C++: Add test cases where several specific values are permitted.

geoffw0 · geoffw0 · commit edd09f09cd80 · 2020-05-15T17:01:23.000+01:00
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
@@ -80,6 +80,14 @@ edges
 | test.cpp:279:17:279:20 | get_size output argument | test.cpp:281:11:281:28 | ... * ... |
 | test.cpp:295:18:295:21 | get_size output argument | test.cpp:298:10:298:27 | ... * ... |
 | test.cpp:295:18:295:21 | get_size output argument | test.cpp:298:10:298:27 | ... * ... |
+| test.cpp:301:19:301:24 | call to getenv | test.cpp:305:11:305:28 | ... * ... |
+| test.cpp:301:19:301:24 | call to getenv | test.cpp:305:11:305:28 | ... * ... |
+| test.cpp:301:19:301:32 | (const char *)... | test.cpp:305:11:305:28 | ... * ... |
+| test.cpp:301:19:301:32 | (const char *)... | test.cpp:305:11:305:28 | ... * ... |
+| test.cpp:309:19:309:24 | call to getenv | test.cpp:314:10:314:27 | ... * ... |
+| test.cpp:309:19:309:24 | call to getenv | test.cpp:314:10:314:27 | ... * ... |
+| test.cpp:309:19:309:32 | (const char *)... | test.cpp:314:10:314:27 | ... * ... |
+| test.cpp:309:19:309:32 | (const char *)... | test.cpp:314:10:314:27 | ... * ... |
 nodes
 | field_conflation.c:12:22:12:27 | call to getenv | semmle.label | call to getenv |
 | field_conflation.c:12:22:12:34 | (const char *)... | semmle.label | (const char *)... |
@@ -168,6 +176,16 @@ nodes
 | test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
 | test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
 | test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
+| test.cpp:301:19:301:24 | call to getenv | semmle.label | call to getenv |
+| test.cpp:301:19:301:32 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:305:11:305:28 | ... * ... | semmle.label | ... * ... |
+| test.cpp:305:11:305:28 | ... * ... | semmle.label | ... * ... |
+| test.cpp:305:11:305:28 | ... * ... | semmle.label | ... * ... |
+| test.cpp:309:19:309:24 | call to getenv | semmle.label | call to getenv |
+| test.cpp:309:19:309:32 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:314:10:314:27 | ... * ... | semmle.label | ... * ... |
+| test.cpp:314:10:314:27 | ... * ... | semmle.label | ... * ... |
+| test.cpp:314:10:314:27 | ... * ... | semmle.label | ... * ... |
 #select
 | field_conflation.c:20:3:20:8 | call to malloc | field_conflation.c:12:22:12:27 | call to getenv | field_conflation.c:20:13:20:13 | x | This allocation size is derived from $@ and might overflow | field_conflation.c:12:22:12:27 | call to getenv | user input (getenv) |
 | test.cpp:42:31:42:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
@@ -186,3 +204,5 @@ nodes
 | test.cpp:253:4:253:9 | call to malloc | test.cpp:249:20:249:25 | call to getenv | test.cpp:253:11:253:29 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:249:20:249:25 | call to getenv | user input (getenv) |
 | test.cpp:281:4:281:9 | call to malloc | test.cpp:241:18:241:23 | call to getenv | test.cpp:281:11:281:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:241:18:241:23 | call to getenv | user input (getenv) |
 | test.cpp:298:3:298:8 | call to malloc | test.cpp:241:18:241:23 | call to getenv | test.cpp:298:10:298:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:241:18:241:23 | call to getenv | user input (getenv) |
+| test.cpp:305:4:305:9 | call to malloc | test.cpp:301:19:301:24 | call to getenv | test.cpp:305:11:305:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:301:19:301:24 | call to getenv | user input (getenv) |
+| test.cpp:314:3:314:8 | call to malloc | test.cpp:309:19:309:24 | call to getenv | test.cpp:314:10:314:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:309:19:309:24 | call to getenv | user input (getenv) |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp
@@ -297,4 +297,20 @@ void equality_cases() {
 
 		malloc(size * sizeof(int)); // BAD
 	}
+	{
+		int size = atoi(getenv("USER"));
+
+		if ((size == 50) || (size == 100))
+		{
+			malloc(size * sizeof(int)); // GOOD [FALSE POSITIVE]
+		}
+	}
+	{
+		int size = atoi(getenv("USER"));
+
+		if (size != 50 && size != 100)
+			return;
+
+		malloc(size * sizeof(int)); // GOOD [FALSE POSITIVE]
+	}
 }
