diff --git a/clang/docs/analyzer/checkers.rst b/clang/docs/analyzer/checkers.rst index dbd6d77878235..e68b10dc2c1c6 100644 --- a/clang/docs/analyzer/checkers.rst +++ b/clang/docs/analyzer/checkers.rst @@ -533,7 +533,253 @@ Warns when a nullable pointer is returned from a function that has _Nonnull retu optin ^^^^^ -Checkers for portability, performance or coding style specific rules. +Optional checkers for portability, performance, security or coding style checkers +which may not be applicable to all projects. + +optin.security.taint +^^^^^^^^^^^^^^^^^^^^ + +Checkers implementing +`taint analysis `_. + +.. optin-security-taint-TaintPropagation: + +optin.security.taint.TaintPropagation (C, C++) +"""""""""""""""""""""""""""""""""""""""""""""" + +Taint analysis identifies potential security vulnerabilities where the +attacker can inject malicious data to the program to execute an attack +(privilege escalation, command injection, SQL injection etc.). + +The malicious data is injected at the taint source (e.g. ``getenv()`` call) +which is then propagated through function calls and being used as arguments of +sensitive operations, also called as taint sinks (e.g. ``system()`` call). + +One can defend against this type of vulnerability by always checking and +sanitizing the potentially malicious, untrusted user input. + +The goal of the checker is to discover and show to the user these potential +taint source-sink pairs and the propagation call chain. + +The most notable examples of taint sources are: + + - data from network + - files or standard input + - environment variables + - data from databases + +Let us examine a practical example of a Command Injection attack. + +.. code-block:: c + + // Command Injection Vulnerability Example + int main(int argc, char** argv) { + char cmd[2048] = "/bin/cat "; + char filename[1024]; + printf("Filename:"); + scanf (" %1023[^\n]", filename); // The attacker can inject a shell escape here + strcat(cmd, filename); + system(cmd); // Warning: Untrusted data is passed to a system call + } + +The program prints the content of any user specified file. +Unfortunately the attacker can execute arbitrary commands +with shell escapes. For example with the following input the `ls` command is also +executed after the contents of `/etc/shadow` is printed. +`Input: /etc/shadow ; ls /` + +The analysis implemented in this checker points out this problem. + +One can protect against such attack by for example checking if the provided +input refers to a valid file and removing any invalid user input. + +.. code-block:: c + + // No vulnerability anymore, but we still get the warning + void sanitizeFileName(char* filename){ + if (access(filename,F_OK)){// Verifying user input + printf("File does not exist\n"); + filename[0]='\0'; + } + } + int main(int argc, char** argv) { + char cmd[2048] = "/bin/cat "; + char filename[1024]; + printf("Filename:"); + scanf (" %1023[^\n]", filename); // The attacker can inject a shell escape here + sanitizeFileName(filename);// filename is safe after this point + if (!filename[0]) + return -1; + strcat(cmd, filename); + system(cmd); // Superfluous Warning: Untrusted data is passed to a system call + } + +Unfortunately, the checker cannot discover automatically that the programmer +have performed data sanitation, so it still emits the warning. + +One can get rid of this superfluous warning by telling by specifying the +sanitation functions in the taint configuration file (see +:doc:`user-docs/TaintAnalysisConfiguration`). + +.. code-block:: YAML + + Filters: + - Name: sanitizeFileName + Args: [0] + +The clang invocation to pass the configuration file location: + +.. code-block:: bash + + clang --analyze -Xclang -analyzer-config -Xclang optin.security.taint.TaintPropagation:Config=`pwd`/taint_config.yml ... + +If you are validating your inputs instead of sanitizing them, or don't want to +mention each sanitizing function in our configuration, +you can use a more generic approach. + +Introduce a generic no-op `csa_mark_sanitized(..)` function to +tell the Clang Static Analyzer +that the variable is safe to be used on that analysis path. + +.. code-block:: c + + // Marking sanitized variables safe. + // No vulnerability anymore, no warning. + + // User csa_mark_sanitize function is for the analyzer only + #ifdef __clang_analyzer__ + void csa_mark_sanitized(const void *); + #endif + + int main(int argc, char** argv) { + char cmd[2048] = "/bin/cat "; + char filename[1024]; + printf("Filename:"); + scanf (" %1023[^\n]", filename); + if (access(filename,F_OK)){// Verifying user input + printf("File does not exist\n"); + return -1; + } + #ifdef __clang_analyzer__ + csa_mark_sanitized(filename); // Indicating to CSA that filename variable is safe to be used after this point + #endif + strcat(cmd, filename); + system(cmd); // No warning + } + +Similarly to the previous example, you need to +define a `Filter` function in a `YAML` configuration file +and add the `csa_mark_sanitized` function. + +.. code-block:: YAML + + Filters: + - Name: csa_mark_sanitized + Args: [0] + +Then calling `csa_mark_sanitized(X)` will tell the analyzer that `X` is safe to +be used after this point, because its contents are verified. It is the +responsibility of the programmer to ensure that this verification was indeed +correct. Please note that `csa_mark_sanitized` function is only declared and +used during Clang Static Analysis and skipped in (production) builds. + +Further examples of injection vulnerabilities this checker can find. + +.. code-block:: c + + void test() { + char x = getchar(); // 'x' marked as tainted + system(&x); // warn: untrusted data is passed to a system call + } + + // note: compiler internally checks if the second param to + // sprintf is a string literal or not. + // Use -Wno-format-security to suppress compiler warning. + void test() { + char s[10], buf[10]; + fscanf(stdin, "%s", s); // 's' marked as tainted + + sprintf(buf, s); // warn: untrusted data used as a format string + } + + void test() { + size_t ts; + scanf("%zd", &ts); // 'ts' marked as tainted + int *p = (int *)malloc(ts * sizeof(int)); + // warn: untrusted data used as buffer size + } + +There are built-in sources, propagations and sinks even if no external taint +configuration is provided. + +Default sources: + ``_IO_getc``, ``fdopen``, ``fopen``, ``freopen``, ``get_current_dir_name``, + ``getch``, ``getchar``, ``getchar_unlocked``, ``getwd``, ``getcwd``, + ``getgroups``, ``gethostname``, ``getlogin``, ``getlogin_r``, ``getnameinfo``, + ``gets``, ``gets_s``, ``getseuserbyname``, ``readlink``, ``readlinkat``, + ``scanf``, ``scanf_s``, ``socket``, ``wgetch`` + +Default propagations rules: + ``atoi``, ``atol``, ``atoll``, ``basename``, ``dirname``, ``fgetc``, + ``fgetln``, ``fgets``, ``fnmatch``, ``fread``, ``fscanf``, ``fscanf_s``, + ``index``, ``inflate``, ``isalnum``, ``isalpha``, ``isascii``, ``isblank``, + ``iscntrl``, ``isdigit``, ``isgraph``, ``islower``, ``isprint``, ``ispunct``, + ``isspace``, ``isupper``, ``isxdigit``, ``memchr``, ``memrchr``, ``sscanf``, + ``getc``, ``getc_unlocked``, ``getdelim``, ``getline``, ``getw``, ``memcmp``, + ``memcpy``, ``memmem``, ``memmove``, ``mbtowc``, ``pread``, ``qsort``, + ``qsort_r``, ``rawmemchr``, ``read``, ``recv``, ``recvfrom``, ``rindex``, + ``strcasestr``, ``strchr``, ``strchrnul``, ``strcasecmp``, ``strcmp``, + ``strcspn``, ``strlen``, ``strncasecmp``, ``strncmp``, ``strndup``, + ``strndupa``, ``strnlen``, ``strpbrk``, ``strrchr``, ``strsep``, ``strspn``, + ``strstr``, ``strtol``, ``strtoll``, ``strtoul``, ``strtoull``, ``tolower``, + ``toupper``, ``ttyname``, ``ttyname_r``, ``wctomb``, ``wcwidth`` + +Default sinks: + ``printf``, ``setproctitle``, ``system``, ``popen``, ``execl``, ``execle``, + ``execlp``, ``execv``, ``execvp``, ``execvP``, ``execve``, ``dlopen``, + ``memcpy``, ``memmove``, ``strncpy``, ``strndup``, ``malloc``, ``calloc``, + ``alloca``, ``memccpy``, ``realloc``, ``bcopy`` + +Please note that there are no built-in filter functions. + +One can configure their own taint sources, sinks, and propagation rules by +providing a configuration file via checker option +``optin.security.taint.TaintPropagation:Config``. The configuration file is in +`YAML `_ format. The +taint-related options defined in the config file extend but do not override the +built-in sources, rules, sinks. The format of the external taint configuration +file is not stable, and could change without any notice even in a non-backward +compatible way. + +For a more detailed description of configuration options, please see the +:doc:`user-docs/TaintAnalysisConfiguration`. For an example see +:ref:`clangsa-taint-configuration-example`. + +**Configuration** + +* `Config` Specifies the name of the YAML configuration file. The user can + define their own taint sources and sinks. + +**Related Guidelines** + +* `CWE Data Neutralization Issues + `_ +* `SEI Cert STR02-C. Sanitize data passed to complex subsystems + `_ +* `SEI Cert ENV33-C. Do not call system() + `_ +* `ENV03-C. Sanitize the environment when invoking external programs + `_ + +**Limitations** + +* The taintedness property is not propagated through function calls which are + unknown (or too complex) to the analyzer, unless there is a specific + propagation rule built-in to the checker or given in the YAML configuration + file. This causes potential true positive findings to be lost. + +Optional checkers for portability, performance, security +or coding style specific rules. .. _optin-cplusplus-UninitializedObject: @@ -2217,7 +2463,7 @@ Warn about buffer overflows (newer checker). buf[0][-1] = 1; // warn } - // note: requires alpha.security.taint check turned on. + // note: requires optin.security.taint check turned on. void test() { char s[] = "abc"; int x = getchar(); @@ -2406,248 +2652,6 @@ pointer. These functions include: getenv, localeconv, asctime, setlocale, strerr // dereferencing invalid pointer } -alpha.security.taint -^^^^^^^^^^^^^^^^^^^^ - -Checkers implementing -`taint analysis `_. - -.. _alpha-security-taint-TaintPropagation: - -alpha.security.taint.TaintPropagation (C, C++) -"""""""""""""""""""""""""""""""""""""""""""""" - -Taint analysis identifies potential security vulnerabilities where the -attacker can inject malicious data to the program to execute an attack -(privilege escalation, command injection, SQL injection etc.). - -The malicious data is injected at the taint source (e.g. ``getenv()`` call) -which is then propagated through function calls and being used as arguments of -sensitive operations, also called as taint sinks (e.g. ``system()`` call). - -One can defend against this type of vulnerability by always checking and -sanitizing the potentially malicious, untrusted user input. - -The goal of the checker is to discover and show to the user these potential -taint source-sink pairs and the propagation call chain. - -The most notable examples of taint sources are: - - - data from network - - files or standard input - - environment variables - - data from databases - -Let us examine a practical example of a Command Injection attack. - -.. code-block:: c - - // Command Injection Vulnerability Example - int main(int argc, char** argv) { - char cmd[2048] = "/bin/cat "; - char filename[1024]; - printf("Filename:"); - scanf (" %1023[^\n]", filename); // The attacker can inject a shell escape here - strcat(cmd, filename); - system(cmd); // Warning: Untrusted data is passed to a system call - } - -The program prints the content of any user specified file. -Unfortunately the attacker can execute arbitrary commands -with shell escapes. For example with the following input the `ls` command is also -executed after the contents of `/etc/shadow` is printed. -`Input: /etc/shadow ; ls /` - -The analysis implemented in this checker points out this problem. - -One can protect against such attack by for example checking if the provided -input refers to a valid file and removing any invalid user input. - -.. code-block:: c - - // No vulnerability anymore, but we still get the warning - void sanitizeFileName(char* filename){ - if (access(filename,F_OK)){// Verifying user input - printf("File does not exist\n"); - filename[0]='\0'; - } - } - int main(int argc, char** argv) { - char cmd[2048] = "/bin/cat "; - char filename[1024]; - printf("Filename:"); - scanf (" %1023[^\n]", filename); // The attacker can inject a shell escape here - sanitizeFileName(filename);// filename is safe after this point - if (!filename[0]) - return -1; - strcat(cmd, filename); - system(cmd); // Superfluous Warning: Untrusted data is passed to a system call - } - -Unfortunately, the checker cannot discover automatically that the programmer -have performed data sanitation, so it still emits the warning. - -One can get rid of this superfluous warning by telling by specifying the -sanitation functions in the taint configuration file (see -:doc:`user-docs/TaintAnalysisConfiguration`). - -.. code-block:: YAML - - Filters: - - Name: sanitizeFileName - Args: [0] - -The clang invocation to pass the configuration file location: - -.. code-block:: bash - - clang --analyze -Xclang -analyzer-config -Xclang alpha.security.taint.TaintPropagation:Config=`pwd`/taint_config.yml ... - -If you are validating your inputs instead of sanitizing them, or don't want to -mention each sanitizing function in our configuration, -you can use a more generic approach. - -Introduce a generic no-op `csa_mark_sanitized(..)` function to -tell the Clang Static Analyzer -that the variable is safe to be used on that analysis path. - -.. code-block:: c - - // Marking sanitized variables safe. - // No vulnerability anymore, no warning. - - // User csa_mark_sanitize function is for the analyzer only - #ifdef __clang_analyzer__ - void csa_mark_sanitized(const void *); - #endif - - int main(int argc, char** argv) { - char cmd[2048] = "/bin/cat "; - char filename[1024]; - printf("Filename:"); - scanf (" %1023[^\n]", filename); - if (access(filename,F_OK)){// Verifying user input - printf("File does not exist\n"); - return -1; - } - #ifdef __clang_analyzer__ - csa_mark_sanitized(filename); // Indicating to CSA that filename variable is safe to be used after this point - #endif - strcat(cmd, filename); - system(cmd); // No warning - } - -Similarly to the previous example, you need to -define a `Filter` function in a `YAML` configuration file -and add the `csa_mark_sanitized` function. - -.. code-block:: YAML - - Filters: - - Name: csa_mark_sanitized - Args: [0] - -Then calling `csa_mark_sanitized(X)` will tell the analyzer that `X` is safe to -be used after this point, because its contents are verified. It is the -responsibility of the programmer to ensure that this verification was indeed -correct. Please note that `csa_mark_sanitized` function is only declared and -used during Clang Static Analysis and skipped in (production) builds. - -Further examples of injection vulnerabilities this checker can find. - -.. code-block:: c - - void test() { - char x = getchar(); // 'x' marked as tainted - system(&x); // warn: untrusted data is passed to a system call - } - - // note: compiler internally checks if the second param to - // sprintf is a string literal or not. - // Use -Wno-format-security to suppress compiler warning. - void test() { - char s[10], buf[10]; - fscanf(stdin, "%s", s); // 's' marked as tainted - - sprintf(buf, s); // warn: untrusted data used as a format string - } - - void test() { - size_t ts; - scanf("%zd", &ts); // 'ts' marked as tainted - int *p = (int *)malloc(ts * sizeof(int)); - // warn: untrusted data used as buffer size - } - -There are built-in sources, propagations and sinks even if no external taint -configuration is provided. - -Default sources: - ``_IO_getc``, ``fdopen``, ``fopen``, ``freopen``, ``get_current_dir_name``, - ``getch``, ``getchar``, ``getchar_unlocked``, ``getwd``, ``getcwd``, - ``getgroups``, ``gethostname``, ``getlogin``, ``getlogin_r``, ``getnameinfo``, - ``gets``, ``gets_s``, ``getseuserbyname``, ``readlink``, ``readlinkat``, - ``scanf``, ``scanf_s``, ``socket``, ``wgetch`` - -Default propagations rules: - ``atoi``, ``atol``, ``atoll``, ``basename``, ``dirname``, ``fgetc``, - ``fgetln``, ``fgets``, ``fnmatch``, ``fread``, ``fscanf``, ``fscanf_s``, - ``index``, ``inflate``, ``isalnum``, ``isalpha``, ``isascii``, ``isblank``, - ``iscntrl``, ``isdigit``, ``isgraph``, ``islower``, ``isprint``, ``ispunct``, - ``isspace``, ``isupper``, ``isxdigit``, ``memchr``, ``memrchr``, ``sscanf``, - ``getc``, ``getc_unlocked``, ``getdelim``, ``getline``, ``getw``, ``memcmp``, - ``memcpy``, ``memmem``, ``memmove``, ``mbtowc``, ``pread``, ``qsort``, - ``qsort_r``, ``rawmemchr``, ``read``, ``recv``, ``recvfrom``, ``rindex``, - ``strcasestr``, ``strchr``, ``strchrnul``, ``strcasecmp``, ``strcmp``, - ``strcspn``, ``strncasecmp``, ``strncmp``, ``strndup``, - ``strndupa``, ``strpbrk``, ``strrchr``, ``strsep``, ``strspn``, - ``strstr``, ``strtol``, ``strtoll``, ``strtoul``, ``strtoull``, ``tolower``, - ``toupper``, ``ttyname``, ``ttyname_r``, ``wctomb``, ``wcwidth`` - -Default sinks: - ``printf``, ``setproctitle``, ``system``, ``popen``, ``execl``, ``execle``, - ``execlp``, ``execv``, ``execvp``, ``execvP``, ``execve``, ``dlopen``, - ``memcpy``, ``memmove``, ``strncpy``, ``strndup``, ``malloc``, ``calloc``, - ``alloca``, ``memccpy``, ``realloc``, ``bcopy`` - -Please note that there are no built-in filter functions. - -One can configure their own taint sources, sinks, and propagation rules by -providing a configuration file via checker option -``alpha.security.taint.TaintPropagation:Config``. The configuration file is in -`YAML `_ format. The -taint-related options defined in the config file extend but do not override the -built-in sources, rules, sinks. The format of the external taint configuration -file is not stable, and could change without any notice even in a non-backward -compatible way. - -For a more detailed description of configuration options, please see the -:doc:`user-docs/TaintAnalysisConfiguration`. For an example see -:ref:`clangsa-taint-configuration-example`. - -**Configuration** - -* `Config` Specifies the name of the YAML configuration file. The user can - define their own taint sources and sinks. - -**Related Guidelines** - -* `CWE Data Neutralization Issues - `_ -* `SEI Cert STR02-C. Sanitize data passed to complex subsystems - `_ -* `SEI Cert ENV33-C. Do not call system() - `_ -* `ENV03-C. Sanitize the environment when invoking external programs - `_ - -**Limitations** - -* The taintedness property is not propagated through function calls which are - unknown (or too complex) to the analyzer, unless there is a specific - propagation rule built-in to the checker or given in the YAML configuration - file. This causes potential true positive findings to be lost. - alpha.unix ^^^^^^^^^^^ diff --git a/clang/docs/analyzer/user-docs/TaintAnalysisConfiguration.rst b/clang/docs/analyzer/user-docs/TaintAnalysisConfiguration.rst index 94db84494e00b..04fc54bc8181b 100644 --- a/clang/docs/analyzer/user-docs/TaintAnalysisConfiguration.rst +++ b/clang/docs/analyzer/user-docs/TaintAnalysisConfiguration.rst @@ -3,7 +3,7 @@ Taint Analysis Configuration ============================ The Clang Static Analyzer uses taint analysis to detect security-related issues in code. -The backbone of taint analysis in the Clang SA is the `GenericTaintChecker`, which the user can access via the :ref:`alpha-security-taint-TaintPropagation` checker alias and this checker has a default taint-related configuration. +The backbone of taint analysis in the Clang SA is the `GenericTaintChecker`, which the user can access via the :ref:`optin-security-taint-TaintPropagation` checker alias and this checker has a default taint-related configuration. The built-in default settings are defined in code, and they are always in effect once the checker is enabled, either directly or via the alias. The checker also provides a configuration interface for extending the default settings by providing a configuration file in `YAML `_ format. This documentation describes the syntax of the configuration file and gives the informal semantics of the configuration options. @@ -18,7 +18,7 @@ ________ Taint analysis works by checking for the occurrence of special operations during the symbolic execution of the program. Taint analysis defines sources, sinks, and propagation rules. It identifies errors by detecting a flow of information that originates from a taint source, reaches a taint sink, and propagates through the program paths via propagation rules. -A source, sink, or an operation that propagates taint is mainly domain-specific knowledge, but there are some built-in defaults provided by :ref:`alpha-security-taint-TaintPropagation`. +A source, sink, or an operation that propagates taint is mainly domain-specific knowledge, but there are some built-in defaults provided by :ref:`optin-security-taint-TaintPropagation`. It is possible to express that a statement sanitizes tainted values by providing a ``Filters`` section in the external configuration (see :ref:`clangsa-taint-configuration-example` and :ref:`clangsa-taint-filter-details`). There are no default filters defined in the built-in settings. The checker's documentation also specifies how to provide a custom taint configuration with command-line options. diff --git a/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td b/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td index 65c1595eb6245..a80e171ac61ef 100644 --- a/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td +++ b/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td @@ -68,8 +68,9 @@ def Performance : Package<"performance">, ParentPackage; def Security : Package <"security">; def InsecureAPI : Package<"insecureAPI">, ParentPackage; +def SecurityOptIn : Package<"security">, ParentPackage; +def Taint : Package<"taint">, ParentPackage; def SecurityAlpha : Package<"security">, ParentPackage; -def Taint : Package<"taint">, ParentPackage; def CERT : Package<"cert">, ParentPackage; def POS : Package<"pos">, ParentPackage; @@ -1050,11 +1051,11 @@ def GenericTaintChecker : Checker<"TaintPropagation">, "Config", "Specifies the name of the configuration file.", "", - InAlpha>, + Released>, ]>, Documentation; -} // end "alpha.security.taint" +} // end "optin.security.taint" //===----------------------------------------------------------------------===// // Mac OS X, Cocoa, and Core Foundation checkers. diff --git a/clang/test/Analysis/analyzer-config.c b/clang/test/Analysis/analyzer-config.c index d86ca5d19219c..d34bd1b96b5d9 100644 --- a/clang/test/Analysis/analyzer-config.c +++ b/clang/test/Analysis/analyzer-config.c @@ -11,7 +11,6 @@ // CHECK-NEXT: alpha.osx.cocoa.DirectIvarAssignment:AnnotatedFunctions = false // CHECK-NEXT: alpha.security.MmapWriteExec:MmapProtExec = 0x04 // CHECK-NEXT: alpha.security.MmapWriteExec:MmapProtRead = 0x01 -// CHECK-NEXT: alpha.security.taint.TaintPropagation:Config = "" // CHECK-NEXT: alpha.unix.Errno:AllowErrnoReadOutsideConditionExpressions = true // CHECK-NEXT: alpha.unix.StdCLibraryFunctions:DisplayLoadedSummaries = false // CHECK-NEXT: alpha.unix.StdCLibraryFunctions:ModelPOSIX = false @@ -112,6 +111,7 @@ // CHECK-NEXT: optin.cplusplus.VirtualCall:ShowFixIts = false // CHECK-NEXT: optin.osx.cocoa.localizability.NonLocalizedStringChecker:AggressiveReport = false // CHECK-NEXT: optin.performance.Padding:AllowedPad = 24 +// CHECK-NEXT: optin.security.taint.TaintPropagation:Config = "" // CHECK-NEXT: osx.NumberObjectConversion:Pedantic = false // CHECK-NEXT: osx.cocoa.RetainCount:TrackNSCFStartParam = false // CHECK-NEXT: prune-paths = true diff --git a/clang/test/Analysis/assume-controlled-environment.c b/clang/test/Analysis/assume-controlled-environment.c index fce1a1e7bae33..0055025a7ef48 100644 --- a/clang/test/Analysis/assume-controlled-environment.c +++ b/clang/test/Analysis/assume-controlled-environment.c @@ -1,12 +1,12 @@ // RUN: %clang_analyze_cc1 -verify=untrusted-env %s \ // RUN: -analyzer-checker=core \ -// RUN: -analyzer-checker=alpha.security.taint \ +// RUN: -analyzer-checker=optin.security.taint \ // RUN: -analyzer-checker=debug.TaintTest // RUN: %clang_analyze_cc1 -verify %s -DEXPECT_NO_WARNINGS \ // RUN: -analyzer-config assume-controlled-environment=true \ // RUN: -analyzer-checker=core \ -// RUN: -analyzer-checker=alpha.security.taint \ +// RUN: -analyzer-checker=optin.security.taint \ // RUN: -analyzer-checker=debug.TaintTest diff --git a/clang/test/Analysis/bool-assignment.c b/clang/test/Analysis/bool-assignment.c index c32bc8f9e8b14..372006de96bb6 100644 --- a/clang/test/Analysis/bool-assignment.c +++ b/clang/test/Analysis/bool-assignment.c @@ -1,5 +1,5 @@ -// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.core.BoolAssignment,alpha.security.taint -verify -std=c99 -Dbool=_Bool %s -// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.core.BoolAssignment,alpha.security.taint -verify -x c++ %s +// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.core.BoolAssignment,optin.security.taint -verify -std=c99 -Dbool=_Bool %s +// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.core.BoolAssignment,optin.security.taint -verify -x c++ %s // Test C++'s bool and C's _Bool. // FIXME: We stopped warning on these when SValBuilder got smarter about diff --git a/clang/test/Analysis/cxx-method-names.cpp b/clang/test/Analysis/cxx-method-names.cpp index 22ec4db34796b..1e390d6560cdb 100644 --- a/clang/test/Analysis/cxx-method-names.cpp +++ b/clang/test/Analysis/cxx-method-names.cpp @@ -1,4 +1,4 @@ -// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix,osx,alpha.unix,alpha.security.taint -verify %s +// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix,osx,alpha.unix,optin.security.taint -verify %s // expected-no-diagnostics class Evil { diff --git a/clang/test/Analysis/debug-exprinspection-istainted.c b/clang/test/Analysis/debug-exprinspection-istainted.c index 8d1ebca930885..7c272557a49ea 100644 --- a/clang/test/Analysis/debug-exprinspection-istainted.c +++ b/clang/test/Analysis/debug-exprinspection-istainted.c @@ -1,7 +1,7 @@ // RUN: %clang_analyze_cc1 -verify %s \ // RUN: -analyzer-checker=core \ // RUN: -analyzer-checker=debug.ExprInspection \ -// RUN: -analyzer-checker=alpha.security.taint +// RUN: -analyzer-checker=optin.security.taint int scanf(const char *restrict format, ...); void clang_analyzer_isTainted(char); diff --git a/clang/test/Analysis/diagnostics/sarif-diagnostics-taint-test.c b/clang/test/Analysis/diagnostics/sarif-diagnostics-taint-test.c index b1042f9034d7d..b1f7714aa97aa 100644 --- a/clang/test/Analysis/diagnostics/sarif-diagnostics-taint-test.c +++ b/clang/test/Analysis/diagnostics/sarif-diagnostics-taint-test.c @@ -1,4 +1,4 @@ -// RUN: %clang_analyze_cc1 -analyzer-checker=alpha.security.taint,debug.TaintTest %s -verify -analyzer-output=sarif -o - | %normalize_sarif | diff -U1 -b %S/Inputs/expected-sarif/sarif-diagnostics-taint-test.c.sarif - +// RUN: %clang_analyze_cc1 -analyzer-checker=optin.security.taint,debug.TaintTest %s -verify -analyzer-output=sarif -o - | %normalize_sarif | diff -U1 -b %S/Inputs/expected-sarif/sarif-diagnostics-taint-test.c.sarif - #include "../Inputs/system-header-simulator.h" int atoi(const char *nptr); diff --git a/clang/test/Analysis/diagnostics/sarif-multi-diagnostic-test.c b/clang/test/Analysis/diagnostics/sarif-multi-diagnostic-test.c index 61d19817407e2..39c6643469fa9 100644 --- a/clang/test/Analysis/diagnostics/sarif-multi-diagnostic-test.c +++ b/clang/test/Analysis/diagnostics/sarif-multi-diagnostic-test.c @@ -1,4 +1,4 @@ -// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.security.taint,debug.TaintTest,unix.Malloc %s -verify -analyzer-output=sarif -o - | %normalize_sarif | diff -U1 -b %S/Inputs/expected-sarif/sarif-multi-diagnostic-test.c.sarif - +// RUN: %clang_analyze_cc1 -analyzer-checker=core,optin.security.taint,debug.TaintTest,unix.Malloc %s -verify -analyzer-output=sarif -o - | %normalize_sarif | diff -U1 -b %S/Inputs/expected-sarif/sarif-multi-diagnostic-test.c.sarif - #include "../Inputs/system-header-simulator.h" #include "../Inputs/system-header-simulator-for-malloc.h" #define ERR -1 diff --git a/clang/test/Analysis/global-region-invalidation-errno.c b/clang/test/Analysis/global-region-invalidation-errno.c index 9de10ad59095a..ca0db8cc8e5ec 100644 --- a/clang/test/Analysis/global-region-invalidation-errno.c +++ b/clang/test/Analysis/global-region-invalidation-errno.c @@ -1,9 +1,9 @@ // RUN: %clang_analyze_cc1 -triple x86_64-apple-darwin10 -disable-free -verify %s \ -// RUN: -analyzer-checker=core,deadcode,alpha.security.taint \ +// RUN: -analyzer-checker=core,deadcode,optin.security.taint \ // RUN: -DERRNO_VAR // RUN: %clang_analyze_cc1 -triple x86_64-apple-darwin10 -disable-free -verify %s \ -// RUN: -analyzer-checker=core,deadcode,alpha.security.taint \ +// RUN: -analyzer-checker=core,deadcode,optin.security.taint \ // RUN: -DERRNO_FUNC // Note, we do need to include headers here, since the analyzer checks if the function declaration is located in a system header. diff --git a/clang/test/Analysis/global-region-invalidation.c b/clang/test/Analysis/global-region-invalidation.c index faca3baf11caf..7bfb60dcc5e06 100644 --- a/clang/test/Analysis/global-region-invalidation.c +++ b/clang/test/Analysis/global-region-invalidation.c @@ -1,5 +1,5 @@ // RUN: %clang_analyze_cc1 -triple x86_64-apple-darwin10 -disable-free -verify %s \ -// RUN: -analyzer-checker=core,deadcode,alpha.security.taint,debug.TaintTest,debug.ExprInspection +// RUN: -analyzer-checker=core,deadcode,optin.security.taint,debug.TaintTest,debug.ExprInspection void clang_analyzer_eval(int); diff --git a/clang/test/Analysis/redefined_system.c b/clang/test/Analysis/redefined_system.c index 0a55c36c6dd5b..66039d5fef229 100644 --- a/clang/test/Analysis/redefined_system.c +++ b/clang/test/Analysis/redefined_system.c @@ -1,4 +1,4 @@ -// RUN: %clang_analyze_cc1 -analyzer-checker=osx,unix,core,alpha.security.taint -w -verify %s +// RUN: %clang_analyze_cc1 -analyzer-checker=osx,unix,core,optin.security.taint -w -verify %s // expected-no-diagnostics // Make sure we don't crash when someone redefines a system function we reason about. diff --git a/clang/test/Analysis/string.c b/clang/test/Analysis/string.c index d369ee9f7d854..ae26c5c8d1bad 100644 --- a/clang/test/Analysis/string.c +++ b/clang/test/Analysis/string.c @@ -25,7 +25,7 @@ // RUN: %clang_analyze_cc1 -verify %s -Wno-null-dereference \ // RUN: -DUSE_BUILTINS -DVARIANT \ // RUN: -analyzer-checker=core \ -// RUN: -analyzer-checker=alpha.security.taint \ +// RUN: -analyzer-checker=optin.security.taint \ // RUN: -analyzer-checker=unix.cstring \ // RUN: -analyzer-checker=unix.Malloc \ // RUN: -analyzer-checker=alpha.unix.cstring \ diff --git a/clang/test/Analysis/taint-checker-callback-order-has-definition.c b/clang/test/Analysis/taint-checker-callback-order-has-definition.c index eaf96cc675f06..9b7ad1f8ab50f 100644 --- a/clang/test/Analysis/taint-checker-callback-order-has-definition.c +++ b/clang/test/Analysis/taint-checker-callback-order-has-definition.c @@ -1,5 +1,5 @@ // RUN: %clang_analyze_cc1 %s \ -// RUN: -analyzer-checker=core,alpha.security.taint \ +// RUN: -analyzer-checker=core,optin.security.taint \ // RUN: -mllvm -debug-only=taint-checker \ // RUN: 2>&1 | FileCheck %s diff --git a/clang/test/Analysis/taint-checker-callback-order-without-definition.c b/clang/test/Analysis/taint-checker-callback-order-without-definition.c index 6de87f736926d..cc1d3b2b4dce6 100644 --- a/clang/test/Analysis/taint-checker-callback-order-without-definition.c +++ b/clang/test/Analysis/taint-checker-callback-order-without-definition.c @@ -1,5 +1,5 @@ // RUN: %clang_analyze_cc1 %s \ -// RUN: -analyzer-checker=core,alpha.security.taint \ +// RUN: -analyzer-checker=core,optin.security.taint \ // RUN: -mllvm -debug-only=taint-checker \ // RUN: 2>&1 | FileCheck %s diff --git a/clang/test/Analysis/taint-diagnostic-visitor.c b/clang/test/Analysis/taint-diagnostic-visitor.c index 8a7510177f3e4..94ab31de79018 100644 --- a/clang/test/Analysis/taint-diagnostic-visitor.c +++ b/clang/test/Analysis/taint-diagnostic-visitor.c @@ -1,4 +1,4 @@ -// RUN: %clang_cc1 -analyze -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2 -analyzer-output=text -verify %s +// RUN: %clang_cc1 -analyze -analyzer-checker=optin.security.taint,core,alpha.security.ArrayBoundV2 -analyzer-output=text -verify %s // This file is for testing enhanced diagnostics produced by the GenericTaintChecker diff --git a/clang/test/Analysis/taint-dumps.c b/clang/test/Analysis/taint-dumps.c index 37fb6c2f2adf7..47c9059cb29c7 100644 --- a/clang/test/Analysis/taint-dumps.c +++ b/clang/test/Analysis/taint-dumps.c @@ -1,4 +1,4 @@ -// RUN: %clang_analyze_cc1 -analyzer-checker=alpha.security.taint\ +// RUN: %clang_analyze_cc1 -analyzer-checker=optin.security.taint\ // RUN: -analyzer-checker=debug.ExprInspection %s\ // RUN: 2>&1 | FileCheck %s diff --git a/clang/test/Analysis/taint-generic.c b/clang/test/Analysis/taint-generic.c index c6a01594f15ab..f4c0d617bcb3a 100644 --- a/clang/test/Analysis/taint-generic.c +++ b/clang/test/Analysis/taint-generic.c @@ -1,57 +1,57 @@ // RUN: %clang_analyze_cc1 -Wno-format-security -Wno-pointer-to-int-cast \ // RUN: -Wno-incompatible-library-redeclaration -verify %s \ -// RUN: -analyzer-checker=alpha.security.taint \ +// RUN: -analyzer-checker=optin.security.taint \ // RUN: -analyzer-checker=core \ // RUN: -analyzer-checker=alpha.security.ArrayBoundV2 \ // RUN: -analyzer-checker=debug.ExprInspection \ // RUN: -analyzer-config \ -// RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config.yaml +// RUN: optin.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config.yaml // RUN: %clang_analyze_cc1 -Wno-format-security -Wno-pointer-to-int-cast \ // RUN: -Wno-incompatible-library-redeclaration -verify %s \ // RUN: -DFILE_IS_STRUCT \ -// RUN: -analyzer-checker=alpha.security.taint \ +// RUN: -analyzer-checker=optin.security.taint \ // RUN: -analyzer-checker=core \ // RUN: -analyzer-checker=alpha.security.ArrayBoundV2 \ // RUN: -analyzer-checker=debug.ExprInspection \ // RUN: -analyzer-config \ -// RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config.yaml +// RUN: optin.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config.yaml // RUN: not %clang_analyze_cc1 -Wno-pointer-to-int-cast \ // RUN: -Wno-incompatible-library-redeclaration -verify %s \ -// RUN: -analyzer-checker=alpha.security.taint \ +// RUN: -analyzer-checker=optin.security.taint \ // RUN: -analyzer-checker=debug.ExprInspection \ // RUN: -analyzer-config \ -// RUN: alpha.security.taint.TaintPropagation:Config=justguessit \ +// RUN: optin.security.taint.TaintPropagation:Config=justguessit \ // RUN: 2>&1 | FileCheck %s -check-prefix=CHECK-INVALID-FILE // CHECK-INVALID-FILE: (frontend): invalid input for checker option -// CHECK-INVALID-FILE-SAME: 'alpha.security.taint.TaintPropagation:Config', +// CHECK-INVALID-FILE-SAME: 'optin.security.taint.TaintPropagation:Config', // CHECK-INVALID-FILE-SAME: that expects a valid filename instead of // CHECK-INVALID-FILE-SAME: 'justguessit' // RUN: not %clang_analyze_cc1 -Wno-incompatible-library-redeclaration \ // RUN: -verify %s \ -// RUN: -analyzer-checker=alpha.security.taint \ +// RUN: -analyzer-checker=optin.security.taint \ // RUN: -analyzer-checker=debug.ExprInspection \ // RUN: -analyzer-config \ -// RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config-ill-formed.yaml \ +// RUN: optin.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config-ill-formed.yaml \ // RUN: 2>&1 | FileCheck -DMSG=%errc_EINVAL %s -check-prefix=CHECK-ILL-FORMED // CHECK-ILL-FORMED: (frontend): invalid input for checker option -// CHECK-ILL-FORMED-SAME: 'alpha.security.taint.TaintPropagation:Config', +// CHECK-ILL-FORMED-SAME: 'optin.security.taint.TaintPropagation:Config', // CHECK-ILL-FORMED-SAME: that expects a valid yaml file: [[MSG]] // RUN: not %clang_analyze_cc1 -Wno-incompatible-library-redeclaration \ // RUN: -verify %s \ -// RUN: -analyzer-checker=alpha.security.taint \ +// RUN: -analyzer-checker=optin.security.taint \ // RUN: -analyzer-checker=debug.ExprInspection \ // RUN: -analyzer-config \ -// RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config-invalid-arg.yaml \ +// RUN: optin.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config-invalid-arg.yaml \ // RUN: 2>&1 | FileCheck %s -check-prefix=CHECK-INVALID-ARG // CHECK-INVALID-ARG: (frontend): invalid input for checker option -// CHECK-INVALID-ARG-SAME: 'alpha.security.taint.TaintPropagation:Config', +// CHECK-INVALID-ARG-SAME: 'optin.security.taint.TaintPropagation:Config', // CHECK-INVALID-ARG-SAME: that expects an argument number for propagation // CHECK-INVALID-ARG-SAME: rules greater or equal to -1 diff --git a/clang/test/Analysis/taint-generic.cpp b/clang/test/Analysis/taint-generic.cpp index c907c8f5eeb95..7c0b7e2555161 100644 --- a/clang/test/Analysis/taint-generic.cpp +++ b/clang/test/Analysis/taint-generic.cpp @@ -1,4 +1,4 @@ -// RUN: %clang_analyze_cc1 -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2 -analyzer-config alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config.yaml -Wno-format-security -verify -std=c++11 %s +// RUN: %clang_analyze_cc1 -analyzer-checker=optin.security.taint,core,alpha.security.ArrayBoundV2 -analyzer-config optin.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config.yaml -Wno-format-security -verify -std=c++11 %s #define BUFSIZE 10 int Buffer[BUFSIZE]; diff --git a/clang/test/Analysis/taint-tester.c b/clang/test/Analysis/taint-tester.c index ddfa91021825f..b500a70511fe2 100644 --- a/clang/test/Analysis/taint-tester.c +++ b/clang/test/Analysis/taint-tester.c @@ -1,4 +1,4 @@ -// RUN: %clang_analyze_cc1 -Wno-int-to-pointer-cast -analyzer-checker=alpha.security.taint,debug.TaintTest %s -verify +// RUN: %clang_analyze_cc1 -Wno-int-to-pointer-cast -analyzer-checker=optin.security.taint,debug.TaintTest %s -verify #include "Inputs/system-header-simulator.h" diff --git a/clang/test/Analysis/taint-tester.cpp b/clang/test/Analysis/taint-tester.cpp index 23a92cc56d248..f91d10c1928b9 100644 --- a/clang/test/Analysis/taint-tester.cpp +++ b/clang/test/Analysis/taint-tester.cpp @@ -1,4 +1,4 @@ -// RUN: %clang_analyze_cc1 -analyzer-checker=alpha.security.taint,debug.TaintTest %s -verify +// RUN: %clang_analyze_cc1 -analyzer-checker=optin.security.taint,debug.TaintTest %s -verify // expected-no-diagnostics typedef struct _FILE FILE; diff --git a/clang/test/Analysis/taint-tester.m b/clang/test/Analysis/taint-tester.m index 531c21b5faf88..1340569184e6a 100644 --- a/clang/test/Analysis/taint-tester.m +++ b/clang/test/Analysis/taint-tester.m @@ -1,4 +1,4 @@ -// RUN: %clang_analyze_cc1 -analyzer-checker=alpha.security.taint,debug.TaintTest %s -verify +// RUN: %clang_analyze_cc1 -analyzer-checker=optin.security.taint,debug.TaintTest %s -verify // expected-no-diagnostics #import @@ -14,8 +14,8 @@ void TestLog (NSString *format, ...) { va_list ap; va_start(ap, format); NSString *string = @"AAA: "; - + NSLogv([string stringByAppendingString:format], ap); - + va_end(ap); } \ No newline at end of file diff --git a/clang/utils/analyzer/SATestBuild.py b/clang/utils/analyzer/SATestBuild.py index bc86ed8b64e0e..17e0069f05acc 100644 --- a/clang/utils/analyzer/SATestBuild.py +++ b/clang/utils/analyzer/SATestBuild.py @@ -176,7 +176,7 @@ def stdout(message: str): CHECKERS = ",".join( [ "alpha.unix.SimpleStream", - "alpha.security.taint", + "optin.security.taint", "cplusplus.NewDeleteLeaks", "core", "cplusplus", diff --git a/clang/www/analyzer/alpha_checks.html b/clang/www/analyzer/alpha_checks.html index 181ce1b9de591..b7fb39128c98a 100644 --- a/clang/www/analyzer/alpha_checks.html +++ b/clang/www/analyzer/alpha_checks.html @@ -722,7 +722,7 @@

Security Alpha Checkers

} 
-// note: requires alpha.security.taint check turned on.
+// note: requires optin.security.taint check turned on.
 void test() {
   char s[] = "abc";
   int x = getchar();
@@ -781,8 +781,8 @@ 
Security Alpha Checkers
-