| // RUN: %clang_analyze_cc1 -Wno-format-security -Wno-pointer-to-int-cast \ |
| // RUN: -Wno-incompatible-library-redeclaration -verify %s \ |
| // RUN: -analyzer-checker=alpha.security.taint \ |
| // RUN: -analyzer-checker=core \ |
| // RUN: -analyzer-checker=alpha.security.ArrayBoundV2 \ |
| // RUN: -analyzer-checker=debug.ExprInspection \ |
| // RUN: -analyzer-config \ |
| // RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config.yaml |
| |
| // RUN: %clang_analyze_cc1 -Wno-format-security -Wno-pointer-to-int-cast \ |
| // RUN: -Wno-incompatible-library-redeclaration -verify %s \ |
| // RUN: -DFILE_IS_STRUCT \ |
| // RUN: -analyzer-checker=alpha.security.taint \ |
| // RUN: -analyzer-checker=core \ |
| // RUN: -analyzer-checker=alpha.security.ArrayBoundV2 \ |
| // RUN: -analyzer-checker=debug.ExprInspection \ |
| // RUN: -analyzer-config \ |
| // RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config.yaml |
| |
| // RUN: not %clang_analyze_cc1 -Wno-pointer-to-int-cast \ |
| // RUN: -Wno-incompatible-library-redeclaration -verify %s \ |
| // RUN: -analyzer-checker=alpha.security.taint \ |
| // RUN: -analyzer-checker=debug.ExprInspection \ |
| // RUN: -analyzer-config \ |
| // RUN: alpha.security.taint.TaintPropagation:Config=justguessit \ |
| // RUN: 2>&1 | FileCheck %s -check-prefix=CHECK-INVALID-FILE |
| |
| // CHECK-INVALID-FILE: (frontend): invalid input for checker option |
| // CHECK-INVALID-FILE-SAME: 'alpha.security.taint.TaintPropagation:Config', |
| // CHECK-INVALID-FILE-SAME: that expects a valid filename instead of |
| // CHECK-INVALID-FILE-SAME: 'justguessit' |
| |
| // RUN: not %clang_analyze_cc1 -Wno-incompatible-library-redeclaration \ |
| // RUN: -verify %s \ |
| // RUN: -analyzer-checker=alpha.security.taint \ |
| // RUN: -analyzer-checker=debug.ExprInspection \ |
| // RUN: -analyzer-config \ |
| // RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config-ill-formed.yaml \ |
| // RUN: 2>&1 | FileCheck -DMSG=%errc_EINVAL %s -check-prefix=CHECK-ILL-FORMED |
| |
| // CHECK-ILL-FORMED: (frontend): invalid input for checker option |
| // CHECK-ILL-FORMED-SAME: 'alpha.security.taint.TaintPropagation:Config', |
| // CHECK-ILL-FORMED-SAME: that expects a valid yaml file: [[MSG]] |
| |
| // RUN: not %clang_analyze_cc1 -Wno-incompatible-library-redeclaration \ |
| // RUN: -verify %s \ |
| // RUN: -analyzer-checker=alpha.security.taint \ |
| // RUN: -analyzer-checker=debug.ExprInspection \ |
| // RUN: -analyzer-config \ |
| // RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config-invalid-arg.yaml \ |
| // RUN: 2>&1 | FileCheck %s -check-prefix=CHECK-INVALID-ARG |
| |
| // CHECK-INVALID-ARG: (frontend): invalid input for checker option |
| // CHECK-INVALID-ARG-SAME: 'alpha.security.taint.TaintPropagation:Config', |
| // CHECK-INVALID-ARG-SAME: that expects an argument number for propagation |
| // CHECK-INVALID-ARG-SAME: rules greater or equal to -1 |
| |
| typedef long long rsize_t; |
| typedef __typeof(sizeof(int)) size_t; |
| typedef signed long long ssize_t; |
| typedef __WCHAR_TYPE__ wchar_t; |
| void clang_analyzer_isTainted_char(char); |
| void clang_analyzer_isTainted_wchar(wchar_t); |
| void clang_analyzer_isTainted_charp(char*); |
| void clang_analyzer_isTainted_int(int); |
| |
| int coin(); |
| |
| int scanf(const char *restrict format, ...); |
| char *gets(char *str); |
| char *gets_s(char *str, rsize_t n); |
| int getchar(void); |
| |
| typedef struct _FILE FILE; |
| #ifdef FILE_IS_STRUCT |
| extern struct _FILE *stdin; |
| #else |
| extern FILE *stdin; |
| #endif |
| |
| #define bool _Bool |
| #define NULL (void*)0 |
| |
| wchar_t *fgetws(wchar_t *ws, int n, FILE *stream); |
| wchar_t *wmemset(wchar_t *wcs, wchar_t wc, unsigned long n); |
| wchar_t *wmemcpy(wchar_t *dest, const wchar_t *src, size_t n); |
| wchar_t *wmemmove(wchar_t *dest, const wchar_t *src, size_t n); |
| size_t wcslen(const wchar_t *s); |
| wchar_t *wcscpy(wchar_t * dest, const wchar_t * src); |
| wchar_t *wcsncpy(wchar_t *dest, const wchar_t *src, size_t n); |
| wchar_t *wcscat(wchar_t *dest, const wchar_t *src); |
| wchar_t *wcsncat(wchar_t *dest,const wchar_t *src, size_t n); |
| int swprintf(wchar_t *wcs, size_t maxlen, const wchar_t *format, ...); |
| |
| char *getenv(const char *name); |
| |
| FILE *fopen(const char *name, const char *mode); |
| |
| int fscanf(FILE *restrict stream, const char *restrict format, ...); |
| int sprintf(char *str, const char *format, ...); |
| void setproctitle(const char *fmt, ...); |
| void setproctitle_init(int argc, char *argv[], char *envp[]); |
| |
| // Define string functions. Use builtin for some of them. They all default to |
| // the processing in the taint checker. |
| #define strcpy(dest, src) \ |
| ((__builtin_object_size(dest, 0) != -1ULL) \ |
| ? __builtin___strcpy_chk (dest, src, __builtin_object_size(dest, 1)) \ |
| : __inline_strcpy_chk(dest, src)) |
| |
| static char *__inline_strcpy_chk (char *dest, const char *src) { |
| return __builtin___strcpy_chk(dest, src, __builtin_object_size(dest, 1)); |
| } |
| char *stpcpy(char *restrict s1, const char *restrict s2); |
| char *strncpy( char * destination, const char * source, size_t num ); |
| char *strndup(const char *s, size_t n); |
| char *strncat(char *restrict s1, const char *restrict s2, size_t n); |
| |
| void *malloc(size_t); |
| void *calloc(size_t nmemb, size_t size); |
| void bcopy(void *s1, void *s2, size_t n); |
| |
| |
| // function | pathname | filename | fd | arglist | argv[] | envp[] |
| // =============================================================== |
| // 1 execl | X | | | X | | |
| // 2 execle | X | | | X | | X |
| // 3 execlp | | X | | X | | |
| // 4 execv | X | | | | X | |
| // 5 execve | X | | | | X | X |
| // 6 execvp | | X | | | X | |
| // 7 execvpe | | X | | | X | X |
| // 8 fexecve | | | X | | X | X |
| // =============================================================== |
| // letter | | p | f | l | v | e |
| // |
| // legend: |
| // - pathname: rel/abs path to the binary |
| // - filename: file name searched in PATH to execute the binary |
| // - fd: accepts a file descriptor |
| // - arglist: accepts variadic arguments |
| // - argv: accepts a pointer to array, denoting the new argv |
| // - envp: accepts a pointer to array, denoting the new envp |
| |
| int execl(const char *path, const char *arg, ...); |
| int execle(const char *path, const char *arg, ...); |
| int execlp(const char *file, const char *arg, ...); |
| int execv(const char *path, char *const argv[]); |
| int execve(const char *path, char *const argv[], char *const envp[]); |
| int execvp(const char *file, char *const argv[]); |
| int execvpe(const char *file, char *const argv[], char *const envp[]); |
| int fexecve(int fd, char *const argv[], char *const envp[]); |
| FILE *popen(const char *command, const char *type); |
| int pclose(FILE *stream); |
| int system(const char *command); |
| |
| |
| typedef size_t socklen_t; |
| |
| struct sockaddr { |
| unsigned short sa_family; |
| char sa_data[14]; |
| }; |
| |
| #define BUFSIZE 10 |
| |
| int Buffer[BUFSIZE]; |
| void bufferScanfDirect(void) |
| { |
| int n; |
| scanf("%d", &n); |
| Buffer[n] = 1; // expected-warning {{Potential out of bound access }} |
| } |
| |
| void bufferScanfArithmetic1(int x) { |
| int n; |
| scanf("%d", &n); |
| int m = (n - 3); |
| Buffer[m] = 1; // expected-warning {{Potential out of bound access }} |
| } |
| |
| void bufferScanfArithmetic2(int x) { |
| int n; |
| scanf("%d", &n); |
| int m = 100 - (n + 3) * x; |
| Buffer[m] = 1; // expected-warning {{Potential out of bound access }} |
| } |
| |
| void bufferScanfAssignment(int x) { |
| int n; |
| scanf("%d", &n); |
| int m; |
| if (x > 0) { |
| m = n; |
| Buffer[m] = 1; // expected-warning {{Potential out of bound access }} |
| } |
| } |
| |
| void scanfArg(void) { |
| int t = 0; |
| scanf("%d", t); // expected-warning {{format specifies type 'int *' but the argument has type 'int'}} |
| } |
| |
| void bufferGetchar(int x) { |
| int m = getchar(); |
| Buffer[m] = 1; //expected-warning {{Potential out of bound access}} |
| } |
| |
| extern const unsigned short int **__ctype_b_loc (void); |
| enum { _ISdigit = 2048 }; |
| # define isdigit(c) ((*__ctype_b_loc ())[(int) (c)] & (unsigned short int) _ISdigit) |
| |
| int isdigitImplFalsePositive(void) { |
| // If this code no longer produces a bug report, then consider removing the |
| // special case that disables buffer overflow reports coming from the isXXXXX |
| // macros in ctypes.h. |
| int c = getchar(); |
| return ((*__ctype_b_loc ())[(int) (c)] & (unsigned short int) _ISdigit); |
| //expected-warning@-1 {{Potential out of bound access}} |
| } |
| |
| int isdigitSuppressed(void) { |
| // Same code as above, but reports are suppressed based on macro name: |
| int c = getchar(); |
| return isdigit(c); //no-warning |
| } |
| |
| // Some later tests use isdigit as a function, so we need to undef it: |
| #undef isdigit |
| |
| void testUncontrolledFormatString(char **p) { |
| char s[80]; |
| fscanf(stdin, "%s", s); |
| char buf[128]; |
| sprintf(buf,s); // expected-warning {{Uncontrolled Format String}} |
| setproctitle(s, 3); // expected-warning {{Uncontrolled Format String}} |
| |
| // Test taint propagation through strcpy and family. |
| char scpy[80]; |
| strcpy(scpy, s); |
| sprintf(buf,scpy); // expected-warning {{Uncontrolled Format String}} |
| |
| stpcpy(*(++p), s); // this generates __inline. |
| setproctitle(*(p), 3); // expected-warning {{Uncontrolled Format String}} |
| |
| char spcpy[80]; |
| stpcpy(spcpy, s); |
| setproctitle(spcpy, 3); // expected-warning {{Uncontrolled Format String}} |
| |
| char *spcpyret; |
| spcpyret = stpcpy(spcpy, s); |
| setproctitle(spcpyret, 3); // expected-warning {{Uncontrolled Format String}} |
| |
| char sncpy[80]; |
| strncpy(sncpy, s, 20); |
| setproctitle(sncpy, 3); // expected-warning {{Uncontrolled Format String}} |
| |
| char *dup; |
| dup = strndup(s, 20); |
| setproctitle(dup, 3); // expected-warning {{Uncontrolled Format String}} |
| |
| } |
| |
| void testTaintSystemCall(void) { |
| char buffer[156]; |
| char addr[128]; |
| scanf("%s", addr); |
| system(addr); // expected-warning {{Untrusted data is passed to a system call}} |
| |
| // Test that spintf transfers taint. |
| sprintf(buffer, "/bin/mail %s < /tmp/email", addr); |
| system(buffer); // expected-warning {{Untrusted data is passed to a system call}} |
| } |
| |
| void testTaintSystemCall2(void) { |
| // Test that snpintf transfers taint. |
| char buffern[156]; |
| char addr[128]; |
| scanf("%s", addr); |
| __builtin_snprintf(buffern, 10, "/bin/mail %s < /tmp/email", addr); |
| // expected-warning@-1 {{'snprintf' will always be truncated; specified size is 10, but format string expands to at least 24}} |
| system(buffern); // expected-warning {{Untrusted data is passed to a system call}} |
| } |
| |
| void testTaintSystemCall3(void) { |
| char buffern2[156]; |
| int numt; |
| char addr[128]; |
| scanf("%s %d", addr, &numt); |
| __builtin_snprintf(buffern2, numt, "/bin/mail %s < /tmp/email", "abcd"); |
| system(buffern2); // expected-warning {{Untrusted data is passed to a system call}} |
| } |
| |
| void testGets(void) { |
| char str[50]; |
| gets(str); |
| system(str); // expected-warning {{Untrusted data is passed to a system call}} |
| } |
| |
| void testGets_s(void) { |
| char str[50]; |
| gets_s(str, 49); |
| system(str); // expected-warning {{Untrusted data is passed to a system call}} |
| } |
| |
| void testTaintedBufferSize(void) { |
| size_t ts; |
| // The functions malloc, calloc, bcopy and memcpy are not taint sinks in the |
| // default config of GenericTaintChecker (because that would cause too many |
| // false positives). |
| // FIXME: We should generate warnings when a value passed to these functions |
| // is tainted and _can be very large_ (because that's exploitable). This |
| // functionality probably belongs to the checkers that do more detailed |
| // modeling of these functions (MallocChecker and CStringChecker). |
| scanf("%zd", &ts); |
| int *buf1 = (int*)malloc(ts*sizeof(int)); // warn here, ts is unbounded and tainted |
| char *dst = (char*)calloc(ts, sizeof(char)); // warn here, ts is unbounded tainted |
| bcopy(buf1, dst, ts); // no warning here, since the size of buf1, dst equals ts. Cannot overflow. |
| __builtin_memcpy(dst, buf1, (ts + 4)*sizeof(char)); // warn here, dst overflows (whatever the value of ts) |
| |
| // If both buffers are trusted, do not issue a warning. |
| char *dst2 = (char*)malloc(ts*sizeof(char)); // warn here, ts in unbounded |
| strncat(dst2, dst, ts); // no-warning |
| } |
| |
| #define AF_UNIX 1 /* local to host (pipes) */ |
| #define AF_INET 2 /* internetwork: UDP, TCP, etc. */ |
| #define AF_LOCAL AF_UNIX /* backward compatibility */ |
| #define SOCK_STREAM 1 |
| int socket(int, int, int); |
| size_t read(int, void *, size_t); |
| |
| void testSocket(void) { |
| int sock; |
| char buffer[100]; |
| |
| sock = socket(AF_INET, SOCK_STREAM, 0); |
| read(sock, buffer, 100); |
| execl(buffer, "filename", 0); // expected-warning {{Untrusted data is passed to a system call}} |
| |
| sock = socket(AF_LOCAL, SOCK_STREAM, 0); |
| read(sock, buffer, 100); |
| execl(buffer, "filename", 0); // no-warning |
| |
| sock = socket(AF_INET, SOCK_STREAM, 0); |
| // References to both buffer and &buffer as an argument should taint the argument |
| read(sock, &buffer, 100); |
| execl(buffer, "filename", 0); // expected-warning {{Untrusted data is passed to a system call}} |
| } |
| |
| void testStruct(void) { |
| struct { |
| char buf[16]; |
| int length; |
| } tainted; |
| |
| char buffer[16]; |
| int sock; |
| |
| sock = socket(AF_INET, SOCK_STREAM, 0); |
| read(sock, &tainted, sizeof(tainted)); |
| clang_analyzer_isTainted_int(tainted.length); // expected-warning {{YES }} |
| } |
| |
| void testStructArray(void) { |
| struct { |
| int length; |
| } tainted[4]; |
| |
| char dstbuf[16], srcbuf[16]; |
| int sock; |
| |
| sock = socket(AF_INET, SOCK_STREAM, 0); |
| __builtin_memset(srcbuf, 0, sizeof(srcbuf)); |
| |
| read(sock, &tainted[0], sizeof(tainted)); |
| clang_analyzer_isTainted_int(tainted[0].length); // expected-warning {{YES}} |
| |
| __builtin_memset(&tainted, 0, sizeof(tainted)); |
| read(sock, &tainted, sizeof(tainted)); |
| clang_analyzer_isTainted_int(tainted[0].length); // expected-warning {{YES}} |
| |
| __builtin_memset(&tainted, 0, sizeof(tainted)); |
| // If we taint element 1, we should not raise an alert on taint for element 0 or element 2 |
| read(sock, &tainted[1], sizeof(tainted)); |
| clang_analyzer_isTainted_int(tainted[0].length); // expected-warning {{NO}} |
| clang_analyzer_isTainted_int(tainted[2].length); // expected-warning {{NO}} |
| } |
| |
| void testUnion(void) { |
| union { |
| int x; |
| char y[4]; |
| } tainted; |
| |
| char buffer[4]; |
| |
| int sock = socket(AF_INET, SOCK_STREAM, 0); |
| read(sock, &tainted.y, sizeof(tainted.y)); |
| // FIXME: overlapping regions aren't detected by isTainted yet |
| __builtin_memcpy(buffer, tainted.y, tainted.x); |
| } |
| |
| int testDivByZero(void) { |
| int x; |
| scanf("%d", &x); |
| return 5/x; // expected-warning {{Division by a tainted value, possibly zero}} |
| } |
| |
| // Zero-sized VLAs. |
| void testTaintedVLASize(void) { |
| int x; |
| scanf("%d", &x); |
| int vla[x]; // expected-warning{{Declared variable-length array (VLA) has tainted (attacker controlled) size that can be 0 or negative}} |
| } |
| |
| // Tainted-sanitized VLAs. |
| void testTaintedSanitizedVLASize(void) { |
| int x; |
| scanf("%d", &x); |
| if (x<1) |
| return; |
| int vla[x]; // no-warning |
| } |
| |
| int testTaintedAllocaMem() { |
| char x; |
| void * p; |
| scanf("%c", &x); |
| p = __builtin_alloca(1); |
| __builtin_memcpy(p, &x, 1); |
| return 5 / *(char*)p; // expected-warning {{Division by a tainted value, possibly zero}} |
| } |
| |
| int testTaintedMallocMem() { |
| char x; |
| void * p; |
| scanf("%c", &x); |
| p = malloc(1); |
| __builtin_memcpy(p, &x, 1); |
| return 5 / *(char*)p; // expected-warning {{Division by a tainted value, possibly zero}} |
| } |
| |
| |
| // This computation used to take a very long time. |
| #define longcmp(a,b,c) { \ |
| a -= c; a ^= c; c += b; b -= a; b ^= (a<<6) | (a >> (32-b)); a += c; c -= b; c ^= b; b += a; \ |
| a -= c; a ^= c; c += b; b -= a; b ^= a; a += c; c -= b; c ^= b; b += a; } |
| |
| unsigned radar11369570_hanging(const unsigned char *arr, int l) { |
| unsigned a, b, c; |
| a = b = c = 0x9899e3 + l; |
| while (l >= 6) { |
| unsigned t; |
| scanf("%d", &t); |
| a += b; |
| a ^= a; |
| a += (arr[3] + ((unsigned) arr[2] << 8) + ((unsigned) arr[1] << 16) + ((unsigned) arr[0] << 24)); |
| longcmp(a, t, c); |
| l -= 12; |
| } |
| return 5/a; // expected-warning {{Division by a tainted value, possibly zero}} |
| } |
| |
| // Check that we do not assert of the following code. |
| int SymSymExprWithDiffTypes(void* p) { |
| int i; |
| scanf("%d", &i); |
| int j = (i % (int)(long)p); |
| return 5/j; // expected-warning {{Division by a tainted value, possibly zero}} |
| } |
| |
| |
| void constraintManagerShouldTreatAsOpaque(int rhs) { |
| int i; |
| scanf("%d", &i); |
| // This comparison used to hit an assertion in the constraint manager, |
| // which didn't handle NonLoc sym-sym comparisons. |
| if (i < rhs) |
| return; |
| if (i < rhs) |
| *(volatile int *) 0; // no-warning |
| } |
| |
| int testSprintf_is_not_a_source(char *buf, char *msg) { |
| int x = sprintf(buf, "%s", msg); // no-warning |
| return 1 / x; // no-warning: 'sprintf' is not a taint source |
| } |
| |
| int testSprintf_propagates_taint(char *buf, char *msg) { |
| scanf("%s", msg); |
| int x = sprintf(buf, "%s", msg); // propagate taint! |
| return 1 / x; // expected-warning {{Division by a tainted value, possibly zero}} |
| } |
| |
| void test_wchar_apis_dont_propagate(const char *path) { |
| // strlen, wcslen, strnlen and alike intentionally don't propagate taint. |
| // See the details here: https://github.com/llvm/llvm-project/pull/66086 |
| // This isn't ideal, but this is only what we have now. |
| |
| FILE *f = fopen(path, "r"); |
| clang_analyzer_isTainted_charp((char*)f); // expected-warning {{YES}} |
| wchar_t wbuf[10]; |
| fgetws(wbuf, sizeof(wbuf)/sizeof(*wbuf), f); |
| clang_analyzer_isTainted_wchar(*wbuf); // expected-warning {{YES}} |
| int n = wcslen(wbuf); |
| clang_analyzer_isTainted_int(n); // expected-warning {{NO}} |
| |
| wchar_t dst[100] = L"ABC"; |
| clang_analyzer_isTainted_wchar(*dst); // expected-warning {{NO}} |
| wcsncat(dst, wbuf, sizeof(wbuf)/sizeof(*wbuf)); |
| clang_analyzer_isTainted_wchar(*dst); // expected-warning {{YES}} |
| |
| int m = wcslen(dst); |
| clang_analyzer_isTainted_int(m); // expected-warning {{NO}} |
| } |
| |
| int scanf_s(const char *format, ...); |
| int testScanf_s_(int *out) { |
| scanf_s("%d", out); |
| return 1 / *out; // expected-warning {{Division by a tainted value, possibly zero}} |
| } |
| |
| #define _IO_FILE FILE |
| int _IO_getc(_IO_FILE *__fp); |
| int testUnderscoreIO_getc(_IO_FILE *fp) { |
| char c = _IO_getc(fp); |
| return 1 / c; // expected-warning {{Division by a tainted value, possibly zero}} |
| } |
| |
| char *getcwd(char *buf, size_t size); |
| int testGetcwd(char *buf, size_t size) { |
| char *c = getcwd(buf, size); |
| return system(c); // expected-warning {{Untrusted data is passed to a system call}} |
| } |
| |
| char *getwd(char *buf); |
| int testGetwd(char *buf) { |
| char *c = getwd(buf); |
| return system(c); // expected-warning {{Untrusted data is passed to a system call}} |
| } |
| |
| ssize_t readlink(const char *path, char *buf, size_t bufsiz); |
| int testReadlink(char *path, char *buf, size_t bufsiz) { |
| ssize_t s = readlink(path, buf, bufsiz); |
| system(buf); // expected-warning {{Untrusted data is passed to a system call}} |
| // readlink never returns 0 |
| return 1 / (s + 1); // expected-warning {{Division by a tainted value, possibly zero}} |
| } |
| |
| ssize_t readlinkat(int dirfd, const char *pathname, char *buf, size_t bufsiz); |
| int testReadlinkat(int dirfd, char *path, char *buf, size_t bufsiz) { |
| ssize_t s = readlinkat(dirfd, path, buf, bufsiz); |
| system(buf); // expected-warning {{Untrusted data is passed to a system call}} |
| (void)(1 / dirfd); // arg 0 is not tainted |
| system(path); // arg 1 is not tainted |
| (void)(1 / bufsiz); // arg 3 is not tainted |
| // readlinkat never returns 0 |
| return 1 / (s + 1); // expected-warning {{Division by a tainted value, possibly zero}} |
| } |
| |
| char *get_current_dir_name(void); |
| int testGet_current_dir_name() { |
| char *d = get_current_dir_name(); |
| return system(d); // expected-warning {{Untrusted data is passed to a system call}} |
| } |
| |
| int gethostname(char *name, size_t len); |
| int testGethostname(char *name, size_t len) { |
| gethostname(name, len); |
| return system(name); // expected-warning {{Untrusted data is passed to a system call}} |
| } |
| |
| int getnameinfo(const struct sockaddr *restrict addr, socklen_t addrlen, |
| char *restrict host, socklen_t hostlen, |
| char *restrict serv, socklen_t servlen, int flags); |
| int testGetnameinfo(const struct sockaddr *restrict addr, socklen_t addrlen, |
| char *restrict host, socklen_t hostlen, |
| char *restrict serv, socklen_t servlen, int flags) { |
| getnameinfo(addr, addrlen, host, hostlen, serv, servlen, flags); |
| |
| system(host); // expected-warning {{Untrusted data is passed to a system call}} |
| return system(serv); // expected-warning {{Untrusted data is passed to a system call}} |
| } |
| |
| int getseuserbyname(const char *linuxuser, char **selinuxuser, char **level); |
| int testGetseuserbyname(const char *linuxuser, char **selinuxuser, char **level) { |
| getseuserbyname(linuxuser, selinuxuser, level); |
| system(selinuxuser[0]); // expected-warning {{Untrusted data is passed to a system call}} |
| return system(level[0]); // expected-warning {{Untrusted data is passed to a system call}} |
| } |
| |
| typedef int gid_t; |
| int getgroups(int size, gid_t list[]); |
| int testGetgroups(int size, gid_t list[], bool flag) { |
| int result = getgroups(size, list); |
| if (flag) |
| return 1 / list[0]; // expected-warning {{Division by a tainted value, possibly zero}} |
| |
| return 1 / (result + 1); // expected-warning {{Division by a tainted value, possibly zero}} |
| } |
| |
| char *getlogin(void); |
| int testGetlogin() { |
| char *n = getlogin(); |
| return system(n); // expected-warning {{Untrusted data is passed to a system call}} |
| } |
| |
| int getlogin_r(char *buf, size_t bufsize); |
| int testGetlogin_r(char *buf, size_t bufsize) { |
| getlogin_r(buf, bufsize); |
| return system(buf); // expected-warning {{Untrusted data is passed to a system call}} |
| } |
| |
| int fscanf_s(FILE *stream, const char *format, ...); |
| void testFscanf_s(const char *fname, int *d) { |
| FILE *f = fopen(fname, "r"); |
| fscanf_s(f, "%d", d); |
| clang_analyzer_isTainted_int(*d); // expected-warning {{YES}} |
| } |
| |
| int fread(void *buffer, size_t size, size_t count, FILE *stream); |
| void testFread(const char *fname, int *buffer, size_t size, size_t count) { |
| FILE *f = fopen(fname, "r"); |
| size_t read = fread(buffer, size, count, f); |
| |
| clang_analyzer_isTainted_int(*buffer); // expected-warning {{YES}} |
| clang_analyzer_isTainted_int(read); // expected-warning {{YES}} |
| } |
| |
| ssize_t recv(int sockfd, void *buf, size_t len, int flags); |
| int accept(int fd, struct sockaddr *addr, socklen_t *addrlen); |
| int bind(int fd, const struct sockaddr *addr, socklen_t addrlen); |
| int listen(int fd, int backlog); |
| |
| void testRecv(int *buf, size_t len, int flags) { |
| int fd; |
| scanf("%d", &fd); // fake a tainted a file descriptor |
| |
| size_t read = recv(fd, buf, len, flags); |
| clang_analyzer_isTainted_int(*buf); // expected-warning {{YES}} |
| clang_analyzer_isTainted_int(read); // expected-warning {{YES}} |
| } |
| |
| ssize_t recvfrom(int sockfd, void *restrict buf, size_t len, int flags, |
| struct sockaddr *restrict src_addr, |
| socklen_t *restrict addrlen); |
| void testRecvfrom(int *restrict buf, size_t len, int flags, |
| struct sockaddr *restrict src_addr, |
| socklen_t *restrict addrlen) { |
| int fd; |
| scanf("%d", &fd); // fake a tainted a file descriptor |
| |
| size_t read = recvfrom(fd, buf, len, flags, src_addr, addrlen); |
| clang_analyzer_isTainted_int(*buf); // expected-warning {{YES}} |
| clang_analyzer_isTainted_int(read); // expected-warning {{YES}} |
| } |
| |
| char *ttyname(int fd); |
| void testTtyname() { |
| int fd; |
| scanf("%d", &fd); // fake a tainted a file descriptor |
| |
| char *name = ttyname(fd); |
| clang_analyzer_isTainted_charp(name); // expected-warning {{YES}} |
| } |
| |
| int ttyname_r(int fd, char *buf, size_t buflen); |
| void testTtyname_r(char *buf, size_t buflen) { |
| int fd; |
| scanf("%d", &fd); // fake a tainted a file descriptor |
| |
| int result = ttyname_r(fd, buf, buflen); |
| clang_analyzer_isTainted_char(*buf); // expected-warning {{YES}} |
| clang_analyzer_isTainted_int(result); // expected-warning {{YES}} |
| } |
| |
| char *dirname(char *path); |
| void testDirname() { |
| char buf[10]; |
| scanf("%9s", buf); |
| |
| char *name = dirname(buf); |
| clang_analyzer_isTainted_charp(name); // expected-warning {{YES}} |
| } |
| |
| char *basename(char *path); |
| void testBasename() { |
| char buf[10]; |
| scanf("%9s", buf); |
| |
| char *name = basename(buf); |
| clang_analyzer_isTainted_charp(name); // expected-warning {{YES}} |
| } |
| |
| int fnmatch(const char *pattern, const char *string, int flags); |
| void testFnmatch(const char *pattern, int flags) { |
| char string[10]; |
| scanf("%9s", string); |
| |
| int result = fnmatch(pattern, string, flags); |
| clang_analyzer_isTainted_int(result); // expected-warning {{YES}} |
| } |
| |
| void *memchr(const void *s, int c, size_t n); |
| void testMemchr(int c, size_t n) { |
| char buf[10]; |
| scanf("%9s", buf); |
| |
| char *result = memchr(buf, c, n); |
| clang_analyzer_isTainted_charp(result); // expected-warning {{YES}} |
| } |
| |
| void *memrchr(const void *s, int c, size_t n); |
| void testMemrchr(int c, size_t n) { |
| char buf[10]; |
| scanf("%9s", buf); |
| |
| char *result = memrchr(buf, c, n); |
| clang_analyzer_isTainted_charp(result); // expected-warning {{YES}} |
| } |
| |
| void *rawmemchr(const void *s, int c); |
| void testRawmemchr(int c) { |
| char buf[10]; |
| scanf("%9s", buf); |
| |
| char *result = rawmemchr(buf, c); |
| clang_analyzer_isTainted_charp(result); // expected-warning {{YES}} |
| } |
| |
| int mbtowc(wchar_t *pwc, const char *s, size_t n); |
| void testMbtowc(wchar_t *pwc, size_t n) { |
| char buf[10]; |
| scanf("%9s", buf); |
| |
| int result = mbtowc(pwc, buf, n); |
| clang_analyzer_isTainted_char(*pwc); // expected-warning {{YES}} |
| clang_analyzer_isTainted_int(result); // expected-warning {{YES}} |
| } |
| |
| int wctomb(char *s, wchar_t wc); |
| void testWctomb(char *buf) { |
| wchar_t wc = getchar(); |
| |
| int result = wctomb(buf, wc); |
| clang_analyzer_isTainted_char(*buf); // expected-warning {{YES}} |
| clang_analyzer_isTainted_int(result); // expected-warning {{YES}} |
| } |
| |
| int wcwidth(wchar_t c); |
| void testWcwidth() { |
| wchar_t wc = getchar(); |
| |
| int width = wcwidth(wc); |
| clang_analyzer_isTainted_int(width); // expected-warning {{YES}} |
| } |
| |
| int memcmp(const void *s1, const void *s2, size_t n); |
| void testMemcmpWithLHSTainted(size_t n, char *rhs) { |
| char lhs[10]; |
| scanf("%9s", lhs); |
| |
| int cmp_result = memcmp(lhs, rhs, n); |
| clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}} |
| } |
| |
| void testMemcmpWithRHSTainted(size_t n, char *lhs) { |
| char rhs[10]; |
| scanf("%9s", rhs); |
| |
| int cmp_result = memcmp(lhs, rhs, n); |
| clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}} |
| } |
| |
| void *memcpy(void *restrict dest, const void *restrict src, size_t n); |
| void testMemcpy(char *dst, size_t n) { |
| char src[10]; |
| scanf("%9s", src); |
| |
| char *result = memcpy(dst, src, n); |
| |
| clang_analyzer_isTainted_char(*dst); // expected-warning {{YES}} |
| clang_analyzer_isTainted_charp(result); // expected-warning {{YES}} |
| } |
| |
| void *memmove(void *dest, const void *src, size_t n); |
| void testMemmove(char *dst, size_t n) { |
| char src[10]; |
| scanf("%9s", src); |
| |
| char *result = memmove(dst, src, n); |
| |
| clang_analyzer_isTainted_char(*dst); // expected-warning {{YES}} |
| clang_analyzer_isTainted_charp(result); // expected-warning {{YES}} |
| } |
| |
| void *memmem(const void *haystack, size_t haystacklen, const void *needle, size_t needlelen); |
| void testMemmem(const void *needle, size_t needlelen) { |
| char haystack[10]; |
| scanf("%9s", haystack); |
| |
| char *result = memmem(haystack, 9, needle, needlelen); |
| clang_analyzer_isTainted_charp(result); // expected-warning {{YES}} |
| } |
| |
| char *strstr(const char *haystack, const char *needle); |
| void testStrstr(const char *needle) { |
| char haystack[10]; |
| scanf("%9s", haystack); |
| |
| char *result = strstr(haystack, needle); |
| clang_analyzer_isTainted_charp(result); // expected-warning {{YES}} |
| } |
| |
| char *strcasestr(const char *haystack, const char *needle); |
| void testStrcasestr(const char *needle) { |
| char haystack[10]; |
| scanf("%9s", haystack); |
| |
| char *result = strcasestr(haystack, needle); |
| clang_analyzer_isTainted_charp(result); // expected-warning {{YES}} |
| } |
| |
| char *strchrnul(const char *s, int c); |
| void testStrchrnul() { |
| char s[10]; |
| scanf("%9s", s); |
| |
| char *result = strchrnul(s, 9); |
| clang_analyzer_isTainted_charp(result); // expected-warning {{YES}} |
| } |
| |
| char *index(const char *s, int c); |
| void testIndex() { |
| char s[10]; |
| scanf("%9s", s); |
| |
| char *result = index(s, 9); |
| clang_analyzer_isTainted_charp(result); // expected-warning {{YES}} |
| } |
| |
| char *rindex(const char *s, int c); |
| void testRindex() { |
| char s[10]; |
| scanf("%9s", s); |
| |
| char *result = rindex(s, 9); |
| clang_analyzer_isTainted_charp(result); // expected-warning {{YES}} |
| } |
| |
| int strcmp(const char *s1, const char *s2); |
| void testStrcmpWithLHSTainted(char *rhs) { |
| char lhs[10]; |
| scanf("%9s", lhs); |
| |
| int cmp_result = strcmp(lhs, rhs); |
| clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}} |
| } |
| |
| void testStrcmpWithRHSTainted(char *lhs) { |
| char rhs[10]; |
| scanf("%9s", rhs); |
| |
| int cmp_result = strcmp(lhs, rhs); |
| clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}} |
| } |
| int strcasecmp(const char *s1, const char *s2); |
| void testStrcasecmpWithLHSTainted(char *rhs) { |
| char lhs[10]; |
| scanf("%9s", lhs); |
| |
| int cmp_result = strcasecmp(lhs, rhs); |
| clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}} |
| } |
| |
| void testStrcasecmpWithRHSTainted(char *lhs) { |
| char rhs[10]; |
| scanf("%9s", rhs); |
| |
| int cmp_result = strcasecmp(lhs, rhs); |
| clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}} |
| } |
| int strncmp(const char *s1, const char *s2, size_t n); |
| void testStrncmpWithLHSTainted(char *rhs, size_t n) { |
| char lhs[10]; |
| scanf("%9s", lhs); |
| |
| int cmp_result = strncmp(lhs, rhs, n); |
| clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}} |
| } |
| |
| void testStrncmpWithRHSTainted(char *lhs, size_t n) { |
| char rhs[10]; |
| scanf("%9s", rhs); |
| |
| int cmp_result = strncmp(lhs, rhs, n); |
| clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}} |
| } |
| |
| void testStrncmpWithNTainted(char *lhs, char *rhs) { |
| int n; |
| scanf("%d", &n); |
| |
| int cmp_result = strncmp(lhs, rhs, n); |
| clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}} |
| } |
| |
| int strncasecmp(const char *s1, const char *s2, size_t n); |
| void testStrncasecmpWithLHSTainted(char *rhs, size_t n) { |
| char lhs[10]; |
| scanf("%9s", lhs); |
| |
| int cmp_result = strncmp(lhs, rhs, n); |
| clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}} |
| } |
| |
| void testStrncasecmpWithRHSTainted(char *lhs, size_t n) { |
| char rhs[10]; |
| scanf("%9s", rhs); |
| |
| int cmp_result = strncmp(lhs, rhs, n); |
| clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}} |
| } |
| |
| void testStrncasecmpWithNTainted(char *lhs, char *rhs) { |
| int n; |
| scanf("%d", &n); |
| |
| int cmp_result = strncmp(lhs, rhs, n); |
| clang_analyzer_isTainted_int(cmp_result); // expected-warning {{YES}} |
| } |
| |
| size_t strspn(const char *s, const char *accept); |
| void testStrspnFirstArgTainted(const char *accept) { |
| char s[10]; |
| scanf("%9s", s); |
| |
| size_t result = strspn(s, accept); |
| clang_analyzer_isTainted_int(result); // expected-warning {{YES}} |
| } |
| |
| void testStrspnSecondArgTainted(const char *s) { |
| char accept[10]; |
| scanf("%9s", accept); |
| |
| size_t result = strspn(s, accept); |
| clang_analyzer_isTainted_int(result); // expected-warning {{YES}} |
| } |
| |
| size_t strcspn(const char *s, const char *reject); |
| void testStrcspnFirstArgTainted(const char *reject) { |
| char s[10]; |
| scanf("%9s", s); |
| |
| size_t result = strcspn(s, reject); |
| clang_analyzer_isTainted_int(result); // expected-warning {{YES}} |
| } |
| |
| void testStrcspnSecondArgTainted(const char *s) { |
| char reject[10]; |
| scanf("%9s", reject); |
| |
| size_t result = strcspn(s, reject); |
| clang_analyzer_isTainted_int(result); // expected-warning {{YES}} |
| } |
| |
| char *strpbrk(const char *s, const char *accept); |
| void testStrpbrk(const char *accept) { |
| char s[10]; |
| scanf("%9s", s); |
| |
| char *result = strpbrk(s, accept); |
| clang_analyzer_isTainted_charp(result); // expected-warning {{YES}} |
| } |
| |
| char *strndup(const char *s, size_t n); |
| void testStrndup(size_t n) { |
| char s[10]; |
| scanf("%9s", s); |
| |
| char *result = strndup(s, n); |
| clang_analyzer_isTainted_charp(result); // expected-warning {{YES}} |
| } |
| |
| char *strdupa(const char *s); |
| void testStrdupa() { |
| char s[10]; |
| scanf("%9s", s); |
| |
| char *result = strdupa(s); |
| clang_analyzer_isTainted_charp(result); // expected-warning {{YES}} |
| } |
| |
| char *strndupa(const char *s, size_t n); |
| void testStrndupa(size_t n) { |
| char s[10]; |
| scanf("%9s", s); |
| |
| char *result = strndupa(s, n); |
| clang_analyzer_isTainted_charp(result); // expected-warning {{YES}} |
| } |
| |
| size_t strlen(const char *s); |
| void testStrlen_dont_propagate() { |
| // strlen, wcslen, strnlen and alike intentionally don't propagate taint. |
| // See the details here: https://github.com/llvm/llvm-project/pull/66086 |
| // This isn't ideal, but this is only what we have now. |
| char s[10]; |
| scanf("%9s", s); |
| |
| size_t result = strlen(s); |
| // strlen propagating taint would bring in many false positives |
| clang_analyzer_isTainted_int(result); // expected-warning {{NO}} |
| } |
| |
| size_t strnlen(const char *s, size_t maxlen); |
| void testStrnlen_dont_propagate(size_t maxlen) { |
| // strlen, wcslen, strnlen and alike intentionally don't propagate taint. |
| // See the details here: https://github.com/llvm/llvm-project/pull/66086 |
| // This isn't ideal, but this is only what we have now. |
| char s[10]; |
| scanf("%9s", s); |
| size_t result = strnlen(s, maxlen); |
| clang_analyzer_isTainted_int(result); // expected-warning {{NO}} |
| } |
| |
| long strtol(const char *restrict nptr, char **restrict endptr, int base); |
| long long strtoll(const char *restrict nptr, char **restrict endptr, int base); |
| unsigned long int strtoul(const char *nptr, char **endptr, int base); |
| unsigned long long int strtoull(const char *nptr, char **endptr, int base); |
| void testStrtolVariants(char **restrict endptr, int base) { |
| char s[10]; |
| scanf("%9s", s); |
| |
| long result_l = strtol(s, endptr, base); |
| clang_analyzer_isTainted_int(result_l); // expected-warning {{YES}} |
| |
| long long result_ll = strtoll(s, endptr, base); |
| clang_analyzer_isTainted_int(result_ll); // expected-warning {{YES}} |
| |
| unsigned long result_ul = strtoul(s, endptr, base); |
| clang_analyzer_isTainted_int(result_ul); // expected-warning {{YES}} |
| |
| unsigned long long result_ull = strtoull(s, endptr, base); |
| clang_analyzer_isTainted_int(result_ull); // expected-warning {{YES}} |
| } |
| |
| int isalnum(int c); |
| int isalpha(int c); |
| int isascii(int c); |
| int isblank(int c); |
| int iscntrl(int c); |
| int isdigit(int c); |
| int isgraph(int c); |
| int islower(int c); |
| int isprint(int c); |
| int ispunct(int c); |
| int isspace(int c); |
| int isupper(int c); |
| int isxdigit(int c); |
| |
| void testIsFunctions() { |
| char c; |
| scanf("%c", &c); |
| |
| int alnum = isalnum(c); |
| clang_analyzer_isTainted_int(alnum); // expected-warning {{YES}} |
| |
| int alpha = isalpha(c); |
| clang_analyzer_isTainted_int(alpha); // expected-warning {{YES}} |
| |
| int ascii = isascii(c); |
| clang_analyzer_isTainted_int(ascii); // expected-warning {{YES}} |
| |
| int blank = isblank(c); |
| clang_analyzer_isTainted_int(blank); // expected-warning {{YES}} |
| |
| int cntrl = iscntrl(c); |
| clang_analyzer_isTainted_int(cntrl); // expected-warning {{YES}} |
| |
| int digit = isdigit(c); |
| clang_analyzer_isTainted_int(digit); // expected-warning {{YES}} |
| |
| int graph = isgraph(c); |
| clang_analyzer_isTainted_int(graph); // expected-warning {{YES}} |
| |
| int lower = islower(c); |
| clang_analyzer_isTainted_int(lower); // expected-warning {{YES}} |
| |
| int print = isprint(c); |
| clang_analyzer_isTainted_int(print); // expected-warning {{YES}} |
| |
| int punct = ispunct(c); |
| clang_analyzer_isTainted_int(punct); // expected-warning {{YES}} |
| |
| int space = isspace(c); |
| clang_analyzer_isTainted_int(space); // expected-warning {{YES}} |
| |
| int upper = isupper(c); |
| clang_analyzer_isTainted_int(upper); // expected-warning {{YES}} |
| |
| int xdigit = isxdigit(c); |
| clang_analyzer_isTainted_int(xdigit); // expected-warning {{YES}} |
| } |
| |
| void qsort(void *base, size_t nmemb, size_t size, int (*compar)(const void *, const void *)); |
| void qsort_r(void *base, size_t nmemb, size_t size, int (*compar)(const void *, const void *, void *), void *arg); |
| void testQsort() { |
| int data[1]; |
| scanf("%d", data); |
| |
| qsort(data, sizeof(data), sizeof(data[0]), NULL); |
| clang_analyzer_isTainted_int(data[0]); // expected-warning {{YES}} |
| qsort_r(data, sizeof(data), sizeof(data[0]), NULL, NULL); |
| clang_analyzer_isTainted_int(data[0]); // expected-warning {{YES}} |
| } |
| |
| // Test configuration |
| int mySource1(void); |
| void mySource2(int*); |
| void myScanf(const char*, ...); |
| int myPropagator(int, int*); |
| int mySnprintf(char*, size_t, const char*, ...); |
| bool isOutOfRange(const int*); // const filter function |
| void sanitizeCmd(char*); // non-const filter function |
| void mySink(int, int, int); |
| |
| void testConfigurationSources1(void) { |
| int x = mySource1(); |
| Buffer[x] = 1; // expected-warning {{Potential out of bound access }} |
| } |
| |
| void testConfigurationSources2(void) { |
| int x; |
| mySource2(&x); |
| Buffer[x] = 1; // expected-warning {{Potential out of bound access }} |
| } |
| |
| void testConfigurationSources3(void) { |
| int x, y; |
| myScanf("%d %d", &x, &y); |
| Buffer[y] = 1; // expected-warning {{Potential out of bound access }} |
| } |
| |
| void testConfigurationPropagation(void) { |
| int x = mySource1(); |
| int y; |
| myPropagator(x, &y); |
| Buffer[y] = 1; // expected-warning {{Potential out of bound access }} |
| } |
| |
| void testConfigurationFilter(void) { |
| int x = mySource1(); |
| if (isOutOfRange(&x)) // the filter function |
| return; |
| Buffer[x] = 1; // no-warning |
| } |
| |
| void testConfigurationFilterNonConst(void) { |
| char buffer[1000]; |
| myScanf("%s", buffer); // makes buffer tainted |
| system(buffer); // expected-warning {{Untrusted data is passed to a system call}} |
| } |
| |
| void testConfigurationFilterNonConst2(void) { |
| char buffer[1000]; |
| myScanf("%s", buffer); // makes buffer tainted |
| sanitizeCmd(buffer); // removes taintedness |
| system(buffer); // no-warning |
| } |
| |
| void testConfigurationSinks(void) { |
| int x = mySource1(); |
| mySink(x, 1, 2); |
| // expected-warning@-1 {{Untrusted data is passed to a user-defined sink}} |
| mySink(1, x, 2); // no-warning |
| mySink(1, 2, x); |
| // expected-warning@-1 {{Untrusted data is passed to a user-defined sink}} |
| } |
| |
| int test_exec_like_functions() { |
| char buf[100] = {0}; |
| scanf("%99s", buf); |
| clang_analyzer_isTainted_char(buf[0]); // expected-warning {{YES}} |
| |
| char *cleanArray[] = {"ENV1=V1", "ENV2=V2", NULL}; |
| char *taintedArray[] = {buf, "ENV2=V2", NULL}; |
| clang_analyzer_isTainted_char(taintedArray[0][0]); // expected-warning {{YES}} |
| clang_analyzer_isTainted_char(*(char*)taintedArray[0]); // expected-warning {{YES}} |
| clang_analyzer_isTainted_char(*(char*)taintedArray); // expected-warning {{NO}} We should have YES here. |
| // FIXME: Above the triple pointer indirection will confuse the checker, |
| // as we only check two levels. The results would be worse, if the tainted |
| // subobject ("buf") would not be at the beginning of the enclosing object, |
| // for the same reason. |
| |
| switch (coin()) { |
| default: break; |
| // Execute `path` with all arguments after `path` until a NULL pointer |
| // and environment from `environ'. |
| case 0: return execl("path", "arg0", "arg1", "arg2", NULL); // no-warning |
| case 1: return execl(buf, "arg0", "arg1", "arg2", NULL); // expected-warning {{Untrusted data is passed to a system call}} |
| case 2: return execl("path", buf, "arg1", "arg2", NULL); // expected-warning {{Untrusted data is passed to a system call}} |
| case 3: return execl("path", "arg0", buf, "arg2", NULL); // expected-warning {{Untrusted data is passed to a system call}} |
| case 4: return execl("path", "arg0", "arg1", buf, NULL); // expected-warning {{Untrusted data is passed to a system call}} |
| } |
| |
| switch (coin()) { |
| default: break; |
| // Execute `path` with all arguments after `PATH` until a NULL pointer, |
| // and the argument after that for environment. |
| case 0: return execle("path", "arg0", "arg1", NULL, cleanArray); // no-warning |
| case 1: return execle( buf, "arg0", "arg1", NULL, cleanArray); // expected-warning {{Untrusted data is passed to a system call}} |
| case 2: return execle("path", buf, "arg1", NULL, cleanArray); // expected-warning {{Untrusted data is passed to a system call}} |
| case 3: return execle("path", "arg0", buf, NULL, cleanArray); // expected-warning {{Untrusted data is passed to a system call}} |
| case 4: return execle("path", "arg0", "arg1", NULL, buf); // expected-warning {{Untrusted data is passed to a system call}} |
| case 5: return execle("path", "arg0", "arg1", NULL, taintedArray); // FIXME: We might wanna have a report here. |
| } |
| |
| switch (coin()) { |
| default: break; |
| // Execute `file`, searching in the `PATH' environment variable if it |
| // contains no slashes, with all arguments after `file` until a NULL |
| // pointer and environment from `environ'. |
| case 0: return execlp("file", "arg0", "arg1", "arg2", NULL); // no-warning |
| case 1: return execlp( buf, "arg0", "arg1", "arg2", NULL); // expected-warning {{Untrusted data is passed to a system call}} |
| case 2: return execlp("file", buf, "arg1", "arg2", NULL); // expected-warning {{Untrusted data is passed to a system call}} |
| case 3: return execlp("file", "arg0", buf, "arg2", NULL); // expected-warning {{Untrusted data is passed to a system call}} |
| case 4: return execlp("file", "arg0", "arg1", buf, NULL); // expected-warning {{Untrusted data is passed to a system call}} |
| } |
| |
| switch (coin()) { |
| default: break; |
| // Execute `path` with arguments `ARGV` and environment from `environ'. |
| case 0: return execv("path", /*argv=*/ cleanArray); // no-warning |
| case 1: return execv( buf, /*argv=*/ cleanArray); // expected-warning {{Untrusted data is passed to a system call}} |
| case 2: return execv("path", /*argv=*/taintedArray); // FIXME: We might wanna have a report here. |
| } |
| |
| switch (coin()) { |
| default: break; |
| // Replace the current process, executing `path` with arguments `ARGV` |
| // and environment `ENVP`. `ARGV` and `ENVP` are terminated by NULL pointers. |
| case 0: return execve("path", /*argv=*/ cleanArray, /*envp=*/cleanArray); // no-warning |
| case 1: return execve( buf, /*argv=*/ cleanArray, /*envp=*/cleanArray); // expected-warning {{Untrusted data is passed to a system call}} |
| case 2: return execve("path", /*argv=*/taintedArray, /*envp=*/cleanArray); // FIXME: We might wanna have a report here. |
| case 3: return execve("path", /*argv=*/cleanArray, /*envp=*/taintedArray); // FIXME: We might wanna have a report here. |
| } |
| |
| switch (coin()) { |
| default: break; |
| // Execute `file`, searching in the `PATH' environment variable if it |
| // contains no slashes, with arguments `ARGV` and environment from `environ'. |
| case 0: return execvp("file", /*argv=*/ cleanArray); // no-warning |
| case 1: return execvp( buf, /*argv=*/ cleanArray); // expected-warning {{Untrusted data is passed to a system call}} |
| case 2: return execvp("file", /*argv=*/taintedArray); // FIXME: We might wanna have a report here. |
| } |
| |
| // execvpe |
| switch (coin()) { |
| default: break; |
| // Execute `file`, searching in the `PATH' environment variable if it |
| // contains no slashes, with arguments `ARGV` and environment `ENVP`. |
| // `ARGV` and `ENVP` are terminated by NULL pointers. |
| case 0: return execvpe("file", /*argv=*/ cleanArray, /*envp=*/ cleanArray); // no-warning |
| case 1: return execvpe( buf, /*argv=*/ cleanArray, /*envp=*/ cleanArray); // expected-warning {{Untrusted data is passed to a system call}} |
| case 2: return execvpe("file", /*argv=*/taintedArray, /*envp=*/ cleanArray); // FIXME: We might wanna have a report here. |
| case 3: return execvpe("file", /*argv=*/ cleanArray, /*envp=*/taintedArray); // FIXME: We might wanna have a report here. |
| } |
| |
| int cleanFD = coin(); |
| int taintedFD; |
| scanf("%d", &taintedFD); |
| clang_analyzer_isTainted_int(taintedFD); // expected-warning {{YES}} |
| |
| switch (coin()) { |
| default: break; |
| // Execute the file `FD` refers to, overlaying the running program image. |
| // `ARGV` and `ENVP` are passed to the new program, as for `execve'. |
| case 0: return fexecve( cleanFD, /*argv=*/ cleanArray, /*envp=*/ cleanArray); // no-warning |
| case 1: return fexecve(taintedFD, /*argv=*/ cleanArray, /*envp=*/ cleanArray); // expected-warning {{Untrusted data is passed to a system call}} |
| case 2: return fexecve( cleanFD, /*argv=*/taintedArray, /*envp=*/ cleanArray); // FIXME: We might wanna have a report here. |
| case 3: return fexecve( cleanFD, /*argv=*/ cleanArray, /*envp=*/taintedArray); // FIXME: We might wanna have a report here. |
| } |
| |
| switch (coin()) { |
| default: break; |
| // Create a new stream connected to a pipe running the given `command`. |
| case 0: return pclose(popen("command", /*mode=*/"r")); // no-warning |
| case 1: return pclose(popen( buf, /*mode=*/"r")); // expected-warning {{Untrusted data is passed to a system call}} |
| case 2: return pclose(popen("command", /*mode=*/buf)); // 'mode' is not a taint sink. |
| } |
| |
| switch (coin()) { |
| default: break; |
| // Execute the given line as a shell command. |
| case 0: return system("command"); // no-warning |
| case 1: return system( buf); // expected-warning {{Untrusted data is passed to a system call}} |
| } |
| |
| return 0; |
| } |
| |
| void testUnknownFunction(void (*foo)(void)) { |
| foo(); // no-crash |
| } |
| |
| void testProctitleFalseNegative(void) { |
| char flag[80]; |
| fscanf(stdin, "%79s", flag); |
| char *argv[] = {"myapp", flag}; |
| // FIXME: We should have a warning below: Untrusted data passed to sink. |
| setproctitle_init(1, argv, 0); |
| } |
| |
| void testProctitle2(char *real_argv[]) { |
| char *app = getenv("APP_NAME"); |
| if (!app) |
| return; |
| char *argv[] = {app, "--foobar"}; |
| setproctitle_init(1, argv, 0); // expected-warning {{Untrusted data is passed to a user-defined sink}} |
| setproctitle_init(1, real_argv, argv); // expected-warning {{Untrusted data is passed to a user-defined sink}} |
| } |
| |
| void testAcceptPropagates() { |
| int listenSocket = socket(2, 1, 6); |
| clang_analyzer_isTainted_int(listenSocket); // expected-warning {{YES}} |
| int acceptSocket = accept(listenSocket, 0, 0); |
| clang_analyzer_isTainted_int(acceptSocket); // expected-warning {{YES}} |
| } |