Commit ee25e84

ESS-ENNSakshis and Sakshis authored
Add AST rules for detecting world-writable file creation in C/C++ (#191)
* removed missing-secure-java
* httponly-false-csharp
* use-of-md5-digest-utils-java
* removing use-of-md5-digest-utils and httponly-false-csharp
* world-writable-file-c
* world-writable-file-cpp

---------

Co-authored-by: Sakshis <sakshil@abc.com>
1 parent 289aa26 commit ee25e84

6 files changed: +889 -0 lines changed

Lines changed: 328 additions & 0 deletions
@@ -0,0 +1,328 @@
1+
id: world-writable-file-c
2+
language: c
3+
severity: warning
4+
message: >-
5+
This call makes a world-writable file which allows any user on a machine to write to the file. This may allow attackers to influence the behaviour of this process by writing to the file.
6+
note: >-
7+
[CWE-732]: Incorrect Permission Assignment for Critical Resource
8+
[REFERENCES]
9+
- https://wiki.sei.cmu.edu/confluence/display/c/FIO06-C.+Create+files+with+appropriate+access+permissions
10+
11+
ast-grep-essentials: true
12+
13+
utils:
14+
follows_umask:
15+
follows:
16+
stopBy: end
17+
kind: expression_statement
18+
has:
19+
kind: call_expression
20+
nthChild: 1
21+
all:
22+
- has:
23+
nthChild: 1
24+
kind: identifier
25+
field: function
26+
regex: ^umask$
27+
- has:
28+
nthChild: 2
29+
kind: argument_list
30+
field: arguments
31+
32+
AND_2_EQUALS_2_&_S_IXXXX:
33+
any:
34+
- kind: number_literal
35+
regex: ^-?([2367]|[0-9]*(0[2367]|1[014589]|2[2367]|3[014589]|4[2367]|5[014589]|6[2367]|7[014589]|8[2367]|9[014589]))$
36+
- all:
37+
- any:
38+
- kind: binary_expression
39+
- kind: identifier
40+
- regex: (\s*S_I[A-Z]{4}\s*\|)*S_I[A-Z]{4}
41+
- regex: .*\bS_IWOTH\b.*
42+
43+
rule:
44+
any:
45+
# chmod/fchmod/creat
46+
- any:
47+
- matches: AND_2_EQUALS_2_&_S_IXXXX
48+
- kind: identifier
49+
pattern: $MODE
50+
inside:
51+
stopBy: end
52+
follows:
53+
stopBy: end
54+
any:
55+
- kind: declaration
56+
all:
57+
- has:
58+
kind: init_declarator
59+
all:
60+
- has:
61+
kind: identifier
62+
field: declarator
63+
pattern: $MODE
64+
- has:
65+
nthChild: 2
66+
matches: AND_2_EQUALS_2_&_S_IXXXX
67+
- kind: expression_statement
68+
any:
69+
- has:
70+
kind: assignment_expression
71+
all:
72+
- has:
73+
nthChild: 1
74+
kind: identifier
75+
pattern: $MODE
76+
- has:
77+
nthChild: 2
78+
matches: AND_2_EQUALS_2_&_S_IXXXX
79+
- has:
80+
kind: comma_expression
81+
has:
82+
kind: assignment_expression
83+
all:
84+
- has:
85+
nthChild: 1
86+
kind: identifier
87+
pattern: $MODE
88+
- has:
89+
nthChild: 2
90+
matches: AND_2_EQUALS_2_&_S_IXXXX
91+
nthChild:
92+
position: 2
93+
ofRule:
94+
not:
95+
kind: comment
96+
inside:
97+
kind: argument_list
98+
nthChild: 2
99+
not:
100+
has:
101+
nthChild:
102+
position: 3
103+
ofRule:
104+
not:
105+
kind: comment
106+
follows:
107+
kind: identifier
108+
regex: ^(chmod|fchmod|creat)$
109+
inside:
110+
kind: call_expression
111+
not:
112+
any:
113+
- matches: follows_umask
114+
- inside:
115+
stopBy: end
116+
matches: follows_umask
117+
118+
# fchmodat
119+
- any:
120+
- matches: AND_2_EQUALS_2_&_S_IXXXX
121+
- kind: identifier
122+
pattern: $MODE
123+
inside:
124+
stopBy: end
125+
follows:
126+
stopBy: end
127+
any:
128+
- kind: declaration
129+
all:
130+
- has:
131+
kind: init_declarator
132+
all:
133+
- has:
134+
kind: identifier
135+
field: declarator
136+
pattern: $MODE
137+
- has:
138+
nthChild: 2
139+
matches: AND_2_EQUALS_2_&_S_IXXXX
140+
- kind: expression_statement
141+
any:
142+
- has:
143+
kind: assignment_expression
144+
all:
145+
- has:
146+
nthChild: 1
147+
kind: identifier
148+
pattern: $MODE
149+
- has:
150+
nthChild: 2
151+
matches: AND_2_EQUALS_2_&_S_IXXXX
152+
- has:
153+
kind: comma_expression
154+
has:
155+
kind: assignment_expression
156+
all:
157+
- has:
158+
nthChild: 1
159+
kind: identifier
160+
pattern: $MODE
161+
- has:
162+
nthChild: 2
163+
matches: AND_2_EQUALS_2_&_S_IXXXX
164+
nthChild:
165+
position: 3
166+
ofRule:
167+
not:
168+
kind: comment
169+
inside:
170+
kind: argument_list
171+
nthChild: 2
172+
follows:
173+
kind: identifier
174+
regex: ^(fchmodat)$
175+
inside:
176+
kind: call_expression
177+
not:
178+
any:
179+
- matches: follows_umask
180+
- inside:
181+
stopBy: end
182+
matches: follows_umask
183+
184+
# open
185+
- any:
186+
- matches: AND_2_EQUALS_2_&_S_IXXXX
187+
- kind: identifier
188+
pattern: $MODE
189+
inside:
190+
stopBy: end
191+
follows:
192+
stopBy: end
193+
any:
194+
- kind: declaration
195+
all:
196+
- has:
197+
kind: init_declarator
198+
all:
199+
- has:
200+
kind: identifier
201+
field: declarator
202+
pattern: $MODE
203+
- has:
204+
nthChild: 2
205+
matches: AND_2_EQUALS_2_&_S_IXXXX
206+
- kind: expression_statement
207+
any:
208+
- has:
209+
kind: assignment_expression
210+
all:
211+
- has:
212+
nthChild: 1
213+
kind: identifier
214+
pattern: $MODE
215+
- has:
216+
nthChild: 2
217+
matches: AND_2_EQUALS_2_&_S_IXXXX
218+
- has:
219+
kind: comma_expression
220+
has:
221+
kind: assignment_expression
222+
all:
223+
- has:
224+
nthChild: 1
225+
kind: identifier
226+
pattern: $MODE
227+
- has:
228+
nthChild: 2
229+
matches: AND_2_EQUALS_2_&_S_IXXXX
230+
nthChild:
231+
position: 3
232+
ofRule:
233+
not:
234+
kind: comment
235+
inside:
236+
kind: argument_list
237+
nthChild: 2
238+
not:
239+
has:
240+
nthChild:
241+
position: 4
242+
ofRule:
243+
not:
244+
kind: comment
245+
follows:
246+
kind: identifier
247+
regex: ^(open)$
248+
inside:
249+
kind: call_expression
250+
not:
251+
any:
252+
- matches: follows_umask
253+
- inside:
254+
stopBy: end
255+
matches: follows_umask
256+
257+
# openat
258+
- any:
259+
- matches: AND_2_EQUALS_2_&_S_IXXXX
260+
- kind: identifier
261+
pattern: $MODE
262+
inside:
263+
stopBy: end
264+
follows:
265+
stopBy: end
266+
any:
267+
- kind: declaration
268+
all:
269+
- has:
270+
kind: init_declarator
271+
all:
272+
- has:
273+
kind: identifier
274+
field: declarator
275+
pattern: $MODE
276+
- has:
277+
nthChild: 2
278+
matches: AND_2_EQUALS_2_&_S_IXXXX
279+
- kind: expression_statement
280+
any:
281+
- has:
282+
kind: assignment_expression
283+
all:
284+
- has:
285+
nthChild: 1
286+
kind: identifier
287+
pattern: $MODE
288+
- has:
289+
nthChild: 2
290+
matches: AND_2_EQUALS_2_&_S_IXXXX
291+
- has:
292+
kind: comma_expression
293+
has:
294+
kind: assignment_expression
295+
all:
296+
- has:
297+
nthChild: 1
298+
kind: identifier
299+
pattern: $MODE
300+
- has:
301+
nthChild: 2
302+
matches: AND_2_EQUALS_2_&_S_IXXXX
303+
nthChild:
304+
position: 4
305+
ofRule:
306+
not:
307+
kind: comment
308+
inside:
309+
kind: argument_list
310+
nthChild: 2
311+
not:
312+
has:
313+
nthChild:
314+
position: 5
315+
ofRule:
316+
not:
317+
kind: comment
318+
follows:
319+
kind: identifier
320+
regex: ^(openat)$
321+
inside:
322+
kind: call_expression
323+
not:
324+
any:
325+
- matches: follows_umask
326+
- inside:
327+
stopBy: end
328+
matches: follows_umask
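Review bot: the `number_literal` regex in `AND_2_EQUALS_2_&_S_IXXXX` treats octal and decimal literals with one character class, so the decimal-oriented alternatives (`1[014589]`, `3[014589]`, `5[014589]`, `7[014589]`, `9[014589]`) also fire on C octal literals and flag common safe modes such as `0755`, `0750`, `0770` and `0711`, none of which grant write to others; only the last octal digit being in `[2367]` matters for a leading-zero literal. Suggest splitting it into an octal alternative (`^0[0-7]*[2367]$`) and a decimal alternative with no leading zero that keeps the current two-digit classes, and adding a hex alternative since `0x1B6` (438, i.e. 0666) is not matched at all. Second, the `S_I...` branch only accepts expressions containing `S_IWOTH`, so `S_IRWXO` (which includes other-write) is missed, while a `binary_expression` such as `st.st_mode & ~S_IWOTH`, the usual idiom for removing world write, is reported because its text contains `S_IWOTH`. Third, the `follows_umask` exemption is applied to the `chmod`/`fchmod`/`fchmodat` branches, but the umask only affects modes at file creation (`open`, `openat`, `creat`); `chmod(path, 0666)` sets exactly 0666 regardless of any preceding `umask(...)`, so that suppression hides true positives and should be dropped from those branches. A minor note for the `open` branch: the mode argument is only used when `O_CREAT` (or `O_TMPFILE`) is in the flags, so checking the flags argument would avoid flagging `open(path, O_RDONLY, 0666)`.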
