
Commit ce63809

authored
Merge pull request #5492 from geoffw0/samateissue
C++: Test taint regression
2 parents 3c26779 + b38a9d5 commit ce63809


2 files changed

+46
-0
lines changed


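--- a/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected
@@ -35,6 +35,14 @@ edges
 | test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | buffer |
 | test.cpp:76:12:76:17 | fgets output argument | test.cpp:79:10:79:13 | (const char *)... |
 | test.cpp:76:12:76:17 | fgets output argument | test.cpp:79:10:79:13 | data |
+| test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | (const char *)... |
+| test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | buffer |
+| test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | (const char *)... |
+| test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | buffer |
+| test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | (const char *)... |
+| test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | buffer |
+| test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | (const char *)... |
+| test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | buffer |
 nodes
 | test.cpp:24:30:24:36 | *command | semmle.label | *command |
 | test.cpp:24:30:24:36 | command | semmle.label | command |
@@ -70,10 +78,22 @@ nodes
 | test.cpp:79:10:79:13 | (const char *)... | semmle.label | (const char *)... |
 | test.cpp:79:10:79:13 | (const char *)... | semmle.label | (const char *)... |
 | test.cpp:79:10:79:13 | data | semmle.label | data |
+| test.cpp:98:17:98:22 | buffer | semmle.label | buffer |
+| test.cpp:98:17:98:22 | recv output argument | semmle.label | recv output argument |
+| test.cpp:99:15:99:20 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:99:15:99:20 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:99:15:99:20 | buffer | semmle.label | buffer |
+| test.cpp:106:17:106:22 | buffer | semmle.label | buffer |
+| test.cpp:106:17:106:22 | recv output argument | semmle.label | recv output argument |
+| test.cpp:107:15:107:20 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:107:15:107:20 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:107:15:107:20 | buffer | semmle.label | buffer |
 #select
 | test.cpp:26:10:26:16 | command | test.cpp:42:18:42:23 | call to getenv | test.cpp:26:10:26:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:42:18:42:23 | call to getenv | call to getenv |
 | test.cpp:31:10:31:16 | command | test.cpp:43:18:43:23 | call to getenv | test.cpp:31:10:31:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:43:18:43:23 | call to getenv | call to getenv |
 | test.cpp:62:10:62:15 | buffer | test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | buffer | The value of this argument may come from $@ and is being passed to system | test.cpp:56:12:56:17 | buffer | buffer |
 | test.cpp:63:10:63:13 | data | test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data | The value of this argument may come from $@ and is being passed to system | test.cpp:56:12:56:17 | buffer | buffer |
 | test.cpp:78:10:78:15 | buffer | test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer | The value of this argument may come from $@ and is being passed to system | test.cpp:76:12:76:17 | buffer | buffer |
 | test.cpp:79:10:79:13 | data | test.cpp:76:12:76:17 | buffer | test.cpp:79:10:79:13 | data | The value of this argument may come from $@ and is being passed to system | test.cpp:76:12:76:17 | buffer | buffer |
+| test.cpp:99:15:99:20 | buffer | test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | buffer | The value of this argument may come from $@ and is being passed to LoadLibrary | test.cpp:98:17:98:22 | buffer | buffer |
+| test.cpp:107:15:107:20 | buffer | test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | buffer | The value of this argument may come from $@ and is being passed to LoadLibrary | test.cpp:106:17:106:22 | buffer | buffer |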

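--- a/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/test.cpp
@@ -81,3 +81,29 @@ void testReferencePointer2()
 system(data2); // BAD [NOT DETECTED]
 }
 }
+
+// ---
+
+typedef unsigned long size_t;
+
+void accept(int arg, char *buf, size_t *bufSize);
+void recv(int arg, char *buf, size_t bufSize);
+void LoadLibrary(const char *arg);
+
+void testAcceptRecv(int socket1, int socket2)
+{
+{
+char buffer[1024];
+
+recv(socket1, buffer, 1024);
+LoadLibrary(buffer); // BAD: using data from recv
+}
+
+{
+char buffer[1024];
+
+accept(socket2, 0, 0);
+recv(socket2, buffer, 1024);
+LoadLibrary(buffer); // BAD: using data from recv
+}
+}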
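Review bot: The two blocks in `testAcceptRecv` carry the same `// BAD: using data from recv` comment, so nothing records why the second block exists. It differs only by the `accept(socket2, 0, 0);` call before `recv`, which is presumably the pattern behind the regression named in the commit title. I would note that at the call, e.g. `accept(socket2, 0, 0); // regression case: this call must not hide the recv -> LoadLibrary flow below`. The added lines also contain no `// GOOD` case, such as `LoadLibrary` called with a constant path, so this section cannot catch a false positive on the new sink.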
