hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-25 16:55:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into break-bigstep-at-store

Browse Source
This commit is contained in:
Mathias Vorreiter Pedersen
2024-04-16 15:33:21 +01:00
parent 7155af50be 4886bb1116
commit dd656d34be
402 changed files with 5371 additions and 17855 deletions
Download Patch File Download Diff File Expand all files Collapse all files

76
cpp/ql/test/library-tests/dataflow/models-as-data/FlowSummaryNode.expected Normal file
View File

@@ -0,0 +1,76 @@
| tests.cpp:144:5:144:19 | [summary param] 0 in madArg0ToReturn | ParameterNode | madArg0ToReturn | madArg0ToReturn |
| tests.cpp:144:5:144:19 | [summary] to write: ReturnValue in madArg0ToReturn | ReturnNode | madArg0ToReturn | madArg0ToReturn |
| tests.cpp:145:6:145:28 | [summary param] 0 in madArg0ToReturnIndirect | ParameterNode | madArg0ToReturnIndirect | madArg0ToReturnIndirect |
| tests.cpp:145:6:145:28 | [summary] to write: ReturnValue[*] in madArg0ToReturnIndirect | ReturnNode | madArg0ToReturnIndirect | madArg0ToReturnIndirect |
| tests.cpp:147:5:147:28 | [summary param] 0 in madArg0ToReturnValueFlow | ParameterNode | madArg0ToReturnValueFlow | madArg0ToReturnValueFlow |
| tests.cpp:147:5:147:28 | [summary] to write: ReturnValue in madArg0ToReturnValueFlow | ReturnNode | madArg0ToReturnValueFlow | madArg0ToReturnValueFlow |
| tests.cpp:148:5:148:27 | [summary param] 0 indirection in madArg0IndirectToReturn | ParameterNode | madArg0IndirectToReturn | madArg0IndirectToReturn |
| tests.cpp:148:5:148:27 | [summary] to write: ReturnValue in madArg0IndirectToReturn | ReturnNode | madArg0IndirectToReturn | madArg0IndirectToReturn |
| tests.cpp:149:5:149:33 | [summary param] 0 indirection in madArg0DoubleIndirectToReturn | ParameterNode | madArg0DoubleIndirectToReturn | madArg0DoubleIndirectToReturn |
| tests.cpp:149:5:149:33 | [summary] to write: ReturnValue in madArg0DoubleIndirectToReturn | ReturnNode | madArg0DoubleIndirectToReturn | madArg0DoubleIndirectToReturn |
| tests.cpp:150:5:150:30 | [summary param] 0 in madArg0NotIndirectToReturn | ParameterNode | madArg0NotIndirectToReturn | madArg0NotIndirectToReturn |
| tests.cpp:150:5:150:30 | [summary] to write: ReturnValue in madArg0NotIndirectToReturn | ReturnNode | madArg0NotIndirectToReturn | madArg0NotIndirectToReturn |
| tests.cpp:151:6:151:26 | [summary param] 0 in madArg0ToArg1Indirect | ParameterNode | madArg0ToArg1Indirect | madArg0ToArg1Indirect |
| tests.cpp:151:6:151:26 | [summary param] 1 indirection in madArg0ToArg1Indirect | ParameterNode | madArg0ToArg1Indirect | madArg0ToArg1Indirect |
| tests.cpp:151:6:151:26 | [summary] to write: Argument[1 indirection] in madArg0ToArg1Indirect | PostUpdateNode | madArg0ToArg1Indirect | madArg0ToArg1Indirect |
| tests.cpp:152:6:152:34 | [summary param] 0 indirection in madArg0IndirectToArg1Indirect | ParameterNode | madArg0IndirectToArg1Indirect | madArg0IndirectToArg1Indirect |
| tests.cpp:152:6:152:34 | [summary param] 1 indirection in madArg0IndirectToArg1Indirect | ParameterNode | madArg0IndirectToArg1Indirect | madArg0IndirectToArg1Indirect |
| tests.cpp:152:6:152:34 | [summary] to write: Argument[1 indirection] in madArg0IndirectToArg1Indirect | PostUpdateNode | madArg0IndirectToArg1Indirect | madArg0IndirectToArg1Indirect |
| tests.cpp:153:5:153:18 | [summary param] 0 indirection in madArgsComplex | ParameterNode | madArgsComplex | madArgsComplex |
| tests.cpp:153:5:153:18 | [summary param] 1 indirection in madArgsComplex | ParameterNode | madArgsComplex | madArgsComplex |
| tests.cpp:153:5:153:18 | [summary param] 2 in madArgsComplex | ParameterNode | madArgsComplex | madArgsComplex |
| tests.cpp:153:5:153:18 | [summary] to write: ReturnValue in madArgsComplex | ReturnNode | madArgsComplex | madArgsComplex |
| tests.cpp:155:5:155:28 | [summary param] 2 in madAndImplementedComplex | ParameterNode | madAndImplementedComplex | madAndImplementedComplex |
| tests.cpp:155:5:155:28 | [summary] to write: ReturnValue in madAndImplementedComplex | ReturnNode | madAndImplementedComplex | madAndImplementedComplex |
| tests.cpp:160:5:160:24 | [summary param] 0 in madArg0FieldToReturn | ParameterNode | madArg0FieldToReturn | madArg0FieldToReturn |
| tests.cpp:160:5:160:24 | [summary] read: Argument[0].Field[value] in madArg0FieldToReturn | | madArg0FieldToReturn | madArg0FieldToReturn |
| tests.cpp:160:5:160:24 | [summary] to write: ReturnValue in madArg0FieldToReturn | ReturnNode | madArg0FieldToReturn | madArg0FieldToReturn |
| tests.cpp:161:5:161:32 | [summary param] 0 indirection in madArg0IndirectFieldToReturn | ParameterNode | madArg0IndirectFieldToReturn | madArg0IndirectFieldToReturn |
| tests.cpp:161:5:161:32 | [summary] read: Argument[0 indirection].Field[value] in madArg0IndirectFieldToReturn | | madArg0IndirectFieldToReturn | madArg0IndirectFieldToReturn |
| tests.cpp:161:5:161:32 | [summary] to write: ReturnValue in madArg0IndirectFieldToReturn | ReturnNode | madArg0IndirectFieldToReturn | madArg0IndirectFieldToReturn |
| tests.cpp:162:5:162:32 | [summary param] 0 in madArg0FieldIndirectToReturn | ParameterNode | madArg0FieldIndirectToReturn | madArg0FieldIndirectToReturn |
| tests.cpp:162:5:162:32 | [summary] read: Argument[0].Field[*ptr] in madArg0FieldIndirectToReturn | | madArg0FieldIndirectToReturn | madArg0FieldIndirectToReturn |
| tests.cpp:162:5:162:32 | [summary] to write: ReturnValue in madArg0FieldIndirectToReturn | ReturnNode | madArg0FieldIndirectToReturn | madArg0FieldIndirectToReturn |
| tests.cpp:163:13:163:32 | [summary param] 0 in madArg0ToReturnField | ParameterNode | madArg0ToReturnField | madArg0ToReturnField |
| tests.cpp:163:13:163:32 | [summary] to write: ReturnValue in madArg0ToReturnField | ReturnNode | madArg0ToReturnField | madArg0ToReturnField |
| tests.cpp:163:13:163:32 | [summary] to write: ReturnValue.Field[value] in madArg0ToReturnField | | madArg0ToReturnField | madArg0ToReturnField |
| tests.cpp:164:14:164:41 | [summary param] 0 in madArg0ToReturnIndirectField | ParameterNode | madArg0ToReturnIndirectField | madArg0ToReturnIndirectField |
| tests.cpp:164:14:164:41 | [summary] to write: ReturnValue[*] in madArg0ToReturnIndirectField | ReturnNode | madArg0ToReturnIndirectField | madArg0ToReturnIndirectField |
| tests.cpp:164:14:164:41 | [summary] to write: ReturnValue[*].Field[value] in madArg0ToReturnIndirectField | | madArg0ToReturnIndirectField | madArg0ToReturnIndirectField |
| tests.cpp:165:13:165:40 | [summary param] 0 in madArg0ToReturnFieldIndirect | ParameterNode | madArg0ToReturnFieldIndirect | madArg0ToReturnFieldIndirect |
| tests.cpp:165:13:165:40 | [summary] to write: ReturnValue in madArg0ToReturnFieldIndirect | ReturnNode | madArg0ToReturnFieldIndirect | madArg0ToReturnFieldIndirect |
| tests.cpp:165:13:165:40 | [summary] to write: ReturnValue.Field[*ptr] in madArg0ToReturnFieldIndirect | | madArg0ToReturnFieldIndirect | madArg0ToReturnFieldIndirect |
| tests.cpp:284:7:284:19 | [summary param] 0 in madArg0ToSelf | ParameterNode | madArg0ToSelf | madArg0ToSelf |
| tests.cpp:284:7:284:19 | [summary param] this indirection in madArg0ToSelf | ParameterNode | madArg0ToSelf | madArg0ToSelf |
| tests.cpp:284:7:284:19 | [summary] to write: Argument[this indirection] in madArg0ToSelf | PostUpdateNode | madArg0ToSelf | madArg0ToSelf |
| tests.cpp:285:6:285:20 | [summary param] this indirection in madSelfToReturn | ParameterNode | madSelfToReturn | madSelfToReturn |
| tests.cpp:285:6:285:20 | [summary] to write: ReturnValue in madSelfToReturn | ReturnNode | madSelfToReturn | madSelfToReturn |
| tests.cpp:287:7:287:20 | [summary param] 0 in madArg0ToField | ParameterNode | madArg0ToField | madArg0ToField |
| tests.cpp:287:7:287:20 | [summary param] this indirection in madArg0ToField | ParameterNode | madArg0ToField | madArg0ToField |
| tests.cpp:287:7:287:20 | [summary] to write: Argument[this indirection] in madArg0ToField | PostUpdateNode | madArg0ToField | madArg0ToField |
| tests.cpp:287:7:287:20 | [summary] to write: Argument[this indirection].Field[val] in madArg0ToField | | madArg0ToField | madArg0ToField |
| tests.cpp:288:6:288:21 | [summary param] this indirection in madFieldToReturn | ParameterNode | madFieldToReturn | madFieldToReturn |
| tests.cpp:288:6:288:21 | [summary] read: Argument[this indirection].Field[val] in madFieldToReturn | | madFieldToReturn | madFieldToReturn |
| tests.cpp:288:6:288:21 | [summary] to write: ReturnValue in madFieldToReturn | ReturnNode | madFieldToReturn | madFieldToReturn |
| tests.cpp:313:7:313:30 | [summary param] this indirection in namespaceMadSelfToReturn | ParameterNode | namespaceMadSelfToReturn | namespaceMadSelfToReturn |
| tests.cpp:313:7:313:30 | [summary] to write: ReturnValue in namespaceMadSelfToReturn | ReturnNode | namespaceMadSelfToReturn | namespaceMadSelfToReturn |
| tests.cpp:434:5:434:29 | [summary param] 0 in madCallArg0ReturnToReturn | ParameterNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
| tests.cpp:434:5:434:29 | [summary] read: Argument[0].Parameter[this] in madCallArg0ReturnToReturn | PostUpdateNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
| tests.cpp:434:5:434:29 | [summary] read: Argument[0].ReturnValue in madCallArg0ReturnToReturn | OutNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
| tests.cpp:434:5:434:29 | [summary] to write: Argument[0].Parameter[this] in madCallArg0ReturnToReturn | ArgumentNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
| tests.cpp:434:5:434:29 | [summary] to write: ReturnValue in madCallArg0ReturnToReturn | ReturnNode | madCallArg0ReturnToReturn | madCallArg0ReturnToReturn |
| tests.cpp:435:9:435:38 | [summary param] 0 in madCallArg0ReturnToReturnFirst | ParameterNode | madCallArg0ReturnToReturnFirst | madCallArg0ReturnToReturnFirst |
| tests.cpp:435:9:435:38 | [summary] read: Argument[0].Parameter[this] in madCallArg0ReturnToReturnFirst | PostUpdateNode | madCallArg0ReturnToReturnFirst | madCallArg0ReturnToReturnFirst |
| tests.cpp:435:9:435:38 | [summary] read: Argument[0].ReturnValue in madCallArg0ReturnToReturnFirst | OutNode | madCallArg0ReturnToReturnFirst | madCallArg0ReturnToReturnFirst |
| tests.cpp:435:9:435:38 | [summary] to write: Argument[0].Parameter[this] in madCallArg0ReturnToReturnFirst | ArgumentNode | madCallArg0ReturnToReturnFirst | madCallArg0ReturnToReturnFirst |
| tests.cpp:435:9:435:38 | [summary] to write: ReturnValue in madCallArg0ReturnToReturnFirst | ReturnNode | madCallArg0ReturnToReturnFirst | madCallArg0ReturnToReturnFirst |
| tests.cpp:435:9:435:38 | [summary] to write: ReturnValue.Field[first] in madCallArg0ReturnToReturnFirst | | madCallArg0ReturnToReturnFirst | madCallArg0ReturnToReturnFirst |
| tests.cpp:436:6:436:25 | [summary param] 0 in madCallArg0WithValue | ParameterNode | madCallArg0WithValue | madCallArg0WithValue |
| tests.cpp:436:6:436:25 | [summary param] 1 in madCallArg0WithValue | ParameterNode | madCallArg0WithValue | madCallArg0WithValue |
| tests.cpp:436:6:436:25 | [summary] read: Argument[0].Parameter[0] in madCallArg0WithValue | PostUpdateNode | madCallArg0WithValue | madCallArg0WithValue |
| tests.cpp:436:6:436:25 | [summary] read: Argument[0].Parameter[this] in madCallArg0WithValue | PostUpdateNode | madCallArg0WithValue | madCallArg0WithValue |
| tests.cpp:436:6:436:25 | [summary] to write: Argument[0].Parameter[0] in madCallArg0WithValue | ArgumentNode | madCallArg0WithValue | madCallArg0WithValue |
| tests.cpp:436:6:436:25 | [summary] to write: Argument[0].Parameter[this] in madCallArg0WithValue | ArgumentNode | madCallArg0WithValue | madCallArg0WithValue |
| tests.cpp:436:6:436:25 | [summary] to write: Argument[1] in madCallArg0WithValue | PostUpdateNode | madCallArg0WithValue | madCallArg0WithValue |
| tests.cpp:437:5:437:36 | [summary param] 1 in madCallReturnValueIgnoreFunction | ParameterNode | madCallReturnValueIgnoreFunction | madCallReturnValueIgnoreFunction |
| tests.cpp:437:5:437:36 | [summary] to write: ReturnValue in madCallReturnValueIgnoreFunction | ReturnNode | madCallReturnValueIgnoreFunction | madCallReturnValueIgnoreFunction |

19
cpp/ql/test/library-tests/dataflow/models-as-data/FlowSummaryNode.ql Normal file
View File

@@ -0,0 +1,19 @@
import testModels
private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
string describe(DataFlow::Node n) {
n instanceof ParameterNode and result = "ParameterNode"
or
n instanceof PostUpdateNode and result = "PostUpdateNode"
or
n instanceof ArgumentNode and result = "ArgumentNode"
or
n instanceof ReturnNode and result = "ReturnNode"
or
n instanceof OutNode and result = "OutNode"
}
from FlowSummaryNode n
select n, concat(describe(n), ", "), concat(n.getSummarizedCallable().toString(), ", "),
concat(n.getEnclosingCallable().toString(), ", ")

220
cpp/ql/test/library-tests/dataflow/models-as-data/SummaryCall.expected Normal file
View File

@@ -0,0 +1,220 @@
summaryCalls
| file://:0:0:0:0 | [summary] call to [summary param] 0 in madCallArg0ReturnToReturn in madCallArg0ReturnToReturn |
| file://:0:0:0:0 | [summary] call to [summary param] 0 in madCallArg0ReturnToReturnFirst in madCallArg0ReturnToReturnFirst |
| file://:0:0:0:0 | [summary] call to [summary param] 0 in madCallArg0WithValue in madCallArg0WithValue |
summarizedCallables
| tests.cpp:144:5:144:19 | madArg0ToReturn |
| tests.cpp:145:6:145:28 | madArg0ToReturnIndirect |
| tests.cpp:147:5:147:28 | madArg0ToReturnValueFlow |
| tests.cpp:148:5:148:27 | madArg0IndirectToReturn |
| tests.cpp:149:5:149:33 | madArg0DoubleIndirectToReturn |
| tests.cpp:150:5:150:30 | madArg0NotIndirectToReturn |
| tests.cpp:151:6:151:26 | madArg0ToArg1Indirect |
| tests.cpp:152:6:152:34 | madArg0IndirectToArg1Indirect |
| tests.cpp:153:5:153:18 | madArgsComplex |
| tests.cpp:154:5:154:14 | madArgsAny |
| tests.cpp:155:5:155:28 | madAndImplementedComplex |
| tests.cpp:160:5:160:24 | madArg0FieldToReturn |
| tests.cpp:161:5:161:32 | madArg0IndirectFieldToReturn |
| tests.cpp:162:5:162:32 | madArg0FieldIndirectToReturn |
| tests.cpp:163:13:163:32 | madArg0ToReturnField |
| tests.cpp:164:14:164:41 | madArg0ToReturnIndirectField |
| tests.cpp:165:13:165:40 | madArg0ToReturnFieldIndirect |
| tests.cpp:284:7:284:19 | madArg0ToSelf |
| tests.cpp:285:6:285:20 | madSelfToReturn |
| tests.cpp:287:7:287:20 | madArg0ToField |
| tests.cpp:288:6:288:21 | madFieldToReturn |
| tests.cpp:313:7:313:30 | namespaceMadSelfToReturn |
| tests.cpp:434:5:434:29 | madCallArg0ReturnToReturn |
| tests.cpp:435:9:435:38 | madCallArg0ReturnToReturnFirst |
| tests.cpp:436:6:436:25 | madCallArg0WithValue |
| tests.cpp:437:5:437:36 | madCallReturnValueIgnoreFunction |
sourceCallables
| tests.cpp:3:5:3:10 | source |
| tests.cpp:4:6:4:14 | sourcePtr |
| tests.cpp:5:6:5:19 | sourceIndirect |
| tests.cpp:6:6:6:9 | sink |
| tests.cpp:6:15:6:17 | val |
| tests.cpp:7:6:7:9 | sink |
| tests.cpp:7:16:7:18 | ptr |
| tests.cpp:11:5:11:18 | localMadSource |
| tests.cpp:12:5:12:19 | remoteMadSource |
| tests.cpp:13:5:13:14 | notASource |
| tests.cpp:14:5:14:22 | localMadSourceVoid |
| tests.cpp:15:5:15:25 | localMadSourceHasBody |
| tests.cpp:16:6:16:28 | remoteMadSourceIndirect |
| tests.cpp:17:7:17:35 | remoteMadSourceDoubleIndirect |
| tests.cpp:18:6:18:32 | remoteMadSourceIndirectArg0 |
| tests.cpp:18:39:18:39 | x |
| tests.cpp:18:47:18:47 | y |
| tests.cpp:19:6:19:32 | remoteMadSourceIndirectArg1 |
| tests.cpp:19:39:19:39 | x |
| tests.cpp:19:47:19:47 | y |
| tests.cpp:20:5:20:22 | remoteMadSourceVar |
| tests.cpp:21:6:21:31 | remoteMadSourceVarIndirect |
| tests.cpp:24:6:24:28 | namespaceLocalMadSource |
| tests.cpp:25:6:25:31 | namespaceLocalMadSourceVar |
| tests.cpp:28:7:28:30 | namespace2LocalMadSource |
| tests.cpp:31:6:31:19 | localMadSource |
| tests.cpp:33:5:33:27 | namespaceLocalMadSource |
| tests.cpp:35:6:35:17 | test_sources |
| tests.cpp:50:6:50:6 | v |
| tests.cpp:51:7:51:16 | v_indirect |
| tests.cpp:52:6:52:13 | v_direct |
| tests.cpp:63:6:63:6 | a |
| tests.cpp:63:9:63:9 | b |
| tests.cpp:63:12:63:12 | c |
| tests.cpp:63:15:63:15 | d |
| tests.cpp:75:6:75:6 | e |
| tests.cpp:85:6:85:26 | remoteMadSourceParam0 |
| tests.cpp:85:32:85:32 | x |
| tests.cpp:92:6:92:16 | madSinkArg0 |
| tests.cpp:92:22:92:22 | x |
| tests.cpp:93:6:93:13 | notASink |
| tests.cpp:93:19:93:19 | x |
| tests.cpp:94:6:94:16 | madSinkArg1 |
| tests.cpp:94:22:94:22 | x |
| tests.cpp:94:29:94:29 | y |
| tests.cpp:95:6:95:17 | madSinkArg01 |
| tests.cpp:95:23:95:23 | x |
| tests.cpp:95:30:95:30 | y |
| tests.cpp:95:37:95:37 | z |
| tests.cpp:96:6:96:17 | madSinkArg02 |
| tests.cpp:96:23:96:23 | x |
| tests.cpp:96:30:96:30 | y |
| tests.cpp:96:37:96:37 | z |
| tests.cpp:97:6:97:24 | madSinkIndirectArg0 |
| tests.cpp:97:31:97:31 | x |
| tests.cpp:98:6:98:30 | madSinkDoubleIndirectArg0 |
| tests.cpp:98:38:98:38 | x |
| tests.cpp:99:5:99:14 | madSinkVar |
| tests.cpp:100:6:100:23 | madSinkVarIndirect |
| tests.cpp:102:6:102:15 | test_sinks |
| tests.cpp:116:6:116:6 | a |
| tests.cpp:117:7:117:11 | a_ptr |
| tests.cpp:132:6:132:18 | madSinkParam0 |
| tests.cpp:132:24:132:24 | x |
| tests.cpp:138:8:138:8 | operator= |
| tests.cpp:138:8:138:8 | operator= |
| tests.cpp:138:8:138:18 | MyContainer |
| tests.cpp:139:6:139:10 | value |
| tests.cpp:140:6:140:11 | value2 |
| tests.cpp:141:7:141:9 | ptr |
| tests.cpp:144:25:144:25 | x |
| tests.cpp:145:34:145:34 | x |
| tests.cpp:146:5:146:15 | notASummary |
| tests.cpp:146:21:146:21 | x |
| tests.cpp:147:34:147:34 | x |
| tests.cpp:148:34:148:34 | x |
| tests.cpp:149:41:149:41 | x |
| tests.cpp:150:37:150:37 | x |
| tests.cpp:151:32:151:32 | x |
| tests.cpp:151:40:151:40 | y |
| tests.cpp:152:47:152:47 | x |
| tests.cpp:152:55:152:55 | y |
| tests.cpp:153:25:153:25 | a |
| tests.cpp:153:33:153:33 | b |
| tests.cpp:153:40:153:40 | c |
| tests.cpp:153:47:153:47 | d |
| tests.cpp:154:20:154:20 | a |
| tests.cpp:154:28:154:28 | b |
| tests.cpp:155:34:155:34 | a |
| tests.cpp:155:41:155:41 | b |
| tests.cpp:155:48:155:48 | c |
| tests.cpp:160:38:160:39 | mc |
| tests.cpp:161:47:161:48 | mc |
| tests.cpp:162:46:162:47 | mc |
| tests.cpp:163:38:163:38 | x |
| tests.cpp:164:47:164:47 | x |
| tests.cpp:165:46:165:46 | x |
| tests.cpp:167:13:167:30 | madFieldToFieldVar |
| tests.cpp:168:13:168:38 | madFieldToIndirectFieldVar |
| tests.cpp:169:14:169:39 | madIndirectFieldToFieldVar |
| tests.cpp:171:6:171:19 | test_summaries |
| tests.cpp:174:6:174:6 | a |
| tests.cpp:174:9:174:9 | b |
| tests.cpp:174:12:174:12 | c |
| tests.cpp:174:15:174:15 | d |
| tests.cpp:174:18:174:18 | e |
| tests.cpp:175:7:175:11 | a_ptr |
| tests.cpp:218:14:218:16 | mc1 |
| tests.cpp:218:19:218:21 | mc2 |
| tests.cpp:237:15:237:18 | rtn1 |
| tests.cpp:240:14:240:17 | rtn2 |
| tests.cpp:241:7:241:14 | rtn2_ptr |
| tests.cpp:267:7:267:7 | operator= |
| tests.cpp:267:7:267:7 | operator= |
| tests.cpp:267:7:267:13 | MyClass |
| tests.cpp:270:6:270:26 | memberRemoteMadSource |
| tests.cpp:271:7:271:39 | memberRemoteMadSourceIndirectArg0 |
| tests.cpp:271:46:271:46 | x |
| tests.cpp:272:6:272:29 | memberRemoteMadSourceVar |
| tests.cpp:273:7:273:21 | qualifierSource |
| tests.cpp:274:7:274:26 | qualifierFieldSource |
| tests.cpp:277:7:277:23 | memberMadSinkArg0 |
| tests.cpp:277:29:277:29 | x |
| tests.cpp:278:6:278:21 | memberMadSinkVar |
| tests.cpp:279:7:279:19 | qualifierSink |
| tests.cpp:280:7:280:23 | qualifierArg0Sink |
| tests.cpp:280:29:280:29 | x |
| tests.cpp:281:7:281:24 | qualifierFieldSink |
| tests.cpp:284:25:284:25 | x |
| tests.cpp:286:6:286:16 | notASummary |
| tests.cpp:287:26:287:26 | x |
| tests.cpp:290:6:290:8 | val |
| tests.cpp:293:7:293:7 | MyDerivedClass |
| tests.cpp:293:7:293:7 | operator= |
| tests.cpp:293:7:293:7 | operator= |
| tests.cpp:293:7:293:20 | MyDerivedClass |
| tests.cpp:295:6:295:28 | subtypeRemoteMadSource1 |
| tests.cpp:296:6:296:21 | subtypeNonSource |
| tests.cpp:297:6:297:28 | subtypeRemoteMadSource2 |
| tests.cpp:300:9:300:15 | source2 |
| tests.cpp:301:6:301:9 | sink |
| tests.cpp:301:19:301:20 | mc |
| tests.cpp:304:8:304:8 | operator= |
| tests.cpp:304:8:304:8 | operator= |
| tests.cpp:304:8:304:14 | MyClass |
| tests.cpp:307:8:307:33 | namespaceMemberMadSinkArg0 |
| tests.cpp:307:39:307:39 | x |
| tests.cpp:308:15:308:46 | namespaceStaticMemberMadSinkArg0 |
| tests.cpp:308:52:308:52 | x |
| tests.cpp:309:7:309:31 | namespaceMemberMadSinkVar |
| tests.cpp:310:14:310:44 | namespaceStaticMemberMadSinkVar |
| tests.cpp:317:22:317:28 | source3 |
| tests.cpp:319:6:319:23 | test_class_members |
| tests.cpp:320:10:320:11 | mc |
| tests.cpp:320:14:320:16 | mc2 |
| tests.cpp:320:19:320:21 | mc3 |
| tests.cpp:320:24:320:26 | mc4 |
| tests.cpp:320:29:320:31 | mc5 |
| tests.cpp:320:34:320:36 | mc6 |
| tests.cpp:320:39:320:41 | mc7 |
| tests.cpp:320:44:320:46 | mc8 |
| tests.cpp:320:49:320:51 | mc9 |
| tests.cpp:320:54:320:57 | mc10 |
| tests.cpp:320:60:320:63 | mc11 |
| tests.cpp:321:11:321:13 | ptr |
| tests.cpp:321:17:321:23 | mc4_ptr |
| tests.cpp:322:17:322:19 | mdc |
| tests.cpp:323:23:323:25 | mnc |
| tests.cpp:323:28:323:31 | mnc2 |
| tests.cpp:324:24:324:31 | mnc2_ptr |
| tests.cpp:330:6:330:6 | a |
| tests.cpp:429:8:429:8 | operator= |
| tests.cpp:429:8:429:8 | operator= |
| tests.cpp:429:8:429:14 | intPair |
| tests.cpp:430:6:430:10 | first |
| tests.cpp:431:6:431:11 | second |
| tests.cpp:434:37:434:43 | fun_ptr |
| tests.cpp:435:46:435:52 | fun_ptr |
| tests.cpp:436:34:436:40 | fun_ptr |
| tests.cpp:436:53:436:57 | value |
| tests.cpp:437:45:437:51 | fun_ptr |
| tests.cpp:437:64:437:68 | value |
| tests.cpp:439:5:439:14 | getTainted |
| tests.cpp:440:6:440:13 | useValue |
| tests.cpp:440:19:440:19 | x |
| tests.cpp:441:6:441:17 | dontUseValue |
| tests.cpp:441:23:441:23 | x |
| tests.cpp:443:6:443:27 | test_function_pointers |

9
cpp/ql/test/library-tests/dataflow/models-as-data/SummaryCall.ql Normal file
View File

@@ -0,0 +1,9 @@
import testModels
private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
query predicate summaryCalls(SummaryCall c) { any() }
query predicate summarizedCallables(SummarizedCallable c) { any() }
query predicate sourceCallables(SourceCallable c) { c.getLocation().getFile().toString() != "" }

2
cpp/ql/test/library-tests/dataflow/models-as-data/interpretElement.expected Normal file
View File

@@ -0,0 +1,2 @@
testFailures
failures

18
cpp/ql/test/library-tests/dataflow/models-as-data/interpretElement.ql Normal file
View File

@@ -0,0 +1,18 @@
import TestUtilities.InlineExpectationsTest
import testModels
module InterpretElementTest implements TestSig {
string getARelevantTag() { result = "interpretElement" }
predicate hasActualResult(Location location, string element, string tag, string value) {
exists(Element e |
e = interpretElement(_, _, _, _, _, _) and
location = e.getLocation() and
element = e.toString() and
tag = "interpretElement" and
value = ""
)
}
}
import MakeTest<InterpretElementTest>

2
cpp/ql/test/library-tests/dataflow/models-as-data/taint.expected Normal file
View File

@@ -0,0 +1,2 @@
testFailures
failures

32
cpp/ql/test/library-tests/dataflow/models-as-data/taint.ql Normal file
View File

@@ -0,0 +1,32 @@
import TestUtilities.dataflow.FlowTestCommon
import testModels
module IRTest {
private import semmle.code.cpp.ir.IR
private import semmle.code.cpp.ir.dataflow.TaintTracking
/** Common data flow configuration to be used by tests. */
module TestAllocationConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source instanceof FlowSource
or
source.asExpr().(FunctionCall).getTarget().getName() =
["source", "source2", "source3", "sourcePtr"]
or
source.asIndirectExpr(1).(FunctionCall).getTarget().getName() = "sourceIndirect"
}
predicate isSink(DataFlow::Node sink) {
sinkNode(sink, "test-sink")
or
exists(FunctionCall call |
call.getTarget().getName() = "sink" and
sink.asExpr() = call.getAnArgument()
)
}
}
module IRFlow = TaintTracking::Global<TestAllocationConfig>;
}
import MakeTest<IRFlowTest<IRTest::IRFlow>>

103
cpp/ql/test/library-tests/dataflow/models-as-data/testModels.qll Normal file
View File

@@ -0,0 +1,103 @@
import semmle.code.cpp.security.FlowSources
/**
* Models-as-data source models for this test.
*/
private class TestSources extends SourceModelCsv {
override predicate row(string row) {
row =
[
";;false;localMadSource;;;ReturnValue;local",
";;false;remoteMadSource;;;ReturnValue;remote",
";;false;localMadSourceVoid;;;ReturnValue;local",
";;false;localMadSourceHasBody;;;ReturnValue;local",
";;false;remoteMadSourceIndirect;;;ReturnValue[*];remote",
";;false;remoteMadSourceDoubleIndirect;;;ReturnValue[**];remote",
";;false;remoteMadSourceIndirectArg0;;;Argument[*0];remote",
";;false;remoteMadSourceIndirectArg1;;;Argument[*1];remote",
";;false;remoteMadSourceVar;;;;remote",
";;false;remoteMadSourceVarIndirect;;;*;remote", // not correctly expressed
";;false;remoteMadSourceParam0;;;Parameter[0];remote",
"MyNamespace;;false;namespaceLocalMadSource;;;ReturnValue;local",
"MyNamespace;;false;namespaceLocalMadSourceVar;;;;local",
"MyNamespace::MyNamespace2;;false;namespace2LocalMadSource;;;ReturnValue;local",
";MyClass;true;memberRemoteMadSource;;;ReturnValue;remote",
";MyClass;true;memberRemoteMadSourceIndirectArg0;;;Argument[*0];remote",
";MyClass;true;memberRemoteMadSourceVar;;;;remote",
";MyClass;true;subtypeRemoteMadSource1;;;ReturnValue;remote",
";MyClass;false;subtypeNonSource;;;ReturnValue;remote", // the tests define this in MyDerivedClass, so it should *not* be recongized as a source
";MyClass;true;qualifierSource;;;Argument[-1];remote",
";MyClass;true;qualifierFieldSource;;;Argument[-1].val;remote",
";MyDerivedClass;false;subtypeRemoteMadSource2;;;ReturnValue;remote",
]
}
}
/**
* Models-as-data sink models for this test.
*/
private class TestSinks extends SinkModelCsv {
override predicate row(string row) {
row =
[
";;false;madSinkArg0;;;Argument[0];test-sink",
";;false;madSinkArg1;;;Argument[1];test-sink",
";;false;madSinkArg01;;;Argument[0..1];test-sink",
";;false;madSinkArg02;;;Argument[0,2];test-sink",
";;false;madSinkIndirectArg0;;;Argument[*0];test-sink",
";;false;madSinkDoubleIndirectArg0;;;Argument[**0];test-sink",
";;false;madSinkVar;;;;test-sink",
";;false;madSinkVarIndirect;;;*;test-sink", // not correctly expressed
";;false;madSinkParam0;;;Parameter[0];test-sink",
";MyClass;true;memberMadSinkArg0;;;Argument[0];test-sink",
";MyClass;true;memberMadSinkVar;;;;test-sink",
";MyClass;true;qualifierSink;;;Argument[-1];test-sink",
";MyClass;true;qualifierArg0Sink;;;Argument[-1..0];test-sink",
";MyClass;true;qualifierFieldSink;;;Argument[-1].val;test-sink",
"MyNamespace;MyClass;true;namespaceMemberMadSinkArg0;;;Argument[0];test-sink",
"MyNamespace;MyClass;true;namespaceStaticMemberMadSinkArg0;;;Argument[0];test-sink",
"MyNamespace;MyClass;true;namespaceMemberMadSinkVar;;;;test-sink",
"MyNamespace;MyClass;true;namespaceStaticMemberMadSinkVar;;;;test-sink",
]
}
}
/**
* Models-as-data summary models for this test.
*/
private class TestSummaries extends SummaryModelCsv {
override predicate row(string row) {
row =
[
";;false;madArg0ToReturn;;;Argument[0];ReturnValue;taint",
";;false;madArg0ToReturnIndirect;;;Argument[0];ReturnValue[*];taint",
";;false;madArg0ToReturnValueFlow;;;Argument[0];ReturnValue;value",
";;false;madArg0IndirectToReturn;;;Argument[*0];ReturnValue;taint",
";;false;madArg0DoubleIndirectToReturn;;;Argument[**0];ReturnValue;taint",
";;false;madArg0NotIndirectToReturn;;;Argument[0];ReturnValue;taint",
";;false;madArg0ToArg1Indirect;;;Argument[0];Argument[*1];taint",
";;false;madArg0IndirectToArg1Indirect;;;Argument[*0];Argument[*1];taint",
";;false;madArgsComplex;;;Argument[*0..1,2];ReturnValue;taint",
";;false;madAndImplementedComplex;;;Argument[2];ReturnValue;taint",
";;false;madArgsAny;;;Argument;ReturnValue;taint", // (syntax not supported)
";;false;madArg0FieldToReturn;;;Argument[0].value;ReturnValue;taint",
";;false;madArg0IndirectFieldToReturn;;;Argument[*0].value;ReturnValue;taint",
";;false;madArg0FieldIndirectToReturn;;;Argument[0].ptr[*];ReturnValue;taint",
";;false;madArg0ToReturnField;;;Argument[0];ReturnValue.value;taint",
";;false;madArg0ToReturnIndirectField;;;Argument[0];ReturnValue[*].value;taint",
";;false;madArg0ToReturnFieldIndirect;;;Argument[0];ReturnValue.ptr[*];taint",
";;false;madFieldToFieldVar;;;value;value2;taint",
";;false;madFieldToIndirectFieldVar;;;value;ptr[*];taint",
";;false;madIndirectFieldToFieldVar;;;;value;value2;taint", // not correctly expressed
";MyClass;true;madArg0ToSelf;;;Argument[0];Argument[-1];taint",
";MyClass;true;madSelfToReturn;;;Argument[-1];ReturnValue;taint",
";MyClass;true;madArg0ToField;;;Argument[0];Argument[-1].val;taint",
";MyClass;true;madFieldToReturn;;;Argument[-1].val;ReturnValue;taint",
"MyNamespace;MyClass;true;namespaceMadSelfToReturn;;;Argument[-1];ReturnValue;taint",
";;false;madCallArg0ReturnToReturn;;;Argument[0].ReturnValue;ReturnValue;value",
";;false;madCallArg0ReturnToReturnFirst;;;Argument[0].ReturnValue;ReturnValue.first;value",
";;false;madCallArg0WithValue;;;Argument[1];Argument[0].Parameter[0];value",
";;false;madCallReturnValueIgnoreFunction;;;Argument[1];ReturnValue;value",
]
}
}

454
cpp/ql/test/library-tests/dataflow/models-as-data/tests.cpp Normal file
View File

@@ -0,0 +1,454 @@
// non-MAD sources / sinks
int source();
int *sourcePtr();
int *sourceIndirect();
void sink(int val);
void sink(int *ptr);
// --- global MAD sources ---
int localMadSource(); // $ interpretElement
int remoteMadSource(); // $ interpretElement
int notASource();
int localMadSourceVoid(void); // $ interpretElement
int localMadSourceHasBody() { return 0; } // $ interpretElement
int *remoteMadSourceIndirect(); // $ interpretElement
int **remoteMadSourceDoubleIndirect(); // $ interpretElement
void remoteMadSourceIndirectArg0(int *x, int *y); // $ interpretElement
void remoteMadSourceIndirectArg1(int &x, int &y); // $ interpretElement
int remoteMadSourceVar; // $ interpretElement
int *remoteMadSourceVarIndirect; // $ interpretElement
namespace MyNamespace {
int namespaceLocalMadSource(); // $ interpretElement
int namespaceLocalMadSourceVar; // $ interpretElement
namespace MyNamespace2 {
int namespace2LocalMadSource(); // $ interpretElement
}
int localMadSource(); // (not a source)
}
int namespaceLocalMadSource(); // (not a source)
void test_sources() {
sink(0);
sink(source()); // $ ir
// test sources
sink(localMadSource()); // $ ir
sink(remoteMadSource()); // $ ir
sink(notASource());
sink(localMadSourceVoid()); // $ ir
sink(localMadSourceHasBody()); // $ ir
sink(sourceIndirect());
sink(*sourceIndirect()); // $ ir
int v = localMadSource();
int *v_indirect = &v;
int v_direct = *v_indirect;
sink(v); // $ ir
sink(v_indirect);
sink(*v_indirect); // $ ir
sink(v_direct); // $ ir
sink(remoteMadSourceIndirect());
sink(*remoteMadSourceIndirect()); // $ MISSING: ir
sink(*remoteMadSourceDoubleIndirect());
sink(**remoteMadSourceDoubleIndirect()); // $ MISSING: ir
int a, b, c, d;
remoteMadSourceIndirectArg0(&a, &b);
sink(a); // $ ir
sink(b);
remoteMadSourceIndirectArg1(c, d);
sink(c);
sink(d); // $ ir
sink(remoteMadSourceVar); // $ ir
sink(*remoteMadSourceVarIndirect); // $ MISSING: ir
int e = localMadSource();
sink(e); // $ ir
sink(MyNamespace::namespaceLocalMadSource()); // $: ir
sink(MyNamespace::namespaceLocalMadSourceVar); // $ ir
sink(MyNamespace::MyNamespace2::namespace2LocalMadSource()); // $ ir
sink(MyNamespace::localMadSource()); // $ (the MyNamespace version of this function is not a source)
sink(namespaceLocalMadSource()); // (the global namespace version of this function is not a source)
}
void remoteMadSourceParam0(int x) // $ interpretElement
{
sink(x); // $ ir
}
// --- global MAD sinks ---
void madSinkArg0(int x); // $ interpretElement
void notASink(int x);
void madSinkArg1(int x, int y); // $ interpretElement
void madSinkArg01(int x, int y, int z); // $ interpretElement
void madSinkArg02(int x, int y, int z); // $ interpretElement
void madSinkIndirectArg0(int *x); // $ interpretElement
void madSinkDoubleIndirectArg0(int **x); // $ interpretElement
int madSinkVar; // $ interpretElement
int *madSinkVarIndirect; // $ interpretElement
void test_sinks() {
// test sinks
madSinkArg0(source()); // $ ir
notASink(source());
madSinkArg1(source(), 0);
madSinkArg1(0, source()); // $ ir
madSinkArg01(source(), 0, 0); // $ ir
madSinkArg01(0, source(), 0); // $ ir
madSinkArg01(0, 0, source());
madSinkArg02(source(), 0, 0); // $ ir
madSinkArg02(0, source(), 0);
madSinkArg02(0, 0, source()); // $ ir
int a = source();
int *a_ptr = &a;
madSinkIndirectArg0(&a); // $ ir
madSinkIndirectArg0(a_ptr); // $ ir
madSinkDoubleIndirectArg0(&a_ptr); // $ ir
madSinkVar = source(); // $ ir
// test sources + sinks together
madSinkArg0(localMadSource()); // $ ir
madSinkIndirectArg0(remoteMadSourceIndirect()); // $ MISSING: ir
madSinkVar = remoteMadSourceVar; // $ ir
*madSinkVarIndirect = remoteMadSourceVar; // $ MISSING: ir
}
void madSinkParam0(int x) { // $ interpretElement
x = source(); // $ MISSING: ir
}
// --- global MAD summaries ---
struct MyContainer {
int value;
int value2;
int *ptr;
};
int madArg0ToReturn(int x); // $ interpretElement
int *madArg0ToReturnIndirect(int x); // $ interpretElement
int notASummary(int x);
int madArg0ToReturnValueFlow(int x); // $ interpretElement
int madArg0IndirectToReturn(int *x); // $ interpretElement
int madArg0DoubleIndirectToReturn(int **x); // $ interpretElement
int madArg0NotIndirectToReturn(int *x); // $ interpretElement
void madArg0ToArg1Indirect(int x, int &y); // $ interpretElement
void madArg0IndirectToArg1Indirect(const int *x, int *y); // $ interpretElement
int madArgsComplex(int *a, int *b, int c, int d); // $ interpretElement
int madArgsAny(int a, int *b); // $ interpretElement
int madAndImplementedComplex(int a, int b, int c) { // $ interpretElement
// (`b` can be seen to flow to the return value in code, `c` via the MAD model)
return b;
}
int madArg0FieldToReturn(MyContainer mc); // $ interpretElement
int madArg0IndirectFieldToReturn(MyContainer *mc); // $ interpretElement
int madArg0FieldIndirectToReturn(MyContainer mc); // $ interpretElement
MyContainer madArg0ToReturnField(int x); // $ interpretElement
MyContainer *madArg0ToReturnIndirectField(int x); // $ interpretElement
MyContainer madArg0ToReturnFieldIndirect(int x); // $ interpretElement
MyContainer madFieldToFieldVar; // $ interpretElement
MyContainer madFieldToIndirectFieldVar; // $ interpretElement
MyContainer *madIndirectFieldToFieldVar; // $ interpretElement
void test_summaries() {
// test summaries
int a, b, c, d, e;
int *a_ptr;
sink(madArg0ToReturn(0));
sink(madArg0ToReturn(source())); // $ ir
sink(*madArg0ToReturnIndirect(0));
sink(*madArg0ToReturnIndirect(source())); // $ ir
sink(notASummary(source()));
sink(madArg0ToReturnValueFlow(0));
sink(madArg0ToReturnValueFlow(source())); // $ ir
a = source();
a_ptr = &a;
sink(madArg0IndirectToReturn(&a)); // $ ir
sink(madArg0IndirectToReturn(a_ptr)); // $ ir
sink(madArg0DoubleIndirectToReturn(&a_ptr)); // $ ir
sink(madArg0NotIndirectToReturn(a_ptr));
sink(madArg0NotIndirectToReturn(sourcePtr())); // $ ir
sink(madArg0NotIndirectToReturn(sourceIndirect()));
madArg0ToArg1Indirect(source(), b);
sink(b); // $ ir
madArg0IndirectToArg1Indirect(&a, &c);
sink(c); // $ ir
sink(madArgsComplex(0, 0, 0, 0));
sink(madArgsComplex(sourceIndirect(), 0, 0, 0)); // $ ir
sink(madArgsComplex(0, sourceIndirect(), 0, 0)); // $ ir
sink(madArgsComplex(0, 0, source(), 0)); // $ ir
sink(madArgsComplex(0, 0, 0, source()));
sink(madAndImplementedComplex(0, 0, 0));
sink(madAndImplementedComplex(source(), 0, 0));
sink(madAndImplementedComplex(0, source(), 0)); // $ ir
sink(madAndImplementedComplex(0, 0, source())); // $ ir
sink(madArgsAny(0, 0));
sink(madArgsAny(source(), 0)); // (syntax not supported)
sink(madArgsAny(0, sourcePtr())); // (syntax not supported)
sink(madArgsAny(0, sourceIndirect())); // (syntax not supported)
// test summaries involving structs / fields
MyContainer mc1, mc2;
d = 0;
mc1.value = 0;
mc1.ptr = &d;
sink(madArg0FieldToReturn(mc1));
sink(madArg0IndirectFieldToReturn(&mc1));
sink(madArg0FieldIndirectToReturn(mc1));
e = source();
mc2.value = source();
mc2.ptr = &e;
sink(madArg0FieldToReturn(mc2)); // $ ir
sink(madArg0IndirectFieldToReturn(&mc2)); // $ ir
sink(madArg0FieldIndirectToReturn(mc2)); // $ ir
sink(madArg0ToReturnField(0).value);
sink(madArg0ToReturnField(source()).value); // $ ir
MyContainer *rtn1 = madArg0ToReturnIndirectField(source());
sink(rtn1->value); // $ ir
MyContainer rtn2 = madArg0ToReturnFieldIndirect(source());
int *rtn2_ptr = rtn2.ptr;
sink(*rtn2_ptr); // $ ir
// test global variable summaries
madFieldToFieldVar.value = source();
sink(madFieldToFieldVar.value2); // $ MISSING: ir
madFieldToIndirectFieldVar.value = source();
sink(madFieldToIndirectFieldVar.ptr);
sink(*(madFieldToIndirectFieldVar.ptr)); // $ MISSING: ir
madIndirectFieldToFieldVar->value = source();
sink((*madIndirectFieldToFieldVar).value2); // $ MISSING: ir
sink(madIndirectFieldToFieldVar->value2); // $ MISSING: ir
// test source + sinks + summaries together
madSinkArg0(madArg0ToReturn(remoteMadSource())); // $ ir
madSinkArg0(madArg0ToReturnValueFlow(remoteMadSource())); // $ ir
madSinkArg0(madArg0IndirectToReturn(sourcePtr()));
madSinkArg0(madArg0IndirectToReturn(sourceIndirect())); // $ ir
}
// --- MAD class members ---
class MyClass {
public:
// sources
int memberRemoteMadSource(); // $ interpretElement
void memberRemoteMadSourceIndirectArg0(int *x); // $ interpretElement
int memberRemoteMadSourceVar; // $ interpretElement
void qualifierSource(); // $ interpretElement
void qualifierFieldSource(); // $ interpretElement
// sinks
void memberMadSinkArg0(int x); // $ interpretElement
int memberMadSinkVar; // $ interpretElement
void qualifierSink(); // $ interpretElement
void qualifierArg0Sink(int x); // $ interpretElement
void qualifierFieldSink(); // $ interpretElement
// summaries
void madArg0ToSelf(int x); // $ interpretElement
int madSelfToReturn(); // $ interpretElement
int notASummary();
void madArg0ToField(int x); // $ interpretElement
int madFieldToReturn(); // $ interpretElement
int val;
};
class MyDerivedClass : public MyClass {
public:
int subtypeRemoteMadSource1(); // $ interpretElement
int subtypeNonSource();
int subtypeRemoteMadSource2(); // $ interpretElement
};
MyClass source2();
void sink(MyClass mc);
namespace MyNamespace {
class MyClass {
public:
// sinks
void namespaceMemberMadSinkArg0(int x); // $ interpretElement
static void namespaceStaticMemberMadSinkArg0(int x); // $ interpretElement
int namespaceMemberMadSinkVar; // $ interpretElement
static int namespaceStaticMemberMadSinkVar; // $ interpretElement
// summaries
int namespaceMadSelfToReturn(); // $ interpretElement
};
}
MyNamespace::MyClass source3();
void test_class_members() {
MyClass mc, mc2, mc3, mc4, mc5, mc6, mc7, mc8, mc9, mc10, mc11;
MyClass *ptr, *mc4_ptr;
MyDerivedClass mdc;
MyNamespace::MyClass mnc, mnc2;
MyNamespace::MyClass *mnc2_ptr;
// test class member sources
sink(mc.memberRemoteMadSource()); // $ ir
int a;
mc.memberRemoteMadSourceIndirectArg0(&a);
sink(a); // $ ir
sink(mc.memberRemoteMadSourceVar); // $ ir
// test subtype sources
sink(mdc.memberRemoteMadSource()); // $ ir
sink(mdc.subtypeRemoteMadSource1()); // $ ir
sink(mdc.subtypeNonSource());
sink(mdc.subtypeRemoteMadSource2()); // $ ir
// test class member sinks
mc.memberMadSinkArg0(source()); // $ ir
mc.memberMadSinkVar = source(); // $ ir
mnc.namespaceMemberMadSinkArg0(source()); // $ ir
MyNamespace::MyClass::namespaceStaticMemberMadSinkArg0(source()); // $ ir
mnc.namespaceMemberMadSinkVar = source(); // $ ir
MyNamespace::MyClass::namespaceStaticMemberMadSinkVar = source(); // $ ir
// test class member summaries
sink(mc2);
mc2.madArg0ToSelf(0);
sink(mc2);
mc2.madArg0ToSelf(source());
sink(mc2); // $ ir
ptr = new MyClass();
sink(*ptr);
ptr->madArg0ToSelf(0);
sink(*ptr);
ptr->madArg0ToSelf(source());
sink(*ptr); // $ ir
mc3.madArg0ToField(source());
sink(mc3.val); // $ ir
mc4 = source2();
mc4_ptr = &mc4;
sink(mc4); // $ ir
sink(mc4.madSelfToReturn()); // $ ir
sink(mc4.notASummary());
sink(mc4_ptr->madSelfToReturn()); // $ ir
sink(mc4_ptr->notASummary());
sink(source2().madSelfToReturn()); // $ ir
sink(source2().notASummary());
mc5.val = source();
sink(mc5.madFieldToReturn()); // $ ir
mnc2 = source3();
mnc2_ptr = &mnc2;
sink(mnc2.namespaceMadSelfToReturn()); // $ ir
sink(mnc2_ptr->namespaceMadSelfToReturn()); // $ ir
sink(source3().namespaceMadSelfToReturn()); // $ ir
// test class member sources + sinks + summaries together
mc.memberMadSinkArg0(mc.memberRemoteMadSource()); // $ ir
mc6.madArg0ToSelf(source());
sink(mc6.madSelfToReturn()); // $ ir
mc7.madArg0ToField(source());
sink(mc7.madFieldToReturn()); // $ ir
// test taint involving qualifier
sink(mc8);
mc8.qualifierArg0Sink(0);
mc8.qualifierArg0Sink(source()); // $ ir
mc9 = source2();
mc9.qualifierSink(); // $ ir
mc9.qualifierArg0Sink(0); // $ ir
mc8.qualifierSource();
sink(mc8); // $ ir
mc8.qualifierSink(); // $ ir
mc9.qualifierArg0Sink(0); // $ ir
// test taint involving qualifier field
sink(mc10.val);
mc10.qualifierFieldSource();
sink(mc10.val); // $ MISSING: ir
mc11.val = source();
sink(mc11.val); // $ ir
mc11.qualifierFieldSink(); // $ MISSING: ir
}
// --- MAD cases involving function pointers ---
struct intPair {
int first;
int second;
};
int madCallArg0ReturnToReturn(int (*fun_ptr)()); // $ interpretElement
intPair madCallArg0ReturnToReturnFirst(int (*fun_ptr)()); // $ interpretElement
void madCallArg0WithValue(void (*fun_ptr)(int), int value); // $ interpretElement
int madCallReturnValueIgnoreFunction(void (*fun_ptr)(int), int value); // $ interpretElement
int getTainted() { return source(); }
void useValue(int x) { sink(x); } // $ ir
void dontUseValue(int x) { }
void test_function_pointers() {
sink(madCallArg0ReturnToReturn(&notASource));
sink(madCallArg0ReturnToReturn(&getTainted)); // $ ir
sink(madCallArg0ReturnToReturn(&source)); // $ MISSING: ir
sink(madCallArg0ReturnToReturnFirst(&getTainted).first); // $ ir
sink(madCallArg0ReturnToReturnFirst(&getTainted).second);
madCallArg0WithValue(&useValue, source());
madCallArg0WithValue(&sink, source()); // $ MISSING: ir
madCallReturnValueIgnoreFunction(&sink, source());
sink(madCallReturnValueIgnoreFunction(&dontUseValue, source())); // $ ir
}

2
cpp/ql/test/library-tests/dataflow/source-sink-tests/local-flow.expected
View File

@@ -1,2 +1,2 @@
failures
testFailures
failures

65
cpp/ql/test/library-tests/dataflow/source-sink-tests/sources-and-sinks.cpp
View File

@@ -50,3 +50,68 @@ void test_inet(char *hostname, char *servname, struct addrinfo *hints) {
addrinfo *res;
int ret = getaddrinfo(hostname, servname, hints, &res); // $ remote_source
}
typedef unsigned int wint_t;
// getc variants
int getc(FILE *stream);
wint_t getwc(FILE *stream);
int _getc_nolock(FILE *stream);
wint_t _getwc_nolock(FILE *stream);
int getch(void);
int _getch(void);
wint_t _getwch(void);
int _getch_nolock(void);
wint_t _getwch_nolock(void);
int getchar(void);
wint_t getwchar();
int _getchar_nolock(void);
wint_t _getwchar_nolock(void);
void test_getchar(FILE *stream) {
int a = getc(stream); // $ remote_source
wint_t b = getwc(stream); // $ remote_source
int c = _getc_nolock(stream); // $ remote_source
wint_t d = _getwc_nolock(stream); // $ remote_source
int e = getch(); // $ local_source
int f = _getch(); // $ local_source
wint_t g = _getwch(); // $ local_source
int h = _getch_nolock(); // $ local_source
wint_t i = _getwch_nolock(); // $ local_source
int j = getchar(); // $ local_source
wint_t k = getwchar(); // $ local_source
int l = _getchar_nolock(); // $ local_source
wint_t m = _getwchar_nolock(); // $ local_source
}
// ZMC networking library
typedef unsigned long size_t;
struct zmq_msg_t {
};
int zmq_msg_init(zmq_msg_t *msg);
int zmq_msg_recv(zmq_msg_t *msg, void *socket, int flags);
int zmq_recvmsg(void *socket, zmq_msg_t *msg, int flags); // deprecated
int zmq_recv(void *socket, void *buf, size_t len, int flags);
void test_zmc(void *socket) {
zmq_msg_t msg1, msg2;
char buffer[1024];
if (zmq_recv(socket, buffer, sizeof(buffer), 0) >= 0) { // $ remote_source
// ...
}
zmq_msg_init(&msg1);
if (zmq_msg_recv(&msg1, socket, 0) >= 0) { // $ remote_source
// ...
}
zmq_msg_init(&msg2);
if (zmq_recvmsg(socket, &msg2, 0) >= 0) { // $ remote_source
// ...
}
}

47
cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
View File

@@ -8223,3 +8223,50 @@ WARNING: Module TaintTracking has been deprecated and may be removed in future (
| vector.cpp:531:9:531:10 | it | vector.cpp:531:8:531:8 | call to operator* | TAINT |
| vector.cpp:532:8:532:9 | ref arg vs | vector.cpp:533:2:533:2 | vs | |
| vector.cpp:532:8:532:9 | vs | vector.cpp:532:10:532:10 | call to operator[] | TAINT |
| zmq.cpp:17:21:17:26 | socket | zmq.cpp:17:21:17:26 | socket | |
| zmq.cpp:17:35:17:46 | message_data | zmq.cpp:17:35:17:46 | message_data | |
| zmq.cpp:17:35:17:46 | message_data | zmq.cpp:20:35:20:46 | message_data | |
| zmq.cpp:17:35:17:46 | message_data | zmq.cpp:25:3:25:14 | message_data | |
| zmq.cpp:17:35:17:46 | message_data | zmq.cpp:26:8:26:19 | message_data | |
| zmq.cpp:17:35:17:46 | message_data | zmq.cpp:28:35:28:46 | message_data | |
| zmq.cpp:17:56:17:66 | message_len | zmq.cpp:20:49:20:59 | message_len | |
| zmq.cpp:17:56:17:66 | message_len | zmq.cpp:28:49:28:59 | message_len | |
| zmq.cpp:18:13:18:19 | message | zmq.cpp:20:26:20:32 | message | |
| zmq.cpp:18:13:18:19 | message | zmq.cpp:21:10:21:16 | message | |
| zmq.cpp:18:13:18:19 | message | zmq.cpp:22:24:22:30 | message | |
| zmq.cpp:18:13:18:19 | message | zmq.cpp:28:26:28:32 | message | |
| zmq.cpp:18:13:18:19 | message | zmq.cpp:29:10:29:16 | message | |
| zmq.cpp:18:13:18:19 | message | zmq.cpp:30:24:30:30 | message | |
| zmq.cpp:20:25:20:32 | ref arg & ... | zmq.cpp:20:26:20:32 | message [inner post update] | |
| zmq.cpp:20:25:20:32 | ref arg & ... | zmq.cpp:21:10:21:16 | message | |
| zmq.cpp:20:25:20:32 | ref arg & ... | zmq.cpp:22:24:22:30 | message | |
| zmq.cpp:20:25:20:32 | ref arg & ... | zmq.cpp:28:26:28:32 | message | |
| zmq.cpp:20:25:20:32 | ref arg & ... | zmq.cpp:29:10:29:16 | message | |
| zmq.cpp:20:25:20:32 | ref arg & ... | zmq.cpp:30:24:30:30 | message | |
| zmq.cpp:20:26:20:32 | message | zmq.cpp:20:25:20:32 | & ... | |
| zmq.cpp:20:35:20:46 | ref arg message_data | zmq.cpp:17:35:17:46 | message_data | |
| zmq.cpp:20:35:20:46 | ref arg message_data | zmq.cpp:25:3:25:14 | message_data | |
| zmq.cpp:20:35:20:46 | ref arg message_data | zmq.cpp:26:8:26:19 | message_data | |
| zmq.cpp:20:35:20:46 | ref arg message_data | zmq.cpp:28:35:28:46 | message_data | |
| zmq.cpp:22:23:22:30 | ref arg & ... | zmq.cpp:22:24:22:30 | message [inner post update] | |
| zmq.cpp:22:23:22:30 | ref arg & ... | zmq.cpp:28:26:28:32 | message | |
| zmq.cpp:22:23:22:30 | ref arg & ... | zmq.cpp:29:10:29:16 | message | |
| zmq.cpp:22:23:22:30 | ref arg & ... | zmq.cpp:30:24:30:30 | message | |
| zmq.cpp:22:24:22:30 | message | zmq.cpp:22:23:22:30 | & ... | |
| zmq.cpp:25:3:25:14 | message_data | zmq.cpp:25:3:25:17 | access to array | TAINT |
| zmq.cpp:25:3:25:17 | access to array [post update] | zmq.cpp:17:35:17:46 | message_data | |
| zmq.cpp:25:3:25:17 | access to array [post update] | zmq.cpp:25:3:25:14 | message_data [inner post update] | |
| zmq.cpp:25:3:25:17 | access to array [post update] | zmq.cpp:26:8:26:19 | message_data | |
| zmq.cpp:25:3:25:17 | access to array [post update] | zmq.cpp:28:35:28:46 | message_data | |
| zmq.cpp:25:3:25:28 | ... = ... | zmq.cpp:25:3:25:17 | access to array [post update] | |
| zmq.cpp:25:16:25:16 | 0 | zmq.cpp:25:3:25:17 | access to array | TAINT |
| zmq.cpp:25:21:25:26 | call to source | zmq.cpp:25:3:25:28 | ... = ... | |
| zmq.cpp:26:8:26:19 | ref arg message_data | zmq.cpp:17:35:17:46 | message_data | |
| zmq.cpp:26:8:26:19 | ref arg message_data | zmq.cpp:28:35:28:46 | message_data | |
| zmq.cpp:28:25:28:32 | ref arg & ... | zmq.cpp:28:26:28:32 | message [inner post update] | |
| zmq.cpp:28:25:28:32 | ref arg & ... | zmq.cpp:29:10:29:16 | message | |
| zmq.cpp:28:25:28:32 | ref arg & ... | zmq.cpp:30:24:30:30 | message | |
| zmq.cpp:28:26:28:32 | message | zmq.cpp:28:25:28:32 | & ... | |
| zmq.cpp:28:35:28:46 | ref arg message_data | zmq.cpp:17:35:17:46 | message_data | |
| zmq.cpp:30:23:30:30 | ref arg & ... | zmq.cpp:30:24:30:30 | message [inner post update] | |
| zmq.cpp:30:24:30:30 | message | zmq.cpp:30:23:30:30 | & ... | |

32
cpp/ql/test/library-tests/dataflow/taint-tests/zmq.cpp Normal file
View File

@@ -0,0 +1,32 @@
int source();
void sink(...);
// --- ZMC networking library ---
typedef unsigned long size_t;
struct zmq_msg_t {
// ...
};
typedef void (*zmq_free_fn)();
int zmq_msg_init_data(zmq_msg_t *msg, void *data, size_t size, zmq_free_fn *ffn, void *hint);
void *zmq_msg_data(zmq_msg_t *msg);
void test_zmc(void *socket, char *message_data, size_t message_len) {
zmq_msg_t message;
if (zmq_msg_init_data(&message, message_data, message_len, 0, 0)) {
sink(message); // $ SPURIOUS: ast
sink(zmq_msg_data(&message));
}
message_data[0] = source();
sink(message_data); // $ ast,ir
if (zmq_msg_init_data(&message, message_data, message_len, 0, 0)) {
sink(message); // $ ast,ir
sink(zmq_msg_data(&message)); // $ ir MISSING: ast
}
}

5
cpp/ql/test/library-tests/fields/fields/Fields.expected
View File

@@ -1,13 +1,18 @@
| fields.cpp:3:8:3:12 | Entry | fields.cpp:4:9:4:12 | name | public | CharPointerType | char |
| fields.cpp:3:8:3:12 | Entry | fields.cpp:4:9:4:12 | name | public | PointerOrArrayOrReferenceType | char |
| fields.cpp:3:8:3:12 | Entry | fields.cpp:5:8:5:8 | t | public | Enum | |
| fields.cpp:3:8:3:12 | Entry | fields.cpp:6:9:6:9 | s | public | CharPointerType | char |
| fields.cpp:3:8:3:12 | Entry | fields.cpp:6:9:6:9 | s | public | PointerOrArrayOrReferenceType | char |
| fields.cpp:3:8:3:12 | Entry | fields.cpp:7:7:7:7 | i | public | IntType | |
| fields.cpp:3:8:3:12 | Entry | fields.cpp:7:7:7:7 | i | public | MicrosoftInt32Type | |
| fields.cpp:3:8:3:12 | Entry | fields.cpp:9:7:9:14 | internal | private | IntType | |
| fields.cpp:3:8:3:12 | Entry | fields.cpp:9:7:9:14 | internal | private | MicrosoftInt32Type | |
| fields.cpp:12:7:12:10 | Name | fields.cpp:13:15:13:15 | s | private | PointerOrArrayOrReferenceType | const char |
| fields.cpp:12:7:12:10 | Name | fields.cpp:13:15:13:15 | s | private | PointerType | const char |
| fields.cpp:16:7:16:11 | Table | fields.cpp:17:9:17:9 | p | private | PointerOrArrayOrReferenceType | Name |
| fields.cpp:16:7:16:11 | Table | fields.cpp:17:9:17:9 | p | private | PointerType | Name |
| fields.cpp:16:7:16:11 | Table | fields.cpp:18:7:18:8 | sz | private | IntType | |
| fields.cpp:16:7:16:11 | Table | fields.cpp:18:7:18:8 | sz | private | MicrosoftInt32Type | |
| fields.cpp:26:7:26:10 | Date | fields.cpp:28:16:28:26 | cache_valid | private | BoolType | |
| fields.cpp:26:7:26:10 | Date | fields.cpp:30:17:30:21 | cache | public | CharPointerType | char |
| fields.cpp:26:7:26:10 | Date | fields.cpp:30:17:30:21 | cache | public | PointerOrArrayOrReferenceType | char |

2
cpp/ql/test/library-tests/types/__wchar_t/wchar_t.expected
View File

@@ -1,3 +1,3 @@
| file://:0:0:0:0 | __wchar_t * | IteratorByPointer, PointerType | Wchar_t, WideCharType |
| file://:0:0:0:0 | __wchar_t * | IteratorByPointer, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection, PointerType | Wchar_t, WideCharType |
| file://:0:0:0:0 | const __wchar_t | SpecifiedType | Wchar_t, WideCharType |
| file://:0:0:0:0 | wchar_t | Wchar_t, WideCharType | |

2
cpp/ql/test/library-tests/types/wchar_t_typedef/wchar_t.expected
View File

@@ -1,3 +1,3 @@
| file://:0:0:0:0 | wchar_t | Wchar_t, WideCharType | |
| file://:0:0:0:0 | wchar_t * | IteratorByPointer, PointerType | CTypedefType, Wchar_t |
| file://:0:0:0:0 | wchar_t * | IteratorByPointer, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection, PointerType | CTypedefType, Wchar_t |
| ms.c:2:24:2:30 | wchar_t | CTypedefType, Wchar_t | |

74
cpp/ql/test/library-tests/variables/variables/types.expected
View File

@@ -27,59 +27,59 @@
| __fp16 | BinaryFloatingPointType, RealNumberType | | | | |
| __int128 | Int128Type | | | | |
| __va_list_tag | DirectAccessHolder, MetricClass, Struct, StructLikeClass | | | | |
| __va_list_tag & | LValueReferenceType | | __va_list_tag | | |
| __va_list_tag && | RValueReferenceType | | __va_list_tag | | |
| __va_list_tag & | LValueReferenceType, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | | __va_list_tag | | |
| __va_list_tag && | PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection, RValueReferenceType | | __va_list_tag | | |
| address | DirectAccessHolder, MetricClass, Struct, StructLikeClass | | | | |
| address & | LValueReferenceType | | address | | |
| address && | RValueReferenceType | | address | | |
| address & | LValueReferenceType, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | | address | | |
| address && | PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection, RValueReferenceType | | address | | |
| auto | AutoType | | | | |
| bool | BoolType | | | | |
| char | MicrosoftInt8Type, PlainCharType | | | | |
| char8_t | Char8Type | | | | |
| char16_t | Char16Type | | | | |
| char32_t | Char32Type | | | | |
| char * | CharPointerType, IteratorByPointer | | char | | |
| char *[3] | ArrayType | char * | char * | | |
| char *[32] | ArrayType | char * | char * | | |
| char *[] | ArrayType | char * | char * | | |
| char[2] | ArrayType | char | char | | |
| char[3] | ArrayType | char | char | | |
| char[5] | ArrayType | char | char | | |
| char[6] | ArrayType | char | char | | |
| char[8] | ArrayType | char | char | | |
| char[9] | ArrayType | char | char | | |
| char[10] | ArrayType | char | char | | |
| char[53] | ArrayType | char | char | | |
| char[] | ArrayType | char | char | | |
| char * | CharPointerType, IteratorByPointer, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | | char | | |
| char *[3] | ArrayType, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | char * | char * | | |
| char *[32] | ArrayType, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | char * | char * | | |
| char *[] | ArrayType, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | char * | char * | | |
| char[2] | ArrayType, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | char | char | | |
| char[3] | ArrayType, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | char | char | | |
| char[5] | ArrayType, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | char | char | | |
| char[6] | ArrayType, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | char | char | | |
| char[8] | ArrayType, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | char | char | | |
| char[9] | ArrayType, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | char | char | | |
| char[10] | ArrayType, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | char | char | | |
| char[53] | ArrayType, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | char | char | | |
| char[] | ArrayType, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | char | char | | |
| const __va_list_tag | SpecifiedType | | __va_list_tag | | |
| const __va_list_tag & | LValueReferenceType | | const __va_list_tag | | |
| const __va_list_tag & | LValueReferenceType, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | | const __va_list_tag | | |
| const address | SpecifiedType | | address | | |
| const address & | LValueReferenceType | | const address | | |
| const address & | LValueReferenceType, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | | const address | | |
| const char | SpecifiedType | | char | | |
| const char * | IteratorByPointer, PointerType | | const char | | |
| const char *[3] | ArrayType | const char * | const char * | | |
| const char *[] | ArrayType | const char * | const char * | | |
| const char[5] | ArrayType | const char | const char | | |
| const char[6] | ArrayType | const char | const char | | |
| const char[8] | ArrayType | const char | const char | | |
| const char[9] | ArrayType | const char | const char | | |
| const char[10] | ArrayType | const char | const char | | |
| const char[53] | ArrayType | const char | const char | | |
| const char * | IteratorByPointer, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection, PointerType | | const char | | |
| const char *[3] | ArrayType, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | const char * | const char * | | |
| const char *[] | ArrayType, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | const char * | const char * | | |
| const char[5] | ArrayType, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | const char | const char | | |
| const char[6] | ArrayType, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | const char | const char | | |
| const char[8] | ArrayType, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | const char | const char | | |
| const char[9] | ArrayType, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | const char | const char | | |
| const char[10] | ArrayType, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | const char | const char | | |
| const char[53] | ArrayType, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | const char | const char | | |
| const double | SpecifiedType | | double | | |
| const int | SpecifiedType | | int | | |
| decltype(nullptr) | NullPointerType | | | | |
| double | DoubleType | | | | |
| error | ErroneousType | | | | |
| float | FloatType | | | | |
| float[3] | ArrayType | float | float | | |
| float[3] | ArrayType, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | float | float | | |
| int | IntType, MicrosoftInt32Type | | | | |
| int * | IntPointerType, IteratorByPointer | | int | | |
| int[4] | ArrayType | int | int | | |
| int[8] | ArrayType | int | int | | |
| int[10] | ArrayType | int | int | | |
| int[10][20] | ArrayType | int[20] | int[20] | | |
| int[20] | ArrayType | int | int | | |
| int[] | ArrayType | int | int | | |
| int * | IntPointerType, IteratorByPointer, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | | int | | |
| int[4] | ArrayType, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | int | int | | |
| int[8] | ArrayType, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | int | int | | |
| int[10] | ArrayType, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | int | int | | |
| int[10][20] | ArrayType, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | int[20] | int[20] | | |
| int[20] | ArrayType, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | int | int | | |
| int[] | ArrayType, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection | int | int | | |
| long | LongType | | | | |
| long double | LongDoubleType | | | | |
| long long | LongLongType, MicrosoftInt64Type | | | | |
@@ -99,5 +99,5 @@
| unsigned long long | LongLongType | | | | unsigned integral |
| unsigned short | ShortType | | | | unsigned integral |
| void | VoidType | | | | |
| void * | IteratorByPointer, VoidPointerType | | void | | |
| void * | IteratorByPointer, PointerOrArrayOrReferenceType, PointerOrArrayOrReferenceTypeIndirection, VoidPointerType | | void | | |
| wchar_t | Wchar_t, WideCharType | | | | |

86
cpp/ql/test/library-tests/variables/variables/variable.expected
View File

@@ -6,64 +6,36 @@
| file://:0:0:0:0 | gp_offset | file://:0:0:0:0 | unsigned int | Field | | |
| file://:0:0:0:0 | overflow_arg_area | file://:0:0:0:0 | void * | Field | | |
| file://:0:0:0:0 | reg_save_area | file://:0:0:0:0 | void * | Field | | |
| variables.cpp:1:12:1:12 | i | file://:0:0:0:0 | int | GlobalVariable | | |
| variables.cpp:1:12:1:12 | i | file://:0:0:0:0 | int | StaticStorageDurationVariable | | |
| variables.cpp:2:12:2:12 | i | file://:0:0:0:0 | int | GlobalVariable | | |
| variables.cpp:2:12:2:12 | i | file://:0:0:0:0 | int | StaticStorageDurationVariable | | |
| variables.cpp:3:12:3:12 | i | file://:0:0:0:0 | int | GlobalVariable | | |
| variables.cpp:3:12:3:12 | i | file://:0:0:0:0 | int | StaticStorageDurationVariable | | |
| variables.cpp:5:11:5:11 | c | file://:0:0:0:0 | const int | GlobalVariable | const | static |
| variables.cpp:5:11:5:11 | c | file://:0:0:0:0 | const int | StaticStorageDurationVariable | const | static |
| variables.cpp:6:14:6:15 | pi | file://:0:0:0:0 | const double | GlobalVariable | const | static |
| variables.cpp:6:14:6:15 | pi | file://:0:0:0:0 | const double | StaticStorageDurationVariable | const | static |
| variables.cpp:8:10:8:10 | a | file://:0:0:0:0 | unsigned int | GlobalVariable | | |
| variables.cpp:8:10:8:10 | a | file://:0:0:0:0 | unsigned int | StaticStorageDurationVariable | | |
| variables.cpp:10:14:10:14 | b | file://:0:0:0:0 | unsigned int | GlobalVariable | | |
| variables.cpp:10:14:10:14 | b | file://:0:0:0:0 | unsigned int | StaticStorageDurationVariable | | |
| variables.cpp:12:13:12:17 | kings | file://:0:0:0:0 | const char *[] | GlobalVariable | | |
| variables.cpp:12:13:12:17 | kings | file://:0:0:0:0 | const char *[] | StaticStorageDurationVariable | | |
| variables.cpp:14:6:14:6 | p | file://:0:0:0:0 | int * | GlobalVariable | | |
| variables.cpp:14:6:14:6 | p | file://:0:0:0:0 | int * | StaticStorageDurationVariable | | |
| variables.cpp:14:9:14:9 | q | file://:0:0:0:0 | int | GlobalVariable | | |
| variables.cpp:14:9:14:9 | q | file://:0:0:0:0 | int | StaticStorageDurationVariable | | |
| variables.cpp:15:12:15:13 | v1 | file://:0:0:0:0 | int[10] | GlobalVariable | | static |
| variables.cpp:15:12:15:13 | v1 | file://:0:0:0:0 | int[10] | StaticStorageDurationVariable | | static |
| variables.cpp:15:21:15:22 | pv | file://:0:0:0:0 | int * | GlobalVariable | | static |
| variables.cpp:15:21:15:22 | pv | file://:0:0:0:0 | int * | StaticStorageDurationVariable | | static |
| variables.cpp:17:7:17:8 | fp | file://:0:0:0:0 | ..(*)(..) | GlobalVariable | | |
| variables.cpp:17:7:17:8 | fp | file://:0:0:0:0 | ..(*)(..) | StaticStorageDurationVariable | | |
| variables.cpp:19:7:19:8 | v2 | file://:0:0:0:0 | float[3] | GlobalVariable | | |
| variables.cpp:19:7:19:8 | v2 | file://:0:0:0:0 | float[3] | StaticStorageDurationVariable | | |
| variables.cpp:20:7:20:8 | v3 | file://:0:0:0:0 | char *[32] | GlobalVariable | | |
| variables.cpp:20:7:20:8 | v3 | file://:0:0:0:0 | char *[32] | StaticStorageDurationVariable | | |
| variables.cpp:22:5:22:6 | d2 | file://:0:0:0:0 | int[10][20] | GlobalVariable | | |
| variables.cpp:22:5:22:6 | d2 | file://:0:0:0:0 | int[10][20] | StaticStorageDurationVariable | | |
| variables.cpp:24:6:24:7 | v4 | file://:0:0:0:0 | char[3] | GlobalVariable | | |
| variables.cpp:24:6:24:7 | v4 | file://:0:0:0:0 | char[3] | StaticStorageDurationVariable | | |
| variables.cpp:26:5:26:6 | v5 | file://:0:0:0:0 | int[8] | GlobalVariable | | |
| variables.cpp:26:5:26:6 | v5 | file://:0:0:0:0 | int[8] | StaticStorageDurationVariable | | |
| variables.cpp:28:7:28:8 | p2 | file://:0:0:0:0 | char * | GlobalVariable | | |
| variables.cpp:28:7:28:8 | p2 | file://:0:0:0:0 | char * | StaticStorageDurationVariable | | |
| variables.cpp:29:6:29:7 | p3 | file://:0:0:0:0 | char[] | GlobalVariable | | |
| variables.cpp:29:6:29:7 | p3 | file://:0:0:0:0 | char[] | StaticStorageDurationVariable | | |
| variables.cpp:31:6:31:10 | alpha | file://:0:0:0:0 | char[] | GlobalVariable | | |
| variables.cpp:31:6:31:10 | alpha | file://:0:0:0:0 | char[] | StaticStorageDurationVariable | | |
| variables.cpp:34:5:34:6 | av | file://:0:0:0:0 | int[] | GlobalVariable | | |
| variables.cpp:34:5:34:6 | av | file://:0:0:0:0 | int[] | StaticStorageDurationVariable | | |
| variables.cpp:35:6:35:8 | ap1 | file://:0:0:0:0 | int * | GlobalVariable | | |
| variables.cpp:35:6:35:8 | ap1 | file://:0:0:0:0 | int * | StaticStorageDurationVariable | | |
| variables.cpp:36:6:36:8 | ap2 | file://:0:0:0:0 | int * | GlobalVariable | | |
| variables.cpp:36:6:36:8 | ap2 | file://:0:0:0:0 | int * | StaticStorageDurationVariable | | |
| variables.cpp:37:6:37:8 | ap3 | file://:0:0:0:0 | int * | GlobalVariable | | |
| variables.cpp:37:6:37:8 | ap3 | file://:0:0:0:0 | int * | StaticStorageDurationVariable | | |
| variables.cpp:41:7:41:11 | local | file://:0:0:0:0 | char[] | LocalVariable | | |
| variables.cpp:41:7:41:11 | local | file://:0:0:0:0 | char[] | SemanticStackVariable | | |
| variables.cpp:43:14:43:18 | local | file://:0:0:0:0 | int | StaticLocalVariable | | static |
| variables.cpp:1:12:1:12 | i | file://:0:0:0:0 | int | GlobalLikeVariable, GlobalVariable, StaticStorageDurationVariable | | |
| variables.cpp:2:12:2:12 | i | file://:0:0:0:0 | int | GlobalLikeVariable, GlobalVariable, StaticStorageDurationVariable | | |
| variables.cpp:3:12:3:12 | i | file://:0:0:0:0 | int | GlobalLikeVariable, GlobalVariable, StaticStorageDurationVariable | | |
| variables.cpp:5:11:5:11 | c | file://:0:0:0:0 | const int | GlobalLikeVariable, GlobalVariable, StaticStorageDurationVariable | const | static |
| variables.cpp:6:14:6:15 | pi | file://:0:0:0:0 | const double | GlobalLikeVariable, GlobalVariable, StaticStorageDurationVariable | const | static |
| variables.cpp:8:10:8:10 | a | file://:0:0:0:0 | unsigned int | GlobalLikeVariable, GlobalVariable, StaticStorageDurationVariable | | |
| variables.cpp:10:14:10:14 | b | file://:0:0:0:0 | unsigned int | GlobalLikeVariable, GlobalVariable, StaticStorageDurationVariable | | |
| variables.cpp:12:13:12:17 | kings | file://:0:0:0:0 | const char *[] | GlobalLikeVariable, GlobalVariable, StaticStorageDurationVariable | | |
| variables.cpp:14:6:14:6 | p | file://:0:0:0:0 | int * | GlobalLikeVariable, GlobalVariable, StaticStorageDurationVariable | | |
| variables.cpp:14:9:14:9 | q | file://:0:0:0:0 | int | GlobalLikeVariable, GlobalVariable, StaticStorageDurationVariable | | |
| variables.cpp:15:12:15:13 | v1 | file://:0:0:0:0 | int[10] | GlobalLikeVariable, GlobalVariable, StaticStorageDurationVariable | | static |
| variables.cpp:15:21:15:22 | pv | file://:0:0:0:0 | int * | GlobalLikeVariable, GlobalVariable, StaticStorageDurationVariable | | static |
| variables.cpp:17:7:17:8 | fp | file://:0:0:0:0 | ..(*)(..) | GlobalLikeVariable, GlobalVariable, StaticStorageDurationVariable | | |
| variables.cpp:19:7:19:8 | v2 | file://:0:0:0:0 | float[3] | GlobalLikeVariable, GlobalVariable, StaticStorageDurationVariable | | |
| variables.cpp:20:7:20:8 | v3 | file://:0:0:0:0 | char *[32] | GlobalLikeVariable, GlobalVariable, StaticStorageDurationVariable | | |
| variables.cpp:22:5:22:6 | d2 | file://:0:0:0:0 | int[10][20] | GlobalLikeVariable, GlobalVariable, StaticStorageDurationVariable | | |
| variables.cpp:24:6:24:7 | v4 | file://:0:0:0:0 | char[3] | GlobalLikeVariable, GlobalVariable, StaticStorageDurationVariable | | |
| variables.cpp:26:5:26:6 | v5 | file://:0:0:0:0 | int[8] | GlobalLikeVariable, GlobalVariable, StaticStorageDurationVariable | | |
| variables.cpp:28:7:28:8 | p2 | file://:0:0:0:0 | char * | GlobalLikeVariable, GlobalVariable, StaticStorageDurationVariable | | |
| variables.cpp:29:6:29:7 | p3 | file://:0:0:0:0 | char[] | GlobalLikeVariable, GlobalVariable, StaticStorageDurationVariable | | |
| variables.cpp:31:6:31:10 | alpha | file://:0:0:0:0 | char[] | GlobalLikeVariable, GlobalVariable, StaticStorageDurationVariable | | |
| variables.cpp:34:5:34:6 | av | file://:0:0:0:0 | int[] | GlobalLikeVariable, GlobalVariable, StaticStorageDurationVariable | | |
| variables.cpp:35:6:35:8 | ap1 | file://:0:0:0:0 | int * | GlobalLikeVariable, GlobalVariable, StaticStorageDurationVariable | | |
| variables.cpp:36:6:36:8 | ap2 | file://:0:0:0:0 | int * | GlobalLikeVariable, GlobalVariable, StaticStorageDurationVariable | | |
| variables.cpp:37:6:37:8 | ap3 | file://:0:0:0:0 | int * | GlobalLikeVariable, GlobalVariable, StaticStorageDurationVariable | | |
| variables.cpp:41:7:41:11 | local | file://:0:0:0:0 | char[] | LocalVariable, SemanticStackVariable | | |
| variables.cpp:43:14:43:18 | local | file://:0:0:0:0 | int | GlobalLikeVariable, StaticLocalVariable | | static |
| variables.cpp:48:9:48:12 | name | file://:0:0:0:0 | char * | Field | | |
| variables.cpp:49:12:49:17 | number | file://:0:0:0:0 | long | Field | | |
| variables.cpp:50:9:50:14 | street | file://:0:0:0:0 | char * | Field | | |
| variables.cpp:51:9:51:12 | town | file://:0:0:0:0 | char * | Field | | |
| variables.cpp:52:16:52:22 | country | file://:0:0:0:0 | char * | MemberVariable | | static |
| variables.cpp:52:16:52:22 | country | file://:0:0:0:0 | char * | StaticStorageDurationVariable | | static |
| variables.cpp:56:14:56:29 | externInFunction | file://:0:0:0:0 | int | GlobalVariable | | |
| variables.cpp:56:14:56:29 | externInFunction | file://:0:0:0:0 | int | StaticStorageDurationVariable | | |
| variables.cpp:52:16:52:22 | country | file://:0:0:0:0 | char * | MemberVariable, StaticStorageDurationVariable | | static |
| variables.cpp:56:14:56:29 | externInFunction | file://:0:0:0:0 | int | GlobalLikeVariable, GlobalVariable, StaticStorageDurationVariable | | |

15
cpp/ql/test/library-tests/variables/variables/variable.ql
View File

@@ -1,10 +1,17 @@
import cpp
from Variable v, Type t, string qlClass, string const, string static
string interestingQlClass(Variable v) {
result = v.getAQlClass() and
(
result.matches("%Variable%")
or
result.matches("%Field%")
)
}
from Variable v, Type t, string const, string static
where
t = v.getType() and
qlClass = v.getAQlClass() and
(qlClass.matches("%Variable%") or qlClass.matches("%Field%")) and
(if v.isConst() then const = "const" else const = "") and
if v.isStatic() then static = "static" else static = ""
select v, t, qlClass, const, static
select v, t, concat(interestingQlClass(v), ", "), const, static

1
cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit/GlobalUseBeforeInit.expected Normal file
View File

@@ -0,0 +1 @@
| test.cpp:27:5:27:6 | f1 | The variable 'b' is used in this function but may not be initialized when it is called. |

1
cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit/GlobalUseBeforeInit.qlref Normal file
View File

@@ -0,0 +1 @@
Critical/GlobalUseBeforeInit.ql

38
cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit/test.cpp Normal file
View File

@@ -0,0 +1,38 @@
typedef __builtin_va_list va_list;
typedef struct {} FILE;
extern FILE * stdin;
extern FILE * stdout;
extern FILE * stderr;
#define va_start(args, fmt) __builtin_va_start(args,fmt)
#define va_end(args) __builtin_va_end(args);
int vfprintf (FILE *, const char *, va_list);
int a = 1;
int b;
int my_printf(const char * fmt, ...)
{
va_list vl;
int ret;
va_start(vl, fmt);
ret = vfprintf(stdout, fmt, vl);
ret = vfprintf(stderr, fmt, vl);
va_end(vl);
return ret;
}
int f1()
{
my_printf("%d\n", a + 2);
my_printf("%d\n", b + 2); // BAD
return 0;
}
int main()
{
int b = f1();
return 0;
}

27
cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected
View File

@@ -12,6 +12,16 @@ edges
| tests2.cpp:111:14:111:15 | *c1 [*ptr] | tests2.cpp:111:14:111:19 | *ptr | provenance | |
| tests2.cpp:111:14:111:15 | *c1 [*ptr] | tests2.cpp:111:17:111:19 | *ptr | provenance | |
| tests2.cpp:111:17:111:19 | *ptr | tests2.cpp:111:14:111:19 | *ptr | provenance | |
| tests2.cpp:120:5:120:21 | [summary param] 1 indirection in zmq_msg_init_data | tests2.cpp:120:5:120:21 | [summary] to write: Argument[0 indirection] in zmq_msg_init_data | provenance | |
| tests2.cpp:134:2:134:30 | *... = ... | tests2.cpp:138:23:138:34 | *message_data | provenance | |
| tests2.cpp:134:2:134:30 | *... = ... | tests2.cpp:143:34:143:45 | *message_data | provenance | |
| tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:134:2:134:30 | *... = ... | provenance | |
| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:144:33:144:40 | *& ... | provenance | |
| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:147:20:147:27 | *& ... | provenance | |
| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:155:32:155:39 | *& ... | provenance | |
| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:158:20:158:27 | *& ... | provenance | |
| tests2.cpp:143:34:143:45 | *message_data | tests2.cpp:120:5:120:21 | [summary param] 1 indirection in zmq_msg_init_data | provenance | |
| tests2.cpp:143:34:143:45 | *message_data | tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | provenance | |
| tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:26:15:26:20 | *call to getenv | provenance | |
| tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:39:19:39:22 | *path | provenance | |
| tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:43:20:43:23 | *path | provenance | |
@@ -42,6 +52,17 @@ nodes
| tests2.cpp:111:14:111:15 | *c1 [*ptr] | semmle.label | *c1 [*ptr] |
| tests2.cpp:111:14:111:19 | *ptr | semmle.label | *ptr |
| tests2.cpp:111:17:111:19 | *ptr | semmle.label | *ptr |
| tests2.cpp:120:5:120:21 | [summary param] 1 indirection in zmq_msg_init_data | semmle.label | [summary param] 1 indirection in zmq_msg_init_data |
| tests2.cpp:120:5:120:21 | [summary] to write: Argument[0 indirection] in zmq_msg_init_data | semmle.label | [summary] to write: Argument[0 indirection] in zmq_msg_init_data |
| tests2.cpp:134:2:134:30 | *... = ... | semmle.label | *... = ... |
| tests2.cpp:134:17:134:22 | *call to getenv | semmle.label | *call to getenv |
| tests2.cpp:138:23:138:34 | *message_data | semmle.label | *message_data |
| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | semmle.label | zmq_msg_init_data output argument |
| tests2.cpp:143:34:143:45 | *message_data | semmle.label | *message_data |
| tests2.cpp:144:33:144:40 | *& ... | semmle.label | *& ... |
| tests2.cpp:147:20:147:27 | *& ... | semmle.label | *& ... |
| tests2.cpp:155:32:155:39 | *& ... | semmle.label | *& ... |
| tests2.cpp:158:20:158:27 | *& ... | semmle.label | *& ... |
| tests_sockets.cpp:26:15:26:20 | *call to getenv | semmle.label | *call to getenv |
| tests_sockets.cpp:26:15:26:20 | *call to getenv | semmle.label | *call to getenv |
| tests_sockets.cpp:39:19:39:22 | *path | semmle.label | *path |
@@ -53,6 +74,7 @@ nodes
| tests_sysconf.cpp:36:21:36:27 | confstr output argument | semmle.label | confstr output argument |
| tests_sysconf.cpp:39:19:39:25 | *pathbuf | semmle.label | *pathbuf |
subpaths
| tests2.cpp:143:34:143:45 | *message_data | tests2.cpp:120:5:120:21 | [summary param] 1 indirection in zmq_msg_init_data | tests2.cpp:120:5:120:21 | [summary] to write: Argument[0 indirection] in zmq_msg_init_data | tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument |
#select
| tests2.cpp:63:13:63:26 | *call to getenv | tests2.cpp:63:13:63:26 | *call to getenv | tests2.cpp:63:13:63:26 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:63:13:63:26 | *call to getenv | *call to getenv |
| tests2.cpp:64:13:64:26 | *call to getenv | tests2.cpp:64:13:64:26 | *call to getenv | tests2.cpp:64:13:64:26 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:64:13:64:26 | *call to getenv | *call to getenv |
@@ -64,6 +86,11 @@ subpaths
| tests2.cpp:93:14:93:17 | *str1 | tests2.cpp:91:42:91:45 | *str1 | tests2.cpp:93:14:93:17 | *str1 | This operation exposes system data from $@. | tests2.cpp:91:42:91:45 | *str1 | *str1 |
| tests2.cpp:102:14:102:15 | *pw | tests2.cpp:101:8:101:15 | *call to getpwuid | tests2.cpp:102:14:102:15 | *pw | This operation exposes system data from $@. | tests2.cpp:101:8:101:15 | *call to getpwuid | *call to getpwuid |
| tests2.cpp:111:14:111:19 | *ptr | tests2.cpp:109:12:109:17 | *call to getenv | tests2.cpp:111:14:111:19 | *ptr | This operation exposes system data from $@. | tests2.cpp:109:12:109:17 | *call to getenv | *call to getenv |
| tests2.cpp:138:23:138:34 | *message_data | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:138:23:138:34 | *message_data | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
| tests2.cpp:144:33:144:40 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:144:33:144:40 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
| tests2.cpp:147:20:147:27 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:147:20:147:27 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
| tests2.cpp:155:32:155:39 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:155:32:155:39 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
| tests2.cpp:158:20:158:27 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:158:20:158:27 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
| tests_sockets.cpp:39:19:39:22 | *path | tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:39:19:39:22 | *path | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | *call to getenv | *call to getenv |
| tests_sockets.cpp:43:20:43:23 | *path | tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:43:20:43:23 | *path | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | *call to getenv | *call to getenv |
| tests_sockets.cpp:76:19:76:22 | *path | tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:76:19:76:22 | *path | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | *call to getenv | *call to getenv |

60
cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests2.cpp
View File

@@ -1,15 +1,15 @@
// Semmle test cases for rule CWE-497
// library functions etc
// --- library functions etc ---
#include "tests.h"
typedef unsigned long size_t;
void *memcpy(void *dest, const void *src, size_t count);
char *getenv(const char *name);
char *strcpy(char *s1, const char *s2);
size_t strlen(const char *s);
@@ -45,7 +45,7 @@ passwd *getpwuid(int uid);
int val();
// test cases
// --- test cases ---
const char *global1 = mysql_get_client_info();
const char *global2 = "abc";
@@ -112,3 +112,51 @@ void test1()
send(sock, c2.ptr, val(), val()); // GOOD: not system data
}
}
struct zmq_msg_t {
};
typedef void (*zmq_free_fn)();
int zmq_msg_init_data(zmq_msg_t *msg, void *data, size_t size, zmq_free_fn *ffn, void *hint);
int zmq_msg_init_size(zmq_msg_t *msg, size_t size);
void *zmq_msg_data(zmq_msg_t *msg);
int zmq_send(void *socket, const void *buf, size_t len, int flags);
int zmq_sendmsg(void *socket, zmq_msg_t *msg, int flags); // deprecated
int zmq_msg_send(zmq_msg_t *msg, void *socket, int flags);
void test_zmq(void *remoteSocket)
{
zmq_msg_t message;
char *message_data;
size_t message_len;
// prepare data
message_data = getenv("HOME");
message_len = strlen(message_data) + 1;
// send as data
if (zmq_send(socket, message_data, message_len, 0) >= 0) { // BAD: outputs HOME environment variable
// ...
}
// send as message
if (zmq_msg_init_data(&message, message_data, message_len, 0, 0)) {
if (zmq_sendmsg(remoteSocket, &message, message_len)) { // BAD: outputs HOME environment variable
// ...
}
if (zmq_msg_send(&message, remoteSocket, message_len)) { // BAD: outputs HOME environment variable
// ...
}
}
// send as message (alternative path)
if (zmq_msg_init_size(&message, message_len) == 0) {
memcpy(zmq_msg_data(&message), message_data, message_len);
if (zmq_sendmsg(remoteSocket,&message, message_len)) { // BAD: outputs HOME environment variable
// ...
}
if (zmq_msg_send(&message, remoteSocket, message_len)) { // BAD: outputs HOME environment variable
// ...
}
}
}