C++: Put paths in the remaining LGTM-suite queries

2026-04-26 17:25:19 +02:00 · 2020-04-03 08:35:42 +02:00
parent 3ec1f691c2
commit 5822cd7b84
14 changed files with 319 additions and 76 deletions
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.expected
@@ -1,2 +1,30 @@
-| search.c:17:8:17:12 | query | Cross-site scripting vulnerability due to $@. | search.c:41:21:41:26 | call to getenv | this query data |
-| search.c:23:39:23:43 | query | Cross-site scripting vulnerability due to $@. | search.c:41:21:41:26 | call to getenv | this query data |
+edges
+| search.c:14:24:14:28 | query | search.c:17:8:17:12 | (const char *)... |
+| search.c:14:24:14:28 | query | search.c:17:8:17:12 | query |
+| search.c:14:24:14:28 | query | search.c:17:8:17:12 | query |
+| search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
+| search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
+| search.c:41:21:41:26 | call to getenv | search.c:45:17:45:25 | raw_query |
+| search.c:41:21:41:26 | call to getenv | search.c:45:17:45:25 | raw_query |
+| search.c:41:21:41:26 | call to getenv | search.c:47:17:47:25 | raw_query |
+| search.c:41:21:41:26 | call to getenv | search.c:47:17:47:25 | raw_query |
+| search.c:45:17:45:25 | raw_query | search.c:14:24:14:28 | query |
+| search.c:47:17:47:25 | raw_query | search.c:22:24:22:28 | query |
+nodes
+| search.c:14:24:14:28 | query | semmle.label | query |
+| search.c:17:8:17:12 | (const char *)... | semmle.label | (const char *)... |
+| search.c:17:8:17:12 | (const char *)... | semmle.label | (const char *)... |
+| search.c:17:8:17:12 | query | semmle.label | query |
+| search.c:17:8:17:12 | query | semmle.label | query |
+| search.c:17:8:17:12 | query | semmle.label | query |
+| search.c:22:24:22:28 | query | semmle.label | query |
+| search.c:23:39:23:43 | query | semmle.label | query |
+| search.c:23:39:23:43 | query | semmle.label | query |
+| search.c:23:39:23:43 | query | semmle.label | query |
+| search.c:41:21:41:26 | call to getenv | semmle.label | call to getenv |
+| search.c:41:21:41:26 | call to getenv | semmle.label | call to getenv |
+| search.c:45:17:45:25 | raw_query | semmle.label | raw_query |
+| search.c:47:17:47:25 | raw_query | semmle.label | raw_query |
+#select
+| search.c:17:8:17:12 | query | search.c:41:21:41:26 | call to getenv | search.c:17:8:17:12 | query | Cross-site scripting vulnerability due to $@. | search.c:41:21:41:26 | call to getenv | this query data |
+| search.c:23:39:23:43 | query | search.c:41:21:41:26 | call to getenv | search.c:23:39:23:43 | query | Cross-site scripting vulnerability due to $@. | search.c:41:21:41:26 | call to getenv | this query data |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected
@@ -1,2 +1,25 @@
-| test.cpp:26:10:26:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:42:18:42:23 | call to getenv | call to getenv |
-| test.cpp:31:10:31:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:43:18:43:23 | call to getenv | call to getenv |
+edges
+| test.cpp:24:30:24:36 | command | test.cpp:26:10:26:16 | command |
+| test.cpp:24:30:24:36 | command | test.cpp:26:10:26:16 | command |
+| test.cpp:29:30:29:36 | command | test.cpp:31:10:31:16 | command |
+| test.cpp:29:30:29:36 | command | test.cpp:31:10:31:16 | command |
+| test.cpp:42:18:42:23 | call to getenv | test.cpp:24:30:24:36 | command |
+| test.cpp:42:18:42:34 | (const char *)... | test.cpp:24:30:24:36 | command |
+| test.cpp:43:18:43:23 | call to getenv | test.cpp:29:30:29:36 | command |
+| test.cpp:43:18:43:34 | (const char *)... | test.cpp:29:30:29:36 | command |
+nodes
+| test.cpp:24:30:24:36 | command | semmle.label | command |
+| test.cpp:26:10:26:16 | command | semmle.label | command |
+| test.cpp:26:10:26:16 | command | semmle.label | command |
+| test.cpp:26:10:26:16 | command | semmle.label | command |
+| test.cpp:29:30:29:36 | command | semmle.label | command |
+| test.cpp:31:10:31:16 | command | semmle.label | command |
+| test.cpp:31:10:31:16 | command | semmle.label | command |
+| test.cpp:31:10:31:16 | command | semmle.label | command |
+| test.cpp:42:18:42:23 | call to getenv | semmle.label | call to getenv |
+| test.cpp:42:18:42:34 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:43:18:43:23 | call to getenv | semmle.label | call to getenv |
+| test.cpp:43:18:43:34 | (const char *)... | semmle.label | (const char *)... |
+#select
+| test.cpp:26:10:26:16 | command | test.cpp:42:18:42:23 | call to getenv | test.cpp:26:10:26:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:42:18:42:23 | call to getenv | call to getenv |
+| test.cpp:31:10:31:16 | command | test.cpp:43:18:43:23 | call to getenv | test.cpp:31:10:31:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:43:18:43:23 | call to getenv | call to getenv |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected
@@ -0,0 +1,3 @@
+edges
+nodes
+#select
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.expected
@@ -1,5 +1,53 @@
-| tests.c:28:3:28:9 | call to sprintf | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:28:22:28:25 | argv | argv |
-| tests.c:29:3:29:9 | call to sprintf | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:29:28:29:31 | argv | argv |
-| tests.c:31:15:31:23 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:31:15:31:23 | buffer100 | buffer100 |
-| tests.c:33:21:33:29 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:33:21:33:29 | buffer100 | buffer100 |
-| tests.c:34:25:34:33 | buffer100 | This 'sscanf string argument' with input from $@ may overflow the destination. | tests.c:34:10:34:13 | argv | argv |
+edges
+| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | (const char *)... |
+| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | (const char *)... |
+| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
+| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
+| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
+| tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
+| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
+| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
+| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
+| tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
+| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | (const char *)... |
+| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | (const char *)... |
+| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
+| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
+| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
+| tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
+nodes
+| tests.c:28:22:28:25 | argv | semmle.label | argv |
+| tests.c:28:22:28:25 | argv | semmle.label | argv |
+| tests.c:28:22:28:28 | (const char *)... | semmle.label | (const char *)... |
+| tests.c:28:22:28:28 | (const char *)... | semmle.label | (const char *)... |
+| tests.c:28:22:28:28 | access to array | semmle.label | access to array |
+| tests.c:28:22:28:28 | access to array | semmle.label | access to array |
+| tests.c:28:22:28:28 | access to array | semmle.label | access to array |
+| tests.c:29:28:29:31 | argv | semmle.label | argv |
+| tests.c:29:28:29:31 | argv | semmle.label | argv |
+| tests.c:29:28:29:34 | access to array | semmle.label | access to array |
+| tests.c:29:28:29:34 | access to array | semmle.label | access to array |
+| tests.c:29:28:29:34 | access to array | semmle.label | access to array |
+| tests.c:31:15:31:23 | array to pointer conversion | semmle.label | array to pointer conversion |
+| tests.c:31:15:31:23 | array to pointer conversion | semmle.label | array to pointer conversion |
+| tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 |
+| tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 |
+| tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 |
+| tests.c:33:21:33:29 | array to pointer conversion | semmle.label | array to pointer conversion |
+| tests.c:33:21:33:29 | array to pointer conversion | semmle.label | array to pointer conversion |
+| tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 |
+| tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 |
+| tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 |
+| tests.c:34:10:34:13 | argv | semmle.label | argv |
+| tests.c:34:10:34:13 | argv | semmle.label | argv |
+| tests.c:34:10:34:16 | (const char *)... | semmle.label | (const char *)... |
+| tests.c:34:10:34:16 | (const char *)... | semmle.label | (const char *)... |
+| tests.c:34:10:34:16 | access to array | semmle.label | access to array |
+| tests.c:34:10:34:16 | access to array | semmle.label | access to array |
+| tests.c:34:10:34:16 | access to array | semmle.label | access to array |
+#select
+| tests.c:28:3:28:9 | call to sprintf | tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:28:22:28:25 | argv | argv |
+| tests.c:29:3:29:9 | call to sprintf | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:29:28:29:31 | argv | argv |
+| tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:31:15:31:23 | buffer100 | buffer100 |
+| tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:33:21:33:29 | buffer100 | buffer100 |
+| tests.c:34:25:34:33 | buffer100 | tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array | This 'sscanf string argument' with input from $@ may overflow the destination. | tests.c:34:10:34:13 | argv | argv |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/AuthenticationBypass.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/AuthenticationBypass.expected
@@ -1,3 +1,33 @@
-| test.cpp:20:7:20:12 | call to strcmp | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:16:25:16:30 | call to getenv | call to getenv |
-| test.cpp:31:7:31:12 | call to strcmp | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:27:25:27:30 | call to getenv | call to getenv |
-| test.cpp:42:7:42:12 | call to strcmp | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:38:25:38:30 | call to getenv | call to getenv |
+edges
+| test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address |
+| test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address |
+| test.cpp:16:25:16:42 | (const char *)... | test.cpp:20:14:20:20 | address |
+| test.cpp:16:25:16:42 | (const char *)... | test.cpp:20:14:20:20 | address |
+| test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address |
+| test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address |
+| test.cpp:27:25:27:42 | (const char *)... | test.cpp:31:14:31:20 | address |
+| test.cpp:27:25:27:42 | (const char *)... | test.cpp:31:14:31:20 | address |
+| test.cpp:38:25:38:30 | call to getenv | test.cpp:42:14:42:20 | address |
+| test.cpp:38:25:38:30 | call to getenv | test.cpp:42:14:42:20 | address |
+| test.cpp:38:25:38:42 | (const char *)... | test.cpp:42:14:42:20 | address |
+| test.cpp:38:25:38:42 | (const char *)... | test.cpp:42:14:42:20 | address |
+nodes
+| test.cpp:16:25:16:30 | call to getenv | semmle.label | call to getenv |
+| test.cpp:16:25:16:42 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:20:14:20:20 | address | semmle.label | address |
+| test.cpp:20:14:20:20 | address | semmle.label | address |
+| test.cpp:20:14:20:20 | address | semmle.label | address |
+| test.cpp:27:25:27:30 | call to getenv | semmle.label | call to getenv |
+| test.cpp:27:25:27:42 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:31:14:31:20 | address | semmle.label | address |
+| test.cpp:31:14:31:20 | address | semmle.label | address |
+| test.cpp:31:14:31:20 | address | semmle.label | address |
+| test.cpp:38:25:38:30 | call to getenv | semmle.label | call to getenv |
+| test.cpp:38:25:38:42 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:42:14:42:20 | address | semmle.label | address |
+| test.cpp:42:14:42:20 | address | semmle.label | address |
+| test.cpp:42:14:42:20 | address | semmle.label | address |
+#select
+| test.cpp:20:7:20:12 | call to strcmp | test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:16:25:16:30 | call to getenv | call to getenv |
+| test.cpp:31:7:31:12 | call to strcmp | test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:27:25:27:30 | call to getenv | call to getenv |
+| test.cpp:42:7:42:12 | call to strcmp | test.cpp:38:25:38:30 | call to getenv | test.cpp:42:14:42:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:38:25:38:30 | call to getenv | call to getenv |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected
@@ -1 +1,13 @@
-| test.cpp:58:3:58:9 | call to sprintf | This write into buffer 'passwd' may contain unencrypted data from $@ | test.cpp:54:17:54:20 | argv | user input (argv) |
+edges
+| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
+| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
+| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
+| test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input |
+nodes
+| test.cpp:54:17:54:20 | argv | semmle.label | argv |
+| test.cpp:54:17:54:20 | argv | semmle.label | argv |
+| test.cpp:58:25:58:29 | input | semmle.label | input |
+| test.cpp:58:25:58:29 | input | semmle.label | input |
+| test.cpp:58:25:58:29 | input | semmle.label | input |
+#select
+| test.cpp:58:3:58:9 | call to sprintf | test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input | This write into buffer 'passwd' may contain unencrypted data from $@ | test.cpp:54:17:54:20 | argv | user input (argv) |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/TaintedCondition.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-807/semmle/TaintedCondition/TaintedCondition.expected
@@ -1,2 +1,37 @@
-| test.cpp:24:10:24:35 | ! ... | Reliance on untrusted input $@ to raise privilege at $@ | test.cpp:20:29:20:34 | call to getenv | call to getenv | test.cpp:25:9:25:27 | ... = ... | ... = ... |
-| test.cpp:41:10:41:38 | ! ... | Reliance on untrusted input $@ to raise privilege at $@ | test.cpp:20:29:20:34 | call to getenv | call to getenv | test.cpp:42:8:42:26 | ... = ... | ... = ... |
+edges
+| test.cpp:20:29:20:34 | call to getenv | test.cpp:24:10:24:35 | ! ... |
+| test.cpp:20:29:20:34 | call to getenv | test.cpp:24:11:24:16 | call to strcmp |
+| test.cpp:20:29:20:34 | call to getenv | test.cpp:24:11:24:16 | call to strcmp |
+| test.cpp:20:29:20:34 | call to getenv | test.cpp:24:11:24:35 | (bool)... |
+| test.cpp:20:29:20:34 | call to getenv | test.cpp:41:10:41:38 | ! ... |
+| test.cpp:20:29:20:34 | call to getenv | test.cpp:41:11:41:16 | call to strcmp |
+| test.cpp:20:29:20:34 | call to getenv | test.cpp:41:11:41:16 | call to strcmp |
+| test.cpp:20:29:20:34 | call to getenv | test.cpp:41:11:41:38 | (bool)... |
+| test.cpp:20:29:20:47 | (const char *)... | test.cpp:24:10:24:35 | ! ... |
+| test.cpp:20:29:20:47 | (const char *)... | test.cpp:24:11:24:16 | call to strcmp |
+| test.cpp:20:29:20:47 | (const char *)... | test.cpp:24:11:24:16 | call to strcmp |
+| test.cpp:20:29:20:47 | (const char *)... | test.cpp:24:11:24:35 | (bool)... |
+| test.cpp:20:29:20:47 | (const char *)... | test.cpp:41:10:41:38 | ! ... |
+| test.cpp:20:29:20:47 | (const char *)... | test.cpp:41:11:41:16 | call to strcmp |
+| test.cpp:20:29:20:47 | (const char *)... | test.cpp:41:11:41:16 | call to strcmp |
+| test.cpp:20:29:20:47 | (const char *)... | test.cpp:41:11:41:38 | (bool)... |
+| test.cpp:24:11:24:16 | call to strcmp | test.cpp:24:10:24:35 | ! ... |
+| test.cpp:24:11:24:16 | call to strcmp | test.cpp:24:11:24:35 | (bool)... |
+| test.cpp:41:11:41:16 | call to strcmp | test.cpp:41:10:41:38 | ! ... |
+| test.cpp:41:11:41:16 | call to strcmp | test.cpp:41:11:41:38 | (bool)... |
+nodes
+| test.cpp:20:29:20:34 | call to getenv | semmle.label | call to getenv |
+| test.cpp:20:29:20:47 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:24:10:24:35 | ! ... | semmle.label | ! ... |
+| test.cpp:24:11:24:16 | call to strcmp | semmle.label | call to strcmp |
+| test.cpp:24:11:24:16 | call to strcmp | semmle.label | call to strcmp |
+| test.cpp:24:11:24:35 | (bool)... | semmle.label | (bool)... |
+| test.cpp:24:11:24:35 | (bool)... | semmle.label | (bool)... |
+| test.cpp:41:10:41:38 | ! ... | semmle.label | ! ... |
+| test.cpp:41:11:41:16 | call to strcmp | semmle.label | call to strcmp |
+| test.cpp:41:11:41:16 | call to strcmp | semmle.label | call to strcmp |
+| test.cpp:41:11:41:38 | (bool)... | semmle.label | (bool)... |
+| test.cpp:41:11:41:38 | (bool)... | semmle.label | (bool)... |
+#select
+| test.cpp:24:10:24:35 | ! ... | test.cpp:20:29:20:34 | call to getenv | test.cpp:24:10:24:35 | ! ... | Reliance on untrusted input $@ to raise privilege at $@ | test.cpp:20:29:20:34 | call to getenv | call to getenv | test.cpp:25:9:25:27 | ... = ... | ... = ... |
+| test.cpp:41:10:41:38 | ! ... | test.cpp:20:29:20:34 | call to getenv | test.cpp:41:10:41:38 | ! ... | Reliance on untrusted input $@ to raise privilege at $@ | test.cpp:20:29:20:34 | call to getenv | call to getenv | test.cpp:42:8:42:26 | ... = ... | ... = ... |