C++: Model secure_getenv and _wgetenv as local flow sources

jketema · jketema · commit 01d8ad98f6cf · 2022-12-07T13:37:12.000+01:00
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Getenv.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Getenv.qll
@@ -1,15 +1,19 @@
 /**
- * Provides an implementation class modeling the POSIX function `getenv`.
+ * Provides an implementation class modeling the POSIX function `getenv` and
+ * various similar functions.
  */
 
 import cpp
 import semmle.code.cpp.models.interfaces.FlowSource
 
 /**
- * The POSIX function `getenv`.
+ * The POSIX function `getenv`, the GNU function `secure_getenv`, and the
+ * Windows function `_wgetenv`.
  */
 class Getenv extends LocalFlowSourceFunction {
-  Getenv() { this.hasGlobalOrStdOrBslName("getenv") }
+  Getenv() {
+    this.hasGlobalOrStdOrBslName("getenv") or this.hasGlobalName(["secure_getenv", "_wgetenv"])
+  }
 
   override predicate hasLocalFlowSource(FunctionOutput output, string description) {
     (
