C++: Add various new test cases.

2026-04-29 02:35:15 +02:00 · 2021-10-07 14:46:03 +01:00
parent 2d4a2e0d44
commit b82425a35c
2 changed files with 109 additions and 5 deletions
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected
@@ -13,6 +13,7 @@ edges
 nodes
 | test3.cpp:22:15:22:23 | password1 | semmle.label | password1 |
 | test3.cpp:26:15:26:23 | password2 | semmle.label | password2 |
+| test3.cpp:38:23:38:31 | password2 | semmle.label | password2 |
 | test3.cpp:47:15:47:22 | password | semmle.label | password |
 | test3.cpp:55:15:55:22 | password | semmle.label | password |
 | test3.cpp:74:21:74:29 | password1 | semmle.label | password1 |
@@ -33,11 +34,22 @@ nodes
 | test3.cpp:146:15:146:18 | data | semmle.label | data |
 | test3.cpp:157:19:157:26 | password | semmle.label | password |
 | test3.cpp:159:15:159:20 | buffer | semmle.label | buffer |
+| test3.cpp:173:15:173:22 | password | semmle.label | password |
+| test3.cpp:181:15:181:22 | password | semmle.label | password |
+| test3.cpp:191:15:191:22 | password | semmle.label | password |
+| test3.cpp:201:15:201:22 | password | semmle.label | password |
+| test3.cpp:210:15:210:22 | password | semmle.label | password |
+| test3.cpp:219:15:219:26 | password_ptr | semmle.label | password_ptr |
+| test3.cpp:227:22:227:29 | password | semmle.label | password |
+| test3.cpp:228:26:228:33 | password | semmle.label | password |
+| test3.cpp:241:8:241:15 | password | semmle.label | password |
+| test3.cpp:242:8:242:15 | password | semmle.label | password |
 subpaths
 | test3.cpp:138:24:138:32 | password1 | test3.cpp:117:28:117:33 | buffer | test3.cpp:119:9:119:14 | buffer | test3.cpp:138:21:138:22 | call to id |
 #select
 | test3.cpp:22:3:22:6 | call to send | test3.cpp:22:15:22:23 | password1 | test3.cpp:22:15:22:23 | password1 | This operation transmits 'password1', which may contain unencrypted sensitive data from $@ | test3.cpp:22:15:22:23 | password1 | password1 |
 | test3.cpp:26:3:26:6 | call to send | test3.cpp:26:15:26:23 | password2 | test3.cpp:26:15:26:23 | password2 | This operation transmits 'password2', which may contain unencrypted sensitive data from $@ | test3.cpp:26:15:26:23 | password2 | password2 |
+| test3.cpp:38:3:38:6 | call to send | test3.cpp:38:23:38:31 | password2 | test3.cpp:38:23:38:31 | password2 | This operation transmits 'password2', which may contain unencrypted sensitive data from $@ | test3.cpp:38:23:38:31 | password2 | password2 |
 | test3.cpp:47:3:47:6 | call to recv | test3.cpp:47:15:47:22 | password | test3.cpp:47:15:47:22 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@ | test3.cpp:47:15:47:22 | password | password |
 | test3.cpp:55:3:55:6 | call to recv | test3.cpp:55:15:55:22 | password | test3.cpp:55:15:55:22 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@ | test3.cpp:55:15:55:22 | password | password |
 | test3.cpp:76:3:76:6 | call to send | test3.cpp:74:21:74:29 | password1 | test3.cpp:76:15:76:17 | ptr | This operation transmits 'ptr', which may contain unencrypted sensitive data from $@ | test3.cpp:74:21:74:29 | password1 | password1 |
@@ -47,3 +59,13 @@ subpaths
 | test3.cpp:140:3:140:6 | call to send | test3.cpp:138:24:138:32 | password1 | test3.cpp:140:15:140:17 | ptr | This operation transmits 'ptr', which may contain unencrypted sensitive data from $@ | test3.cpp:138:24:138:32 | password1 | password1 |
 | test3.cpp:146:3:146:6 | call to send | test3.cpp:126:9:126:23 | global_password | test3.cpp:146:15:146:18 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@ | test3.cpp:126:9:126:23 | global_password | global_password |
 | test3.cpp:159:3:159:6 | call to send | test3.cpp:157:19:157:26 | password | test3.cpp:159:15:159:20 | buffer | This operation transmits 'buffer', which may contain unencrypted sensitive data from $@ | test3.cpp:157:19:157:26 | password | password |
+| test3.cpp:173:3:173:6 | call to recv | test3.cpp:173:15:173:22 | password | test3.cpp:173:15:173:22 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@ | test3.cpp:173:15:173:22 | password | password |
+| test3.cpp:181:3:181:6 | call to recv | test3.cpp:181:15:181:22 | password | test3.cpp:181:15:181:22 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@ | test3.cpp:181:15:181:22 | password | password |
+| test3.cpp:191:3:191:6 | call to recv | test3.cpp:191:15:191:22 | password | test3.cpp:191:15:191:22 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@ | test3.cpp:191:15:191:22 | password | password |
+| test3.cpp:201:3:201:6 | call to send | test3.cpp:201:15:201:22 | password | test3.cpp:201:15:201:22 | password | This operation transmits 'password', which may contain unencrypted sensitive data from $@ | test3.cpp:201:15:201:22 | password | password |
+| test3.cpp:210:3:210:6 | call to send | test3.cpp:210:15:210:22 | password | test3.cpp:210:15:210:22 | password | This operation transmits 'password', which may contain unencrypted sensitive data from $@ | test3.cpp:210:15:210:22 | password | password |
+| test3.cpp:219:3:219:6 | call to send | test3.cpp:219:15:219:26 | password_ptr | test3.cpp:219:15:219:26 | password_ptr | This operation transmits 'password_ptr', which may contain unencrypted sensitive data from $@ | test3.cpp:219:15:219:26 | password_ptr | password_ptr |
+| test3.cpp:227:2:227:5 | call to send | test3.cpp:227:22:227:29 | password | test3.cpp:227:22:227:29 | password | This operation transmits 'password', which may contain unencrypted sensitive data from $@ | test3.cpp:227:22:227:29 | password | password |
+| test3.cpp:228:2:228:5 | call to send | test3.cpp:228:26:228:33 | password | test3.cpp:228:26:228:33 | password | This operation transmits 'password', which may contain unencrypted sensitive data from $@ | test3.cpp:228:26:228:33 | password | password |
+| test3.cpp:241:2:241:6 | call to fgets | test3.cpp:241:8:241:15 | password | test3.cpp:241:8:241:15 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@ | test3.cpp:241:8:241:15 | password | password |
+| test3.cpp:242:2:242:6 | call to fgets | test3.cpp:242:8:242:15 | password | test3.cpp:242:8:242:15 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@ | test3.cpp:242:8:242:15 | password | password |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp
@@ -1,8 +1,8 @@

 typedef unsigned long size_t;
 #define STDIN_FILENO (0)
-
-
+#define STDOUT_FILENO (1)
+int stdout_fileno = STDOUT_FILENO;

 size_t strlen(const char *s);

@@ -34,9 +34,9 @@ void test_send(const char *password1, const char *password2, const char *passwor
 		send(val(), message, strlen(message), val()); // GOOD: `message` is not a password
 	}

-
-
-
+	{
+		send(stdout_fileno, password2, strlen(password2), val()); // GOOD: `password2` is sent to stdout, not a network socket (this may be an issue but is not within the scope of the `cpp/cleartext-transmission` query) [FALSE POSITIVE]
+	}
 }

 void test_receive()
@@ -159,3 +159,85 @@ void test_taint(const char *password)
 		send(val(), buffer, 16, val()); // BAD: `password` is (partially) sent plaintext
 	}
 }
+
+void encrypt_inplace(char *buffer);
+void decrypt_inplace(char *buffer);
+char *rtn_encrypt(const char *buffer);
+char *rtn_decrypt(const char *buffer);
+
+void test_decrypt()
+{
+	{
+		char password[256];
+
+		recv(val(), password, 256, val()); // GOOD: password is encrypted [FALSE POSITIVE]
+
+		decrypt_inplace(password); // proof that `password` was in fact encrypted
+	}
+
+	{
+		char password[256];
+
+		recv(val(), password, 256, val()); // GOOD: password is encrypted [FALSE POSITIVE]
+		password[255] = 0;
+
+		decrypt_inplace(password); // proof that `password` was in fact encrypted
+	}
+
+	{
+		char password[256];
+		char *password_ptr;
+
+		recv(val(), password, 256, val()); // GOOD: password is encrypted [FALSE POSITIVE]
+
+		password_ptr = rtn_decrypt(password); // proof that `password` was in fact encrypted
+	}
+
+	{
+		char password[256];
+
+		encrypt_inplace(password); // proof that `password` is in fact encrypted
+
+		send(val(), password, strlen(password), val()); // GOOD: password is encrypted [FALSE POSITIVE]
+	}
+
+	{
+		char password[256];
+
+		encrypt_inplace(password); // proof that `password` is in fact encrypted
+		password[255] = 0;
+
+		send(val(), password, strlen(password), val()); // GOOD: password is encrypted [FALSE POSITIVE]
+	}
+
+	{
+		char password[256];
+		char *password_ptr;
+
+		password_ptr = rtn_encrypt(password); // proof that `password` is in fact encrypted
+
+		send(val(), password_ptr, strlen(password_ptr), val()); // GOOD: password is encrypted [FALSE POSITIVE]
+	}
+}
+
+int get_socket(int from);
+
+void test_more_stdio(const char *password)
+{
+	send(get_socket(1), password, 128, val()); // GOOD: `getsocket(1)` is probably standard output [FALSE POSITIVE]
+	send(get_socket(val()), password, 128, val()); // BAD
+}
+
+typedef struct {} FILE;
+char *fgets(char *s, int n, FILE *stream);
+
+FILE *get_stdstream(int index);
+#define STDIN_STREAM (get_stdstream(0))
+
+void test_fgets(FILE *stream)
+{
+	char password[128];
+
+	fgets(password, 128, stream); // BAD
+	fgets(password, 128, STDIN_STREAM); // GOOD: `STDIN_STREAM` is probably standard input [FALSE POSITIVE]
+}