/* TEMPLATE GENERATED TESTCASE FILE Filename: CWE78_OS_Command_Injection__wchar_t_listen_socket_w32spawnvp_61a.c Label Definition File: CWE78_OS_Command_Injection.no_path.label.xml Template File: sources-sink-61a.tmpl.c */ /* * @description * CWE: 78 OS Command Injection * BadSource: listen_socket Read data using a listen socket (server side) * GoodSource: Benign input * Sinks: w32spawnvp * BadSink : execute command with wspawnvp * Flow Variant: 61 Data flow: data returned from one function to another in different source files * * */ #include "std_testcase.h" #include #ifdef _WIN32 # define COMMAND_INT_PATH L"%WINDIR%\\system32\\cmd.exe" # define COMMAND_INT L"cmd.exe" # define COMMAND_ARG1 L"/c" # define COMMAND_ARG2 L"dir" # define COMMAND_ARG3 data #else /* NOT _WIN32 */ # define COMMAND_INT L"sh" # define COMMAND_ARG1 L"ls" # define COMMAND_ARG2 data # define COMMAND_ARG3 NULL #endif #ifdef _WIN32 # include # include # include # define PATH_SZ 100 # pragma comment(lib, "ws2_32") /* include ws2_32.lib when linking */ # define CLOSE_SOCKET closesocket #else # define PATH_SZ PATH_MAX # define INVALID_SOCKET -1 # define SOCKET_ERROR -1 # define CLOSE_SOCKET close # define SOCKET int #endif #define TCP_PORT 27015 #define LISTEN_BACKLOG 5 #include #ifndef OMITBAD /* bad function declaration */ wchar_t * CWE78_OS_Command_Injection__wchar_t_listen_socket_w32spawnvp_61b_bad_source(wchar_t * data); void CWE78_OS_Command_Injection__wchar_t_listen_socket_w32spawnvp_61_bad() { wchar_t * data; wchar_t data_buf[100] = L""; data = data_buf; data = CWE78_OS_Command_Injection__wchar_t_listen_socket_w32spawnvp_61b_bad_source(data); { wchar_t *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL}; /* wspawnvp - searches for the location of the command among * the directories specified by the PATH environment variable */ /* POSSIBLE FLAW: Execute command without validating input possibly leading to command injection */ _wspawnvp(_P_WAIT, COMMAND_INT, args); } } #endif /* OMITBAD */ #ifndef OMITGOOD /* goodG2B uses the GoodSource with the BadSink */ wchar_t * CWE78_OS_Command_Injection__wchar_t_listen_socket_w32spawnvp_61b_goodG2B_source(wchar_t * data); static void goodG2B() { wchar_t * data; wchar_t data_buf[100] = L""; data = data_buf; data = CWE78_OS_Command_Injection__wchar_t_listen_socket_w32spawnvp_61b_goodG2B_source(data); { wchar_t *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG2, COMMAND_ARG3, NULL}; /* wspawnvp - searches for the location of the command among * the directories specified by the PATH environment variable */ /* POSSIBLE FLAW: Execute command without validating input possibly leading to command injection */ _wspawnvp(_P_WAIT, COMMAND_INT, args); } } void CWE78_OS_Command_Injection__wchar_t_listen_socket_w32spawnvp_61_good() { goodG2B(); } #endif /* OMITGOOD */ /* Below is the main(). It is only used when building this testcase on its own for testing or for building a binary to use in testing binary analysis tools. It is not used when compiling all the testcases as one application, which is how source code analysis tools are tested. */ #ifdef INCLUDEMAIN int main(int argc, char * argv[]) { /* seed randomness */ srand( (unsigned)time(NULL) ); #ifndef OMITGOOD printLine("Calling good()..."); CWE78_OS_Command_Injection__wchar_t_listen_socket_w32spawnvp_61_good(); printLine("Finished good()"); #endif /* OMITGOOD */ #ifndef OMITBAD printLine("Calling bad()..."); CWE78_OS_Command_Injection__wchar_t_listen_socket_w32spawnvp_61_bad(); printLine("Finished bad()"); #endif /* OMITBAD */ return 0; } #endif