mirror of
https://github.com/elicpeter/nyx.git
synced 2026-07-09 20:52:11 +02:00
Phase 1 (#33)
* chore: Exclude CLAUDE.md from Cargo.toml * feat: add callgraph module and integrate into main analysis flow * feat: enhance CLI with new severity filtering and analysis modes * feat: update CHANGELOG with recent enhancements and fixes to severity filtering and output handling * feat: implement state-model dataflow analysis for resource lifecycle and auth state * feat: enhance diagnostic output formatting and add evidence structure * feat: implement attack surface ranking for diagnostics with scoring and sorting * feat: add comprehensive documentation for installation, usage, and rules reference * feat: add multiple language support for command execution and evaluation endpoints * feat: implement inline suppression for findings using `nyx:ignore` comments * feat: add confidence levels to AST patterns and update output structure * feat: implement low-noise prioritization system with category filtering, rollup grouping, and configurable budgets * feat: bump version to 0.4.0 and update changelog with new features and improvements * feat: add dead code allowances to various functions in mod.rs and real_world_tests.rs
This commit is contained in:
parent
19b578c5c4
commit
1bbe4b1cfb
456 changed files with 25628 additions and 1228 deletions
16
tests/fixtures/real_world/cpp/taint/cmdi_system.cpp
vendored
Normal file
16
tests/fixtures/real_world/cpp/taint/cmdi_system.cpp
vendored
Normal file
|
|
@ -0,0 +1,16 @@
|
|||
#include <cstdlib>
|
||||
#include <string>
|
||||
|
||||
void execute_user_cmd() {
|
||||
const char *cmd = std::getenv("USER_CMD");
|
||||
system(cmd);
|
||||
}
|
||||
|
||||
void execute_safe() {
|
||||
const char *cmd = std::getenv("USER_CMD");
|
||||
if (cmd == nullptr) return;
|
||||
std::string s(cmd);
|
||||
if (s == "ls" || s == "date") {
|
||||
system(cmd);
|
||||
}
|
||||
}
|
||||
45
tests/fixtures/real_world/cpp/taint/cmdi_system.expect.json
vendored
Normal file
45
tests/fixtures/real_world/cpp/taint/cmdi_system.expect.json
vendored
Normal file
|
|
@ -0,0 +1,45 @@
|
|||
{
|
||||
"description": "C++ command injection: std::getenv flows to system(). Safe version uses allowlist.",
|
||||
"tags": [
|
||||
"taint",
|
||||
"cmdi"
|
||||
],
|
||||
"modes": [
|
||||
"full"
|
||||
],
|
||||
"expected": [
|
||||
{
|
||||
"rule_id": "cpp.cmdi.system",
|
||||
"severity": null,
|
||||
"must_match": true,
|
||||
"line_range": [
|
||||
4,
|
||||
8
|
||||
],
|
||||
"evidence_contains": [],
|
||||
"notes": "system(cmd) where cmd comes from std::getenv"
|
||||
},
|
||||
{
|
||||
"rule_id": "taint-unsanitised-flow",
|
||||
"severity": null,
|
||||
"must_match": true,
|
||||
"line_range": [
|
||||
3,
|
||||
8
|
||||
],
|
||||
"evidence_contains": [],
|
||||
"notes": "std::getenv flows directly to system() without sanitization"
|
||||
},
|
||||
{
|
||||
"rule_id": "cpp.cmdi.system",
|
||||
"severity": null,
|
||||
"must_match": true,
|
||||
"line_range": [
|
||||
12,
|
||||
16
|
||||
],
|
||||
"evidence_contains": [],
|
||||
"notes": "AST pattern still matches system() in safe version"
|
||||
}
|
||||
]
|
||||
}
|
||||
9
tests/fixtures/real_world/cpp/taint/env_to_system.cpp
vendored
Normal file
9
tests/fixtures/real_world/cpp/taint/env_to_system.cpp
vendored
Normal file
|
|
@ -0,0 +1,9 @@
|
|||
#include <cstdlib>
|
||||
#include <string>
|
||||
|
||||
int main() {
|
||||
char *home = std::getenv("HOME");
|
||||
std::string cmd = "ls " + std::string(home);
|
||||
system(cmd.c_str());
|
||||
return 0;
|
||||
}
|
||||
34
tests/fixtures/real_world/cpp/taint/env_to_system.expect.json
vendored
Normal file
34
tests/fixtures/real_world/cpp/taint/env_to_system.expect.json
vendored
Normal file
|
|
@ -0,0 +1,34 @@
|
|||
{
|
||||
"description": "Environment variable concatenated into system() call \u2014 command injection via HOME",
|
||||
"tags": [
|
||||
"taint",
|
||||
"cmdi"
|
||||
],
|
||||
"modes": [
|
||||
"full"
|
||||
],
|
||||
"expected": [
|
||||
{
|
||||
"rule_id": "cpp.cmdi.system",
|
||||
"severity": null,
|
||||
"must_match": true,
|
||||
"line_range": [
|
||||
5,
|
||||
9
|
||||
],
|
||||
"evidence_contains": [],
|
||||
"notes": "system() called with command built from std::getenv(\"HOME\")"
|
||||
},
|
||||
{
|
||||
"rule_id": "taint-unsanitised-flow",
|
||||
"severity": null,
|
||||
"must_match": true,
|
||||
"line_range": [
|
||||
3,
|
||||
9
|
||||
],
|
||||
"evidence_contains": [],
|
||||
"notes": "std::getenv flows through string concatenation into system()"
|
||||
}
|
||||
]
|
||||
}
|
||||
10
tests/fixtures/real_world/cpp/taint/format_string.cpp
vendored
Normal file
10
tests/fixtures/real_world/cpp/taint/format_string.cpp
vendored
Normal file
|
|
@ -0,0 +1,10 @@
|
|||
#include <cstdio>
|
||||
#include <cstdlib>
|
||||
|
||||
void print_unsafe(const char *user_input) {
|
||||
printf(user_input);
|
||||
}
|
||||
|
||||
void print_safe(const char *user_input) {
|
||||
printf("%s", user_input);
|
||||
}
|
||||
23
tests/fixtures/real_world/cpp/taint/format_string.expect.json
vendored
Normal file
23
tests/fixtures/real_world/cpp/taint/format_string.expect.json
vendored
Normal file
|
|
@ -0,0 +1,23 @@
|
|||
{
|
||||
"description": "C++ format string vulnerability: printf with user-controlled format argument",
|
||||
"tags": [
|
||||
"taint",
|
||||
"fmt"
|
||||
],
|
||||
"modes": [
|
||||
"full"
|
||||
],
|
||||
"expected": [
|
||||
{
|
||||
"rule_id": "cpp.memory.printf_no_fmt",
|
||||
"severity": null,
|
||||
"must_match": true,
|
||||
"line_range": [
|
||||
3,
|
||||
7
|
||||
],
|
||||
"evidence_contains": [],
|
||||
"notes": "printf(user_input) \u2014 user-controlled format string"
|
||||
}
|
||||
]
|
||||
}
|
||||
12
tests/fixtures/real_world/cpp/taint/gets_strcpy.cpp
vendored
Normal file
12
tests/fixtures/real_world/cpp/taint/gets_strcpy.cpp
vendored
Normal file
|
|
@ -0,0 +1,12 @@
|
|||
#include <cstdio>
|
||||
#include <cstring>
|
||||
|
||||
void copy_unsafe(const char *input) {
|
||||
char buf[64];
|
||||
strcpy(buf, input);
|
||||
}
|
||||
|
||||
void gets_input() {
|
||||
char buf[128];
|
||||
gets(buf);
|
||||
}
|
||||
34
tests/fixtures/real_world/cpp/taint/gets_strcpy.expect.json
vendored
Normal file
34
tests/fixtures/real_world/cpp/taint/gets_strcpy.expect.json
vendored
Normal file
|
|
@ -0,0 +1,34 @@
|
|||
{
|
||||
"description": "C++ legacy C function usage: strcpy and gets without bounds checking",
|
||||
"tags": [
|
||||
"mem",
|
||||
"buffer-overflow"
|
||||
],
|
||||
"modes": [
|
||||
"full"
|
||||
],
|
||||
"expected": [
|
||||
{
|
||||
"rule_id": "cpp.memory.strcpy",
|
||||
"severity": null,
|
||||
"must_match": true,
|
||||
"line_range": [
|
||||
4,
|
||||
8
|
||||
],
|
||||
"evidence_contains": [],
|
||||
"notes": "strcpy without bounds check in C++ code"
|
||||
},
|
||||
{
|
||||
"rule_id": "cpp.memory.gets",
|
||||
"severity": null,
|
||||
"must_match": true,
|
||||
"line_range": [
|
||||
9,
|
||||
13
|
||||
],
|
||||
"evidence_contains": [],
|
||||
"notes": "gets() always unsafe \u2014 no bounds checking"
|
||||
}
|
||||
]
|
||||
}
|
||||
13
tests/fixtures/real_world/cpp/taint/popen_cmd.cpp
vendored
Normal file
13
tests/fixtures/real_world/cpp/taint/popen_cmd.cpp
vendored
Normal file
|
|
@ -0,0 +1,13 @@
|
|||
#include <cstdio>
|
||||
#include <cstdlib>
|
||||
#include <string>
|
||||
|
||||
void run_command(const std::string &user_input) {
|
||||
std::string cmd = "grep " + user_input + " /var/log/syslog";
|
||||
FILE *fp = popen(cmd.c_str(), "r");
|
||||
char buf[1024];
|
||||
while (fgets(buf, sizeof(buf), fp)) {
|
||||
printf("%s", buf);
|
||||
}
|
||||
pclose(fp);
|
||||
}
|
||||
23
tests/fixtures/real_world/cpp/taint/popen_cmd.expect.json
vendored
Normal file
23
tests/fixtures/real_world/cpp/taint/popen_cmd.expect.json
vendored
Normal file
|
|
@ -0,0 +1,23 @@
|
|||
{
|
||||
"description": "Command injection via popen: user input concatenated into shell command string",
|
||||
"tags": [
|
||||
"taint",
|
||||
"cmdi"
|
||||
],
|
||||
"modes": [
|
||||
"full"
|
||||
],
|
||||
"expected": [
|
||||
{
|
||||
"rule_id": "cpp.cmdi.popen",
|
||||
"severity": null,
|
||||
"must_match": true,
|
||||
"line_range": [
|
||||
5,
|
||||
9
|
||||
],
|
||||
"evidence_contains": [],
|
||||
"notes": "popen executes command string built from user input via string concatenation"
|
||||
}
|
||||
]
|
||||
}
|
||||
12
tests/fixtures/real_world/cpp/taint/reinterpret_cast.cpp
vendored
Normal file
12
tests/fixtures/real_world/cpp/taint/reinterpret_cast.cpp
vendored
Normal file
|
|
@ -0,0 +1,12 @@
|
|||
#include <cstring>
|
||||
#include <cstdio>
|
||||
|
||||
struct Header {
|
||||
int type;
|
||||
int length;
|
||||
};
|
||||
|
||||
void parse_packet(const char *data) {
|
||||
Header *hdr = reinterpret_cast<Header*>(const_cast<char*>(data));
|
||||
printf("Type: %d, Length: %d\n", hdr->type, hdr->length);
|
||||
}
|
||||
34
tests/fixtures/real_world/cpp/taint/reinterpret_cast.expect.json
vendored
Normal file
34
tests/fixtures/real_world/cpp/taint/reinterpret_cast.expect.json
vendored
Normal file
|
|
@ -0,0 +1,34 @@
|
|||
{
|
||||
"description": "Dangerous C++ casts: reinterpret_cast and const_cast used to parse raw data",
|
||||
"tags": [
|
||||
"cast",
|
||||
"unsafe"
|
||||
],
|
||||
"modes": [
|
||||
"full"
|
||||
],
|
||||
"expected": [
|
||||
{
|
||||
"rule_id": "cpp.memory.reinterpret_cast",
|
||||
"severity": null,
|
||||
"must_match": true,
|
||||
"line_range": [
|
||||
8,
|
||||
12
|
||||
],
|
||||
"evidence_contains": [],
|
||||
"notes": "reinterpret_cast<Header*> \u2014 type punning raw bytes to struct pointer"
|
||||
},
|
||||
{
|
||||
"rule_id": "cpp.memory.const_cast",
|
||||
"severity": null,
|
||||
"must_match": true,
|
||||
"line_range": [
|
||||
8,
|
||||
12
|
||||
],
|
||||
"evidence_contains": [],
|
||||
"notes": "const_cast<char*> removes const qualifier from data pointer"
|
||||
}
|
||||
]
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue