/* TEMPLATE GENERATED TESTCASE FILE Filename: CWE78_OS_Command_Injection__wchar_t_listen_socket_w32_spawnvp_61a.c Label Definition File: CWE78_OS_Command_Injection.strings.label.xml Template File: sources-sink-61a.tmpl.c */ /* * @description * CWE: 78 OS Command Injection * BadSource: listen_socket Read data using a listen socket (server side) * GoodSource: Fixed string * Sinks: w32_spawnvp * BadSink : execute command with wspawnvp * Flow Variant: 61 Data flow: data returned from one function to another in different source files * * */ #include "std_testcase.h" #include #ifdef _WIN32 #define COMMAND_INT_PATH L"%WINDIR%\\system32\\cmd.exe" #define COMMAND_INT L"cmd.exe" #define COMMAND_ARG1 L"/c" #define COMMAND_ARG2 L"dir " #define COMMAND_ARG3 data #else /* NOT _WIN32 */ #include #define COMMAND_INT_PATH L"/bin/sh" #define COMMAND_INT L"sh" #define COMMAND_ARG1 L"-c" #define COMMAND_ARG2 L"ls " #define COMMAND_ARG3 data #endif #ifdef _WIN32 #include #include #include #pragma comment(lib, "ws2_32") /* include ws2_32.lib when linking */ #define CLOSE_SOCKET closesocket #else #include #include #include #include #define INVALID_SOCKET -1 #define SOCKET_ERROR -1 #define CLOSE_SOCKET close #define SOCKET int #endif #define TCP_PORT 27015 #define LISTEN_BACKLOG 5 #include #ifndef OMITBAD /* bad function declaration */ wchar_t * CWE78_OS_Command_Injection__wchar_t_listen_socket_w32_spawnvp_61b_badSource(wchar_t * data); void CWE78_OS_Command_Injection__wchar_t_listen_socket_w32_spawnvp_61_bad() { wchar_t * data; wchar_t dataBuffer[100] = COMMAND_ARG2; data = dataBuffer; data = CWE78_OS_Command_Injection__wchar_t_listen_socket_w32_spawnvp_61b_badSource(data); { wchar_t *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG3, NULL}; /* wspawnvp - searches for the location of the command among * the directories specified by the PATH environment variable */ /* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */ _wspawnvp(_P_WAIT, COMMAND_INT, args); } } #endif /* OMITBAD */ #ifndef OMITGOOD /* goodG2B uses the GoodSource with the BadSink */ wchar_t * CWE78_OS_Command_Injection__wchar_t_listen_socket_w32_spawnvp_61b_goodG2BSource(wchar_t * data); static void goodG2B() { wchar_t * data; wchar_t dataBuffer[100] = COMMAND_ARG2; data = dataBuffer; data = CWE78_OS_Command_Injection__wchar_t_listen_socket_w32_spawnvp_61b_goodG2BSource(data); { wchar_t *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG3, NULL}; /* wspawnvp - searches for the location of the command among * the directories specified by the PATH environment variable */ /* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */ _wspawnvp(_P_WAIT, COMMAND_INT, args); } } void CWE78_OS_Command_Injection__wchar_t_listen_socket_w32_spawnvp_61_good() { goodG2B(); } #endif /* OMITGOOD */ /* Below is the main(). It is only used when building this testcase on * its own for testing or for building a binary to use in testing binary * analysis tools. It is not used when compiling all the testcases as one * application, which is how source code analysis tools are tested. */ #ifdef INCLUDEMAIN int main(int argc, char * argv[]) { /* seed randomness */ srand( (unsigned)time(NULL) ); #ifndef OMITGOOD printLine("Calling good()..."); CWE78_OS_Command_Injection__wchar_t_listen_socket_w32_spawnvp_61_good(); printLine("Finished good()"); #endif /* OMITGOOD */ #ifndef OMITBAD printLine("Calling bad()..."); CWE78_OS_Command_Injection__wchar_t_listen_socket_w32_spawnvp_61_bad(); printLine("Finished bad()"); #endif /* OMITBAD */ return 0; } #endif