mirror of
https://github.com/falcosecurity/falco.git
synced 2025-07-22 10:22:01 +00:00
new(ci): add semgrep to check for banned functions
Signed-off-by: Luca Guerra <luca@guerra.sh>
This commit is contained in:
parent
1e38967b18
commit
39aa8fe05f
26
.github/workflows/insecure-api.yaml
vendored
Normal file
26
.github/workflows/insecure-api.yaml
vendored
Normal file
@ -0,0 +1,26 @@
|
|||||||
|
name: Insecure API check
|
||||||
|
on:
|
||||||
|
pull_request:
|
||||||
|
branches:
|
||||||
|
- master
|
||||||
|
- 'release/**'
|
||||||
|
- 'maintainers/**'
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
insecure-api:
|
||||||
|
name: check-insecure-api
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
container:
|
||||||
|
image: returntocorp/semgrep:1.41.0@sha256:85956fbe795a0e8a3825d5252f175887c0e0c6ce7a766a07062c0fb68415cd67
|
||||||
|
steps:
|
||||||
|
- name: Checkout Falco ⤵️
|
||||||
|
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
|
||||||
|
with:
|
||||||
|
fetch-depth: 0
|
||||||
|
- name: Scan PR for insecure API usage 🕵️
|
||||||
|
run: |
|
||||||
|
semgrep scan \
|
||||||
|
--error \
|
||||||
|
--metrics=off \
|
||||||
|
--baseline-commit ${{ github.event.pull_request.base.sha }} \
|
||||||
|
--config=./semgrep
|
44
semgrep/insecure-api-gets.yaml
Normal file
44
semgrep/insecure-api-gets.yaml
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
# MIT License
|
||||||
|
#
|
||||||
|
# Copyright (c) 2022 raptor
|
||||||
|
#
|
||||||
|
# Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||||
|
# of this software and associated documentation files (the "Software"), to deal
|
||||||
|
# in the Software without restriction, including without limitation the rights
|
||||||
|
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||||
|
# copies of the Software, and to permit persons to whom the Software is
|
||||||
|
# furnished to do so, subject to the following conditions:
|
||||||
|
#
|
||||||
|
# The above copyright notice and this permission notice shall be included in all
|
||||||
|
# copies or substantial portions of the Software.
|
||||||
|
#
|
||||||
|
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||||
|
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||||
|
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||||
|
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||||
|
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||||
|
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||||
|
# SOFTWARE.
|
||||||
|
|
||||||
|
rules:
|
||||||
|
- id: raptor-insecure-api-gets
|
||||||
|
metadata:
|
||||||
|
author: Marco Ivaldi <raptor@0xdeadbeef.info>
|
||||||
|
references:
|
||||||
|
- https://cwe.mitre.org/data/definitions/242
|
||||||
|
- https://cwe.mitre.org/data/definitions/120
|
||||||
|
confidence: HIGH
|
||||||
|
message: >-
|
||||||
|
The program calls a function that can never be guaranteed to work
|
||||||
|
safely.
|
||||||
|
Certain functions behave in dangerous ways regardless of how they are
|
||||||
|
used. Functions in this category were often implemented without
|
||||||
|
taking security concerns into account. The gets() function is unsafe
|
||||||
|
because it does not perform bounds checking on the size of its input.
|
||||||
|
An attacker can easily send arbitrarily-sized input to gets() and
|
||||||
|
overflow the destination buffer.
|
||||||
|
severity: ERROR
|
||||||
|
languages:
|
||||||
|
- c
|
||||||
|
- cpp
|
||||||
|
pattern: gets(...)
|
57
semgrep/insecure-api-sprintf-vsprintf.yaml
Normal file
57
semgrep/insecure-api-sprintf-vsprintf.yaml
Normal file
@ -0,0 +1,57 @@
|
|||||||
|
# MIT License
|
||||||
|
#
|
||||||
|
# Copyright (c) 2022 raptor
|
||||||
|
#
|
||||||
|
# Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||||
|
# of this software and associated documentation files (the "Software"), to deal
|
||||||
|
# in the Software without restriction, including without limitation the rights
|
||||||
|
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||||
|
# copies of the Software, and to permit persons to whom the Software is
|
||||||
|
# furnished to do so, subject to the following conditions:
|
||||||
|
#
|
||||||
|
# The above copyright notice and this permission notice shall be included in all
|
||||||
|
# copies or substantial portions of the Software.
|
||||||
|
#
|
||||||
|
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||||
|
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||||
|
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||||
|
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||||
|
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||||
|
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||||
|
# SOFTWARE.
|
||||||
|
|
||||||
|
rules:
|
||||||
|
- id: raptor-insecure-api-sprintf-vsprintf
|
||||||
|
metadata:
|
||||||
|
author: Marco Ivaldi <raptor@0xdeadbeef.info>
|
||||||
|
references:
|
||||||
|
- https://cwe.mitre.org/data/definitions/676
|
||||||
|
- https://cwe.mitre.org/data/definitions/120
|
||||||
|
- https://cwe.mitre.org/data/definitions/787
|
||||||
|
- https://g.co/kgs/PCHQjJ
|
||||||
|
confidence: HIGH
|
||||||
|
message: >-
|
||||||
|
The program invokes a potentially dangerous function that could
|
||||||
|
introduce a vulnerability if it is used incorrectly, but the function
|
||||||
|
can also be used safely.
|
||||||
|
A buffer overflow condition exists when a program attempts to put
|
||||||
|
more data in a buffer than it can hold, or when a program attempts to
|
||||||
|
put data in a memory area outside of the boundaries of a buffer. The
|
||||||
|
simplest type of error, and the most common cause of buffer
|
||||||
|
overflows, is the classic case in which the program copies the buffer
|
||||||
|
without restricting how much is copied. Other variants exist, but the
|
||||||
|
existence of a classic overflow strongly suggests that the programmer
|
||||||
|
is not considering even the most basic of security protections.
|
||||||
|
severity: ERROR
|
||||||
|
languages:
|
||||||
|
- c
|
||||||
|
- cpp
|
||||||
|
patterns:
|
||||||
|
- pattern-either:
|
||||||
|
- pattern: sprintf($BUF, $FMT, ...)
|
||||||
|
- pattern: vsprintf($BUF, $FMT, ...)
|
||||||
|
# swprintf() and vswprintf() should have a size parameter
|
||||||
|
- metavariable-regex:
|
||||||
|
metavariable: $FMT
|
||||||
|
# NOTE: some format string modifiers are not handled
|
||||||
|
regex: '(".*%l?s.*"|".*%S.*"|[a-zA-Z_][a-zA-Z0-9_]*)'
|
59
semgrep/insecure-api-strcpy-stpcpy-strcat.yaml
Normal file
59
semgrep/insecure-api-strcpy-stpcpy-strcat.yaml
Normal file
@ -0,0 +1,59 @@
|
|||||||
|
# MIT License
|
||||||
|
#
|
||||||
|
# Copyright (c) 2022 raptor
|
||||||
|
#
|
||||||
|
# Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||||
|
# of this software and associated documentation files (the "Software"), to deal
|
||||||
|
# in the Software without restriction, including without limitation the rights
|
||||||
|
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||||
|
# copies of the Software, and to permit persons to whom the Software is
|
||||||
|
# furnished to do so, subject to the following conditions:
|
||||||
|
#
|
||||||
|
# The above copyright notice and this permission notice shall be included in all
|
||||||
|
# copies or substantial portions of the Software.
|
||||||
|
#
|
||||||
|
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||||
|
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||||
|
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||||
|
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||||
|
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||||
|
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||||
|
# SOFTWARE.
|
||||||
|
|
||||||
|
rules:
|
||||||
|
- id: raptor-insecure-api-strcpy-stpcpy-strcat
|
||||||
|
metadata:
|
||||||
|
author: Marco Ivaldi <raptor@0xdeadbeef.info>
|
||||||
|
references:
|
||||||
|
- https://cwe.mitre.org/data/definitions/676
|
||||||
|
- https://cwe.mitre.org/data/definitions/120
|
||||||
|
- https://cwe.mitre.org/data/definitions/787
|
||||||
|
- https://g.co/kgs/PCHQjJ
|
||||||
|
confidence: HIGH
|
||||||
|
message: >-
|
||||||
|
The program invokes a potentially dangerous function that could
|
||||||
|
introduce a vulnerability if it is used incorrectly, but the function
|
||||||
|
can also be used safely.
|
||||||
|
A buffer overflow condition exists when a program attempts to put
|
||||||
|
more data in a buffer than it can hold, or when a program attempts to
|
||||||
|
put data in a memory area outside of the boundaries of a buffer. The
|
||||||
|
simplest type of error, and the most common cause of buffer
|
||||||
|
overflows, is the classic case in which the program copies the buffer
|
||||||
|
without restricting how much is copied. Other variants exist, but the
|
||||||
|
existence of a classic overflow strongly suggests that the programmer
|
||||||
|
is not considering even the most basic of security protections.
|
||||||
|
|
||||||
|
In the Falco codebase you can use the safer alternative strlcpy().
|
||||||
|
severity: ERROR
|
||||||
|
languages:
|
||||||
|
- c
|
||||||
|
- cpp
|
||||||
|
patterns:
|
||||||
|
- pattern-either:
|
||||||
|
- pattern: strcpy(...)
|
||||||
|
- pattern: stpcpy(...)
|
||||||
|
- pattern: strcat(...)
|
||||||
|
- pattern: wcscpy(...)
|
||||||
|
- pattern: wcpcpy(...)
|
||||||
|
- pattern: wcscat(...)
|
||||||
|
- pattern-not: $FUN($BUF, "...", ...)
|
18
semgrep/insecure-api-strn.yaml
Normal file
18
semgrep/insecure-api-strn.yaml
Normal file
@ -0,0 +1,18 @@
|
|||||||
|
rules:
|
||||||
|
- id: falco-insecure-api-strn
|
||||||
|
metadata:
|
||||||
|
references:
|
||||||
|
- https://cwe.mitre.org/data/definitions/120
|
||||||
|
confidence: HIGH
|
||||||
|
message: >-
|
||||||
|
The libc function strncpy and strncat are not used in the Falco codebase as they are error prone.
|
||||||
|
Read more: https://www.cisa.gov/uscert/bsi/articles/knowledge/coding-practices/strncpy-and-strncat .
|
||||||
|
In the Falco codebase you can use the safer alternatives strlcpy() and strlcat().
|
||||||
|
severity: ERROR
|
||||||
|
languages:
|
||||||
|
- c
|
||||||
|
- cpp
|
||||||
|
patterns:
|
||||||
|
- pattern-either:
|
||||||
|
- pattern: strncpy(...)
|
||||||
|
- pattern: strncat(...)
|
Loading…
Reference in New Issue
Block a user