
Commit 5f251d6

committed
dont-call-system-c
1 parent b622bca commit 5f251d6


5 files changed

+271
-0
lines changed

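--- /dev/null
+++ b/PATH_NOT_ON_PAGE_1
@@ -0,0 +1,61 @@
+id: dont-call-system-c
+language: c
+severity: warning
+message: >-
+Don't call `system`. It's a high-level wrapper that allows for stacking
+multiple commands. Always prefer a more restrictive API such as calling
+`execve` from the `exec` family.
+note: >-
+[CWE-78] Improper Neutralization of Special Elements used in an OS
+Command ('OS Command Injection').
+[REFERENCES]
+- https://owasp.org/Top10/A03_2021-Injection
+
+ast-grep-essentials: true
+
+utils:
+PATTERN_SYSTEM_INSIDE_IF_STATEMENT:
+kind: call_expression
+all:
+- has:
+stopBy: neighbor
+kind: identifier
+regex: '^system$'
+- has:
+stopBy: neighbor
+kind: argument_list
+- inside:
+stopBy: end
+kind: parenthesized_expression
+inside:
+kind: if_statement
+PATTERN_SYSTEM:
+any:
+- kind: expression_statement
+- kind: return_statement
+- kind: field_declaration
+has:
+stopBy: neighbor
+kind: call_expression
+all:
+- has:
+stopBy: neighbor
+kind: identifier
+regex: '^system$'
+- has:
+stopBy: neighbor
+kind: argument_list
+rule:
+any:
+- matches: PATTERN_SYSTEM_INSIDE_IF_STATEMENT
+- matches: PATTERN_SYSTEM
+not:
+all:
+- has:
+stopBy: end
+kind: ERROR
+- inside:
+has:
+stopBy: end
+kind: ERROR
+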
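Review bot: PATTERN_SYSTEM only fires when the `system(...)` call is a direct child of an expression_statement, return_statement or field_declaration (as I read `stopBy: neighbor`, `has` inspects direct children only), so the common forms `int rc = system(cmdbuf);` (a `declaration` holding an `init_declarator`), `rc = system(cmdbuf);` (an `assignment_expression` under the statement) and `while (system(cmdbuf) == -1)` go unreported, and in tree-sitter-c `field_declaration` is a struct member rather than a local declaration, which is probably not what was intended. PATTERN_SYSTEM_INSIDE_IF_STATEMENT covers only `if`, not `while`/`for`/`switch` conditions. Since the identifier check already anchors on the exact name `system`, matching the `call_expression` directly and dropping the statement wrappers covers all of these with less YAML; the trade-off is that the snapshot's primary span becomes `system(cmdbuf)` instead of `system(cmdbuf);`. The `invalid:` fixture in the last file should gain those three forms, plus a `valid:` case where `system` is a local variable rather than a call, so the regression is pinned. The message could also state why stacking is possible: `It hands its argument to the shell (/bin/sh -c), so shell metacharacters in the string become extra commands.`
```yaml
rule:
  kind: call_expression
  all:
    - has:
        stopBy: neighbor
        kind: identifier
        regex: '^system$'
    - has:
        stopBy: neighbor
        kind: argument_list
  # … unchanged: not/ERROR exclusion …
```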
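--- /dev/null
+++ b/PATH_NOT_ON_PAGE_2
@@ -0,0 +1,45 @@
+id: dont-call-system-c
+snapshots:
+? |
+void test_002(const char *input)
+{
+char cmdbuf[BUFFERSIZE];
+int len_wanted = snprintf(cmdbuf, BUFFERSIZE,
+"any_cmd '%s'", input);
+system(cmdbuf);
+}
+void test_001(const char *input)
+{
+char cmdbuf[BUFFERSIZE];
+int len_wanted = snprintf(cmdbuf, BUFFERSIZE,
+"any_cmd '%s'", input);
+if (len_wanted >= BUFFERSIZE)
+{
+/* Handle error */
+}
+else if (len_wanted < 0)
+{
+/* Handle error */
+}
+else if (system(cmdbuf) == -1)
+{
+/* Handle error */
+}
+}
+: labels:
+- source: system(cmdbuf);
+style: primary
+start: 156
+end: 171
+- source: system
+style: secondary
+start: 156
+end: 162
+- source: (cmdbuf)
+style: secondary
+start: 162
+end: 170
+- source: system(cmdbuf)
+style: secondary
+start: 156
+end: 170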
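--- /dev/null
+++ b/PATH_NOT_ON_PAGE_3
@@ -0,0 +1,16 @@
+id: insecure-binaryformatter-deserialization-csharp
+snapshots:
+? "using System.Runtime.Serialization.Formatters.Binary; \nnamespace InsecureDeserialization\n{\n public class InsecureBinaryFormatterDeserialization\n {\n public void BinaryFormatterDeserialization(string json)\n {\n try\n {\n BinaryFormatter binaryFormatter = new BinaryFormatter();\n\n MemoryStream memoryStream = new MemoryStream(Encoding.UTF8.GetBytes(json));\n binaryFormatter.Deserialize(memoryStream);\n memoryStream.Close();\n }\n catch (Exception e)\n {\n Console.WriteLine(e);\n }\n }\n}\n}\n"
+: labels:
+- source: new BinaryFormatter()
+style: primary
+start: 281
+end: 302
+- source: using System.Runtime.Serialization.Formatters.Binary;
+style: secondary
+start: 0
+end: 53
+- source: using System.Runtime.Serialization.Formatters.Binary;
+style: secondary
+start: 0
+end: 53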
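--- /dev/null
+++ b/PATH_NOT_ON_PAGE_4
@@ -0,0 +1,115 @@
+id: ruby-cassandra-hardcoded-secret-ruby
+snapshots:
+? |
+require 'cassandra'
+cluster = Cassandra.cluster( username: 'user',password: 'password')
+: labels:
+- source: 'Cassandra.cluster( username: ''user'',password: ''password'')'
+style: primary
+start: 30
+end: 87
+- source: Cassandra
+style: secondary
+start: 30
+end: 39
+- source: .
+style: secondary
+start: 39
+end: 40
+- source: cluster
+style: secondary
+start: 40
+end: 47
+- source: password
+style: secondary
+start: 66
+end: 74
+- source: password
+style: secondary
+start: 77
+end: 85
+- source: '''password'''
+style: secondary
+start: 76
+end: 86
+- source: 'password: ''password'''
+style: secondary
+start: 66
+end: 86
+- source: '( username: ''user'',password: ''password'')'
+style: secondary
+start: 47
+end: 87
+- source: require 'cassandra'
+style: secondary
+start: 0
+end: 19
+- source: require 'cassandra'
+style: secondary
+start: 0
+end: 19
+? |
+require 'cassandra'
+password = 'password'
+cluster = Cassandra.cluster( username: 'user',password: password)
+: labels:
+- source: 'Cassandra.cluster( username: ''user'',password: password)'
+style: primary
+start: 52
+end: 107
+- source: Cassandra
+style: secondary
+start: 52
+end: 61
+- source: .
+style: secondary
+start: 61
+end: 62
+- source: cluster
+style: secondary
+start: 62
+end: 69
+- source: password
+style: secondary
+start: 88
+end: 96
+- source: password
+style: secondary
+start: 98
+end: 106
+- source: 'password: password'
+style: secondary
+start: 88
+end: 106
+- source: '( username: ''user'',password: password)'
+style: secondary
+start: 69
+end: 107
+- source: require 'cassandra'
+style: secondary
+start: 0
+end: 19
+- source: require 'cassandra'
+style: secondary
+start: 0
+end: 19
+- source: password
+style: secondary
+start: 20
+end: 28
+- source: password
+style: secondary
+start: 32
+end: 40
+- source: '''password'''
+style: secondary
+start: 31
+end: 41
+- source: password = 'password'
+style: secondary
+start: 20
+end: 41
+- source: password = 'password'
+style: secondary
+start: 20
+end: 41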
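--- /dev/null
+++ b/PATH_NOT_ON_PAGE_5
@@ -0,0 +1,34 @@
+id: dont-call-system-c
+valid:
+- |
+void test_003(const char *input)
+{
+storer->store_binary(Clocks->system());
+}
+invalid:
+- |
+void test_002(const char *input)
+{
+char cmdbuf[BUFFERSIZE];
+int len_wanted = snprintf(cmdbuf, BUFFERSIZE,
+"any_cmd '%s'", input);
+system(cmdbuf);
+}
+void test_001(const char *input)
+{
+char cmdbuf[BUFFERSIZE];
+int len_wanted = snprintf(cmdbuf, BUFFERSIZE,
+"any_cmd '%s'", input);
+if (len_wanted >= BUFFERSIZE)
+{
+/* Handle error */
+}
+else if (len_wanted < 0)
+{
+/* Handle error */
+}
+else if (system(cmdbuf) == -1)
+{
+/* Handle error */
+}
+}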
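Review bot: Both test_002 and test_001 sit in a single `invalid:` entry, and the companion snapshot file records one label group for it (`start: 156`, the `system(cmdbuf);` statement in test_002), so it appears only the first match per fixture is captured and the `else if (system(cmdbuf) == -1)` form in test_001 is not actually pinned by the snapshot. Splitting the two functions into separate `- |` entries would give each its own snapshot and make a regression in the if-statement path visible on its own.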
