mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-06 19:35:13 +02:00
1bbe4b1cfb
* chore: Exclude CLAUDE.md from Cargo.toml * feat: add callgraph module and integrate into main analysis flow * feat: enhance CLI with new severity filtering and analysis modes * feat: update CHANGELOG with recent enhancements and fixes to severity filtering and output handling * feat: implement state-model dataflow analysis for resource lifecycle and auth state * feat: enhance diagnostic output formatting and add evidence structure * feat: implement attack surface ranking for diagnostics with scoring and sorting * feat: add comprehensive documentation for installation, usage, and rules reference * feat: add multiple language support for command execution and evaluation endpoints * feat: implement inline suppression for findings using `nyx:ignore` comments * feat: add confidence levels to AST patterns and update output structure * feat: implement low-noise prioritization system with category filtering, rollup grouping, and configurable budgets * feat: bump version to 0.4.0 and update changelog with new features and improvements * feat: add dead code allowances to various functions in mod.rs and real_world_tests.rs
2.4 KiB
2.4 KiB
C Rules
Nyx detects C vulnerabilities through AST patterns (banned functions, format strings) and taint analysis (user input → shell execution, buffer overflow sinks).
Taint Sources
| Function | Capability | Source Kind |
|---|---|---|
getenv |
all |
EnvironmentConfig |
fgets, scanf, fscanf, gets, read |
all |
UserInput |
Taint Sinks
| Function | Required Capability |
|---|---|
system, popen, exec* family |
SHELL_ESCAPE |
sprintf, strcpy, strcat |
HTML_ESCAPE |
printf, fprintf |
FMT_STRING |
fopen, open |
FILE_IO |
AST Pattern Rules
Memory Safety (Banned Functions)
| Rule ID | Severity | Tier | Description |
|---|---|---|---|
c.memory.gets |
High | A | gets() — no bounds checking, always exploitable |
c.memory.strcpy |
High | A | strcpy() — no bounds checking on destination buffer |
c.memory.strcat |
High | A | strcat() — no bounds checking on destination buffer |
c.memory.sprintf |
High | A | sprintf() — no length limit on output buffer |
c.memory.scanf_percent_s |
High | A | scanf("%s") — unbounded string read |
c.memory.printf_no_fmt |
High | B | printf(var) — format-string vulnerability (non-literal first arg) |
Command Execution
| Rule ID | Severity | Tier | Description |
|---|---|---|---|
c.cmdi.system |
High | A | system() — shell command execution |
c.cmdi.popen |
Medium | A | popen() — shell command execution with pipe |
Examples
c.memory.gets — Banned function
Vulnerable:
char buf[64];
gets(buf); // No bounds checking — buffer overflow
Safe alternative:
char buf[64];
fgets(buf, sizeof(buf), stdin);
c.memory.printf_no_fmt — Format string
Vulnerable:
char *user_input = get_input();
printf(user_input); // Format string vulnerability
Safe alternative:
char *user_input = get_input();
printf("%s", user_input);
c.cmdi.system — Shell execution
Vulnerable:
char cmd[256];
snprintf(cmd, sizeof(cmd), "ls %s", user_dir);
system(cmd); // Command injection if user_dir contains shell metacharacters
Safe alternative:
// Use execvp with explicit argument array
char *args[] = {"ls", user_dir, NULL};
execvp("ls", args);