C++: Add a test case with a tainted integer.

2026-05-02 12:15:17 +02:00 · 2021-01-04 15:33:10 +00:00
parent 7a3f9c7895
commit 01b204ea30
2 changed files with 27 additions and 10 deletions
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/SqlTainted.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/SqlTainted.expected
@@ -1,13 +1,23 @@
 edges
-| test.c:14:20:14:23 | argv | test.c:19:18:19:23 | (const char *)... |
-| test.c:14:20:14:23 | argv | test.c:19:18:19:23 | (const char *)... |
-| test.c:14:20:14:23 | argv | test.c:19:18:19:23 | query1 |
-| test.c:14:20:14:23 | argv | test.c:19:18:19:23 | query1 |
+| test.c:15:20:15:23 | argv | test.c:21:18:21:23 | (const char *)... |
+| test.c:15:20:15:23 | argv | test.c:21:18:21:23 | (const char *)... |
+| test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 |
+| test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 |
+| test.c:16:25:16:28 | argv | test.c:33:18:33:23 | (const char *)... |
+| test.c:16:25:16:28 | argv | test.c:33:18:33:23 | (const char *)... |
+| test.c:16:25:16:28 | argv | test.c:33:18:33:23 | query3 |
+| test.c:16:25:16:28 | argv | test.c:33:18:33:23 | query3 |
 nodes
-| test.c:14:20:14:23 | argv | semmle.label | argv |
-| test.c:14:20:14:23 | argv | semmle.label | argv |
-| test.c:19:18:19:23 | (const char *)... | semmle.label | (const char *)... |
-| test.c:19:18:19:23 | (const char *)... | semmle.label | (const char *)... |
-| test.c:19:18:19:23 | query1 | semmle.label | query1 |
+| test.c:15:20:15:23 | argv | semmle.label | argv |
+| test.c:15:20:15:23 | argv | semmle.label | argv |
+| test.c:16:25:16:28 | argv | semmle.label | argv |
+| test.c:16:25:16:28 | argv | semmle.label | argv |
+| test.c:21:18:21:23 | (const char *)... | semmle.label | (const char *)... |
+| test.c:21:18:21:23 | (const char *)... | semmle.label | (const char *)... |
+| test.c:21:18:21:23 | query1 | semmle.label | query1 |
+| test.c:33:18:33:23 | (const char *)... | semmle.label | (const char *)... |
+| test.c:33:18:33:23 | (const char *)... | semmle.label | (const char *)... |
+| test.c:33:18:33:23 | query3 | semmle.label | query3 |
 #select
-| test.c:19:18:19:23 | query1 | test.c:14:20:14:23 | argv | test.c:19:18:19:23 | query1 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg) | test.c:14:20:14:23 | argv | user input (argv) |
+| test.c:21:18:21:23 | query1 | test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg) | test.c:15:20:15:23 | argv | user input (argv) |
+| test.c:33:18:33:23 | query3 | test.c:16:25:16:28 | argv | test.c:33:18:33:23 | query3 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg) | test.c:16:25:16:28 | argv | user input (argv) |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/test.c
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/test.c
@@ -7,11 +7,13 @@ typedef unsigned long size_t;
 int snprintf(char *s, size_t n, const char *format, ...);
 void sanitizeString(char *stringOut, size_t len, const char *strIn);
 int mysql_query(int arg1, const char *sqlArg);
+int atoi(const char *nptr);

 ///// Test code /////

 int main(int argc, char** argv) {
  char *userName = argv[2];
+  int userNumber = atoi(argv[3]);

  // a string from the user is injected directly into an SQL query.
  char query1[1000] = {0};
@@ -24,4 +26,9 @@ int main(int argc, char** argv) {
  char query2[1000] = {0};
  snprintf(query2, 1000, "SELECT UID FROM USERS where name = \"%s\"", userNameSanitized);
  mysql_query(0, query2); // GOOD
+
+  // an integer from the user is injected into an SQL query.
+  char query3[1000] = {0};
+  snprintf(query3, 1000, "SELECT UID FROM USERS where number = \"%i\"", userNumber);
+  mysql_query(0, query3); // BAD [FALSE POSITIVE]
 }