/**
* @id c/cert/toctou-race-conditions-while-accessing-files
* @name FIO45-C: Avoid TOCTOU race conditions while accessing files
 * @description Opening a file read-only to check that it exists and then reopening it in a writable mode leaves a TOCTOU race window in which an attacker can replace or overwrite the file.
* @kind problem
* @precision high
* @problem.severity error
* @tags external/cert/id/fio45-c
* correctness
* security
* external/cert/obligation/rule
*/
import cpp
import codingstandards.c.cert
import codingstandards.cpp.standardlibrary.FileAccess
import codingstandards.cpp.ReadErrorsAndEOF
import semmle.code.cpp.dataflow.DataFlow
import semmle.code.cpp.valuenumbering.GlobalValueNumbering
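/**
 * A read-only `fopen`-family call whose returned `FILE*` is never actually read:
 * every local use of the handle is either a close call or an equality comparison
 * with `NULL`. Such a call is an existence check, i.e. the "check" half of a
 * check-then-open TOCTOU pattern.
 *
 * NOTE(review): an implicit test such as `if (f)` / `if (!f)` is not recognised as
 * a NULL check by `isNullComparison`, so an existence check written that way is
 * not classified as empty (conservative: fewer results, no extra false positives).
 */
class EmptyFOpenCall extends FOpenCall {
  EmptyFOpenCall() {
    this.isReadOnlyMode() and
    // The handle may only flow into a close call or a NULL comparison. This is
    // phrased as "there is no use that is neither". The previous version asserted
    // the NULL comparison positively (`... and exists(EQExpr ...)`), which inverted
    // the condition: a handle passed to fread() still counted as "empty", while a
    // handle guarded by `f == NULL` did not.
    not exists(Expr use |
      // localExprFlow is reflexive; the call expression itself is not a use
      use != this and
      DataFlow::localExprFlow(this, use) and
      not closed(use) and
      not isNullComparison(use)
    )
  }
}

/** Holds if `e` is directly compared with the `NULL` macro using `==` or `!=`. */
private predicate isNullComparison(Expr e) {
  exists(EqualityOperation cmp |
    cmp.getAnOperand() = e and
    cmp.getAnOperand() = any(NULLMacro m).getAnInvocation().getExpr()
  )
}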
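// Report a read-only "existence check" open together with another open of the same
// path in a writable mode: between the two calls the file can be created, replaced
// or pointed at something else (e.g. via a symlink), so the check proves nothing.
//
// NOTE(review): nothing below constrains the order of, or the control flow between,
// the two calls; a writable open that textually precedes the read-only check is
// reported as well.
from EmptyFOpenCall emptyFopen, FOpenCall fopen
where
  not isExcluded(emptyFopen, IO4Package::toctouRaceConditionsWhileAccessingFilesQuery()) and
  // the second open must be able to modify the file (any mode other than read-only)
  not fopen.isReadOnlyMode() and
  // both calls name the same path, compared by global value number rather than
  // syntactic identity, so two loads of the same variable match
  globalValueNumber(emptyFopen.getFilenameExpr()) = globalValueNumber(fopen.getFilenameExpr())
select emptyFopen,
  "This call is trying to prevent an existing file from being overwritten by $@. An attacker might be able to exploit the race window between the two calls.",
  fopen, "another call"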