hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #5185 from MathiasVP/block-integral-types-in-cgixss-query

Browse Source 
C++: Add isBarrier to cpp/cgi-xss
This commit is contained in:
Mathias Vorreiter Pedersen
2021-02-17 12:44:45 +01:00
committed by GitHub
parent eee49cde85 25beadcb05
commit e0dca2be20
3 changed files with 41 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
View File

@@ -34,6 +34,10 @@ class Configuration extends TaintTrackingConfiguration {
override predicate isSink(Element tainted) {
exists(PrintStdoutCall call | call.getAnArgument() = tainted)
}
override predicate isBarrier(Expr e) {
super.isBarrier(e) or e.getUnspecifiedType() instanceof IntegralType
}
}
from QueryString query, Element printedArg, PathNode sourceNode, PathNode sinkNode

32
cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.expected
View File

@@ -8,14 +8,14 @@ edges
| search.c:22:24:22:28 | *query | search.c:23:39:23:43 | query |
| search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
| search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
| search.c:41:21:41:26 | call to getenv | search.c:14:24:14:28 | *query |
| search.c:41:21:41:26 | call to getenv | search.c:14:24:14:28 | *query |
| search.c:41:21:41:26 | call to getenv | search.c:14:24:14:28 | query |
| search.c:41:21:41:26 | call to getenv | search.c:14:24:14:28 | query |
| search.c:41:21:41:26 | call to getenv | search.c:22:24:22:28 | *query |
| search.c:41:21:41:26 | call to getenv | search.c:22:24:22:28 | *query |
| search.c:41:21:41:26 | call to getenv | search.c:22:24:22:28 | query |
| search.c:41:21:41:26 | call to getenv | search.c:22:24:22:28 | query |
| search.c:51:21:51:26 | call to getenv | search.c:14:24:14:28 | *query |
| search.c:51:21:51:26 | call to getenv | search.c:14:24:14:28 | *query |
| search.c:51:21:51:26 | call to getenv | search.c:14:24:14:28 | query |
| search.c:51:21:51:26 | call to getenv | search.c:14:24:14:28 | query |
| search.c:51:21:51:26 | call to getenv | search.c:22:24:22:28 | *query |
| search.c:51:21:51:26 | call to getenv | search.c:22:24:22:28 | *query |
| search.c:51:21:51:26 | call to getenv | search.c:22:24:22:28 | query |
| search.c:51:21:51:26 | call to getenv | search.c:22:24:22:28 | query |
nodes
| search.c:14:24:14:28 | *query | semmle.label | *query |
| search.c:14:24:14:28 | query | semmle.label | query |
@@ -29,12 +29,12 @@ nodes
| search.c:23:39:23:43 | query | semmle.label | query |
| search.c:23:39:23:43 | query | semmle.label | query |
| search.c:23:39:23:43 | query | semmle.label | query |
| search.c:41:21:41:26 | call to getenv | semmle.label | call to getenv |
| search.c:41:21:41:26 | call to getenv | semmle.label | call to getenv |
| search.c:45:5:45:15 | Argument 0 | semmle.label | Argument 0 |
| search.c:45:17:45:25 | Argument 0 indirection | semmle.label | Argument 0 indirection |
| search.c:47:5:47:15 | Argument 0 | semmle.label | Argument 0 |
| search.c:47:17:47:25 | Argument 0 indirection | semmle.label | Argument 0 indirection |
| search.c:51:21:51:26 | call to getenv | semmle.label | call to getenv |
| search.c:51:21:51:26 | call to getenv | semmle.label | call to getenv |
| search.c:55:5:55:15 | Argument 0 | semmle.label | Argument 0 |
| search.c:55:17:55:25 | Argument 0 indirection | semmle.label | Argument 0 indirection |
| search.c:57:5:57:15 | Argument 0 | semmle.label | Argument 0 |
| search.c:57:17:57:25 | Argument 0 indirection | semmle.label | Argument 0 indirection |
#select
| search.c:17:8:17:12 | query | search.c:41:21:41:26 | call to getenv | search.c:17:8:17:12 | query | Cross-site scripting vulnerability due to $@. | search.c:41:21:41:26 | call to getenv | this query data |
| search.c:23:39:23:43 | query | search.c:41:21:41:26 | call to getenv | search.c:23:39:23:43 | query | Cross-site scripting vulnerability due to $@. | search.c:41:21:41:26 | call to getenv | this query data |
| search.c:17:8:17:12 | query | search.c:51:21:51:26 | call to getenv | search.c:17:8:17:12 | query | Cross-site scripting vulnerability due to $@. | search.c:51:21:51:26 | call to getenv | this query data |
| search.c:23:39:23:43 | query | search.c:51:21:51:26 | call to getenv | search.c:23:39:23:43 | query | Cross-site scripting vulnerability due to $@. | search.c:51:21:51:26 | call to getenv | this query data |

31
cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/search.c
View File

@@ -26,7 +26,7 @@ void bad_server2(char* query) {
puts(do_search(query));
}
void good_server(char* query) {
void good_server1(char* query) {
puts("<p>Query results for ");
// GOOD: Escape HTML characters before adding to a page
char* query_escaped = escape_html(query);
@@ -37,14 +37,25 @@ void good_server(char* query) {
puts(do_search(query));
}
int main(int argc, char** argv) {
char* raw_query = getenv("QUERY_STRING");
if (strcmp("good", argv[0]) == 0) {
good_server(raw_query);
} else if (strcmp("bad1", argv[0]) == 0) {
bad_server1(raw_query);
} else {
bad_server2(raw_query);
}
int sscanf(const char *s, const char *format, ...);
void good_server2(char* query) {
puts("<p>Query results for ");
// GOOD: Only an integer is added to the page.
int i = 0;
sscanf(query, "value=%i", &i);
printf("\n<p>%i</p>\n", i);
}
int main(int argc, char** argv) {
char* raw_query = getenv("QUERY_STRING");
if (strcmp("good1", argv[0]) == 0) {
good_server1(raw_query);
} else if (strcmp("bad1", argv[0]) == 0) {
bad_server1(raw_query);
} else if (strcmp("bad2", argv[0]) == 0) {
bad_server2(raw_query);
} else if (strcmp("good2", argv[0]) == 0) {
good_server2(raw_query);
}
}