Enable CodeQL scans for mod_proxy.

Castaglia · Dec 18, 2022 · 4e56c89 · 4e56c89
1 parent f331f36
commit 4e56c89
Show file tree

Hide file tree

Showing 20 changed files with 246 additions and 85 deletions.
diff --git a/.codeql.yml b/.codeql.yml
@@ -0,0 +1,23 @@
+---
+query-filters:
+  - exclude:
+      # See: https://codeql.github.com/codeql-query-help/cpp/cpp-commented-out-code/
+      id: cpp/commented-out-code
+  - exclude:
+      # See: https://codeql.github.com/codeql-query-help/cpp/cpp-long-switch/
+      id: cpp/long-switch
+  - exclude:
+      # See: https://codeql.github.com/codeql-query-help/cpp/cpp-empty-if/
+      id: cpp/empty-if
+  - exclude:
+      # See: https://codeql.github.com/codeql-query-help/cpp/cpp-loop-variable-changed/
+      id: cpp/loop-variable-changed
+  - exclude:
+      # See: https://codeql.github.com/codeql-query-help/cpp/cpp-missing-check-scanf/
+      id: cpp/missing-check-scanf
+  - exclude:
+      # See: https://codeql.github.com/codeql-query-help/cpp/cpp-poorly-documented-function/
+      id: cpp/poorly-documented-function
+
+paths:
+  - contrib/mod_proxy
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,91 @@
+name: CodeQL
+
+on:
+  push:
+    branches:
+      - master
+    paths-ignore:
+      - '**/*.md'
+      - '**/doc/*'
+  pull_request:
+    branches:
+      - master
+    paths-ignore:
+      - '**/*.md'
+      - '**/doc/*'
+  schedule:
+    - cron: "37 17 * * 2"
+
+jobs:
+  analyze:
+    name: CodeQL Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: true
+      matrix:
+        language:
+          - cpp
+
+    steps:
+      - name: Checkout ProFTPD
+        uses: actions/checkout@v3
+        with:
+          repository: proftpd/proftpd
+
+      - name: Checkout mod_proxy
+        uses: actions/checkout@v3
+        with:
+          path: contrib/mod_proxy
+
+      - name: Install Packages
+        run: |
+          sudo apt-get update
+          sudo apt-get install --yes libhiredis-dev libsqlite3-dev libssl-dev libsodium-dev zlib1g-dev
+
+      - name: Configure
+        run: |
+          ./configure --enable-redis --with-modules=mod_sftp:mod_tls:mod_proxy
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+          config-file: contrib/mod_proxy/.codeql.yml
+          queries: +security-and-quality
+          source-root: contrib/mod_proxy
+
+      - name: Build
+        run: |
+          make
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
+        with:
+          category: "/language:${{ matrix.language }}"
+          checkout_path: contrib/mod_proxy
+          output: sarif-results
+          upload: false
+
+      - name: Filter CodeQL SARIF
+        uses: advanced-security/filter-sarif@v1
+        with:
+          patterns: |
+            -**/lib/proxy/dns.c:cpp/large-parameter
+            -**/lib/proxy/ssh.c:cpp/stack-address-escape
+            -**/lib/proxy/ssh/compress.c:cpp/stack-address-escape
+            -**/lib/proxy/ssh/packet.c:cpp/stack-address-escape
+            -**/lib/proxy/ssh/umac.c
+            -**/lib/proxy/ssh/umac128.c
+          input: "sarif-results/${{ matrix.language }}.sarif"
+          output: "sarif-results/${{ matrix.language }}.sarif"
+
+      - name: Upload CodeQL SARIF
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          checkout_path: contrib/mod_proxy
+          sarif_file: "sarif-results/${{ matrix.language }}.sarif"
diff --git a/README.md b/README.md
@@ -4,6 +4,7 @@ proftpd-mod_proxy
 Status
 ------
 [![GitHub Actions CI Status](https://github.com/Castaglia/proftpd-mod_proxy/actions/workflows/ci.yml/badge.svg?branch=master)](https://github.com/Castaglia/proftpd-mod_proxy/actions/workflows/ci.yml)
+[![CodeQL Analysis](https://github.com/Castaglia/proftpd-mod_proxy/actions/workflows/codeql.yml/badge.svg)](https://github.com/Castaglia/proftpd-mod_proxy/actions/workflows/codeql.yml)
 [![License](https://img.shields.io/badge/license-GPL-brightgreen.svg)](https://img.shields.io/badge/license-GPL-brightgreen.svg)
 
 

diff --git a/lib/proxy/conn.c b/lib/proxy/conn.c
@@ -121,6 +121,12 @@ int proxy_conn_connect_timeout_cb(CALLBACK_FRAME) {
   server_addr = pr_table_get(session.notes, "mod_proxy.proxy-connect-address",
     NULL);
 
+  if (proxy_sess == NULL ||
+      server_addr == NULL) {
+    /* Do not restart the timer. */
+    return 0;
+  }
+
   (void) pr_log_writefile(proxy_logfd, MOD_PROXY_VERSION,
     "timed out connecting to %s:%d after %d %s",
     pr_netaddr_get_ipstr(server_addr), ntohs(pr_netaddr_get_port(server_addr)),

diff --git a/lib/proxy/ftp/conn.c b/lib/proxy/ftp/conn.c
@@ -143,6 +143,9 @@ conn_t *proxy_ftp_conn_connect(pool *p, const pr_netaddr_t *bind_addr,
   }
 
   conn = pr_inet_create_conn(session.pool, -1, bind_addr, INPORT_ANY, TRUE);
+  if (conn == NULL) {
+    return NULL;
+  }
 
   reverse_dns = pr_netaddr_set_reverse_dns(ServerUseReverseDNS);
 

diff --git a/lib/proxy/ftp/ctrl.c b/lib/proxy/ftp/ctrl.c
@@ -1,6 +1,6 @@
 /*
  * ProFTPD - mod_proxy FTP control conn routines
- * Copyright (c) 2012-2020 TJ Saunders
+ * Copyright (c) 2012-2022 TJ Saunders
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -463,8 +463,8 @@ int proxy_ftp_ctrl_send_cmd(pool *p, conn_t *ctrl_conn, cmd_rec *cmd) {
 
     pr_trace_msg(trace_channel, 9,
       "proxied command '%s' from frontend to backend", display_str);
-    res = proxy_netio_printf(ctrl_conn->outstrm, "%s %s\r\n", cmd->argv[0],
-      cmd->arg);
+    res = proxy_netio_printf(ctrl_conn->outstrm, "%s %s\r\n",
+      (char *) cmd->argv[0], cmd->arg);
 
   } else {
     pr_trace_msg(trace_channel, 9,

diff --git a/lib/proxy/ftp/msg.c b/lib/proxy/ftp/msg.c
@@ -168,7 +168,13 @@ const pr_netaddr_t *proxy_ftp_msg_parse_addr(pool *p, const char *msg,
    * We can't predict where the expected address/port numbers start in the
    * string, so start from the beginning.
    */
+
+  h1 = h2 = h3 = h4 = p1 = p2 = 0;
   for (ptr = msg; *ptr; ptr++) {
+    pr_signals_handle();
+
+    h1 = h2 = h3 = h4 = p1 = p2 = 0;
+
     if (sscanf(ptr, "%u,%u,%u,%u,%u,%u", &h1, &h2, &h3, &h4, &p1, &p2) == 6) {
       valid_fmt = TRUE;
       break;

diff --git a/lib/proxy/ftp/sess.c b/lib/proxy/ftp/sess.c
@@ -1,6 +1,6 @@
 /*
  * ProFTPD - mod_proxy FTP session routines
- * Copyright (c) 2013-2021 TJ Saunders
+ * Copyright (c) 2013-2022 TJ Saunders
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -519,8 +519,9 @@ int proxy_ftp_sess_send_pbsz_prot(pool *p,
 
   res = 0;
   resp = send_recv(tmp_pool, proxy_sess->backend_ctrl_conn, cmd, &resp_nlines);
+  xerrno = errno;
+
   if (resp == NULL) {
-    xerrno = errno;
     res = -1;
 
   } else {
@@ -591,8 +592,9 @@ int proxy_ftp_sess_send_pbsz_prot(pool *p,
     res = 0;
     resp = send_recv(tmp_pool, proxy_sess->backend_ctrl_conn, cmd,
       &resp_nlines);
+    xerrno = errno;
+
     if (resp == NULL) {
-      xerrno = errno;
       res = -1;
 
     } else {

diff --git a/lib/proxy/ftp/xfer.c b/lib/proxy/ftp/xfer.c
@@ -1,6 +1,6 @@
 /*
  * ProFTPD - mod_proxy FTP data transfer routines
- * Copyright (c) 2013-2021 TJ Saunders
+ * Copyright (c) 2013-2022 TJ Saunders
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -415,7 +415,7 @@ const pr_netaddr_t *proxy_ftp_xfer_prepare_passive(int policy_id, cmd_rec *cmd,
       }
 
       if (pr_cmd_cmp(cmd, PR_CMD_EPSV_ID) == 0) {
-        int epsv_supported = TRUE;
+        int epsv_supported = FALSE;
 
         if (pr_table_get(proxy_sess->backend_features, C_EPSV, NULL) == NULL) {
           /* If the remote host does not mention EPSV in its features, fall back

diff --git a/lib/proxy/ssh.c b/lib/proxy/ssh.c
@@ -931,7 +931,9 @@ int proxy_ssh_sess_init(pool *p, struct proxy_session *proxy_sess, int flags) {
       ssh_ssh2_kex_completed_ev, proxy_sess);
   }
 
-  proxy_ssh_auth_sess_init(p, proxy_sess);
+  if (proxy_ssh_auth_sess_init(p, proxy_sess) < 0) {
+    return -1;
+  }
 #endif /* PR_USE_OPENSSL */
   return 0;
 }

diff --git a/lib/proxy/ssh/compress.c b/lib/proxy/ssh/compress.c
@@ -1,6 +1,6 @@
 /*
  * ProFTPD - mod_proxy SSH compression
- * Copyright (c) 2021 TJ Saunders
+ * Copyright (c) 2021-2022 TJ Saunders
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -462,51 +462,47 @@ int proxy_ssh_compress_write_data(struct proxy_ssh_packet *pkt) {
       stream->avail_out = sizeof(buf);
 
       zres = deflate(stream, Z_SYNC_FLUSH);
+      if (zres == Z_OK) {
+        copy_len = sizeof(buf) - stream->avail_out;
 
-      switch (zres) {
-        case Z_OK:
-          copy_len = sizeof(buf) - stream->avail_out;
+        /* Allocate more space for the data if necessary. */
+        if ((payload_len + copy_len) > payload_sz) {
+          uint32_t new_sz;
+          char *tmp;
 
-          /* Allocate more space for the data if necessary. */
-          if ((payload_len + copy_len) > payload_sz) {
-            uint32_t new_sz;
-            char *tmp;
-
-            new_sz = payload_sz;
-            while ((payload_len + copy_len) > new_sz) {
-              pr_signals_handle();
-
-              /* Keep increasing the size until it is large enough. */
-              new_sz += payload_sz;
-            }
-
-            pr_trace_msg(trace_channel, 20,
-              "allocating larger payload size (%lu bytes) for "
-              "deflated data (%lu bytes) plus existing payload %lu bytes",
-              (unsigned long) new_sz, (unsigned long) copy_len,
-              (unsigned long) payload_len);
+          new_sz = payload_sz;
+          while ((payload_len + copy_len) > new_sz) {
+            pr_signals_handle();
 
-            tmp = palloc(sub_pool, new_sz);
-            memcpy(tmp, payload, payload_len);
-            payload = tmp;
-            payload_sz = new_sz;
+            /* Keep increasing the size until it is large enough. */
+            new_sz += payload_sz;
           }
 
-          memcpy(payload + payload_len, buf, copy_len);
-          payload_len += copy_len;
-
           pr_trace_msg(trace_channel, 20,
-            "deflated %lu bytes to %lu bytes",
-            (unsigned long) input_len, (unsigned long) copy_len);
-
-          break;
-
-        default:
-          (void) pr_log_writefile(proxy_logfd, MOD_PROXY_VERSION,
-            "unhandled zlib error (%d) while compressing", zres);
-          destroy_pool(sub_pool);
-          errno = EIO;
-          return -1;
+            "allocating larger payload size (%lu bytes) for "
+            "deflated data (%lu bytes) plus existing payload %lu bytes",
+            (unsigned long) new_sz, (unsigned long) copy_len,
+            (unsigned long) payload_len);
+
+          tmp = palloc(sub_pool, new_sz);
+          memcpy(tmp, payload, payload_len);
+          payload = tmp;
+          payload_sz = new_sz;
+        }
+
+        memcpy(payload + payload_len, buf, copy_len);
+        payload_len += copy_len;
+
+        pr_trace_msg(trace_channel, 20,
+          "deflated %lu bytes to %lu bytes",
+          (unsigned long) input_len, (unsigned long) copy_len);
+
+      } else {
+        (void) pr_log_writefile(proxy_logfd, MOD_PROXY_VERSION,
+          "unhandled zlib error (%d) while compressing", zres);
+        destroy_pool(sub_pool);
+        errno = EIO;
+        return -1;
       }
     }
 

diff --git a/lib/proxy/ssh/interop.c b/lib/proxy/ssh/interop.c
@@ -1,6 +1,6 @@
 /*
  * ProFTPD - mod_proxy SSH interoperability
- * Copyright (c) 2021 TJ Saunders
+ * Copyright (c) 2021-2022 TJ Saunders
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -286,11 +286,8 @@ int proxy_ssh_interop_handle_version(pool *p,
 }
 
 int proxy_ssh_interop_supports_feature(int feat_flag) {
-  switch (feat_flag) {
-    default:
-      if (!(default_flags & feat_flag)) {
-        return FALSE;
-      }
+  if (!(default_flags & feat_flag)) {
+    return FALSE;
   }
 
   return TRUE;

diff --git a/lib/proxy/ssh/kex.c b/lib/proxy/ssh/kex.c
@@ -2861,6 +2861,12 @@ static int handle_server_hostkey(pool *p,
   uint32_t stored_hostkey_datalen = 0;
 
   proxy_sess = pr_table_get(session.notes, "mod_proxy.proxy-session", NULL);
+  if (proxy_sess == NULL) {
+    /* Unlikely to occur. */
+    errno = EINVAL;
+    return -1;
+  }
+
   backend_uri = proxy_conn_get_uri(proxy_sess->dst_pconn);
   vhost_id = main_server->sid;
 

diff --git a/lib/proxy/ssh/keys.c b/lib/proxy/ssh/keys.c
@@ -3131,19 +3131,14 @@ static int deserialize_openssh_private_key(pool *p, const char *path,
    * it.  Ugh.  This "divide in half" hack only works for these keys where the
    * private and public key sizes are the same.
    */
-  switch (*key_type) {
-    case PROXY_SSH_KEY_ED448:
 #if defined(HAVE_X448_OPENSSL) && defined(HAVE_SHA512_OPENSSL)
-      if (secret_keylen > (CURVE448_SIZE + 1)) {
-        have_extra_public_key = TRUE;
-        secret_keylen /= 2;
-      }
-#endif /* HAVE_X448_OPENSSL and HAVE_SHA512_OPENSSL */
-      break;
-
-    default:
-      break;
+  if (*key_type == PROXY_SSH_KEY_ED448) {
+    if (secret_keylen > (CURVE448_SIZE + 1)) {
+      have_extra_public_key = TRUE;
+      secret_keylen /= 2;
+    }
   }
+#endif /* HAVE_X448_OPENSSL and HAVE_SHA512_OPENSSL */
 
   len = proxy_ssh_msg_read_data(p, data, data_len, secret_keylen,
     &secret_key);
-Original file line number
+Diff line change
@@ Expand Up / @@ -4,6 +4,7 @@ proftpd-mod_proxy @@
     Status
     ------
     [![GitHub Actions CI Status](https://github.com/Castaglia/proftpd-mod_proxy/actions/workflows/ci.yml/badge.svg?branch=master)](https://github.com/Castaglia/proftpd-mod_proxy/actions/workflows/ci.yml)
+    [![CodeQL Analysis](https://github.com/Castaglia/proftpd-mod_proxy/actions/workflows/codeql.yml/badge.svg)](https://github.com/Castaglia/proftpd-mod_proxy/actions/workflows/codeql.yml)
     [![License](https://img.shields.io/badge/license-GPL-brightgreen.svg)](https://img.shields.io/badge/license-GPL-brightgreen.svg)
@@ Expand Down @@