coderabbitai
diff --git a/‎package-lock.json
Lines changed: 8 additions & 0 deletions b/‎package-lock.json
Lines changed: 8 additions & 0 deletions
diff --git a/‎package.json
Lines changed: 1 addition & 1 deletion b/‎package.json
Lines changed: 1 addition & 1 deletion
diff --git a/‎rules/java/security/cookie-httponly-false-java.yml
Lines changed: 13 additions & 0 deletions b/‎rules/java/security/cookie-httponly-false-java.yml
Lines changed: 13 additions & 0 deletions
diff --git a/‎rules/java/security/cookie-missing-samesite-java.yml
Lines changed: 68 additions & 0 deletions b/‎rules/java/security/cookie-missing-samesite-java.yml
Lines changed: 68 additions & 0 deletions
diff --git a/‎rules/java/security/cookie-secure-flag-false-java.yml
Lines changed: 14 additions & 0 deletions b/‎rules/java/security/cookie-secure-flag-false-java.yml
Lines changed: 14 additions & 0 deletions
diff --git a/‎rules/java/security/documentbuilderfactory-disallow-doctype-decl-false-java.yml
Lines changed: 46 additions & 0 deletions b/‎rules/java/security/documentbuilderfactory-disallow-doctype-decl-false-java.yml
Lines changed: 46 additions & 0 deletions
diff --git a/‎rules/java/security/simple-command-injection-direct-input-java.yml
Lines changed: 56 additions & 0 deletions b/‎rules/java/security/simple-command-injection-direct-input-java.yml
Lines changed: 56 additions & 0 deletions
diff --git a/‎rules/javascript/security/detect-angular-sce-disabled-javascript.yml
Lines changed: 15 additions & 0 deletions b/‎rules/javascript/security/detect-angular-sce-disabled-javascript.yml
Lines changed: 15 additions & 0 deletions
@@ -12,6 +12,6 @@
   "author": "",
   "license": "ISC",
   "devDependencies": {
-    "@ast-grep/cli": "^0.30.1"
+    "@ast-grep/cli": "^0.31.1"
   }
 }
@@ -0,0 +1,13 @@
+id: cookie-httponly-false-java
+language: java
+message: >-
+  A cookie was detected without setting the 'HttpOnly' flag. The
+  'HttpOnly' flag for cookies instructs the browser to forbid client-side
+  scripts from reading the cookie. Set the 'HttpOnly' flag by calling
+  'cookie.setHttpOnly(true);'
+note: >-
+  [CWE-1004] Sensitive Cookie Without 'HttpOnly' Flag.
+  [REFERENCES]
+  - https://capec.mitre.org/data/definitions/463.html
+rule:
+  pattern: $COOKIE.setHttpOnly(false);
@@ -0,0 +1,68 @@
+id: cookie-missing-samesite-java
+severity: warning
+language: java
+message: >-
+  The application does not appear to verify inbound requests which can
+  lead to a Cross-site request forgery (CSRF) vulnerability. If the
+  application uses cookie-based authentication, an attacker can trick users
+  into sending authenticated HTTP requests without their knowledge from any
+  arbitrary domain they visit. To prevent this vulnerability start by
+  identifying if the framework or library leveraged has built-in features or
+  offers plugins for CSRF protection. CSRF tokens should be unique and
+  securely random. The `Synchronizer Token` or `Double Submit Cookie`
+  patterns with defense-in-depth mechanisms such as the `sameSite` cookie
+  flag can help prevent CSRF. For more information, see: [Cross-site request
+  forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Req\
+  uest_Forgery_Prevention_Cheat_Sheet.html).
+note: >-
+  [CWE-352] Cross-Site Request Forgery (CSRF).
+  [REFERENCES]
+      - https://stackoverflow.com/questions/42717210/samesite-cookie-in-java-application
+rule:
+  any:
+    - pattern: $RESP.setHeader("Set-Cookie", $T);
+      inside:
+        stopBy: end
+        kind: block 
+        follows: 
+          stopBy: end
+          kind: formal_parameters
+          has:
+            stopBy: end
+            kind: formal_parameter
+            all:
+              - has:
+                  stopBy: end
+                  kind: type_identifier
+                  regex: '^HttpServletResponse$'
+              - has:
+                  stopBy: neighbor
+                  kind: identifier
+    - pattern: $RESP.addCookie($$$);
+      not:
+        follows:
+          stopBy: end
+          kind: expression_statement
+          pattern: $RESP.setHeader("Set-Cookie", $T);
+          inside:
+           stopBy: end
+           kind: block   
+           follows: 
+             stopBy: end
+             kind: formal_parameters
+             has:
+              stopBy: end
+              kind: formal_parameter
+              all:
+              - has:
+                  stopBy: end
+                  kind: type_identifier
+                  regex: '^HttpServletResponse$'
+              - has:
+                  stopBy: neighbor
+                  kind: identifier     
+    - pattern: $RESP.setHeader("Set-Cookie");
+constraints:
+  T:
+    not:
+      regex: ".*SameSite=.*"
@@ -0,0 +1,14 @@
+id: cookie-secure-flag-false-java
+language: java
+severity: warning
+message: >-
+ A cookie was detected without setting the 'secure' flag. The 'secure'
+ flag for cookies prevents the client from transmitting the cookie over
+ insecure channels such as HTTP. Set the 'secure' flag by calling
+ '$COOKIE.setSecure(true);'.
+note: >-
+  [CWE-614] Sensitive Cookie in HTTPS Session Without 'Secure' Attribute.
+  [REFERENCES]
+      - https://owasp.org/www-community/controls/SecureCookieAttribute
+rule:
+ pattern: $COOKIE.setSecure(false);
@@ -0,0 +1,46 @@
+id: documentbuilderfactory-disallow-doctype-decl-false-java
+language: java
+severity: warning
+message: >-
+    DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting
+      external entity declarations, this is vulnerable to XML external entity
+      attacks. Disable this by setting the feature
+      "http://apache.org/xml/features/disallow-doctype-decl" to true.
+      Alternatively, allow DOCTYPE declarations and only prohibit external
+      entities declarations. This can be done by setting the features
+      "http://xml.org/sax/features/external-general-entities" and
+      "http://xml.org/sax/features/external-parameter-entities" to false.
+note: >-
+  [CWE-611]: mproper Restriction of XML External Entity Reference
+  [OWASP A04:2017]: XML External Entities (XXE)
+  [OWASP A05:2021 - Security Misconfiguration]
+  [REFERENCES]
+       https://blog.sonarsource.com/secure-xml-processor
+       https://xerces.apache.org/xerces2-j/features.html
+utils:
+  match_expression_statement:
+    kind: expression_statement
+    has:
+      stopBy: end
+      kind: method_invocation
+      all:
+        - has:
+           stopBy: end
+           kind: identifier
+        - has:
+           stopBy: end
+           kind: identifier
+           regex: '^setFeature$'
+      has:
+        kind: argument_list
+        all:
+          - has:
+             stopBy: end
+             kind: string_literal
+             regex: 'http://apache.org/xml/features/disallow-doctype-decl'
+          - has:
+             stopBy: end
+             regex: '^false$'
+rule:
+  any:
+    - matches: match_expression_statement
@@ -0,0 +1,56 @@
+id: simple-command-injection-direct-input-java
+language: java
+severity: warning
+message: >-
+  "Untrusted input might be injected into a command executed by the
+      application, which can lead to a command injection vulnerability. An
+      attacker can execute arbitrary commands, potentially gaining complete
+      control of the system. To prevent this vulnerability, avoid executing OS
+      commands with user input. If this is unavoidable, validate and sanitize
+      the input, and use safe methods for executing the commands. For more
+      information, see: [Java command injection
+      prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/\
+      )"
+note: >-
+  [CWE-78] Improper Neutralization of Special Elements used in an OS
+  [REFERENCES]
+      - https://docs.oracle.com/javase/8/docs/api/java/lang/Runtime.html
+      - https://owasp.org/Top10/A03_2021-Injection
+
+rule:
+  kind: method_invocation
+  pattern: Runtime.getRuntime().exec($SOURCE)
+  inside:
+    kind: method_declaration
+    stopBy: end
+    has:
+      stopBy: end
+      kind: formal_parameter
+      has:
+        kind: modifiers
+        any:
+          - has:
+              kind: marker_annotation
+              has:
+                kind: identifier
+                pattern: $REQ
+          - has:
+              kind: annotation
+              all:
+                - has:
+                    kind: identifier
+                    pattern: $REQ
+                - has:
+                    kind: annotation_argument_list
+        precedes:
+          kind: type_identifier
+          pattern: $TYPE
+          precedes:
+            kind: identifier
+            pattern: $SOURCE
+
+constraints:
+  REQ:
+    regex: ^(RequestBody|PathVariable|RequestParam|RequestHeader|CookieValue|ModelAttribute)
+  TYPE:
+    regex: ^[^I].*|^I[^n].*|^In[^t].*|^Int[^e].*|^Inte[^g].*|^Integ[^e].*|^Inge[^r].*|^L[^o].*|^Lo[^n].*|^Lon[^g].*|^F[^l].*|^Fl[^o].*|^Flo[^a].*|^Floa[^t].*|^D[^o].*|^Do[^u].*|^Dou[^b].*|^Doub[^l].*|^Doubl[^e].*|^C[^h].*|^Ch[^a].*|^Cha[^r].*|^B[^o].*|^Bo[^o].*|^Boo[^l].*|^Bool[^e].*|^Boole[^a].*|^Boolea[^n].*|^i[^n].*|^in[^t].*|^l[^o].*|^lo[^n].*|^lon[^g].*|^f[^l].*|^fl[^o].*|^flo[^a].*|^floa[^t].*|^d[^o].*|^do[^u].*|^dou[^b].*|^doub[^l].*|^doubl[^e].*|^c[^h].*|^ch[^a].*|^cha[^r].*|^b[^o].*|^bo[^o].*|^boo[^l].*|^bool[^e].*|^boole[^a].*|^boolea[^n].*
@@ -0,0 +1,15 @@
+id: detect-angular-sce-disabled-javascript
+language: javascript
+severity: warning
+message: >-
+  $sceProvider is set to false. Disabling Strict Contextual escaping
+  (SCE) in an AngularJS application could provide additional attack surface
+  for XSS vulnerabilities.
+note: >-
+  [CWE-79] Improper Neutralization of Input During Web Page Generation.
+  [REFERENCES]
+      - https://docs.angularjs.org/api/ng/service/$sce
+      - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf
+rule:
+  pattern: |
+      $sceProvider.enabled(false);
Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,6 @@`
`12`	`12`	`"author": "",`
`13`	`13`	`"license": "ISC",`
`14`	`14`	`"devDependencies": {`
`15`		`- "@ast-grep/cli": "^0.30.1"`
	`15`	`+ "@ast-grep/cli": "^0.31.1"`
`16`	`16`	`}`
`17`	`17`	`}`