Merge branch 'main' into alan/crypto_doc_update

Author: GrosQuildu

README.md

@@ -30,6 +30,7 @@ codeql database analyze database.db --format=sarif-latest --output=./tob.sarif -
 | Name | Description | Severity | Precision  |
 | ---  | ----------- | :----:   | :--------: |
 |[BN_CTX_free called before BN_CTX_end](./cpp/src/docs/crypto/BnCtxFreeBeforeEnd.md)|Detects BN_CTX_free called before BN_CTX_end, which violates the required lifecycle|error|medium|
+|[Unbalanced BN_CTX_start and BN_CTX_end pair](./cpp/src/docs/crypto/UnbalancedBnCtx.md)|Detects if one call in the BN_CTX_start/BN_CTX_end pair is missing|warning|medium|
 |[Crypto variable initialized using static key](./cpp/src/docs/crypto/StaticKeyFlow.md)|Finds crypto variables initialized using static keys|error|high|
 |[Crypto variable initialized using static password](./cpp/src/docs/crypto/StaticPasswordFlow.md)|Finds crypto variables initialized using static passwords|error|high|
 |[Crypto variable initialized using weak randomness](./cpp/src/docs/crypto/WeakRandomnessTaint.md)|Finds crypto variables initialized using weak randomness|error|high|
@@ -40,17 +41,18 @@ codeql database analyze database.db --format=sarif-latest --output=./tob.sarif -
 |[Missing error handling](./cpp/src/docs/crypto/MissingErrorHandling.md)|Checks if returned error codes are properly checked|warning|high|
 |[Missing zeroization of potentially sensitive random BIGNUM](./cpp/src/docs/crypto/MissingZeroization.md)|Determines if random bignums are properly zeroized|warning|medium|
 |[Random buffer too small](./cpp/src/docs/crypto/RandomBufferTooSmall.md)|Finds buffer overflows in calls to CSPRNGs|warning|high|
-|[Unbalanced BN_CTX_start and BN_CTX_end pair](./cpp/src/docs/crypto/UnbalancedBnCtx.md)|Detects if one call in the BN_CTX_start/BN_CTX_end pair is missing|warning|medium|
 |[Use of legacy cryptographic algorithm](./cpp/src/docs/crypto/UseOfLegacyAlgorithm.md)|Detects potential instantiations of legacy cryptographic algorithms|warning|medium|
 
 #### Security
 
 | Name | Description | Severity | Precision  |
 | ---  | ----------- | :----:   | :--------: |
 |[Async unsafe signal handler](./cpp/src/docs/security/AsyncUnsafeSignalHandler/AsyncUnsafeSignalHandler.md)|Async unsafe signal handler (like the one used in CVE-2024-6387)|warning|high|
+|[Decrementation overflow when comparing](./cpp/src/docs/security/DecOverflowWhenComparing/DecOverflowWhenComparing.md)|This query finds unsigned integer overflows resulting from unchecked decrementation during comparison.|error|high|
+|[Find all problematic implicit casts](./cpp/src/docs/security/UnsafeImplicitConversions/UnsafeImplicitConversions.md)|Find all implicit casts that may be problematic. That is, casts that may result in unexpected truncation, reinterpretation or widening of values.|error|high|
+|[Inconsistent handling of return values from a specific function](./cpp/src/docs/security/InconsistentReturnValueHandling/InconsistentReturnValueHandling.md)|Detects functions whose return values are compared inconsistently across call sites, which may indicate bugs|warning|medium|
 |[Invalid string size passed to string manipulation function](./cpp/src/docs/security/CStrnFinder/CStrnFinder.md)|Finds calls to functions that take as input a string and its size as separate arguments (e.g., `strncmp`, `strncat`, ...) and the size argument is wrong|error|low|
 |[Missing null terminator](./cpp/src/docs/security/NoNullTerminator/NoNullTerminator.md)|This query finds incorrectly initialized strings that are passed to functions expecting null-byte-terminated strings|error|high|
-|[Unsafe implicit integer conversion](./cpp/src/docs/security/UnsafeImplicitConversions/UnsafeImplicitConversions.md)|Finds implicit integer casts that may overflow or be truncated, with false positive reduction via Value Range Analysis|warning|low|
 
 ### Go
 
@@ -65,7 +67,7 @@ codeql database analyze database.db --format=sarif-latest --output=./tob.sarif -
 | Name | Description | Severity | Precision  |
 | ---  | ----------- | :----:   | :--------: |
 |[Invalid file permission parameter](./go/src/docs/security/FilePermsFlaws/FilePermsFlaws.md)|Finds non-octal (e.g., `755` vs `0o755`) and unsupported (e.g., `04666`) literals used as a filesystem permission parameter (`FileMode`)|error|medium|
-|[Missing MinVersion in tls.Config](./go/src/docs/security/MissingMinVersionTLS/MissingMinVersionTLS.md)|This rule finds cases when you do not set the `tls.Config.MinVersion` explicitly for servers. By default version 1.0 is used, which is considered insecure. This rule does not mark explicitly set insecure versions|error|medium|
+|[Missing MinVersion in tls.Config](./go/src/docs/security/MissingMinVersionTLS/MissingMinVersionTLS.md)|Finds uses of tls.Config where MinVersion is not set and the project's minimum Go version (from go.mod) indicates insecure defaults: Go < 1.18 for clients or Go < 1.22 for servers. Does not mark explicitly set versions (including explicitly insecure ones).|error|medium|
 |[Trim functions misuse](./go/src/docs/security/TrimMisuse/TrimMisuse.md)|Finds calls to `string.{Trim,TrimLeft,TrimRight}` with the 2nd argument not being a cutset but a continuous substring to be trimmed|error|low|
 
 ### Java-kotlin
@@ -74,7 +76,7 @@ codeql database analyze database.db --format=sarif-latest --output=./tob.sarif -
 
 | Name | Description | Severity | Precision  |
 | ---  | ----------- | :----:   | :--------: |
-|[Recursive functions](./java-kotlin/src/docs/security/Recursion/Recursion.md)|Detects recursive calls|warning|low|
+|[Recursive functions](./java-kotlin/src/docs/security/Recursion/Recursion.md)|Detects possibly unbounded recursive calls|warning|low|
 
 ## Query suites
 

cpp/src/crypto/UseOfLegacyAlgorithm.ql

@@ -36,9 +36,10 @@ where
      * 			descend
      * 			destroy
      */
-
-    cipherName = "DES" and
-    functionName.regexpMatch(".*(?<!no|mo|co)des(?!cri(be|ption|ptor)|ign|cend|troy).*")
+    (
+      cipherName = "DES" and
+      functionName.regexpMatch(".*(?<!no|mo|co)des(?!cri(be|ption|ptor)|ign|cend|troy).*")
+    )
   )
 select call.getLocation(),
   "Potential use of legacy cryptographic algorithm " + cipherName + " detected in function name " +

cpp/src/docs/security/DecOverflowWhenComparing/DecOverflowWhenComparing.md

@@ -0,0 +1,72 @@
+# Decrementation overflow when comparing
+Finds unsigned integer overflow issues with the following heuristic: \* variable is compared to 0 and decremented \* variable is used after the comparison and decrementation In such cases it is likely that the decrementation was not expected.
+
+You can read about a real-world vulnerability here: https://github.com/trailofbits/exploits/tree/main/obts-2025-macos-lpe
+
+
+## Recommendation
+Move the decrementation outside of comparison and/or add explicit checks for overflows.
+
+
+## Example
+
+```c
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+// from https://github.com/apple-oss-distributions/Libinfo/blob/9fce29e5c5edc15d3ecea55116ca17d3f6350603/lookup.subproj/mdns_module.c#L1033C1-L1079C2
+char* _mdns_parse_domain_name(const uint8_t *data, uint32_t datalen)
+{
+	int i = 0, j = 0;
+	uint32_t domainlen = 0;
+	char *domain = NULL;
+
+	if ((data == NULL) || (datalen == 0)) return NULL;
+
+	while (datalen-- > 0)
+	{
+		uint32_t len = data[i++];
+		domainlen += (len + 1);
+		domain = reallocf(domain, domainlen);
+
+		if (domain == NULL) return NULL;
+
+		if (len == 0) break;	// DNS root (NUL)
+
+		if (j > 0)
+		{
+			domain[j++] = datalen ? '.' : '\0';
+		}
+
+		while ((len-- > 0) && (0 != datalen--))
+		{
+			if (data[i] == '.')
+			{
+				/* special case: escape the '.' with a '\' */
+				domain = reallocf(domain, ++domainlen);
+				if (domain == NULL) return NULL;
+
+				domain[j++] = '\\';
+			}
+
+			domain[j++] = data[i++];
+		}
+	}
+
+	domain[j] = '\0';
+
+	return domain;
+}
+
+int main() {
+    const uint16_t datalen = 128;
+    uint8_t data[datalen] = {};
+    memcpy(data, "\x04quildu\x03xyz\x00", 11);
+    _mdns_parse_domain_name(data, datalen);
+}
+
+```
+The `datalen` variable may overflow to UINT_MAX given a specific input.
+

cpp/src/docs/security/InconsistentReturnValueHandling/InconsistentReturnValueHandling.md

@@ -0,0 +1,69 @@
+# Inconsistent handling of return values from a specific function
+When a function's return value is checked in `if` statements across multiple call sites, the comparisons typically fall into a consistent pattern (e.g., compared against a numeric literal, `NULL`, or `sizeof`). If a small number of call sites compare the return value in a different way than the majority, these inconsistent comparisons may indicate a bug.
+
+The query categorizes each comparison into one of the following categories:
+
+* Numeric literal (e.g., `ret != -1`)
+* Boolean (e.g., `ret == true`)
+* Null pointer (e.g., `ret != NULL`)
+* Pointer
+* `sizeof` expression (e.g., `ret > sizeof(buf)`)
+* Another function's return value (e.g., `ret != other_func()`)
+* Passed as argument to another function (e.g., `if (check(ret))`)
+* Arithmetic expression
+
+When at least 75% of a function's return value comparisons fall into one category, the remaining comparisons in a different category are flagged as potentially incorrect.
+
+
+## Recommendation
+Review each flagged call site and verify that the comparison matches the function's return value semantics. If the function returns an error code or count, all call sites should compare it consistently. Fix any comparisons that use the wrong type of operand (e.g., comparing an integer return value against `sizeof` when all other sites compare against a numeric literal).
+
+
+## Example
+
+```c
+struct header {
+    int type;
+    int length;
+};
+
+// Returns number of items processed, or -1 on error
+int process_items(int *items, int count) {
+    int processed = 0;
+    for (int i = 0; i < count; i++) {
+        if (items[i] < 0)
+            return -1;
+        processed++;
+    }
+    return processed;
+}
+
+void example() {
+    int items[10];
+    int result;
+
+    // Typical: return value compared with a numeric literal
+    result = process_items(items, 10);
+    if (result > 0) { /* success */ }
+
+    result = process_items(items, 5);
+    if (result != -1) { /* no error */ }
+
+    result = process_items(items, 3);
+    if (result == 0) { /* empty */ }
+
+    result = process_items(items, 8);
+    if (result >= 1) { /* at least one */ }
+
+    // BAD: comparing with sizeof instead of a numeric literal.
+    // This is inconsistent with all other call sites and likely a bug.
+    result = process_items(items, 7);
+    if (result > sizeof(struct header)) { /* wrong comparison */ }
+}
+```
+In this example, `process_items` returns the number of items processed or `-1` on error. Most call sites correctly compare the return value with a numeric literal. However, one call site mistakenly compares it with `sizeof(struct header)`, which is inconsistent with how the return value is used everywhere else.
+
+
+## References
+* [CWE-252: Unchecked Return Value](https://cwe.mitre.org/data/definitions/252.html)
+* [CWE-253: Incorrect Check of Function Return Value](https://cwe.mitre.org/data/definitions/253.html)

cpp/src/security/DecOverflowWhenComparing/DecOverflowWhenComparing.c

@@ -0,0 +1,55 @@
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+// from https://github.com/apple-oss-distributions/Libinfo/blob/9fce29e5c5edc15d3ecea55116ca17d3f6350603/lookup.subproj/mdns_module.c#L1033C1-L1079C2
+char* _mdns_parse_domain_name(const uint8_t *data, uint32_t datalen)
+{
+	int i = 0, j = 0;
+	uint32_t domainlen = 0;
+	char *domain = NULL;
+
+	if ((data == NULL) || (datalen == 0)) return NULL;
+
+	while (datalen-- > 0)
+	{
+		uint32_t len = data[i++];
+		domainlen += (len + 1);
+		domain = reallocf(domain, domainlen);
+
+		if (domain == NULL) return NULL;
+
+		if (len == 0) break;	// DNS root (NUL)
+
+		if (j > 0)
+		{
+			domain[j++] = datalen ? '.' : '\0';
+		}
+
+		while ((len-- > 0) && (0 != datalen--))
+		{
+			if (data[i] == '.')
+			{
+				/* special case: escape the '.' with a '\' */
+				domain = reallocf(domain, ++domainlen);
+				if (domain == NULL) return NULL;
+
+				domain[j++] = '\\';
+			}
+
+			domain[j++] = data[i++];
+		}
+	}
+
+	domain[j] = '\0';
+
+	return domain;
+}
+
+int main() {
+    const uint16_t datalen = 128;
+    uint8_t data[datalen] = {};
+    memcpy(data, "\x04quildu\x03xyz\x00", 11);
+    _mdns_parse_domain_name(data, datalen);
+}

cpp/src/security/DecOverflowWhenComparing/DecOverflowWhenComparing.qhelp

@@ -0,0 +1,34 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>
+Finds unsigned integer overflow issues with the following heuristic:
+* variable is compared to 0 and decremented
+* variable is used after the comparison and decrementation
+
+In such cases it is likely that the decrementation was not expected.
+</p>
+
+<p>
+You can read about a real-world vulnerability here: https://github.com/trailofbits/exploits/tree/main/obts-2025-macos-lpe
+</p>
+</overview>
+
+<recommendation>
+<p>
+Move the decrementation outside of comparison and/or add explicit checks for overflows.
+</p>
+</recommendation>
+
+<example>
+<sample src="DecOverflowWhenComparing.c" />
+
+<p>
+The <code>datalen</code> variable may overflow to UINT_MAX given a specific input.
+</p>
+</example>
+
+</qhelp>
+