Description
test code:
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <malloc.h>
#include <stdlib.h>
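/*
 * Sample sink for the accompanying query: the path handed to fopen() comes
 * straight from the PATH environment variable, i.e. from a FlowSource, so
 * the getenv -> fopen flow the query reports is kept intact.
 *
 * Fixes over the original test body: getenv() returns NULL when the
 * variable is unset, and that NULL was passed to both fopen() and
 * printf("%s"); the FILE* returned by fopen() was never checked or closed,
 * so every successful call leaked a handle.
 */
void bad(void) {
    const char *filename1 = getenv("PATH");
    if (filename1 == NULL) {
        return; /* nothing to open or print */
    }
    FILE *file1 = fopen(filename1, "r"); /* query sink: path from environment */
    printf("Path: %s", filename1);
    if (file1 != NULL) {
        fclose(file1); /* release the handle the original leaked */
    }
}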
/* Entry point of the test program: just drives the sample sink once. */
int main(void) {
    bad();
    return 0; /* same as falling off the end of main() in C99 */
}
fopen-flow-from-getenv.ql:
/**
* @name member variable to open or create resource
* @description Uses a member variable to open or create a resource; the resource may be left unreleased, so this detects resource leaks.
* @kind path-problem
* @id cpp/member-variable-to-resource-leak
* @problem.severity warning
* @security-severity 7.8
* @tags efficiency
* security
* external/cwe/cwe-404
*/
import cpp
import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
import semmle.code.cpp.ir.dataflow.TaintTracking
import semmle.code.cpp.ir.IR
import semmle.code.cpp.controlflow.IRGuards
import semmle.code.cpp.security.FlowSources
/**
 * Holds if `source` is a `FlowSource` (as defined in
 * `semmle.code.cpp.security.FlowSources`) and `sourceType` is the
 * description that `getSourceType()` gives for it.
 */
predicate isFlowSource(FlowSource source, string sourceType) {
  source.getSourceType() = sourceType
}
/**
 * Holds if `sink` is the string pointed to by the first argument of a call to
 * the global function `fopen`, i.e. the path about to be opened. Indirection
 * level 1 selects the pointed-to characters rather than the pointer value.
 */
predicate openSink(DataFlow::Node sink) {
  sink.asIndirectExpr(1) =
    any(FunctionCall call | call.getTarget().hasGlobalName("fopen")).getArgument(0)
}
/**
 * Flow configuration: any library flow source (see `isFlowSource`) to the
 * path argument of `fopen` (see `openSink`).
 */
module EnvironmentToFileConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { exists(string kind | isFlowSource(source, kind)) }

  predicate isSink(DataFlow::Node sink) { openSink(sink) }
}
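/**
 * Global flow from `EnvironmentToFileConfig` sources to sinks.
 *
 * Taint tracking is used instead of plain data flow: the sink is the string
 * contents (indirection level 1), and a path assembled from an environment
 * value with e.g. `strcat`/`snprintf` is still attacker-influenced even though
 * the pointer itself is not copied. Plain `DataFlow::Global` does not follow
 * such taint steps, so it would only report the direct `getenv` -> `fopen`
 * case. `TaintTracking` is already imported by this file.
 */
module Flow = TaintTracking::Global<EnvironmentToFileConfig>;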
import Flow::PathGraph
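/*
 * NOTE(review): the `@name`/`@id` metadata at the top of this file describe a
 * member-variable resource-leak query, which is not what is selected here (a
 * flow-source value reaching the path argument of `fopen`). The imports of
 * SimpleRangeAnalysis, IR and IRGuards are not used by this query.
 *
 * The original `from` clause declared `Expr getenv, Expr fopen` and never
 * constrained them, so each result was duplicated once per expression pair in
 * the database. The source/sink conjuncts in `where` were redundant with the
 * configuration, so only `flowPath` plus the source-type lookup remain. The
 * node itself is selected rather than `asExpr()`: the sink is an indirect node
 * (`asIndirectExpr(1)`), and as far as I can tell `asExpr()` does not hold for
 * indirect nodes, which would silently drop every result.
 */
from Flow::PathNode source, Flow::PathNode sink, string sourceType
where
  Flow::flowPath(source, sink) and
  isFlowSource(source.getNode(), sourceType)
select sink.getNode(), source, sink, "This file is opened with a path derived from $@.",
  source.getNode(), sourceType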