Merge pull request #6593 from geoffw0/samate-move

C++: Add test cases with SAMATE Juliet code snippets to the codeql test suite.

Author: jbj

cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp

@@ -0,0 +1,134 @@
+/**
+ * This test case is closely based on CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp
+ * from the SAMATE Juliet test suite.
+ */
+
+#define NULL (0)
+
+typedef unsigned long size_t;
+typedef size_t time_t;
+time_t time(time_t *timer);
+
+typedef struct {} FILE;
+extern FILE *stdin;
+FILE *fopen(const char *filename, const char *mode);
+int fclose(FILE *stream);
+#define FILENAME_MAX (4096)
+
+typedef unsigned long size_t;
+size_t strlen(const char *s);
+char *strcat(char *s1, const char *s2);
+char *fgets(char *s, int n, FILE *stream);
+
+int globalReturnsTrue() 
+{
+    return 1;
+}
+
+int globalReturnsFalse() 
+{
+    return 0;
+}
+
+void printLine(const char *str);
+
+#define BASEPATH "c:\\temp\\"
+#define FOPEN fopen
+
+namespace CWE23_Relative_Path_Traversal__char_console_fopen_11
+{
+
+void bad()
+{
+    char * data;
+    char dataBuffer[FILENAME_MAX] = BASEPATH;
+    data = dataBuffer;
+    if(globalReturnsTrue())
+    {
+        {
+            /* Read input from the console */
+            size_t dataLen = strlen(data);
+            /* if there is room in data, read into it from the console */
+            if (FILENAME_MAX-dataLen > 1)
+            {
+                /* POTENTIAL FLAW: Read data from the console */
+                if (fgets(data+dataLen, (int)(FILENAME_MAX-dataLen), stdin) != NULL)
+                {
+                    /* The next few lines remove the carriage return from the string that is
+                     * inserted by fgets() */
+                    dataLen = strlen(data);
+                    if (dataLen > 0 && data[dataLen-1] == '\n')
+                    {
+                        data[dataLen-1] = '\0';
+                    }
+                }
+                else
+                {
+                    printLine("fgets() failed");
+                    /* Restore NUL terminator if fgets fails */
+                    data[dataLen] = '\0';
+                }
+            }
+        }
+    }
+    {
+        FILE *pFile = NULL;
+        /* POTENTIAL FLAW: Possibly opening a file without validating the file name or path */
+        pFile = FOPEN(data, "wb+");
+        if (pFile != NULL)
+        {
+            fclose(pFile);
+        }
+    }
+}
+
+/* goodG2B1() - use goodsource and badsink by changing the globalReturnsTrue() to globalReturnsFalse() */
+static void goodG2B1()
+{
+    char * data;
+    char dataBuffer[FILENAME_MAX] = BASEPATH;
+    data = dataBuffer;
+    if(globalReturnsFalse())
+    {
+        /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
+        printLine("Benign, fixed string");
+    }
+    else
+    {
+        /* FIX: Use a fixed file name */
+        strcat(data, "file.txt");
+    }
+    {
+        FILE *pFile = NULL;
+        /* POTENTIAL FLAW: Possibly opening a file without validating the file name or path */
+        pFile = FOPEN(data, "wb+");
+        if (pFile != NULL)
+        {
+            fclose(pFile);
+        }
+    }
+}
+
+/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
+static void goodG2B2()
+{
+    char * data;
+    char dataBuffer[FILENAME_MAX] = BASEPATH;
+    data = dataBuffer;
+    if(globalReturnsTrue())
+    {
+        /* FIX: Use a fixed file name */
+        strcat(data, "file.txt");
+    }
+    {
+        FILE *pFile = NULL;
+        /* POTENTIAL FLAW: Possibly opening a file without validating the file name or path */
+        pFile = FOPEN(data, "wb+");
+        if (pFile != NULL)
+        {
+            fclose(pFile);
+        }
+    }
+}
+
+}

cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/TaintedPath.expected

@@ -0,0 +1,17 @@
+edges
+| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | ... + ... | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | (const char *)... |
+| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | ... + ... | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data |
+| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | ... + ... | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data indirection |
+| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | (const char *)... |
+| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data |
+| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data indirection |
+nodes
+| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | ... + ... | semmle.label | ... + ... |
+| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | semmle.label | fgets output argument |
+| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | (const char *)... | semmle.label | (const char *)... |
+| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | (const char *)... | semmle.label | (const char *)... |
+| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data | semmle.label | data |
+| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data indirection | semmle.label | data indirection |
+| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data indirection | semmle.label | data indirection |
+#select
+| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | ... + ... | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data | This argument to a file access function is derived from $@ and then passed to fopen(filename) | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | ... + ... | user input (fgets) |

cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/TaintedPath.qlref

@@ -0,0 +1 @@
+Security/CWE/CWE-022/TaintedPath.ql

cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/ExecTainted.expected

@@ -0,0 +1 @@
+| tests.cpp:53:16:53:19 | data | This argument to an OS command is derived from $@ and then passed to system(string) | tests.cpp:33:34:33:39 | call to getenv | user input (getenv) |

cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/ExecTainted.qlref

@@ -0,0 +1 @@
+Security/CWE/CWE-078/ExecTainted.ql

cpp/ql/test/query-tests/Security/CWE/CWE-078/SAMATE/ExecTainted/tests.cpp

@@ -0,0 +1,58 @@
+//semmle-extractor-options: --edg --target --edg win64
+
+// A selection of tests from the SAMATE Juliet framework for rule CWE-78.
+
+// library types, functions etc
+#define NULL (0)
+typedef unsigned long size_t;
+size_t strlen(const char *s);
+char *strncat(char *s1, const char *s2, size_t n);
+char *getenv(const char *name);
+int system(const char *string);
+void exit(int status);
+
+#define FULL_COMMAND "dir "
+#define ENV_VARIABLE "ADD"
+#define GETENV getenv
+#define SYSTEM system
+
+void printLine(const char *str);
+
+// ----------
+
+/* The static variable below is used to drive control flow in the source function */
+static int badStatic = 0;
+
+static char * badSource(char * data)
+{
+    if(badStatic)
+    {
+        {
+            /* Append input from an environment variable to data */
+            size_t dataLen = strlen(data);
+            char * environment = GETENV(ENV_VARIABLE);
+            /* If there is data in the environment variable */
+            if (environment != NULL)
+            {
+                /* POTENTIAL FLAW: Read data from an environment variable */
+                strncat(data+dataLen, environment, 100-dataLen-1);
+            }
+        }
+    }
+    return data;
+}
+
+void CWE78_OS_Command_Injection__char_environment_system_21_bad()
+{
+    char * data;
+    char data_buf[100] = FULL_COMMAND;
+    data = data_buf;
+    badStatic = 1; /* true */
+    data = badSource(data);
+    /* POTENTIAL FLAW: Execute command in data possibly leading to command injection [NOT DETECTED] */
+    if (SYSTEM(data) != 0)
+    {
+        printLine("command execution failed!");
+        exit(1);
+    }
+}

cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.expected

@@ -0,0 +1,30 @@
+edges
+| test.cpp:37:73:37:76 | *data | test.cpp:43:32:43:35 | (LPCSTR)... |
+| test.cpp:37:73:37:76 | *data | test.cpp:43:32:43:35 | data |
+| test.cpp:37:73:37:76 | *data | test.cpp:43:32:43:35 | data indirection |
+| test.cpp:37:73:37:76 | data | test.cpp:43:32:43:35 | (LPCSTR)... |
+| test.cpp:37:73:37:76 | data | test.cpp:43:32:43:35 | data |
+| test.cpp:37:73:37:76 | data | test.cpp:43:32:43:35 | data |
+| test.cpp:37:73:37:76 | data | test.cpp:43:32:43:35 | data indirection |
+| test.cpp:64:30:64:35 | call to getenv | test.cpp:73:17:73:22 | data |
+| test.cpp:64:30:64:35 | call to getenv | test.cpp:73:17:73:22 | data |
+| test.cpp:64:30:64:35 | call to getenv | test.cpp:73:24:73:27 | data indirection |
+| test.cpp:64:30:64:35 | call to getenv | test.cpp:73:24:73:27 | data indirection |
+| test.cpp:73:17:73:22 | data | test.cpp:37:73:37:76 | data |
+| test.cpp:73:24:73:27 | data indirection | test.cpp:37:73:37:76 | *data |
+nodes
+| test.cpp:37:73:37:76 | *data | semmle.label | *data |
+| test.cpp:37:73:37:76 | data | semmle.label | data |
+| test.cpp:43:32:43:35 | (LPCSTR)... | semmle.label | (LPCSTR)... |
+| test.cpp:43:32:43:35 | (LPCSTR)... | semmle.label | (LPCSTR)... |
+| test.cpp:43:32:43:35 | data | semmle.label | data |
+| test.cpp:43:32:43:35 | data | semmle.label | data |
+| test.cpp:43:32:43:35 | data | semmle.label | data |
+| test.cpp:43:32:43:35 | data indirection | semmle.label | data indirection |
+| test.cpp:43:32:43:35 | data indirection | semmle.label | data indirection |
+| test.cpp:64:30:64:35 | call to getenv | semmle.label | call to getenv |
+| test.cpp:64:30:64:35 | call to getenv | semmle.label | call to getenv |
+| test.cpp:73:17:73:22 | data | semmle.label | data |
+| test.cpp:73:24:73:27 | data indirection | semmle.label | data indirection |
+#select
+| test.cpp:43:32:43:35 | data | test.cpp:64:30:64:35 | call to getenv | test.cpp:43:32:43:35 | data | The value of this argument may come from $@ and is being passed to LoadLibraryA | test.cpp:64:30:64:35 | call to getenv | call to getenv |

cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.qlref

@@ -0,0 +1 @@
+Security/CWE/CWE-114/UncontrolledProcessOperation.ql

cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/test.cpp

@@ -0,0 +1,132 @@
+// Some SAMATE Juliet test cases for CWE-114.
+
+typedef unsigned long size_t;
+typedef unsigned int BOOL;
+typedef const char *LPCSTR;
+typedef void *HMODULE;
+#define NULL (0)
+
+size_t strlen(const char *s);
+char *strncat(char *s1, const char *s2, size_t n);
+
+HMODULE LoadLibraryA(LPCSTR libname);
+BOOL FreeLibrary(HMODULE hModule);
+
+char *getenv(const char *name);
+
+#define GETENV getenv
+#define ENV_VARIABLE "ADD"
+
+void printLine(const char *msg);
+
+// --- CWE114_Process_Control__w32_char_environment_82 ---
+
+class CWE114_Process_Control__w32_char_environment_82_base
+{
+public:
+    /* pure virtual function */
+    virtual void action(char * data) = 0;
+};
+
+class CWE114_Process_Control__w32_char_environment_82_bad : public CWE114_Process_Control__w32_char_environment_82_base
+{
+public:
+    void action(char * data);
+};
+
+void CWE114_Process_Control__w32_char_environment_82_bad::action(char * data)
+{
+    {
+        HMODULE hModule;
+        /* POTENTIAL FLAW: If the path to the library is not specified, an attacker may be able to
+         * replace his own file with the intended library */
+        hModule = LoadLibraryA(data);
+        if (hModule != NULL)
+        {
+            FreeLibrary(hModule);
+            printLine("Library loaded and freed successfully");
+        }
+        else
+        {
+            printLine("Unable to load library");
+        }
+    }
+}
+
+void bad()
+{
+    char * data;
+    char dataBuffer[100] = "";
+    data = dataBuffer;
+    {
+        /* Append input from an environment variable to data */
+        size_t dataLen = strlen(data);
+        char * environment = GETENV(ENV_VARIABLE);
+        /* If there is data in the environment variable */
+        if (environment != NULL)
+        {
+            /* POTENTIAL FLAW: Read data from an environment variable */
+            strncat(data+dataLen, environment, 100-dataLen-1);
+        }
+    }
+    CWE114_Process_Control__w32_char_environment_82_base* baseObject = new CWE114_Process_Control__w32_char_environment_82_bad;
+    baseObject->action(data);
+    delete baseObject;
+}
+
+// --- CWE114_Process_Control__w32_char_console_33 ---
+
+typedef struct {} FILE;
+char *fgets(char *s, int n, FILE *stream);
+FILE *stdin;
+
+void CWE114_Process_Control__w32_char_console_33_bad()
+{
+    char * data;
+    char * &dataRef = data;
+    char dataBuffer[100] = "";
+    data = dataBuffer;
+    {
+        /* Read input from the console */
+        size_t dataLen = strlen(data);
+        /* if there is room in data, read into it from the console */
+        if (100-dataLen > 1)
+        {
+            /* POTENTIAL FLAW: Read data from the console [NOT DETECTED] */
+            if (fgets(data+dataLen, (int)(100-dataLen), stdin) != NULL)
+            {
+                /* The next few lines remove the carriage return from the string that is
+                 * inserted by fgets() */
+                dataLen = strlen(data);
+                if (dataLen > 0 && data[dataLen-1] == '\n')
+                {
+                    data[dataLen-1] = '\0';
+                }
+            }
+            else
+            {
+                printLine("fgets() failed");
+                /* Restore NUL terminator if fgets fails */
+                data[dataLen] = '\0';
+            }
+        }
+    }
+    {
+        char * data = dataRef;
+        {
+            HMODULE hModule;
+            /* POTENTIAL FLAW: If the path to the library is not specified, an attacker may be able to
+             * replace his own file with the intended library */
+            hModule = LoadLibraryA(data);
+            if (hModule != NULL)
+            {
+                FreeLibrary(hModule);
+                printLine("Library loaded and freed successfully");
+            }
+            else
+            {
+                printLine("Unable to load library");
+            }
+        }
+    }
+}

cpp/ql/test/query-tests/Security/CWE/CWE-119/SAMATE/BadlyBoundedWrite.expected

@@ -0,0 +1,4 @@
+| tests.cpp:350:13:350:19 | call to strncat | This 'call to strncat' operation is limited to 100 bytes but the destination is only 50 bytes. |
+| tests.cpp:452:9:452:15 | call to wcsncpy | This 'call to wcsncpy' operation is limited to 396 bytes but the destination is only 200 bytes. |
+| tests.cpp:481:9:481:16 | call to swprintf | This 'call to swprintf' operation is limited to 400 bytes but the destination is only 200 bytes. |
+| tests.cpp:630:13:630:20 | call to swprintf | This 'call to swprintf' operation is limited to 400 bytes but the destination is only 200 bytes. |