Skip to content

CPP: Add query for CWE-552 Files Accessible to External Parties when using rename #9090

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 18 commits into from
Closed

CPP: Add query for CWE-552 Files Accessible to External Parties when using rename #9090

wants to merge 18 commits into from

Conversation

ihsinme
Copy link
Contributor

@ihsinme ihsinme commented May 9, 2022
edited
Loading

this query is looking for a mishandling situation rename. when a file is torn off from the program name and overwritten, this situation can lead to various actions, such as using links.

CVE-2012-0787

@ihsinme ihsinme requested a review from a team as a code owner May 9, 2022 13:22
@jketema jketema self-assigned this May 11, 2022
jketema
jketema reviewed May 11, 2022
View reviewed changes
Copy link
Contributor

@jketema jketema left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @ihsinme,

Thanks for your contribution. A first few questions from my side.

jketema
jketema reviewed May 17, 2022
View reviewed changes
jketema
jketema reviewed May 23, 2022
View reviewed changes
jketema
jketema reviewed May 23, 2022
View reviewed changes
jketema
jketema reviewed May 23, 2022
View reviewed changes
jketema
jketema reviewed May 25, 2022
View reviewed changes
cpp/ql/src/experimental/Security/CWE/CWE-552/DangerousUseRename.ql
Comment on lines +42 to +45
ec.getValue() = "0" and
ecd.(EQExpr).hasOperands(_, ec) and
forall(Expr st | st = ifst.getThen().getASuccessor*() | st != readCall) and
forall(Expr st | st = ifst.getThen().getASuccessor*() | st != writeCall)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Which of your test cases covers this?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

test5 test6 test7 test8

Copy link
Contributor

@jketema jketema May 30, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see this. If we look at test5 for example:

  if (rename(from,to)==0) // BAD
    return;
  f1 = fopen(from, "r");
  count = fread(data, 1, 1000, f1);
  fclose(f1);
  remove(to);
  f2 = fopen(to, "w");
  fwrite(data, count, 1, f2);
  fclose(f2);

Then, ifst.getThen().getASuccessor*() gives you all the statements and expressions textually below if (rename(from,to)==0), including fopen(from, "r") and fopen(to, "w"), so the forall does not hold.

@jketema
Copy link
Contributor

jketema commented May 25, 2022
edited
Loading

Two general comments, which also apply to most of your other queries:

  • I would help reviewers if you pick informative names for variables. For example, looking at this PR, from a reviewer's perspective it's hard to understand what variables like ec, ecd and ecv are supposed to represent. I'm not even sure if this is totally consistent throughout the query, we leads me to my other point.
  • I would help if things that logically belong together in your queries occur textually close and to separate them from cases that are actually different. For example, in your current query, when I read this first part, I expect this following part to apply to both cases described in that first part. However, that is clearly not the case, as this rules out that ecd is a ComparisonOperator, while that is actually needed here.

@jketema
Copy link
Contributor

jketema commented May 25, 2022

To add to the above: this would allow us to give faster and better feedback, which is important, especially when there's a large number of PRs open.

@ihsinme
Copy link
Contributor Author

ihsinme commented May 29, 2022

You are absolutely right, I will try to follow the rules in the future.
Thanks.

@jketema
Copy link
Contributor

jketema commented May 30, 2022

Note by the way that cpp/world-writable-file-creation exists. Which should capture most, if not all cases here. That query just checks whether a file is created (using fopen, e.g.) using very lax permissions.

@ihsinme
Copy link
Contributor Author

ihsinme commented Jun 2, 2022

I apologize for the wasted time.

I am very serious about de-duplicates in my PRs, but in this case my review system failed and I didn't notice this request.

Sorry again, I'll try to be more careful in the future.

@ihsinme ihsinme closed this Jun 2, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jketema jketema jketema left review comments

Assignees

@jketema jketema

Labels
C++ documentation
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ihsinme @jketema