
Commit 5d3542b

ESS-ENNSakshis
and
Sakshis
authored
Remove obsolete C rule; add C++ static check for UAF and vector issues (#177)
* removed missing-secure-java * httponly-false-csharp * use-of-md5-digest-utils-java * removing use-of-md5-digest-utils and httponly-false-csharp * std-return-data-cpp * std-vector-invalidation-cpp * return-c-str-cpp --------- Co-authored-by: Sakshis <sakshil@abc.com>
1 parent f6f63a8 commit 5d3542b

8 files changed

+555
-27
lines changed

rules/c/security/return-c-str-c.yml

Lines changed: 0 additions & 27 deletions
This file was deleted.
Lines changed: 124 additions & 0 deletions
@@ -0,0 +1,124 @@
1+
id: return-c-str-cpp
2+
language: cpp
3+
severity: warning
4+
message: >-
5+
"`$FUNC` returns a pointer to the memory owned by `$STR`. This pointer
6+
is invalid after `$STR` goes out of scope, which can trigger a use after
7+
free."
8+
note: >-
9+
[CWE-416] Use After Free
10+
[REFERENCES]
11+
- https://wiki.sei.cmu.edu/confluence/display/c/DCL30-C.+Declare+objects+with+appropriate+storage+durations
12+
- https://wiki.sei.cmu.edu/confluence/display/cplusplus/EXP54-CPP.+Do+not+access+an+object+outside+of+its+lifetime
13+
14+
ast-grep-essentials: true
15+
16+
rule:
17+
any:
18+
- pattern: return basic_string<$TYPE>($$$).$METHOD();
19+
- pattern: return std::basic_string<$TYPE>($$$).$METHOD();
20+
- pattern: return string($$$).$METHOD();
21+
- pattern: return std::string($$$).$METHOD();
22+
- pattern: return wstring($$$).$METHOD();
23+
- pattern: return std::wstring($$$).$METHOD();
24+
- pattern: return $STR.$METHOD();
25+
any:
26+
- follows:
27+
stopBy: end
28+
all:
29+
- not:
30+
has:
31+
stopBy: end
32+
kind: storage_class_specifier
33+
- any:
34+
- kind: declaration
35+
not:
36+
pattern: $STR_VAL $STR = "$STRG";
37+
- has:
38+
pattern: $STR_VAL
39+
- has:
40+
stopBy: end
41+
pattern: $STR
42+
- inside:
43+
stopBy: end
44+
follows:
45+
stopBy: end
46+
all:
47+
- not:
48+
has:
49+
stopBy: end
50+
kind: storage_class_specifier
51+
- any:
52+
- kind: declaration
53+
not:
54+
pattern: $STR_VAL $STR = "$STRG";
55+
- has:
56+
pattern: $STR_VAL
57+
- has:
58+
pattern: $STR
59+
- inside:
60+
stopBy: end
61+
follows:
62+
stopBy: end
63+
all:
64+
- not:
65+
has:
66+
stopBy: end
67+
kind: storage_class_specifier
68+
- any:
69+
- kind: pointer_declarator
70+
not:
71+
has:
72+
stopBy: end
73+
pattern: $STR_VAL $STR = "$STRG";
74+
has:
75+
kind: function_declarator
76+
all:
77+
- has:
78+
stopBy: end
79+
any:
80+
- kind: qualified_identifier
81+
- kind: type_identifier
82+
regex: ^(basic_string<.*>|std::basic_string<.*>|string|std::string|wstring|std::wstring|string(.*)|std::string(.*)|wstring(.*)|std::wstring(.*)|basic_string<.*>(.*)|std::basic_string<.*>(.*))$
83+
- has:
84+
stopBy: end
85+
pattern: $STR
86+
- follows:
87+
stopBy: end
88+
all:
89+
- not:
90+
has:
91+
stopBy: end
92+
kind: storage_class_specifier
93+
- any:
94+
- kind: pointer_declarator
95+
has:
96+
kind: function_declarator
97+
all:
98+
- not:
99+
has:
100+
stopBy: end
101+
pattern: $STR_VAL $STR = "$STRG";
102+
- has:
103+
stopBy: end
104+
any:
105+
- kind: qualified_identifier
106+
- kind: type_identifier
107+
regex: ^(basic_string<.*>|std::basic_string<.*>|string|std::string|wstring|std::wstring|string(.*)|std::string(.*)|wstring(.*)|std::wstring(.*)|basic_string<.*>(.*)|std::basic_string<.*>(.*))$
108+
- has:
109+
stopBy: end
110+
pattern: $STR
111+
- pattern: return $STR_VAL.$METHOD();
112+
not:
113+
all:
114+
- has:
115+
stopBy: end
116+
kind: ERROR
117+
- inside:
118+
stopBy: end
119+
kind: ERROR
120+
constraints:
121+
METHOD:
122+
regex: ^(c_str|data)$
123+
STR_VAL:
124+
regex: ^(basic_string<.*>|std::basic_string<.*>|string|std::string|wstring|std::wstring|string(.*)|std::string(.*)|wstring(.*)|std::wstring(.*)|basic_string<.*>(.*)|std::basic_string<.*>(.*))$
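Review bot: The message at lines 5-7 interpolates `$FUNC`, but no pattern under `rule:` binds a `$FUNC` metavariable, so the emitted finding will show the placeholder literally (or blank) instead of a function name, and the double quotes wrapping the `>-` block become part of the emitted text. Either capture the enclosing function or reword around the variable the rule does bind, e.g. `This return statement yields a pointer into memory owned by $STR, which is released when $STR goes out of scope.` Separately, the alternatives `string(.*)` and `std::string(.*)` in the STR_VAL constraint at line 124 (the same regex is repeated at lines 82 and 107) use unescaped parentheses, so they act as `string.*` and also admit `std::string_view`, whose `.data()` does not own the pointed-to storage — a likely false positive; escaping them as `string\(.*\)` restricts the match to the constructor-call spelling they appear to target. The `not: pattern: $STR_VAL $STR = "$STRG";` exclusion looks like it also suppresses `std::string s = "..."; return s.c_str();`, which still dangles after return since the std::string owns its own copy — if that reading of the constraint is right, a test case for it would be worth adding.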
Lines changed: 85 additions & 0 deletions
@@ -0,0 +1,85 @@
1+
id: std-return-data-cpp
2+
language: cpp
3+
severity: warning
4+
message: >-
5+
$FUNC` returns a pointer to the memory owned by `$VAR`. This pointer
6+
is invalid after `$VAR` goes out of scope, which can trigger a use after
7+
free.
8+
note: >-
9+
[CWE-416: Use After Free.
10+
[REFERENCES]
11+
- https://wiki.sei.cmu.edu/confluence/display/c/DCL30-C.+Declare+objects+with+appropriate+storage+durations
12+
13+
ast-grep-essentials: true
14+
15+
rule:
16+
kind: return_statement
17+
pattern: return $VAR.data();
18+
all:
19+
- inside:
20+
stopBy: end
21+
kind: function_definition
22+
all:
23+
- has:
24+
nthChild: 1
25+
pattern: $RETURN_TYPE
26+
- has:
27+
kind: pointer_declarator
28+
- any:
29+
- follows:
30+
stopBy: end
31+
all:
32+
- has:
33+
nthChild: 1
34+
regex: ^(array<.*>|std::array<.*>|deque<.*>|std::deque<.*>|forward_list<.*>|std::forward_list<.*>|list<.*>|std::list<.*>|map<.*, .*>|std::map<.*, .*>|multimap<.*, .*>|std::multimap<.*, .*>|multiset<.*>|std::multiset<.*>|set<.*>|std::set<.*>|unordered_map<.*>|std::unordered_map<.*>|unordered_multimap<.*, .*>|std::unordered_multimap<.*, .*>|unordered_multiset<.*>|std::unordered_multiset<.*>|unordered_set<.*>|std::unordered_set<.*>|vector<.*>|std::vector<.*>)$
35+
- has:
36+
stopBy: end
37+
# nthChild: 2
38+
pattern: $VAR
39+
- not:
40+
inside:
41+
stopBy: end
42+
has:
43+
kind: storage_class_specifier
44+
- inside:
45+
stopBy: end
46+
kind: compound_statement
47+
- inside:
48+
stopBy: end
49+
follows:
50+
stopBy: end
51+
all:
52+
- has:
53+
nthChild: 1
54+
regex: ^(array<.*>|std::array<.*>|deque<.*>|std::deque<.*>|forward_list<.*>|std::forward_list<.*>|list<.*>|std::list<.*>|map<.*, .*>|std::map<.*, .*>|multimap<.*, .*>|std::multimap<.*, .*>|multiset<.*>|std::multiset<.*>|set<.*>|std::set<.*>|unordered_map<.*>|std::unordered_map<.*>|unordered_multimap<.*, .*>|std::unordered_multimap<.*, .*>|unordered_multiset<.*>|std::unordered_multiset<.*>|unordered_set<.*>|std::unordered_set<.*>|vector<.*>|std::vector<.*>)$
55+
- has:
56+
# nthChild: 2
57+
stopBy: end
58+
pattern: $VAR
59+
- not:
60+
inside:
61+
stopBy: end
62+
has:
63+
kind: storage_class_specifier
64+
- inside:
65+
stopBy: end
66+
kind: compound_statement
67+
- inside:
68+
stopBy: end
69+
follows:
70+
stopBy: end
71+
kind: pointer_declarator
72+
all:
73+
- has:
74+
stopBy: end
75+
nthChild: 1
76+
regex: ^(array<.*>|std::array<.*>|deque<.*>|std::deque<.*>|forward_list<.*>|std::forward_list<.*>|list<.*>|std::list<.*>|map<.*, .*>|std::map<.*, .*>|multimap<.*, .*>|std::multimap<.*, .*>|multiset<.*>|std::multiset<.*>|set<.*>|std::set<.*>|unordered_map<.*>|std::unordered_map<.*>|unordered_multimap<.*, .*>|std::unordered_multimap<.*, .*>|unordered_multiset<.*>|std::unordered_multiset<.*>|unordered_set<.*>|std::unordered_set<.*>|vector<.*>|std::vector<.*>)$
77+
- has:
78+
# nthChild: 2
79+
stopBy: end
80+
pattern: $VAR
81+
- not:
82+
inside:
83+
stopBy: end
84+
has:
85+
kind: storage_class_specifier
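Review bot: The message at line 5 is missing the opening backtick before `$FUNC`, and as in return-c-str-cpp no pattern binds `$FUNC`, so the rendered finding will contain a stray placeholder; the note at line 9 also has an unbalanced bracket, `[CWE-416: Use After Free.`, where the sibling rule writes `[CWE-416] Use After Free`. Since the rule only captures `$VAR`, a message such as `Returning $VAR.data() hands out a pointer into storage owned by the local $VAR, which is freed when it goes out of scope.` would be accurate without the unbound variable. The container regex at lines 34, 54 and 76 lists `list`, `forward_list`, `set`, `map` and their unordered variants, none of which has a `.data()` member, so those alternatives can never fire and could be dropped to keep the regex readable; `std::string` is covered by the separate return-c-str-cpp rule.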
Lines changed: 150 additions & 0 deletions
@@ -0,0 +1,150 @@
1+
id: std-vector-invalidation-cpp
2+
language: cpp
3+
severity: warning
4+
message: >-
5+
Modifying an `std::vector` while iterating over it could cause the
6+
container to reallocate, triggering memory corruption.
7+
note: >-
8+
[CWE-416: Use After Free.
9+
[REFERENCES]
10+
- https://wiki.sei.cmu.edu/confluence/display/c/MEM30-C.+Do+not+access+freed+memory
11+
- https://wiki.sei.cmu.edu/confluence/display/cplusplus/EXP54-CPP.+Do+not+access+an+object+outside+of+its+lifetime
12+
13+
ast-grep-essentials: true
14+
15+
rule:
16+
kind: call_expression
17+
all:
18+
- any:
19+
- pattern: $CONTAINER.erase($IT)
20+
all:
21+
- all:
22+
- not:
23+
follows:
24+
stopBy: end
25+
pattern: $CONTAINER.erase($IT)
26+
- not:
27+
precedes:
28+
stopBy: end
29+
pattern: $CONTAINER.erase($IT)
30+
- not:
31+
inside:
32+
stopBy: end
33+
kind: assignment_expression
34+
has:
35+
kind: identifier
36+
pattern: $IT
37+
nthChild: 1
38+
- pattern: $CONTAINER.assign($$$)
39+
- pattern: $CONTAINER.clear($$$)
40+
- pattern: $CONTAINER.emplace_back($$$)
41+
- pattern: $CONTAINER.insert($$$)
42+
- pattern: $CONTAINER.resize($$$)
43+
- pattern: $CONTAINER.push_back($$$)
44+
- pattern: $CONTAINER.reserve($$$)
45+
- pattern: $CONTAINER.shrink_to_fit($$$)
46+
- pattern: $CONTAINER.resize($$$)
47+
- pattern: $CONTAINER.pop_back($$$)
48+
- not:
49+
inside:
50+
stopBy: end
51+
kind: for_statement
52+
has:
53+
stopBy: end
54+
any:
55+
- kind: break_statement
56+
- kind: continue_statement
57+
- kind: return_statement
58+
- kind: goto_statement
59+
- inside:
60+
stopBy: end
61+
kind: for_statement
62+
any:
63+
- all:
64+
- has:
65+
kind: declaration
66+
any:
67+
- pattern: std::vector<$TY>::$IT_TYPE $IT = $CONTAINER.begin()
68+
- all:
69+
- has:
70+
kind: dependent_type
71+
has:
72+
stopBy: end
73+
pattern: std::vector<$TY>::$IT_TYPE
74+
- has:
75+
stopBy: end
76+
kind: init_declarator
77+
all:
78+
- has:
79+
pattern: $IT
80+
- has:
81+
pattern: $CONTAINER.begin()
82+
- has:
83+
kind: binary_expression
84+
any:
85+
- pattern: $IT != $CONTAINER.end()
86+
- has:
87+
kind: update_expression
88+
any:
89+
- pattern: ++$IT
90+
- pattern: $IT++
91+
- all:
92+
- has:
93+
kind: declaration
94+
any:
95+
- pattern: std::vector<$TY>::$IT_TYPE $IT = $CONTAINER.rbegin()
96+
- has:
97+
stopBy: end
98+
pattern: std::vector<$TY>::$IT_TYPE $IT = $CONTAINER.rbegin()
99+
- all:
100+
- has:
101+
kind: dependent_type
102+
has:
103+
stopBy: end
104+
pattern: std::vector<$TY>::$IT_TYPE
105+
- has:
106+
stopBy: end
107+
kind: init_declarator
108+
all:
109+
- has:
110+
pattern: $IT
111+
- has:
112+
pattern: $CONTAINER.rbegin()
113+
- has:
114+
kind: binary_expression
115+
any:
116+
- pattern: $IT != $CONTAINER.rend()
117+
- has:
118+
kind: update_expression
119+
any:
120+
- pattern: ++$IT
121+
- pattern: $IT++
122+
- all:
123+
- has:
124+
kind: declaration
125+
any:
126+
- pattern: std::vector<$TY>::$IT_TYPE $IT = $CONTAINER.begin(), $IT_END = $CONTAINER.end()
127+
- pattern: std::vector<$TY>::$IT_TYPE $IT = $CONTAINER.rbegin(), $IT_END = $CONTAINER.rend()
128+
- has:
129+
stopBy: end
130+
any:
131+
- pattern: std::vector<$TY>::$IT_TYPE $IT = $CONTAINER.begin(), $IT_END = $CONTAINER.end()
132+
- pattern: std::vector<$TY>::$IT_TYPE $IT = $CONTAINER.rbegin(), $IT_END = $CONTAINER.rend()
133+
- has:
134+
kind: binary_expression
135+
any:
136+
- pattern: $IT != $IT_END
137+
- has:
138+
kind: update_expression
139+
any:
140+
- pattern: ++$IT
141+
- pattern: $IT++
142+
- all:
143+
- not:
144+
has:
145+
stopBy: end
146+
kind: ERROR
147+
- not:
148+
inside:
149+
stopBy: end
150+
kind: ERROR
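Review bot: The iterator-loop conditions at lines 67-141 only match loops whose iterator is declared with an explicit `std::vector<$TY>::$IT_TYPE`, so a range-based `for (auto& x : v)` or an `auto it = v.begin()` loop that calls `v.push_back(...)` — the most common shape of this bug — is not reported, while the message at lines 5-6 claims any modification while iterating. Adding a `for_range_loop` branch (or relaxing the declaration pattern to `$IT_TYPE $IT = $CONTAINER.begin()`) would close that gap; if the narrow coverage is intentional, the message should say so. The exclusion at lines 48-58 skips any loop whose body contains a break, continue, return or goto anywhere, which drops many real cases (a `continue` in an unrelated branch does not make a `push_back` safe); it seems meant to catch only the "modify then leave the loop" idiom, so anchoring it to the statement following the call would be more precise. Minor: `$CONTAINER.resize($$$)` is listed twice (lines 42 and 46), `$CONTAINER.emplace($$$)` is absent from the list although it invalidates iterators the same way as `insert`, and the note at line 8 has the same `[CWE-416:` bracket typo as std-return-data-cpp.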
