Commit 44df5b8

ESS-ENNSakshis and Sakshis authored
Add Security Rules for Vulnerability Detection in JavaScript and Java Applications (#72)
* simple-command-injection-direct-input-java
* node-sequelize-empty-password-argument-javascript
* detect-angular-sce-disabled-javascript
* SEPARATING FOLDER node-sequelize-empty-password-argument-javascript
* SEPARATING FOLDER detect-angular-sce-disabled-javascript
* modification in node-sequelize-empty-password-argument-javascript

---------

Co-authored-by: Sakshis <sakshil@abc.com>
1 parent 0219e85 commit 44df5b8

9 files changed, +776 -0 lines changed
Lines changed: 56 additions & 0 deletions
@@ -0,0 +1,56 @@
1+
id: simple-command-injection-direct-input-java
2+
language: java
3+
severity: warning
4+
message: >-
5+
"Untrusted input might be injected into a command executed by the
6+
application, which can lead to a command injection vulnerability. An
7+
attacker can execute arbitrary commands, potentially gaining complete
8+
control of the system. To prevent this vulnerability, avoid executing OS
9+
commands with user input. If this is unavoidable, validate and sanitize
10+
the input, and use safe methods for executing the commands. For more
11+
information, see: [Java command injection
12+
prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/\
13+
)"
14+
note: >-
15+
[CWE-78] Improper Neutralization of Special Elements used in an OS
16+
[REFERENCES]
17+
- https://docs.oracle.com/javase/8/docs/api/java/lang/Runtime.html
18+
- https://owasp.org/Top10/A03_2021-Injection
19+
20+
rule:
21+
kind: method_invocation
22+
pattern: Runtime.getRuntime().exec($SOURCE)
23+
inside:
24+
kind: method_declaration
25+
stopBy: end
26+
has:
27+
stopBy: end
28+
kind: formal_parameter
29+
has:
30+
kind: modifiers
31+
any:
32+
- has:
33+
kind: marker_annotation
34+
has:
35+
kind: identifier
36+
pattern: $REQ
37+
- has:
38+
kind: annotation
39+
all:
40+
- has:
41+
kind: identifier
42+
pattern: $REQ
43+
- has:
44+
kind: annotation_argument_list
45+
precedes:
46+
kind: type_identifier
47+
pattern: $TYPE
48+
precedes:
49+
kind: identifier
50+
pattern: $SOURCE
51+
52+
constraints:
53+
REQ:
54+
regex: ^(RequestBody|PathVariable|RequestParam|RequestHeader|CookieValue|ModelAttribute)
55+
TYPE:
56+
regex: ^[^I].*|^I[^n].*|^In[^t].*|^Int[^e].*|^Inte[^g].*|^Integ[^e].*|^Inge[^r].*|^L[^o].*|^Lo[^n].*|^Lon[^g].*|^F[^l].*|^Fl[^o].*|^Flo[^a].*|^Floa[^t].*|^D[^o].*|^Do[^u].*|^Dou[^b].*|^Doub[^l].*|^Doubl[^e].*|^C[^h].*|^Ch[^a].*|^Cha[^r].*|^B[^o].*|^Bo[^o].*|^Boo[^l].*|^Bool[^e].*|^Boole[^a].*|^Boolea[^n].*|^i[^n].*|^in[^t].*|^l[^o].*|^lo[^n].*|^lon[^g].*|^f[^l].*|^fl[^o].*|^flo[^a].*|^floa[^t].*|^d[^o].*|^do[^u].*|^dou[^b].*|^doub[^l].*|^doubl[^e].*|^c[^h].*|^ch[^a].*|^cha[^r].*|^b[^o].*|^bo[^o].*|^boo[^l].*|^bool[^e].*|^boole[^a].*|^boolea[^n].*
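Review bot: the TYPE constraint on rule line 56 contains a typo, `^Inge[^r].*`, where the run `^I[^n]…^Integ[^e]` was clearly meant to continue with `^Intege[^r].*`; the `Integer` exclusion only holds because no alternative happens to match it. The bigger problem is that this hand-unrolled negation has no terminating alternative and no end anchor, so every type whose name merely starts with one of the excluded prefixes is also excluded: `@RequestParam CharSequence cmd`, `LongStream`, `DoubleSummaryStatistics` or `BooleanSupplier` parameters will never be reported, while `byte`/`short`/`Byte`/`Short` are reported. Since `constraints:` entries are rule objects, the whole regex can be replaced by a readable negation, e.g. `TYPE: { not: { regex: '^(int|long|float|double|char|boolean|Integer|Long|Float|Double|Character|Boolean)$' } }`. Two smaller points: the `message` (rule lines 4–13) is a `>-` folded scalar, so the surrounding double quotes and the trailing `\` on rule line 12 are emitted literally and the rendered message ends in `command-injection/\ )"`; drop the quotes and the backslash. The CWE-78 title on rule line 15 is cut off; it should read "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')".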
Lines changed: 15 additions & 0 deletions
@@ -0,0 +1,15 @@
1+
id: detect-angular-sce-disabled-javascript
2+
language: javascript
3+
severity: warning
4+
message: >-
5+
$sceProvider is set to false. Disabling Strict Contextual escaping
6+
(SCE) in an AngularJS application could provide additional attack surface
7+
for XSS vulnerabilities.
8+
note: >-
9+
[CWE-79] Improper Neutralization of Input During Web Page Generation.
10+
[REFERENCES]
11+
- https://docs.angularjs.org/api/ng/service/$sce
12+
- https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf
13+
rule:
14+
pattern: |
15+
$sceProvider.enabled(false);
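Review bot: the `pattern` on rule line 15 is written at statement level (trailing `;`) and matches only the literal argument `false`, so a config block that passes the flag through a named constant (`$sceProvider.enabled(sceEnabled)`) is not reported, and whether a call written without the semicolon still matches should be confirmed by a test case rather than assumed. Worth documenting in the rule as well: `$sceProvider` is not an ast-grep metavariable here (metavariable names must be uppercase), so it is matched as the literal AngularJS `$sceProvider` identifier, which is what the rule needs, but a reader skimming the pattern may take it for a wildcard. Minor: "Strict Contextual escaping" on rule line 5 should be "Strict Contextual Escaping".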
Lines changed: 197 additions & 0 deletions
@@ -0,0 +1,197 @@
1+
id: node-sequelize-empty-password-argument-javascript
2+
language: javascript
3+
severity: warning
4+
message: >-
5+
The application creates a database connection with an empty password.
6+
This can lead to unauthorized access by either an internal or external
7+
malicious actor. To prevent this vulnerability, enforce authentication
8+
when connecting to a database by using environment variables to securely
9+
provide credentials or retrieving them from a secure vault or HSM
10+
(Hardware Security Module).
11+
note: >-
12+
[CWE-287] Improper Authentication.
13+
[REFERENCES]
14+
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
15+
utils:
16+
MATCH_BLANK_PASSWORD:
17+
kind: string
18+
pattern: $Q
19+
inside:
20+
stopBy: end
21+
kind: lexical_declaration
22+
all:
23+
- has:
24+
stopBy: end
25+
kind: new_expression
26+
all:
27+
- has:
28+
stopBy: end
29+
kind: identifier
30+
pattern: $E
31+
- has:
32+
stopBy: end
33+
kind: arguments
34+
nthChild: 2
35+
has:
36+
stopBy: end
37+
kind: string
38+
nthChild: 3
39+
pattern: $Q
40+
not:
41+
has:
42+
stopBy: end
43+
kind: string_fragment
44+
- any:
45+
- follows:
46+
stopBy: end
47+
kind: lexical_declaration
48+
has:
49+
stopBy: end
50+
kind: variable_declarator
51+
all:
52+
- has:
53+
stopBy: neighbor
54+
kind: identifier
55+
- has:
56+
stopBy: neighbor
57+
kind: call_expression
58+
all:
59+
- has:
60+
stopBy: neighbor
61+
kind: identifier
62+
regex: '^require$'
63+
- has:
64+
stopBy: neighbor
65+
kind: arguments
66+
has:
67+
stopBy: neighbor
68+
kind: string
69+
has:
70+
stopBy: neighbor
71+
kind: string_fragment
72+
regex: '^sequelize$'
73+
- follows:
74+
stopBy: end
75+
kind: import_statement
76+
has:
77+
stopBy: end
78+
kind: import_clause
79+
has:
80+
stopBy: end
81+
kind: identifier
82+
pattern: $E
83+
- follows:
84+
stopBy: end
85+
kind: import_statement
86+
has:
87+
stopBy: end
88+
kind: import_clause
89+
has:
90+
stopBy: end
91+
kind: identifier
92+
pattern: $E
93+
94+
95+
MATCH_BLANK_PASSWORD_WITH_INSTANCE:
96+
kind: identifier
97+
pattern: $Q
98+
inside:
99+
stopBy: end
100+
kind: lexical_declaration
101+
all:
102+
- has:
103+
stopBy: end
104+
kind: new_expression
105+
all:
106+
- has:
107+
stopBy: end
108+
kind: identifier
109+
pattern: $E
110+
- has:
111+
stopBy: end
112+
kind: arguments
113+
nthChild: 2
114+
has:
115+
stopBy: end
116+
kind: identifier
117+
nthChild: 3
118+
pattern: $Q
119+
not:
120+
has:
121+
stopBy: end
122+
kind: string_fragment
123+
- follows:
124+
stopBy: end
125+
kind: lexical_declaration
126+
has:
127+
stopBy: end
128+
kind: variable_declarator
129+
all:
130+
- has:
131+
stopBy: neighbor
132+
kind: identifier
133+
pattern: $Q
134+
- has:
135+
stopBy: neighbor
136+
kind: string
137+
not:
138+
has:
139+
stopBy: neighbor
140+
kind: string_fragment
141+
- any:
142+
- follows:
143+
stopBy: end
144+
kind: lexical_declaration
145+
has:
146+
stopBy: end
147+
kind: variable_declarator
148+
all:
149+
- has:
150+
stopBy: neighbor
151+
kind: identifier
152+
- has:
153+
stopBy: neighbor
154+
kind: call_expression
155+
all:
156+
- has:
157+
stopBy: neighbor
158+
kind: identifier
159+
regex: '^require$'
160+
- has:
161+
stopBy: neighbor
162+
kind: arguments
163+
has:
164+
stopBy: neighbor
165+
kind: string
166+
has:
167+
stopBy: neighbor
168+
kind: string_fragment
169+
regex: '^sequelize$'
170+
- follows:
171+
stopBy: end
172+
kind: import_statement
173+
has:
174+
stopBy: end
175+
kind: import_clause
176+
has:
177+
stopBy: end
178+
kind: identifier
179+
pattern: $E
180+
- follows:
181+
stopBy: end
182+
kind: import_statement
183+
has:
184+
stopBy: end
185+
kind: import_clause
186+
has:
187+
stopBy: end
188+
kind: identifier
189+
pattern: $E
190+
rule:
191+
any:
192+
- kind: string
193+
matches: MATCH_BLANK_PASSWORD
194+
- kind: identifier
195+
matches: MATCH_BLANK_PASSWORD_WITH_INSTANCE
196+
197+
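Review bot: the `any:` alternatives on rule lines 73–82 and 83–92 are byte-for-byte identical (the same duplication appears at lines 170–179 and 180–189); one copy of each pair should be removed, or, if the second was meant to cover the named-import form (`import { Sequelize } from 'sequelize'`) as opposed to the default import, it needs a different sub-kind (`named_imports`/`import_specifier`) to actually differ. Two false-positive sources in the same block: the `require` alternative (rule lines 45–72 and 142–169) never binds `$E`, so `const Sequelize = require('sequelize')` followed by `new AnyOtherClient(db, user, '')` is reported, and the import alternatives check only that some identifier `$E` exists in an `import_clause` without checking the module source, so `import Foo from 'some-other-lib'; new Foo(a, b, '')` is reported too; bind the declarator identifier to `$E` in the `require` branch and add a `regex: '^sequelize$'` check on the import source string. Also, `has: { stopBy: end, kind: identifier, pattern: $E }` under `new_expression` (rule lines 27–30 and 106–109) searches the whole subtree, so `$E` can bind to an identifier inside the arguments instead of the constructor; use `stopBy: neighbor` so only the direct constructor child is considered. Finally, a coverage caveat for the note: the rule only sees an empty third positional argument (literal or via a `const` bound to an empty string); the options-object form `new Sequelize({ ..., password: '' })` and the connection-URI form are not matched, which the message should state or a follow-up rule should cover.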
Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
id: detect-angular-sce-disabled-javascript
2+
snapshots:
3+
? |
4+
$sceProvider.enabled(false);
5+
: labels:
6+
- source: $sceProvider.enabled(false);
7+
style: primary
8+
start: 0
9+
end: 28
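Review bot: the snapshot records a single invalid case, and `end: 28` shows the reported range is the whole expression statement including the `;`, not just the call. The accompanying test file should add a second invalid case without the trailing semicolon and a `valid:` counterpart such as `$sceProvider.enabled(true);`, so the snapshot documents whether the statement-level pattern depends on the semicolon and the rule is known not to fire when SCE is left enabled.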
