Merge branch 'main' into python-add-typetrackingnode

Author: tausbn

cpp/change-notes/2021-06-24-uncontrolled-arithmetic.md

@@ -0,0 +1,2 @@
+lgtm
+* The 'Uncontrolled data in arithmetic expression' (cpp/uncontrolled-arithmetic) query now recognizes more sources of randomness.

cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql

@@ -7,10 +7,6 @@
 
 import cpp
 
-class AnonymousCompilation extends Compilation {
-  override string toString() { result = "<compilation>" }
-}
-
 string describe(Compilation c) {
   if c.getArgument(1) = "--mimic"
   then result = "compiler invocation " + concat(int i | i > 1 | c.getArgument(i), " " order by i)
@@ -19,4 +15,4 @@ string describe(Compilation c) {
 
 from Compilation c
 where not c.normalTermination()
-select c, "Extraction aborted for " + describe(c), 2
+select "Extraction aborted for " + describe(c)

cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql

@@ -15,38 +15,61 @@
 import cpp
 import semmle.code.cpp.security.Overflow
 import semmle.code.cpp.security.Security
-import semmle.code.cpp.security.TaintTracking
-import TaintedWithPath
+import semmle.code.cpp.security.FlowSources
+import semmle.code.cpp.ir.dataflow.TaintTracking
+import DataFlow::PathGraph
 import Bounded
 
-predicate isUnboundedRandCall(FunctionCall fc) {
-  exists(Function func | func = fc.getTarget() |
-    func.hasGlobalOrStdOrBslName("rand") and
-    not bounded(fc) and
-    func.getNumberOfParameters() = 0
-  )
+/**
+ * A function that outputs random data such as `std::rand`.
+ */
+abstract class RandomFunction extends Function {
+  /**
+   * Gets the `FunctionOutput` that describes how this function returns the random data.
+   */
+  FunctionOutput getFunctionOutput() { result.isReturnValue() }
+}
+
+/**
+ * The standard function `std::rand`.
+ */
+private class StdRand extends RandomFunction {
+  StdRand() {
+    this.hasGlobalOrStdOrBslName("rand") and
+    this.getNumberOfParameters() = 0
+  }
 }
 
-predicate isUnboundedRandCallOrParent(Expr e) {
-  isUnboundedRandCall(e)
-  or
-  isUnboundedRandCallOrParent(e.getAChild())
+/**
+ * The Unix function `rand_r`.
+ */
+private class RandR extends RandomFunction {
+  RandR() {
+    this.hasGlobalName("rand_r") and
+    this.getNumberOfParameters() = 1
+  }
 }
 
-predicate isUnboundedRandValue(Expr e) {
-  isUnboundedRandCall(e)
-  or
-  exists(MacroInvocation mi |
-    e = mi.getExpr() and
-    isUnboundedRandCallOrParent(e)
-  )
+/**
+ * The Unix function `random`.
+ */
+private class Random extends RandomFunction {
+  Random() {
+    this.hasGlobalName("random") and
+    this.getNumberOfParameters() = 1
+  }
 }
 
-class SecurityOptionsArith extends SecurityOptions {
-  override predicate isUserInput(Expr expr, string cause) {
-    isUnboundedRandValue(expr) and
-    cause = "rand"
+/**
+ * The Windows `rand_s` function.
+ */
+private class RandS extends RandomFunction {
+  RandS() {
+    this.hasGlobalName("rand_s") and
+    this.getNumberOfParameters() = 1
   }
+
+  override FunctionOutput getFunctionOutput() { result.isParameterDeref(0) }
 }
 
 predicate missingGuard(VariableAccess va, string effect) {
@@ -57,16 +80,47 @@ predicate missingGuard(VariableAccess va, string effect) {
   )
 }
 
-class Configuration extends TaintTrackingConfiguration {
-  override predicate isSink(Element e) { missingGuard(e, _) }
+class UncontrolledArithConfiguration extends TaintTracking::Configuration {
+  UncontrolledArithConfiguration() { this = "UncontrolledArithConfiguration" }
 
-  override predicate isBarrier(Expr e) { super.isBarrier(e) or bounded(e) }
+  override predicate isSource(DataFlow::Node source) {
+    exists(RandomFunction rand, Call call | call.getTarget() = rand |
+      rand.getFunctionOutput().isReturnValue() and
+      source.asExpr() = call
+      or
+      exists(int n |
+        source.asDefiningArgument() = call.getArgument(n) and
+        rand.getFunctionOutput().isParameterDeref(n)
+      )
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) { missingGuard(sink.asExpr(), _) }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    bounded(node.asExpr())
+    or
+    // If this expression is part of bitwise 'and' or 'or' operation it's likely that the value is
+    // only used as a bit pattern.
+    node.asExpr() =
+      any(Operation op |
+        op instanceof BitwiseOrExpr or
+        op instanceof BitwiseAndExpr or
+        op instanceof ComplementExpr
+      ).getAnOperand*()
+  }
 }
 
-from Expr origin, VariableAccess va, string effect, PathNode sourceNode, PathNode sinkNode
+/** Gets the expression that corresponds to `node`, if any. */
+Expr getExpr(DataFlow::Node node) { result = [node.asExpr(), node.asDefiningArgument()] }
+
+from
+  UncontrolledArithConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink,
+  VariableAccess va, string effect
 where
-  taintedWithPath(origin, va, sourceNode, sinkNode) and
+  config.hasFlowPath(source, sink) and
+  sink.getNode().asExpr() = va and
   missingGuard(va, effect)
-select va, sourceNode, sinkNode,
-  "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".", origin,
-  "Uncontrolled value"
+select sink.getNode(), source, sink,
+  "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".",
+  getExpr(source.getNode()), "Uncontrolled value"

cpp/ql/src/Security/CWE/CWE-190/Bounded.qll

@@ -7,25 +7,6 @@ private import cpp
 private import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 private import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
 
-/**
- * An operand `e` of a division expression (i.e., `e` is an operand of either a `DivExpr` or
- * a `AssignDivExpr`) is bounded when `e` is the left-hand side of the division.
- */
-pragma[inline]
-private predicate boundedDiv(Expr e, Expr left) { e = left }
-
-/**
- * An operand `e` of a remainder expression `rem` (i.e., `rem` is either a `RemExpr` or
- * an `AssignRemExpr`) with left-hand side `left` and right-ahnd side `right` is bounded
- * when `e` is `left` and `right` is upper bounded by some number that is less than the maximum integer
- * allowed by the result type of `rem`.
- */
-pragma[inline]
-private predicate boundedRem(Expr e, Expr rem, Expr left, Expr right) {
-  e = left and
-  upperBound(right.getFullyConverted()) < exprMaxVal(rem.getFullyConverted())
-}
-
 /**
  * An operand `e` of a bitwise and expression `andExpr` (i.e., `andExpr` is either an `BitwiseAndExpr`
  * or an `AssignAndExpr`) with operands `operand1` and `operand2` is the operand that is not `e` is upper
@@ -50,19 +31,10 @@ predicate bounded(Expr e) {
   ) and
   not convertedExprMightOverflow(e)
   or
-  //  For `%` and `&` we require that `e` is bounded by a value that is strictly smaller than the
-  //  maximum possible value of the result type of the operation.
-  //  For example, the function call `rand()` is considered bounded in the following program:
-  //  ```
-  //  int i = rand() % (UINT8_MAX + 1);
-  //  ```
-  //  but not in:
-  //  ```
-  //  unsigned char uc = rand() % (UINT8_MAX + 1);
-  //  ```
-  exists(RemExpr rem | boundedRem(e, rem, rem.getLeftOperand(), rem.getRightOperand()))
+  // Optimitically assume that a remainder expression always yields a much smaller value.
+  e = any(RemExpr rem).getLeftOperand()
   or
-  exists(AssignRemExpr rem | boundedRem(e, rem, rem.getLValue(), rem.getRValue()))
+  e = any(AssignRemExpr rem).getLValue()
   or
   exists(BitwiseAndExpr andExpr |
     boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
@@ -73,11 +45,11 @@ predicate bounded(Expr e) {
   )
   or
   // Optimitically assume that a division always yields a much smaller value.
-  boundedDiv(e, any(DivExpr div).getLeftOperand())
+  e = any(DivExpr div).getLeftOperand()
   or
-  boundedDiv(e, any(AssignDivExpr div).getLValue())
+  e = any(AssignDivExpr div).getLValue()
   or
-  boundedDiv(e, any(RShiftExpr shift).getLeftOperand())
+  e = any(RShiftExpr shift).getLeftOperand()
   or
-  boundedDiv(e, any(AssignRShiftExpr div).getLValue())
+  e = any(AssignRShiftExpr div).getLValue()
 }

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected

@@ -1,97 +1,60 @@
 edges
 | test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r |
-| test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r |
-| test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r |
-| test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r |
-| test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
-| test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
-| test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
 | test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
 | test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
-| test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
-| test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
-| test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
-| test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
-| test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
-| test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
-| test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
-| test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
-| test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
-| test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
+| test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r |
+| test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r |
+| test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r |
+| test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r |
 | test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
 | test.cpp:8:9:8:12 | Store | test.cpp:24:11:24:18 | call to get_rand |
 | test.cpp:8:9:8:12 | call to rand | test.cpp:8:9:8:12 | Store |
-| test.cpp:8:9:8:12 | call to rand | test.cpp:8:9:8:12 | Store |
 | test.cpp:13:2:13:15 | Chi [[]] | test.cpp:30:13:30:14 | get_rand2 output argument [[]] |
 | test.cpp:13:10:13:13 | call to rand | test.cpp:13:2:13:15 | Chi [[]] |
-| test.cpp:13:10:13:13 | call to rand | test.cpp:13:2:13:15 | Chi [[]] |
 | test.cpp:18:2:18:14 | Chi [[]] | test.cpp:36:13:36:13 | get_rand3 output argument [[]] |
 | test.cpp:18:9:18:12 | call to rand | test.cpp:18:2:18:14 | Chi [[]] |
-| test.cpp:18:9:18:12 | call to rand | test.cpp:18:2:18:14 | Chi [[]] |
-| test.cpp:24:11:24:18 | call to get_rand | test.cpp:25:7:25:7 | r |
 | test.cpp:24:11:24:18 | call to get_rand | test.cpp:25:7:25:7 | r |
 | test.cpp:30:13:30:14 | Chi | test.cpp:31:7:31:7 | r |
-| test.cpp:30:13:30:14 | Chi | test.cpp:31:7:31:7 | r |
 | test.cpp:30:13:30:14 | get_rand2 output argument [[]] | test.cpp:30:13:30:14 | Chi |
 | test.cpp:36:13:36:13 | Chi | test.cpp:37:7:37:7 | r |
-| test.cpp:36:13:36:13 | Chi | test.cpp:37:7:37:7 | r |
 | test.cpp:36:13:36:13 | get_rand3 output argument [[]] | test.cpp:36:13:36:13 | Chi |
 nodes
 | test.c:18:13:18:16 | call to rand | semmle.label | call to rand |
-| test.c:18:13:18:16 | call to rand | semmle.label | call to rand |
-| test.c:21:17:21:17 | r | semmle.label | r |
-| test.c:21:17:21:17 | r | semmle.label | r |
 | test.c:21:17:21:17 | r | semmle.label | r |
 | test.c:34:13:34:18 | call to rand | semmle.label | call to rand |
-| test.c:34:13:34:18 | call to rand | semmle.label | call to rand |
-| test.c:35:5:35:5 | r | semmle.label | r |
-| test.c:35:5:35:5 | r | semmle.label | r |
 | test.c:35:5:35:5 | r | semmle.label | r |
 | test.c:44:13:44:16 | call to rand | semmle.label | call to rand |
-| test.c:44:13:44:16 | call to rand | semmle.label | call to rand |
-| test.c:45:5:45:5 | r | semmle.label | r |
 | test.c:45:5:45:5 | r | semmle.label | r |
-| test.c:45:5:45:5 | r | semmle.label | r |
-| test.c:75:13:75:19 | ... ^ ... | semmle.label | ... ^ ... |
-| test.c:75:13:75:19 | ... ^ ... | semmle.label | ... ^ ... |
-| test.c:77:9:77:9 | r | semmle.label | r |
-| test.c:77:9:77:9 | r | semmle.label | r |
+| test.c:75:13:75:19 | call to rand | semmle.label | call to rand |
+| test.c:75:13:75:19 | call to rand | semmle.label | call to rand |
 | test.c:77:9:77:9 | r | semmle.label | r |
+| test.c:81:14:81:17 | call to rand | semmle.label | call to rand |
+| test.c:81:23:81:26 | call to rand | semmle.label | call to rand |
+| test.c:83:9:83:9 | r | semmle.label | r |
 | test.c:99:14:99:19 | call to rand | semmle.label | call to rand |
-| test.c:99:14:99:19 | call to rand | semmle.label | call to rand |
-| test.c:100:5:100:5 | r | semmle.label | r |
-| test.c:100:5:100:5 | r | semmle.label | r |
 | test.c:100:5:100:5 | r | semmle.label | r |
 | test.cpp:8:9:8:12 | Store | semmle.label | Store |
 | test.cpp:8:9:8:12 | call to rand | semmle.label | call to rand |
-| test.cpp:8:9:8:12 | call to rand | semmle.label | call to rand |
 | test.cpp:13:2:13:15 | Chi [[]] | semmle.label | Chi [[]] |
-| test.cpp:13:2:13:15 | ChiPartial | semmle.label | ChiPartial |
-| test.cpp:13:10:13:13 | call to rand | semmle.label | call to rand |
 | test.cpp:13:10:13:13 | call to rand | semmle.label | call to rand |
 | test.cpp:18:2:18:14 | Chi [[]] | semmle.label | Chi [[]] |
-| test.cpp:18:2:18:14 | ChiPartial | semmle.label | ChiPartial |
-| test.cpp:18:9:18:12 | call to rand | semmle.label | call to rand |
 | test.cpp:18:9:18:12 | call to rand | semmle.label | call to rand |
 | test.cpp:24:11:24:18 | call to get_rand | semmle.label | call to get_rand |
 | test.cpp:25:7:25:7 | r | semmle.label | r |
-| test.cpp:25:7:25:7 | r | semmle.label | r |
-| test.cpp:25:7:25:7 | r | semmle.label | r |
 | test.cpp:30:13:30:14 | Chi | semmle.label | Chi |
 | test.cpp:30:13:30:14 | get_rand2 output argument [[]] | semmle.label | get_rand2 output argument [[]] |
 | test.cpp:31:7:31:7 | r | semmle.label | r |
-| test.cpp:31:7:31:7 | r | semmle.label | r |
-| test.cpp:31:7:31:7 | r | semmle.label | r |
 | test.cpp:36:13:36:13 | Chi | semmle.label | Chi |
 | test.cpp:36:13:36:13 | get_rand3 output argument [[]] | semmle.label | get_rand3 output argument [[]] |
 | test.cpp:37:7:37:7 | r | semmle.label | r |
-| test.cpp:37:7:37:7 | r | semmle.label | r |
-| test.cpp:37:7:37:7 | r | semmle.label | r |
 #select
 | test.c:21:17:21:17 | r | test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:18:13:18:16 | call to rand | Uncontrolled value |
 | test.c:35:5:35:5 | r | test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:34:13:34:18 | call to rand | Uncontrolled value |
 | test.c:45:5:45:5 | r | test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:44:13:44:16 | call to rand | Uncontrolled value |
-| test.c:77:9:77:9 | r | test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:75:13:75:19 | ... ^ ... | Uncontrolled value |
+| test.c:77:9:77:9 | r | test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:75:13:75:19 | call to rand | Uncontrolled value |
+| test.c:77:9:77:9 | r | test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:75:13:75:19 | call to rand | Uncontrolled value |
+| test.c:83:9:83:9 | r | test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:81:14:81:17 | call to rand | Uncontrolled value |
+| test.c:83:9:83:9 | r | test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:81:23:81:26 | call to rand | Uncontrolled value |
 | test.c:100:5:100:5 | r | test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:99:14:99:19 | call to rand | Uncontrolled value |
 | test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | Uncontrolled value |
 | test.cpp:31:7:31:7 | r | test.cpp:13:10:13:13 | call to rand | test.cpp:31:7:31:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:13:10:13:13 | call to rand | Uncontrolled value |

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.c

@@ -80,7 +80,7 @@ void randomTester() {
   {
     int r = (rand() ^ rand());
 
-    r = r - 100; // BAD [NOT DETECTED]
+    r = r - 100; // BAD
   }
 
   {
@@ -109,4 +109,13 @@ void randomTester() {
 
 void add_100(int r) {
   r += 100; // GOOD
-}
+}
+
+void randomTester2(int bound, int min, int max) {
+  int r1 = rand() % bound;
+  r1 += 100; // GOOD (`bound` may possibly be MAX_INT in which case this could
+             //       still overflow, but it's most likely fine)
+
+  int r2 = (rand() % (max - min + 1)) + min;
+  r2 += 100; // GOOD (This is a common way to clamp the random value between [min, max])
+}

csharp/extractor/Semmle.Extraction.CSharp.Standalone/BuildAnalysis.cs

@@ -108,7 +108,10 @@ public BuildAnalysis(Options options, IProgressMonitor progress)
                         new[] { options.SolutionFile } :
                         sourceDir.GetFiles("*.sln", SearchOption.AllDirectories).Select(d => d.FullName);
 
-                RestoreSolutions(solutions);
+                if (options.UseNuGet)
+                {
+                    RestoreSolutions(solutions);
+                }
                 dllDirNames.Add(packageDirectory.DirInfo.FullName);
                 assemblyCache = new BuildAnalyser.AssemblyCache(dllDirNames, progress);
                 AnalyseSolutions(solutions);
@@ -324,7 +327,16 @@ private void AnalyseProject(FileInfo project)
 
         private void Restore(string projectOrSolution)
         {
-            var exit = DotNet.RestoreToDirectory(projectOrSolution, packageDirectory.DirInfo.FullName);
+            int exit;
+            try
+            {
+                exit = DotNet.RestoreToDirectory(projectOrSolution, packageDirectory.DirInfo.FullName);
+            }
+            catch (FileNotFoundException)
+            {
+                exit = 2;
+            }
+
             switch (exit)
             {
                 case 0: