github
diff --git a/‎.gitignore‎
Lines changed: 2 additions & 1 deletion b/‎.gitignore‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎ql_demos/.gitignore‎
Lines changed: 1 addition & 0 deletions b/‎ql_demos/.gitignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎ql_demos/cpp/.project‎
Lines changed: 12 additions & 0 deletions b/‎ql_demos/cpp/.project‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎ql_demos/cpp/.qlpath‎
Lines changed: 10 additions & 0 deletions b/‎ql_demos/cpp/.qlpath‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎ql_demos/cpp/ChakraCore-bad-overflow-check/BadOverflowCheck.ql‎
Lines changed: 13 additions & 0 deletions b/‎ql_demos/cpp/ChakraCore-bad-overflow-check/BadOverflowCheck.ql‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎ql_demos/cpp/ChakraCore-bad-overflow-check/README.md‎
Lines changed: 3 additions & 0 deletions b/‎ql_demos/cpp/ChakraCore-bad-overflow-check/README.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎ql_demos/cpp/ChakraCore-bad-overflow-check/steps/01_overflow_checks.ql‎
Lines changed: 12 additions & 0 deletions b/‎ql_demos/cpp/ChakraCore-bad-overflow-check/steps/01_overflow_checks.ql‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎ql_demos/cpp/ChakraCore-bad-overflow-check/steps/02_var_size.ql‎
Lines changed: 13 additions & 0 deletions b/‎ql_demos/cpp/ChakraCore-bad-overflow-check/steps/02_var_size.ql‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎ql_demos/cpp/ChakraCore-bad-overflow-check/steps/03_bad_overflow_check.ql‎
Lines changed: 14 additions & 0 deletions b/‎ql_demos/cpp/ChakraCore-bad-overflow-check/steps/03_bad_overflow_check.ql‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎ql_demos/cpp/Facebook_Fizz_CVE-2019-3560/FizzOverflow.ql‎
Lines changed: 57 additions & 0 deletions b/‎ql_demos/cpp/Facebook_Fizz_CVE-2019-3560/FizzOverflow.ql‎
Lines changed: 57 additions & 0 deletions
@@ -1 +1,2 @@
-.DS_Store
+*~
+/.metadata/
@@ -0,0 +1 @@
+*.cache
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<projectDescription>
+	<name>ql-demos-cpp</name>
+	<comment></comment>
+	<projects>
+	</projects>
+	<buildSpec>
+	</buildSpec>
+	<natures>
+		<nature>com.semmle.plugin.qdt.core.qlnature</nature>
+	</natures>
+</projectDescription>
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<ns2:qlpath xmlns:ns2="https://semmle.com/schemas/qlpath">
+    <librarypath>
+        <path kind="PLUGIN">com.semmle.code.cpp.library</path>
+    </librarypath>
+    <dbscheme kind="PLUGIN">com.semmle.code.cpp.dbscheme</dbscheme>
+    <defaultImports>
+        <defaultImport>cpp</defaultImport>
+    </defaultImports>
+</ns2:qlpath>
@@ -0,0 +1,13 @@
+import cpp
+
+predicate isSmall(Expr e) {
+  e.getType().getSize() < 4
+}
+
+from AddExpr a, Variable v, RelationalOperation cmp
+where a.getAnOperand() = v.getAnAccess()
+  and cmp.getAnOperand() = a
+  and cmp.getAnOperand() = v.getAnAccess()
+  and forall(Expr op | op = a.getAnOperand() | isSmall(op))
+  and not isSmall(a.getExplicitlyConverted())
+select cmp, "Bad overflow check"
@@ -0,0 +1,3 @@
+Use [this snapshot](https://downloads.lgtm.com/snapshots/cpp/microsoft/chakracore/ChakraCore-revision-2017-April-12--18-13-26.zip)
+
+We now also have this query in our default suite: https://lgtm.com/rules/2156560627/
@@ -0,0 +1,12 @@
+import cpp
+
+/** Matches `var < var + ???`. */
+predicate overflowCheck(LocalScopeVariable var, AddExpr add, RelationalOperation compare) {
+  compare.getAnOperand() = var.getAnAccess() and
+  compare.getAnOperand() = add and
+  add.getAnOperand() = var.getAnAccess()
+}
+
+from LocalScopeVariable var, AddExpr add
+where overflowCheck(var, add, _)
+select add, "Overflow check on variable of type " + var.getUnderlyingType()
@@ -0,0 +1,13 @@
+import cpp
+
+/** Matches `var < var + ???`. */
+predicate overflowCheck(LocalScopeVariable var, AddExpr add, RelationalOperation compare) {
+  compare.getAnOperand() = var.getAnAccess() and
+  compare.getAnOperand() = add and
+  add.getAnOperand() = var.getAnAccess()
+}
+
+from LocalScopeVariable var, AddExpr add
+where overflowCheck(var, add, _)
+  and var.getType().getSize() < 4
+select add, "Overflow check on variable of type " + var.getUnderlyingType()
@@ -0,0 +1,14 @@
+import cpp
+
+/** Matches `var < var + ???`. */
+predicate overflowCheck(LocalScopeVariable var, AddExpr add, RelationalOperation compare) {
+  compare.getAnOperand() = var.getAnAccess() and
+  compare.getAnOperand() = add and
+  add.getAnOperand() = var.getAnAccess()
+}
+
+from LocalScopeVariable var, AddExpr add
+where overflowCheck(var, add, _)
+  and var.getType().getSize() < 4
+  and not add.getConversion+().getType().getSize() < 4
+select add, "Bad overflow check on variable of type " + var.getUnderlyingType()
@@ -0,0 +1,57 @@
+/**
+ * @name Fizz Overflow
+ * @description Narrowing conversions on untrusted data could enable
+ *              an attacker to trigger an integer overflow.
+ * @kind path-problem
+ * @problem.severity warning
+ */
+
+import cpp
+import semmle.code.cpp.ir.dataflow.TaintTracking
+import semmle.code.cpp.ir.IR
+import DataFlow::PathGraph
+
+/**
+ * The endianness conversion function `Endian::big()`.
+ * It is Folly's replacement for `ntohs` and `ntohl`.
+ */
+class EndianConvert extends Function {
+  EndianConvert() {
+    this.getName() = "big" and
+    this.getDeclaringType().getName().matches("Endian")
+  }
+}
+
+class Cfg extends TaintTracking::Configuration {
+  Cfg() { this = "FizzOverflowIR" }
+
+  /** Holds if `source` is a call to `Endian::big()`. */
+  override predicate isSource(DataFlow::Node source) {
+    source
+        .asInstruction()
+        .(CallInstruction)
+        .getCallTarget()
+        .(FunctionInstruction)
+        .getFunctionSymbol() instanceof EndianConvert
+  }
+
+  /** Holds if `sink` is a narrowing conversion. */
+  override predicate isSink(DataFlow::Node sink) {
+    sink.asInstruction().getResultSize() < sink
+          .asInstruction()
+          .(ConvertInstruction)
+          .getUnary()
+          .getResultSize()
+  }
+}
+
+from
+  Cfg cfg, DataFlow::PathNode source, DataFlow::PathNode sink, ConvertInstruction conv,
+  Type inputType, Type outputType
+where
+  cfg.hasFlowPath(source, sink) and
+  conv = sink.getNode().asInstruction() and
+  inputType = conv.getUnary().getResultType() and
+  outputType = conv.getResultType()
+select sink, source, sink,
+  "Conversion of untrusted data from " + inputType + " to " + outputType + "."
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+Use [this snapshot](https://downloads.lgtm.com/snapshots/cpp/microsoft/chakracore/ChakraCore-revision-2017-April-12--18-13-26.zip)`
	`2`	`+`
	`3`	`+We now also have this query in our default suite: https://lgtm.com/rules/2156560627/`