Source Code Auditing – Candidate Point analysis – List of Regular Expression patterns

When we are tasked with a manual audit of a large code base, candidate point analysis gives the quickest first results: instead of reading the code top to bottom, we grep for source constructs that are frequently written wrong, then read each hit in context to confirm or discard it. The regular expression patterns below are the ones I use for that first pass.

List of regular expression patterns (collected over a period of time; they are written for grep -E style searching and deliberately favour recall over precision, so every hit still needs a manual look):

FD exhaustion

Null termination issue (very broad: it matches any assignment of 0, so filter the hits for character buffers and terminator writes)
    .* *= *0;

Find mistaken Logical AND (using && instead of & when testing a flag against a bit mask; the test is then true for any non-zero flags value)
    flags *&& *[A-Z_]+

Improper null termination of string (off-by-one: buf[sizeof(buf)] = '\0' writes one byte past the end of the buffer; the last valid index is sizeof(buf) - 1)
    \[sizeof\(.*\)\]\ *=\ *'?\\?0'?;$
    \[sizeof\(.*\)\]\ *=

Memset mistake
    The value (c) and length arguments are sometimes swapped, e.g. memset(buf, sizeof(buf), 0) clears zero bytes instead of filling the buffer; look for memset calls whose second argument is a sizeof or a length variable.

sizeof issues (sizeof applied to a pointer parameter gives the pointer size, not the size of the buffer it points to)

strlen issues (strlen used as an allocation or copy size without the +1 for the terminator, or called on data that is not guaranteed to be NUL terminated)

Format string (a format argument that is not a string literal; the second pattern allows a multi-character destination followed by optional whitespace, then requires the next character to be something other than an opening quote)
    ^[\ \t]*printf\(getenv
    sprintf\([^,]*,\ *[^"\ ]

Improper error number checking (should have used == )
    "if (errno = E"

Improper overflow check (a length compared against the 16-bit maximum with <= is often an off-by-one; check whether the buffer actually holds 65536 bytes)
    "<= 65535"

Overflow issue

Looking for hex value usage

Misuse of an API
    getopt\ *\(argc,\ *argv,\ *\"[^\"]*;

    According to the man page, a getopt(3) optstring may contain the following elements: individual characters, characters followed by a colon, and characters followed by two colons. In this sample query, we are looking for cases where a colon was mistyped as a semi-colon. Four results showing as of the time of this writing. getopt(3) is supposed to make command line parsing easy, but clearly some command-line options go completely untested.

Find “if” condition with semicolon in the end of the line

Find ugly|hack|fixme codes
    "what the fuck?"
    "can't believe"

Looking for backdoor password
    "backdoor password"

Insecure call to CreateProcess()
    When the first parameter (lpApplicationName) is NULL, the executable name is taken from the start of lpCommandLine. If that path contains spaces and is not quoted, Windows tries each prefix in turn (C:\Program.exe before C:\Program Files\App.exe), so an attacker who can write to one of those locations gets their binary run instead.

Find crypto

User-supplied variable used in an OpenTextFile call

disable warnings
    #pragma warning\s*\(disable\s*:\s*[0-9]+\)

Look for pragma

ASP: Create object

Injection attacks (run case-insensitively; ASP code is usually mixed case)
    select \s*.*\s*from.*request\.form
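The patterns above are meant for grep; as an added example (not from the original post), the scanner below compiles the same list in Python, runs it line by line over two constructed snippets that contain the bugs the headings describe, and reports each hit as file:line. The sprintf pattern is widened so the destination may be longer than one character and may be followed by a space; the patterns marked "added" (empty if body, memset argument order, OpenTextFile and Server.CreateObject) are this example's own assumptions for headings on the page that list no pattern.

```python
import re

# Candidate-point patterns. Unmarked entries are the page's own list with the
# quotes normalised (sprintf widened as described in the lead-in); entries
# marked "added" are this example's own guesses for headings without a pattern.
PATTERNS = {
    "format string from environment": r"^[ \t]*printf\(getenv",
    "sprintf with non-literal format": r"sprintf\([^,]*, *[^\" ]",
    "errno assigned in if": r"if \(errno = E",
    "getopt optstring with semicolon": r"getopt *\(argc, *argv, *\"[^\"]*;",
    "&& used where & was meant": r"flags *&& *[A-Z_]+",
    "NUL written one past the buffer": r"\[sizeof\(.*\)\] *= *'?\\?0'?;",
    "compiler warning disabled": r"#pragma warning\s*\(disable\s*:\s*[0-9]+\)",
    "SQL built from Request.Form": r"(?i)select\s*.*\s*from.*request\.form",
    "ugly/hack/fixme marker": r"(?i)\b(ugly|hack|fixme)\b",
    "if with empty body": r"^\s*if\s*\(.*\)\s*;\s*$",                 # added
    "memset length/value swapped": r"memset\s*\([^,]*,\s*sizeof\b",    # added
    "OpenTextFile path from request": r"(?i)opentextfile\s*\(.*request\.(form|querystring)",  # added
    "Server.CreateObject": r"(?i)server\.createobject\s*\(",          # added
}
COMPILED = {label: re.compile(rx) for label, rx in PATTERNS.items()}


def scan(source, patterns=COMPILED):
    """Scan one file's text; return (line_no, label, stripped line) per hit.

    The patterns are run per line so that ^ and $ anchor to a single line,
    which is how grep would apply them.
    """
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        for label, rx in patterns.items():
            if rx.search(line):
                hits.append((no, label, line.strip()))
    return hits


# Constructed C snippet: every suspicious line is a deliberate instance of
# one of the headings above (this is sample input, not real project code).
SAMPLE_C = r'''#pragma warning(disable:4996)
#include <stdio.h>
/* FIXME: quick hack for the demo */
int main(int argc, char **argv) {
    char buf[64];
    int c, flags = 0;
    memset(buf, sizeof(buf), 0);
    while ((c = getopt(argc, argv, "a;b:")) != -1) { }
    if (flags && O_CREAT) { }
    if (c > 0);
    printf(getenv("MSG"));
    sprintf(buf, argv[1]);
    if (errno = EINTR) { }
    buf[sizeof(buf)] = '\0';
    return 0;
}
'''

# Constructed classic-ASP snippet for the web-side patterns.
SAMPLE_ASP = r'''sql = "select * from users where name = '" & Request.Form("user") & "'"
Set fso = Server.CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile(Request.Form("path"), 1)
'''

if __name__ == "__main__":
    for name, text in (("demo.c", SAMPLE_C), ("demo.asp", SAMPLE_ASP)):
        for no, label, code in scan(text):
            print(f"{name}:{no}: {label}: {code}")
```

Each hit is only a candidate point: the scanner tells you where to start reading, and the code around the line decides whether it is a bug. The very broad `.* *= *0;` pattern is left out of the list because on real code it fires on nearly every line that assigns zero.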

This entry was posted in ASP.Net, C/C++, Code review experience, Web.
