C++: more tests for command injection

Robert Marsh · Robert Marsh · commit 8f4df8603a04 · 2021-09-15T10:55:49.000-07:00
diff --git a/cpp/ql/test/include/iterator.h b/cpp/ql/test/include/iterator.h
@@ -0,0 +1,97 @@
+#if !defined(CODEQL_ITERATOR_H)
+#define CODEQL_ITERATOR_H
+
+typedef unsigned long size_t;
+
+#include "type_traits.h"
+
+namespace std {
+	struct ptrdiff_t;
+
+	template<class I> struct iterator_traits;
+
+	template <class Category,
+			  class value_type,
+			  class difference_type = ptrdiff_t,
+			  class pointer_type = value_type*,
+			  class reference_type = value_type&>
+	struct iterator {
+		typedef Category iterator_category;
+
+		iterator();
+		iterator(iterator<Category, remove_const_t<value_type> > const &other); // non-const -> const conversion constructor
+
+		iterator &operator++();
+		iterator operator++(int);
+		iterator &operator--();
+		iterator operator--(int);
+		bool operator==(iterator other) const;
+		bool operator!=(iterator other) const;
+		reference_type operator*() const;
+		pointer_type operator->() const;
+		iterator operator+(int);
+		iterator operator-(int);
+		iterator &operator+=(int);
+		iterator &operator-=(int);
+		int operator-(iterator);
+		reference_type operator[](int);
+	};
+
+	struct input_iterator_tag {};
+	struct forward_iterator_tag : public input_iterator_tag {};
+	struct bidirectional_iterator_tag : public forward_iterator_tag {};
+	struct random_access_iterator_tag : public bidirectional_iterator_tag {};
+
+	struct output_iterator_tag {};
+
+	template<class Container>
+	class back_insert_iterator {
+	protected:
+		Container* container = nullptr;
+	public:
+		using iterator_category = output_iterator_tag;
+		using value_type = void;
+		using difference_type = ptrdiff_t;
+		using pointer = void;
+		using reference = void;
+		using container_type = Container;
+		constexpr back_insert_iterator() noexcept = default;
+		constexpr explicit back_insert_iterator(Container& x);
+		back_insert_iterator& operator=(const typename Container::value_type& value);
+		back_insert_iterator& operator=(typename Container::value_type&& value);
+		back_insert_iterator& operator*();
+		back_insert_iterator& operator++();
+		back_insert_iterator operator++(int);
+	};
+
+	template<class Container>
+	constexpr back_insert_iterator<Container> back_inserter(Container& x) {
+		return back_insert_iterator<Container>(x);
+	}
+
+	template<class Container>
+	class front_insert_iterator {
+	protected:
+		Container* container = nullptr;
+	public:
+		using iterator_category = output_iterator_tag;
+		using value_type = void;
+		using difference_type = ptrdiff_t;
+		using pointer = void;
+		using reference = void;
+		using container_type = Container;
+		constexpr front_insert_iterator() noexcept = default;
+		constexpr explicit front_insert_iterator(Container& x);
+		constexpr front_insert_iterator& operator=(const typename Container::value_type& value);
+		constexpr front_insert_iterator& operator=(typename Container::value_type&& value);
+		constexpr front_insert_iterator& operator*();
+		constexpr front_insert_iterator& operator++();
+		constexpr front_insert_iterator operator++(int);
+	};
+	template<class Container>
+	constexpr front_insert_iterator<Container> front_inserter(Container& x) {
+		return front_insert_iterator<Container>(x);
+	}
+}
+
+#endif
diff --git a/cpp/ql/test/include/string.h b/cpp/ql/test/include/string.h
@@ -0,0 +1,84 @@
+#if !defined(CODEQL_STRING_H)
+#define CODEQL_STRING_H
+
+#include "iterator.h"
+
+namespace std
+{
+	template<class charT> struct char_traits;
+
+	typedef size_t streamsize;
+
+	template <class T> class allocator {
+	public:
+		allocator() throw();
+		typedef size_t size_type;
+	};
+
+	template<class charT, class traits = char_traits<charT>, class Allocator = allocator<charT> >
+	class basic_string {
+	public:
+		using value_type = charT;
+		using reference = value_type&;
+		using const_reference = const value_type&;
+		typedef typename Allocator::size_type size_type;
+		static const size_type npos = -1;
+
+		explicit basic_string(const Allocator& a = Allocator());
+		basic_string(const charT* s, const Allocator& a = Allocator());
+		template<class InputIterator> basic_string(InputIterator begin, InputIterator end, const Allocator& a = Allocator());
+
+		const charT* c_str() const;
+		charT* data() noexcept;
+		size_t length() const;
+
+		typedef std::iterator<random_access_iterator_tag, charT> iterator;
+		typedef std::iterator<random_access_iterator_tag, const charT> const_iterator;
+
+		iterator begin();
+		iterator end();
+		const_iterator begin() const;
+		const_iterator end() const;
+		const_iterator cbegin() const;
+		const_iterator cend() const;
+
+		void push_back(charT c);
+
+		const charT& front() const;
+		charT& front();
+		const charT& back() const;
+		charT& back();
+
+		const_reference operator[](size_type pos) const;
+		reference operator[](size_type pos);
+		const_reference at(size_type n) const;
+		reference at(size_type n);
+		template<class T> basic_string& operator+=(const T& t);
+		basic_string& operator+=(const charT* s);
+		basic_string& append(const basic_string& str);
+		basic_string& append(const charT* s);
+		basic_string& append(size_type n, charT c);
+		template<class InputIterator> basic_string& append(InputIterator first, InputIterator last); 
+		basic_string& assign(const basic_string& str);
+		basic_string& assign(size_type n, charT c);
+		template<class InputIterator> basic_string& assign(InputIterator first, InputIterator last);
+		basic_string& insert(size_type pos, const basic_string& str);
+		basic_string& insert(size_type pos, size_type n, charT c);
+		basic_string& insert(size_type pos, const charT* s);
+		iterator insert(const_iterator p, size_type n, charT c);
+		template<class InputIterator> iterator insert(const_iterator p, InputIterator first, InputIterator last); 
+		basic_string& replace(size_type pos1, size_type n1, const basic_string& str);
+		basic_string& replace(size_type pos1, size_type n1, size_type n2, charT c);
+		size_type copy(charT* s, size_type n, size_type pos = 0) const;
+		void clear() noexcept;
+		basic_string substr(size_type pos = 0, size_type n = npos) const;
+		void swap(basic_string& s) noexcept/*(allocator_traits<Allocator>::propagate_on_container_swap::value || allocator_traits<Allocator>::is_always_equal::value)*/;
+	};
+
+	template<class charT, class traits, class Allocator> basic_string<charT, traits, Allocator> operator+(const basic_string<charT, traits, Allocator>& lhs, const basic_string<charT, traits, Allocator>& rhs);
+	template<class charT, class traits, class Allocator> basic_string<charT, traits, Allocator> operator+(const basic_string<charT, traits, Allocator>& lhs, const charT* rhs);
+
+	typedef basic_string<char> string;
+}
+
+#endif
diff --git a/cpp/ql/test/include/type_traits.h b/cpp/ql/test/include/type_traits.h
@@ -2,20 +2,41 @@
 #define CODEQL_TYPE_TRAITS_H
 
 namespace std {
-    template<typename T>
-    struct remove_reference {
-        typedef T type;
-    };
+    template<class T>
+    struct remove_const { typedef T type; };
+
+    template<class T>
+    struct remove_const<const T> { typedef T type; };
+
+    // `remove_const_t<T>` removes any `const` specifier from `T`
+    template<class T>
+    using remove_const_t = typename remove_const<T>::type;
+
+    template<class T>
+    struct remove_reference { typedef T type; };
 
-    template<typename T>
-    struct remove_reference<T&> {
+    template<class T>
+    struct remove_reference<T &> { typedef T type; };
+
+    template<class T>
+    struct remove_reference<T &&> { typedef T type; };
+
+    // `remove_reference_t<T>` removes any `&` from `T`
+    template<class T>
+    using remove_reference_t = typename remove_reference<T>::type;
+
+    template<class T>
+    struct decay_impl {
         typedef T type;
     };
 
-    template<typename T>
-    struct remove_reference<T&&> {
-        typedef T type;
+    template<class T, size_t t_size>
+    struct decay_impl<T[t_size]> {
+        typedef T* type;
     };
+
+    template<class T>
+    using decay_t = typename decay_impl<remove_reference_t<T>>::type;
 }
 
 #endif
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/test.c b/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/test.c
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/test.cpp
@@ -0,0 +1,100 @@
+// Semmle test case for rule ExecTainted.ql (Uncontrolled data used in OS command)
+// Associated with CWE-078: OS Command Injection. http://cwe.mitre.org/data/definitions/78.html
+
+///// Library routines /////
+
+int sprintf(char *s, const char *format, ...);
+int system(const char *string);
+
+char *getenv(char *var);
+
+extern void encodeShellString(char *shellStr, int maxChars, const char* cStr);
+#include "../../../../../../include/string.h"
+///// Test code /////
+
+int main(int argc, char** argv) {
+  char *userName = argv[2];
+  
+  {
+    // BAD: a string from the user is injected directly into
+    // a command.
+    char command1[1000] = {0};
+    sprintf(command1, "userinfo -v \"%s\"", userName);
+    system(command1);
+  }
+
+  {  
+    // GOOD: the user string is encoded by a library routine.
+    char userNameQuoted[1000] = {0};
+    encodeShellString(userNameQuoted, 1000, userName); 
+    char command2[1000] = {0};
+    sprintf(command2, "userinfo -v %s", userNameQuoted);
+    system(command2);
+  }
+}
+
+void test2(char* arg2) {
+  // GOOD?: the user string is the *first* part of the command, like $CC in many environments
+  char *envCC = getenv("CC");
+  
+  char command[1000];
+  sprintf("%s %s", envCC, arg2);
+  system(command);
+}
+
+void test3(char* arg1) {
+  // GOOD?: the user string is a `$CFLAGS` environment variable
+  char *envCflags = getenv("CFLAGS");
+  
+  char command[1000];
+  sprintf(command, "%s %s", arg1, envCflags);
+  system(command);
+}
+
+typedef unsigned long size_t;
+typedef void FILE;
+size_t fread(void *ptr, size_t size, size_t nmemb, FILE *stream);
+char *strncat(char *s1, const char *s2, size_t n);
+
+void test4(FILE *f) {
+  // BAD: the user string is injected directly into a command
+  char command[1000] = "mv ", filename[1000];
+  fread(filename, 1, 1000, f);
+
+  strncat(command, filename, 1000);
+  system(command);
+}
+
+void test5(FILE *f) {
+  // GOOD?: the user string is the start of a command
+  char command[1000], filename[1000] = " test.txt";
+  fread(command, 1, 1000, f);
+
+  strncat(command, filename, 1000);
+  system(command);
+}
+
+int execl(char *path, char *arg1, ...);
+
+void test6(FILE *f) {
+  // BAD: the user string is injected directly into a command
+  char command[1000] = "mv ", filename[1000];
+  fread(filename, 1, 1000, f);
+
+  strncat(command, filename, 1000);
+  execl("/bin/sh", "sh", "-c", command);
+}
+
+void test7(FILE *f) {
+  // GOOD [FALSE POSITIVE]: the user string is a positional argument to a shell script
+  char path[1000] = "/home/me/", filename[1000];
+  fread(filename, 1, 1000, f);
+
+  strncat(path, filename, 1000);
+  execl("/bin/sh", "sh", "-c", "script.sh", path);
+}
+
+// TODO: concatenations via operator+, more sinks, test for call context sensitivity at
+// concatenation site
+
+// open question: do we want to report certain sources even when they're the start of the string?
