Status update October 2019

October 20, 2019

This is will be my first update of monthly updates of contributions to open-source software. Inspired by similar updates by Drew, these posts should give pretty good overview on what I’m working on each month.

I rebased the upstream OWASP NodeGoat training environment with my changes — mainly XML external entities and insecure deserialization support. I also removed the ‘Research’ page which appeared in upstream. This page contained a server side request forgery (SSRF) vulnerability which does not exist in Top 10 2017. While SSRF is an important class of vulnerabilities, my goal is to keep the vulnerable software as simple and focused as possible for the students.

Last month I enabled LGTM support for Cute Chess. For the past years Cute Chess has been using Clang static analyzer, Clazy (also based on Clang) and Coverity for analysis. The default LGTM rules did not uncover anything which was not that surprising given that we have already run different analyzers against the code base. The power of LGTM is in custom queries. I wanted to try whether I could replicate some simple tests Clazy has with LGTM.

Clazy has a test that searches for uses of QFileInfo("filename").exists instead of QFileInfo::exists("filename") for slightly better performance.

Here’s the same test in QL:

import cpp

from FunctionCall fc, Function fn
where
  fc.getTarget() = fn and
  fn.getDeclaringType().getSimpleName() = "QFileInfo" and
  fn.hasName("exists") and
  not fn.isStatic()
select fc

This yields 4 results in the Cute Chess master branch.

Another test in Clazy searches for returning void expressions. Here’s my attempt of using QL to do the same:

import cpp

predicate voidExpr(Expr e) {
  e.getType() instanceof VoidType
}

class VoidReturnStmt extends ReturnStmt {
  VoidReturnStmt() { voidExpr(this.getExpr()) }
}

from VoidReturnStmt r
  where not (r.getExpr() instanceof ConstructorCall)
select r

It uses predicate and class to limit the search only for return statements that have an expression returning void. The query returns 19 results in the master branch which have already been flagged by Clazy.

That’s all that I have in this month. See you in the next one!