Source Code Auditing – Candidate Point analysis – List of Regular Expression patterns

When we are tasked with a manual code audit of a large source code base, candidate point analysis gives the quickest initial results: instead of reading the code top to bottom, we search for the constructs that are most often wrong and audit those first. Regular expression patterns are a cheap way to find such candidate points.

List of regular expression patterns (patterns I have collected over a period of time). Several of them are written entirely in lower case (getparameter, createobject, executequery) and therefore only match real code with a case-insensitive search such as grep -i. Quotation marks inside the patterns are plain ASCII quotes.

FD exhaustion
    if\(fd>=0

Null termination issue
    .* *= *0;
    '\'

Find a mistaken logical AND (&& used where a bitwise & was intended, typically when testing flag bits)
    flags *&& *[A-Z_]+

Improper null termination of string (off-by-one)
    \[sizeof\(.*\)\]\ *=\ *'?\\?0'?;$
    \[sizeof\(.*\)\]\ *=

Memset mistake
    The value (c) and length (n) arguments are sometimes swapped, as in memset(buf, sizeof(buf), 0), which sets zero bytes and so clears nothing.

sizeof issues
    strncat\s*\(.*sizeof\s*\(.*\)\s*\)\s*;

strlen issues
    strncpy\s*\(.*,.*,\s*strlen\s*\(.*\s*\)

Format string
    ^[\ \t]*printf\(getenv
    sprintf\([^,],[^"\ ]
    printf\(getenv|printf\(argv

Improper error number checking (assignment where == was intended)
    "if (errno = E"

Improper overflow check
    "<= 65553"
    "<<"

Overflow issue
    strcpy\(.*argv|sprintf\(.*argv|strcat\(.*argv

Looking for hex value usage
    0xfffffff[^0-9a-f]

Misuse of an API
    getopt\ *\(argc,\ *argv,\ *\"[^\"]*;

    According to the man page, a getopt(3) optstring may contain the following elements: individual characters, characters followed by a colon, and characters followed by two colons. This query looks for cases where a colon was mistyped as a semicolon. Four results were showing at the time of writing. getopt(3) is supposed to make command-line parsing easy, but clearly some command-line options go completely untested.

Find an "if" condition followed by a semicolon at the end of the line (empty body)
    \sif\([^)]*\);
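To show how the C patterns above behave on real input, here is an added Python example (not part of the original list) that compiles a handful of them, with the quote characters as plain ASCII, and runs them line by line over a constructed C fragment. The memset pattern is my own addition, since the list names that mistake but gives no expression for it; the sample code is constructed and not taken from any project. Note that the sizeof pattern flags buf[sizeof(buf)] = '\0' but not the correct buf[sizeof(buf) - 1] = '\0'.

```python
import re

# Patterns from the list above, with smart quotes replaced by ASCII quotes.
# The memset pattern is a constructed addition: the list names the mistake
# (value and length swapped) but gives no expression for it.
C_PATTERNS = {
    "NUL written one past the buffer": r"\[sizeof\(.*\)\]\ *=\ *'?\\?0'?;$",
    "strncpy bounded by strlen(src), not the destination size": r"strncpy\s*\(.*,.*,\s*strlen\s*\(.*\s*\)",
    "assignment to errno instead of comparison": r"if \(errno = E",
    "getopt optstring with ';' instead of ':'": r'getopt\ *\(argc,\ *argv,\ *\"[^\"]*;',
    "if condition followed by a stray semicolon": r"\sif\([^)]*\);",
    "memset value and length swapped (constructed pattern)": r"memset\s*\(.*,\s*sizeof\s*\(.*\)\s*,\s*0\s*\)",
    "unbounded copy of argv into a buffer": r"strcpy\(.*argv|sprintf\(.*argv|strcat\(.*argv",
}


def audit(source, patterns=C_PATTERNS):
    """Run every pattern over each line; return (line number, label, line) hits."""
    compiled = [(label, re.compile(rx)) for label, rx in patterns.items()]
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for label, rx in compiled:
            if rx.search(line):
                hits.append((lineno, label, line.strip()))
    return hits


# Constructed C fragment: lines 2 to 8 each carry one of the mistakes,
# lines 1 and 9 are clean (line 9 is the correct form of line 2).
SAMPLE_C = r"""
char buf[64];
buf[sizeof(buf)] = '\0';
strncpy(dst, src, strlen(src));
if (errno = EINTR) goto retry;
while ((c = getopt(argc, argv, "a:b;c")) != -1) {
    if(fd < 0);
memset(buf, sizeof(buf), 0);
strcpy(buf, argv[1]);
buf[sizeof(buf) - 1] = '\0';
""".strip("\n")


if __name__ == "__main__":
    for lineno, label, text in audit(SAMPLE_C):
        print(f"line {lineno}: {label}\n    {text}")
```

Running the script prints one finding for each of lines 2 to 8 and nothing for line 9; the candidate points still have to be read by hand, the patterns only decide where to start.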

Find ugly|hack|fixme comments
    ugly|hack|fixme|shit|fuck|idiot|guy|wrote|stupid|retarded|drunk|crap|evil|holy|headache|gets
    "what the fuck?"
    "can't believe"

Looking for backdoor password
    "backdoor password"

Insecure call to CreateProcess()
    When its first parameter (the application name) is NULL, CreateProcess() tries to load the executable from multiple places, taking the command line up to each space in turn as the module path.

Find home-made crypto (XOR operations near secret or password variables)
    [a-zA-Z0-9_]+\s+\^\s+[a-zA-Z0-9_]+.*(secret|pwd|passphrase|cipher|cypher)
    (secret|pwd|passphrase|cipher|cypher).*[a-zA-Z0-9_]+\s+\^\s+[a-zA-Z0-9_]+
   
User-supplied (Request.*) value used in an OpenTextFile call
    opentextfile\s*\(\s*request\..*

disable warnings
    #pragma warning\s*\(disable\s*:\s*[0-9]+\)

Look for pragma
    “#pragma”

ASP: Create object
    server\.createobject\s*\(\"name\..*

Injection attacks
    <%=.*getparameter
    response\.write\s*\(request\.
    select \s*.*\s*from.*request\.form
    select\s*[a-zA-Z_0-9,\*\s]+\s*from\s*[a-zA-Z_0-9,\*\s]+\s*.*request\s*\[\s*\".*\"\s*\]
    select\s*[a-zA-Z_0-9,\*\s]+\s*from\s*[a-zA-Z_0-9,\*\s]+\s*.*cookie.*\(\s*\".*\"\s*\)
    executequery.*getparameter
    select.*from.*where.*%\$[a-zA-Z0-9]+%
    out\.println\s*\(\s*request\.getparameter\s*\(\s*\"
    \s+print.*\$cgi->param\s*\(["']
    (echo|print).*\$_(GET|POST|COOKIE|REQUEST)
    query\(.*\$_(GET|POST|COOKIE|REQUEST).*\)
    (include|require)\s*(\(|\s).*\$_(GET|POST|COOKIE|REQUEST)
    \s+eval\s*\(\s*\$_(GET|POST|COOKIE|REQUEST)
    (system|popen|shell_exec|exec)\s*\(\$_(GET|POST|COOKIE|REQUEST).*\)
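The web patterns mix languages and, for ASP and Java, are written in lower case, so whether they fire depends on the search being case-insensitive. The added Python example below (not part of the original list) runs a subset of them over constructed PHP, ASP and JSP lines once case-sensitively and once with re.IGNORECASE; the sample lines are made up for the demonstration and taken from no real application.

```python
import re

# Web patterns from the list above, quotes normalized to ASCII.  The ASP and
# Java ones are written in lower case, so they need re.IGNORECASE to match
# real identifiers such as Response.Write or getParameter.
WEB_PATTERNS = {
    "PHP: request data echoed unescaped": r"(echo|print).*\$_(GET|POST|COOKIE|REQUEST)",
    "PHP: request data passed to a shell": r"(system|popen|shell_exec|exec)\s*\(\$_(GET|POST|COOKIE|REQUEST).*\)",
    "PHP: request data used as include path": r"(include|require)\s*(\(|\s).*\$_(GET|POST|COOKIE|REQUEST)",
    "PHP: request data concatenated into a query": r"query\(.*\$_(GET|POST|COOKIE|REQUEST).*\)",
    "ASP: request written straight to the response": r"response\.write\s*\(request\.",
    "JSP: request parameter printed straight to the page": r'out\.println\s*\(\s*request\.getparameter\s*\(\s*\"',
    "Java: request parameter reaches executeQuery": r"executequery.*getparameter",
}


def audit_web(source, ignore_case=True, patterns=WEB_PATTERNS):
    """Return (line number, label, line) hits; ignore_case mirrors grep -i."""
    flags = re.IGNORECASE if ignore_case else 0
    compiled = [(label, re.compile(rx, flags)) for label, rx in patterns.items()]
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for label, rx in compiled:
            if rx.search(line):
                hits.append((lineno, label, line.strip()))
    return hits


# Constructed sample lines (PHP on 1-4, ASP on 5, JSP/Java on 6-7);
# only the last line is clean.
WEB_SAMPLE = r"""
echo $_GET['name'];
system($_POST['cmd']);
include($_GET['page'] . '.php');
$result = mysql_query("SELECT * FROM users WHERE id=" . $_GET['id']);
Response.Write(Request.QueryString("user"))
out.println(request.getParameter("q"));
ResultSet rs = stmt.executeQuery("SELECT * FROM t WHERE id=" + request.getParameter("id"));
echo htmlspecialchars($name);
""".strip("\n")


if __name__ == "__main__":
    for mode in (False, True):
        found = sorted({h[0] for h in audit_web(WEB_SAMPLE, ignore_case=mode)})
        print(f"ignore_case={mode}: hits on lines {found}")
```

The case-sensitive run only reports the four PHP lines, because the PHP patterns happen to be in the right case; the ASP and Java lines are missed entirely until the search is made case-insensitive, which is why the lower-case patterns in this list should always be run with grep -i or an equivalent flag.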

This entry was posted in ASP.Net, C/C++, Code review experience, Web.