
How to get rid of "tainted parameter" in static analysis report?


I am using Parasoft to analyze my code. I got this violation:

Tainted parameter of entry point method ("inFileName") has been printed on the console

This is the code where the error is:

#include <stdio.h>

static void printUsage(char *inFileName)
{
    /* inFileName comes straight from argv[0] and is printed unchanged. */
    printf("Usage: %s %s\n", inFileName, "[-h|-help|-usage]\n");
}

int main(int argc, char **argv)
{
    printUsage(argv[0]);
    return 0;
}

where inFileName is actually argv[0].

How can I fix the violation or at least make Parasoft satisfied?


Solution

  • You're probably getting this warning because you don't sanitize your program parameter properly. For instance, if you would get a non-terminated string, the %s specifier in your printf would make your program keep reading (and printing) memory, causing undefined behavior and security concerns.

    As to what a "Tainted parameter" is:

    In software security analysis, a value is said to be tainted if it comes from an untrusted source (outside of the program’s control) and has not been sanitized to ensure that it conforms to any constraints on its value that consumers of the value require — for example, that all strings are null-terminated.

    (source) (emphasis mine)

    In order to ensure that your input value is proper, you can use a function like strdup:

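    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    static void printUsage(char *inFileName)
    {
        /* Work on a private copy; strdup returns NULL if allocation fails.
           Passing NULL to strdup is undefined, so guard against it. */
        char *inFile = (inFileName != NULL) ? strdup(inFileName) : NULL;
        if (inFile == 0) {
            printf("Error with program Argument.");
        } else {
            printf("Usage: %s %s\n", inFile, "[-h|-help|-usage]\n");
            free(inFile);
        }
    }

    int main(int argc, char **argv)
    {
        printUsage(argv[0]);
        return 0;
    }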
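
An added example, not part of the original question or answer: one way to validate argv[0] explicitly before it reaches printf, by handling a NULL or empty value, keeping only the last path component, bounding the length and replacing non-printable bytes. The helper name sanitize_prog_name, the fallback name "program" and the 64-byte limit are assumptions made for illustration; whether a particular Parasoft rule configuration recognizes the helper as a validation function is not something the page shows.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PROG_NAME_MAX 64  /* constructed limit for this example */

/*
 * Hypothetical helper: copy an untrusted program name into `out`, keeping
 * the last path component, bounding its length and replacing non-printable
 * bytes with '?'. The result is always NUL-terminated.
 */
static const char *sanitize_prog_name(const char *raw, char *out, size_t outlen)
{
    const char *base;
    size_t i;

    if (out == NULL || outlen == 0)
        return "";
    /* argv[0] may be NULL (argc == 0) or empty: fall back to a fixed name. */
    if (raw == NULL || raw[0] == '\0')
        raw = "program";

    /* Keep only the last path component. */
    base = strrchr(raw, '/');
    base = (base != NULL && base[1] != '\0') ? base + 1 : raw;

    /* Bounded copy; control and non-ASCII bytes become '?'. */
    for (i = 0; i + 1 < outlen && base[i] != '\0'; i++) {
        unsigned char c = (unsigned char)base[i];
        out[i] = (isprint(c) && c < 0x80) ? (char)c : '?';
    }
    out[i] = '\0';
    return out;
}

static void printUsage(const char *inFileName)
{
    char name[PROG_NAME_MAX];

    printf("Usage: %s [-h|-help|-usage]\n",
           sanitize_prog_name(inFileName, name, sizeof name));
}

int main(int argc, char **argv)
{
    printUsage(argc > 0 ? argv[0] : NULL);
    return 0;
}
```

Replacing control bytes also keeps terminal escape sequences embedded in the program name from being interpreted when the usage line is printed.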