commit 1bf405666c5499e5a3f7962b6ca5ddcef12cca89
author Zhongxing Xu <xuzhongxing@gmail.com> Thu Dec 03 09:15:23 2009 +0000
committer Zhongxing Xu <xuzhongxing@gmail.com> Thu Dec 03 09:15:23 2009 +0000
tree 26ca86a3d0183a21ac25900e52d3108c1cc95275
parent 459cc2387e682d08af63eb30874eb919b801fb42

Add security syntactic checker for mktemp.
Patch by Lei Zhang!


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@90444 91177308-0d34-0410-b5e6-96231b3b80d8

lib/Analysis/CheckSecuritySyntaxOnly.cpp

diff --git a/lib/Analysis/CheckSecuritySyntaxOnly.cpp b/lib/Analysis/CheckSecuritySyntaxOnly.cpp
index e6ab17a..3214101 100644
--- a/lib/Analysis/CheckSecuritySyntaxOnly.cpp
+++ b/lib/Analysis/CheckSecuritySyntaxOnly.cpp
@@ -23,6 +23,7 @@
   BugReporter &BR;
   IdentifierInfo *II_gets;
   IdentifierInfo *II_getpw;
+  IdentifierInfo *II_mktemp;
   enum { num_rands = 9 };
   IdentifierInfo *II_rand[num_rands];
   IdentifierInfo *II_random;
@@ -31,7 +32,8 @@
 
 public:
   WalkAST(BugReporter &br) : BR(br),
-    II_gets(0), II_getpw(0), II_rand(), II_random(0), II_setid() {}
+			     II_gets(0), II_getpw(0), II_mktemp(0),
+			     II_rand(), II_random(0), II_setid() {}
 
   // Statement visitor methods.
   void VisitCallExpr(CallExpr *CE);
@@ -48,6 +50,7 @@
   void CheckLoopConditionForFloat(const ForStmt *FS);
   void CheckCall_gets(const CallExpr *CE, const FunctionDecl *FD);
   void CheckCall_getpw(const CallExpr *CE, const FunctionDecl *FD);
+  void CheckCall_mktemp(const CallExpr *CE, const FunctionDecl *FD);
   void CheckCall_rand(const CallExpr *CE, const FunctionDecl *FD);
   void CheckCall_random(const CallExpr *CE, const FunctionDecl *FD);
   void CheckUncheckedReturnValue(CallExpr *CE);
@@ -79,6 +82,7 @@
   if (const FunctionDecl *FD = CE->getDirectCallee()) {
     CheckCall_gets(CE, FD);
     CheckCall_getpw(CE, FD);
+    CheckCall_mktemp(CE, FD);
     CheckCall_rand(CE, FD);
     CheckCall_random(CE, FD);
   }
@@ -288,6 +292,42 @@
 }
 
 //===----------------------------------------------------------------------===//
+// Check: Any use of 'mktemp' is insecure.It is obsoleted by mkstemp().
+// CWE-377: Insecure Temporary File
+//===----------------------------------------------------------------------===//
+
+void WalkAST::CheckCall_mktemp(const CallExpr *CE, const FunctionDecl *FD) {
+  if (FD->getIdentifier() != GetIdentifier(II_mktemp, "mktemp"))
+    return;
+
+  const FunctionProtoType *FPT = dyn_cast<FunctionProtoType>(FD->getType());
+  if(!FPT)
+    return;
+  
+  // Verify that the funcion takes a single argument.
+  if (FPT->getNumArgs() != 1)
+    return;
+
+  // Verify that the argument is Pointer Type.
+  const PointerType *PT = dyn_cast<PointerType>(FPT->getArgType(0));
+  if (!PT)
+    return;
+
+  // Verify that the argument is a 'char*'.
+  if (PT->getPointeeType().getUnqualifiedType() != BR.getContext().CharTy)
+    return;
+  
+  // Issue a waring.
+  SourceRange R = CE->getCallee()->getSourceRange();
+  BR.EmitBasicReport("Potential insecure temporary file in call 'mktemp'",
+		     "Security",
+		     "Call to function 'mktemp' is insecure as it always "
+		     "creates or uses insecure temporary file",
+		     CE->getLocStart(), &R, 1);
+}
+
+
+//===----------------------------------------------------------------------===//
 // Check: Linear congruent random number generators should not be used
 // Originally: <rdar://problem/63371000>
 // CWE-338: Use of cryptographically weak prng