Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #5767 from ihsinme/ihsinme-patch-268
CPP: Add query for CWE-1126: Declaration of Variable with Unnecessarily Wide Scope
- Loading branch information
Showing
6 changed files
with
161 additions
and
0 deletions.
There are no files selected for viewing
14 changes: 14 additions & 0 deletions
14
.../src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.c
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
while(intIndex > 2) | ||
{ | ||
... | ||
intIndex--; | ||
... | ||
} // GOOD: correct cycle | ||
... | ||
while(intIndex > 2) | ||
{ | ||
... | ||
int intIndex; | ||
intIndex--; | ||
... | ||
} // BAD: the variable used in the condition does not change. |
26 changes: 26 additions & 0 deletions
26
.../experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.qhelp
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
<!DOCTYPE qhelp PUBLIC | ||
"-//Semmle//qhelp//EN" | ||
"qhelp.dtd"> | ||
<qhelp> | ||
<overview> | ||
<p>Using variables with the same name is dangerous. However, such a situation inside the while loop can create an infinite loop exhausting resources. Requires the attention of developers.</p> | ||
|
||
</overview> | ||
<recommendation> | ||
<p>We recommend not to use local variables inside a loop if their names are the same as the variables in the condition of this loop.</p> | ||
|
||
</recommendation> | ||
<example> | ||
<p>The following example demonstrates an erroneous and corrected use of a local variable within a loop.</p> | ||
<sample src="DeclarationOfVariableWithUnnecessarilyWideScope.c" /> | ||
|
||
</example> | ||
<references> | ||
|
||
<li> | ||
CERT C Coding Standard: | ||
<a href="https://wiki.sei.cmu.edu/confluence/display/c/DCL01-C.+Do+not+reuse+variable+names+in+subscopes">DCL01-C. Do not reuse variable names in subscopes</a>. | ||
</li> | ||
|
||
</references> | ||
</qhelp> |
60 changes: 60 additions & 0 deletions
60
...src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,60 @@ | ||
/** | ||
* @name Errors When Using Variable Declaration Inside Loop | ||
* @description Using variables with the same name is dangerous. | ||
* However, such a situation inside the while loop can create an infinite loop exhausting resources. | ||
* Requires the attention of developers. | ||
* @kind problem | ||
* @id cpp/errors-when-using-variable-declaration-inside-loop | ||
* @problem.severity warning | ||
* @precision medium | ||
* @tags correctness | ||
* security | ||
* external/cwe/cwe-1126 | ||
*/ | ||
|
||
import cpp | ||
|
||
/** | ||
* Errors when using a variable declaration inside a loop. | ||
*/ | ||
class DangerousWhileLoop extends WhileStmt { | ||
Expr exp; | ||
Declaration dl; | ||
|
||
DangerousWhileLoop() { | ||
this = dl.getParentScope().(BlockStmt).getParent*() and | ||
exp = this.getCondition().getAChild*() and | ||
not exp instanceof PointerFieldAccess and | ||
not exp instanceof ValueFieldAccess and | ||
exp.(VariableAccess).getTarget().getName() = dl.getName() and | ||
not exp.getParent*() instanceof FunctionCall | ||
} | ||
|
||
Declaration getDeclaration() { result = dl } | ||
|
||
/** Holds when there are changes to the variables involved in the condition. */ | ||
predicate isUseThisVariable() { | ||
exists(Variable v | | ||
this.getCondition().getAChild*().(VariableAccess).getTarget() = v and | ||
( | ||
exists(Assignment aexp | | ||
this = aexp.getEnclosingStmt().getParentStmt*() and | ||
( | ||
aexp.getLValue().(ArrayExpr).getArrayBase().(VariableAccess).getTarget() = v | ||
or | ||
aexp.getLValue().(VariableAccess).getTarget() = v | ||
) | ||
) | ||
or | ||
exists(CrementOperation crm | | ||
this = crm.getEnclosingStmt().getParentStmt*() and | ||
crm.getOperand().(VariableAccess).getTarget() = v | ||
) | ||
) | ||
) | ||
} | ||
} | ||
|
||
from DangerousWhileLoop lp | ||
where not lp.isUseThisVariable() | ||
select lp.getDeclaration(), "A variable with this name is used in the $@ condition.", lp, "loop" |
1 change: 1 addition & 0 deletions
1
...curity/CWE/CWE-1126/semmle/tests/DeclarationOfVariableWithUnnecessarilyWideScope.expected
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
| test.c:14:9:14:16 | intIndex | A variable with this name is used in the $@ condition. | test.c:11:3:16:3 | while (...) ... | loop | |
1 change: 1 addition & 0 deletions
1
.../Security/CWE/CWE-1126/semmle/tests/DeclarationOfVariableWithUnnecessarilyWideScope.qlref
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql |
59 changes: 59 additions & 0 deletions
59
cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/test.c
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,59 @@ | ||
void workFunction_0(char *s) { | ||
int intIndex = 10; | ||
int intGuard; | ||
char buf[80]; | ||
while(intIndex > 2) // GOOD | ||
{ | ||
buf[intIndex] = 1; | ||
intIndex--; | ||
} | ||
intIndex = 10; | ||
while(intIndex > 2) | ||
{ | ||
buf[intIndex] = 1; | ||
int intIndex; // BAD | ||
intIndex--; | ||
} | ||
intIndex = 10; | ||
intGuard = 20; | ||
while(intIndex < intGuard--) // GOOD | ||
{ | ||
buf[intIndex] = 1; | ||
int intIndex; | ||
intIndex--; | ||
} | ||
intIndex = 10; | ||
intGuard = 20; | ||
while(intIndex < intGuard) // GOOD | ||
{ | ||
buf[intIndex] = 1; | ||
int intIndex; | ||
intIndex++; | ||
intGuard--; | ||
} | ||
intIndex = 10; | ||
intGuard = 20; | ||
while(intIndex < intGuard) // GOOD | ||
{ | ||
buf[intIndex] = 1; | ||
int intIndex; | ||
intIndex--; | ||
intGuard -= 4; | ||
} | ||
intIndex = 10; | ||
while(intIndex > 2) // GOOD | ||
{ | ||
buf[intIndex] = 1; | ||
intIndex -= 2; | ||
int intIndex; | ||
intIndex--; | ||
} | ||
intIndex = 10; | ||
while(intIndex > 2) // GOOD | ||
{ | ||
buf[intIndex] = 1; | ||
--intIndex; | ||
int intIndex; | ||
intIndex--; | ||
} | ||
} |