semgrep-rules

"Humans are more suited to recognize food than to keep large graphs in their head."

-- Halvar Flake

A collection of my Semgrep rules to facilitate vulnerability research.

Blog post: https://security.humanativaspa.it/semgrep-ruleset-for-c-c-vulnerability-research

See also: https://semgrep.dev/r

Setup and usage instructions

1. Install Semgrep.
2. Clone this github repo.
3. To use these rules, run:

semgrep --config PATH/TO/RULES_DIR/OR/RULE_FILE PATH/TO/FILE/FOR/SCANNING

C/C++

buffer overflows

• insecure-api-gets. Use of the insecure API function gets().
• insecure-api-strcpy-stpcpy-strcat. Use of potentially insecure API functions strcpy(), stpcpy(), strcat().
• insecure-api-sprintf-vsprintf. Use of potentially insecure API functions sprintf() and vsprintf().
• insecure-api-scanf-etc. Use of potentially insecure API functions in the scanf() family.
• incorrect-use-of-strncat. Wrong size argument passed to strncat().
• incorrect-use-of-strncpy-stpncpy-strlcpy. Wrong size argument passed to strncpy(), stpncpy(), strlcpy().
• incorrect-use-of-sizeof. Accidental use of the sizeof() operator on a pointer instead of its target.
• unterminated-string-strncpy-stpncpy. Lack of explicit null-termination after strncpy() and stpncpy().
• off-by-one. Potential off-by-one error.
• pointer-subtraction. Potential use of pointer subtraction to determine size.
• unsafe-ret-strlcpy-strlcat. Potentially unsafe use of the return value of strlcpy() and strlcat().
• unsafe-ret-snprintf-vsnprintf. Potentially unsafe use of the return value of snprintf() and vsnprintf().
• write-into-stack-buffer. Direct writes into buffers allocated on the stack.

integer overflows

• incorrect-unsigned-comparison. Checking if an unsigned variable is negative.
• signed-unsigned-conversion. Potential signed/unsigned conversion errors.
• integer-truncation. Potential integer truncation errors.
• integer-wraparound. Potential integer wraparound errors.
• unsafe-strlen. Casting the return value of strlen() to short might be dangerous.

format strings

• format-string-bugs. Potential format string bugs.

memory management

• insecure-api-alloca. Use of the potentially insecure API function alloca().
• use-after-free. Potential use after free().
• double-free. Potential double free().
• unchecked-ret-malloc-calloc-realloc. Unchecked return code of malloc(), calloc(), realloc().
• ret-stack-address. Potential return of the address of a stack variable.
• memory-address-exposure. Potential exposure of underlying memory addresses.
• mismatched-memory-management. Potentially mismatched C memory management routines.
• mismatched-memory-management-cpp. Potentially mismatched C++ memory management routines.

command injection

• command-injection. Potential OS command injection via system() or popen().

race conditions

• insecure-api-access-stat-lstat. Use of insecure API functions access(), stat(), lstat().
• insecure-api-mktemp-tmpnam-tempnam. Use of insecure API functions mktemp(), tmpnam(), tempnam().

privilege management

• incorrect-order-setuid-setgid-etc. Privilege management functions called in the wrong order.
• unchecked-ret-setuid-seteuid. Unchecked return code of setuid() and seteuid().

miscellaneous

• insecure-api-rand-srand. Use of potentially insecure API functions rand() and srand().
• insecure-api-atoi-atol-atof. Use of potentially insecure API functions atoi(), atol(), atof().
• interesting-api-calls. Calls to interesting and potentially insecure API functions.
• typos. Potential typos with security implications.

Generic

miscellaneous

• bad-words. Keywords and comments that suggest the presence of bugs.