[clang] [clang][analyzer] Add taintedness to argv (PR #178054)

Balázs Benics via cfe-commits cfe-commits at lists.llvm.org
Tue Jan 27 12:23:56 PST 2026


================
@@ -827,8 +831,40 @@ void GenericTaintChecker::initTaintRules(CheckerContext &C) const {
                             std::make_move_iterator(Rules.end()));
 }
 
+// The incoming parameters of the main function get tainted
+// if the program called in an untrusted environment.
+void GenericTaintChecker::checkBeginFunction(CheckerContext &C) const {
+  if (!C.inTopFrame() || C.getAnalysisManager()
+                             .getAnalyzerOptions()
+                             .ShouldAssumeControlledEnvironment)
+    return;
+
+  const auto *FD = dyn_cast<FunctionDecl>(C.getLocationContext()->getDecl());
+  if (!FD || !FD->isMain() || FD->param_size() < 2)
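Review bot: The comment above `checkBeginFunction` is missing a verb ("if the program called in an untrusted environment" should read "if the program is called in an untrusted environment"). Also, the guard `FD->param_size() < 2` still admits the three-parameter `main(int, char **, char **)` form, so the code after it should either handle that third parameter consistently or say in the comment that only the second parameter is tainted; a test that sets `ShouldAssumeControlledEnvironment` and checks that the early return suppresses the taint would also document the intended behaviour.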
----------------
steakhal wrote:

BTW there is a 3 parameter main, that also takes the envp.
And on windows, `FunctionDecl::isMSVCRTEntryPoint()` has some other patterns that resemble "main-like" functions. I wonder if we could/should handle them too.
And how about `argc`? That should also be tainted, right?


https://github.com/llvm/llvm-project/pull/178054

