void CWE427_Uncontrolled_Search_Path_Element__char_file_03_bad()
{
char * data;
char dataBuffer[250] = "PATH=";
data = dataBuffer;
if(5==5)
{
{
/* Read input from a file */
size_t dataLen = strlen(data);
FILE * pFile;
/* if there is room in data, attempt to read the input from a file */
if (250-dataLen > 1)
{
pFile = fopen(FILENAME, "r");
if (pFile != NULL)
{
/* POTENTIAL FLAW: Read data from a file */
if (fgets(data+dataLen, (int)(250-dataLen), pFile) == NULL)
{
printLine("fgets() failed");
/* Restore NUL terminator if fgets fails */
data[dataLen] = '\0';
}
fclose(pFile);
}
}
}
}
/* POTENTIAL FLAW: Set a new environment variable with a path that is possibly insecure */
PUTENV(data);
}
void badSink(vector<char *> dataVector)
{
/* copy data out of dataVector */
char * data = dataVector[2];
/* POTENTIAL FLAW: Set a new environment variable with a path that is possibly insecure */
PUTENV(data);
}
void badSink(map<int, wchar_t *> dataMap)
{
/* copy data out of dataMap */
wchar_t * data = dataMap[2];
/* POTENTIAL FLAW: Set a new environment variable with a path that is possibly insecure */
PUTENV(data);
}
void badSink(list<wchar_t *> dataList)
{
/* copy data out of dataList */
wchar_t * data = dataList.back();
/* POTENTIAL FLAW: Set a new environment variable with a path that is possibly insecure */
PUTENV(data);
}
void CWE427_Uncontrolled_Search_Path_Element__char_connect_socket_66b_badSink(char * dataArray[])
{
/* copy data out of dataArray */
char * data = dataArray[2];
/* POTENTIAL FLAW: Set a new environment variable with a path that is possibly insecure */
PUTENV(data);
}
void ProcessEnv::resetEnv(const char* envName)
{
if (!envName)
return;
Int32 i;
size_t nameLen=strlen(envName);
CollHeap *stmtHeap = CmpCommon::statementHeap();
NAList<Int32> deleteArray(stmtHeap, 16); // 16 should be more than enough
// find the env in existing env array
for (i=0; i < envs_.getSize(); i++)
{
if (envs_.used(i))
{
char* pTemp = strchr(envs_[i], '=');
if (pTemp) // found '='
{
Int32 envLen = (Int32)(pTemp - envs_[i]);
if (envLen == nameLen && strncmp(envName, envs_[i], nameLen) == 0 )
{ // found matching env var name
*(pTemp) = '\0';
PUTENV(envs_[i]);
NADELETEBASIC(envs_[i], heap_);
deleteArray.insert(i);
}
}
}
}
// remove from the env array
for (Int32 j = 0; j < deleteArray.entries(); j++) {
envs_.remove(deleteArray[j]);
}
}
/* goodG2B uses the GoodSource with the BadSink */
static void goodG2B()
{
wchar_t * data;
wchar_t dataBuffer[250] = L"PATH=";
data = dataBuffer;
data = goodG2BSource(data);
/* POTENTIAL FLAW: Set a new environment variable with a path that is possibly insecure */
PUTENV(data);
}
/* goodG2B uses the GoodSource with the BadSink */
void CWE427_Uncontrolled_Search_Path_Element__wchar_t_listen_socket_64b_goodG2BSink(void * dataVoidPtr)
{
/* cast void pointer to a pointer of the appropriate type */
wchar_t * * dataPtr = (wchar_t * *)dataVoidPtr;
/* dereference dataPtr into data */
wchar_t * data = (*dataPtr);
/* POTENTIAL FLAW: Set a new environment variable with a path that is possibly insecure */
PUTENV(data);
}
void CWE427_Uncontrolled_Search_Path_Element__wchar_t_environment_42_bad()
{
wchar_t * data;
wchar_t dataBuffer[250] = L"PATH=";
data = dataBuffer;
data = badSource(data);
/* POTENTIAL FLAW: Set a new environment variable with a path that is possibly insecure */
PUTENV(data);
}
static void goodG2B()
{
char * data;
char dataBuffer[250] = "PATH=";
data = dataBuffer;
data = CWE427_Uncontrolled_Search_Path_Element__char_listen_socket_61b_goodG2BSource(data);
/* POTENTIAL FLAW: Set a new environment variable with a path that is possibly insecure */
PUTENV(data);
}
void ProcessEnv::addOrChangeEnv(char **newenvs, Lng32 nEnvs)
{
Lng32 i,j;
for (i=0; i < nEnvs; i++)
{
char* pTemp = strchr(newenvs[i], '=');
if (pTemp)
{
NABoolean sameValue = FALSE;
Int32 envNameLen = pTemp - (newenvs[i]) + 1; // including '='
char* envName = new char[envNameLen+1];
strncpy(envName, newenvs[i], envNameLen);
envName[envNameLen] = '\0';
NABoolean envChanged = FALSE;
CollIndex entriesChecked = 0;
for (j=0; entriesChecked < envs_.entries(); j++)
{
if ( envs_.used(j) )
{
if (strcmp(newenvs[i], envs_[j]) == 0)
{
sameValue = TRUE;
break;
}
else if (strncmp(envName, envs_[j], envNameLen) == 0)
{
envChanged = TRUE;
break;
}
entriesChecked++;
}
}
if (!sameValue)
{
CollIndex index = j; // Put to the same location if value changed
if ( envChanged )
{
NADELETEBASIC(envs_[j], heap_);
envs_.remove(j);
}
else
index = envs_.unusedIndex(); // Insert a new env string
UInt32 len = strlen(newenvs[i]);
char *copyEnv = new (heap_) char[len + 1];
strcpy(copyEnv, newenvs[i]);
copyEnv[len] = 0;
PUTENV(copyEnv);
envs_.insertAt(index, copyEnv);
}
delete[] envName;
}
}
}
void CWE427_Uncontrolled_Search_Path_Element__char_listen_socket_22_bad()
{
char * data;
char dataBuffer[250] = "PATH=";
data = dataBuffer;
CWE427_Uncontrolled_Search_Path_Element__char_listen_socket_22_badGlobal = 1; /* true */
data = CWE427_Uncontrolled_Search_Path_Element__char_listen_socket_22_badSource(data);
/* POTENTIAL FLAW: Set a new environment variable with a path that is possibly insecure */
PUTENV(data);
}
static void goodG2B1()
{
char * data;
char dataBuffer[250] = "PATH=";
data = dataBuffer;
goodG2B1Static = 0; /* false */
data = goodG2B1Source(data);
/* POTENTIAL FLAW: Set a new environment variable with a path that is possibly insecure */
PUTENV(data);
}
static void goodG2B2()
{
char * data;
char dataBuffer[250] = "PATH=";
data = dataBuffer;
CWE427_Uncontrolled_Search_Path_Element__char_console_22_goodG2B2Global = 1; /* true */
data = CWE427_Uncontrolled_Search_Path_Element__char_console_22_goodG2B2Source(data);
/* POTENTIAL FLAW: Set a new environment variable with a path that is possibly insecure */
PUTENV(data);
}
/* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */
static void goodG2B()
{
char * data;
char dataBuffer[250] = "PATH=";
data = dataBuffer;
goto source;
source:
/* FIX: Set the path as the "system" path */
strcat(data, NEW_PATH);
/* POTENTIAL FLAW: Set a new environment variable with a path that is possibly insecure */
PUTENV(data);
}
/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
static void goodG2B2()
{
wchar_t * data;
wchar_t dataBuffer[250] = L"PATH=";
data = dataBuffer;
if(staticTrue)
{
/* FIX: Set the path as the "system" path */
wcscat(data, NEW_PATH);
}
/* POTENTIAL FLAW: Set a new environment variable with a path that is possibly insecure */
PUTENV(data);
}
/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
static void goodG2B2()
{
char * data;
char dataBuffer[250] = "PATH=";
data = dataBuffer;
if(GLOBAL_CONST_FIVE==5)
{
/* FIX: Set the path as the "system" path */
strcat(data, NEW_PATH);
}
/* POTENTIAL FLAW: Set a new environment variable with a path that is possibly insecure */
PUTENV(data);
}
/* goodG2B() - use goodsource and badsink by changing the conditions on the for statements */
static void goodG2B()
{
int h;
char * data;
char dataBuffer[250] = "PATH=";
data = dataBuffer;
for(h = 0; h < 1; h++)
{
/* FIX: Set the path as the "system" path */
strcat(data, NEW_PATH);
}
/* POTENTIAL FLAW: Set a new environment variable with a path that is possibly insecure */
PUTENV(data);
}
/* goodG2B() uses the GoodSource with the BadSink */
static void goodG2B()
{
char * data;
CWE427_Uncontrolled_Search_Path_Element__char_listen_socket_34_unionType myUnion;
char dataBuffer[250] = "PATH=";
data = dataBuffer;
/* FIX: Set the path as the "system" path */
strcat(data, NEW_PATH);
myUnion.unionFirst = data;
{
char * data = myUnion.unionSecond;
/* POTENTIAL FLAW: Set a new environment variable with a path that is possibly insecure */
PUTENV(data);
}
}
Int32 Envvar::reset()
{
if ((!getenv(name)) || (!env_str)) // this should be true,
return -1; // otherwise its an internal error.
// VO, Plan versioning support: The code below '#else' will not
// reset the env var properly on NT, a subsequent 'sh env;' command
// will still display it with its original value.
char * ptr = strchr (env_str, '=');
ptr[1] = 0;
Int32 i = PUTENV(env_str);
if (i) cerr << "*** ERROR " << i << " from putenv." << endl;
invalidateEnvVarDependentCaches(name);
return 0;
}
/* goodG2B1() - use goodsource and badsink by changing the staticTrue to staticFalse */
static void goodG2B1()
{
wchar_t * data;
wchar_t dataBuffer[250] = L"PATH=";
data = dataBuffer;
if(staticFalse)
{
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
printLine("Benign, fixed string");
}
else
{
/* FIX: Set the path as the "system" path */
wcscat(data, NEW_PATH);
}
/* POTENTIAL FLAW: Set a new environment variable with a path that is possibly insecure */
PUTENV(data);
}
void init_callin_functable(void)
{
unsigned char *env_top, *address_top;
uint4 address_len;
int save_errno;
address_top = GTM64_ONLY(i2ascl)NON_GTM64_ONLY(i2asc)(gtmvectortable_address, (UINTPTR_T)(&callintogtm_vectortable[0]));
*address_top = '\0';
address_len = (uint4)(address_top - >mvectortable_address[0]);
env_top = >mvectortable_env[0];
MEMCPY_LIT(env_top, GTM_CALLIN_START_ENV);
memcpy((env_top + strlen(GTM_CALLIN_START_ENV)), gtmvectortable_address, address_len);
*(env_top + strlen(GTM_CALLIN_START_ENV) + address_len) = '\0';
if (PUTENV((char *)gtmvectortable_env))
{
save_errno = errno;
rts_error(VARLSTCNT(8) ERR_SYSCALL, 5, LEN_AND_LIT("putenv"), CALLFROM, save_errno);
}
}
Int32 Envvar::set()
{
// Envvars are added by creating a string "envvar_name=envvar_value"
// and then adding it ("putting" it) to environment.
delete [] env_str;
env_str = new char[strlen(name) + 1/*for = */ + strlen(value)
+1/*for null*/];
strcpy(env_str, name);
strcat(env_str, "=");
strcat(env_str, value);
Int32 i = PUTENV(env_str);
if (i) cerr << "*** ERROR " << i << " from putenv." << endl;
invalidateEnvVarDependentCaches(name);
return i;
}
void ProcessEnv::dumpEnvs()
{
// To test the PUTENV still works
const char* aString = "DUMPENV=ddd";
PUTENV((char *)aString);
ofstream outStream("DUMPENVS");
Int32 i=0;
outStream << "ProcessEnv::dumpEnvs() " << endl << flush;
while (ENVIRON[i])
{
char tempstr[2048];
strncpy( tempstr, ENVIRON[i], sizeof(tempstr));
char* p = strchr(tempstr, '=');
if ( p ) *p = 0;
char *s;
if (s = getenv(tempstr))
outStream << "environ[" << i << "] ---- " <<
tempstr << " ---> " << s << endl;
i++;
}
}
void CWE427_Uncontrolled_Search_Path_Element__char_environment_18_bad()
{
char * data;
char dataBuffer[250] = "PATH=";
data = dataBuffer;
goto source;
source:
{
/* Append input from an environment variable to data */
size_t dataLen = strlen(data);
char * environment = GETENV(ENV_VARIABLE);
/* If there is data in the environment variable */
if (environment != NULL)
{
/* POTENTIAL FLAW: Read data from an environment variable */
strncat(data+dataLen, environment, 250-dataLen-1);
}
}
/* POTENTIAL FLAW: Set a new environment variable with a path that is possibly insecure */
PUTENV(data);
}
void ProcessEnv::removeEnv(char **newenvs, Lng32 nEnvs)
{
Lng32 i,j;
CollHeap *stmtHeap = CmpCommon::statementHeap();
NAList<Lng32> deleteArray(stmtHeap, 16);
#pragma warning (disable : 4018) //warning elimination
for (j=0; j < envs_.getSize(); j++)
#pragma warning (default : 4018) //warning elimination
{
if (envs_.used(j))
{
for (i=0; i < nEnvs; i++)
if (strcmp(newenvs[i], envs_[j]) ==0 )
break;
if ( i >= nEnvs )
{
// can't find it in newenvs, envs_[j] must have been deleted
char* pTemp = strchr(envs_[j], '=');
if (pTemp)
{
*(pTemp+1) = '\0';
PUTENV(envs_[j]);
NADELETEBASIC(envs_[j], heap_);
deleteArray.insert(j);
}
}
}
}
#pragma warning (disable : 4018) //warning elimination
for (j=0; j < deleteArray.entries(); j++) {
#pragma warning (default : 4018) //warning elimination
envs_.remove(deleteArray[j]);
}
}
void CWE427_Uncontrolled_Search_Path_Element__wchar_t_environment_17_bad()
{
int i;
wchar_t * data;
wchar_t dataBuffer[250] = L"PATH=";
data = dataBuffer;
for(i = 0; i < 1; i++)
{
{
/* Append input from an environment variable to data */
size_t dataLen = wcslen(data);
wchar_t * environment = GETENV(ENV_VARIABLE);
/* If there is data in the environment variable */
if (environment != NULL)
{
/* POTENTIAL FLAW: Read data from an environment variable */
wcsncat(data+dataLen, environment, 250-dataLen-1);
}
}
}
/* POTENTIAL FLAW: Set a new environment variable with a path that is possibly insecure */
PUTENV(data);
}
void init_callin_functable(void)
{
unsigned char *env_top, *address_top;
uint4 address_len;
/* The address of the vector table containing pointers
* to gt_timers functions is of type unsigned int which
* is o.k in current GT.M implementations, however when
* GT.M migrates to a fully 64 port this part of the code
* might have be re-visited.
*/
assert ( 64 > sizeof(gtmvectortable_address));
address_top = i2asc(gtmvectortable_address, (uint4 )&callintogtm_vectortable[0]);
*address_top = '\0';
address_len = (uint4 )(address_top - >mvectortable_address[0]);
env_top = >mvectortable_env[0];
memcpy(env_top, GTM_CALLIN_START_ENV, strlen(GTM_CALLIN_START_ENV));
memcpy((env_top + strlen(GTM_CALLIN_START_ENV)), gtmvectortable_address, address_len);
*(env_top + strlen(GTM_CALLIN_START_ENV) + address_len) = '\0';
if (PUTENV((char *)gtmvectortable_env))
{
rts_error(VARLSTCNT(1) errno);
}
}
void CWE427_Uncontrolled_Search_Path_Element__char_console_02_bad()
{
char * data;
char dataBuffer[250] = "PATH=";
data = dataBuffer;
if(1)
{
{
/* Read input from the console */
size_t dataLen = strlen(data);
/* if there is room in data, read into it from the console */
if (250-dataLen > 1)
{
/* POTENTIAL FLAW: Read data from the console */
if (fgets(data+dataLen, (int)(250-dataLen), stdin) != NULL)
{
/* The next few lines remove the carriage return from the string that is
* inserted by fgets() */
dataLen = strlen(data);
if (dataLen > 0 && data[dataLen-1] == '\n')
{
data[dataLen-1] = '\0';
}
}
else
{
printLine("fgets() failed");
/* Restore NUL terminator if fgets fails */
data[dataLen] = '\0';
}
}
}
}
/* POTENTIAL FLAW: Set a new environment variable with a path that is possibly insecure */
PUTENV(data);
}
CWE427_Uncontrolled_Search_Path_Element__wchar_t_environment_83_bad::~CWE427_Uncontrolled_Search_Path_Element__wchar_t_environment_83_bad()
{
/* POTENTIAL FLAW: Set a new environment variable with a path that is possibly insecure */
PUTENV(data);
}
