================
@@ -1,14 +1,26 @@
-// RUN: %clang_analyze_cc1 
-analyzer-checker=optin.taint,core,security.ArrayBound -analyzer-config 
assume-controlled-environment=false -analyzer-output=text -verify %s
+// RUN: %clang_analyze_cc1 
-analyzer-checker=optin.taint,core,security.ArrayBound \
+// RUN: -analyzer-config assume-controlled-environment=false 
-analyzer-output=text -verify %s
 
-// This file is for testing enhanced diagnostics produced by the 
GenericTaintChecker
+// This file is for testing enhanced diagnostics produced by the
+// GenericTaintChecker
 
-// In an untrusted environment the cmd line arguments
-// are assumed to be tainted.
-int main( int argc, char *argv[], char *envp[] ) {// expected-note {{Taint 
originated in 'argc'}}
-   if (argc < 1)// expected-note {{'argc' is >= 1}}
+typedef __typeof(sizeof(int)) size_t;
+int system(const char *command);
+size_t strlen(const char *str);
+char *strncat(char *destination, const char *source, size_t num);
+char *strncpy(char *destination, const char *source, size_t num);
+
+// In an untrusted environment the the environment variables
+// coming through the envp are also tainted.
+int main(int argc, char *argv[],  char *envp[]) { // expected-note {{Taint 
originated in 'envp'}}
+  char cmd[2048] = "/bin/cat ";
+  char filename[1024];
+  if (!envp[0]) // expected-note {{Assuming the condition is false}}
                 // expected-note@-1 {{Taking false branch}}
-     return 1;         
-   int v[5]={1,2,3,4,5};   
-   return v[argc];// expected-warning {{Potential out of bound access to 'v' 
with tainted index}}
-                  // expected-note@-1 {{Access of 'v' with a tainted index 
that may be too large}}
- }
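Review bot: The new comment above `main` has a duplicated word ("the the environment variables") and does not say which setting makes `envp` a taint source. I would reword it as `// With assume-controlled-environment=false the environment variables` followed by `// passed in through envp are treated as tainted.`, so a reader can tie the expected "Taint originated in 'envp'" note back to the `-analyzer-config` option on the RUN line. The signature also has a stray double space in `char *argv[],  char *envp[]`. The body of `main` continues past the end of the quoted hunk, so how `cmd` and `filename` are used is not visible here.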
----------------
NagyDonat wrote:

Please restore this testcase which validates that `argc` is tainted -- it seems 
that the introduction of the `envp` test accidentally overwrites it.

Moreover, extend it with a statement that looks e.g. like `int foo = 100 / argc; 
// no-warning` (at the beginning) to demonstrate that `TaintedDiv` is not 
triggered, because we assume that `argc` is at least 1.

https://github.com/llvm/llvm-project/pull/178054