C++: Add a taint test for gets.

geoffw0 · geoffw0 · commit 8dcd46f9e713 · 2020-02-24T11:25:28.000Z
diff --git a/cpp/ql/test/library-tests/dataflow/security-taint/tainted.expected b/cpp/ql/test/library-tests/dataflow/security-taint/tainted.expected
@@ -52,3 +52,9 @@
 | test.cpp:75:20:75:25 | call to getenv | test.cpp:75:15:75:18 | call to atoi |  |
 | test.cpp:75:20:75:25 | call to getenv | test.cpp:75:20:75:25 | call to getenv |  |
 | test.cpp:75:20:75:25 | call to getenv | test.cpp:75:20:75:45 | (const char *)... |  |
+| test.cpp:87:12:87:15 | call to gets | test.cpp:85:8:85:14 | pointer |  |
+| test.cpp:87:12:87:15 | call to gets | test.cpp:87:2:87:8 | pointer |  |
+| test.cpp:87:12:87:15 | call to gets | test.cpp:87:12:87:15 | call to gets |  |
+| test.cpp:87:17:87:22 | buffer | test.cpp:80:18:80:18 | s |  |
+| test.cpp:87:17:87:22 | buffer | test.cpp:84:7:84:12 | buffer |  |
+| test.cpp:87:17:87:22 | buffer | test.cpp:87:17:87:22 | buffer |  |
diff --git a/cpp/ql/test/library-tests/dataflow/security-taint/tainted_diff.expected b/cpp/ql/test/library-tests/dataflow/security-taint/tainted_diff.expected
@@ -8,3 +8,6 @@
 | test.cpp:68:28:68:33 | call to getenv | test.cpp:69:10:69:13 | copy | AST only |
 | test.cpp:68:28:68:33 | call to getenv | test.cpp:70:12:70:15 | copy | AST only |
 | test.cpp:68:28:68:33 | call to getenv | test.cpp:71:12:71:15 | copy | AST only |
+| test.cpp:87:12:87:15 | call to gets | test.cpp:87:2:87:8 | pointer | AST only |
+| test.cpp:87:17:87:22 | buffer | test.cpp:84:7:84:12 | buffer | AST only |
+| test.cpp:87:17:87:22 | buffer | test.cpp:87:17:87:22 | array to pointer conversion | IR only |
diff --git a/cpp/ql/test/library-tests/dataflow/security-taint/tainted_ir.expected b/cpp/ql/test/library-tests/dataflow/security-taint/tainted_ir.expected
@@ -40,3 +40,8 @@
 | test.cpp:75:20:75:25 | call to getenv | test.cpp:75:15:75:18 | call to atoi |  |
 | test.cpp:75:20:75:25 | call to getenv | test.cpp:75:20:75:25 | call to getenv |  |
 | test.cpp:75:20:75:25 | call to getenv | test.cpp:75:20:75:45 | (const char *)... |  |
+| test.cpp:87:12:87:15 | call to gets | test.cpp:85:8:85:14 | pointer |  |
+| test.cpp:87:12:87:15 | call to gets | test.cpp:87:12:87:15 | call to gets |  |
+| test.cpp:87:17:87:22 | buffer | test.cpp:80:18:80:18 | s |  |
+| test.cpp:87:17:87:22 | buffer | test.cpp:87:17:87:22 | array to pointer conversion |  |
+| test.cpp:87:17:87:22 | buffer | test.cpp:87:17:87:22 | buffer |  |
diff --git a/cpp/ql/test/library-tests/dataflow/security-taint/test.cpp b/cpp/ql/test/library-tests/dataflow/security-taint/test.cpp
@@ -76,3 +76,13 @@ void guard() {
     if (len > 1000) return;
     char **node = (char **) malloc(len * sizeof(char *));
 }
+
+char *gets(char *s);
+
+void test_gets()
+{
+	char buffer[1024];
+	char *pointer;
+
+	pointer = gets(buffer);
+}
