From b3bb9e4c1291b17ed92f9619b1bf20e09c06fe55 Mon Sep 17 00:00:00 2001
From: bcaller
Date: Tue, 3 Oct 2023 22:57:14 +0100
Subject: [PATCH 1/2] Integer truncation false positive
Now you can do `char oops = 3458079` if you must
---
 assets/semgrep_rules/blocklist.txt | 1 +
 .../semgrep_rules/client/integer-truncation.c | 51 +++++++++
 .../client/integer-truncation.yaml | 100 ++++++++++++++++++
 3 files changed, 152 insertions(+)
 create mode 100644 assets/semgrep_rules/client/integer-truncation.c
 create mode 100644 assets/semgrep_rules/client/integer-truncation.yaml
diff --git a/assets/semgrep_rules/blocklist.txt b/assets/semgrep_rules/blocklist.txt
index 08d72b0c..eb3e93e5 100644
--- a/assets/semgrep_rules/blocklist.txt
+++ b/assets/semgrep_rules/blocklist.txt
@@ -23,3 +23,4 @@ https://semgrep.dev/r/terraform.aws.security.aws-elb-access-logs-not-enabled.aws
 https://github.com/0xdea/semgrep-rules/blob/main/c/mismatched-memory-management-cpp.yaml
 https://semgrep.dev/r/javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
 https://semgrep.dev/r/yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha.third-party-action-not-pinned-to-commit-sha
+https://github.com/0xdea/semgrep-rules/blob/main/c/integer-truncation.yaml
\ No newline at end of file
diff --git a/assets/semgrep_rules/client/integer-truncation.c b/assets/semgrep_rules/client/integer-truncation.c
new file mode 100644
index 00000000..bd58f644
--- /dev/null
+++ b/assets/semgrep_rules/client/integer-truncation.c
@@ -0,0 +1,51 @@
+// Marco Ivaldi
+
+#include
+
+int assign_int(int int_var)
+{
+ // ruleid: integer-truncation
+ char char_var = int_var;
+ short short_var;
+
+ // ruleid: integer-truncation
+ short_var = int_var;
+}
+
+int assign_long(long long_var)
+{
+ short short_var;
+ // ruleid: integer-truncation
+ int int_var = long_var + 1;
+
+ // ruleid: integer-truncation
+ short_var = long_var;
+}
+
+int test_func()
+{
+ int intPrimitive;
+ short shortPrimitive;
+ intPrimitive = (int)(~((int)0) ^ (1 << (sizeof(int)*8-1)));
+ // ruleid: integer-truncation
+ shortPrimitive = intPrimitive;
+ printf("Int MAXINT: %d\nShort MAXINT: %d\n", intPrimitive, shortPrimitive);
+ // ok: integer-truncation
+ char c = 0x0;
+ // ok: integer-truncation
+ char cc = 127;
+ printf("Chars: %c %c\n", c, cc);
+}
+
+// ruleid: integer-truncation
+char func(void)
+{
+ int a = 42;
+ return a;
+}
+
+int main()
+{
+ printf("Hello, World!");
+ return 0;
+}
\ No newline at end of file
diff --git a/assets/semgrep_rules/client/integer-truncation.yaml b/assets/semgrep_rules/client/integer-truncation.yaml
new file mode 100644
index 00000000..55b6f193
--- /dev/null
+++ b/assets/semgrep_rules/client/integer-truncation.yaml
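Review bot: The fixture records the two literals that must stay quiet (`char c = 0x0;`, `char cc = 127;`) but has no case for the literal the commit message says is now missed, so the false negative introduced by the `\A[^0-9]` filter is not tracked anywhere the rule tests would notice a later fix; add `// todoruleid: integer-truncation` followed by `char oops = 3458079;` next to the two `// ok:` cases in test_func. Separately, assign_int, assign_long and test_func are declared `int` but never return a value, and `1 << (sizeof(int)*8-1)` left-shifts into the sign bit of a signed int, which is undefined behaviour in C11. That presumably only matters if the fixture is ever compiled rather than just scanned, in which case `return 0;` at the end of each and an unsigned shift such as `(int)(~0u ^ (1u << (sizeof(int)*8-1)))` keep the same values without changing what the rule matches.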
@@ -0,0 +1,100 @@
+rules:
+- id: integer-truncation
+ metadata:
+ author: Marco Ivaldi
+ references:
+ - https://cwe.mitre.org/data/definitions/197
+ - https://cwe.mitre.org/data/definitions/681
+ - https://g.co/kgs/PCHQjJ
+ - https://github.com/struct/mms
+ - https://github.com/0xdea/semgrep-rules/blob/main/c/integer-truncation.yaml
+ confidence: MEDIUM
+ license: MIT
+ category: security
+ subcategory:
+ - audit
+ source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/client/integer-truncation.yaml
+ message: Truncation errors occur when a primitive is cast to a primitive of a smaller
+ size and data is lost in the conversion. The value cannot be trusted and the
+ application will be in an undefined state.
+ severity: WARNING
+ languages:
+ - c
+ - cpp
+ patterns:
+ - pattern-either:
+ - pattern: (char $NARROW) = <... (short $LARGE) ...>
+ - pattern: (char $NARROW) = <... (short int $LARGE) ...>
+ - pattern: (char $NARROW) = <... (unsigned short $LARGE) ...>
+ - pattern: (char $NARROW) = <... (unsigned short int $LARGE) ...>
+ - pattern: (char $NARROW) = <... (int $LARGE) ...>
+ - pattern: (char $NARROW) = <... (unsigned $LARGE) ...>
+ - pattern: (char $NARROW) = <... (unsigned int $LARGE) ...>
+ - pattern: (char $NARROW) = <... (long $LARGE) ...>
+ - pattern: (char $NARROW) = <... (long int $LARGE) ...>
+ - pattern: (char $NARROW) = <... (unsigned long $LARGE) ...>
+ - pattern: (char $NARROW) = <... (unsigned long int $LARGE) ...>
+ - pattern: |
+ char $FUN(...)
+ {
+ ...
+ return (short $LARGE);
+ }
+ - pattern: |
+ char $FUN(...)
+ {
+ ...
+ return (int $LARGE);
+ }
+ - pattern: |
+ char $FUN(...)
+ {
+ ...
+ return (long $LARGE);
+ }
+ - pattern: (short $NARROW) = <... (unsigned short $LARGE) ...>
+ - pattern: (short int $NARROW) = <... (unsigned short int $LARGE) ...>
+ - pattern: (short $NARROW) = <... (int $LARGE) ...>
+ - pattern: (short $NARROW) = <... (unsigned $LARGE) ...>
+ - pattern: (short int $NARROW) = <... (unsigned int $LARGE) ...>
+ - pattern: (short $NARROW) = <... (long $LARGE) ...>
+ - pattern: (short int $NARROW) = <... (long int $LARGE) ...>
+ - pattern: (short $NARROW) = <... (unsigned long $LARGE) ...>
+ - pattern: (short int $NARROW) = <... (unsigned long int $LARGE) ...>
+ - pattern: (unsigned short $NARROW) = <... (int $LARGE) ...>
+ - pattern: (unsigned short $NARROW) = <... (unsigned $LARGE) ...>
+ - pattern: (unsigned short int $NARROW) = <... (unsigned int $LARGE) ...>
+ - pattern: (unsigned short $NARROW) = <... (long $LARGE) ...>
+ - pattern: (unsigned short int $NARROW) = <... (long int $LARGE) ...>
+ - pattern: (unsigned short $NARROW) = <... (unsigned long $LARGE) ...>
+ - pattern: (unsigned short int $NARROW) = <... (unsigned long int $LARGE) ...>
+ - pattern: |
+ short $FUN(...)
+ {
+ ...
+ return (int $LARGE);
+ }
+ - pattern: |
+ short $FUN(...)
+ {
+ ...
+ return (long $LARGE);
+ }
+ - pattern: (int $NARROW) = <... (unsigned $LARGE) ...>
+ - pattern: (int $NARROW) = <... (unsigned int $LARGE) ...>
+ - pattern: (int $NARROW) = <... (long $LARGE) ...>
+ - pattern: (int $NARROW) = <... (long int $LARGE) ...>
+ - pattern: (int $NARROW) = <... (unsigned long $LARGE) ...>
+ - pattern: (int $NARROW) = <... (unsigned long int $LARGE) ...>
+ - pattern: |
+ int $FUN(...)
+ {
+ ...
+ return (long $LARGE);
+ }
+ - pattern: (long $NARROW) = <... (unsigned long $LARGE) ...>
+ - pattern: (long int $NARROW) = <... (unsigned long int $LARGE) ...>
+ # (Ben Caller) Prevent false positive with `char x = 0;` by using regex:
+ - metavariable-regex:
+ metavariable: $LARGE
+ regex: '\A[^0-9]'
\ No newline at end of file
From d6f61a2d24fec991a59f47cb926ceba419511eb2 Mon Sep 17 00:00:00 2001
From: bcaller
Date: Tue, 3 Oct 2023 22:57:53 +0100
Subject: [PATCH 2/2] :%sort
---
 assets/semgrep_rules/blocklist.txt | 40 +++++++++++++++---------------
 1 file changed, 20 insertions(+), 20 deletions(-)
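Review bot: The comment above the metavariable-regex explains only the `char x = 0;` case, but `\A[^0-9]` drops every numeric literal from `$LARGE`, including values that do not fit the narrow type, which is exactly the truncation the rule exists to report (the commit message's own `char oops = 3458079`). The trade-off should be visible to whoever tunes the rule next, so I would replace the comment with `# (Ben Caller) Skip numeric literals to avoid false positives such as char x = 0; caveat: out-of-range literals like char x = 3458079; are skipped as well.` A range-aware filter (semgrep's `metavariable-comparison` on the literal value) would be more precise, but the limits differ per narrow type and the char/short/int targets all share one pattern-either, so that is a restructuring for a follow-up rather than this change.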
diff --git a/assets/semgrep_rules/blocklist.txt b/assets/semgrep_rules/blocklist.txt
index eb3e93e5..1d30829e 100644
--- a/assets/semgrep_rules/blocklist.txt
+++ b/assets/semgrep_rules/blocklist.txt
@@ -1,26 +1,26 @@
-https://semgrep.dev/r/python.flask.security.xss.audit.template-unescaped-with-safe.template-unescaped-with-safe
-https://semgrep.dev/r/python.flask.security.xss.audit.template-href-var.template-href-var
-https://semgrep.dev/r/generic.html-templates.security.var-in-href.var-in-href
-https://semgrep.dev/r/generic.nginx.security.missing-internal.missing-internal
-https://semgrep.dev/r/generic.html-templates.security.var-in-script-tag.var-in-script-tag
-https://semgrep.dev/r/python.django.security.audit.xss.var-in-script-tag.var-in-script-tag
-https://semgrep.dev/r/python.django.security.audit.xss.template-href-var.template-href-var
-https://semgrep.dev/r/javascript.express.security.audit.xss.mustache.var-in-href.var-in-href
-https://semgrep.dev/r/generic.html-templates.security.var-in-script-src.var-in-script-src
-https://semgrep.dev/r/typescript.react.security.audit.react-missing-noreferrer.react-missing-noreferrer
-https://semgrep.dev/r/html.security.audit.missing-integrity.missing-integrity
-https://semgrep.dev/r/generic.secrets.gitleaks.generic-api-key.generic-api-key
-https://github.com/0xdea/semgrep-rules/blob/main/c/typos.yaml
+https://github.com/0xdea/semgrep-rules/blob/main/c/integer-truncation.yaml
 https://github.com/0xdea/semgrep-rules/blob/main/c/interesting-api-calls.yaml
+https://github.com/0xdea/semgrep-rules/blob/main/c/mismatched-memory-management-cpp.yaml
+https://github.com/0xdea/semgrep-rules/blob/main/c/missing-break-in-switch.yaml
+https://github.com/0xdea/semgrep-rules/blob/main/c/missing-default-in-switch.yaml
 https://github.com/0xdea/semgrep-rules/blob/main/c/signed-unsigned-conversion.yaml
+https://github.com/0xdea/semgrep-rules/blob/main/c/typos.yaml
 https://semgrep.dev/r/generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var
-https://semgrep.dev/r/html.security.audit.missing-integrity.missing-integrity
-https://github.com/0xdea/semgrep-rules/blob/main/c/missing-default-in-switch.yaml
-https://semgrep.dev/r/generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value
+https://semgrep.dev/r/generic.html-templates.security.var-in-href.var-in-href
+https://semgrep.dev/r/generic.html-templates.security.var-in-script-src.var-in-script-src
+https://semgrep.dev/r/generic.html-templates.security.var-in-script-tag.var-in-script-tag
+https://semgrep.dev/r/generic.nginx.security.missing-internal.missing-internal
 https://semgrep.dev/r/generic.secrets.gitleaks.aws-access-token.aws-access-token
-https://github.com/0xdea/semgrep-rules/blob/main/c/missing-break-in-switch.yaml
-https://semgrep.dev/r/terraform.aws.security.aws-elb-access-logs-not-enabled.aws-elb-access-logs-not-enabled
-https://github.com/0xdea/semgrep-rules/blob/main/c/mismatched-memory-management-cpp.yaml
+https://semgrep.dev/r/generic.secrets.gitleaks.generic-api-key.generic-api-key
+https://semgrep.dev/r/generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value
+https://semgrep.dev/r/html.security.audit.missing-integrity.missing-integrity
+https://semgrep.dev/r/html.security.audit.missing-integrity.missing-integrity
+https://semgrep.dev/r/javascript.express.security.audit.xss.mustache.var-in-href.var-in-href
 https://semgrep.dev/r/javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
+https://semgrep.dev/r/python.django.security.audit.xss.template-href-var.template-href-var
+https://semgrep.dev/r/python.django.security.audit.xss.var-in-script-tag.var-in-script-tag
+https://semgrep.dev/r/python.flask.security.xss.audit.template-href-var.template-href-var
+https://semgrep.dev/r/python.flask.security.xss.audit.template-unescaped-with-safe.template-unescaped-with-safe
+https://semgrep.dev/r/terraform.aws.security.aws-elb-access-logs-not-enabled.aws-elb-access-logs-not-enabled
+https://semgrep.dev/r/typescript.react.security.audit.react-missing-noreferrer.react-missing-noreferrer
 https://semgrep.dev/r/yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha.third-party-action-not-pinned-to-commit-sha
-https://github.com/0xdea/semgrep-rules/blob/main/c/integer-truncation.yaml
\ No newline at end of file
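Review bot: The sorted result still lists `https://semgrep.dev/r/html.security.audit.missing-integrity.missing-integrity` twice, on two consecutive added lines, because the entry was already duplicated before the sort and `:%sort` keeps duplicates; `:%sort u` would have collapsed them, so one of the two `+` lines should be dropped. Beyond that the hunk only reorders entries and gains the trailing newline the previous patch left off, which is fine assuming the consumer treats this file as an unordered set of rule URLs.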