CWE-22¶

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’). [File-Handling-Issues, Improper-Control-Of-A-Resource-Through-Its-Lifetime, Top25-2024-5]

Required inputs: IR, StaticSemanticAnalysis

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Many file operations are intended to take place within a restricted directory. By using special elements such as ".." and "/" separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system. One of the most common special elements is the "../" sequence, which in most modern operating systems is interpreted as the parent directory of the current location. This is referred to as relative path traversal. Path traversal also covers the use of absolute pathnames such as "/usr/local/bin", which may also be useful in accessing unexpected files. This is referred to as absolute path traversal.

In many programming languages, the injection of a null byte (the 0 or NUL) may allow an attacker to truncate a generated filename to widen the scope of attack. For example, the product may add ".txt" to any pathname, thus limiting the attacker to text files, but a null injection may effectively remove this restriction.

Demonstrative Examples Functional Areas

Example 1

The following code could be for a social networking application in which each user's profile information is stored in a separate file. All files are stored in a single directory.

Example Language:Perl (Unsupported language for documentation only)
    my $dataPath = "/users/cwe/profiles";
    my $username = param("user");
    my $profilePath = $dataPath . "/" . $username;

    open(my $fh, "<", $profilePath) || ExitError("profile read error: $profilePath");
    print "<ul>\n";
    while (<$fh>) {
        print "<li>$_</li>\n";
    }
    print "</ul>\n";

While the programmer intends to access files such as "/users/cwe/profiles/alice" or "/users/cwe/profiles/bob", there is no verification of the incoming user parameter. An attacker could provide a string such as:

(attack code)

    ../../../etc/passwd

The program would generate a profile pathname like this:

(result)

    /users/cwe/profiles/../../../etc/passwd

When the file is opened, the operating system resolves the "../" during path canonicalization and actually accesses this file:

(result)

    /etc/passwd

As a result, the attacker could read the entire text of the password file.

Notice how this code also contains an error message information leak (CWE-209) if the user parameter does not produce a file that exists: the full pathname is provided. Because of the lack of output encoding of the file that is retrieved, there might also be a cross-site scripting problem (CWE-79) if profile contains any HTML, but other code would need to be examined.

Example 2

In the example below, the path to a dictionary file is read from a system property and used to initialize a File object.

Example Language:Java (Unsupported language for documentation only)
    String filename = System.getProperty("com.domain.application.dictionaryFile");
    File dictionaryFile = new File(filename);

However, the path is not validated or modified to prevent it from containing relative or absolute path sequences before creating the File object. This allows anyone who can control the system property to determine what file is used. Ideally, the path should be resolved relative to some kind of application or user home directory.

Example 3

The following code takes untrusted input and uses a regular expression to filter "../" from the input. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path.

Example Language:Perl (Unsupported language for documentation only)
    my $Username = GetUntrustedInput();
    $Username =~ s/\.\.\///;
    my $filename = "/home/user/" . $Username;
    ReadAndSendFile($filename);

Since the regular expression does not have the /g global match modifier, it only removes the first instance of "../" it comes across. So an input value such as:

(attack code)

    ../../../etc/passwd

will have the first "../" stripped, resulting in:

(result)

    ../../etc/passwd

This value is then concatenated with the /home/user/ directory:

(result)

    /home/user/../../etc/passwd

which causes the /etc/passwd file to be retrieved once the operating system has resolved the ../ sequences in the pathname. This leads to relative path traversal (CWE-23).

Example 4

The following code attempts to validate a given input path by checking it against an allowlist and once validated delete the given file. In this specific case, the path is considered valid if it starts with the string "/safe_dir/".

Example Language:Java (Unsupported language for documentation only)
    String path = getInputPath();
    if (path.startsWith("/safe_dir/"))
    {
        File f = new File(path);
        f.delete()
    }

An attacker could provide an input such as this:

(attack code)

    /safe_dir/../important.dat

The software assumes that the path is valid because it starts with the "/safe_path/" sequence, but the "../" sequence will cause the program to delete the important.dat file in the parent directory

Example 5

The following code demonstrates the unrestricted upload of a file with a Java servlet and a path traversal vulnerability. The action attribute of an HTML form is sending the upload file request to the Java servlet.

Example Language:HTML (Unsupported language for documentation only)
    <form action="FileUploadServlet" method="post" enctype="multipart/form-data">

    Choose a file to upload:
    <input type="file" name="filename"/>
    <br/>
    <input type="submit" name="submit" value="Submit"/>

    </form>

When submitted the Java servlet's doPost method will receive the request, extract the name of the file from the Http request header, read the file contents from the request and output the file to the local upload directory.

Example Language:Java (Unsupported language for documentation only)
    public class FileUploadServlet extends HttpServlet {

        ...

        protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

            response.setContentType("text/html");
            PrintWriter out = response.getWriter();
            String contentType = request.getContentType();

            // the starting position of the boundary header
            int ind = contentType.indexOf("boundary=");
            String boundary = contentType.substring(ind+9);

            String pLine = new String();
            String uploadLocation = new String(UPLOAD_DIRECTORY_STRING); //Constant value

            // verify that content type is multipart form data
            if (contentType != null && contentType.indexOf("multipart/form-data") != -1) {

                // extract the filename from the Http header
                BufferedReader br = new BufferedReader(new InputStreamReader(request.getInputStream()));
                ...
                pLine = br.readLine();
                String filename = pLine.substring(pLine.lastIndexOf("\\"), pLine.lastIndexOf("\""));
                ...

                // output the file to the local upload directory
                try {
                    BufferedWriter bw = new BufferedWriter(new FileWriter(uploadLocation+filename, true));
                    for (String line; (line=br.readLine())!=null; ) {
                        if (line.indexOf(boundary) == -1) {
                            bw.write(line);
                            bw.newLine();
                            bw.flush();
                        }
                    } //end of for loop
                    bw.close();


                } catch (IOException ex) {...}
                // output successful upload response HTML page
            }
            // output unsuccessful upload response HTML page
            else
            {...}
        }
            ...
    }

This code does not perform a check on the type of the file being uploaded (CWE-434). This could allow an attacker to upload any executable file or other file with malicious code.

Additionally, the creation of the BufferedWriter object is subject to relative path traversal (CWE-23). Since the code does not check the filename that is provided in the header, an attacker can use "../" sequences to write to files outside of the intended directory. Depending on the executing environment, the attacker may be able to specify arbitrary files to write to, leading to a wide variety of consequences, from code execution, XSS (CWE-79), or system crash.

Example 6

This script intends to read a user-supplied file from the current directory. The user inputs the relative path to the file and the script uses Python's os.path.join() function to combine the path to the current working directory with the provided path to the specified file. This results in an absolute path to the desired file. If the file does not exist when the script attempts to read it, an error is printed to the user.

Example Language:Python (Unsupported language for documentation only)
    import os
    import sys
    def main():

        filename = sys.argv[1]
        path = os.path.join(os.getcwd(), filename)
        try:

            with open(path, 'r') as f:

                file_data = f.read()
        except FileNotFoundError as e:

            print("Error - file not found")
    main()

However, if the user supplies an absolute path, the os.path.join() function will discard the path to the current working directory and use only the absolute path provided. For example, if the current working directory is /home/user/documents, but the user inputs /etc/passwd, os.path.join() will use only /etc/passwd, as it is considered an absolute path. In the above scenario, this would cause the script to access and read the /etc/passwd file.

Example Language:Python (Unsupported language for documentation only)
    import os
    import sys
    def main():

        filename = sys.argv[1]
        path = os.path.normpath(f"{os.getcwd()}{os.sep}{filename}")
        try:

            with open(path, 'r') as f:

                file_data = f.read()
        except FileNotFoundError as e:

            print("Error - file not found")
    main()

The constructed path string uses os.sep to add the appropriate separation character for the given operating system (e.g. '\' or '/') and the call to os.path.normpath() removes any additional slashes that may have been entered - this may occur particularly when using a Windows path. By putting the pieces of the path string together in this fashion, the script avoids a call to os.path.join() and any potential issues that might arise if an absolute path is entered. With this version of the script, if the current working directory is /home/user/documents, and the user inputs /etc/passwd, the resulting path will be /home/user/documents/etc/passwd. The user is therefore contained within the current working directory as intended.

Demonstrative Examples Functional Areas

File Processing

Possible Messages

Key	Text	Severity	Disabled
unchecked_external_value	Opening a file without checking the path for unintended traversals.	None	False

Options¶

This rule shares the following common options: exclude_in_macros, exclude_messages_in_system_headers, excludes, extend_exclude_to_macro_invocations, includes, justification_checker, languages, post_processing, provider, report_at, severity
The following places define options that affect this rule: Stylechecks, Analysis-GlobalOptions

all_external_functions_as_sinks¶

all_external_functions_as_sinks : bool = False

If true, consider all external functions as possible sinks, for which consuming unchecked inputs of interest shall be reported. To exclude particular external functions, please use the sinks option.

all_external_functions_as_sources¶

all_external_functions_as_sources : bool = True

If true, consider all external functions as possible origin of values whose unchecked consumption by sinks shall be reported. To exclude particular external functions, please use the external_sources option.

external_sources¶

Description of the possible sources of external values.

external_sources.arguments_of

Description of functions for which pointer arguments should be treated as an external value that must be checked after calling the function. For each function, an argument specifier needs to be set that describes a selection of argument numbers that shall be considered. A number x is considered iff (x >= argument_range_min and x <= argument_range_max and argument_numbers_set.empty()) or x in argument_numbers_set. If the table is empty, all non-const pointer parameters of external functions are checked.

external_sources.arguments_of.excluded

Type: dict[bauhaus.analysis.config.QualifiedName, ArgumentSpecifier]

Default:

{
   '__axivion_add_local_static__':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '__axivion_get_array_size__':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '__axivion_get_polymorphic_size__':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '__builtin___strcat_chk':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0, 1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '__builtin___strcpy_chk':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0, 1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '__builtin_memcpy':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '__sigsetjmp':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'bcopy':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'confstr':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'fclose':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'ferror':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'fflush':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'fgetc':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'fileno':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'fprintf':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'free':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'fstat':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'getcwd':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'getgroups':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'gethostname':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'getrlimit':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'getrusage':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'memcpy':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'memmove':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'memset':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'mremap':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'munmap':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'operator delete':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'operator delete[]':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pclose':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pipe':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'printf':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pthread_mutex_destroy':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pthread_mutex_init':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pthread_mutex_lock':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pthread_mutex_trylock':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pthread_mutex_unlock':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pthread_mutexattr_destroy':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pthread_mutexattr_init':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pthread_mutexattr_settype':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'putc':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'qsort':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'read':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'realloc':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'regfree':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'sigaddset':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'sigdelset':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'sigemptyset':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'sigfillset':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'sprintf':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'std::operator<<':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'strcat':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0, 1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'strcpy':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0, 1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'strncat':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0, 1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'strncpy':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0, 1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'tcgetattr':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'time':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'vsnprintf':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'waitpid':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'wmemset':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   )
}

Functions which should be exempt from the set of functions for which the arguments should be checked before using them.

external_sources.arguments_of.functions

Type: dict[bauhaus.analysis.config.QualifiedName, ArgumentSpecifier]

Default:

{
   'fread':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=1
   ),
   'fscanf':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=2
   ),
   'fscanf_s':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=2
   ),
   'scanf':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=1
   ),
   'scanf_s':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=1
   )
}

Table of functions and argument specifiers where the function sets the matched arguments to an external value that must be checked before use. If the table is empty, all non-const pointer parameters of external functions are checked, except for functions listed in the arguments_of.excluded option.

external_sources.parameters_of

Functions configured as entry points (including main) for which the parameters should be checked before using them. If the set is empty, all entry points are checked.

external_sources.parameters_of.excluded : set[bauhaus.analysis.config.QualifiedName] = set()
Functions which should be exempt from the set of functions for which the parameters should be checked before using them.

external_sources.parameters_of.functions : set[bauhaus.analysis.config.QualifiedName] = set()
Functions configured as entry points (including main) for which the parameters should be checked before using them. If the set is empty, all entry points are checked.

external_sources.return_values_of

Functions for which the return value should be considered an external value that must be checked before use.

external_sources.return_values_of.excluded

Type: set[bauhaus.analysis.config.QualifiedName]

Default: {'__acrt_iob_func', '__builtin_alloca', '__builtin_ctz', '__builtin_ia32_pblendw128', '__builtin_ia32_pshufd', '__builtin_ia32_pshufhw', '__builtin_ia32_pshuflw', '__builtin_ia32_pslldqi128', '__builtin_ia32_psrldqi128', '__builtin_ia32_shufps', '__builtin_isinf', '__builtin_isinff', '__builtin_isnan', '__builtin_isnanf', '__ctype_b_loc', '__ctype_get_mb_cur_max', '__errno_location', '__iob_func', '__sigsetjmp', '_mm256_abs_epi16', '_mm256_abs_epi32', '_mm256_abs_epi8', '_mm256_add_epi16', '_mm256_add_epi32', '_mm256_add_epi64', '_mm256_add_epi8', '_mm256_add_pd', '_mm256_add_ps', '_mm256_adds_epi16', '_mm256_adds_epi8', '_mm256_adds_epu16', '_mm256_adds_epu8', '_mm256_alignr_epi8', '_mm256_and_pd', '_mm256_and_ps', '_mm256_and_si256', '_mm256_blend_epi32', '_mm256_blend_pd', '_mm256_blend_ps', '_mm256_blendv_epi8', '_mm256_blendv_pd', '_mm256_blendv_ps', '_mm256_broadcastsi128_si256', '_mm256_castpd128_pd256', '_mm256_castpd256_pd128', '_mm256_castpd_ps', '_mm256_castpd_si256', '_mm256_castps128_ps256', '_mm256_castps256_ps128', '_mm256_castps_pd', '_mm256_castps_si256', '_mm256_castsi128_si256', '_mm256_castsi256_pd', '_mm256_castsi256_ps', '_mm256_castsi256_si128', '_mm256_cmp_pd', '_mm256_cmp_ps', '_mm256_cmpeq_epi16', '_mm256_cmpeq_epi32', '_mm256_cmpeq_epi64', '_mm256_cmpeq_epi8', '_mm256_cmpgt_epi16', '_mm256_cmpgt_epi32', '_mm256_cmpgt_epi8', '_mm256_cvtepi16_epi32', '_mm256_cvtepi32_epi64', '_mm256_cvtepi32_pd', '_mm256_cvtepi32_ps', '_mm256_cvtepi8_epi16', '_mm256_cvtepi8_epi32', '_mm256_cvtepu16_epi32', '_mm256_cvtepu32_epi64', '_mm256_cvtepu8_epi16', '_mm256_cvtepu8_epi32', '_mm256_cvtpd_epi32', '_mm256_cvtpd_ps', '_mm256_cvtph_ps', '_mm256_cvtps_epi32', '_mm256_cvtps_pd', '_mm256_cvtps_ph', '_mm256_cvttpd_epi32', '_mm256_cvttps_epi32', '_mm256_div_pd', '_mm256_div_ps', '_mm256_extractf128_pd', '_mm256_extractf128_ps', '_mm256_extracti128_si256', '_mm256_fmadd_pd', '_mm256_fmadd_ps', '_mm256_hadd_epi32', '_mm256_hadd_ps', '_mm256_i32gather_epi32', '_mm256_i32gather_epi64', '_mm256_i32gather_pd', '_mm256_i32gather_ps', '_mm256_insertf128_pd', '_mm256_insertf128_ps', '_mm256_inserti128_si256', '_mm256_load_pd', '_mm256_load_ps', '_mm256_load_si256', '_mm256_loadu_pd', '_mm256_loadu_ps', '_mm256_loadu_si256', '_mm256_madd_epi16', '_mm256_max_epi16', '_mm256_max_epi32', '_mm256_max_epi8', '_mm256_max_epu16', '_mm256_max_epu32', '_mm256_max_epu8', '_mm256_max_pd', '_mm256_max_ps', '_mm256_min_epi16', '_mm256_min_epi32', '_mm256_min_epi8', '_mm256_min_epu16', '_mm256_min_epu32', '_mm256_min_epu8', '_mm256_min_pd', '_mm256_min_ps', '_mm256_movemask_epi8', '_mm256_movemask_pd', '_mm256_movemask_ps', '_mm256_mul_epi32', '_mm256_mul_epu32', '_mm256_mul_pd', '_mm256_mul_ps', '_mm256_mulhi_epi16', '_mm256_mulhi_epu16', '_mm256_mullo_epi16', '_mm256_mullo_epi32', '_mm256_or_pd', '_mm256_or_ps', '_mm256_or_si256', '_mm256_packs_epi32', '_mm256_packus_epi32', '_mm256_permute2f128_pd', '_mm256_permute2f128_ps', '_mm256_permute2x128_si256', '_mm256_permute4x64_epi64', '_mm256_permute4x64_pd', '_mm256_permute_ps', '_mm256_permutevar8x32_epi32', '_mm256_permutevar8x32_ps', '_mm256_round_pd', '_mm256_round_ps', '_mm256_rsqrt_ps', '_mm256_sad_epu8', '_mm256_set1_epi16', '_mm256_set1_epi32', '_mm256_set1_epi64x', '_mm256_set1_epi8', '_mm256_set1_pd', '_mm256_set1_ps', '_mm256_set_epi64x', '_mm256_setr_epi16', '_mm256_setr_epi32', '_mm256_setr_epi8', '_mm256_setzero_pd', '_mm256_setzero_ps', '_mm256_setzero_si256', '_mm256_shuffle_epi32', '_mm256_shuffle_epi8', '_mm256_shuffle_pd', '_mm256_slli_epi16', '_mm256_slli_epi32', '_mm256_slli_epi64', '_mm256_slli_si256', '_mm256_sqrt_pd', '_mm256_sqrt_ps', '_mm256_srai_epi16', '_mm256_srai_epi32', '_mm256_srli_epi16', '_mm256_srli_epi32', '_mm256_srli_epi64', '_mm256_srli_si256', '_mm256_sub_epi16', '_mm256_sub_epi32', '_mm256_sub_epi64', '_mm256_sub_epi8', '_mm256_sub_pd', '_mm256_sub_ps', '_mm256_subs_epi16', '_mm256_subs_epi8', '_mm256_subs_epu16', '_mm256_subs_epu8', '_mm256_unpackhi_epi16', '_mm256_unpackhi_epi32', '_mm256_unpackhi_epi64', '_mm256_unpackhi_epi8', '_mm256_unpackhi_pd', '_mm256_unpackhi_ps', '_mm256_unpacklo_epi16', '_mm256_unpacklo_epi32', '_mm256_unpacklo_epi64', '_mm256_unpacklo_epi8', '_mm256_unpacklo_pd', '_mm256_unpacklo_ps', '_mm256_xor_pd', '_mm256_xor_ps', '_mm256_xor_si256', '_mm_add_epi16', '_mm_add_epi32', '_mm_add_epi64', '_mm_add_epi8', '_mm_add_pd', '_mm_add_ps', '_mm_adds_epi16', '_mm_adds_epi8', '_mm_adds_epu16', '_mm_adds_epu8', '_mm_addsub_ps', '_mm_and_pd', '_mm_and_ps', '_mm_and_si128', '_mm_andnot_si128', '_mm_blend_epi16', '_mm_blendv_epi8', '_mm_blendv_pd', '_mm_blendv_ps', '_mm_castpd_ps', '_mm_castpd_si128', '_mm_castps_pd', '_mm_castps_si128', '_mm_castsi128_pd', '_mm_castsi128_ps', '_mm_cmpeq_epi16', '_mm_cmpeq_epi32', '_mm_cmpeq_epi64', '_mm_cmpeq_epi8', '_mm_cmpeq_pd', '_mm_cmpeq_ps', '_mm_cmpge_pd', '_mm_cmpge_ps', '_mm_cmpgt_epi16', '_mm_cmpgt_epi32', '_mm_cmpgt_epi8', '_mm_cmpgt_pd', '_mm_cmpgt_ps', '_mm_cmple_pd', '_mm_cmple_ps', '_mm_cmplt_pd', '_mm_cmplt_ps', '_mm_cmpneq_pd', '_mm_cmpneq_ps', '_mm_cmpord_pd', '_mm_cmpord_ps', '_mm_cvt_ss2si', '_mm_cvtepi16_epi32', '_mm_cvtepi32_epi64', '_mm_cvtepi32_pd', '_mm_cvtepi32_ps', '_mm_cvtepi8_epi16', '_mm_cvtepi8_epi32', '_mm_cvtepu16_epi32', '_mm_cvtepu32_epi64', '_mm_cvtepu8_epi16', '_mm_cvtepu8_epi32', '_mm_cvtpd_epi32', '_mm_cvtpd_ps', '_mm_cvtph_ps', '_mm_cvtps_epi32', '_mm_cvtps_pd', '_mm_cvtps_ph', '_mm_cvtsd_f64', '_mm_cvtsd_si32', '_mm_cvtsi128_si32', '_mm_cvtsi128_si64', '_mm_cvtss_f32', '_mm_cvttpd_epi32', '_mm_cvttps_epi32', '_mm_div_pd', '_mm_div_ps', '_mm_fmadd_pd', '_mm_fmadd_ps', '_mm_hadd_ps', '_mm_load_pd', '_mm_load_ps', '_mm_load_si128', '_mm_load_ss', '_mm_loadh_pi', '_mm_loadl_epi64', '_mm_loadl_pi', '_mm_loadu_pd', '_mm_loadu_ps', '_mm_loadu_si128', '_mm_madd_epi16', '_mm_max_epi16', '_mm_max_epi32', '_mm_max_epi8', '_mm_max_epu16', '_mm_max_epu32', '_mm_max_epu8', '_mm_max_pd', '_mm_max_ps', '_mm_min_epi16', '_mm_min_epi32', '_mm_min_epi8', '_mm_min_epu16', '_mm_min_epu32', '_mm_min_epu8', '_mm_min_pd', '_mm_min_ps', '_mm_movehdup_ps', '_mm_movehl_ps', '_mm_moveldup_ps', '_mm_movelh_ps', '_mm_movemask_epi8', '_mm_movemask_pd', '_mm_movemask_ps', '_mm_mul_epi32', '_mm_mul_epu32', '_mm_mul_pd', '_mm_mul_ps', '_mm_mulhi_epi16', '_mm_mulhi_epu16', '_mm_mullo_epi16', '_mm_mullo_epi32', '_mm_or_pd', '_mm_or_ps', '_mm_or_si128', '_mm_packs_epi16', '_mm_packs_epi32', '_mm_packus_epi16', '_mm_packus_epi32', '_mm_permute_ps', '_mm_popcnt_u32', '_mm_popcnt_u64', '_mm_rsqrt_ps', '_mm_sad_epu8', '_mm_set1_epi16', '_mm_set1_epi32', '_mm_set1_epi64x', '_mm_set1_epi8', '_mm_set1_pd', '_mm_set_epi32', '_mm_set_epi64x', '_mm_set_ps', '_mm_set_ps1', '_mm_set_sd', '_mm_set_ss', '_mm_setr_epi16', '_mm_setr_epi32', '_mm_setr_epi8', '_mm_setr_pd', '_mm_setr_ps', '_mm_setzero_pd', '_mm_setzero_ps', '_mm_setzero_si128', '_mm_shuffle_epi32', '_mm_shuffle_epi8', '_mm_shuffle_ps', '_mm_shufflehi_epi16', '_mm_shufflelo_epi16', '_mm_sll_epi32', '_mm_slli_epi16', '_mm_slli_epi32', '_mm_slli_epi64', '_mm_slli_si128', '_mm_sqrt_pd', '_mm_sqrt_ps', '_mm_srai_epi16', '_mm_srai_epi32', '_mm_srli_epi16', '_mm_srli_epi32', '_mm_srli_epi64', '_mm_srli_si128', '_mm_sub_epi16', '_mm_sub_epi32', '_mm_sub_epi64', '_mm_sub_epi8', '_mm_sub_pd', '_mm_sub_ps', '_mm_subs_epi16', '_mm_subs_epi8', '_mm_subs_epu16', '_mm_subs_epu8', '_mm_unpackhi_epi16', '_mm_unpackhi_epi32', '_mm_unpackhi_epi64', '_mm_unpackhi_epi8', '_mm_unpackhi_pd', '_mm_unpackhi_ps', '_mm_unpacklo_epi16', '_mm_unpacklo_epi32', '_mm_unpacklo_epi64', '_mm_unpacklo_epi8', '_mm_unpacklo_pd', '_mm_unpacklo_ps', '_mm_xor_pd', '_mm_xor_ps', '_mm_xor_si128', 'a64l', 'abs', 'acos', 'atan', 'atan2', 'atof', 'atoi', 'atol', 'calloc', 'close', 'cos', 'cvAlloc', 'dup', 'dup2', 'exp', 'fabs', 'fastMalloc', 'fchmod', 'fchown', 'fcntl', 'fileno', 'floor', 'fork', 'fputs', 'ftell', 'ftruncate', 'fwrite', 'getaddrinfo', 'getdtablesize', 'getegid', 'geteuid', 'getgid', 'getgrent', 'getgroups', 'getpagesize', 'getpgrp', 'getpid', 'getppid', 'getpwent', 'getpwnam', 'getpwuid', 'getservent', 'gettext', 'getuid', 'htonl', 'htons', 'iconv_open', 'inet_addr', 'ippicvMalloc_L', 'iswctype', 'localtime', 'log', 'log10', 'lseek', 'malloc', 'mblen', 'mbrlen', 'mbrtowc', 'mbsnrtowcs', 'mbstowcs', 'memcmp', 'memcpy', 'mmap', 'mremap', 'munmap', 'ntohl', 'ntohs', 'operator new', 'operator new[]', 'operator=', 'pow', 'printf', 'pthread_self', 'rand', 'readlink', 'realloc', 'rmdir', 'sbrk', 'setlocale', 'sigprocmask', 'sin', 'socket', 'sqrt', 'std::abs', 'std::acos', 'std::atan', 'std::atan2', 'std::basic_ostream::operator<<', 'std::floor', 'std::make_error_code', 'std::operator<<', 'std::operator|', 'strchr', 'strchrnul', 'strcmp', 'strcpy', 'strdup', 'strerror', 'strlen', 'strncasecmp', 'strncmp', 'strncpy', 'strnlen', 'strpbrk', 'strrchr', 'strsignal', 'strstr', 'strtod', 'strtoimax', 'strtol', 'strtold', 'strtoul', 'strtoull', 'strtoumax', 'strtouq', 'sysconf', 'tcgetpgrp', 'tcsetattr', 'time', 'tmpnam', 'tolower', 'toupper', 'towlower', 'towupper', 'ttyname', 'umask', 'unlink', 'vsnprintf', 'wcrtomb', 'wcscat', 'wcscpy', 'wcsdup', 'wcslen', 'wcsrtombs', 'wcswidth', 'wctob', 'wctomb', 'wctype', 'wcwidth', 'write'}

Functions which should be exempt from the set of functions for which the return value should be treated as an external value.

external_sources.return_values_of.functions : set[bauhaus.analysis.config.QualifiedName] = set()
Functions for which the return value should be considered an external value that must be checked before use. If the set is empty, all return values of external functions are checked.

is_acceptable_use_in_condition¶

is_acceptable_use_in_condition

Type: typing.Callable[[bauhaus.ir.Node, bauhaus.rules.axivion.expressions.generic.taint_analysis.ExternalValue, bauhaus.ir.Node, bauhaus.ir.Node], bool] | None

Default: None

If given, this predicate is used to check a condition further that involves the value received from an external source. The predicate receives the following arguments: check: The PIR node of type Conditional_Interface in whose condition the external value is used, or a Relational_Operator using it inside the operands val: The ExternalValue object representing the value received from an external source node: The PIR node representing the use of the external value use: The LIR node corresponding to the use The return value should be True iff the use of the external value inside this condition is ok (e.g. because that's a check validating the value).

is_relevant_usage¶

is_relevant_usage

Type: typing.Callable[[bauhaus.rules.axivion.expressions.generic.taint_analysis.ExternalValue, bauhaus.ir.Node, bauhaus.ir.Node], bool] | None

Default: None

If given, this predicate is used to check if a usage of tainted input is relevant for the analysis. This can be used to restrict the analysis to certain types of usages only. The predicate receives the following arguments: val: The ExternalValue object representing the value received from an external source node: The PIR node representing the use of the external value use: The LIR node corresponding to the use The return value should be True if the use of the external value inside this condition is relevant, i.e., if an error message should be issued by the rule. If the return value is False, the message is discarded.

is_sufficient_preceding_check¶

is_sufficient_preceding_check

Type: typing.Callable[[bauhaus.ir.Node, bauhaus.rules.axivion.expressions.generic.taint_analysis.ExternalValue, bauhaus.ir.Node, bauhaus.ir.Node, _iranalysis.Basic_Block], bool] | None

Default: None

If given, this predicate is used to check a condition further that involves the value received from an external source and which happens before the use being checked. It should also check whether the right branch was taken. The predicate receives the following arguments: check: The PIR node of type Conditional_Interface in which's condition the external value is used val: The ExternalValue object representing the value received from an external source node: The PIR node representing the use of the external value inside the condition use: The LIR node for the use being checked (after the condition) branch: The iranalysis block representing the branch taken at the condition The return value should be True iff the condition is sufficiently checking the validity of this external value.

maximum_reports_per_source_location¶

maximum_reports_per_source_location : int = 10

Maximum number of reported sinks per source location. For no limitation of reported sinks per source, set to 0. Caution: no limitation here may lead to a substantial amount of reported issues.

omit_implicitly_passed_this¶

omit_implicitly_passed_this : bool = True

If true, do not report implicitly passed this arguments.

only_report_arguments¶

only_report_arguments : bool = True

If true, only report arguments to sink functions. Otherwise, report all usages of tainted values.

sanitizer_functions¶

sanitizer_functions

Type: dict[bauhaus.analysis.config.QualifiedName, ArgumentSpecifier]

Default: {}

Description of sanitizing functions with the number of the sanitized argument.

sanitizer_macros¶

sanitizer_macros

Type: dict[bauhaus.analysis.config.QualifiedName, ArgumentSpecifier]

Default: {}

Description of sanitizing macros with the number of the sanitized argument.

sinks¶

Description of the possible sinks for which flows of unchecked external values are reported

sinks.excluded
Type: dict[bauhaus.analysis.config.QualifiedName, ArgumentSpecifier]

Default:
{
   'free':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   )
}
Functions which should be exempt from the set of functions considered as sinks

sinks.functions

Type: dict[bauhaus.analysis.config.QualifiedName, ArgumentSpecifier]

Default:

{
   'fopen':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'std::basic_ifstream::open':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'std::basic_ofstream::open':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   )
}

Functions which should be in the set of functions considered as sinks

Option Types¶

These types are used by options listed above:

ArgumentSpecifier¶

Specification of which argument positions to consider: An argument at position x is included if ALL of the following conditions are met: * x is within the specified range: argument_range_min ≤ x ≤ argument_range_max * Either no specific arguments are listed (argument_numbers_set is empty), OR x is explicitly listed in argument_numbers_set Examples: * To target the first 5 variadic arguments of sscanf (positions 2-6): set argument_range_min = 2, argument_range_max = 6, leave argument_numbers_set empty * To target only the format string of sscanf (position 1): set argument_numbers_set = {1} and keep default values for argument_range_min and argument_range_max

argument_numbers_set : set[int] = set()

Explicit set of argument numbers to be considered. If empty, all numbers of the interval defined by [argument_range_min; argument_range_max] are considered.

argument_range_max : int = 4294967295

Maximum of the interval of numbers to be considered.

argument_range_min : int = 0

Minimum of the interval of numbers to be considered.

Axivion Suite 7.12.0

Navigation

CWE-22¶

Demonstrative Examples Functional Areas

Example 1

Example 2

Example 3

Example 4

Example 5

Example 6

Demonstrative Examples Functional Areas

Options¶

all_external_functions_as_sinks¶

all_external_functions_as_sources¶

external_sources¶

is_acceptable_use_in_condition¶

is_relevant_usage¶

is_sufficient_preceding_check¶

maximum_reports_per_source_location¶

omit_implicitly_passed_this¶

only_report_arguments¶

sanitizer_functions¶

sanitizer_macros¶

sinks¶

Option Types¶

ArgumentSpecifier¶