C++: Add a test (cleaned up) that was previously in the internal repo.

geoffw0 · geoffw0 · commit 7a3f9c78950d · 2021-01-04T15:35:18.000Z
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/SqlTainted.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/SqlTainted.expected
@@ -0,0 +1,13 @@
+edges
+| test.c:14:20:14:23 | argv | test.c:19:18:19:23 | (const char *)... |
+| test.c:14:20:14:23 | argv | test.c:19:18:19:23 | (const char *)... |
+| test.c:14:20:14:23 | argv | test.c:19:18:19:23 | query1 |
+| test.c:14:20:14:23 | argv | test.c:19:18:19:23 | query1 |
+nodes
+| test.c:14:20:14:23 | argv | semmle.label | argv |
+| test.c:14:20:14:23 | argv | semmle.label | argv |
+| test.c:19:18:19:23 | (const char *)... | semmle.label | (const char *)... |
+| test.c:19:18:19:23 | (const char *)... | semmle.label | (const char *)... |
+| test.c:19:18:19:23 | query1 | semmle.label | query1 |
+#select
+| test.c:19:18:19:23 | query1 | test.c:14:20:14:23 | argv | test.c:19:18:19:23 | query1 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg) | test.c:14:20:14:23 | argv | user input (argv) |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/SqlTainted.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/SqlTainted.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-089/SqlTainted.ql
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/test.c b/cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/test.c
@@ -0,0 +1,27 @@
+// Semmle test case for rule SprintfToSqlQuery.ql (Uncontrolled sprintf for SQL query)
+// Associated with CWE-089: SQL injection. http://cwe.mitre.org/data/definitions/89.html
+
+///// Library routines /////
+
+typedef unsigned long size_t;
+int snprintf(char *s, size_t n, const char *format, ...);
+void sanitizeString(char *stringOut, size_t len, const char *strIn);
+int mysql_query(int arg1, const char *sqlArg);
+
+///// Test code /////
+
+int main(int argc, char** argv) {
+  char *userName = argv[2];
+
+  // a string from the user is injected directly into an SQL query.
+  char query1[1000] = {0};
+  snprintf(query1, 1000, "SELECT UID FROM USERS where name = \"%s\"", userName);
+  mysql_query(0, query1); // BAD
+  
+  // the user string is encoded by a library routine.
+  char userNameSanitized[1000] = {0};
+  sanitizeString(userNameSanitized, 1000, userName); 
+  char query2[1000] = {0};
+  snprintf(query2, 1000, "SELECT UID FROM USERS where name = \"%s\"", userNameSanitized);
+  mysql_query(0, query2); // GOOD
+}
