

Commit 5e265f4

Robert MarshRobert Marsh
authored and committed
C++: ExecTainted tests for int/string conversions
1 parent 9926892 commit 5e265f4

2 files changed

Lines changed: 157 additions & 0 deletions


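--- a/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected
@@ -94,12 +94,62 @@ edges
 | test.cpp:119:20:119:38 | (const char *)... | test.cpp:120:17:120:17 | call to operator+ |
 | test.cpp:119:20:119:38 | (const char *)... | test.cpp:120:19:120:22 | (reference to) |
 | test.cpp:119:20:119:38 | (const char *)... | test.cpp:120:19:120:22 | path indirection |
+| test.cpp:129:9:129:12 | (void *)... | test.cpp:129:9:129:12 | temp indirection |
+| test.cpp:129:9:129:12 | fread output argument | test.cpp:131:11:131:14 | Store |
+| test.cpp:129:9:129:12 | fread output argument | test.cpp:131:11:131:14 | call to atoi |
+| test.cpp:129:9:129:12 | fread output argument | test.cpp:131:11:131:14 | call to atoi |
+| test.cpp:129:9:129:12 | fread output argument | test.cpp:131:16:131:19 | array to pointer conversion |
+| test.cpp:129:9:129:12 | fread output argument | test.cpp:131:16:131:19 | temp indirection |
+| test.cpp:129:9:129:12 | fread output argument | test.cpp:132:42:132:42 | x |
+| test.cpp:129:9:129:12 | fread output argument | test.cpp:133:10:133:16 | (const char *)... |
+| test.cpp:129:9:129:12 | fread output argument | test.cpp:133:10:133:16 | command indirection |
+| test.cpp:131:11:131:14 | call to atoi | test.cpp:131:11:131:14 | Store |
+| test.cpp:131:11:131:14 | call to atoi | test.cpp:132:42:132:42 | x |
+| test.cpp:131:11:131:14 | call to atoi | test.cpp:133:10:133:16 | (const char *)... |
+| test.cpp:131:11:131:14 | call to atoi | test.cpp:133:10:133:16 | command indirection |
+| test.cpp:140:9:140:11 | (void *)... | test.cpp:140:9:140:11 | str indirection |
+| test.cpp:140:9:140:11 | fread output argument | test.cpp:142:31:142:33 | array to pointer conversion |
+| test.cpp:140:9:140:11 | fread output argument | test.cpp:142:31:142:33 | str indirection |
+| test.cpp:140:9:140:11 | fread output argument | test.cpp:142:31:142:33 | str indirection |
+| test.cpp:140:9:140:11 | fread output argument | test.cpp:143:10:143:16 | (const char *)... |
+| test.cpp:140:9:140:11 | fread output argument | test.cpp:143:10:143:16 | command indirection |
+| test.cpp:142:11:142:17 | sprintf output argument | test.cpp:143:10:143:16 | command indirection |
+| test.cpp:142:31:142:33 | str indirection | test.cpp:142:11:142:17 | sprintf output argument |
+| test.cpp:142:31:142:33 | str indirection | test.cpp:142:11:142:17 | sprintf output argument |
+| test.cpp:150:9:150:11 | (void *)... | test.cpp:150:9:150:11 | str indirection |
+| test.cpp:150:9:150:11 | fread output argument | test.cpp:152:31:152:33 | array to pointer conversion |
+| test.cpp:150:9:150:11 | fread output argument | test.cpp:152:31:152:33 | str indirection |
+| test.cpp:150:9:150:11 | fread output argument | test.cpp:153:10:153:16 | (const char *)... |
+| test.cpp:150:9:150:11 | fread output argument | test.cpp:153:10:153:16 | command indirection |
+| test.cpp:160:9:160:12 | (void *)... | test.cpp:160:9:160:12 | temp indirection |
+| test.cpp:160:9:160:12 | fread output argument | test.cpp:162:11:162:14 | Store |
+| test.cpp:160:9:160:12 | fread output argument | test.cpp:162:11:162:14 | call to atoi |
+| test.cpp:160:9:160:12 | fread output argument | test.cpp:162:11:162:14 | call to atoi |
+| test.cpp:160:9:160:12 | fread output argument | test.cpp:162:16:162:19 | array to pointer conversion |
+| test.cpp:160:9:160:12 | fread output argument | test.cpp:162:16:162:19 | temp indirection |
+| test.cpp:160:9:160:12 | fread output argument | test.cpp:165:24:165:24 | x |
+| test.cpp:160:9:160:12 | fread output argument | test.cpp:166:44:166:48 | array to pointer conversion |
+| test.cpp:160:9:160:12 | fread output argument | test.cpp:166:44:166:48 | temp2 indirection |
+| test.cpp:160:9:160:12 | fread output argument | test.cpp:166:44:166:48 | temp2 indirection |
+| test.cpp:160:9:160:12 | fread output argument | test.cpp:168:10:168:16 | (const char *)... |
+| test.cpp:160:9:160:12 | fread output argument | test.cpp:168:10:168:16 | command indirection |
+| test.cpp:162:11:162:14 | call to atoi | test.cpp:162:11:162:14 | Store |
+| test.cpp:162:11:162:14 | call to atoi | test.cpp:165:24:165:24 | x |
+| test.cpp:162:11:162:14 | call to atoi | test.cpp:166:44:166:48 | array to pointer conversion |
+| test.cpp:162:11:162:14 | call to atoi | test.cpp:166:44:166:48 | temp2 indirection |
+| test.cpp:162:11:162:14 | call to atoi | test.cpp:168:10:168:16 | (const char *)... |
+| test.cpp:162:11:162:14 | call to atoi | test.cpp:168:10:168:16 | command indirection |
+| test.cpp:166:13:166:19 | sprintf output argument | test.cpp:168:10:168:16 | command indirection |
+| test.cpp:166:44:166:48 | temp2 indirection | test.cpp:166:13:166:19 | sprintf output argument |
+| test.cpp:166:44:166:48 | temp2 indirection | test.cpp:166:13:166:19 | sprintf output argument |
 #select
 | test.cpp:23:12:23:19 | command1 | test.cpp:16:20:16:23 | argv | test.cpp:23:12:23:19 | command1 indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string) | test.cpp:16:20:16:23 | argv | user input (a command-line argument) | test.cpp:22:13:22:20 | sprintf output argument | sprintf output argument |
 | test.cpp:51:10:51:16 | command | test.cpp:47:21:47:26 | call to getenv | test.cpp:51:10:51:16 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string) | test.cpp:47:21:47:26 | call to getenv | user input (an environment variable) | test.cpp:50:11:50:17 | sprintf output argument | sprintf output argument |
 | test.cpp:65:10:65:16 | command | test.cpp:62:9:62:16 | fread output argument | test.cpp:65:10:65:16 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string) | test.cpp:62:9:62:16 | fread output argument | user input (String read by fread) | test.cpp:64:11:64:17 | strncat output argument | strncat output argument |
 | test.cpp:85:32:85:38 | command | test.cpp:82:9:82:16 | fread output argument | test.cpp:85:32:85:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl | test.cpp:82:9:82:16 | fread output argument | user input (String read by fread) | test.cpp:84:11:84:17 | strncat output argument | strncat output argument |
 | test.cpp:94:45:94:48 | path | test.cpp:91:9:91:16 | fread output argument | test.cpp:94:45:94:48 | path indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl | test.cpp:91:9:91:16 | fread output argument | user input (String read by fread) | test.cpp:93:11:93:14 | strncat output argument | strncat output argument |
+| test.cpp:143:10:143:16 | command | test.cpp:140:9:140:11 | fread output argument | test.cpp:143:10:143:16 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string) | test.cpp:140:9:140:11 | fread output argument | user input (String read by fread) | test.cpp:142:11:142:17 | sprintf output argument | sprintf output argument |
+| test.cpp:168:10:168:16 | command | test.cpp:160:9:160:12 | fread output argument | test.cpp:168:10:168:16 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string) | test.cpp:160:9:160:12 | fread output argument | user input (String read by fread) | test.cpp:166:13:166:19 | sprintf output argument | sprintf output argument |
 nodes
 | test.cpp:16:20:16:23 | argv | semmle.label | argv |
 | test.cpp:16:20:16:23 | argv | semmle.label | argv |
@@ -235,3 +285,61 @@ nodes
 | test.cpp:120:19:120:22 | (reference to) | semmle.label | (reference to) |
 | test.cpp:120:19:120:22 | path indirection | semmle.label | path indirection |
 | test.cpp:120:19:120:22 | path indirection | semmle.label | path indirection |
+| test.cpp:129:9:129:12 | (void *)... | semmle.label | (void *)... |
+| test.cpp:129:9:129:12 | (void *)... | semmle.label | (void *)... |
+| test.cpp:129:9:129:12 | array to pointer conversion | semmle.label | array to pointer conversion |
+| test.cpp:129:9:129:12 | fread output argument | semmle.label | fread output argument |
+| test.cpp:129:9:129:12 | temp | semmle.label | temp |
+| test.cpp:129:9:129:12 | temp indirection | semmle.label | temp indirection |
+| test.cpp:131:11:131:14 | Store | semmle.label | Store |
+| test.cpp:131:11:131:14 | call to atoi | semmle.label | call to atoi |
+| test.cpp:131:11:131:14 | call to atoi | semmle.label | call to atoi |
+| test.cpp:131:16:131:19 | array to pointer conversion | semmle.label | array to pointer conversion |
+| test.cpp:131:16:131:19 | temp indirection | semmle.label | temp indirection |
+| test.cpp:132:42:132:42 | x | semmle.label | x |
+| test.cpp:133:10:133:16 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:133:10:133:16 | command indirection | semmle.label | command indirection |
+| test.cpp:140:9:140:11 | (void *)... | semmle.label | (void *)... |
+| test.cpp:140:9:140:11 | (void *)... | semmle.label | (void *)... |
+| test.cpp:140:9:140:11 | array to pointer conversion | semmle.label | array to pointer conversion |
+| test.cpp:140:9:140:11 | fread output argument | semmle.label | fread output argument |
+| test.cpp:140:9:140:11 | fread output argument | semmle.label | fread output argument |
+| test.cpp:140:9:140:11 | str | semmle.label | str |
+| test.cpp:140:9:140:11 | str indirection | semmle.label | str indirection |
+| test.cpp:142:11:142:17 | sprintf output argument | semmle.label | sprintf output argument |
+| test.cpp:142:31:142:33 | array to pointer conversion | semmle.label | array to pointer conversion |
+| test.cpp:142:31:142:33 | str indirection | semmle.label | str indirection |
+| test.cpp:142:31:142:33 | str indirection | semmle.label | str indirection |
+| test.cpp:143:10:143:16 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:143:10:143:16 | command indirection | semmle.label | command indirection |
+| test.cpp:143:10:143:16 | command indirection | semmle.label | command indirection |
+| test.cpp:150:9:150:11 | (void *)... | semmle.label | (void *)... |
+| test.cpp:150:9:150:11 | (void *)... | semmle.label | (void *)... |
+| test.cpp:150:9:150:11 | array to pointer conversion | semmle.label | array to pointer conversion |
+| test.cpp:150:9:150:11 | fread output argument | semmle.label | fread output argument |
+| test.cpp:150:9:150:11 | str | semmle.label | str |
+| test.cpp:150:9:150:11 | str indirection | semmle.label | str indirection |
+| test.cpp:152:31:152:33 | array to pointer conversion | semmle.label | array to pointer conversion |
+| test.cpp:152:31:152:33 | str indirection | semmle.label | str indirection |
+| test.cpp:153:10:153:16 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:153:10:153:16 | command indirection | semmle.label | command indirection |
+| test.cpp:160:9:160:12 | (void *)... | semmle.label | (void *)... |
+| test.cpp:160:9:160:12 | (void *)... | semmle.label | (void *)... |
+| test.cpp:160:9:160:12 | array to pointer conversion | semmle.label | array to pointer conversion |
+| test.cpp:160:9:160:12 | fread output argument | semmle.label | fread output argument |
+| test.cpp:160:9:160:12 | fread output argument | semmle.label | fread output argument |
+| test.cpp:160:9:160:12 | temp | semmle.label | temp |
+| test.cpp:160:9:160:12 | temp indirection | semmle.label | temp indirection |
+| test.cpp:162:11:162:14 | Store | semmle.label | Store |
+| test.cpp:162:11:162:14 | call to atoi | semmle.label | call to atoi |
+| test.cpp:162:11:162:14 | call to atoi | semmle.label | call to atoi |
+| test.cpp:162:16:162:19 | array to pointer conversion | semmle.label | array to pointer conversion |
+| test.cpp:162:16:162:19 | temp indirection | semmle.label | temp indirection |
+| test.cpp:165:24:165:24 | x | semmle.label | x |
+| test.cpp:166:13:166:19 | sprintf output argument | semmle.label | sprintf output argument |
+| test.cpp:166:44:166:48 | array to pointer conversion | semmle.label | array to pointer conversion |
+| test.cpp:166:44:166:48 | temp2 indirection | semmle.label | temp2 indirection |
+| test.cpp:166:44:166:48 | temp2 indirection | semmle.label | temp2 indirection |
+| test.cpp:168:10:168:16 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:168:10:168:16 | command indirection | semmle.label | command indirection |
+| test.cpp:168:10:168:16 | command indirection | semmle.label | command indirection |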

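--- a/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/test.cpp
@@ -120,6 +120,55 @@ void test11(FILE *f) {
 system(("mv " + path).data());
 }
 
+int atoi(char *);
+
+void test12(FILE *f) {
+char temp[10];
+char command[1000];
+
+fread(temp, 1, 10, f);
+
+int x = atoi(temp);
+sprintf(command, "tail -n %d foo.log", x);
+system(command); // GOOD: the user string was converted to an integer and back
+}
+
+void test13(FILE *f) {
+char str[1000];
+char command[1000];
+
+fread(str, 1, 1000, f);
+
+sprintf(command, "echo %s", str);
+system(command); // BAD: the user string was printed into the command with the %s specifier
+}
+
+void test14(FILE *f) {
+char str[1000];
+char command[1000];
+
+fread(str, 1, 1000, f);
+
+sprintf(command, "echo %p", str);
+system(command); // GOOD: the user string's address was printed into the command with the %p specifier
+}
+
+void test15(FILE *f) {
+char temp[10];
+char command[1000];
+
+fread(temp, 1, 10, f);
+
+int x = atoi(temp);
+
+char temp2[10];
+sprintf(temp2, "%d", x);
+sprintf(command, "tail -n %s foo.log", temp2);
+
+system(command); // GOOD: the user string was converted to an integer and back
+}
+
+
 // TODO: test for call context sensitivity at concatenation site
 
 // open question: do we want to report certain sources even when they're the start of the string?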
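Review bot: The comment on `system(command)` in test15 says GOOD, but the ExecTainted.expected added in the same commit lists a `#select` row at test.cpp:168:10:168:16 whose path runs `call to atoi` → `temp2 indirection` → `sprintf output argument`, so the query does report this case; either the comment should record that, e.g. `system(command); // GOOD [FALSE POSITIVE]: the integer was formatted back into temp2 before concatenation`, or the expected row is wrong. The `%d` variant in test12 (line 133) is correctly absent from `#select`, so the difference appears to be that test15 formats the integer into a `char` buffer and then concatenates it via `%s`, which the sprintf taint step presumably cannot distinguish from the raw user string. As a fixture nit, `char temp2[10]` is one byte short for the longest `%d` output (`-2147483648` plus the terminator), and `fread(temp, 1, 10, f)` fills `temp` completely so `atoi(temp)` can read past its end; neither affects the query result, but both are undefined behaviour in the sample.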
