Update ast-grep CLI & add Java cookie management rules

ESS-ENN · web-flow · commit 5c87db335732 · 2024-09-17T15:49:03.000+03:00
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -12,6 +12,6 @@
   "author": "",
   "license": "ISC",
   "devDependencies": {
-    "@ast-grep/cli": "^0.20.2"
+    "@ast-grep/cli": "^0.26.0"
   }
-}
+}
diff --git a/rules/java/security/cookie-secure-flag-false-java.yml b/rules/java/security/cookie-secure-flag-false-java.yml
@@ -0,0 +1,14 @@
+id: cookie-secure-flag-false-java
+language: java
+severity: warning
+message: >-
+  A cookie was detected without setting the 'secure' flag. The 'secure'
+  flag for cookies prevents the client from transmitting the cookie over
+  insecure channels such as HTTP. Set the 'secure' flag by calling
+  '$COOKIE.setSecure(true);'.
+note: >-
+  [CWE-614] Sensitive Cookie in HTTPS Session Without 'Secure' Attribute.
+  [REFERENCES]
+      - https://owasp.org/www-community/controls/SecureCookieAttribute
+rule:
+  pattern: $COOKIE.setSecure(false);
diff --git a/rules/java/security/documentbuilderfactory-external-general-entities-true-java.yml b/rules/java/security/documentbuilderfactory-external-general-entities-true-java.yml
@@ -0,0 +1,16 @@
+id: documentbuilderfactory-external-general-entities-true-java
+language: java
+severity: warning
+message: >-
+  External entities are allowed for $DBFACTORY. This is vulnerable to XML
+  external entity attacks. Disable this by setting the feature
+  "http://xml.org/sax/features/external-general-entities" to false.
+note: >-
+  [CWE-798]: Use of Hard-coded Credentials
+  [OWASP A07:2021]: Identification and Authentication Failures
+  [REFERENCES]
+      - https://blog.sonarsource.com/secure-xml-processor
+rule:
+  pattern:
+    $DBFACTORY.setFeature("http://xml.org/sax/features/external-general-entities",
+    true);
diff --git a/rules/java/security/use-of-rc2-java.yml b/rules/java/security/use-of-rc2-java.yml
@@ -0,0 +1,13 @@
+id: use-of-rc2-java
+language: java
+severity: warning
+message: >-
+  Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and
+  is therefore considered non-compliant. Instead, use a strong, secure.
+note: >-
+  [CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
+  [REFERENCES]
+      - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+      - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
+rule:
+  pattern: $CIPHER.getInstance("RC2")
diff --git a/rules/scala/security/xmlinputfactory-dtd-enabled-scala.yml b/rules/scala/security/xmlinputfactory-dtd-enabled-scala.yml
@@ -19,7 +19,4 @@ rule:
     - pattern: new XMLInputFactory($$$)
 precedes:
   not:
-    pattern: $XMLFACTORY.setProperty($MODE, false)
-constraints:
-  MODE:
-    regex: "javax.xml.stream.isSupportingExternalEntities"
+    pattern: $XMLFACTORY.setProperty(javax.xml.stream.isSupportingExternalEntities, false)
diff --git a/tests/__snapshots__/cookie-secure-flag-false-java-snapshot.yml b/tests/__snapshots__/cookie-secure-flag-false-java-snapshot.yml
@@ -0,0 +1,9 @@
+id: cookie-secure-flag-false-java
+snapshots:
+  ? |
+    cookie.setSecure(false);
+  : labels:
+    - source: cookie.setSecure(false);
+      style: primary
+      start: 0
+      end: 24
diff --git a/tests/__snapshots__/documentbuilderfactory-external-general-entities-true-java-snapshot.yml b/tests/__snapshots__/documentbuilderfactory-external-general-entities-true-java-snapshot.yml
@@ -0,0 +1,10 @@
+id: documentbuilderfactory-external-general-entities-true-java
+snapshots:
+  ? |
+    dbf.setFeature("http://xml.org/sax/features/external-general-entities" , true);
+    spf.setFeature("http://xml.org/sax/features/external-general-entities" , true);
+  : labels:
+    - source: dbf.setFeature("http://xml.org/sax/features/external-general-entities" , true);
+      style: primary
+      start: 0
+      end: 79
diff --git a/tests/__snapshots__/use-of-rc2-java-snapshot.yml b/tests/__snapshots__/use-of-rc2-java-snapshot.yml
@@ -0,0 +1,10 @@
+id: use-of-rc2-java
+snapshots:
+  ? |
+    useCipher(Cipher.getInstance("RC2"));
+    Cipher.getInstance("RC2");
+  : labels:
+    - source: Cipher.getInstance("RC2")
+      style: primary
+      start: 10
+      end: 35
diff --git a/tests/java/cookie-secure-flag-false-java-test.yml b/tests/java/cookie-secure-flag-false-java-test.yml
@@ -0,0 +1,10 @@
+id: cookie-secure-flag-false-java
+valid:
+  - |
+    response.addCookie(cookie);
+    cookie.setSecure(true);
+    cookie.setHttpOnly(true);
+    response.addCookie(cookie);
+invalid:
+  - |
+    cookie.setSecure(false);
diff --git a/tests/java/documentbuilderfactory-external-general-entities-true-java-test.yml b/tests/java/documentbuilderfactory-external-general-entities-true-java-test.yml
@@ -0,0 +1,9 @@
+id: documentbuilderfactory-external-general-entities-true-java
+valid:
+  - |
+    dbf.setFeature("http://xml.org/sax/features/external-general-entities" , false);
+    spf.setFeature("http://xml.org/sax/features/external-general-entities" , false);
+invalid:
+  - |
+    dbf.setFeature("http://xml.org/sax/features/external-general-entities" , true);
+    spf.setFeature("http://xml.org/sax/features/external-general-entities" , true);
diff --git a/tests/java/use-of-rc2-java-test.yml b/tests/java/use-of-rc2-java-test.yml
@@ -0,0 +1,8 @@
+id: use-of-rc2-java
+valid:
+  - |
+    Cipher.getInstance("AES/CBC/PKCS7PADDING");
+invalid:
+  - |
+    useCipher(Cipher.getInstance("RC2"));
+    Cipher.getInstance("RC2");

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,6 @@`
`12`	`12`	`"author": "",`
`13`	`13`	`"license": "ISC",`
`14`	`14`	`"devDependencies": {`
`15`		`- "@ast-grep/cli": "^0.20.2"`
	`15`	`+ "@ast-grep/cli": "^0.26.0"`
`16`	`16`	`}`
`17`		`-}`
	`17`	`+}`