
std::istream::read() reports security issue, false alert?

Open · oneiric opened this issue 3 years ago · 4 comments

Hi Expert,

I noticed that flawfinder will report a security issue when using the modern C++ std::istream::read(). https://en.cppreference.com/w/cpp/io/basic_istream/read

https://github.com/OpenAPITools/openapi-generator/issues/10349

The check rule in Flawfinder is as below:

https://github.com/david-a-wheeler/flawfinder/blob/d9ddc06b7efea4c626205e5d39157255d112bfe4/flawfinder.py#L1282~L1287

    # fread not included here; in practice I think it's rare to mistake it.
    "getchar|fgetc|getc|read|_gettc":
    (normal, 1,
     "Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20)",
     "",
     "buffer", "dangers-c", {'input': 1}, "FF1029"),

Is this a false alert when using the modern C++ std::istream::read() function? If not, how can this issue be fixed? https://github.com/OpenAPITools/openapi-generator/blob/master/samples/client/petstore/cpp-restsdk/client/ModelBase.cpp#L519

Regards, Alex

oneiric, Sep 09 '21 09:09

By the way, the read() API is not in the latest microsoft banned functions.

https://github.com/x509cert/banned/blob/master/banned.h

oneiric, Sep 09 '21 09:09

@david-a-wheeler

oneiric, Sep 26 '21 02:09

For your specific challenge, just use a flawfinder: ignore comment.

The problem is that flawfinder doesn't understand C++ namespace references. It's completely possible to add that functionality. Patches welcome.

david-a-wheeler, Sep 26 '21 17:09
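To make the false positive concrete: the rule quoted above matches the bare token `read(` without looking at what precedes it, so a member call such as `stream.read(...)` fires exactly like the POSIX `read()` syscall. The Python script below is an added illustration, not flawfinder's own code; it contrasts a token-only match with a simplified member/namespace-aware variant and honours a `flawfinder: ignore` comment on the hit line. The C++ sample lines and the helper names are constructed for this example, and the suppression-comment handling is a simplification of flawfinder's.

```python
import re

# Standalone identifier "read" followed by "(" (constructed simplification of
# the "getchar|fgetc|getc|read|_gettc" rule, FF1029, quoted in the issue).
CALL_RE = re.compile(r'\bread\s*\(')
SUPPRESS = "flawfinder: ignore"   # suppression marker on the same line


def is_member_or_qualified(line, start):
    """True if the match at `start` is a member call (x.read, p->read) or a
    namespace-qualified name (std::istream::read).  A leading '::read' with
    nothing identifier-like before it is the global C function, not qualified."""
    prefix = line[:start].rstrip()
    if prefix.endswith('.') or prefix.endswith('->'):
        return True
    if prefix.endswith('::'):
        before = prefix[:-2].rstrip()
        return bool(before) and (before[-1].isalnum() or before[-1] in '_>')
    return False


def scan(source, namespace_aware=True):
    """Return a list of (lineno, stripped line) hits.  namespace_aware=False
    mimics the token-only behaviour David describes in the thread."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            if SUPPRESS in line:          # explicit reviewer suppression
                break
            if namespace_aware and is_member_or_qualified(line, m.start()):
                continue                  # member/qualified: not the C API
            hits.append((lineno, line.strip()))
            break
    return hits


# Constructed C++ sample: two member calls, one syscall, one global-scope
# syscall, and one suppressed member call.
SAMPLE = """\
std::ifstream f("x.bin", std::ios::binary);
f.read(buf.data(), static_cast<std::streamsize>(buf.size()));
stream->read(reinterpret_cast<char*>(&hdr), sizeof(hdr));
ssize_t n = read(fd, raw, sizeof raw);
ssize_t m = ::read(fd, raw, sizeof raw);
in.read(tmp, 16); // flawfinder: ignore
"""

if __name__ == "__main__":
    for mode in (False, True):
        print("namespace_aware =", mode, "->", [n for n, _ in scan(SAMPLE, mode)])
```

The token-only pass reports lines 2, 3, 4 and 5; the member-aware pass keeps only the two real syscalls on lines 4 and 5, which is where the CWE-120/CWE-20 "check buffer boundaries in a loop" advice actually applies.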

Thanks for the suggestions, David.

oneiric, Sep 27 '21 08:09