C++: Test IR taint through library functions

Jonas Jensen
2020-01-20 13:46:14 +01:00
parent 80997a3323
commit fa00e96ba8
3 changed files with 54 additions and 0 deletions


@@ -0,0 +1,28 @@
int atoi(const char *nptr);
char *getenv(const char *name);
char *strcat(char * s1, const char * s2);
char *strdup(const char *);
char *_strdup(const char *);
char *unmodeled_function(const char *);
void sink(const char *);
void sink(int);
int main(int argc, char *argv[]) {
int taintedInt = atoi(getenv("VAR"));
taintedInt++; // BUG: `taintedInt` isn't marked as tainted. Only `++` is.
sink(_strdup(getenv("VAR"))); // BUG: no taint
sink(strdup(getenv("VAR")));
sink(unmodeled_function(getenv("VAR")));
char untainted_buf[100] = "";
char buf[100] = "VAR = ";
sink(strcat(buf, getenv("VAR"))); // BUG: no taint
sink(buf); // BUG: no taint
sink(untainted_buf); // the two buffers would be conflated if we added flow through partial chi inputs
return 0;
}
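Review bot: The `void sink(int)` overload is declared but never called in this file, so the `atoi` false negative is recorded only in the comment on `taintedInt++` and the integer never reaches a sink. Adding `sink(taintedInt);` directly after the increment would make that flow visible in the test itself, in the same way as the string cases. The `strdup` and `unmodeled_function` calls carry no annotation, unlike the `// BUG: no taint` lines. A short comment on each, for example `// tainted`, would tell the reader that flow is expected there; I am assuming it is, since the expected-output file is not visible here. That distinction matters because the `_strdup` and `strcat` gaps mean environment-derived strings can go unreported by any query built on this library, so it helps to keep intended results and known misses clearly separated.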