
Commit 58ed498

ESS-ENNgatsby003
authored and committed
Rules - file-stat-before-action c/cpp (#27)
1 parent 1243715 commit 58ed498

5 files changed: +544 -0 lines changed

Lines changed: 82 additions & 0 deletions
@@ -0,0 +1,82 @@
1+
id: file-stat-before-action-c
2+
language: c
3+
severity: warning
4+
message: >-
5+
A check is done with `stat` and then the file is used. There is no
6+
guarantee that the status of the file has not changed since the call to
7+
`stat` which may allow attackers to bypass permission checks.
8+
note: >-
9+
[CWE-367]: Time-of-check Time-of-use (TOCTOU) Race Condition
10+
[REFERENCES]
11+
- https://wiki.sei.cmu.edu/confluence/display/c/FIO45-C.+Avoid+TOCTOU+race+conditions+while+accessing+files
12+
utils:
13+
match_fopen_identifier:
14+
kind: identifier
15+
regex: unlink|fopen|freopen|remove|rename|access|open|stat|lstat|unlink|mkdir|rmdir|chdir|folly::readFile|folly::writeFile|folly::writeFileAtomic|folly::writeFileAtomicNoThrow|folly::File
16+
all:
17+
- inside:
18+
kind: call_expression
19+
inside:
20+
stopBy: end
21+
kind: expression_statement
22+
inside:
23+
kind: compound_statement
24+
inside:
25+
kind: if_statement
26+
has:
27+
stopBy: end
28+
kind: call_expression
29+
all:
30+
- has:
31+
kind: identifier
32+
regex: ^(fstatat|_fstatat)$
33+
- has:
34+
stopBy: neighbor
35+
kind: argument_list
36+
all:
37+
- has:
38+
stopBy: neighbor
39+
kind: identifier
40+
- has:
41+
stopBy: neighbor
42+
kind: call_expression
43+
all:
44+
- has:
45+
stopBy: neighbor
46+
kind: field_expression
47+
- has:
48+
stopBy: neighbor
49+
kind: argument_list
50+
51+
match_fopen_identifier_2:
52+
kind: identifier
53+
regex: unlink|fopen|freopen|remove|rename|access|open|stat|lstat|unlink|mkdir|rmdir|chdir|folly::readFile|folly::writeFile|folly::writeFileAtomic|folly::writeFileAtomicNoThrow|folly::File
54+
all:
55+
- inside:
56+
kind: call_expression
57+
inside:
58+
stopBy: end
59+
kind: expression_statement
60+
inside:
61+
kind: compound_statement
62+
inside:
63+
kind: if_statement
64+
has:
65+
stopBy: end
66+
kind: call_expression
67+
all:
68+
- has:
69+
stopBy: neighbor
70+
kind: identifier
71+
regex: "^stat|_stat|lstat|_lstat$"
72+
- has:
73+
stopBy: neighbor
74+
kind: argument_list
75+
has:
76+
stopBy: neighbor
77+
kind: call_expression
78+
79+
rule:
80+
any:
81+
- matches: match_fopen_identifier
82+
- matches: match_fopen_identifier_2
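Review bot: the `match_fopen_identifier_2` regex `"^stat|_stat|lstat|_lstat$"` is not anchored the way it reads: alternation binds looser than the anchors, so `^` applies only to `stat` and `$` only to `_lstat`; `^stat` therefore also matches identifiers such as `statfs` or `statvfs`, and `_stat` and `lstat` match anywhere inside a name. Write it as `^(stat|_stat|lstat|_lstat)$`, the form the `fstatat` sub-rule already uses. Two further points for the C rule: the `folly::` alternatives in both identifier regexes can never match C source, since `::` is not C syntax, and both `argument_list` constraints require a `call_expression` argument (the `fstatat` one additionally a `field_expression` inside it), so the plain C shape `stat(path, &st)` followed by `fopen(path, ...)` in the if body is not reported; accepting an `identifier` or `string_literal` argument as well would cover it.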
Lines changed: 82 additions & 0 deletions
@@ -0,0 +1,82 @@
1+
id: file-stat-before-action-cpp
2+
language: cpp
3+
severity: warning
4+
message: >-
5+
A check is done with `stat` and then the file is used. There is no
6+
guarantee that the status of the file has not changed since the call to
7+
`stat` which may allow attackers to bypass permission checks.
8+
note: >-
9+
[CWE-367]: Time-of-check Time-of-use (TOCTOU) Race Condition
10+
[REFERENCES]
11+
- https://wiki.sei.cmu.edu/confluence/display/c/FIO45-C.+Avoid+TOCTOU+race+conditions+while+accessing+files
12+
utils:
13+
match_fopen_identifier:
14+
kind: identifier
15+
regex: unlink|fopen|freopen|remove|rename|access|open|stat|lstat|unlink|mkdir|rmdir|chdir|folly::readFile|folly::writeFile|folly::writeFileAtomic|folly::writeFileAtomicNoThrow|folly::File
16+
all:
17+
- inside:
18+
kind: call_expression
19+
inside:
20+
stopBy: end
21+
kind: expression_statement
22+
inside:
23+
kind: compound_statement
24+
inside:
25+
kind: if_statement
26+
has:
27+
stopBy: end
28+
kind: call_expression
29+
all:
30+
- has:
31+
kind: identifier
32+
regex: ^(fstatat|_fstatat)$
33+
- has:
34+
stopBy: neighbor
35+
kind: argument_list
36+
all:
37+
- has:
38+
stopBy: neighbor
39+
kind: identifier
40+
- has:
41+
stopBy: neighbor
42+
kind: call_expression
43+
all:
44+
- has:
45+
stopBy: neighbor
46+
kind: field_expression
47+
- has:
48+
stopBy: neighbor
49+
kind: argument_list
50+
51+
match_fopen_identifier_2:
52+
kind: identifier
53+
regex: unlink|fopen|freopen|remove|rename|access|open|stat|lstat|unlink|mkdir|rmdir|chdir|folly::readFile|folly::writeFile|folly::writeFileAtomic|folly::writeFileAtomicNoThrow|folly::File
54+
all:
55+
- inside:
56+
kind: call_expression
57+
inside:
58+
stopBy: end
59+
kind: expression_statement
60+
inside:
61+
kind: compound_statement
62+
inside:
63+
kind: if_statement
64+
has:
65+
stopBy: end
66+
kind: call_expression
67+
all:
68+
- has:
69+
stopBy: neighbor
70+
kind: identifier
71+
regex: "^stat|_stat|lstat|_lstat$"
72+
- has:
73+
stopBy: neighbor
74+
kind: argument_list
75+
has:
76+
stopBy: neighbor
77+
kind: call_expression
78+
79+
rule:
80+
any:
81+
- matches: match_fopen_identifier
82+
- matches: match_fopen_identifier_2
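Review bot: the `match_fopen_identifier` regex (`unlink|fopen|...|folly::File`) has no anchors, so `open` matches `fopen`, `popen` and `opendir`, `stat` matches `status`, `remove` matches `remove_if`, and `unlink` is listed twice; anchoring the plain names as `^(unlink|fopen|freopen|remove|rename|access|open|stat|lstat|mkdir|rmdir|chdir)$` removes those false positives. The `folly::readFile` style alternatives only match if the `identifier` node text includes the namespace qualifier; tree-sitter normally parses `folly::readFile` as a qualified name whose `identifier` child is just `readFile`, so verify them against a fixture before relying on them. `match_fopen_identifier_2` carries the same anchoring problem as the C rule (`"^stat|_stat|lstat|_lstat$"` should be `^(stat|_stat|lstat|_lstat)$`). Finally, the file use must sit in a `compound_statement` directly under the `if_statement` that contains the `stat` call, so the common early-return shape `if (stat(p, &st) != 0) return -1; fp = fopen(p, "r");` is not flagged; a companion pattern using `follows` would cover it.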

0 commit comments