Add UB rules
stoletheminerals committed Oct 18, 2024
1 parent 567cada commit e803108
Showing 4 changed files with 67 additions and 0 deletions.
12 changes: 12 additions & 0 deletions assets/semgrep_rules/client/reinterpret_cast.cpp
@@ -0,0 +1,12 @@
// ruleid: reinterpret_cast
std::string_view der_cert(reinterpret_cast<const char*>(cert->pbCertEncoded), cert->cbCertEncoded);
// ruleid: reinterpret_cast
const uint8_t* string_data =reinterpret_cast<const uint8_t*>(response_body.data());
// ruleid: reinterpret_cast
uint32_t value = *reinterpret_cast<const uint32_t*>(bytes.data());
// ruleid: reinterpret_cast
int rv = PKCS5_PBKDF2_HMAC(mnemonic.data(), mnemonic.length(), reinterpret_cast<const uint8_t*>(salt.data()), salt.length(), 2048, EVP_sha512(),seed->size(), seed->data());
// ruleid: reinterpret_cast
float* float_data = reinterpret_cast<float*>(const_cast<uint8_t*>(data));
// ok: reinterpret_cast
auto orig_fn = reinterpret_cast<GetModuleFileNameExWFunction>(g_originals.functions[GET_MODULE_FILENAME_EX_W_ID]);
19 changes: 19 additions & 0 deletions assets/semgrep_rules/client/reinterpret_cast.yaml
@@ -0,0 +1,19 @@
rules:
- id: reinterpret_cast
metadata:
author: Artem Chaikin
references:
- https://chromium.googlesource.com/chromium/src/+/main/docs/unsafe_buffers.md#Avoid-reinterpret_cast
source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/client/reinterpret_casts.yaml
assignees: |
stoletheminerals
thypon
cdesouza-chromium
languages: [cpp]
message: "Using `reinterpret_cast` against some data types may lead to undefined bheaviour. In general, when needing to do these conversions, check how Chromium upstream does them. Most of the times a reinterpret_cast is wrong and there's no guarantee the compiler will generate the code that you thought it would."
severity: WARNING
patterns:
- pattern: reinterpret_cast<$T>($ARG)
- metavariable-regex:
metavariable: $T
regex: ^(.*int.*|.*double.*|.*float.*|.*char.*)$ # this probably needs to be tweaked
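Review bot: the `metavariable-regex` on the last line is a substring match in disguise: `^(.*int.*|.*double.*|.*float.*|.*char.*)$` with `.*` on both sides fires on any type name containing `int` or `char` (`PointerHolder*`, `PrintJob*`) and also on `uintptr_t`, the one integer target for which `reinterpret_cast` is the idiomatic choice; use word-bounded alternatives instead, e.g. `^.*\b(u?int(8|16|32|64)?(_t)?|char|float|double)\b.*$`, and list `uintptr_t`/`intptr_t` deliberately rather than by accident. Two smaller things in the same hunk: `source:` points at `reinterpret_casts.yaml` while the file added here is `reinterpret_cast.yaml`, and `bheaviour` in `message` should read `behaviour`.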
14 changes: 14 additions & 0 deletions assets/semgrep_rules/client/unsafe-cpp-constructs.cpp
@@ -0,0 +1,14 @@
// ruleid: unsafe_cpp_constructs
UNSAFE_BUFFERS(data());
// ruleid: unsafe_cpp_constructs
UNSAFE_TODO(base::make_span(&web_script_source, 1u));
// ruleid: unsafe_cpp_constructs
std::next(it);
// ruleid: unsafe_cpp_constructs
std::advance(cert_iter, cert_idx);
// ruleid: unsafe_cpp_constructs
std::prev(it);
// ruleid: unsafe_cpp_constructs
const void* const kUserDataKey = &kUserDataKey;
// ok: unsafe_cpp_constructs
static void RegisterCallback(AtExitCallbackType func, uint8_t param);
22 changes: 22 additions & 0 deletions assets/semgrep_rules/client/unsafe-cpp-constructs.yaml
@@ -0,0 +1,22 @@
rules:
- id: unsafe_cpp_constructs
metadata:
author: Artem Chaikin
references:
- https://github.com/brave/brave-browser/wiki/Security-reviews
source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/client/unsafe_cpp_constructs.yaml
assignees: |
stoletheminerals
thypon
cdesouza-chromium
languages: [cpp]
message: "Potentially unsafe C++ construct detected"
severity: WARNING
patterns:
- pattern-either:
- pattern: "UNSAFE_TODO(...)"
- pattern: "UNSAFE_BUFFERS(...)"
- pattern: "std::next(...)"
- pattern: "std::advance(...)"
- pattern: "std::prev(...)"
- pattern-regex: "void\\*"
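Review bot: `pattern-regex: "void\\*"` under `pattern-either` fires on every `void*` in a file, including parameter lists, return types and comments, because a raw regex has no notion of tokens, yet it misses `void *p`; tighten it to `"void\\s*\\*"` at minimum, and consider splitting the `void*` check into its own rule with its own message, since it has a very different false-positive profile from the `UNSAFE_TODO`/`UNSAFE_BUFFERS`/`std::next` patterns. The `message` "Potentially unsafe C++ construct detected" gives the author nothing to act on; say which construct matched and link the same Chromium `unsafe_buffers.md` guidance the sibling `reinterpret_cast` rule references. Also, `source:` points at `unsafe_cpp_constructs.yaml` while the file added here is `unsafe-cpp-constructs.yaml`.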