This is an archive of the discontinued LLVM Phabricator instance.

Differential D17447

Add check for CERT ENV33-C
ClosedPublic

Authored by aaron.ballman on Feb 19 2016, 7:33 AM.

Details

Reviewers
alexfh
sbenza
Summary

This patch adds a check for the CERT secure coding rule: ENV33-C. Do not call system(). It flags any call expression that calls a system command processor (system(), popen(), _popen()).

https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=2130132

Diff Detail

Event Timeline

aaron.ballman updated this revision to Diff 48492.Feb 19 2016, 7:33 AM
aaron.ballman retitled this revision from to Add check for CERT ENV33-C.
aaron.ballman updated this object.
aaron.ballman added reviewers: alexfh, sbenza.
aaron.ballman added a subscriber: cfe-commits.
sbenza added inline comments.Feb 19 2016, 7:57 AM
clang-tidy/cert/CommandProcessorCheck.cpp
23

Should we check that it is calling ::system and not any function called system?

clang-tidy/cert/CommandProcessorCheck.h
20

typo: is can

aaron.ballman updated this revision to Diff 48499.Feb 19 2016, 8:18 AM
aaron.ballman marked an inline comment as done.
aaron.ballman added inline comments.
clang-tidy/cert/CommandProcessorCheck.cpp
23

Hmm, that's not a bad idea. Same for popen and _popen().

clang-tidy/cert/CommandProcessorCheck.h
20

Good catch.

sbenza added inline comments.Feb 19 2016, 12:00 PM
clang-tidy/cert/CommandProcessorCheck.cpp
37

You could move this into the matcher.
It could use the brand new nullPointerConstant()

unless(callExpr(callee(functionDecl(hasName("::system"))),
       argumentCountIs(1), hasArgument(0, nullPointerConstant())))

Seems simpler.

aaron.ballman updated this revision to Diff 48674.Feb 22 2016, 7:16 AM

Updated based on review feedback.

aaron.ballman marked 4 inline comments as done.Feb 22 2016, 7:17 AM
sbenza accepted this revision.Feb 22 2016, 7:40 AM
sbenza edited edge metadata.
This revision is now accepted and ready to land.Feb 22 2016, 7:40 AM
aaron.ballman closed this revision.Feb 22 2016, 8:06 AM

Thanks! I've commit in r261530.

Revision Contents

PathSize
clang-tidy/
cert/
CERTTidyModule.cpp
CERTTidyModule.cpp (revision 261521)
4 lines
CMakeLists.txt
CMakeLists.txt (revision 261521)
1 line
CommandProcessorCheck.h
CommandProcessorCheck.h (nonexistent)
38 lines
CommandProcessorCheck.cpp
CommandProcessorCheck.cpp (nonexistent)
45 lines
docs/
clang-tidy/
checks/
cert-env33-c.rst
cert-env33-c.rst (nonexistent)
13 lines
list.rst
list.rst (revision 261521)
1 line
test/
clang-tidy/
cert-env33-c.c
cert-env33-c.c (nonexistent)
20 lines

Diff 48674

clang-tidy/cert/CERTTidyModule.cpp

Context not available.
#include "../misc/NonCopyableObjects.h" #include "../misc/NonCopyableObjects.h"
#include "../misc/StaticAssertCheck.h" #include "../misc/StaticAssertCheck.h"
#include "../misc/ThrowByValueCatchByReferenceCheck.h" #include "../misc/ThrowByValueCatchByReferenceCheck.h"
#include "CommandProcessorCheck.h"
#include "FloatLoopCounter.h" #include "FloatLoopCounter.h"
#include "SetLongJmpCheck.h" #include "SetLongJmpCheck.h"
#include "StaticObjectExceptionCheck.h" #include "StaticObjectExceptionCheck.h"
Context not available.
// DCL // DCL
CheckFactories.registerCheck<StaticAssertCheck>( CheckFactories.registerCheck<StaticAssertCheck>(
"cert-dcl03-c"); "cert-dcl03-c");
// ENV
CheckFactories.registerCheck<CommandProcessorCheck>(
"cert-env33-c");
// FLP // FLP
CheckFactories.registerCheck<FloatLoopCounter>( CheckFactories.registerCheck<FloatLoopCounter>(
"cert-flp30-c"); "cert-flp30-c");
Context not available.

clang-tidy/cert/CMakeLists.txt

Context not available.
add_clang_library(clangTidyCERTModule add_clang_library(clangTidyCERTModule
CERTTidyModule.cpp CERTTidyModule.cpp
CommandProcessorCheck.cpp
FloatLoopCounter.cpp FloatLoopCounter.cpp
SetLongJmpCheck.cpp SetLongJmpCheck.cpp
StaticObjectExceptionCheck.cpp StaticObjectExceptionCheck.cpp
Context not available.

clang-tidy/cert/CommandProcessorCheck.h

//===--- CommandInterpreterCheck.h - clang-tidy------------------*- C++ -*-===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_CERT_COMMAND_PROCESSOR_CHECK_H
#define LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_CERT_COMMAND_PROCESSOR_CHECK_H
#include "../ClangTidy.h"
namespace clang {
namespace tidy {
namespace cert {
/// Execution of a command processor can lead to security vulnerabilities,
/// and is generally not required. Instead, prefer to launch executables
sbenzaUnsubmitted
Done
ReplyInline Actions

typo: is can

sbenza: typo: is can
aaron.ballmanAuthorUnsubmitted
Done
ReplyInline Actions

Good catch.

aaron.ballman: Good catch.
/// directly via mechanisms that give you more control over what executable is
/// actually launched.
///
/// For the user-facing documentation see:
/// http://clang.llvm.org/extra/clang-tidy/checks/cert-env33-c.html
class CommandProcessorCheck : public ClangTidyCheck {
public:
CommandProcessorCheck(StringRef Name, ClangTidyContext *Context)
: ClangTidyCheck(Name, Context) {}
void registerMatchers(ast_matchers::MatchFinder *Finder) override;
void check(const ast_matchers::MatchFinder::MatchResult &Result) override;
};
} // namespace cert
} // namespace tidy
} // namespace clang
#endif // LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_CERT_COMMAND_PROCESSOR_CHECK_H

clang-tidy/cert/CommandProcessorCheck.cpp

//===--- Env33CCheck.cpp - clang-tidy--------------------------------------===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
#include "CommandProcessorCheck.h"
#include "clang/AST/ASTContext.h"
#include "clang/ASTMatchers/ASTMatchFinder.h"
using namespace clang::ast_matchers;
namespace clang {
namespace tidy {
namespace cert {
void CommandProcessorCheck::registerMatchers(MatchFinder *Finder) {
Finder->addMatcher(
callExpr(
callee(functionDecl(anyOf(hasName("::system"), hasName("::popen"),
sbenzaUnsubmitted
Done
ReplyInline Actions

Should we check that it is calling ::system and not any function called system?

sbenza: Should we check that it is calling ::system and not any function called system?
aaron.ballmanAuthorUnsubmitted
Done
ReplyInline Actions

Hmm, that's not a bad idea. Same for popen and _popen().

aaron.ballman: Hmm, that's not a bad idea. Same for `popen` and `_popen()`.
hasName("::_popen")))
.bind("func")),
// Do not diagnose when the call expression passes a null pointer
// constant to system(); that only checks for the presence of a
// command processor, which is not a security risk by itself.
unless(callExpr(callee(functionDecl(hasName("::system"))),
argumentCountIs(1),
hasArgument(0, nullPointerConstant()))))
.bind("expr"),
this);
}
void CommandProcessorCheck::check(const MatchFinder::MatchResult &Result) {
const auto *Fn = Result.Nodes.getNodeAs<FunctionDecl>("func");
sbenzaUnsubmitted
Done
ReplyInline Actions

You could move this into the matcher.
It could use the brand new nullPointerConstant()

unless(callExpr(callee(functionDecl(hasName("::system"))),
       argumentCountIs(1), hasArgument(0, nullPointerConstant())))

Seems simpler.

sbenza: You could move this into the matcher. It could use the brand new nullPointerConstant()…
const auto *E = Result.Nodes.getNodeAs<CallExpr>("expr");
diag(E->getExprLoc(), "calling %0 uses a command processor") << Fn;
}
} // namespace cert
} // namespace tidy
} // namespace clang

docs/clang-tidy/checks/cert-env33-c.rst

.. title:: clang-tidy - cert-env33-c
cert-env33-c
============
This check flags calls to ``system()``, ``popen()``, and ``_popen()``, which
execute a command processor. It does not flag calls to ``system()`` with a null
pointer argument, as such a call checks for the presence of a command processor
but does not actually attempt to execute a command.
This check corresponds to the CERT C Coding Standard rule
`ENV33-C. Do not call system()
<https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=2130132>`_.

docs/clang-tidy/checks/list.rst

Context not available.
cert-dcl50-cpp cert-dcl50-cpp
cert-dcl54-cpp (redirects to misc-new-delete-overloads) <cert-dcl54-cpp> cert-dcl54-cpp (redirects to misc-new-delete-overloads) <cert-dcl54-cpp>
cert-dcl59-cpp (redirects to google-build-namespaces) <cert-dcl59-cpp> cert-dcl59-cpp (redirects to google-build-namespaces) <cert-dcl59-cpp>
cert-env33-c
cert-err52-cpp cert-err52-cpp
cert-err58-cpp cert-err58-cpp
cert-err60-cpp cert-err60-cpp
Context not available.

test/clang-tidy/cert-env33-c.c

// RUN: %check_clang_tidy %s cert-env33-c %t
typedef struct FILE {} FILE;
extern int system(const char *);
extern FILE *popen(const char *, const char *);
extern FILE *_popen(const char *, const char *);
void f(void) {
// It is permissible to check for the presence of a command processor.
system(0);
system("test");
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: calling 'system' uses a command processor [cert-env33-c]
popen("test", "test");
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: calling 'popen' uses a command processor
_popen("test", "test");
// CHECK-MESSAGES: :[[@LINE-1]]:3: warning: calling '_popen' uses a command processor
}