C++: Improve and differentiate the qhelp.

geoffw0 · geoffw0 · commit 5c6923c09949 · 2022-03-03T11:04:55.000Z
diff --git a/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.qhelp b/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.qhelp
@@ -5,11 +5,11 @@
 <overview>
 <p>Exposing system data or debugging information may help an adversary to learn about the system and form an attack plan.  An attacker can use error messages that reveal technologies, operating systems, and product versions to tune their attack against known vulnerabilities in these technologies.</p>
 
-<p>This query finds locations where system configuration information might be revealed to a user.</p>
+<p>This query finds locations where system configuration information might be revealed to a remote user.</p>
 </overview>
 
 <recommendation>
-<p>Do not expose system configuration information to users.  Be wary of the difference between information that could be helpful to users, and unnecessary details that could be useful to an adversary.</p>
+<p>Do not expose system configuration information to remote users.  Be wary of the difference between information that could be helpful to users, and unnecessary details that could be useful to an adversary.</p>
 </recommendation>
 
 <example>
diff --git a/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemDataCorrect.cpp b/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemDataCorrect.cpp
@@ -2,6 +2,5 @@ char* path = getenv("PATH");
 
 //...
 
-fprintf(stderr, "A required executable file could not be found.  " \
-                "Please ensure that the software has been installed " \
-                "correctly or contact a system administrator.\n");
+message = "An internal error has occurred. Please try again or contact a system administrator.\n";
+send(socket, message, strlen(message), 0);
diff --git a/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemDataIncorrect.cpp b/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemDataIncorrect.cpp
@@ -2,4 +2,5 @@ char* path = getenv("PATH");
 
 //...
 
-fprintf(stderr, "cannot find exe on path %s\n", path);
+sprintf(buffer, "Cannot find exe on path: %s", path);
+send(socket, buffer, strlen(buffer), 0);
diff --git a/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.qhelp b/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.qhelp
@@ -5,7 +5,7 @@
 <overview>
 <p>Exposing system data or debugging information may help an adversary to learn about the system and form an attack plan.  An attacker can use error messages that reveal technologies, operating systems, and product versions to tune their attack against known vulnerabilities in these technologies.</p>
 
-<p>This query finds locations where system configuration information might be revealed to a user.</p>
+<p>This query finds locations where system configuration information that is particularly sensitive might be revealed to a user.</p>
 </overview>
 
 <recommendation>
@@ -15,11 +15,11 @@
 <example>
 <p>In this example the value of the <code>PATH</code> environment variable is revealed in full to the user when a particular error occurs.  This might reveal information such as the software installed on your system to an adversary who does not have legitimate access to that information.</p>
 
-<sample src="ExposedSystemDataIncorrect.cpp" />
+<sample src="PotentiallyExposedSystemDataIncorrect.cpp" />
 
 <p>The message should be rephrased without this information, for example:</p>
 
-<sample src="ExposedSystemDataCorrect.cpp" />
+<sample src="PotentiallyExposedSystemDataCorrect.cpp" />
 </example>
 
 <references>
diff --git a/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemDataCorrect.cpp b/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemDataCorrect.cpp
@@ -0,0 +1,5 @@
+char* key = getenv("APP_KEY");
+
+//...
+
+fprintf(stderr, "Application key not recognized. Please ensure the key is correct or contact a system administrator.\n", key);
diff --git a/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemDataIncorrect.cpp b/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemDataIncorrect.cpp
@@ -0,0 +1,5 @@
+char* key = getenv("APP_KEY");
+
+//...
+
+fprintf(stderr, "Key not recognized: %s\n", key);

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +char* key = getenv("APP_KEY");
++
 +//...
++
 +fprintf(stderr, "Application key not recognized. Please ensure the key is correct or contact a system administrator.\n", key);