From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gcc-bugzilla@gcc.gnu.org>
Received: by sourceware.org (Postfix, from userid 48)
 id 1FA213858429; Fri, 29 Jul 2022 13:21:50 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 1FA213858429
From: "tlange at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/106007] RFE: analyzer should complain about
 exec/system/putenv of tainted args
Date: Fri, 29 Jul 2022 13:21:49 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: analyzer
X-Bugzilla-Version: 12.0
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: normal
X-Bugzilla-Who: tlange at gcc dot gnu.org
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: dmalcolm at gcc dot gnu.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: cc
Message-ID: <bug-106007-4-qhrcUoO8Vs@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-106007-4@http.gcc.gnu.org/bugzilla/>
References: <bug-106007-4@http.gcc.gnu.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: gcc-bugs@gcc.gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Gcc-bugs mailing list <gcc-bugs.gcc.gnu.org>
List-Unsubscribe: <https://gcc.gnu.org/mailman/options/gcc-bugs>,
 <mailto:gcc-bugs-request@gcc.gnu.org?subject=unsubscribe>
List-Archive: <https://gcc.gnu.org/pipermail/gcc-bugs/>
List-Post: <mailto:gcc-bugs@gcc.gnu.org>
List-Help: <mailto:gcc-bugs-request@gcc.gnu.org?subject=help>
List-Subscribe: <https://gcc.gnu.org/mailman/listinfo/gcc-bugs>,
 <mailto:gcc-bugs-request@gcc.gnu.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jul 2022 13:21:50 -0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D106007

Tim Lange <tlange at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tlange at gcc dot gnu.org

--- Comment #3 from Tim Lange <tlange at gcc dot gnu.org> ---
(In reply to David Malcolm from comment #2)
> Currently the taint analysis only has handling for numeric arguments being
> bounds-checked.
>=20
> How can string arguments transition to a "sanitized" state?  Or are string
> arguments always tainted once they've acquired taint?

Many papers introduce sanitizers/taint killers/... besides sources and sink=
s,
which are also manually-defined methods. Two prime examples in webdev are X=
SS
and SQL query escaping methods that do replace special characters such that=
 the
user input is not interpreted.

I don't think you can automatically find out that a method is a sanitizer
unless you would track the interesting part of the string on a byte-level.=