Merge branch 'main' into patch-1

cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/WrongTypeFormatArguments.expected

@@ -10,6 +10,8 @@
 | printf1.h:44:18:44:20 | ull | This format specifier for type 'int' does not match the argument type 'unsigned long long'. |
 | printf1.h:45:18:45:20 | ull | This format specifier for type 'unsigned int' does not match the argument type 'unsigned long long'. |
 | printf1.h:46:18:46:20 | ull | This format specifier for type 'unsigned int' does not match the argument type 'unsigned long long'. |
+| printf1.h:62:19:62:20 | ul | This format specifier for type 'size_t' does not match the argument type 'unsigned long'. |
+| printf1.h:68:19:68:21 | sst | This format specifier for type 'size_t' does not match the argument type 'long'. |
 | printf1.h:71:19:71:20 | st | This format specifier for type 'ssize_t' does not match the argument type 'unsigned long long'. |
 | printf1.h:72:19:72:20 | ST | This format specifier for type 'ssize_t' does not match the argument type 'unsigned long long'. |
 | printf1.h:73:19:73:22 | c_st | This format specifier for type 'ssize_t' does not match the argument type 'unsigned long long'. |

cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft/printf1.h

@@ -59,13 +59,13 @@ void g()
     const SIZE_T C_ST = sizeof(st);
     ssize_t sst;
 
-    printf("%zu", ul); // ok (dubious, e.g. on 64-bit Windows `long` is 4 bytes but `size_t` is 8)
+    printf("%zu", ul); // not ok
     printf("%zu", st); // ok
     printf("%zu", ST); // ok
     printf("%zu", c_st); // ok
     printf("%zu", C_ST); // ok
     printf("%zu", sizeof(ul)); // ok
-    printf("%zu", sst); // not ok [NOT DETECTED]
+    printf("%zu", sst); // not ok
 
     printf("%zd", ul); // not ok [NOT DETECTED]
     printf("%zd", st); // not ok

cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/WrongTypeFormatArguments.expected

@@ -10,6 +10,8 @@
 | printf1.h:44:18:44:20 | ull | This format specifier for type 'int' does not match the argument type 'unsigned long long'. |
 | printf1.h:45:18:45:20 | ull | This format specifier for type 'unsigned int' does not match the argument type 'unsigned long long'. |
 | printf1.h:46:18:46:20 | ull | This format specifier for type 'unsigned int' does not match the argument type 'unsigned long long'. |
+| printf1.h:62:19:62:20 | ul | This format specifier for type 'size_t' does not match the argument type 'unsigned long'. |
+| printf1.h:68:19:68:21 | sst | This format specifier for type 'size_t' does not match the argument type 'long'. |
 | printf1.h:71:19:71:20 | st | This format specifier for type 'ssize_t' does not match the argument type 'unsigned long long'. |
 | printf1.h:72:19:72:20 | ST | This format specifier for type 'ssize_t' does not match the argument type 'unsigned long long'. |
 | printf1.h:73:19:73:22 | c_st | This format specifier for type 'ssize_t' does not match the argument type 'unsigned long long'. |

cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Microsoft_no_wchar/printf1.h

@@ -59,13 +59,13 @@ void g()
     const SIZE_T C_ST = sizeof(st);
     ssize_t sst;
 
-    printf("%zu", ul); // ok (dubious, e.g. on 64-bit Windows `long` is 4 bytes but `size_t` is 8)
+    printf("%zu", ul); // not ok
     printf("%zu", st); // ok
     printf("%zu", ST); // ok
     printf("%zu", c_st); // ok
     printf("%zu", C_ST); // ok
     printf("%zu", sizeof(ul)); // ok
-    printf("%zu", sst); // not ok [NOT DETECTED]
+    printf("%zu", sst); // not ok
 
     printf("%zd", ul); // not ok [NOT DETECTED]
     printf("%zd", st); // not ok

cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/SqlTainted.expected

@@ -1,3 +1,11 @@
+#select
+| test.c:21:18:21:23 | query1 | test.c:14:27:14:30 | **argv | test.c:21:18:21:23 | *query1 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg). | test.c:14:27:14:30 | **argv | user input (a command-line argument) |
+| test.c:51:18:51:23 | query1 | test.c:14:27:14:30 | **argv | test.c:51:18:51:23 | *query1 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg). | test.c:14:27:14:30 | **argv | user input (a command-line argument) |
+| test.c:76:17:76:25 | userInput | test.c:75:8:75:16 | gets output argument | test.c:76:17:76:25 | *userInput | This argument to a SQL query function is derived from $@ and then passed to SQLPrepare(StatementText). | test.c:75:8:75:16 | gets output argument | user input (string read by gets) |
+| test.c:77:20:77:28 | userInput | test.c:75:8:75:16 | gets output argument | test.c:77:20:77:28 | *userInput | This argument to a SQL query function is derived from $@ and then passed to SQLExecDirect(StatementText). | test.c:75:8:75:16 | gets output argument | user input (string read by gets) |
+| test.c:106:24:106:29 | query1 | test.c:101:8:101:16 | gets output argument | test.c:106:24:106:29 | *query1 | This argument to a SQL query function is derived from $@. | test.c:101:8:101:16 | gets output argument | user input (string read by gets) |
+| test.c:107:28:107:33 | query1 | test.c:101:8:101:16 | gets output argument | test.c:107:28:107:33 | *query1 | This argument to a SQL query function is derived from $@. | test.c:101:8:101:16 | gets output argument | user input (string read by gets) |
+| test.cpp:43:27:43:33 | access to array | test.cpp:39:27:39:30 | **argv | test.cpp:43:27:43:33 | *access to array | This argument to a SQL query function is derived from $@ and then passed to pqxx::work::exec1((unnamed parameter 0)). | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) |
 edges
 | test.c:14:27:14:30 | **argv | test.c:15:20:15:26 | *access to array | provenance |  |
 | test.c:15:20:15:26 | *access to array | test.c:21:18:21:23 | *query1 | provenance | TaintFunction |
@@ -9,7 +17,12 @@ edges
 | test.c:48:20:48:33 | *globalUsername | test.c:51:18:51:23 | *query1 | provenance | TaintFunction |
 | test.c:75:8:75:16 | gets output argument | test.c:76:17:76:25 | *userInput | provenance |  |
 | test.c:75:8:75:16 | gets output argument | test.c:77:20:77:28 | *userInput | provenance |  |
+| test.c:101:8:101:16 | gets output argument | test.c:106:24:106:29 | *query1 | provenance | TaintFunction Sink:MaD:2 |
+| test.c:101:8:101:16 | gets output argument | test.c:107:28:107:33 | *query1 | provenance | TaintFunction Sink:MaD:1 |
 | test.cpp:39:27:39:30 | **argv | test.cpp:43:27:43:33 | *access to array | provenance |  |
+models
+| 1 | Sink: ; ; false; OCIStmtPrepare2; ; ; Argument[*3]; sql-injection; manual |
+| 2 | Sink: ; ; false; OCIStmtPrepare; ; ; Argument[*2]; sql-injection; manual |
 nodes
 | test.c:14:27:14:30 | **argv | semmle.label | **argv |
 | test.c:15:20:15:26 | *access to array | semmle.label | *access to array |
@@ -23,12 +36,9 @@ nodes
 | test.c:75:8:75:16 | gets output argument | semmle.label | gets output argument |
 | test.c:76:17:76:25 | *userInput | semmle.label | *userInput |
 | test.c:77:20:77:28 | *userInput | semmle.label | *userInput |
+| test.c:101:8:101:16 | gets output argument | semmle.label | gets output argument |
+| test.c:106:24:106:29 | *query1 | semmle.label | *query1 |
+| test.c:107:28:107:33 | *query1 | semmle.label | *query1 |
 | test.cpp:39:27:39:30 | **argv | semmle.label | **argv |
 | test.cpp:43:27:43:33 | *access to array | semmle.label | *access to array |
 subpaths
-#select
-| test.c:21:18:21:23 | query1 | test.c:14:27:14:30 | **argv | test.c:21:18:21:23 | *query1 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg). | test.c:14:27:14:30 | **argv | user input (a command-line argument) |
-| test.c:51:18:51:23 | query1 | test.c:14:27:14:30 | **argv | test.c:51:18:51:23 | *query1 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg). | test.c:14:27:14:30 | **argv | user input (a command-line argument) |
-| test.c:76:17:76:25 | userInput | test.c:75:8:75:16 | gets output argument | test.c:76:17:76:25 | *userInput | This argument to a SQL query function is derived from $@ and then passed to SQLPrepare(StatementText). | test.c:75:8:75:16 | gets output argument | user input (string read by gets) |
-| test.c:77:20:77:28 | userInput | test.c:75:8:75:16 | gets output argument | test.c:77:20:77:28 | *userInput | This argument to a SQL query function is derived from $@ and then passed to SQLExecDirect(StatementText). | test.c:75:8:75:16 | gets output argument | user input (string read by gets) |
-| test.cpp:43:27:43:33 | access to array | test.cpp:39:27:39:30 | **argv | test.cpp:43:27:43:33 | *access to array | This argument to a SQL query function is derived from $@ and then passed to pqxx::work::exec1((unnamed parameter 0)). | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) |

cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/SqlTainted.qlref

@@ -1 +1,5 @@
-Security/CWE/CWE-089/SqlTainted.ql
+query: Security/CWE/CWE-089/SqlTainted.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
+ 

cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/test.c

@@ -11,14 +11,14 @@ int atoi(const char *nptr);
 void exit(int i);
 ///// Test code /////
 
-int main(int argc, char** argv) {
+int main(int argc, char** argv) { // $ Source
   char *userName = argv[2];
   int userNumber = atoi(argv[3]);
 
   // a string from the user is injected directly into an SQL query.
   char query1[1000] = {0};
   snprintf(query1, 1000, "SELECT UID FROM USERS where name = \"%s\"", userName);
-  mysql_query(0, query1); // BAD
+  mysql_query(0, query1); // $ Alert
   
   // the user string is encoded by a library routine.
   char userNameSanitized[1000] = {0};
@@ -48,7 +48,7 @@ void badFunc() {
   char *userName = globalUsername;
   char query1[1000] = {0};
   snprintf(query1, 1000, "SELECT UID FROM USERS where name = \"%s\"", userName);
-  mysql_query(0, query1); // BAD
+  mysql_query(0, query1); // $ Alert
 }
 
 //ODBC Library Rountines
@@ -72,7 +72,44 @@ SQLRETURN SQLPrepare(
 
 void ODBCTests(){
   char userInput[100];
-  gets(userInput);
-  SQLPrepare(0, userInput, 100); // BAD
-  SQLExecDirect(0, userInput, 100); // BAD
+  gets(userInput); // $ Source
+  SQLPrepare(0, userInput, 100); // $ Alert
+  SQLExecDirect(0, userInput, 100); // $ Alert
+}
+
+// Oracle Call Interface (OCI) Routines
+int OCIStmtPrepare(
+      void *arg0,
+      void *arg1,
+      const unsigned char *sql,
+      unsigned int arg3,
+      unsigned int arg4,
+      unsigned int arg5);
+int OCIStmtPrepare2(
+      void *arg0,
+      void **arg1,
+      void *arg2,
+      const unsigned char *sql,
+      unsigned int arg4,
+      const unsigned char *arg5,
+      unsigned int arg6,
+      unsigned int arg7,
+      unsigned int arg8);
+
+void OCITests(){
+  char userInput[100];
+  gets(userInput); // $ Source
+
+  // a string from the user is injected directly into an SQL query.
+  char query1[1000] = {0};
+  snprintf(query1, 1000, "SELECT UID FROM USERS where name = \"%s\"", userInput);
+  OCIStmtPrepare(0, 0, query1, 0, 0, 0); // $ Alert
+  OCIStmtPrepare2(0, 0, 0, query1, 0, 0, 0, 0, 0); // $ Alert
+
+  // an integer from the user is injected into an SQL query.
+  int userNumber = atoi(userInput);
+  char query2[1000] = {0};
+  snprintf(query2, 1000, "SELECT UID FROM USERS where number = \"%i\"", userNumber);
+  OCIStmtPrepare(0, 0, query2, 0, 0, 0); // GOOD
+  OCIStmtPrepare2(0, 0, 0, query2, 0, 0, 0, 0, 0); // GOOD
 }

cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/test.cpp

@@ -36,11 +36,11 @@ namespace pqxx {
     };
 }
 
-int main(int argc, char** argv) {
+int main(int argc, char** argv) { // $ Source
     pqxx::connection c;
     pqxx::work w(c);
     
-    pqxx::row r = w.exec1(argv[1]); // BAD
+    pqxx::row r = w.exec1(argv[1]); // $ Alert
     
     pqxx::result r2 = w.exec(w.quote(argv[1])); // GOOD