Merge pull request #6949 from ihsinme/ihsinme-patch-073

CPP: Add query for CWE-266 Incorrect Privilege Assignment
2026-04-22 07:15:15 +02:00 · 2022-01-04 11:37:17 +00:00
parent a2c1995b9b 0f0bd34958
commit 344e380fa3
6 changed files with 178 additions and 0 deletions
--- a/cpp/ql/src/experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.cpp
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.cpp
@@ -0,0 +1,16 @@
+...
+  umask(0); // BAD
+...
+  maskOut = S_IRWXG | S_IRWXO;
+  umask(maskOut); // GOOD
+  ...
+  fchmod(fileno(fp), 0555 - maskOut); // BAD 
+  ...
+  fchmod(fileno(fp), 0555 & ~maskOut); // GOOD
+...
+  umask(0666);
+  chmod(pathname, 0666); // BAD
+...
+  umask(0022);
+  chmod(pathname, 0666); // GOOD
+...
--- a/cpp/ql/src/experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.qhelp
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.qhelp
@@ -0,0 +1,23 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Finding  for function calls that set file permissions that may have errors in use. Incorrect arithmetic for calculating the resolution mask, using the same mask in opposite functions, using a mask that is too wide.</p>
+
+</overview>
+
+<example>
+<p>The following example demonstrates erroneous and fixed ways to use functions.</p>
+<sample src="IncorrectPrivilegeAssignment.cpp" />
+
+</example>
+<references>
+
+<li>
+  CERT C Coding Standard:
+  <a href="https://wiki.sei.cmu.edu/confluence/display/c/FIO06-C.+Create+files+with+appropriate+access+permissions">FIO06-C. Create files with appropriate access permissions</a>.
+</li>
+
+</references>
+</qhelp>
--- a/cpp/ql/src/experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql
@@ -0,0 +1,87 @@
+/**
+ * @name Find the wrong use of the umask function.
+ * @description Incorrectly evaluated argument to the umask function may have security implications.
+ * @kind problem
+ * @id cpp/wrong-use-of-the-umask
+ * @problem.severity warning
+ * @precision medium
+ * @tags correctness
+ *       maintainability
+ *       security
+ *       external/cwe/cwe-266
+ *       external/cwe/cwe-264
+ *       external/cwe/cwe-200
+ *       external/cwe/cwe-560
+ *       external/cwe/cwe-687
+ */
+
+import cpp
+import semmle.code.cpp.exprs.BitwiseOperation
+import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+
+/**
+ * An expression that is either a `BinaryArithmeticOperation` or the result of one or more `BinaryBitwiseOperation`s on a `BinaryArithmeticOperation`. For example `1 | (2 + 3)`.
+ */
+class ContainsArithmetic extends Expr {
+  ContainsArithmetic() {
+    this instanceof BinaryArithmeticOperation
+    or
+    // recursive search into `Operation`s
+    this.(BinaryBitwiseOperation).getAnOperand() instanceof ContainsArithmetic
+  }
+}
+
+/** Holds for a function `f` that has an argument at index `apos` used to set file permissions. */
+predicate numberArgumentModFunctions(Function f, int apos) {
+  f.hasGlobalOrStdName("umask") and apos = 0
+  or
+  f.hasGlobalOrStdName("fchmod") and apos = 1
+  or
+  f.hasGlobalOrStdName("chmod") and apos = 1
+}
+
+from FunctionCall fc, string msg, FunctionCall fcsnd
+where
+  fc.getTarget().hasGlobalOrStdName("umask") and
+  fc.getArgument(0).getValue() = "0" and
+  not exists(FunctionCall fctmp |
+    fctmp.getTarget().hasGlobalOrStdName("umask") and
+    not fctmp.getArgument(0).getValue() = "0"
+  ) and
+  exists(FunctionCall fctmp |
+    (
+      fctmp.getTarget().hasGlobalOrStdName("fopen") or
+      fctmp.getTarget().hasGlobalOrStdName("open")
+    ) and
+    not fctmp.getArgument(1).getValue().matches("r%") and
+    fctmp.getNumberOfArguments() = 2 and
+    not fctmp.getArgument(0).getValue() = "/dev/null" and
+    fcsnd = fctmp
+  ) and
+  not exists(FunctionCall fctmp |
+    fctmp.getTarget().hasGlobalOrStdName("chmod") or
+    fctmp.getTarget().hasGlobalOrStdName("fchmod")
+  ) and
+  msg = "Using umask(0) may not be safe with call $@."
+  or
+  fc.getTarget().hasGlobalOrStdName("umask") and
+  exists(FunctionCall fctmp |
+    (
+      fctmp.getTarget().hasGlobalOrStdName("chmod") or
+      fctmp.getTarget().hasGlobalOrStdName("fchmod")
+    ) and
+    (
+      globalValueNumber(fc.getArgument(0)) = globalValueNumber(fctmp.getArgument(1)) and
+      fc.getArgument(0).getValue() != "0"
+    ) and
+    msg = "Not use equal argument in umask and $@ functions." and
+    fcsnd = fctmp
+  )
+  or
+  exists(ContainsArithmetic exptmp, int i |
+    numberArgumentModFunctions(fc.getTarget(), i) and
+    globalValueNumber(exptmp) = globalValueNumber(fc.getArgument(i)) and
+    msg = "Using arithmetic to compute the mask in $@ may not be safe." and
+    fcsnd = fc
+  )
+select fc, msg, fcsnd, fcsnd.getTarget().getName()