Policy: disallow unsafe string manipulation functions #108917

New Issue

Campbell Barton · 2023-06-13T02:27:15+02:00

Campbell Barton commented

2023-06-13 02:27:15 +02:00

This issue proposes to disallow use of unsafe string manipulation functions in parts of the code-base maintained by Blender developers.

Motivation

To prevent unsafe string manipulation, potentially resulting in buffer overflow errors.

Recently I noticed unsafe strcat use in some areas of Blender and checked all uses of strcat, finding some cases could cause buffer overflows. Since then strcat has been removed from source/ (except for makesrna.c utility, a separate binary).

On further testing, some of these buffer overflows were reasonably easy to trigger (a file exception longer than 32 characters would overflow when calling BLI_path_frame_strip for e.g.).

Calls to strcpy are still used, although in most cases switching to BLI_strncpy isn't a problem.

Rationale

Currently we accept use of strcpy/strcat with the understanding that developers are responsible for ensuring this doesn't cause problems. After having looked over use of these functions - I believe they're error prone enough that they should be avoided entirely.

Even in cases where it seems reasonable to use strcpy can lead to potential errors:

char mode_str[32];
...
strcpy(mode_str, "Sliding Tool");

Was later replaced with:

strcpy(mode_str, TIP_("Sliding Tool"));

Meaning a change to translations can result in a buffer overflow.

Notes

Currently there is a double-standard for buffer overflow related bugs in Blender.

When found in 3rd party libraries they're viewed as security vulnerabilities (something which may even cause us to release updates).
Where as they're have been accepted in Blender's own code - a quick search for strcat for e.g. shows fairly obvious unsafe usage up until recently.

On the other hand, in practice I suspect it's rare for users to encounter buffer overflows - making the case for this proposal less compelling.

There is another consideration however, that we can largely rule out a particular category of bug when investigating a problem, it's also one less thing to have to discuss during code review.
Personally, this alone is reason enough to disallow error-prone string manipulation functions.

Examples

Some commits resolving unsafe strcat/strcpy use:

Proposal

Besides updating the WIKI code-style pages, it would be good to disallow using these functions as it's one less thing to have to communicate in code-review.

NOTE: for the initial patch (if we choose to use poisoning), we might first do this for strcat as it's use has already been removed.

Ensure Policy is Followed

Poison API calls
- Use compiler pragma #pragma deprecated, need to check on MSVC (possibly __declspec(deprecated) ).
- Which header should poison isn't so clear (BLI_sys_types.h / BLI_utildefines.h / BLI_string.h). Suggest to add a new header to do this which could be included as an argument to the compiler.
- This could be optional WITH_COMPILER_POISION_UNSAFE, which would be enabled for developer builds, to avoid minor differences in compilers breaking the build-bot, while preventing developers using these API's.
Enforce manually (code-review etc).

We could just try to follow this as a general rule without having the compiler disallow it. We might want to do this if compilers don't handle poisoning the same way, making it too easy to unintentionally break the build for other developers.

Exceptions

Currently the only exception I'm aware of where we would still want to allow strcpy is the RNA API (which assumes a length-check before string access with strcpy). In this case an exception would be allowed.

Alternative API's

Use BLI_strncpy, BLI_strncat or memcpy (for low level buffer operations when sizes have been calculated).
Or when static sized buffers are not appropriate use alternative API's that support dynamically sized strings.

Which directories to include?

Initially only source/ although some directories in intern/ could eventually be included too.

Further Changes

We might want to exclude other functions: sprintf vsprintf, strncat, strncpy ... if there is a consensus among developers that can be made part of this proposal too.

This issue proposes to disallow use of unsafe string manipulation functions in parts of the code-base maintained by Blender developers. # Motivation To prevent unsafe string manipulation, potentially resulting in buffer overflow errors. Recently I noticed unsafe `strcat` use in some areas of Blender and checked all uses of `strcat`, finding some cases could cause buffer overflows. Since then `strcat` has been removed from `source/` (except for `makesrna.c` utility, a separate binary). On further testing, some of these buffer overflows were reasonably easy to trigger (a file exception longer than 32 characters would overflow when calling `BLI_path_frame_strip` for e.g.). Calls to `strcpy` are still used, although in most cases switching to `BLI_strncpy` isn't a problem. # Rationale Currently we accept use of strcpy/strcat with the understanding that developers are responsible for ensuring this doesn't cause problems. After having looked over use of these functions - I believe they're error prone enough that they should be avoided entirely. Even in cases where it seems reasonable to use `strcpy` can lead to potential errors: ``` char mode_str[32]; ... strcpy(mode_str, "Sliding Tool"); ``` Was later replaced with: ``` strcpy(mode_str, TIP_("Sliding Tool")); ``` Meaning a change to translations can result in a buffer overflow. # Notes Currently there is a double-standard for buffer overflow related bugs in Blender. - When found in 3rd party libraries they're viewed as security vulnerabilities (something which may even cause us to release updates). - Where as they're have been accepted in Blender's own code - a quick search for `strcat` for e.g. shows fairly obvious unsafe usage up until recently. On the other hand, in practice I suspect it's rare for users to encounter buffer overflows - making the case for this proposal less compelling. There is another consideration however, that we can largely rule out a particular category of bug when investigating a problem, it's also one less thing to have to discuss during code review. Personally, this alone is reason enough to disallow error-prone string manipulation functions. ## Examples Some commits resolving unsafe `strcat/strcpy` use: - b68b66d29ef7a8f62d4e3715b02a503f085cb0a2 - 78f5d9d599e2dc92f51227d82f974a575d526f01 - 1715f1c1f42cf9a0d842e1ec228e0dd7e5662943 - 574b2db317d446a00a68e327dfbf6d4a46b502ff - 1f6b3c20c84d7b85309f34354895cc499190895d - 686ec6310ca121f7f6560d7ec507c34914334f42 - 21ef4276ee0f38bbeffc5dfc7e73e05e792b7d4f - 04280439674dfa8bb41eb91084acb741c2ce19ee # Proposal Besides updating the WIKI code-style pages, it would be good to disallow using these functions as it's one less thing to have to communicate in code-review. NOTE: for the initial patch (if we choose to use poisoning), we might first do this for `strcat` as it's use has already been removed. ### Ensure Policy is Followed - Poison API calls - Use compiler pragma `#pragma deprecated`, need to check on MSVC (possibly `__declspec(deprecated)` ). - Which header should poison isn't so clear (`BLI_sys_types.h` / `BLI_utildefines.h` / `BLI_string.h`). Suggest to add a new header to do this which could be included as an argument to the compiler. - This could be optional `WITH_COMPILER_POISION_UNSAFE`, which would be enabled for developer builds, to avoid minor differences in compilers breaking the build-bot, while preventing developers using these API's. - Enforce manually (code-review etc). We could just try to follow this as a general rule without having the compiler disallow it. We might want to do this if compilers don't handle poisoning the same way, making it too easy to unintentionally break the build for other developers. ### Exceptions Currently the only exception I'm aware of where we would still want to allow `strcpy` is the RNA API (which assumes a length-check before string access with `strcpy`). In this case an exception would be allowed. ### Alternative API's - Use `BLI_strncpy`, `BLI_strncat` or `memcpy` (for low level buffer operations when sizes have been calculated). - Or when static sized buffers are not appropriate use alternative API's that support dynamically sized strings. ### Which directories to include? Initially only `source/` although some directories in `intern/` could eventually be included too. ### Further Changes We might want to exclude other functions: `sprintf` `vsprintf`, `strncat`, `strncpy` ... if there is a consensus among developers that can be made part of this proposal too.

👍 1

Campbell Barton added the

Type

Design

label 2023-06-13 02:27:15 +02:00

Campbell Barton changed title from ~~Policy: poison unsafe string manipulation funcitons (strcat, strcpy)~~ to Policy: disallow unsafe string manipulation functions (strcat, strcpy)

2023-06-13 03:58:37 +02:00

Campbell Barton changed title from ~~Policy: disallow unsafe string manipulation functions (strcat, strcpy)~~ to Policy: disallow unsafe string manipulation functions

2023-06-13 04:02:05 +02:00

Sergey Sharybin commented

2023-06-13 09:44:57 +02:00

Yes please!
Just make sure the poisoning works with all compilers :)

The recent Apple Clang warns (unconditionally!) about use of the insecure string functions. So longer term we should not have exceptions from the rule. It shouldn't be bare strcpy anyway, and maybe something like BLI_strcpy_unsafe.

The WITH_COMPILER_POISION_UNSAFE I am not really sure. I wouldn't use it on buildbot, to let people see possible issues early on on platforms they have no direct access to.

Yes please! Just make sure the poisoning works with all compilers :) The recent Apple Clang warns (unconditionally!) about use of the insecure string functions. So longer term we should not have exceptions from the rule. It shouldn't be bare `strcpy` anyway, and maybe something like `BLI_strcpy_unsafe`. The `WITH_COMPILER_POISION_UNSAFE ` I am not really sure. I wouldn't use it on buildbot, to let people see possible issues early on on platforms they have no direct access to.

Campbell Barton referenced this issue from a commit

2023-06-19 03:59:15 +02:00

Cleanup: remove all strcpy calls in source/blender/editors/

Bastien Montagne commented

2023-06-19 10:45:40 +02:00

I would also just forbid unconditionally any usage of these unsafe string manipulation functions. They are indeed dangerous, and impossible to ensure that they will remain properly used, even when initial commit is not buggy.

Campbell Barton referenced this issue from a commit

2023-06-25 05:37:11 +02:00

BLI_string: remove potentially unsafe BLI_sprintf

Campbell Barton commented

2023-08-03 08:11:08 +02:00

From investigating this - unfortunately cross platform poisoning/deprecating is impractical unless a header is added to every source file (after system headers).

Added text to avoid unsafe string functions to: https://wiki.blender.org/wiki/Style_Guide/Best_Practice_C_Cpp

Closing.

From investigating this - unfortunately cross platform poisoning/deprecating is impractical unless a header is added to every source file (after system headers). Added text to avoid unsafe string functions to: https://wiki.blender.org/wiki/Style_Guide/Best_Practice_C_Cpp Closing.

Campbell Barton closed this issue

2023-08-03 08:11:09 +02:00

Blender Bot added the

Status

Archived

label 2023-08-03 08:11:50 +02:00

Sign in to join this conversation.

No Label

Download

What's New

Blender Studio

Manual

Developers Blog

Documentation

Benchmark

Blender Conference

Development Fund

One-time Donations

Policy: disallow unsafe string manipulation functions #108917