Lines Matching +full:prop +full:-
1 //== GenericTaintChecker.cpp ----------------------------------- -*- C++ -*--=//
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
7 //===----------------------------------------------------------------------===//
15 //===----------------------------------------------------------------------===//
39 #define DEBUG_TYPE "taint-checker"
51 /// Check for CWE-134: Uncontrolled Format String.
54 "(CWE-134: Uncontrolled Format String)";
57 /// CERT/STR02-C. "Sanitize data passed to complex subsystems"
58 /// CWE-78, "Failure to Sanitize Data into an OS Command"
61 "(CERT/STR02-C. Sanitize data passed to complex subsystems)";
65 "Untrusted data is passed to a user-defined sink";
71 constexpr ArgIdxTy ReturnValueIndex{-1}; // pseudo-index standing for the call's return value in the propagation rules' argument sets; real call arguments are numbered from 0
93 dyn_cast_or_null<DeclRegion>(SymReg->getSymbol()->getOriginRegion()); in isStdin()
99 if (const auto *D = dyn_cast_or_null<VarDecl>(DeclReg->getDecl())) { in isStdin()
100 D = D->getCanonicalDecl(); in isStdin()
101 if (D->getName() == "stdin" && D->hasExternalStorage() && D->isExternC()) { in isStdin()
103 const QualType Ty = D->getType().getCanonicalType(); in isStdin()
105 if (Ty->isPointerType()) in isStdin()
106 return Ty->getPointeeType() == FILETy; in isStdin()
113 const QualType ArgTy = LValue.getType(State->getStateManager().getContext()); in getPointeeOf()
114 if (!ArgTy->isPointerType() || !ArgTy->getPointeeType()->isVoidType()) in getPointeeOf()
115 return State->getSVal(LValue); in getPointeeOf()
119 return State->getSVal(LValue, State->getStateManager().getContext().CharTy); in getPointeeOf()
156 PathSensitiveBugReport &BR) -> std::string { in taintOriginTrackerTag()
186 PathSensitiveBugReport &BR) -> std::string { in taintPropagationExplainerTag()
291 static GenericTaintRule Prop(ArgSet &&SrcArgs, ArgSet &&DstArgs) { in Prop() function in __anoncee4e0c00111::GenericTaintRule
300 /// Handles the resolution of indexes of type ArgIdxTy to Expr*-s.
406 /// access user-provided configuration.
470 /// A set which is used to pass information from call pre-visit instruction
471 /// to the call post-visit. The values are signed integers, which are either
484 "an argument number for propagation rules greater or equal to -1"); in REGISTER_MAP_WITH_PROGRAMSTATE()
496 StringRef{C.Scope}.split(NameParts, "::", /*MaxSplit*/ -1, in parseNameParts()
543 P, GenericTaintRule::Prop(std::move(SrcDesc), std::move(DstDesc)), Rules); in parseConfig()
608 {{CDM::CLibrary, {"accept"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
609 {{CDM::CLibrary, {"atoi"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
610 {{CDM::CLibrary, {"atol"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
611 {{CDM::CLibrary, {"atoll"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
612 {{CDM::CLibrary, {"fgetc"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
613 {{CDM::CLibrary, {"fgetln"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
615 TR::Prop({{2}}, {{0, ReturnValueIndex}})}, in initTaintRules()
617 TR::Prop({{2}}, {{0, ReturnValueIndex}})}, in initTaintRules()
618 {{CDM::CLibrary, {"fscanf"}}, TR::Prop({{0}}, {{}, 2})}, in initTaintRules()
619 {{CDM::CLibrary, {"fscanf_s"}}, TR::Prop({{0}}, {{}, 2})}, in initTaintRules()
620 {{CDM::CLibrary, {"sscanf"}}, TR::Prop({{0}}, {{}, 2})}, in initTaintRules()
621 {{CDM::CLibrary, {"sscanf_s"}}, TR::Prop({{0}}, {{}, 2})}, in initTaintRules()
623 {{CDM::CLibrary, {"getc"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
625 TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
626 {{CDM::CLibrary, {"getdelim"}}, TR::Prop({{3}}, {{0}})}, in initTaintRules()
630 {{CDM::CLibrary, {"getline"}}, TR::Prop({{2}}, {{0}})}, in initTaintRules()
631 {{CDM::CLibrary, {"getw"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
633 TR::Prop({{0, 1, 2, 3}}, {{1, ReturnValueIndex}})}, in initTaintRules()
635 TR::Prop({{0, 2}}, {{1, ReturnValueIndex}})}, in initTaintRules()
637 TR::Prop({{3}}, {{0, ReturnValueIndex}})}, in initTaintRules()
639 TR::Prop({{0}}, {{1, ReturnValueIndex}})}, in initTaintRules()
641 TR::Prop({{0}}, {{1, ReturnValueIndex}})}, in initTaintRules()
643 {{CDM::CLibrary, {"ttyname"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
645 TR::Prop({{0}}, {{1, ReturnValueIndex}})}, in initTaintRules()
647 {{CDM::CLibrary, {"basename"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
648 {{CDM::CLibrary, {"dirname"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
649 {{CDM::CLibrary, {"fnmatch"}}, TR::Prop({{1}}, {{ReturnValueIndex}})}, in initTaintRules()
651 {{CDM::CLibrary, {"mbtowc"}}, TR::Prop({{1}}, {{0, ReturnValueIndex}})}, in initTaintRules()
652 {{CDM::CLibrary, {"wctomb"}}, TR::Prop({{1}}, {{0, ReturnValueIndex}})}, in initTaintRules()
653 {{CDM::CLibrary, {"wcwidth"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
656 TR::Prop({{0, 1, 2}}, {{ReturnValueIndex}})}, in initTaintRules()
658 TR::Prop({{1, 2}}, {{0, ReturnValueIndex}})}, in initTaintRules()
660 TR::Prop({{1, 2}}, {{0, ReturnValueIndex}})}, in initTaintRules()
661 {{CDM::CLibraryMaybeHardened, {"bcopy"}}, TR::Prop({{0, 2}}, {{1}})}, in initTaintRules()
667 {{CDM::CLibrary, {"memmem"}}, TR::Prop({{0, 1}}, {{ReturnValueIndex}})}, in initTaintRules()
668 {{CDM::CLibrary, {"strstr"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
669 {{CDM::CLibrary, {"strcasestr"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
674 TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
676 TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
677 {{CDM::CLibrary, {"rawmemchr"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
679 TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
681 TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
683 TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
684 {{CDM::CLibrary, {"index"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
685 {{CDM::CLibrary, {"rindex"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
689 {{CDM::CLibrary, {"qsort"}}, TR::Prop({{0}}, {{0}})}, in initTaintRules()
690 {{CDM::CLibrary, {"qsort_r"}}, TR::Prop({{0}}, {{0}})}, in initTaintRules()
692 {{CDM::CLibrary, {"strcmp"}}, TR::Prop({{0, 1}}, {{ReturnValueIndex}})}, in initTaintRules()
694 TR::Prop({{0, 1}}, {{ReturnValueIndex}})}, in initTaintRules()
696 TR::Prop({{0, 1, 2}}, {{ReturnValueIndex}})}, in initTaintRules()
698 TR::Prop({{0, 1, 2}}, {{ReturnValueIndex}})}, in initTaintRules()
699 {{CDM::CLibrary, {"strspn"}}, TR::Prop({{0, 1}}, {{ReturnValueIndex}})}, in initTaintRules()
700 {{CDM::CLibrary, {"strcspn"}}, TR::Prop({{0, 1}}, {{ReturnValueIndex}})}, in initTaintRules()
701 {{CDM::CLibrary, {"strpbrk"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
703 {{CDM::CLibrary, {"strndup"}}, TR::Prop({{0, 1}}, {{ReturnValueIndex}})}, in initTaintRules()
704 {{CDM::CLibrary, {"strndupa"}}, TR::Prop({{0, 1}}, {{ReturnValueIndex}})}, in initTaintRules()
705 {{CDM::CLibrary, {"strdup"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
706 {{CDM::CLibrary, {"strdupa"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
707 {{CDM::CLibrary, {"wcsdup"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
710 // See the details here: https://github.com/llvm/llvm-project/pull/66086 in initTaintRules()
712 {{CDM::CLibrary, {"strtol"}}, TR::Prop({{0}}, {{1, ReturnValueIndex}})}, in initTaintRules()
713 {{CDM::CLibrary, {"strtoll"}}, TR::Prop({{0}}, {{1, ReturnValueIndex}})}, in initTaintRules()
714 {{CDM::CLibrary, {"strtoul"}}, TR::Prop({{0}}, {{1, ReturnValueIndex}})}, in initTaintRules()
715 {{CDM::CLibrary, {"strtoull"}}, TR::Prop({{0}}, {{1, ReturnValueIndex}})}, in initTaintRules()
717 {{CDM::CLibrary, {"tolower"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
718 {{CDM::CLibrary, {"toupper"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
720 {{CDM::CLibrary, {"isalnum"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
721 {{CDM::CLibrary, {"isalpha"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
722 {{CDM::CLibrary, {"isascii"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
723 {{CDM::CLibrary, {"isblank"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
724 {{CDM::CLibrary, {"iscntrl"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
725 {{CDM::CLibrary, {"isdigit"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
726 {{CDM::CLibrary, {"isgraph"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
727 {{CDM::CLibrary, {"islower"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
728 {{CDM::CLibrary, {"isprint"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
729 {{CDM::CLibrary, {"ispunct"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
730 {{CDM::CLibrary, {"isspace"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
731 {{CDM::CLibrary, {"isupper"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
732 {{CDM::CLibrary, {"isxdigit"}}, TR::Prop({{0}}, {{ReturnValueIndex}})}, in initTaintRules()
735 TR::Prop({{1}}, {{0, ReturnValueIndex}})}, in initTaintRules()
737 TR::Prop({{1}}, {{0, ReturnValueIndex}})}, in initTaintRules()
739 TR::Prop({{0, 1}}, {{0, ReturnValueIndex}})}, in initTaintRules()
741 TR::Prop({{0, 1}}, {{0, ReturnValueIndex}})}, in initTaintRules()
743 TR::Prop({{1, 2}}, {{0, ReturnValueIndex}})}, in initTaintRules()
745 TR::Prop({{0, 1, 2}}, {{0, ReturnValueIndex}})}, in initTaintRules()
746 {{CDM::CLibraryMaybeHardened, {"strlcpy"}}, TR::Prop({{1, 2}}, {{0}})}, in initTaintRules()
747 {{CDM::CLibraryMaybeHardened, {"strlcat"}}, TR::Prop({{0, 1, 2}}, {{0}})}, in initTaintRules()
756 TR::Prop({{1, 2}, 3}, {{0, ReturnValueIndex}})}, in initTaintRules()
759 TR::Prop({{1}, 2}, {{0, ReturnValueIndex}})}, in initTaintRules()
763 TR::Prop({{1, 4}, 5}, {{0, ReturnValueIndex}})}, in initTaintRules()
767 TR::Prop({{3}, 4}, {{0, ReturnValueIndex}})}, in initTaintRules()
810 // User-provided taint configuration. in initTaintRules()
816 Mgr->getAnalyzerOptions().getCheckerStringOption(this, Option); in initTaintRules()
838 Call.isGlobalCFunction() ? StaticTaintRules->lookup(Call) : nullptr) in checkPreCall()
839 Rule->process(*this, Call, C); in checkPreCall()
840 else if (const auto *Rule = DynamicTaintRules->lookup(Call)) in checkPreCall()
841 Rule->process(*this, Call, C); in checkPreCall()
846 // TODO: Make CallDescription be able to match attributes such as printf-like in checkPreCall()
862 // Depending on what was tainted at pre-visit, we determined a set of in checkPostCall()
865 TaintArgsOnPostVisitTy TaintArgsMap = State->get<TaintArgsOnPostVisit>(); in checkPostCall()
870 assert(!TaintArgs->isEmpty()); in checkPostCall()
910 State = State->remove<TaintArgsOnPostVisit>(CurrentFrame); in checkPostCall()
982 const auto WouldEscape = [](SVal V, QualType Ty) -> bool { in process()
986 const bool IsNonConstRef = Ty->isReferenceType() && !Ty.isConstQualified(); in process()
988 Ty->isPointerType() && !Ty->getPointeeType().isConstQualified(); in process()
994 auto &F = State->getStateManager().get_context<ArgIdxFactory>(); in process()
1006 // non-const pointer or reference to a function which is in process()
1011 if (WouldEscape(V, E->getType()) && getTaintedPointeeOrPointer(State, V)) { in process()
1022 State = State->set<TaintArgsOnPostVisit>(C.getStackFrame(), Result); in process()
1048 static CheckerProgramPointTag Tag(BT->getCheckerName(), Msg); in generateReportIfTainted()
1051 report->addRange(E->getSourceRange()); in generateReportIfTainted()
1053 report->markInteresting(TaintedSym); in generateReportIfTainted()
1076 const FunctionDecl *FDecl = CallDecl->getAsFunction(); in getPrintfFormatArgumentNum()
1082 for (const auto *Format : FDecl->specific_attrs<FormatAttr>()) { in getPrintfFormatArgumentNum()
1083 ArgNum = Format->getFormatIdx() - 1; in getPrintfFormatArgumentNum()
1084 if ((Format->getType()->getName() == "printf") && CallNumArgs > ArgNum) in getPrintfFormatArgumentNum()
1111 if (ID->getName() != "socket") in taintUnsafeSocketProtocol()
1114 SourceLocation DomLoc = Call.getArgExpr(0)->getExprLoc(); in taintUnsafeSocketProtocol()
1123 auto &F = State->getStateManager().get_context<ArgIdxFactory>(); in taintUnsafeSocketProtocol()
1125 State = State->set<TaintArgsOnPostVisit>(C.getStackFrame(), Result); in taintUnsafeSocketProtocol()
1140 checker->isTaintReporterCheckerEnabled = true; in registerGenericTaintChecker()
1141 checker->BT.emplace(Mgr.getCurrentCheckerName(), "Use of Untrusted Data", in registerGenericTaintChecker()