Skip to content

CPP: Add query for CWE-1126: Declaration of Variable with Unnecessarily Wide Scope #5767

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
geoffw0 merged 11 commits into from
May 11, 2021
Merged

CPP: Add query for CWE-1126: Declaration of Variable with Unnecessarily Wide Scope #5767

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
50c63a8
Add files via upload
ihsinme Apr 25, 2021
98f7f70
Add files via upload
ihsinme Apr 25, 2021
8c3980d
Update cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVar…
ihsinme May 2, 2021
0935c5a
Update DeclarationOfVariableWithUnnecessarilyWideScope.ql
ihsinme May 2, 2021
21f4325
Update DeclarationOfVariableWithUnnecessarilyWideScope.expected
ihsinme May 2, 2021
bb97507
Update test.c
ihsinme May 2, 2021
b277082
Update DeclarationOfVariableWithUnnecessarilyWideScope.qhelp
ihsinme May 5, 2021
976ccda
Update DeclarationOfVariableWithUnnecessarilyWideScope.ql
ihsinme May 5, 2021
c8f2937
Update DeclarationOfVariableWithUnnecessarilyWideScope.ql
ihsinme May 10, 2021
d3c6093
Update test.c
ihsinme May 10, 2021
9e5a38d
Update DeclarationOfVariableWithUnnecessarilyWideScope.expected
ihsinme May 10, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions .../src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.c
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
while(intIndex > 2)
{
...
intIndex--;
...
} // GOOD: correct cycle
...
while(intIndex > 2)
{
...
int intIndex;
intIndex--;
...
} // BAD: the variable used in the condition does not change.
26 changes: 26 additions & 0 deletions .../experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.qhelp
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>Using variables with the same name is dangerous. However, such a situation inside the while loop can create an infinite loop exhausting resources. Requires the attention of developers.</p>

</overview>
<recommendation>
<p>We recommend not to use local variables inside a loop if their names are the same as the variables in the condition of this loop.</p>

</recommendation>
<example>
<p>The following example demonstrates an erroneous and corrected use of a local variable within a loop.</p>
<sample src="DeclarationOfVariableWithUnnecessarilyWideScope.c" />

</example>
<references>

<li>
CERT C Coding Standard:
<a href="https://wiki.sei.cmu.edu/confluence/display/c/DCL01-C.+Do+not+reuse+variable+names+in+subscopes">DCL01-C. Do not reuse variable names in subscopes</a>.
</li>

</references>
</qhelp>
60 changes: 60 additions & 0 deletions ...src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
/**
* @name Errors When Using Variable Declaration Inside Loop
* @description Using variables with the same name is dangerous.
* However, such a situation inside the while loop can create an infinite loop exhausting resources.
* Requires the attention of developers.
* @kind problem
* @id cpp/errors-when-using-variable-declaration-inside-loop
* @problem.severity warning
* @precision medium
* @tags correctness
* security
* external/cwe/cwe-1126
Comment thread
ihsinme marked this conversation as resolved.
*/

import cpp

/**
* Errors when using a variable declaration inside a loop.
*/
class DangerousWhileLoop extends WhileStmt {
Comment thread
geoffw0 marked this conversation as resolved.
Expr exp;
Declaration dl;

DangerousWhileLoop() {
this = dl.getParentScope().(BlockStmt).getParent*() and
exp = this.getCondition().getAChild*() and
not exp instanceof PointerFieldAccess and
not exp instanceof ValueFieldAccess and
exp.(VariableAccess).getTarget().getName() = dl.getName() and
not exp.getParent*() instanceof FunctionCall
}

Declaration getDeclaration() { result = dl }

/** Holds when there are changes to the variables involved in the condition. */
Comment thread
ihsinme marked this conversation as resolved.
predicate isUseThisVariable() {
exists(Variable v |
this.getCondition().getAChild*().(VariableAccess).getTarget() = v and
Comment thread
ihsinme marked this conversation as resolved.
(
exists(Assignment aexp |
this = aexp.getEnclosingStmt().getParentStmt*() and
(
aexp.getLValue().(ArrayExpr).getArrayBase().(VariableAccess).getTarget() = v
or
aexp.getLValue().(VariableAccess).getTarget() = v
)
)
or
exists(CrementOperation crm |
this = crm.getEnclosingStmt().getParentStmt*() and
crm.getOperand().(VariableAccess).getTarget() = v
)
)
)
}
}

from DangerousWhileLoop lp
where not lp.isUseThisVariable()
select lp.getDeclaration(), "A variable with this name is used in the $@ condition.", lp, "loop"
1 change: 1 addition & 0 deletions ...curity/CWE/CWE-1126/semmle/tests/DeclarationOfVariableWithUnnecessarilyWideScope.expected
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
| test.c:14:9:14:16 | intIndex | A variable with this name is used in the $@ condition. | test.c:11:3:16:3 | while (...) ... | loop |
1 change: 1 addition & 0 deletions .../Security/CWE/CWE-1126/semmle/tests/DeclarationOfVariableWithUnnecessarilyWideScope.qlref
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
59 changes: 59 additions & 0 deletions cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/test.c
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
void workFunction_0(char *s) {
int intIndex = 10;
int intGuard;
char buf[80];
while(intIndex > 2) // GOOD
{
buf[intIndex] = 1;
intIndex--;
}
intIndex = 10;
while(intIndex > 2)
Comment thread
ihsinme marked this conversation as resolved.
{
buf[intIndex] = 1;
int intIndex; // BAD
intIndex--;
}
intIndex = 10;
intGuard = 20;
while(intIndex < intGuard--) // GOOD
{
buf[intIndex] = 1;
int intIndex;
intIndex--;
}
intIndex = 10;
intGuard = 20;
while(intIndex < intGuard) // GOOD
{
buf[intIndex] = 1;
int intIndex;
intIndex++;
intGuard--;
}
intIndex = 10;
intGuard = 20;
while(intIndex < intGuard) // GOOD
{
buf[intIndex] = 1;
int intIndex;
intIndex--;
intGuard -= 4;
}
intIndex = 10;
while(intIndex > 2) // GOOD
{
buf[intIndex] = 1;
intIndex -= 2;
int intIndex;
intIndex--;
}
intIndex = 10;
while(intIndex > 2) // GOOD
{
buf[intIndex] = 1;
--intIndex;
int intIndex;
intIndex--;
}
}