1//=== Taint.h - Taint tracking and basic propagation rules. --------*- C++ -*-// 2// 3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4// See https://llvm.org/LICENSE.txt for license information. 5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6// 7//===----------------------------------------------------------------------===// 8// 9// Defines basic, non-domain-specific mechanisms for tracking tainted values. 10// 11//===----------------------------------------------------------------------===// 12 13#ifndef LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_TAINT_H 14#define LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_TAINT_H 15 16#include "clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h" 17#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 18 19namespace clang { 20namespace ento { 21namespace taint { 22 23/// The type of taint, which helps to differentiate between different types of 24/// taint. 25using TaintTagType = unsigned; 26 27static constexpr TaintTagType TaintTagGeneric = 0; 28 29/// Create a new state in which the value of the statement is marked as tainted. 30LLVM_NODISCARD ProgramStateRef addTaint(ProgramStateRef State, const Stmt *S, 31 const LocationContext *LCtx, 32 TaintTagType Kind = TaintTagGeneric); 33 34/// Create a new state in which the value is marked as tainted. 35LLVM_NODISCARD ProgramStateRef addTaint(ProgramStateRef State, SVal V, 36 TaintTagType Kind = TaintTagGeneric); 37 38/// Create a new state in which the symbol is marked as tainted. 39LLVM_NODISCARD ProgramStateRef addTaint(ProgramStateRef State, SymbolRef Sym, 40 TaintTagType Kind = TaintTagGeneric); 41 42/// Create a new state in which the pointer represented by the region 43/// is marked as tainted. 44LLVM_NODISCARD ProgramStateRef addTaint(ProgramStateRef State, 45 const MemRegion *R, 46 TaintTagType Kind = TaintTagGeneric); 47 48LLVM_NODISCARD ProgramStateRef removeTaint(ProgramStateRef State, SVal V); 49 50LLVM_NODISCARD ProgramStateRef removeTaint(ProgramStateRef State, 51 const MemRegion *R); 52 53LLVM_NODISCARD ProgramStateRef removeTaint(ProgramStateRef State, 54 SymbolRef Sym); 55 56/// Create a new state in a which a sub-region of a given symbol is tainted. 57/// This might be necessary when referring to regions that can not have an 58/// individual symbol, e.g. if they are represented by the default binding of 59/// a LazyCompoundVal. 60LLVM_NODISCARD ProgramStateRef addPartialTaint( 61 ProgramStateRef State, SymbolRef ParentSym, const SubRegion *SubRegion, 62 TaintTagType Kind = TaintTagGeneric); 63 64/// Check if the statement has a tainted value in the given state. 65bool isTainted(ProgramStateRef State, const Stmt *S, 66 const LocationContext *LCtx, 67 TaintTagType Kind = TaintTagGeneric); 68 69/// Check if the value is tainted in the given state. 70bool isTainted(ProgramStateRef State, SVal V, 71 TaintTagType Kind = TaintTagGeneric); 72 73/// Check if the symbol is tainted in the given state. 74bool isTainted(ProgramStateRef State, SymbolRef Sym, 75 TaintTagType Kind = TaintTagGeneric); 76 77/// Check if the pointer represented by the region is tainted in the given 78/// state. 79bool isTainted(ProgramStateRef State, const MemRegion *Reg, 80 TaintTagType Kind = TaintTagGeneric); 81 82void printTaint(ProgramStateRef State, raw_ostream &Out, const char *nl = "\n", 83 const char *sep = ""); 84 85LLVM_DUMP_METHOD void dumpTaint(ProgramStateRef State); 86 87/// The bug visitor prints a diagnostic message at the location where a given 88/// variable was tainted. 89class TaintBugVisitor final : public BugReporterVisitor { 90private: 91 const SVal V; 92 93public: 94 TaintBugVisitor(const SVal V) : V(V) {} 95 void Profile(llvm::FoldingSetNodeID &ID) const override { ID.Add(V); } 96 97 PathDiagnosticPieceRef VisitNode(const ExplodedNode *N, 98 BugReporterContext &BRC, 99 PathSensitiveBugReport &BR) override; 100}; 101 102} // namespace taint 103} // namespace ento 104} // namespace clang 105 106#endif 107