void CWE78_OS_Command_Injection__wchar_t_environment_w32_spawnv_13_bad()
{
wchar_t * data;
wchar_t dataBuffer[100] = L"";
data = dataBuffer;
if(GLOBAL_CONST_FIVE==5)
{
{
/* Append input from an environment variable to data */
size_t dataLen = wcslen(data);
wchar_t * environment = GETENV(ENV_VARIABLE);
/* If there is data in the environment variable */
if (environment != NULL)
{
/* POTENTIAL FLAW: Read data from an environment variable */
wcsncat(data+dataLen, environment, 100-dataLen-1);
}
}
}
{
wchar_t *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL};
/* wspawnv - specify the path where the command is located */
/* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */
_wspawnv(_P_WAIT, COMMAND_INT_PATH, args);
}
}
void CWE78_OS_Command_Injection__wchar_t_environment_w32_spawnv_12_bad()
{
wchar_t * data;
wchar_t dataBuffer[100] = L"";
data = dataBuffer;
if(globalReturnsTrueOrFalse())
{
{
/* Append input from an environment variable to data */
size_t dataLen = wcslen(data);
wchar_t * environment = GETENV(ENV_VARIABLE);
/* If there is data in the environment variable */
if (environment != NULL)
{
/* POTENTIAL FLAW: Read data from an environment variable */
wcsncat(data+dataLen, environment, 100-dataLen-1);
}
}
}
else
{
/* FIX: Append a fixed string to data (not user / external input) */
wcscat(data, L"*.*");
}
{
wchar_t *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL};
/* wspawnv - specify the path where the command is located */
/* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */
_wspawnv(_P_WAIT, COMMAND_INT_PATH, args);
}
}
void CWE78_OS_Command_Injection__wchar_t_connect_socket_w32_spawnv_65b_badSink(wchar_t * data)
{
{
wchar_t *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL};
/* wspawnv - specify the path where the command is located */
/* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */
_wspawnv(_P_WAIT, COMMAND_INT_PATH, args);
}
}
void CWE78_OS_Command_Injection__wchar_t_file_w32_spawnv_81_goodG2B::action(wchar_t * data) const
{
{
wchar_t *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL};
/* wspawnv - specify the path where the command is located */
/* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */
_wspawnv(_P_WAIT, COMMAND_INT_PATH, args);
}
}
/* goodG2B uses the GoodSource with the BadSink */
void goodG2BSink(vector<wchar_t *> dataVector)
{
wchar_t * data = dataVector[2];
{
wchar_t *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL};
/* wspawnv - specify the path where the command is located */
/* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */
_wspawnv(_P_WAIT, COMMAND_INT_PATH, args);
}
}
void CWE78_OS_Command_Injection__wchar_t_file_w32_spawnv_66b_badSink(wchar_t * dataArray[])
{
/* copy data out of dataArray */
wchar_t * data = dataArray[2];
{
wchar_t *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL};
/* wspawnv - specify the path where the command is located */
/* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */
_wspawnv(_P_WAIT, COMMAND_INT_PATH, args);
}
}
static void goodG2B()
{
wchar_t * data;
wchar_t dataBuffer[100] = L"";
data = dataBuffer;
goodG2BSource(data);
{
wchar_t *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL};
/* wspawnv - specify the path where the command is located */
/* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */
_wspawnv(_P_WAIT, COMMAND_INT_PATH, args);
}
}
void CWE78_OS_Command_Injection__wchar_t_environment_w32_spawnv_42_bad()
{
wchar_t * data;
wchar_t dataBuffer[100] = L"";
data = dataBuffer;
data = badSource(data);
{
wchar_t *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL};
/* wspawnv - specify the path where the command is located */
/* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */
_wspawnv(_P_WAIT, COMMAND_INT_PATH, args);
}
}
/* goodG2B uses the GoodSource with the BadSink */
static void goodG2B()
{
wchar_t * data;
wchar_t dataBuffer[100] = L"";
data = dataBuffer;
/* FIX: Append a fixed string to data (not user / external input) */
wcscat(data, L"*.*");
{
wchar_t *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL};
/* wspawnv - specify the path where the command is located */
/* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */
_wspawnv(_P_WAIT, COMMAND_INT_PATH, args);
}
}
/* goodG2B() uses the GoodSource with the BadSink */
static void goodG2B()
{
wchar_t * data;
CWE78_OS_Command_Injection__wchar_t_file_w32_spawnv_34_unionType myUnion;
wchar_t dataBuffer[100] = L"";
data = dataBuffer;
/* FIX: Append a fixed string to data (not user / external input) */
wcscat(data, L"*.*");
myUnion.unionFirst = data;
{
wchar_t * data = myUnion.unionSecond;
{
wchar_t *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL};
/* wspawnv - specify the path where the command is located */
/* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */
_wspawnv(_P_WAIT, COMMAND_INT_PATH, args);
}
}
}
void CWE78_OS_Command_Injection__wchar_t_console_w32_spawnv_34_bad()
{
wchar_t * data;
CWE78_OS_Command_Injection__wchar_t_console_w32_spawnv_34_unionType myUnion;
wchar_t dataBuffer[100] = L"";
data = dataBuffer;
{
/* Read input from the console */
size_t dataLen = wcslen(data);
/* if there is room in data, read into it from the console */
if (100-dataLen > 1)
{
/* POTENTIAL FLAW: Read data from the console */
if (fgetws(data+dataLen, (int)(100-dataLen), stdin) != NULL)
{
/* The next few lines remove the carriage return from the string that is
* inserted by fgetws() */
dataLen = wcslen(data);
if (dataLen > 0 && data[dataLen-1] == L'\n')
{
data[dataLen-1] = L'\0';
}
}
else
{
printLine("fgetws() failed");
/* Restore NUL terminator if fgetws fails */
data[dataLen] = L'\0';
}
}
}
myUnion.unionFirst = data;
{
wchar_t * data = myUnion.unionSecond;
{
wchar_t *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL};
/* wspawnv - specify the path where the command is located */
/* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */
_wspawnv(_P_WAIT, COMMAND_INT_PATH, args);
}
}
}
void CWE78_OS_Command_Injection__wchar_t_file_w32_spawnv_12_bad()
{
wchar_t * data;
wchar_t dataBuffer[100] = L"";
data = dataBuffer;
if(globalReturnsTrueOrFalse())
{
{
/* Read input from a file */
size_t dataLen = wcslen(data);
FILE * pFile;
/* if there is room in data, attempt to read the input from a file */
if (100-dataLen > 1)
{
pFile = fopen(FILENAME, "r");
if (pFile != NULL)
{
/* POTENTIAL FLAW: Read data from a file */
if (fgetws(data+dataLen, (int)(100-dataLen), pFile) == NULL)
{
printLine("fgetws() failed");
/* Restore NUL terminator if fgetws fails */
data[dataLen] = L'\0';
}
fclose(pFile);
}
}
}
}
else
{
/* FIX: Append a fixed string to data (not user / external input) */
wcscat(data, L"*.*");
}
{
wchar_t *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL};
/* wspawnv - specify the path where the command is located */
/* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */
_wspawnv(_P_WAIT, COMMAND_INT_PATH, args);
}
}
/* goodG2B1() - use goodsource and badsink by changing the 5==5 to 5!=5 */
static void goodG2B1()
{
wchar_t * data;
wchar_t dataBuffer[100] = L"";
data = dataBuffer;
if(5!=5)
{
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
printLine("Benign, fixed string");
}
else
{
/* FIX: Append a fixed string to data (not user / external input) */
wcscat(data, L"*.*");
}
{
wchar_t *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL};
/* wspawnv - specify the path where the command is located */
/* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */
_wspawnv(_P_WAIT, COMMAND_INT_PATH, args);
}
}
void CWE78_OS_Command_Injection__wchar_t_file_w32_spawnv_34_bad()
{
wchar_t * data;
CWE78_OS_Command_Injection__wchar_t_file_w32_spawnv_34_unionType myUnion;
wchar_t dataBuffer[100] = L"";
data = dataBuffer;
{
/* Read input from a file */
size_t dataLen = wcslen(data);
FILE * pFile;
/* if there is room in data, attempt to read the input from a file */
if (100-dataLen > 1)
{
pFile = fopen(FILENAME, "r");
if (pFile != NULL)
{
/* POTENTIAL FLAW: Read data from a file */
if (fgetws(data+dataLen, (int)(100-dataLen), pFile) == NULL)
{
printLine("fgetws() failed");
/* Restore NUL terminator if fgetws fails */
data[dataLen] = L'\0';
}
fclose(pFile);
}
}
}
myUnion.unionFirst = data;
{
wchar_t * data = myUnion.unionSecond;
{
wchar_t *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL};
/* wspawnv - specify the path where the command is located */
/* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */
_wspawnv(_P_WAIT, COMMAND_INT_PATH, args);
}
}
}
int wmain(int argc, wchar_t *argv[])
{
WCHAR path[MAX_PATH];
if (argc > 1 && !wcscmp(argv[1], L"-exec"))
{
WCHAR ** newArgs = new WCHAR*[argc+2];
newArgs[0] = argv[2];
DBG("\nPASS2: now run %ws\n", newArgs[0]);
int j=0;
for(int a=2; a < argc; a++)
{
DBG("\tArg[%d]: %ws\n", j, argv[a]);
newArgs[j++] = CheckArg(argv[a]);
}
newArgs[j] = 0;
int sts = _wspawnv(_P_OVERLAY, newArgs[0], newArgs);
return(sts);
//fprintf(stderr, "ERROR: failed to start %ws\n", newArgs[0]);
//return(1);
}
HMODULE hMod = GetModuleHandle(0);
GetModuleFileName(hMod, path,sizeof(path)-1);
HANDLE handle = CreateFile( path, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
DBG("CALLING EXEWRAP %ws - %ws\n", argv[0], path);
BY_HANDLE_FILE_INFORMATION bhf;
if (GetFileInformationByHandle(handle, &bhf))
{
WCHAR redPath[2*MAX_PATH+8];
DWORD bytesRead;
DWORD offset = bhf.nFileSizeLow - sizeof(redPath);
SetFilePointer(handle, offset, NULL, FILE_BEGIN);
ReadFile(handle, redPath, sizeof(redPath), &bytesRead, NULL);
WCHAR *p = redPath;
if (!memcmp(p, L"ABCD", sizeof(WCHAR)*4))
{
WCHAR *procName = p+4;
WCHAR *wrapperPath = p+8+MAX_PATH;
DBG("WRAP %ws, wrapper=%ws\n", procName, wrapperPath);
WCHAR ** newArgs = new WCHAR*[argc+4];
newArgs[0] = wrapperPath;
newArgs[1] = (wchar_t*) L"-exec";
newArgs[2] = procName;
int j=3;
for(int a=1; a < argc; a++)
{
DBG("\tArg[%d]: %ws\n", j, argv[a]);
newArgs[j++] = CheckArg(argv[a]);
}
newArgs[j] = 0;
DBG("RERUN %ws -exec %ws\n", wrapperPath, procName);
int sts = _wspawnv(_P_OVERLAY, newArgs[0], newArgs);
return(sts);
//fprintf(stderr, "ERROR: failed to wrap %ws\n", wrapperPath);
//return(1);
#if 0
//_wexecv((const wchar_t*) argv[0], (const wchar_t* const*)argv);
PROCESS_INFORMATION pi;
STARTUPINFO si;
bool bOK = CreateProcess(
0,
procName,
0,
0,
FALSE,
0, // CREATE_SUSPENDED | CREATE_NEW_CONSOLE,
0,
0,
&si,
&pi);
if (!bOK)
printf("FAILED to create proc: %ws\n", procName);
else
printf("started proc: %ws\n", procName);
#endif
}
}
//printf("IN=%s, PROG=%s, myPID=%d\n", argv[0], prog, getpid());
//argv[0] = prog;
//spawnv(_P_WAIT, argv[0], argv);
//printf("failed to exec %s\n", argv[0]);
return(0);
}
void CWE78_OS_Command_Injection__wchar_t_connect_socket_w32_spawnv_15_bad()
{
wchar_t * data;
wchar_t dataBuffer[100] = L"";
data = dataBuffer;
switch(6)
{
case 6:
{
#ifdef _WIN32
WSADATA wsaData;
int wsaDataInit = 0;
#endif
int recvResult;
struct sockaddr_in service;
wchar_t *replace;
SOCKET connectSocket = INVALID_SOCKET;
size_t dataLen = wcslen(data);
do
{
#ifdef _WIN32
if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)
{
break;
}
wsaDataInit = 1;
#endif
/* POTENTIAL FLAW: Read data using a connect socket */
connectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (connectSocket == INVALID_SOCKET)
{
break;
}
memset(&service, 0, sizeof(service));
service.sin_family = AF_INET;
service.sin_addr.s_addr = inet_addr(IP_ADDRESS);
service.sin_port = htons(TCP_PORT);
if (connect(connectSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)
{
break;
}
/* Abort on error or the connection was closed, make sure to recv one
* less char than is in the recv_buf in order to append a terminator */
/* Abort on error or the connection was closed */
recvResult = recv(connectSocket, (char *)(data + dataLen), sizeof(wchar_t) * (100 - dataLen - 1), 0);
if (recvResult == SOCKET_ERROR || recvResult == 0)
{
break;
}
/* Append null terminator */
data[dataLen + recvResult / sizeof(wchar_t)] = L'\0';
/* Eliminate CRLF */
replace = wcschr(data, L'\r');
if (replace)
{
*replace = L'\0';
}
replace = wcschr(data, L'\n');
if (replace)
{
*replace = L'\0';
}
}
while (0);
if (connectSocket != INVALID_SOCKET)
{
CLOSE_SOCKET(connectSocket);
}
#ifdef _WIN32
if (wsaDataInit)
{
WSACleanup();
}
#endif
}
break;
default:
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
printLine("Benign, fixed string");
break;
}
{
wchar_t *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL};
/* wspawnv - specify the path where the command is located */
/* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */
_wspawnv(_P_WAIT, COMMAND_INT_PATH, args);
}
}
void CWE78_OS_Command_Injection__wchar_t_listen_socket_w32_spawnv_31_bad()
{
wchar_t * data;
wchar_t dataBuffer[100] = L"";
data = dataBuffer;
{
#ifdef _WIN32
WSADATA wsaData;
int wsaDataInit = 0;
#endif
int recvResult;
struct sockaddr_in service;
wchar_t *replace;
SOCKET listenSocket = INVALID_SOCKET;
SOCKET acceptSocket = INVALID_SOCKET;
size_t dataLen = wcslen(data);
do
{
#ifdef _WIN32
if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)
{
break;
}
wsaDataInit = 1;
#endif
/* POTENTIAL FLAW: Read data using a listen socket */
listenSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (listenSocket == INVALID_SOCKET)
{
break;
}
memset(&service, 0, sizeof(service));
service.sin_family = AF_INET;
service.sin_addr.s_addr = INADDR_ANY;
service.sin_port = htons(TCP_PORT);
if (bind(listenSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)
{
break;
}
if (listen(listenSocket, LISTEN_BACKLOG) == SOCKET_ERROR)
{
break;
}
acceptSocket = accept(listenSocket, NULL, NULL);
if (acceptSocket == SOCKET_ERROR)
{
break;
}
/* Abort on error or the connection was closed */
recvResult = recv(acceptSocket, (char *)(data + dataLen), sizeof(wchar_t) * (100 - dataLen - 1), 0);
if (recvResult == SOCKET_ERROR || recvResult == 0)
{
break;
}
/* Append null terminator */
data[dataLen + recvResult / sizeof(wchar_t)] = L'\0';
/* Eliminate CRLF */
replace = wcschr(data, L'\r');
if (replace)
{
*replace = L'\0';
}
replace = wcschr(data, L'\n');
if (replace)
{
*replace = L'\0';
}
}
while (0);
if (listenSocket != INVALID_SOCKET)
{
CLOSE_SOCKET(listenSocket);
}
if (acceptSocket != INVALID_SOCKET)
{
CLOSE_SOCKET(acceptSocket);
}
#ifdef _WIN32
if (wsaDataInit)
{
WSACleanup();
}
#endif
}
{
wchar_t * dataCopy = data;
wchar_t * data = dataCopy;
{
wchar_t *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL};
/* wspawnv - specify the path where the command is located */
/* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */
_wspawnv(_P_WAIT, COMMAND_INT_PATH, args);
}
}
}