C++: Expand tests.

cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected

@@ -1,2 +1,12 @@
-| tests2.cpp:27:12:27:12 | call to operator<< | This operation exposes system data from $@. | tests2.cpp:27:15:27:20 | call to getenv | call to getenv |
-| tests2.cpp:28:25:28:25 | call to operator<< | This operation exposes system data from $@. | tests2.cpp:28:28:28:33 | call to getenv | call to getenv |
+| tests2.cpp:58:12:58:12 | call to operator<< | This operation exposes system data from $@. | tests2.cpp:58:15:58:20 | call to getenv | call to getenv |
+| tests2.cpp:59:25:59:25 | call to operator<< | This operation exposes system data from $@. | tests2.cpp:59:28:59:33 | call to getenv | call to getenv |
+| tests2.cpp:63:2:63:5 | call to send | This operation exposes system data from $@. | tests2.cpp:63:13:63:18 | call to getenv | call to getenv |
+| tests2.cpp:64:2:64:5 | call to send | This operation exposes system data from $@. | tests2.cpp:64:13:64:18 | call to getenv | call to getenv |
+| tests2.cpp:65:2:65:5 | call to send | This operation exposes system data from $@. | tests2.cpp:65:13:65:18 | call to getenv | call to getenv |
+| tests2.cpp:66:2:66:5 | call to send | This operation exposes system data from $@. | tests2.cpp:66:13:66:18 | call to getenv | call to getenv |
+| tests2.cpp:78:3:78:6 | call to send | This operation exposes system data from $@. | tests2.cpp:78:14:78:34 | call to mysql_get_client_info | call to mysql_get_client_info |
+| tests2.cpp:80:3:80:6 | call to send | This operation exposes system data from $@. | tests2.cpp:50:23:50:43 | call to mysql_get_client_info | call to mysql_get_client_info |
+| tests2.cpp:91:3:91:6 | call to send | This operation exposes system data from $@. | tests2.cpp:89:3:89:20 | call to mysql_real_connect | call to mysql_real_connect |
+| tests2.cpp:100:3:100:6 | call to send | This operation exposes system data from $@. | tests2.cpp:99:8:99:15 | call to getpwuid | call to getpwuid |
+| tests2.cpp:109:3:109:6 | call to send | This operation exposes system data from $@. | tests2.cpp:107:12:107:17 | call to getenv | call to getenv |
+| tests2.cpp:110:3:110:6 | call to send | This operation exposes system data from $@. | tests2.cpp:107:12:107:17 | call to getenv | call to getenv |

cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/OutputWrite.expected

@@ -1,5 +1,5 @@
-| tests2.cpp:27:12:27:12 | call to operator<< | tests2.cpp:27:15:27:20 | call to getenv |
-| tests2.cpp:28:12:28:12 | call to operator<< | tests2.cpp:28:15:28:23 | PATH =  |
-| tests2.cpp:28:25:28:25 | call to operator<< | tests2.cpp:28:28:28:33 | call to getenv |
-| tests2.cpp:28:43:28:43 | call to operator<< | tests2.cpp:28:46:28:48 | . |
-| tests2.cpp:29:12:29:12 | call to operator<< | tests2.cpp:29:15:29:28 | PATHPATHPATH |
+| tests2.cpp:58:12:58:12 | call to operator<< | tests2.cpp:58:15:58:20 | call to getenv |
+| tests2.cpp:59:12:59:12 | call to operator<< | tests2.cpp:59:15:59:23 | PATH =  |
+| tests2.cpp:59:25:59:25 | call to operator<< | tests2.cpp:59:28:59:33 | call to getenv |
+| tests2.cpp:59:43:59:43 | call to operator<< | tests2.cpp:59:46:59:48 | . |
+| tests2.cpp:60:12:60:12 | call to operator<< | tests2.cpp:60:15:60:28 | PATHPATHPATH |

cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests2.cpp

@@ -3,6 +3,7 @@
 // library functions etc
 
 char *getenv(const char *name);
+char *strcpy(char *s1, const char *s2);
 
 namespace std
 {
@@ -20,11 +21,92 @@ namespace std
 	extern ostream cout;
 }
 
+int socket(int p1, int p2, int p3);
+void send(int sock, const char *buffer, int p3, int p4);
+
+const char *mysql_get_client_info();
+void mysql_real_connect(int p1, int p2, int p3, const char *password, int p5, int p6, int p7, int p8);
+
+struct container
+{
+	char *ptr;
+};
+
+struct passwd
+{
+	// ...
+
+	char *pw_passwd;
+
+	// ...
+};
+
+passwd *getpwuid(int uid);
+
+int val();
+
 // test cases
 
+const char *global1 = mysql_get_client_info();
+const char *global2 = "abc";
+
 void test1()
 {
+	int sock = socket(val(), val(), val());
+
+	// tests for a strict implementation of CWE-497
 	std::cout << getenv("HOME"); // BAD: outputs HOME environment variable
 	std::cout << "PATH = " << getenv("PATH") << "."; // BAD: outputs PATH environment variable
 	std::cout << "PATHPATHPATH"; // GOOD: not system data
+
+	// tests for a more pragmatic implementation of CWE-497
+	send(sock, getenv("HOME"), val(), val()); // BAD
+	send(sock, getenv("PATH"), val(), val()); // BAD
+	send(sock, getenv("USERNAME"), val(), val()); // BAD
+	send(sock, getenv("HARMLESS"), val(), val()); // GOOD: harmless information [FALSE POSITIVE]
+	send(sock, "HOME", val(), val()); // GOOD: not system data
+	send(sock, "PATH", val(), val()); // GOOD: not system data
+	send(sock, "USERNAME", val(), val()); // GOOD: not system data
+	send(sock, "HARMLESS", val(), val()); // GOOD: not system data
+
+	// tests for `mysql_get_client_info`, including via a global
+	{
+		char buffer[256];
+
+		strcpy(buffer, mysql_get_client_info());
+
+		send(sock, mysql_get_client_info(), val(), val()); // BAD
+		send(sock, buffer, val(), val()); // BAD [NOT DETECTED]
+		send(sock, global1, val(), val()); // BAD
+		send(sock, global2, val(), val()); // GOOD: not system data
+	}
+
+	// tests for `mysql_real_connect`
+	{
+		const char *str1 = "123456";
+		const char *str2 = "abcdef";
+
+		mysql_real_connect(sock, val(), val(), str1, val(), val(), val(), val());
+
+		send(sock, str1, val(), val()); // BAD
+		send(sock, str2, val(), val()); // GOOD: not system data
+	}
+
+	// tests for `getpwuid`
+	{
+		passwd *pw;
+
+		pw = getpwuid(val());
+		send(sock, pw->pw_passwd, val(), val()); // BAD
+	}
+
+	// tests for containers
+	{
+		container c1, c2;
+
+		c1.ptr = getenv("MY_SECRET_TOKEN");
+		c2.ptr = "";
+		send(sock, c1.ptr, val(), val()); // BAD
+		send(sock, c2.ptr, val(), val()); // GOOD: not system data [FALSE POSITIVE]
+	}
 }