
Commit f43b4ed

authored
Rules - dont-call-system c/cpp (#17)
* dont-call-system-cpp * dont-call-system-c
1 parent c30bdb6 commit f43b4ed

6 files changed

+202
-0
lines changed
Lines changed: 26 additions & 0 deletions
@@ -0,0 +1,26 @@
1+
id: dont-call-system-c
2+
language: c
3+
severity: warning
4+
message: >-
5+
Don't call `system`. It's a high-level wrapper that allows for stacking
6+
multiple commands. Always prefer a more restrictive API such as calling
7+
`execve` from the `exec` family.
8+
note: >-
9+
[CWE-78] Improper Neutralization of Special Elements used in an OS
10+
Command ('OS Command Injection').
11+
[REFERENCES]
12+
- https://owasp.org/Top10/A03_2021-Injection
13+
utils:
14+
PATTERN_SYSTEM:
15+
kind: call_expression
16+
all:
17+
- has:
18+
stopBy: neighbor
19+
kind: identifier
20+
regex: "^system$"
21+
- has:
22+
stopBy: neighbor
23+
kind: argument_list
24+
rule:
25+
kind: call_expression
26+
matches: PATTERN_SYSTEM
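Review bot: The `message` sends readers to `execve`, but that is not a drop-in replacement for `system(cmdbuf)`: `execve` replaces the calling process (so it has to be paired with `fork`) and does no PATH search, and the actual fix is to stop building a command string at all and pass an explicit argv. I would reword the last sentence to `Prefer an API that takes an explicit argv and never invokes a shell, such as posix_spawn/posix_spawnp or fork + execv/execvp.` Two smaller points on the `note`: it is a folded scalar (`>-`), so `[REFERENCES]` and the URL are joined onto the CWE sentence as one line (`|-` keeps the list on its own lines), and the invalid snippets look like the CERT ENV33-C ("Do not call system()") examples, so that rule is worth listing under `[REFERENCES]`. Finally, `system(NULL)` (the portable "is a command processor available" probe) will be flagged too; that is reasonable for a `warning`, but the message could say so.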
Lines changed: 26 additions & 0 deletions
@@ -0,0 +1,26 @@
1+
id: dont-call-system-cpp
2+
language: cpp
3+
severity: warning
4+
message: >-
5+
Don't call `system`. It's a high-level wrapper that allows for stacking
6+
multiple commands. Always prefer a more restrictive API such as calling
7+
`execve` from the `exec` family.
8+
note: >-
9+
[CWE-78] Improper Neutralization of Special Elements used in an OS
10+
Command ('OS Command Injection').
11+
[REFERENCES]
12+
- https://owasp.org/Top10/A03_2021-Injection
13+
utils:
14+
PATTERN_SYSTEM:
15+
kind: call_expression
16+
all:
17+
- has:
18+
stopBy: neighbor
19+
kind: identifier
20+
regex: "^system$"
21+
- has:
22+
stopBy: neighbor
23+
kind: argument_list
24+
rule:
25+
kind: call_expression
26+
matches: PATTERN_SYSTEM
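Review bot: The C++ rule only sees a bare `system(...)`: the `has` at `kind: identifier` with `stopBy: neighbor` looks at direct children of the `call_expression`, and a qualified call such as `std::system(cmd)` (which is what `<cstdlib>` declares) or `::system(cmd)` is, as far as I can tell from tree-sitter-cpp, parsed with a `qualified_identifier` as the function child, so the `system` identifier is a grandchild and the rule stays silent. Since C++ code is at least as likely to spell it `std::system`, I would widen `PATTERN_SYSTEM` to accept either shape and add a `std::system(cmdbuf)` snippet to the invalid tests. The `argument_list` check can stay as it is.
```yaml
PATTERN_SYSTEM:
  kind: call_expression
  all:
    - any:
        - has:
            stopBy: neighbor
            kind: identifier
            regex: "^system$"
        - has:
            stopBy: neighbor
            kind: qualified_identifier
            regex: "^(std)?::system$"
    # … unchanged: argument_list check …
```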
Lines changed: 41 additions & 0 deletions
@@ -0,0 +1,41 @@
1+
id: dont-call-system-c
2+
snapshots:
3+
? |
4+
void test_002(const char *input)
5+
{
6+
char cmdbuf[BUFFERSIZE];
7+
int len_wanted = snprintf(cmdbuf, BUFFERSIZE,
8+
"any_cmd '%s'", input);
9+
system(cmdbuf);
10+
}
11+
void test_001(const char *input)
12+
{
13+
char cmdbuf[BUFFERSIZE];
14+
int len_wanted = snprintf(cmdbuf, BUFFERSIZE,
15+
"any_cmd '%s'", input);
16+
if (len_wanted >= BUFFERSIZE)
17+
{
18+
/* Handle error */
19+
}
20+
else if (len_wanted < 0)
21+
{
22+
/* Handle error */
23+
}
24+
else if (system(cmdbuf) == -1)
25+
{
26+
/* Handle error */
27+
}
28+
}
29+
: labels:
30+
- source: system(cmdbuf)
31+
style: primary
32+
start: 156
33+
end: 170
34+
- source: system
35+
style: secondary
36+
start: 156
37+
end: 162
38+
- source: (cmdbuf)
39+
style: secondary
40+
start: 162
41+
end: 170
Lines changed: 41 additions & 0 deletions
@@ -0,0 +1,41 @@
1+
id: dont-call-system-cpp
2+
snapshots:
3+
? |
4+
void test_002(const char *input)
5+
{
6+
char cmdbuf[BUFFERSIZE];
7+
int len_wanted = snprintf(cmdbuf, BUFFERSIZE,
8+
"any_cmd '%s'", input);
9+
system(cmdbuf);
10+
}
11+
void test_001(const char *input)
12+
{
13+
char cmdbuf[BUFFERSIZE];
14+
int len_wanted = snprintf(cmdbuf, BUFFERSIZE,
15+
"any_cmd '%s'", input);
16+
if (len_wanted >= BUFFERSIZE)
17+
{
18+
/* Handle error */
19+
}
20+
else if (len_wanted < 0)
21+
{
22+
/* Handle error */
23+
}
24+
else if (system(cmdbuf) == -1)
25+
{
26+
/* Handle error */
27+
}
28+
}
29+
: labels:
30+
- source: system(cmdbuf)
31+
style: primary
32+
start: 156
33+
end: 170
34+
- source: system
35+
style: secondary
36+
start: 156
37+
end: 162
38+
- source: (cmdbuf)
39+
style: secondary
40+
start: 162
41+
end: 170

tests/c/dont-call-system-c-test.yml

Lines changed: 34 additions & 0 deletions
@@ -0,0 +1,34 @@
1+
id: dont-call-system-c
2+
valid:
3+
- |
4+
void test_003(const char *input)
5+
{
6+
storer->store_binary(Clocks->system());
7+
}
8+
invalid:
9+
- |
10+
void test_002(const char *input)
11+
{
12+
char cmdbuf[BUFFERSIZE];
13+
int len_wanted = snprintf(cmdbuf, BUFFERSIZE,
14+
"any_cmd '%s'", input);
15+
system(cmdbuf);
16+
}
17+
void test_001(const char *input)
18+
{
19+
char cmdbuf[BUFFERSIZE];
20+
int len_wanted = snprintf(cmdbuf, BUFFERSIZE,
21+
"any_cmd '%s'", input);
22+
if (len_wanted >= BUFFERSIZE)
23+
{
24+
/* Handle error */
25+
}
26+
else if (len_wanted < 0)
27+
{
28+
/* Handle error */
29+
}
30+
else if (system(cmdbuf) == -1)
31+
{
32+
/* Handle error */
33+
}
34+
}
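Review bot: Both invalid functions sit inside a single `- |` entry, so this is one test case, not two: the snapshot recorded for it carries a single label set at offsets 156-170, which is the `system(cmdbuf)` in `test_002`, and the call inside the `else if` of `test_001` is never asserted. If the rule ever regresses on the `else if (system(cmdbuf) == -1)` form the test would still pass, so I would split `test_001` and `test_002` into two separate `- |` entries under `invalid:`. The `valid:` list also has no case for identifiers that merely contain `system`, which is what the `^system$` anchors exist to exclude; one more entry such as `void test_004(void) { subsystem_init(); system_reset(); }` would pin that down.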
Lines changed: 34 additions & 0 deletions
@@ -0,0 +1,34 @@
1+
id: dont-call-system-cpp
2+
valid:
3+
- |
4+
void test_003(const char *input)
5+
{
6+
storer->store_binary(Clocks->system());
7+
}
8+
invalid:
9+
- |
10+
void test_002(const char *input)
11+
{
12+
char cmdbuf[BUFFERSIZE];
13+
int len_wanted = snprintf(cmdbuf, BUFFERSIZE,
14+
"any_cmd '%s'", input);
15+
system(cmdbuf);
16+
}
17+
void test_001(const char *input)
18+
{
19+
char cmdbuf[BUFFERSIZE];
20+
int len_wanted = snprintf(cmdbuf, BUFFERSIZE,
21+
"any_cmd '%s'", input);
22+
if (len_wanted >= BUFFERSIZE)
23+
{
24+
/* Handle error */
25+
}
26+
else if (len_wanted < 0)
27+
{
28+
/* Handle error */
29+
}
30+
else if (system(cmdbuf) == -1)
31+
{
32+
/* Handle error */
33+
}
34+
}
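Review bot: The C++ test is a verbatim copy of the C one and so never exercises the spelling C++ code actually uses: there is no invalid case for `std::system(cmdbuf)` or `::system(cmdbuf)`, and judging from the rule's direct-child `identifier` match (`stopBy: neighbor`) those would currently go unflagged. I would add `void test_004(const char *cmd) { std::system(cmd); }` and `void test_005(const char *cmd) { ::system(cmd); }` as separate `- |` entries under `invalid:`, which will fail until the rule accepts a `qualified_identifier`. As in the C test, `test_001` and `test_002` should also be separate entries, since a single snippet only needs one match to pass.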
