CWE-502¶

Deserialization of Untrusted Data. [Resource-Management-Errors, Improper-Control-Of-A-Resource-Through-Its-Lifetime, Top25-2024-16]

Required inputs: IR, StaticSemanticAnalysis

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Background Details Demonstrative Examples

Serialization and deserialization refer to the process of taking program-internal object-related data, packaging it in a way that allows the data to be externally stored or transferred ("serialization"), then extracting the serialized data to reconstruct the original object ("deserialization").

Background Details Demonstrative Examples

Example 1

This code snippet deserializes an object from a file and uses it as a UI button:

Example Language:Java (Unsupported language for documentation only)
    try {
        File file = new File("object.obj");
        ObjectInputStream in = new ObjectInputStream(new FileInputStream(file));
        javax.swing.JButton button = (javax.swing.JButton) in.readObject();
        in.close();
    }

This code does not attempt to verify the source or contents of the file before deserializing it. An attacker may be able to replace the intended file with a file that contains arbitrary malicious code which will be executed when the button is pressed.

To mitigate this, explicitly define final readObject() to prevent deserialization. An example of this is:

Example Language:Java (Unsupported language for documentation only)
    private final void readObject(ObjectInputStream in) throws java.io.IOException {
    throw new java.io.IOException("Cannot be deserialized"); }

Example 2

In Python, the Pickle library handles the serialization and deserialization processes. In this example derived from [REF-467], the code receives and parses data, and afterwards tries to authenticate a user based on validating a token.

Example Language:Python (Unsupported language for documentation only)
    try {
        class ExampleProtocol(protocol.Protocol):
        def dataReceived(self, data):

        # Code that would be here would parse the incoming data
        # After receiving headers, call confirmAuth() to authenticate

        def confirmAuth(self, headers):
        try:
        token = cPickle.loads(base64.b64decode(headers['AuthToken']))
        if not check_hmac(token['signature'], token['data'], getSecretKey()):
        raise AuthFail
        self.secure_data = token['data']
        except:
        raise AuthFail
    }

Unfortunately, the code does not verify that the incoming data is legitimate. An attacker can construct a illegitimate, serialized object "AuthToken" that instantiates one of Python's subprocesses to execute arbitrary commands. For instance,the attacker could construct a pickle that leverages Python's subprocess module, which spawns new processes and includes a number of arguments for various uses. Since Pickle allows objects to define the process for how they should be unpickled, the attacker can direct the unpickle process to call Popen in the subprocess module and execute /bin/sh.

Possible Messages

Key	Text	Severity	Disabled
unchecked_external_value	Deserialization of Untrusted Data.	None	False

Options¶

This rule shares the following common options: exclude_in_macros, exclude_messages_in_system_headers, excludes, extend_exclude_to_macro_invocations, includes, justification_checker, languages, post_processing, provider, report_at, severity
The following places define options that affect this rule: Stylechecks, Analysis-GlobalOptions

all_external_functions_as_sinks¶

all_external_functions_as_sinks : bool = True

If true, consider all external functions as possible sinks, for which consuming unchecked inputs of interest shall be reported. To exclude particular external functions, please use the sinks option.

all_external_functions_as_sources¶

all_external_functions_as_sources : bool = True

If true, consider all external functions as possible origin of values whose unchecked consumption by sinks shall be reported. To exclude particular external functions, please use the external_sources option.

external_sources¶

Description of the possible sources of external values.

external_sources.arguments_of

Description of functions for which pointer arguments should be treated as an external value that must be checked after calling the function. For each function, an argument specifier needs to be set that describes a selection of argument numbers that shall be considered. A number x is considered iff (x >= argument_range_min and x <= argument_range_max and argument_numbers_set.empty()) or x in argument_numbers_set. If the table is empty, all non-const pointer parameters of external functions are checked.

external_sources.arguments_of.excluded

Type: dict[bauhaus.analysis.config.QualifiedName, ArgumentSpecifier]

Default:

{
   '__axivion_add_local_static__':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '__axivion_get_array_size__':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '__axivion_get_polymorphic_size__':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '__builtin___strcat_chk':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0, 1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '__builtin___strcpy_chk':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0, 1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '__builtin_memcpy':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   '__sigsetjmp':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'bcopy':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'confstr':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'fclose':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'ferror':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'fflush':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'fgetc':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'fileno':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'fprintf':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'free':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'fstat':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'getcwd':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'getgroups':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'gethostname':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'getrlimit':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'getrusage':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'memcpy':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'memmove':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'memset':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'mremap':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'munmap':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'operator delete':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'operator delete[]':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pclose':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pipe':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'printf':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pthread_mutex_destroy':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pthread_mutex_init':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pthread_mutex_lock':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pthread_mutex_trylock':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pthread_mutex_unlock':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pthread_mutexattr_destroy':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pthread_mutexattr_init':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'pthread_mutexattr_settype':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'putc':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'qsort':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'read':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'realloc':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'regfree':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'sigaddset':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'sigdelset':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'sigemptyset':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'sigfillset':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'sprintf':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'std::operator<<':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'strcat':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0, 1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'strcpy':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0, 1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'strncat':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0, 1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'strncpy':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0, 1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'tcgetattr':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'time':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'vsnprintf':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'waitpid':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={1},
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'wmemset':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   )
}

Functions which should be exempt from the set of functions for which the arguments should be checked before using them.

external_sources.arguments_of.functions

Type: dict[bauhaus.analysis.config.QualifiedName, ArgumentSpecifier]

Default: {}

Table of functions and argument specifiers where the function sets the matched arguments to an external value that must be checked before use. If the table is empty, all non-const pointer parameters of external functions are checked, except for functions listed in the arguments_of.excluded option.

external_sources.parameters_of

Functions configured as entry points (including main) for which the parameters should be checked before using them. If the set is empty, all entry points are checked.

external_sources.parameters_of.excluded : set[bauhaus.analysis.config.QualifiedName] = set()
Functions which should be exempt from the set of functions for which the parameters should be checked before using them.

external_sources.parameters_of.functions : set[bauhaus.analysis.config.QualifiedName] = set()
Functions configured as entry points (including main) for which the parameters should be checked before using them. If the set is empty, all entry points are checked.

external_sources.return_values_of

Functions for which the return value should be considered an external value that must be checked before use.

external_sources.return_values_of.excluded

Type: set[bauhaus.analysis.config.QualifiedName]

Default: {'__acrt_iob_func', '__builtin_alloca', '__builtin_ctz', '__builtin_ia32_pblendw128', '__builtin_ia32_pshufd', '__builtin_ia32_pshufhw', '__builtin_ia32_pshuflw', '__builtin_ia32_pslldqi128', '__builtin_ia32_psrldqi128', '__builtin_ia32_shufps', '__builtin_isinf', '__builtin_isinff', '__builtin_isnan', '__builtin_isnanf', '__ctype_b_loc', '__ctype_get_mb_cur_max', '__errno_location', '__iob_func', '__sigsetjmp', '_mm256_abs_epi16', '_mm256_abs_epi32', '_mm256_abs_epi8', '_mm256_add_epi16', '_mm256_add_epi32', '_mm256_add_epi64', '_mm256_add_epi8', '_mm256_add_pd', '_mm256_add_ps', '_mm256_adds_epi16', '_mm256_adds_epi8', '_mm256_adds_epu16', '_mm256_adds_epu8', '_mm256_alignr_epi8', '_mm256_and_pd', '_mm256_and_ps', '_mm256_and_si256', '_mm256_blend_epi32', '_mm256_blend_pd', '_mm256_blend_ps', '_mm256_blendv_epi8', '_mm256_blendv_pd', '_mm256_blendv_ps', '_mm256_broadcastsi128_si256', '_mm256_castpd128_pd256', '_mm256_castpd256_pd128', '_mm256_castpd_ps', '_mm256_castpd_si256', '_mm256_castps128_ps256', '_mm256_castps256_ps128', '_mm256_castps_pd', '_mm256_castps_si256', '_mm256_castsi128_si256', '_mm256_castsi256_pd', '_mm256_castsi256_ps', '_mm256_castsi256_si128', '_mm256_cmp_pd', '_mm256_cmp_ps', '_mm256_cmpeq_epi16', '_mm256_cmpeq_epi32', '_mm256_cmpeq_epi64', '_mm256_cmpeq_epi8', '_mm256_cmpgt_epi16', '_mm256_cmpgt_epi32', '_mm256_cmpgt_epi8', '_mm256_cvtepi16_epi32', '_mm256_cvtepi32_epi64', '_mm256_cvtepi32_pd', '_mm256_cvtepi32_ps', '_mm256_cvtepi8_epi16', '_mm256_cvtepi8_epi32', '_mm256_cvtepu16_epi32', '_mm256_cvtepu32_epi64', '_mm256_cvtepu8_epi16', '_mm256_cvtepu8_epi32', '_mm256_cvtpd_epi32', '_mm256_cvtpd_ps', '_mm256_cvtph_ps', '_mm256_cvtps_epi32', '_mm256_cvtps_pd', '_mm256_cvtps_ph', '_mm256_cvttpd_epi32', '_mm256_cvttps_epi32', '_mm256_div_pd', '_mm256_div_ps', '_mm256_extractf128_pd', '_mm256_extractf128_ps', '_mm256_extracti128_si256', '_mm256_fmadd_pd', '_mm256_fmadd_ps', '_mm256_hadd_epi32', '_mm256_hadd_ps', '_mm256_i32gather_epi32', '_mm256_i32gather_epi64', '_mm256_i32gather_pd', '_mm256_i32gather_ps', '_mm256_insertf128_pd', '_mm256_insertf128_ps', '_mm256_inserti128_si256', '_mm256_load_pd', '_mm256_load_ps', '_mm256_load_si256', '_mm256_loadu_pd', '_mm256_loadu_ps', '_mm256_loadu_si256', '_mm256_madd_epi16', '_mm256_max_epi16', '_mm256_max_epi32', '_mm256_max_epi8', '_mm256_max_epu16', '_mm256_max_epu32', '_mm256_max_epu8', '_mm256_max_pd', '_mm256_max_ps', '_mm256_min_epi16', '_mm256_min_epi32', '_mm256_min_epi8', '_mm256_min_epu16', '_mm256_min_epu32', '_mm256_min_epu8', '_mm256_min_pd', '_mm256_min_ps', '_mm256_movemask_epi8', '_mm256_movemask_pd', '_mm256_movemask_ps', '_mm256_mul_epi32', '_mm256_mul_epu32', '_mm256_mul_pd', '_mm256_mul_ps', '_mm256_mulhi_epi16', '_mm256_mulhi_epu16', '_mm256_mullo_epi16', '_mm256_mullo_epi32', '_mm256_or_pd', '_mm256_or_ps', '_mm256_or_si256', '_mm256_packs_epi32', '_mm256_packus_epi32', '_mm256_permute2f128_pd', '_mm256_permute2f128_ps', '_mm256_permute2x128_si256', '_mm256_permute4x64_epi64', '_mm256_permute4x64_pd', '_mm256_permute_ps', '_mm256_permutevar8x32_epi32', '_mm256_permutevar8x32_ps', '_mm256_round_pd', '_mm256_round_ps', '_mm256_rsqrt_ps', '_mm256_sad_epu8', '_mm256_set1_epi16', '_mm256_set1_epi32', '_mm256_set1_epi64x', '_mm256_set1_epi8', '_mm256_set1_pd', '_mm256_set1_ps', '_mm256_set_epi64x', '_mm256_setr_epi16', '_mm256_setr_epi32', '_mm256_setr_epi8', '_mm256_setzero_pd', '_mm256_setzero_ps', '_mm256_setzero_si256', '_mm256_shuffle_epi32', '_mm256_shuffle_epi8', '_mm256_shuffle_pd', '_mm256_slli_epi16', '_mm256_slli_epi32', '_mm256_slli_epi64', '_mm256_slli_si256', '_mm256_sqrt_pd', '_mm256_sqrt_ps', '_mm256_srai_epi16', '_mm256_srai_epi32', '_mm256_srli_epi16', '_mm256_srli_epi32', '_mm256_srli_epi64', '_mm256_srli_si256', '_mm256_sub_epi16', '_mm256_sub_epi32', '_mm256_sub_epi64', '_mm256_sub_epi8', '_mm256_sub_pd', '_mm256_sub_ps', '_mm256_subs_epi16', '_mm256_subs_epi8', '_mm256_subs_epu16', '_mm256_subs_epu8', '_mm256_unpackhi_epi16', '_mm256_unpackhi_epi32', '_mm256_unpackhi_epi64', '_mm256_unpackhi_epi8', '_mm256_unpackhi_pd', '_mm256_unpackhi_ps', '_mm256_unpacklo_epi16', '_mm256_unpacklo_epi32', '_mm256_unpacklo_epi64', '_mm256_unpacklo_epi8', '_mm256_unpacklo_pd', '_mm256_unpacklo_ps', '_mm256_xor_pd', '_mm256_xor_ps', '_mm256_xor_si256', '_mm_add_epi16', '_mm_add_epi32', '_mm_add_epi64', '_mm_add_epi8', '_mm_add_pd', '_mm_add_ps', '_mm_adds_epi16', '_mm_adds_epi8', '_mm_adds_epu16', '_mm_adds_epu8', '_mm_addsub_ps', '_mm_and_pd', '_mm_and_ps', '_mm_and_si128', '_mm_andnot_si128', '_mm_blend_epi16', '_mm_blendv_epi8', '_mm_blendv_pd', '_mm_blendv_ps', '_mm_castpd_ps', '_mm_castpd_si128', '_mm_castps_pd', '_mm_castps_si128', '_mm_castsi128_pd', '_mm_castsi128_ps', '_mm_cmpeq_epi16', '_mm_cmpeq_epi32', '_mm_cmpeq_epi64', '_mm_cmpeq_epi8', '_mm_cmpeq_pd', '_mm_cmpeq_ps', '_mm_cmpge_pd', '_mm_cmpge_ps', '_mm_cmpgt_epi16', '_mm_cmpgt_epi32', '_mm_cmpgt_epi8', '_mm_cmpgt_pd', '_mm_cmpgt_ps', '_mm_cmple_pd', '_mm_cmple_ps', '_mm_cmplt_pd', '_mm_cmplt_ps', '_mm_cmpneq_pd', '_mm_cmpneq_ps', '_mm_cmpord_pd', '_mm_cmpord_ps', '_mm_cvt_ss2si', '_mm_cvtepi16_epi32', '_mm_cvtepi32_epi64', '_mm_cvtepi32_pd', '_mm_cvtepi32_ps', '_mm_cvtepi8_epi16', '_mm_cvtepi8_epi32', '_mm_cvtepu16_epi32', '_mm_cvtepu32_epi64', '_mm_cvtepu8_epi16', '_mm_cvtepu8_epi32', '_mm_cvtpd_epi32', '_mm_cvtpd_ps', '_mm_cvtph_ps', '_mm_cvtps_epi32', '_mm_cvtps_pd', '_mm_cvtps_ph', '_mm_cvtsd_f64', '_mm_cvtsd_si32', '_mm_cvtsi128_si32', '_mm_cvtsi128_si64', '_mm_cvtss_f32', '_mm_cvttpd_epi32', '_mm_cvttps_epi32', '_mm_div_pd', '_mm_div_ps', '_mm_fmadd_pd', '_mm_fmadd_ps', '_mm_hadd_ps', '_mm_load_pd', '_mm_load_ps', '_mm_load_si128', '_mm_load_ss', '_mm_loadh_pi', '_mm_loadl_epi64', '_mm_loadl_pi', '_mm_loadu_pd', '_mm_loadu_ps', '_mm_loadu_si128', '_mm_madd_epi16', '_mm_max_epi16', '_mm_max_epi32', '_mm_max_epi8', '_mm_max_epu16', '_mm_max_epu32', '_mm_max_epu8', '_mm_max_pd', '_mm_max_ps', '_mm_min_epi16', '_mm_min_epi32', '_mm_min_epi8', '_mm_min_epu16', '_mm_min_epu32', '_mm_min_epu8', '_mm_min_pd', '_mm_min_ps', '_mm_movehdup_ps', '_mm_movehl_ps', '_mm_moveldup_ps', '_mm_movelh_ps', '_mm_movemask_epi8', '_mm_movemask_pd', '_mm_movemask_ps', '_mm_mul_epi32', '_mm_mul_epu32', '_mm_mul_pd', '_mm_mul_ps', '_mm_mulhi_epi16', '_mm_mulhi_epu16', '_mm_mullo_epi16', '_mm_mullo_epi32', '_mm_or_pd', '_mm_or_ps', '_mm_or_si128', '_mm_packs_epi16', '_mm_packs_epi32', '_mm_packus_epi16', '_mm_packus_epi32', '_mm_permute_ps', '_mm_popcnt_u32', '_mm_popcnt_u64', '_mm_rsqrt_ps', '_mm_sad_epu8', '_mm_set1_epi16', '_mm_set1_epi32', '_mm_set1_epi64x', '_mm_set1_epi8', '_mm_set1_pd', '_mm_set_epi32', '_mm_set_epi64x', '_mm_set_ps', '_mm_set_ps1', '_mm_set_sd', '_mm_set_ss', '_mm_setr_epi16', '_mm_setr_epi32', '_mm_setr_epi8', '_mm_setr_pd', '_mm_setr_ps', '_mm_setzero_pd', '_mm_setzero_ps', '_mm_setzero_si128', '_mm_shuffle_epi32', '_mm_shuffle_epi8', '_mm_shuffle_ps', '_mm_shufflehi_epi16', '_mm_shufflelo_epi16', '_mm_sll_epi32', '_mm_slli_epi16', '_mm_slli_epi32', '_mm_slli_epi64', '_mm_slli_si128', '_mm_sqrt_pd', '_mm_sqrt_ps', '_mm_srai_epi16', '_mm_srai_epi32', '_mm_srli_epi16', '_mm_srli_epi32', '_mm_srli_epi64', '_mm_srli_si128', '_mm_sub_epi16', '_mm_sub_epi32', '_mm_sub_epi64', '_mm_sub_epi8', '_mm_sub_pd', '_mm_sub_ps', '_mm_subs_epi16', '_mm_subs_epi8', '_mm_subs_epu16', '_mm_subs_epu8', '_mm_unpackhi_epi16', '_mm_unpackhi_epi32', '_mm_unpackhi_epi64', '_mm_unpackhi_epi8', '_mm_unpackhi_pd', '_mm_unpackhi_ps', '_mm_unpacklo_epi16', '_mm_unpacklo_epi32', '_mm_unpacklo_epi64', '_mm_unpacklo_epi8', '_mm_unpacklo_pd', '_mm_unpacklo_ps', '_mm_xor_pd', '_mm_xor_ps', '_mm_xor_si128', 'a64l', 'abs', 'acos', 'atan', 'atan2', 'atof', 'atoi', 'atol', 'calloc', 'close', 'cos', 'cvAlloc', 'dup', 'dup2', 'exp', 'fabs', 'fastMalloc', 'fchmod', 'fchown', 'fcntl', 'fileno', 'floor', 'fork', 'fputs', 'ftell', 'ftruncate', 'fwrite', 'getaddrinfo', 'getdtablesize', 'getegid', 'geteuid', 'getgid', 'getgrent', 'getgroups', 'getpagesize', 'getpgrp', 'getpid', 'getppid', 'getpwent', 'getpwnam', 'getpwuid', 'getservent', 'gettext', 'getuid', 'htonl', 'htons', 'iconv_open', 'inet_addr', 'ippicvMalloc_L', 'iswctype', 'localtime', 'log', 'log10', 'lseek', 'malloc', 'mblen', 'mbrlen', 'mbrtowc', 'mbsnrtowcs', 'mbstowcs', 'memcmp', 'memcpy', 'mmap', 'mremap', 'munmap', 'ntohl', 'ntohs', 'operator new', 'operator new[]', 'operator=', 'pow', 'printf', 'pthread_self', 'rand', 'readlink', 'realloc', 'rmdir', 'sbrk', 'setlocale', 'sigprocmask', 'sin', 'socket', 'sqrt', 'std::abs', 'std::acos', 'std::atan', 'std::atan2', 'std::basic_ostream::operator<<', 'std::floor', 'std::make_error_code', 'std::operator<<', 'std::operator|', 'strchr', 'strchrnul', 'strcmp', 'strcpy', 'strdup', 'strerror', 'strlen', 'strncasecmp', 'strncmp', 'strncpy', 'strnlen', 'strpbrk', 'strrchr', 'strsignal', 'strstr', 'strtod', 'strtoimax', 'strtol', 'strtold', 'strtoul', 'strtoull', 'strtoumax', 'strtouq', 'sysconf', 'tcgetpgrp', 'tcsetattr', 'time', 'tmpnam', 'tolower', 'toupper', 'towlower', 'towupper', 'ttyname', 'umask', 'unlink', 'vsnprintf', 'wcrtomb', 'wcscat', 'wcscpy', 'wcsdup', 'wcslen', 'wcsrtombs', 'wcswidth', 'wctob', 'wctomb', 'wctype', 'wcwidth', 'write'}

Functions which should be exempt from the set of functions for which the return value should be treated as an external value.

external_sources.return_values_of.functions : set[bauhaus.analysis.config.QualifiedName] = set()
Functions for which the return value should be considered an external value that must be checked before use. If the set is empty, all return values of external functions are checked.

is_acceptable_use_in_condition¶

is_acceptable_use_in_condition

Type: typing.Callable[[bauhaus.ir.Node, bauhaus.rules.axivion.expressions.generic.taint_analysis.ExternalValue, bauhaus.ir.Node, bauhaus.ir.Node], bool] | None

Default: None

If given, this predicate is used to check a condition further that involves the value received from an external source. The predicate receives the following arguments: check: The PIR node of type Conditional_Interface in whose condition the external value is used, or a Relational_Operator using it inside the operands val: The ExternalValue object representing the value received from an external source node: The PIR node representing the use of the external value use: The LIR node corresponding to the use The return value should be True iff the use of the external value inside this condition is ok (e.g. because that's a check validating the value).

is_relevant_usage¶

is_relevant_usage

Type: typing.Callable[[bauhaus.rules.axivion.expressions.generic.taint_analysis.ExternalValue, bauhaus.ir.Node, bauhaus.ir.Node], bool] | None

Default: None

If given, this predicate is used to check if a usage of tainted input is relevant for the analysis. This can be used to restrict the analysis to certain types of usages only. The predicate receives the following arguments: val: The ExternalValue object representing the value received from an external source node: The PIR node representing the use of the external value use: The LIR node corresponding to the use The return value should be True if the use of the external value inside this condition is relevant, i.e., if an error message should be issued by the rule. If the return value is False, the message is discarded.

is_sufficient_preceding_check¶

is_sufficient_preceding_check

Type: typing.Callable[[bauhaus.ir.Node, bauhaus.rules.axivion.expressions.generic.taint_analysis.ExternalValue, bauhaus.ir.Node, bauhaus.ir.Node, _iranalysis.Basic_Block], bool] | None

Default: None

If given, this predicate is used to check a condition further that involves the value received from an external source and which happens before the use being checked. It should also check whether the right branch was taken. The predicate receives the following arguments: check: The PIR node of type Conditional_Interface in which's condition the external value is used val: The ExternalValue object representing the value received from an external source node: The PIR node representing the use of the external value inside the condition use: The LIR node for the use being checked (after the condition) branch: The iranalysis block representing the branch taken at the condition The return value should be True iff the condition is sufficiently checking the validity of this external value.

maximum_reports_per_source_location¶

maximum_reports_per_source_location : int = 10

Maximum number of reported sinks per source location. For no limitation of reported sinks per source, set to 0. Caution: no limitation here may lead to a substantial amount of reported issues.

omit_implicitly_passed_this¶

omit_implicitly_passed_this : bool = True

If true, do not report implicitly passed this arguments.

only_report_arguments¶

only_report_arguments : bool = True

If true, only report arguments to sink functions. Otherwise, report all usages of tainted values.

sanitizer_functions¶

sanitizer_functions

Type: dict[bauhaus.analysis.config.QualifiedName, ArgumentSpecifier]

Default: {}

Description of sanitizing functions with the number of the sanitized argument.

sanitizer_macros¶

sanitizer_macros

Type: dict[bauhaus.analysis.config.QualifiedName, ArgumentSpecifier]

Default: {}

Description of sanitizing macros with the number of the sanitized argument.

sinks¶

Description of the possible sinks for which flows of unchecked external values are reported

sinks.excluded
Type: dict[bauhaus.analysis.config.QualifiedName, ArgumentSpecifier]

Default:
{
   'free':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set={0},
      argument_range_max=4294967295,
      argument_range_min=0
   )
}
Functions which should be exempt from the set of functions considered as sinks

sinks.functions

Type: dict[bauhaus.analysis.config.QualifiedName, ArgumentSpecifier]

Default:

{
   'boost::archive::text_iarchive::text_iarchive':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   ),
   'nlohmann::basic_json::parse':    bauhaus.rules.axivion.expressions.generic.taint_analysis.ArgumentSpecifier(
      argument_numbers_set=set(),
      argument_range_max=4294967295,
      argument_range_min=0
   )
}

Functions which should be in the set of functions considered as sinks

Option Types¶

These types are used by options listed above:

ArgumentSpecifier¶

Specification of which argument positions to consider: An argument at position x is included if ALL of the following conditions are met: * x is within the specified range: argument_range_min ≤ x ≤ argument_range_max * Either no specific arguments are listed (argument_numbers_set is empty), OR x is explicitly listed in argument_numbers_set Examples: * To target the first 5 variadic arguments of sscanf (positions 2-6): set argument_range_min = 2, argument_range_max = 6, leave argument_numbers_set empty * To target only the format string of sscanf (position 1): set argument_numbers_set = {1} and keep default values for argument_range_min and argument_range_max

argument_numbers_set : set[int] = set()

Explicit set of argument numbers to be considered. If empty, all numbers of the interval defined by [argument_range_min; argument_range_max] are considered.

argument_range_max : int = 4294967295

Maximum of the interval of numbers to be considered.

argument_range_min : int = 0

Minimum of the interval of numbers to be considered.

Axivion Suite 7.12.0

Navigation

CWE-502¶

Background Details Demonstrative Examples

Background Details Demonstrative Examples

Example 1

Example 2

Options¶

all_external_functions_as_sinks¶

all_external_functions_as_sources¶

external_sources¶

is_acceptable_use_in_condition¶

is_relevant_usage¶

is_sufficient_preceding_check¶

maximum_reports_per_source_location¶

omit_implicitly_passed_this¶

only_report_arguments¶

sanitizer_functions¶

sanitizer_macros¶

sinks¶

Option Types¶

ArgumentSpecifier¶