Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

implement package io5#886

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Open
MichaelRFairhurst wants to merge10 commits intomain
base:main
Choose a base branch
Loading
frommichalerfairhurst/implement-package-io5
Open
Show file tree
Hide file tree
Changes fromall commits
Commits
Show all changes
10 commits
Select commitHold shift + click to select a range
35cfb0f
Add additional CERT-C rules to rules.csv
MichaelRFairhurstMar 29, 2025
3152769
Update obligation level of new CERT-C rules
MichaelRFairhurstApr 10, 2025
64ad8fb
Add new query suites for CERT-C recommendations
MichaelRFairhurstApr 10, 2025
ad55446
Merge remote-tracking branch 'origin/main' into michaelrfairhurt/add-…
MichaelRFairhurstApr 10, 2025
8843822
Add 'recommendation' to CERT schema
MichaelRFairhurstApr 10, 2025
d39ec8d
Fix, move 'recommendation' from CERT-C++ to CERT-C in schema
MichaelRFairhurstApr 10, 2025
14bd937
Update cert-help-extraction.py to support CERT-C optional (recommenda…
MichaelRFairhurstMar 31, 2025
adb15c7
Implement package IO5, with new CERT-C recommendation and support for…
MichaelRFairhurstMar 31, 2025
aebfe0e
Improve performance of expr print in fopen mode string
MichaelRFairhurstApr 10, 2025
0cd373c
Format codeql files
MichaelRFairhurstApr 10, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletionsc/cert/src/codeql-suites/cert-c-default.qls
View file
Open in desktop
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,10 @@
- description: CERT C 2016 (Default)
- qlpack: codeql/cert-c-coding-standards
- include:
kind:
- problem
- path-problem
- external/cert/obligation/rule
- exclude:
tags contain:
- external/cert/default-disabled
10 changes: 10 additions & 0 deletionsc/cert/src/codeql-suites/cert-c-recommendation.qls
View file
Open in desktop
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,10 @@
- description: CERT C 2016 (Recommendations)
- qlpack: codeql/cert-c-coding-standards
- include:
kind:
- problem
- path-problem
- external/cert/obligation/recommendation
- exclude:
tags contain:
- external/cert/default-disabled
11 changes: 2 additions & 9 deletionsc/cert/src/codeql-suites/cert-default.qls
View file
Open in desktop
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,2 @@
- description: CERT C 2016 (Default)
- qlpack: codeql/cert-c-coding-standards
- include:
kind:
- problem
- path-problem
- exclude:
tags contain:
- external/cert/default-disabled
- description: "DEPRECATED - CERT C 2016 - use cert-c-default.qls instead"
- import: codeql-suites/cert-c-default.qls
1 change: 1 addition & 0 deletionsc/cert/src/qlpack.yml
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -3,6 +3,7 @@ version: 2.44.0-dev
description: CERT C 2016
suites: codeql-suites
license: MIT
default-suite-file: codeql-suites/cert-c-default.qls
dependencies:
codeql/common-c-coding-standards: '*'
codeql/cpp-all: 2.1.1
166 changes: 166 additions & 0 deletionsc/cert/src/rules/FIO03-C/FopenWithNonExclusiveFileCreationMode.md
View file
Open in desktop
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,166 @@
# FIO03-C: Do not make assumptions about fopen() and file creation

This query implements the CERT-C rule FIO03-C:

> Do not make assumptions about fopen() and file creation


## Description

The C `fopen()` function is used to open an existing file or create a new one. The C11 version of the `fopen()` and `fopen_s()` functions provides a mode flag, `x`, that provides the mechanism needed to determine if the file that is to be opened exists. Not using this mode flag can lead to a program overwriting or accessing an unintended file.

## Noncompliant Code Example (fopen())

In this noncompliant code example, the file referenced by `file_name` is opened for writing. This example is noncompliant if the programmer's intent was to create a new file, but the referenced file already exists.

```cpp
char *file_name;
FILE *fp;

/* Initialize file_name */

fp = fopen(file_name, "w");
if (!fp) {
/* Handle error */
}

```

## Noncompliant Code Example (fopen_s(), C11 Annex K)

The C11 Annex K `fopen_s()` function is designed to improve the security of the `fopen()` function. Like the `fopen()` function, `fopen_s()` provides a mechanism to determine whether the file exists. See below for use of the exclusive mode flag.

```cpp
char *file_name;
FILE *fp;

/* Initialize file_name */
errno_t res = fopen_s(&fp, file_name, "w");
if (res != 0) {
/* Handle error */
}

```

## Compliant Solution (fopen_s(), C11 Annex K)

The C Standard provides a new flag to address this problem. Subclause 7.21.5.3, paragraph 5 \[[ISO/IEC 9899:2011](https://www.securecoding.cert.org/confluence/display/seccode/AA.+Bibliography#AABibliography-ISOIEC9899-2011)\], states:

> Opening a file with exclusive mode ('x' as the last character in the mode argument) fails if the file already exists or cannot be created. Otherwise, the file is created with exclusive (also known as non-shared) access to the extent that the underlying system supports exclusive access.


This option is also provided by the GNU C library \[[Loosemore 2007](https://wiki.sei.cmu.edu/confluence/display/c/AA.+Bibliography#AA.Bibliography-Loosemore07)\].

This compliant solution uses the `x` mode character to instruct `fopen_s()` to fail rather than open an existing file:

```cpp
char *file_name;

/* Initialize file_name */
FILE *fp;
errno_t res = fopen_s(&fp, file_name, "wx");
if (res != 0) {
/* Handle error */
}

```
Use of this option allows for the easy remediation of legacy code. However, note that Microsoft Visual Studio 2012 and earlier do not support the `x` mode character \[[MSDN](http://msdn.microsoft.com/en-us/library/z5hh6ee9(v=vs.110).aspx)\].

## Compliant Solution (open(), POSIX)

The `open()` function, as defined in the *Standard for Information Technology—Portable Operating System Interface (POSIX®), Base Specifications, Issue 7* \[[IEEE Std 1003.1:2013](https://wiki.sei.cmu.edu/confluence/display/c/AA.+Bibliography#AA.Bibliography-IEEEStd1003.1-2013)\], is available on many platforms and provides finer control than `fopen()`. In particular, `open()` accepts the `O_CREAT` and `O_EXCL` flags. When used together, these flags instruct the `open()` function to fail if the file specified by `file_name` already exists.

```cpp
char *file_name;
int new_file_mode;

/* Initialize file_name and new_file_mode */

int fd = open(file_name, O_CREAT | O_EXCL | O_WRONLY, new_file_mode);
if (fd == -1) {
/* Handle error */
}

```
Care should be taken when using `O_EXCL` with remote file systems because it does not work with NFS version 2. NFS version 3 added support for `O_EXCL` mode in `open()`. IETF RFC 1813 \[[Callaghan 1995](https://wiki.sei.cmu.edu/confluence/display/c/AA.+Bibliography#AA.Bibliography-Callaghan95)\] defines the `EXCLUSIVE` value to the `mode` argument of `CREATE`:

> `EXCLUSIVE` specifies that the server is to follow exclusive creation semantics, using the verifier to ensure exclusive creation of the target. No attributes may be provided in this case, since the server may use the target file metadata to store the createverf3 verifier.


For examples of how to check for the existence of a file without opening it, see recommendation [FIO10-C. Take care when using the rename() function](https://wiki.sei.cmu.edu/confluence/display/c/FIO10-C.+Take+care+when+using+the+rename%28%29+function).

## Compliant Solution (fdopen(), POSIX)

For code that operates on `FILE` pointers and not file descriptors, the POSIX `fdopen()` function can be used to associate an open stream with the file descriptor returned by `open()`, as shown in this compliant solution \[[IEEE Std 1003.1:2013](https://wiki.sei.cmu.edu/confluence/display/c/AA.+Bibliography#AA.Bibliography-IEEEStd1003.1-2013)\]:

```cpp
char *file_name;
int new_file_mode;
FILE *fp;
int fd;

/* Initialize file_name and new_file_mode */

fd = open(file_name, O_CREAT | O_EXCL | O_WRONLY, new_file_mode);
if (fd == -1) {
/* Handle error */
}

fp = fdopen(fd, "w");
if (fp == NULL) {
/* Handle error */
}

```

## Compliant Solution (Windows)

The Win32 API `[CreateFile()](http://msdn.microsoft.com/en-us/library/windows/desktop/aa363858(v=vs.85).aspx)` allows a programmer to create or open a file depending on the flags passed in. Passing in the `CREATE_NEW` flag ensures the call fails if the file already exists. This compliant solution demonstrates how to open a file for reading and writing without sharing access to the file such that the call fails if the file already exists.

```cpp
TCHAR *file_name;
HANDLE hFile = CreateFile(file_name, GENERIC_READ | GENERIC_WRITE, 0, 0,
CREATE_NEW, FILE_ATTRIBUTE_NORMAL, 0);
if (INVALID_HANDLE_VALUE == hFile) {
DWORD err = GetLastError();
if (ERROR_FILE_EXISTS == err) {
/* Handle file exists error */
} else {
/* Handle other error */
}
}
```

## Risk Assessment

The ability to determine whether an existing file has been opened or a new file has been created provides greater assurance that a file other than the intended file is not acted upon.

<table> <tbody> <tr> <th> Recommendation </th> <th> Severity </th> <th> Likelihood </th> <th> Remediation Cost </th> <th> Priority </th> <th> Level </th> </tr> <tr> <td> FIO03-C </td> <td> Medium </td> <td> Probable </td> <td> High </td> <td> <strong>P4</strong> </td> <td> <strong>L3</strong> </td> </tr> </tbody> </table>


## Automated Detection

<table> <tbody> <tr> <th> Tool </th> <th> Version </th> <th> Checker </th> <th> Description </th> </tr> <tr> <td> <a> Coverity </a> </td> <td> 6.5 </td> <td> <strong>OPEN_ARGS</strong> </td> <td> Fully implemented </td> </tr> <tr> <td> <a> Helix QAC </a> </td> <td> 2024.4 </td> <td> <strong>C5012</strong> </td> <td> </td> </tr> <tr> <td> <a> LDRA tool suite </a> </td> <td> 9.7.1 </td> <td> <strong>44 S</strong> </td> <td> Enhanced Enforcement </td> </tr> <tr> <td> <a> Polyspace Bug Finder </a> </td> <td> R2024b </td> <td> <a> CERT C: Rec. FIO03-C </a> </td> <td> Checks for file not opened in exclusive mode </td> </tr> </tbody> </table>


## Related Vulnerabilities

Search for [vulnerabilities](https://wiki.sei.cmu.edu/confluence/display/c/BB.+Definitions#BB.Definitions-vulnerability) resulting from the violation of this rule on the [CERT website](https://www.kb.cert.org/vulnotes/bymetric?searchview&query=FIELD+KEYWORDS+contains+FIO03-C).

**Related Guidelines**

<table> <tbody> <tr> <td> <a> SEI CERT C++ Coding Standard </a> </td> <td> <a> VOID FIO03-CPP. Do not make assumptions about fopen() and file creation </a> </td> </tr> <tr> <td> <a> ISO/IEC TR 24731-1:2007 </a> </td> <td> Section 6.5.2.1, "The <code>fopen_s</code> Function" </td> </tr> </tbody> </table>


## Bibliography

<table> <tbody> <tr> <td> \[ <a> Callaghan 1995 </a> \] </td> <td> <a> IETF RFC 1813 NFS Version 3 Protocol Specification </a> </td> </tr> <tr> <td> \[ <a> IEEE Std 1003.1:2013 </a> \] </td> <td> System Interfaces: <code>open</code> </td> </tr> <tr> <td> \[ <a> ISO/IEC 9899:2011 </a> \] </td> <td> Subclause 7.21.5.3, "The <code>fopen</code> Function" Subclause K.3.5.2.1, "The <code>fopen_s</code> Function" </td> </tr> <tr> <td> \[ <a> Loosemore 2007 </a> \] </td> <td> <a> Section 12.3, "Opening Streams" </a> </td> </tr> <tr> <td> \[ <a> Seacord 2013 </a> \] </td> <td> Chapter 8, "File I/O" </td> </tr> </tbody> </table>


## Implementation notes

None

## References

* CERT-C: [FIO03-C: Do not make assumptions about fopen() and file creation](https://wiki.sei.cmu.edu/confluence/display/c)
View file
Open in desktop
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,37 @@
/**
* @id c/cert/fopen-with-non-exclusive-file-creation-mode
* @name FIO03-C: Do not make assumptions about fopen() and file creation
* @description Usage of fopen() without the proper exclusion mode can lead to a program overwriting
* over accessing an unintended file.
* @kind problem
* @precision high
* @problem.severity error
* @tags external/cert/id/fio03-c
* correctness
* security
* external/cert/obligation/recommendation
*/

import cpp
import codingstandards.c.cert
import codingstandards.cpp.alertreporting.PrintExpr
import codingstandards.cpp.standardlibrary.FileAccess

class PrettyPrintExpr extends Expr {
PrettyPrintExpr() {
exists(FOpenCall fopen | this.getParent*() = fopen.getMode()) and
(
this instanceof BinaryOperation
or
this instanceof Literal
)
}
}

from FOpenCall fopen, string modeStr
where
not isExcluded(fopen, IO5Package::fopenWithNonExclusiveFileCreationModeQuery()) and
fopen.mayCreate() and
not fopen.isExclusiveMode() and
modeStr = PrintExpr<PrettyPrintExpr>::print(fopen.getMode())
select fopen, "Call to create file with non-exclusive creation mode '" + modeStr + "'."
Loading
Loading
[8]ページ先頭
©2009-2025 Movatter.jp