Rules update #8

Open
wants to merge 5 commits into
base: main
62 changes: 61 additions & 1 deletion c/command-injection.c
Expand Up @@ -31,6 +31,66 @@ void invoke2(char *string)
popen(string, "r");
}

void invoke2(char *string)
{
// ok: raptor-command-injection
execl("/bin/ls", "ls", "-l", "/home", (char *)0);
// ruleid: raptor-command-injection
execl("/bin/ls", "ls", "-l", string, (char *)0);

// ok: raptor-command-injection
execlp("ls", "ls", "-l", "/home", (char *)0);
// ruleid: raptor-command-injection
execlp("ls", "ls", "-l", string, (char *)0);

char *envp[] = { "MY_VAR=42", NULL };
// ok: raptor-command-injection
execle("/bin/ls", "ls", "-l", "/home", (char *)0, envp);
// ruleid: raptor-command-injection
execle("/bin/ls", "ls", "-l", string, (char *)0, envp);

char *envp[] = { "MY_VAR=42", NULL };
// ok: raptor-command-injection
execlpe("ls", "ls", "-l", "/home", (char *)0, envp);
// ruleid: raptor-command-injection
execlpe("ls", "ls", "-l", string, (char *)0, envp);

char *argv[] = { "ls", "-l", "/home", NULL };
// ok: raptor-command-injection
execv("/bin/ls", argv);
// ruleid: raptor-command-injection
char *argv[] = { "ls", "-l", string, NULL };
execv("/bin/ls", argv);

char buf[] = "/home"
// ok: raptor-command-injection
char *argv[] = { "ls", "-l", buf, NULL };
execvp("ls", argv);
// ruleid: raptor-command-injection
char *argv[] = { "ls", "-l", string, NULL };
execvp("ls", argv);

char *argv[] = { "ls", "-l", "/home", NULL };
char *envp[] = { "MY_VAR=42", NULL };
// ok: raptor-command-injection
execve("/bin/ls", argv, envp);

char *argv[] = { "ls", "-l", string, NULL };
char *envp[] = { "MY_VAR=42", NULL };
// ruleid: raptor-command-injection
execve("/bin/ls", argv, envp);

char *argv[] = { "ls", "-l", "/home", NULL };
char *envp[] = { "MY_VAR=42", NULL };
// ok: raptor-command-injection
execvpe("ls", argv, envp);

char *argv[] = { "ls", "-l", string, NULL };
char *envp[] = { "MY_VAR=42", NULL };
// ruleid: raptor-command-injection
execvpe("ls", argv, envp);
}

int send_mail(char *user)
{
char buf[1024];
Expand All @@ -42,7 +102,7 @@ int send_mail(char *user)
fp = popen(buf, "w");

if (fp == NULL)
return 1;
return 1;
// ...
}

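Review bot: The new function at `void invoke2(char *string)` reuses the name of the `invoke2` that the hunk's context closes just above it, and inside it `argv` and `envp` are declared several times in the same scope, so the fixture is not valid C even as a test file; `char buf[] = "/home"` is also missing its `;`. Tree-sitter recovers from some of this, but with `symbolic_propagation: true` set in the rule, several same-scope definitions of `argv` make it ambiguous which initializer propagates to each `execv`/`execvp` call, so an ok/ruleid pair may not behave as intended. Rename the function (e.g. `invoke3`), give each case its own `{ ... }` block or distinct names (`argv_ok`, `argv_bad`, …), and add the missing semicolon. The exec*p "ok" cases still resolve `ls` through PATH, which this rule does not claim to cover; a one-line comment such as `// PATH lookup (untrusted search path) is out of scope for this rule` would stop the ok marker being read as a full safety claim.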
44 changes: 39 additions & 5 deletions c/command-injection.yaml
Expand Up @@ -18,8 +18,42 @@ rules:
languages:
- c
- cpp
patterns:
- pattern-either:
- pattern: system(...)
- pattern: popen(...)
- pattern-not: $FUN("...", ...)
options:
symbolic_propagation: true
pattern-either:
- patterns:
- pattern-either:
- pattern: system(...)
- pattern: popen(...)
- pattern-not: $FUN("...", ...)
- patterns:
- pattern-either:
- pattern: execl(..., $P, ..., $NULL)
- pattern: execlp(..., $P, ..., $NULL)
- pattern: execle(..., $P, ..., $NULL, $ENV)
- pattern: execlpe(..., $P, ..., $NULL, $ENV)
- pattern: execv($P, ...)
- pattern: execvp($P, ...)
- pattern: execve($P, ..., $ENV)
- pattern: execvpe($P, ..., $ENV)
- metavariable-pattern:
metavariable: $P
patterns:
- pattern-not: (string $X)
- patterns:
- pattern-either:
- pattern: |
$ARGV = {..., $PP ,..., $NULL};
...
$FUNC(..., $ARGV);
- pattern: |
$ARGV = {..., $PP ,..., $NULL};
...
$FUNC(..., $ARGV, $ENV);
- metavariable-regex:
metavariable: $FUNC
regex: (execv|execvp|execve|execvpe)
- metavariable-pattern:
metavariable: $PP
patterns:
- pattern-not: (string $X)
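Review bot: The vector branch at `$ARGV = {..., $PP ,..., $NULL};` only recognises an argv built by an initializer, so a vector that arrives as a function parameter or is filled element-wise (`argv[2] = string; execv("/bin/ls", argv);`) is never reported, and the `execv($P, ...)` family above does not help because `$P` binds only to the path argument. Consider adding the element-assignment shape beside the two existing patterns, `$ARGV[$I] = $PP; ... $FUNC(..., $ARGV);` plus its `$FUNC(..., $ARGV, $ENV);` twin under the same "`$PP` is not a literal" check, together with a `ruleid:` fixture in command-injection.c for it. The parameter case has no syntactic anchor and is probably best left to a taint rule rather than this pattern set. The rule's `id`, `message` and `metadata` lie outside the hunk.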
26 changes: 23 additions & 3 deletions c/double-free.c
Expand Up @@ -29,13 +29,24 @@ void alloc_and_free2()
// ok: raptor-double-free
free(ptr);
}
void loop_and_free()
{
char *ptr = (char *)malloc(MEMSIZE);
int i=0;
for(i=0;i<10; i++){
// ok: raptor-double-free
free(ptr[i]);
// ruleid: raptor-double-free
free(ptr);
}
}

void alloc_and_free3()
{
char *ptr = (char *)malloc(MEMSIZE);

free(ptr);
ptr = (char *)malloc(MEMSIZE);
ptr = malloc(MEMSIZE);
// ok: raptor-double-free
free(ptr);
}
Expand All @@ -56,14 +67,23 @@ void double_free(int argc, char **argv)
free(buf1R2);
}

void double_free2(){
char *s1;
char *s2;
s1 = s2;
free(s1);
// ruleid: raptor-double-free
free(s2);
}

int Packet *getNextPacket()
{
Packet *y = (Packet *) malloc(1024);
retval = waitForPacket(y);
if(retval == OK) {
return y;
} else {
return NULL;
return NULL;
}
}

Expand All @@ -72,7 +92,7 @@ int bad()
free(logData);
pkt = getNextPacket();
if(!pkt) {
return NULL;
return NULL;
}
logPktData(pkt);
// ruleid: raptor-double-free
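Review bot: In `loop_and_free` the `ok:` line `free(ptr[i]);` passes a `char` to `free()`, since `ptr` is `char *`; a C compiler rejects or warns on the integer-to-pointer conversion, and the case does not exercise what the yaml's `pattern-not: ...[...]` is meant to allow, namely freeing the i-th pointer of an array of pointers. Declare it as such, `char **ptr = malloc(10 * sizeof *ptr);`, allocate each element at the top of the loop body before the element free, and keep the trailing `free(ptr)` as the `ruleid:` double free. `double_free2` frees two pointers that were never assigned (`s1 = s2;` with `s2` uninitialised); it still shows the alias shape the rule targets, but an `s2 = malloc(MEMSIZE);` line first would keep the fixture meaningful if these files are ever compiled under a sanitizer.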
66 changes: 55 additions & 11 deletions c/double-free.yaml
Expand Up @@ -21,18 +21,62 @@ rules:
- c
- cpp
patterns:
- pattern: |
free($PTR);
...
$FREE($PTR);
- pattern-not: |
free($PTR);
...
$PTR = $EXPR;
...
free($PTR);
- pattern-either:
- patterns:
- pattern: |
free($PTR);
...
$FREE($PTR);
- pattern-not: |
free($PTR);
...
$PTR = $EXPR;
...
free($PTR);
- patterns:
- pattern: |
{ ...
free($PTR1);
...
$FREE($PTR2);
... }
- pattern-either:
- pattern: |
{...
$PTR1 = $PTR2;
...}
- pattern: |
{...
$PTR2 = $PTR1;
...}
- pattern-not: |
{ ...
free($PTR);
...
$PTR = $EXPR;
...
free($PTR);
... }
- patterns:
- pattern-either:
- pattern: |
for(...; ...; ...){ ...
$FREE($PTR);
... }
- pattern: |
while(...){ ...
$FREE($PTR);
... }
- pattern: |
do{ ...
$FREE($PTR);
... }while(...);
- metavariable-pattern:
metavariable: $PTR
patterns:
- pattern-not: ...[...]
- metavariable-pattern:
metavariable: $FREE
pattern: free
# improve output readability
- focus-metavariable: $FREE
- focus-metavariable: $FREE
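Review bot: The loop branch (`for(...; ...; ...){ ... $FREE($PTR); ... }` and its `while`/`do` twins) fires on every non-subscript `free` inside a loop, so the common allocate-per-iteration shape — `p = malloc(n); ... free(p);` inside the body — is reported as a double free even though `p` is reassigned before each free; the reassignment exclusion at the top of the rule (`pattern-not: free($PTR); ... $PTR = $EXPR; ... free($PTR);`) belongs to the first branch only. Add an equivalent exclusion to the loop branch (below for `for`; repeat for `while` and `do`) and an `ok:` fixture for it in double-free.c. The alias branch has a loose end too: its `pattern-not` uses a fresh `$PTR` instead of `$PTR1`/`$PTR2`, and the `$PTR1 = $PTR2;` patterns are not ordered relative to the frees, so `free(a); free(b); a = b;` is matched while `free(s1); s2 = malloc(MEMSIZE); free(s2);` is not excluded; putting the assignment ahead of the first free in a single ordered pattern would tighten both.

```yaml
      - patterns:
          - pattern-either:
              - pattern: |
                  for(...; ...; ...){ ...
                    $FREE($PTR);
                  ... }
              # … unchanged: while / do-while patterns …
          - pattern-not: |
              for(...; ...; ...){ ...
                $PTR = $EXPR;
                ...
                $FREE($PTR);
              ... }
          # … unchanged: metavariable-pattern on $PTR and $FREE …
```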
12 changes: 12 additions & 0 deletions c/incorrect-use-of-free.c
Expand Up @@ -47,6 +47,18 @@ int check_auth(char *login, char *passwd)
return(stat);
}

int free_after_return(){
// ruleid: raptor-incorrect-use-of-free
char *s = (char*)malloc(STRING_SIZE);
int i = 0;
for(i=0;i<strlen(s); i++){
if(s[i]=='x')
return 1;
}
free(s);
return 0;
}

int main()
{
printf("Hello, World!");
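Review bot: `free_after_return` calls `strlen(s)` on memory that `malloc` never initialised, so the fixture reads uninitialised heap on every run (undefined behaviour) and it never checks the `malloc` result; `char *s = calloc(STRING_SIZE, 1);` keeps the leak-on-early-return shape the `ruleid:` marker is about while making the loop well-defined. It would also be worth an `ok:` sibling in which the early path frees before returning, `if (s[i] == 'x') { free(s); return 1; }`, since that is the case the yaml's `pattern-not` is meant to carve out and nothing in the file currently checks it.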
14 changes: 14 additions & 0 deletions c/incorrect-use-of-free.yaml
Expand Up @@ -63,3 +63,17 @@ rules:
- pattern-inside: |
$TYPE * $VAR = $EXPR;
...
- patterns:
- pattern: |
$P = $EXPR;
...
return ...;
...
free($P);
- pattern-not: |
$P = $EXPR;
...
free($P);
...
return ...;
...
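Review bot: The new pattern `$P = $EXPR; ... return ...; ... free($P);` matches the standard allocation check `p = malloc(n); if (p == NULL) return -1; ... free(p);`, because the only exclusion is a `free($P)` preceding a `return`, and a NULL result has nothing to free — every correctly written function of that shape would be reported. Exclude the null-guard returns explicitly (below, braced and `NULL == $P` variants as needed) and add an `ok:` fixture for them in incorrect-use-of-free.c; this also hides a function that has a genuine leaky return after its null check, which is the price of a purely syntactic rule, so a sentence in the rule's `message` about that trade-off would help triage. The `id`, `message` and the rule's earlier patterns are outside the hunk.

```yaml
    - patterns:
        - pattern: |
            $P = $EXPR;
            ...
            return ...;
            ...
            free($P);
        # … unchanged: existing pattern-not (free before return) …
        - pattern-not: |
            $P = $EXPR;
            ...
            if ($P == NULL) return ...;
            ...
            free($P);
        - pattern-not: |
            $P = $EXPR;
            ...
            if (!$P) return ...;
            ...
            free($P);
```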
6 changes: 4 additions & 2 deletions c/incorrect-use-of-strncat.yaml
Expand Up @@ -12,7 +12,7 @@ rules:
quite easy to misuse. The first common mistake is supplying the size of
the entire buffer instead of the size remaining in the buffer. A more
subtle mistake can be made: the size parameter needs to be the amount of
space left in the buffer less one; otherwise, the NUL byte is written
space left in the buffer less one; otherwise, the NULL byte is written
one byte past the end of the buffer.
severity: ERROR
languages:
Expand All @@ -31,8 +31,10 @@ rules:
...
# sizeof operator
- pattern: strncat($DST, $SRC, sizeof($DST))
# strlen function
# strlen and strnlen functions
- pattern: strncat($DST, $SRC, strlen($DST))
- pattern: strncat($DST, $SRC, strnlen($DST, ...))
# off-by-one
# see also off-by-one.yaml for a slightly different pattern
- pattern: strncat($DST, $SRC, sizeof($DST) - strlen($DST))
- pattern: strncat($DST, $SRC, sizeof($DST) - strnlen($DST, ...))
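Review bot: The wording change in the description, `NUL byte` → `NULL byte` (taking the second of the two printed lines as the new text, as the rendering order suggests), is a terminology regression: the terminator `strncat` writes is the NUL character `'\0'`, whereas `NULL` is the null pointer constant, and conflating the two in a rule that is specifically about the terminator misleads the reader the message is for. Keep `the NUL byte is written` or, to sidestep the homophone entirely, `the terminating '\0' is written one byte past the end of the buffer`. The added `strnlen($DST, ...)` patterns are consistent with the `strlen` ones beside them.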
55 changes: 55 additions & 0 deletions c/insecure-random-seed.c
@@ -0,0 +1,55 @@
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

int example1() {
// ruleid: raptor-insecure-random-seed
srand(1234);
printf("Random number: %d\n", rand());
return 0;
}

int example2() {
time_t t;
time(&t);
// ruleid: raptor-insecure-random-seed
srand((unsigned int)t);
printf("Random number: %d\n", rand());
return 0;
}


int example3() {
// ruleid: raptor-insecure-random-seed
srand((unsigned int)getpid());
printf("Random number: %d\n", rand());
return 0;
}

int example4() {
// ruleid: raptor-insecure-random-seed
srand((unsigned int)time(NULL));
for (int i = 0; i < 5; i++) {
printf("Random number: %d\n", rand());
}
return 0;
}
int example5() {
int seed = 42 * 42;
// ruleid: raptor-insecure-random-seed
srand(seed);
printf("Random number: %d\n", rand());
return 0;
}

void example6(void) {
struct timespec ts;
if (timespec_get(&ts, TIME_UTC) == 0) {
/* Handle error */
} else {
// ruleid: raptor-insecure-random-seed
srandom(ts.tv_nsec ^ ts.tv_sec);
for (unsigned int i = 0; i < 10; ++i) {
printf("%ld, ", random());
}
}
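Review bot: The file as added ends at the `}` that closes the `else` in `example6`, so if the hunk header's 55-line count is the whole file the function's own closing brace is missing and the fixture is not a complete translation unit. `getpid()` is used without `#include <unistd.h>`, and `srandom`/`random` are POSIX rather than ISO C, so the file may not build under `-std=c11` without `_POSIX_C_SOURCE` being defined — worth fixing if these fixtures are ever compiled. Every case here is a `ruleid:`; without at least one `ok:` case (for example a seed read from `getrandom()` or `/dev/urandom`, or code that never calls `rand()` at all) the test cannot tell whether the rule simply flags every `srand`/`srandom` call — hedged, since the rule file itself is not in this view.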