C++: Make the command line models work and add environment models

jketema · jketema · commit a4626693ad58 · 2025-05-23T09:49:18.000+02:00
diff --git a/cpp/ql/lib/ext/Windows.model.yml b/cpp/ql/lib/ext/Windows.model.yml
@@ -5,12 +5,16 @@ extensions:
       extensible: sourceModel
     data: # namespace, type, subtypes, name, signature, ext, output, kind, provenance
       # processenv.h
-      - ["", "", False, "GetCommandLineA", "", "", "ReturnValue[*]", "local", "manual"]
-      - ["", "", False, "GetCommandLineW", "", "", "ReturnValue[*]", "local", "manual"]
+      - ["", "", False, "GetCommandLineA", "", "", "ReturnValue", "local", "manual"]
+      - ["", "", False, "GetCommandLineW", "", "", "ReturnValue", "local", "manual"]
+      - ["", "", False, "GetEnvironmentStringsA", "", "", "ReturnValue", "local", "manual"]
+      - ["", "", False, "GetEnvironmentStringsW", "", "", "ReturnValue", "local", "manual"]
+      - ["", "", False, "GetEnvironmentVariableA", "", "", "Argument[*1]", "local", "manual"]
+      - ["", "", False, "GetEnvironmentVariableW", "", "", "Argument[*1]", "local", "manual"]
   - addsTo:
       pack: codeql/cpp-all
       extensible: summaryModel
     data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
       # shellapi.h
-      - ["", "", False, "CommandLineToArgvA", "", "", "Argument[*0]", "ReturnValue[**]", "taint", "manual"]
-      - ["", "", False, "CommandLineToArgvW", "", "", "Argument[*0]", "ReturnValue[**]", "taint", "manual"]
+      - ["", "", False, "CommandLineToArgvA", "", "", "Argument[0]", "ReturnValue[*]", "taint", "manual"]
+      - ["", "", False, "CommandLineToArgvW", "", "", "Argument[0]", "ReturnValue[*]", "taint", "manual"]
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/SqlTainted.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/SqlTainted.expected
@@ -9,7 +9,18 @@ edges
 | test.c:48:20:48:33 | *globalUsername | test.c:51:18:51:23 | *query1 | provenance | TaintFunction |
 | test.c:75:8:75:16 | gets output argument | test.c:76:17:76:25 | *userInput | provenance |  |
 | test.c:75:8:75:16 | gets output argument | test.c:77:20:77:28 | *userInput | provenance |  |
-| test.c:99:57:99:64 | *pCmdLine | test.c:103:18:103:23 | *query1 | provenance | TaintFunction |
+| test.c:81:8:81:25 | [summary param] 0 in CommandLineToArgvA | test.c:81:8:81:25 | [summary] to write: ReturnValue[*] in CommandLineToArgvA | provenance | MaD:331 |
+| test.c:86:15:86:29 | call to GetCommandLineA | test.c:86:15:86:29 | call to GetCommandLineA | provenance | Src:MaD:325  |
+| test.c:86:15:86:29 | call to GetCommandLineA | test.c:88:36:88:38 | cmd | provenance |  |
+| test.c:86:15:86:29 | call to GetCommandLineA | test.c:92:18:92:23 | *query1 | provenance | TaintFunction |
+| test.c:88:17:88:34 | *call to CommandLineToArgvA | test.c:88:17:88:34 | *call to CommandLineToArgvA | provenance |  |
+| test.c:88:17:88:34 | *call to CommandLineToArgvA | test.c:96:18:96:23 | *query2 | provenance | TaintFunction |
+| test.c:88:36:88:38 | cmd | test.c:81:8:81:25 | [summary param] 0 in CommandLineToArgvA | provenance |  |
+| test.c:88:36:88:38 | cmd | test.c:88:17:88:34 | *call to CommandLineToArgvA | provenance | MaD:331 |
+| test.c:98:15:98:36 | call to GetEnvironmentStringsA | test.c:98:15:98:36 | call to GetEnvironmentStringsA | provenance | Src:MaD:327  |
+| test.c:98:15:98:36 | call to GetEnvironmentStringsA | test.c:101:18:101:23 | *query3 | provenance | TaintFunction |
+| test.c:98:15:98:36 | call to GetEnvironmentStringsA | test.c:106:18:106:23 | *query4 | provenance | TaintFunction |
+| test.c:110:57:110:64 | *pCmdLine | test.c:113:18:113:23 | *query1 | provenance | TaintFunction |
 | test.cpp:39:27:39:30 | **argv | test.cpp:43:27:43:33 | *access to array | provenance |  |
 nodes
 | test.c:14:27:14:30 | **argv | semmle.label | **argv |
@@ -24,15 +35,33 @@ nodes
 | test.c:75:8:75:16 | gets output argument | semmle.label | gets output argument |
 | test.c:76:17:76:25 | *userInput | semmle.label | *userInput |
 | test.c:77:20:77:28 | *userInput | semmle.label | *userInput |
-| test.c:99:57:99:64 | *pCmdLine | semmle.label | *pCmdLine |
-| test.c:103:18:103:23 | *query1 | semmle.label | *query1 |
+| test.c:81:8:81:25 | [summary param] 0 in CommandLineToArgvA | semmle.label | [summary param] 0 in CommandLineToArgvA |
+| test.c:81:8:81:25 | [summary] to write: ReturnValue[*] in CommandLineToArgvA | semmle.label | [summary] to write: ReturnValue[*] in CommandLineToArgvA |
+| test.c:86:15:86:29 | call to GetCommandLineA | semmle.label | call to GetCommandLineA |
+| test.c:86:15:86:29 | call to GetCommandLineA | semmle.label | call to GetCommandLineA |
+| test.c:88:17:88:34 | *call to CommandLineToArgvA | semmle.label | *call to CommandLineToArgvA |
+| test.c:88:17:88:34 | *call to CommandLineToArgvA | semmle.label | *call to CommandLineToArgvA |
+| test.c:88:36:88:38 | cmd | semmle.label | cmd |
+| test.c:92:18:92:23 | *query1 | semmle.label | *query1 |
+| test.c:96:18:96:23 | *query2 | semmle.label | *query2 |
+| test.c:98:15:98:36 | call to GetEnvironmentStringsA | semmle.label | call to GetEnvironmentStringsA |
+| test.c:98:15:98:36 | call to GetEnvironmentStringsA | semmle.label | call to GetEnvironmentStringsA |
+| test.c:101:18:101:23 | *query3 | semmle.label | *query3 |
+| test.c:106:18:106:23 | *query4 | semmle.label | *query4 |
+| test.c:110:57:110:64 | *pCmdLine | semmle.label | *pCmdLine |
+| test.c:113:18:113:23 | *query1 | semmle.label | *query1 |
 | test.cpp:39:27:39:30 | **argv | semmle.label | **argv |
 | test.cpp:43:27:43:33 | *access to array | semmle.label | *access to array |
 subpaths
+| test.c:88:36:88:38 | cmd | test.c:81:8:81:25 | [summary param] 0 in CommandLineToArgvA | test.c:81:8:81:25 | [summary] to write: ReturnValue[*] in CommandLineToArgvA | test.c:88:17:88:34 | *call to CommandLineToArgvA |
 #select
 | test.c:21:18:21:23 | query1 | test.c:14:27:14:30 | **argv | test.c:21:18:21:23 | *query1 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg). | test.c:14:27:14:30 | **argv | user input (a command-line argument) |
 | test.c:51:18:51:23 | query1 | test.c:14:27:14:30 | **argv | test.c:51:18:51:23 | *query1 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg). | test.c:14:27:14:30 | **argv | user input (a command-line argument) |
 | test.c:76:17:76:25 | userInput | test.c:75:8:75:16 | gets output argument | test.c:76:17:76:25 | *userInput | This argument to a SQL query function is derived from $@ and then passed to SQLPrepare(StatementText). | test.c:75:8:75:16 | gets output argument | user input (string read by gets) |
 | test.c:77:20:77:28 | userInput | test.c:75:8:75:16 | gets output argument | test.c:77:20:77:28 | *userInput | This argument to a SQL query function is derived from $@ and then passed to SQLExecDirect(StatementText). | test.c:75:8:75:16 | gets output argument | user input (string read by gets) |
-| test.c:103:18:103:23 | query1 | test.c:99:57:99:64 | *pCmdLine | test.c:103:18:103:23 | *query1 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg). | test.c:99:57:99:64 | *pCmdLine | user input (a command-line) |
+| test.c:92:18:92:23 | query1 | test.c:86:15:86:29 | call to GetCommandLineA | test.c:92:18:92:23 | *query1 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg). | test.c:86:15:86:29 | call to GetCommandLineA | user input (external) |
+| test.c:96:18:96:23 | query2 | test.c:86:15:86:29 | call to GetCommandLineA | test.c:96:18:96:23 | *query2 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg). | test.c:86:15:86:29 | call to GetCommandLineA | user input (external) |
+| test.c:101:18:101:23 | query3 | test.c:98:15:98:36 | call to GetEnvironmentStringsA | test.c:101:18:101:23 | *query3 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg). | test.c:98:15:98:36 | call to GetEnvironmentStringsA | user input (external) |
+| test.c:106:18:106:23 | query4 | test.c:98:15:98:36 | call to GetEnvironmentStringsA | test.c:106:18:106:23 | *query4 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg). | test.c:98:15:98:36 | call to GetEnvironmentStringsA | user input (external) |
+| test.c:113:18:113:23 | query1 | test.c:110:57:110:64 | *pCmdLine | test.c:113:18:113:23 | *query1 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg). | test.c:110:57:110:64 | *pCmdLine | user input (a command-line) |
 | test.cpp:43:27:43:33 | access to array | test.cpp:39:27:39:30 | **argv | test.cpp:43:27:43:33 | *access to array | This argument to a SQL query function is derived from $@ and then passed to pqxx::work::exec1((unnamed parameter 0)). | test.cpp:39:27:39:30 | **argv | user input (a command-line argument) |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/test.c b/cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/test.c
@@ -78,26 +78,36 @@ void ODBCTests(){
 }
 
 char* GetCommandLineA();
-char** CommandLineToArgvA(char *, int*);
+char** CommandLineToArgvA(char*, int*);
+char* GetEnvironmentStringsA();
+int GetEnvironmentVariableA(const char*, char*, int);
 
 void getCommandLine() {
-  char *cmd = GetCommandLineA();
+  char* cmd = GetCommandLineA();
   int argc;
-  char **argv = CommandLineToArgvA(cmd, &argc);
+  char** argv = CommandLineToArgvA(cmd, &argc);
 
-  // a string from the user is injected directly into an SQL query.
   char query1[1000] = {0};
   snprintf(query1, 1000, "SELECT UID FROM USERS where name = \"%s\"", cmd);
   mysql_query(0, query1); // BAD
 
-  // a string from the user is injected directly into an SQL query.
   char query2[1000] = {0};
   snprintf(query2, 1000, "SELECT UID FROM USERS where name = \"%s\"", argv[1]);
   mysql_query(0, query2); // BAD
+
+  char* env = GetEnvironmentStringsA();
+  char query3[1000] = {0};
+  snprintf(query3, 1000, "SELECT UID FROM USERS where name = \"%s\"", env);
+  mysql_query(0, query3); // BAD
+
+  char query4[1000];
+  GetEnvironmentVariableA("FOO", query4, sizeof(query4));
+  snprintf(query4, 1000, "SELECT UID FROM USERS where name = \"%s\"", env);
+  mysql_query(0, query4); // BAD
+
 }
 
 int WinMain(void *hInstance, void *hPrevInstance, char *pCmdLine, int nCmdShow) {
-  // a string from the user is injected directly into an SQL query.
   char query1[1000] = {0};
   snprintf(query1, 1000, "SELECT UID FROM USERS where name = \"%s\"", pCmdLine);
   mysql_query(0, query1); // BAD
