gcc/testsuite/gcc.dg/analyzer/sensitive-1.c - gcc.git - Git at Google

 #include <stdio.h>
 #include <unistd.h>
 #include <string.h>

 char test_1 (FILE *logfile)
 {
   char *password = getpass (">"); /* { dg-message "\\(1\\) sensitive value acquired here" } */
   fprintf (logfile, "got password %s\n", password); /* { dg-warning "sensitive value 'password' written to output file \\\[CWE-532\\\]" } */
   /* { dg-message "\\(2\\) sensitive value 'password' written to output file; acquired at \\(1\\)" "" { target *-*-* } .-1 } */
 }

 char test_2 (FILE *logfile, int i)
 {
   char *password = getpass (">"); /* { dg-message "\\(1\\) sensitive value acquired here" } */
   fprintf (logfile, "got password[%i]: %s\n", i, password); /* { dg-warning "sensitive value 'password' written to output file \\\[CWE-532\\\]" } */
   /* { dg-message "\\(2\\) sensitive value 'password' written to output file; acquired at \\(1\\)" "" { target *-*-* } .-1 } */
 }

 char test_3 (FILE *logfile)
 {
   char *password = getpass (">"); /* { dg-message "\\(1\\) sensitive value acquired here" } */
   printf ("got password %s\n", password); /* { dg-warning "sensitive value 'password' written to output file \\\[CWE-532\\\]" } */
   /* { dg-message "\\(2\\) sensitive value 'password' written to output file; acquired at \\(1\\)" "" { target *-*-* } .-1 } */
 }

 char test_4 (FILE *logfile)
 {
   char *password = getpass (">"); /* { dg-message "\\(1\\) sensitive value acquired here" } */
   fwrite (password, strlen (password), 1, logfile); /* { dg-warning "sensitive value 'password' written to output file \\\[CWE-532\\\]" } */
   /* { dg-message "\\(2\\) sensitive value 'password' written to output file; acquired at \\(1\\)" "" { target *-*-* } .-1 } */
 }

 static void called_by_test_5 (const char *value)
 {
   printf ("%s", value); /* { dg-warning "sensitive value 'value' written to output file \\\[CWE-532\\\]" } */
 }

 char test_5 (FILE *logfile)
 {
   char *password = getpass (">");
   called_by_test_5 (password); /* { dg-message "passing sensitive value 'password' in call to 'called_by_test_5' from 'test_5'" } */
 }

 static char *called_by_test_6 (void)
 {
   return getpass (">"); /* { dg-message "sensitive value acquired here" } */
 }

 char test_6 (FILE *logfile)
 {
   char *password = called_by_test_6 (); /* { dg-message "returning sensitive value to 'test_6' from 'called_by_test_6'" } */
   printf ("%s", password); /* { dg-warning "sensitive value 'password' written to output file \\\[CWE-532\\\]" } */
 }

 /* TODO: strdup etc, strcpy, memcpy, etc.  */
	#include <stdio.h>
	#include <unistd.h>
	#include <string.h>

	char test_1 (FILE *logfile)
	{
	char password = getpass (">"); / { dg-message "\\(1\\) sensitive value acquired here" } */
	fprintf (logfile, "got password %s\n", password); /* { dg-warning "sensitive value 'password' written to output file \\\[CWE-532\\\]" } */
	/* { dg-message "\\(2\\) sensitive value 'password' written to output file; acquired at \\(1\\)" "" { target --* } .-1 } */
	}

	char test_2 (FILE *logfile, int i)
	{
	char password = getpass (">"); / { dg-message "\\(1\\) sensitive value acquired here" } */
	fprintf (logfile, "got password[%i]: %s\n", i, password); /* { dg-warning "sensitive value 'password' written to output file \\\[CWE-532\\\]" } */
	/* { dg-message "\\(2\\) sensitive value 'password' written to output file; acquired at \\(1\\)" "" { target --* } .-1 } */
	}

	char test_3 (FILE *logfile)
	{
	char password = getpass (">"); / { dg-message "\\(1\\) sensitive value acquired here" } */
	printf ("got password %s\n", password); /* { dg-warning "sensitive value 'password' written to output file \\\[CWE-532\\\]" } */
	/* { dg-message "\\(2\\) sensitive value 'password' written to output file; acquired at \\(1\\)" "" { target --* } .-1 } */
	}

	char test_4 (FILE *logfile)
	{
	char password = getpass (">"); / { dg-message "\\(1\\) sensitive value acquired here" } */
	fwrite (password, strlen (password), 1, logfile); /* { dg-warning "sensitive value 'password' written to output file \\\[CWE-532\\\]" } */
	/* { dg-message "\\(2\\) sensitive value 'password' written to output file; acquired at \\(1\\)" "" { target --* } .-1 } */
	}

	static void called_by_test_5 (const char *value)
	{
	printf ("%s", value); /* { dg-warning "sensitive value 'value' written to output file \\\[CWE-532\\\]" } */
	}

	char test_5 (FILE *logfile)
	{
	char *password = getpass (">");
	called_by_test_5 (password); /* { dg-message "passing sensitive value 'password' in call to 'called_by_test_5' from 'test_5'" } */
	}

	static char *called_by_test_6 (void)
	{
	return getpass (">"); /* { dg-message "sensitive value acquired here" } */
	}

	char test_6 (FILE *logfile)
	{
	char password = called_by_test_6 (); / { dg-message "returning sensitive value to 'test_6' from 'called_by_test_6'" } */
	printf ("%s", password); /* { dg-warning "sensitive value 'password' written to output file \\\[CWE-532\\\]" } */
	}

	/* TODO: strdup etc, strcpy, memcpy, etc. */