Merge branch 'main' into rdmarsh/cpp/use-taint-configuration-dtt

2026-05-01 03:35:13 +02:00 · 2021-03-26 09:11:12 +01:00
parent d09458a486 208d5157fa
commit 983b64a05f
824 changed files with 19318 additions and 9855 deletions
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected
@@ -47,6 +47,18 @@ edges
 | test.cpp:76:12:76:17 | fgets output argument | test.cpp:79:10:79:13 | (const char *)... |
 | test.cpp:76:12:76:17 | fgets output argument | test.cpp:79:10:79:13 | data |
 | test.cpp:76:12:76:17 | fgets output argument | test.cpp:79:10:79:13 | data indirection |
+| test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | (const char *)... |
+| test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | buffer |
+| test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | buffer indirection |
+| test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | (const char *)... |
+| test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | buffer |
+| test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | buffer indirection |
+| test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | (const char *)... |
+| test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | buffer |
+| test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | buffer indirection |
+| test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | (const char *)... |
+| test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | buffer |
+| test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | buffer indirection |
 nodes
 | test.cpp:24:30:24:36 | *command | semmle.label | *command |
 | test.cpp:24:30:24:36 | command | semmle.label | command |
@@ -94,6 +106,20 @@ nodes
 | test.cpp:79:10:79:13 | data | semmle.label | data |
 | test.cpp:79:10:79:13 | data indirection | semmle.label | data indirection |
 | test.cpp:79:10:79:13 | data indirection | semmle.label | data indirection |
+| test.cpp:98:17:98:22 | buffer | semmle.label | buffer |
+| test.cpp:98:17:98:22 | recv output argument | semmle.label | recv output argument |
+| test.cpp:99:15:99:20 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:99:15:99:20 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:99:15:99:20 | buffer | semmle.label | buffer |
+| test.cpp:99:15:99:20 | buffer indirection | semmle.label | buffer indirection |
+| test.cpp:99:15:99:20 | buffer indirection | semmle.label | buffer indirection |
+| test.cpp:106:17:106:22 | buffer | semmle.label | buffer |
+| test.cpp:106:17:106:22 | recv output argument | semmle.label | recv output argument |
+| test.cpp:107:15:107:20 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:107:15:107:20 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:107:15:107:20 | buffer | semmle.label | buffer |
+| test.cpp:107:15:107:20 | buffer indirection | semmle.label | buffer indirection |
+| test.cpp:107:15:107:20 | buffer indirection | semmle.label | buffer indirection |
 #select
 | test.cpp:26:10:26:16 | command | test.cpp:42:18:42:23 | call to getenv | test.cpp:26:10:26:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:42:18:42:23 | call to getenv | call to getenv |
 | test.cpp:31:10:31:16 | command | test.cpp:43:18:43:23 | call to getenv | test.cpp:31:10:31:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:43:18:43:23 | call to getenv | call to getenv |
@@ -101,3 +127,5 @@ nodes
 | test.cpp:63:10:63:13 | data | test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data | The value of this argument may come from $@ and is being passed to system | test.cpp:56:12:56:17 | buffer | buffer |
 | test.cpp:78:10:78:15 | buffer | test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer | The value of this argument may come from $@ and is being passed to system | test.cpp:76:12:76:17 | buffer | buffer |
 | test.cpp:79:10:79:13 | data | test.cpp:76:12:76:17 | buffer | test.cpp:79:10:79:13 | data | The value of this argument may come from $@ and is being passed to system | test.cpp:76:12:76:17 | buffer | buffer |
+| test.cpp:99:15:99:20 | buffer | test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | buffer | The value of this argument may come from $@ and is being passed to LoadLibrary | test.cpp:98:17:98:22 | buffer | buffer |
+| test.cpp:107:15:107:20 | buffer | test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | buffer | The value of this argument may come from $@ and is being passed to LoadLibrary | test.cpp:106:17:106:22 | buffer | buffer |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/test.cpp
@@ -81,3 +81,29 @@ void testReferencePointer2()
 		system(data2); // BAD [NOT DETECTED]
 	}
 }
+
+// ---
+
+typedef unsigned long size_t;
+
+void accept(int arg, char *buf, size_t *bufSize);
+void recv(int arg, char *buf, size_t bufSize);
+void LoadLibrary(const char *arg);
+
+void testAcceptRecv(int socket1, int socket2)
+{
+	{
+		char buffer[1024];
+
+		recv(socket1, buffer, 1024);
+		LoadLibrary(buffer); // BAD: using data from recv
+	}
+	
+	{
+		char buffer[1024];
+
+		accept(socket2, 0, 0);
+		recv(socket2, buffer, 1024);
+		LoadLibrary(buffer); // BAD: using data from recv
+	}
+}
--- a/cpp/ql/test/query-tests/Summary/LinesOfCode.expected
+++ b/cpp/ql/test/query-tests/Summary/LinesOfCode.expected
@@ -0,0 +1 @@
+| 93 |
--- a/cpp/ql/test/query-tests/Summary/LinesOfCode.qlref
+++ b/cpp/ql/test/query-tests/Summary/LinesOfCode.qlref
@@ -0,0 +1 @@
+Summary/LinesOfCode.ql
--- a/cpp/ql/test/query-tests/Summary/empty-file.cpp
+++ b/cpp/ql/test/query-tests/Summary/empty-file.cpp
@@ -0,0 +1 @@
+
--- a/cpp/ql/test/query-tests/Summary/large-file.cpp
+++ b/cpp/ql/test/query-tests/Summary/large-file.cpp
@@ -0,0 +1,123 @@
+int a00(float x) {
+    return (int)x;
+}
+
+int a01(float x) {
+    return (int)x;
+}
+
+int a02(float x) {
+    return (int)x;
+}
+
+int a03(float x) {
+    return (int)x;
+}
+
+int a04(float x) {
+    return (int)x;
+}
+
+int a05(float x) {
+    return (int)x;
+}
+
+int a06(float x) {
+    return (int)x;
+}
+
+/**
+ * This is a multi-line comment
+ */
+int a07(float x) {
+    return (int)x;
+}
+
+// this is a single-line comment
+int a08(float x) {
+    return (int)x;
+}
+
+int a09(float x) {
+    return (int)x;
+}
+
+int a10(float x) {
+    return (int)x;
+}
+
+int a11(float x) {
+    return (int)x;
+}
+
+int a12(float x) {
+    return (int)x;
+}
+
+int a13(float x) {
+    return (int)x;
+}
+
+int a14(float x) {
+    return (int)x;
+}
+
+int a15(float x) {
+    return (int)x;
+}
+
+int a16(float x) {
+    return (int)x;
+}
+
+int a17(float x) {
+    return (int)x;
+}
+
+int a18(float x) {
+    return (int)x;
+}
+
+int a19(float x) {
+    return (int)x;
+}
+
+int a20(float x) {
+    return (int)x;
+}
+
+int a21(float x) {
+    return (int)x;
+}
+
+int a22(float x) {
+    return (int)x;
+}
+
+int a23(float x) {
+    return (int)x;
+}
+
+int a24(float x) {
+    return (int)x;
+}
+
+int a25(float x) {
+    return (int)x;
+}
+
+int a26(float x) {
+    return (int)x;
+}
+
+int a27(float x) {
+    return (int)x;
+}
+
+int a28(float x) {
+    return (int)x;
+}
+
+int a29(float x) {
+    return (int)x;
+}
--- a/cpp/ql/test/query-tests/Summary/short-file.cpp
+++ b/cpp/ql/test/query-tests/Summary/short-file.cpp
@@ -0,0 +1,3 @@
+int g(float x) {
+    return (int)x;
+}