From fa0db641602dec1681673a4b2b574898be2878e5 Mon Sep 17 00:00:00 2001
From: Artem Chaikin
Date: Fri, 1 Nov 2024 22:44:10 +0000
Subject: [PATCH] Add dangling pointer traits detection (#700)

* Add dangling pointer tratis detection
* improve the regex
* fix the rule
* refine the regex and add more tests
* use generic parser instead of cpp
---
 .../client/dangling-pointer-trait.cc | 35 +++++++++++++++++
 .../client/dangling-pointer-trait.yaml | 38 +++++++++++++++++++
 2 files changed, 73 insertions(+)
 create mode 100644 assets/semgrep_rules/client/dangling-pointer-trait.cc
 create mode 100644 assets/semgrep_rules/client/dangling-pointer-trait.yaml

diff --git a/assets/semgrep_rules/client/dangling-pointer-trait.cc b/assets/semgrep_rules/client/dangling-pointer-trait.cc
new file mode 100644
index 00000000..e3c4e862
--- /dev/null
+++ b/assets/semgrep_rules/client/dangling-pointer-trait.cc
@@ -0,0 +1,35 @@
+// ruleid: dangling-pointer-trait
+raw_ptr browser_view_ = nullptr;
+// ruleid: dangling-pointer-trait
+raw_ptr actual_ui_web_contents_ = nullptr;
+// ruleid: dangling-pointer-trait
+const raw_ptr delegate_;
+// ruleid: dangling-pointer-trait
+raw_ptr context_ = nullptr;
+// ruleid: dangling-pointer-trait
+raw_ptr mach_ports_header_ = nullptr;
+// ruleid: dangling-pointer-trait
+raw_ptr test;
+// ruleid: dangling-pointer-trait
+raw_ptr status_;
+// ruleid: dangling-pointer-trait
+std::vector> panes;
+// ruleid: dangling-pointer-trait
+for (std::set>::iterator iter =
+ removed_windows.begin();
+ iter != removed_windows.end(); ++iter) {
+ WindowState::Get(*iter)->Unminimize();
+ RemoveObserverIfUnreferenced(*iter);
+}
+// ruleid: dangling-pointer-trait
+outgoing_queue_ = std::queue>();
+// ruleid: dangling-pointer-trait
+const raw_ref app_list_config_;
+// ruleid: dangling-pointer-trait
+const raw_ref on_destroyed_;
+// ruleid: dangling-pointer-trait
+const raw_ref ash_;
+// ruleid: dangling-pointer-trait
+const raw_ptr delegate_;
+// ruleid: dangling-pointer-trait
+const raw_ptr delegate_;
diff --git a/assets/semgrep_rules/client/dangling-pointer-trait.yaml b/assets/semgrep_rules/client/dangling-pointer-trait.yaml
new file mode 100644
index 00000000..2ff716ab
--- /dev/null
+++ b/assets/semgrep_rules/client/dangling-pointer-trait.yaml
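Review bot: The fixture holds only positive `// ruleid: dangling-pointer-trait` cases, so the semgrep test run cannot tell whether the rule over-matches. The harness also honours `// ok: dangling-pointer-trait` annotations; a few such lines — a plain `raw_ptr<Foo> foo_ = nullptr;`, a `const raw_ref<Bar> bar_;`, and a trait name that only appears in a comment or in an unrelated identifier on the line after a trait-free declaration — would pin that declarations without one of the listed traits do not fire. As rendered here the template argument lists after `raw_ptr`, `raw_ref`, `std::vector` and `std::set` are missing, which is presumably an extraction artefact rather than the committed file content.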
@@ -0,0 +1,38 @@
+rules:
+ - id: dangling-pointer-trait
+ metadata:
+ author: Artem Chaikin
+ references:
+ - https://chromium.googlesource.com/chromium/src.git/+/main/docs/dangling_ptr.md
+ source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/client/dangling-pointer-trait.yaml
+ assignees: |
+ stoletheminerals
+ thypon
+ cdesouza-chromium
+ patterns:
+ - pattern-either:
+ - pattern-inside: raw_ptr<...>
+ - pattern-inside: raw_ref<...>
+ - pattern-either:
+ - pattern: DanglingUntriaged
+ - pattern: DisableDanglingPtrDetection
+ - pattern: FlakyDanglingUntriaged
+ - pattern: AcrossTasksDanglingUntriaged
+ - pattern: AllowPtrArithmetic
+ - pattern: AllowUninitialized
+ - pattern: LeakedDanglingUntriaged
+ - pattern: VectorExperimental
+ - pattern: SetExperimental
+ - pattern: CtnExperimental
+ message: "Detected use of a trait that disables dangling pointer checks. This requires security team approval."
+ severity: WARNING
+ languages:
+ - generic
+ paths:
+ include:
+ - "*.c"
+ - "*.cpp"
+ - "*.cc"
+ - "*.h"
+ - "*.hh"
+ - "*.hcc"
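Review bot: The `message` says every listed trait "disables dangling pointer checks", but `AllowPtrArithmetic` and `AllowUninitialized` relax other raw_ptr protections and the `VectorExperimental`/`SetExperimental`/`CtnExperimental` traits mark experimental container usage, so the finding text overstates for half the list; a wording such as `message: "Detected a raw_ptr/raw_ref trait that weakens or bypasses pointer-safety checks (dangling-pointer detection, arithmetic, initialization, container support). This requires security team approval."` covers all of them accurately. With `languages: generic`, the `<...>` in `pattern-inside: raw_ptr<...>` is a token ellipsis rather than a parsed template-argument list and generic-mode ellipses can span several lines, so a trait token in a later, separate declaration might be reported against a trait-free `raw_ptr<T>` that precedes it — worth confirming with a negative test case before the rule gates approvals. The `paths.include` list omits `"*.mm"`, so Objective-C++ sources that declare raw_ptr/raw_ref members would never be scanned; adding `- "*.mm"` closes that gap.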