// Based on MITRE's CWE-787 (Out-of-bounds Write), demonstrative example 4.
// The out-of-bounds write is intentional: this file is a test case for the
// analyzer options described below and must not be "fixed" without updating them.
// https://cwe.mitre.org/data/definitions/787.html
// Option "-eva-precision 1" reduces the number of "Unknown" alarms.
// Run with "-eva-precision 2" to obtain a "Red Alarm".
// Also, adding option "-eva-no-alloc-returns-null" allows focusing on this
// issue while ignoring the fact that malloc() may fail and return NULL, which
// the code below never checks (a real fix would require an extra check before
// the first write through dst_buf).
#include <stdlib.h>
#include <string.h>
#define MAX_SIZE 16
// copy_input: HTML-escape `user_supplied_string` ('&' -> "&amp;", '<' -> "&lt")
// into a freshly malloc()ed buffer and return it; the caller owns the result.
// An input of MAX_SIZE or more characters terminates the process via exit(1).
//
// THIS FUNCTION IS DELIBERATELY VULNERABLE (CWE-787, out-of-bounds write):
//  * dst_buf holds 4*MAX_SIZE = 64 bytes, but the length check admits up to
//    MAX_SIZE-1 = 15 input characters and every '&' expands to 5 output bytes,
//    so 15 '&' characters (main's malicious_string) write 75 bytes, i.e.
//    11 bytes past the end of the heap allocation.
//  * No '\0' terminator is ever written, so even an in-bounds result is not a
//    valid C string; a caller that treats it as one (strlen, "%s") would read
//    past the escaped bytes into indeterminate malloc() contents.
//  * The malloc() result is dereferenced without a NULL check.
//  * "&lt" is emitted without the closing ';' of the HTML entity.
// A correct version would allocate 5*MAX_SIZE + 1 bytes (worst-case expansion
// plus terminator) or bound-check dst_index before each write, store '\0' at
// dst_buf[dst_index] before returning, and check malloc() for NULL. The code
// is left as-is because the file is an analyzer test case (see file header).
char * copy_input(char *user_supplied_string) {
int i, dst_index;
// 64 bytes: sized for a 4x expansion although the '&' case expands 5x.
char *dst_buf = (char*)malloc(4*sizeof(char) * MAX_SIZE);
// Rejects strlen >= 16, i.e. allows inputs of up to 15 characters.
if ( MAX_SIZE <= strlen(user_supplied_string) ){
exit(1);
}
dst_index = 0;
// strlen() is re-evaluated on every iteration; `i` (int) is compared against
// size_t, so the comparison is done unsigned.
for ( i = 0; i < strlen(user_supplied_string); i++ ){
if( '&' == user_supplied_string[i] ){
// 5 output bytes per '&': 15 of them overrun the 64-byte buffer.
dst_buf[dst_index++] = '&';
dst_buf[dst_index++] = 'a';
dst_buf[dst_index++] = 'm';
dst_buf[dst_index++] = 'p';
dst_buf[dst_index++] = ';';
}
else if ('<' == user_supplied_string[i] ){
// 3 output bytes per '<' (no trailing ';'); 15 of them fit in 45 bytes.
dst_buf[dst_index++] = '&';
dst_buf[dst_index++] = 'l';
dst_buf[dst_index++] = 't';
}
else dst_buf[dst_index++] = user_supplied_string[i];
}
// Returned without a terminating '\0' and without any bounds check on dst_index.
return dst_buf;
}
// Entry point: calls copy_input() first on an ordinary input and then on the
// worst-case input (15 '&' characters, each expanding to the 5-byte "&amp;"),
// which is the call that overruns copy_input's 64-byte buffer. The returned
// buffers are never read or freed; the process exits right after the calls.
int main() {
    char *const inputs[] = {
        "<a href='ab&c'>",   /* typical input, well within the output buffer */
        "&&&&&&&&&&&&&&&",   /* 15 '&': 75 output bytes into a 64-byte buffer */
    };
    size_t k;
    for (k = 0; k < sizeof inputs / sizeof inputs[0]; k++) {
        (void)copy_input(inputs[k]);
    }
    return 0;
}