Merge pull request #552 from geoffw0/move-security-tests-add

CPP: Add the Semmle security tests.

Author: jbj

cpp/ql/test/query-tests/Security/CWE/CWE-022/semmle/tests/TaintedPath.expected

@@ -0,0 +1 @@
+| test.c:17:11:17:18 | fileName | This argument to a file access function is derived from $@ and then passed to fopen(filename) | test.c:9:23:9:26 | argv | user input (argv) |

cpp/ql/test/query-tests/Security/CWE/CWE-022/semmle/tests/TaintedPath.qlref

@@ -0,0 +1 @@
+Security/CWE/CWE-022/TaintedPath.ql

cpp/ql/test/query-tests/Security/CWE/CWE-022/semmle/tests/stdlib.h

@@ -0,0 +1,13 @@
+// Semmle test case for rule TaintedPath.ql (User-controlled data in path expression)
+// Associated with CWE-022: Improper Limitation of a Pathname to a Restricted Directory. http://cwe.mitre.org/data/definitions/22.html
+
+///// Library routines /////
+
+typedef struct {} FILE;
+#define FILENAME_MAX 1000
+typedef unsigned long size_t;
+
+FILE *fopen(const char *filename, const char *mode);
+int sprintf(char *s, const char *format, ...);
+size_t strlen(const char *s);
+char *strncat(char *s1, const char *s2, size_t n);

cpp/ql/test/query-tests/Security/CWE/CWE-022/semmle/tests/test.c

@@ -0,0 +1,30 @@
+// Semmle test case for rule TaintedPath.ql (User-controlled data in path expression)
+// Associated with CWE-022: Improper Limitation of a Pathname to a Restricted Directory. http://cwe.mitre.org/data/definitions/22.html
+
+#include "stdlib.h"
+
+///// Test code /////
+
+int main(int argc, char** argv) {
+  char *userAndFile = argv[2];
+  
+  {
+    char fileBuffer[FILENAME_MAX] = "/home/";
+    char *fileName = fileBuffer;
+    size_t len = strlen(fileName);
+    strncat(fileName+len, userAndFile, FILENAME_MAX-len-1);
+    // BAD: a string from the user is used in a filename
+    fopen(fileName, "wb+");
+  }
+
+  {
+    char fileBuffer[FILENAME_MAX] = "/home/";
+    char *fileName = fileBuffer;
+    size_t len = strlen(fileName);
+    // GOOD: use a fixed file
+    char* fixed = "file.txt";
+    strncat(fileName+len, fixed, FILENAME_MAX-len-1);
+    fopen(fileName, "wb+");
+  }
+}
+

cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected

@@ -0,0 +1 @@
+| test.c:21:12:21:19 | command1 | This argument to an OS command is derived from $@ and then passed to system(string) | test.c:14:20:14:23 | argv | user input (argv) |

cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.qlref

@@ -0,0 +1 @@
+Security/CWE/CWE-078/ExecTainted.ql

cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/test.c

@@ -0,0 +1,33 @@
+// Semmle test case for rule ExecTainted.ql (Uncontrolled data used in OS command)
+// Associated with CWE-078: OS Command Injection. http://cwe.mitre.org/data/definitions/78.html
+
+///// Library routines /////
+
+int sprintf(char *s, const char *format, ...);
+int system(const char *string);
+
+extern void encodeShellString(char *shellStr, int maxChars, const char* cStr);
+
+///// Test code /////
+
+int main(int argc, char** argv) {
+  char *userName = argv[2];
+  
+  {
+    // BAD: a string from the user is injected directly into
+    // a command.
+    char command1[1000] = {0};
+    sprintf(command1, "userinfo -v \"%s\"", userName);
+    system(command1);
+  }
+
+  {  
+    // GOOD: the user string is encoded by a library routine.
+    char userNameQuoted[1000] = {0};
+    encodeShellString(userNameQuoted, 1000, userName); 
+    char command2[1000] = {0};
+    sprintf(command2, "userinfo -v %s", userNameQuoted);
+    system(command2);
+  }
+}
+

cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.expected

@@ -0,0 +1,2 @@
+| search.c:17:8:17:12 | query | Cross-site scripting vulnerability due to $@. | search.c:41:21:41:26 | call to getenv | this query data |
+| search.c:23:39:23:43 | query | Cross-site scripting vulnerability due to $@. | search.c:41:21:41:26 | call to getenv | this query data |

cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/CgiXss.qlref

@@ -0,0 +1 @@
+Security/CWE/CWE-079/CgiXss.ql

cpp/ql/test/query-tests/Security/CWE/CWE-079/semmle/CgiXss/search.c

@@ -0,0 +1,50 @@
+// Semmle test case for rule CgiXss.ql (CGI script vulnerable to cross-site scripting)
+// Associated with CWE-079: Cross-site Scripting. http://cwe.mitre.org/data/definitions/79.html
+
+// Standard library routines
+void free(void *ptr);
+char *getenv(const char *name);
+int printf(const char *format, ...);
+int puts(const char *s);
+
+// External routines
+char* do_search(char* query);
+char* escape_html(char* raw);
+
+void bad_server1(char* query) {
+  puts("<p>Query results for ");
+  // BAD: Printing out an HTTP parameter with no escaping
+  puts(query);
+  puts("\n<p>\n");
+  puts(do_search(query));
+}
+
+void bad_server2(char* query) {
+  printf("<p>Query results for %s\n", query);
+  // BAD: Printing out an HTTP parameter with no escaping
+  puts("\n<p>");
+  puts(do_search(query));
+}
+
+void good_server(char* query) {
+  puts("<p>Query results for ");
+  // GOOD: Escape HTML characters before adding to a page
+  char* query_escaped = escape_html(query);
+  puts(query_escaped);
+  free(query_escaped);
+
+  puts("\n<p>\n");
+  puts(do_search(query));
+}
+
+int main(int argc, char** argv) {
+  char* raw_query = getenv("QUERY_STRING");
+  if (strcmp("good", argv[0]) == 0) {
+    good_server(raw_query);
+  } else if (strcmp("bad1", argv[0]) == 0) {
+    bad_server1(raw_query);
+  } else {
+    bad_server2(raw_query);
+  }
+}
+