
Bring in additional rules from internal repo (both experimental and recommended.) #216

Open
NateD-MSFT wants to merge 3 commits into development from user/nated-msft/2603/stl-rule-expansion

Conversation

NateD-MSFT (Collaborator) commented Mar 27, 2026

This change adds the following queries from our internal CodeQL repo:

Recommended rules: these should be applicable to drivers as-is, but may have room for improvement; they have a low false positive rate in testing.

  • NonConstantFormat.ql: Detects printf-like function calls where the format string argument does not originate from a string literal, which could lead to format string vulnerabilities.
  • ImproperNullTermination.ql: Detects uses of strings that may not be null-terminated being passed to string functions, which can cause buffer overflows or over-reads.
  • StrncpyFlippedArgs.ql: Detects calls to strncpy where the size argument is based on the source buffer size instead of the destination, potentially causing buffer overflows.
  • UnsafeUseOfStrcat.ql: Detects uses of strcat where the source string size is not checked before concatenation, which may result in buffer overflow.
  • ArithmeticUncontrolled.ql: Detects arithmetic operations on data from random number generators that lack validation, potentially causing integer overflows.
  • ArithmeticWithExtremeValues.ql: Detects arithmetic operations on variables assigned extreme values (INT_MAX, INT_MIN, etc.) that could cause overflow or underflow.

Experimental rules: these need additional work to be correctly applicable to drivers and currently have a high false positive rate. They are not part of our recommended set but are included to indicate future opportunities.

  • TaintedPath.ql: Detects file access operations where the path argument is derived from user-controlled input, enabling potential path traversal attacks.
  • ArithmeticTainted.ql: Detects arithmetic operations on user-controlled data that is not validated, which could cause integer overflows or underflows.
  • IntegerOverflowTainted.ql: Detects user-controlled integer arithmetic expressions that might overflow based on range analysis.
  • TaintedAllocationSize.ql: Detects memory allocations where the size is derived from user-controlled input, potentially allowing arbitrary memory allocation.
  • IncorrectPointerScalingChar.ql: Detects pointer arithmetic where implicit scaling may cause buffer overflow due to mismatched pointer types.
  • TaintedCondition.ql: Detects security-sensitive conditional statements (privilege escalation) that rely on untrusted user input.

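The following is an added example, not code from this PR or from the internal CodeQL repo: a few small C routines in the style of driver helpers, each showing the bug pattern behind one of the recommended rules listed above (NonConstantFormat, StrncpyFlippedArgs, ImproperNullTermination, UnsafeUseOfStrcat, ArithmeticWithExtremeValues and TaintedAllocationSize) next to a hardened form. All function names, the record_t layout and the inputs are constructed for illustration and are not taken from the rules' own example files.

```c
/* Added example, not code from the PR or the CodeQL repo: driver-style C
 * helpers showing the bug pattern behind several recommended rules beside a
 * hardened form. All names, buffers and inputs are constructed. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NonConstantFormat: user data used as the format string is interpreted, so
 * "%%" in the input becomes "%" and "%n"/"%s" can read or write memory. The
 * hardened form pins the format to "%s" and passes the data as an argument. */
int echo_bad(char *out, size_t out_size, const char *user)
{
    return snprintf(out, out_size, user);        /* flagged: format is not a literal */
}

int echo_good(char *out, size_t out_size, const char *user)
{
    return snprintf(out, out_size, "%s", user);  /* user data is only an argument */
}

/* StrncpyFlippedArgs and ImproperNullTermination in one call: the limit is the
 * source length, so the copy overruns a smaller dst, and even when dst is
 * exactly large enough no terminator is written and a later strlen over-reads. */
void copy_field_bad(char *dst, const char *src)
{
    strncpy(dst, src, strlen(src));              /* flagged: limit taken from src */
}

/* Hardened form: the bound is the destination capacity, the result is always
 * terminated, and truncation is reported instead of hidden. */
bool copy_field_good(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0)
        return false;
    if (len >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return false;                            /* truncated */
    }
    memcpy(dst, src, len + 1);                   /* includes the terminator */
    return true;
}

/* UnsafeUseOfStrcat: append only after proving the concatenation fits, and
 * refuse a dst that is not itself terminated within its capacity. */
bool append_checked(char *dst, size_t dst_size, const char *src)
{
    const char *end = memchr(dst, '\0', dst_size);
    if (end == NULL)
        return false;                            /* dst is unterminated */
    size_t used = (size_t)(end - dst);
    if (strlen(src) >= dst_size - used)          /* no room for src plus '\0' */
        return false;
    strcat(dst, src);
    return true;
}

/* ArithmeticWithExtremeValues: signed overflow is undefined behaviour in C,
 * so the operands are range-checked before the addition is performed. */
bool add_checked(int a, int b, int *out)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return false;
    *out = a + b;
    return true;
}

/* TaintedAllocationSize: a record count taken from a request must not be
 * multiplied into an allocation size unchecked; 0 signals rejection. A policy
 * cap on count (not shown) belongs here as well. */
typedef struct { uint32_t id; uint32_t flags; } record_t;   /* constructed layout */

size_t records_alloc_size(size_t count)
{
    if (count == 0 || count > SIZE_MAX / sizeof(record_t))
        return 0;
    return count * sizeof(record_t);
}

int main(void)
{
    char buf[16];
    int sum;

    echo_bad(buf, sizeof buf, "%%");
    printf("echo_bad  -> \"%s\"\n", buf);        /* format was interpreted */
    echo_good(buf, sizeof buf, "%%");
    printf("echo_good -> \"%s\"\n", buf);        /* data echoed verbatim */
    printf("add_checked(INT_MAX, 1) ok? %d\n", add_checked(INT_MAX, 1, &sum));
    printf("records_alloc_size(SIZE_MAX) = %zu\n", records_alloc_size(SIZE_MAX));
    return 0;
}
```

The "%%" input is used for the format case because its effect is fully defined: the bad form emits a single "%", the good form echoes both characters, which is the same interpretation gap a "%n" or "%s" in real input would exploit. copy_field_bad is called with a source exactly as long as the destination so that the missing terminator can be observed without invoking an overflow.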
@NateD-MSFT NateD-MSFT requested review from Copilot and jacob-ronstadt and removed request for jacob-ronstadt March 27, 2026 21:12
@NateD-MSFT NateD-MSFT marked this pull request as ready for review March 27, 2026 21:12
Copilot AI left a comment

Pull request overview

Adds additional CodeQL rules (recommended + experimental) from an internal repository into the Windows driver suite, along with accompanying query help and examples.

Changes:

  • Extend src/windows-driver-suites/recommended.qls to include new recommended queries.
  • Add new experimental security queries (taint/path/overflow/pointer-scaling) and shared QL libraries.
  • Add query help (.qhelp/.md) and example source files (.c/.cpp) for the added rules.

Reviewed changes

Copilot reviewed 60 out of 60 changed files in this pull request and generated 3 comments.

Summary per file (path, then description):
src/windows-driver-suites/recommended.qls Adds newly imported recommended rules to the Windows driver “recommended” suite.
src/microsoft/experimental/Security/CWE-807/TaintedCondition.ql New experimental taint query for untrusted conditions used in privilege-raising decisions.
src/microsoft/experimental/Security/CWE-807/TaintedCondition.qhelp Help text for the CWE-807 experimental query.
src/microsoft/experimental/Security/CWE-807/TaintedCondition.md Markdown documentation for the CWE-807 experimental query.
src/microsoft/experimental/Security/CWE-807/TaintedCondition.c Example code referenced by the CWE-807 help/docs.
src/microsoft/experimental/Security/CWE-468/IncorrectPointerScalingCommon.qll Shared utilities for CWE-468 pointer scaling queries.
src/microsoft/experimental/Security/CWE-468/IncorrectPointerScalingChar.ql New experimental query detecting suspicious pointer scaling to char*.
src/microsoft/experimental/Security/CWE-468/IncorrectPointerScalingChar.qhelp Help text for the CWE-468 char scaling query.
src/microsoft/experimental/Security/CWE-468/IncorrectPointerScalingChar.md Markdown documentation for the CWE-468 char scaling query.
src/microsoft/experimental/Security/CWE-468/IncorrectPointerScalingChar.cpp Example code referenced by CWE-468 docs.
src/microsoft/experimental/Security/CWE-190/TaintedAllocationSize.ql New experimental taint query for user-controlled allocation sizes.
src/microsoft/experimental/Security/CWE-190/TaintedAllocationSize.qhelp Help text for tainted allocation size.
src/microsoft/experimental/Security/CWE-190/TaintedAllocationSize.md Markdown documentation for tainted allocation size.
src/microsoft/experimental/Security/CWE-190/TaintedAllocationSize.c Example code for tainted allocation size.
src/microsoft/experimental/Security/CWE-190/IntegerOverflowTainted.ql New experimental query for possible overflow in tainted arithmetic expressions.
src/microsoft/experimental/Security/CWE-190/IntegerOverflowTainted.qhelp Help text for tainted integer overflow query.
src/microsoft/experimental/Security/CWE-190/IntegerOverflowTainted.md Markdown documentation for tainted integer overflow query.
src/microsoft/experimental/Security/CWE-190/Bounded.qll Adds a shared “bounded arithmetic” predicate used by multiple CWE-190 experimental queries.
src/microsoft/experimental/Security/CWE-190/ArithmeticTainted.ql New experimental path query for user-controlled operands in arithmetic operations.
src/microsoft/experimental/Security/CWE-190/ArithmeticTainted.qhelp Help text for arithmetic taint query.
src/microsoft/experimental/Security/CWE-190/ArithmeticTainted.md Markdown documentation for arithmetic taint query.
src/microsoft/experimental/Security/CWE-190/ArithmeticTainted.c Example code for arithmetic taint query.
src/microsoft/experimental/Security/CWE-022/examples/TaintedPathNormalize.c Example showing path component validation for CWE-022.
src/microsoft/experimental/Security/CWE-022/examples/TaintedPathFolder.c Example showing folder containment validation for CWE-022.
src/microsoft/experimental/Security/CWE-022/examples/TaintedPath.c Example of vulnerable path construction for CWE-022.
src/microsoft/experimental/Security/CWE-022/TaintedPath.ql New experimental taint query for file path injection/path traversal sinks.
src/microsoft/experimental/Security/CWE-022/TaintedPath.qhelp Help text for experimental tainted path query.
src/microsoft/experimental/Security/CWE-022/TaintedPath.md Markdown documentation for experimental tainted path query.
src/microsoft/Security/CWE/CWE-190/Bounded.qll Adds shared “bounded arithmetic” predicate for public CWE-190 rules.
src/microsoft/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql New recommended query: extreme values flowing into arithmetic ops with missing guards.
src/microsoft/Security/CWE/CWE-190/ArithmeticWithExtremeValues.qhelp Help text for extreme-values arithmetic query.
src/microsoft/Security/CWE/CWE-190/ArithmeticWithExtremeValues.md Markdown documentation for extreme-values arithmetic query.
src/microsoft/Security/CWE/CWE-190/ArithmeticWithExtremeValues.c Example code for extreme-values arithmetic query.
src/microsoft/Security/CWE/CWE-190/ArithmeticUncontrolled.ql New recommended query: uncontrolled (RNG) values flowing into risky arithmetic.
src/microsoft/Security/CWE/CWE-190/ArithmeticUncontrolled.qhelp Help text for uncontrolled arithmetic query.
src/microsoft/Security/CWE/CWE-190/ArithmeticUncontrolled.md Markdown documentation for uncontrolled arithmetic query.
src/microsoft/Security/CWE/CWE-190/ArithmeticUncontrolled.c Example code for uncontrolled arithmetic query.
src/microsoft/Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql New recommended query detecting missing source-size checks before strcat.
src/microsoft/Likely Bugs/Memory Management/UnsafeUseOfStrcat.qhelp Help text for unsafe strcat usage.
src/microsoft/Likely Bugs/Memory Management/UnsafeUseOfStrcat.md Markdown documentation for unsafe strcat usage.
src/microsoft/Likely Bugs/Memory Management/UnsafeUseOfStrcat.cpp Example code for unsafe strcat usage.
src/microsoft/Likely Bugs/Memory Management/StrncpyFlippedArgsGood.cpp “Good” example for flipped strncpy size argument.
src/microsoft/Likely Bugs/Memory Management/StrncpyFlippedArgsBad.cpp “Bad” example for flipped strncpy size argument.
src/microsoft/Likely Bugs/Memory Management/StrncpyFlippedArgs.ql New recommended query detecting misuse of source buffer size as strncpy limit.
src/microsoft/Likely Bugs/Memory Management/StrncpyFlippedArgs.qhelp Help text for flipped strncpy args query.
src/microsoft/Likely Bugs/Memory Management/StrncpyFlippedArgs.md Markdown documentation for flipped strncpy args query.
src/microsoft/Likely Bugs/Memory Management/ImproperNullTerminationGood.cpp “Good” example for null-termination before string function usage.
src/microsoft/Likely Bugs/Memory Management/ImproperNullTerminationBad.cpp “Bad” example for improper/null termination before string function usage.
src/microsoft/Likely Bugs/Memory Management/ImproperNullTermination.ql New recommended query detecting potentially unterminated strings reaching C string sinks.
src/microsoft/Likely Bugs/Memory Management/ImproperNullTermination.qhelp Help text for improper null termination query.
src/microsoft/Likely Bugs/Memory Management/ImproperNullTermination.md Markdown documentation for improper null termination query.
src/microsoft/Likely Bugs/Memory Management/Buffer.qll Shared helper for buffer-size expressions used by multiple likely-bugs queries.
src/microsoft/Likely Bugs/Format/NonConstantFormat.ql New recommended query: non-literal format strings flowing into printf-like APIs.
src/microsoft/Likely Bugs/Format/NonConstantFormat.qhelp Help text for non-constant format string query.
src/microsoft/Likely Bugs/Format/NonConstantFormat.md Markdown documentation for non-constant format string query.
src/microsoft/Likely Bugs/Format/NonConstantFormat-2-ok.c Example: safer logging variant (constant format string to printf).
src/microsoft/Likely Bugs/Format/NonConstantFormat-2-good.c Example: redesign to vprintf with varargs.
src/microsoft/Likely Bugs/Format/NonConstantFormat-2-bad.c Example: vulnerable logging function passing non-constant format to printf.
src/microsoft/Likely Bugs/Format/NonConstantFormat-1-good.c Example: safe echoing using "%s".
src/microsoft/Likely Bugs/Format/NonConstantFormat-1-bad.c Example: vulnerable echoing using user-controlled format string.
Comments suppressed due to low confidence (8)

src/microsoft/experimental/Security/CWE-468/IncorrectPointerScalingChar.ql:1
  • pointerArithmeticParent is defined as a function in IncorrectPointerScalingCommon.qll, but this query uses it as though it were a predicate (via exists(pointerArithmeticParent(dest))) and also applies transitive closure (pointerArithmeticParent+) which only works on predicates. This is likely a compilation error. Consider changing pointerArithmeticParent into a predicate like predicate pointerArithmeticParent(Expr child, Expr parent) and then update these uses to exists(Expr p | pointerArithmeticParent(dest, p)) and parent = pointerArithmeticParent+(dest) (or replace the closure with an explicit recursive predicate).
src/microsoft/experimental/Security/CWE-022/TaintedPath.ql:1
  • Call.getTarget() returns a callable/function, not an expression, so calling getUnspecifiedType() on it is invalid and will likely prevent the query from compiling. If the intent is to treat certain call results as barriers based on the call expression type, use the call expression's type (for example, node.asExpr().(Call).getUnspecifiedType()) or otherwise restructure the barrier condition around the correct AST node whose type you want to test.
src/microsoft/experimental/Security/CWE-190/ArithmeticTainted.ql:1
  • The helper isSource is typed to FS::FlowSource, but Config.isSource passes a DataFlow::Node. Unless the QL type system can implicitly downcast here (typically it cannot), this will be a type error at compile time. A robust fix is to redefine the helper to accept DataFlow::Node and explicitly cast inside (or implement Config.isSource as source instanceof FS::FlowSource). The same pattern appears in other new queries (for example IntegerOverflowTainted.ql, TaintedAllocationSize.ql, TaintedCondition.ql).
src/microsoft/experimental/Security/CWE-807/TaintedCondition.c:1
  • tHost is declared as char*, so sizeof(tHost) is the size of the pointer (typically 4 or 8), not the string length. As an example in docs/help, this is misleading and could teach an incorrect pattern. Prefer strlen(tHost) (with appropriate null checks) or declare tHost as char tHost[] = "..."; so sizeof(tHost) reflects the array length.
src/microsoft/experimental/Security/CWE-022/examples/TaintedPath.c:1
  • This example won't compile as a standalone C file: it uses PATH_MAX, snprintf, and fopen without including headers that define them (and PATH_MAX is not guaranteed to be defined unless the appropriate headers are included). Consider adding the minimal includes (for example <stdio.h> and a header that defines PATH_MAX on your supported platforms, plus any others needed) so the sample is buildable and consistent with other CodeQL examples.
src/microsoft/experimental/Security/CWE-468/IncorrectPointerScalingCommon.qll:1
  • Correct typo: 'ths' → 'this'.

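As an added example, not code from this PR or from its TaintedPath.c / TaintedPathFolder.c / TaintedPathNormalize.c samples, here is the kind of containment check the experimental TaintedPath rule expects before request data is joined to a fixed folder: the path is validated component by component and the join refuses truncation, with the vulnerable concatenation beside it for contrast. BASE_DIR, the function names and the POSIX '/' separator are assumptions for this example; a Windows driver would apply the same logic to its own path conventions.

```c
/* Added example, not code from the PR or its example files: validating an
 * untrusted relative path before joining it to a fixed base folder. The base
 * folder, names and '/' separator are assumptions made for this example. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BASE_DIR "/var/lib/app/uploads"         /* assumed base folder */
#define MAX_PATH_LEN 256

/* A path component is acceptable only if it is non-empty and is neither "."
 * nor "..": empty components come from "//" or a trailing "/", and ".." is
 * what lets the caller walk out of BASE_DIR. */
static bool component_is_safe(const char *start, size_t len)
{
    if (len == 0)
        return false;
    if (len == 1 && start[0] == '.')
        return false;
    if (len == 2 && start[0] == '.' && start[1] == '.')
        return false;
    return true;
}

/* Rejects absolute paths, drive-letter prefixes and backslashes outright
 * (refusing is safer than normalising), then checks every component. */
bool relative_path_is_safe(const char *p)
{
    if (p == NULL || p[0] == '\0' || p[0] == '/')
        return false;
    if (isalpha((unsigned char)p[0]) && p[1] == ':')
        return false;                            /* "C:..." style prefix */
    if (strchr(p, '\\') != NULL)
        return false;
    const char *seg = p;
    for (;;) {
        const char *slash = strchr(seg, '/');
        size_t len = slash ? (size_t)(slash - seg) : strlen(seg);
        if (!component_is_safe(seg, len))
            return false;
        if (slash == NULL)
            return true;
        seg = slash + 1;
    }
}

/* Vulnerable form the rule flags: request data goes straight into the path. */
void build_upload_path_bad(char *out, size_t out_size, const char *user_path)
{
    snprintf(out, out_size, "%s/%s", BASE_DIR, user_path);
}

/* Hardened form: validate first, then join, and treat truncation as failure
 * because a silently shortened path names the wrong file. */
bool build_upload_path(char *out, size_t out_size, const char *user_path)
{
    if (!relative_path_is_safe(user_path))
        return false;
    int n = snprintf(out, out_size, "%s/%s", BASE_DIR, user_path);
    return n >= 0 && (size_t)n < out_size;
}

int main(void)
{
    /* constructed inputs: one benign path and four escape attempts */
    static const char *inputs[] = { "2026/report.txt", "../../etc/passwd",
                                    "/etc/passwd", "a//b", "a\\..\\b" };
    char path[MAX_PATH_LEN];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        bool ok = build_upload_path(path, sizeof path, inputs[i]);
        printf("%-20s -> %s\n", inputs[i], ok ? path : "rejected");
    }
    return 0;
}
```

The check deliberately rejects rather than rewrites: stripping ".." or collapsing "//" invites the classic double-encoding and "....//" bypasses, whereas refusing any component that is not a plain name leaves nothing for the attacker to negotiate with. Truncation is treated as an error for the same reason a PATH_MAX-sized buffer in an example needs its header: a path that does not fit is not the path the caller asked for.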

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: NateD-MSFT <34494373+NateD-MSFT@users.noreply.github.com>