Integer trunk

assets/semgrep_rules/blocklist.txt

@@ -1,25 +1,26 @@
-https://semgrep.dev/r/python.flask.security.xss.audit.template-unescaped-with-safe.template-unescaped-with-safe
-https://semgrep.dev/r/python.flask.security.xss.audit.template-href-var.template-href-var
-https://semgrep.dev/r/generic.html-templates.security.var-in-href.var-in-href
-https://semgrep.dev/r/generic.nginx.security.missing-internal.missing-internal
-https://semgrep.dev/r/generic.html-templates.security.var-in-script-tag.var-in-script-tag
-https://semgrep.dev/r/python.django.security.audit.xss.var-in-script-tag.var-in-script-tag
-https://semgrep.dev/r/python.django.security.audit.xss.template-href-var.template-href-var
-https://semgrep.dev/r/javascript.express.security.audit.xss.mustache.var-in-href.var-in-href
-https://semgrep.dev/r/generic.html-templates.security.var-in-script-src.var-in-script-src
-https://semgrep.dev/r/typescript.react.security.audit.react-missing-noreferrer.react-missing-noreferrer
-https://semgrep.dev/r/html.security.audit.missing-integrity.missing-integrity
-https://semgrep.dev/r/generic.secrets.gitleaks.generic-api-key.generic-api-key
-https://github.com/0xdea/semgrep-rules/blob/main/c/typos.yaml
+https://github.com/0xdea/semgrep-rules/blob/main/c/integer-truncation.yaml
 https://github.com/0xdea/semgrep-rules/blob/main/c/interesting-api-calls.yaml
+https://github.com/0xdea/semgrep-rules/blob/main/c/mismatched-memory-management-cpp.yaml
+https://github.com/0xdea/semgrep-rules/blob/main/c/missing-break-in-switch.yaml
+https://github.com/0xdea/semgrep-rules/blob/main/c/missing-default-in-switch.yaml
 https://github.com/0xdea/semgrep-rules/blob/main/c/signed-unsigned-conversion.yaml
+https://github.com/0xdea/semgrep-rules/blob/main/c/typos.yaml
 https://semgrep.dev/r/generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var
-https://semgrep.dev/r/html.security.audit.missing-integrity.missing-integrity
-https://github.com/0xdea/semgrep-rules/blob/main/c/missing-default-in-switch.yaml
-https://semgrep.dev/r/generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value
+https://semgrep.dev/r/generic.html-templates.security.var-in-href.var-in-href
+https://semgrep.dev/r/generic.html-templates.security.var-in-script-src.var-in-script-src
+https://semgrep.dev/r/generic.html-templates.security.var-in-script-tag.var-in-script-tag
+https://semgrep.dev/r/generic.nginx.security.missing-internal.missing-internal
 https://semgrep.dev/r/generic.secrets.gitleaks.aws-access-token.aws-access-token
-https://github.com/0xdea/semgrep-rules/blob/main/c/missing-break-in-switch.yaml
-https://semgrep.dev/r/terraform.aws.security.aws-elb-access-logs-not-enabled.aws-elb-access-logs-not-enabled
-https://github.com/0xdea/semgrep-rules/blob/main/c/mismatched-memory-management-cpp.yaml
+https://semgrep.dev/r/generic.secrets.gitleaks.generic-api-key.generic-api-key
+https://semgrep.dev/r/generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value
+https://semgrep.dev/r/html.security.audit.missing-integrity.missing-integrity
+https://semgrep.dev/r/html.security.audit.missing-integrity.missing-integrity
+https://semgrep.dev/r/javascript.express.security.audit.xss.mustache.var-in-href.var-in-href
 https://semgrep.dev/r/javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
+https://semgrep.dev/r/python.django.security.audit.xss.template-href-var.template-href-var
+https://semgrep.dev/r/python.django.security.audit.xss.var-in-script-tag.var-in-script-tag
+https://semgrep.dev/r/python.flask.security.xss.audit.template-href-var.template-href-var
+https://semgrep.dev/r/python.flask.security.xss.audit.template-unescaped-with-safe.template-unescaped-with-safe
+https://semgrep.dev/r/terraform.aws.security.aws-elb-access-logs-not-enabled.aws-elb-access-logs-not-enabled
+https://semgrep.dev/r/typescript.react.security.audit.react-missing-noreferrer.react-missing-noreferrer
 https://semgrep.dev/r/yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha.third-party-action-not-pinned-to-commit-sha

assets/semgrep_rules/client/integer-truncation.c

@@ -0,0 +1,51 @@
+// Marco Ivaldi <[email protected]>
+
+#include <stdio.h>
+
+int assign_int(int int_var)
+{
+	// ruleid: integer-truncation
+	char char_var = int_var;
+	short short_var;
+
+	// ruleid: integer-truncation
+	short_var = int_var;
+}
+
+int assign_long(long long_var)
+{
+	short short_var;
+	// ruleid: integer-truncation
+	int int_var = long_var + 1;
+
+	// ruleid: integer-truncation
+	short_var = long_var;
+}
+
+int test_func()
+{
+	int intPrimitive;
+	short shortPrimitive;
+	intPrimitive = (int)(~((int)0) ^ (1 << (sizeof(int)*8-1)));
+	// ruleid: integer-truncation
+	shortPrimitive = intPrimitive;
+	printf("Int MAXINT: %d\nShort MAXINT: %d\n", intPrimitive, shortPrimitive);
+	// ok: integer-truncation
+	char c = 0x0;
+	// ok: integer-truncation
+	char cc = 127;
+	printf("Chars: %c %c\n", c, cc);
+}
+
+// ruleid: integer-truncation
+char func(void)
+{
+	int a = 42;
+	return a; 
+}
+
+int main() 
+{
+	printf("Hello, World!");
+	return 0;
+}

assets/semgrep_rules/client/integer-truncation.yaml

@@ -0,0 +1,100 @@
+rules:
+- id: integer-truncation
+  metadata:
+    author: Marco Ivaldi <[email protected]>
+    references:
+    - https://cwe.mitre.org/data/definitions/197
+    - https://cwe.mitre.org/data/definitions/681
+    - https://g.co/kgs/PCHQjJ
+    - https://github.com/struct/mms
+    - https://github.com/0xdea/semgrep-rules/blob/main/c/integer-truncation.yaml
+    confidence: MEDIUM
+    license: MIT
+    category: security
+    subcategory:
+    - audit
+    source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/client/integer-truncation.yaml
+  message: Truncation errors occur when a primitive is cast to a primitive of a  smaller
+    size and data is lost in the conversion. The value cannot be  trusted and the
+    application will be in an undefined state.
+  severity: WARNING
+  languages:
+  - c
+  - cpp
+  patterns:
+    - pattern-either:
+      - pattern: (char $NARROW) = <... (short $LARGE) ...>
+      - pattern: (char $NARROW) = <... (short int $LARGE) ...>
+      - pattern: (char $NARROW) = <... (unsigned short $LARGE) ...>
+      - pattern: (char $NARROW) = <... (unsigned short int $LARGE) ...>
+      - pattern: (char $NARROW) = <... (int $LARGE) ...>
+      - pattern: (char $NARROW) = <... (unsigned $LARGE) ...>
+      - pattern: (char $NARROW) = <... (unsigned int $LARGE) ...>
+      - pattern: (char $NARROW) = <... (long $LARGE) ...>
+      - pattern: (char $NARROW) = <... (long int $LARGE) ...>
+      - pattern: (char $NARROW) = <... (unsigned long $LARGE) ...>
+      - pattern: (char $NARROW) = <... (unsigned long int $LARGE) ...>
+      - pattern: |
+          char $FUN(...)
+          {
+          ...
+          return (short $LARGE);
+          }
+      - pattern: |
+          char $FUN(...)
+          {
+          ...
+          return (int $LARGE);
+          }
+      - pattern: |
+          char $FUN(...)
+          {
+          ...
+          return (long $LARGE);
+          }
+      - pattern: (short $NARROW) = <... (unsigned short $LARGE) ...>
+      - pattern: (short int $NARROW) = <... (unsigned short int $LARGE) ...>
+      - pattern: (short $NARROW) = <... (int $LARGE) ...>
+      - pattern: (short $NARROW) = <... (unsigned $LARGE) ...>
+      - pattern: (short int $NARROW) = <... (unsigned int $LARGE) ...>
+      - pattern: (short $NARROW) = <... (long $LARGE) ...>
+      - pattern: (short int $NARROW) = <... (long int $LARGE) ...>
+      - pattern: (short $NARROW) = <... (unsigned long $LARGE) ...>
+      - pattern: (short int $NARROW) = <... (unsigned long int $LARGE) ...>
+      - pattern: (unsigned short $NARROW) = <... (int $LARGE) ...>
+      - pattern: (unsigned short $NARROW) = <... (unsigned $LARGE) ...>
+      - pattern: (unsigned short int $NARROW) = <... (unsigned int $LARGE) ...>
+      - pattern: (unsigned short $NARROW) = <... (long $LARGE) ...>
+      - pattern: (unsigned short int $NARROW) = <... (long int $LARGE) ...>
+      - pattern: (unsigned short $NARROW) = <... (unsigned long $LARGE) ...>
+      - pattern: (unsigned short int $NARROW) = <... (unsigned long int $LARGE) ...>
+      - pattern: |
+          short $FUN(...)
+          {
+          ...
+          return (int $LARGE);
+          }
+      - pattern: |
+          short $FUN(...)
+          {
+          ...
+          return (long $LARGE);
+          }
+      - pattern: (int $NARROW) = <... (unsigned $LARGE) ...>
+      - pattern: (int $NARROW) = <... (unsigned int $LARGE) ...>
+      - pattern: (int $NARROW) = <... (long $LARGE) ...>
+      - pattern: (int $NARROW) = <... (long int $LARGE) ...>
+      - pattern: (int $NARROW) = <... (unsigned long $LARGE) ...>
+      - pattern: (int $NARROW) = <... (unsigned long int $LARGE) ...>
+      - pattern: |
+          int $FUN(...)
+          {
+          ...
+          return (long $LARGE);
+          }
+      - pattern: (long $NARROW) = <... (unsigned long $LARGE) ...>
+      - pattern: (long int $NARROW) = <... (unsigned long int $LARGE) ...>
+    # (Ben Caller) Prevent false positive with `char x = 0;` by using regex:
+    - metavariable-regex:
+        metavariable: $LARGE
+        regex: '\A[^0-9]'