From 9b6455316f31d367462b259555ca3931e7711ef0 Mon Sep 17 00:00:00 2001
From: aastha
Date: Mon, 6 May 2024 17:51:35 +0530
Subject: [PATCH 1/5] Added missing samples for cpp
---
 .../compliant.cpp | 20 +++++++++++++++++++
 .../non-compliant.cpp | 17 ++++++++++++++++
 .../compliant.cpp | 17 ++++++++++++++++
 .../non-compliant.cpp | 16 +++++++++++++++
 .../insecure-cryptography/compliant.cpp | 16 +++++++++++++++
 .../insecure-cryptography/non-compliant.cpp | 16 +++++++++++++++
 6 files changed, 102 insertions(+)
 create mode 100644 cpp/src/detectors/do-not-disable-html-autoescape/compliant.cpp
 create mode 100644 cpp/src/detectors/do-not-disable-html-autoescape/non-compliant.cpp
 create mode 100644 cpp/src/detectors/improper-restriction-on-memory-buffer/compliant.cpp
 create mode 100644 cpp/src/detectors/improper-restriction-on-memory-buffer/non-compliant.cpp
 create mode 100644 cpp/src/detectors/insecure-cryptography/compliant.cpp
 create mode 100644 cpp/src/detectors/insecure-cryptography/non-compliant.cpp
diff --git a/cpp/src/detectors/do-not-disable-html-autoescape/compliant.cpp b/cpp/src/detectors/do-not-disable-html-autoescape/compliant.cpp
new file mode 100644
index 0000000..6512171
--- /dev/null
+++ b/cpp/src/detectors/do-not-disable-html-autoescape/compliant.cpp
@@ -0,0 +1,20 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+// {fact rule=do-not-disable-html-autoescape@v1.0 defects=0}
+#include
+
+void compliant1() {
+ char* query = getenv("QUERY_STRING");
+ puts("

Query results for ");
+ // Compliant: Escape HTML characters before adding to a page
+ char* query_escaped = escape_html(query);
+ puts(query_escaped);
+ free(query_escaped);
+
+ puts("\n

\n");
+ puts(do_search(query));
+ }
+// {/fact}
\ No newline at end of file
diff --git a/cpp/src/detectors/do-not-disable-html-autoescape/non-compliant.cpp b/cpp/src/detectors/do-not-disable-html-autoescape/non-compliant.cpp
new file mode 100644
index 0000000..4a1b0ff
--- /dev/null
+++ b/cpp/src/detectors/do-not-disable-html-autoescape/non-compliant.cpp
@@ -0,0 +1,17 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+// {fact rule=do-not-disable-html-autoescape@v1.0 defects=1}
+#include
+
+void noncompliant1() {
+ char* query = getenv("QUERY_STRING");
+ puts("
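Review bot: `query` is handed to `escape_html()` and `do_search()` without a NULL check, although `getenv("QUERY_STRING")` returns NULL when the variable is unset; the non-compliant sibling file added in this same commit has the same gap before its `puts(query)`. A guard right after the lookup, `if (query == NULL) { return; }`, keeps the sample's escaping point intact while making the behaviour defined. Neither `escape_html` nor `do_search` is declared anywhere in the patch, and on this page every `#include` appears without a header operand, so if that is not an extraction artifact the samples will not compile as written. Since `query_escaped` is released with `free`, `escape_html` presumably allocates; whether `do_search` does too is not visible here, and a one-line comment stating who owns its result would save the next reader the guess.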

Query results for ");
+ // Noncompliant: Printing out an HTTP parameter with no escaping
+ puts(query);
+ puts("\n

\n");
+ puts(do_search(query));
+ }
+// {/fact}
\ No newline at end of file
diff --git a/cpp/src/detectors/improper-restriction-on-memory-buffer/compliant.cpp b/cpp/src/detectors/improper-restriction-on-memory-buffer/compliant.cpp
new file mode 100644
index 0000000..e9eeed7
--- /dev/null
+++ b/cpp/src/detectors/improper-restriction-on-memory-buffer/compliant.cpp
@@ -0,0 +1,17 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+// {fact rule=improper-restriction-on-memory-buffer@v1.0 defects=0}
+#include
+
+ void compliantTest1() {
+ char buffer[20];
+ const char* data = "ThisIsALongString";
+ // Compliant: `strncpy` used to prevent buffer overflow
+ strncpy(buffer, data, sizeof(buffer) - 1);
+ buffer[sizeof(buffer) - 1] = '\0'; // Null-terminate the string
+ }
+
+// {/fact}
\ No newline at end of file
diff --git a/cpp/src/detectors/improper-restriction-on-memory-buffer/non-compliant.cpp b/cpp/src/detectors/improper-restriction-on-memory-buffer/non-compliant.cpp
new file mode 100644
index 0000000..b24356e
--- /dev/null
+++ b/cpp/src/detectors/improper-restriction-on-memory-buffer/non-compliant.cpp
@@ -0,0 +1,16 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+// {fact rule=improper-restriction-on-memory-buffer@v1.0 defects=1}
+#include
+
+ void nonCompliantTest1() {
+ char buffer[10];
+ const char* data = "ThisIsALongString";
+ // Non-compliant: Buffer overflow may occur no size check
+ strcpy(buffer, data);
+ }
+
+// {/fact}
\ No newline at end of file
diff --git a/cpp/src/detectors/insecure-cryptography/compliant.cpp b/cpp/src/detectors/insecure-cryptography/compliant.cpp
new file mode 100644
index 0000000..72cef24
--- /dev/null
+++ b/cpp/src/detectors/insecure-cryptography/compliant.cpp
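Review bot: The comment "Compliant: strncpy used to prevent buffer overflow" in the new compliant.cpp credits `strncpy` with more than it does: `strncpy` bounds the copy but does not guarantee termination, and it is the explicit `buffer[sizeof(buffer) - 1] = '\0';` on the following line that makes this sample safe. Suggested wording: `// Compliant: bounded copy plus explicit NUL termination (strncpy alone does not terminate on truncation)`. With a 17-byte literal and a 20-byte buffer the copy never truncates, so the sample never shows the truncation case; `snprintf(buffer, sizeof buffer, "%s", data)` is the idiomatic bounded copy, but swapping the call would also change what the detector is meant to recognise, so I only suggest mentioning it in the comment. All six new files also end without a trailing newline (`\ No newline at end of file`), which the later cleanup commits in this series leave in place.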
@@ -0,0 +1,16 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+// {fact rule=insecure-cryptography@v1.0 defects=0}
+#include
+
+ void compliant1(EVP_PKEY_CTX *ctx)
+ {
+
+ // compliaint: 2048 bits for an RSA key
+ EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048);
+
+ }
+// {/fact}
\ No newline at end of file
diff --git a/cpp/src/detectors/insecure-cryptography/non-compliant.cpp b/cpp/src/detectors/insecure-cryptography/non-compliant.cpp
new file mode 100644
index 0000000..802cf84
--- /dev/null
+++ b/cpp/src/detectors/insecure-cryptography/non-compliant.cpp
@@ -0,0 +1,16 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+// {fact rule=insecure-cryptography@v1.0 defects=1}
+#include
+
+ void noncompliant1(EVP_PKEY_CTX *ctx)
+ {
+
+ // Noncompiat: only 1024 bits for an RSA key
+ EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 1024);
+ }
+
+// {/fact}
\ No newline at end of file
From b597fc2a2dbe2fda5ea752961bca4fd6667c7385 Mon Sep 17 00:00:00 2001
From: aastha
Date: Mon, 6 May 2024 18:20:05 +0530
Subject: [PATCH 2/5] Spelling
---
 .../improper-restriction-on-memory-buffer/non-compliant.cpp | 2 +-
 cpp/src/detectors/insecure-cryptography/compliant.cpp | 2 +-
 cpp/src/detectors/insecure-cryptography/non-compliant.cpp | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/cpp/src/detectors/improper-restriction-on-memory-buffer/non-compliant.cpp b/cpp/src/detectors/improper-restriction-on-memory-buffer/non-compliant.cpp
index b24356e..9a547bd 100644
--- a/cpp/src/detectors/improper-restriction-on-memory-buffer/non-compliant.cpp
+++ b/cpp/src/detectors/improper-restriction-on-memory-buffer/non-compliant.cpp
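Review bot: The result of `EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048)` is discarded, so a caller never learns when the key-size setting was not applied; the `noncompliant1` sample added in this same commit has the same unchecked call. OpenSSL signals failure from this setter with a non-positive return, so the compliant sample should read `if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048) <= 0) { /* handle error */ }`. A short comment that 2048 bits is the minimum acceptable RSA size rather than a generous margin would also make the sample's intent clearer to readers who copy it.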
@@ -9,7 +9,7 @@ void nonCompliantTest1() { char buffer[10]; const char* data = "ThisIsALongString"; - // Non-compliant: Buffer overflow may occur no size check + // Noncompliant: Buffer overflow may occur no size check strcpy(buffer, data); }
diff --git a/cpp/src/detectors/insecure-cryptography/compliant.cpp b/cpp/src/detectors/insecure-cryptography/compliant.cpp
index 72cef24..67ab028 100644
--- a/cpp/src/detectors/insecure-cryptography/compliant.cpp
+++ b/cpp/src/detectors/insecure-cryptography/compliant.cpp
@@ -9,7 +9,7 @@ void compliant1(EVP_PKEY_CTX *ctx) { - // compliaint: 2048 bits for an RSA key + // Compliant: 2048 bits for an RSA key EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048); }
diff --git a/cpp/src/detectors/insecure-cryptography/non-compliant.cpp b/cpp/src/detectors/insecure-cryptography/non-compliant.cpp
index 802cf84..53ca865 100644
--- a/cpp/src/detectors/insecure-cryptography/non-compliant.cpp
+++ b/cpp/src/detectors/insecure-cryptography/non-compliant.cpp
@@ -9,7 +9,7 @@ void noncompliant1(EVP_PKEY_CTX *ctx) { - // Noncompiat: only 1024 bits for an RSA key + // Noncompiant: only 1024 bits for an RSA key EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 1024); }
From eeb07bc63ca2c2b5cfa5067736e5927db5c08984 Mon Sep 17 00:00:00 2001
From: aastha
Date: Mon, 6 May 2024 18:55:42 +0530
Subject: [PATCH 3/5] corrected
---
 .../improper-restriction-on-memory-buffer/compliant.cpp | 3 +--
 .../improper-restriction-on-memory-buffer/non-compliant.cpp | 3 +--
 cpp/src/detectors/insecure-cryptography/non-compliant.cpp | 5 ++---
 3 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/cpp/src/detectors/improper-restriction-on-memory-buffer/compliant.cpp b/cpp/src/detectors/improper-restriction-on-memory-buffer/compliant.cpp
index e9eeed7..39bafb1 100644
--- a/cpp/src/detectors/improper-restriction-on-memory-buffer/compliant.cpp
+++ b/cpp/src/detectors/improper-restriction-on-memory-buffer/compliant.cpp
@@ -12,6 +12,5 @@
 // Compliant: `strncpy` used to prevent buffer overflow
 strncpy(buffer, data, sizeof(buffer) - 1);
 buffer[sizeof(buffer) - 1] = '\0'; // Null-terminate the string
- }
-
+ }
 // {/fact}
\ No newline at end of file
diff --git a/cpp/src/detectors/improper-restriction-on-memory-buffer/non-compliant.cpp b/cpp/src/detectors/improper-restriction-on-memory-buffer/non-compliant.cpp
index 9a547bd..e1b939b 100644
--- a/cpp/src/detectors/improper-restriction-on-memory-buffer/non-compliant.cpp
+++ b/cpp/src/detectors/improper-restriction-on-memory-buffer/non-compliant.cpp
@@ -11,6 +11,5 @@
 const char* data = "ThisIsALongString";
 // Noncompliant: Buffer overflow may occur no size check
 strcpy(buffer, data);
- }
-
+ }
 // {/fact}
\ No newline at end of file
diff --git a/cpp/src/detectors/insecure-cryptography/non-compliant.cpp b/cpp/src/detectors/insecure-cryptography/non-compliant.cpp
index 53ca865..57e216e 100644
--- a/cpp/src/detectors/insecure-cryptography/non-compliant.cpp
+++ b/cpp/src/detectors/insecure-cryptography/non-compliant.cpp
@@ -9,8 +9,7 @@ void noncompliant1(EVP_PKEY_CTX *ctx) { - // Noncompiant: only 1024 bits for an RSA key + // Noncompliant: only 1024 bits for an RSA key EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 1024); - } - + } // {/fact}
\ No newline at end of file
From 8eab57c0809bd9ab48108aa6634551397a669a4d Mon Sep 17 00:00:00 2001
From: aastha
Date: Wed, 15 May 2024 15:16:52 +0530
Subject: [PATCH 4/5] Corrected samples
---
 cpp/src/detectors/do-not-disable-html-autoescape/compliant.cpp | 2 +-
 .../detectors/do-not-disable-html-autoescape/non-compliant.cpp | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/cpp/src/detectors/do-not-disable-html-autoescape/compliant.cpp b/cpp/src/detectors/do-not-disable-html-autoescape/compliant.cpp
index 6512171..fdfdf8c 100644
--- a/cpp/src/detectors/do-not-disable-html-autoescape/compliant.cpp
+++ b/cpp/src/detectors/do-not-disable-html-autoescape/compliant.cpp
@@ -6,7 +6,7 @@ // {fact rule=do-not-disable-html-autoescape@v1.0 defects=0} #include -void compliant1() { +void HTMLAuoescape() { char* query = getenv("QUERY_STRING"); puts("

Query results for ");
 // Compliant: Escape HTML characters before adding to a page
diff --git a/cpp/src/detectors/do-not-disable-html-autoescape/non-compliant.cpp b/cpp/src/detectors/do-not-disable-html-autoescape/non-compliant.cpp
index 4a1b0ff..4ba614c 100644
--- a/cpp/src/detectors/do-not-disable-html-autoescape/non-compliant.cpp
+++ b/cpp/src/detectors/do-not-disable-html-autoescape/non-compliant.cpp
@@ -6,7 +6,7 @@ // {fact rule=do-not-disable-html-autoescape@v1.0 defects=1} #include -void noncompliant1() { +void DisabledHTMLAutoEscape() { char* query = getenv("QUERY_STRING"); puts("

Query results for ");
 // Noncompliant: Printing out an HTTP parameter with no escaping
From 6528ddbc5654d1d7e94d0f7ea3ee82f84f1e6b42 Mon Sep 17 00:00:00 2001
From: aastha
Date: Tue, 28 May 2024 10:44:37 +0530
Subject: [PATCH 5/5] Addressed cosmetic comments
---
 cpp/src/detectors/do-not-disable-html-autoescape/compliant.cpp | 2 +-
 .../detectors/do-not-disable-html-autoescape/non-compliant.cpp | 2 +-
 .../improper-restriction-on-memory-buffer/compliant.cpp | 2 +-
 .../improper-restriction-on-memory-buffer/non-compliant.cpp | 2 +-
 cpp/src/detectors/insecure-cryptography/compliant.cpp | 2 +-
 cpp/src/detectors/insecure-cryptography/non-compliant.cpp | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/cpp/src/detectors/do-not-disable-html-autoescape/compliant.cpp b/cpp/src/detectors/do-not-disable-html-autoescape/compliant.cpp
index fdfdf8c..dea2aa8 100644
--- a/cpp/src/detectors/do-not-disable-html-autoescape/compliant.cpp
+++ b/cpp/src/detectors/do-not-disable-html-autoescape/compliant.cpp
@@ -6,7 +6,7 @@ // {fact rule=do-not-disable-html-autoescape@v1.0 defects=0} #include -void HTMLAuoescape() { +void doNotDisableHtmlAutoEscapeComplaint() { char* query = getenv("QUERY_STRING"); puts("

Query results for ");
 // Compliant: Escape HTML characters before adding to a page
diff --git a/cpp/src/detectors/do-not-disable-html-autoescape/non-compliant.cpp b/cpp/src/detectors/do-not-disable-html-autoescape/non-compliant.cpp
index 4ba614c..081c98d 100644
--- a/cpp/src/detectors/do-not-disable-html-autoescape/non-compliant.cpp
+++ b/cpp/src/detectors/do-not-disable-html-autoescape/non-compliant.cpp
@@ -6,7 +6,7 @@ // {fact rule=do-not-disable-html-autoescape@v1.0 defects=1} #include -void DisabledHTMLAutoEscape() { +void doNotDisableHtmlAutoEscapeNoncomplaint() { char* query = getenv("QUERY_STRING"); puts("
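Review bot: The new name `doNotDisableHtmlAutoEscapeComplaint` spells "Compliant" as "Complaint", and the sibling rename in this commit, `doNotDisableHtmlAutoEscapeNoncomplaint`, carries the same typo; the other four renames in the series (`improperRestrictionOnMemoryBufferCompliant`, `insecureCryptographyCompliant1` and their non-compliant counterparts) spell it correctly, so these two are the odd ones out. Suggested: `void doNotDisableHtmlAutoEscapeCompliant() {` and `void doNotDisableHtmlAutoEscapeNoncompliant() {`. The bodies of both functions continue outside the hunk.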

Query results for ");
 // Noncompliant: Printing out an HTTP parameter with no escaping
diff --git a/cpp/src/detectors/improper-restriction-on-memory-buffer/compliant.cpp b/cpp/src/detectors/improper-restriction-on-memory-buffer/compliant.cpp
index 39bafb1..aa69347 100644
--- a/cpp/src/detectors/improper-restriction-on-memory-buffer/compliant.cpp
+++ b/cpp/src/detectors/improper-restriction-on-memory-buffer/compliant.cpp
@@ -6,7 +6,7 @@ // {fact rule=improper-restriction-on-memory-buffer@v1.0 defects=0} #include - void compliantTest1() { + void improperRestrictionOnMemoryBufferCompliant() { char buffer[20]; const char* data = "ThisIsALongString"; // Compliant: `strncpy` used to prevent buffer overflow
diff --git a/cpp/src/detectors/improper-restriction-on-memory-buffer/non-compliant.cpp b/cpp/src/detectors/improper-restriction-on-memory-buffer/non-compliant.cpp
index e1b939b..6aabc66 100644
--- a/cpp/src/detectors/improper-restriction-on-memory-buffer/non-compliant.cpp
+++ b/cpp/src/detectors/improper-restriction-on-memory-buffer/non-compliant.cpp
@@ -6,7 +6,7 @@ // {fact rule=improper-restriction-on-memory-buffer@v1.0 defects=1} #include - void nonCompliantTest1() { + void improperRestrictionOnMemoryBufferNoncompliant() { char buffer[10]; const char* data = "ThisIsALongString"; // Noncompliant: Buffer overflow may occur no size check
diff --git a/cpp/src/detectors/insecure-cryptography/compliant.cpp b/cpp/src/detectors/insecure-cryptography/compliant.cpp
index 67ab028..d8bbc74 100644
--- a/cpp/src/detectors/insecure-cryptography/compliant.cpp
+++ b/cpp/src/detectors/insecure-cryptography/compliant.cpp
@@ -6,7 +6,7 @@ // {fact rule=insecure-cryptography@v1.0 defects=0} #include - void compliant1(EVP_PKEY_CTX *ctx) + void insecureCryptographyCompliant1(EVP_PKEY_CTX *ctx) { // Compliant: 2048 bits for an RSA key
diff --git a/cpp/src/detectors/insecure-cryptography/non-compliant.cpp b/cpp/src/detectors/insecure-cryptography/non-compliant.cpp
index 57e216e..f10d552 100644
--- a/cpp/src/detectors/insecure-cryptography/non-compliant.cpp
+++ b/cpp/src/detectors/insecure-cryptography/non-compliant.cpp
@@ -6,7 +6,7 @@ // {fact rule=insecure-cryptography@v1.0 defects=1} #include - void noncompliant1(EVP_PKEY_CTX *ctx) + void insecureCryptographyNoncompliant1(EVP_PKEY_CTX *ctx) { // Noncompliant: only 1024 bits for an RSA key