1 // RUN: %clang_cc1 -analyze -analyzer-checker=optin.taint,core,alpha.security.ArrayBoundV2 -analyzer-output=text -verify %s 2 3 // This file is for testing enhanced diagnostics produced by the GenericTaintChecker 4 5 typedef __typeof(sizeof(int)) size_t; 6 struct _IO_FILE; 7 typedef struct _IO_FILE FILE; 8 9 int scanf(const char *restrict format, ...); 10 int system(const char *command); 11 char* getenv( const char* env_var ); 12 size_t strlen( const char* str ); 13 char *strcat( char *dest, const char *src ); 14 char* strcpy( char* dest, const char* src ); 15 void *malloc(size_t size ); 16 void free( void *ptr ); 17 char *fgets(char *str, int n, FILE *stream); 18 extern FILE *stdin; 19 20 void taintDiagnostic(void) 21 { 22 char buf[128]; 23 scanf("%s", buf); // expected-note {{Taint originated here}} 24 // expected-note@-1 {{Taint propagated to the 2nd argument}} 25 system(buf); // expected-warning {{Untrusted data is passed to a system call}} // expected-note {{Untrusted data is passed to a system call (CERT/STR02-C. Sanitize data passed to complex subsystems)}} 26 } 27 28 int taintDiagnosticOutOfBound(void) { 29 int index; 30 int Array[] = {1, 2, 3, 4, 5}; 31 scanf("%d", &index); // expected-note {{Taint originated here}} 32 // expected-note@-1 {{Taint propagated to the 2nd argument}} 33 return Array[index]; // expected-warning {{Potential out of bound access to 'Array' with tainted index}} 34 // expected-note@-1 {{Access of 'Array' with a tainted index}} 35 } 36 37 int taintDiagnosticDivZero(int operand) { 38 scanf("%d", &operand); // expected-note {{Value assigned to 'operand'}} 39 // expected-note@-1 {{Taint originated here}} 40 // expected-note@-2 {{Taint propagated to the 2nd argument}} 41 return 10 / operand; // expected-warning {{Division by a tainted value, possibly zero}} 42 // expected-note@-1 {{Division by a tainted value, possibly zero}} 43 } 44 45 void taintDiagnosticVLA(void) { 46 int x; 47 scanf("%d", &x); // expected-note {{Value assigned to 'x'}} 48 // expected-note@-1 {{Taint originated here}} 49 // expected-note@-2 {{Taint propagated to the 2nd argument}} 50 int vla[x]; // expected-warning {{Declared variable-length array (VLA) has tainted}} 51 // expected-note@-1 {{Declared variable-length array (VLA) has tainted}} 52 } 53 54 55 // Tests if the originated note is correctly placed even if the path is 56 // propagating through variables and expressions 57 int taintDiagnosticPropagation(){ 58 int res; 59 char *cmd=getenv("CMD"); // expected-note {{Taint originated here}} 60 // expected-note@-1 {{Taint propagated to the return value}} 61 if (cmd){ // expected-note {{Assuming 'cmd' is non-null}} 62 // expected-note@-1 {{Taking true branch}} 63 res = system(cmd); // expected-warning{{Untrusted data is passed to a system call}} 64 // expected-note@-1{{Untrusted data is passed to a system call}} 65 return res; 66 } 67 return -1; 68 } 69 70 // Taint origin should be marked correctly even if there are multiple taint 71 // sources in the function 72 int taintDiagnosticPropagation2(){ 73 int res; 74 char *user_env2=getenv("USER_ENV_VAR2");//unrelated taint source 75 char *cmd=getenv("CMD"); // expected-note {{Taint originated here}} 76 // expected-note@-1 {{Taint propagated to the return value}} 77 char *user_env=getenv("USER_ENV_VAR");//unrelated taint source 78 if (cmd){ // expected-note {{Assuming 'cmd' is non-null}} 79 // expected-note@-1 {{Taking true branch}} 80 res = system(cmd); // expected-warning{{Untrusted data is passed to a system call}} 81 // expected-note@-1{{Untrusted data is passed to a system call}} 82 return res; 83 } 84 return 0; 85 } 86 87 void testReadStdIn(){ 88 char buf[1024]; 89 fgets(buf, sizeof(buf), stdin);// expected-note {{Taint originated here}} 90 // expected-note@-1 {{Taint propagated to the 1st argument}} 91 system(buf);// expected-warning {{Untrusted data is passed to a system call}} 92 // expected-note@-1 {{Untrusted data is passed to a system call (CERT/STR02-C. Sanitize data passed to complex subsystems)}} 93 94 } 95 96 void multipleTaintSources(void) { 97 char cmd[2048], file[1024]; 98 scanf ("%1022[^\n] ", cmd); // expected-note {{Taint originated here}} 99 // expected-note@-1 {{Taint propagated to the 2nd argument}} 100 scanf ("%1023[^\n]", file); // expected-note {{Taint originated here}} 101 // expected-note@-1 {{Taint propagated to the 2nd argument}} 102 strcat(cmd, file); // expected-note {{Taint propagated to the 1st argument}} 103 strcat(cmd, " "); // expected-note {{Taint propagated to the 1st argument}} 104 system(cmd); // expected-warning {{Untrusted data is passed to a system call}} 105 // expected-note@-1{{Untrusted data is passed to a system call}} 106 } 107 108 void multipleTaintedArgs(void) { 109 char cmd[1024], file[1024], buf[2048]; 110 scanf("%1022s %1023s", cmd, file); // expected-note {{Taint originated here}} 111 // expected-note@-1 {{Taint propagated to the 2nd argument, 3rd argument}} 112 strcpy(buf, cmd);// expected-note {{Taint propagated to the 1st argument}} 113 strcat(buf, " ");// expected-note {{Taint propagated to the 1st argument}} 114 strcat(buf, file);// expected-note {{Taint propagated to the 1st argument}} 115 system(buf); // expected-warning {{Untrusted data is passed to a system call}} 116 // expected-note@-1{{Untrusted data is passed to a system call}} 117 } 118 119 void testTaintedMalloc(){ 120 size_t size = 0; 121 scanf("%zu", &size); // expected-note {{Taint originated here}} 122 // expected-note@-1 {{Taint propagated to the 2nd argument}} 123 int *p = malloc(size);// expected-warning{{malloc is called with a tainted (potentially attacker controlled) value}} 124 // expected-note@-1{{malloc is called with a tainted (potentially attacker controlled) value}} 125 free(p); 126 } 127