@@ -827,8 +831,40 @@ void GenericTaintChecker::initTaintRules(CheckerContext
&C) const {
std::make_move_iterator(Rules.end()));
}
+// The incoming parameters of the main function get tainted
+// if the program called in an untrusted environment.
+void GenericTaintChecker::checkBeginFunction(CheckerContext &C) const {
+ if (!C.inTopFrame() || C.getAnalysisManager()
+ .getAnalyzerOptions()
+ .ShouldAssumeControlledEnvironment)
+ return;
+
+ const auto *FD = dyn_cast<FunctionDecl>(C.getLocationContext()->getDecl());
+ if (!FD || !FD->isMain() || FD->param_size() < 2)
+ return;
+
+ ProgramStateRef State = C.getState();
+ const MemRegion *ArgvReg =
+ State->getRegion(FD->parameters()[1], C.getLocationContext());
+ SVal ArgvSval = State->getSVal(ArgvReg);
+ // Add taintedness to argv**
+ State = addTaint(State, ArgvSval);
+
+ const NoteTag *OriginatingTag =
+ C.getNoteTag([ArgvSval](PathSensitiveBugReport &BR) -> std::string {
+ // We give diagnostics only for taint related reports
+ if (!BR.isInteresting(ArgvSval) ||
+ BR.getBugType().getCategory() != categories::TaintedData)
+ return "";
+
+ return MsgTaintOrigin;
----------------
NagyDonat wrote:
Instead of using the generic canned message, consider using "Taint originated
in the parameter 'argv'" (with code that inserts the actual name of the
argument).
The current behavior is acceptable, but this would be more user-friendly. Also
in `main` there is only one relevant taint source, but if you later want to
generalize this behavior for other functions (that are marked as
"interface/entry" functions by the user), then naming the argument will be
important to clarify the situation.
https://github.com/llvm/llvm-project/pull/178054