/* goodG2B uses the GoodSource with the BadSink */ void goodG2BSink(map<int, char *> dataMap) { char * data = dataMap[2]; { char *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL}; /* execvp - searches for the location of the command among * the directories specified by the PATH environment variable */ /* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */ EXECVP(COMMAND_INT, args); } }
/* goodG2B() uses the GoodSource with the BadSink */ static void goodG2BSink() { char * data = CWE78_OS_Command_Injection__char_console_w32_execvp_45_goodG2BData; { char *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL}; /* execvp - searches for the location of the command among * the directories specified by the PATH environment variable */ /* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */ EXECVP(COMMAND_INT, args); } }
/* goodG2B uses the GoodSource with the BadSink */ void goodG2BSink(list<wchar_t *> dataList) { wchar_t * data = dataList.back(); { wchar_t *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL}; /* wexecvp - searches for the location of the command among * the directories specified by the PATH environment variable */ /* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */ EXECVP(COMMAND_INT, args); } }
void CWE78_OS_Command_Injection__wchar_t_file_w32_execvp_66b_badSink(wchar_t * dataArray[]) { /* copy data out of dataArray */ wchar_t * data = dataArray[2]; { wchar_t *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL}; /* wexecvp - searches for the location of the command among * the directories specified by the PATH environment variable */ /* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */ EXECVP(COMMAND_INT, args); } }
static void goodG2B() { wchar_t * data; wchar_t dataBuffer[100] = L""; data = dataBuffer; data = CWE78_OS_Command_Injection__wchar_t_console_w32_execvp_61b_goodG2BSource(data); { wchar_t *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL}; /* wexecvp - searches for the location of the command among * the directories specified by the PATH environment variable */ /* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */ EXECVP(COMMAND_INT, args); } }
/* goodG2B uses the GoodSource with the BadSink */ static void goodG2B() { char * data; char dataBuffer[100] = ""; data = dataBuffer; data = goodG2BSource(data); { char *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL}; /* execvp - searches for the location of the command among * the directories specified by the PATH environment variable */ /* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */ EXECVP(COMMAND_INT, args); } }
void CWE78_OS_Command_Injection__char_listen_socket_w32_execvp_42_bad() { char * data; char dataBuffer[100] = ""; data = dataBuffer; data = badSource(data); { char *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL}; /* execvp - searches for the location of the command among * the directories specified by the PATH environment variable */ /* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */ EXECVP(COMMAND_INT, args); } }
/* goodG2B uses the GoodSource with the BadSink */ void CWE78_OS_Command_Injection__wchar_t_listen_socket_w32_execvp_64b_goodG2BSink(void * dataVoidPtr) { /* cast void pointer to a pointer of the appropriate type */ wchar_t * * dataPtr = (wchar_t * *)dataVoidPtr; /* dereference dataPtr into data */ wchar_t * data = (*dataPtr); { wchar_t *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL}; /* wexecvp - searches for the location of the command among * the directories specified by the PATH environment variable */ /* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */ EXECVP(COMMAND_INT, args); } }
/* goodG2B uses the GoodSource with the BadSink */ static void goodG2B() { char * data; char dataBuffer[100] = ""; data = dataBuffer; /* FIX: Append a fixed string to data (not user / external input) */ strcat(data, "*.*"); { char *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL}; /* execvp - searches for the location of the command among * the directories specified by the PATH environment variable */ /* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */ EXECVP(COMMAND_INT, args); } }
/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */ static void goodG2B2() { wchar_t * data; wchar_t dataBuffer[100] = L""; data = dataBuffer; if(GLOBAL_CONST_TRUE) { /* FIX: Append a fixed string to data (not user / external input) */ wcscat(data, L"*.*"); } { wchar_t *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL}; /* wexecvp - searches for the location of the command among * the directories specified by the PATH environment variable */ /* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */ EXECVP(COMMAND_INT, args); } }
void CWE78_OS_Command_Injection__char_console_w32_execvp_17_bad() { int i; char * data; char dataBuffer[100] = ""; data = dataBuffer; for(i = 0; i < 1; i++) { { /* Read input from the console */ size_t dataLen = strlen(data); /* if there is room in data, read into it from the console */ if (100-dataLen > 1) { /* POTENTIAL FLAW: Read data from the console */ if (fgets(data+dataLen, (int)(100-dataLen), stdin) != NULL) { /* The next few lines remove the carriage return from the string that is * inserted by fgets() */ dataLen = strlen(data); if (dataLen > 0 && data[dataLen-1] == '\n') { data[dataLen-1] = '\0'; } } else { printLine("fgets() failed"); /* Restore NUL terminator if fgets fails */ data[dataLen] = '\0'; } } } } { char *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL}; /* execvp - searches for the location of the command among * the directories specified by the PATH environment variable */ /* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */ EXECVP(COMMAND_INT, args); } }
void CWE78_OS_Command_Injection__char_file_w32_execvp_12_bad() { char * data; char dataBuffer[100] = ""; data = dataBuffer; if(globalReturnsTrueOrFalse()) { { /* Read input from a file */ size_t dataLen = strlen(data); FILE * pFile; /* if there is room in data, attempt to read the input from a file */ if (100-dataLen > 1) { pFile = fopen(FILENAME, "r"); if (pFile != NULL) { /* POTENTIAL FLAW: Read data from a file */ if (fgets(data+dataLen, (int)(100-dataLen), pFile) == NULL) { printLine("fgets() failed"); /* Restore NUL terminator if fgets fails */ data[dataLen] = '\0'; } fclose(pFile); } } } } else { /* FIX: Append a fixed string to data (not user / external input) */ strcat(data, "*.*"); } { char *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL}; /* execvp - searches for the location of the command among * the directories specified by the PATH environment variable */ /* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */ EXECVP(COMMAND_INT, args); } }
/* goodG2B() uses the GoodSource with the BadSink */ static void goodG2B() { char * data; CWE78_OS_Command_Injection__char_listen_socket_w32_execvp_34_unionType myUnion; char dataBuffer[100] = ""; data = dataBuffer; /* FIX: Append a fixed string to data (not user / external input) */ strcat(data, "*.*"); myUnion.unionFirst = data; { char * data = myUnion.unionSecond; { char *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL}; /* execvp - searches for the location of the command among * the directories specified by the PATH environment variable */ /* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */ EXECVP(COMMAND_INT, args); } } }
std::string ExecuteProcess(const std::string& file, std::vector<std::string> args) { std::string execError = ""; // "The first argument, by convention, should point to // the filename associated with the file being executed." args.insert(args.begin(), Quote(file)); char** processArgs = new char*[args.size() + 1]; for (size_t a = 0; a < args.size(); ++a) { const std::string& arg = args.at(a); const size_t arg_size = arg.length() + 1; processArgs[a] = new char[arg_size]; STRCPY_T(processArgs[a], arg_size, arg.c_str()); } // "The array of pointers must be terminated by a NULL pointer." processArgs[args.size()] = NULL; { // Execute #ifdef WIN32 #define EXECVP _execvp #else #define EXECVP execvp #endif const int ret = EXECVP(file.c_str(), processArgs); if (ret == -1) { execError = strerror(errno); } } for (size_t a = 0; a < args.size(); ++a) { delete[] processArgs[a]; } delete[] processArgs; return execError; }
void CWE78_OS_Command_Injection__wchar_t_file_w32_execvp_17_bad() { int i; wchar_t * data; wchar_t dataBuffer[100] = L""; data = dataBuffer; for(i = 0; i < 1; i++) { { /* Read input from a file */ size_t dataLen = wcslen(data); FILE * pFile; /* if there is room in data, attempt to read the input from a file */ if (100-dataLen > 1) { pFile = fopen(FILENAME, "r"); if (pFile != NULL) { /* POTENTIAL FLAW: Read data from a file */ if (fgetws(data+dataLen, (int)(100-dataLen), pFile) == NULL) { printLine("fgetws() failed"); /* Restore NUL terminator if fgetws fails */ data[dataLen] = L'\0'; } fclose(pFile); } } } } { wchar_t *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL}; /* wexecvp - searches for the location of the command among * the directories specified by the PATH environment variable */ /* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */ EXECVP(COMMAND_INT, args); } }
std::string ExecuteProcess(const std::string& file, std::vector<std::string> args) { // "The first argument, by convention, should point to // the filename associated with the file being executed." // NOTE: // spaces in the first argument or quoted file paths // are not supported on Windows, so translate <file> // to a short path there args.insert(args.begin(), GetShortFileName(file)); // "The array of pointers must be terminated by a NULL pointer." // --> include one extra argument string and leave it NULL std::vector<char*> processArgs(args.size() + 1, NULL); std::string execError; for (size_t a = 0; a < args.size(); ++a) { const std::string& arg = args[a]; const size_t argSize = arg.length() + 1; STRCPY_T(processArgs[a] = new char[argSize], argSize, arg.c_str()); } #ifdef WIN32 #define EXECVP _execvp #else #define EXECVP execvp #endif if (EXECVP(args[0].c_str(), &processArgs[0]) == -1) { LOG("[%s] error: \"%s\" %s (%d)", __FUNCTION__, args[0].c_str(), (execError = strerror(errno)).c_str(), errno); } #undef EXECVP for (size_t a = 0; a < args.size(); ++a) { delete[] processArgs[a]; } return execError; }
/* goodG2B1() - use goodsource and badsink by changing the globalReturnsTrue() to globalReturnsFalse() */ static void goodG2B1() { wchar_t * data; wchar_t dataBuffer[100] = L""; data = dataBuffer; if(globalReturnsFalse()) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ printLine("Benign, fixed string"); } else { /* FIX: Append a fixed string to data (not user / external input) */ wcscat(data, L"*.*"); } { wchar_t *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL}; /* wexecvp - searches for the location of the command among * the directories specified by the PATH environment variable */ /* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */ EXECVP(COMMAND_INT, args); } }
/* goodG2B2() - use goodsource and badsink by reversing the blocks in the switch */ static void goodG2B2() { char * data; char dataBuffer[100] = ""; data = dataBuffer; switch(6) { case 6: /* FIX: Append a fixed string to data (not user / external input) */ strcat(data, "*.*"); break; default: /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ printLine("Benign, fixed string"); break; } { char *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL}; /* execvp - searches for the location of the command among * the directories specified by the PATH environment variable */ /* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */ EXECVP(COMMAND_INT, args); } }
void CWE78_OS_Command_Injection__char_environment_w32_execvp_01_bad() { char * data; char dataBuffer[100] = ""; data = dataBuffer; { /* Append input from an environment variable to data */ size_t dataLen = strlen(data); char * environment = GETENV(ENV_VARIABLE); /* If there is data in the environment variable */ if (environment != NULL) { /* POTENTIAL FLAW: Read data from an environment variable */ strncat(data+dataLen, environment, 100-dataLen-1); } } { char *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL}; /* execvp - searches for the location of the command among * the directories specified by the PATH environment variable */ /* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */ EXECVP(COMMAND_INT, args); } }
void CWE78_OS_Command_Injection__char_listen_socket_w32_execvp_34_bad() { char * data; CWE78_OS_Command_Injection__char_listen_socket_w32_execvp_34_unionType myUnion; char dataBuffer[100] = ""; data = dataBuffer; { #ifdef _WIN32 WSADATA wsaData; int wsaDataInit = 0; #endif int recvResult; struct sockaddr_in service; char *replace; SOCKET listenSocket = INVALID_SOCKET; SOCKET acceptSocket = INVALID_SOCKET; size_t dataLen = strlen(data); do { #ifdef _WIN32 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR) { break; } wsaDataInit = 1; #endif /* POTENTIAL FLAW: Read data using a listen socket */ listenSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (listenSocket == INVALID_SOCKET) { break; } memset(&service, 0, sizeof(service)); service.sin_family = AF_INET; service.sin_addr.s_addr = INADDR_ANY; service.sin_port = htons(TCP_PORT); if (bind(listenSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR) { break; } if (listen(listenSocket, LISTEN_BACKLOG) == SOCKET_ERROR) { break; } acceptSocket = accept(listenSocket, NULL, NULL); if (acceptSocket == SOCKET_ERROR) { break; } /* Abort on error or the connection was closed */ recvResult = recv(acceptSocket, (char *)(data + dataLen), sizeof(char) * (100 - dataLen - 1), 0); if (recvResult == SOCKET_ERROR || recvResult == 0) { break; } /* Append null terminator */ data[dataLen + recvResult / sizeof(char)] = '\0'; /* Eliminate CRLF */ replace = strchr(data, '\r'); if (replace) { *replace = '\0'; } replace = strchr(data, '\n'); if (replace) { *replace = '\0'; } } while (0); if (listenSocket != INVALID_SOCKET) { CLOSE_SOCKET(listenSocket); } if (acceptSocket != INVALID_SOCKET) { CLOSE_SOCKET(acceptSocket); } #ifdef _WIN32 if (wsaDataInit) { WSACleanup(); } #endif } myUnion.unionFirst = data; { char * data = myUnion.unionSecond; { char *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL}; /* execvp - searches for the location of the command among * the directories specified by the PATH environment variable */ /* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */ EXECVP(COMMAND_INT, args); } } }