Enhance detection and diagnostics of LoadLibrary(Ex)

2021-01-09 20:25:26 -05:00 · 2021-01-09 20:25:26 -05:00 · 917d03e4f9
parent 0cba711317
commit 917d03e4f9
3 changed files with 22 additions and 6 deletions
--- a/22
+++ b/22
@ -847,9 +847,23 @@ def cpp_unsafe_stl(hit):
        add_warning(hit)

 def load_library_ex(hit):
-    # If parameter 3 is 'LOAD_LIBRARY_SEARCH_SYSTEM32', it's safe.
+    # If parameter 3 has one of the flags below, it's safe.
+    safe_search = [
+        # Load only from the folder where the .exe file is located
+        'LOAD_LIBRARY_SEARCH_APPLICATION_DIR',
+        # Combination of application, System32 and user directories
+        'LOAD_LIBRARY_SEARCH_DEFAULT_DIRS',
+        # Load only from System32
+        'LOAD_LIBRARY_SEARCH_SYSTEM32',
+        # Load only from directories specified with AddDllDirectory
+        # or SetDllDirectory
+        'LOAD_LIBRARY_SEARCH_USER_DIRS',
+        # Loading from the current directory will only proceed if
+        # the current directory is part of the safe load list
+        'LOAD_LIBRARY_SAFE_CURRENT_DIRS'
+    ]
    if (len(hit.parameters) >= 4 and
-       hit.parameters[3] == 'LOAD_LIBRARY_SEARCH_SYSTEM32'):
+            any(flag in hit.parameters[3] for flag in safe_search)):
        return
    normal(hit)

@ -1298,12 +1312,12 @@ c_ruleset = {

    "LoadLibrary":
    (normal, 3, "Ensure that the full path to the library is specified, or current directory may be used (CWE-829, CWE-20)",
-     "Use registry entry or GetWindowsDirectory to find library path, if you aren't already",
+     "Use LoadLibraryEx with one of the search flags, or call SetSearchPathMode to use a safe search path, or pass a full path to the library",
     "misc", "", {'input': 1}),

    "LoadLibraryEx":
    (load_library_ex, 3, "Ensure that the full path to the library is specified, or current directory may be used (CWE-829, CWE-20)",
-     "Use registry entry or GetWindowsDirectory to find library path, if you aren't already",
+     "Use a flag like LOAD_LIBRARY_SEARCH_SYSTEM32 or LOAD_LIBRARY_SEARCH_APPLICATION_DIR to search only desired folders",
     "misc", "", {'input': 1}),

    "SetSecurityDescriptorDacl":
--- a/test/correct-results.txt
+++ b/test/correct-results.txt
--- a/test/test.c
+++ b/test/test.c
@ -77,8 +77,10 @@ demo2() {
  SetSecurityDescriptorDacl(&sd,TRUE,NULL,FALSE);
  /* This one is a bad idea - first param shouldn't be NULL */
  CreateProcess(NULL, "C:\\Program Files\\GoodGuy\\GoodGuy.exe -x", "");
-  /* This should be ignored */
-  (void) LoadLibraryEx(L"user32.dll", nullptr, LOAD_LIBRARY_SEARCH_SYSTEM32);
+  /* Bad, may load from current directory */
+  (void) LoadLibraryEx(L"user32.dll", nullptr, LOAD_LIBRARY_AS_DATAFILE);
+  /* This should be ignored, since it's loading only from System32 */
+  (void) LoadLibraryEx(L"user32.dll", nullptr, LOAD_LIBRARY_SEARCH_SYSTEM32 | LOAD_LIBRARY_REQUIRE_SIGNED_TARGET);
  /* Test interaction of quote characters */
  printf("%c\n", 'x');
  printf("%c\n", '"');