• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 //=== Taint.h - Taint tracking and basic propagation rules. --------*- C++ -*-//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // Defines basic, non-domain-specific mechanisms for tracking tainted values.
10 //
11 //===----------------------------------------------------------------------===//
12 
13 #ifndef LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_TAINT_H
14 #define LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_TAINT_H
15 
16 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h"
17 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
18 
19 namespace clang {
20 namespace ento {
21 namespace taint {
22 
23 /// The type of taint, which helps to differentiate between different types of
24 /// taint.
25 using TaintTagType = unsigned;
26 
27 static constexpr TaintTagType TaintTagGeneric = 0;
28 
29 /// Create a new state in which the value of the statement is marked as tainted.
30 LLVM_NODISCARD ProgramStateRef addTaint(ProgramStateRef State, const Stmt *S,
31                                         const LocationContext *LCtx,
32                                         TaintTagType Kind = TaintTagGeneric);
33 
34 /// Create a new state in which the value is marked as tainted.
35 LLVM_NODISCARD ProgramStateRef addTaint(ProgramStateRef State, SVal V,
36                                         TaintTagType Kind = TaintTagGeneric);
37 
38 /// Create a new state in which the symbol is marked as tainted.
39 LLVM_NODISCARD ProgramStateRef addTaint(ProgramStateRef State, SymbolRef Sym,
40                                         TaintTagType Kind = TaintTagGeneric);
41 
42 /// Create a new state in which the pointer represented by the region
43 /// is marked as tainted.
44 LLVM_NODISCARD ProgramStateRef addTaint(ProgramStateRef State,
45                                         const MemRegion *R,
46                                         TaintTagType Kind = TaintTagGeneric);
47 
48 LLVM_NODISCARD ProgramStateRef removeTaint(ProgramStateRef State, SVal V);
49 
50 LLVM_NODISCARD ProgramStateRef removeTaint(ProgramStateRef State,
51                                            const MemRegion *R);
52 
53 LLVM_NODISCARD ProgramStateRef removeTaint(ProgramStateRef State,
54                                            SymbolRef Sym);
55 
56 /// Create a new state in a which a sub-region of a given symbol is tainted.
57 /// This might be necessary when referring to regions that can not have an
58 /// individual symbol, e.g. if they are represented by the default binding of
59 /// a LazyCompoundVal.
60 LLVM_NODISCARD ProgramStateRef addPartialTaint(
61     ProgramStateRef State, SymbolRef ParentSym, const SubRegion *SubRegion,
62     TaintTagType Kind = TaintTagGeneric);
63 
64 /// Check if the statement has a tainted value in the given state.
65 bool isTainted(ProgramStateRef State, const Stmt *S,
66                const LocationContext *LCtx,
67                TaintTagType Kind = TaintTagGeneric);
68 
69 /// Check if the value is tainted in the given state.
70 bool isTainted(ProgramStateRef State, SVal V,
71                TaintTagType Kind = TaintTagGeneric);
72 
73 /// Check if the symbol is tainted in the given state.
74 bool isTainted(ProgramStateRef State, SymbolRef Sym,
75                TaintTagType Kind = TaintTagGeneric);
76 
77 /// Check if the pointer represented by the region is tainted in the given
78 /// state.
79 bool isTainted(ProgramStateRef State, const MemRegion *Reg,
80                TaintTagType Kind = TaintTagGeneric);
81 
82 void printTaint(ProgramStateRef State, raw_ostream &Out, const char *nl = "\n",
83                 const char *sep = "");
84 
85 LLVM_DUMP_METHOD void dumpTaint(ProgramStateRef State);
86 
87 /// The bug visitor prints a diagnostic message at the location where a given
88 /// variable was tainted.
89 class TaintBugVisitor final : public BugReporterVisitor {
90 private:
91   const SVal V;
92 
93 public:
TaintBugVisitor(const SVal V)94   TaintBugVisitor(const SVal V) : V(V) {}
Profile(llvm::FoldingSetNodeID & ID)95   void Profile(llvm::FoldingSetNodeID &ID) const override { ID.Add(V); }
96 
97   PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
98                                    BugReporterContext &BRC,
99                                    PathSensitiveBugReport &BR) override;
100 };
101 
102 } // namespace taint
103 } // namespace ento
104 } // namespace clang
105 
106 #endif
107