File: sensitive-1.c

#include <stdio.h>

/* Solaris needs this for <unistd.h> to declare getpass.  */
#define __EXTENSIONS__
#include <unistd.h>

#include <string.h>

/* Declare getpass, in case unistd doesn't declare it.
   Parenthesize it, in case it's a macro.
   Don't use a prototype, to avoid const mismatches.
   Every test below obtains its sensitive value from this call; the
   analyzer's "sensitive value acquired here" event is attached to it.  */
extern char *(getpass) ();

/* Baseline case: the result of getpass is written to the caller's log
   file with fprintf.  The analyzer is expected to report the getpass
   result as a sensitive value (event 1) and warn on the fprintf as a
   write of that value to an output file (CWE-532, event 2).
   The function is declared to return char but never returns a value;
   only the diagnostics below are checked by this test.
   The ".-1" in the event directive refers to the line immediately above
   it, so nothing may be inserted between the fprintf and its directive.  */
char test_1 (FILE *logfile)
{
  char *password = getpass (">"); /* { dg-message "\\(1\\) sensitive value acquired here" } */
  fprintf (logfile, "got password %s\n", password); /* { dg-warning "sensitive value 'password' written to output file \\\[CWE-532\\\]" "warning" } */
  /* { dg-message "\\(2\\) sensitive value 'password' written to output file; acquired at \\(1\\)" "event" { target *-*-* } .-1 } */
}

/* As test_1, but a non-sensitive argument (i) precedes the password in
   the fprintf argument list.  The warning is still expected on the
   fprintf, naming 'password' as the leaked value.  */
char test_2 (FILE *logfile, int i)
{
  char *password = getpass (">"); /* { dg-message "\\(1\\) sensitive value acquired here" } */
  fprintf (logfile, "got password[%i]: %s\n", i, password); /* { dg-warning "sensitive value 'password' written to output file \\\[CWE-532\\\]" } */
  /* { dg-message "\\(2\\) sensitive value 'password' written to output file; acquired at \\(1\\)" "event" { target *-*-* } .-1 } */
}

/* As test_1, but the password goes through printf rather than fprintf
   to the logfile parameter (which is unused here).  The expected
   diagnostic is the same "written to output file" warning.  */
char test_3 (FILE *logfile)
{
  char *password = getpass (">"); /* { dg-message "\\(1\\) sensitive value acquired here" } */
  printf ("got password %s\n", password); /* { dg-warning "sensitive value 'password' written to output file \\\[CWE-532\\\]" "warning" } */
  /* { dg-message "\\(2\\) sensitive value 'password' written to output file; acquired at \\(1\\)" "event" { target *-*-* } .-1 } */
}

/* Raw write: the password bytes are emitted with fwrite instead of a
   formatted-output call, using strlen on the sensitive value for the
   length.  The analyzer is expected to treat fwrite as an output-file
   sink and warn in the same way as for fprintf/printf.  */
char test_4 (FILE *logfile)
{
  char *password = getpass (">"); /* { dg-message "\\(1\\) sensitive value acquired here" } */
  fwrite (password, strlen (password), 1, logfile); /* { dg-warning "sensitive value 'password' written to output file \\\[CWE-532\\\]" "warning" } */
  /* { dg-message "\\(2\\) sensitive value 'password' written to output file; acquired at \\(1\\)" "event" { target *-*-* } .-1 } */
}

/* Interprocedural sink: this helper has no way of knowing that 'value'
   is a password, but test_5 passes one in.  The warning is expected here,
   in the callee, under the parameter's name 'value'; the call site in
   test_5 gets the "passing sensitive value" event instead.  */
static void called_by_test_5 (const char *value)
{
  printf ("%s", value); /* { dg-warning "sensitive value 'value' written to output file \\\[CWE-532\\\]" } */
}

/* Sensitive value flowing into a callee.  No diagnostic is expected on
   the getpass line itself; the call to called_by_test_5 is expected to
   carry the "passing sensitive value ... in call to" event, and the
   CWE-532 warning is reported inside called_by_test_5.  */
char test_5 (FILE *logfile)
{
  char *password = getpass (">");
  called_by_test_5 (password); /* { dg-message "passing sensitive value 'password' in call to 'called_by_test_5' from 'test_5'" } */
}

/* Interprocedural source: wraps getpass so that the sensitive value is
   acquired in one function and leaked in another (test_6).  The
   "sensitive value acquired here" event is expected on the return.  */
static char *called_by_test_6 (void)
{
  return getpass (">"); /* { dg-message "sensitive value acquired here" } */
}

/* Sensitive value flowing out of a callee via its return value.  The
   call is expected to carry the "returning sensitive value to 'test_6'"
   event, and the printf that follows gets the CWE-532 warning.  The
   logfile parameter is unused.  */
char test_6 (FILE *logfile)
{
  char *password = called_by_test_6 (); /* { dg-message "returning sensitive value to 'test_6' from 'called_by_test_6'" } */
  printf ("%s", password); /* { dg-warning "sensitive value 'password' written to output file \\\[CWE-532\\\]" } */
}

/* TODO: strdup, strcpy, memcpy, etc.  */