Add security rules for system() usage in C/C++ and JWT expiry in C#

rules/c/security/dont-call-system-c.yml

@@ -0,0 +1,61 @@
+id: dont-call-system-c
+language: c
+severity: warning
+message: >-
+  Don't call `system`. It's a high-level wrapper that allows for stacking
+  multiple commands. Always prefer a more restrictive API such as calling
+  `execve` from the `exec` family.
+note: >-
+  [CWE-78] Improper Neutralization of Special Elements used in an OS
+          Command ('OS Command Injection').
+  [REFERENCES]
+      - https://owasp.org/Top10/A03_2021-Injection
+
+ast-grep-essentials: true
+
+utils:
+  PATTERN_SYSTEM_INSIDE_IF_STATEMENT:
+    kind: call_expression
+    all:
+      - has:
+          stopBy: neighbor
+          kind: identifier
+          regex: '^system$'
+      - has:
+          stopBy: neighbor
+          kind: argument_list
+      - inside:
+          stopBy: end
+          kind: parenthesized_expression
+          inside:
+            kind: if_statement
+  PATTERN_SYSTEM:
+    any:
+    - kind: expression_statement
+    - kind: return_statement
+    - kind: field_declaration
+    has:
+      stopBy: neighbor
+      kind: call_expression
+      all:
+      - has:
+          stopBy: neighbor
+          kind: identifier
+          regex: '^system$'
+      - has:
+          stopBy: neighbor
+          kind: argument_list
+rule:
+  any:
+  - matches: PATTERN_SYSTEM_INSIDE_IF_STATEMENT
+  - matches: PATTERN_SYSTEM
+  not:
+    all:
+      - has:
+          stopBy: end
+          kind: ERROR
+      - inside:
+          has:
+            stopBy: end
+            kind: ERROR
+

rules/cpp/dont-call-system-cpp.yml

@@ -0,0 +1,61 @@
+id: dont-call-system-cpp
+language: cpp
+severity: warning
+message: >-
+  Don't call `system`. It's a high-level wrapper that allows for stacking
+  multiple commands. Always prefer a more restrictive API such as calling
+  `execve` from the `exec` family.
+note: >-
+  [CWE-78] Improper Neutralization of Special Elements used in an OS
+          Command ('OS Command Injection').
+  [REFERENCES]
+      - https://owasp.org/Top10/A03_2021-Injection
+
+ast-grep-essentials: true
+
+utils:
+  PATTERN_SYSTEM_INSIDE_IF_STATEMENT:
+    kind: call_expression
+    all:
+      - has:
+          stopBy: neighbor
+          kind: identifier
+          regex: '^system$'
+      - has:
+          stopBy: neighbor
+          kind: argument_list
+      - inside:
+          stopBy: end
+          kind: parenthesized_expression
+          inside:
+            kind: if_statement
+  PATTERN_SYSTEM:
+    any:
+    - kind: expression_statement
+    - kind: return_statement
+    - kind: field_declaration
+    has:
+      stopBy: neighbor
+      kind: call_expression
+      all:
+      - has:
+          stopBy: neighbor
+          kind: identifier
+          regex: '^system$'
+      - has:
+          stopBy: neighbor
+          kind: argument_list
+rule:
+  any:
+  - matches: PATTERN_SYSTEM_INSIDE_IF_STATEMENT
+  - matches: PATTERN_SYSTEM
+  not:
+    all:
+      - has:
+          stopBy: end
+          kind: ERROR
+      - inside:
+          has:
+            stopBy: end
+            kind: ERROR
+

rules/csharp/security/jwt-tokenvalidationparameters-no-expiry-validation-csharp.yml

@@ -0,0 +1,146 @@
+id: jwt-tokenvalidationparameters-no-expiry-validation-csharp
+severity: warning
+language: csharp
+message: >-
+  The TokenValidationParameters.$LIFETIME is set to $FALSE, this means
+  the JWT tokens lifetime is not validated. This can lead to an JWT token
+  being used after it has expired, which has security implications. It is
+  recommended to validate the JWT lifetime to ensure only valid tokens are
+  used.
+note: >-
+  [CWE-613] Insufficient Session Expiration.
+  [REFERENCES]
+      - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/
+      - https://cwe.mitre.org/data/definitions/613.html
+      - https://docs.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters?view=azure-dotnet
+
+ast-grep-essentials: true
+
+utils:
+  MATCH_PATTERN_ONE:
+    kind: boolean_literal
+    inside:
+      all:
+        - has:
+            stopBy: neighbor
+            regex: ^(RequireExpirationTime|ValidateLifetime).*
+            any:
+              - kind: identifier
+              - kind: member_access_expression
+        - has:
+            stopBy: neighbor
+            regex: '^=$'
+        - has:
+            stopBy: neighbor
+            kind: boolean_literal
+            regex: '^false$'
+        - inside:
+            stopBy: end
+            kind: object_creation_expression
+            has:
+              stopBy: neighbor
+              kind: identifier
+              regex: '^TokenValidationParameters$'
+
+  MATCH_PATTERN_TWO:
+      kind: boolean_literal
+      inside:
+        all:
+          - has:
+              stopBy: neighbor
+              kind: member_access_expression
+              all:
+                - has:
+                    stopBy: end
+                    kind: identifier
+                    pattern: $T
+
+                - has:
+                    stopBy: neighbor
+                    kind: identifier
+                    regex: ^(RequireExpirationTime|ValidateLifetime).*
+
+          - has:
+              stopBy: neighbor
+              regex: '^=$'
+          - has:
+              stopBy: neighbor
+              kind: boolean_literal
+              regex: '^false$'
+          - inside:
+              stopBy: end
+              kind: global_statement
+              follows:
+                stopBy: end
+                kind: global_statement
+                has:
+                  stopBy: end
+                  kind: variable_declaration
+                  all:
+                    - has:
+                        stopBy: neighbor
+                        kind: identifier
+                        regex: '^TokenValidationParameters$'
+                    - has:
+                        stopBy: neighbor
+                        kind: variable_declarator
+                        has:
+                          stopBy: neighbor
+                          kind: identifier
+                          pattern: $T           
+  MATCH_PATTERN_THREE:
+    kind: boolean_literal
+    inside:
+      all:
+        - has:
+            stopBy: neighbor
+            kind: member_access_expression
+            all:
+              - has:
+                  stopBy: end
+                  kind: identifier
+                  pattern: $S
+
+              - has:
+                  stopBy: neighbor
+                  kind: identifier
+                  regex: ^(RequireExpirationTime|ValidateLifetime).*        
+        - has:
+            stopBy: neighbor
+            regex: '^=$'
+        - has:
+            stopBy: neighbor
+            kind: boolean_literal
+            regex: '^false$'
+        - inside:
+            kind: expression_statement
+            stopBy: end
+            follows:
+              stopBy: end
+              kind: local_declaration_statement
+              has:
+                stopBy: end
+                kind: variable_declaration
+                all:
+                  - has:
+                      stopBy: end
+                      kind: identifier
+                      regex: '^TokenValidationParameters$'
+                  - has:
+                      stopBy: neighbor
+                      kind: variable_declarator
+                      has:
+                        stopBy: neighbor
+                        kind: identifier
+                        pattern: $S           
+
+rule:
+  kind: boolean_literal
+  any:
+    - matches: MATCH_PATTERN_ONE
+    - matches: MATCH_PATTERN_TWO
+    - matches: MATCH_PATTERN_THREE
+  not:
+    has:
+      kind: ERROR
+      stopBy: end

tests/__snapshots__/dont-call-system-c-snapshot.yml

@@ -0,0 +1,45 @@
+id: dont-call-system-c
+snapshots:
+  ? |
+    void test_002(const char *input)
+    {
+    char cmdbuf[BUFFERSIZE];
+    int len_wanted = snprintf(cmdbuf, BUFFERSIZE,
+                              "any_cmd '%s'", input);
+    system(cmdbuf);
+    }
+    void test_001(const char *input)
+    {
+    char cmdbuf[BUFFERSIZE];
+    int len_wanted = snprintf(cmdbuf, BUFFERSIZE,
+                              "any_cmd '%s'", input);
+    if (len_wanted >= BUFFERSIZE)
+    {
+        /* Handle error */
+    }
+    else if (len_wanted < 0)
+    {
+        /* Handle error */
+    }
+    else if (system(cmdbuf) == -1)
+    {
+        /* Handle error */
+    }
+    }
+  : labels:
+    - source: system(cmdbuf);
+      style: primary
+      start: 156
+      end: 171
+    - source: system
+      style: secondary
+      start: 156
+      end: 162
+    - source: (cmdbuf)
+      style: secondary
+      start: 162
+      end: 170
+    - source: system(cmdbuf)
+      style: secondary
+      start: 156
+      end: 170

tests/__snapshots__/dont-call-system-cpp-snapshot.yml

@@ -0,0 +1,45 @@
+id: dont-call-system-cpp
+snapshots:
+  ? |
+    void test_002(const char *input)
+    {
+    char cmdbuf[BUFFERSIZE];
+    int len_wanted = snprintf(cmdbuf, BUFFERSIZE,
+                              "any_cmd '%s'", input);
+    system(cmdbuf);
+    }
+    void test_001(const char *input)
+    {
+    char cmdbuf[BUFFERSIZE];
+    int len_wanted = snprintf(cmdbuf, BUFFERSIZE,
+                              "any_cmd '%s'", input);
+    if (len_wanted >= BUFFERSIZE)
+    {
+        /* Handle error */
+    }
+    else if (len_wanted < 0)
+    {
+        /* Handle error */
+    }
+    else if (system(cmdbuf) == -1)
+    {
+        /* Handle error */
+    }
+    }
+  : labels:
+    - source: system(cmdbuf);
+      style: primary
+      start: 156
+      end: 171
+    - source: system
+      style: secondary
+      start: 156
+      end: 162
+    - source: (cmdbuf)
+      style: secondary
+      start: 162
+      end: 170
+    - source: system(cmdbuf)
+      style: secondary
+      start: 156
+      end: 170