From 1bf405666c5499e5a3f7962b6ca5ddcef12cca89 Mon Sep 17 00:00:00 2001 From: Zhongxing Xu Date: Thu, 3 Dec 2009 09:15:23 +0000 Subject: [PATCH] Add security syntactic checker for mktemp. Patch by Lei Zhang! git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@90444 91177308-0d34-0410-b5e6-96231b3b80d8 --- lib/Analysis/CheckSecuritySyntaxOnly.cpp | 42 +++++++++++++++++++++++- 1 file changed, 41 insertions(+), 1 deletion(-) diff --git a/lib/Analysis/CheckSecuritySyntaxOnly.cpp b/lib/Analysis/CheckSecuritySyntaxOnly.cpp index e6ab17a759..3214101c64 100644 --- a/lib/Analysis/CheckSecuritySyntaxOnly.cpp +++ b/lib/Analysis/CheckSecuritySyntaxOnly.cpp @@ -23,6 +23,7 @@ class WalkAST : public StmtVisitor { BugReporter &BR; IdentifierInfo *II_gets; IdentifierInfo *II_getpw; + IdentifierInfo *II_mktemp; enum { num_rands = 9 }; IdentifierInfo *II_rand[num_rands]; IdentifierInfo *II_random; @@ -31,7 +32,8 @@ class WalkAST : public StmtVisitor { public: WalkAST(BugReporter &br) : BR(br), - II_gets(0), II_getpw(0), II_rand(), II_random(0), II_setid() {} + II_gets(0), II_getpw(0), II_mktemp(0), + II_rand(), II_random(0), II_setid() {} // Statement visitor methods. void VisitCallExpr(CallExpr *CE); @@ -48,6 +50,7 @@ public: void CheckLoopConditionForFloat(const ForStmt *FS); void CheckCall_gets(const CallExpr *CE, const FunctionDecl *FD); void CheckCall_getpw(const CallExpr *CE, const FunctionDecl *FD); + void CheckCall_mktemp(const CallExpr *CE, const FunctionDecl *FD); void CheckCall_rand(const CallExpr *CE, const FunctionDecl *FD); void CheckCall_random(const CallExpr *CE, const FunctionDecl *FD); void CheckUncheckedReturnValue(CallExpr *CE); @@ -79,6 +82,7 @@ void WalkAST::VisitCallExpr(CallExpr *CE) { if (const FunctionDecl *FD = CE->getDirectCallee()) { CheckCall_gets(CE, FD); CheckCall_getpw(CE, FD); + CheckCall_mktemp(CE, FD); CheckCall_rand(CE, FD); CheckCall_random(CE, FD); } @@ -287,6 +291,42 @@ void WalkAST::CheckCall_getpw(const CallExpr *CE, const FunctionDecl *FD) { CE->getLocStart(), &R, 1); } +//===----------------------------------------------------------------------===// +// Check: Any use of 'mktemp' is insecure.It is obsoleted by mkstemp(). +// CWE-377: Insecure Temporary File +//===----------------------------------------------------------------------===// + +void WalkAST::CheckCall_mktemp(const CallExpr *CE, const FunctionDecl *FD) { + if (FD->getIdentifier() != GetIdentifier(II_mktemp, "mktemp")) + return; + + const FunctionProtoType *FPT = dyn_cast(FD->getType()); + if(!FPT) + return; + + // Verify that the funcion takes a single argument. + if (FPT->getNumArgs() != 1) + return; + + // Verify that the argument is Pointer Type. + const PointerType *PT = dyn_cast(FPT->getArgType(0)); + if (!PT) + return; + + // Verify that the argument is a 'char*'. + if (PT->getPointeeType().getUnqualifiedType() != BR.getContext().CharTy) + return; + + // Issue a waring. + SourceRange R = CE->getCallee()->getSourceRange(); + BR.EmitBasicReport("Potential insecure temporary file in call 'mktemp'", + "Security", + "Call to function 'mktemp' is insecure as it always " + "creates or uses insecure temporary file", + CE->getLocStart(), &R, 1); +} + + //===----------------------------------------------------------------------===// // Check: Linear congruent random number generators should not be used // Originally: