0xdea / semgrep-rules

A collection of my Semgrep rules to facilitate vulnerability research.

Home Page: https://semgrep.dev

License: MIT License

C 97.87% C++ 2.13%
semgrep semgrep-rules vulnerability-research code-review static-analysis

semgrep-rules's People

Contributors

0xdea, efortuna, parsiya

semgrep-rules's Issues

Ruleset noise reduction & undefined behavior rule

First of all, @0xdea, you have done great work there with the coverage, even if the support offered by Semgrep is still limited.

I found that some C/C++ functions are flagged as vulnerable code in multiple rules. I will go through the ones I faced and propose a fix to reduce the noise produced by the ruleset.

Take the following call: `vsnprintf(NULL, 0, fmt, string);`. This call has deterministic behavior. Since 0 bytes are copied to the destination buffer, the first argument of `vsnprintf` can be a NULL pointer. The length of the data that would have been copied (into the destination buffer, had it been big enough) is returned and can be used for other purposes (e.g., allocating an appropriately sized buffer).
I think that the rule format-string-bugs.yaml should not match this case, since it is eventually caught by the rule unsafe-ret-snprintf-vsnprintf.yaml.

Suggested change to the "format-string-bugs" rule (I can make the PR if I receive positive feedback):

- pattern-not: vsnprintf($ARG1, 0, ...)
- pattern-not: snprintf($ARG1, 0, ...)

I don't know if it could eventually be interesting to have a rule for undefined behavior, e.g., `vsnprintf(NULL, 100, fmt, string)`, since this will result in writing some data to a NULL pointer. I didn't investigate it, but someone can enlighten me regarding this 😄. More generally speaking, catching some undefined behavior could be interesting from a security perspective IMHO.

References:

  • ISO/IEC 9899:201x
    • chapter 7.21.6.12 - The vsnprintf function
    • chapter 7.21.6.5 - The snprintf function
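The sizing idiom discussed in this issue, next to the return-value bug that unsafe-ret-snprintf-vsnprintf targets, as an added C example. This is not code from the semgrep-rules repository or from the issue author; the function names (`format_alloc`, `append_unsafe`, `append_safe`) and the demo input are my own choices.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Sizing idiom from the issue: vsnprintf(NULL, 0, ...) stores nothing and
 * returns the length the formatted string would have had, so it can be used
 * to allocate an exactly sized buffer before formatting for real.
 * Returns a malloc'd string the caller must free(), or NULL on failure.
 */
char *format_alloc(const char *fmt, ...)
{
    va_list ap, ap_copy;
    va_start(ap, fmt);
    va_copy(ap_copy, ap);                       /* the sizing pass consumes ap */

    int needed = vsnprintf(NULL, 0, fmt, ap);   /* NULL/0: no write, length only */
    va_end(ap);
    if (needed < 0) {                           /* encoding error: nothing to allocate */
        va_end(ap_copy);
        return NULL;
    }

    size_t size = (size_t)needed + 1;           /* room for the terminating NUL */
    char *buf = malloc(size);
    if (buf == NULL) {
        va_end(ap_copy);
        return NULL;
    }

    int written = vsnprintf(buf, size, fmt, ap_copy);
    va_end(ap_copy);
    if (written < 0 || (size_t)written >= size) {   /* defensive: size came from the same format */
        free(buf);
        return NULL;
    }
    return buf;
}

/*
 * The bug unsafe-ret-snprintf-vsnprintf is about: the return value is the
 * length the output *would* have had, not the number of bytes stored. Using
 * it as an offset into the buffer without a bounds check walks off the end.
 */
size_t append_unsafe(char *buf, size_t bufsz, const char *s)
{
    int n = snprintf(buf, bufsz, "%s", s);
    return (size_t)n;                /* BUG: may be >= bufsz, so buf + n is out of bounds */
}

/* Hardened form: clamp the offset to what actually fits and report truncation. */
size_t append_safe(char *buf, size_t bufsz, const char *s, int *truncated)
{
    if (bufsz == 0) {                /* nothing can be stored, not even the NUL */
        *truncated = 1;
        return 0;
    }
    int n = snprintf(buf, bufsz, "%s", s);
    if (n < 0) {                     /* encoding error: treat as nothing written */
        *truncated = 1;
        return 0;
    }
    if ((size_t)n >= bufsz) {        /* output was cut: buf holds bufsz-1 bytes plus NUL */
        *truncated = 1;
        return bufsz - 1;
    }
    *truncated = 0;
    return (size_t)n;
}

/* Constructed demo input: 10 characters that cannot fit into an 8-byte buffer. */
#define DEMO_BUFSZ 8
static const char DEMO_INPUT[] = "0123456789";

size_t demo_unsafe_offset(void)
{
    char buf[DEMO_BUFSZ];
    return append_unsafe(buf, sizeof buf, DEMO_INPUT);   /* 10: past the end of buf */
}

size_t demo_safe_offset(void)
{
    char buf[DEMO_BUFSZ];
    int truncated = 0;
    return append_safe(buf, sizeof buf, DEMO_INPUT, &truncated);   /* 7: last usable index */
}

int demo_safe_truncated(void)
{
    char buf[DEMO_BUFSZ];
    int truncated = 0;
    (void)append_safe(buf, sizeof buf, DEMO_INPUT, &truncated);
    return truncated;
}

int main(void)
{
    char *s = format_alloc("%s-%d", "abc", 42);
    printf("format_alloc: %s\n", s ? s : "(null)");
    free(s);
    printf("unsafe offset: %zu (buffer is %d bytes)\n", demo_unsafe_offset(), DEMO_BUFSZ);
    printf("safe offset:   %zu, truncated=%d\n", demo_safe_offset(), demo_safe_truncated());
    return 0;
}
```

The `NULL, 0` call in `format_alloc` is exactly the shape the proposed `pattern-not` excludes; the dangerous shape is `append_unsafe`, where the unchecked return value later becomes a write offset.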

raptor-ret-stack-address not checking for `static` variables

The raptor-ret-stack-address rule checks if we are returning a pointer to a stack variable.

It returns a false positive if we are returning a static variable.

static SomeObject* getObject()
{
	static SomeObject o;
	return &o;
}

This usually happens inside a static function.

Adding all the edge cases will be a pain; we basically have to add a `pattern-not-inside` for each `pattern-inside`.

I tried filtering the `$TYPE` metavariable with `metavariable-regex`, but `$TYPE` only contains the type (e.g., `SomeObject` here) and not `static`.

You could also decide that the false positives are worth keeping the rule simple which is definitely a good tradeoff.
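Why the static case is not a stack-address bug, and the hazard it carries instead, as an added C example. This is not code from the repository or from the issue author: `SomeObject` is given a hypothetical layout and the accessor names are assumed. It goes one step beyond the issue by showing that a static-local return aliases every caller's result, which is the thing worth checking once a hit on this pattern is dismissed as a false positive.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical layout for the SomeObject from the issue. */
typedef struct {
    int id;
    char name[16];
} SomeObject;

/*
 * The shape the rule flags: `o` has static storage duration, so &o stays
 * valid for the life of the program. Not a dangling pointer, hence the false
 * positive. (The true positive the rule exists for is this same function with
 * a non-static `SomeObject o;`, whose storage dies when the function returns.)
 */
static SomeObject *get_object_static(int id)
{
    static SomeObject o;
    o.id = id;
    snprintf(o.name, sizeof o.name, "obj-%d", id);
    return &o;
}

/*
 * The caveat that survives triage: every caller receives the *same* object,
 * so a later call silently rewrites what an earlier caller still holds, and
 * concurrent callers race on it (the same hazard as strtok() or ctime()).
 * A heap object per call avoids that at the cost of an ownership contract.
 */
static SomeObject *get_object_heap(int id)
{
    SomeObject *o = calloc(1, sizeof *o);
    if (o == NULL)
        return NULL;
    o->id = id;
    snprintf(o->name, sizeof o->name, "obj-%d", id);
    return o;                        /* caller owns it and must free() it */
}

/* Returns 1 when the static variant aliases results across calls (it does). */
int static_results_alias(void)
{
    SomeObject *first = get_object_static(1);
    SomeObject *second = get_object_static(2);
    /* `first` now reports id 2: it is the same storage as `second`. */
    return first == second && first->id == 2 && strcmp(first->name, "obj-2") == 0;
}

/* Returns 1 when the heap variant keeps each result distinct (it does). */
int heap_results_distinct(void)
{
    SomeObject *first = get_object_heap(1);
    SomeObject *second = get_object_heap(2);
    int distinct = first != NULL && second != NULL && first != second
                   && first->id == 1 && second->id == 2;
    free(first);
    free(second);
    return distinct;
}

int main(void)
{
    printf("static results alias:  %d\n", static_results_alias());
    printf("heap results distinct: %d\n", heap_results_distinct());
    return 0;
}
```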

cryptographic misuse rules

Is it possible to add a check for misuse of cryptography, such as MD5, which has been regarded as insecure? The check could be an insecure-api-MD5_Init.yaml rule.

small question

Hi, what do the double parentheses `((` used here mean? I have not found a description of similar usage.

    pattern-either:
      # type-based patterns (some types are missing)
      - patterns:
        - pattern: sizeof((char * $PTR))
        - pattern-not: sizeof("...")
      - pattern: sizeof((int * $PTR))
      - pattern: sizeof((float * $PTR))
      - pattern: sizeof((double * $PTR))
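What those typed patterns match, as an added C example (not code from the repository or from the question's author; function names and the demo input are assumptions). In Semgrep, `(char * $PTR)` is a typed metavariable: the outer parentheses belong to `sizeof`, the inner ones bind `$PTR` to an expression whose type is `char *`. The rule therefore fires on `sizeof` applied to a pointer, which yields the pointer's size rather than the buffer's capacity:

```c
#include <stdio.h>
#include <string.h>

/*
 * The bug the typed patterns catch: sizeof on a pointer-typed expression is
 * sizeof(char *) (8 on LP64), not the capacity of what it points to, so the
 * copy is silently cut short.
 */
void copy_name_buggy(char *dst, const char *src)
{
    strncpy(dst, src, sizeof(dst));   /* sizeof(dst) == sizeof(char *) */
}

/* The same bug in disguise: an array parameter decays to a pointer. */
size_t capacity_of_param(char dst[64])
{
    return sizeof(dst);               /* still sizeof(char *), never 64 */
}

/* Fix: the owner of the array passes its real size, and short buffers are refused. */
int copy_name_fixed(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0)
        return -1;
    size_t n = strlen(src);
    if (n >= dstsz)                   /* would not fit with its NUL: refuse, do not truncate */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Constructed demo input: 16 characters copied into a 32-byte buffer. */
static const char DEMO_SRC[] = "abcdefghijklmnop";

size_t demo_buggy_copied_len(void)
{
    char dst[32] = {0};               /* zeroed so strlen() is defined after a truncated strncpy */
    copy_name_buggy(dst, DEMO_SRC);
    return strlen(dst);               /* sizeof(char *) bytes: 8 on 64-bit, 4 on 32-bit */
}

size_t demo_fixed_copied_len(void)
{
    char dst[32] = {0};
    if (copy_name_fixed(dst, sizeof dst, DEMO_SRC) != 0)   /* sizeof on the real array: 32 */
        return 0;
    return strlen(dst);               /* all 16 characters */
}

int main(void)
{
    printf("buggy copy kept %zu of %zu bytes\n", demo_buggy_copied_len(), strlen(DEMO_SRC));
    printf("fixed copy kept %zu of %zu bytes\n", demo_fixed_copied_len(), strlen(DEMO_SRC));
    return 0;
}
```

`pattern-not: sizeof("...")` in the rule exists because a string literal is an array, so `sizeof("...")` is its real length plus NUL and is not a bug.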
