Merge branch 'main' into break-bigstep-at-store

2026-04-26 17:25:19 +02:00 · 2024-04-16 15:33:21 +01:00
parent 7155af50be 4886bb1116
commit dd656d34be
402 changed files with 5371 additions and 17855 deletions
--- a/cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit/GlobalUseBeforeInit.expected
+++ b/cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit/GlobalUseBeforeInit.expected
@@ -0,0 +1 @@
+| test.cpp:27:5:27:6 | f1 | The variable 'b' is used in this function but may not be initialized when it is called. |
--- a/cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit/GlobalUseBeforeInit.qlref
+++ b/cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit/GlobalUseBeforeInit.qlref
@@ -0,0 +1 @@
+Critical/GlobalUseBeforeInit.ql
--- a/cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit/test.cpp
+++ b/cpp/ql/test/query-tests/Critical/GlobalUseBeforeInit/test.cpp
@@ -0,0 +1,38 @@
+typedef __builtin_va_list va_list;
+typedef struct {} FILE;
+
+extern FILE * stdin;
+extern FILE * stdout;
+extern FILE * stderr;
+
+#define va_start(args, fmt) __builtin_va_start(args,fmt)
+#define va_end(args) __builtin_va_end(args);
+
+int vfprintf (FILE *, const char *, va_list);
+
+int a = 1;
+int b;
+
+int my_printf(const char * fmt, ...)
+{
+    va_list vl;
+    int ret;
+    va_start(vl, fmt);
+    ret = vfprintf(stdout, fmt, vl);
+    ret = vfprintf(stderr, fmt, vl);
+    va_end(vl);
+    return ret;
+}
+
+int f1()
+{
+    my_printf("%d\n", a + 2);
+    my_printf("%d\n", b + 2); // BAD
+    return 0;
+}
+
+int main()
+{
+    int b = f1();
+    return 0;
+}
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected
@@ -12,6 +12,16 @@ edges
 | tests2.cpp:111:14:111:15 | *c1 [*ptr] | tests2.cpp:111:14:111:19 | *ptr | provenance |  |
 | tests2.cpp:111:14:111:15 | *c1 [*ptr] | tests2.cpp:111:17:111:19 | *ptr | provenance |  |
 | tests2.cpp:111:17:111:19 | *ptr | tests2.cpp:111:14:111:19 | *ptr | provenance |  |
+| tests2.cpp:120:5:120:21 | [summary param] 1 indirection in zmq_msg_init_data | tests2.cpp:120:5:120:21 | [summary] to write: Argument[0 indirection] in zmq_msg_init_data | provenance |  |
+| tests2.cpp:134:2:134:30 | *... = ... | tests2.cpp:138:23:138:34 | *message_data | provenance |  |
+| tests2.cpp:134:2:134:30 | *... = ... | tests2.cpp:143:34:143:45 | *message_data | provenance |  |
+| tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:134:2:134:30 | *... = ... | provenance |  |
+| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:144:33:144:40 | *& ... | provenance |  |
+| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:147:20:147:27 | *& ... | provenance |  |
+| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:155:32:155:39 | *& ... | provenance |  |
+| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:158:20:158:27 | *& ... | provenance |  |
+| tests2.cpp:143:34:143:45 | *message_data | tests2.cpp:120:5:120:21 | [summary param] 1 indirection in zmq_msg_init_data | provenance |  |
+| tests2.cpp:143:34:143:45 | *message_data | tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | provenance |  |
 | tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:26:15:26:20 | *call to getenv | provenance |  |
 | tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:39:19:39:22 | *path | provenance |  |
 | tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:43:20:43:23 | *path | provenance |  |
@@ -42,6 +52,17 @@ nodes
 | tests2.cpp:111:14:111:15 | *c1 [*ptr] | semmle.label | *c1 [*ptr] |
 | tests2.cpp:111:14:111:19 | *ptr | semmle.label | *ptr |
 | tests2.cpp:111:17:111:19 | *ptr | semmle.label | *ptr |
+| tests2.cpp:120:5:120:21 | [summary param] 1 indirection in zmq_msg_init_data | semmle.label | [summary param] 1 indirection in zmq_msg_init_data |
+| tests2.cpp:120:5:120:21 | [summary] to write: Argument[0 indirection] in zmq_msg_init_data | semmle.label | [summary] to write: Argument[0 indirection] in zmq_msg_init_data |
+| tests2.cpp:134:2:134:30 | *... = ... | semmle.label | *... = ... |
+| tests2.cpp:134:17:134:22 | *call to getenv | semmle.label | *call to getenv |
+| tests2.cpp:138:23:138:34 | *message_data | semmle.label | *message_data |
+| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | semmle.label | zmq_msg_init_data output argument |
+| tests2.cpp:143:34:143:45 | *message_data | semmle.label | *message_data |
+| tests2.cpp:144:33:144:40 | *& ... | semmle.label | *& ... |
+| tests2.cpp:147:20:147:27 | *& ... | semmle.label | *& ... |
+| tests2.cpp:155:32:155:39 | *& ... | semmle.label | *& ... |
+| tests2.cpp:158:20:158:27 | *& ... | semmle.label | *& ... |
 | tests_sockets.cpp:26:15:26:20 | *call to getenv | semmle.label | *call to getenv |
 | tests_sockets.cpp:26:15:26:20 | *call to getenv | semmle.label | *call to getenv |
 | tests_sockets.cpp:39:19:39:22 | *path | semmle.label | *path |
@@ -53,6 +74,7 @@ nodes
 | tests_sysconf.cpp:36:21:36:27 | confstr output argument | semmle.label | confstr output argument |
 | tests_sysconf.cpp:39:19:39:25 | *pathbuf | semmle.label | *pathbuf |
 subpaths
+| tests2.cpp:143:34:143:45 | *message_data | tests2.cpp:120:5:120:21 | [summary param] 1 indirection in zmq_msg_init_data | tests2.cpp:120:5:120:21 | [summary] to write: Argument[0 indirection] in zmq_msg_init_data | tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument |
 #select
 | tests2.cpp:63:13:63:26 | *call to getenv | tests2.cpp:63:13:63:26 | *call to getenv | tests2.cpp:63:13:63:26 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:63:13:63:26 | *call to getenv | *call to getenv |
 | tests2.cpp:64:13:64:26 | *call to getenv | tests2.cpp:64:13:64:26 | *call to getenv | tests2.cpp:64:13:64:26 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:64:13:64:26 | *call to getenv | *call to getenv |
@@ -64,6 +86,11 @@ subpaths
 | tests2.cpp:93:14:93:17 | *str1 | tests2.cpp:91:42:91:45 | *str1 | tests2.cpp:93:14:93:17 | *str1 | This operation exposes system data from $@. | tests2.cpp:91:42:91:45 | *str1 | *str1 |
 | tests2.cpp:102:14:102:15 | *pw | tests2.cpp:101:8:101:15 | *call to getpwuid | tests2.cpp:102:14:102:15 | *pw | This operation exposes system data from $@. | tests2.cpp:101:8:101:15 | *call to getpwuid | *call to getpwuid |
 | tests2.cpp:111:14:111:19 | *ptr | tests2.cpp:109:12:109:17 | *call to getenv | tests2.cpp:111:14:111:19 | *ptr | This operation exposes system data from $@. | tests2.cpp:109:12:109:17 | *call to getenv | *call to getenv |
+| tests2.cpp:138:23:138:34 | *message_data | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:138:23:138:34 | *message_data | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
+| tests2.cpp:144:33:144:40 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:144:33:144:40 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
+| tests2.cpp:147:20:147:27 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:147:20:147:27 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
+| tests2.cpp:155:32:155:39 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:155:32:155:39 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
+| tests2.cpp:158:20:158:27 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:158:20:158:27 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
 | tests_sockets.cpp:39:19:39:22 | *path | tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:39:19:39:22 | *path | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | *call to getenv | *call to getenv |
 | tests_sockets.cpp:43:20:43:23 | *path | tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:43:20:43:23 | *path | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | *call to getenv | *call to getenv |
 | tests_sockets.cpp:76:19:76:22 | *path | tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:76:19:76:22 | *path | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | *call to getenv | *call to getenv |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests2.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests2.cpp
@@ -1,15 +1,15 @@
 // Semmle test cases for rule CWE-497

-// library functions etc
+// --- library functions etc ---

 #include "tests.h"

+typedef unsigned long size_t;
+
+void *memcpy(void *dest, const void *src, size_t count);
 char *getenv(const char *name);
 char *strcpy(char *s1, const char *s2);
-
-
-
-
+size_t strlen(const char *s);



@@ -45,7 +45,7 @@ passwd *getpwuid(int uid);

 int val();

-// test cases
+// --- test cases ---

 const char *global1 = mysql_get_client_info();
 const char *global2 = "abc";
@@ -112,3 +112,51 @@ void test1()
 		send(sock, c2.ptr, val(), val()); // GOOD: not system data
 	}
 }
+
+struct zmq_msg_t {
+};
+typedef void (*zmq_free_fn)();
+
+int zmq_msg_init_data(zmq_msg_t *msg, void *data, size_t size, zmq_free_fn *ffn, void *hint);
+int zmq_msg_init_size(zmq_msg_t *msg, size_t size);
+void *zmq_msg_data(zmq_msg_t *msg);
+int zmq_send(void *socket, const void *buf, size_t len, int flags);
+int zmq_sendmsg(void *socket, zmq_msg_t *msg, int flags); // deprecated
+int zmq_msg_send(zmq_msg_t *msg, void *socket, int flags);
+
+void test_zmq(void *remoteSocket)
+{
+	zmq_msg_t message;
+	char *message_data;
+	size_t message_len;
+
+	// prepare data
+	message_data = getenv("HOME");
+	message_len = strlen(message_data) + 1;
+
+	// send as data
+	if (zmq_send(socket, message_data, message_len, 0) >= 0) { // BAD: outputs HOME environment variable
+		// ...
+	}
+
+	// send as message
+	if (zmq_msg_init_data(&message, message_data, message_len, 0, 0)) {
+		if (zmq_sendmsg(remoteSocket, &message, message_len)) { // BAD: outputs HOME environment variable
+			// ...
+		}
+		if (zmq_msg_send(&message, remoteSocket, message_len)) { // BAD: outputs HOME environment variable
+			// ...
+		}
+	}
+
+	// send as message (alternative path)
+	if (zmq_msg_init_size(&message, message_len) == 0) {
+		memcpy(zmq_msg_data(&message), message_data, message_len);
+		if (zmq_sendmsg(remoteSocket,&message, message_len)) { // BAD: outputs HOME environment variable
+			// ...
+		}
+		if (zmq_msg_send(&message, remoteSocket, message_len)) { // BAD: outputs HOME environment variable
+			// ...
+		}
+	}
+}
				`@@ -0,0 +1 @@`
				`\| test.cpp:27:5:27:6 \| f1 \| The variable 'b' is used in this function but may not be initialized when it is called. \|`