diff --git a/assets/semgrep_rules/client/reinterpret_cast.cpp b/assets/semgrep_rules/client/reinterpret_cast.cpp
new file mode 100644
index 00000000..a0a4f47a
--- /dev/null
+++ b/assets/semgrep_rules/client/reinterpret_cast.cpp
@@ -0,0 +1,12 @@
+// ruleid: reinterpret_cast
+std::string_view der_cert(reinterpret_cast(cert->pbCertEncoded), cert->cbCertEncoded);
+// ruleid: reinterpret_cast
+const uint8_t* string_data =reinterpret_cast(response_body.data());
+// ruleid: reinterpret_cast
+uint32_t value = *reinterpret_cast(bytes.data());
+// ruleid: reinterpret_cast
+int rv = PKCS5_PBKDF2_HMAC(mnemonic.data(), mnemonic.length(), reinterpret_cast(salt.data()), salt.length(), 2048, EVP_sha512(),seed->size(), seed->data());
+// ruleid: reinterpret_cast
+float* float_data = reinterpret_cast(const_cast(data));
+// ok: reinterpret_cast
+auto orig_fn = reinterpret_cast(g_originals.functions[GET_MODULE_FILENAME_EX_W_ID]);
diff --git a/assets/semgrep_rules/client/reinterpret_cast.yaml b/assets/semgrep_rules/client/reinterpret_cast.yaml
new file mode 100644
index 00000000..310689b6
--- /dev/null
+++ b/assets/semgrep_rules/client/reinterpret_cast.yaml
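Review bot: The fixture pins only one negative case (the `// ok:` on the function-pointer cast of `g_originals.functions[...]`), so the boundary of the rule's `$T` regex is untested in the direction that matters most: a destination type whose name merely contains `int` or `char` (a `PrintJob*`-style class pointer) or a pointer-to-integer conversion such as `reinterpret_cast<uintptr_t>(ptr)`, both of which `.*int.*` catches today. Add an explicit `// ruleid:` or `// ok:` line for `auto addr = reinterpret_cast<uintptr_t>(ptr);` (constructed example) so the intended treatment of pointer-to-integer casts is fixed by the test rather than by the regex's substring match. On this page every cast reads `reinterpret_cast(...)` with the `<T>` argument missing, which looks like rendering dropped the angle brackets; if the committed file really lacks them, none of these lines would match `reinterpret_cast<$T>($ARG)` and every `ruleid` expectation would fail.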
@@ -0,0 +1,19 @@
+rules:
+ - id: reinterpret_cast
+ metadata:
+ author: Artem Chaikin
+ references:
+ - https://chromium.googlesource.com/chromium/src/+/main/docs/unsafe_buffers.md#Avoid-reinterpret_cast
+ source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/client/reinterpret_casts.yaml
+ assignees: |
+ stoletheminerals
+ thypon
+ cdesouza-chromium
+ languages: [cpp]
+ message: "Using `reinterpret_cast` against some data types may lead to undefined bheaviour. In general, when needing to do these conversions, check how Chromium upstream does them. Most of the times a reinterpret_cast is wrong and there's no guarantee the compiler will generate the code that you thought it would."
+ severity: WARNING
+ patterns:
+ - pattern: reinterpret_cast<$T>($ARG)
+ - metavariable-regex:
+ metavariable: $T
+ regex: ^(.*int.*|.*double.*|.*float.*|.*char.*)$ # this probably needs to be tweaked
diff --git a/assets/semgrep_rules/client/unsafe-cpp-constructs.cpp b/assets/semgrep_rules/client/unsafe-cpp-constructs.cpp
new file mode 100644
index 00000000..1259ee8c
--- /dev/null
+++ b/assets/semgrep_rules/client/unsafe-cpp-constructs.cpp
@@ -0,0 +1,14 @@
+// ruleid: unsafe_cpp_constructs
+UNSAFE_BUFFERS(data());
+// ruleid: unsafe_cpp_constructs
+UNSAFE_TODO(base::make_span(&web_script_source, 1u));
+// ruleid: unsafe_cpp_constructs
+std::next(it);
+// ruleid: unsafe_cpp_constructs
+std::advance(cert_iter, cert_idx);
+// ruleid: unsafe_cpp_constructs
+std::prev(it);
+// ruleid: unsafe_cpp_constructs
+const void* const kUserDataKey = &kUserDataKey;
+// ok: unsafe_cpp_constructs
+static void RegisterCallback(AtExitCallbackType func, uint8_t param);
diff --git a/assets/semgrep_rules/client/unsafe-cpp-constructs.yaml b/assets/semgrep_rules/client/unsafe-cpp-constructs.yaml
new file mode 100644
index 00000000..bf8d70c7
--- /dev/null
+++ b/assets/semgrep_rules/client/unsafe-cpp-constructs.yaml
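Review bot: The `metavariable-regex` on `$T` is an unanchored, case-sensitive substring match, so `^(.*int.*|.*double.*|.*float.*|.*char.*)$` fires on any destination type whose spelling happens to contain `int` or `char` (a `PrintJob*` or `CharacterSet*` class pointer) while never matching `size_t`, `std::byte` or `void*`; the trailing `# this probably needs to be tweaked` comment acknowledges this, but the rule ships with it. Word-bounded alternatives such as `regex: ^.*\b(u?int(8|16|32|64|ptr)?(_t)?|long|short|char|wchar_t|float|double)\b.*$` keep the integer/char/float pointer cases in the fixture while dropping the class-name false positives. Two smaller things in the same metadata block: `message:` misspells `behaviour` as `bheaviour`, and `source:` points at `reinterpret_casts.yaml` (plural) whereas this file is `reinterpret_cast.yaml`, so the link will not resolve unless the upstream file really carries the plural name.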
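Review bot: The `// ruleid:` on `const void* const kUserDataKey` is the only line exercising the rule's `pattern-regex` arm, and it uses the no-space `void*` spelling; the `void *ptr` spelling is not covered by `void\*`, and nothing in the fixture pins which way that should go. Add `void *raw = nullptr;` as a `// ruleid:` line (constructed example) once the regex tolerates whitespace, and note that `pattern-regex`, unlike the `pattern:` arms, matches raw source text, so a `void*` inside a comment or string literal is reported too; if that is unintended, a `// ok:` line whose content is a comment mentioning `void*` would make the fixture catch it. The `std::next`/`std::advance`/`std::prev` lines are all `ruleid` with no `ok` counterpart showing an accepted alternative (the `base::make_span` call appears only inside the flagged `UNSAFE_TODO`), so the fixture documents what is rejected but not what a developer should write instead.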
@@ -0,0 +1,22 @@
+rules:
+ - id: unsafe_cpp_constructs
+ metadata:
+ author: Artem Chaikin
+ references:
+ - https://github.com/brave/brave-browser/wiki/Security-reviews
+ source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/client/unsafe_cpp_constructs.yaml
+ assignees: |
+ stoletheminerals
+ thypon
+ cdesouza-chromium
+ languages: [cpp]
+ message: "Potentially unsafe C++ construct detected"
+ severity: WARNING
+ patterns:
+ - pattern-either:
+ - pattern: "UNSAFE_TODO(...)"
+ - pattern: "UNSAFE_BUFFERS(...)"
+ - pattern: "std::next(...)"
+ - pattern: "std::advance(...)"
+ - pattern: "std::prev(...)"
+ - pattern-regex: "void\\*"
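Review bot: `pattern-regex: "void\\*"` is a raw text match, so it reports `void*` inside comments and string literals and in every C-style callback signature, while missing the `void *p` spelling; `pattern-regex: "void\\s*\\*"` closes the whitespace gap, and if only declarations are meant, a `pattern:` arm would keep the match semantic like the other five (whether semgrep's C++ grammar matches a bare `void*` type pattern reliably is something to verify before switching). The `message:` is one generic sentence, so a developer hit by `std::advance` gets neither the reason nor an alternative; since all arms share one rule, spell it out, e.g. `message: "UNSAFE_TODO/UNSAFE_BUFFERS opt out of bounds checking, std::next/advance/prev perform unchecked iterator arithmetic, and void* discards type information; prefer base::span and checked iterators (see references)."` Also `source:` names `unsafe_cpp_constructs.yaml` with underscores while the file added here is `unsafe-cpp-constructs.yaml` with hyphens, the same mismatch as in the sibling `reinterpret_cast` rule.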