search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[RISCV] Add shrinkwrap test cases showing gaps in current impl
[llvm-project.git] / clang / test / Analysis / taint-diagnostic-visitor.c
blob223df9951fd6b9e3322f9eeb03f0fcd290f90f39
1 // RUN: %clang_cc1 -analyze -analyzer-checker=optin.taint,core,alpha.security.ArrayBoundV2 -analyzer-output=text -verify %s
2
3 // This file is for testing enhanced diagnostics produced by the GenericTaintChecker
4
5 typedef __typeof(sizeof(int)) size_t;
6 struct _IO_FILE;
7 typedef struct _IO_FILE FILE;
8
9 int scanf(const char *restrict format, ...);
10 int system(const char *command);
11 char* getenv( const char* env_var );
12 size_t strlen( const char* str );
13 char *strcat( char *dest, const char *src );
14 char* strcpy( char* dest, const char* src );
15 void *malloc(size_t size );
16 void free( void *ptr );
17 char *fgets(char *str, int n, FILE *stream);
18 extern FILE *stdin;
19
20 void taintDiagnostic(void)
21 {
22 char buf[128];
23 scanf("%s", buf); // expected-note {{Taint originated here}}
24 // expected-note@-1 {{Taint propagated to the 2nd argument}}
25 system(buf); // expected-warning {{Untrusted data is passed to a system call}} // expected-note {{Untrusted data is passed to a system call (CERT/STR02-C. Sanitize data passed to complex subsystems)}}
26 }
27
28 int taintDiagnosticOutOfBound(void) {
29 int index;
30 int Array[] = {1, 2, 3, 4, 5};
31 scanf("%d", &index); // expected-note {{Taint originated here}}
32 // expected-note@-1 {{Taint propagated to the 2nd argument}}
33 return Array[index]; // expected-warning {{Potential out of bound access to 'Array' with tainted index}}
34 // expected-note@-1 {{Access of 'Array' with a tainted index}}
35 }
36
37 int taintDiagnosticDivZero(int operand) {
38 scanf("%d", &operand); // expected-note {{Value assigned to 'operand'}}
39 // expected-note@-1 {{Taint originated here}}
40 // expected-note@-2 {{Taint propagated to the 2nd argument}}
41 return 10 / operand; // expected-warning {{Division by a tainted value, possibly zero}}
42 // expected-note@-1 {{Division by a tainted value, possibly zero}}
43 }
44
45 void taintDiagnosticVLA(void) {
46 int x;
47 scanf("%d", &x); // expected-note {{Value assigned to 'x'}}
48 // expected-note@-1 {{Taint originated here}}
49 // expected-note@-2 {{Taint propagated to the 2nd argument}}
50 int vla[x]; // expected-warning {{Declared variable-length array (VLA) has tainted}}
51 // expected-note@-1 {{Declared variable-length array (VLA) has tainted}}
52 }
53
54
55 // Tests if the originated note is correctly placed even if the path is
56 // propagating through variables and expressions
57 int taintDiagnosticPropagation(){
58 int res;
59 char *cmd=getenv("CMD"); // expected-note {{Taint originated here}}
60 // expected-note@-1 {{Taint propagated to the return value}}
61 if (cmd){ // expected-note {{Assuming 'cmd' is non-null}}
62 // expected-note@-1 {{Taking true branch}}
63 res = system(cmd); // expected-warning{{Untrusted data is passed to a system call}}
64 // expected-note@-1{{Untrusted data is passed to a system call}}
65 return res;
66 }
67 return -1;
68 }
69
70 // Taint origin should be marked correctly even if there are multiple taint
71 // sources in the function
72 int taintDiagnosticPropagation2(){
73 int res;
74 char *user_env2=getenv("USER_ENV_VAR2");//unrelated taint source
75 char *cmd=getenv("CMD"); // expected-note {{Taint originated here}}
76 // expected-note@-1 {{Taint propagated to the return value}}
77 char *user_env=getenv("USER_ENV_VAR");//unrelated taint source
78 if (cmd){ // expected-note {{Assuming 'cmd' is non-null}}
79 // expected-note@-1 {{Taking true branch}}
80 res = system(cmd); // expected-warning{{Untrusted data is passed to a system call}}
81 // expected-note@-1{{Untrusted data is passed to a system call}}
82 return res;
83 }
84 return 0;
85 }
86
87 void testReadStdIn(){
88 char buf[1024];
89 fgets(buf, sizeof(buf), stdin);// expected-note {{Taint originated here}}
90 // expected-note@-1 {{Taint propagated to the 1st argument}}
91 system(buf);// expected-warning {{Untrusted data is passed to a system call}}
92 // expected-note@-1 {{Untrusted data is passed to a system call (CERT/STR02-C. Sanitize data passed to complex subsystems)}}
93
94 }
95
96 void multipleTaintSources(void) {
97 char cmd[2048], file[1024];
98 scanf ("%1022[^\n] ", cmd); // expected-note {{Taint originated here}}
99 // expected-note@-1 {{Taint propagated to the 2nd argument}}
100 scanf ("%1023[^\n]", file); // expected-note {{Taint originated here}}
101 // expected-note@-1 {{Taint propagated to the 2nd argument}}
102 strcat(cmd, file); // expected-note {{Taint propagated to the 1st argument}}
103 strcat(cmd, " "); // expected-note {{Taint propagated to the 1st argument}}
104 system(cmd); // expected-warning {{Untrusted data is passed to a system call}}
105 // expected-note@-1{{Untrusted data is passed to a system call}}
106 }
107
108 void multipleTaintedArgs(void) {
109 char cmd[1024], file[1024], buf[2048];
110 scanf("%1022s %1023s", cmd, file); // expected-note {{Taint originated here}}
111 // expected-note@-1 {{Taint propagated to the 2nd argument, 3rd argument}}
112 strcpy(buf, cmd);// expected-note {{Taint propagated to the 1st argument}}
113 strcat(buf, " ");// expected-note {{Taint propagated to the 1st argument}}
114 strcat(buf, file);// expected-note {{Taint propagated to the 1st argument}}
115 system(buf); // expected-warning {{Untrusted data is passed to a system call}}
116 // expected-note@-1{{Untrusted data is passed to a system call}}
117 }
118
119 void testTaintedMalloc(){
120 size_t size = 0;
121 scanf("%zu", &size); // expected-note {{Taint originated here}}
122 // expected-note@-1 {{Taint propagated to the 2nd argument}}
123 int *p = malloc(size);// expected-warning{{malloc is called with a tainted (potentially attacker controlled) value}}
124 // expected-note@-1{{malloc is called with a tainted (potentially attacker controlled) value}}
125 free(p);
126 }
LLVM monorepo