Status update October 2019
This will be the first of my monthly updates on contributions to open-source software. Inspired by similar updates by Drew, these posts should give a pretty good overview of what I’m working on each month.
I rebased the upstream OWASP NodeGoat training environment with my changes — mainly XML external entities and insecure deserialization support. I also removed the ‘Research’ page which appeared in upstream. This page contained a server-side request forgery (SSRF) vulnerability, which does not exist in the Top 10 2017. While SSRF is an important class of vulnerabilities, my goal is to keep the vulnerable software as simple and focused as possible for the students.
Last month I enabled LGTM support for Cute Chess. Over the past years Cute Chess has been using the Clang static analyzer, Clazy (also based on Clang) and Coverity for analysis. The default LGTM rules did not uncover anything, which was not that surprising given that we have already run different analyzers against the code base. The power of LGTM is in custom queries. I wanted to see whether I could replicate some of the simple tests Clazy has with LGTM.
Clazy has a test that searches for uses of QFileInfo("filename").exists() instead of QFileInfo::exists("filename") for slightly better performance. Here’s the same test in QL:
import cpp

// Pair every call with the function it resolves to, then keep only calls
// to a member function named "exists" declared in QFileInfo that is not
// static, i.e. the instance method rather than QFileInfo::exists(path).
from FunctionCall fc, Function fn
where
  fc.getTarget() = fn and
  fn.getDeclaringType().getSimpleName() = "QFileInfo" and
  fn.hasName("exists") and
  not fn.isStatic()
select fc
This yields 4 results in the Cute Chess master branch.
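The query above also reports `fi.exists()` on a named QFileInfo variable, where no temporary is created. Here is an added example (not from the post or from Cute Chess) that narrows it to the pattern Clazy's check describes, a call on a QFileInfo temporary; the query id is a placeholder, and the comment marks the one assumption about how the temporary appears in the AST:

```ql
/**
 * @name Call to QFileInfo::exists() on a temporary QFileInfo
 * @description Flags QFileInfo("path").exists(), which constructs a
 *              temporary; the static QFileInfo::exists("path") avoids it.
 * @kind problem
 * @problem.severity recommendation
 * @id example/qfileinfo-exists-on-temporary (placeholder id)
 */
import cpp

/** Holds if `e` is a constructor call that builds a `QFileInfo` object. */
predicate constructsQFileInfo(Expr e) {
  e.(ConstructorCall).getTarget().getDeclaringType().getSimpleName() = "QFileInfo"
}

from FunctionCall fc, Function fn
where
  fc.getTarget() = fn and
  fn.getDeclaringType().getSimpleName() = "QFileInfo" and
  fn.hasName("exists") and
  not fn.isStatic() and
  // Assumption: the temporary is the call's qualifier, possibly wrapped in an
  // implicit conversion node, so strip conversions before matching it.
  constructsQFileInfo(fc.getQualifier().getUnconverted())
select fc,
  "QFileInfo(...).exists() constructs a temporary; use the static QFileInfo::exists() instead."
```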
Another test in Clazy searches for return statements that return a void expression. Here’s my attempt at doing the same in QL:
import cpp

// Holds if the expression's static type is void.
predicate voidExpr(Expr e) {
  e.getType() instanceof VoidType
}

// A return statement whose returned expression has type void.
class VoidReturnStmt extends ReturnStmt {
  VoidReturnStmt() { voidExpr(this.getExpr()) }
}

// Constructor calls are modelled with a void type, so exclude them
// to avoid flagging `return T(...)`-style statements.
from VoidReturnStmt r
where not (r.getExpr() instanceof ConstructorCall)
select r
It uses the predicate voidExpr and the class VoidReturnStmt to limit the search to return statements that have an expression returning void. The query returns 19 results in the master branch, which have already been flagged by Clazy.
That’s all that I have in this month. See you in the next one!