

Commit 783ce48

committed
C++: Add test cases for ZMQ summary models.
1 parent 1264e6e commit 783ce48

4 files changed

Lines changed: 80 additions & 3 deletions


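--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/ZMQ.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/ZMQ.qll
@@ -32,5 +32,3 @@ private class ZmqSinks extends SinkModelCsv {
 ]
 }
 }
-
-// TODO: flow into / through zmq_msg_data ?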

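--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -8223,3 +8223,50 @@ WARNING: Module TaintTracking has been deprecated and may be removed in future (
 | vector.cpp:531:9:531:10 | it | vector.cpp:531:8:531:8 | call to operator* | TAINT |
 | vector.cpp:532:8:532:9 | ref arg vs | vector.cpp:533:2:533:2 | vs | |
 | vector.cpp:532:8:532:9 | vs | vector.cpp:532:10:532:10 | call to operator[] | TAINT |
+| zmq.cpp:17:21:17:26 | socket | zmq.cpp:17:21:17:26 | socket | |
+| zmq.cpp:17:35:17:46 | message_data | zmq.cpp:17:35:17:46 | message_data | |
+| zmq.cpp:17:35:17:46 | message_data | zmq.cpp:20:35:20:46 | message_data | |
+| zmq.cpp:17:35:17:46 | message_data | zmq.cpp:25:3:25:14 | message_data | |
+| zmq.cpp:17:35:17:46 | message_data | zmq.cpp:26:8:26:19 | message_data | |
+| zmq.cpp:17:35:17:46 | message_data | zmq.cpp:28:35:28:46 | message_data | |
+| zmq.cpp:17:56:17:66 | message_len | zmq.cpp:20:49:20:59 | message_len | |
+| zmq.cpp:17:56:17:66 | message_len | zmq.cpp:28:49:28:59 | message_len | |
+| zmq.cpp:18:13:18:19 | message | zmq.cpp:20:26:20:32 | message | |
+| zmq.cpp:18:13:18:19 | message | zmq.cpp:21:10:21:16 | message | |
+| zmq.cpp:18:13:18:19 | message | zmq.cpp:22:24:22:30 | message | |
+| zmq.cpp:18:13:18:19 | message | zmq.cpp:28:26:28:32 | message | |
+| zmq.cpp:18:13:18:19 | message | zmq.cpp:29:10:29:16 | message | |
+| zmq.cpp:18:13:18:19 | message | zmq.cpp:30:24:30:30 | message | |
+| zmq.cpp:20:25:20:32 | ref arg & ... | zmq.cpp:20:26:20:32 | message [inner post update] | |
+| zmq.cpp:20:25:20:32 | ref arg & ... | zmq.cpp:21:10:21:16 | message | |
+| zmq.cpp:20:25:20:32 | ref arg & ... | zmq.cpp:22:24:22:30 | message | |
+| zmq.cpp:20:25:20:32 | ref arg & ... | zmq.cpp:28:26:28:32 | message | |
+| zmq.cpp:20:25:20:32 | ref arg & ... | zmq.cpp:29:10:29:16 | message | |
+| zmq.cpp:20:25:20:32 | ref arg & ... | zmq.cpp:30:24:30:30 | message | |
+| zmq.cpp:20:26:20:32 | message | zmq.cpp:20:25:20:32 | & ... | |
+| zmq.cpp:20:35:20:46 | ref arg message_data | zmq.cpp:17:35:17:46 | message_data | |
+| zmq.cpp:20:35:20:46 | ref arg message_data | zmq.cpp:25:3:25:14 | message_data | |
+| zmq.cpp:20:35:20:46 | ref arg message_data | zmq.cpp:26:8:26:19 | message_data | |
+| zmq.cpp:20:35:20:46 | ref arg message_data | zmq.cpp:28:35:28:46 | message_data | |
+| zmq.cpp:22:23:22:30 | ref arg & ... | zmq.cpp:22:24:22:30 | message [inner post update] | |
+| zmq.cpp:22:23:22:30 | ref arg & ... | zmq.cpp:28:26:28:32 | message | |
+| zmq.cpp:22:23:22:30 | ref arg & ... | zmq.cpp:29:10:29:16 | message | |
+| zmq.cpp:22:23:22:30 | ref arg & ... | zmq.cpp:30:24:30:30 | message | |
+| zmq.cpp:22:24:22:30 | message | zmq.cpp:22:23:22:30 | & ... | |
+| zmq.cpp:25:3:25:14 | message_data | zmq.cpp:25:3:25:17 | access to array | TAINT |
+| zmq.cpp:25:3:25:17 | access to array [post update] | zmq.cpp:17:35:17:46 | message_data | |
+| zmq.cpp:25:3:25:17 | access to array [post update] | zmq.cpp:25:3:25:14 | message_data [inner post update] | |
+| zmq.cpp:25:3:25:17 | access to array [post update] | zmq.cpp:26:8:26:19 | message_data | |
+| zmq.cpp:25:3:25:17 | access to array [post update] | zmq.cpp:28:35:28:46 | message_data | |
+| zmq.cpp:25:3:25:28 | ... = ... | zmq.cpp:25:3:25:17 | access to array [post update] | |
+| zmq.cpp:25:16:25:16 | 0 | zmq.cpp:25:3:25:17 | access to array | TAINT |
+| zmq.cpp:25:21:25:26 | call to source | zmq.cpp:25:3:25:28 | ... = ... | |
+| zmq.cpp:26:8:26:19 | ref arg message_data | zmq.cpp:17:35:17:46 | message_data | |
+| zmq.cpp:26:8:26:19 | ref arg message_data | zmq.cpp:28:35:28:46 | message_data | |
+| zmq.cpp:28:25:28:32 | ref arg & ... | zmq.cpp:28:26:28:32 | message [inner post update] | |
+| zmq.cpp:28:25:28:32 | ref arg & ... | zmq.cpp:29:10:29:16 | message | |
+| zmq.cpp:28:25:28:32 | ref arg & ... | zmq.cpp:30:24:30:30 | message | |
+| zmq.cpp:28:26:28:32 | message | zmq.cpp:28:25:28:32 | & ... | |
+| zmq.cpp:28:35:28:46 | ref arg message_data | zmq.cpp:17:35:17:46 | message_data | |
+| zmq.cpp:30:23:30:30 | ref arg & ... | zmq.cpp:30:24:30:30 | message [inner post update] | |
+| zmq.cpp:30:24:30:30 | message | zmq.cpp:30:23:30:30 | & ... | |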
Lines changed: 32 additions & 0 deletions
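--- /dev/null
+++ b/zmq.cpp
@@ -0,0 +1,32 @@
+
+int source();
+void sink(...);
+
+// --- ZMC networking library ---
+
+typedef unsigned long size_t;
+
+struct zmq_msg_t {
+// ...
+};
+typedef void (*zmq_free_fn)();
+
+int zmq_msg_init_data(zmq_msg_t *msg, void *data, size_t size, zmq_free_fn *ffn, void *hint);
+void *zmq_msg_data(zmq_msg_t *msg);
+
+void test_zmc(void *socket, char *message_data, size_t message_len) {
+zmq_msg_t message;
+
+if (zmq_msg_init_data(&message, message_data, message_len, 0, 0)) {
+sink(message); // $ SPURIOUS: ast
+sink(zmq_msg_data(&message));
+}
+
+message_data[0] = source();
+sink(message_data); // $ ast,ir
+
+if (zmq_msg_init_data(&message, message_data, message_len, 0, 0)) {
+sink(message); // $ ast MISSING: ir
+sink(zmq_msg_data(&message)); // $ MISSING: ast,ir
+}
+}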
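Review bot: The stub prototype on line 14 leaves undocumented the property that the MISSING markers on lines 29–30 depend on: in libzmq, zmq_msg_init_data() takes ownership of the caller's buffer without copying it (ffn releases it later), which is why taint on `message_data` is expected to reach `message` and `zmq_msg_data(&message)`, and why the `// TODO: flow into / through zmq_msg_data ?` note this commit deletes from ZMQ.qll is now only implied by the test. A comment above the prototype, `// zero-copy: the message keeps a pointer to data until ffn frees it, so taint on data should reach msg and zmq_msg_data(msg)`, would record that, and a one-line pointer to this test in ZMQ.qll in place of the removed TODO would keep the gap visible from the model side. Two style points: `// --- ZMC networking library ---` and the name `test_zmc` read as typos for ZMQ (the file and the model both say zmq), and `typedef void (*zmq_free_fn)();` makes the `zmq_free_fn *ffn` parameter a pointer to a function pointer, whereas zmq.h declares zmq_free_fn as a function type — harmless for a name-and-position model, but it will diverge if the model is ever keyed on parameter types. One more caveat: zmq_msg_init_data() returns 0 on success, so the sinks on lines 21–22 and 29–30 sit in the failure branch; local flow here is path-insensitive so the results are unaffected, but a reader comparing with tests2.cpp may assume the opposite.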

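--- a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests2.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests2.cpp
@@ -140,7 +140,7 @@ void test_zmq(void *remoteSocket)
 }
 
 // send as message
-if (zmq_msg_init_data(&message, message_data, message_len, 0, 0)) {
+if (zmq_msg_init_data(&message, message_data, message_len, 0, 0)) { // (detected here)
 if (zmq_sendmsg(remoteSocket, &message, message_len)) { // BAD: outputs HOME environment variable (detected above)
 // ...
 }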
