Fixing typos & incorporating feedback.

(MSFT feedback) Adding a new tag in the header @msrc.severity important

Author: raulgarciamsft

cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.qhelp

@@ -4,7 +4,7 @@
 <qhelp>
 
 <overview>
-  <p>This query indicates that there is a call to a function of the <code>CreateProcess*</code> family of functions, which may result in a security vulnerability if the path contains spaces.</p>
+  <p>This query indicates that there is a call to a function of the <code>CreateProcess*</code> family of functions, which introduces a security vulnerability.</p>
 </overview>
 
 <recommendation>
@@ -13,9 +13,9 @@
 </recommendation>
 
 <example>
-<p>In the following example, <code>CreateProcessW</code> is called with a NULL value for <code>lpApplicationName</code>, 
+<p>In the following example, <code>CreateProcessW</code> is called with a <code>NULL</code> value for <code>lpApplicationName</code>, 
 and the value for <code>lpCommandLine</code> that represent the application path is not quoted and has spaces in it.</p>
-<p>If an attacker has access to the file system, it is possible to elevate privileges by creating a file such as "C:\Program.exe" that will be executed instead of the intended application.</p>
+<p>If an attacker has access to the file system, they can elevate privileges by creating a file such as <code>C:\Program.exe</code> that will be executed instead of the intended application.</p>
 <sample src="UnsafeCreateProcessCall.cpp" />
 
 <p>To fix this issue, specify a valid string for <code>lpApplicationName</code>, or quote the path for <code>lpCommandLine</code>. For example:</p>

cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql

@@ -1,10 +1,11 @@
 /**
  * @name NULL application name with an unquoted path in call to CreateProcess
- * @description Calling a function of the CreateProcess* family of functions, which may result in a security vulnerability if the path contains spaces.
+ * @description Calling a function of the CreateProcess* family of functions, where the path contains spaces, introduces a security vulnerability.
  * @id cpp/unsafe-create-process-call
  * @kind problem
  * @problem.severity error
  * @precision medium
+ * @msrc.severity important
  * @tags security
  *       external/cwe/cwe-428
  *       external/microsoft/C6277
@@ -124,6 +125,6 @@ where
     QuotedCommandInCreateProcessFunctionConfiguration quotedConfig |
     cmd = call.getArgument(call.getCommandLineArgumentId())
     and quotedConfig.hasFlow(DataFlow2::exprNode(source), DataFlow2::exprNode(cmd))
-    and msg2 = " and with an unquoted lpCommandLine (" + cmd + ") may result in a security vulnerability if the path contains spaces."
+    and msg2 = " and with an unquoted lpCommandLine (" + cmd + ") introduces a security vulnerability if the path contains spaces."
   )
 select call, msg1 + " " + msg2

cpp/ql/test/query-tests/Security/CWE/CWE-428/UnsafeCreateProcessCall.expected

@@ -1,13 +1,13 @@
-| UnsafeCreateProcessCall.cpp:103:5:103:18 | call to CreateProcessA | call to CreateProcessA with lpApplicationName == NULL (0)  and with an unquoted lpCommandLine (C:\\Program Files\\MyApp) may result in a security vulnerability if the path contains spaces. |
-| UnsafeCreateProcessCall.cpp:109:5:109:18 | call to CreateProcessW | call to CreateProcessW with lpApplicationName == NULL (0)  and with an unquoted lpCommandLine (C:\\Program Files\\MyApp) may result in a security vulnerability if the path contains spaces. |
-| UnsafeCreateProcessCall.cpp:115:5:115:17 | call to CreateProcessW | call to CreateProcessW with lpApplicationName == NULL (0)  and with an unquoted lpCommandLine (C:\\Program Files\\MyApp) may result in a security vulnerability if the path contains spaces. |
-| UnsafeCreateProcessCall.cpp:121:5:121:17 | call to CreateProcessW | call to CreateProcessW with lpApplicationName == NULL (0)  and with an unquoted lpCommandLine (lpCommandLine) may result in a security vulnerability if the path contains spaces. |
-| UnsafeCreateProcessCall.cpp:127:5:127:27 | call to CreateProcessWithTokenW | call to CreateProcessWithTokenW with lpApplicationName == NULL (0)  and with an unquoted lpCommandLine (C:\\Program Files\\MyApp) may result in a security vulnerability if the path contains spaces. |
-| UnsafeCreateProcessCall.cpp:135:5:135:27 | call to CreateProcessWithLogonW | call to CreateProcessWithLogonW with lpApplicationName == NULL (0)  and with an unquoted lpCommandLine (C:\\Program Files\\MyApp) may result in a security vulnerability if the path contains spaces. |
-| UnsafeCreateProcessCall.cpp:145:5:145:24 | call to CreateProcessAsUserA | call to CreateProcessAsUserA with lpApplicationName == NULL (0)  and with an unquoted lpCommandLine (C:\\Program Files\\MyApp) may result in a security vulnerability if the path contains spaces. |
-| UnsafeCreateProcessCall.cpp:152:5:152:24 | call to CreateProcessAsUserW | call to CreateProcessAsUserW with lpApplicationName == NULL (0)  and with an unquoted lpCommandLine (C:\\Program Files\\MyApp) may result in a security vulnerability if the path contains spaces. |
-| UnsafeCreateProcessCall.cpp:159:5:159:23 | call to CreateProcessAsUserW | call to CreateProcessAsUserW with lpApplicationName == NULL (0)  and with an unquoted lpCommandLine (C:\\Program Files\\MyApp) may result in a security vulnerability if the path contains spaces. |
-| UnsafeCreateProcessCall.cpp:167:5:167:17 | call to CreateProcessW | call to CreateProcessW with lpApplicationName == NULL (lpApplicationName)  and with an unquoted lpCommandLine (C:\\Program\tFiles\\MyApp) may result in a security vulnerability if the path contains spaces. |
-| UnsafeCreateProcessCall.cpp:176:5:176:17 | call to CreateProcessW | call to CreateProcessW with lpApplicationName == NULL (0)  and with an unquoted lpCommandLine (lpCommandLine) may result in a security vulnerability if the path contains spaces. |
-| UnsafeCreateProcessCall.cpp:209:5:209:27 | call to CreateProcessWithTokenW | call to CreateProcessWithTokenW with lpApplicationName == NULL (lpApplicationName)  and with an unquoted lpCommandLine (C:\\Program Files\\MyApp) may result in a security vulnerability if the path contains spaces. |
-| UnsafeCreateProcessCall.cpp:258:5:258:27 | call to CreateProcessWithLogonW | call to CreateProcessWithLogonW with lpApplicationName == NULL (lpApplicationName)  and with an unquoted lpCommandLine (C:\\Program Files\\MyApp) may result in a security vulnerability if the path contains spaces. |
+| UnsafeCreateProcessCall.cpp:103:5:103:18 | call to CreateProcessA | call to CreateProcessA with lpApplicationName == NULL (0)  and with an unquoted lpCommandLine (C:\\Program Files\\MyApp) introduces a security vulnerability if the path contains spaces. |
+| UnsafeCreateProcessCall.cpp:109:5:109:18 | call to CreateProcessW | call to CreateProcessW with lpApplicationName == NULL (0)  and with an unquoted lpCommandLine (C:\\Program Files\\MyApp) introduces a security vulnerability if the path contains spaces. |
+| UnsafeCreateProcessCall.cpp:115:5:115:17 | call to CreateProcessW | call to CreateProcessW with lpApplicationName == NULL (0)  and with an unquoted lpCommandLine (C:\\Program Files\\MyApp) introduces a security vulnerability if the path contains spaces. |
+| UnsafeCreateProcessCall.cpp:121:5:121:17 | call to CreateProcessW | call to CreateProcessW with lpApplicationName == NULL (0)  and with an unquoted lpCommandLine (lpCommandLine) introduces a security vulnerability if the path contains spaces. |
+| UnsafeCreateProcessCall.cpp:127:5:127:27 | call to CreateProcessWithTokenW | call to CreateProcessWithTokenW with lpApplicationName == NULL (0)  and with an unquoted lpCommandLine (C:\\Program Files\\MyApp) introduces a security vulnerability if the path contains spaces. |
+| UnsafeCreateProcessCall.cpp:135:5:135:27 | call to CreateProcessWithLogonW | call to CreateProcessWithLogonW with lpApplicationName == NULL (0)  and with an unquoted lpCommandLine (C:\\Program Files\\MyApp) introduces a security vulnerability if the path contains spaces. |
+| UnsafeCreateProcessCall.cpp:145:5:145:24 | call to CreateProcessAsUserA | call to CreateProcessAsUserA with lpApplicationName == NULL (0)  and with an unquoted lpCommandLine (C:\\Program Files\\MyApp) introduces a security vulnerability if the path contains spaces. |
+| UnsafeCreateProcessCall.cpp:152:5:152:24 | call to CreateProcessAsUserW | call to CreateProcessAsUserW with lpApplicationName == NULL (0)  and with an unquoted lpCommandLine (C:\\Program Files\\MyApp) introduces a security vulnerability if the path contains spaces. |
+| UnsafeCreateProcessCall.cpp:159:5:159:23 | call to CreateProcessAsUserW | call to CreateProcessAsUserW with lpApplicationName == NULL (0)  and with an unquoted lpCommandLine (C:\\Program Files\\MyApp) introduces a security vulnerability if the path contains spaces. |
+| UnsafeCreateProcessCall.cpp:167:5:167:17 | call to CreateProcessW | call to CreateProcessW with lpApplicationName == NULL (lpApplicationName)  and with an unquoted lpCommandLine (C:\\Program\tFiles\\MyApp) introduces a security vulnerability if the path contains spaces. |
+| UnsafeCreateProcessCall.cpp:176:5:176:17 | call to CreateProcessW | call to CreateProcessW with lpApplicationName == NULL (0)  and with an unquoted lpCommandLine (lpCommandLine) introduces a security vulnerability if the path contains spaces. |
+| UnsafeCreateProcessCall.cpp:209:5:209:27 | call to CreateProcessWithTokenW | call to CreateProcessWithTokenW with lpApplicationName == NULL (lpApplicationName)  and with an unquoted lpCommandLine (C:\\Program Files\\MyApp) introduces a security vulnerability if the path contains spaces. |
+| UnsafeCreateProcessCall.cpp:258:5:258:27 | call to CreateProcessWithLogonW | call to CreateProcessWithLogonW with lpApplicationName == NULL (lpApplicationName)  and with an unquoted lpCommandLine (C:\\Program Files\\MyApp) introduces a security vulnerability if the path contains spaces. |