C++: Add ad-hoc SAMATE Juliet test cases (that were previously internal). Directory structures cleaned up in a few places.

Author: geoffw0

cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp

@@ -0,0 +1,164 @@
+/**
+ * This test case is closely based on CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp
+ * from the SAMATE test suite.
+ */
+
+#define NULL (0)
+
+typedef size_t time_t;
+time_t time(time_t *timer);
+void srand(unsigned int seed);
+
+typedef struct {} FILE;
+extern FILE *stdin;
+FILE *fopen(const char *filename, const char *mode);
+int fclose(FILE *stream);
+#define FILENAME_MAX (4096)
+
+typedef unsigned long size_t;
+size_t strlen(const char *s);
+char *strcat(char *s1, const char *s2);
+char *fgets(char *s, int n, FILE *stream);
+
+int globalReturnsTrue() 
+{
+    return 1;
+}
+
+int globalReturnsFalse() 
+{
+    return 0;
+}
+
+void printLine(const char *str);
+
+#define BASEPATH "c:\\temp\\"
+#define FOPEN fopen
+
+namespace CWE23_Relative_Path_Traversal__char_console_fopen_11
+{
+
+void bad()
+{
+    char * data;
+    char dataBuffer[FILENAME_MAX] = BASEPATH;
+    data = dataBuffer;
+    if(globalReturnsTrue())
+    {
+        {
+            /* Read input from the console */
+            size_t dataLen = strlen(data);
+            /* if there is room in data, read into it from the console */
+            if (FILENAME_MAX-dataLen > 1)
+            {
+                /* POTENTIAL FLAW: Read data from the console */
+                if (fgets(data+dataLen, (int)(FILENAME_MAX-dataLen), stdin) != NULL)
+                {
+                    /* The next few lines remove the carriage return from the string that is
+                     * inserted by fgets() */
+                    dataLen = strlen(data);
+                    if (dataLen > 0 && data[dataLen-1] == '\n')
+                    {
+                        data[dataLen-1] = '\0';
+                    }
+                }
+                else
+                {
+                    printLine("fgets() failed");
+                    /* Restore NUL terminator if fgets fails */
+                    data[dataLen] = '\0';
+                }
+            }
+        }
+    }
+    {
+        FILE *pFile = NULL;
+        /* POTENTIAL FLAW: Possibly opening a file without validating the file name or path */
+        pFile = FOPEN(data, "wb+");
+        if (pFile != NULL)
+        {
+            fclose(pFile);
+        }
+    }
+}
+
+/* goodG2B1() - use goodsource and badsink by changing the globalReturnsTrue() to globalReturnsFalse() */
+static void goodG2B1()
+{
+    char * data;
+    char dataBuffer[FILENAME_MAX] = BASEPATH;
+    data = dataBuffer;
+    if(globalReturnsFalse())
+    {
+        /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
+        printLine("Benign, fixed string");
+    }
+    else
+    {
+        /* FIX: Use a fixed file name */
+        strcat(data, "file.txt");
+    }
+    {
+        FILE *pFile = NULL;
+        /* POTENTIAL FLAW: Possibly opening a file without validating the file name or path */
+        pFile = FOPEN(data, "wb+");
+        if (pFile != NULL)
+        {
+            fclose(pFile);
+        }
+    }
+}
+
+/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
+static void goodG2B2()
+{
+    char * data;
+    char dataBuffer[FILENAME_MAX] = BASEPATH;
+    data = dataBuffer;
+    if(globalReturnsTrue())
+    {
+        /* FIX: Use a fixed file name */
+        strcat(data, "file.txt");
+    }
+    {
+        FILE *pFile = NULL;
+        /* POTENTIAL FLAW: Possibly opening a file without validating the file name or path */
+        pFile = FOPEN(data, "wb+");
+        if (pFile != NULL)
+        {
+            fclose(pFile);
+        }
+    }
+}
+
+void good()
+{
+    goodG2B1();
+    goodG2B2();
+}
+
+} /* close namespace */
+
+/* Below is the main(). It is only used when building this testcase on
+   its own for testing or for building a binary to use in testing binary
+   analysis tools. It is not used when compiling all the testcases as one
+   application, which is how source code analysis tools are tested. */
+
+using namespace CWE23_Relative_Path_Traversal__char_console_fopen_11; /* so that we can use good and bad easily */
+
+int main(int argc, char * argv[])
+{
+    /* seed randomness */
+    srand( (unsigned)time(NULL) );
+#ifndef OMITGOOD
+    printLine("Calling good()...");
+    good();
+    printLine("Finished good()");
+#endif /* OMITGOOD */
+#ifndef OMITBAD
+    printLine("Calling bad()...");
+    bad();
+    printLine("Finished bad()");
+#endif /* OMITBAD */
+    return 0;
+}

cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath.expected

@@ -0,0 +1,17 @@
+edges
+| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | ... + ... | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | (const char *)... |
+| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | ... + ... | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data |
+| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | ... + ... | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data indirection |
+| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | (const char *)... |
+| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data |
+| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data indirection |
+nodes
+| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | ... + ... | semmle.label | ... + ... |
+| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | semmle.label | fgets output argument |
+| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | (const char *)... | semmle.label | (const char *)... |
+| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | (const char *)... | semmle.label | (const char *)... |
+| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data | semmle.label | data |
+| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data indirection | semmle.label | data indirection |
+| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data indirection | semmle.label | data indirection |
+#select
+| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | ... + ... | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data | This argument to a file access function is derived from $@ and then passed to fopen(filename) | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | ... + ... | user input (fgets) |

cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath.qlref

@@ -0,0 +1 @@
+Security/CWE/CWE-022/TaintedPath.ql

cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted.expected

@@ -0,0 +1 @@
+| tests.cpp:55:16:55:19 | data | This argument to an OS command is derived from $@ and then passed to system(string) | tests.cpp:35:34:35:39 | call to getenv | user input (getenv) |

cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted.qlref

@@ -0,0 +1 @@
+Security/CWE/CWE-078/ExecTainted.ql

cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/tests.cpp

@@ -0,0 +1,58 @@
+//semmle-extractor-options: --edg --target --edg win64
+
+// A selection of tests from the samate framework for rule CWE-78.
+
+// library types, functions etc
+#define NULL (0)
+typedef unsigned long size_t;
+size_t strlen(const char *s);
+char *strncat(char *s1, const char *s2, size_t n);n);
+char *getenv(const char *name);
+int system(const char *string);
+void exit(int status);
+
+#define FULL_COMMAND "dir "
+#define ENV_VARIABLE "ADD"
+#define GETENV getenv
+#define SYSTEM system
+
+void printLine(const char *str);
+
+// ----------
+
+/* The static variable below is used to drive control flow in the source function */
+static int badStatic = 0;
+
+static char * badSource(char * data)
+{
+    if(badStatic)
+    {
+        {
+            /* Append input from an environment variable to data */
+            size_t dataLen = strlen(data);
+            char * environment = GETENV(ENV_VARIABLE);
+            /* If there is data in the environment variable */
+            if (environment != NULL)
+            {
+                /* POTENTIAL FLAW: Read data from an environment variable */
+                strncat(data+dataLen, environment, 100-dataLen-1);
+            }
+        }
+    }
+    return data;
+}
+
+void CWE78_OS_Command_Injection__char_environment_system_21_bad()
+{
+    char * data;
+    char data_buf[100] = FULL_COMMAND;
+    data = data_buf;
+    badStatic = 1; /* true */
+    data = badSource(data);
+    /* POTENTIAL FLAW: Execute command in data possibly leading to command injection [NOT DETECTED] */
+    if (SYSTEM(data) != 0)
+    {
+        printLine("command execution failed!");
+        exit(1);
+    }
+}

cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.expected

@@ -0,0 +1,30 @@
+edges
+| test.cpp:35:73:35:76 | *data | test.cpp:41:32:41:35 | (LPCSTR)... |
+| test.cpp:35:73:35:76 | *data | test.cpp:41:32:41:35 | data |
+| test.cpp:35:73:35:76 | *data | test.cpp:41:32:41:35 | data indirection |
+| test.cpp:35:73:35:76 | data | test.cpp:41:32:41:35 | (LPCSTR)... |
+| test.cpp:35:73:35:76 | data | test.cpp:41:32:41:35 | data |
+| test.cpp:35:73:35:76 | data | test.cpp:41:32:41:35 | data |
+| test.cpp:35:73:35:76 | data | test.cpp:41:32:41:35 | data indirection |
+| test.cpp:62:30:62:35 | call to getenv | test.cpp:71:17:71:22 | data |
+| test.cpp:62:30:62:35 | call to getenv | test.cpp:71:17:71:22 | data |
+| test.cpp:62:30:62:35 | call to getenv | test.cpp:71:24:71:27 | data indirection |
+| test.cpp:62:30:62:35 | call to getenv | test.cpp:71:24:71:27 | data indirection |
+| test.cpp:71:17:71:22 | data | test.cpp:35:73:35:76 | data |
+| test.cpp:71:24:71:27 | data indirection | test.cpp:35:73:35:76 | *data |
+nodes
+| test.cpp:35:73:35:76 | *data | semmle.label | *data |
+| test.cpp:35:73:35:76 | data | semmle.label | data |
+| test.cpp:41:32:41:35 | (LPCSTR)... | semmle.label | (LPCSTR)... |
+| test.cpp:41:32:41:35 | (LPCSTR)... | semmle.label | (LPCSTR)... |
+| test.cpp:41:32:41:35 | data | semmle.label | data |
+| test.cpp:41:32:41:35 | data | semmle.label | data |
+| test.cpp:41:32:41:35 | data | semmle.label | data |
+| test.cpp:41:32:41:35 | data indirection | semmle.label | data indirection |
+| test.cpp:41:32:41:35 | data indirection | semmle.label | data indirection |
+| test.cpp:62:30:62:35 | call to getenv | semmle.label | call to getenv |
+| test.cpp:62:30:62:35 | call to getenv | semmle.label | call to getenv |
+| test.cpp:71:17:71:22 | data | semmle.label | data |
+| test.cpp:71:24:71:27 | data indirection | semmle.label | data indirection |
+#select
+| test.cpp:41:32:41:35 | data | test.cpp:62:30:62:35 | call to getenv | test.cpp:41:32:41:35 | data | The value of this argument may come from $@ and is being passed to LoadLibraryA | test.cpp:62:30:62:35 | call to getenv | call to getenv |

cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.qlref

@@ -0,0 +1 @@
+Security/CWE/CWE-114/UncontrolledProcessOperation.ql