New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CPP: Add query for CWE-377 Insecure Temporary File #6947
base: main
Are you sure you want to change the base?
Conversation
| where | ||
| ( | ||
| fc.getTarget().hasGlobalOrStdName("tmpnam") or | ||
| fc.getTarget().hasGlobalOrStdName("tmpnam_s") or | ||
| fc.getTarget().hasGlobalOrStdName("tmpnam_r") | ||
| ) and | ||
| not exists(FunctionCall fctmp | | ||
| fctmp.getTarget().hasGlobalOrStdName("mktemp") or | ||
| fctmp.getTarget().hasGlobalOrStdName("mkstemp") or | ||
| fctmp.getTarget().hasGlobalOrStdName("mkstemps") or | ||
| fctmp.getTarget().hasGlobalOrStdName("mkdtemp") | ||
| ) and | ||
| msg = | ||
| "Finding the name of a file that does not exist does not mean that it will not be exist at the next operation." |
Having a single call to mktemp (or any of the other related functions) anywhere in the codebase will mean that none of the calls to tmpnam (or any of the other related functions) will raise an alert. Is that really what you want?
You're right.
but I always try to reduce the number of false positives.
if there are no calls at all, this is definitely an error.
but if you think otherwise, I'll add broader rules
Reducing the number of false positives is a great goal! See my comment here regarding this. You don't have to fix it, but I think it might be valuable to revisit this condition and make it more precise (if you feel like it).
| not exists(FunctionCall fctmp | | ||
| fctmp.getTarget().hasGlobalOrStdName("umask") or | ||
| fctmp.getTarget().hasGlobalOrStdName("fchmod") or | ||
| fctmp.getTarget().hasGlobalOrStdName("chmod") | ||
| ) and |
Like above: Any call to umask (or the other related functions) anywhere in the codebase means that this query won't raise an alert. Is that the intention?
You're right.
but I always try to reduce the number of false positives.
if there are no calls at all, this is definitely an error.
but if you think otherwise, I'll add broader rules
Reducing the number of false positives is good. This code could lead to missing a lot of genuine results, though. It could also potentially lead to a false sense of security. Let's say I had a bunch of genuine security issues found by this query. Suddenly, I add a call to umask that is totally unrelated to the security issues (for instance, I started to use umask in some unit test). Now all the genuine security vulnerabilities won't be flagged anymore.
One simple fix is to require that the call to umask (or the related functions) is in the same function as the call to open (or the related functions). Although you may also be able to connect the two calls better by using local dataflow.
this is a very difficult question for me.
your example of a sense of false security.
firstly, if the developer is using the wrong mask, we will also inform him that everything is fine. (especially if the mask will not be calculated trivially)
Secondly, if he uses a permission call far enough from the investigated place, we also cannot understand whether he wanted to extend these permissions to all calls or only to one distant one.
this is a very difficult question for me.
in my first requests to you, I believed that an experimental request should draw the attention of developers to possible problems, even having false positives (after all, if the developer decided to use experimental ones, he wants to see his code wider). but I realized that it is better to show a narrower problem, more precisely than a broader one with false positives (here I am operating on your assessment rules).
cpp/ql/src/experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql
Outdated
Show resolved
Hide resolved
| @@ -0,0 +1,98 @@ | |||
| /** | |||
| * @name Find insecure work with the file name. | |||
| * @description The file can be used to influence the correct operation of the program. | |||
I'm not sure I understand what this description is saying. Can you rewrite it to better explain:
- What this query is looking for
- Why the results are problematic
I'm looking for situations where a file can be replaced (including using a temporary link) and influence third-party files on behalf of the program, as well as situations where it is possible to access (including the ability to change data) to files.
what do you think about
Finding for predictable, spoofed filenames before you start working on the file.
Why is a spoofed filename problematic? I was thinking about something along the lines of:
Using a predictable filename when creating a temporary file can lead to an attacker-controlled input.
Does something like that capture the spirit of your query?
Yes, you are right.
but the predictable filename is vulnerable for several reasons.
1.if you create a file with a symbolic link to another file you can cause it to be deleted or corrupted (accessibility)
2. If rights are broad, information can be accessed (confidentiality)
3.If it is possible to write, change the content (integrity)
all this is achievable and important. but in my opinion the most common use of attackers is 1. so I wanted to focus on it.
but your suggestion is absolutely correct, and if you think it fits better, I will insert it.
Thanks.
cpp/ql/src/experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql
Outdated
Show resolved
Hide resolved
|
It looks like our CI is failing with a couple of errors:
Sounds like there's a hidden non-ASCII character around line 94.
|
|
Good afternoon. |
Co-authored-by: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Our request is looking for situations of unsafe work with files. use validation functions in the first place without guaranteeing that the file will not be created later. in the second case, he looks for places to work with the file, when his name is predictable and there are no restrictions on access rights.
CVE-2012-0786
CVE-2018-6198
CVE-2007-5936
links to real work results, I will add later. I am currently working on them with developers.
The text was updated successfully, but these errors were encountered: