1 //=== Taint.h - Taint tracking and basic propagation rules. --------*- C++ -*-// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // Defines basic, non-domain-specific mechanisms for tracking tainted values. 10 // 11 //===----------------------------------------------------------------------===// 12 13 #ifndef LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_TAINT_H 14 #define LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_TAINT_H 15 16 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h" 17 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 18 19 namespace clang { 20 namespace ento { 21 namespace taint { 22 23 /// The type of taint, which helps to differentiate between different types of 24 /// taint. 25 using TaintTagType = unsigned; 26 27 static constexpr TaintTagType TaintTagGeneric = 0; 28 29 /// Create a new state in which the value of the statement is marked as tainted. 30 LLVM_NODISCARD ProgramStateRef 31 addTaint(ProgramStateRef State, const Stmt *S, const LocationContext *LCtx, 32 TaintTagType Kind = TaintTagGeneric); 33 34 /// Create a new state in which the value is marked as tainted. 35 LLVM_NODISCARD ProgramStateRef 36 addTaint(ProgramStateRef State, SVal V, 37 TaintTagType Kind = TaintTagGeneric); 38 39 /// Create a new state in which the symbol is marked as tainted. 40 LLVM_NODISCARD ProgramStateRef 41 addTaint(ProgramStateRef State, SymbolRef Sym, 42 TaintTagType Kind = TaintTagGeneric); 43 44 /// Create a new state in which the pointer represented by the region 45 /// is marked as tainted. 46 LLVM_NODISCARD ProgramStateRef 47 addTaint(ProgramStateRef State, const MemRegion *R, 48 TaintTagType Kind = TaintTagGeneric); 49 50 /// Create a new state in a which a sub-region of a given symbol is tainted. 51 /// This might be necessary when referring to regions that can not have an 52 /// individual symbol, e.g. if they are represented by the default binding of 53 /// a LazyCompoundVal. 54 LLVM_NODISCARD ProgramStateRef 55 addPartialTaint(ProgramStateRef State, 56 SymbolRef ParentSym, const SubRegion *SubRegion, 57 TaintTagType Kind = TaintTagGeneric); 58 59 /// Check if the statement has a tainted value in the given state. 60 bool isTainted(ProgramStateRef State, const Stmt *S, 61 const LocationContext *LCtx, 62 TaintTagType Kind = TaintTagGeneric); 63 64 /// Check if the value is tainted in the given state. 65 bool isTainted(ProgramStateRef State, SVal V, 66 TaintTagType Kind = TaintTagGeneric); 67 68 /// Check if the symbol is tainted in the given state. 69 bool isTainted(ProgramStateRef State, SymbolRef Sym, 70 TaintTagType Kind = TaintTagGeneric); 71 72 /// Check if the pointer represented by the region is tainted in the given 73 /// state. 74 bool isTainted(ProgramStateRef State, const MemRegion *Reg, 75 TaintTagType Kind = TaintTagGeneric); 76 77 void printTaint(ProgramStateRef State, raw_ostream &Out, const char *nl = "\n", 78 const char *sep = ""); 79 80 LLVM_DUMP_METHOD void dumpTaint(ProgramStateRef State); 81 82 /// The bug visitor prints a diagnostic message at the location where a given 83 /// variable was tainted. 84 class TaintBugVisitor final : public BugReporterVisitor { 85 private: 86 const SVal V; 87 88 public: 89 TaintBugVisitor(const SVal V) : V(V) {} 90 void Profile(llvm::FoldingSetNodeID &ID) const override { ID.Add(V); } 91 92 PathDiagnosticPieceRef VisitNode(const ExplodedNode *N, 93 BugReporterContext &BRC, 94 PathSensitiveBugReport &BR) override; 95 }; 96 97 } // namespace taint 98 } // namespace ento 99 } // namespace clang 100 101 #endif 102 103