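/* TEMPLATE GENERATED TESTCASE FILE
Filename: CWE78_OS_Command_Injection__wchar_t_listen_socket_w32_spawnvp_74b.cpp
Label Definition File: CWE78_OS_Command_Injection.strings.label.xml
Template File: sources-sink-74b.tmpl.cpp
*/
/*
 * @description
 * CWE: 78 OS Command Injection
 * BadSource: listen_socket Read data using a listen socket (server side)
 * GoodSource: Fixed string
 * Sinks: w32_spawnvp
 *    BadSink : execute command with wspawnvp
 * Flow Variant: 74 Data flow: data passed in a map from one function to another in different source files
 *
 * */

#include "std_testcase.h"

/* NOTE(review): the listing this was restored from had lost the header names
 * after each bare `#include`; <wchar.h>, <process.h>, <unistd.h> and <map> are
 * filled in from what the code below actually uses (wchar_t, _wspawnvp/_P_WAIT,
 * std::map). _wspawnvp and _P_WAIT are MSVC CRT names and are called outside
 * any #ifdef, so the non-_WIN32 branch below is not buildable as written —
 * this "w32" variant is effectively Windows-only. */
#include <wchar.h>
#include <process.h>

#ifdef _WIN32
#define COMMAND_INT_PATH L"%WINDIR%\\system32\\cmd.exe"
#define COMMAND_INT L"cmd.exe"
#define COMMAND_ARG1 L"/c"
#define COMMAND_ARG2 L"dir "
#define COMMAND_ARG3 data
#else /* NOT _WIN32 */
#include <unistd.h>
#define COMMAND_INT_PATH L"/bin/sh"
#define COMMAND_INT L"sh"
#define COMMAND_ARG1 L"-c"
#define COMMAND_ARG2 L"ls "
#define COMMAND_ARG3 data
#endif

#include <map>

using namespace std;

namespace CWE78_OS_Command_Injection__wchar_t_listen_socket_w32_spawnvp_74
{

#ifndef OMITBAD

/* Sink half of flow variant 74 (the bad path).
 *
 * The companion _74a file builds dataMap from the listen_socket source and
 * passes it across the translation-unit boundary; this function pulls entry 2
 * back out and hands it, unvalidated, to the command interpreter as the
 * argument following COMMAND_ARG1 ("/c" or "-c"). Because that argument is
 * parsed by the interpreter rather than treated as a literal, any shell
 * metacharacters in the received data change what gets executed — that is the
 * CWE-78 condition this test case labels.
 *
 * Note that COMMAND_ARG2 ("dir " / "ls ") is defined above but never placed in
 * args[] here; if the test intends a command prefix it must already be inside
 * data (the _74a side is not visible from this file, so treat that as an
 * assumption). Also note that _wspawnvp resolves COMMAND_INT ("cmd.exe"/"sh")
 * through PATH while argv[0] carries the full COMMAND_INT_PATH, so which
 * interpreter binary runs depends on the process environment.
 *
 * @param dataMap  map filled by the producer in _74a; only key 2 is read.
 *                 The template type was reconstructed from that usage.
 */
void badSink(map<int, wchar_t *> dataMap)
{
    /* copy data out of dataMap; map::operator[] value-initialises a missing
     * entry, so a producer that never stored key 2 yields a null pointer here,
     * which silently ends argv right after COMMAND_ARG1 instead of faulting */
    wchar_t * data = dataMap[2];
    {
        /* wide string literals are const wchar_t[N]; binding them to a
         * non-const wchar_t* was deprecated in C++03 and is ill-formed from
         * C++11 on. _wspawnvp takes const wchar_t* const*, so const is the
         * natural element type and changes nothing about the call. */
        const wchar_t *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG3, nullptr};
        /* wspawnvp - searches for the location of the command among
         * the directories specified by the PATH environment variable */
        /* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */
        _wspawnvp(_P_WAIT, COMMAND_INT, args);
    }
}

#endif /* OMITBAD */

#ifndef OMITGOOD

/* goodG2B uses the GoodSource with the BadSink */
/* Sink half of flow variant 74 (the good path).
 *
 * The body is deliberately identical to badSink: the only difference in the
 * goodG2B flow is that the producer in _74a stores a fixed string under key 2
 * instead of socket data. The sink itself is therefore not what separates the
 * good and bad cases — an analyser has to track where dataMap[2] came from,
 * which is why the template keeps the "POTENTIAL FLAW" marker on this call too.
 *
 * @param dataMap  map filled by the producer in _74a; only key 2 is read.
 */
void goodG2BSink(map<int, wchar_t *> dataMap)
{
    /* same null-on-missing-key behaviour as in badSink */
    wchar_t * data = dataMap[2];
    {
        /* const element type for the same reason as in badSink */
        const wchar_t *args[] = {COMMAND_INT_PATH, COMMAND_ARG1, COMMAND_ARG3, nullptr};
        /* wspawnvp - searches for the location of the command among
         * the directories specified by the PATH environment variable */
        /* POTENTIAL FLAW: Execute command without validating input possibly leading to command injection */
        _wspawnvp(_P_WAIT, COMMAND_INT, args);
    }
}

#endif /* OMITGOOD */

} /* close namespace */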