C++ : cpp/incorrect-string-type-conversion

Cast between semantically different string types: char* from/to wchar_t*
NOTE: Please let me know if you want to use a different CWE than CWE-704

Author: raulgarciamsft

.gitignore

@@ -13,3 +13,4 @@
 /.vs/ql/v15/Browse.VC.db
 /.vs/ProjectSettings.json
 
+/.vs/ql/v15/.suo

cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.cpp

@@ -0,0 +1,3 @@
+LPWSTR pSrc;
+
+pSrc = (LPWSTR)"a";

cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.qhelp

@@ -0,0 +1,25 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+  <p>This rule indicates a potentially incorrect cast from/to an ANSI string (<code>char *</code>) to/from a Unicode string (<code>wchar_t *</code>).</p>
+  <p>This cast might yield strings that are not correctly terminated; including potential buffer overruns when using such strings with some dangerous APIs.</p>
+</overview>
+
+<recommendation>
+  <p>Do not explicitly casting ANSI strings to/from Unicode strings.</p>
+</recommendation>
+
+<example>
+<p>In the following example, an ANSI string literal (<code>"a"</code>) is casted as a Unicode string.</p>
+<sample src="WcharCharConversion.cpp" />
+
+<p>To fix this issue, prepend the literal with the letter "L" (<code>L"a"</code>) to define it as a Unicode string.</p>
+</example>
+
+<references>
+</references>
+
+</qhelp>

cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql

@@ -0,0 +1,38 @@
+/**
+ * @name Cast between semantically different string types: char* from/to wchar_t*
+ * @description This rule indicates a potentially incorrect cast from/to an ANSI string (char *) to/from a Unicode string (wchar_t *). 
+ *              This cast might yield strings that are not correctly terminated; 
+ *              including potential buffer overruns when using such strings with some dangerous APIs.
+ * @kind problem
+ * @id cpp/incorrect-string-type-conversion
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *       external/cwe/cwe-704
+ *       external/microsoft/c/c6276
+ */
+import cpp
+
+class WideCharPointerType extends PointerType {
+  WideCharPointerType() { 
+    this.getBaseType() instanceof WideCharType 
+  }
+}
+
+from Expr e1, Cast e2
+where 
+  e2 = e1.getConversion() 
+  and
+  (
+    exists( WideCharPointerType w, CharPointerType c  | 
+      w = e1.getType().getUnspecifiedType().(PointerType)
+      and c = e2.getType().getUnspecifiedType().(PointerType)
+    )
+    or exists
+    ( 
+      WideCharPointerType w, CharPointerType c | 
+      w = e2.getType().getUnspecifiedType().(PointerType)
+      and c = e1.getType().getUnspecifiedType().(PointerType)
+    )
+  )
+select e1, "Conversion from " + e1.getType().toString() + " to " +  e2.getType().toString() + ". Use of invalid string can lead to undefined behavior."

cpp/ql/test/query-tests/Security/CWE/CWE-704/WcharCharConversion.cpp

@@ -0,0 +1,40 @@
+#define NULL 0
+#define CONST               const
+typedef wchar_t WCHAR;    // wc,   16-bit UNICODE character
+typedef char CHAR;
+
+typedef WCHAR *LPWSTR;
+typedef CONST WCHAR *LPCWSTR;
+
+typedef CHAR *LPSTR;
+typedef CONST CHAR *LPCSTR;
+
+void fconstChar(LPCSTR p) {}
+void fChar(LPSTR p) {}
+void fconstWChar(LPCWSTR p) {}
+void fWChar(LPWSTR p) {}
+
+void Test()
+{
+    char *lpChar = NULL;
+    wchar_t *lpWchar = NULL;
+
+    lpChar = (LPSTR)L"a";   // BUG
+    lpWchar = (LPWSTR)"a";  // BUG
+
+    lpChar = (char*)lpWchar;    // BUG
+    lpWchar = (wchar_t*)lpChar; // BUG
+
+    fconstChar((LPCSTR)lpWchar);    // BUG
+    fChar((LPSTR)lpWchar);          // BUG
+    fconstWChar((LPCWSTR)lpChar);   // BUG
+    fWChar((LPWSTR)lpChar);         // BUG
+
+    lpChar = (LPSTR)"a";    // Valid
+    lpWchar = (LPWSTR)L"a"; // Valid
+
+    fconstChar((LPCSTR)lpChar);     // Valid
+    fChar(lpChar);                  // Valid
+    fconstWChar((LPCWSTR)lpWchar);  // Valid
+    fWChar(lpWchar);                // Valid
+}

cpp/ql/test/query-tests/Security/CWE/CWE-704/WcharCharConversion.expected

@@ -0,0 +1,8 @@
+| WcharCharConversion.cpp:22:18:22:21 | array to pointer conversion | Conversion from const wchar_t * to LPSTR. Use of invalid string can lead to undefined behavior. |
+| WcharCharConversion.cpp:23:20:23:22 | array to pointer conversion | Conversion from const char * to LPWSTR. Use of invalid string can lead to undefined behavior. |
+| WcharCharConversion.cpp:25:18:25:24 | lpWchar | Conversion from wchar_t * to char *. Use of invalid string can lead to undefined behavior. |
+| WcharCharConversion.cpp:26:22:26:27 | lpChar | Conversion from char * to wchar_t *. Use of invalid string can lead to undefined behavior. |
+| WcharCharConversion.cpp:28:21:28:27 | lpWchar | Conversion from wchar_t * to LPCSTR. Use of invalid string can lead to undefined behavior. |
+| WcharCharConversion.cpp:29:15:29:21 | lpWchar | Conversion from wchar_t * to LPSTR. Use of invalid string can lead to undefined behavior. |
+| WcharCharConversion.cpp:30:23:30:28 | lpChar | Conversion from char * to LPCWSTR. Use of invalid string can lead to undefined behavior. |
+| WcharCharConversion.cpp:31:17:31:22 | lpChar | Conversion from char * to LPWSTR. Use of invalid string can lead to undefined behavior. |

cpp/ql/test/query-tests/Security/CWE/CWE-704/WcharCharConversion.qlref

@@ -0,0 +1 @@
+Security/CWE/CWE-704/WcharCharConversion.ql