commit f472bd1d036719deebc4a4ccbfa8eb84cd20ab17 from: Sergey Bronnikov via: Sergey Bronnikov date: Fri Nov 1 12:00:35 2024 UTC rules: update Lua rules Rule `lua_loadstring` merged with `lua_unsafe_function`. commit - 0a2a8887d3ac56ae5d4f7b2db7909a5b2c028f77 commit + f472bd1d036719deebc4a4ccbfa8eb84cd20ab17 blob - c39d4a04e54d29fccd046643a87c10c16ac9e31f blob + bd2420e1dcc34930948b811442a310c0ed104e90 --- README.md +++ README.md @@ -48,7 +48,6 @@ $ spatch --sp-file coccinelle/mmap_map_failed.cocci -- | [lua_import_unused](rules/lua/basic/lua_import_unused.yaml) | Unused import. | | [lua_init_rng_without_seed](rules/lua/basic/lua_init_rng_without_seed.yaml) | math.random() is used without random seed. | | [lua_integer_parsing](rules/lua/basic/lua_integer_parsing.yaml) | Incorrect using integers. | -| [lua_loadstring](rules/lua/basic/lua_loadstring.yaml) | Using `loadstring()`. | | [lua_local_shadow](rules/lua/basic/lua_local_shadow.yaml) | Using local shadow. | | [lua_local_unused](rules/lua/basic/lua_local_unused.yaml) | Unused local. | | [lua_magic_number](rules/lua/basic/lua_magic_number.yaml) | Using magic numbers. | 
@@ -70,13 +69,13 @@ $ spatch --sp-file coccinelle/mmap_map_failed.cocci -- | [lua_unknown_global](rules/lua/basic/lua_unknown_global.yaml) | Using unknown global variable. | | [lua_unknown_type](rules/lua/basic/lua_unknown_type.yaml) | Unknown type. | | [lua_unreachable_code](rules/lua/basic/lua_unreachable_code.yaml) | Unreachable code. | -| [lua_unsafe_function](rules/lua/basic/lua_unsafe_function.yaml) | | +| [lua_unsafe_function](rules/lua/basic/lua_unsafe_function.yaml) | Unsafe function. | | [lua_use_fd_after_close](rules/lua/basic/lua_use_fd_after_close.yaml) | File descriptors leak. | | [lua_writing_to_file_in_read_mode](rules/lua/basic/lua_writing_to_file_in_read_mode.yaml) | Writing to a file opened in read-only mode. | -| [luajit_2.1](rules/lua/luajit/luajit_2.1.yaml) | | -| [luajit_jit_off](rules/lua/luajit/luajit_jit_off.yaml) | | -| [luajit_nyi](rules/lua/luajit/luajit_nyi.yaml) | | -| [luajit_partial_compilation](rules/lua/luajit/luajit_partial_compilation.yaml) | | +| [luajit_2.1](rules/lua/luajit/luajit_2.1.yaml) | Function is compiled starting with LuaJIT 2.1. | +| [luajit_jit_off](rules/lua/luajit/luajit_jit_off.yaml) | JIT compilation is turned off. | +| [luajit_nyi](rules/lua/luajit/luajit_nyi.yaml) | Function is not JIT-compiled. | +| [luajit_partial_compilation](rules/lua/luajit/luajit_partial_compilation.yaml) | Function may be JIT-compiled, depending on the circumstances. | | [tarantool_box_cfg_raw_access](rules/lua/tarantool/tarantool_box_cfg_raw_access.yaml) | Raw access to a `box.cfg` table. | | [tarantool_box_grant_guest_full_access](rules/lua/tarantool/tarantool_box_grant_guest_full_access.yaml) | Full access for a guest user to universe. | | [tarantool_box_insert_nil](rules/lua/tarantool/tarantool_box_insert_nil.yaml) | Insert a `nil` to a space. | 
@@ -85,10 +84,13 @@ $ spatch --sp-file coccinelle/mmap_map_failed.cocci -- | [tarantool_box_select_nil](rules/lua/tarantool/tarantool_box_select_nil.yaml) | Using `nil` in `:select()`. | | [tarantool_box_set_trigger_once](rules/lua/tarantool/tarantool_box_set_trigger_once.yaml) | Set trigger only once. | | [tarantool_box_space_format](rules/lua/tarantool/tarantool_box_space_format.yaml) | | +| [tarantool_box_space_name](rules/lua/tarantool/tarantool_box_space_name.yaml) | Rules for object names. | | [tarantool_crypto_insecure_hash_algorithm](rules/lua/tarantool/tarantool_crypto_insecure_hash_algorithm.yaml) | Using insecure hash algorithm. | -| [insecure-hash-algorithm-sha1](rules/lua/tarantool/tarantool_digest_insecure_hash_algorithm.yaml) | | +| [tarantool_deprecated_c_api](rules/lua/tarantool/tarantool_deprecated_api.yaml) | Using deprecated C/C++ function(s). | +| [tarantool_deprecated_lua_api](rules/lua/tarantool/tarantool_deprecated_api.yaml) | Using deprecated Tarantool Lua function(s). | | [tarantool_digest_insecure_hash_algorithm](rules/lua/tarantool/tarantool_digest_insecure_hash_algorithm.yaml) | Using insecure hash algorithm. | | [tarantool_digest_insecure_hash_algorithm](rules/lua/tarantool/tarantool_digest_insecure_hash_algorithm.yaml) | | +| [tarantool_insecure-hash-algorithm-sha1](rules/lua/tarantool/tarantool_digest_insecure_hash_algorithm.yaml) | | | [tarantool_fiber_missed_name](rules/lua/tarantool/tarantool_fiber_missed_name.yaml) | Fiber name is not set. | | [tarantool_fiber_missed_testcancel](rules/lua/tarantool/tarantool_fiber_missed_testcancel.yaml) | Fiber method `:testcancel()` is missed. | | [tarantool_fiber_missed_timeout](rules/lua/tarantool/tarantool_fiber_missed_timeout.yaml) | Timeout is missed in a fiber method. | 
@@ -107,10 +109,11 @@ $ spatch --sp-file coccinelle/mmap_map_failed.cocci -- | [tarantool_popen_use_fd_after_close](rules/lua/tarantool/tarantool_popen_use_fd_after_close.yaml) | Using file descriptor after close. | | [tarantool_socket_bind_to_all_interfaces](rules/lua/tarantool/tarantool_socket_bind_to_all_interfaces.yaml) | Socket bind to `0.0.0.0` or `::`. | | [tarantool_socket_fd_leak](rules/lua/tarantool/tarantool_socket_fd_leak.yaml) | File descriptor leaks. | +| [tarantool_socket_fd_leak](rules/lua/tarantool/tarantool_socket_fd_leak.yaml) | | | [tarantool_socket_missed_timeout](rules/lua/tarantool/tarantool_socket_missed_timeout.yaml) | Timeout is not set. | | [tarantool_socket_use_fd_after_close](rules/lua/tarantool/tarantool_socket_use_fd_after_close.yaml) | Using socket handler after close. | -| [tarantool_bad_hash_func](rules/lua/tarantool/tarantool_vshard_bad_hash_func.yaml) | Sharding hash algorithm is bad. | -| [tarantool_no_timeouts](rules/lua/tarantool/tarantool_vshard_missed_timeout.yaml) | Timeout is not set. | +| [tarantool_vshard_bad_hash_func](rules/lua/tarantool/tarantool_vshard_bad_hash_func.yaml) | Sharding hash algorithm is bad. | +| [tarantool_vshard_no_timeouts](rules/lua/tarantool/tarantool_vshard_missed_timeout.yaml) | Timeout is not set. | ### Flakiness blob - 2f17514da39da8b3581ae000032efa5ac65b9be0 (mode 644) blob + /dev/null --- rules/lua/basic/lua_loadstring.lua +++ /dev/null @@ -1,7 +0,0 @@ -local c = "os.exec('cat /etc/passwd')" - --- ruleid: lua_loadstring -loadstring(c) - --- ok: lua_loadstring -loadstring("os.exec('cat /etc/passwd')") blob - 2afb51ba9bd1976c6dfd666c2c55135b751058c3 (mode 644) blob + /dev/null --- rules/lua/basic/lua_loadstring.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -rules: - - id: lua_loadstring - metadata: - author: Sergey Bronnikov - description: Using `loadstring()`. - message: >- - Detected the use of loadstring(). loadstring() can be dangerous if used - to evaluate dynamic content. If this content can be input from outside the - program, this may be a code injection vulnerability. Ensure evaluated - content is not definable by external sources. - languages: [lua] - severity: WARNING - pattern-either: - - patterns: - - pattern-not: loadstring("...") - - pattern: loadstring(...) - - patterns: - - pattern-not: load("...") - - pattern: load(...) blob - 1e119a3106aa4640420c3ec9d5b8a4f08ab1f2fe blob + caef005eb564b8b99a5298a788502c82567634e3 --- rules/lua/basic/lua_unsafe_function.lua +++ rules/lua/basic/lua_unsafe_function.lua @@ -18,3 +18,11 @@ dofile("") -- ruleid: lua_unsafe_function os.remove("") + +local c = "os.exec('cat /etc/passwd')" + +-- ruleid: lua_unsafe_function +loadstring(c) + +-- ok: lua_unsafe_function +loadstring("os.exec('cat /etc/passwd')") blob - 087ad88b2b4f9c69795b4ed9ad2af7d9fe788313 blob + aa001d885fe99aede0765074856128949676e99f --- rules/lua/basic/lua_unsafe_function.yaml +++ rules/lua/basic/lua_unsafe_function.yaml 
@@ -2,15 +2,28 @@ rules: - id: lua_unsafe_function metadata: author: Sergey Bronnikov - message: Using unsafe function. + description: Unsafe function. + message: | + Detected the use of loadstring(). loadstring() can be + dangerous if used to evaluate dynamic content. If this + content can be input from outside the program, this may be + a code injection vulnerability. Ensure evaluated content is + not definable by external sources. + Lua 5.2 does not have bytecode verification anymore. So, + all functions that load code (`load` and `loadfile`) are + potentially insecure when loading untrusted binary data. + (Actually, those functions were already insecure because of + flaws in the verification algorithm.) When in doubt, use + the mode argument of those functions to restrict them to + loading textual chunks. # https://fuzz-introspector.readthedocs.io/en/latest/user-guides/analyse-sink-function.html languages: [lua] severity: WARNING pattern-either: - - pattern: os.execute(...) + - pattern: dofile(...) - pattern: io.popen(...) - - pattern: loadstring(...) - pattern: load(...) - pattern: loadfile(...) - - pattern: dofile(...) + - pattern: loadstring(...) + - pattern: os.execute(...) - pattern: os.remove(...) blob - dda00b1b3fb91d9b392cfdd60544fece708c7c1b blob + dedcfe75aa0153609f5c99e84b216633fd56695f --- rules/lua/luajit/luajit_2.1.yaml +++ rules/lua/luajit/luajit_2.1.yaml @@ -3,6 +3,9 @@ rules: metadata: author: Sergey Bronnikov description: Function is compiled starting with LuaJIT 2.1. + references: + - https://github.com/tarantool/tarantool/wiki/LuaJIT-Not-Yet-Implemented + - http://web.archive.org/web/20220717120825/http://wiki.luajit.org/NYI pattern-either: - pattern: collectgarbage() # 2.1 stitch - pattern: gcinfo() # 2.1 stitch 
@@ -45,7 +48,4 @@ rules: This function is compiled starting with LuaJIT 2.1. languages: [lua] - metadata: - references: - - http://web.archive.org/web/20220717120825/http://wiki.luajit.org/NYI severity: INFO blob - 96c78ebc2084ef054c4fc2f1277fa745e625c069 blob + 2b51259c17329c993ba8f193587bff655d4eaee2 --- rules/lua/luajit/luajit_jit_off.yaml +++ rules/lua/luajit/luajit_jit_off.yaml @@ -3,11 +3,10 @@ rules: metadata: author: Sergey Bronnikov description: JIT compilation is turned off. + references: + - https://luajit.org/ext_jit.html patterns: - pattern: jit.off(...) message: Должны быть серьёзные причины для выключения JIT-компиляции. languages: [lua] - metadata: - references: - - https://luajit.org/ext_jit.html severity: INFO blob - 226022d5fd663ffe40a47193d9f5a57a88cdf639 blob + 583a7b486c61f4108b9174c1575bc785f75ef5c8 --- rules/lua/luajit/luajit_nyi.yaml +++ rules/lua/luajit/luajit_nyi.yaml @@ -3,6 +3,9 @@ rules: metadata: author: Sergey Bronnikov description: Function is not JIT-compiled. + references: + - https://github.com/tarantool/tarantool/wiki/LuaJIT-Not-Yet-Implemented + - http://web.archive.org/web/20220717120825/http://wiki.luajit.org/NYI pattern-either: - pattern: dofile(...) # never 2.1 stitch - pattern: error(...) # never @@ -27,7 +30,4 @@ rules: This function is not JIT-compiled (yet), will always fall back to the interpreter or will not be JIT-compiled, even in future versions. languages: [lua] - metadata: - references: - - http://web.archive.org/web/20220717120825/http://wiki.luajit.org/NYI severity: INFO blob - 4606ca74dce2890e4a5ef16f13df37d7834ba752 blob + 4e7f4c54ee5dec567637820a919e75727cc34a1e --- rules/lua/luajit/luajit_partial_compilation.yaml +++ rules/lua/luajit/luajit_partial_compilation.yaml 
@@ -3,6 +3,9 @@ rules: metadata: author: Sergey Bronnikov description: Function may be JIT-compiled, depending on the circumstances. + references: + - https://github.com/tarantool/tarantool/wiki/LuaJIT-Not-Yet-Implemented + - http://web.archive.org/web/20220717120825/http://wiki.luajit.org/NYI pattern-either: - pattern: getfenv(...) # 2.1 partial - pattern: next(...) # 2.1 partial @@ -26,7 +29,4 @@ rules: Function may be JIT-compiled, depending on the circumstances. Otherwise will fall back to the interpreter or stitch. languages: [lua] - metadata: - references: - - http://web.archive.org/web/20220717120825/http://wiki.luajit.org/NYI severity: INFO blob - 0e6df6ac4129f8745e5c2b918fc1a9a02728dc9a blob + 591424a633b678730c67206d32e2791c14923964 --- rules/lua/tarantool/tarantool_vshard_bad_hash_func.yaml +++ rules/lua/tarantool/tarantool_vshard_bad_hash_func.yaml @@ -1,5 +1,5 @@ rules: - - id: tarantool_bad_hash_func + - id: tarantool_vshard_bad_hash_func metadata: author: Sergey Bronnikov description: Sharding hash algorithm is bad.
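Review bot: In the README hunk `@@ -85,10 +84,13 @@`, the two new rows `tarantool_deprecated_c_api` and `tarantool_deprecated_lua_api` link to the same file, `rules/lua/tarantool/tarantool_deprecated_api.yaml`, and neither that file nor `rules/lua/tarantool/tarantool_box_space_name.yaml` is added anywhere in this patch; please confirm both exist in the tree or add them here so the table does not link to missing rules. The renamed row `| [tarantool_insecure-hash-algorithm-sha1](rules/lua/tarantool/tarantool_digest_insecure_hash_algorithm.yaml) | |` still has an empty description, mixes hyphens into an otherwise underscore-only id scheme, points at a file that is already listed twice right above it as `tarantool_digest_insecure_hash_algorithm`, and breaks the table's alphabetical order (it sits between `tarantool_digest_...` and `tarantool_fiber_...`). Since this commit is already collapsing duplicate rules, dropping this row and the second `tarantool_digest_insecure_hash_algorithm` row would leave one entry per rule file.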
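Review bot: In the README hunk `@@ -107,10 +109,11 @@`, the added line `| [tarantool_socket_fd_leak](rules/lua/tarantool/tarantool_socket_fd_leak.yaml) | |` duplicates the row immediately above it (same id, same file) with an empty description; it should be removed. The rename to `tarantool_vshard_no_timeouts` changes the id shown in the README, but no hunk in this patch touches `rules/lua/tarantool/tarantool_vshard_missed_timeout.yaml`; check that the `id:` inside that file matches the new README id, as the last hunk of this patch does for `tarantool_vshard_bad_hash_func`.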
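Review bot: In the `rules/lua/basic/lua_unsafe_function.lua` hunk `@@ -18,3 +18,11 @@`, the new `-- ok: lua_unsafe_function` case `loadstring("os.exec('cat /etc/passwd')")` contradicts the rule as it stands in this patch: `lua_unsafe_function.yaml` matches plain `loadstring(...)`, which also matches a string-literal argument, so this call will be reported and the test annotation will fail. The `ok` semantics came from the deleted `lua_loadstring.yaml`, which excluded literals with `pattern-not: loadstring("...")`. Either keep the exclusion in the merged rule or change this annotation to `ruleid`; note that the existing `os.remove("")` case a few lines above is marked `ruleid` with a literal argument, so the merged rule currently treats literals inconsistently across its patterns.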
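Review bot: In the `rules/lua/basic/lua_unsafe_function.yaml` hunk `@@ -2,15 +2,28 @@`, the new `message:` opens with "Detected the use of loadstring()", but the rule also fires on `dofile`, `io.popen`, `load`, `loadfile`, `os.execute` and `os.remove`, so findings for those six patterns will carry a misleading message; suggest a generic first sentence (for example, that a function which executes code, spawns a process or touches the filesystem was called with possibly attacker-controlled input) and keep the `loadstring`/`load` bytecode guidance as a second paragraph. The `pattern-not: loadstring("...")` and `pattern-not: load("...")` exclusions from the deleted `lua_loadstring.yaml` were not carried over, so this is not a pure merge; decide explicitly whether literal arguments should match. Finally, the `# https://fuzz-introspector.readthedocs.io/...` line stays a comment here, while the `luajit_*` hunks in this same patch move such URLs into `metadata: references:`; doing the same here, and adding the Lua 5.2 manual section the message paraphrases, keeps the rules consistent.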
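Review bot: In the `rules/lua/luajit/luajit_jit_off.yaml` hunk `@@ -3,11 +3,10 @@`, the context line `message: Должны быть серьёзные причины для выключения JIT-компиляции.` is the only Russian-language message in the rule set touched by this patch; every other rule's `message:` is English. Since the hunk already edits this block to move `references:` under `metadata:`, translating it at the same time (for example, "There must be a serious reason to turn off JIT compilation.") would keep scanner output in one language.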
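Review bot: In the `rules/lua/tarantool/tarantool_vshard_bad_hash_func.yaml` hunk `@@ -1,5 +1,5 @@`, the rule id changes from `tarantool_bad_hash_func` to `tarantool_vshard_bad_hash_func`, which matches the README change, but the rules in this repository carry companion `.lua` test files with `-- ruleid:` / `-- ok:` annotations (see `lua_unsafe_function.lua` in this patch), and no such file is updated here; if `tarantool_vshard_bad_hash_func.lua` exists, its annotations still reference the old id and the test will stop matching.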