finilize tests for zlib

Author: am0o0

cpp/ql/src/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs.ql

@@ -22,7 +22,7 @@ module DecompressionTaintConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) {
     exists(FunctionCall fc, DecompressionFunction f | fc.getTarget() = f |
-      fc.getArgument(f.getArchiveParameterIndex()) = sink.asExpr() 
+      fc.getArgument(f.getArchiveParameterIndex()) = [sink.asExpr(), sink.asIndirectExpr()]
     )
   }
 

cpp/ql/src/experimental/query-tests/Security/CWE/CWE-409/ZlibUncompress.qll

@@ -13,5 +13,5 @@ import DecompressionBomb
 class UncompressFunction extends DecompressionFunction {
   UncompressFunction() { this.hasGlobalName(["uncompress", "uncompress2"]) }
 
-  override int getArchiveParameterIndex() { result = 0 }
+  override int getArchiveParameterIndex() { result = 2 }
 }

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs.expected

@@ -0,0 +1,93 @@
+edges
+| zlibTest.cpp:52:25:52:25 | *a | zlibTest.cpp:63:25:63:35 | *a | provenance |  |
+| zlibTest.cpp:63:25:63:35 | *a | zlibTest.cpp:52:25:52:25 | *a | provenance |  |
+| zlibTest.cpp:63:25:63:35 | *a | zlibTest.cpp:69:17:69:26 | & ... | provenance | Config |
+| zlibTest.cpp:63:25:63:35 | *a | zlibTest.cpp:70:13:70:22 | & ... | provenance | Config |
+| zlibTest.cpp:69:17:69:26 | & ... | zlibTest.cpp:70:13:70:22 | & ... | provenance |  |
+| zlibTest.cpp:93:24:93:31 | *fileName | zlibTest.cpp:94:29:94:36 | *fileName | provenance |  |
+| zlibTest.cpp:94:22:94:27 | call to gzopen | zlibTest.cpp:94:22:94:27 | call to gzopen | provenance |  |
+| zlibTest.cpp:94:22:94:27 | call to gzopen | zlibTest.cpp:101:32:101:38 | inFileZ | provenance |  |
+| zlibTest.cpp:94:29:94:36 | *fileName | zlibTest.cpp:93:24:93:31 | *fileName | provenance |  |
+| zlibTest.cpp:94:29:94:36 | *fileName | zlibTest.cpp:94:22:94:27 | call to gzopen | provenance | Config |
+| zlibTest.cpp:114:25:114:32 | *fileName | zlibTest.cpp:115:29:115:36 | *fileName | provenance |  |
+| zlibTest.cpp:115:22:115:27 | call to gzopen | zlibTest.cpp:115:22:115:27 | call to gzopen | provenance |  |
+| zlibTest.cpp:115:22:115:27 | call to gzopen | zlibTest.cpp:121:38:121:44 | inFileZ | provenance |  |
+| zlibTest.cpp:115:29:115:36 | *fileName | zlibTest.cpp:114:25:114:32 | *fileName | provenance |  |
+| zlibTest.cpp:115:29:115:36 | *fileName | zlibTest.cpp:115:22:115:27 | call to gzopen | provenance | Config |
+| zlibTest.cpp:131:24:131:31 | *fileName | zlibTest.cpp:132:29:132:36 | *fileName | provenance |  |
+| zlibTest.cpp:132:22:132:27 | call to gzopen | zlibTest.cpp:132:22:132:27 | call to gzopen | provenance |  |
+| zlibTest.cpp:132:22:132:27 | call to gzopen | zlibTest.cpp:139:25:139:31 | inFileZ | provenance |  |
+| zlibTest.cpp:132:29:132:36 | *fileName | zlibTest.cpp:131:24:131:31 | *fileName | provenance |  |
+| zlibTest.cpp:132:29:132:36 | *fileName | zlibTest.cpp:132:22:132:27 | call to gzopen | provenance | Config |
+| zlibTest.cpp:156:41:156:45 | *input | zlibTest.cpp:163:29:163:43 | *input | provenance |  |
+| zlibTest.cpp:168:27:168:30 | **argv | zlibTest.cpp:169:19:169:25 | *access to array | provenance |  |
+| zlibTest.cpp:168:27:168:30 | **argv | zlibTest.cpp:170:18:170:24 | *access to array | provenance |  |
+| zlibTest.cpp:168:27:168:30 | **argv | zlibTest.cpp:171:19:171:25 | *access to array | provenance |  |
+| zlibTest.cpp:168:27:168:30 | **argv | zlibTest.cpp:172:18:172:24 | *access to array | provenance |  |
+| zlibTest.cpp:168:27:168:30 | **argv | zlibTest.cpp:174:19:174:66 | *access to array | provenance |  |
+| zlibTest.cpp:169:19:169:25 | *access to array | zlibTest.cpp:114:25:114:32 | *fileName | provenance |  |
+| zlibTest.cpp:169:19:169:25 | *access to array | zlibTest.cpp:169:19:169:25 | UnsafeGzfread output argument | provenance |  |
+| zlibTest.cpp:169:19:169:25 | UnsafeGzfread output argument | zlibTest.cpp:170:18:170:24 | *access to array | provenance |  |
+| zlibTest.cpp:169:19:169:25 | UnsafeGzfread output argument | zlibTest.cpp:171:19:171:25 | *access to array | provenance |  |
+| zlibTest.cpp:169:19:169:25 | UnsafeGzfread output argument | zlibTest.cpp:172:18:172:24 | *access to array | provenance |  |
+| zlibTest.cpp:169:19:169:25 | UnsafeGzfread output argument | zlibTest.cpp:174:19:174:66 | *access to array | provenance |  |
+| zlibTest.cpp:170:18:170:24 | *access to array | zlibTest.cpp:131:24:131:31 | *fileName | provenance |  |
+| zlibTest.cpp:170:18:170:24 | *access to array | zlibTest.cpp:170:18:170:24 | UnsafeGzgets output argument | provenance |  |
+| zlibTest.cpp:170:18:170:24 | UnsafeGzgets output argument | zlibTest.cpp:171:19:171:25 | *access to array | provenance |  |
+| zlibTest.cpp:170:18:170:24 | UnsafeGzgets output argument | zlibTest.cpp:172:18:172:24 | *access to array | provenance |  |
+| zlibTest.cpp:170:18:170:24 | UnsafeGzgets output argument | zlibTest.cpp:174:19:174:66 | *access to array | provenance |  |
+| zlibTest.cpp:171:19:171:25 | *access to array | zlibTest.cpp:52:25:52:25 | *a | provenance |  |
+| zlibTest.cpp:171:19:171:25 | *access to array | zlibTest.cpp:171:19:171:25 | UnsafeInflate output argument | provenance |  |
+| zlibTest.cpp:171:19:171:25 | UnsafeInflate output argument | zlibTest.cpp:172:18:172:24 | *access to array | provenance |  |
+| zlibTest.cpp:171:19:171:25 | UnsafeInflate output argument | zlibTest.cpp:174:19:174:66 | *access to array | provenance |  |
+| zlibTest.cpp:172:18:172:24 | *access to array | zlibTest.cpp:93:24:93:31 | *fileName | provenance |  |
+| zlibTest.cpp:172:18:172:24 | *access to array | zlibTest.cpp:172:18:172:24 | UnsafeGzread output argument | provenance |  |
+| zlibTest.cpp:172:18:172:24 | UnsafeGzread output argument | zlibTest.cpp:174:19:174:66 | *access to array | provenance |  |
+| zlibTest.cpp:174:19:174:66 | *access to array | zlibTest.cpp:156:41:156:45 | *input | provenance |  |
+nodes
+| zlibTest.cpp:52:25:52:25 | *a | semmle.label | *a |
+| zlibTest.cpp:52:25:52:25 | *a | semmle.label | *a |
+| zlibTest.cpp:63:25:63:35 | *a | semmle.label | *a |
+| zlibTest.cpp:69:17:69:26 | & ... | semmle.label | & ... |
+| zlibTest.cpp:70:13:70:22 | & ... | semmle.label | & ... |
+| zlibTest.cpp:93:24:93:31 | *fileName | semmle.label | *fileName |
+| zlibTest.cpp:93:24:93:31 | *fileName | semmle.label | *fileName |
+| zlibTest.cpp:94:22:94:27 | call to gzopen | semmle.label | call to gzopen |
+| zlibTest.cpp:94:22:94:27 | call to gzopen | semmle.label | call to gzopen |
+| zlibTest.cpp:94:29:94:36 | *fileName | semmle.label | *fileName |
+| zlibTest.cpp:101:32:101:38 | inFileZ | semmle.label | inFileZ |
+| zlibTest.cpp:114:25:114:32 | *fileName | semmle.label | *fileName |
+| zlibTest.cpp:114:25:114:32 | *fileName | semmle.label | *fileName |
+| zlibTest.cpp:115:22:115:27 | call to gzopen | semmle.label | call to gzopen |
+| zlibTest.cpp:115:22:115:27 | call to gzopen | semmle.label | call to gzopen |
+| zlibTest.cpp:115:29:115:36 | *fileName | semmle.label | *fileName |
+| zlibTest.cpp:121:38:121:44 | inFileZ | semmle.label | inFileZ |
+| zlibTest.cpp:131:24:131:31 | *fileName | semmle.label | *fileName |
+| zlibTest.cpp:131:24:131:31 | *fileName | semmle.label | *fileName |
+| zlibTest.cpp:132:22:132:27 | call to gzopen | semmle.label | call to gzopen |
+| zlibTest.cpp:132:22:132:27 | call to gzopen | semmle.label | call to gzopen |
+| zlibTest.cpp:132:29:132:36 | *fileName | semmle.label | *fileName |
+| zlibTest.cpp:139:25:139:31 | inFileZ | semmle.label | inFileZ |
+| zlibTest.cpp:156:41:156:45 | *input | semmle.label | *input |
+| zlibTest.cpp:163:29:163:43 | *input | semmle.label | *input |
+| zlibTest.cpp:168:27:168:30 | **argv | semmle.label | **argv |
+| zlibTest.cpp:169:19:169:25 | *access to array | semmle.label | *access to array |
+| zlibTest.cpp:169:19:169:25 | UnsafeGzfread output argument | semmle.label | UnsafeGzfread output argument |
+| zlibTest.cpp:170:18:170:24 | *access to array | semmle.label | *access to array |
+| zlibTest.cpp:170:18:170:24 | UnsafeGzgets output argument | semmle.label | UnsafeGzgets output argument |
+| zlibTest.cpp:171:19:171:25 | *access to array | semmle.label | *access to array |
+| zlibTest.cpp:171:19:171:25 | UnsafeInflate output argument | semmle.label | UnsafeInflate output argument |
+| zlibTest.cpp:172:18:172:24 | *access to array | semmle.label | *access to array |
+| zlibTest.cpp:172:18:172:24 | UnsafeGzread output argument | semmle.label | UnsafeGzread output argument |
+| zlibTest.cpp:174:19:174:66 | *access to array | semmle.label | *access to array |
+subpaths
+| zlibTest.cpp:169:19:169:25 | *access to array | zlibTest.cpp:114:25:114:32 | *fileName | zlibTest.cpp:114:25:114:32 | *fileName | zlibTest.cpp:169:19:169:25 | UnsafeGzfread output argument |
+| zlibTest.cpp:170:18:170:24 | *access to array | zlibTest.cpp:131:24:131:31 | *fileName | zlibTest.cpp:131:24:131:31 | *fileName | zlibTest.cpp:170:18:170:24 | UnsafeGzgets output argument |
+| zlibTest.cpp:171:19:171:25 | *access to array | zlibTest.cpp:52:25:52:25 | *a | zlibTest.cpp:52:25:52:25 | *a | zlibTest.cpp:171:19:171:25 | UnsafeInflate output argument |
+| zlibTest.cpp:172:18:172:24 | *access to array | zlibTest.cpp:93:24:93:31 | *fileName | zlibTest.cpp:93:24:93:31 | *fileName | zlibTest.cpp:172:18:172:24 | UnsafeGzread output argument |
+#select
+| zlibTest.cpp:70:13:70:22 | & ... | zlibTest.cpp:168:27:168:30 | **argv | zlibTest.cpp:70:13:70:22 | & ... | This Decompression output $@. | zlibTest.cpp:168:27:168:30 | **argv | is not limited |
+| zlibTest.cpp:101:32:101:38 | inFileZ | zlibTest.cpp:168:27:168:30 | **argv | zlibTest.cpp:101:32:101:38 | inFileZ | This Decompression output $@. | zlibTest.cpp:168:27:168:30 | **argv | is not limited |
+| zlibTest.cpp:121:38:121:44 | inFileZ | zlibTest.cpp:168:27:168:30 | **argv | zlibTest.cpp:121:38:121:44 | inFileZ | This Decompression output $@. | zlibTest.cpp:168:27:168:30 | **argv | is not limited |
+| zlibTest.cpp:139:25:139:31 | inFileZ | zlibTest.cpp:168:27:168:30 | **argv | zlibTest.cpp:139:25:139:31 | inFileZ | This Decompression output $@. | zlibTest.cpp:168:27:168:30 | **argv | is not limited |
+| zlibTest.cpp:163:29:163:43 | *input | zlibTest.cpp:168:27:168:30 | **argv | zlibTest.cpp:163:29:163:43 | *input | This Decompression output $@. | zlibTest.cpp:168:27:168:30 | **argv | is not limited |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-409/zlibTest.cpp

@@ -1,4 +1,3 @@
-
 #define Z_NULL  0
 #  define FAR
 typedef unsigned char Byte;
@@ -145,9 +144,32 @@ int UnsafeGzgets(char *fileName) {
     return 0;
 }
 
+typedef unsigned long uLong;
+typedef long unsigned int size_t;
+typedef uLong uLongf;
+typedef unsigned char Bytef;
+#define Z_OK            0
+
+int uncompress(Bytef *dest, uLongf *destLen,
+               const Bytef *source, uLong sourceLen) { return 0; }
+
+bool InflateString(const unsigned char *input, const unsigned char *output, size_t output_length) {
+    uLong source_length;
+    source_length = (uLong) 500;
+    uLong destination_length;
+    destination_length = (uLong) output_length;
+
+    int result = uncompress((Bytef *) output, &destination_length,
+                            (Bytef *) input, source_length);
+
+    return result == Z_OK;
+}
+
 int main(int argc, char **argv) {
     UnsafeGzfread(argv[2]);
     UnsafeGzgets(argv[2]);
     UnsafeInflate(argv[2]);
     UnsafeGzread(argv[2]);
+    const unsigned char *output;
+    InflateString(reinterpret_cast<const unsigned char *>(argv[1]), output, 1024 * 1024 * 1024);
 }