search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Run DCE after a LoopFlatten test to reduce spurious output [nfc]
[llvm-project.git] / clang / test / Analysis / taint-diagnostic-visitor.c
blob8a7510177f3e444a661519b806eb8abbfd5c3a4b
1 // RUN: %clang_cc1 -analyze -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2 -analyzer-output=text -verify %s
2
3 // This file is for testing enhanced diagnostics produced by the GenericTaintChecker
4
5 typedef __typeof(sizeof(int)) size_t;
6 struct _IO_FILE;
7 typedef struct _IO_FILE FILE;
8
9 int scanf(const char *restrict format, ...);
10 int system(const char *command);
11 char* getenv( const char* env_var );
12 size_t strlen( const char* str );
13 int atoi( const char* str );
14 void *malloc(size_t size );
15 void free( void *ptr );
16 char *fgets(char *str, int n, FILE *stream);
17 extern FILE *stdin;
18
19 void taintDiagnostic(void)
20 {
21 char buf[128];
22 scanf("%s", buf); // expected-note {{Taint originated here}}
23 // expected-note@-1 {{Taint propagated to the 2nd argument}}
24 system(buf); // expected-warning {{Untrusted data is passed to a system call}} // expected-note {{Untrusted data is passed to a system call (CERT/STR02-C. Sanitize data passed to complex subsystems)}}
25 }
26
27 int taintDiagnosticOutOfBound(void) {
28 int index;
29 int Array[] = {1, 2, 3, 4, 5};
30 scanf("%d", &index); // expected-note {{Taint originated here}}
31 // expected-note@-1 {{Taint propagated to the 2nd argument}}
32 return Array[index]; // expected-warning {{Out of bound memory access (index is tainted)}}
33 // expected-note@-1 {{Out of bound memory access (index is tainted)}}
34 }
35
36 int taintDiagnosticDivZero(int operand) {
37 scanf("%d", &operand); // expected-note {{Value assigned to 'operand'}}
38 // expected-note@-1 {{Taint originated here}}
39 // expected-note@-2 {{Taint propagated to the 2nd argument}}
40 return 10 / operand; // expected-warning {{Division by a tainted value, possibly zero}}
41 // expected-note@-1 {{Division by a tainted value, possibly zero}}
42 }
43
44 void taintDiagnosticVLA(void) {
45 int x;
46 scanf("%d", &x); // expected-note {{Value assigned to 'x'}}
47 // expected-note@-1 {{Taint originated here}}
48 // expected-note@-2 {{Taint propagated to the 2nd argument}}
49 int vla[x]; // expected-warning {{Declared variable-length array (VLA) has tainted size}}
50 // expected-note@-1 {{Declared variable-length array (VLA) has tainted size}}
51 }
52
53
54 // Tests if the originated note is correctly placed even if the path is
55 // propagating through variables and expressions
56 char *taintDiagnosticPropagation(){
57 char *pathbuf;
58 char *size=getenv("SIZE"); // expected-note {{Taint originated here}}
59 // expected-note@-1 {{Taint propagated to the return value}}
60 if (size){ // expected-note {{Assuming 'size' is non-null}}
61 // expected-note@-1 {{Taking true branch}}
62 pathbuf=(char*) malloc(atoi(size)); // expected-warning{{Untrusted data is used to specify the buffer size}}
63 // expected-note@-1{{Untrusted data is used to specify the buffer size}}
64 // expected-note@-2 {{Taint propagated to the return value}}
65 return pathbuf;
66 }
67 return 0;
68 }
69
70 // Taint origin should be marked correctly even if there are multiple taint
71 // sources in the function
72 char *taintDiagnosticPropagation2(){
73 char *pathbuf;
74 char *user_env2=getenv("USER_ENV_VAR2");//unrelated taint source
75 char *size=getenv("SIZE"); // expected-note {{Taint originated here}}
76 // expected-note@-1 {{Taint propagated to the return value}}
77 char *user_env=getenv("USER_ENV_VAR");//unrelated taint source
78 if (size){ // expected-note {{Assuming 'size' is non-null}}
79 // expected-note@-1 {{Taking true branch}}
80 pathbuf=(char*) malloc(atoi(size)+1); // expected-warning{{Untrusted data is used to specify the buffer size}}
81 // expected-note@-1{{Untrusted data is used to specify the buffer size}}
82 // expected-note@-2 {{Taint propagated to the return value}}
83 return pathbuf;
84 }
85 return 0;
86 }
87
88 void testReadStdIn(){
89 char buf[1024];
90 fgets(buf, sizeof(buf), stdin);// expected-note {{Taint originated here}}
91 // expected-note@-1 {{Taint propagated to the 1st argument}}
92 system(buf);// expected-warning {{Untrusted data is passed to a system call}}
93 // expected-note@-1 {{Untrusted data is passed to a system call (CERT/STR02-C. Sanitize data passed to complex subsystems)}}
94
95 }
96
97 void multipleTaintSources(void) {
98 int x,y,z;
99 scanf("%d", &x); // expected-note {{Taint originated here}}
100 // expected-note@-1 {{Taint propagated to the 2nd argument}}
101 scanf("%d", &y); // expected-note {{Taint originated here}}
102 // expected-note@-1 {{Taint propagated to the 2nd argument}}
103 scanf("%d", &z);
104 int* ptr = (int*) malloc(y + x); // expected-warning {{Untrusted data is used to specify the buffer size}}
105 // expected-note@-1{{Untrusted data is used to specify the buffer size}}
106 free (ptr);
107 }
108
109 void multipleTaintedArgs(void) {
110 int x,y;
111 scanf("%d %d", &x, &y); // expected-note {{Taint originated here}}
112 // expected-note@-1 {{Taint propagated to the 2nd argument, 3rd argument}}
113 int* ptr = (int*) malloc(x + y); // expected-warning {{Untrusted data is used to specify the buffer size}}
114 // expected-note@-1{{Untrusted data is used to specify the buffer size}}
115 free (ptr);
116 }
LLVM monorepo