commit - 0a2a8887d3ac56ae5d4f7b2db7909a5b2c028f77
commit + f472bd1d036719deebc4a4ccbfa8eb84cd20ab17
blob - c39d4a04e54d29fccd046643a87c10c16ac9e31f
blob + bd2420e1dcc34930948b811442a310c0ed104e90
--- README.md
+++ README.md
| [lua_import_unused](rules/lua/basic/lua_import_unused.yaml) | Unused import. |
| [lua_init_rng_without_seed](rules/lua/basic/lua_init_rng_without_seed.yaml) | math.random() is used without random seed. |
| [lua_integer_parsing](rules/lua/basic/lua_integer_parsing.yaml) | Incorrect using integers. |
-| [lua_loadstring](rules/lua/basic/lua_loadstring.yaml) | Using `loadstring()`. |
| [lua_local_shadow](rules/lua/basic/lua_local_shadow.yaml) | Using local shadow. |
| [lua_local_unused](rules/lua/basic/lua_local_unused.yaml) | Unused local. |
| [lua_magic_number](rules/lua/basic/lua_magic_number.yaml) | Using magic numbers. |
| [lua_unknown_global](rules/lua/basic/lua_unknown_global.yaml) | Using unknown global variable. |
| [lua_unknown_type](rules/lua/basic/lua_unknown_type.yaml) | Unknown type. |
| [lua_unreachable_code](rules/lua/basic/lua_unreachable_code.yaml) | Unreachable code. |
-| [lua_unsafe_function](rules/lua/basic/lua_unsafe_function.yaml) | |
+| [lua_unsafe_function](rules/lua/basic/lua_unsafe_function.yaml) | Unsafe function. |
| [lua_use_fd_after_close](rules/lua/basic/lua_use_fd_after_close.yaml) | File descriptors leak. |
| [lua_writing_to_file_in_read_mode](rules/lua/basic/lua_writing_to_file_in_read_mode.yaml) | Writing to a file opened in read-only mode. |
-| [luajit_2.1](rules/lua/luajit/luajit_2.1.yaml) | |
-| [luajit_jit_off](rules/lua/luajit/luajit_jit_off.yaml) | |
-| [luajit_nyi](rules/lua/luajit/luajit_nyi.yaml) | |
-| [luajit_partial_compilation](rules/lua/luajit/luajit_partial_compilation.yaml) | |
+| [luajit_2.1](rules/lua/luajit/luajit_2.1.yaml) | Function is compiled starting with LuaJIT 2.1. |
+| [luajit_jit_off](rules/lua/luajit/luajit_jit_off.yaml) | JIT compilation is turned off. |
+| [luajit_nyi](rules/lua/luajit/luajit_nyi.yaml) | Function is not JIT-compiled. |
+| [luajit_partial_compilation](rules/lua/luajit/luajit_partial_compilation.yaml) | Function may be JIT-compiled, depending on the circumstances. |
| [tarantool_box_cfg_raw_access](rules/lua/tarantool/tarantool_box_cfg_raw_access.yaml) | Raw access to a `box.cfg` table. |
| [tarantool_box_grant_guest_full_access](rules/lua/tarantool/tarantool_box_grant_guest_full_access.yaml) | Full access for a guest user to universe. |
| [tarantool_box_insert_nil](rules/lua/tarantool/tarantool_box_insert_nil.yaml) | Insert a `nil` to a space. |
| [tarantool_box_select_nil](rules/lua/tarantool/tarantool_box_select_nil.yaml) | Using `nil` in `:select()`. |
| [tarantool_box_set_trigger_once](rules/lua/tarantool/tarantool_box_set_trigger_once.yaml) | Set trigger only once. |
| [tarantool_box_space_format](rules/lua/tarantool/tarantool_box_space_format.yaml) | |
+| [tarantool_box_space_name](rules/lua/tarantool/tarantool_box_space_name.yaml) | Rules for object names. |
| [tarantool_crypto_insecure_hash_algorithm](rules/lua/tarantool/tarantool_crypto_insecure_hash_algorithm.yaml) | Using insecure hash algorithm. |
-| [insecure-hash-algorithm-sha1](rules/lua/tarantool/tarantool_digest_insecure_hash_algorithm.yaml) | |
+| [tarantool_deprecated_c_api](rules/lua/tarantool/tarantool_deprecated_api.yaml) | Using deprecated C/C++ function(s). |
+| [tarantool_deprecated_lua_api](rules/lua/tarantool/tarantool_deprecated_api.yaml) | Using deprecated Tarantool Lua function(s). |
| [tarantool_digest_insecure_hash_algorithm](rules/lua/tarantool/tarantool_digest_insecure_hash_algorithm.yaml) | Using insecure hash algorithm. |
| [tarantool_digest_insecure_hash_algorithm](rules/lua/tarantool/tarantool_digest_insecure_hash_algorithm.yaml) | |
+| [tarantool_insecure-hash-algorithm-sha1](rules/lua/tarantool/tarantool_digest_insecure_hash_algorithm.yaml) | |
| [tarantool_fiber_missed_name](rules/lua/tarantool/tarantool_fiber_missed_name.yaml) | Fiber name is not set. |
| [tarantool_fiber_missed_testcancel](rules/lua/tarantool/tarantool_fiber_missed_testcancel.yaml) | Fiber method `:testcancel()` is missed. |
| [tarantool_fiber_missed_timeout](rules/lua/tarantool/tarantool_fiber_missed_timeout.yaml) | Timeout is missed in a fiber method. |
| [tarantool_popen_use_fd_after_close](rules/lua/tarantool/tarantool_popen_use_fd_after_close.yaml) | Using file descriptor after close. |
| [tarantool_socket_bind_to_all_interfaces](rules/lua/tarantool/tarantool_socket_bind_to_all_interfaces.yaml) | Socket bind to `0.0.0.0` or `::`. |
| [tarantool_socket_fd_leak](rules/lua/tarantool/tarantool_socket_fd_leak.yaml) | File descriptor leaks. |
+| [tarantool_socket_fd_leak](rules/lua/tarantool/tarantool_socket_fd_leak.yaml) | |
| [tarantool_socket_missed_timeout](rules/lua/tarantool/tarantool_socket_missed_timeout.yaml) | Timeout is not set. |
| [tarantool_socket_use_fd_after_close](rules/lua/tarantool/tarantool_socket_use_fd_after_close.yaml) | Using socket handler after close. |
-| [tarantool_bad_hash_func](rules/lua/tarantool/tarantool_vshard_bad_hash_func.yaml) | Sharding hash algorithm is bad. |
-| [tarantool_no_timeouts](rules/lua/tarantool/tarantool_vshard_missed_timeout.yaml) | Timeout is not set. |
+| [tarantool_vshard_bad_hash_func](rules/lua/tarantool/tarantool_vshard_bad_hash_func.yaml) | Sharding hash algorithm is bad. |
+| [tarantool_vshard_no_timeouts](rules/lua/tarantool/tarantool_vshard_missed_timeout.yaml) | Timeout is not set. |
### Flakiness
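Review bot: two of the added README rows are duplicates or malformed. `+| [tarantool_socket_fd_leak](rules/lua/tarantool/tarantool_socket_fd_leak.yaml) | |` repeats the `tarantool_socket_fd_leak` row directly above it with an empty description, and `+| [tarantool_insecure-hash-algorithm-sha1](rules/lua/tarantool/tarantool_digest_insecure_hash_algorithm.yaml) | |` points at the same YAML file as the two `tarantool_digest_insecure_hash_algorithm` rows next to it, keeps the hyphenated id that every other rule name avoids, and also has no description. Suggest dropping both added rows (and the pre-existing empty `tarantool_digest_insecure_hash_algorithm` duplicate) so that each rule id appears exactly once with a description; `tarantool_box_space_format` could get its missing description in the same pass.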
blob - 2f17514da39da8b3581ae000032efa5ac65b9be0 (mode 644)
blob + /dev/null
--- rules/lua/basic/lua_loadstring.lua
+++ /dev/null
-local c = "os.exec('cat /etc/passwd')"
-
--- ruleid: lua_loadstring
-loadstring(c)
-
--- ok: lua_loadstring
-loadstring("os.exec('cat /etc/passwd')")
blob - 2afb51ba9bd1976c6dfd666c2c55135b751058c3 (mode 644)
blob + /dev/null
--- rules/lua/basic/lua_loadstring.yaml
+++ /dev/null
-rules:
- - id: lua_loadstring
- metadata:
- author: Sergey Bronnikov <estetus@gmail.com>
- description: Using `loadstring()`.
- message: >-
- Detected the use of loadstring(). loadstring() can be dangerous if used
- to evaluate dynamic content. If this content can be input from outside the
- program, this may be a code injection vulnerability. Ensure evaluated
- content is not definable by external sources.
- languages: [lua]
- severity: WARNING
- pattern-either:
- - patterns:
- - pattern-not: loadstring("...")
- - pattern: loadstring(...)
- - patterns:
- - pattern-not: load("...")
- - pattern: load(...)
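Review bot: the `pattern-not: loadstring("...")` and `pattern-not: load("...")` exclusions of this deleted rule have no counterpart in the `lua_unsafe_function` rule that absorbs it, so calls with a string-literal argument that this rule deliberately ignored will now be reported. If the narrower behaviour is still wanted, carry the two `patterns:` blocks over instead of the bare `- pattern: loadstring(...)` and `- pattern: load(...)`; if the broader behaviour is intended, the `ok:` test case that moves with it needs to change as well.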
blob - 1e119a3106aa4640420c3ec9d5b8a4f08ab1f2fe
blob + caef005eb564b8b99a5298a788502c82567634e3
--- rules/lua/basic/lua_unsafe_function.lua
+++ rules/lua/basic/lua_unsafe_function.lua
-- ruleid: lua_unsafe_function
os.remove("")
+
+local c = "os.exec('cat /etc/passwd')"
+
+-- ruleid: lua_unsafe_function
+loadstring(c)
+
+-- ok: lua_unsafe_function
+loadstring("os.exec('cat /etc/passwd')")
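Review bot: the final `-- ok: lua_unsafe_function` annotation on `loadstring("os.exec('cat /etc/passwd')")` contradicts the rule as changed in this commit: `lua_unsafe_function.yaml` now matches with a bare `- pattern: loadstring(...)`, which also matches a string-literal argument, so the semgrep test run will report this line as an unexpected finding. Either add the literal-argument exclusion to the rule or change this annotation to `ruleid`.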
blob - 087ad88b2b4f9c69795b4ed9ad2af7d9fe788313
blob + aa001d885fe99aede0765074856128949676e99f
--- rules/lua/basic/lua_unsafe_function.yaml
+++ rules/lua/basic/lua_unsafe_function.yaml
- id: lua_unsafe_function
metadata:
author: Sergey Bronnikov <estetus@gmail.com>
- message: Using unsafe function.
+ description: Unsafe function.
+ message: |
+ Detected the use of loadstring(). loadstring() can be
+ dangerous if used to evaluate dynamic content. If this
+ content can be input from outside the program, this may be
+ a code injection vulnerability. Ensure evaluated content is
+ not definable by external sources.
+ Lua 5.2 does not have bytecode verification anymore. So,
+ all functions that load code (`load` and `loadfile`) are
+ potentially insecure when loading untrusted binary data.
+ (Actually, those functions were already insecure because of
+ flaws in the verification algorithm.) When in doubt, use
+ the mode argument of those functions to restrict them to
+ loading textual chunks.
# https://fuzz-introspector.readthedocs.io/en/latest/user-guides/analyse-sink-function.html
languages: [lua]
severity: WARNING
pattern-either:
- - pattern: os.execute(...)
+ - pattern: dofile(...)
- pattern: io.popen(...)
- - pattern: loadstring(...)
- pattern: load(...)
- pattern: loadfile(...)
- - pattern: dofile(...)
+ - pattern: loadstring(...)
+ - pattern: os.execute(...)
- pattern: os.remove(...)
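Review bot: the new `message:` opens with "Detected the use of loadstring()" although the rule fires on seven different patterns (`dofile`, `io.popen`, `load`, `loadfile`, `loadstring`, `os.execute`, `os.remove`), so a user hitting `os.remove(...)` gets an explanation about loadstring. Suggest a generic first paragraph (a call to a function that executes commands, loads code or touches the filesystem from data the program does not control) and keep the loadstring and Lua 5.2 text as the rationale for the code-loading subset. Minor: with the `|` block scalar the message keeps its hard line breaks in the output; `>-` as used in the deleted `lua_loadstring` rule folds them.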
blob - dda00b1b3fb91d9b392cfdd60544fece708c7c1b
blob + dedcfe75aa0153609f5c99e84b216633fd56695f
--- rules/lua/luajit/luajit_2.1.yaml
+++ rules/lua/luajit/luajit_2.1.yaml
metadata:
author: Sergey Bronnikov <estetus@gmail.com>
description: Function is compiled starting with LuaJIT 2.1.
+ references:
+ - https://github.com/tarantool/tarantool/wiki/LuaJIT-Not-Yet-Implemented
+ - http://web.archive.org/web/20220717120825/http://wiki.luajit.org/NYI
pattern-either:
- pattern: collectgarbage() # 2.1 stitch
- pattern: gcinfo() # 2.1 stitch
This function is compiled starting with LuaJIT 2.1.
languages: [lua]
- metadata:
- references:
- - http://web.archive.org/web/20220717120825/http://wiki.luajit.org/NYI
severity: INFO
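Review bot: worth stating in the commit message that this is a correctness fix, not a tidy-up: the removed `- metadata:` block duplicated the `metadata:` key at the top of the rule, and YAML loaders either reject duplicate mapping keys or silently keep only the last value, so `author` and `description` were at risk of being dropped before this change. The same applies to the three other luajit rules in this diff.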
blob - 96c78ebc2084ef054c4fc2f1277fa745e625c069
blob + 2b51259c17329c993ba8f193587bff655d4eaee2
--- rules/lua/luajit/luajit_jit_off.yaml
+++ rules/lua/luajit/luajit_jit_off.yaml
metadata:
author: Sergey Bronnikov <estetus@gmail.com>
description: JIT compilation is turned off.
+ references:
+ - https://luajit.org/ext_jit.html
patterns:
- pattern: jit.off(...)
message: Должны быть серьёзные причины для выключения JIT-компиляции.
languages: [lua]
- metadata:
- references:
- - https://luajit.org/ext_jit.html
severity: INFO
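Review bot: the context line `message: Должны быть серьёзные причины для выключения JIT-компиляции.` is the only Russian-language message among the rules in this diff; since the file is being touched anyway, the message should be rewritten in English to match the other luajit rules (roughly: there should be a serious reason to turn JIT compilation off).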
blob - 226022d5fd663ffe40a47193d9f5a57a88cdf639
blob + 583a7b486c61f4108b9174c1575bc785f75ef5c8
--- rules/lua/luajit/luajit_nyi.yaml
+++ rules/lua/luajit/luajit_nyi.yaml
metadata:
author: Sergey Bronnikov <estetus@gmail.com>
description: Function is not JIT-compiled.
+ references:
+ - https://github.com/tarantool/tarantool/wiki/LuaJIT-Not-Yet-Implemented
+ - http://web.archive.org/web/20220717120825/http://wiki.luajit.org/NYI
pattern-either:
- pattern: dofile(...) # never 2.1 stitch
- pattern: error(...) # never
This function is not JIT-compiled (yet), will always fall back to the
interpreter or will not be JIT-compiled, even in future versions.
languages: [lua]
- metadata:
- references:
- - http://web.archive.org/web/20220717120825/http://wiki.luajit.org/NYI
severity: INFO
blob - 4606ca74dce2890e4a5ef16f13df37d7834ba752
blob + 4e7f4c54ee5dec567637820a919e75727cc34a1e
--- rules/lua/luajit/luajit_partial_compilation.yaml
+++ rules/lua/luajit/luajit_partial_compilation.yaml
metadata:
author: Sergey Bronnikov <estetus@gmail.com>
description: Function may be JIT-compiled, depending on the circumstances.
+ references:
+ - https://github.com/tarantool/tarantool/wiki/LuaJIT-Not-Yet-Implemented
+ - http://web.archive.org/web/20220717120825/http://wiki.luajit.org/NYI
pattern-either:
- pattern: getfenv(...) # 2.1 partial
- pattern: next(...) # 2.1 partial
Function may be JIT-compiled, depending on the circumstances. Otherwise
will fall back to the interpreter or stitch.
languages: [lua]
- metadata:
- references:
- - http://web.archive.org/web/20220717120825/http://wiki.luajit.org/NYI
severity: INFO
blob - 0e6df6ac4129f8745e5c2b918fc1a9a02728dc9a
blob + 591424a633b678730c67206d32e2791c14923964
--- rules/lua/tarantool/tarantool_vshard_bad_hash_func.yaml
+++ rules/lua/tarantool/tarantool_vshard_bad_hash_func.yaml
rules:
- - id: tarantool_bad_hash_func
+ - id: tarantool_vshard_bad_hash_func
metadata:
author: Sergey Bronnikov <estetus@gmail.com>
description: Sharding hash algorithm is bad.
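Review bot: the id rename to `tarantool_vshard_bad_hash_func` matches the new README row, but the README also renames `tarantool_no_timeouts` to `tarantool_vshard_no_timeouts` (file `tarantool_vshard_missed_timeout.yaml`) and no hunk for that file is visible in this diff; make sure its `id:` is renamed too, otherwise the README lists an id that does not exist. Consider also aligning that id with the file name (`tarantool_vshard_missed_timeout`), as this hunk does for `bad_hash_func`.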