
Commit 1cb4625

More Rules
1 parent 5c87db3 commit 1cb4625


92 files changed

+3637
-81
lines changed


rules/c/security/small-key-size-c.yml

Lines changed: 56 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,56 @@
1+
id: small-key-size-c
2+
language: c
3+
severity: warning
4+
message: >-
5+
$KEY_FUNCTION` is using a key size of only $KEY_BITS bits. This is
6+
less than the recommended key size of 2048 bits.
7+
note: >-
8+
[CWE-326]: Inadequate Encryption Strength
9+
[OWASP A02:2021]: Cryptographic Failures
10+
[OWASP A03:2017]: Sensitive Data Exposure
11+
[REFERENCES]
12+
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
13+
https://owasp.org/Top10/A02_2021-Cryptographic_Failures
14+
utils:
15+
Match_pattern_with_prefix_statement:
16+
kind: expression_statement
17+
all:
18+
- has:
19+
stopBy: end
20+
kind: call_expression
21+
all:
22+
- has:
23+
stopBy: end
24+
kind: identifier
25+
pattern: $AST
26+
- has:
27+
stopBy: end
28+
kind: argument_list
29+
has:
30+
stopby: end
31+
kind: identifier
32+
pattern: $Q
33+
- follows:
34+
stopBy: end
35+
kind: declaration
36+
has:
37+
stopBy: end
38+
kind: init_declarator
39+
all:
40+
- has:
41+
stopBy: end
42+
kind: identifier
43+
pattern: $Q
44+
- has:
45+
stopBy: end
46+
kind: number_literal
47+
pattern: $AASS
48+
49+
rule:
50+
kind: expression_statement
51+
matches: Match_pattern_with_prefix_statement
52+
constraints:
53+
AST:
54+
regex: (DH_generate_parameters_ex|DSA_generate_parameters_ex|EVP_PKEY_CTX_set_dh_paramgen_prime_len|EVP_PKEY_CTX_set_dsa_paramgen_bits|EVP_PKEY_CTX_set_rsa_keygen_bits|RSA_generate_key_ex|RSA_generate_key_fips)
55+
AASS:
56+
regex: '^(-?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|0|-[1-9][0-9]*|-[1-9][0-9]{2,}|-1[0-9]{3}|-20[0-3][0-9]|-204[0-7])$'
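Review bot: the `message` block interpolates `$KEY_FUNCTION` and `$KEY_BITS`, but the rule only binds `$AST`, `$Q` and `$AASS`, so findings will print the placeholders verbatim; either rename the metavariables or reference `$AST` and `$AASS` in the message (the opening backtick before `$KEY_FUNCTION` is also missing). Under `argument_list`, `stopby: end` is miscased; the key is `stopBy`, as used everywhere else in this file, so that descent into the argument list will not behave as intended. Two coverage caveats are worth stating in the `note`: the argument `has` clause accepts any identifier in the call rather than the key-size position, so `DH_generate_parameters_ex(dh, prime_len, generator, NULL)` preceded by `int generator = 2;` is flagged on the generator, not the prime length; and a size passed as a direct literal, such as `RSA_generate_key_ex(rsa, 1024, e, NULL)`, is not matched at all, because the argument must be an identifier whose declaration carries a `number_literal` initialiser.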
Lines changed: 109 additions & 0 deletions
@@ -0,0 +1,109 @@
1+
id: std-return-data-c
2+
language: c
3+
severity: warning
4+
message: >-
5+
$FUNC` returns a pointer to the memory owned by `$VAR`. This pointer
6+
is invalid after `$VAR` goes out of scope, which can trigger a use after
7+
free.
8+
note: >-
9+
[CWE-416: Use After Free.
10+
[REFERENCES]
11+
- https://wiki.sei.cmu.edu/confluence/display/c/DCL30-C.+Declare+objects+with+appropriate+storage+durations
12+
utils:
13+
MATCH_RETURN_STATEMENT_WITH_STD:
14+
kind: return_statement
15+
all:
16+
- has:
17+
stopBy: end
18+
kind: call_expression
19+
has:
20+
stopBy: end
21+
kind: field_expression
22+
has:
23+
stopBy: end
24+
kind: identifier
25+
pattern: $R
26+
- follows:
27+
stopBy: end
28+
kind: labeled_statement
29+
all:
30+
- has:
31+
stopBy: end
32+
kind: statement_identifier
33+
regex: ^std
34+
- has:
35+
stopBy: end
36+
kind: expression_statement
37+
has:
38+
stopBy: end
39+
kind: binary_expression
40+
all:
41+
- has:
42+
stopBy: end
43+
kind: binary_expression
44+
all:
45+
- has:
46+
stopBy: end
47+
kind: identifier
48+
regex: (vector|array|deque|forward_list|list|map|multimap|multiset|set|unordered_map|unordered_multimap|unordered_multiset|unordered_set)
49+
- has:
50+
stopBy: end
51+
kind: identifier
52+
- has:
53+
stopBy: end
54+
kind: identifier
55+
pattern: $R
56+
inside:
57+
stopBy: end
58+
kind: function_definition
59+
has:
60+
stopBy: end
61+
kind: primitive_type
62+
63+
MATCH_RETURN_STATEMENT_WITHOUT_STD:
64+
kind: return_statement
65+
all:
66+
- has:
67+
stopBy: end
68+
kind: call_expression
69+
has:
70+
stopBy: end
71+
kind: field_expression
72+
has:
73+
stopBy: end
74+
kind: identifier
75+
pattern: $R
76+
- follows:
77+
stopBy: end
78+
kind: expression_statement
79+
has:
80+
stopBy: end
81+
kind: binary_expression
82+
all:
83+
- has:
84+
stopBy: end
85+
kind: binary_expression
86+
all:
87+
- has:
88+
stopBy: end
89+
kind: identifier
90+
regex: (vector|array|deque|forward_list|list|map|multimap|multiset|set|unordered_map|unordered_multimap|unordered_multiset|unordered_set)
91+
- has:
92+
stopBy: end
93+
kind: identifier
94+
- has:
95+
stopBy: end
96+
kind: identifier
97+
pattern: $R
98+
inside:
99+
stopBy: end
100+
kind: function_definition
101+
has:
102+
stopBy: end
103+
kind: primitive_type
104+
105+
rule:
106+
kind: return_statement
107+
any:
108+
- matches: MATCH_RETURN_STATEMENT_WITH_STD
109+
- matches: MATCH_RETURN_STATEMENT_WITHOUT_STD
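Review bot: `$FUNC` and `$VAR` in the `message` are never bound (the rule only binds `$R`), so the reported text will contain raw placeholders; use `$R` for the variable and drop or bind `$FUNC`. In the `note`, `[CWE-416: Use After Free.` is missing its closing bracket; the other rules in this commit write `[CWE-416] Use After Free`. More substantively, the rule is declared `language: c` but its matchers look for `vector`, `map` and the other C++ containers by expecting a `labeled_statement` labelled `std` followed by a `binary_expression`, which is the shape tree-sitter-c produces only when it error-recovers C++ syntax such as `std::vector<int> v`; if the intent is to scan C++ sources this belongs in a `cpp` rule, where that line parses as a proper `declaration`, and if it is meant for C the container names never appear in valid input. The trailing `inside: function_definition` with `has: primitive_type` also restricts matches to functions whose signature contains a primitive type, so a function returning a pointer to a `typedef`'d type is skipped; a comment explaining the intended scope would help.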
Lines changed: 109 additions & 0 deletions
@@ -0,0 +1,109 @@
1+
id: return-c-str-cpp
2+
language: cpp
3+
severity: warning
4+
message: >-
5+
"`$FUNC` returns a pointer to the memory owned by `$STR`. This pointer
6+
is invalid after `$STR` goes out of scope, which can trigger a use after
7+
free."
8+
note: >-
9+
[CWE-416] Use After Free
10+
[REFERENCES]
11+
- https://wiki.sei.cmu.edu/confluence/display/c/DCL30-C.+Declare+objects+with+appropriate+storage+durations
12+
- https://wiki.sei.cmu.edu/confluence/display/cplusplus/EXP54-CPP.+Do+not+access+an+object+outside+of+its+lifetime
13+
14+
utils:
15+
util_for_declaration_inside_function:
16+
kind: return_statement
17+
pattern: return $STR.$METHOD();
18+
follows:
19+
kind: declaration
20+
stopBy: end
21+
any:
22+
- pattern: string $STR;
23+
- pattern: wstring $STR;
24+
- pattern: basic_string $STR;
25+
- pattern: std::string $STR;
26+
- pattern: std::wstring $STR;
27+
- pattern: std::basic_string<$TYPE> $STR;
28+
29+
util_for_assignment_inside_function:
30+
kind: return_statement
31+
pattern: return $STR.$METHOD();
32+
follows:
33+
kind: declaration
34+
stopBy: end
35+
any:
36+
- pattern: string $STR = string($STRING);
37+
- pattern: wstring $STR = wstring($STRING);
38+
- pattern: basic_string<$TYPE> $STR = basic_string<$TYPE>($STRING);
39+
- pattern: std::string $STR = std::string($STRING);
40+
- pattern: std::wstring $STR = std::wstring($STRING);
41+
- pattern: std::basic_string<$TYPE> $STR = std::basic_string<$TYPE>($STRING);
42+
43+
util_for_func_params:
44+
kind: return_statement
45+
pattern: return $STR.$METHOD();
46+
inside:
47+
stopBy: end
48+
kind: function_definition
49+
has:
50+
stopBy: end
51+
kind: parameter_list
52+
has:
53+
stopBy: end
54+
kind: parameter_declaration
55+
has:
56+
stopBy: end
57+
kind: identifier
58+
field: declarator
59+
pattern: $STR
60+
any:
61+
- has:
62+
any:
63+
- kind: type_identifier
64+
pattern: $IDENTIFIFER
65+
- kind: qualified_identifier
66+
any:
67+
- all:
68+
- has:
69+
kind: namespace_identifier
70+
pattern: $NAMESPACE_IDEN
71+
- has:
72+
kind: template_type
73+
all:
74+
- has:
75+
kind: type_identifier
76+
field: name
77+
pattern: $BASIC_STR
78+
precedes:
79+
kind: template_argument_list
80+
- pattern: $IDENTIFIFER
81+
- kind: template_type
82+
has:
83+
kind: type_identifier
84+
field: name
85+
pattern: $BASIC_STR
86+
precedes:
87+
kind: template_argument_list
88+
89+
rule:
90+
any:
91+
- matches: util_for_declaration_inside_function
92+
- matches: util_for_assignment_inside_function
93+
- matches: util_for_func_params
94+
- pattern: return basic_string<$TYPE>($$$).$METHOD();
95+
- pattern: return std::basic_string<$TYPE>($$$).$METHOD();
96+
- pattern: return string($$$).$METHOD();
97+
- pattern: return std::string($$$).$METHOD();
98+
- pattern: return wstring($$$).$METHOD();
99+
- pattern: return std::wstring($$$).$METHOD();
100+
101+
constraints:
102+
METHOD:
103+
regex: ^(c_str|data)$
104+
IDENTIFIFER:
105+
regex: ^(string|wstring|std::string|std::wstring)$
106+
BASIC_STR:
107+
regex: ^(basic_string)$
108+
NAMESPACE_IDEN:
109+
regex: ^(std)$
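Review bot: the `message` is a `>-` folded scalar, so the leading and trailing double quotes become literal characters in the reported message; drop them, and replace `$FUNC`, which the rule never binds (only `$STR` and `$METHOD` are), with wording built around `$STR`. `$IDENTIFIFER` is misspelled; it works because the typo is consistent between the util and the `constraints` entry, but `$IDENTIFIER` is easier to maintain. The `follows` relations in `util_for_declaration_inside_function` and `util_for_assignment_inside_function` only see a `return` that is a later sibling of the declaration at the same block level, so `return s.c_str();` inside an `if` or loop body after `std::string s;` is not reported; either document that limitation in the `note` or add a variant that uses `inside` to reach the enclosing `function_definition` and `has` to find the declaration. The six direct-temporary patterns at the end (`return std::string($$$).$METHOD();` and friends) are the clearest dangling-pointer case and have no `$STR` to name, so they would read better with their own shorter message.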
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
id: sizeof-this-cpp
2+
language: cpp
3+
severity: warning
4+
message: >-
5+
Do not use `sizeof(this)` to get the number of bytes of the object in
6+
memory. It returns the size of the pointer, not the size of the object.
7+
note: >-
8+
[CWE-467]: Use of sizeof() on a Pointer Type
9+
[REFERENCES]
10+
- https://wiki.sei.cmu.edu/confluence/display/c/ARR01-C.+Do+not+apply+the+sizeof+operator+to+a+pointer+when+taking+the+size+of+an+array
11+
rule:
12+
any:
13+
- pattern: "sizeof(this)"
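Review bot: the `message` explains what `sizeof(this)` returns but not what to write instead; add that `sizeof(*this)` gives the size of the object. The `rule: any:` wrapper around a single entry is redundant and the quotes around `sizeof(this)` are unnecessary in YAML, so `rule: pattern: sizeof(this)` is the conventional form. The CWE-467 entry fits; the ARR01-C link is about applying `sizeof` to a pointer when sizing an array, so a one-line remark in the `note` that the same pointer-versus-object pitfall applies to `this` would make the reference easier to follow.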
Lines changed: 56 additions & 0 deletions
@@ -0,0 +1,56 @@
1+
id: small-key-size-cpp
2+
language: cpp
3+
severity: warning
4+
message: >-
5+
$KEY_FUNCTION` is using a key size of only $KEY_BITS bits. This is
6+
less than the recommended key size of 2048 bits.
7+
note: >-
8+
[CWE-326]: Inadequate Encryption Strength
9+
[OWASP A02:2021]: Cryptographic Failures
10+
[OWASP A03:2017]: Sensitive Data Exposure
11+
[REFERENCES]
12+
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
13+
https://owasp.org/Top10/A02_2021-Cryptographic_Failures
14+
utils:
15+
Match_pattern_with_prefix_statement:
16+
kind: expression_statement
17+
all:
18+
- has:
19+
stopBy: end
20+
kind: call_expression
21+
all:
22+
- has:
23+
stopBy: end
24+
kind: identifier
25+
pattern: $AST
26+
- has:
27+
stopBy: end
28+
kind: argument_list
29+
has:
30+
stopby: end
31+
kind: identifier
32+
pattern: $Q
33+
- follows:
34+
stopBy: end
35+
kind: declaration
36+
has:
37+
stopBy: end
38+
kind: init_declarator
39+
all:
40+
- has:
41+
stopBy: end
42+
kind: identifier
43+
pattern: $Q
44+
- has:
45+
stopBy: end
46+
kind: number_literal
47+
pattern: $AASS
48+
49+
rule:
50+
kind: expression_statement
51+
matches: Match_pattern_with_prefix_statement
52+
constraints:
53+
AST:
54+
regex: (DH_generate_parameters_ex|DSA_generate_parameters_ex|EVP_PKEY_CTX_set_dh_paramgen_prime_len|EVP_PKEY_CTX_set_dsa_paramgen_bits|EVP_PKEY_CTX_set_rsa_keygen_bits|RSA_generate_key_ex|RSA_generate_key_fips)
55+
AASS:
56+
regex: '^(-?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|0|-[1-9][0-9]*|-[1-9][0-9]{2,}|-1[0-9]{3}|-20[0-3][0-9]|-204[0-7])$'
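Review bot: this is a line-for-line copy of `small-key-size-c` and inherits its defects: the `message` interpolates `$KEY_FUNCTION` and `$KEY_BITS`, which the rule never binds (it binds `$AST`, `$Q` and `$AASS`), the opening backtick before `$KEY_FUNCTION` is missing, and `stopby: end` under `argument_list` is miscased (`stopBy`). Fix both files together, or keep a single copy of the util and vary only `language`. The same coverage caveats apply here: a key size passed as a direct literal is not matched, only one threaded through an identifier initialised with a `number_literal`, and the argument position is not pinned, so any other literal-initialised integer argument (for example the DH generator) can trigger the warning.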
