Add test for -P (patch) option, which tests diff handling

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
2017-08-26 15:42:35 -04:00 · 2017-08-26 15:42:35 -04:00 · 608bc45b6d
parent 203115edc3
commit 608bc45b6d
3 changed files with 142 additions and 1 deletions
--- a/9
+++ b/9
@ -151,10 +151,16 @@ test_004: flawfinder test.c
 	  test-results-004.txt
 	@diff -u correct-results-004.txt test-results-004.txt

+test_005: flawfinder test-diff-0005.patch test-patched.c
+	@echo 'test_005 (diff)'
+	@$(PYTHON) ./flawfinder -SQDC -P test-diff-0005.patch \
+	  test-patched.c > test-results-005.txt
+	@diff -u correct-results-005.txt test-results-005.txt
+
 # Run all tests; output shows differences from expected results.
 # If everything works as expected, it just prints test numbers.
 # Set PYTHON as needed, including to ""
-test: test_001 test_002 test_003 test_004
+test: test_001 test_002 test_003 test_004 test_005
 	@echo 'All tests pass!'

 check: test
@ -165,6 +171,7 @@ test-is-correct: test-results.txt
 	mv test-results.html correct-results.html
 	mv test-results.csv correct-results.csv
 	mv test-results-004.txt correct-results-004.txt
+	mv test-results-005.txt correct-results-005.txt

 profile:
 	/usr/lib/python1.5/profile.py ./flawfinder > profile-results $(SAMPLE_DIR)/*/*.[ch] > profile-results 
--- a/test-diff-0005.patch
+++ b/test-diff-0005.patch
@ -0,0 +1,13 @@
+--- test.c	2017-08-26 15:33:59.480235200 -0400
+++ test-patched.c	2017-08-23 22:20:22.458331500 -0400
+@@ -9,6 +9,10 @@
+  printf("hello\n");
+ }
+ 
+int bad(char *a, char *b) {
+ strcpy(b, a);
+}
+
+ /* This is a strcpy test. */
+ 
+ int demo(char *a, char *b) {
--- a/test-patched.c
+++ b/test-patched.c
@ -0,0 +1,121 @@
+/* Test flawfinder.  This program won't compile or run; that's not necessary
+   for this to be a useful test. */
+
+#include <stdio.h>
+#define hello(x) goodbye(x)
+#define WOKKA "stuff"
+
+main() {
+ printf("hello\n");
+}
+
+int bad(char *a, char *b) {
+ strcpy(b, a);
+}
+
+/* This is a strcpy test. */
+
+int demo(char *a, char *b) {
+ strcpy(a, "\n"); // Did this work?
+ strcpy(a, gettext("Hello there")); // Did this work?
+ strcpy(b, a);
+ sprintf(s, "\n");
+ sprintf(s, "hello");
+ sprintf(s, "hello %s", bug);
+ sprintf(s, gettext("hello %s"), bug);
+ sprintf(s, unknown, bug);
+ printf(bf, x);
+ scanf("%d", &x);
+ scanf("%s", s);
+ scanf("%10s", s);
+ scanf("%s", s);
+ gets(f); // Flawfinder: ignore
+ printf("\\");
+ /* Flawfinder: ignore */
+ gets(f);
+ gets(f);
+ /* These are okay, but flawfinder version < 0.20 incorrectly used
+    the first parameter as the parameter for the format string */
+ syslog(LOG_ERR,"cannot open config file (%s): %s",filename,strerror(errno))
+ syslog(LOG_CRIT,"malloc() failed");
+ /* But this one SHOULD trigger a warning. */
+ syslog(LOG_ERR, attacker_string);
+
+}
+
+
+
+demo2() {
+  char d[20];
+  char s[20];
+  int n;
+
+  _mbscpy(d,s); /* like strcpy, this doesn't check for buffer overflow */
+  memcpy(d,s);
+  CopyMemory(d,s);
+  lstrcat(d,s);
+  strncpy(d,s);
+  _tcsncpy(d,s);
+  strncat(d,s,10);
+  strncat(d,s,sizeof(d)); /* Misuse - this should be flagged as riskier. */
+  _tcsncat(d,s,sizeof(d)); /* Misuse - flag as riskier */
+  n = strlen(d);
+  /* This is wrong, and should be flagged as risky: */
+  MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof(wszUserName));
+  /* This is also wrong, and should be flagged as risky: */
+  MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof wszUserName);
+  /* This is much better: */
+  MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof(wszUserName)/sizeof(wszUserName[0]));
+  /* This is much better: */
+  MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof wszUserName /sizeof(wszUserName[0]));
+  /* This is an example of bad code - the third paramer is NULL, so it creates
+     a NULL ACL.  Note that Flawfinder can't detect when a
+     SECURITY_DESCRIPTOR structure is manually created with a NULL value
+     as the ACL; doing so would require a tool that handles C/C++
+     and knows about types more that flawfinder currently does.
+     Anyway, this needs to be detected: */
+  SetSecurityDescriptorDacl(&sd,TRUE,NULL,FALSE);
+  /* This one is a bad idea - first param shouldn't be NULL */
+  CreateProcess(NULL, "C:\\Program Files\\GoodGuy\\GoodGuy.exe -x", "");
+  /* Test interaction of quote characters */
+  printf("%c\n", 'x');
+  printf("%c\n", '"');
+  printf("%c\n", '\"');
+  printf("%c\n", '\'');
+  printf("%c\n", '\177');
+  printf("%c\n", '\xfe');
+  printf("%c\n", '\xd');
+  printf("%c\n", '\n');
+  printf("%c\n", '\\');
+  printf("%c\n", "'");
+}
+
+
+int getopt_example(int argc,char *argv[]) {
+    while ((optc = getopt_long (argc, argv, "a",longopts, NULL )) != EOF) {
+    }
+}
+
+int testfile() {
+  FILE *f;
+  f = fopen("/etc/passwd", "r"); 
+  fclose(f);
+}
+
+/* Regression test: handle \\\n after end of string */
+
+#define assert(x) {\
+ if (!(x)) {\
+ fprintf(stderr,"Assertion failed.\n"\
+ "File: %s\nLine: %d\n"\
+ "Assertion: %s\n\n"\
+ ,__FILE__,__LINE__,#x);\
+ exit(1);\
+ };\
+ }
+
+int accesstest() {
+  int access = 0; /* Not a function call.  Should be caught by the
+                     false positive test, and NOT labelled as a problem. */
+}
+