forked from github/codeql
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathtest.c
More file actions
63 lines (52 loc) · 1.46 KB
/
test.c
File metadata and controls
63 lines (52 loc) · 1.46 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
// Semmle test case for rule TaintedPath.ql (User-controlled data in path expression)
// Associated with CWE-022: Improper Limitation of a Pathname to a Restricted Directory. http://cwe.mitre.org/data/definitions/22.html
#include "stdlib.h"
///// Test code /////
int main(int argc, char** argv) {
char *userAndFile = argv[2];
{
char fileBuffer[FILENAME_MAX] = "/home/";
char *fileName = fileBuffer;
size_t len = strlen(fileName);
strncat(fileName+len, userAndFile, FILENAME_MAX-len-1);
// BAD: a string from the user is used in a filename
fopen(fileName, "wb+");
}
{
char fileBuffer[FILENAME_MAX] = "/home/";
char *fileName = fileBuffer;
size_t len = strlen(fileName);
// GOOD: use a fixed file
char* fixed = "file.txt";
strncat(fileName+len, fixed, FILENAME_MAX-len-1);
fopen(fileName, "wb+");
}
{
char *fileName = argv[1];
fopen(fileName, "wb+"); // BAD
}
{
char fileName[20];
scanf("%s", fileName);
fopen(fileName, "wb+"); // BAD
}
{
char *fileName = (char*)malloc(20 * sizeof(char));
scanf("%s", fileName);
fopen(fileName, "wb+"); // BAD
}
{
char *aNumber = getenv("A_NUMBER");
double number = strtod(aNumber, 0);
char fileName[20];
sprintf(fileName, "/foo/%f", number);
fopen(fileName, "wb+"); // GOOD
}
{
void read(const char *fileName);
read(argv[1]); // BAD [NOT DETECTED]
}
}
void read(char *fileName) {
fopen(fileName, "wb+");
}