C++: Add tests for more edge cases.

geoffw0 · geoffw0 · commit 13ae15b867a2 · 2023-01-13T18:38:29.000Z
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/AuthenticationBypass.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/AuthenticationBypass.expected
@@ -17,6 +17,24 @@ edges
 | test.cpp:38:25:38:42 | (const char *)... | test.cpp:42:14:42:20 | address |
 | test.cpp:38:25:38:42 | (const char *)... | test.cpp:42:14:42:20 | address |
 | test.cpp:38:25:38:42 | (const char *)... | test.cpp:42:14:42:20 | address indirection |
+| test.cpp:49:25:49:30 | call to getenv | test.cpp:52:14:52:20 | address |
+| test.cpp:49:25:49:30 | call to getenv | test.cpp:52:14:52:20 | address |
+| test.cpp:49:25:49:30 | call to getenv | test.cpp:52:14:52:20 | address indirection |
+| test.cpp:49:25:49:30 | call to getenv | test.cpp:56:14:56:20 | address |
+| test.cpp:49:25:49:30 | call to getenv | test.cpp:56:14:56:20 | address |
+| test.cpp:49:25:49:30 | call to getenv | test.cpp:56:14:56:20 | address indirection |
+| test.cpp:49:25:49:30 | call to getenv | test.cpp:60:14:60:20 | address |
+| test.cpp:49:25:49:30 | call to getenv | test.cpp:60:14:60:20 | address |
+| test.cpp:49:25:49:30 | call to getenv | test.cpp:60:14:60:20 | address indirection |
+| test.cpp:49:25:49:42 | (const char *)... | test.cpp:52:14:52:20 | address |
+| test.cpp:49:25:49:42 | (const char *)... | test.cpp:52:14:52:20 | address |
+| test.cpp:49:25:49:42 | (const char *)... | test.cpp:52:14:52:20 | address indirection |
+| test.cpp:49:25:49:42 | (const char *)... | test.cpp:56:14:56:20 | address |
+| test.cpp:49:25:49:42 | (const char *)... | test.cpp:56:14:56:20 | address |
+| test.cpp:49:25:49:42 | (const char *)... | test.cpp:56:14:56:20 | address indirection |
+| test.cpp:49:25:49:42 | (const char *)... | test.cpp:60:14:60:20 | address |
+| test.cpp:49:25:49:42 | (const char *)... | test.cpp:60:14:60:20 | address |
+| test.cpp:49:25:49:42 | (const char *)... | test.cpp:60:14:60:20 | address indirection |
 subpaths
 nodes
 | test.cpp:16:25:16:30 | call to getenv | semmle.label | call to getenv |
@@ -34,7 +52,21 @@ nodes
 | test.cpp:42:14:42:20 | address | semmle.label | address |
 | test.cpp:42:14:42:20 | address | semmle.label | address |
 | test.cpp:42:14:42:20 | address indirection | semmle.label | address indirection |
+| test.cpp:49:25:49:30 | call to getenv | semmle.label | call to getenv |
+| test.cpp:49:25:49:42 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:52:14:52:20 | address | semmle.label | address |
+| test.cpp:52:14:52:20 | address | semmle.label | address |
+| test.cpp:52:14:52:20 | address indirection | semmle.label | address indirection |
+| test.cpp:56:14:56:20 | address | semmle.label | address |
+| test.cpp:56:14:56:20 | address | semmle.label | address |
+| test.cpp:56:14:56:20 | address indirection | semmle.label | address indirection |
+| test.cpp:60:14:60:20 | address | semmle.label | address |
+| test.cpp:60:14:60:20 | address | semmle.label | address |
+| test.cpp:60:14:60:20 | address indirection | semmle.label | address indirection |
 #select
 | test.cpp:20:7:20:12 | call to strcmp | test.cpp:16:25:16:30 | call to getenv | test.cpp:20:14:20:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:16:25:16:30 | call to getenv | call to getenv |
 | test.cpp:31:7:31:12 | call to strcmp | test.cpp:27:25:27:30 | call to getenv | test.cpp:31:14:31:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:27:25:27:30 | call to getenv | call to getenv |
 | test.cpp:42:7:42:12 | call to strcmp | test.cpp:38:25:38:30 | call to getenv | test.cpp:42:14:42:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:38:25:38:30 | call to getenv | call to getenv |
+| test.cpp:52:7:52:12 | call to strcmp | test.cpp:49:25:49:30 | call to getenv | test.cpp:52:14:52:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:49:25:49:30 | call to getenv | call to getenv |
+| test.cpp:56:7:56:12 | call to strcmp | test.cpp:49:25:49:30 | call to getenv | test.cpp:56:14:56:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:49:25:49:30 | call to getenv | call to getenv |
+| test.cpp:60:7:60:12 | call to strcmp | test.cpp:49:25:49:30 | call to getenv | test.cpp:60:14:60:20 | address | Untrusted input $@ might be vulnerable to a spoofing attack. | test.cpp:49:25:49:30 | call to getenv | call to getenv |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-290/semmle/AuthenticationBypass/test.cpp
@@ -43,3 +43,27 @@ void processRequest3()
     isServer = 1;
   }
 }
+
+void processRequest4() 
+{
+  const char *address = getenv("SERVERIP");
+  bool cond = false;
+
+  if (strcmp(address, "127.0.0.1")) { cond = true; } // BAD
+  if (strcmp(address, "127_0_0_1")) { cond = true; } // GOOD (not an IP)
+  if (strcmp(address, "127.0.0")) { cond = true; } // GOOD (not an IP)
+  if (strcmp(address, "127.0.0.0.1")) { cond = true; } // GOOD (not an IP)
+  if (strcmp(address, "http://mycompany")) { cond = true; } // BAD
+  if (strcmp(address, "http_//mycompany")) { cond = true; } // GOOD (not an address)
+  if (strcmp(address, "htt://mycompany")) { cond = true; } // GOOD (not an address)
+  if (strcmp(address, "httpp://mycompany")) { cond = true; } // GOOD (not an address)
+  if (strcmp(address, "mycompany.com")) { cond = true; } // BAD
+  if (strcmp(address, "mycompany_com")) { cond = true; } // GOOD (not an address)
+  if (strcmp(address, "mycompany.c")) { cond = true; } // GOOD (not an address)
+  if (strcmp(address, "mycompany.comm")) { cond = true; } // GOOD (not an address)
+
+  if (cond) {
+    isServer = 1;
+  }
+}
+
