CPP: Add query for CWE-377 Insecure Temporary File #6947

Merged (11 commits), Nov 11, 2021

Conversation

ihsinme
Contributor

@ihsinme ihsinme commented Oct 25, 2021

Our query looks for situations of unsafe work with files. First, the use of validation functions without guaranteeing that the file will not be created later. Second, it looks for places that work with a file whose name is predictable and where there are no restrictions on access rights.

CVE-2012-0786
CVE-2018-6198
CVE-2007-5936

Links to real results I will add later. I am currently working on them with developers.
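The two shapes the description above targets, as an added C example that is not part of this PR or the CodeQL repository: a check-then-create gap and a predictable name with loose permissions, beside a hardened mkstemp() version. Function names and the /tmp paths are assumptions, and the code assumes a POSIX system.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Shape 1 (insecure): validate first, create later. Between access() and
 * fopen() someone else can create the path; fopen() also inherits umask. */
FILE *temp_open_check_then_create(const char *path) {
    if (access(path, F_OK) == 0)
        return NULL;            /* check passes... */
    return fopen(path, "w");    /* ...but creation is a separate step */
}

/* Shape 2 (insecure): name predictable from the pid, no O_EXCL, mode 0666.
 * The path is a constructed example. */
int temp_open_predictable(char *buf, size_t len) {
    snprintf(buf, len, "/tmp/app.%ld", (long)getpid());
    return open(buf, O_WRONLY | O_CREAT, 0666);
}

/* Hardened: mkstemp() picks an unpredictable suffix and creates the file with
 * O_CREAT|O_EXCL atomically; fchmod() pins 0600 regardless of umask. */
int temp_open_secure(char *tmpl) {
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    return fd;
}

/* Creates a hardened temp file, returns its permission bits (expected
 * 0600) and removes it again; -1 on failure. */
int secure_tempfile_mode(void) {
    char tmpl[] = "/tmp/cwe377-exampleXXXXXX";
    struct stat st;
    int fd = temp_open_secure(tmpl);
    if (fd < 0 || fstat(fd, &st) != 0) {
        if (fd >= 0) { close(fd); unlink(tmpl); }
        return -1;
    }
    close(fd);
    unlink(tmpl);
    return (int)(st.st_mode & 0777);
}
```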

@ihsinme ihsinme requested a review from a team as a code owner October 25, 2021 11:30
@MathiasVP MathiasVP self-assigned this Oct 25, 2021
Contributor

@MathiasVP MathiasVP left a comment

Thanks for another contribution, @ihsinme. Here is my first round of comments.

@MathiasVP
Contributor

MathiasVP commented Oct 26, 2021

It looks like our CI is failing with a couple of errors:

  • First:
File "ql/cpp/ql/src/experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql" contains a non-ASCII character at the location marked with `|` in:
2021-10-26T10:38:41.8453269Z ```
2021-10-26T10:38:41.8454787Z etTarget().hasGlobalOrStdName("chmod")
2021-10-26T10:38:41.8455619Z   ) and
2021-10-26T10:38:41.8456395Z   msg =
2021-10-26T10:38:41.8456832Z     "|
2021-10-26T10:38:41.8457197Z ```

Sounds like there's a hidden non-ASCII character around line 94.

  • Second:
ql/cpp/ql/src/experimental/Security/CWE/CWE-377/InsecureTemporaryFile.qhelp:8:3: The element type "overview" must be terminated by the matching end-tag "</overview>".

@ihsinme
Contributor Author

ihsinme commented Oct 27, 2021

Good afternoon.
Thanks for your comments.
I apologize for the delay in my response.
I will try to answer in the coming days.

@ihsinme
Contributor Author

ihsinme commented Nov 4, 2021

Good afternoon @MathiasVP.

Please tell me what the error is during the assembly. (I fixed the previous error)

@MathiasVP
Contributor

It's still complaining about a non-ASCII character:

File "ql/cpp/ql/src/experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql" contains a non-ASCII character at the location marked with `|` in:
2021-11-04T21:45:50.6626257Z ```
2021-11-04T21:45:50.6626999Z etTarget().hasGlobalOrStdName("chmod")
2021-11-04T21:45:50.6627647Z   ) and
2021-11-04T21:45:50.6628063Z   msg =
2021-11-04T21:45:50.6628482Z     "|
2021-11-04T21:45:50.6628881Z ```

@ihsinme
Contributor Author

ihsinme commented Nov 5, 2021

It's still complaining about a non-ASCII character:

File "ql/cpp/ql/src/experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql" contains a non-ASCII character at the location marked with `|` in:
2021-11-04T21:45:50.6626257Z ```
2021-11-04T21:45:50.6626999Z etTarget().hasGlobalOrStdName("chmod")
2021-11-04T21:45:50.6627647Z   ) and
2021-11-04T21:45:50.6628063Z   msg =
2021-11-04T21:45:50.6628482Z     "|
2021-11-04T21:45:50.6628881Z ```

Please run the checks again.

Contributor

@MathiasVP MathiasVP left a comment

LGTM!

@MathiasVP MathiasVP merged commit bf9b8cf into github:main Nov 11, 2021