
Commit 308e947

Merge branch 'coderabbitai:main' into main
2 parents bb7b8e1 + a248264 commit 308e947

File tree

70 files changed

+5973
-2
lines changed


rules/java/security/des-is-deprecated-java.yml

Lines changed: 2 additions & 2 deletions
Original file line number | Diff line number | Diff line change
@@ -11,6 +11,6 @@ note: >-
1111
- https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard
1212
rule:
1313
pattern: $CIPHER.getInstance($SAS)
14-
constraints:
14+
constraints:
1515
SAS:
16-
regex: "DES"
16+
regex: ^".*/DES/.*"|"DES"|"DES/.*"$
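Review bot: the anchors in the new constraint `regex: ^".*/DES/.*"|"DES"|"DES/.*"$` bind to the outer alternation only, so `^` applies to the first branch and `$` to the last while the middle `"DES"` branch is unanchored; group it as `^"(.*/DES/.*|DES|DES/.*)"$` so every branch is tested against the whole string literal. Two caveats worth a comment in the rule: JCA transformation strings are matched case-insensitively (`Cipher.getInstance("des/cbc/pkcs5padding")` is accepted), so a `(?i)` prefix would close that gap, and the first branch can only match `DES` in the mode position of an `algorithm/mode/padding` string, which no valid transformation has. The regex also deliberately leaves `DESede` (triple DES) alone, since the `"DES"` and `"DES/.*"` branches require a quote or slash right after `DES`; if that is intended, say so in the note, otherwise add a `DESede(/.*)?` branch.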
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
id: rsa-no-padding-java
2+
severity: warning
3+
language: java
4+
message: >-
5+
Using RSA without OAEP mode weakens the encryption.
6+
note: >-
7+
[CWE-326] Inadequate Encryption Strength
8+
[REFERENCES]
9+
- https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/
10+
rule:
11+
pattern: $YST.getInstance($MODE)
12+
constraints:
13+
MODE:
14+
regex: 'RSA/[Nn][Oo][Nn][Ee]/NoPadding'
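Review bot: the constraint `regex: 'RSA/[Nn][Oo][Nn][Ee]/NoPadding'` only fires on the `RSA/None/NoPadding` spelling, while the message promises a warning on any RSA use without OAEP; `Cipher.getInstance("RSA")` (equivalent to `RSA/ECB/PKCS1Padding` in the standard providers), `RSA/ECB/NoPadding` and `RSA/ECB/PKCS1Padding` all pass silently. Since a constraint is a full rule object, something like `MODE: { regex: '(?i)^"RSA', not: { regex: '(?i)OAEP' } }` expresses the intent directly; at minimum make the whole expression case-insensitive, because JCA transformation names are case-insensitive and only the mode segment is case-flexible here. The regex is also unanchored, which is harmless today but will surprise the next person who adds a branch. For the note, CWE-780 (Use of RSA Algorithm without OAEP) is the precise weakness and belongs alongside CWE-326.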
Lines changed: 56 additions & 0 deletions
@@ -0,0 +1,56 @@
1+
id: simple-command-injection-direct-input-java
2+
language: java
3+
severity: warning
4+
message: >-
5+
"Untrusted input might be injected into a command executed by the
6+
application, which can lead to a command injection vulnerability. An
7+
attacker can execute arbitrary commands, potentially gaining complete
8+
control of the system. To prevent this vulnerability, avoid executing OS
9+
commands with user input. If this is unavoidable, validate and sanitize
10+
the input, and use safe methods for executing the commands. For more
11+
information, see: [Java command injection
12+
prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/\
13+
)"
14+
note: >-
15+
[CWE-78] Improper Neutralization of Special Elements used in an OS
16+
[REFERENCES]
17+
- https://docs.oracle.com/javase/8/docs/api/java/lang/Runtime.html
18+
- https://owasp.org/Top10/A03_2021-Injection
19+
20+
rule:
21+
kind: method_invocation
22+
pattern: Runtime.getRuntime().exec($SOURCE)
23+
inside:
24+
kind: method_declaration
25+
stopBy: end
26+
has:
27+
stopBy: end
28+
kind: formal_parameter
29+
has:
30+
kind: modifiers
31+
any:
32+
- has:
33+
kind: marker_annotation
34+
has:
35+
kind: identifier
36+
pattern: $REQ
37+
- has:
38+
kind: annotation
39+
all:
40+
- has:
41+
kind: identifier
42+
pattern: $REQ
43+
- has:
44+
kind: annotation_argument_list
45+
precedes:
46+
kind: type_identifier
47+
pattern: $TYPE
48+
precedes:
49+
kind: identifier
50+
pattern: $SOURCE
51+
52+
constraints:
53+
REQ:
54+
regex: ^(RequestBody|PathVariable|RequestParam|RequestHeader|CookieValue|ModelAttribute)
55+
TYPE:
56+
regex: ^[^I].*|^I[^n].*|^In[^t].*|^Int[^e].*|^Inte[^g].*|^Integ[^e].*|^Inge[^r].*|^L[^o].*|^Lo[^n].*|^Lon[^g].*|^F[^l].*|^Fl[^o].*|^Flo[^a].*|^Floa[^t].*|^D[^o].*|^Do[^u].*|^Dou[^b].*|^Doub[^l].*|^Doubl[^e].*|^C[^h].*|^Ch[^a].*|^Cha[^r].*|^B[^o].*|^Bo[^o].*|^Boo[^l].*|^Bool[^e].*|^Boole[^a].*|^Boolea[^n].*|^i[^n].*|^in[^t].*|^l[^o].*|^lo[^n].*|^lon[^g].*|^f[^l].*|^fl[^o].*|^flo[^a].*|^floa[^t].*|^d[^o].*|^do[^u].*|^dou[^b].*|^doub[^l].*|^doubl[^e].*|^c[^h].*|^ch[^a].*|^cha[^r].*|^b[^o].*|^bo[^o].*|^boo[^l].*|^bool[^e].*|^boole[^a].*|^boolea[^n].*
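Review bot: the `TYPE` constraint is effectively a no-op because its branches are OR-ed together: the first alternative `^[^I].*` matches every type name that does not start with `I`, so `Long`, `int`, `boolean` and every other type the list tries to exclude are accepted, and the only names actually rejected are those beginning with `Intege` (the `^Inge[^r].*` branch also reads like a typo for `^Intege[^r].*`). A union of negated prefixes cannot express "none of these names"; constraints take a full rule object, so use negation instead, e.g. `TYPE: { not: { regex: '^(int|Integer|long|Long|float|Float|double|Double|char|Character|boolean|Boolean)$' } }`, which is both correct and readable. Two smaller points: the CWE line is cut short (CWE-78 is "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"), and inside a `>-` block scalar the surrounding `"` and the trailing `\` are literal characters, so the rendered message will carry the quotes and the link URL will end in a backslash; drop both.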
Lines changed: 15 additions & 0 deletions
@@ -0,0 +1,15 @@
1+
id: detect-angular-sce-disabled-javascript
2+
language: javascript
3+
severity: warning
4+
message: >-
5+
$sceProvider is set to false. Disabling Strict Contextual escaping
6+
(SCE) in an AngularJS application could provide additional attack surface
7+
for XSS vulnerabilities.
8+
note: >-
9+
[CWE-79] Improper Neutralization of Input During Web Page Generation.
10+
[REFERENCES]
11+
- https://docs.angularjs.org/api/ng/service/$sce
12+
- https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf
13+
rule:
14+
pattern: |
15+
$sceProvider.enabled(false);
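Review bot: the message `$sceProvider is set to false` misdescribes the finding; it is Strict Contextual Escaping that is switched off by `$sceProvider.enabled(false)`, so word it that way. The pattern relies on the injected provider being named literally `$sceProvider` (correct here, since meta-variable names must be uppercase and the lowercase name is treated as plain text), which means array-annotated injection such as `app.config(['$sceProvider', function (p) { p.enabled(false); }])` is not caught; that is an acceptable trade-off for a low-noise rule, but record it in the note so nobody treats a clean scan as proof that SCE is on.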
Lines changed: 294 additions & 0 deletions
@@ -0,0 +1,294 @@
1+
id: express-jwt-hardcoded-secret-javascript
2+
language: javascript
3+
severity: warning
4+
message: >-
5+
A hard-coded credential was detected. It is not recommended to store
6+
credentials in source-code, as this risks secrets being leaked and used by
7+
either an internal or external malicious adversary. It is recommended to
8+
use environment variables to securely provide credentials or retrieve
9+
credentials from a secure vault or HSM (Hardware Security Module).
10+
note: >-
11+
[CWE-798] Use of Hard-coded Credentials.
12+
[REFERENCES]
13+
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
14+
utils:
15+
MATCH_SECRET_DIRECTLY:
16+
kind: pair
17+
inside:
18+
stopBy: end
19+
kind: expression_statement
20+
all:
21+
- has:
22+
stopBy: end
23+
kind: call_expression
24+
all:
25+
- has:
26+
stopBy: neighbor
27+
kind: identifier
28+
pattern: $E
29+
- has:
30+
stopBy: end
31+
kind: arguments
32+
has:
33+
stopBy: end
34+
kind: object
35+
has:
36+
stopBy: neighbor
37+
kind: pair
38+
all:
39+
- has:
40+
stopBy: neighbor
41+
kind: property_identifier
42+
regex: '^secret$'
43+
- has:
44+
stopBy: neighbor
45+
kind: string
46+
has:
47+
stopBy: neighbor
48+
kind: string_fragment
49+
50+
- any:
51+
- follows:
52+
stopBy: end
53+
kind: variable_declaration
54+
has:
55+
stopBy: end
56+
kind: variable_declarator
57+
all:
58+
- has:
59+
stopBy: end
60+
kind: identifier
61+
pattern: $E
62+
- has:
63+
stopBy: neighbor
64+
kind: call_expression
65+
all:
66+
- has:
67+
stopBy: neighbor
68+
kind: identifier
69+
regex: '^require$'
70+
- has:
71+
stopBy: neighbor
72+
kind: arguments
73+
has:
74+
stopBy: neighbor
75+
kind : string
76+
has:
77+
stopBy: neighbor
78+
kind: string_fragment
79+
regex: '^express-jwt$'
80+
- follows:
81+
stopBy: end
82+
kind: import_statement
83+
all:
84+
- has:
85+
stopBy: end
86+
kind: import_clause
87+
has:
88+
stopBy: neighbor
89+
kind: identifier
90+
pattern: $E
91+
- has:
92+
stopBy: neighbor
93+
kind: string
94+
has:
95+
stopBy: end
96+
kind: string_fragment
97+
regex: '^express-jwt$'
98+
- follows:
99+
stopBy: end
100+
kind: import_statement
101+
all:
102+
- has:
103+
stopBy: end
104+
kind: import_clause
105+
has:
106+
stopBy: end
107+
kind: namespace_import
108+
has:
109+
stopBy: end
110+
kind: identifier
111+
pattern: $E
112+
- has:
113+
stopBy: neighbor
114+
kind: string
115+
has:
116+
stopBy: neighbor
117+
kind: string_fragment
118+
regex: '^express-jwt$'
119+
- follows:
120+
stopBy: end
121+
kind: import_statement
122+
all:
123+
- has:
124+
stopBy: neighbor
125+
kind: import_clause
126+
has:
127+
stopBy: neighbor
128+
kind: named_imports
129+
has:
130+
stopBy: neighbor
131+
kind: import_specifier
132+
has:
133+
stopBy: end
134+
kind: identifier
135+
pattern: $E
136+
- has:
137+
stopBy: end
138+
kind: string
139+
has:
140+
stopBy: end
141+
kind: string_fragment
142+
regex: '^express-jwt$'
143+
144+
MATCH_PATTERN_WITH_INSTANCE:
145+
kind: pair
146+
pattern: $O
147+
inside:
148+
stopBy: end
149+
kind: expression_statement
150+
all:
151+
- has:
152+
stopBy: end
153+
kind: call_expression
154+
all:
155+
- has:
156+
stopBy: neighbor
157+
kind: identifier
158+
pattern: $E
159+
- has:
160+
stopBy: end
161+
kind: arguments
162+
has:
163+
stopBy: end
164+
kind: object
165+
has:
166+
stopBy: neighbor
167+
kind: pair
168+
pattern: $O
169+
all:
170+
- has:
171+
stopBy: neighbor
172+
kind: property_identifier
173+
regex: '^secret$'
174+
- has:
175+
stopBy: neighbor
176+
kind: identifier
177+
pattern: $F
178+
- follows:
179+
stopBy: end
180+
kind: lexical_declaration
181+
has:
182+
stopBy: end
183+
kind: variable_declarator
184+
all:
185+
- has:
186+
stopBy: neighbor
187+
kind: identifier
188+
pattern: $F
189+
- has:
190+
stopBy: neighbor
191+
kind: string
192+
has:
193+
stopBy: neighbor
194+
kind: string_fragment
195+
196+
- any:
197+
- follows:
198+
stopBy: end
199+
kind: variable_declaration
200+
has:
201+
stopBy: end
202+
kind: variable_declarator
203+
all:
204+
- has:
205+
stopBy: end
206+
kind: identifier
207+
pattern: $E
208+
- has:
209+
stopBy: neighbor
210+
kind: call_expression
211+
all:
212+
- has:
213+
stopBy: neighbor
214+
kind: identifier
215+
regex: '^require$'
216+
- has:
217+
stopBy: neighbor
218+
kind: arguments
219+
has:
220+
stopBy: neighbor
221+
kind : string
222+
has:
223+
stopBy: neighbor
224+
kind: string_fragment
225+
regex: '^express-jwt$'
226+
227+
- follows:
228+
stopBy: end
229+
kind: import_statement
230+
all:
231+
- has:
232+
stopBy: end
233+
kind: import_clause
234+
has:
235+
stopBy: neighbor
236+
kind: identifier
237+
pattern: $E
238+
- has:
239+
stopBy: neighbor
240+
kind: string
241+
has:
242+
stopBy: end
243+
kind: string_fragment
244+
regex: '^express-jwt$'
245+
- follows:
246+
stopBy: end
247+
kind: import_statement
248+
all:
249+
- has:
250+
stopBy: end
251+
kind: import_clause
252+
has:
253+
stopBy: end
254+
kind: namespace_import
255+
has:
256+
stopBy: end
257+
kind: identifier
258+
pattern: $E
259+
- has:
260+
stopBy: neighbor
261+
kind: string
262+
has:
263+
stopBy: neighbor
264+
kind: string_fragment
265+
regex: '^express-jwt$'
266+
- follows:
267+
stopBy: end
268+
kind: import_statement
269+
all:
270+
- has:
271+
stopBy: neighbor
272+
kind: import_clause
273+
has:
274+
stopBy: neighbor
275+
kind: named_imports
276+
has:
277+
stopBy: neighbor
278+
kind: import_specifier
279+
has:
280+
stopBy: end
281+
kind: identifier
282+
pattern: $E
283+
- has:
284+
stopBy: end
285+
kind: string
286+
has:
287+
stopBy: end
288+
kind: string_fragment
289+
regex: '^express-jwt$'
290+
rule:
291+
kind: pair
292+
any:
293+
- matches: MATCH_SECRET_DIRECTLY
294+
- matches: MATCH_PATTERN_WITH_INSTANCE
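Review bot: in both utils the `require` branch is rooted at `kind: variable_declaration`, which in tree-sitter-javascript is only `var`; `const` and `let` parse as `lexical_declaration` (the kind `MATCH_PATTERN_WITH_INSTANCE` already uses for the `const secret = '...'` case), so `const jwt = require('express-jwt')` binds nothing and the rule misses the most common CommonJS form. The documented `const { expressjwt } = require('express-jwt')` shape misses a second time, because a destructured binding is a `shorthand_property_identifier_pattern` inside an `object_pattern`, not an `identifier`. Wrap the declaration kinds in `any` and add the destructuring shape, or drop the import resolution altogether and accept the rare false positive on an unrelated `secret:` literal. Style: the import-resolution block (everything under the second `- any:`) is duplicated verbatim across the two utils; factor it into a third util and reference it with `matches` from each, which also halves the surface for the kind of mismatch above. `kind : string` (twice) has a stray space before the colon; YAML tolerates it, but it breaks the `key: value` form used everywhere else in the file.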
