C++: Fix 'rename'.

geoffw0 · geoffw0 · commit ab4b2c23428d · 2021-07-19T18:58:39.000+01:00
diff --git a/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql b/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
@@ -33,7 +33,7 @@ FunctionCall filenameOperation(Expr path) {
       ] and
     result.getArgument(0) = path
     or
-    name = ["fopen_s", "wfopen_s"] and
+    name = ["fopen_s", "wfopen_s", "rename"] and
     result.getArgument(1) = path
   )
 }
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/TOCTOUFilesystemRace.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/TOCTOUFilesystemRace.expected
@@ -9,6 +9,7 @@
 | test2.cpp:170:7:170:10 | call to open | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:170:12:170:15 | path | filename | test2.cpp:168:6:168:10 | call to lstat | checked |
 | test2.cpp:245:3:245:7 | call to chmod | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:245:9:245:12 | path | filename | test2.cpp:238:6:238:10 | call to fopen | checked |
 | test2.cpp:255:3:255:8 | call to remove | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:255:10:255:14 | path1 | filename | test2.cpp:253:6:253:11 | call to rename | checked |
+| test2.cpp:265:7:265:11 | call to fopen | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:265:13:265:17 | path2 | filename | test2.cpp:263:7:263:12 | call to rename | checked |
 | test2.cpp:277:7:277:11 | call to fopen | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:277:13:277:16 | path | filename | test2.cpp:275:6:275:11 | call to access | checked |
 | test2.cpp:303:7:303:11 | call to fopen | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:303:13:303:16 | path | filename | test2.cpp:301:7:301:12 | call to access | checked |
 | test2.cpp:317:7:317:11 | call to fopen | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test2.cpp:317:13:317:16 | path | filename | test2.cpp:313:6:313:11 | call to access | checked |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/test2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/test2.cpp
@@ -262,7 +262,7 @@ void test5_2(const char *path1, const char *path2)
 
 	if (!rename(path1, path2))
 	{
-		f = fopen(path2, "r"); // BAD [NOT DETECTED]
+		f = fopen(path2, "r"); // BAD
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,7 @@ FunctionCall filenameOperation(Expr path) {`
`33`	`33`	`] and`
`34`	`34`	`result.getArgument(0) = path`
`35`	`35`	`or`
`36`		`- name = ["fopen_s", "wfopen_s"] and`
	`36`	`+ name = ["fopen_s", "wfopen_s", "rename"] and`
`37`	`37`	`result.getArgument(1) = path`
`38`	`38`	`)`
`39`	`39`	`}`
Original file line number	Diff line number	Diff line change
`@@ -262,7 +262,7 @@ void test5_2(const char path1, const char path2)`
`262`	`262`
`263`	`263`	`if (!rename(path1, path2))`
`264`	`264`	`{`
`265`		`- f = fopen(path2, "r"); // BAD [NOT DETECTED]`
	`265`	`+ f = fopen(path2, "r"); // BAD`
`266`	`266`	`}`
`267`	`267`	`}`
`268`	`268`