa.getEnclosingElement() and
+      ae.getAnOperand().getValue().toInt() = 1
+    )
+  )
+select fcall,
+  "$@: Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe.",
+  fcall.getEnclosingFunction(), fcall.getEnclosingFunction().toString(), trf,
+  trf.getQualifiedName().toString(), var, var.getName()

cpp/ql/src/Microsoft/Leap Year/UnsafeArrayForDaysOfYear.qhelp

@@ -0,0 +1,30 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+  <include src="LeapYear.inc.qhelp" />
+
+<p>This query helps to detect when a developer allocates an array or other fixed-length data structure such as <code>std::vector</code> with 365 elements – one for each day of the year.</p>
+<p>Since leap years have 366 days, there will be no allocated element on December 31st at the end of a leap year; which will lead to a buffer overflow on a leap year.</p>
+
+</overview>
+<recommendation>
+<p>When allocating memory for storing elements for each day of the year, ensure that the correct number of elements are allocated.</p>
+<p>It is also highly recommended to compile the code with array-bounds checking enabled whenever possible.</p>
+
+</recommendation>
+<example>
+<p>In this example, we are allocating 365 integers, one for each day of the year. This code will fail on a leap year, when there are 366 days.</p>
+<sample src="examples/UnsafeArrayForDaysOfYearBad.c" />
+
+<p>When using arrays, allocate the correct number of elements to match the year.</p>
+<sample src="examples/UnsafeArrayForDaysOfYearGood.c" />
+</example>
+
+<references>
+  <li>NASA / Goddard Space Flight Center - <a href="https://eclipse.gsfc.nasa.gov/SEhelp/calendars.html">Calendars</a></li>
+  <li>Wikipedia - <a href="https://en.wikipedia.org/wiki/Leap_year_bug"> Leap year bug</a></li>
+  <li>Microsoft Azure blog - <a href="https://azure.microsoft.com/en-us/blog/is-your-code-ready-for-the-leap-year/"> Is your code ready for the leap year?</a> </li>
+</references>
+</qhelp>