
Commit 459870a

committed
C++: Add additional command line injection tests
1 parent 8bf1729 commit 459870a


2 files changed

+87
-0
lines changed


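--- a/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected
@@ -35,6 +35,38 @@ edges
 | test.cpp:142:11:142:17 | sprintf output argument | test.cpp:143:10:143:16 | command indirection |
 | test.cpp:142:31:142:33 | str indirection | test.cpp:142:11:142:17 | sprintf output argument |
 | test.cpp:142:31:142:33 | str indirection | test.cpp:142:11:142:17 | sprintf output argument |
+| test.cpp:174:9:174:16 | fread output argument | test.cpp:177:20:177:27 | filename indirection |
+| test.cpp:174:9:174:16 | fread output argument | test.cpp:178:22:178:26 | flags indirection |
+| test.cpp:174:9:174:16 | fread output argument | test.cpp:180:22:180:29 | filename indirection |
+| test.cpp:177:13:177:17 | strncat output argument | test.cpp:183:32:183:38 | command indirection |
+| test.cpp:177:20:177:27 | filename indirection | test.cpp:177:13:177:17 | strncat output argument |
+| test.cpp:177:20:177:27 | filename indirection | test.cpp:177:13:177:17 | strncat output argument |
+| test.cpp:178:13:178:19 | strncat output argument | test.cpp:183:32:183:38 | command indirection |
+| test.cpp:178:22:178:26 | flags indirection | test.cpp:178:13:178:19 | strncat output argument |
+| test.cpp:178:22:178:26 | flags indirection | test.cpp:178:13:178:19 | strncat output argument |
+| test.cpp:180:13:180:19 | strncat output argument | test.cpp:183:32:183:38 | command indirection |
+| test.cpp:180:22:180:29 | filename indirection | test.cpp:180:13:180:19 | strncat output argument |
+| test.cpp:180:22:180:29 | filename indirection | test.cpp:180:13:180:19 | strncat output argument |
+| test.cpp:186:53:186:60 | *filename | test.cpp:187:18:187:25 | filename indirection |
+| test.cpp:186:53:186:60 | *filename | test.cpp:188:20:188:24 | flags indirection |
+| test.cpp:186:53:186:60 | filename | test.cpp:187:18:187:25 | filename indirection |
+| test.cpp:186:53:186:60 | filename | test.cpp:188:20:188:24 | flags indirection |
+| test.cpp:187:11:187:15 | strncat output argument | test.cpp:188:11:188:17 | command [post update] |
+| test.cpp:187:11:187:15 | strncat output argument | test.cpp:188:11:188:17 | command [post update] |
+| test.cpp:187:18:187:25 | filename indirection | test.cpp:187:11:187:15 | strncat output argument |
+| test.cpp:187:18:187:25 | filename indirection | test.cpp:187:11:187:15 | strncat output argument |
+| test.cpp:188:11:188:17 | command [post update] | test.cpp:188:11:188:17 | command [post update] |
+| test.cpp:188:11:188:17 | command [post update] | test.cpp:196:16:196:22 | command [post update] |
+| test.cpp:188:11:188:17 | command [post update] | test.cpp:196:16:196:22 | command [post update] |
+| test.cpp:188:11:188:17 | strncat output argument | test.cpp:188:11:188:17 | command [post update] |
+| test.cpp:188:11:188:17 | strncat output argument | test.cpp:188:11:188:17 | command [post update] |
+| test.cpp:188:20:188:24 | flags indirection | test.cpp:188:11:188:17 | strncat output argument |
+| test.cpp:188:20:188:24 | flags indirection | test.cpp:188:11:188:17 | strncat output argument |
+| test.cpp:194:9:194:16 | fread output argument | test.cpp:196:32:196:39 | filename |
+| test.cpp:194:9:194:16 | fread output argument | test.cpp:196:32:196:39 | filename indirection |
+| test.cpp:196:16:196:22 | command [post update] | test.cpp:198:32:198:38 | command indirection |
+| test.cpp:196:32:196:39 | filename | test.cpp:186:53:186:60 | filename |
+| test.cpp:196:32:196:39 | filename indirection | test.cpp:186:53:186:60 | *filename |
 nodes
 | test.cpp:16:20:16:23 | argv | semmle.label | argv |
 | test.cpp:22:13:22:20 | sprintf output argument | semmle.label | sprintf output argument |
@@ -72,6 +104,27 @@ nodes
 | test.cpp:142:11:142:17 | sprintf output argument | semmle.label | sprintf output argument |
 | test.cpp:142:31:142:33 | str indirection | semmle.label | str indirection |
 | test.cpp:143:10:143:16 | command indirection | semmle.label | command indirection |
+| test.cpp:174:9:174:16 | fread output argument | semmle.label | fread output argument |
+| test.cpp:177:13:177:17 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:177:20:177:27 | filename indirection | semmle.label | filename indirection |
+| test.cpp:178:13:178:19 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:178:22:178:26 | flags indirection | semmle.label | flags indirection |
+| test.cpp:180:13:180:19 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:180:22:180:29 | filename indirection | semmle.label | filename indirection |
+| test.cpp:183:32:183:38 | command indirection | semmle.label | command indirection |
+| test.cpp:186:53:186:60 | *filename | semmle.label | *filename |
+| test.cpp:186:53:186:60 | filename | semmle.label | filename |
+| test.cpp:187:11:187:15 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:187:18:187:25 | filename indirection | semmle.label | filename indirection |
+| test.cpp:188:11:188:17 | command [post update] | semmle.label | command [post update] |
+| test.cpp:188:11:188:17 | command [post update] | semmle.label | command [post update] |
+| test.cpp:188:11:188:17 | strncat output argument | semmle.label | strncat output argument |
+| test.cpp:188:20:188:24 | flags indirection | semmle.label | flags indirection |
+| test.cpp:194:9:194:16 | fread output argument | semmle.label | fread output argument |
+| test.cpp:196:16:196:22 | command [post update] | semmle.label | command [post update] |
+| test.cpp:196:32:196:39 | filename | semmle.label | filename |
+| test.cpp:196:32:196:39 | filename indirection | semmle.label | filename indirection |
+| test.cpp:198:32:198:38 | command indirection | semmle.label | command indirection |
 subpaths
 #select
 | test.cpp:23:12:23:19 | command1 | test.cpp:16:20:16:23 | argv | test.cpp:23:12:23:19 | command1 indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string) | test.cpp:16:20:16:23 | argv | user input (a command-line argument) | test.cpp:22:13:22:20 | sprintf output argument | sprintf output argument |
@@ -83,3 +136,8 @@ subpaths
 | test.cpp:114:25:114:29 | call to c_str | test.cpp:113:20:113:25 | call to getenv | test.cpp:114:25:114:29 | call to c_str indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string) | test.cpp:113:20:113:25 | call to getenv | user input (an environment variable) | test.cpp:114:17:114:17 | Call | Call |
 | test.cpp:120:25:120:28 | call to data | test.cpp:119:20:119:25 | call to getenv | test.cpp:120:10:120:30 | call to data indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string) | test.cpp:119:20:119:25 | call to getenv | user input (an environment variable) | test.cpp:120:17:120:17 | Call | Call |
 | test.cpp:143:10:143:16 | command | test.cpp:140:9:140:11 | fread output argument | test.cpp:143:10:143:16 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string) | test.cpp:140:9:140:11 | fread output argument | user input (String read by fread) | test.cpp:142:11:142:17 | sprintf output argument | sprintf output argument |
+| test.cpp:183:32:183:38 | command | test.cpp:174:9:174:16 | fread output argument | test.cpp:183:32:183:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl | test.cpp:174:9:174:16 | fread output argument | user input (String read by fread) | test.cpp:177:13:177:17 | strncat output argument | strncat output argument |
+| test.cpp:183:32:183:38 | command | test.cpp:174:9:174:16 | fread output argument | test.cpp:183:32:183:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl | test.cpp:174:9:174:16 | fread output argument | user input (String read by fread) | test.cpp:178:13:178:19 | strncat output argument | strncat output argument |
+| test.cpp:183:32:183:38 | command | test.cpp:174:9:174:16 | fread output argument | test.cpp:183:32:183:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl | test.cpp:174:9:174:16 | fread output argument | user input (String read by fread) | test.cpp:180:13:180:19 | strncat output argument | strncat output argument |
+| test.cpp:198:32:198:38 | command | test.cpp:194:9:194:16 | fread output argument | test.cpp:198:32:198:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl | test.cpp:194:9:194:16 | fread output argument | user input (String read by fread) | test.cpp:187:11:187:15 | strncat output argument | strncat output argument |
+| test.cpp:198:32:198:38 | command | test.cpp:194:9:194:16 | fread output argument | test.cpp:198:32:198:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl | test.cpp:194:9:194:16 | fread output argument | user input (String read by fread) | test.cpp:188:11:188:17 | strncat output argument | strncat output argument |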

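--- a/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/test.cpp
@@ -168,6 +168,35 @@ void test15(FILE *f) {
 system(command); // GOOD: the user string was converted to an integer and back
 }
 
+void test16(FILE *f, bool use_flags) {
+// BAD: the user string is injected directly into a command
+char command[1000] = "mv ", flags[1000] = "-R", filename[1000];
+fread(filename, 1, 1000, f);
+
+if (use_flags) {
+strncat(flags, filename, 1000);
+strncat(command, flags, 1000);
+} else {
+strncat(command, filename, 1000);
+}
+
+execl("/bin/sh", "sh", "-c", command);
+}
+
+void test17_inner(char *command, char *flags, char *filename) {
+strncat(flags, filename, 1000);
+strncat(command, flags, 1000);
+}
+
+void test17(FILE *f) {
+// BAD: the user string is injected directly into a command
+char command[1000] = "mv ", flags[1000] = "-R", filename[1000];
+fread(filename, 1, 1000, f);
+
+test17_inner(command, flags, filename);
+
+execl("/bin/sh", "sh", "-c", command);
+}
 
 // TODO: test for call context sensitivity at concatenation site
 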
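Review bot: The execl() calls at new lines 183 and 198 of test.cpp pass no terminating null pointer after `command`, so the variadic argument list is unterminated; execl requires the list to end with `(char *)NULL`, i.e. `execl("/bin/sh", "sh", "-c", command, (char *)NULL);` in both test16 and test17. The fixture is only analyzed, not executed, but with the sentinel in place the snippet is valid C++ and any sink model keyed on argument position still sees the same `-c command` shape. Separately, `strncat(flags, filename, 1000)` on a `flags[1000]` that already holds "-R" bounds the appended count rather than the remaining destination space, and `fread(filename, 1, 1000, f)` leaves no room for a terminator, so the fixture also models an overflow and an unterminated read; if only the injection is intended, a comment such as `// NOTE: bounds are deliberately loose; this test targets the injection, not the overflow` would stop a later reader from "fixing" the buffers and shifting every line number in ExecTainted.expected.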
