Merge branch 'main' into add-return-value-deref-to-model-util

2026-05-04 13:15:21 +02:00 · 2021-10-01 22:02:06 +02:00
parent 0679142607 62aa7b75bd
commit cca77ed65c
171 changed files with 2886 additions and 423 deletions
--- a/cpp/ql/test/include/iterator.h
+++ b/cpp/ql/test/include/iterator.h
@@ -0,0 +1,97 @@
+#if !defined(CODEQL_ITERATOR_H)
+#define CODEQL_ITERATOR_H
+
+typedef unsigned long size_t;
+
+#include "type_traits.h"
+
+namespace std {
+	struct ptrdiff_t;
+
+	template<class I> struct iterator_traits;
+
+	template <class Category,
+			  class value_type,
+			  class difference_type = ptrdiff_t,
+			  class pointer_type = value_type*,
+			  class reference_type = value_type&>
+	struct iterator {
+		typedef Category iterator_category;
+
+		iterator();
+		iterator(iterator<Category, remove_const_t<value_type> > const &other); // non-const -> const conversion constructor
+
+		iterator &operator++();
+		iterator operator++(int);
+		iterator &operator--();
+		iterator operator--(int);
+		bool operator==(iterator other) const;
+		bool operator!=(iterator other) const;
+		reference_type operator*() const;
+		pointer_type operator->() const;
+		iterator operator+(int);
+		iterator operator-(int);
+		iterator &operator+=(int);
+		iterator &operator-=(int);
+		int operator-(iterator);
+		reference_type operator[](int);
+	};
+
+	struct input_iterator_tag {};
+	struct forward_iterator_tag : public input_iterator_tag {};
+	struct bidirectional_iterator_tag : public forward_iterator_tag {};
+	struct random_access_iterator_tag : public bidirectional_iterator_tag {};
+
+	struct output_iterator_tag {};
+
+	template<class Container>
+	class back_insert_iterator {
+	protected:
+		Container* container = nullptr;
+	public:
+		using iterator_category = output_iterator_tag;
+		using value_type = void;
+		using difference_type = ptrdiff_t;
+		using pointer = void;
+		using reference = void;
+		using container_type = Container;
+		constexpr back_insert_iterator() noexcept = default;
+		constexpr explicit back_insert_iterator(Container& x);
+		back_insert_iterator& operator=(const typename Container::value_type& value);
+		back_insert_iterator& operator=(typename Container::value_type&& value);
+		back_insert_iterator& operator*();
+		back_insert_iterator& operator++();
+		back_insert_iterator operator++(int);
+	};
+
+	template<class Container>
+	constexpr back_insert_iterator<Container> back_inserter(Container& x) {
+		return back_insert_iterator<Container>(x);
+	}
+
+	template<class Container>
+	class front_insert_iterator {
+	protected:
+		Container* container = nullptr;
+	public:
+		using iterator_category = output_iterator_tag;
+		using value_type = void;
+		using difference_type = ptrdiff_t;
+		using pointer = void;
+		using reference = void;
+		using container_type = Container;
+		constexpr front_insert_iterator() noexcept = default;
+		constexpr explicit front_insert_iterator(Container& x);
+		constexpr front_insert_iterator& operator=(const typename Container::value_type& value);
+		constexpr front_insert_iterator& operator=(typename Container::value_type&& value);
+		constexpr front_insert_iterator& operator*();
+		constexpr front_insert_iterator& operator++();
+		constexpr front_insert_iterator operator++(int);
+	};
+	template<class Container>
+	constexpr front_insert_iterator<Container> front_inserter(Container& x) {
+		return front_insert_iterator<Container>(x);
+	}
+}
+
+#endif
--- a/cpp/ql/test/include/string.h
+++ b/cpp/ql/test/include/string.h
@@ -0,0 +1,85 @@
+#if !defined(CODEQL_STRING_H)
+#define CODEQL_STRING_H
+
+#include "iterator.h"
+
+namespace std
+{
+	template<class charT> struct char_traits;
+
+	typedef size_t streamsize;
+
+	template <class T> class allocator {
+	public:
+		allocator() throw();
+		typedef size_t size_type;
+	};
+
+	template<class charT, class traits = char_traits<charT>, class Allocator = allocator<charT> >
+	class basic_string {
+	public:
+		using value_type = charT;
+		using reference = value_type&;
+		using const_reference = const value_type&;
+		typedef typename Allocator::size_type size_type;
+		static const size_type npos = -1;
+
+		explicit basic_string(const Allocator& a = Allocator());
+		basic_string(const charT* s, const Allocator& a = Allocator());
+		template<class InputIterator> basic_string(InputIterator begin, InputIterator end, const Allocator& a = Allocator());
+
+		const charT* c_str() const;
+		charT* data() noexcept;
+		size_t length() const;
+
+		typedef std::iterator<random_access_iterator_tag, charT> iterator;
+		typedef std::iterator<random_access_iterator_tag, const charT> const_iterator;
+
+		iterator begin();
+		iterator end();
+		const_iterator begin() const;
+		const_iterator end() const;
+		const_iterator cbegin() const;
+		const_iterator cend() const;
+
+		void push_back(charT c);
+
+		const charT& front() const;
+		charT& front();
+		const charT& back() const;
+		charT& back();
+
+		const_reference operator[](size_type pos) const;
+		reference operator[](size_type pos);
+		const_reference at(size_type n) const;
+		reference at(size_type n);
+		template<class T> basic_string& operator+=(const T& t);
+		basic_string& operator+=(const charT* s);
+		basic_string& append(const basic_string& str);
+		basic_string& append(const charT* s);
+		basic_string& append(size_type n, charT c);
+		template<class InputIterator> basic_string& append(InputIterator first, InputIterator last); 
+		basic_string& assign(const basic_string& str);
+		basic_string& assign(size_type n, charT c);
+		template<class InputIterator> basic_string& assign(InputIterator first, InputIterator last);
+		basic_string& insert(size_type pos, const basic_string& str);
+		basic_string& insert(size_type pos, size_type n, charT c);
+		basic_string& insert(size_type pos, const charT* s);
+		iterator insert(const_iterator p, size_type n, charT c);
+		template<class InputIterator> iterator insert(const_iterator p, InputIterator first, InputIterator last); 
+		basic_string& replace(size_type pos1, size_type n1, const basic_string& str);
+		basic_string& replace(size_type pos1, size_type n1, size_type n2, charT c);
+		size_type copy(charT* s, size_type n, size_type pos = 0) const;
+		void clear() noexcept;
+		basic_string substr(size_type pos = 0, size_type n = npos) const;
+		void swap(basic_string& s) noexcept/*(allocator_traits<Allocator>::propagate_on_container_swap::value || allocator_traits<Allocator>::is_always_equal::value)*/;
+	};
+
+	template<class charT, class traits, class Allocator> basic_string<charT, traits, Allocator> operator+(const basic_string<charT, traits, Allocator>& lhs, const basic_string<charT, traits, Allocator>& rhs);
+	template<class charT, class traits, class Allocator> basic_string<charT, traits, Allocator> operator+(const basic_string<charT, traits, Allocator>& lhs, const charT* rhs);
+	template<class charT, class traits, class Allocator> basic_string<charT, traits, Allocator> operator+(const charT* lhs, const basic_string<charT, traits, Allocator>& rhs);
+
+	typedef basic_string<char> string;
+}
+
+#endif
--- a/cpp/ql/test/include/type_traits.h
+++ b/cpp/ql/test/include/type_traits.h
@@ -1,21 +1,44 @@
 #if !defined(CODEQL_TYPE_TRAITS_H)
 #define CODEQL_TYPE_TRAITS_H

+typedef unsigned long size_t;
+
 namespace std {
-    template<typename T>
-    struct remove_reference {
+    template<class T>
+    struct remove_const { typedef T type; };
+
+    template<class T>
+    struct remove_const<const T> { typedef T type; };
+
+    // `remove_const_t<T>` removes any `const` specifier from `T`
+    template<class T>
+    using remove_const_t = typename remove_const<T>::type;
+
+    template<class T>
+    struct remove_reference { typedef T type; };
+
+    template<class T>
+    struct remove_reference<T &> { typedef T type; };
+
+    template<class T>
+    struct remove_reference<T &&> { typedef T type; };
+
+    // `remove_reference_t<T>` removes any `&` from `T`
+    template<class T>
+    using remove_reference_t = typename remove_reference<T>::type;
+
+    template<class T>
+    struct decay_impl {
        typedef T type;
    };

-    template<typename T>
-    struct remove_reference<T&> {
-        typedef T type;
+    template<class T, size_t t_size>
+    struct decay_impl<T[t_size]> {
+        typedef T* type;
    };

-    template<typename T>
-    struct remove_reference<T&&> {
-        typedef T type;
-    };
+    template<class T>
+    using decay_t = typename decay_impl<remove_reference_t<T>>::type;
 }

 #endif
--- a/cpp/ql/test/query-tests/Critical/OverflowStatic/OverflowStatic.expected
+++ b/cpp/ql/test/query-tests/Critical/OverflowStatic/OverflowStatic.expected
@@ -5,14 +5,10 @@
 | test2.c:33:26:33:27 | 46 | Potential buffer-overflow: 'buffer' has size 40 not 46. |
 | test2.c:34:22:34:23 | 47 | Potential buffer-overflow: 'buffer' has size 40 not 47. |
 | test2.c:35:23:35:24 | 48 | Potential buffer-overflow: 'buffer' has size 40 not 48. |
-| test.c:14:9:14:13 | access to array | Potential buffer-overflow: 'xs' has size 5 but 'xs[5]' is accessed here. |
-| test.c:15:9:15:13 | access to array | Potential buffer-overflow: 'xs' has size 5 but 'xs[6]' is accessed here. |
-| test.c:20:9:20:18 | access to array | Potential buffer-overflow: 'ys' has size 5 but 'ys[5]' is accessed here. |
-| test.c:21:9:21:18 | access to array | Potential buffer-overflow: 'ys' has size 5 but 'ys[6]' is accessed here. |
-| test.c:47:3:47:18 | access to array | Potential buffer-overflow: 'ptr' has size 8 but 'ptr[8]' is accessed here. |
-| test.c:54:3:54:26 | access to array | Potential buffer-overflow: 'ptr' has size 8 but 'ptr[8]' is accessed here. |
-| test.c:61:3:61:18 | access to array | Potential buffer-overflow: 'ptr' has size 8 but 'ptr[8]' is accessed here. |
-| test.c:72:3:72:11 | access to array | Potential buffer-overflow: 'buf' has size 1 but 'buf[1]' is accessed here. |
+| test.c:14:9:14:13 | access to array | Potential buffer-overflow: 'xs' has size 5 but 'xs[5]' may be accessed here. |
+| test.c:15:9:15:13 | access to array | Potential buffer-overflow: 'xs' has size 5 but 'xs[6]' may be accessed here. |
+| test.c:20:9:20:18 | access to array | Potential buffer-overflow: 'ys' has size 5 but 'ys[5]' may be accessed here. |
+| test.c:21:9:21:18 | access to array | Potential buffer-overflow: 'ys' has size 5 but 'ys[6]' may be accessed here. |
 | test.cpp:19:3:19:12 | access to array | Potential buffer-overflow: counter 'i' <= 3 but 'buffer1' has 3 elements. |
 | test.cpp:20:3:20:12 | access to array | Potential buffer-overflow: counter 'i' <= 3 but 'buffer2' has 3 elements. |
 | test.cpp:24:27:24:27 | 4 | Potential buffer-overflow: 'buffer1' has size 3 not 4. |
--- a/cpp/ql/test/query-tests/Critical/OverflowStatic/test.c
+++ b/cpp/ql/test/query-tests/Critical/OverflowStatic/test.c
@@ -44,21 +44,21 @@ void union_test() {
  union u u;
  u.ptr[0] = 0; // GOOD
  u.ptr[sizeof(u)-1] = 0; // GOOD
-  u.ptr[sizeof(u)] = 0; // BAD
+  u.ptr[sizeof(u)] = 0; // BAD [NOT DETECTED]
 }

 void test_struct_union() {
  struct { union u u; } v;
  v.u.ptr[0] = 0; // GOOD
  v.u.ptr[sizeof(union u)-1] = 0; // GOOD
-  v.u.ptr[sizeof(union u)] = 0; // BAD
+  v.u.ptr[sizeof(union u)] = 0; // BAD [NOT DETECTED]
 }

 void union_test2() {
  union { char ptr[1]; unsigned long value; } u;
  u.ptr[0] = 0; // GOOD
  u.ptr[sizeof(u)-1] = 0; // GOOD
-  u.ptr[sizeof(u)] = 0; // BAD
+  u.ptr[sizeof(u)] = 0; // BAD [NOT DETECTED]
 }

 typedef struct {
@@ -69,5 +69,5 @@ typedef struct {
 void test_alloc() {
  // Special case of taking sizeof without any addition or multiplications
  var_buf *b = malloc(sizeof(var_buf));
-  b->buf[1] = 0; // BAD
+  b->buf[1] = 0; // BAD [NOT DETECTED]
 }
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/ExecTainted.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/ExecTainted.expected
@@ -1 +1,17 @@
-| tests.cpp:53:16:53:19 | data | This argument to an OS command is derived from $@ and then passed to system(string) | tests.cpp:33:34:33:39 | call to getenv | user input (getenv) |
+edges
+| tests.cpp:33:34:33:39 | call to getenv | tests.cpp:38:39:38:49 | environment indirection |
+| tests.cpp:38:25:38:36 | strncat output argument | tests.cpp:42:5:42:16 | Phi |
+| tests.cpp:38:39:38:49 | environment indirection | tests.cpp:38:25:38:36 | strncat output argument |
+| tests.cpp:38:39:38:49 | environment indirection | tests.cpp:38:25:38:36 | strncat output argument |
+| tests.cpp:42:5:42:16 | Phi | tests.cpp:51:22:51:25 | badSource output argument |
+| tests.cpp:51:22:51:25 | badSource output argument | tests.cpp:53:16:53:19 | data indirection |
+nodes
+| tests.cpp:33:34:33:39 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:38:25:38:36 | strncat output argument | semmle.label | strncat output argument |
+| tests.cpp:38:39:38:49 | environment indirection | semmle.label | environment indirection |
+| tests.cpp:42:5:42:16 | Phi | semmle.label | Phi |
+| tests.cpp:51:22:51:25 | badSource output argument | semmle.label | badSource output argument |
+| tests.cpp:53:16:53:19 | data indirection | semmle.label | data indirection |
+subpaths
+#select
+| tests.cpp:53:16:53:19 | data | tests.cpp:33:34:33:39 | call to getenv | tests.cpp:53:16:53:19 | data indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string) | tests.cpp:33:34:33:39 | call to getenv | user input (an environment variable) | tests.cpp:38:25:38:36 | strncat output argument | strncat output argument |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected
@@ -1 +1,67 @@
-| test.c:21:12:21:19 | command1 | This argument to an OS command is derived from $@ and then passed to system(string) | test.c:14:20:14:23 | argv | user input (argv) |
+edges
+| test.cpp:16:20:16:23 | argv | test.cpp:22:45:22:52 | userName indirection |
+| test.cpp:22:13:22:20 | sprintf output argument | test.cpp:23:12:23:19 | command1 indirection |
+| test.cpp:22:45:22:52 | userName indirection | test.cpp:22:13:22:20 | sprintf output argument |
+| test.cpp:22:45:22:52 | userName indirection | test.cpp:22:13:22:20 | sprintf output argument |
+| test.cpp:47:21:47:26 | call to getenv | test.cpp:50:35:50:43 | envCflags indirection |
+| test.cpp:50:11:50:17 | sprintf output argument | test.cpp:51:10:51:16 | command indirection |
+| test.cpp:50:35:50:43 | envCflags indirection | test.cpp:50:11:50:17 | sprintf output argument |
+| test.cpp:50:35:50:43 | envCflags indirection | test.cpp:50:11:50:17 | sprintf output argument |
+| test.cpp:62:9:62:16 | fread output argument | test.cpp:64:20:64:27 | filename indirection |
+| test.cpp:64:11:64:17 | strncat output argument | test.cpp:65:10:65:16 | command indirection |
+| test.cpp:64:20:64:27 | filename indirection | test.cpp:64:11:64:17 | strncat output argument |
+| test.cpp:64:20:64:27 | filename indirection | test.cpp:64:11:64:17 | strncat output argument |
+| test.cpp:82:9:82:16 | fread output argument | test.cpp:84:20:84:27 | filename indirection |
+| test.cpp:84:11:84:17 | strncat output argument | test.cpp:85:32:85:38 | command indirection |
+| test.cpp:84:20:84:27 | filename indirection | test.cpp:84:11:84:17 | strncat output argument |
+| test.cpp:84:20:84:27 | filename indirection | test.cpp:84:11:84:17 | strncat output argument |
+| test.cpp:91:9:91:16 | fread output argument | test.cpp:93:17:93:24 | filename indirection |
+| test.cpp:93:11:93:14 | strncat output argument | test.cpp:94:45:94:48 | path indirection |
+| test.cpp:93:17:93:24 | filename indirection | test.cpp:93:11:93:14 | strncat output argument |
+| test.cpp:93:17:93:24 | filename indirection | test.cpp:93:11:93:14 | strncat output argument |
+| test.cpp:106:20:106:25 | call to getenv | test.cpp:107:33:107:36 | path indirection |
+| test.cpp:113:20:113:25 | call to getenv | test.cpp:114:19:114:22 | path indirection |
+| test.cpp:119:20:119:25 | call to getenv | test.cpp:120:19:120:22 | path indirection |
+| test.cpp:140:9:140:11 | fread output argument | test.cpp:142:31:142:33 | str indirection |
+| test.cpp:142:11:142:17 | sprintf output argument | test.cpp:143:10:143:16 | command indirection |
+| test.cpp:142:31:142:33 | str indirection | test.cpp:142:11:142:17 | sprintf output argument |
+| test.cpp:142:31:142:33 | str indirection | test.cpp:142:11:142:17 | sprintf output argument |
+nodes
+| test.cpp:16:20:16:23 | argv | semmle.label | argv |
+| test.cpp:22:13:22:20 | sprintf output argument | semmle.label | sprintf output argument |
+| test.cpp:22:45:22:52 | userName indirection | semmle.label | userName indirection |
+| test.cpp:23:12:23:19 | command1 indirection | semmle.label | command1 indirection |
+| test.cpp:47:21:47:26 | call to getenv | semmle.label | call to getenv |
+| test.cpp:50:11:50:17 | sprintf output argument | semmle.label | sprintf output argument |
+| test.cpp:50:35:50:43 | envCflags indirection | semmle.label | envCflags indirection |
+| test.cpp:51:10:51:16 | command indirection | semmle.label | command indirection |
+| test.cpp:62:9:62:16 | fread output argument | semmle.label | fread output argument |
+| test.cpp:64:11:64:17 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:64:20:64:27 | filename indirection | semmle.label | filename indirection |
+| test.cpp:65:10:65:16 | command indirection | semmle.label | command indirection |
+| test.cpp:82:9:82:16 | fread output argument | semmle.label | fread output argument |
+| test.cpp:84:11:84:17 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:84:20:84:27 | filename indirection | semmle.label | filename indirection |
+| test.cpp:85:32:85:38 | command indirection | semmle.label | command indirection |
+| test.cpp:91:9:91:16 | fread output argument | semmle.label | fread output argument |
+| test.cpp:93:11:93:14 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:93:17:93:24 | filename indirection | semmle.label | filename indirection |
+| test.cpp:94:45:94:48 | path indirection | semmle.label | path indirection |
+| test.cpp:106:20:106:25 | call to getenv | semmle.label | call to getenv |
+| test.cpp:107:33:107:36 | path indirection | semmle.label | path indirection |
+| test.cpp:113:20:113:25 | call to getenv | semmle.label | call to getenv |
+| test.cpp:114:19:114:22 | path indirection | semmle.label | path indirection |
+| test.cpp:119:20:119:25 | call to getenv | semmle.label | call to getenv |
+| test.cpp:120:19:120:22 | path indirection | semmle.label | path indirection |
+| test.cpp:140:9:140:11 | fread output argument | semmle.label | fread output argument |
+| test.cpp:142:11:142:17 | sprintf output argument | semmle.label | sprintf output argument |
+| test.cpp:142:31:142:33 | str indirection | semmle.label | str indirection |
+| test.cpp:143:10:143:16 | command indirection | semmle.label | command indirection |
+subpaths
+#select
+| test.cpp:23:12:23:19 | command1 | test.cpp:16:20:16:23 | argv | test.cpp:23:12:23:19 | command1 indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string) | test.cpp:16:20:16:23 | argv | user input (a command-line argument) | test.cpp:22:13:22:20 | sprintf output argument | sprintf output argument |
+| test.cpp:51:10:51:16 | command | test.cpp:47:21:47:26 | call to getenv | test.cpp:51:10:51:16 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string) | test.cpp:47:21:47:26 | call to getenv | user input (an environment variable) | test.cpp:50:11:50:17 | sprintf output argument | sprintf output argument |
+| test.cpp:65:10:65:16 | command | test.cpp:62:9:62:16 | fread output argument | test.cpp:65:10:65:16 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string) | test.cpp:62:9:62:16 | fread output argument | user input (String read by fread) | test.cpp:64:11:64:17 | strncat output argument | strncat output argument |
+| test.cpp:85:32:85:38 | command | test.cpp:82:9:82:16 | fread output argument | test.cpp:85:32:85:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl | test.cpp:82:9:82:16 | fread output argument | user input (String read by fread) | test.cpp:84:11:84:17 | strncat output argument | strncat output argument |
+| test.cpp:94:45:94:48 | path | test.cpp:91:9:91:16 | fread output argument | test.cpp:94:45:94:48 | path indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl | test.cpp:91:9:91:16 | fread output argument | user input (String read by fread) | test.cpp:93:11:93:14 | strncat output argument | strncat output argument |
+| test.cpp:143:10:143:16 | command | test.cpp:140:9:140:11 | fread output argument | test.cpp:143:10:143:16 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string) | test.cpp:140:9:140:11 | fread output argument | user input (String read by fread) | test.cpp:142:11:142:17 | sprintf output argument | sprintf output argument |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/test.c
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/test.c
@@ -1,33 +0,0 @@
-// Semmle test case for rule ExecTainted.ql (Uncontrolled data used in OS command)
-// Associated with CWE-078: OS Command Injection. http://cwe.mitre.org/data/definitions/78.html
-
-///// Library routines /////
-
-int sprintf(char *s, const char *format, ...);
-int system(const char *string);
-
-extern void encodeShellString(char *shellStr, int maxChars, const char* cStr);
-
-///// Test code /////
-
-int main(int argc, char** argv) {
-  char *userName = argv[2];
-  
-  {
-    // BAD: a string from the user is injected directly into
-    // a command.
-    char command1[1000] = {0};
-    sprintf(command1, "userinfo -v \"%s\"", userName);
-    system(command1);
-  }
-
-  {  
-    // GOOD: the user string is encoded by a library routine.
-    char userNameQuoted[1000] = {0};
-    encodeShellString(userNameQuoted, 1000, userName); 
-    char command2[1000] = {0};
-    sprintf(command2, "userinfo -v %s", userNameQuoted);
-    system(command2);
-  }
-}
-
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/test.cpp
@@ -0,0 +1,174 @@
+// Semmle test case for rule ExecTainted.ql (Uncontrolled data used in OS command)
+// Associated with CWE-078: OS Command Injection. http://cwe.mitre.org/data/definitions/78.html
+
+///// Library routines /////
+
+int sprintf(char *s, const char *format, ...);
+int system(const char *string);
+
+char *getenv(char *var);
+
+extern void encodeShellString(char *shellStr, int maxChars, const char* cStr);
+#include "../../../../../../include/string.h"
+///// Test code /////
+
+int main(int argc, char** argv) {
+  char *userName = argv[2];
+  
+  {
+    // BAD: a string from the user is injected directly into
+    // a command.
+    char command1[1000] = {0};
+    sprintf(command1, "userinfo -v \"%s\"", userName);
+    system(command1);
+  }
+
+  {  
+    // GOOD: the user string is encoded by a library routine.
+    char userNameQuoted[1000] = {0};
+    encodeShellString(userNameQuoted, 1000, userName); 
+    char command2[1000] = {0};
+    sprintf(command2, "userinfo -v %s", userNameQuoted);
+    system(command2);
+  }
+}
+
+void test2(char* arg2) {
+  // GOOD?: the user string is the *first* part of the command, like $CC in many environments
+  char *envCC = getenv("CC");
+  
+  char command[1000];
+  sprintf("%s %s", envCC, arg2);
+  system(command);
+}
+
+void test3(char* arg1) {
+  // GOOD?: the user string is a `$CFLAGS` environment variable
+  char *envCflags = getenv("CFLAGS");
+  
+  char command[1000];
+  sprintf(command, "%s %s", arg1, envCflags);
+  system(command);
+}
+
+typedef unsigned long size_t;
+typedef void FILE;
+size_t fread(void *ptr, size_t size, size_t nmemb, FILE *stream);
+char *strncat(char *s1, const char *s2, size_t n);
+
+void test4(FILE *f) {
+  // BAD: the user string is injected directly into a command
+  char command[1000] = "mv ", filename[1000];
+  fread(filename, 1, 1000, f);
+
+  strncat(command, filename, 1000);
+  system(command);
+}
+
+void test5(FILE *f) {
+  // GOOD?: the user string is the start of a command
+  char command[1000], filename[1000] = " test.txt";
+  fread(command, 1, 1000, f);
+
+  strncat(command, filename, 1000);
+  system(command);
+}
+
+int execl(char *path, char *arg1, ...);
+
+void test6(FILE *f) {
+  // BAD: the user string is injected directly into a command
+  char command[1000] = "mv ", filename[1000];
+  fread(filename, 1, 1000, f);
+
+  strncat(command, filename, 1000);
+  execl("/bin/sh", "sh", "-c", command);
+}
+
+void test7(FILE *f) {
+  // GOOD [FALSE POSITIVE]: the user string is a positional argument to a shell script
+  char path[1000] = "/home/me/", filename[1000];
+  fread(filename, 1, 1000, f);
+
+  strncat(path, filename, 1000);
+  execl("/bin/sh", "sh", "-c", "script.sh", path);
+}
+
+void test8(char *arg2) {
+  // GOOD?: the user string is the *first* part of the command, like $CC in many environments
+  std::string envCC(getenv("CC"));
+  std::string command = envCC + arg2;
+  system(command.c_str());
+}
+
+void test9(FILE *f) {
+  // BAD: the user string is injected directly into a command
+  std::string path(getenv("something"));
+  std::string command = "mv " + path;
+  system(command.c_str());
+}
+
+void test10(FILE *f) {
+  // BAD: the user string is injected directly into a command
+  std::string path(getenv("something"));
+  system(("mv " + path).c_str());
+}
+
+void test11(FILE *f) {
+  // BAD: the user string is injected directly into a command
+  std::string path(getenv("something"));
+  system(("mv " + path).data());
+}
+
+int atoi(char *);
+
+void test12(FILE *f) {
+  char temp[10];
+  char command[1000];
+
+  fread(temp, 1, 10, f);
+
+  int x = atoi(temp);
+  sprintf(command, "tail -n %d foo.log", x);
+  system(command); // GOOD: the user string was converted to an integer and back
+}
+
+void test13(FILE *f) {
+  char str[1000];
+  char command[1000];
+
+  fread(str, 1, 1000, f);
+
+  sprintf(command, "echo %s", str);
+  system(command); // BAD: the user string was printed into the command with the %s specifier
+}
+
+void test14(FILE *f) {
+  char str[1000];
+  char command[1000];
+
+  fread(str, 1, 1000, f);
+
+  sprintf(command, "echo %p", str);
+  system(command); // GOOD: the user string's address was printed into the command with the %p specifier
+}
+
+void test15(FILE *f) {
+  char temp[10];
+  char command[1000];
+
+  fread(temp, 1, 10, f);
+
+  int x = atoi(temp);
+  
+  char temp2[10];
+  sprintf(temp2, "%d", x);
+    sprintf(command, "tail -n %s foo.log", temp2);
+
+  system(command); // GOOD: the user string was converted to an integer and back
+}
+
+
+// TODO: test for call context sensitivity at concatenation site
+
+// open question: do we want to report certain sources even when they're the start of the string?
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowBuffer.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowBuffer.expected
@@ -72,12 +72,9 @@
 | unions.cpp:30:2:30:7 | call to memset | This 'memset' operation accesses 200 bytes but the $@ is only 100 bytes. | unions.cpp:15:7:15:11 | small | destination buffer |
 | unions.cpp:34:2:34:7 | call to memset | This 'memset' operation accesses 200 bytes but the $@ is only 100 bytes. | unions.cpp:16:7:16:11 | large | destination buffer |
 | unions.cpp:34:2:34:7 | call to memset | This 'memset' operation accesses 200 bytes but the $@ is only 100 bytes. | unions.cpp:34:14:34:18 | large | destination buffer |
-| var_size_struct.cpp:54:5:54:14 | access to array | This array indexing operation accesses byte offset 1 but the $@ is only 1 byte. | var_size_struct.cpp:32:8:32:10 | str | array |
-| var_size_struct.cpp:55:5:55:14 | access to array | This array indexing operation accesses byte offset 1 but the $@ is only 1 byte. | var_size_struct.cpp:38:8:38:10 | str | array |
 | var_size_struct.cpp:71:3:71:8 | call to memset | This 'memset' operation accesses 1025 bytes but the $@ is only 1024 bytes. | var_size_struct.cpp:63:8:63:11 | data | destination buffer |
 | var_size_struct.cpp:73:3:73:9 | call to strncpy | This 'strncpy' operation may access 1025 bytes but the $@ is only 1024 bytes. | var_size_struct.cpp:63:8:63:11 | data | destination buffer |
 | var_size_struct.cpp:87:3:87:19 | access to array | This array indexing operation accesses byte offset 67 but the $@ is only 64 bytes. | var_size_struct.cpp:78:7:78:14 | elements | array |
 | var_size_struct.cpp:99:3:99:8 | call to memset | This 'memset' operation accesses 129 bytes but the $@ is only 128 bytes. | var_size_struct.cpp:92:8:92:10 | str | destination buffer |
 | var_size_struct.cpp:101:3:101:8 | call to memset | This 'memset' operation accesses 129 bytes but the $@ is only 128 bytes. | var_size_struct.cpp:92:8:92:10 | str | destination buffer |
 | var_size_struct.cpp:103:3:103:9 | call to strncpy | This 'strncpy' operation may access 129 bytes but the $@ is only 128 bytes. | var_size_struct.cpp:92:8:92:10 | str | destination buffer |
-| var_size_struct.cpp:169:3:169:8 | call to memset | This 'memset' operation accesses 100 bytes but the $@ is only 1 byte. | var_size_struct.cpp:125:17:125:19 | arr | destination buffer |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowStatic.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowStatic.expected
@@ -3,8 +3,6 @@
 | tests.cpp:163:3:163:11 | access to array | Potential buffer-overflow: counter 'k' <= 100 but 'buffer' has 100 elements. |
 | tests.cpp:164:8:164:16 | access to array | Potential buffer-overflow: counter 'k' <= 100 but 'buffer' has 100 elements. |
 | tests.cpp:245:42:245:42 | 6 | Potential buffer-overflow: 'global_array_5' has size 5 not 6. |
-| tests.cpp:349:2:349:14 | access to array | Potential buffer-overflow: 'charArray' has size 10 but 'charArray[10]' is accessed here. |
-| tests.cpp:350:17:350:29 | access to array | Potential buffer-overflow: 'charArray' has size 10 but 'charArray[10]' is accessed here. |
-| var_size_struct.cpp:54:5:54:14 | access to array | Potential buffer-overflow: 'str' has size 1 but 'str[1]' is accessed here. |
-| var_size_struct.cpp:55:5:55:14 | access to array | Potential buffer-overflow: 'str' has size 1 but 'str[1]' is accessed here. |
+| tests.cpp:349:2:349:14 | access to array | Potential buffer-overflow: 'charArray' has size 10 but 'charArray[10]' may be accessed here. |
+| tests.cpp:350:17:350:29 | access to array | Potential buffer-overflow: 'charArray' has size 10 but 'charArray[10]' may be accessed here. |
 | var_size_struct.cpp:103:39:103:41 | 129 | Potential buffer-overflow: 'str' has size 128 not 129. |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/var_size_struct.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/var_size_struct.cpp
@@ -51,8 +51,8 @@ void testVarString(int n) {
    s1->str[1] = '?'; // GOOD
    s2->str[1] = '?'; // GOOD
    s3->str[1] = '?'; // GOOD
-    s4->str[1] = '?'; // BAD
-    s5->str[1] = '?'; // BAD
+    s4->str[1] = '?'; // BAD [NOT DETECTED]
+    s5->str[1] = '?'; // BAD [NOT DETECTED]
  }
 }

@@ -166,7 +166,7 @@ void useVarStruct34(varStruct5 *vs5) {

 void testVarStruct34(varStruct3 *vs3, varStruct4 *vs4, varStruct5 *vs5, varStruct6 *vs6, varStruct7 *vs7, varStruct8 *vs8, varStruct9 *vs9) {
  memset(vs3->arr, 'x', 100); // GOOD: it's variable size, we don't know how big so shouldn't flag
-  memset(vs4->arr, 'x', 100); // BAD: it's not variable size, so this is a buffer overflow
+  memset(vs4->arr, 'x', 100); // BAD: [NOT DETECTED] it's not variable size, so this is a buffer overflow
  memset(vs5->arr, 'x', 100); // GOOD: it's variable size, we don't know how big so shouldn't flag
  memset(vs6->arr, 'x', 100); // GOOD: it's variable size, we don't know how big so shouldn't flag
  memset(vs7->arr, 'x', 100); // GOOD: it's variable size, we don't know how big so shouldn't flag
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/varsize.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/varsize.expected
@@ -1,12 +1,17 @@
 | var_size_struct.cpp:13:8:13:17 | VarString1 | var_size_struct.cpp:15:8:15:10 | str |
 | var_size_struct.cpp:18:8:18:17 | VarString2 | var_size_struct.cpp:20:8:20:10 | str |
 | var_size_struct.cpp:24:8:24:17 | VarString3 | var_size_struct.cpp:26:8:26:10 | str |
+| var_size_struct.cpp:30:8:30:17 | VarString4 | var_size_struct.cpp:32:8:32:10 | str |
+| var_size_struct.cpp:36:8:36:17 | VarString5 | var_size_struct.cpp:38:8:38:10 | str |
 | var_size_struct.cpp:36:8:36:17 | VarString5 | var_size_struct.cpp:39:8:39:11 | str2 |
 | var_size_struct.cpp:61:8:61:17 | varStruct1 | var_size_struct.cpp:63:8:63:11 | data |
 | var_size_struct.cpp:76:8:76:17 | varStruct2 | var_size_struct.cpp:78:7:78:14 | elements |
+| var_size_struct.cpp:106:8:106:20 | notVarStruct2 | var_size_struct.cpp:107:8:107:10 | str |
 | var_size_struct.cpp:119:8:119:17 | varStruct3 | var_size_struct.cpp:121:17:121:19 | arr |
+| var_size_struct.cpp:123:8:123:17 | varStruct4 | var_size_struct.cpp:125:17:125:19 | arr |
 | var_size_struct.cpp:127:8:127:17 | varStruct5 | var_size_struct.cpp:129:17:129:19 | arr |
 | var_size_struct.cpp:131:8:131:17 | varStruct6 | var_size_struct.cpp:133:17:133:19 | arr |
 | var_size_struct.cpp:135:8:135:17 | varStruct7 | var_size_struct.cpp:137:17:137:19 | arr |
 | var_size_struct.cpp:139:8:139:17 | varStruct8 | var_size_struct.cpp:141:9:141:11 | arr |
 | var_size_struct.cpp:143:8:143:17 | varStruct9 | var_size_struct.cpp:145:17:145:19 | arr |
+| var_size_struct.cpp:181:8:181:18 | PseudoUnion | var_size_struct.cpp:183:7:183:10 | data |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected
@@ -0,0 +1,49 @@
+edges
+| test3.cpp:68:21:68:29 | password1 | test3.cpp:70:15:70:17 | ptr |
+| test3.cpp:75:15:75:22 | password | test3.cpp:77:15:77:17 | ptr |
+| test3.cpp:106:20:106:25 | buffer | test3.cpp:108:14:108:19 | buffer |
+| test3.cpp:111:28:111:33 | buffer | test3.cpp:113:9:113:14 | buffer |
+| test3.cpp:120:9:120:23 | global_password | test3.cpp:138:16:138:29 | call to get_global_str |
+| test3.cpp:128:11:128:18 | password | test3.cpp:106:20:106:25 | buffer |
+| test3.cpp:132:21:132:22 | call to id | test3.cpp:134:15:134:17 | ptr |
+| test3.cpp:132:24:132:32 | password1 | test3.cpp:111:28:111:33 | buffer |
+| test3.cpp:132:24:132:32 | password1 | test3.cpp:132:21:132:22 | call to id |
+| test3.cpp:138:16:138:29 | call to get_global_str | test3.cpp:140:15:140:18 | data |
+| test3.cpp:151:19:151:26 | password | test3.cpp:153:15:153:20 | buffer |
+nodes
+| test3.cpp:20:15:20:23 | password1 | semmle.label | password1 |
+| test3.cpp:24:15:24:23 | password2 | semmle.label | password2 |
+| test3.cpp:41:15:41:22 | password | semmle.label | password |
+| test3.cpp:49:15:49:22 | password | semmle.label | password |
+| test3.cpp:68:21:68:29 | password1 | semmle.label | password1 |
+| test3.cpp:70:15:70:17 | ptr | semmle.label | ptr |
+| test3.cpp:75:15:75:22 | password | semmle.label | password |
+| test3.cpp:77:15:77:17 | ptr | semmle.label | ptr |
+| test3.cpp:95:12:95:19 | password | semmle.label | password |
+| test3.cpp:106:20:106:25 | buffer | semmle.label | buffer |
+| test3.cpp:108:14:108:19 | buffer | semmle.label | buffer |
+| test3.cpp:111:28:111:33 | buffer | semmle.label | buffer |
+| test3.cpp:113:9:113:14 | buffer | semmle.label | buffer |
+| test3.cpp:120:9:120:23 | global_password | semmle.label | global_password |
+| test3.cpp:128:11:128:18 | password | semmle.label | password |
+| test3.cpp:132:21:132:22 | call to id | semmle.label | call to id |
+| test3.cpp:132:24:132:32 | password1 | semmle.label | password1 |
+| test3.cpp:134:15:134:17 | ptr | semmle.label | ptr |
+| test3.cpp:138:16:138:29 | call to get_global_str | semmle.label | call to get_global_str |
+| test3.cpp:140:15:140:18 | data | semmle.label | data |
+| test3.cpp:151:19:151:26 | password | semmle.label | password |
+| test3.cpp:153:15:153:20 | buffer | semmle.label | buffer |
+subpaths
+| test3.cpp:132:24:132:32 | password1 | test3.cpp:111:28:111:33 | buffer | test3.cpp:113:9:113:14 | buffer | test3.cpp:132:21:132:22 | call to id |
+#select
+| test3.cpp:20:3:20:6 | call to send | test3.cpp:20:15:20:23 | password1 | test3.cpp:20:15:20:23 | password1 | This operation transmits 'password1', which may contain unencrypted sensitive data from $@ | test3.cpp:20:15:20:23 | password1 | password1 |
+| test3.cpp:24:3:24:6 | call to send | test3.cpp:24:15:24:23 | password2 | test3.cpp:24:15:24:23 | password2 | This operation transmits 'password2', which may contain unencrypted sensitive data from $@ | test3.cpp:24:15:24:23 | password2 | password2 |
+| test3.cpp:41:3:41:6 | call to recv | test3.cpp:41:15:41:22 | password | test3.cpp:41:15:41:22 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@ | test3.cpp:41:15:41:22 | password | password |
+| test3.cpp:49:3:49:6 | call to recv | test3.cpp:49:15:49:22 | password | test3.cpp:49:15:49:22 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@ | test3.cpp:49:15:49:22 | password | password |
+| test3.cpp:70:3:70:6 | call to send | test3.cpp:68:21:68:29 | password1 | test3.cpp:70:15:70:17 | ptr | This operation transmits 'ptr', which may contain unencrypted sensitive data from $@ | test3.cpp:68:21:68:29 | password1 | password1 |
+| test3.cpp:77:3:77:6 | call to recv | test3.cpp:75:15:75:22 | password | test3.cpp:77:15:77:17 | ptr | This operation receives into 'ptr', which may put unencrypted sensitive data into $@ | test3.cpp:75:15:75:22 | password | password |
+| test3.cpp:95:3:95:6 | call to read | test3.cpp:95:12:95:19 | password | test3.cpp:95:12:95:19 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@ | test3.cpp:95:12:95:19 | password | password |
+| test3.cpp:108:2:108:5 | call to recv | test3.cpp:128:11:128:18 | password | test3.cpp:108:14:108:19 | buffer | This operation receives into 'buffer', which may put unencrypted sensitive data into $@ | test3.cpp:128:11:128:18 | password | password |
+| test3.cpp:134:3:134:6 | call to send | test3.cpp:132:24:132:32 | password1 | test3.cpp:134:15:134:17 | ptr | This operation transmits 'ptr', which may contain unencrypted sensitive data from $@ | test3.cpp:132:24:132:32 | password1 | password1 |
+| test3.cpp:140:3:140:6 | call to send | test3.cpp:120:9:120:23 | global_password | test3.cpp:140:15:140:18 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@ | test3.cpp:120:9:120:23 | global_password | global_password |
+| test3.cpp:153:3:153:6 | call to send | test3.cpp:151:19:151:26 | password | test3.cpp:153:15:153:20 | buffer | This operation transmits 'buffer', which may contain unencrypted sensitive data from $@ | test3.cpp:151:19:151:26 | password | password |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-311/CleartextTransmission.ql
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp
@@ -0,0 +1,155 @@
+
+typedef unsigned long size_t;
+#define STDIN_FILENO (0)
+
+size_t strlen(const char *s);
+
+void send(int fd, const void *buf, size_t bufLen, int d);
+void recv(int fd, void *buf, size_t bufLen, int d);
+void read(int fd, void *buf, size_t bufLen);
+
+void LogonUserA(int a, int b, const char *password, int d, int e, int f);
+
+int val();
+
+void test_send(const char *password1, const char *password2, const char *password_hash, const char *message)
+{
+	{
+		LogonUserA(val(), val(), password1, val(), val(), val()); // proof `password1` is plaintext
+
+		send(val(), password1, strlen(password1), val()); // BAD: `password1` is sent plaintext (certainly)
+	}
+
+	{
+		send(val(), password2, strlen(password2), val()); // BAD: `password2` is sent plaintext (probably)
+	}
+
+	{
+		send(val(), password_hash, strlen(password_hash), val()); // GOOD: `password_hash` is sent encrypted
+	}
+
+	{
+		send(val(), message, strlen(message), val()); // GOOD: `message` is not a password
+	}
+}
+
+void test_receive()
+{
+	{
+		char password[256];
+
+		recv(val(), password, 256, val()); // BAD: `password` is received plaintext (certainly)
+
+		LogonUserA(val(), val(), password, val(), val(), val()); // (proof `password` is plaintext)
+	}
+
+	{
+		char password[256];
+
+		recv(val(), password, 256, val()); // BAD: `password` is received plaintext (probably)
+	}
+
+	{
+		char password_hash[256];
+
+		recv(val(), password_hash, 256, val()); // GOOD: `password` is received encrypted
+	}
+
+	{
+		char message[256];
+
+		recv(val(), message, 256, val()); // GOOD: `message` is not a password
+	}
+}
+
+void test_dataflow(const char *password1)
+{
+	{
+		const char *ptr = password1;
+
+		send(val(), ptr, strlen(ptr), val()); // BAD: `password` is sent plaintext
+	}
+
+	{
+		char password[256];
+		char *ptr = password;
+
+		recv(val(), ptr, 256, val()); // BAD: `password` is received plaintext
+	}
+
+	{
+		char buffer[256];
+
+		recv(val(), buffer, 256, val()); // BAD: `password` is received plaintext [NOT DETECTED]
+
+		char *password = buffer;
+	}
+}
+
+void test_read()
+{
+	{
+		char password[256];
+		int fd = val();
+
+		read(fd, password, 256); // BAD: `password` is received plaintext
+	}
+
+	{
+		char password[256];
+		int fd = STDIN_FILENO;
+
+		read(fd, password, 256); // GOOD: `password` is received from stdin, not a network socket
+	}
+}
+
+void my_recv(char *buffer, size_t bufferSize)
+{
+	recv(val(), buffer, bufferSize, val());
+}
+
+const char *id(const char *buffer)
+{
+	return buffer;
+}
+
+char *global_password;
+
+char *get_global_str()
+{
+	return global_password;
+}
+
+void test_interprocedural(const char *password1)
+{
+	{
+		char password[256];
+
+		my_recv(password, 256); // BAD: `password` is received plaintext [detected on line 108]
+	}
+
+	{
+		const char *ptr = id(password1);
+
+		send(val(), ptr, strlen(ptr), val()); // BAD: `password1` is sent plaintext
+	}
+
+	{
+		char *data = get_global_str();
+
+		send(val(), data, strlen(data), val()); // BAD: `global_password` is sent plaintext
+	}
+}
+
+char *strncpy(char *s1, const char *s2, size_t n);
+
+void test_taint(const char *password)
+{
+	{
+		char buffer[16];
+
+		strncpy(buffer, password, 16);
+		buffer[15] = 0;
+		send(val(), buffer, 16, val()); // BAD: `password` is (partially) sent plaintext
+	}
+}
				`@@ -0,0 +1 @@`
				`Security/CWE/CWE-311/CleartextTransmission.ql`