david-a-wheeler / flawfinder

a static analysis tool for finding vulnerabilities in C/C++ source code
GNU General Public License v2.0

std::istream::read() reports security issue, false alert? #59

Open oneiric opened 3 years ago

oneiric commented 3 years ago

Hi Expert,

I noticed that flawfinder reports a security issue when using the modern C++ std::istream::read(). https://en.cppreference.com/w/cpp/io/basic_istream/read

https://github.com/OpenAPITools/openapi-generator/issues/10349

The check rule in Flawfinder is as below:

https://github.com/david-a-wheeler/flawfinder/blob/d9ddc06b7efea4c626205e5d39157255d112bfe4/flawfinder.py#L1282~L1287

    # fread not included here; in practice I think it's rare to mistake it.
    "getchar|fgetc|getc|read|_gettc":
    (normal, 1,
     "Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20)",
     "",
     "buffer", "dangers-c", {'input': 1}, "FF1029"),

Is this a false alert when using the modern C++ std::istream::read() function? If not, how can this issue be fixed? https://github.com/OpenAPITools/openapi-generator/blob/master/samples/client/petstore/cpp-restsdk/client/ModelBase.cpp#L519

Regards, Alex

oneiric commented 3 years ago

By the way, the read() API is not in the latest Microsoft banned functions.

https://github.com/x509cert/banned/blob/master/banned.h

oneiric commented 3 years ago

@david-a-wheeler

david-a-wheeler commented 3 years ago

For your specific challenge, just use a flawfinder: ignore comment.

The problem is that flawfinder doesn't understand C++ namespace references. It's completely possible to add that functionality. Patches welcome.
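The gap David describes, as an added illustration that is not flawfinder's own code: a name-only scan like the quoted rule flags `in.read(...)` exactly as it flags the POSIX `read()`, while a scan that looks at the `.`, `->` or `std::` qualifier in front of the name can tell the two apart. The `Flawfinder: ignore` handling and the sample C++ lines are constructed simplifications, not the tool's real parser or the linked project's code.

```python
import re

# Names flagged by the flawfinder rule quoted in the issue; the tool matches by name only.
RISKY_NAMES = {"getchar", "fgetc", "getc", "read", "_gettc"}

# An identifier followed by '(' plus whatever qualifier precedes it: a member
# access (. or ->), a namespace prefix (std::), or a bare global scope (::).
CALL_RE = re.compile(
    r"(?P<qual>(?:\w+\s*::\s*)+|::|->|\.)?\s*(?P<name>\b[A-Za-z_]\w*)\s*\("
)

def _calls(source):
    """Yield (lineno, qualifier, name) for every call site, honouring the
    'Flawfinder: ignore' suppression comment David suggests (approximated
    here as a case-insensitive substring check, not flawfinder's real logic)."""
    for lineno, line in enumerate(source.splitlines(), 1):
        if "flawfinder: ignore" in line.lower():
            continue
        for m in CALL_RE.finditer(line):
            qual = re.sub(r"\s+", "", m.group("qual") or "")
            yield lineno, qual, m.group("name")

def naive_scan(source):
    """Name-only matching: the behaviour that produced the report in the issue."""
    return [(ln, name) for ln, _, name in _calls(source) if name in RISKY_NAMES]

def namespace_aware_scan(source):
    """Skip member calls (obj.read, ptr->read) and namespace-qualified calls
    (std::read); a bare '::read(' still names the global C function."""
    hits = []
    for ln, qual, name in _calls(source):
        if name not in RISKY_NAMES:
            continue
        if qual in (".", "->") or (qual.endswith("::") and qual != "::"):
            continue
        hits.append((ln, name))
    return hits

# Constructed C++ fragment, one statement per line (not taken from the linked project).
SAMPLE = "\n".join([
    "ssize_t n = read(fd, buf, sizeof buf);",          # 1: POSIX read, a real hit
    "in.read(reinterpret_cast<char*>(buf), len);",     # 2: std::istream::read, the false alert
    "ptr->read(buf, 4);",                              # 3: member call through a pointer
    "::read(fd, buf, 8);",                             # 4: explicit global C read
    "in.read(buf, len); /* Flawfinder: ignore */",     # 5: suppressed by the comment
    "int c = fgetc(fp);",                              # 6: a real hit
    "size_t k = fread(p, 1, len, fp);",                # 7: fread is not in the rule
])

if __name__ == "__main__":
    print("name-only:      ", naive_scan(SAMPLE))
    print("namespace-aware:", namespace_aware_scan(SAMPLE))
```

Lines 2 and 3 are the false alerts the issue is about; line 4 stays flagged because `::read` explicitly names the global C function.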

oneiric commented 3 years ago

Thanks for the suggestions, David.