C++: Move the example from the experimental CWE-089 query into a test.

Author: MathiasVP

cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/SqlTainted.expected

@@ -5,6 +5,14 @@ edges
 | test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 |
 | test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 indirection |
 | test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 indirection |
+| test.cpp:44:27:44:30 | argv | test.cpp:44:27:44:33 | (const char *)... |
+| test.cpp:44:27:44:30 | argv | test.cpp:44:27:44:33 | (const char *)... |
+| test.cpp:44:27:44:30 | argv | test.cpp:44:27:44:33 | access to array |
+| test.cpp:44:27:44:30 | argv | test.cpp:44:27:44:33 | access to array |
+| test.cpp:44:27:44:30 | argv | test.cpp:44:27:44:33 | access to array |
+| test.cpp:44:27:44:30 | argv | test.cpp:44:27:44:33 | access to array |
+| test.cpp:44:27:44:30 | argv | test.cpp:44:27:44:33 | access to array indirection |
+| test.cpp:44:27:44:30 | argv | test.cpp:44:27:44:33 | access to array indirection |
 nodes
 | test.c:15:20:15:23 | argv | semmle.label | argv |
 | test.c:15:20:15:23 | argv | semmle.label | argv |
@@ -13,5 +21,15 @@ nodes
 | test.c:21:18:21:23 | query1 | semmle.label | query1 |
 | test.c:21:18:21:23 | query1 indirection | semmle.label | query1 indirection |
 | test.c:21:18:21:23 | query1 indirection | semmle.label | query1 indirection |
+| test.cpp:44:27:44:30 | argv | semmle.label | argv |
+| test.cpp:44:27:44:30 | argv | semmle.label | argv |
+| test.cpp:44:27:44:33 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:44:27:44:33 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:44:27:44:33 | access to array | semmle.label | access to array |
+| test.cpp:44:27:44:33 | access to array | semmle.label | access to array |
+| test.cpp:44:27:44:33 | access to array | semmle.label | access to array |
+| test.cpp:44:27:44:33 | access to array indirection | semmle.label | access to array indirection |
+| test.cpp:44:27:44:33 | access to array indirection | semmle.label | access to array indirection |
 #select
 | test.c:21:18:21:23 | query1 | test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg) | test.c:15:20:15:23 | argv | user input (argv) |
+| test.cpp:44:27:44:33 | access to array | test.cpp:44:27:44:30 | argv | test.cpp:44:27:44:33 | access to array | This argument to a SQL query function is derived from $@ and then passed to pqxx::work::exec1((unnamed parameter 0)) | test.cpp:44:27:44:30 | argv | user input (argv) |

cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/test.cpp

@@ -0,0 +1,48 @@
+int sprintf(char* str, const char* format, ...);
+
+namespace std
+{
+	template<class charT> struct char_traits;
+
+	template <class T> class allocator {
+	public:
+		allocator() throw();
+	};
+	
+	template<class charT, class traits = char_traits<charT>, class Allocator = allocator<charT> >
+	class basic_string {
+	public:
+		explicit basic_string(const Allocator& a = Allocator());
+		basic_string(const charT* s, const Allocator& a = Allocator());
+
+		const charT* c_str() const;
+	};
+
+	typedef basic_string<char> string;
+}
+
+namespace pqxx {
+    struct connection {};
+
+    struct row {};
+    struct result {};
+
+    struct work {
+      work(connection&);
+
+      row exec1(const char*);
+      result exec(const std::string&);
+      std::string quote(const char*);
+    };
+}
+
+int main(int argc, char** argv) {
+    pqxx::connection c;
+    pqxx::work w(c);
+    
+    pqxx::row r = w.exec1(argv[1]); // BAD
+    
+    pqxx::result r2 = w.exec(w.quote(argv[1])); // GOOD
+
+    return 0;
+}