raptor-ret-stack-address not checking for `static` variables
parsiya opened this issue · 2 comments
The raptor-ret-stack-address rule checks if we are returning a pointer to a stack variable.
It returns a false positive if we are returning a static variable.
static SomeObject* getObject()
{
static SomeObject o;
return &o;
}This usually happens inside a static function.
Adding all the edge cases will be a pain, we basically have to add a pattern-not-inside for each pattern-inside.
I tried filtering the $TYPE metavariable and filtering with metavariable-regex. But $TYPE only contains the type (e.g., SomeObject here) and not static.
You could also decide that the false positives are worth keeping the rule simple which is definitely a good tradeoff.
This is indeed a known limitation in my rules (shared also by the raptor-write-into-stack-buffer rule for instance). Based on my tests, Semgrep does not seem to support static variable declarations and other modifiers such as register/volatile (at least not consistently). I've been meaning to open an issue with Semgrep, but I haven't had the time to better investigate this behaviour yet.
There are some other examples of (apparent) lack of support by Semgrep:
- returntocorp/semgrep#4939
- the ternary operator
- metavariables passed as function arguments
- a pattern such as
<... $TYPE $I = 0 ...> - integer promotions and other C/C++ idiosyncrasies
- preprocessor directives
This is probably due to the fact that C/C++ support is still experimental.
Thanks again for your interest! Let me know if you find a clever way to overcome these limitations.
Thanks for the reply. C/C++ support is indeed still experimental but more folks are asking for support and it might get on the roadmap, soon.
I am gonna try and see if I can manually include static in pattern-not-inside and see if it works. It worked with my limited test case.
Again, thanks for the great rules.