Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CPP: Add query for CWE-377 Insecure Temporary File #6947

Open
wants to merge 6 commits into
base: main
Choose a base branch
from

Conversation

Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

2 participants
@ihsinme
Copy link
Contributor

@ihsinme ihsinme commented Oct 25, 2021

Our request is looking for situations of unsafe work with files. use validation functions in the first place without guaranteeing that the file will not be created later. in the second case, he looks for places to work with the file, when his name is predictable and there are no restrictions on access rights.

CVE-2012-0786
CVE-2018-6198
CVE-2007-5936

links to real work results, I will add later. I am currently working on them with developers.

@ihsinme ihsinme requested a review from as a code owner Oct 25, 2021
@MathiasVP MathiasVP self-assigned this Oct 25, 2021
Copy link
Contributor

@MathiasVP MathiasVP left a comment

Thanks for another contribution, @ihsinme. Here is my first round of comments.

where
(
fc.getTarget().hasGlobalOrStdName("tmpnam") or
fc.getTarget().hasGlobalOrStdName("tmpnam_s") or
fc.getTarget().hasGlobalOrStdName("tmpnam_r")
) and
not exists(FunctionCall fctmp |
fctmp.getTarget().hasGlobalOrStdName("mktemp") or
fctmp.getTarget().hasGlobalOrStdName("mkstemp") or
fctmp.getTarget().hasGlobalOrStdName("mkstemps") or
fctmp.getTarget().hasGlobalOrStdName("mkdtemp")
) and
msg =
"Finding the name of a file that does not exist does not mean that it will not be exist at the next operation."
Copy link
Contributor

@MathiasVP MathiasVP Oct 26, 2021

Having a single call to mktemp (or any of the other related functions) anywhere in the codebase will mean that none of the calls to tmpnam (or any of the other related functions) will raise an alert. Is that really what you want?

Copy link
Contributor Author

@ihsinme ihsinme Oct 28, 2021

You're right.
but I always try to reduce the number of false positives.
if there are no calls at all, this is definitely an error.

but if you think otherwise, I'll add broader rules

Copy link
Contributor

@MathiasVP MathiasVP Oct 28, 2021

Reducing the number of false positives is a great goal! See my comment here regarding this. You don't have to fix it, but I think it might be valuable to revisit this condition and make it more precise (if you feel like it).

not exists(FunctionCall fctmp |
fctmp.getTarget().hasGlobalOrStdName("umask") or
fctmp.getTarget().hasGlobalOrStdName("fchmod") or
fctmp.getTarget().hasGlobalOrStdName("chmod")
) and
Copy link
Contributor

@MathiasVP MathiasVP Oct 26, 2021

Like above: Any call to umask (or the other related functions) anywhere in the codebase means that this query won't raise an alert. Is that the intention?

Copy link
Contributor Author

@ihsinme ihsinme Oct 28, 2021

You're right.
but I always try to reduce the number of false positives.
if there are no calls at all, this is definitely an error.

but if you think otherwise, I'll add broader rules

Copy link
Contributor

@MathiasVP MathiasVP Oct 28, 2021

Reducing the number of false positives is good. This code could lead to missing a lot of genuine results, though. It could also potentially lead to a false sense of security. Let's say I had a bunch of genuine security issues found by this query. Suddenly, I add a call to umask that is totally unrelated to the security issues (for instance, I started to use umask in some unit test). Now all the genuine security vulnerabilities won't be flagged anymore.

One simple fix is to require that the call to umask (or the related functions) is in the same function as the call to open (or the related functions). Although you may also be able to connect the two calls better by using local dataflow.

Copy link
Contributor Author

@ihsinme ihsinme Oct 29, 2021

this is a very difficult question for me.

your example of a sense of false security.
firstly, if the developer is using the wrong mask, we will also inform him that everything is fine. (especially if the mask will not be calculated trivially)
Secondly, if he uses a permission call far enough from the investigated place, we also cannot understand whether he wanted to extend these permissions to all calls or only to one distant one.

this is a very difficult question for me.

in my first requests to you, I believed that an experimental request should draw the attention of developers to possible problems, even having false positives (after all, if the developer decided to use experimental ones, he wants to see his code wider). but I realized that it is better to show a narrower problem, more precisely than a broader one with false positives (here I am operating on your assessment rules).

@@ -0,0 +1,98 @@
/**
* @name Find insecure work with the file name.
* @description The file can be used to influence the correct operation of the program.
Copy link
Contributor

@MathiasVP MathiasVP Oct 26, 2021

I'm not sure I understand what this description is saying. Can you rewrite it to better explain:

  1. What this query is looking for
  2. Why the results are problematic

Copy link
Contributor Author

@ihsinme ihsinme Oct 28, 2021

I'm looking for situations where a file can be replaced (including using a temporary link) and influence third-party files on behalf of the program, as well as situations where it is possible to access (including the ability to change data) to files.

what do you think about
Finding for predictable, spoofed filenames before you start working on the file.

Copy link
Contributor

@MathiasVP MathiasVP Oct 28, 2021

Why is a spoofed filename problematic? I was thinking about something along the lines of:

Using a predictable filename when creating a temporary file can lead to an attacker-controlled input.

Does something like that capture the spirit of your query?

Copy link
Contributor Author

@ihsinme ihsinme Oct 29, 2021

Yes, you are right.
but the predictable filename is vulnerable for several reasons.
1.if you create a file with a symbolic link to another file you can cause it to be deleted or corrupted (accessibility)
2. If rights are broad, information can be accessed (confidentiality)
3.If it is possible to write, change the content (integrity)

all this is achievable and important. but in my opinion the most common use of attackers is 1. so I wanted to focus on it.
but your suggestion is absolutely correct, and if you think it fits better, I will insert it.

Thanks.

@MathiasVP
Copy link
Contributor

@MathiasVP MathiasVP commented Oct 26, 2021

It looks like our CI is failing with a couple of errors:

  • First:
File "ql/cpp/ql/src/experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql" contains a non-ASCII character at the location marked with `|` in:
2021-10-26T10:38:41.8453269Z ```
2021-10-26T10:38:41.8454787Z etTarget().hasGlobalOrStdName("chmod")
2021-10-26T10:38:41.8455619Z   ) and
2021-10-26T10:38:41.8456395Z   msg =
2021-10-26T10:38:41.8456832Z     "|
2021-10-26T10:38:41.8457197Z ```

Sounds like there's a hidden non-ASCII character around line 94.

  • Second:
ql/cpp/ql/src/experimental/Security/CWE/CWE-377/InsecureTemporaryFile.qhelp:8:3: The element type "overview" must be terminated by the matching end-tag "</overview>".

@ihsinme
Copy link
Contributor Author

@ihsinme ihsinme commented Oct 27, 2021

Good afternoon.
thanks for your comments.
I apologize for the delay in my response.
I will try to answer in the coming days.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment