feat(cpp): Add Insecure Functions query #134
Conversation
Pull Request Overview
This PR introduces a new CodeQL query to detect insecure C-style functions in C++ code and provides corresponding documentation and examples.
- Add `InsecureFunctions.ql` to identify uses of functions like `strcpy`, `sprintf`, and `scanf`.
- Add `InsecureFunctions.md` with descriptions, vulnerable and secure usage examples, and best practices.
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| cpp/src/security/CWE-242/InsecureFunctions.ql | New CodeQL query to flag insecure functions. |
| cpp/src/security/CWE-242/InsecureFunctions.md | Documentation with examples and recommended alternatives. |
Comments suppressed due to low confidence (1)
cpp/src/security/CWE-242/InsecureFunctions.ql:1
- No tests were added for this new query. Add positive and negative CodeQL tests to verify that insecure calls are flagged and safe patterns (e.g., strncpy, snprintf) are not.
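As an added example (not code from this PR or from the repository), the following C++ fixture is the kind of file the review asks for: the `*_unsafe` functions are positive cases the query should flag (`strcpy`, `sscanf` with an unbounded `%s`), and the `*_safe` functions are negative cases it should leave alone (`snprintf` bounded by the destination size, `sscanf` with a field width). Function names, buffer sizes and the input line are my own assumptions. It also shows the caveat behind the width-specifier suggestion: a width bounds the write, but on over-long input it changes what the rest of the format matches, so the caller still has to check the return value.

```cpp
// Constructed fixture for the CWE-242 query (not part of the PR).
// *_unsafe: calls the query should flag.  *_safe: bounded alternatives.
#include <cstdio>
#include <cstring>
#include <string>

// Positive case: unbounded copy, flagged by the query.
// Writes strlen(src)+1 bytes regardless of the destination size.
void copy_unsafe(char dst[16], const char *src) {
    strcpy(dst, src);
}

// Negative case: bounded copy with explicit truncation detection.
// Returns false when src did not fit; dst is still NUL-terminated.
bool copy_safe(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0) return false;
    int n = snprintf(dst, dst_size, "%s", src);
    return n >= 0 && static_cast<size_t>(n) < dst_size;
}

// Positive case: "%s" without a width reads until whitespace, flagged.
int parse_user_unsafe(const char *line, char name[20], int &age) {
    return sscanf(line, "%s %d", name, &age);
}

// Negative case: the field width bounds the write to 19 chars + NUL,
// so a 20-byte buffer can never be overrun by this call.
int parse_user_safe(const char *line, char name[20], int &age) {
    return sscanf(line, "%19s %d", name, &age);
}

// Shows the caveat: on an over-long name the width-limited read stops
// after 19 chars, "%d" then sees the leftover letters and fails, so only
// one conversion succeeds and age is left untouched. Returns the stored
// name, or "" if the parse behaved differently than described.
std::string parse_long_name() {
    char name[20];
    int age = 0;
    // Constructed input: a 40-char name, longer than the 20-byte buffer.
    std::string line(40, 'A');
    line += " 42";
    int matched = parse_user_safe(line.c_str(), name, age);
    if (matched != 1 || age != 0) return "";
    return std::string(name);
}
```

`copy_unsafe` and `parse_user_unsafe` are present only so a positive test has something to flag; a fixture should never rely on them being called with input that happens to fit.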
/**
*/ | ||
|
||
import cpp | ||
import ghsl |
The import 'ghsl' isn't used in this query. You can remove it to keep the imports minimal and avoid confusion.
import ghsl |
functionName in ["strcpy", "strcat", "sprintf", "gets", "scanf", "sscanf"] | ||
} | ||
|
Flagging all 'scanf' and 'sscanf' calls will generate false positives for safe uses with width specifiers (e.g., "%19s"). Refine the predicate to exclude calls where the format string includes a field width.
functionName in ["strcpy", "strcat", "sprintf", "gets", "scanf", "sscanf"] | |
} | |
functionName in ["strcpy", "strcat", "sprintf", "gets", "scanf", "sscanf"] and | |
not (functionName in ["scanf", "sscanf"] and hasWidthSpecifier(call)) | |
} | |
/** Checks if the format string of a function call contains a width specifier (e.g., "%19s"). */ | |
predicate hasWidthSpecifier(FunctionCall call) { | |
exists(string formatString | | |
call.getArgument(0).getValue().toString() = formatString and | |
formatString.regexpMatch("%[0-9]+s") | |
) | |
} |
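Review bot: the suggested `hasWidthSpecifier` has two logic problems that would make the exclusion miss or misfire. First, `call.getArgument(0)` is the format string only for `scanf`; for `sscanf` argument 0 is the input buffer and the format is argument 1, so the width check never holds for `sscanf` and those calls stay flagged even with `"%19s"`. Second, `regexpMatch` in QL matches the whole string, so `"%[0-9]+s"` only holds when the entire format is a single width-limited `%s`; a format such as `"%19s %d"` falls back to being flagged, while the check cannot distinguish `"%19s %s"`, which still has an unbounded conversion and should be. Suggest picking the format argument per function (0 for `scanf`, 1 for `sscanf`) and flagging when any `%s`-style conversion lacks a width rather than when one has it, for example `formatString.regexpMatch(".*%s.*")` as a starting point; `getValue()` already returns a string, so the `.toString()` is redundant.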
No description provided.