0xdea / semgrep-rules
A collection of my Semgrep rules to facilitate vulnerability research.
Home Page: https://semgrep.dev
License: MIT License
First of all, @0xdea, you have done great work there with the coverage, even if the support offered by Semgrep is still limited.
I found that some C/CPP functions are flagged as vulnerable code in multiple rules. I will go through the ones I faced and propose a fix to reduce the noise produced by the ruleset.
Take the following call: vsnprintf(NULL, 0, fmt, string); this call has a deterministic behavior. Since 0 bytes are copied to the destination buffer, the first argument of vsnprintf can be a NULL pointer. The length of the data that would have been copied (into the destination buffer, if it were big enough) is returned and can be used for other purposes (e.g., allocating an appropriate buffer).
I think that the rule format-string-bugs.yaml should not match this case, since it's eventually caught by the rule unsafe-ret-snprintf-vsnprintf.yaml.
Suggested change to the format-string-bugs rule (I can make the PR if I receive positive feedback):
- pattern-not: vsnprintf($ARG1, 0, ...)
- pattern-not: snprintf($ARG1, 0, ...)
I don't know if it could eventually be interesting to have a rule for undefined behavior, e.g., vsnprintf(NULL, 100, fmt, string), since this will result in writing some data to a NULL pointer. I didn't investigate it, but someone can delight me regarding this. More generally speaking, catching some undefined behavior could be interesting from a security perspective IMHO.
References:
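As an added C example (not code from the 0xdea/semgrep-rules repository or from this thread), this shows the size-0 vsnprintf sizing idiom the comment describes next to a truncation check of the kind unsafe-ret-snprintf-vsnprintf looks for; the helper names format_alloc and append_checked are my own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Measure-then-allocate formatting (added example, not a rule from the repo).
 * The first vsnprintf call passes NULL and size 0: nothing is written and the
 * return value is the length the output would have had, which is exactly the
 * deterministic idiom the issue asks the rule to exclude.
 * Returns a heap string the caller must free, or NULL on error. */
static char *format_alloc(const char *fmt, ...)
{
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);                            /* a va_list is single-pass */
    int needed = vsnprintf(NULL, 0, fmt, ap);    /* size 0: measure only */
    va_end(ap);
    if (needed < 0) {                            /* encoding error: no length */
        va_end(ap2);
        return NULL;
    }
    size_t len = (size_t)needed + 1;             /* room for the terminating NUL */
    char *buf = malloc(len);
    if (buf == NULL) {
        va_end(ap2);
        return NULL;
    }
    int written = vsnprintf(buf, len, fmt, ap2); /* second pass fills the buffer */
    va_end(ap2);
    if (written < 0 || (size_t)written >= len) { /* defensive: must match pass one */
        free(buf);
        return NULL;
    }
    return buf;
}

/* Truncation-aware append, the counterpart of what unsafe-ret-snprintf-vsnprintf
 * flags: snprintf returns the untruncated length, so it is only a valid offset
 * when it is smaller than the space that was actually available. */
static int append_checked(char *buf, size_t size, size_t *off, const char *s)
{
    if (*off >= size)
        return 0;
    int n = snprintf(buf + *off, size - *off, "%s", s);
    if (n < 0 || (size_t)n >= size - *off)       /* truncated: do not advance */
        return 0;
    *off += (size_t)n;
    return 1;
}
```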
The raptor-ret-stack-address rule checks if we are returning a pointer to a stack variable. It returns a false positive if we are returning a static variable.
static SomeObject* getObject()
{
    static SomeObject o;
    return &o;
}
This usually happens inside a static function. Adding all the edge cases will be a pain; we basically have to add a pattern-not-inside for each pattern-inside.
I tried filtering the $TYPE metavariable and filtering with metavariable-regex. But $TYPE only contains the type (e.g., SomeObject here) and not static.
You could also decide that the false positives are worth keeping the rule simple, which is definitely a good tradeoff.
Is it possible to add a check item for misuse of cryptography, such as MD5, which has been regarded as insecure? The check method may be an insecure-api-MD5_Init.yaml.
Hi, what do the double brackets (( used here mean? I have not found a similar usage description.
pattern-either:
  # type-based patterns (some types are missing)
  - patterns:
      - pattern: sizeof((char * $PTR))
      - pattern-not: sizeof("...")
  - pattern: sizeof((int * $PTR))
  - pattern: sizeof((float * $PTR))
  - pattern: sizeof((double * $PTR))