infer_clone/infer/tests/codetoanalyze/cpp/quandary/arrays.cpp

/*
 * Copyright (c) 2017-present, Facebook, Inc.
 *
 * This source code is licensed under the MIT license found in the
 * LICENSE file in the root directory of this source tree.
 */

#include <array>
#include <string>

extern int __infer_taint_source();
extern void skip(int i, int j);

// mocking gflags-generated field
extern int FLAGS_size;

namespace arrays {

void array_sink1_bad(int arr[]) {
  int source = __infer_taint_source();
  arr[source] = 2;
}

int array_sink2_bad(int arr[]) {
  int source = __infer_taint_source();
  return arr[source];
}

int array_sink3_bad(int arr[]) { return arr[1 + __infer_taint_source()]; }

void array_sink4_bad(int arr[]) {
  int source = __infer_taint_source();
  skip(1, arr[source]);
}

void std_array_sink_bad(std::array<int, 2> arr) {
  int source = __infer_taint_source();
  arr[source] = 2;
}

void std_string_sink_bad(std::string str) {
  int source = __infer_taint_source();
  str[source] = 'a';
}

int stack_smash_bad() {
  int source = __infer_taint_source();
  int arr[source];
  return arr[0]; // could read from anywhere in the stack
}

void gflag_to_stack_allocated_array_bad() { int arr[FLAGS_size]; }

// if we're not careful, this will re-report the warning in the callee
void read_global_no_double_report_ok() {
  int i = FLAGS_size;
  gflag_to_stack_allocated_array_bad();
}

void strcpy_bad(char* str) {
  char* source = getenv("some_var");
  strcpy(str, source);
}

void memcpy_bad(void* data1, void* data2) {
  int source = __infer_taint_source();
  memcpy(data1, data2, source);
}

void wmemcpy_bad(wchar_t* data1, wchar_t* data2) {
  int source = __infer_taint_source();
  wmemcpy(data1, data2, source);
}

void memmove_bad(void* data1, void* data2) {
  int source = __infer_taint_source();
  memmove(data1, data2, source);
}

void wmemmove_bad(wchar_t* data1, wchar_t* data2) {
  int source = __infer_taint_source();
  wmemmove(data1, data2, source);
}

void memset_bad(char* str) {
  int source = __infer_taint_source();
  memset(str, '0', source);
}

void strncpy_bad(char* str1, char* str2) {
  int source = __infer_taint_source();
  strncpy(str1, str2, source);
}
void copies_ok(char* str) {
  char* source = getenv("some_var");
  int len = std::min(strlen(str), strlen(source));
  memcpy(str, source, len);
  memmove(str, source, len);
  memset(str, '0', len);
  strncpy(str, source, len);
}

// these examples used to crash the HIL conversion
char index_of_literal_ok1() { return "foo"[1]; }

char index_of_literal_ok2() { return "foo"[7]; }

char index_of_literal_ok3(int i) { return "foo"[i]; }
} // namespace arrays
[hil] fix crash when translating C code that indexes string literals like arrays or does pointer arithmetic Summary: HIL had only been tested in Java, and it made some assumptions about what array expressions look like (the LHS is always resolvable to an access path) and assignments (the LHS is always an access path) that aren't true in C. Fixed the code so we won't crash in this case. Thanks to jeremydubreil for catching this. Reviewed By: jeremydubreil Differential Revision: D5047649 fbshipit-source-id: e8484f4 8 years ago			`/*`
Change license to MIT Summary: Change the license of the source code from BSD + PATENTS to MIT. Change `checkCopyright` to reflect the new license and learn some new file types. Generated with: ``` git grep BSD \| xargs -n 1 ./scripts/checkCopyright -i ``` Reviewed By: jeremydubreil, mbouaziz, jberdine Differential Revision: D8071249 fbshipit-source-id: 97ca23a 7 years ago			`* Copyright (c) 2017-present, Facebook, Inc.`
[hil] fix crash when translating C code that indexes string literals like arrays or does pointer arithmetic Summary: HIL had only been tested in Java, and it made some assumptions about what array expressions look like (the LHS is always resolvable to an access path) and assignments (the LHS is always an access path) that aren't true in C. Fixed the code so we won't crash in this case. Thanks to jeremydubreil for catching this. Reviewed By: jeremydubreil Differential Revision: D5047649 fbshipit-source-id: e8484f4 8 years ago			`*`
Change license to MIT Summary: Change the license of the source code from BSD + PATENTS to MIT. Change `checkCopyright` to reflect the new license and learn some new file types. Generated with: ``` git grep BSD \| xargs -n 1 ./scripts/checkCopyright -i ``` Reviewed By: jeremydubreil, mbouaziz, jberdine Differential Revision: D8071249 fbshipit-source-id: 97ca23a 7 years ago			`* This source code is licensed under the MIT license found in the`
			`* LICENSE file in the root directory of this source tree.`
[hil] fix crash when translating C code that indexes string literals like arrays or does pointer arithmetic Summary: HIL had only been tested in Java, and it made some assumptions about what array expressions look like (the LHS is always resolvable to an access path) and assignments (the LHS is always an access path) that aren't true in C. Fixed the code so we won't crash in this case. Thanks to jeremydubreil for catching this. Reviewed By: jeremydubreil Differential Revision: D5047649 fbshipit-source-id: e8484f4 8 years ago			`*/`

[quandary] vector and array access as sink Summary: Useful for identifying user-controlled array accesses that could lead to buffer overflows Reviewed By: mbouaziz Differential Revision: D5520985 fbshipit-source-id: 92984f6 7 years ago			`#include <array>`
			`#include <string>`

			`extern int __infer_taint_source();`
			`extern void skip(int i, int j);`

[quandary] fix invariant 1: "sink(s) with only non-footprint source" violations Summary: In a summary, you never want to see a trace where non-footprint sources flow to a sink. Such a trace is useless because nothing the caller does can make more data flow into that sink. Reviewed By: jeremydubreil Differential Revision: D5779983 fbshipit-source-id: d06778a 7 years ago			`// mocking gflags-generated field`
			`extern int FLAGS_size;`

[hil] fix crash when translating C code that indexes string literals like arrays or does pointer arithmetic Summary: HIL had only been tested in Java, and it made some assumptions about what array expressions look like (the LHS is always resolvable to an access path) and assignments (the LHS is always an access path) that aren't true in C. Fixed the code so we won't crash in this case. Thanks to jeremydubreil for catching this. Reviewed By: jeremydubreil Differential Revision: D5047649 fbshipit-source-id: e8484f4 8 years ago			`namespace arrays {`

[quandary] vector and array access as sink Summary: Useful for identifying user-controlled array accesses that could lead to buffer overflows Reviewed By: mbouaziz Differential Revision: D5520985 fbshipit-source-id: 92984f6 7 years ago			`void array_sink1_bad(int arr[]) {`
			`int source = __infer_taint_source();`
			`arr[source] = 2;`
			`}`

			`int array_sink2_bad(int arr[]) {`
			`int source = __infer_taint_source();`
			`return arr[source];`
			`}`

			`int array_sink3_bad(int arr[]) { return arr[1 + __infer_taint_source()]; }`

			`void array_sink4_bad(int arr[]) {`
			`int source = __infer_taint_source();`
			`skip(1, arr[source]);`
			`}`

			`void std_array_sink_bad(std::array<int, 2> arr) {`
			`int source = __infer_taint_source();`
			`arr[source] = 2;`
			`}`

			`void std_string_sink_bad(std::string str) {`
			`int source = __infer_taint_source();`
			`str[source] = 'a';`
			`}`

[quandary] stack allocation of array as sink Reviewed By: grievejia Differential Revision: D5550052 fbshipit-source-id: 17568b1 7 years ago			`int stack_smash_bad() {`
			`int source = __infer_taint_source();`
			`int arr[source];`
			`return arr[0]; // could read from anywhere in the stack`
			`}`

[quandary] fix invariant 1: "sink(s) with only non-footprint source" violations Summary: In a summary, you never want to see a trace where non-footprint sources flow to a sink. Such a trace is useless because nothing the caller does can make more data flow into that sink. Reviewed By: jeremydubreil Differential Revision: D5779983 fbshipit-source-id: d06778a 7 years ago			`void gflag_to_stack_allocated_array_bad() { int arr[FLAGS_size]; }`

			`// if we're not careful, this will re-report the warning in the callee`
			`void read_global_no_double_report_ok() {`
			`int i = FLAGS_size;`
			`gflag_to_stack_allocated_array_bad();`
			`}`

[quandary] add memcpy, memset, and similar as sinks Reviewed By: jeremydubreil Differential Revision: D5676226 fbshipit-source-id: 52a20d1 7 years ago			`void strcpy_bad(char* str) {`
			`char* source = getenv("some_var");`
			`strcpy(str, source);`
			`}`

			`void memcpy_bad(void* data1, void* data2) {`
			`int source = __infer_taint_source();`
			`memcpy(data1, data2, source);`
			`}`

			`void wmemcpy_bad(wchar_t* data1, wchar_t* data2) {`
			`int source = __infer_taint_source();`
			`wmemcpy(data1, data2, source);`
			`}`

			`void memmove_bad(void* data1, void* data2) {`
			`int source = __infer_taint_source();`
			`memmove(data1, data2, source);`
			`}`

			`void wmemmove_bad(wchar_t* data1, wchar_t* data2) {`
			`int source = __infer_taint_source();`
			`wmemmove(data1, data2, source);`
			`}`

			`void memset_bad(char* str) {`
			`int source = __infer_taint_source();`
			`memset(str, '0', source);`
			`}`

			`void strncpy_bad(char* str1, char* str2) {`
			`int source = __infer_taint_source();`
			`strncpy(str1, str2, source);`
			`}`
			`void copies_ok(char* str) {`
			`char* source = getenv("some_var");`
			`int len = std::min(strlen(str), strlen(source));`
			`memcpy(str, source, len);`
			`memmove(str, source, len);`
			`memset(str, '0', len);`
			`strncpy(str, source, len);`
			`}`

[hil] fix crash when translating C code that indexes string literals like arrays or does pointer arithmetic Summary: HIL had only been tested in Java, and it made some assumptions about what array expressions look like (the LHS is always resolvable to an access path) and assignments (the LHS is always an access path) that aren't true in C. Fixed the code so we won't crash in this case. Thanks to jeremydubreil for catching this. Reviewed By: jeremydubreil Differential Revision: D5047649 fbshipit-source-id: e8484f4 8 years ago			`// these examples used to crash the HIL conversion`
			`char index_of_literal_ok1() { return "foo"[1]; }`

			`char index_of_literal_ok2() { return "foo"[7]; }`

			`char index_of_literal_ok3(int i) { return "foo"[i]; }`
Change license to MIT Summary: Change the license of the source code from BSD + PATENTS to MIT. Change `checkCopyright` to reflect the new license and learn some new file types. Generated with: ``` git grep BSD \| xargs -n 1 ./scripts/checkCopyright -i ``` Reviewed By: jeremydubreil, mbouaziz, jberdine Differential Revision: D8071249 fbshipit-source-id: 97ca23a 7 years ago			`} // namespace arrays`