C++: Add scanf_s models.

MathiasVP · MathiasVP · commit fb1b2935618c · 2026-05-15T11:07:00.000+01:00
diff --git a/cpp/ql/lib/semmle/code/cpp/commons/Scanf.qll b/cpp/ql/lib/semmle/code/cpp/commons/Scanf.qll
@@ -34,6 +34,7 @@ class Scanf extends ScanfFunction instanceof TopLevelFunction {
   Scanf() {
     this.hasGlobalOrStdOrBslName("scanf") or // scanf(format, args...)
     this.hasGlobalOrStdOrBslName("wscanf") or // wscanf(format, args...)
+    this.hasGlobalOrStdOrBslName("scanf_s") or // scanf_s(format, args...)
     this.hasGlobalName("_scanf_l") or // _scanf_l(format, locale, args...)
     this.hasGlobalName("_wscanf_l")
   }
@@ -50,6 +51,7 @@ class Fscanf extends ScanfFunction instanceof TopLevelFunction {
   Fscanf() {
     this.hasGlobalOrStdOrBslName("fscanf") or // fscanf(src_stream, format, args...)
     this.hasGlobalOrStdOrBslName("fwscanf") or // fwscanf(src_stream, format, args...)
+    this.hasGlobalOrStdOrBslName("fscanf_s") or // fscanf_s(src_stream, format, args...)
     this.hasGlobalName("_fscanf_l") or // _fscanf_l(src_stream, format, locale, args...)
     this.hasGlobalName("_fwscanf_l")
   }
@@ -66,8 +68,12 @@ class Sscanf extends ScanfFunction instanceof TopLevelFunction {
   Sscanf() {
     this.hasGlobalOrStdOrBslName("sscanf") or // sscanf(src_stream, format, args...)
     this.hasGlobalOrStdOrBslName("swscanf") or // swscanf(src, format, args...)
+    this.hasGlobalOrStdOrBslName("sscanf_s") or // sscanf_s(src, format, args...)
+    this.hasGlobalOrStdOrBslName("swscanf_s") or // swscanf_s(src, format, args...)
     this.hasGlobalName("_sscanf_l") or // _sscanf_l(src, format, locale, args...)
-    this.hasGlobalName("_swscanf_l")
+    this.hasGlobalName("_swscanf_l") or // _swscanf_l(src, format, locale, args...)
+    this.hasGlobalName("_sscanf_s_l") or // _sscanf_s_l(src, format, locale, args...)
+    this.hasGlobalName("_swscanf_s_l") // _swscanf_s_l(src, format, locale, args...)
   }
 
   override int getInputParameterIndex() { result = 0 }
diff --git a/cpp/ql/test/library-tests/dataflow/source-sink-tests/sources-and-sinks.cpp b/cpp/ql/test/library-tests/dataflow/source-sink-tests/sources-and-sinks.cpp
@@ -140,32 +140,32 @@ void test_scanf_s(FILE *stream) {
   int n1, n2;
   scanf_s(
     "%d",
-    &n1, // $ MISSING: local_source
-    &n2); // $ MISSING: local_source
+    &n1, // $ local_source
+    &n2); // $ local_source
   }
 
   {
   int n;
-  fscanf_s(stream, "%d", &n); // $ MISSING: remote_source
+  fscanf_s(stream, "%d", &n); // $ remote_source
   }
 
   {
   int n1, n2;
   char buf[256];
   scanf_s("%d %s",
-    &n1, // $ MISSING: local_source
-    buf, // $ MISSING: local_source
+    &n1, // $ local_source
+    buf, // $ local_source
     256,
-    &n2); // $ MISSING: local_source
+    &n2); // $ local_source
   }
 
   {
   int n1, n2;
   char buf[256];
   fscanf_s(stream, "%d %s",
-    &n1, // $ MISSING: remote_source
-    buf, // $ MISSING: remote_source
+    &n1, // $ remote_source
+    buf, // $ remote_source
     256,
-    &n2); // $ MISSING: remote_source
+    &n2); // $ remote_source
   }
 }
diff --git a/cpp/ql/test/library-tests/scanf/scanfFormatLiteral.expected b/cpp/ql/test/library-tests/scanf/scanfFormatLiteral.expected
@@ -3,3 +3,6 @@
 | test.c:20:2:20:7 | call to fscanf | 1 | i | 0 | 0 |
 | test.c:21:2:21:7 | call to sscanf | 0 | s | 0 | 0 |
 | test.c:22:2:22:8 | call to swscanf | 0 | s | 10 | 10 |
+| test.c:23:2:23:8 | call to scanf_s | 0 | d | 0 | 0 |
+| test.c:23:2:23:8 | call to scanf_s | 1 | s | 0 | 0 |
+| test.c:23:2:23:8 | call to scanf_s | 2 | d | 0 | 0 |
diff --git a/cpp/ql/test/library-tests/scanf/scanfFunctionCall.expected b/cpp/ql/test/library-tests/scanf/scanfFunctionCall.expected
@@ -3,3 +3,4 @@
 | test.c:20:2:20:7 | call to fscanf | 0 | 1 | test.c:20:15:20:23 | %10s %i | non-wide |
 | test.c:21:2:21:7 | call to sscanf | 0 | 1 | test.c:21:19:21:28 | %*i%s%*s | non-wide |
 | test.c:22:2:22:8 | call to swscanf | 0 | 1 | test.c:22:21:22:26 | %10s | wide |
+| test.c:23:2:23:8 | call to scanf_s | 0 | 0 | test.c:23:10:23:19 | %d %s %d | non-wide |
diff --git a/cpp/ql/test/library-tests/scanf/scanfFunctionCallOutput.expected b/cpp/ql/test/library-tests/scanf/scanfFunctionCallOutput.expected
@@ -4,3 +4,7 @@
 | test.c:20:2:20:7 | call to fscanf | test.c:20:34:20:34 | i | 1 |
 | test.c:21:2:21:7 | call to sscanf | test.c:21:31:21:36 | buffer | 0 |
 | test.c:22:2:22:8 | call to swscanf | test.c:22:29:22:35 | wbuffer | 0 |
+| test.c:23:2:23:8 | call to scanf_s | test.c:23:22:23:23 | & ... | 0 |
+| test.c:23:2:23:8 | call to scanf_s | test.c:23:26:23:31 | buffer | 1 |
+| test.c:23:2:23:8 | call to scanf_s | test.c:23:34:23:35 | 10 | 2 |
+| test.c:23:2:23:8 | call to scanf_s | test.c:23:38:23:40 | & ... | 3 |

Original file line number	Diff line number	Diff line change
`@@ -140,32 +140,32 @@ void test_scanf_s(FILE *stream) {`
`140`	`140`	`int n1, n2;`
`141`	`141`	`scanf_s(`
`142`	`142`	`"%d",`
`143`		`- &n1, // $ MISSING: local_source`
`144`		`- &n2); // $ MISSING: local_source`
	`143`	`+ &n1, // $ local_source`
	`144`	`+ &n2); // $ local_source`
`145`	`145`	`}`
`146`	`146`
`147`	`147`	`{`
`148`	`148`	`int n;`
`149`		`- fscanf_s(stream, "%d", &n); // $ MISSING: remote_source`
	`149`	`+ fscanf_s(stream, "%d", &n); // $ remote_source`
`150`	`150`	`}`
`151`	`151`
`152`	`152`	`{`
`153`	`153`	`int n1, n2;`
`154`	`154`	`char buf[256];`
`155`	`155`	`scanf_s("%d %s",`
`156`		`- &n1, // $ MISSING: local_source`
`157`		`- buf, // $ MISSING: local_source`
	`156`	`+ &n1, // $ local_source`
	`157`	`+ buf, // $ local_source`
`158`	`158`	`256,`
`159`		`- &n2); // $ MISSING: local_source`
	`159`	`+ &n2); // $ local_source`
`160`	`160`	`}`
`161`	`161`
`162`	`162`	`{`
`163`	`163`	`int n1, n2;`
`164`	`164`	`char buf[256];`
`165`	`165`	`fscanf_s(stream, "%d %s",`
`166`		`- &n1, // $ MISSING: remote_source`
`167`		`- buf, // $ MISSING: remote_source`
	`166`	`+ &n1, // $ remote_source`
	`167`	`+ buf, // $ remote_source`
`168`	`168`	`256,`
`169`		`- &n2); // $ MISSING: remote_source`
	`169`	`+ &n2); // $ remote_source`
`170`	`170`	`}`
`171`	`171`	`}`