diff --git a/assets/semgrep_rules/c/chromium-uaf.yaml b/assets/semgrep_rules/c/chromium-uaf.yaml index 02b71b49..23f729a1 100644 --- a/assets/semgrep_rules/c/chromium-uaf.yaml +++ b/assets/semgrep_rules/c/chromium-uaf.yaml @@ -4,6 +4,11 @@ rules: - pattern: base::Unretained(...) - pattern-not-inside: web_ui()->RegisterMessageCallback(...) - pattern-not-inside: pref_change_registrar_.Add(...) + - pattern-not-inside: receiver_.set_disconnect_handler(...) + - pattern-not-inside: receiver_.set_disconnect_with_reason_handler(...) + - pattern-not-inside: remote_.set_disconnect_handler(...) + - pattern-not-inside: remote_.set_disconnect_with_reason_handler(...) + metadata: author: Andrea Brancaleoni source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/c/chromium-uaf.yaml diff --git a/t3sts/semgrep_rules/uaf.cpp b/t3sts/semgrep_rules/uaf.cpp index 47dfd2d2..afd66005 100644 --- a/t3sts/semgrep_rules/uaf.cpp +++ b/t3sts/semgrep_rules/uaf.cpp @@ -50,4 +50,20 @@ v8::Local uaf(v8::Isolate* isolate) { prefs::kEnabled, base::BindRepeating(&AdsServiceImpl::OnEnabledPrefChanged, base::Unretained(this))); + + // ok: chromium-unretained-uaf + receiver_.set_disconnect_handler( + base::BindOnce(&LoggerImpl::OnError, base::Unretained(this))); + + // ok: chromium-unretained-uaf + remote_.set_disconnect_handler( + base::BindOnce(&LoggerImpl::OnError, base::Unretained(this))); + + // ok: chromium-unretained-uaf + receiver_.set_disconnect_with_reason_handler( + base::BindOnce(&LoggerImpl::OnError, base::Unretained(this))); + + // ok: chromium-unretained-uaf + remote_.set_disconnect_with_reason_handler( + base::BindOnce(&LoggerImpl::OnError, base::Unretained(this))); }
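Review bot: The four new `pattern-not-inside` exclusions silence every `base::Unretained(...)` under `receiver_`/`remote_` disconnect handlers, but the lifetime argument that justifies the exemption (as I recall from Chromium's Mojo guidance, the handler is owned by the Receiver/Remote and is not run after it is destroyed, and a member named `receiver_`/`remote_` is destroyed no later than `this`) only covers `base::Unretained(this)`; a `base::Unretained(other_ptr)` bound into the same handler is not covered by that argument yet is now suppressed too. If Semgrep's deep-expression operator behaves as I expect for C++, narrowing each exclusion to the `this` case, e.g. `- pattern-not-inside: receiver_.set_disconnect_handler(<... base::Unretained(this) ...>)`, keeps the intended exemption while still reporting foreign pointers (a handler that binds both would still be exempt, which seems an acceptable residual). The exemption is also by literal member name, so a Receiver named `logger_receiver_` or reached through a pointer (`receiver_->set_disconnect_handler`) still fires; a short comment above the list would save the next reader from widening it blindly, e.g. `# Unretained(this) is safe here only because receiver_/remote_ is a member of this: the handler dies with it. Do not extend to other pointers.`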
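Review bot: All four added cases carry `// ok: chromium-unretained-uaf`, so the test only proves the new exemption suppresses the finding; nothing in the file checks that the rule still reports `base::Unretained` in a disconnect handler the literal-name exclusions do not cover. I would add at least one positive case next to them, e.g. `// ruleid: chromium-unretained-uaf` followed by `logger_receiver_.set_disconnect_handler(base::BindOnce(&LoggerImpl::OnError, base::Unretained(this)));`, and a `receiver_->set_disconnect_handler(...)` variant, so a later loosening of the patterns is caught by the test rather than silently widening the allowlist. If the rule is later narrowed to `Unretained(this)`, a case binding a different pointer inside `receiver_.set_disconnect_handler(...)` should become a `ruleid` as well. The enclosing function `uaf` starts outside the hunk.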