
Cpp

This page curates a list of example ast-grep rules to check and to rewrite Cpp code.

Reuse Cpp rules with C

Cpp is a superset of C, so you can reuse Cpp rules with C code. The languageGlobs option can force ast-grep to parse .c files as Cpp.

Fix Format String Vulnerability (Has Fix)

Description

The Format String exploit occurs when the submitted data of an input string is evaluated as a command by the application.

For example, using sprintf(s, var) can lead to format string vulnerabilities if var contains user-controlled data. This can be exploited to execute arbitrary code. By explicitly specifying the format string as "%s", you ensure that var is treated as a string, mitigating this risk.
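The difference the fix makes, as an added example that is not part of the catalog or the contributed rule. The names log_unsafe, log_fixed and altered and the sample input are constructed for illustration; the input contains only `%%`, which consumes no argument, so the unsafe call stays well defined while still showing that the data was interpreted as a format.

```c
#include <stdio.h>
#include <string.h>

/* "Before" form that the rule flags: msg is passed as the format string. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static int log_unsafe(char *dst, const char *msg)
{
    return sprintf(dst, msg);
}
#pragma GCC diagnostic pop

/* "After" form that the rule's fix produces: msg is only ever data. */
static int log_fixed(char *dst, const char *msg)
{
    return sprintf(dst, "%s", msg);
}

/* Returns 1 if the formatter changed msg, 0 if it copied it verbatim,
 * and -1 if msg would not fit the local buffer (sprintf is unbounded). */
static int altered(int (*fmt)(char *, const char *), const char *msg)
{
    char out[128];
    if (strlen(msg) >= sizeof out)
        return -1;
    fmt(out, msg);
    return strcmp(out, msg) != 0;
}

int main(void)
{
    /* Constructed input. "%%" is the only directive, and it consumes no
     * argument, so even the unsafe call has defined behaviour here. */
    const char *input = "100%% done";
    char out[128];

    log_unsafe(out, input);
    printf("unsafe: %s\n", out);   /* directive was interpreted */
    log_fixed(out, input);
    printf("fixed:  %s\n", out);   /* bytes copied unchanged */
    printf("altered: unsafe=%d fixed=%d\n",
           altered(log_unsafe, input), altered(log_fixed, input));
    return 0;
}
```

The fixed form removes the format interpretation only; sprintf still writes without a length limit, so the destination size has to be checked separately.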

YAML

yaml
id: fix-format-security-error
language: Cpp
rule:
  pattern: $PRINTF($S, $VAR)
constraints:
  PRINTF: # a format string function; alternation is grouped so both anchors apply to each name
    { regex: "^(sprintf|fprintf)$" }
  VAR: # not a literal string
    not:
      any:
      - { kind: string_literal }
      - { kind: concatenated_string }
fix: $PRINTF($S, "%s", $VAR)

Example

cpp
// Error
fprintf(stderr, out);
sprintf(&buffer[2], obj->Text);
sprintf(buf1, Text_String(TXT_WAITING_FOR_CONNECTIONS));
// OK
fprintf(stderr, "%s", out);
sprintf(&buffer[2], "%s", obj->Text);
sprintf(buf1, "%s", Text_String(TXT_WAITING_FOR_CONNECTIONS));

Diff

js
// Error
- fprintf(stderr, out);
+ fprintf(stderr, "%s", out);
- sprintf(&buffer[2], obj->Text);
+ sprintf(&buffer[2], "%s", obj->Text);
- sprintf(buf1, Text_String(TXT_WAITING_FOR_CONNECTIONS));
+ sprintf(buf1, "%s", Text_String(TXT_WAITING_FOR_CONNECTIONS));
// OK
fprintf(stderr, "%s", out);
sprintf(&buffer[2], "%s", obj->Text);
sprintf(buf1, "%s", Text_String(TXT_WAITING_FOR_CONNECTIONS));

Contributed by

xiaoxiangmoe
