Add security static analysis rules for C, Java, and Swift #129

Merged
131 changes: 131 additions & 0 deletions rules/c/security/sizeof-this-c.yml
@@ -0,0 +1,131 @@
id: sizeof-this-c
language: c
severity: warning
message: >-
Do not use `sizeof(this)` to get the number of bytes of the object in
memory. It returns the size of the pointer, not the size of the object.
note: >-
[CWE-467]: Use of sizeof() on a Pointer Type
[REFERENCES]
- https://wiki.sei.cmu.edu/confluence/display/c/ARR01-C.+Do+not+apply+the+sizeof+operator+to+a+pointer+when+taking+the+size+of+an+array

rule:
not:
has:
stopBy: end
any:
- kind: ERROR
- kind: pointer_expression
- kind: sizeof_expression
- kind: expression_statement
any:
- kind: macro_type_specifier
all:
- has:
stopBy: end
kind: identifier
nthChild: 1
regex: ^sizeof$
- has:
stopBy: end
kind: type_descriptor
nthChild: 2
not:
has:
nthChild: 2
has:
kind: type_identifier
pattern: $THIS
- not:
has:
kind: function_declarator
nthChild: 1

- kind: function_declarator
all:
- has:
stopBy: end
kind: field_identifier
regex: ^sizeof$
nthChild: 1
- has:
stopBy: end
kind: parameter_list
nthChild: 2
not:
has:
nthChild: 2
has:
kind: parameter_declaration
pattern: $THIS
- not:
has:
kind: function_declarator
nthChild: 1
# - not:
# inside:
# has:
# nthChild: 1

- kind: parameter_declaration
all:
- has:
kind: type_identifier
nthChild: 1
regex: ^sizeof$
- any:
- has:
kind: abstract_function_declarator
has:
kind: parameter_list
not:
has:
nthChild: 2
has:
kind: parameter_declaration
pattern: $THIS
- has:
kind: abstract_parenthesized_declarator
not:
has:
stopBy: end
nthChild: 2
has:
stopBy: end
kind: parameter_list
has:
kind: parameter_declaration
pattern: $THIS

- kind: sizeof_expression
not:
has:
any:
- nthChild: 2
- kind: parameter_declaration
has:
stopBy: end
kind: identifier
pattern: $THIS

- kind: type_descriptor
all:
- has:
kind: type_identifier
regex: ^sizeof$
- has:
stopBy: end
kind: abstract_function_declarator
has:
kind: parameter_list
not:
has:
stopBy: end
nthChild: 2
has:
kind: parameter_declaration
pattern: $THIS

constraints:
THIS:
regex: ^this$
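Review bot: the commented-out `# - not:` / `# inside:` / `# has:` / `# nthChild: 1` fragment inside the `function_declarator` branch is dead configuration in a shipped rule; either delete it or replace it with a one-line comment saying why the `inside` check was abandoned, so the next maintainer does not try to finish it. Separately, the `message` presents `sizeof(this)` as though `this` had meaning in C; in this file `this` is an ordinary identifier reached only through the `THIS: regex: ^this$` constraint, so the text should say the rule flags `sizeof` applied to a pointer variable named `this` and point at the CWE-467 reference already in `note` for the general pointer case.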
47 changes: 47 additions & 0 deletions rules/swift/security/insecure-biometrics-swift.yml
@@ -0,0 +1,47 @@
id: insecure-biometrics-swift
language: swift
severity: info
message: >-
The application was observed to leverage biometrics via Local
Authentication, which returns a simple boolean result for authentication.
This design is subject to bypass with runtime tampering tools such as
Frida, Substrate, and others. Although this is limited to rooted
(jailbroken) devices, consider implementing biometric authentication the
reliable way - via Keychain Services.
note: >-
[CWE-305] Authentication Bypass by Primary Weakness
[REFERENCES]
- https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication
- https://shirazkhan030.medium.com/biometric-authentication-in-ios-6c53c54f17df

rule:
any:
- kind: navigation_expression
pattern: $X.evaluatePolicy
not:
has:
stopBy: end
kind: tuple_expression
has:
nthChild: 2

- kind: navigation_expression
has:
kind: navigation_suffix
regex: \.evaluatePolicy$
nthChild:
position: 1
reverse: true
not:
has:
stopBy: end
kind: tuple_expression
has:
nthChild: 2

- pattern: '.evaluatePolicy'

not:
has:
stopBy: end
kind: ERROR
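Review bot: the third alternative, `- pattern: '.evaluatePolicy'`, carries none of the `not: has: kind: tuple_expression` exclusions that the two `navigation_expression` branches have, and because the branches are joined with `any`, it fires on every `.evaluatePolicy` occurrence and turns those exclusions into dead logic; either add the same `not` clause to the third branch or drop it and let the two `navigation_expression` branches carry the match. A smaller point: the `note` cites a Medium post as a reference for a security rule; the MASTG link already there is a primary source, so prefer it (or Apple's Keychain Services documentation) and drop the blog link so the reference list stays durable.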
8 changes: 8 additions & 0 deletions tests/__snapshots__/insecure-biometrics-swift-snapshot.yml
@@ -0,0 +1,8 @@
id: insecure-biometrics-swift
snapshots:
abc.evaluatePolicy():
labels:
- source: abc.evaluatePolicy
style: primary
start: 0
end: 18
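Review bot: the only recorded match is the zero-argument call `abc.evaluatePolicy()`, so nothing in the suite exercises the `tuple_expression` / `nthChild: 2` exclusion written into the rule; once the Swift test file gains an invalid case in the real `evaluatePolicy(_:localizedReason:reply:)` shape, regenerate this snapshot so the recorded labels cover both forms and pin down what the exclusion is meant to do.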
2 changes: 2 additions & 0 deletions tests/__snapshots__/sizeof-this-c-snapshot.yml
@@ -0,0 +1,2 @@
id: sizeof-this-c
snapshots: {}
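Review bot: `snapshots: {}` is inconsistent with `tests/c/sizeof-this-c-test.yml` in this same PR, which declares an `invalid` case containing `return sizeof(this);`; ast-grep records one snapshot per matched invalid case, so an empty map means either the rule never matched that input or the snapshot was not regenerated. After the C test case is fixed, run `ast-grep test --update-all` and commit the populated snapshot, as the cpp snapshot in this PR already shows.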
13 changes: 12 additions & 1 deletion tests/__snapshots__/sizeof-this-cpp-snapshot.yml
@@ -1,2 +1,13 @@
id: sizeof-this-cpp
snapshots: {}
snapshots:
? |
return sizeof(this);
: labels:
- source: sizeof(this)
style: primary
start: 7
end: 19
- source: this
style: secondary
start: 14
end: 18
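Review bot: this snapshot for the pre-existing cpp rule goes from `snapshots: {}` to a recorded match, yet the PR touches no cpp rule or cpp test file; the description should state what caused the change (most likely the snapshot had simply never been generated), because otherwise a reviewer cannot tell a regenerated snapshot from a behaviour change in `sizeof-this-cpp`. The recorded offsets themselves check out: in `return sizeof(this);`, `sizeof(this)` spans 7..19 and `this` spans 14..18.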
12 changes: 12 additions & 0 deletions tests/c/sizeof-this-c-test.yml
@@ -0,0 +1,12 @@
id: sizeof-this-c
valid:
- |
sizeof(*this);
invalid:
- |
struct Foo {
uint64_t a;
uint8_t b;
size_t get_size() const {
return sizeof(this);
}
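Review bot: the `invalid` case is not C: `size_t get_size() const { ... }` is a member function inside `struct Foo`, and the struct is never closed with `};` (the hunk ends at the function's `}`), so tree-sitter's C grammar will produce ERROR nodes and the rule's top-level `not: has: kind: ERROR` guard can suppress the match, which is consistent with the empty `sizeof-this-c-snapshot.yml`. Replace it with a C-shaped case such as `struct Foo *this = get_foo();` followed by `size_t n = sizeof(this);`, and add a second `valid` case like `sizeof(struct Foo)` so the rule is also checked against the correct alternative rather than only against `sizeof(*this)`.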
7 changes: 7 additions & 0 deletions tests/swift/insecure-biometrics-swift-test.yml
@@ -0,0 +1,7 @@
id: insecure-biometrics-swift
valid:
- |
abc.anyFunc()
invalid:
- |
abc.evaluatePolicy()
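Review bot: `abc.evaluatePolicy()` is not a call shape `LAContext` accepts; the API is `evaluatePolicy(_:localizedReason:reply:)`, so the only invalid case never resembles code the rule will meet, and the `valid` case `abc.anyFunc()` says nothing about the rule's exclusions. Add an invalid case in the real form, e.g. `context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, localizedReason: "Unlock") { success, error in ... }`, so the snapshot records whether the rule fires on production-shaped code, and a valid case that is a genuine non-match for the design the message recommends (a `SecItemCopyMatching` query carrying `kSecUseAuthenticationContext`), so a passing suite demonstrates that the rule separates the two approaches.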