void bad() { wchar_t * data; /* define a function pointer */ void (*funcPtr) (wchar_t *) = badSink; wchar_t dataBuffer[FILENAME_MAX] = BASEPATH; data = dataBuffer; { /* Append input from an environment variable to data */ size_t dataLen = wcslen(data); wchar_t * environment = GETENV(ENV_VARIABLE); /* If there is data in the environment variable */ if (environment != NULL) { /* POTENTIAL FLAW: Read data from an environment variable */ wcsncat(data+dataLen, environment, FILENAME_MAX-dataLen-1); } } /* use the function pointer */ funcPtr(data); }
void CWE134_Uncontrolled_Format_String__wchar_t_environment_snprintf_66_bad() { wchar_t * data; wchar_t * dataArray[5]; wchar_t dataBuffer[100] = L""; data = dataBuffer; { /* Append input from an environment variable to data */ size_t dataLen = wcslen(data); wchar_t * environment = GETENV(ENV_VARIABLE); /* If there is data in the environment variable */ if (environment != NULL) { /* POTENTIAL FLAW: Read data from an environment variable */ wcsncat(data+dataLen, environment, 100-dataLen-1); } } /* put data in array */ dataArray[2] = data; CWE134_Uncontrolled_Format_String__wchar_t_environment_snprintf_66b_badSink(dataArray); }
void CWE78_OS_Command_Injection__wchar_t_environment_execlp_66_bad() { wchar_t * data; wchar_t * dataArray[5]; wchar_t dataBuffer[100] = L""; data = dataBuffer; { /* Append input from an environment variable to data */ size_t dataLen = wcslen(data); wchar_t * environment = GETENV(ENV_VARIABLE); /* If there is data in the environment variable */ if (environment != NULL) { /* POTENTIAL FLAW: Read data from an environment variable */ wcsncat(data+dataLen, environment, 100-dataLen-1); } } /* put data in array */ dataArray[2] = data; CWE78_OS_Command_Injection__wchar_t_environment_execlp_66b_badSink(dataArray); }
void CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_ncat_03_bad() { wchar_t * data; wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t)); wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t)); if(5==5) { /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination * buffer in various memory copying functions using a "large" source buffer. */ data = dataBadBuffer; data[0] = L'\0'; /* null terminate */ } { wchar_t source[100]; wmemset(source, L'C', 100-1); /* fill with L'C's */ source[100-1] = L'\0'; /* null terminate */ /* POTENTIAL FLAW: Possible buffer overflow if the sizeof(data)-strlen(data) is less than the length of source */ wcsncat(data, source, 100); printWLine(data); } }
/* goodG2B() uses the GoodSource with the BadSink */ static void goodG2B() { wchar_t * data; data = NULL; /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */ data = new wchar_t[100]; data[0] = L'\0'; /* null terminate */ { wchar_t * dataCopy = data; wchar_t * data = dataCopy; { wchar_t source[100]; wmemset(source, L'C', 100-1); /* fill with L'C's */ source[100-1] = L'\0'; /* null terminate */ /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */ wcsncat(data, source, 100); printWLine(data); delete [] data; } } }
void CWE134_Uncontrolled_Format_String__wchar_t_environment_printf_65_bad() { wchar_t * data; /* define a function pointer */ void (*funcPtr) (wchar_t *) = CWE134_Uncontrolled_Format_String__wchar_t_environment_printf_65b_badSink; wchar_t dataBuffer[100] = L""; data = dataBuffer; { /* Append input from an environment variable to data */ size_t dataLen = wcslen(data); wchar_t * environment = GETENV(ENV_VARIABLE); /* If there is data in the environment variable */ if (environment != NULL) { /* POTENTIAL FLAW: Read data from an environment variable */ wcsncat(data+dataLen, environment, 100-dataLen-1); } } /* use the function pointer */ funcPtr(data); }
int main(int argc, char *argv[]) { const char *usage = "usage: git credential-wincred <get|store|erase>\n"; if (!argv[1]) die(usage); /* git use binary pipes to avoid CRLF-issues */ _setmode(_fileno(stdin), _O_BINARY); _setmode(_fileno(stdout), _O_BINARY); read_credential(); load_cred_funcs(); if (!protocol || !(host || path)) return 0; /* prepare 'target', the unique key for the credential */ wcscpy(target, L"git:"); wcsncat(target, protocol, ARRAY_SIZE(target)); wcsncat(target, L"://", ARRAY_SIZE(target)); if (wusername) { wcsncat(target, wusername, ARRAY_SIZE(target)); wcsncat(target, L"@", ARRAY_SIZE(target)); } if (host) wcsncat(target, host, ARRAY_SIZE(target)); if (path) { wcsncat(target, L"/", ARRAY_SIZE(target)); wcsncat(target, path, ARRAY_SIZE(target)); } if (!strcmp(argv[1], "get")) get_credential(); else if (!strcmp(argv[1], "store")) store_credential(); else if (!strcmp(argv[1], "erase")) erase_credential(); /* otherwise, ignore unknown action */ return 0; }
void CWE78_OS_Command_Injection__wchar_t_environment_popen_65_bad() { wchar_t * data; /* define a function pointer */ void (*funcPtr) (wchar_t *) = CWE78_OS_Command_Injection__wchar_t_environment_popen_65b_badSink; wchar_t data_buf[100] = FULL_COMMAND; data = data_buf; { /* Append input from an environment variable to data */ size_t dataLen = wcslen(data); wchar_t * environment = GETENV(ENV_VARIABLE); /* If there is data in the environment variable */ if (environment != NULL) { /* POTENTIAL FLAW: Read data from an environment variable */ wcsncat(data+dataLen, environment, 100-dataLen-1); } } /* use the function pointer */ funcPtr(data); }
void bad() { wchar_t * data; wchar_t dataBuffer[FILENAME_MAX] = BASEPATH; data = dataBuffer; if(globalReturnsTrueOrFalse()) { { /* Append input from an environment variable to data */ size_t dataLen = wcslen(data); wchar_t * environment = GETENV(ENV_VARIABLE); /* If there is data in the environment variable */ if (environment != NULL) { /* POTENTIAL FLAW: Read data from an environment variable */ wcsncat(data+dataLen, environment, FILENAME_MAX-dataLen-1); } } } else { /* FIX: Use a fixed file name */ wcscat(data, L"file.txt"); } { HANDLE hFile; /* POTENTIAL FLAW: Possibly creating and opening a file without validating the file name or path */ hFile = CreateFileW(data, (GENERIC_WRITE|GENERIC_READ), 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); if (hFile != INVALID_HANDLE_VALUE) { CloseHandle(hFile); } } }
/* goodB2G2() - use badsource and goodsink by reversing the blocks in the second if */ static void goodB2G2() { wchar_t * data; wchar_t dataBuffer[100] = L""; data = dataBuffer; if(staticReturnsTrue()) { { /* Append input from an environment variable to data */ size_t dataLen = wcslen(data); wchar_t * environment = GETENV(ENV_VARIABLE); /* If there is data in the environment variable */ if (environment != NULL) { /* POTENTIAL FLAW: Read data from an environment variable */ wcsncat(data+dataLen, environment, 100-dataLen-1); } } } if(staticReturnsTrue()) { { int i, n, intVariable; if (swscanf(data, L"%d", &n) == 1) { /* FIX: limit loop iteration counts */ if (n < MAX_LOOP) { intVariable = 0; for (i = 0; i < n; i++) { /* INCIDENTAL: CWE 561: Dead Code - non-avoidable if n <= 0 */ intVariable++; /* avoid a dead/empty code block issue */ } printIntLine(intVariable); } } } } }
void bad() { wchar_t * data; wchar_t * &dataRef = data; wchar_t dataBuffer[100] = L""; data = dataBuffer; { /* Append input from an environment variable to data */ size_t dataLen = wcslen(data); wchar_t * environment = GETENV(ENV_VARIABLE); /* If there is data in the environment variable */ if (environment != NULL) { /* POTENTIAL FLAW: Read data from an environment variable */ wcsncat(data+dataLen, environment, 100-dataLen-1); } } { wchar_t * data = dataRef; badVaSink(data, data); } }
void bad() { wchar_t * data; wchar_t * &dataRef = data; wchar_t dataBuffer[100]; data = dataBuffer; /* FLAW: Do not initialize data */ ; /* empty statement needed for some flow variants */ { wchar_t * data = dataRef; { size_t sourceLen; wchar_t source[100]; wmemset(source, L'C', 100-1); /* fill with L'C's */ source[100-1] = L'\0'; /* null terminate */ sourceLen = wcslen(source); /* POTENTIAL FLAW: If data is not initialized properly, wcsncat() may not function correctly */ wcsncat(data, source, sourceLen); printWLine(data); } } }
static void goodB2G() { wchar_t * data; vector<wchar_t *> dataVector; wchar_t dataBuffer[100] = L""; data = dataBuffer; { /* Append input from an environment variable to data */ size_t dataLen = wcslen(data); wchar_t * environment = GETENV(ENV_VARIABLE); /* If there is data in the environment variable */ if (environment != NULL) { /* POTENTIAL FLAW: Read data from an environment variable */ wcsncat(data+dataLen, environment, 100-dataLen-1); } } dataVector.insert(dataVector.end(), 1, data); dataVector.insert(dataVector.end(), 1, data); dataVector.insert(dataVector.end(), 1, data); goodB2GSink(dataVector); }
BOOL PrintfDosPath(__in LPCTSTR lpwzNtFullPath,__out LPCTSTR lpwzDosFullPath) { char cDrive = 'A'; for (int i=0;i<26;i++) { memset((WCHAR *)lpwzDosFullPath,0,sizeof(lpwzDosFullPath)); swprintf( (WCHAR *)lpwzDosFullPath, L"%c:%s", cDrive+i, lpwzNtFullPath ); if (GetFileAttributesW((WCHAR *)lpwzDosFullPath) != INVALID_FILE_ATTRIBUTES) { return TRUE; } } memset((WCHAR *)lpwzDosFullPath,0,sizeof(lpwzDosFullPath)); wcsncat((WCHAR *)lpwzDosFullPath,lpwzNtFullPath,wcslen(lpwzNtFullPath)); return FALSE; }
/* goodG2B() uses the GoodSource with the BadSink */ static void goodG2B() { wchar_t * data; CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_ncat_34_unionType myUnion; data = NULL; /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */ data = (wchar_t *)malloc(100*sizeof(wchar_t)); data[0] = L'\0'; /* null terminate */ myUnion.unionFirst = data; { wchar_t * data = myUnion.unionSecond; { wchar_t source[100]; wmemset(source, L'C', 100-1); /* fill with L'C's */ source[100-1] = L'\0'; /* null terminate */ /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */ wcsncat(data, source, 100); printWLine(data); free(data); } } }
/* goodG2B() uses the GoodSource with the BadSink */ static void goodG2B() { wchar_t * data; wchar_t * &dataRef = data; wchar_t dataBuffer[100]; data = dataBuffer; /* FIX: Properly initialize data */ data[0] = L'\0'; /* null terminate */ { wchar_t * data = dataRef; { size_t sourceLen; wchar_t source[100]; wmemset(source, L'C', 100-1); /* fill with L'C's */ source[100-1] = L'\0'; /* null terminate */ sourceLen = wcslen(source); /* POTENTIAL FLAW: If data is not initialized properly, wcsncat() may not function correctly */ wcsncat(data, source, sourceLen); printWLine(data); } } }
static void goodB2G() { wchar_t * data; map<int, wchar_t *> dataMap; wchar_t dataBuffer[100] = L""; data = dataBuffer; { /* Append input from an environment variable to data */ size_t dataLen = wcslen(data); wchar_t * environment = GETENV(ENV_VARIABLE); /* If there is data in the environment variable */ if (environment != NULL) { /* POTENTIAL FLAW: Read data from an environment variable */ wcsncat(data+dataLen, environment, 100-dataLen-1); } } dataMap[0] = data; dataMap[1] = data; dataMap[2] = data; goodB2GSink(dataMap); }
/* goodB2G1() - use badsource and goodsink by changing globalTrue to globalFalse */ static void goodB2G1() { wchar_t * data; data = (wchar_t *)malloc(100*sizeof(wchar_t)); data[0] = L'\0'; { /* Append input from an environment variable to data */ size_t dataLen = wcslen(data); wchar_t * environment = GETENV(ENV_VARIABLE); /* If there is data in the environment variable */ if (environment != NULL) { /* POTENTIAL FLAW: Read data from an environment variable */ wcsncat(data+dataLen, environment, 100-dataLen-1); } } if(globalFalse) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ printLine("Benign, fixed string"); } else { { size_t i; /* FIX: Use a loop variable to traverse through the string pointed to by data */ for (i=0; i < wcslen(data); i++) { if (data[i] == SEARCH_CHAR) { printLine("We have a match!"); break; } } free(data); } } }
void bad() { wchar_t * data; vector<wchar_t *> dataVector; wchar_t dataBuffer[FILENAME_MAX] = BASEPATH; data = dataBuffer; { /* Append input from an environment variable to data */ size_t dataLen = wcslen(data); wchar_t * environment = GETENV(ENV_VARIABLE); /* If there is data in the environment variable */ if (environment != NULL) { /* POTENTIAL FLAW: Read data from an environment variable */ wcsncat(data+dataLen, environment, FILENAME_MAX-dataLen-1); } } /* Put data in a vector */ dataVector.insert(dataVector.end(), 1, data); dataVector.insert(dataVector.end(), 1, data); dataVector.insert(dataVector.end(), 1, data); badSink(dataVector); }
void bad() { wchar_t * data; map<int, wchar_t *> dataMap; wchar_t dataBuffer[FILENAME_MAX] = BASEPATH; data = dataBuffer; { /* Append input from an environment variable to data */ size_t dataLen = wcslen(data); wchar_t * environment = GETENV(ENV_VARIABLE); /* If there is data in the environment variable */ if (environment != NULL) { /* POTENTIAL FLAW: Read data from an environment variable */ wcsncat(data+dataLen, environment, FILENAME_MAX-dataLen-1); } } /* Put data in a map */ dataMap[0] = data; dataMap[1] = data; dataMap[2] = data; badSink(dataMap); }
void CWE78_OS_Command_Injection__wchar_t_environment_w32_spawnlp_18_bad() { wchar_t * data; wchar_t dataBuffer[100] = L""; data = dataBuffer; goto source; source: { /* Append input from an environment variable to data */ size_t dataLen = wcslen(data); wchar_t * environment = GETENV(ENV_VARIABLE); /* If there is data in the environment variable */ if (environment != NULL) { /* POTENTIAL FLAW: Read data from an environment variable */ wcsncat(data+dataLen, environment, 100-dataLen-1); } } /* wspawnlp - searches for the location of the command among * the directories specified by the PATH environment variable */ /* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */ _wspawnlp(_P_WAIT, COMMAND_INT, COMMAND_INT, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL); }
void CWE134_Uncontrolled_Format_String__wchar_t_environment_printf_18_bad() { wchar_t * data; wchar_t dataBuffer[100] = L""; data = dataBuffer; goto source; source: { /* Append input from an environment variable to data */ size_t dataLen = wcslen(data); wchar_t * environment = GETENV(ENV_VARIABLE); /* If there is data in the environment variable */ if (environment != NULL) { /* POTENTIAL FLAW: Read data from an environment variable */ wcsncat(data+dataLen, environment, 100-dataLen-1); } } goto sink; sink: /* POTENTIAL FLAW: Do not specify the format allowing a possible format string vulnerability */ wprintf(data); }
void bad() { wchar_t * data; list<wchar_t *> dataList; wchar_t dataBuffer[100] = L""; data = dataBuffer; { /* Append input from an environment variable to data */ size_t dataLen = wcslen(data); wchar_t * environment = GETENV(ENV_VARIABLE); /* If there is data in the environment variable */ if (environment != NULL) { /* POTENTIAL FLAW: Read data from an environment variable */ wcsncat(data+dataLen, environment, 100-dataLen-1); } } /* Put data in a list */ dataList.push_back(data); dataList.push_back(data); dataList.push_back(data); badSink(dataList); }
void CWE78_OS_Command_Injection__wchar_t_environment_execl_08_bad() { wchar_t * data; wchar_t dataBuffer[100] = L""; data = dataBuffer; if(staticReturnsTrue()) { { /* Append input from an environment variable to data */ size_t dataLen = wcslen(data); wchar_t * environment = GETENV(ENV_VARIABLE); /* If there is data in the environment variable */ if (environment != NULL) { /* POTENTIAL FLAW: Read data from an environment variable */ wcsncat(data+dataLen, environment, 100-dataLen-1); } } } /* wexecl - specify the path where the command is located */ /* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */ EXECL(COMMAND_INT_PATH, COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL); }
/* goodB2G() - use badsource and goodsink by reversing the blocks on the second goto statement */ static void goodB2G() { wchar_t * data; wchar_t dataBuffer[100] = L""; data = dataBuffer; goto source; source: { /* Append input from an environment variable to data */ size_t dataLen = wcslen(data); wchar_t * environment = GETENV(ENV_VARIABLE); /* If there is data in the environment variable */ if (environment != NULL) { /* POTENTIAL FLAW: Read data from an environment variable */ wcsncat(data+dataLen, environment, 100-dataLen-1); } } goto sink; sink: /* FIX: Specify the format disallowing a format string vulnerability */ wprintf(L"%s\n", data); }
void CWE427_Uncontrolled_Search_Path_Element__wchar_t_environment_17_bad() { int i; wchar_t * data; wchar_t dataBuffer[250] = L"PATH="; data = dataBuffer; for(i = 0; i < 1; i++) { { /* Append input from an environment variable to data */ size_t dataLen = wcslen(data); wchar_t * environment = GETENV(ENV_VARIABLE); /* If there is data in the environment variable */ if (environment != NULL) { /* POTENTIAL FLAW: Read data from an environment variable */ wcsncat(data+dataLen, environment, 250-dataLen-1); } } } /* POTENTIAL FLAW: Set a new environment variable with a path that is possibly insecure */ PUTENV(data); }
void bad() { wchar_t * data; unionType myUnion; wchar_t dataBuffer[FILENAME_MAX] = BASEPATH; data = dataBuffer; { /* Append input from an environment variable to data */ size_t dataLen = wcslen(data); wchar_t * environment = GETENV(ENV_VARIABLE); /* If there is data in the environment variable */ if (environment != NULL) { /* POTENTIAL FLAW: Read data from an environment variable */ wcsncat(data+dataLen, environment, FILENAME_MAX-dataLen-1); } } myUnion.unionFirst = data; { wchar_t * data = myUnion.unionSecond; { HANDLE hFile; /* POTENTIAL FLAW: Possibly creating and opening a file without validating the file name or path */ hFile = CreateFileW(data, (GENERIC_WRITE|GENERIC_READ), 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); if (hFile != INVALID_HANDLE_VALUE) { CloseHandle(hFile); } } } }
void CWE606_Unchecked_Loop_Condition__wchar_t_environment_08_bad() { wchar_t * data; wchar_t dataBuffer[100] = L""; data = dataBuffer; if(staticReturnsTrue()) { { /* Append input from an environment variable to data */ size_t dataLen = wcslen(data); wchar_t * environment = GETENV(ENV_VARIABLE); /* If there is data in the environment variable */ if (environment != NULL) { /* POTENTIAL FLAW: Read data from an environment variable */ wcsncat(data+dataLen, environment, 100-dataLen-1); } } } if(staticReturnsTrue()) { { int i, n, intVariable; if (swscanf(data, L"%d", &n) == 1) { /* POTENTIAL FLAW: user-supplied value 'n' could lead to very large loop iteration */ intVariable = 0; for (i = 0; i < n; i++) { /* INCIDENTAL: CWE 561: Dead Code - non-avoidable if n <= 0 */ intVariable++; /* avoid a dead/empty code block issue */ } printIntLine(intVariable); } } } }
/* goodG2B1() - use goodsource and badsink by changing the staticReturnsTrue() to staticReturnsFalse() */ static void goodG2B1() { wchar_t * data; wchar_t dataBuffer[100]; data = dataBuffer; if(staticReturnsFalse()) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ printLine("Benign, fixed string"); } else { /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */ wmemset(data, L'A', 50-1); /* fill with L'A's */ data[50-1] = L'\0'; /* null terminate */ } { wchar_t dest[50] = L""; /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-wcslen(dest)*/ wcsncat(dest, data, wcslen(data)); dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */ printWLine(data); } }
void CWE78_OS_Command_Injection__wchar_t_environment_w32spawnl_17_bad() { int i; wchar_t * data; wchar_t dataBuffer[100] = L""; data = dataBuffer; for(i = 0; i < 1; i++) { { /* Append input from an environment variable to data */ size_t dataLen = wcslen(data); wchar_t * environment = GETENV(ENV_VARIABLE); /* If there is data in the environment variable */ if (environment != NULL) { /* POTENTIAL FLAW: Read data from an environment variable */ wcsncat(data+dataLen, environment, 100-dataLen-1); } } } /* wspawnl - specify the path where the command is located */ /* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */ _wspawnl(_P_WAIT, COMMAND_INT_PATH, COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL); }