C++: Add test annotations

2026-04-23 07:45:17 +02:00 · 2024-09-04 10:23:51 +02:00
parent 751e7e6bfb
commit d8a70d8d58
4 changed files with 11 additions and 11 deletions
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/brotliTest.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/brotliTest.cpp
@@ -25,13 +25,13 @@ namespace std {

 int brotli_test(int argc, const char **argv) {
    uint8_t *output = nullptr;
-    BrotliDecoderDecompress(1024 * 1024, (uint8_t *) argv[2],
+    BrotliDecoderDecompress(1024 * 1024, (uint8_t *) argv[2], // BAD
                            reinterpret_cast<size_t *>(1024 * 1024 * 1024), output);
    uint8_t **output2 = nullptr;
    const uint8_t **input2 = nullptr;
    std::strncpy(reinterpret_cast<char *>(input2), argv[2], 32);
    BrotliDecoderDecompressStream(0, reinterpret_cast<size_t *>(1024 * 1024),
-                                  input2, reinterpret_cast<size_t *>(1024 * 1024 * 1024),
+                                  input2, reinterpret_cast<size_t *>(1024 * 1024 * 1024), // BAD
                                  output2,
                                  reinterpret_cast<size_t *>(1024 * 1024 * 1024));
    return 0;
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/libarchiveTests.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/libarchiveTests.cpp
@@ -53,7 +53,7 @@ static int copy_data(struct archive *ar, struct archive *aw) {
    la_int64_t offset;

    for (;;) {
-        archive_read_data_block(ar, &buff, &size, &offset);
+        archive_read_data_block(ar, &buff, &size, &offset); // BAD
        if (r == ARCHIVE_EOF)
            return (ARCHIVE_OK);
        if (r < ARCHIVE_OK)
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/minizipTest.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/minizipTest.cpp
@@ -37,7 +37,7 @@ int minizip_test(int argc, const char **argv) {
    int32_t err;
    char buf[4096];
    do {
-        bytes_read = mz_zip_entry_read(zip_handle, (char *) argv[1], sizeof(buf));
+        bytes_read = mz_zip_entry_read(zip_handle, (char *) argv[1], sizeof(buf)); // BAD
        if (bytes_read < 0) {
            err = bytes_read;
        }
@@ -55,7 +55,7 @@ int minizip_test(int argc, const char **argv) {
    mz_stream_os_open(entry_stream, entry_path, 1);
    int file_stream;
    int mz_stream_os_write;
-    mz_zip_reader_entry_save(zip_reader, file_stream, mz_stream_os_write);
+    mz_zip_reader_entry_save(zip_reader, file_stream, mz_stream_os_write); // BAD
    // the above sink is same as "mz_zip_reader_entry_save", "mz_zip_reader_entry_read", "mz_zip_reader_entry_save_process",
    // "mz_zip_reader_entry_save_file", "mz_zip_reader_entry_save_buffer", "mz_zip_reader_save_all" and "mz_zip_entry_read" functions
    mz_stream_os_close(entry_stream);
@@ -64,7 +64,7 @@ int minizip_test(int argc, const char **argv) {
    mz_zip_reader_delete(&zip_reader);


-    UnzOpen(argv[3]);
+    UnzOpen(argv[3]); // BAD
    return 0;
 }

--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/zlibTest.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/zlibTest.cpp
@@ -67,7 +67,7 @@ int UnsafeInflate(char *a) {
    // uLong  total_out; /* total number of bytes output so far */
    // the actual DE-compression work.
    inflateInit(&infstream);
-    inflate(&infstream, Z_NO_FLUSH);
+    inflate(&infstream, Z_NO_FLUSH); // BAD
    inflateEnd(&infstream);


@@ -98,7 +98,7 @@ int UnsafeGzread(char *fileName) {
    unsigned char unzipBuffer[8192];
    unsigned int unzippedBytes;
    while (true) {
-        unzippedBytes = gzread(inFileZ, unzipBuffer, 8192);
+        unzippedBytes = gzread(inFileZ, unzipBuffer, 8192); // BAD
        if (unzippedBytes > 0) {
            std::cout << unzippedBytes;
        } else {
@@ -118,7 +118,7 @@ int UnsafeGzfread(char *fileName) {
    }
    while (true) {
        char buffer[1000];
-        if (!gzfread(buffer, 999, 1, inFileZ)) {
+        if (!gzfread(buffer, 999, 1, inFileZ)) { // BAD
            break;
        }
    }
@@ -136,7 +136,7 @@ int UnsafeGzgets(char *fileName) {
    char *buffer = new char[4000000000];
    char *result;
    while (true) {
-        result = gzgets(inFileZ, buffer, 1000000000);
+        result = gzgets(inFileZ, buffer, 1000000000); // BAD
        if (result == nullptr) {
            break;
        }
@@ -160,7 +160,7 @@ bool InflateString(const unsigned char *input, const unsigned char *output, size
    destination_length = (uLong) output_length;

    int result = uncompress((Bytef *) output, &destination_length,
-                            (Bytef *) input, source_length);
+                            (Bytef *) input, source_length); // BAD

    return result == Z_OK;
 }