Add dangling pointer traits detection (#700)

* Add dangling pointer tratis detection * improve the regex * fix the rule * refine the regex and add more tests * use generic parser instead of cpp
brave · Nov 1, 2024 · fa0db64 · fa0db64
1 parent 7410953
commit fa0db64
Show file tree

Hide file tree

Showing 2 changed files with 73 additions and 0 deletions.
diff --git a/assets/semgrep_rules/client/dangling-pointer-trait.cc b/assets/semgrep_rules/client/dangling-pointer-trait.cc
@@ -0,0 +1,35 @@
+// ruleid: dangling-pointer-trait
+raw_ptr<BrowserView, DanglingUntriaged> browser_view_ = nullptr;
+// ruleid: dangling-pointer-trait
+raw_ptr<content::WebContents, DisableDanglingPtrDetection> actual_ui_web_contents_ = nullptr;
+// ruleid: dangling-pointer-trait
+const raw_ptr<Delegate, FlakyDanglingUntriaged> delegate_;
+// ruleid: dangling-pointer-trait
+raw_ptr<ImageContextImpl, AcrossTasksDanglingUntriaged> context_ = nullptr;
+// ruleid: dangling-pointer-trait
+raw_ptr<MachPortsExtraHeader, AllowPtrArithmetic> mach_ports_header_ = nullptr;
+// ruleid: dangling-pointer-trait
+raw_ptr<Test, AllowUninitialized> test;
+// ruleid: dangling-pointer-trait
+raw_ptr<TestAshTraceDestinationIORegistry::IOStatus, LeakedDanglingUntriaged> status_;
+// ruleid: dangling-pointer-trait
+std::vector<raw_ptr<views::View, VectorExperimental>> panes;
+// ruleid: dangling-pointer-trait
+for (std::set<raw_ptr<aura::Window, SetExperimental>>::iterator iter =
+           removed_windows.begin();
+       iter != removed_windows.end(); ++iter) {
+    WindowState::Get(*iter)->Unminimize();
+    RemoveObserverIfUnreferenced(*iter);
+}
+// ruleid: dangling-pointer-trait
+outgoing_queue_ = std::queue<raw_ptr<FakeV4L2Buffer, CtnExperimental>>();
+// ruleid: dangling-pointer-trait
+const raw_ref<const AppListConfig, DanglingUntriaged> app_list_config_;
+// ruleid: dangling-pointer-trait
+const raw_ref<base::WaitableEvent, AcrossTasksDanglingUntriaged> on_destroyed_;
+// ruleid: dangling-pointer-trait
+const raw_ref<AshProxy, LeakedDanglingUntriaged> ash_;
+// ruleid: dangling-pointer-trait
+const raw_ptr<Delegate, AllowPtrArithmetic | FlakyDanglingUntriaged | LeakedDanglingUntriaged> delegate_;
+// ruleid: dangling-pointer-trait
+const raw_ptr<Delegate, AllowPtrArithmetic | FlakyDanglingUntriaged> delegate_;
diff --git a/assets/semgrep_rules/client/dangling-pointer-trait.yaml b/assets/semgrep_rules/client/dangling-pointer-trait.yaml
@@ -0,0 +1,38 @@
+rules:
+  - id: dangling-pointer-trait
+    metadata:
+      author: Artem Chaikin
+      references:
+        - https://chromium.googlesource.com/chromium/src.git/+/main/docs/dangling_ptr.md
+      source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/client/dangling-pointer-trait.yaml
+      assignees: |
+        stoletheminerals
+        thypon
+        cdesouza-chromium
+    patterns:
+      - pattern-either:
+        - pattern-inside: raw_ptr<...>
+        - pattern-inside: raw_ref<...>          
+      - pattern-either:
+        - pattern: DanglingUntriaged
+        - pattern: DisableDanglingPtrDetection
+        - pattern: FlakyDanglingUntriaged
+        - pattern: AcrossTasksDanglingUntriaged
+        - pattern: AllowPtrArithmetic
+        - pattern: AllowUninitialized
+        - pattern: LeakedDanglingUntriaged
+        - pattern: VectorExperimental
+        - pattern: SetExperimental
+        - pattern: CtnExperimental
+    message: "Detected use of a trait that disables dangling pointer checks. This requires security team approval."
+    severity: WARNING
+    languages:
+      - generic
+    paths:
+      include:
+        - "*.c"
+        - "*.cpp"
+        - "*.cc"
+        - "*.h"
+        - "*.hh"
+        - "*.hcc"