1  #include <stdio.h>
       2  
       3  /* Solaris needs this for <unistd.h> to declare getpass.  */
       4  #define __EXTENSIONS__
       5  #include <unistd.h>
       6  
       7  #include <string.h>
       8  
       9  /* Declare getpass, in case unistd doesn't declare it.
      10     Parenthesize it, in case it's a macro.
      11     Don't use a prototype, to avoid const mismatches.  */
      12  extern char *(getpass) ();
      13  
/* Direct sink: the secret returned by getpass is interpolated into a
   line written to LOGFILE with fprintf, the CWE-532 pattern this
   testcase expects the analyzer to report.  The expected-diagnostic
   annotations sit on the same lines as the code they describe, and the
   trailing one uses a relative reference (.-1) to the fprintf line
   above it, so no lines may be inserted inside the body.  The getpass
   result is not checked for NULL and the function has no return
   statement; only the diagnostic is exercised, not the returned char.  */
char test_1 (FILE *logfile)
{
  char *password = getpass (">"); /* { dg-message "\\(1\\) sensitive value acquired here" } */
  fprintf (logfile, "got password %s\n", password); /* { dg-warning "sensitive value 'password' written to output file \\\[CWE-532\\\]" "warning" } */
  /* { dg-message "\\(2\\) sensitive value 'password' written to output file; acquired at \\(1\\)" "event" { target *-*-* } .-1 } */
}
      20  
/* Same sink as test_1, but a non-sensitive argument (I) precedes the
   password in the variadic list; the expected warning still names
   'password', so the report must be attributed to the right argument.
   The trailing annotation refers to the fprintf line with .-1; keep
   the two lines adjacent.  As in test_1, getpass is not NULL-checked
   and there is no return statement.  */
char test_2 (FILE *logfile, int i)
{
  char *password = getpass (">"); /* { dg-message "\\(1\\) sensitive value acquired here" } */
  fprintf (logfile, "got password[%i]: %s\n", i, password); /* { dg-warning "sensitive value 'password' written to output file \\\[CWE-532\\\]" } */
  /* { dg-message "\\(2\\) sensitive value 'password' written to output file; acquired at \\(1\\)" "event" { target *-*-* } .-1 } */
}
      27  
/* Sink via printf rather than an explicit stream: LOGFILE is unused and
   the password goes to stdout, yet the expected warning text is the
   same "written to output file" wording.  The trailing annotation
   refers to the printf line with .-1; keep the two lines adjacent.
   getpass is not NULL-checked and there is no return statement.  */
char test_3 (FILE *logfile)
{
  char *password = getpass (">"); /* { dg-message "\\(1\\) sensitive value acquired here" } */
  printf ("got password %s\n", password); /* { dg-warning "sensitive value 'password' written to output file \\\[CWE-532\\\]" "warning" } */
  /* { dg-message "\\(2\\) sensitive value 'password' written to output file; acquired at \\(1\\)" "event" { target *-*-* } .-1 } */
}
      34  
/* Raw-byte sink: the password is written with fwrite, with no format
   string involved, so the analyzer must track the buffer pointer itself
   rather than a printf argument.  strlen is called on the getpass result
   without a NULL check, which is deliberate here but would be undefined
   behaviour if getpass failed.  The trailing annotation refers to the
   fwrite line with .-1; keep the two lines adjacent.  No return
   statement.  */
char test_4 (FILE *logfile)
{
  char *password = getpass (">"); /* { dg-message "\\(1\\) sensitive value acquired here" } */
  fwrite (password, strlen (password), 1, logfile); /* { dg-warning "sensitive value 'password' written to output file \\\[CWE-532\\\]" "warning" } */
  /* { dg-message "\\(2\\) sensitive value 'password' written to output file; acquired at \\(1\\)" "event" { target *-*-* } .-1 } */
}
      41  
/* Callee half of the interprocedural case in test_5: the sink (printf)
   lives here, so the CWE-532 warning is expected on this line and names
   the parameter 'value', while the caller only gets an event message
   describing the hand-off.  Nothing in this function marks VALUE as
   sensitive on its own; the taint arrives from the caller.  */
static void called_by_test_5 (const char *value)
{
  printf ("%s", value); /* { dg-warning "sensitive value 'value' written to output file \\\[CWE-532\\\]" } */
}
      46  
/* Interprocedural source side: the password is acquired here and passed
   into called_by_test_5, where the write happens.  This function has no
   warning annotation of its own; the expected event on the call line
   describes the argument passing, and the warning itself is expected in
   the callee.  LOGFILE is unused, getpass is not NULL-checked and there
   is no return statement.  */
char test_5 (FILE *logfile)
{
  char *password = getpass (">");
  called_by_test_5 (password); /* { dg-message "passing sensitive value 'password' in call to 'called_by_test_5' from 'test_5'" } */
}
      52  
/* Source wrapper for test_6: acquires the secret and returns it without
   writing it anywhere, so the only expected diagnostic here is the
   acquisition event (unnumbered, unlike tests 1-4).  The CWE-532
   warning is expected in the caller, which is where the write occurs.  */
static char *called_by_test_6 (void)
{
  return getpass (">"); /* { dg-message "sensitive value acquired here" } */
}
      57  
/* Interprocedural return path: the sensitive value enters through the
   return value of called_by_test_6 rather than a direct getpass call,
   and the expected event on the assignment line describes that return.
   The write (printf) and its expected CWE-532 warning are on the
   following line.  LOGFILE is unused, the returned pointer is not
   NULL-checked and there is no return statement.  */
char test_6 (FILE *logfile)
{
  char *password = called_by_test_6 (); /* { dg-message "returning sensitive value to 'test_6' from 'called_by_test_6'" } */
  printf ("%s", password); /* { dg-warning "sensitive value 'password' written to output file \\\[CWE-532\\\]" } */
}
      63  
      64  /* TODO: strdup etc, strcpy, memcpy, etc.  */