CWE-78¶

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’). [Data-Neutralization-Issues, Improper-Neutralization, Top25-2024-7]

Required inputs: IR, StaticSemanticAnalysis

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

This could allow attackers to execute unexpected, dangerous commands directly on the operating system. This weakness can lead to a vulnerability in environments in which the attacker does not have direct access to the operating system, such as in web applications. Alternately, if the weakness occurs in a privileged program, it could allow the attacker to specify commands that normally would not be accessible, or to call alternate commands with privileges that the attacker does not have. The problem is exacerbated if the compromised process does not follow the principle of least privilege, because the attacker-controlled commands may run with special system privileges that increases the amount of damage.

There are at least two subtypes of OS command injection:

The application intends to execute a single, fixed program that is under its own control. It intends to use externally-supplied inputs as arguments to that program. For example, the program might use system("nslookup [HOSTNAME]") to run nslookup and allow the user to supply a HOSTNAME, which is used as an argument. Attackers cannot prevent nslookup from executing. However, if the program does not remove command separators from the HOSTNAME argument, attackers could place the separators into the arguments, which allows them to execute their own program after nslookup has finished executing.
The application accepts an input that it uses to fully select which program to run, as well as which commands to use. The application simply redirects this entire command to the operating system. For example, the program might use "exec([COMMAND])" to execute the [COMMAND] that was supplied by the user. If the COMMAND is under attacker control, then the attacker can execute arbitrary commands or programs. If the command is being executed using functions like exec() and CreateProcess(), the attacker might not be able to combine multiple commands together in the same line.

From a weakness standpoint, these variants represent distinct programmer errors. In the first variant, the programmer clearly intends that input from untrusted parties will be part of the arguments in the command to be executed. In the second variant, the programmer does not intend for the command to be accessible to any untrusted party, but the programmer probably has not accounted for alternate ways in which malicious attackers can provide input.

Demonstrative Examples Functional Areas

Example 1

This example code intends to take the name of a user and list the contents of that user's home directory. It is subject to the first variant of OS command injection.

Example Language:PHP (Unsupported language for documentation only)
    $userName = $_POST["user"];
    $command = 'ls -l /home/' . $userName;
    system($command);

The $userName variable is not checked for malicious input. An attacker could set the $userName variable to an arbitrary OS command such as:

(attack code)

    ;rm -rf /

Which would result in $command being:

(result)

    ls -l /home/;rm -rf /

Since the semi-colon is a command separator in Unix, the OS would first execute the ls command, then the rm command, deleting the entire file system.

Also note that this example code is vulnerable to Path Traversal (CWE-22) and Untrusted Search Path (CWE-426) attacks.

Example 2

The following simple program accepts a filename as a command line argument and displays the contents of the file back to the user. The program is installed setuid root because it is intended for use as a learning tool to allow system administrators in-training to inspect privileged system files without giving them the ability to modify them or damage the system.

Example Language:C
    int main(int argc, char** argv) {
        char cmd[CMD_MAX] = "/usr/bin/cat ";
        strcat(cmd, argv[1]);
        system(cmd);
    }

Because the program runs with root privileges, the call to system() also executes with root privileges. If a user specifies a standard filename, the call works as expected. However, if an attacker passes a string of the form ";rm -rf /", then the call to system() fails to execute cat due to a lack of arguments and then plows on to recursively delete the contents of the root partition.

Note that if argv[1] is a very long argument, then this issue might also be subject to a buffer overflow (CWE-120).

Example 3

This example is a web application that intends to perform a DNS lookup of a user-supplied domain name. It is subject to the first variant of OS command injection.

Example Language:Perl (Unsupported language for documentation only)
    use CGI qw(:standard);
    $name = param('name');
    $nslookup = "/path/to/nslookup";
    print header;
    if (open($fh, "$nslookup $name|")) {
        while (<$fh>) {
            print escapeHTML($_);
            print "<br>\n";
        }
        close($fh);
    }

Suppose an attacker provides a domain name like this:

(attack code)

    cwe.mitre.org%20%3B%20/bin/ls%20-l

The "%3B" sequence decodes to the ";" character, and the %20 decodes to a space. The open() statement would then process a string like this:

(result)

    /path/to/nslookup cwe.mitre.org ; /bin/ls -l

As a result, the attacker executes the "/bin/ls -l" command and gets a list of all the files in the program's working directory. The input could be replaced with much more dangerous commands, such as installing a malicious program on the server.

Example 4

The example below reads the name of a shell script to execute from the system properties. It is subject to the second variant of OS command injection.

Example Language:Java (Unsupported language for documentation only)
    String script = System.getProperty("SCRIPTNAME");
    if (script != null)
        System.exec(script);

If an attacker has control over this property, then they could modify the property to point to a dangerous program.

Example 5

In the example below, a method is used to transform geographic coordinates from latitude and longitude format to UTM format. The method gets the input coordinates from a user through a HTTP request and executes a program local to the application server that performs the transformation. The method passes the latitude and longitude coordinates as a command-line option to the external program and will perform some processing to retrieve the results of the transformation and return the resulting UTM coordinates.

Example Language:Java (Unsupported language for documentation only)
    public String coordinateTransformLatLonToUTM(String coordinates)
    {
        String utmCoords = null;
        try {
            String latlonCoords = coordinates;
            Runtime rt = Runtime.getRuntime();
            Process exec = rt.exec("cmd.exe /C latlon2utm.exe -" + latlonCoords);
            // process results of coordinate transform

            // ...
        }
        catch(Exception e) {...}
        return utmCoords;
    }

However, the method does not verify that the contents of the coordinates input parameter includes only correctly-formatted latitude and longitude coordinates. If the input coordinates were not validated prior to the call to this method, a malicious user could execute another program local to the application server by appending '&' followed by the command for another program to the end of the coordinate string. The '&' instructs the Windows operating system to execute another program.

Example 6

The following code is from an administrative web application designed to allow users to kick off a backup of an Oracle database using a batch-file wrapper around the rman utility and then run a cleanup.bat script to delete some temporary files. The script rmanDB.bat accepts a single command line parameter, which specifies what type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user.

Example Language:Java (Unsupported language for documentation only)
    ...
    String btype = request.getParameter("backuptype");
    String cmd = new String("cmd.exe /K \"
        c:\\util\\rmanDB.bat "
        +btype+
        "&&c:\\utl\\cleanup.bat\"")

    System.Runtime.getRuntime().exec(cmd);
    ...

The problem here is that the program does not do any validation on the backuptype parameter read from the user. Typically the Runtime.exec() function will not execute multiple commands, but in this case the program first runs the cmd.exe shell in order to run multiple commands with a single call to Runtime.exec(). Once the shell is invoked, it will happily execute multiple commands separated by two ampersands. If an attacker passes a string of the form "& del c:\\dbms\\*.*", then the application will execute this command along with the others specified by the program. Because of the nature of the application, it runs with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well.

Demonstrative Examples Functional Areas

Program Invocation

Possible Messages

Key	Text	Severity	Disabled
unchecked_external_value	Executing OS command without neutralization of special elements.	None	False

Options¶

This rule shares the following common options: exclude_in_macros, exclude_messages_in_system_headers, excludes, extend_exclude_to_macro_invocations, includes, justification_checker, languages, post_processing, provider, report_at, severity
The following places define options that affect this rule: Stylechecks, Analysis-GlobalOptions

all_external_functions_as_sinks¶

all_external_functions_as_sinks : bool = False

If true, consider all external functions as possible sinks, for which consuming unchecked inputs of interest shall be reported. To exclude particular external functions, please use the sinks option.

all_external_functions_as_sources¶

all_external_functions_as_sources : bool = True

If true, consider all external functions as possible origin of values whose unchecked consumption by sinks shall be reported. To exclude particular external functions, please use the external_sources option.

external_sources¶

Description of the possible sources of external values.

external_sources.arguments_of

Description of functions for which pointer arguments should be treated as an external value that must be checked after calling the function. For each function, an argument specifier needs to be set that describes a selection of argument numbers that shall be considered. A number x is considered iff (x >= argument_range_min and x <= argument_range_max and argument_numbers_set.empty()) or x in argument_numbers_set. If the table is empty, all non-const pointer parameters of external functions are checked.

external_sources.arguments_of.excluded

Type: dict[bauhaus.analysis.config.QualifiedName, ArgumentSpecifier]

Default:

{
   '__axivion_add_local_static__':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '__axivion_get_array_size__':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '__axivion_get_polymorphic_size__':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '__builtin___strcat_chk':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0, 1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '__builtin___strcpy_chk':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0, 1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '__builtin_memcpy':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '__sigsetjmp':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'bcopy':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'confstr':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'fclose':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'ferror':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'fflush':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'fgetc':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'fileno':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'fprintf':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'free':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'fstat':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'getcwd':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'getgroups':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'gethostname':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'getrlimit':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'getrusage':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'memcpy':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'memmove':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'memset':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'mremap':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'munmap':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'operator delete':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'operator delete[]':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pclose':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pipe':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'printf':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pthread_mutex_destroy':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pthread_mutex_init':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pthread_mutex_lock':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pthread_mutex_trylock':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pthread_mutex_unlock':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pthread_mutexattr_destroy':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pthread_mutexattr_init':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pthread_mutexattr_settype':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'putc':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'qsort':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'read':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'realloc':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'regfree':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'sigaddset':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'sigdelset':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'sigemptyset':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'sigfillset':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'sprintf':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'std::operator<<':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'strcat':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0, 1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'strcpy':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0, 1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'strncat':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0, 1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'strncpy':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0, 1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'tcgetattr':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'time':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'vsnprintf':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'waitpid':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'wmemset':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   )
}

Functions which should be exempt from the set of functions for which the arguments should be checked before using them.

external_sources.arguments_of.functions

Type: dict[bauhaus.analysis.config.QualifiedName, ArgumentSpecifier]

Default:

{
   'fgets':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'fread':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'fscanf':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=2
   ),
   'fscanf_s':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=2
   ),
   'recv':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'scanf':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=1
   ),
   'scanf_s':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=1
   )
}

Table of functions and argument specifiers where the function sets the matched arguments to an external value that must be checked before use. If the table is empty, all non-const pointer parameters of external functions are checked, except for functions listed in the arguments_of.excluded option.

external_sources.parameters_of

Functions configured as entry points (including main) for which the parameters should be checked before using them. If the set is empty, all entry points are checked.

external_sources.parameters_of.excluded : set[bauhaus.analysis.config.QualifiedName] = set()
Functions which should be exempt from the set of functions for which the parameters should be checked before using them.

external_sources.parameters_of.functions : set[bauhaus.analysis.config.QualifiedName] = set()
Functions configured as entry points (including main) for which the parameters should be checked before using them. If the set is empty, all entry points are checked.

external_sources.return_values_of

Functions for which the return value should be considered an external value that must be checked before use.

external_sources.return_values_of.excluded

Type: set[bauhaus.analysis.config.QualifiedName]

Default: {'__acrt_iob_func', '__builtin_alloca', '__builtin_ctz', '__builtin_ia32_pblendw128', '__builtin_ia32_pshufd', '__builtin_ia32_pshufhw', '__builtin_ia32_pshuflw', '__builtin_ia32_pslldqi128', '__builtin_ia32_psrldqi128', '__builtin_ia32_shufps', '__builtin_isinf', '__builtin_isinff', '__builtin_isnan', '__builtin_isnanf', '__ctype_b_loc', '__ctype_get_mb_cur_max', '__errno_location', '__iob_func', '__sigsetjmp', '_mm256_abs_epi16', '_mm256_abs_epi32', '_mm256_abs_epi8', '_mm256_add_epi16', '_mm256_add_epi32', '_mm256_add_epi64', '_mm256_add_epi8', '_mm256_add_pd', '_mm256_add_ps', '_mm256_adds_epi16', '_mm256_adds_epi8', '_mm256_adds_epu16', '_mm256_adds_epu8', '_mm256_alignr_epi8', '_mm256_and_pd', '_mm256_and_ps', '_mm256_and_si256', '_mm256_blend_epi32', '_mm256_blend_pd', '_mm256_blend_ps', '_mm256_blendv_epi8', '_mm256_blendv_pd', '_mm256_blendv_ps', '_mm256_broadcastsi128_si256', '_mm256_castpd128_pd256', '_mm256_castpd256_pd128', '_mm256_castpd_ps', '_mm256_castpd_si256', '_mm256_castps128_ps256', '_mm256_castps256_ps128', '_mm256_castps_pd', '_mm256_castps_si256', '_mm256_castsi128_si256', '_mm256_castsi256_pd', '_mm256_castsi256_ps', '_mm256_castsi256_si128', '_mm256_cmp_pd', '_mm256_cmp_ps', '_mm256_cmpeq_epi16', '_mm256_cmpeq_epi32', '_mm256_cmpeq_epi64', '_mm256_cmpeq_epi8', '_mm256_cmpgt_epi16', '_mm256_cmpgt_epi32', '_mm256_cmpgt_epi8', '_mm256_cvtepi16_epi32', '_mm256_cvtepi32_epi64', '_mm256_cvtepi32_pd', '_mm256_cvtepi32_ps', '_mm256_cvtepi8_epi16', '_mm256_cvtepi8_epi32', '_mm256_cvtepu16_epi32', '_mm256_cvtepu32_epi64', '_mm256_cvtepu8_epi16', '_mm256_cvtepu8_epi32', '_mm256_cvtpd_epi32', '_mm256_cvtpd_ps', '_mm256_cvtph_ps', '_mm256_cvtps_epi32', '_mm256_cvtps_pd', '_mm256_cvtps_ph', '_mm256_cvttpd_epi32', '_mm256_cvttps_epi32', '_mm256_div_pd', '_mm256_div_ps', '_mm256_extractf128_pd', '_mm256_extractf128_ps', '_mm256_extracti128_si256', '_mm256_fmadd_pd', '_mm256_fmadd_ps', '_mm256_hadd_epi32', '_mm256_hadd_ps', '_mm256_i32gather_epi32', '_mm256_i32gather_epi64', '_mm256_i32gather_pd', '_mm256_i32gather_ps', '_mm256_insertf128_pd', '_mm256_insertf128_ps', '_mm256_inserti128_si256', '_mm256_load_pd', '_mm256_load_ps', '_mm256_load_si256', '_mm256_loadu_pd', '_mm256_loadu_ps', '_mm256_loadu_si256', '_mm256_madd_epi16', '_mm256_max_epi16', '_mm256_max_epi32', '_mm256_max_epi8', '_mm256_max_epu16', '_mm256_max_epu32', '_mm256_max_epu8', '_mm256_max_pd', '_mm256_max_ps', '_mm256_min_epi16', '_mm256_min_epi32', '_mm256_min_epi8', '_mm256_min_epu16', '_mm256_min_epu32', '_mm256_min_epu8', '_mm256_min_pd', '_mm256_min_ps', '_mm256_movemask_epi8', '_mm256_movemask_pd', '_mm256_movemask_ps', '_mm256_mul_epi32', '_mm256_mul_epu32', '_mm256_mul_pd', '_mm256_mul_ps', '_mm256_mulhi_epi16', '_mm256_mulhi_epu16', '_mm256_mullo_epi16', '_mm256_mullo_epi32', '_mm256_or_pd', '_mm256_or_ps', '_mm256_or_si256', '_mm256_packs_epi32', '_mm256_packus_epi32', '_mm256_permute2f128_pd', '_mm256_permute2f128_ps', '_mm256_permute2x128_si256', '_mm256_permute4x64_epi64', '_mm256_permute4x64_pd', '_mm256_permute_ps', '_mm256_permutevar8x32_epi32', '_mm256_permutevar8x32_ps', '_mm256_round_pd', '_mm256_round_ps', '_mm256_rsqrt_ps', '_mm256_sad_epu8', '_mm256_set1_epi16', '_mm256_set1_epi32', '_mm256_set1_epi64x', '_mm256_set1_epi8', '_mm256_set1_pd', '_mm256_set1_ps', '_mm256_set_epi64x', '_mm256_setr_epi16', '_mm256_setr_epi32', '_mm256_setr_epi8', '_mm256_setzero_pd', '_mm256_setzero_ps', '_mm256_setzero_si256', '_mm256_shuffle_epi32', '_mm256_shuffle_epi8', '_mm256_shuffle_pd', '_mm256_slli_epi16', '_mm256_slli_epi32', '_mm256_slli_epi64', '_mm256_slli_si256', '_mm256_sqrt_pd', '_mm256_sqrt_ps', '_mm256_srai_epi16', '_mm256_srai_epi32', '_mm256_srli_epi16', '_mm256_srli_epi32', '_mm256_srli_epi64', '_mm256_srli_si256', '_mm256_sub_epi16', '_mm256_sub_epi32', '_mm256_sub_epi64', '_mm256_sub_epi8', '_mm256_sub_pd', '_mm256_sub_ps', '_mm256_subs_epi16', '_mm256_subs_epi8', '_mm256_subs_epu16', '_mm256_subs_epu8', '_mm256_unpackhi_epi16', '_mm256_unpackhi_epi32', '_mm256_unpackhi_epi64', '_mm256_unpackhi_epi8', '_mm256_unpackhi_pd', '_mm256_unpackhi_ps', '_mm256_unpacklo_epi16', '_mm256_unpacklo_epi32', '_mm256_unpacklo_epi64', '_mm256_unpacklo_epi8', '_mm256_unpacklo_pd', '_mm256_unpacklo_ps', '_mm256_xor_pd', '_mm256_xor_ps', '_mm256_xor_si256', '_mm_add_epi16', '_mm_add_epi32', '_mm_add_epi64', '_mm_add_epi8', '_mm_add_pd', '_mm_add_ps', '_mm_adds_epi16', '_mm_adds_epi8', '_mm_adds_epu16', '_mm_adds_epu8', '_mm_addsub_ps', '_mm_and_pd', '_mm_and_ps', '_mm_and_si128', '_mm_andnot_si128', '_mm_blend_epi16', '_mm_blendv_epi8', '_mm_blendv_pd', '_mm_blendv_ps', '_mm_castpd_ps', '_mm_castpd_si128', '_mm_castps_pd', '_mm_castps_si128', '_mm_castsi128_pd', '_mm_castsi128_ps', '_mm_cmpeq_epi16', '_mm_cmpeq_epi32', '_mm_cmpeq_epi64', '_mm_cmpeq_epi8', '_mm_cmpeq_pd', '_mm_cmpeq_ps', '_mm_cmpge_pd', '_mm_cmpge_ps', '_mm_cmpgt_epi16', '_mm_cmpgt_epi32', '_mm_cmpgt_epi8', '_mm_cmpgt_pd', '_mm_cmpgt_ps', '_mm_cmple_pd', '_mm_cmple_ps', '_mm_cmplt_pd', '_mm_cmplt_ps', '_mm_cmpneq_pd', '_mm_cmpneq_ps', '_mm_cmpord_pd', '_mm_cmpord_ps', '_mm_cvt_ss2si', '_mm_cvtepi16_epi32', '_mm_cvtepi32_epi64', '_mm_cvtepi32_pd', '_mm_cvtepi32_ps', '_mm_cvtepi8_epi16', '_mm_cvtepi8_epi32', '_mm_cvtepu16_epi32', '_mm_cvtepu32_epi64', '_mm_cvtepu8_epi16', '_mm_cvtepu8_epi32', '_mm_cvtpd_epi32', '_mm_cvtpd_ps', '_mm_cvtph_ps', '_mm_cvtps_epi32', '_mm_cvtps_pd', '_mm_cvtps_ph', '_mm_cvtsd_f64', '_mm_cvtsd_si32', '_mm_cvtsi128_si32', '_mm_cvtsi128_si64', '_mm_cvtss_f32', '_mm_cvttpd_epi32', '_mm_cvttps_epi32', '_mm_div_pd', '_mm_div_ps', '_mm_fmadd_pd', '_mm_fmadd_ps', '_mm_hadd_ps', '_mm_load_pd', '_mm_load_ps', '_mm_load_si128', '_mm_load_ss', '_mm_loadh_pi', '_mm_loadl_epi64', '_mm_loadl_pi', '_mm_loadu_pd', '_mm_loadu_ps', '_mm_loadu_si128', '_mm_madd_epi16', '_mm_max_epi16', '_mm_max_epi32', '_mm_max_epi8', '_mm_max_epu16', '_mm_max_epu32', '_mm_max_epu8', '_mm_max_pd', '_mm_max_ps', '_mm_min_epi16', '_mm_min_epi32', '_mm_min_epi8', '_mm_min_epu16', '_mm_min_epu32', '_mm_min_epu8', '_mm_min_pd', '_mm_min_ps', '_mm_movehdup_ps', '_mm_movehl_ps', '_mm_moveldup_ps', '_mm_movelh_ps', '_mm_movemask_epi8', '_mm_movemask_pd', '_mm_movemask_ps', '_mm_mul_epi32', '_mm_mul_epu32', '_mm_mul_pd', '_mm_mul_ps', '_mm_mulhi_epi16', '_mm_mulhi_epu16', '_mm_mullo_epi16', '_mm_mullo_epi32', '_mm_or_pd', '_mm_or_ps', '_mm_or_si128', '_mm_packs_epi16', '_mm_packs_epi32', '_mm_packus_epi16', '_mm_packus_epi32', '_mm_permute_ps', '_mm_popcnt_u32', '_mm_popcnt_u64', '_mm_rsqrt_ps', '_mm_sad_epu8', '_mm_set1_epi16', '_mm_set1_epi32', '_mm_set1_epi64x', '_mm_set1_epi8', '_mm_set1_pd', '_mm_set_epi32', '_mm_set_epi64x', '_mm_set_ps', '_mm_set_ps1', '_mm_set_sd', '_mm_set_ss', '_mm_setr_epi16', '_mm_setr_epi32', '_mm_setr_epi8', '_mm_setr_pd', '_mm_setr_ps', '_mm_setzero_pd', '_mm_setzero_ps', '_mm_setzero_si128', '_mm_shuffle_epi32', '_mm_shuffle_epi8', '_mm_shuffle_ps', '_mm_shufflehi_epi16', '_mm_shufflelo_epi16', '_mm_sll_epi32', '_mm_slli_epi16', '_mm_slli_epi32', '_mm_slli_epi64', '_mm_slli_si128', '_mm_sqrt_pd', '_mm_sqrt_ps', '_mm_srai_epi16', '_mm_srai_epi32', '_mm_srli_epi16', '_mm_srli_epi32', '_mm_srli_epi64', '_mm_srli_si128', '_mm_sub_epi16', '_mm_sub_epi32', '_mm_sub_epi64', '_mm_sub_epi8', '_mm_sub_pd', '_mm_sub_ps', '_mm_subs_epi16', '_mm_subs_epi8', '_mm_subs_epu16', '_mm_subs_epu8', '_mm_unpackhi_epi16', '_mm_unpackhi_epi32', '_mm_unpackhi_epi64', '_mm_unpackhi_epi8', '_mm_unpackhi_pd', '_mm_unpackhi_ps', '_mm_unpacklo_epi16', '_mm_unpacklo_epi32', '_mm_unpacklo_epi64', '_mm_unpacklo_epi8', '_mm_unpacklo_pd', '_mm_unpacklo_ps', '_mm_xor_pd', '_mm_xor_ps', '_mm_xor_si128', 'a64l', 'abs', 'acos', 'atan', 'atan2', 'atof', 'atoi', 'atol', 'calloc', 'close', 'cos', 'cvAlloc', 'dup', 'dup2', 'exp', 'fabs', 'fastMalloc', 'fchmod', 'fchown', 'fcntl', 'fileno', 'floor', 'fork', 'fputs', 'ftell', 'ftruncate', 'fwrite', 'getaddrinfo', 'getdtablesize', 'getegid', 'geteuid', 'getgid', 'getgrent', 'getgroups', 'getpagesize', 'getpgrp', 'getpid', 'getppid', 'getpwent', 'getpwnam', 'getpwuid', 'getservent', 'gettext', 'getuid', 'htonl', 'htons', 'iconv_open', 'inet_addr', 'ippicvMalloc_L', 'iswctype', 'localtime', 'log', 'log10', 'lseek', 'malloc', 'mblen', 'mbrlen', 'mbrtowc', 'mbsnrtowcs', 'mbstowcs', 'memcmp', 'memcpy', 'mmap', 'mremap', 'munmap', 'ntohl', 'ntohs', 'operator new', 'operator new[]', 'operator=', 'pow', 'printf', 'pthread_self', 'rand', 'readlink', 'realloc', 'rmdir', 'sbrk', 'setlocale', 'sigprocmask', 'sin', 'socket', 'sqrt', 'std::abs', 'std::acos', 'std::atan', 'std::atan2', 'std::basic_ostream::operator<<', 'std::floor', 'std::make_error_code', 'std::operator<<', 'std::operator|', 'strchr', 'strchrnul', 'strcmp', 'strcpy', 'strdup', 'strerror', 'strlen', 'strncasecmp', 'strncmp', 'strncpy', 'strnlen', 'strpbrk', 'strrchr', 'strsignal', 'strstr', 'strtod', 'strtoimax', 'strtol', 'strtold', 'strtoul', 'strtoull', 'strtoumax', 'strtouq', 'sysconf', 'tcgetpgrp', 'tcsetattr', 'time', 'tmpnam', 'tolower', 'toupper', 'towlower', 'towupper', 'ttyname', 'umask', 'unlink', 'vsnprintf', 'wcrtomb', 'wcscat', 'wcscpy', 'wcsdup', 'wcslen', 'wcsrtombs', 'wcswidth', 'wctob', 'wctomb', 'wctype', 'wcwidth', 'write'}

Functions which should be exempt from the set of functions for which the return value should be treated as an external value.

external_sources.return_values_of.functions : set[bauhaus.analysis.config.QualifiedName] = {'getc', 'getchar', 'getenv'}
Functions for which the return value should be considered an external value that must be checked before use. If the set is empty, all return values of external functions are checked.

is_acceptable_use_in_condition¶

is_acceptable_use_in_condition

Type: typing.Callable[[bauhaus.ir.Node, bauhaus.rules.axivion.expressions.generic.taint_analysis.ExternalValue, bauhaus.ir.Node, bauhaus.ir.Node], bool] | None

Default: None

If given, this predicate is used to check a condition further that involves the value received from an external source. The predicate receives the following arguments: check: The PIR node of type Conditional_Interface in whose condition the external value is used, or a Relational_Operator using it inside the operands val: The ExternalValue object representing the value received from an external source node: The PIR node representing the use of the external value use: The LIR node corresponding to the use The return value should be True iff the use of the external value inside this condition is ok (e.g. because that's a check validating the value).

is_relevant_usage¶

is_relevant_usage

Type: typing.Callable[[bauhaus.rules.axivion.expressions.generic.taint_analysis.ExternalValue, bauhaus.ir.Node, bauhaus.ir.Node], bool] | None

Default: None

If given, this predicate is used to check if a usage of tainted input is relevant for the analysis. This can be used to restrict the analysis to certain types of usages only. The predicate receives the following arguments: val: The ExternalValue object representing the value received from an external source node: The PIR node representing the use of the external value use: The LIR node corresponding to the use The return value should be True if the use of the external value inside this condition is relevant, i.e., if an error message should be issued by the rule. If the return value is False, the message is discarded.

is_sufficient_preceding_check¶

is_sufficient_preceding_check

Type: typing.Callable[[bauhaus.ir.Node, bauhaus.rules.axivion.expressions.generic.taint_analysis.ExternalValue, bauhaus.ir.Node, bauhaus.ir.Node, _iranalysis.Basic_Block], bool] | None

Default: None

If given, this predicate is used to check a condition further that involves the value received from an external source and which happens before the use being checked. It should also check whether the right branch was taken. The predicate receives the following arguments: check: The PIR node of type Conditional_Interface in which's condition the external value is used val: The ExternalValue object representing the value received from an external source node: The PIR node representing the use of the external value inside the condition use: The LIR node for the use being checked (after the condition) branch: The iranalysis block representing the branch taken at the condition The return value should be True iff the condition is sufficiently checking the validity of this external value.

maximum_reports_per_source_location¶

maximum_reports_per_source_location : int = 10

Maximum number of reported sinks per source location. For no limitation of reported sinks per source, set to 0. Caution: no limitation here may lead to a substantial amount of reported issues.

omit_implicitly_passed_this¶

omit_implicitly_passed_this : bool = True

If true, do not report implicitly passed this arguments.

only_report_arguments¶

only_report_arguments : bool = True

If true, only report arguments to sink functions. Otherwise, report all usages of tainted values.

sanitizer_functions¶

sanitizer_functions

Type: dict[bauhaus.analysis.config.QualifiedName, ArgumentSpecifier]

Default: {}

Description of sanitizing functions with the number of the sanitized argument.

sanitizer_macros¶

sanitizer_macros

Type: dict[bauhaus.analysis.config.QualifiedName, ArgumentSpecifier]

Default: {}

Description of sanitizing macros with the number of the sanitized argument.

sinks¶

Description of the possible sinks for which flows of unchecked external values are reported

sinks.excluded
Type: dict[bauhaus.analysis.config.QualifiedName, ArgumentSpecifier]

Default:
{
   'free':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   )
}
Functions which should be exempt from the set of functions considered as sinks

sinks.functions

Type: dict[bauhaus.analysis.config.QualifiedName, ArgumentSpecifier]

Default:

{
   'CreateProcess':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'CreateProcessA':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'CreateProcessW':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '_exec':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '_execl':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '_execle':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '_execlp':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '_execv':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '_execvp':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '_execvpe':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '_popen':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '_spawnl':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '_spawnlp':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '_spawnv':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '_spawnvp':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '_wexec':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '_wexecl':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '_wexecle':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '_wexeclp':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '_wexecv':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '_wexecvp':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '_wexecvpe':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '_wpopen':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '_wspawnl':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '_wspawnlp':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '_wspawnv':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '_wspawnvp':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'exec':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'execl':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'execle':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'execlp':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'execv':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'execvp':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'execvpe':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'popen':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'system':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   )
}

Functions which should be in the set of functions considered as sinks

Option Types¶

These types are used by options listed above:

ArgumentSpecifier¶

Specification of which argument positions to consider: An argument at position x is included if ALL of the following conditions are met: * x is within the specified range: argument_range_min ≤ x ≤ argument_range_max * Either no specific arguments are listed (argument_numbers_set is empty), OR x is explicitly listed in argument_numbers_set Examples: * To target the first 5 variadic arguments of sscanf (positions 2-6): set argument_range_min = 2, argument_range_max = 6, leave argument_numbers_set empty * To target only the format string of sscanf (position 1): set argument_numbers_set = {1} and keep default values for argument_range_min and argument_range_max

argument_numbers_set : set[int] = set()

Explicit set of argument numbers to be considered. If empty, all numbers of the interval defined by [argument_range_min; argument_range_max] are considered.

argument_range_max : int = 4294967295

Maximum of the interval of numbers to be considered.

argument_range_min : int = 0

Minimum of the interval of numbers to be considered.

Axivion Suite 7.12.0

Navigation

CWE-78¶

Demonstrative Examples Functional Areas

Example 1

Example 2

Example 3

Example 4

Example 5

Example 6

Demonstrative Examples Functional Areas

Options¶

all_external_functions_as_sinks¶

all_external_functions_as_sources¶

external_sources¶

is_acceptable_use_in_condition¶

is_relevant_usage¶

is_sufficient_preceding_check¶

maximum_reports_per_source_location¶

omit_implicitly_passed_this¶

only_report_arguments¶

sanitizer_functions¶

sanitizer_macros¶

sinks¶

Option Types¶

ArgumentSpecifier¶