format-string-bugs.yaml
rules:
  - id: raptor-format-string-bugs
    metadata:
      author: Marco Ivaldi <raptor@0xdeadbeef.info>
      category: security
      subcategory: vuln
      vulnerability_class: Memory Issues
      likelihood: MEDIUM
      impact: HIGH
      confidence: MEDIUM
      technology:
        - c
        - cpp
      cwe:
        - "CWE-134: Use of Externally-Controlled Format String"
      references:
        - https://julianor.tripod.com/bc/formatstring-1.2.pdf
        - http://phrack.org/issues/70/13.html#article
        - https://g.co/kgs/PCHQjJ
        - https://www.sei.cmu.edu/downloads/sei-cert-c-coding-standard-2016-v01.pdf
    message: >-
      The software uses a function that accepts a format string as an argument,
      but the format string originates from an external source. This can lead
      to buffer overflows, denial of service, or data representation problems.
    severity: ERROR
    languages:
      - c
      - cpp
    # NOTE: generic `va_list` matching for custom wrappers is not covered.
    # NOTE: `dprintf` in C++ has a different signature; this rule may cause false positives with it.
    # NOTE: `#define` format specifiers are not excluded due to Semgrep limitations; perhaps we could implement this with symbolic propagation (Semgrep Pro experimental feature)?
    # NOTE: some obsolete Microsoft-specific functions, such as `_ftprintf`, `_sntprintf`, `_snwprintf`, `_sntscanf`, etc., are not covered.
    pattern-either:
      # format string in 1st arg
      - patterns:
          - pattern-either:
              # printf family
              - pattern: printf(...)
              - pattern: vprintf(...)
              - pattern: wprintf(...)
              - pattern: vwprintf(...)
              - pattern: vcprintf(...)
              - pattern: vcwprintf(...)
              - pattern: vscprintf(...)
              - pattern: vscwprintf(...)
              - pattern: printk(...)
              # scanf family
              - pattern: scanf(...)
              - pattern: __isoc99_scanf(...)
              - pattern: vscanf(...)
              - pattern: __isoc99_vscanf(...)
              - pattern: wscanf(...)
              - pattern: vwscanf(...)
              # err/warn family
              - pattern: warn(...)
              - pattern: vwarn(...)
              - pattern: warnx(...)
              - pattern: vwarnx(...)
          - pattern-not: $_("...", ...)
          - pattern-not: $_(gettext(...), ...)
          - pattern-not: $_(dgettext(...), ...)
          - pattern-not: $_(dcgettext(...), ...)
      # format string in 2nd arg
      - patterns:
          - pattern-either:
              # printf family
              - pattern: fprintf(...)
              - pattern: vfprintf(...)
              - pattern: fwprintf(...)
              - pattern: vfwprintf(...)
              - pattern: sprintf(...)
              - pattern: vsprintf(...)
              - pattern: asprintf(...)
              - pattern: vasprintf(...)
              - pattern: dprintf(...)
              - pattern: vdprintf(...)
              - pattern: wsprintf(...)
              # scanf family
              - pattern: fscanf(...)
              - pattern: __isoc99_fscanf(...)
              - pattern: vfscanf(...)
              - pattern: __isoc99_vfscanf(...)
              - pattern: fwscanf(...)
              - pattern: vfwscanf(...)
              - pattern: sscanf(...)
              - pattern: __isoc99_sscanf(...)
              - pattern: vsscanf(...)
              - pattern: __isoc99_vsscanf(...)
              - pattern: swscanf(...)
              - pattern: vswscanf(...)
              # syslog family
              - pattern: syslog(...)
              - pattern: vsyslog(...)
              # err/warn family
              - pattern: err(...)
              - pattern: verr(...)
              - pattern: errx(...)
              - pattern: verrx(...)
              - pattern: warnc(...)
              - pattern: vwarnc(...)
          - pattern-not: $_($_, "...", ...)
          - pattern-not: $_($_, gettext(...), ...)
          - pattern-not: $_($_, dgettext(...), ...)
          - pattern-not: $_($_, dcgettext(...), ...)
      # format string in 3rd arg
      - patterns:
          - pattern-either:
              # printf family
              - pattern: snprintf(...)
              - pattern: vsnprintf(...)
              - pattern: swprintf(...)
              - pattern: vswprintf(...)
              # err/warn family
              - pattern: errc(...)
              - pattern: verrc(...)
          - pattern-not: $_($_, $_, "...", ...)
          - pattern-not: $_($_, $_, gettext(...), ...)
          - pattern-not: $_($_, $_, dgettext(...), ...)
          - pattern-not: $_($_, $_, dcgettext(...), ...)
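The following C program is an added illustration of what the rule above flags and what its `pattern-not` exclusions let through; it is not part of the rule file or of the raptor repository. `render_unsafe` passes caller-supplied data as the format argument of `snprintf` (matched by the "format string in 3rd arg" branch), while `render_safe` uses a string literal as the format and passes the data as an ordinary `%s` argument, which the `pattern-not: $_($_, $_, "...", ...)` clause excludes. The function names and the sample input are constructed for this example; the input uses only a doubled `%%` so that the comparison stays within defined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample input for this example: a doubled percent sign is the
 * only conversion in it, so both calls below are well defined and the
 * difference in output shows directly whether the data was interpreted. */
#define SAMPLE_INPUT "100%% done"

/* GCC and clang report the non-literal format below under
 * -Wformat-security / -Wformat-nonliteral; that compiler warning is a
 * cheap first line of detection alongside the Semgrep rule. The pragma only
 * keeps this demonstration compiling cleanly with -Werror. */
#pragma GCC diagnostic ignored "-Wformat-security"

/* FLAGGED by raptor-format-string-bugs: the format string comes from the
 * caller. If `src` carried conversion specifiers such as %s, %x or %n, the
 * call would read (or, with %n, write) memory through arguments that were
 * never passed; CWE-134. */
int render_unsafe(char *dst, size_t dst_size, const char *src)
{
    return snprintf(dst, dst_size, src);
}

/* NOT flagged: the format is a literal and the external data is a plain
 * argument, so every '%' in `src` is copied verbatim. */
int render_safe(char *dst, size_t dst_size, const char *src)
{
    return snprintf(dst, dst_size, "%s", src);
}

/* Convenience wrappers that return the rendered text for inspection. */
const char *demo_unsafe(void)
{
    static char buf[64];
    render_unsafe(buf, sizeof buf, SAMPLE_INPUT);
    return buf;
}

const char *demo_safe(void)
{
    static char buf[64];
    render_safe(buf, sizeof buf, SAMPLE_INPUT);
    return buf;
}

int main(void)
{
    printf("unsafe: %s\n", demo_unsafe()); /* "100% done": data was interpreted */
    printf("safe:   %s\n", demo_safe());   /* "100%% done": data was copied */
    return 0;
}
```

Running the program shows the unsafe variant collapsing `%%` to `%`, which is the benign face of the same defect: every conversion in the external string is honoured, not just harmless ones. The fix is always the shape of `render_safe` (a literal format, data as an argument), and that is exactly the shape the rule's `pattern-not` clauses are written to accept.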