sqc 0.4.13

Software Code Quality - CERT C compliance checker
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203

//! STR11-C: Do not specify the bound of a character array initialized with a string literal
//!
//! This rule detects when a character array is declared with an explicit bound that doesn't
//! provide enough space for the null terminator of its string literal initializer.
//!
//! ## Problem
//! When you declare a character array with an explicit bound matching the character count
//! of a string literal, there's no room for the null terminator. This creates arrays that
//! are not properly null-terminated strings, leading to potential vulnerabilities.
//!
//! ## Examples
//!
//! **Non-compliant:**
//! ```c
//! const char s[3] = "abc";  // VIOLATION: 3 elements but "abc" needs 4 (including '\0')
//! char str[5] = "hello";    // VIOLATION: 5 elements but "hello" needs 6
//! ```
//!
//! **Compliant:**
//! ```c
//! const char s[] = "abc";      // OK: compiler sizes to 4 elements
//! char str[10] = "hello";      // OK: 10 > 6, sufficient space
//! char s[3] = {'a', 'b', 'c'}; // OK: explicit element notation (not a string)
//! ```
//!
//! ## Detection Strategy
//! - Find character array declarations (char or const char)
//! - Check if they have an explicit array size bound
//! - Check if they're initialized with a string literal (not explicit element notation)
//! - Calculate if bound is too small: bound <= string_length (needs bound > string_length)
//! - Report violation if insufficient space for null terminator

use crate::manifest::{RuleCategory, Severity};
use crate::prelude::RuleViolation;
use crate::rules::cert_c::CertRule;
use crate::utility::cert_c::ast_utils::get_node_text;
use tree_sitter::Node;

pub struct Str11C;

impl CertRule for Str11C {
    fn rule_id(&self) -> &'static str {
        "STR11-C"
    }

    fn cert_id(&self) -> &'static str {
        "STR11"
    }

    fn description(&self) -> &'static str {
        "Do not specify the bound of a character array initialized with a string literal"
    }

    fn severity(&self) -> Severity {
        Severity::Low
    }

    fn category(&self) -> RuleCategory {
        RuleCategory::Rule
    }

    fn check(&self, node: &Node, source: &str) -> Vec<RuleViolation> {
        let mut violations = Vec::new();
        self.check_declarations(node, source, &mut violations);
        violations
    }
}

impl Str11C {
    fn check_declarations(&self, node: &Node, source: &str, violations: &mut Vec<RuleViolation>) {
        // Look for declarations
        if node.kind() == "declaration" {
            self.check_declaration_node(node, source, violations);
        }

        // Recurse through children
        let mut cursor = node.walk();
        for child in node.children(&mut cursor) {
            self.check_declarations(&child, source, violations);
        }
    }

    fn check_declaration_node(
        &self,
        node: &Node,
        source: &str,
        violations: &mut Vec<RuleViolation>,
    ) {
        // Get the type specifier to check if it's a char type
        if let Some(type_node) = node.child_by_field_name("type") {
            let type_text = get_node_text(&type_node, source).trim();

            // Check if it's a character type (char or const char)
            if !type_text.contains("char") {
                return;
            }

            // Check each declarator in the declaration
            let mut cursor = node.walk();
            for child in node.children(&mut cursor) {
                if child.kind() == "init_declarator" {
                    self.check_init_declarator(&child, source, violations);
                }
            }
        }
    }

    fn check_init_declarator(
        &self,
        node: &Node,
        source: &str,
        violations: &mut Vec<RuleViolation>,
    ) {
        // Get the declarator (which may be an array_declarator)
        if let Some(declarator) = node.child_by_field_name("declarator") {
            // Check if this is an array declarator with explicit size
            if declarator.kind() == "array_declarator" {
                // Get the array size
                if let Some(size_node) = declarator.child_by_field_name("size") {
                    let size_text = get_node_text(&size_node, source).trim();

                    // Try to parse the size as an integer
                    if let Ok(array_size) = size_text.parse::<usize>() {
                        // Get the initializer value
                        if let Some(value) = node.child_by_field_name("value") {
                            // Check if it's a string literal (not an initializer_list)
                            if value.kind() == "string_literal" {
                                let literal_text = get_node_text(&value, source).trim();

                                // Calculate string length (excluding quotes)
                                let string_length = self.get_string_literal_length(literal_text);

                                // Check if array size is too small
                                // Array needs to be > string_length to hold null terminator
                                if array_size <= string_length {
                                    let start_point = node.start_position();

                                    violations.push(RuleViolation {
                                        rule_id: self.rule_id().to_string(),
                                        severity: Severity::Low,
                                        message: format!(
                                            "Character array bound [{}] is too small for string literal {} (needs {} for null terminator). \
                                            Omit the array bound to let the compiler allocate sufficient storage.",
                                            array_size,
                                            literal_text,
                                            string_length + 1
                                        ),
                                        file_path: String::new(),
                                        line: start_point.row + 1,
                                        column: start_point.column + 1,
                                        suggestion: Some(
                                            "Remove the array bound (use []) to let the compiler automatically size the array, \
                                            or specify a bound larger than the string length to accommodate the null terminator."
                                                .to_string(),
                                        ),
                                        ..Default::default()
                                    });
                                }
                            }
                        }
                    }
                }
            }
        }
    }

    fn get_string_literal_length(&self, literal: &str) -> usize {
        // Remove surrounding quotes
        let content = literal.trim_matches('"');

        // Count actual characters, handling escape sequences
        let mut length = 0;
        let mut chars = content.chars();

        while let Some(ch) = chars.next() {
            if ch == '\\' {
                // Handle escape sequence
                if let Some(next_ch) = chars.next() {
                    match next_ch {
                        'n' | 't' | 'r' | '\\' | '"' | '\'' | '0' => {
                            // Single character escape sequences
                            length += 1;
                        }
                        'x' => {
                            // Hex escape: \xHH
                            chars.next(); // Skip first hex digit
                            chars.next(); // Skip second hex digit
                            length += 1;
                        }
                        _ => {
                            // Other escape sequences count as one character
                            length += 1;
                        }
                    }
                }
            } else {
                length += 1;
            }
        }

        length
    }
}