From bb7b8e1ad0e345862980a163b688f4554ebc1df8 Mon Sep 17 00:00:00 2001 From: Sakshis Date: Mon, 16 Dec 2024 13:09:06 +0000 Subject: [PATCH 1/7] removed missing-secure-java --- rules/java/security/missing-secure-java.yml | 70 ------------------- .../missing-secure-java-snapshot.yml | 32 --------- tests/java/missing-secure-java-test.yml | 15 ---- 3 files changed, 117 deletions(-) delete mode 100644 rules/java/security/missing-secure-java.yml delete mode 100644 tests/__snapshots__/missing-secure-java-snapshot.yml delete mode 100644 tests/java/missing-secure-java-test.yml diff --git a/rules/java/security/missing-secure-java.yml b/rules/java/security/missing-secure-java.yml deleted file mode 100644 index 755e6660..00000000 --- a/rules/java/security/missing-secure-java.yml +++ /dev/null @@ -1,70 +0,0 @@ -id: missing-secure-java -language: java -severity: warning -message: >- - Detected a cookie where the `Secure` flag is either missing or - disabled. The `Secure` cookie flag instructs the browser to forbid sending - the cookie over an insecure HTTP request. Set the `Secure` flag to `true` - so the cookie will only be sent over HTTPS. -note: >- - [CWE-614]: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - [OWASP A05:2021]: Security Misconfiguration - [REFERENCES] - - https://owasp.org/Top10/A05_2021-Security_Misconfiguration -utils: - match_without_httponly: - kind: argument_list - has: - kind: object_creation_expression - inside: - stopBy: end - kind: method_invocation - - match_cookie_last: - kind: argument_list - has: - kind: method_invocation - has: - kind: argument_list - has: - kind: string_literal - - match_instance: - kind: local_variable_declaration - has: - stopBy: end - kind: identifier - follows: - stopBy: end - kind: variable_declarator - - match_identifier_with_simplecookie: - kind: identifier - inside: - stopBy: end - kind: local_variable_declaration - all: - - has: - stopBy: end - kind: type_identifier - regex: '^SimpleCookie$|^Cookie$' - - has: - stopBy: neighbor - kind: variable_declarator - all: - - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: neighbor - kind: object_creation_expression - - not: - precedes: - stopBy: neighbor - kind: expression_statement -rule: - any: - - matches: match_instance - - matches: match_without_httponly - - matches: match_cookie_last - - matches: match_identifier_with_simplecookie diff --git a/tests/__snapshots__/missing-secure-java-snapshot.yml b/tests/__snapshots__/missing-secure-java-snapshot.yml deleted file mode 100644 index 3931463b..00000000 --- a/tests/__snapshots__/missing-secure-java-snapshot.yml +++ /dev/null @@ -1,32 +0,0 @@ -id: missing-secure-java -snapshots: - ? | - SimpleCookie s = new SimpleCookie("foo", "bar"); - .orElse( new NettyCookie( "foo", "bar" ) ); - Cookie z = new NettyCookie("foo", "bar"); - return HttpResponse.ok().cookie(Cookie.of("zzz", "ddd")); - : labels: - - source: s - style: primary - start: 13 - end: 14 - - source: SimpleCookie - style: secondary - start: 0 - end: 12 - - source: s - style: secondary - start: 13 - end: 14 - - source: new SimpleCookie("foo", "bar") - style: secondary - start: 17 - end: 47 - - source: s = new SimpleCookie("foo", "bar") - style: secondary - start: 13 - end: 47 - - source: SimpleCookie s = new SimpleCookie("foo", "bar"); - style: secondary - start: 0 - end: 48 diff --git a/tests/java/missing-secure-java-test.yml b/tests/java/missing-secure-java-test.yml deleted file mode 100644 index 507f951f..00000000 --- a/tests/java/missing-secure-java-test.yml +++ /dev/null @@ -1,15 +0,0 @@ -id: missing-secure-java -valid: - - | - Cookie c1 = getCookieSomewhere(); - return HttpResponse.ok().cookie(Cookie.of("foo", "bar").secure(true)); - Cookie cookie = request.getCookies().findCookie( "foobar" ) - Cookie c = new NettyCookie("foo", "bar"); - c.secure(true); - NettyCookie r = new NettyCookie("foo", "bar").secure(true); -invalid: - - | - SimpleCookie s = new SimpleCookie("foo", "bar"); - .orElse( new NettyCookie( "foo", "bar" ) ); - Cookie z = new NettyCookie("foo", "bar"); - return HttpResponse.ok().cookie(Cookie.of("zzz", "ddd")); From 12bb3aab8d57915cd459d2e2ac04c42dfb2dca48 Mon Sep 17 00:00:00 2001 From: ESS ENN Date: Wed, 22 Jan 2025 18:58:13 +0530 Subject: [PATCH 2/7] httponly-false-csharp --- rules/csharp/security/httponly-false-csharp | 48 +++++++++++++++++++++ tests/csharp/httponly-false-csharp-test.yml | 9 ++++ 2 files changed, 57 insertions(+) create mode 100644 rules/csharp/security/httponly-false-csharp create mode 100644 tests/csharp/httponly-false-csharp-test.yml diff --git a/rules/csharp/security/httponly-false-csharp b/rules/csharp/security/httponly-false-csharp new file mode 100644 index 00000000..af939938 --- /dev/null +++ b/rules/csharp/security/httponly-false-csharp @@ -0,0 +1,48 @@ +id: httponly-false-csharp +language: csharp +severity: warning +message: >- + "Detected a cookie where the `HttpOnly` flag is either missing or + disabled. The `HttpOnly` cookie flag instructs the browser to forbid + client-side JavaScript to read the cookie. If JavaScript interaction is + required, you can ignore this finding. However, set the `HttpOnly` flag to + `true` in all other cases. If this wasn't intentional, it's recommended to + set the HttpOnly flag to true so the cookie will not be accessible through + client-side scripts or to use the Cookie Policy Middleware to globally set + the HttpOnly flag. You can then use the CookieOptions class when + instantiating the cookie, which inherits these settings and will require + future developers to have to explicitly override them on a case-by-case + basis if needed. This approach ensures cookies are secure by default." +note: >- + [CWE-1004] Sensitive Cookie Without 'HttpOnly' Flag" + [REFERENCES] + - https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware + - https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions + - https://owasp.org/Top10/A05_2021-Security_Misconfiguration + + +ast-grep-essentials: true + +rule: + kind: boolean_literal + pattern: $LITERAL + follows: + regex: ^=$ + follows: + kind: member_access_expression + inside: + kind: assignment_expression + all: + - has: + kind: member_access_expression + nthChild: 1 + regex: \.Cookie$ + - has: + kind: identifier + nthChild: 2 + regex: ^HttpOnly$ + +constraints: + LITERAL: + regex: ^false$ + diff --git a/tests/csharp/httponly-false-csharp-test.yml b/tests/csharp/httponly-false-csharp-test.yml new file mode 100644 index 00000000..e29a7eab --- /dev/null +++ b/tests/csharp/httponly-false-csharp-test.yml @@ -0,0 +1,9 @@ +id: httponly-false-csharp +valid: + - | + myHttpOnlyCookie.HttpOnly = true; + - | + options.Cookie.HttpOnly = true; +invalid: + - | + options.Cookie.HttpOnly = false; From 2c5ea88476cdca70b993026ce65cb1435e602119 Mon Sep 17 00:00:00 2001 From: ESS ENN Date: Wed, 22 Jan 2025 19:00:33 +0530 Subject: [PATCH 3/7] use-of-md5-digest-utils-java --- .../security/use-of-md5-digest-utils-java.yml | 42 +++++++++++++++++++ .../use-of-md5-digest-utils-java-snapshot.yml | 29 +++++++++++++ .../use-of-md5-digest-utils-java-test.yml | 7 ++++ 3 files changed, 78 insertions(+) create mode 100644 rules/java/security/use-of-md5-digest-utils-java.yml create mode 100644 tests/__snapshots__/use-of-md5-digest-utils-java-snapshot.yml create mode 100644 tests/java/use-of-md5-digest-utils-java-test.yml diff --git a/rules/java/security/use-of-md5-digest-utils-java.yml b/rules/java/security/use-of-md5-digest-utils-java.yml new file mode 100644 index 00000000..553bac8a --- /dev/null +++ b/rules/java/security/use-of-md5-digest-utils-java.yml @@ -0,0 +1,42 @@ +id: use-of-md5-digest-utils-java +language: java +severity: warning +message: >- + 'Detected MD5 hash algorithm which is considered insecure. MD5 is not + collision resistant and is therefore not suitable as a cryptographic + signature. Use HMAC instead.' +note: >- + [CWE-328] Use of Weak Hash + [REFERENCES] + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + +ast-grep-essentials: true + +rule: + kind: identifier + regex: ^getMd5Digest$ + nthChild: 2 + precedes: + nthChild: 3 + kind: argument_list + not: + has: + nthChild: 1 + inside: + kind: method_invocation + nthChild: 1 + inside: + kind: method_invocation + all: + - has: + kind: identifier + nthChild: 2 + regex: ^digest$ + - has: + kind: argument_list + nthChild: 3 + - not: + has: + stopBy: end + kind: ERROR + diff --git a/tests/__snapshots__/use-of-md5-digest-utils-java-snapshot.yml b/tests/__snapshots__/use-of-md5-digest-utils-java-snapshot.yml new file mode 100644 index 00000000..2e74b70e --- /dev/null +++ b/tests/__snapshots__/use-of-md5-digest-utils-java-snapshot.yml @@ -0,0 +1,29 @@ +id: use-of-md5-digest-utils-java +snapshots: + ? | + byte[] hashValue = DigestUtils.getMd5Digest().digest(password.getBytes()); + : labels: + - source: getMd5Digest + style: primary + start: 31 + end: 43 + - source: digest + style: secondary + start: 46 + end: 52 + - source: (password.getBytes()) + style: secondary + start: 52 + end: 73 + - source: DigestUtils.getMd5Digest().digest(password.getBytes()) + style: secondary + start: 19 + end: 73 + - source: DigestUtils.getMd5Digest() + style: secondary + start: 19 + end: 45 + - source: () + style: secondary + start: 43 + end: 45 diff --git a/tests/java/use-of-md5-digest-utils-java-test.yml b/tests/java/use-of-md5-digest-utils-java-test.yml new file mode 100644 index 00000000..769a4b52 --- /dev/null +++ b/tests/java/use-of-md5-digest-utils-java-test.yml @@ -0,0 +1,7 @@ +id: use-of-md5-digest-utils-java +valid: + - | + byte[] hashValue = DigestUtils.getSha512Digest().digest(password.getBytes()); +invalid: + - | + byte[] hashValue = DigestUtils.getMd5Digest().digest(password.getBytes()); From d3067f11ba31741fd738392f2d2efb1702116dcf Mon Sep 17 00:00:00 2001 From: ESS ENN Date: Wed, 22 Jan 2025 19:05:33 +0530 Subject: [PATCH 4/7] removing use-of-md5-digest-utils and httponly-false-csharp --- rules/csharp/security/httponly-false-csharp | 48 ------------------- .../security/use-of-md5-digest-utils-java.yml | 42 ---------------- tests/csharp/httponly-false-csharp-test.yml | 9 ---- .../use-of-md5-digest-utils-java-test.yml | 7 --- 4 files changed, 106 deletions(-) delete mode 100644 rules/csharp/security/httponly-false-csharp delete mode 100644 rules/java/security/use-of-md5-digest-utils-java.yml delete mode 100644 tests/csharp/httponly-false-csharp-test.yml delete mode 100644 tests/java/use-of-md5-digest-utils-java-test.yml diff --git a/rules/csharp/security/httponly-false-csharp b/rules/csharp/security/httponly-false-csharp deleted file mode 100644 index af939938..00000000 --- a/rules/csharp/security/httponly-false-csharp +++ /dev/null @@ -1,48 +0,0 @@ -id: httponly-false-csharp -language: csharp -severity: warning -message: >- - "Detected a cookie where the `HttpOnly` flag is either missing or - disabled. The `HttpOnly` cookie flag instructs the browser to forbid - client-side JavaScript to read the cookie. If JavaScript interaction is - required, you can ignore this finding. However, set the `HttpOnly` flag to - `true` in all other cases. If this wasn't intentional, it's recommended to - set the HttpOnly flag to true so the cookie will not be accessible through - client-side scripts or to use the Cookie Policy Middleware to globally set - the HttpOnly flag. You can then use the CookieOptions class when - instantiating the cookie, which inherits these settings and will require - future developers to have to explicitly override them on a case-by-case - basis if needed. This approach ensures cookies are secure by default." -note: >- - [CWE-1004] Sensitive Cookie Without 'HttpOnly' Flag" - [REFERENCES] - - https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware - - https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions - - https://owasp.org/Top10/A05_2021-Security_Misconfiguration - - -ast-grep-essentials: true - -rule: - kind: boolean_literal - pattern: $LITERAL - follows: - regex: ^=$ - follows: - kind: member_access_expression - inside: - kind: assignment_expression - all: - - has: - kind: member_access_expression - nthChild: 1 - regex: \.Cookie$ - - has: - kind: identifier - nthChild: 2 - regex: ^HttpOnly$ - -constraints: - LITERAL: - regex: ^false$ - diff --git a/rules/java/security/use-of-md5-digest-utils-java.yml b/rules/java/security/use-of-md5-digest-utils-java.yml deleted file mode 100644 index 553bac8a..00000000 --- a/rules/java/security/use-of-md5-digest-utils-java.yml +++ /dev/null @@ -1,42 +0,0 @@ -id: use-of-md5-digest-utils-java -language: java -severity: warning -message: >- - 'Detected MD5 hash algorithm which is considered insecure. MD5 is not - collision resistant and is therefore not suitable as a cryptographic - signature. Use HMAC instead.' -note: >- - [CWE-328] Use of Weak Hash - [REFERENCES] - - https://owasp.org/Top10/A02_2021-Cryptographic_Failures - -ast-grep-essentials: true - -rule: - kind: identifier - regex: ^getMd5Digest$ - nthChild: 2 - precedes: - nthChild: 3 - kind: argument_list - not: - has: - nthChild: 1 - inside: - kind: method_invocation - nthChild: 1 - inside: - kind: method_invocation - all: - - has: - kind: identifier - nthChild: 2 - regex: ^digest$ - - has: - kind: argument_list - nthChild: 3 - - not: - has: - stopBy: end - kind: ERROR - diff --git a/tests/csharp/httponly-false-csharp-test.yml b/tests/csharp/httponly-false-csharp-test.yml deleted file mode 100644 index e29a7eab..00000000 --- a/tests/csharp/httponly-false-csharp-test.yml +++ /dev/null @@ -1,9 +0,0 @@ -id: httponly-false-csharp -valid: - - | - myHttpOnlyCookie.HttpOnly = true; - - | - options.Cookie.HttpOnly = true; -invalid: - - | - options.Cookie.HttpOnly = false; diff --git a/tests/java/use-of-md5-digest-utils-java-test.yml b/tests/java/use-of-md5-digest-utils-java-test.yml deleted file mode 100644 index 769a4b52..00000000 --- a/tests/java/use-of-md5-digest-utils-java-test.yml +++ /dev/null @@ -1,7 +0,0 @@ -id: use-of-md5-digest-utils-java -valid: - - | - byte[] hashValue = DigestUtils.getSha512Digest().digest(password.getBytes()); -invalid: - - | - byte[] hashValue = DigestUtils.getMd5Digest().digest(password.getBytes()); From 5f251d6d7efbf0f17a06b8dfffb048ca170fe3c9 Mon Sep 17 00:00:00 2001 From: ESS ENN Date: Fri, 7 Feb 2025 14:13:38 +0530 Subject: [PATCH 5/7] dont-call-system-c --- rules/c/security/dont-call-system-c.yml | 61 ++++++++++ .../dont-call-system-c-snapshot.yml | 45 +++++++ ...matter-deserialization-csharp-snapshot.yml | 16 +++ ...ssandra-hardcoded-secret-ruby-snapshot.yml | 115 ++++++++++++++++++ tests/java/dont-call-system-c-test.yml | 34 ++++++ 5 files changed, 271 insertions(+) create mode 100644 rules/c/security/dont-call-system-c.yml create mode 100644 tests/__snapshots__/dont-call-system-c-snapshot.yml create mode 100644 tests/__snapshots__/insecure-binaryformatter-deserialization-csharp-snapshot.yml create mode 100644 tests/__snapshots__/ruby-cassandra-hardcoded-secret-ruby-snapshot.yml create mode 100644 tests/java/dont-call-system-c-test.yml diff --git a/rules/c/security/dont-call-system-c.yml b/rules/c/security/dont-call-system-c.yml new file mode 100644 index 00000000..1cc4810a --- /dev/null +++ b/rules/c/security/dont-call-system-c.yml @@ -0,0 +1,61 @@ +id: dont-call-system-c +language: c +severity: warning +message: >- + Don't call `system`. It's a high-level wrapper that allows for stacking + multiple commands. Always prefer a more restrictive API such as calling + `execve` from the `exec` family. +note: >- + [CWE-78] Improper Neutralization of Special Elements used in an OS + Command ('OS Command Injection'). + [REFERENCES] + - https://owasp.org/Top10/A03_2021-Injection + +ast-grep-essentials: true + +utils: + PATTERN_SYSTEM_INSIDE_IF_STATEMENT: + kind: call_expression + all: + - has: + stopBy: neighbor + kind: identifier + regex: '^system$' + - has: + stopBy: neighbor + kind: argument_list + - inside: + stopBy: end + kind: parenthesized_expression + inside: + kind: if_statement + PATTERN_SYSTEM: + any: + - kind: expression_statement + - kind: return_statement + - kind: field_declaration + has: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: neighbor + kind: identifier + regex: '^system$' + - has: + stopBy: neighbor + kind: argument_list +rule: + any: + - matches: PATTERN_SYSTEM_INSIDE_IF_STATEMENT + - matches: PATTERN_SYSTEM + not: + all: + - has: + stopBy: end + kind: ERROR + - inside: + has: + stopBy: end + kind: ERROR + diff --git a/tests/__snapshots__/dont-call-system-c-snapshot.yml b/tests/__snapshots__/dont-call-system-c-snapshot.yml new file mode 100644 index 00000000..97ca6fda --- /dev/null +++ b/tests/__snapshots__/dont-call-system-c-snapshot.yml @@ -0,0 +1,45 @@ +id: dont-call-system-c +snapshots: + ? | + void test_002(const char *input) + { + char cmdbuf[BUFFERSIZE]; + int len_wanted = snprintf(cmdbuf, BUFFERSIZE, + "any_cmd '%s'", input); + system(cmdbuf); + } + void test_001(const char *input) + { + char cmdbuf[BUFFERSIZE]; + int len_wanted = snprintf(cmdbuf, BUFFERSIZE, + "any_cmd '%s'", input); + if (len_wanted >= BUFFERSIZE) + { + /* Handle error */ + } + else if (len_wanted < 0) + { + /* Handle error */ + } + else if (system(cmdbuf) == -1) + { + /* Handle error */ + } + } + : labels: + - source: system(cmdbuf); + style: primary + start: 156 + end: 171 + - source: system + style: secondary + start: 156 + end: 162 + - source: (cmdbuf) + style: secondary + start: 162 + end: 170 + - source: system(cmdbuf) + style: secondary + start: 156 + end: 170 diff --git a/tests/__snapshots__/insecure-binaryformatter-deserialization-csharp-snapshot.yml b/tests/__snapshots__/insecure-binaryformatter-deserialization-csharp-snapshot.yml new file mode 100644 index 00000000..d2c29dfb --- /dev/null +++ b/tests/__snapshots__/insecure-binaryformatter-deserialization-csharp-snapshot.yml @@ -0,0 +1,16 @@ +id: insecure-binaryformatter-deserialization-csharp +snapshots: + ? "using System.Runtime.Serialization.Formatters.Binary; \nnamespace InsecureDeserialization\n{\n public class InsecureBinaryFormatterDeserialization\n {\n public void BinaryFormatterDeserialization(string json)\n {\n try\n {\n BinaryFormatter binaryFormatter = new BinaryFormatter();\n\n MemoryStream memoryStream = new MemoryStream(Encoding.UTF8.GetBytes(json));\n binaryFormatter.Deserialize(memoryStream);\n memoryStream.Close();\n }\n catch (Exception e)\n {\n Console.WriteLine(e);\n }\n }\n}\n}\n" + : labels: + - source: new BinaryFormatter() + style: primary + start: 281 + end: 302 + - source: using System.Runtime.Serialization.Formatters.Binary; + style: secondary + start: 0 + end: 53 + - source: using System.Runtime.Serialization.Formatters.Binary; + style: secondary + start: 0 + end: 53 diff --git a/tests/__snapshots__/ruby-cassandra-hardcoded-secret-ruby-snapshot.yml b/tests/__snapshots__/ruby-cassandra-hardcoded-secret-ruby-snapshot.yml new file mode 100644 index 00000000..6536d106 --- /dev/null +++ b/tests/__snapshots__/ruby-cassandra-hardcoded-secret-ruby-snapshot.yml @@ -0,0 +1,115 @@ +id: ruby-cassandra-hardcoded-secret-ruby +snapshots: + ? | + require 'cassandra' + cluster = Cassandra.cluster( username: 'user',password: 'password') + : labels: + - source: 'Cassandra.cluster( username: ''user'',password: ''password'')' + style: primary + start: 30 + end: 87 + - source: Cassandra + style: secondary + start: 30 + end: 39 + - source: . + style: secondary + start: 39 + end: 40 + - source: cluster + style: secondary + start: 40 + end: 47 + - source: password + style: secondary + start: 66 + end: 74 + - source: password + style: secondary + start: 77 + end: 85 + - source: '''password''' + style: secondary + start: 76 + end: 86 + - source: 'password: ''password''' + style: secondary + start: 66 + end: 86 + - source: '( username: ''user'',password: ''password'')' + style: secondary + start: 47 + end: 87 + - source: require 'cassandra' + style: secondary + start: 0 + end: 19 + - source: require 'cassandra' + style: secondary + start: 0 + end: 19 + ? | + require 'cassandra' + password = 'password' + cluster = Cassandra.cluster( username: 'user',password: password) + : labels: + - source: 'Cassandra.cluster( username: ''user'',password: password)' + style: primary + start: 52 + end: 107 + - source: Cassandra + style: secondary + start: 52 + end: 61 + - source: . + style: secondary + start: 61 + end: 62 + - source: cluster + style: secondary + start: 62 + end: 69 + - source: password + style: secondary + start: 88 + end: 96 + - source: password + style: secondary + start: 98 + end: 106 + - source: 'password: password' + style: secondary + start: 88 + end: 106 + - source: '( username: ''user'',password: password)' + style: secondary + start: 69 + end: 107 + - source: require 'cassandra' + style: secondary + start: 0 + end: 19 + - source: require 'cassandra' + style: secondary + start: 0 + end: 19 + - source: password + style: secondary + start: 20 + end: 28 + - source: password + style: secondary + start: 32 + end: 40 + - source: '''password''' + style: secondary + start: 31 + end: 41 + - source: password = 'password' + style: secondary + start: 20 + end: 41 + - source: password = 'password' + style: secondary + start: 20 + end: 41 diff --git a/tests/java/dont-call-system-c-test.yml b/tests/java/dont-call-system-c-test.yml new file mode 100644 index 00000000..89689983 --- /dev/null +++ b/tests/java/dont-call-system-c-test.yml @@ -0,0 +1,34 @@ +id: dont-call-system-c +valid: + - | + void test_003(const char *input) + { + storer->store_binary(Clocks->system()); + } +invalid: + - | + void test_002(const char *input) + { + char cmdbuf[BUFFERSIZE]; + int len_wanted = snprintf(cmdbuf, BUFFERSIZE, + "any_cmd '%s'", input); + system(cmdbuf); + } + void test_001(const char *input) + { + char cmdbuf[BUFFERSIZE]; + int len_wanted = snprintf(cmdbuf, BUFFERSIZE, + "any_cmd '%s'", input); + if (len_wanted >= BUFFERSIZE) + { + /* Handle error */ + } + else if (len_wanted < 0) + { + /* Handle error */ + } + else if (system(cmdbuf) == -1) + { + /* Handle error */ + } + } From 783bde67a2d7c05ec4be87e1a5fc1f422c9687e3 Mon Sep 17 00:00:00 2001 From: ESS ENN Date: Fri, 7 Feb 2025 14:14:49 +0530 Subject: [PATCH 6/7] dont-call-system-cpp --- rules/cpp/dont-call-system-cpp.yml | 61 +++++++++++++++++++ .../dont-call-system-cpp-snapshot.yml | 45 ++++++++++++++ tests/cpp/dont-call-system-cpp-test.yml | 34 +++++++++++ 3 files changed, 140 insertions(+) create mode 100644 rules/cpp/dont-call-system-cpp.yml create mode 100644 tests/__snapshots__/dont-call-system-cpp-snapshot.yml create mode 100644 tests/cpp/dont-call-system-cpp-test.yml diff --git a/rules/cpp/dont-call-system-cpp.yml b/rules/cpp/dont-call-system-cpp.yml new file mode 100644 index 00000000..6855b9be --- /dev/null +++ b/rules/cpp/dont-call-system-cpp.yml @@ -0,0 +1,61 @@ +id: dont-call-system-cpp +language: cpp +severity: warning +message: >- + Don't call `system`. It's a high-level wrapper that allows for stacking + multiple commands. Always prefer a more restrictive API such as calling + `execve` from the `exec` family. +note: >- + [CWE-78] Improper Neutralization of Special Elements used in an OS + Command ('OS Command Injection'). + [REFERENCES] + - https://owasp.org/Top10/A03_2021-Injection + +ast-grep-essentials: true + +utils: + PATTERN_SYSTEM_INSIDE_IF_STATEMENT: + kind: call_expression + all: + - has: + stopBy: neighbor + kind: identifier + regex: '^system$' + - has: + stopBy: neighbor + kind: argument_list + - inside: + stopBy: end + kind: parenthesized_expression + inside: + kind: if_statement + PATTERN_SYSTEM: + any: + - kind: expression_statement + - kind: return_statement + - kind: field_declaration + has: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: neighbor + kind: identifier + regex: '^system$' + - has: + stopBy: neighbor + kind: argument_list +rule: + any: + - matches: PATTERN_SYSTEM_INSIDE_IF_STATEMENT + - matches: PATTERN_SYSTEM + not: + all: + - has: + stopBy: end + kind: ERROR + - inside: + has: + stopBy: end + kind: ERROR + diff --git a/tests/__snapshots__/dont-call-system-cpp-snapshot.yml b/tests/__snapshots__/dont-call-system-cpp-snapshot.yml new file mode 100644 index 00000000..fca691e3 --- /dev/null +++ b/tests/__snapshots__/dont-call-system-cpp-snapshot.yml @@ -0,0 +1,45 @@ +id: dont-call-system-cpp +snapshots: + ? | + void test_002(const char *input) + { + char cmdbuf[BUFFERSIZE]; + int len_wanted = snprintf(cmdbuf, BUFFERSIZE, + "any_cmd '%s'", input); + system(cmdbuf); + } + void test_001(const char *input) + { + char cmdbuf[BUFFERSIZE]; + int len_wanted = snprintf(cmdbuf, BUFFERSIZE, + "any_cmd '%s'", input); + if (len_wanted >= BUFFERSIZE) + { + /* Handle error */ + } + else if (len_wanted < 0) + { + /* Handle error */ + } + else if (system(cmdbuf) == -1) + { + /* Handle error */ + } + } + : labels: + - source: system(cmdbuf); + style: primary + start: 156 + end: 171 + - source: system + style: secondary + start: 156 + end: 162 + - source: (cmdbuf) + style: secondary + start: 162 + end: 170 + - source: system(cmdbuf) + style: secondary + start: 156 + end: 170 diff --git a/tests/cpp/dont-call-system-cpp-test.yml b/tests/cpp/dont-call-system-cpp-test.yml new file mode 100644 index 00000000..846b4fcc --- /dev/null +++ b/tests/cpp/dont-call-system-cpp-test.yml @@ -0,0 +1,34 @@ +id: dont-call-system-cpp +valid: + - | + void test_003(const char *input) + { + storer->store_binary(Clocks->system()); + } +invalid: + - | + void test_002(const char *input) + { + char cmdbuf[BUFFERSIZE]; + int len_wanted = snprintf(cmdbuf, BUFFERSIZE, + "any_cmd '%s'", input); + system(cmdbuf); + } + void test_001(const char *input) + { + char cmdbuf[BUFFERSIZE]; + int len_wanted = snprintf(cmdbuf, BUFFERSIZE, + "any_cmd '%s'", input); + if (len_wanted >= BUFFERSIZE) + { + /* Handle error */ + } + else if (len_wanted < 0) + { + /* Handle error */ + } + else if (system(cmdbuf) == -1) + { + /* Handle error */ + } + } From 2821015873f84f2baef8ab839794eeed766485dd Mon Sep 17 00:00:00 2001 From: ESS ENN Date: Fri, 7 Feb 2025 14:18:20 +0530 Subject: [PATCH 7/7] jwt-tokenvalidationparameters-no-expiry-validation-csharp --- ...parameters-no-expiry-validation-csharp.yml | 146 +++++++++++++++ ...s-no-expiry-validation-csharp-snapshot.yml | 169 ++++++++++++++++++ ...eters-no-expiry-validation-csharp-test.yml | 42 +++++ 3 files changed, 357 insertions(+) create mode 100644 rules/csharp/security/jwt-tokenvalidationparameters-no-expiry-validation-csharp.yml create mode 100644 tests/__snapshots__/jwt-tokenvalidationparameters-no-expiry-validation-csharp-snapshot.yml create mode 100644 tests/csharp/jwt-tokenvalidationparameters-no-expiry-validation-csharp-test.yml diff --git a/rules/csharp/security/jwt-tokenvalidationparameters-no-expiry-validation-csharp.yml b/rules/csharp/security/jwt-tokenvalidationparameters-no-expiry-validation-csharp.yml new file mode 100644 index 00000000..9fecd003 --- /dev/null +++ b/rules/csharp/security/jwt-tokenvalidationparameters-no-expiry-validation-csharp.yml @@ -0,0 +1,146 @@ +id: jwt-tokenvalidationparameters-no-expiry-validation-csharp +severity: warning +language: csharp +message: >- + The TokenValidationParameters.$LIFETIME is set to $FALSE, this means + the JWT tokens lifetime is not validated. This can lead to an JWT token + being used after it has expired, which has security implications. It is + recommended to validate the JWT lifetime to ensure only valid tokens are + used. +note: >- + [CWE-613] Insufficient Session Expiration. + [REFERENCES] + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/ + - https://cwe.mitre.org/data/definitions/613.html + - https://docs.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters?view=azure-dotnet + +ast-grep-essentials: true + +utils: + MATCH_PATTERN_ONE: + kind: boolean_literal + inside: + all: + - has: + stopBy: neighbor + regex: ^(RequireExpirationTime|ValidateLifetime).* + any: + - kind: identifier + - kind: member_access_expression + - has: + stopBy: neighbor + regex: '^=$' + - has: + stopBy: neighbor + kind: boolean_literal + regex: '^false$' + - inside: + stopBy: end + kind: object_creation_expression + has: + stopBy: neighbor + kind: identifier + regex: '^TokenValidationParameters$' + + MATCH_PATTERN_TWO: + kind: boolean_literal + inside: + all: + - has: + stopBy: neighbor + kind: member_access_expression + all: + - has: + stopBy: end + kind: identifier + pattern: $T + + - has: + stopBy: neighbor + kind: identifier + regex: ^(RequireExpirationTime|ValidateLifetime).* + + - has: + stopBy: neighbor + regex: '^=$' + - has: + stopBy: neighbor + kind: boolean_literal + regex: '^false$' + - inside: + stopBy: end + kind: global_statement + follows: + stopBy: end + kind: global_statement + has: + stopBy: end + kind: variable_declaration + all: + - has: + stopBy: neighbor + kind: identifier + regex: '^TokenValidationParameters$' + - has: + stopBy: neighbor + kind: variable_declarator + has: + stopBy: neighbor + kind: identifier + pattern: $T + MATCH_PATTERN_THREE: + kind: boolean_literal + inside: + all: + - has: + stopBy: neighbor + kind: member_access_expression + all: + - has: + stopBy: end + kind: identifier + pattern: $S + + - has: + stopBy: neighbor + kind: identifier + regex: ^(RequireExpirationTime|ValidateLifetime).* + - has: + stopBy: neighbor + regex: '^=$' + - has: + stopBy: neighbor + kind: boolean_literal + regex: '^false$' + - inside: + kind: expression_statement + stopBy: end + follows: + stopBy: end + kind: local_declaration_statement + has: + stopBy: end + kind: variable_declaration + all: + - has: + stopBy: end + kind: identifier + regex: '^TokenValidationParameters$' + - has: + stopBy: neighbor + kind: variable_declarator + has: + stopBy: neighbor + kind: identifier + pattern: $S + +rule: + kind: boolean_literal + any: + - matches: MATCH_PATTERN_ONE + - matches: MATCH_PATTERN_TWO + - matches: MATCH_PATTERN_THREE + not: + has: + kind: ERROR + stopBy: end diff --git a/tests/__snapshots__/jwt-tokenvalidationparameters-no-expiry-validation-csharp-snapshot.yml b/tests/__snapshots__/jwt-tokenvalidationparameters-no-expiry-validation-csharp-snapshot.yml new file mode 100644 index 00000000..f7b23cff --- /dev/null +++ b/tests/__snapshots__/jwt-tokenvalidationparameters-no-expiry-validation-csharp-snapshot.yml @@ -0,0 +1,169 @@ +id: jwt-tokenvalidationparameters-no-expiry-validation-csharp +snapshots: + ? | + TokenValidationParameters parameters = new TokenValidationParameters + { + ValidateLifetime = false, + RequireExpirationTime = false, + ValidateIssuer = false, + ValidateAudience = false + }; + : labels: + - source: 'false' + style: primary + start: 90 + end: 95 + - source: ValidateLifetime + style: secondary + start: 71 + end: 87 + - source: = + style: secondary + start: 88 + end: 89 + - source: 'false' + style: secondary + start: 90 + end: 95 + - source: TokenValidationParameters + style: secondary + start: 43 + end: 68 + - source: |- + new TokenValidationParameters + { + ValidateLifetime = false, + RequireExpirationTime = false, + ValidateIssuer = false, + ValidateAudience = false + } + style: secondary + start: 39 + end: 178 + - source: ValidateLifetime = false + style: secondary + start: 71 + end: 95 + ? "TokenValidationParameters parameters = new TokenValidationParameters\n{ \nValidateLifetime = false,\nRequireExpirationTime = false,\nValidateIssuer = false,\nValidateAudience = false\n};\n" + : labels: + - source: 'false' + style: primary + start: 91 + end: 96 + - source: ValidateLifetime + style: secondary + start: 72 + end: 88 + - source: = + style: secondary + start: 89 + end: 90 + - source: 'false' + style: secondary + start: 91 + end: 96 + - source: TokenValidationParameters + style: secondary + start: 43 + end: 68 + - source: "new TokenValidationParameters\n{ \nValidateLifetime = false,\nRequireExpirationTime = false,\nValidateIssuer = false,\nValidateAudience = false\n}" + style: secondary + start: 39 + end: 179 + - source: ValidateLifetime = false + style: secondary + start: 72 + end: 96 + ? | + options.TokenValidationParameters = new TokenValidationParameters + { + ValidateLifetime = true, + RequireExpirationTime = false, + ValidateIssuer = false, + ValidateAudience = false + }; + : labels: + - source: 'false' + style: primary + start: 125 + end: 130 + - source: RequireExpirationTime + style: secondary + start: 101 + end: 122 + - source: = + style: secondary + start: 123 + end: 124 + - source: 'false' + style: secondary + start: 125 + end: 130 + - source: TokenValidationParameters + style: secondary + start: 40 + end: 65 + - source: |- + new TokenValidationParameters + { + ValidateLifetime = true, + RequireExpirationTime = false, + ValidateIssuer = false, + ValidateAudience = false + } + style: secondary + start: 36 + end: 190 + - source: RequireExpirationTime = false + style: secondary + start: 101 + end: 130 + ? | + options.TokenValidationParameters = new TokenValidationParameters + { + ValidateLifetime = false, + RequireSignedTokens = true, + ValidateIssuer = false, + ValidateAudience = false, + RequireExpirationTime = false + }; + TokenValidationParameters parameters = new TokenValidationParameters(); + parameters.RequireExpirationTime = false; + parameters.ValidateLifetime = false; + : labels: + - source: 'false' + style: primary + start: 87 + end: 92 + - source: ValidateLifetime + style: secondary + start: 68 + end: 84 + - source: = + style: secondary + start: 85 + end: 86 + - source: 'false' + style: secondary + start: 87 + end: 92 + - source: TokenValidationParameters + style: secondary + start: 40 + end: 65 + - source: |- + new TokenValidationParameters + { + ValidateLifetime = false, + RequireSignedTokens = true, + ValidateIssuer = false, + ValidateAudience = false, + RequireExpirationTime = false + } + style: secondary + start: 36 + end: 203 + - source: ValidateLifetime = false + style: secondary + start: 68 + end: 92 diff --git a/tests/csharp/jwt-tokenvalidationparameters-no-expiry-validation-csharp-test.yml b/tests/csharp/jwt-tokenvalidationparameters-no-expiry-validation-csharp-test.yml new file mode 100644 index 00000000..c6a2689d --- /dev/null +++ b/tests/csharp/jwt-tokenvalidationparameters-no-expiry-validation-csharp-test.yml @@ -0,0 +1,42 @@ +id: jwt-tokenvalidationparameters-no-expiry-validation-csharp +valid: + - | + parameters.ValidateLifetime = true; + parameters.RequireExpirationTime = true +invalid: + - | + options.TokenValidationParameters = new TokenValidationParameters + { + ValidateLifetime = false, + RequireSignedTokens = true, + ValidateIssuer = false, + ValidateAudience = false, + RequireExpirationTime = false + }; + TokenValidationParameters parameters = new TokenValidationParameters(); + parameters.RequireExpirationTime = false; + parameters.ValidateLifetime = false; + - | + TokenValidationParameters parameters = new TokenValidationParameters + { + ValidateLifetime = false, + RequireExpirationTime = false, + ValidateIssuer = false, + ValidateAudience = false + }; + - | + options.TokenValidationParameters = new TokenValidationParameters + { + ValidateLifetime = true, + RequireExpirationTime = false, + ValidateIssuer = false, + ValidateAudience = false + }; + - | + TokenValidationParameters parameters = new TokenValidationParameters + { + ValidateLifetime = false, + RequireExpirationTime = false, + ValidateIssuer = false, + ValidateAudience = false + };