/**
* @id c/cert/use-valid-specifiers
* @name FIO47-C: Use valid format strings
* @description Invalid conversion specifiers lead to undefined behavior.
* @kind problem
* @precision high
* @problem.severity error
* @tags external/cert/id/fio47-c
* correctness
* security
* external/cert/severity/high
* external/cert/likelihood/unlikely
* external/cert/remediation-cost/medium
* external/cert/priority/p6
* external/cert/level/l2
* external/cert/obligation/rule
* coding-standards/baseline/safety
*/
import cpp
import codingstandards.c.cert
/**
 * Gets a printf-style flag character whose combination with the conversion
 * character `specChar` is listed as undefined behavior in the CERT FIO47-C table.
 *
 * The predicate is multi-valued: it holds once per (conversion, flag) pair and
 * has no result for conversion characters that accept every flag (e.g. `f`, `g`).
 */
string getInvalidFlag(string specChar) {
  // Signed/unsigned decimal conversions reject the alternate-form flag.
  result = "#" and specChar = ["d", "i", "u"]
  or
  // Octal, hex and exponent conversions reject the grouping flag.
  result = "'" and specChar = ["o", "x", "X", "e", "E"]
  or
  // Character, string, pointer and `%%` conversions (and `n`) reject
  // grouping, alternate form and zero padding ...
  result = ["'", "#", "0"] and specChar = ["c", "s", "p", "C", "S", "%", "n"]
  or
  // ... and `n` additionally rejects the sign and justification flags.
  result = ["-", "+", " "] and specChar = "n"
}
/**
 * Gets a printf-style length modifier whose combination with the conversion
 * character `specChar` is listed as undefined behavior in the CERT FIO47-C table.
 *
 * Multi-valued like `getInvalidFlag`: one result per (conversion, length) pair.
 * Note that `h` is a prefix of `hh` and `l` of `ll`, so callers that substring-match
 * on the result implicitly cover the doubled form as well.
 */
string getInvalidLength(string specChar) {
  // Integer conversions only reject the long-double modifier.
  result = "L" and specChar = ["d", "i", "o", "u", "x", "X", "n"]
  or
  // Floating-point conversions reject the integer-only modifiers.
  result = ["h", "hh", "j", "z", "t"] and specChar = ["f", "F", "e", "E", "g", "G", "a", "A"]
  or
  // Character, string, pointer and `%%` conversions reject every modifier
  // except `l` (wide `c`/`s`) ...
  result = ["h", "hh", "ll", "j", "z", "t", "L"] and specChar = ["c", "s", "p", "C", "S", "%"]
  or
  // ... and `p`, `C`, `S`, `%%` reject `l` too.
  result = "l" and specChar = ["p", "C", "S", "%"]
}
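/*
 * Reports one (literal, message) pair per defect. The exclusion check is applied
 * once, in front of the parenthesised disjunction, so it gates every alert branch:
 * QL's `and` binds tighter than `or`, so without the parentheses the flag/length
 * branch would bypass `isExcluded` and report literals the project has excluded.
 */
from FormatLiteral x, string message
where
  not isExcluded(x, IO4Package::useValidSpecifiersQuery()) and
  (
    // The literal contains a conversion specification the library cannot parse.
    not x.specsAreKnown() and
    message = "The conversion specifier '" + x + "' is not valid."
    or
    // The n-th conversion specification pairs its conversion character with a flag
    // or length modifier that the CERT FIO47-C table marks as undefined behavior.
    exists(string compatible, string specChar, int n |
      specChar = x.getConversionChar(n) and
      (
        compatible = x.getFlags(n) and
        compatible.matches("%" + getInvalidFlag(specChar) + "%") and
        message =
          "The conversion specifier '" + specChar + "' is not compatible with flags '" +
            compatible + "'"
        or
        compatible = x.getLength(n) and
        compatible.matches("%" + getInvalidLength(specChar) + "%") and
        message =
          "The conversion specifier '" + specChar + "' is not compatible with length '" +
            compatible + "'"
      )
    )
  )
select x, message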