C++: CWE-020/ExternalAPIs (+ add tests based on qhelp)

Author: d10c

cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll

@@ -53,7 +53,7 @@ private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
 
   predicate observeDiffInformedIncrementalMode() {
-    any() // TODO: Make sure that the location overrides match the query's select clause: Flow call outside 'select' clause (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll@13:36:13:80), Flow call outside 'select' clause (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll@16:43:16:92)
+    any() // normal use in UntrustedDataToExternalApi.ql; used via ExternalApiUsedWithUntrustedData (no location) in CountUntrustedDataToExternalAPI.ql
   }
 }
 

cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIsSpecific.qll

@@ -48,7 +48,7 @@ private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
 
   predicate observeDiffInformedIncrementalMode() {
-    any() // TODO: Make sure that the location overrides match the query's select clause: Flow call outside 'select' clause (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll@13:36:13:80), Flow call outside 'select' clause (/Users/d10c/src/semmle-code/ql/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll@16:43:16:92)
+    any() // normal use in IRUntrustedDataToExternalApi.ql; used via ExternalApiUsedWithUntrustedData (no location) in IRCountUntrustedDataToExternalAPI.ql
   }
 }
 

cpp/ql/test/query-tests/Security/CWE/CWE-020/CountUntrustedDataToExternalAPI.expected

@@ -0,0 +1,4 @@
+query: Security/CWE/CWE-020/CountUntrustedDataToExternalAPI.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/query-tests/Security/CWE/CWE-020/CountUntrustedDataToExternalAPI.qlref

@@ -0,0 +1,18 @@
+typedef unsigned long size_t;
+typedef size_t FILE;
+
+char *strcat(char *s1, const char *s2);
+char *fgets(char *s, int n, FILE *stream);
+char *fputs(const char *s, FILE *stream);
+
+void do_get(FILE* request, FILE* response) {
+  char page[1024];
+  fgets(page, 1024, request);
+
+  char buffer[1024];
+  strcat(buffer, "The page \"");
+  strcat(buffer, page);
+  strcat(buffer, "\" was not found.");
+
+  fputs(buffer, response);
+}

cpp/ql/test/query-tests/Security/CWE/CWE-020/ExternalAPISinkExample.cpp

@@ -0,0 +1,18 @@
+typedef unsigned long size_t;
+typedef size_t FILE;
+
+char *strcat(char *s1, const char *s2);
+char *fgets(char *s, int n, FILE *stream);
+char *fputs(const char *s, FILE *stream);
+
+void do_get(FILE* request, FILE* response) {
+  char user_id[1024];
+  fgets(user_id, 1024, request);
+
+  char buffer[1024];
+  strcat(buffer, "SELECT * FROM user WHERE user_id='");
+  strcat(buffer, user_id);
+  strcat(buffer, "'");
+
+  // ...
+}

cpp/ql/test/query-tests/Security/CWE/CWE-020/ExternalAPITaintStepExample.cpp

@@ -0,0 +1,4 @@
+query: Security/CWE/CWE-020/IRCountUntrustedDataToExternalAPI.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/query-tests/Security/CWE/CWE-020/IRCountUntrustedDataToExternalAPI.expected

@@ -0,0 +1,4 @@
+#select
+edges
+nodes
+subpaths

cpp/ql/test/query-tests/Security/CWE/CWE-020/IRCountUntrustedDataToExternalAPI.qlref

@@ -0,0 +1,4 @@
+query: Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql