test/Analysis/security-syntax-checks.m - clang - Git at Google

 // RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-checker=core.experimental.SecuritySyntactic %s -verify

 // <rdar://problem/6336718> rule request: floating point used as loop
 //  condition (FLP30-C, FLP-30-CPP)
 //
 // For reference: https://www.securecoding.cert.org/confluence/display/seccode/FLP30-C.+Do+not+use+floating+point+variables+as+loop+counters
 //
 void test_float_condition() {
   for (float x = 0.1f; x <= 1.0f; x += 0.1f) {} // expected-warning{{Variable 'x' with floating point type 'float'}}
   for (float x = 100000001.0f; x <= 100000010.0f; x += 1.0f) {} // expected-warning{{Variable 'x' with floating point type 'float'}}
   for (float x = 100000001.0f; x <= 100000010.0f; x++ ) {} // expected-warning{{Variable 'x' with floating point type 'float'}}
   for (double x = 100000001.0; x <= 100000010.0; x++ ) {} // expected-warning{{Variable 'x' with floating point type 'double'}}
   for (double x = 100000001.0; ((x)) <= 100000010.0; ((x))++ ) {} // expected-warning{{Variable 'x' with floating point type 'double'}}

   for (double x = 100000001.0; 100000010.0 >= x; x = x + 1.0 ) {} // expected-warning{{Variable 'x' with floating point type 'double'}}

   int i = 0;
   for (double x = 100000001.0; ((x)) <= 100000010.0; ((x))++, ++i ) {} // expected-warning{{Variable 'x' with floating point type 'double'}}

   typedef float FooType;
   for (FooType x = 100000001.0f; x <= 100000010.0f; x++ ) {} // expected-warning{{Variable 'x' with floating point type 'FooType'}}
 }

 // <rdar://problem/6335715> rule request: gets() buffer overflow
 // Part of recommendation: 300-BSI (buildsecurityin.us-cert.gov)
 char* gets(char *buf);

 void test_gets() {
   char buff[1024];
   gets(buff); // expected-warning{{Call to function 'gets' is extremely insecure as it can always result in a buffer overflow}}
 }

 int getpw(unsigned int uid, char *buf);

 void test_getpw() {
   char buff[1024];
   getpw(2, buff); // expected-warning{{The getpw() function is dangerous as it may overflow the provided buffer. It is obsoleted by getpwuid().}}
 }

 // <rdar://problem/6337132> CWE-273: Failure to Check Whether Privileges Were
 //  Dropped Successfully
 typedef unsigned int __uint32_t;
 typedef __uint32_t __darwin_uid_t;
 typedef __uint32_t __darwin_gid_t;
 typedef __darwin_uid_t uid_t;
 typedef __darwin_gid_t gid_t;
 int setuid(uid_t);
 int setregid(gid_t, gid_t);
 int setreuid(uid_t, uid_t);
 extern void check(int);
 void abort(void);

 void test_setuid()
 {
   setuid(2); // expected-warning{{The return value from the call to 'setuid' is not checked.  If an error occurs in 'setuid', the following code may execute with unexpected privileges}}
   setuid(0); // expected-warning{{The return value from the call to 'setuid' is not checked.  If an error occurs in 'setuid', the following code may execute with unexpected privileges}}
   if (setuid (2) != 0)
     abort();

   // Currently the 'setuid' check is not flow-sensitive, and only looks
   // at whether the function was called in a compound statement.  This
   // will lead to false negatives, but there should be no false positives.
   int t = setuid(2);  // no-warning
   (void)setuid (2); // no-warning

   check(setuid (2)); // no-warning

   setreuid(2,2); // expected-warning{{The return value from the call to 'setreuid' is not checked.  If an error occurs in 'setreuid', the following code may execute with unexpected privileges}}
   setregid(2,2); // expected-warning{{The return value from the call to 'setregid' is not checked.  If an error occurs in 'setregid', the following code may execute with unexpected privileges}}
 }

 // <rdar://problem/6337100> CWE-338: Use of cryptographically weak prng
 int      rand(void);
 double   drand48(void);
 double   erand48(unsigned short[3]);
 long     jrand48(unsigned short[3]);
 void     lcong48(unsigned short[7]);
 long     lrand48(void);
 long     mrand48(void);
 long     nrand48(unsigned short[3]);
 long     random(void);
 int      rand_r(unsigned *);

 void test_rand()
 {
   unsigned short a[7];
   unsigned b;

   rand();	// expected-warning{{Function 'rand' is obsolete because it implements a poor random number generator.  Use 'arc4random' instead}}
   drand48();	// expected-warning{{Function 'drand48' is obsolete because it implements a poor random number generator.  Use 'arc4random' instead}}
   erand48(a);	// expected-warning{{Function 'erand48' is obsolete because it implements a poor random number generator.  Use 'arc4random' instead}}
   jrand48(a);	// expected-warning{{Function 'jrand48' is obsolete because it implements a poor random number generator.  Use 'arc4random' instead}}
   lcong48(a);	// expected-warning{{Function 'lcong48' is obsolete because it implements a poor random number generator.  Use 'arc4random' instead}}
   lrand48();	// expected-warning{{Function 'lrand48' is obsolete because it implements a poor random number generator.  Use 'arc4random' instead}}
   mrand48();	// expected-warning{{Function 'mrand48' is obsolete because it implements a poor random number generator.  Use 'arc4random' instead}}
   nrand48(a);	// expected-warning{{Function 'nrand48' is obsolete because it implements a poor random number generator.  Use 'arc4random' instead}}
   rand_r(&b);	// expected-warning{{Function 'rand_r' is obsolete because it implements a poor random number generator.  Use 'arc4random' instead}}
   random();	// expected-warning{{The 'random' function produces a sequence of values that an adversary may be able to predict.  Use 'arc4random' instead}}
 }

 char *mktemp(char *buf);

 void test_mktemp() {
   char *x = mktemp("/tmp/zxcv"); // expected-warning{{Call to function 'mktemp' is insecure as it always creates or uses insecure temporary file}}
 }
	// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-checker=core.experimental.SecuritySyntactic %s -verify

	// <rdar://problem/6336718> rule request: floating point used as loop
	// condition (FLP30-C, FLP-30-CPP)
	//
	// For reference: https://www.securecoding.cert.org/confluence/display/seccode/FLP30-C.+Do+not+use+floating+point+variables+as+loop+counters
	//
	void test_float_condition() {
	for (float x = 0.1f; x <= 1.0f; x += 0.1f) {} // expected-warning{{Variable 'x' with floating point type 'float'}}
	for (float x = 100000001.0f; x <= 100000010.0f; x += 1.0f) {} // expected-warning{{Variable 'x' with floating point type 'float'}}
	for (float x = 100000001.0f; x <= 100000010.0f; x++ ) {} // expected-warning{{Variable 'x' with floating point type 'float'}}
	for (double x = 100000001.0; x <= 100000010.0; x++ ) {} // expected-warning{{Variable 'x' with floating point type 'double'}}
	for (double x = 100000001.0; ((x)) <= 100000010.0; ((x))++ ) {} // expected-warning{{Variable 'x' with floating point type 'double'}}

	for (double x = 100000001.0; 100000010.0 >= x; x = x + 1.0 ) {} // expected-warning{{Variable 'x' with floating point type 'double'}}

	int i = 0;
	for (double x = 100000001.0; ((x)) <= 100000010.0; ((x))++, ++i ) {} // expected-warning{{Variable 'x' with floating point type 'double'}}

	typedef float FooType;
	for (FooType x = 100000001.0f; x <= 100000010.0f; x++ ) {} // expected-warning{{Variable 'x' with floating point type 'FooType'}}
	}

	// <rdar://problem/6335715> rule request: gets() buffer overflow
	// Part of recommendation: 300-BSI (buildsecurityin.us-cert.gov)
	char* gets(char *buf);

	void test_gets() {
	char buff[1024];
	gets(buff); // expected-warning{{Call to function 'gets' is extremely insecure as it can always result in a buffer overflow}}
	}

	int getpw(unsigned int uid, char *buf);

	void test_getpw() {
	char buff[1024];
	getpw(2, buff); // expected-warning{{The getpw() function is dangerous as it may overflow the provided buffer. It is obsoleted by getpwuid().}}
	}

	// <rdar://problem/6337132> CWE-273: Failure to Check Whether Privileges Were
	// Dropped Successfully
	typedef unsigned int __uint32_t;
	typedef __uint32_t __darwin_uid_t;
	typedef __uint32_t __darwin_gid_t;
	typedef __darwin_uid_t uid_t;
	typedef __darwin_gid_t gid_t;
	int setuid(uid_t);
	int setregid(gid_t, gid_t);
	int setreuid(uid_t, uid_t);
	extern void check(int);
	void abort(void);

	void test_setuid()
	{
	setuid(2); // expected-warning{{The return value from the call to 'setuid' is not checked. If an error occurs in 'setuid', the following code may execute with unexpected privileges}}
	setuid(0); // expected-warning{{The return value from the call to 'setuid' is not checked. If an error occurs in 'setuid', the following code may execute with unexpected privileges}}
	if (setuid (2) != 0)
	abort();

	// Currently the 'setuid' check is not flow-sensitive, and only looks
	// at whether the function was called in a compound statement. This
	// will lead to false negatives, but there should be no false positives.
	int t = setuid(2); // no-warning
	(void)setuid (2); // no-warning

	check(setuid (2)); // no-warning

	setreuid(2,2); // expected-warning{{The return value from the call to 'setreuid' is not checked. If an error occurs in 'setreuid', the following code may execute with unexpected privileges}}
	setregid(2,2); // expected-warning{{The return value from the call to 'setregid' is not checked. If an error occurs in 'setregid', the following code may execute with unexpected privileges}}
	}

	// <rdar://problem/6337100> CWE-338: Use of cryptographically weak prng
	int rand(void);
	double drand48(void);
	double erand48(unsigned short[3]);
	long jrand48(unsigned short[3]);
	void lcong48(unsigned short[7]);
	long lrand48(void);
	long mrand48(void);
	long nrand48(unsigned short[3]);
	long random(void);
	int rand_r(unsigned *);

	void test_rand()
	{
	unsigned short a[7];
	unsigned b;

	rand(); // expected-warning{{Function 'rand' is obsolete because it implements a poor random number generator. Use 'arc4random' instead}}
	drand48(); // expected-warning{{Function 'drand48' is obsolete because it implements a poor random number generator. Use 'arc4random' instead}}
	erand48(a); // expected-warning{{Function 'erand48' is obsolete because it implements a poor random number generator. Use 'arc4random' instead}}
	jrand48(a); // expected-warning{{Function 'jrand48' is obsolete because it implements a poor random number generator. Use 'arc4random' instead}}
	lcong48(a); // expected-warning{{Function 'lcong48' is obsolete because it implements a poor random number generator. Use 'arc4random' instead}}
	lrand48(); // expected-warning{{Function 'lrand48' is obsolete because it implements a poor random number generator. Use 'arc4random' instead}}
	mrand48(); // expected-warning{{Function 'mrand48' is obsolete because it implements a poor random number generator. Use 'arc4random' instead}}
	nrand48(a); // expected-warning{{Function 'nrand48' is obsolete because it implements a poor random number generator. Use 'arc4random' instead}}
	rand_r(&b); // expected-warning{{Function 'rand_r' is obsolete because it implements a poor random number generator. Use 'arc4random' instead}}
	random(); // expected-warning{{The 'random' function produces a sequence of values that an adversary may be able to predict. Use 'arc4random' instead}}
	}

	char mktemp(char buf);

	void test_mktemp() {
	char *x = mktemp("/tmp/zxcv"); // expected-warning{{Call to function 'mktemp' is insecure as it always creates or uses insecure temporary file}}
	}