V1

Author: am0o0

cpp/ql/src/experimental/Security/CWE/CWE-409-DecompressionBomb/Bombs.ql

@@ -0,0 +1,69 @@
+/**
+ * @name User-controlled file decompression
+ * @description User-controlled data that flows into decompression library APIs without checking the compression rate is dangerous
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 7.8
+ * @precision medium
+ * @id cpp/user-controlled-file-decompression
+ * @tags security
+ *       experimental
+ *       external/cwe/cwe-409
+ */
+
+import cpp
+import semmle.code.cpp.ir.dataflow.TaintTracking
+import semmle.code.cpp.security.FlowSources
+
+/**
+ * The `gzopen` function, which can perform command substitution.
+ */
+private class GzopenFunction extends Function {
+  GzopenFunction() { hasGlobalName("gzopen") }
+}
+
+/**
+ * The `gzread` function, which can perform command substitution.
+ */
+private class GzreadFunction extends Function {
+  GzreadFunction() { hasGlobalName("gzread") }
+}
+
+module ZlibTaintConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    exists(FunctionCall fc | fc.getTarget() instanceof GzopenFunction |
+      fc.getArgument(0) = source.asExpr()
+    )
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(FunctionCall fc | fc.getTarget() instanceof GzreadFunction |
+      fc.getArgument(0) = sink.asExpr() and
+      not sanitizer(fc)
+    )
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(FunctionCall fc | fc.getTarget() instanceof GzopenFunction |
+      node1.asExpr() = fc.getArgument(0) and
+      node2.asExpr() = fc
+    )
+  }
+}
+
+predicate sanitizer(FunctionCall fc) {
+  exists(Expr e | fc.getTarget() instanceof GzreadFunction |
+    // a RelationalOperation which isn't compared with a Literal that using for end of read
+    TaintTracking::localExprTaint(fc, e.(RelationalOperation).getAChild*()) and
+    not e.getAChild*().(Literal).getValue() = ["0", "1", "-1"]
+  )
+}
+
+module ZlibTaint = TaintTracking::Global<ZlibTaintConfig>;
+
+import ZlibTaint::PathGraph
+
+from ZlibTaint::PathNode source, ZlibTaint::PathNode sink
+where ZlibTaint::flowPath(source, sink)
+select sink.getNode(), source, sink, "This file extraction depends on a $@.", source.getNode(),
+  "potentially untrusted source"

cpp/ql/src/experimental/Security/CWE/CWE-409-DecompressionBomb/DecompressionBomb.qhelp

@@ -0,0 +1,35 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Extracting Compressed files with any compression algorithm like gzip can cause to denial of service attacks.</p>
+<p>Attackers can compress a huge file which created by repeated similiar byte and convert it to a small compressed file.</p>
+
+</overview>
+<recommendation>
+
+<p>When you want to decompress a user-provided compressed file you must be careful about the decompression ratio or read these files within a loop byte by byte to be able to manage the decompressed size in each cycle of the loop.</p>
+
+</recommendation>
+<example>
+
+<p>
+Reading uncompressed Gzip file within a loop and check for a threshold size in each cycle.
+</p>
+<sample src="example_good.cpp"/>
+
+<p>
+An Unsafe Approach can be this example which we don't check for uncompressed size.
+</p>
+<sample src="example_bad.cpp" />
+
+</example>
+<references>
+
+<li>
+<a href="https://www.bamsoftware.com/hacks/zipbomb/">A great research to gain more impact by this kind of attacks</a>
+</li>
+
+</references>
+</qhelp>

cpp/ql/src/experimental/Security/CWE/CWE-409-DecompressionBomb/example_bad.cpp

@@ -0,0 +1,30 @@
+#include <iostream>
+#include <vector>
+#include "zlib.h"
+int UnsafeRead() {
+    std::cout << "enter compressed file name!\n" << std::endl;
+    char fileName[100];
+    std::cin >> fileName;
+    gzFile inFileZ = gzopen(fileName, "rb");
+    if (inFileZ == nullptr) {
+        printf("Error: Failed to gzopen %s\n", fileName);
+        exit(0);
+    }
+    unsigned char unzipBuffer[8192];
+    unsigned int unzippedBytes;
+    std::vector<unsigned char> unzippedData;
+    while (true) {
+        unzippedBytes = gzread(inFileZ, unzipBuffer, 8192);
+        if (unzippedBytes > 0) {
+            unzippedData.insert(unzippedData.end(), unzipBuffer, unzipBuffer + unzippedBytes);
+        } else {
+            break;
+        }
+    }
+
+   for ( auto &&i: unzippedData)
+       std::cout << i;
+    gzclose(inFileZ);
+
+    return 0;
+}

cpp/ql/src/experimental/Security/CWE/CWE-409-DecompressionBomb/example_good.cpp

@@ -0,0 +1,38 @@
+#include <iostream>
+#include <vector>
+#include "zlib.h"
+int SafeRead() {
+    std::cout << "enter compressed file name!\n" << std::endl;
+    char fileName[100];
+    std::cin >> fileName;
+    gzFile inFileZ = gzopen(fileName, "rb");
+    if (inFileZ == nullptr) {
+        printf("Error: Failed to gzopen %s\n", fileName);
+        exit(0);
+    }
+    unsigned char unzipBuffer[8192];
+    unsigned int unzippedBytes;
+    uint totalRead = 0;
+    std::vector<unsigned char> unzippedData;
+    while (true) {
+        unzippedBytes = gzread(inFileZ, unzipBuffer, 8192);
+        totalRead += unzippedBytes;
+        if (unzippedBytes > 0) {
+            unzippedData.insert(unzippedData.end(), unzipBuffer, unzipBuffer + unzippedBytes);
+            if (totalRead > 1024 * 1024 * 4) {
+                std::cout << "Bombs!" << totalRead;
+                exit(1);
+            } else {
+                std::cout << "not Bomb yet!!" << totalRead << std::endl;
+            }
+        } else {
+            break;
+        }
+    }
+
+    for (auto &&i: unzippedData)
+        std::cout << i;
+    gzclose(inFileZ);
+
+    return 0;
+}

csharp/ql/src/experimental/CWE-502-DecompressionBombs/DecompressionBomb.ql

@@ -0,0 +1,121 @@
+/**
+ * @name User-controlled file decompression
+ * @description User-controlled data that flows into decompression library APIs without checking the compression rate is dangerous
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 7.8
+ * @precision medium
+ * @id cs/user-controlled-file-decompression
+ * @tags security
+ *       experimental
+ *       external/cwe/cwe-409
+ */
+
+import csharp
+import semmle.code.csharp.security.dataflow.flowsources.Remote
+
+/**
+ * A data flow source for unsafe Decompression extraction.
+ */
+abstract class DecompressionSource extends DataFlow::Node { }
+
+class ZipOpenReadSource extends DecompressionSource {
+  ZipOpenReadSource() {
+    exists(MethodCall mc |
+      mc.getTarget().hasQualifiedName("System.IO.Compression", "ZipFile", ["OpenRead", "Open"]) and
+      this.asExpr() = mc.getArgument(0) and
+      not mc.getArgument(0).getType().isConst()
+    )
+  }
+}
+
+/** A path argument to a call to the `ZipArchive` constructor call. */
+class ZipArchiveArgSource extends DecompressionSource {
+  ZipArchiveArgSource() {
+    exists(ObjectCreation oc |
+      oc.getTarget().getDeclaringType().hasQualifiedName("System.IO.Compression", "ZipArchive")
+    |
+      this.asExpr() = oc.getArgument(0)
+    )
+  }
+}
+
+/**
+ * A data flow sink for unsafe zip extraction.
+ */
+abstract class DecompressionSink extends DataFlow::Node { }
+
+/** A Caller of the `ExtractToFile` method. */
+class ExtractToFileCallSink extends DecompressionSink {
+  ExtractToFileCallSink() {
+    exists(MethodCall mc |
+      mc.getTarget().hasQualifiedName("System.IO.Compression", "ZipFileExtensions", "ExtractToFile") and
+      this.asExpr() = mc.getArgumentForName("source")
+    )
+  }
+}
+
+/** A Qualifier of the `Open()` method. */
+class OpenCallSink extends DecompressionSink {
+  OpenCallSink() {
+    exists(MethodCall mc |
+      mc.getTarget().hasQualifiedName("System.IO.Compression", "ZipArchiveEntry", "Open") and
+      this.asExpr() = mc.getQualifier()
+    )
+  }
+}
+
+/** A Call to the `GZipStreamSink` first arugument of Constructor Call . */
+class GZipStreamSink extends DecompressionSink, DecompressionSource {
+  GZipStreamSink() {
+    exists(Constructor mc |
+      mc.getDeclaringType().hasQualifiedName("System.IO.Compression", "GZipStream") and
+      this.asExpr() = mc.getACall().getArgument(0)
+    )
+  }
+}
+
+/**
+ * A taint tracking configuration for Decompression Bomb.
+ */
+private module DecompressionBombConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source instanceof DecompressionSource
+    or
+    source instanceof RemoteFlowSource
+  }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof DecompressionSink }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    // var node2 = new ZipArchive(node1, ZipArchiveMode.Read);
+    exists(ObjectCreation oc |
+      oc.getTarget().getDeclaringType().hasQualifiedName("System.IO.Compression", "ZipArchive") and
+      node2.asExpr() = oc and
+      node1.asExpr() = oc.getArgumentForName("stream")
+    )
+    or
+    // var node2 = node1.ExtractToFile("./output.txt", true)
+    exists(MethodCall mc |
+      mc.getTarget().hasQualifiedName("System.IO.Compression", "ZipFileExtensions", "ExtractToFile") and
+      node2.asExpr() = mc and
+      node1.asExpr() = mc.getArgumentForName("source")
+    )
+    or
+    // var node2 = node1.OpenReadStream()
+    exists(MethodCall mc |
+      mc.getTarget().hasQualifiedName("Microsoft.AspNetCore.Http", "IFormFile", "OpenReadStream") and
+      node2.asExpr() = mc and
+      node1.asExpr() = mc.getQualifier()
+    )
+  }
+}
+
+module DecompressionBomb = TaintTracking::Global<DecompressionBombConfig>;
+
+import DecompressionBomb::PathGraph
+
+from DecompressionBomb::PathNode source, DecompressionBomb::PathNode sink
+where DecompressionBomb::flowPath(source, sink)
+select sink.getNode(), source, sink, "This file extraction depends on a $@.", source.getNode(),
+  "potentially untrusted source"

csharp/ql/src/experimental/CWE-502-DecompressionBombs/DecompressionBombs.qhelp

@@ -0,0 +1,26 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Extracting Compressed files with any compression algorithm like gzip can cause to denial of service attacks.</p>
+<p>Attackers can compress a huge file which created by repeated similiar byte and convert it to a small compressed file.</p>
+
+</overview>
+<recommendation>
+
+<p>When you want to decompress a user-provided compressed file you must be careful about the decompression ratio or read these files within a loop byte by byte to be able to manage the decompressed size in each cycle of the loop.</p>
+
+</recommendation>
+<example>
+
+<p>A good Blog Post about decompression bombs and recommended method is already written by Gérald Barré in <a href="https://www.meziantou.net/prevent-zip-bombs-in-dotnet.htm">this</a> blog post</p>
+
+<references>
+
+<li>
+<a href="https://www.bamsoftware.com/hacks/zipbomb/">A great research to gain more impact by this kind of attack</a>
+</li>
+
+</references>
+</qhelp>

csharp/ql/src/experimental/CWE-502-DecompressionBombs/RemoteFlowSource.qll

@@ -0,0 +1,62 @@
+import csharp
+import semmle.code.csharp.security.dataflow.flowsources.Remote
+
+/** A data flow source of remote user input by Form File (ASP.NET unvalidated request data). */
+class FormFile extends AspNetRemoteFlowSource {
+  FormFile() {
+    exists(MethodCall mc |
+      mc.getTarget()
+          .hasQualifiedName(["Microsoft.AspNetCore.Http", "Microsoft.AspNetCore.Http.Features"],
+            "IFormFile", ["OpenReadStream", "ContentType", "ContentDisposition", "Name", "FileName"]) and
+      this.asExpr() = mc
+    )
+    or
+    exists(MethodCall mc |
+      mc.getTarget()
+          .hasQualifiedName(["Microsoft.AspNetCore.Http", "Microsoft.AspNetCore.Http.Features"],
+            "IFormFile", "CopyTo") and
+      this.asParameter() = mc.getTarget().getParameter(0)
+    )
+    or
+    exists(Property fa |
+      fa.getDeclaringType()
+          .hasQualifiedName(["Microsoft.AspNetCore.Http", "Microsoft.AspNetCore.Http.Features"],
+            "IFormFile") and
+      fa.hasName(["ContentType", "ContentDisposition", "Name", "FileName"]) and
+      this.asExpr() = fa.getAnAccess()
+    )
+  }
+
+  override string getSourceType() {
+    result = "ASP.NET unvalidated request data from multipart request"
+  }
+}
+
+/** A data flow source of remote user input by Form (ASP.NET unvalidated request data). */
+class FormCollection extends AspNetRemoteFlowSource {
+  FormCollection() {
+    exists(Property fa |
+      fa.getDeclaringType().hasQualifiedName("Microsoft.AspNetCore.Http", "IFormCollection") and
+      fa.hasName("Keys") and
+      this.asExpr() = fa.getAnAccess()
+    )
+  }
+
+  override string getSourceType() {
+    result = "ASP.NET unvalidated request data from multipart request Form Keys"
+  }
+}
+
+/** A data flow source of remote user input by Headers (ASP.NET unvalidated request data). */
+class HeaderDictionary extends AspNetRemoteFlowSource {
+  HeaderDictionary() {
+    exists(Property fa |
+      fa.getDeclaringType().hasQualifiedName("Microsoft.AspNetCore.Http", "IHeaderDictionary") and
+      this.asExpr() = fa.getAnAccess()
+    )
+  }
+
+  override string getSourceType() {
+    result = "ASP.NET unvalidated request data from Headers of request"
+  }
+}