parser: skip BOM at the beginning of input

kdudka · kdudka · commit 21f1858a2719 · 2024-05-21T17:18:20.000+02:00
diff --git a/src/lib/instream.cc b/src/lib/instream.cc
@@ -57,21 +57,37 @@ void InStream::handleError(const std::string &msg, const unsigned long line)
 InStreamLookAhead::InStreamLookAhead(
         InStream               &input,
         const unsigned          size,
+        const bool              skipBOM,
         bool                    skipWhiteSpaces)
 {
     std::istream &inStr = input.str();
 
-    // read `size` chars from input
-    while (buf_.size() < size) {
-        const int c = inStr.get();
-        if (skipWhiteSpaces && isspace(c) && !!inStr)
+    int c = inStr.get();
+    if (skipBOM
+            // try to read BOM ... [0xEF, 0xBB, 0xBF]
+            && (0xEF == c)
+            && (0xBB == (c = inStr.get()))
+            && (0xBF == (c = inStr.get())))
+        // BOM successfully read -> read the next char
+        c = inStr.get();
+
+    // read chars from input
+    for (;;) {
+        if (skipWhiteSpaces && isspace(c))
             // skip a white-space
-            continue;
+            goto next;
 
         // only the leading white-spaces are skipped
         skipWhiteSpaces = false;
 
+        // append one char to the buffer
         buf_.push_back(c);
+        if (size <= buf_.size())
+            // the requested number of chars have been read
+            break;
+next:
+        // read the next char
+        c = inStr.get();
     }
 
     // put the chars back to the input stream
diff --git a/src/lib/instream.hh b/src/lib/instream.hh
@@ -62,7 +62,8 @@ class InStreamLookAhead {
         InStreamLookAhead(
                 InStream       &input,
                 unsigned        size,
-                bool            skipWhiteSpaces = false);
+                bool            skipBOM,
+                bool            skipWhiteSpaces);
 
         char operator[](const unsigned idx) const {
             return buf_.at(idx);
diff --git a/src/lib/parser.cc b/src/lib/parser.cc
@@ -34,7 +34,9 @@ static inline std::unique_ptr<T> make_unique(InStream &input) {
 AbstractParserPtr createParser(InStream &input)
 {
     // skip all white-spaces and sniff the first two chars from the input
-    InStreamLookAhead head(input, 2U, /* skipWhiteSpaces */ true);
+    InStreamLookAhead head(input, 2U,
+            /* skipBOM         */ true,
+            /* skipWhiteSpaces */ true);
 
     switch (head[0]) {
         case '{':
diff --git a/tests/csgrep/0125-sarif-parser-bom-args.txt b/tests/csgrep/0125-sarif-parser-bom-args.txt
@@ -0,0 +1 @@
+--mode=json
diff --git a/tests/csgrep/0125-sarif-parser-bom-stdin.txt b/tests/csgrep/0125-sarif-parser-bom-stdin.txt
diff --git a/tests/csgrep/0125-sarif-parser-bom-stdout.txt b/tests/csgrep/0125-sarif-parser-bom-stdout.txt
@@ -0,0 +1,41 @@
+Error: SNYK_CODE_WARNING (CWE-290):
+vendor/krb5-src/krb5/src/lib/krb5/krb/t_princ.c:381:26: note[cpp/WeakGuard]: An hardcoded domain name is compared in strcmp. This check could lead to a bypass since the domain name can be spoofed or controlled by an attacker.
+
+Error: SNYK_CODE_WARNING (CWE-290):
+vendor/krb5-src/krb5/src/wconfig.c:140:21: note[cpp/WeakGuard]: An hardcoded domain name is compared in strcmp. This check could lead to a bypass since the domain name can be spoofed or controlled by an attacker.
+
+Error: SNYK_CODE_WARNING (CWE-290):
+vendor/krb5-src/krb5/src/wconfig.c:145:21: note[cpp/WeakGuard]: An hardcoded domain name is compared in strcmp. This check could lead to a bypass since the domain name can be spoofed or controlled by an attacker.
+
+Error: SNYK_CODE_WARNING (CWE-190):
+vendor/sasl2-sys/sasl2/utils/smtptest.c:360:3: note[cpp/IntegerOverflow/test]: Unsanitized input from a file flows into an addition operator (+), where it is used in integer arithmetic. This may result in an integer overflow vulnerability.
+
+Error: SNYK_CODE_WARNING (CWE-190):
+vendor/krb5-src/krb5/src/tests/asn.1/trval.c:161:19: note[cpp/IntegerOverflow/test]: Unsanitized input from a file flows into an addition operator (+), where it is used in integer arithmetic. This may result in an integer overflow vulnerability.
+
+Error: SNYK_CODE_WARNING (CWE-190):
+vendor/krb5-src/krb5/src/tests/asn.1/trval.c:161:30: note[cpp/IntegerOverflow/test]: Unsanitized input from a file flows into an addition operator (+), where it is used in integer arithmetic. This may result in an integer overflow vulnerability.
+
+Error: SNYK_CODE_WARNING (CWE-190):
+vendor/rdkafka-sys/librdkafka/tests/0098-consumer-txn.cpp:307:35: note[cpp/IntegerOverflow/test]: Unsanitized input from a file flows into an addition operator (+), where it is used in integer arithmetic. This may result in an integer overflow vulnerability.
+
+Error: SNYK_CODE_WARNING (CWE-190):
+vendor/rdkafka-sys/librdkafka/tests/0098-consumer-txn.cpp:444:7: note[cpp/IntegerOverflow/test]: Unsanitized input from a file flows into an addition operator (+), where it is used in integer arithmetic. This may result in an integer overflow vulnerability.
+
+Error: SNYK_CODE_WARNING (CWE-190):
+vendor/lz4-sys/liblz4/tests/abiTest.c:81:27: note[cpp/IntegerOverflow/test]: Unsanitized input from a file flows into a subtraction operator (-), where it is used in integer arithmetic. This may result in an integer overflow vulnerability.
+
+Error: SNYK_CODE_WARNING (CWE-190):
+vendor/krb5-src/krb5/src/tests/asn.1/trval.c:126:17: note[cpp/IntegerOverflow/test]: Unsanitized input from a file flows into a subtraction operator (-), where it is used in integer arithmetic. This may result in an integer overflow vulnerability.
+
+Error: SNYK_CODE_WARNING (CWE-190):
+vendor/krb5-src/krb5/src/tests/asn.1/trval.c:128:17: note[cpp/IntegerOverflow/test]: Unsanitized input from a file flows into a subtraction operator (-), where it is used in integer arithmetic. This may result in an integer overflow vulnerability.
+
+Error: SNYK_CODE_WARNING (CWE-190):
+vendor/krb5-src/krb5/src/tests/asn.1/trval.c:130:17: note[cpp/IntegerOverflow/test]: Unsanitized input from a file flows into a subtraction operator (-), where it is used in integer arithmetic. This may result in an integer overflow vulnerability.
+
+Error: SNYK_CODE_WARNING (CWE-190):
+vendor/openssl-src/openssl/test/confdump.c:37:25: note[cpp/IntegerOverflow/test]: Unsanitized input from a command line argument flows into a subtraction operator (-), where it is used in integer arithmetic. This may result in an integer overflow vulnerability.
+
+Error: SNYK_CODE_WARNING (CWE-190):
+vendor/lz4-sys/liblz4/tests/fuzzer.c:378:95: note[cpp/IntegerOverflow/test]: Unsanitized input from a command line argument flows into a subtraction operator (-), where it is used in integer arithmetic. This may result in an integer overflow vulnerability.
diff --git a/tests/csgrep/CMakeLists.txt b/tests/csgrep/CMakeLists.txt
@@ -168,3 +168,4 @@ test_csgrep("0121-cov-parser-lock-evasion"            )
 test_csgrep("0122-json-parser-cov-v10-column"         )
 test_csgrep("0123-csgrep-hash-v1"                     )
 test_csgrep("0124-sarif-writer-imp"                   )
+test_csgrep("0125-sarif-parser-bom"                   )
