test.cpp
// Test for the general-purpose taint-tracking
// mechanism that is used by several of the security queries.
///// Library functions //////
// Hand-written declarations stand in for the C library headers: the file
// includes nothing, so these prototypes are all the test sees of the library.
typedef unsigned long size_t;
int strcmp(const char *s1, const char *s2);
// getenv() supplies the input for every test below except test_gets().
char *getenv(const char *name);
size_t strlen(const char *s);
// strcpy() takes no destination size; the callers below pass fixed-size buffers.
char *strcpy(char *s1, const char *s2);
void *malloc(size_t size);
int atoi(const char *nptr);
//// Test code /////
// Privilege flag shared by the tests: test1, test2, test3, mallocBuffer and
// newBuffer write it after comparing an environment-derived string.
bool isAdmin = false;
// Reads USERINFO from the environment and compares it with two string
// literals; isAdmin is set on "admin" and cleared on "none".
// NOTE(review): the privilege decision rests solely on a value supplied by
// the process environment. getenv() returns a null pointer when the variable
// is unset and strcmp() receives it unchecked; presumably left that way on
// purpose, since this file is input for the taint-tracking test.
void test1()
{
const char *envStr = getenv("USERINFO");
if (!strcmp(envStr, "admin")) {
isAdmin = true;
}
if (!strcmp(envStr, "none")) {
isAdmin = false;
}
}
// Declared here, defined elsewhere: its value is not visible in this file.
extern const char *specialUser;
// Same shape as test1(), but the environment value is compared with the
// external string specialUser instead of a literal.
// NOTE(review): envStr is passed to strcmp() without a null check.
void test2()
{
const char *envStr = getenv("USERINFO");
if (!strcmp(envStr, specialUser)) {
isAdmin = true;
}
}
// Global that test3() fills through a pointer rather than by name.
const char *envStrGlobal;
// Routes the environment value through memory: it is stored into
// envStrGlobal via envStr_ptr and then read back from the global for the
// comparison that sets isAdmin.
// NOTE(review): the value is not checked for null before strcmp().
void test3()
{
const char *envStr = getenv("USERINFO");
const char **envStr_ptr = &envStrGlobal;
// Indirect store: after this line envStrGlobal holds the getenv() result.
*envStr_ptr = envStr;
if (!strcmp(envStrGlobal, "admin")) {
isAdmin = true;
}
}
// Derives an integer from the length of an environment string with a binary
// '+' and stores it in a local that is not used afterwards.
// NOTE(review): strlen() is called on the getenv() result without a null
// check, and its size_t result is narrowed to int.
void bugWithBinop() {
const char *userName = getenv("USER_NAME");
// The following is tainted, but should not cause
// the whole program to be considered tainted.
int bytes = strlen(userName) + 1;
}
// Copies USER_NAME into a 1024-byte stack array and returns that array.
// NOTE(review): strcpy() is unbounded, so a value of 1024 characters or more
// writes past `copy`; userName is not checked for null; and the returned
// pointer refers to a local whose lifetime ends at the return, so callers
// receive a dangling pointer. Presumably intentional for the analyzer test;
// do not reuse this shape in production code.
char* copying() {
const char *userName = getenv("USER_NAME");
char copy[1024];
strcpy(copy, userName);
return copy; // copy should be tainted
}
// Parses FOOBAZ_BRANCHING as an int, rejects values above 1000, and uses the
// value as an element count for malloc().
// NOTE(review): the guard has an upper bound only. A negative `len` passes it
// and is converted to size_t in the multiplication, giving a very large
// request. atoi() reports no parse errors and receives the getenv() result
// without a null check. `node` is neither checked nor freed.
void guard() {
int len = atoi(getenv("FOOBAZ_BRANCHING"));
if (len > 1000) return;
char **node = (char **) malloc(len * sizeof(char *));
}
// Receives the `alias` pointer from mallocBuffer().
const char *alias_global;
// Copies USER_NAME into a malloc'd 4096-byte buffer and sets isAdmin when the
// copy equals "admin". A second buffer, `alias`, is allocated only to be
// published through alias_global.
// NOTE(review): neither malloc() result is checked or freed, strcpy() is
// unbounded against the 4096-byte destination, and userName may be null.
void mallocBuffer() {
const char *userName = getenv("USER_NAME");
char *alias = (char*)malloc(4096);
char *copy = (char*)malloc(4096);
strcpy(copy, userName);
alias_global = alias; // to force a Chi node on all aliased memory
if (!strcmp(copy, "admin")) { // copy should be tainted
isAdmin = true;
}
}
// Local declaration of gets(); it takes a destination pointer and no size.
char *gets(char *s);
// Reads a line into a 1024-byte stack buffer with gets() and keeps the
// return value in `pointer`, which is not used afterwards.
// NOTE(review): gets() cannot be told the buffer size, so any input line of
// 1024 bytes or more overruns `buffer`. Bounded readers such as fgets() exist
// for this reason; the call is presumably kept here as analyzer test input.
void test_gets()
{
char buffer[1024];
char *pointer;
pointer = gets(buffer);
}
// Receives the `alias` pointer from newBuffer().
const char *alias_global_new;
// Variant of mallocBuffer() that allocates both 4096-byte buffers with
// new[] instead of malloc(): USER_NAME is copied into `copy`, `alias` is
// published through alias_global_new, and isAdmin is set when the copy
// equals "admin".
// NOTE(review): strcpy() is unbounded against the 4096-byte destination,
// userName may be null, and neither array is released with delete[].
void newBuffer() {
const char *userName = getenv("USER_NAME");
char *alias = new char[4096];
char *copy = new char[4096];
strcpy(copy, userName);
alias_global_new = alias; // to force a Chi node on all aliased memory
if (!strcmp(copy, "admin")) { // copy should be tainted
isAdmin = true;
}
}