mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-06 19:35:13 +02:00
1bbe4b1cfb
* chore: Exclude CLAUDE.md from Cargo.toml * feat: add callgraph module and integrate into main analysis flow * feat: enhance CLI with new severity filtering and analysis modes * feat: update CHANGELOG with recent enhancements and fixes to severity filtering and output handling * feat: implement state-model dataflow analysis for resource lifecycle and auth state * feat: enhance diagnostic output formatting and add evidence structure * feat: implement attack surface ranking for diagnostics with scoring and sorting * feat: add comprehensive documentation for installation, usage, and rules reference * feat: add multiple language support for command execution and evaluation endpoints * feat: implement inline suppression for findings using `nyx:ignore` comments * feat: add confidence levels to AST patterns and update output structure * feat: implement low-noise prioritization system with category filtering, rollup grouping, and configurable budgets * feat: bump version to 0.4.0 and update changelog with new features and improvements * feat: add dead code allowances to various functions in mod.rs and real_world_tests.rs
89 lines
2.4 KiB
Markdown
89 lines
2.4 KiB
Markdown
# C Rules
|
|
|
|
Nyx detects C vulnerabilities through AST patterns (banned functions, format strings) and taint analysis (user input → shell execution, buffer overflow sinks).
|
|
|
|
## Taint Sources
|
|
|
|
| Function | Capability | Source Kind |
|
|
|----------|-----------|-------------|
|
|
| `getenv` | `all` | EnvironmentConfig |
|
|
| `fgets`, `scanf`, `fscanf`, `gets`, `read` | `all` | UserInput |
|
|
|
|
## Taint Sinks
|
|
|
|
| Function | Required Capability |
|
|
|----------|-------------------|
|
|
| `system`, `popen`, `exec*` family | `SHELL_ESCAPE` |
|
|
| `sprintf`, `strcpy`, `strcat` | `HTML_ESCAPE` |
|
|
| `printf`, `fprintf` | `FMT_STRING` |
|
|
| `fopen`, `open` | `FILE_IO` |
|
|
|
|
---
|
|
|
|
## AST Pattern Rules
|
|
|
|
### Memory Safety (Banned Functions)
|
|
|
|
| Rule ID | Severity | Tier | Description |
|
|
|---------|----------|------|-------------|
|
|
| `c.memory.gets` | High | A | `gets()` — no bounds checking, always exploitable |
|
|
| `c.memory.strcpy` | High | A | `strcpy()` — no bounds checking on destination buffer |
|
|
| `c.memory.strcat` | High | A | `strcat()` — no bounds checking on destination buffer |
|
|
| `c.memory.sprintf` | High | A | `sprintf()` — no length limit on output buffer |
|
|
| `c.memory.scanf_percent_s` | High | A | `scanf("%s")` — unbounded string read |
|
|
| `c.memory.printf_no_fmt` | High | B | `printf(var)` — format-string vulnerability (non-literal first arg) |
|
|
|
|
### Command Execution
|
|
|
|
| Rule ID | Severity | Tier | Description |
|
|
|---------|----------|------|-------------|
|
|
| `c.cmdi.system` | High | A | `system()` — shell command execution |
|
|
| `c.cmdi.popen` | Medium | A | `popen()` — shell command execution with pipe |
|
|
|
|
---
|
|
|
|
## Examples
|
|
|
|
### `c.memory.gets` — Banned function
|
|
|
|
**Vulnerable:**
|
|
```c
|
|
char buf[64];
|
|
gets(buf); // No bounds checking — buffer overflow
|
|
```
|
|
|
|
**Safe alternative:**
|
|
```c
|
|
char buf[64];
|
|
fgets(buf, sizeof(buf), stdin);
|
|
```
|
|
|
|
### `c.memory.printf_no_fmt` — Format string
|
|
|
|
**Vulnerable:**
|
|
```c
|
|
char *user_input = get_input();
|
|
printf(user_input); // Format string vulnerability
|
|
```
|
|
|
|
**Safe alternative:**
|
|
```c
|
|
char *user_input = get_input();
|
|
printf("%s", user_input);
|
|
```
|
|
|
|
### `c.cmdi.system` — Shell execution
|
|
|
|
**Vulnerable:**
|
|
```c
|
|
char cmd[256];
|
|
snprintf(cmd, sizeof(cmd), "ls %s", user_dir);
|
|
system(cmd); // Command injection if user_dir contains shell metacharacters
|
|
```
|
|
|
|
**Safe alternative:**
|
|
```c
|
|
// Use execvp with explicit argument array
|
|
char *args[] = {"ls", user_dir, NULL};
|
|
execvp("ls", args);
|
|
```
|