Integer truncation false positive

bcaller · bcaller · commit b3bb9e4c1291 · 2023-10-03T22:57:14.000+01:00
Now you can do `char oops = 3458079` if you must
diff --git a/assets/semgrep_rules/blocklist.txt b/assets/semgrep_rules/blocklist.txt
@@ -23,3 +23,4 @@ https://semgrep.dev/r/terraform.aws.security.aws-elb-access-logs-not-enabled.aws
 https://github.com/0xdea/semgrep-rules/blob/main/c/mismatched-memory-management-cpp.yaml
 https://semgrep.dev/r/javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
 https://semgrep.dev/r/yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha.third-party-action-not-pinned-to-commit-sha
+https://github.com/0xdea/semgrep-rules/blob/main/c/integer-truncation.yaml
diff --git a/assets/semgrep_rules/client/integer-truncation.c b/assets/semgrep_rules/client/integer-truncation.c
@@ -0,0 +1,51 @@
+// Marco Ivaldi <raptor@0xdeadbeef.info>
+
+#include <stdio.h>
+
+int assign_int(int int_var)
+{
+	// ruleid: integer-truncation
+	char char_var = int_var;
+	short short_var;
+
+	// ruleid: integer-truncation
+	short_var = int_var;
+}
+
+int assign_long(long long_var)
+{
+	short short_var;
+	// ruleid: integer-truncation
+	int int_var = long_var + 1;
+
+	// ruleid: integer-truncation
+	short_var = long_var;
+}
+
+int test_func()
+{
+	int intPrimitive;
+	short shortPrimitive;
+	intPrimitive = (int)(~((int)0) ^ (1 << (sizeof(int)*8-1)));
+	// ruleid: integer-truncation
+	shortPrimitive = intPrimitive;
+	printf("Int MAXINT: %d\nShort MAXINT: %d\n", intPrimitive, shortPrimitive);
+	// ok: integer-truncation
+	char c = 0x0;
+	// ok: integer-truncation
+	char cc = 127;
+	printf("Chars: %c %c\n", c, cc);
+}
+
+// ruleid: integer-truncation
+char func(void)
+{
+	int a = 42;
+	return a; 
+}
+
+int main() 
+{
+	printf("Hello, World!");
+	return 0;
+}
diff --git a/assets/semgrep_rules/client/integer-truncation.yaml b/assets/semgrep_rules/client/integer-truncation.yaml
@@ -0,0 +1,100 @@
+rules:
+- id: integer-truncation
+  metadata:
+    author: Marco Ivaldi <raptor@0xdeadbeef.info>
+    references:
+    - https://cwe.mitre.org/data/definitions/197
+    - https://cwe.mitre.org/data/definitions/681
+    - https://g.co/kgs/PCHQjJ
+    - https://github.com/struct/mms
+    - https://github.com/0xdea/semgrep-rules/blob/main/c/integer-truncation.yaml
+    confidence: MEDIUM
+    license: MIT
+    category: security
+    subcategory:
+    - audit
+    source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/client/integer-truncation.yaml
+  message: Truncation errors occur when a primitive is cast to a primitive of a  smaller
+    size and data is lost in the conversion. The value cannot be  trusted and the
+    application will be in an undefined state.
+  severity: WARNING
+  languages:
+  - c
+  - cpp
+  patterns:
+    - pattern-either:
+      - pattern: (char $NARROW) = <... (short $LARGE) ...>
+      - pattern: (char $NARROW) = <... (short int $LARGE) ...>
+      - pattern: (char $NARROW) = <... (unsigned short $LARGE) ...>
+      - pattern: (char $NARROW) = <... (unsigned short int $LARGE) ...>
+      - pattern: (char $NARROW) = <... (int $LARGE) ...>
+      - pattern: (char $NARROW) = <... (unsigned $LARGE) ...>
+      - pattern: (char $NARROW) = <... (unsigned int $LARGE) ...>
+      - pattern: (char $NARROW) = <... (long $LARGE) ...>
+      - pattern: (char $NARROW) = <... (long int $LARGE) ...>
+      - pattern: (char $NARROW) = <... (unsigned long $LARGE) ...>
+      - pattern: (char $NARROW) = <... (unsigned long int $LARGE) ...>
+      - pattern: |
+          char $FUN(...)
+          {
+          ...
+          return (short $LARGE);
+          }
+      - pattern: |
+          char $FUN(...)
+          {
+          ...
+          return (int $LARGE);
+          }
+      - pattern: |
+          char $FUN(...)
+          {
+          ...
+          return (long $LARGE);
+          }
+      - pattern: (short $NARROW) = <... (unsigned short $LARGE) ...>
+      - pattern: (short int $NARROW) = <... (unsigned short int $LARGE) ...>
+      - pattern: (short $NARROW) = <... (int $LARGE) ...>
+      - pattern: (short $NARROW) = <... (unsigned $LARGE) ...>
+      - pattern: (short int $NARROW) = <... (unsigned int $LARGE) ...>
+      - pattern: (short $NARROW) = <... (long $LARGE) ...>
+      - pattern: (short int $NARROW) = <... (long int $LARGE) ...>
+      - pattern: (short $NARROW) = <... (unsigned long $LARGE) ...>
+      - pattern: (short int $NARROW) = <... (unsigned long int $LARGE) ...>
+      - pattern: (unsigned short $NARROW) = <... (int $LARGE) ...>
+      - pattern: (unsigned short $NARROW) = <... (unsigned $LARGE) ...>
+      - pattern: (unsigned short int $NARROW) = <... (unsigned int $LARGE) ...>
+      - pattern: (unsigned short $NARROW) = <... (long $LARGE) ...>
+      - pattern: (unsigned short int $NARROW) = <... (long int $LARGE) ...>
+      - pattern: (unsigned short $NARROW) = <... (unsigned long $LARGE) ...>
+      - pattern: (unsigned short int $NARROW) = <... (unsigned long int $LARGE) ...>
+      - pattern: |
+          short $FUN(...)
+          {
+          ...
+          return (int $LARGE);
+          }
+      - pattern: |
+          short $FUN(...)
+          {
+          ...
+          return (long $LARGE);
+          }
+      - pattern: (int $NARROW) = <... (unsigned $LARGE) ...>
+      - pattern: (int $NARROW) = <... (unsigned int $LARGE) ...>
+      - pattern: (int $NARROW) = <... (long $LARGE) ...>
+      - pattern: (int $NARROW) = <... (long int $LARGE) ...>
+      - pattern: (int $NARROW) = <... (unsigned long $LARGE) ...>
+      - pattern: (int $NARROW) = <... (unsigned long int $LARGE) ...>
+      - pattern: |
+          int $FUN(...)
+          {
+          ...
+          return (long $LARGE);
+          }
+      - pattern: (long $NARROW) = <... (unsigned long $LARGE) ...>
+      - pattern: (long int $NARROW) = <... (unsigned long int $LARGE) ...>
+    # (Ben Caller) Prevent false positive with `char x = 0;` by using regex:
+    - metavariable-regex:
+        metavariable: $LARGE
+        regex: '\A[^0-9]'
