C++: Add test annotations

jketema · jketema · commit d8a70d8d58c7 · 2024-09-04T10:23:51.000+02:00
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/brotliTest.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/brotliTest.cpp
@@ -25,13 +25,13 @@ namespace std {
 
 int brotli_test(int argc, const char **argv) {
     uint8_t *output = nullptr;
-    BrotliDecoderDecompress(1024 * 1024, (uint8_t *) argv[2],
+    BrotliDecoderDecompress(1024 * 1024, (uint8_t *) argv[2], // BAD
                             reinterpret_cast<size_t *>(1024 * 1024 * 1024), output);
     uint8_t **output2 = nullptr;
     const uint8_t **input2 = nullptr;
     std::strncpy(reinterpret_cast<char *>(input2), argv[2], 32);
     BrotliDecoderDecompressStream(0, reinterpret_cast<size_t *>(1024 * 1024),
-                                  input2, reinterpret_cast<size_t *>(1024 * 1024 * 1024),
+                                  input2, reinterpret_cast<size_t *>(1024 * 1024 * 1024), // BAD
                                   output2,
                                   reinterpret_cast<size_t *>(1024 * 1024 * 1024));
     return 0;
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/libarchiveTests.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/libarchiveTests.cpp
@@ -53,7 +53,7 @@ static int copy_data(struct archive *ar, struct archive *aw) {
     la_int64_t offset;
 
     for (;;) {
-        archive_read_data_block(ar, &buff, &size, &offset);
+        archive_read_data_block(ar, &buff, &size, &offset); // BAD
         if (r == ARCHIVE_EOF)
             return (ARCHIVE_OK);
         if (r < ARCHIVE_OK)
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/minizipTest.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/minizipTest.cpp
@@ -37,7 +37,7 @@ int minizip_test(int argc, const char **argv) {
     int32_t err;
     char buf[4096];
     do {
-        bytes_read = mz_zip_entry_read(zip_handle, (char *) argv[1], sizeof(buf));
+        bytes_read = mz_zip_entry_read(zip_handle, (char *) argv[1], sizeof(buf)); // BAD
         if (bytes_read < 0) {
             err = bytes_read;
         }
@@ -55,7 +55,7 @@ int minizip_test(int argc, const char **argv) {
     mz_stream_os_open(entry_stream, entry_path, 1);
     int file_stream;
     int mz_stream_os_write;
-    mz_zip_reader_entry_save(zip_reader, file_stream, mz_stream_os_write);
+    mz_zip_reader_entry_save(zip_reader, file_stream, mz_stream_os_write); // BAD
     // the above sink is same as "mz_zip_reader_entry_save", "mz_zip_reader_entry_read", "mz_zip_reader_entry_save_process",
     // "mz_zip_reader_entry_save_file", "mz_zip_reader_entry_save_buffer", "mz_zip_reader_save_all" and "mz_zip_entry_read" functions
     mz_stream_os_close(entry_stream);
@@ -64,7 +64,7 @@ int minizip_test(int argc, const char **argv) {
     mz_zip_reader_delete(&zip_reader);
 
 
-    UnzOpen(argv[3]);
+    UnzOpen(argv[3]); // BAD
     return 0;
 }
 
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/zlibTest.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs/zlibTest.cpp
@@ -67,7 +67,7 @@ int UnsafeInflate(char *a) {
     // uLong  total_out; /* total number of bytes output so far */
     // the actual DE-compression work.
     inflateInit(&infstream);
-    inflate(&infstream, Z_NO_FLUSH);
+    inflate(&infstream, Z_NO_FLUSH); // BAD
     inflateEnd(&infstream);
 
 
@@ -98,7 +98,7 @@ int UnsafeGzread(char *fileName) {
     unsigned char unzipBuffer[8192];
     unsigned int unzippedBytes;
     while (true) {
-        unzippedBytes = gzread(inFileZ, unzipBuffer, 8192);
+        unzippedBytes = gzread(inFileZ, unzipBuffer, 8192); // BAD
         if (unzippedBytes > 0) {
             std::cout << unzippedBytes;
         } else {
@@ -118,7 +118,7 @@ int UnsafeGzfread(char *fileName) {
     }
     while (true) {
         char buffer[1000];
-        if (!gzfread(buffer, 999, 1, inFileZ)) {
+        if (!gzfread(buffer, 999, 1, inFileZ)) { // BAD
             break;
         }
     }
@@ -136,7 +136,7 @@ int UnsafeGzgets(char *fileName) {
     char *buffer = new char[4000000000];
     char *result;
     while (true) {
-        result = gzgets(inFileZ, buffer, 1000000000);
+        result = gzgets(inFileZ, buffer, 1000000000); // BAD
         if (result == nullptr) {
             break;
         }
@@ -160,7 +160,7 @@ bool InflateString(const unsigned char *input, const unsigned char *output, size
     destination_length = (uLong) output_length;
 
     int result = uncompress((Bytef *) output, &destination_length,
-                            (Bytef *) input, source_length);
+                            (Bytef *) input, source_length); // BAD
 
     return result == Z_OK;
 }
