From 39aa8fe05fbf45ca4f37fc72a60dcba93fd82dd7 Mon Sep 17 00:00:00 2001
From: Luca Guerra
Date: Thu, 19 Oct 2023 07:36:34 +0000
Subject: [PATCH] new(ci): add semgrep to check for banned functions

Signed-off-by: Luca Guerra
---
 .github/workflows/insecure-api.yaml | 26 ++++++++
 semgrep/insecure-api-gets.yaml | 44 ++++++++++++++
 semgrep/insecure-api-sprintf-vsprintf.yaml | 57 ++++++++++++++++++
 .../insecure-api-strcpy-stpcpy-strcat.yaml | 59 +++++++++++++++++++
 semgrep/insecure-api-strn.yaml | 18 ++++++
 5 files changed, 204 insertions(+)
 create mode 100644 .github/workflows/insecure-api.yaml
 create mode 100644 semgrep/insecure-api-gets.yaml
 create mode 100644 semgrep/insecure-api-sprintf-vsprintf.yaml
 create mode 100644 semgrep/insecure-api-strcpy-stpcpy-strcat.yaml
 create mode 100644 semgrep/insecure-api-strn.yaml
diff --git a/.github/workflows/insecure-api.yaml b/.github/workflows/insecure-api.yaml
new file mode 100644
index 00000000..8fbf02aa
--- /dev/null
+++ b/.github/workflows/insecure-api.yaml
@@ -0,0 +1,26 @@
+name: Insecure API check
+on:
+ pull_request:
+ branches:
+ - master
+ - 'release/**'
+ - 'maintainers/**'
+
+jobs:
+ insecure-api:
+ name: check-insecure-api
+ runs-on: ubuntu-latest
+ container:
+ image: returntocorp/semgrep:1.41.0@sha256:85956fbe795a0e8a3825d5252f175887c0e0c6ce7a766a07062c0fb68415cd67
+ steps:
+ - name: Checkout Falco ⤵️
+ uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ with:
+ fetch-depth: 0
+ - name: Scan PR for insecure API usage 🕵️
+ run: |
+ semgrep scan \
+ --error \
+ --metrics=off \
+ --baseline-commit ${{ github.event.pull_request.base.sha }} \
+ --config=./semgrep
diff --git a/semgrep/insecure-api-gets.yaml b/semgrep/insecure-api-gets.yaml
new file mode 100644
index 00000000..c393e679
--- /dev/null
+++ b/semgrep/insecure-api-gets.yaml
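Review bot: The `insecure-api` job declares no `permissions:` block, so the third-party `returntocorp/semgrep` container runs with whatever default `GITHUB_TOKEN` scope the repository has configured, and `actions/checkout` by default leaves that token in the checked-out repository's git configuration for later steps. The scan only needs to read the repository, so I would add `permissions:` with `contents: read` at workflow or job level and `persist-credentials: false` under the checkout step's `with:`. The image digest and action commit pins are good as they are. Separately, `--baseline-commit` means the gate reports only findings introduced relative to the PR base, so existing calls to these functions stay unflagged; that looks intentional, and a one-line comment above the `run:` step saying so would help.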
@@ -0,0 +1,44 @@
+# MIT License
+#
+# Copyright (c) 2022 raptor
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+rules:
+ - id: raptor-insecure-api-gets
+ metadata:
+ author: Marco Ivaldi
+ references:
+ - https://cwe.mitre.org/data/definitions/242
+ - https://cwe.mitre.org/data/definitions/120
+ confidence: HIGH
+ message: >-
+ The program calls a function that can never be guaranteed to work
+ safely.
+ Certain functions behave in dangerous ways regardless of how they are
+ used. Functions in this category were often implemented without
+ taking security concerns into account. The gets() function is unsafe
+ because it does not perform bounds checking on the size of its input.
+ An attacker can easily send arbitrarily-sized input to gets() and
+ overflow the destination buffer.
+ severity: ERROR
+ languages:
+ - c
+ - cpp
+ pattern: gets(...)
diff --git a/semgrep/insecure-api-sprintf-vsprintf.yaml b/semgrep/insecure-api-sprintf-vsprintf.yaml
new file mode 100644
index 00000000..b5a6f59f
--- /dev/null
+++ b/semgrep/insecure-api-sprintf-vsprintf.yaml
@@ -0,0 +1,57 @@
+# MIT License
+#
+# Copyright (c) 2022 raptor
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+rules:
+ - id: raptor-insecure-api-sprintf-vsprintf
+ metadata:
+ author: Marco Ivaldi
+ references:
+ - https://cwe.mitre.org/data/definitions/676
+ - https://cwe.mitre.org/data/definitions/120
+ - https://cwe.mitre.org/data/definitions/787
+ - https://g.co/kgs/PCHQjJ
+ confidence: HIGH
+ message: >-
+ The program invokes a potentially dangerous function that could
+ introduce a vulnerability if it is used incorrectly, but the function
+ can also be used safely.
+ A buffer overflow condition exists when a program attempts to put
+ more data in a buffer than it can hold, or when a program attempts to
+ put data in a memory area outside of the boundaries of a buffer. The
+ simplest type of error, and the most common cause of buffer
+ overflows, is the classic case in which the program copies the buffer
+ without restricting how much is copied. Other variants exist, but the
+ existence of a classic overflow strongly suggests that the programmer
+ is not considering even the most basic of security protections.
+ severity: ERROR
+ languages:
+ - c
+ - cpp
+ patterns:
+ - pattern-either:
+ - pattern: sprintf($BUF, $FMT, ...)
+ - pattern: vsprintf($BUF, $FMT, ...)
+ # swprintf() and vswprintf() should have a size parameter
+ - metavariable-regex:
+ metavariable: $FMT
+ # NOTE: some format string modifiers are not handled
+ regex: '(".*%l?s.*"|".*%S.*"|[a-zA-Z_][a-zA-Z0-9_]*)'
diff --git a/semgrep/insecure-api-strcpy-stpcpy-strcat.yaml b/semgrep/insecure-api-strcpy-stpcpy-strcat.yaml
new file mode 100644
index 00000000..f662c535
--- /dev/null
+++ b/semgrep/insecure-api-strcpy-stpcpy-strcat.yaml
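Review bot: The `$FMT` regex in `raptor-insecure-api-sprintf-vsprintf` recognises `%s`, `%ls` and `%S` only when they are written with no flags, width or precision, so a call such as `sprintf(buf, "%-20s", name)` is not reported even though a field width is only a minimum and the copy is still unbounded. The in-file NOTE acknowledges the limitation, but now that the rule gates merges it would be worth widening the literal alternative, for example to `".*%[-+ #0-9.*]*l?s.*"`, accepting that precision-bounded forms such as `%.8s` would then be flagged too. A comment stating that calls with purely numeric literal formats are left unreported (which appears deliberate) would also stop readers from assuming `sprintf` is banned outright.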
@@ -0,0 +1,59 @@
+# MIT License
+#
+# Copyright (c) 2022 raptor
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+rules:
+ - id: raptor-insecure-api-strcpy-stpcpy-strcat
+ metadata:
+ author: Marco Ivaldi
+ references:
+ - https://cwe.mitre.org/data/definitions/676
+ - https://cwe.mitre.org/data/definitions/120
+ - https://cwe.mitre.org/data/definitions/787
+ - https://g.co/kgs/PCHQjJ
+ confidence: HIGH
+ message: >-
+ The program invokes a potentially dangerous function that could
+ introduce a vulnerability if it is used incorrectly, but the function
+ can also be used safely.
+ A buffer overflow condition exists when a program attempts to put
+ more data in a buffer than it can hold, or when a program attempts to
+ put data in a memory area outside of the boundaries of a buffer. The
+ simplest type of error, and the most common cause of buffer
+ overflows, is the classic case in which the program copies the buffer
+ without restricting how much is copied. Other variants exist, but the
+ existence of a classic overflow strongly suggests that the programmer
+ is not considering even the most basic of security protections.
+
+ In the Falco codebase you can use the safer alternative strlcpy().
+ severity: ERROR
+ languages:
+ - c
+ - cpp
+ patterns:
+ - pattern-either:
+ - pattern: strcpy(...)
+ - pattern: stpcpy(...)
+ - pattern: strcat(...)
+ - pattern: wcscpy(...)
+ - pattern: wcpcpy(...)
+ - pattern: wcscat(...)
+ - pattern-not: $FUN($BUF, "...", ...)
diff --git a/semgrep/insecure-api-strn.yaml b/semgrep/insecure-api-strn.yaml
new file mode 100644
index 00000000..0f532e98
--- /dev/null
+++ b/semgrep/insecure-api-strn.yaml
@@ -0,0 +1,18 @@
+rules:
+ - id: falco-insecure-api-strn
+ metadata:
+ references:
+ - https://cwe.mitre.org/data/definitions/120
+ confidence: HIGH
+ message: >-
+ The libc function strncpy and strncat are not used in the Falco codebase as they are error prone.
+ Read more: https://www.cisa.gov/uscert/bsi/articles/knowledge/coding-practices/strncpy-and-strncat .
+ In the Falco codebase you can use the safer alternatives strlcpy() and strlcat().
+ severity: ERROR
+ languages:
+ - c
+ - cpp
+ patterns:
+ - pattern-either:
+ - pattern: strncpy(...)
+ - pattern: strncat(...)
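Review bot: The Falco-specific hint appended to the message of `raptor-insecure-api-strcpy-stpcpy-strcat` names only `strlcpy()`, but the rule also fires on `strcat()` and on the wide-character `wcscpy()`/`wcpcpy()`/`wcscat()`, for which `strlcpy()` is not a replacement. I would align it with the wording in `semgrep/insecure-api-strn.yaml`: `In the Falco codebase you can use the safer alternatives strlcpy() and strlcat().` Separately, `pattern-not: $FUN($BUF, "...", ...)` exempts every copy from a string literal regardless of the destination's size. A short comment above that line saying the exemption is a noise trade-off rather than a safety guarantee would keep it from being read as one.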
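Review bot: `falco-insecure-api-strn` lists only `strncpy(...)` and `strncat(...)` under `pattern-either`, while the strcpy rule in this same patch also covers the `stp*` and wide-character variants, so `stpncpy()`, `wcsncpy()` and `wcsncat()` pass the gate with the same truncation and missing-terminator pitfalls. Adding `- pattern: stpncpy(...)`, `- pattern: wcsncpy(...)` and `- pattern: wcsncat(...)` would close that gap. The message's first sentence would also read better in the plural, `The libc functions strncpy and strncat are not used ...`.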