C++: Add isBarrier to CgiXss.ql.

This commit is contained in:
Mathias Vorreiter Pedersen
2021-02-16 18:58:28 +01:00
parent f0ce524c0d
commit fa44cedd38
3 changed files with 36 additions and 20 deletions


@@ -8,14 +8,14 @@ edges
| search.c:22:24:22:28 | *query | search.c:23:39:23:43 | query |
| search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
| search.c:22:24:22:28 | query | search.c:23:39:23:43 | query |
| search.c:41:21:41:26 | call to getenv | search.c:14:24:14:28 | *query |
| search.c:41:21:41:26 | call to getenv | search.c:14:24:14:28 | *query |
| search.c:41:21:41:26 | call to getenv | search.c:14:24:14:28 | query |
| search.c:41:21:41:26 | call to getenv | search.c:14:24:14:28 | query |
| search.c:41:21:41:26 | call to getenv | search.c:22:24:22:28 | *query |
| search.c:41:21:41:26 | call to getenv | search.c:22:24:22:28 | *query |
| search.c:41:21:41:26 | call to getenv | search.c:22:24:22:28 | query |
| search.c:41:21:41:26 | call to getenv | search.c:22:24:22:28 | query |
| search.c:51:21:51:26 | call to getenv | search.c:14:24:14:28 | *query |
| search.c:51:21:51:26 | call to getenv | search.c:14:24:14:28 | *query |
| search.c:51:21:51:26 | call to getenv | search.c:14:24:14:28 | query |
| search.c:51:21:51:26 | call to getenv | search.c:14:24:14:28 | query |
| search.c:51:21:51:26 | call to getenv | search.c:22:24:22:28 | *query |
| search.c:51:21:51:26 | call to getenv | search.c:22:24:22:28 | *query |
| search.c:51:21:51:26 | call to getenv | search.c:22:24:22:28 | query |
| search.c:51:21:51:26 | call to getenv | search.c:22:24:22:28 | query |
nodes
| search.c:14:24:14:28 | *query | semmle.label | *query |
| search.c:14:24:14:28 | query | semmle.label | query |
@@ -29,12 +29,12 @@ nodes
| search.c:23:39:23:43 | query | semmle.label | query |
| search.c:23:39:23:43 | query | semmle.label | query |
| search.c:23:39:23:43 | query | semmle.label | query |
| search.c:41:21:41:26 | call to getenv | semmle.label | call to getenv |
| search.c:41:21:41:26 | call to getenv | semmle.label | call to getenv |
| search.c:45:5:45:15 | Argument 0 | semmle.label | Argument 0 |
| search.c:45:17:45:25 | Argument 0 indirection | semmle.label | Argument 0 indirection |
| search.c:47:5:47:15 | Argument 0 | semmle.label | Argument 0 |
| search.c:47:17:47:25 | Argument 0 indirection | semmle.label | Argument 0 indirection |
| search.c:51:21:51:26 | call to getenv | semmle.label | call to getenv |
| search.c:51:21:51:26 | call to getenv | semmle.label | call to getenv |
| search.c:55:5:55:15 | Argument 0 | semmle.label | Argument 0 |
| search.c:55:17:55:25 | Argument 0 indirection | semmle.label | Argument 0 indirection |
| search.c:57:5:57:15 | Argument 0 | semmle.label | Argument 0 |
| search.c:57:17:57:25 | Argument 0 indirection | semmle.label | Argument 0 indirection |
#select
| search.c:17:8:17:12 | query | search.c:41:21:41:26 | call to getenv | search.c:17:8:17:12 | query | Cross-site scripting vulnerability due to $@. | search.c:41:21:41:26 | call to getenv | this query data |
| search.c:23:39:23:43 | query | search.c:41:21:41:26 | call to getenv | search.c:23:39:23:43 | query | Cross-site scripting vulnerability due to $@. | search.c:41:21:41:26 | call to getenv | this query data |
| search.c:17:8:17:12 | query | search.c:51:21:51:26 | call to getenv | search.c:17:8:17:12 | query | Cross-site scripting vulnerability due to $@. | search.c:51:21:51:26 | call to getenv | this query data |
| search.c:23:39:23:43 | query | search.c:51:21:51:26 | call to getenv | search.c:23:39:23:43 | query | Cross-site scripting vulnerability due to $@. | search.c:51:21:51:26 | call to getenv | this query data |


@@ -26,7 +26,7 @@ void bad_server2(char* query) {
puts(do_search(query));
}
void good_server(char* query) {
void good_server1(char* query) {
puts("<p>Query results for ");
// GOOD: Escape HTML characters before adding to a page
char* query_escaped = escape_html(query);
@@ -37,14 +37,26 @@ void good_server(char* query) {
puts(do_search(query));
}
int snprintf(char *, int, const char *, ...);
void good_server2(char* query) {
puts("<p>Query results for ");
// GOOD: Only an integer is added to the page.
int i = 0;
snprintf(query, 16, "value=%i", &i);
printf("\n<p>%i</p>\n", i);
}
int main(int argc, char** argv) {
char* raw_query = getenv("QUERY_STRING");
if (strcmp("good", argv[0]) == 0) {
good_server(raw_query);
if (strcmp("good1", argv[0]) == 0) {
good_server1(raw_query);
} else if (strcmp("bad1", argv[0]) == 0) {
bad_server1(raw_query);
} else {
} else if (strcmp("bad2", argv[0]) == 0) {
bad_server2(raw_query);
} else if (strcmp("good2", argv[0]) == 0) {
good_server2(raw_query);
}
}
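Review bot: In good_server2 the call `snprintf(query, 16, "value=%i", &i);` passes `&i`, an `int *`, for a `%i` conversion that expects an `int`, and it writes up to 16 bytes into `query`, which main() hands over straight from `getenv("QUERY_STRING")` — a buffer that is only as long as the environment string, so this is both a format/argument mismatch and a potential overwrite of the environment. The comment says only an integer is added to the page, which suggests the call was meant to parse the query rather than format into it, e.g. `sscanf(query, "value=%i", &i);`; please confirm which library call the new barrier is meant to exercise, since the test presumably only proves something if taint actually reaches `i` through that call. The hand-written prototype `int snprintf(char *, int, const char *, ...);` also declares the size parameter as `int` where the library's is `size_t`, which will clash if `<stdio.h>` is ever included in this test file. A one-line comment above the prototype, such as `// local stub: this test deliberately avoids <stdio.h>`, would make that intent explicit to the next person who touches it.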