Skip to content

Remove obsolete C rule; add C++ static check for UAF and vector issues #177

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 33 commits into from
Mar 21, 2025
Merged

Remove obsolete C rule; add C++ static check for UAF and vector issues #177

merged 33 commits into from
Mar 21, 2025

Conversation

ESS-ENN
Copy link
Contributor

@ESS-ENN ESS-ENN commented Mar 20, 2025
edited by coderabbitai bot
Loading

Summary by CodeRabbit

  • New Features

    • Introduced enhanced static analysis capabilities for C++ that detect potential memory safety issues, including risks tied to unsafe string handling and iterator invalidation during vector modifications.

  • Tests

    • Added comprehensive test cases and snapshots demonstrating both safe and unsafe coding scenarios, ensuring the robustness of the new analysis rules.

Sakshis and others added 30 commits December 16, 2024 13:09
removed missing-secure-java
bb7b8e1
@ESS-ENN
Merge branch 'coderabbitai:main' into main
308e947
@ESS-ENN
Merge branch 'coderabbitai:main' into main
46efd55
@ESS-ENN
Merge branch 'coderabbitai:main' into main
3ac0204
@ESS-ENN
Merge branch 'coderabbitai:main' into main
7caba92
@ESS-ENN
Merge branch 'coderabbitai:main' into main
d3a2776
@ESS-ENN
Merge branch 'coderabbitai:main' into main
2e86380
@ESS-ENN
Merge branch 'coderabbitai:main' into main
b072db7
@ESS-ENN
Merge branch 'coderabbitai:main' into main
65dce29
@ESS-ENN
httponly-false-csharp
12bb3aa
@ESS-ENN
use-of-md5-digest-utils-java
2c5ea88
@ESS-ENN
removing use-of-md5-digest-utils and httponly-false-csharp
d3067f1
@ESS-ENN
Merge branch 'coderabbitai:main' into main
56d4011
@ESS-ENN
Merge branch 'coderabbitai:main' into main
f7f1d72
@ESS-ENN
Merge branch 'coderabbitai:main' into main
0d53f8e
@ESS-ENN
Merge branch 'coderabbitai:main' into main
b622bca
@ESS-ENN
Merge branch 'coderabbitai:main' into main
67459bf
@ESS-ENN
Merge branch 'coderabbitai:main' into main
b8b2adb
@ESS-ENN
Merge branch 'coderabbitai:main' into main
9b29d0a
@ESS-ENN
Merge branch 'coderabbitai:main' into main
24510d4
@ESS-ENN
Merge remote-tracking branch 'upstream/main' into main
6c6d229
@ESS-ENN
Merge branch 'main' of https://github.com/ESS-ENN/ast-grep-essentials
c5f0d85 
…into main
@ESS-ENN
Merge branch 'coderabbitai:main' into main
4104e61
@ESS-ENN
Merge remote-tracking branch 'upstream/main' into main
36b1114
@ESS-ENN
Merge branch 'main' of https://github.com/ESS-ENN/ast-grep-essentials
befc6b0 
…into main
@ESS-ENN
Merge branch 'coderabbitai:main' into main
7bc886d
@ESS-ENN
Merge remote-tracking branch 'upstream/main' into main
fc13546
@ESS-ENN
Merge branch 'main' of https://github.com/ESS-ENN/ast-grep-essentials
e4a1853 
…into main
@ESS-ENN
Merge branch 'coderabbitai:main' into main
b6203b0
@ESS-ENN
Merge remote-tracking branch 'upstream/main' into main
5327545
@coderabbitai coderabbitai
Copy link

coderabbitai bot commented Mar 20, 2025
edited
Loading

Walkthrough

This pull request removes an obsolete C rule for C++ pointer returns and introduces new C++ static analysis rules. The new rules detect use-after-free risks when returning pointers from string objects and vector container issues during iteration. Additionally, snapshot files and YAML test cases have been added to validate both the new use-after-free and vector invalidation patterns.

Changes

File(s) Change Summary
rules/c/security/return-c-str-c.yml Removed the return-c-str-cpp rule configuration for C++ use-after-free detection.
rules/cpp/security/return-c-str-cpp.yml Added a new rule to detect unsafe return of pointers from string objects, with detailed pattern matching and context conditions.
rules/cpp/security/std-return-data-cpp.yml Added a new rule to flag returning pointers to vector data that may become invalid, incorporating specific type checks and conditions.
rules/cpp/security/std-vector-invalidation-cpp.yml Introduced a rule to detect modifications of std::vector during iteration that could lead to iterator invalidation and memory issues.
tests/.../std-return-data-cpp-snapshot.yml, tests/.../std-vector-invalidation-cpp-snapshot.yml Added snapshot files demonstrating function examples for both vector data pointer returns and vector invalidation scenarios.
tests/cpp/std-return-data-cpp-test.yml, tests/cpp/std-vector-invalidation-cpp-test.yml Introduced test cases validating correct and incorrect usage patterns for returning vector pointers and vector iteration modifications.

Sequence Diagram(s)

sequenceDiagram
    participant Dev as Developer
    participant Analyzer as Static Analyzer
    participant RuleEngine as Rule Engine
    participant Warning as Warning System
    Dev->>Analyzer: Submit C++ code for analysis
    Analyzer->>RuleEngine: Apply new return-pointer & vector rules
    RuleEngine->>Analyzer: Return unsafe pattern matches
    Analyzer->>Warning: Generate warnings (use-after-free, vector invalidation)
    Warning->>Dev: Deliver warnings for code review
Loading

Possibly related PRs

Suggested reviewers

  • ganeshpatro321

Poem

In code’s vast burrow I begin my hop,
Sniffing for bugs that make resources drop.
With rules so fresh for strings and vectors too,
I bound through code to find what's untrue.
A happy rabbit, clever and spry,
Guarding memory with a keen, watchful eye!
🐰✨

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Generate unit testing code for this file.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai generate unit testing code for this file.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and generate unit testing code.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai generate docstrings to generate docstrings for this PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

@CLAassistant
Copy link

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ ESS-ENN
❌ Sakshis

Sakshis seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

@coderabbitai coderabbitai bot changed the title @coderabbitai Remove obsolete C rule; add C++ static check for UAF and vector issues Mar 20, 2025
coderabbitai[bot]
coderabbitai bot requested changes Mar 20, 2025
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (9)
tests/__snapshots__/std-return-data-cpp-snapshot.yml (1)

8-48: Labeling Details Verification
The labels provide a comprehensive breakdown of the source code elements (e.g., the return statement, variable declarations, and the overall function block). Ensure that the specified byte offsets (start and end values) align exactly with the corresponding code segments.

tests/cpp/std-return-data-cpp-test.yml (1)

8-8: Remove Trailing Whitespace
Line 8 contains trailing spaces. Removing these extra characters will help you pass YAML linting and maintain a clean format.

🧰 Tools
🪛 YAMLlint (1.35.1)

[error] 8-8: trailing spaces

(trailing-spaces)

tests/__snapshots__/std-vector-invalidation-cpp-snapshot.yml (1)

4-31: Label Annotations for Invalidation Patterns
The label annotations effectively highlight critical segments, such as the vec.erase(it) call and iterator initializations. Double-check that the specified start and end positions match the intended code fragments for clarity.

rules/cpp/security/return-c-str-cpp.yml (1)

16-111: Comprehensive Pattern Matching
The rule block presents an extensive set of patterns that capture multiple variations of returning string internal pointers. Although complex, the nested conditions appear to cover a wide range of cases. Consider adding inline comments or supplementary documentation for future maintainability.

rules/cpp/security/std-return-data-cpp.yml (2)

1-7: Rule Message Typo Correction
There's a minor formatting issue in the warning message. The placeholder for the function name ($FUNC) is not enclosed in matching backticks. It is currently written as:

- $FUNC` returns a pointer to the memory owned by `$VAR`. This pointer
+ `$FUNC` returns a pointer to the memory owned by `$VAR`. This pointer

Correcting this improves readability and consistency with other rules.

15-86: Thorough Pattern Matching for Local Container Data Return
This rule is well-crafted to detect return statements that expose data pointers from local containers, which can lead to use-after-free errors. The various nested conditions ensure that only the dangerous patterns are matched. Extensive testing is recommended to ensure the rule avoids false positives in complex codebases.

rules/cpp/security/std-vector-invalidation-cpp.yml (2)

4-12: Clear Warning Message with Detailed References

The message and note sections provide detailed guidance and useful references. One minor observation: the note text on line 8 ([CWE-416: Use After Free.) appears to have an unclosed bracket. Please verify if it should be "[CWE-416: Use After Free]" for clarity.

38-47: Duplicate Pattern for resize Detected

Within the rule patterns, the pattern for $CONTAINER.resize($$$) is defined twice (once on line 42 and again on line 46). To avoid redundant matching, consider removing the duplicate entry.

tests/cpp/std-vector-invalidation-cpp-test.yml (1)

91-91: Remove Trailing Spaces

Static analysis has detected trailing spaces on line 91. Please remove any extraneous whitespace to comply with YAML formatting standards.

🧰 Tools
🪛 YAMLlint (1.35.1)

[error] 91-91: trailing spaces

(trailing-spaces)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f6f63a8 and 1991bb3.

📒 Files selected for processing (8)
  • rules/c/security/return-c-str-c.yml (0 hunks)
  • rules/cpp/security/return-c-str-cpp.yml (1 hunks)
  • rules/cpp/security/std-return-data-cpp.yml (1 hunks)
  • rules/cpp/security/std-vector-invalidation-cpp.yml (1 hunks)
  • tests/__snapshots__/std-return-data-cpp-snapshot.yml (1 hunks)
  • tests/__snapshots__/std-vector-invalidation-cpp-snapshot.yml (1 hunks)
  • tests/cpp/std-return-data-cpp-test.yml (1 hunks)
  • tests/cpp/std-vector-invalidation-cpp-test.yml (1 hunks)
💤 Files with no reviewable changes (1)
  • rules/c/security/return-c-str-c.yml
🧰 Additional context used
🪛 YAMLlint (1.35.1)
tests/cpp/std-return-data-cpp-test.yml

[error] 8-8: trailing spaces

(trailing-spaces)

tests/cpp/std-vector-invalidation-cpp-test.yml

[error] 91-91: trailing spaces

(trailing-spaces)

🔇 Additional comments (12)
tests/__snapshots__/std-return-data-cpp-snapshot.yml (1)

1-7: Snapshot Definition Validity
The snapshot correctly captures the problematic pattern of returning a pointer to a local vector’s data in the function return_vector_data(). Please verify that the defined start/end positions (offsets) accurately match the intended snippet.

tests/cpp/std-return-data-cpp-test.yml (2)

1-9: Valid Scenario Test Coverage
The valid test case using the Wrapper class is well defined and correctly returns the data pointer from the member vector. This demonstrates proper usage that should not trigger the error rule.

🧰 Tools
🪛 YAMLlint (1.35.1)

[error] 8-8: trailing spaces

(trailing-spaces)

10-15: Invalid Scenario Test Coverage
The invalid test case—where a function returns a pointer to the data of a locally defined vector—is correctly highlighted. This scenario is expected to trigger the use-after-free rule.

tests/__snapshots__/std-vector-invalidation-cpp-snapshot.yml (1)

1-3: Snapshot for Vector Invalidation Patterns
The snapshot includes a diverse set of loop variants that expose unsafe operations (e.g., erasing an element during iteration). This robust set of examples will greatly aid in testing the new vector invalidation rule.

rules/cpp/security/return-c-str-cpp.yml (3)

1-7: Rule Metadata Clarity
The metadata—including the rule ID, language, severity, and the descriptive warning message—is clearly defined. The message uses placeholders ($FUNC and $STR) appropriately. Verify that these placeholders are substituted correctly during analysis.

8-14: Reference Information Provided
The note section effectively includes CWE references and documentation links, which will help developers understand the potential use-after-free risk when returning internal string pointers.

120-124: Constraint Definitions Verification
The constraints that restrict the allowed methods (c_str and data) and the string types are correctly formulated, reducing the chance of false positives. Please double-check the regex patterns for any edge case scenarios.

rules/cpp/security/std-return-data-cpp.yml (1)

8-13: Additional Context Provided
The note section effectively provides context regarding the CWE-416 issue and includes references for further reading. This additional context is valuable for developers addressing the warning.

rules/cpp/security/std-vector-invalidation-cpp.yml (2)

1-3: Rule Metadata is Clear and Correct

The header containing the rule ID, language, and severity follows the expected schema and naming conventions.

15-151: Comprehensive AST Pattern Definitions

The AST pattern definitions are thorough and cover various iterator initialization and update scenarios—including both forward and reverse iterations—while also filtering out safe cases (e.g., when a for_statement includes break, continue, return, or goto). For maintainability, you might consider adding inline comments to explain the more complex nested conditions.

tests/cpp/std-vector-invalidation-cpp-test.yml (2)

27-91: Invalid Test Cases Effectively Demonstrate Iterator Invalidation

The invalid test cases for functions loop_variant_5 through loop_variant_12 clearly illustrate unsafe iterator practices, such as:

  • Not updating the iterator after calling erase (e.g., in loop_variant_5, loop_variant_6, and loop_variant_9loop_variant_10).
  • Incorrect usage of reverse iterators (e.g., in loop_variant_7, loop_variant_8, loop_variant_11, and loop_variant_12) when passed directly to erase, which expects a forward iterator.

These examples will help ensure that the static analysis rule triggers as expected. Just ensure that these snapshots remain in sync with the rule’s intent.

🧰 Tools
🪛 YAMLlint (1.35.1)

[error] 91-91: trailing spaces

(trailing-spaces)

92-103: Correct Cross-Container Modification Example

The function:

void f(std::vector<int> &vec, std::vector<int> &other_vec) {
  for(std::vector<int>::iterator it = vec.begin(); it != vec.end(); it++) {
    if (foo()) {
      // ruleid: std-vector-invalidation
      vec.push_back(0);

      // Modifying a different container is OK
      // ok: std-vector-invalidation
      other_vec.push_back(0);
    }
  }
}

demonstrates that modifying a different container (other_vec) while iterating over vec does not raise the vector invalidation error. This example is clear and aligns well with the rule’s intent.

@ganeshpatro321 ganeshpatro321 merged commit 5d3542b into coderabbitai:main Mar 21, 2025
1 of 2 checks passed
gatsby003 pushed a commit that referenced this pull request Jul 24, 2025
@ESS-ENN @gatsby003
Remove obsolete C rule; add C++ static check for UAF and vector issues (
d731822 
#177)

* removed missing-secure-java

* httponly-false-csharp

* use-of-md5-digest-utils-java

* removing use-of-md5-digest-utils and httponly-false-csharp

* std-return-data-cpp

* std-vector-invalidation-cpp

* return-c-str-cpp

---------

Co-authored-by: Sakshis <sakshil@abc.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ganeshpatro321 ganeshpatro321 ganeshpatro321 approved these changes

@coderabbitai coderabbitai[bot] coderabbitai[bot] approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ESS-ENN @CLAassistant @ganeshpatro321