1//=== Taint.h - Taint tracking and basic propagation rules. --------*- C++ -*-//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// Defines basic, non-domain-specific mechanisms for tracking tainted values.
10//
11//===----------------------------------------------------------------------===//
12
13#ifndef LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_TAINT_H
14#define LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_TAINT_H
15
16#include "clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h"
17#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
18
19namespace clang {
20namespace ento {
21namespace taint {
22
23/// The type of taint, which helps to differentiate between different types of
24/// taint.
25using TaintTagType = unsigned;
26
27static constexpr TaintTagType TaintTagGeneric = 0;
28
29/// Create a new state in which the value of the statement is marked as tainted.
30[[nodiscard]] ProgramStateRef addTaint(ProgramStateRef State, const Stmt *S,
31                                       const LocationContext *LCtx,
32                                       TaintTagType Kind = TaintTagGeneric);
33
34/// Create a new state in which the value is marked as tainted.
35[[nodiscard]] ProgramStateRef addTaint(ProgramStateRef State, SVal V,
36                                       TaintTagType Kind = TaintTagGeneric);
37
38/// Create a new state in which the symbol is marked as tainted.
39[[nodiscard]] ProgramStateRef addTaint(ProgramStateRef State, SymbolRef Sym,
40                                       TaintTagType Kind = TaintTagGeneric);
41
42/// Create a new state in which the pointer represented by the region
43/// is marked as tainted.
44[[nodiscard]] ProgramStateRef addTaint(ProgramStateRef State,
45                                       const MemRegion *R,
46                                       TaintTagType Kind = TaintTagGeneric);
47
48[[nodiscard]] ProgramStateRef removeTaint(ProgramStateRef State, SVal V);
49
50[[nodiscard]] ProgramStateRef removeTaint(ProgramStateRef State,
51                                          const MemRegion *R);
52
53[[nodiscard]] ProgramStateRef removeTaint(ProgramStateRef State, SymbolRef Sym);
54
55/// Create a new state in a which a sub-region of a given symbol is tainted.
56/// This might be necessary when referring to regions that can not have an
57/// individual symbol, e.g. if they are represented by the default binding of
58/// a LazyCompoundVal.
59[[nodiscard]] ProgramStateRef
60addPartialTaint(ProgramStateRef State, SymbolRef ParentSym,
61                const SubRegion *SubRegion,
62                TaintTagType Kind = TaintTagGeneric);
63
64/// Check if the statement has a tainted value in the given state.
65bool isTainted(ProgramStateRef State, const Stmt *S,
66               const LocationContext *LCtx,
67               TaintTagType Kind = TaintTagGeneric);
68
69/// Check if the value is tainted in the given state.
70bool isTainted(ProgramStateRef State, SVal V,
71               TaintTagType Kind = TaintTagGeneric);
72
73/// Check if the symbol is tainted in the given state.
74bool isTainted(ProgramStateRef State, SymbolRef Sym,
75               TaintTagType Kind = TaintTagGeneric);
76
77/// Check if the pointer represented by the region is tainted in the given
78/// state.
79bool isTainted(ProgramStateRef State, const MemRegion *Reg,
80               TaintTagType Kind = TaintTagGeneric);
81
82/// Returns the tainted Symbols for a given Statement and state.
83std::vector<SymbolRef> getTaintedSymbols(ProgramStateRef State, const Stmt *S,
84                                         const LocationContext *LCtx,
85                                         TaintTagType Kind = TaintTagGeneric);
86
87/// Returns the tainted Symbols for a given SVal and state.
88std::vector<SymbolRef> getTaintedSymbols(ProgramStateRef State, SVal V,
89                                         TaintTagType Kind = TaintTagGeneric);
90
91/// Returns the tainted Symbols for a SymbolRef and state.
92std::vector<SymbolRef> getTaintedSymbols(ProgramStateRef State, SymbolRef Sym,
93                                         TaintTagType Kind = TaintTagGeneric);
94
95/// Returns the tainted (index, super/sub region, symbolic region) symbols
96/// for a given memory region.
97std::vector<SymbolRef> getTaintedSymbols(ProgramStateRef State,
98                                         const MemRegion *Reg,
99                                         TaintTagType Kind = TaintTagGeneric);
100
101std::vector<SymbolRef> getTaintedSymbolsImpl(ProgramStateRef State,
102                                             const Stmt *S,
103                                             const LocationContext *LCtx,
104                                             TaintTagType Kind,
105                                             bool returnFirstOnly);
106
107std::vector<SymbolRef> getTaintedSymbolsImpl(ProgramStateRef State, SVal V,
108                                             TaintTagType Kind,
109                                             bool returnFirstOnly);
110
111std::vector<SymbolRef> getTaintedSymbolsImpl(ProgramStateRef State,
112                                             SymbolRef Sym, TaintTagType Kind,
113                                             bool returnFirstOnly);
114
115std::vector<SymbolRef> getTaintedSymbolsImpl(ProgramStateRef State,
116                                             const MemRegion *Reg,
117                                             TaintTagType Kind,
118                                             bool returnFirstOnly);
119
120void printTaint(ProgramStateRef State, raw_ostream &Out, const char *nl = "\n",
121                const char *sep = "");
122
123LLVM_DUMP_METHOD void dumpTaint(ProgramStateRef State);
124} // namespace taint
125} // namespace ento
126} // namespace clang
127
128#endif
129