add fallback if I can't easily determine the variable

erik-krogh · erik-krogh · commit ca4f66705339 · 2024-04-08T07:14:48.000+02:00
diff --git a/java/ql/src/Likely Bugs/Arithmetic/InformationLoss.ql b/java/ql/src/Likely Bugs/Arithmetic/InformationLoss.ql
@@ -27,17 +27,23 @@ class DangerousAssignOpExpr extends AssignOp {
 
 predicate problematicCasting(Type t, Expr e) { e.getType().(NumType).widerThan(t) }
 
-Variable getVariable(DangerousAssignOpExpr a) {
-  result = a.getDest().(VarAccess).getVariable()
+Variable getVariable(Expr dest) {
+  result = dest.(VarAccess).getVariable()
   or
-  result = a.getDest().(ArrayAccess).getArray().(VarAccess).getVariable()
+  result = dest.(ArrayAccess).getArray().(VarAccess).getVariable()
 }
 
-from DangerousAssignOpExpr a, Expr e, Variable v
+from DangerousAssignOpExpr a, Expr e, Top v
 where
   e = a.getSource() and
   problematicCasting(a.getDest().getType(), e) and
-  v = getVariable(a)
+  (
+    v = getVariable(a.getDest())
+    or
+    // fallback, in case we can't easily determine the variable
+    not exists(getVariable(a.getDest())) and
+    v = a.getDest()
+  )
 select a,
-  "Implicit cast of source $@ to narrower destination type " + a.getDest().getType().getName() + ".",
-  v, "type " + e.getType().getName()
+  "Implicit cast of $@ to narrower destination type " + a.getDest().getType().getName() + ".",
+  v, "source type " + e.getType().getName()
diff --git a/java/ql/test/query-tests/security/CWE-190/semmle/tests/InformationLoss.expected b/java/ql/test/query-tests/security/CWE-190/semmle/tests/InformationLoss.expected
@@ -1,3 +1,4 @@
-| Test.java:68:5:68:25 | ...+=... | Implicit cast of source $@ to narrower destination type int. | Test.java:64:4:64:13 | int i | type long |
-| Test.java:87:4:87:9 | ...+=... | Implicit cast of source $@ to narrower destination type int. | Test.java:81:4:81:13 | int i | type long |
-| Test.java:289:5:289:30 | ...+=... | Implicit cast of source $@ to narrower destination type int. | Test.java:285:4:285:27 | int[] arr | type long |
+| Test.java:68:5:68:25 | ...+=... | Implicit cast of $@ to narrower destination type int. | Test.java:64:4:64:13 | int i | source type long |
+| Test.java:87:4:87:9 | ...+=... | Implicit cast of $@ to narrower destination type int. | Test.java:81:4:81:13 | int i | source type long |
+| Test.java:289:5:289:30 | ...+=... | Implicit cast of $@ to narrower destination type int. | Test.java:285:4:285:27 | int[] arr | source type long |
+| Test.java:293:7:293:44 | ...+=... | Implicit cast of $@ to narrower destination type int. | Test.java:293:7:293:24 | ...[...] | source type long |
diff --git a/java/ql/test/query-tests/security/CWE-190/semmle/tests/Test.java b/java/ql/test/query-tests/security/CWE-190/semmle/tests/Test.java
@@ -288,13 +288,20 @@ public static void main(String[] args) {
 				// which will result in overflows if it is large
 				arr[2] += getLargeNumber();
 			}
+
+      // BAD.
+      getAnIntArray()[0] += getLargeNumber();
 		}
 	}
 
 	public static long getLargeNumber() {
 		return Long.MAX_VALUE / 2;
 	}
 
+  public static int[] getAnIntArray() {
+    return new int[10];
+  }
+
 	public static boolean properlyBounded(int i) {
 		return i < Integer.MAX_VALUE;
 	}

Original file line number	Diff line number	Diff line change
`@@ -288,13 +288,20 @@ public static void main(String[] args) {`
`288`	`288`	`// which will result in overflows if it is large`
`289`	`289`	`arr[2] += getLargeNumber();`
`290`	`290`	`}`
	`291`	`+`
	`292`	`+ // BAD.`
	`293`	`+ getAnIntArray()[0] += getLargeNumber();`
`291`	`294`	`}`
`292`	`295`	`}`
`293`	`296`
`294`	`297`	`public static long getLargeNumber() {`
`295`	`298`	`return Long.MAX_VALUE / 2;`
`296`	`299`	`}`
`297`	`300`
	`301`	`+ public static int[] getAnIntArray() {`
	`302`	`+ return new int[10];`
	`303`	`+ }`
	`304`	`+`
`298`	`305`	`public static boolean properlyBounded(int i) {`
`299`	`306`	`return i < Integer.MAX_VALUE;`
`300`	`307`	`}`