
Commit edd09f0

committed
C++: Add test cases where several specific values are permitted.
1 parent 48f3db3 commit edd09f0


2 files changed

+36
-0
lines changed

2 files changed

+36
-0
lines changed

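--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
@@ -80,6 +80,14 @@ edges
 | test.cpp:279:17:279:20 | get_size output argument | test.cpp:281:11:281:28 | ... * ... |
 | test.cpp:295:18:295:21 | get_size output argument | test.cpp:298:10:298:27 | ... * ... |
 | test.cpp:295:18:295:21 | get_size output argument | test.cpp:298:10:298:27 | ... * ... |
+| test.cpp:301:19:301:24 | call to getenv | test.cpp:305:11:305:28 | ... * ... |
+| test.cpp:301:19:301:24 | call to getenv | test.cpp:305:11:305:28 | ... * ... |
+| test.cpp:301:19:301:32 | (const char *)... | test.cpp:305:11:305:28 | ... * ... |
+| test.cpp:301:19:301:32 | (const char *)... | test.cpp:305:11:305:28 | ... * ... |
+| test.cpp:309:19:309:24 | call to getenv | test.cpp:314:10:314:27 | ... * ... |
+| test.cpp:309:19:309:24 | call to getenv | test.cpp:314:10:314:27 | ... * ... |
+| test.cpp:309:19:309:32 | (const char *)... | test.cpp:314:10:314:27 | ... * ... |
+| test.cpp:309:19:309:32 | (const char *)... | test.cpp:314:10:314:27 | ... * ... |
 nodes
 | field_conflation.c:12:22:12:27 | call to getenv | semmle.label | call to getenv |
 | field_conflation.c:12:22:12:34 | (const char *)... | semmle.label | (const char *)... |
@@ -168,6 +176,16 @@ nodes
 | test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
 | test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
 | test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
+| test.cpp:301:19:301:24 | call to getenv | semmle.label | call to getenv |
+| test.cpp:301:19:301:32 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:305:11:305:28 | ... * ... | semmle.label | ... * ... |
+| test.cpp:305:11:305:28 | ... * ... | semmle.label | ... * ... |
+| test.cpp:305:11:305:28 | ... * ... | semmle.label | ... * ... |
+| test.cpp:309:19:309:24 | call to getenv | semmle.label | call to getenv |
+| test.cpp:309:19:309:32 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:314:10:314:27 | ... * ... | semmle.label | ... * ... |
+| test.cpp:314:10:314:27 | ... * ... | semmle.label | ... * ... |
+| test.cpp:314:10:314:27 | ... * ... | semmle.label | ... * ... |
 #select
 | field_conflation.c:20:3:20:8 | call to malloc | field_conflation.c:12:22:12:27 | call to getenv | field_conflation.c:20:13:20:13 | x | This allocation size is derived from $@ and might overflow | field_conflation.c:12:22:12:27 | call to getenv | user input (getenv) |
 | test.cpp:42:31:42:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
@@ -186,3 +204,5 @@ nodes
 | test.cpp:253:4:253:9 | call to malloc | test.cpp:249:20:249:25 | call to getenv | test.cpp:253:11:253:29 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:249:20:249:25 | call to getenv | user input (getenv) |
 | test.cpp:281:4:281:9 | call to malloc | test.cpp:241:18:241:23 | call to getenv | test.cpp:281:11:281:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:241:18:241:23 | call to getenv | user input (getenv) |
 | test.cpp:298:3:298:8 | call to malloc | test.cpp:241:18:241:23 | call to getenv | test.cpp:298:10:298:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:241:18:241:23 | call to getenv | user input (getenv) |
+| test.cpp:305:4:305:9 | call to malloc | test.cpp:301:19:301:24 | call to getenv | test.cpp:305:11:305:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:301:19:301:24 | call to getenv | user input (getenv) |
+| test.cpp:314:3:314:8 | call to malloc | test.cpp:309:19:309:24 | call to getenv | test.cpp:314:10:314:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:309:19:309:24 | call to getenv | user input (getenv) |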

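--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp
@@ -297,4 +297,20 @@ void equality_cases() {
 
 malloc(size * sizeof(int)); // BAD
 }
+{
+int size = atoi(getenv("USER"));
+
+if ((size == 50) || (size == 100))
+{
+malloc(size * sizeof(int)); // GOOD [FALSE POSITIVE]
+}
+}
+{
+int size = atoi(getenv("USER"));
+
+if (size != 50 && size != 100)
+return;
+
+malloc(size * sizeof(int)); // GOOD [FALSE POSITIVE]
+}
 }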
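Review bot: The two new blocks at lines 300 and 308 carry only `// GOOD [FALSE POSITIVE]`, which does not say what each guard is meant to establish or why the two variants are both needed, so a later query change that clears one marker but not the other would be hard to interpret. A short comment on each would tie the expectation to the guard shape, e.g. `// size is one of {50, 100} here, so size * sizeof(int) cannot overflow` before the first malloc and `// same bound, expressed as a negated guard with early return` before the second. The `.expected` additions for lines 305 and 314 match these markers, so the commit is internally consistent; this is documentation only. The enclosing `equality_cases()` starts outside the hunk.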
