Rules - One php and one java rule (#20)

ESS-ENN · web-flow · commit 72e144d6c951 · 2024-10-21T18:59:08.000+03:00
diff --git a/rules/java/security/drivermanager-hardcoded-secret-java.yml b/rules/java/security/drivermanager-hardcoded-secret-java.yml
@@ -0,0 +1,135 @@
+id: drivermanager-hardcoded-secret-java
+severity: warning
+language: java
+message: >-
+  A secret is hard-coded in the application. Secrets stored in source
+  code, such as credentials, identifiers, and other types of sensitive data,
+  can be leaked and used by internal or external malicious actors. Use
+  environment variables to securely provide credentials and other secrets or
+  retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+  [CWE-798] Use of Hard-coded Credentials.
+  [REFERENCES]
+      - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+utils:
+  MATCH_PATTERN_DriverManager.getConnection:
+    kind: method_invocation
+    all:
+      - has:
+          stopBy: neighbor
+          kind: identifier
+          regex: "^DriverManager$"
+      - has:
+          stopBy: neighbor
+          kind: identifier
+          regex: "^getConnection$"
+      - has:
+          stopBy: end
+          kind: argument_list
+          nthChild: 3
+          has:
+            stopBy: end
+            kind: string_literal
+            nthChild: 3
+
+  MATCH_PATTERN_DriverManager.getConnection_With_Instance:
+    kind: method_invocation
+    all:
+      - has:
+          stopBy: neighbor
+          kind: identifier
+          regex: "^DriverManager$"
+      - has:
+          stopBy: neighbor
+          kind: identifier
+          regex: "^getConnection$"
+      - has:
+          stopBy: end
+          kind: argument_list
+          has:
+            stopBy: end
+            kind: identifier
+            nthChild: 3
+            pattern: $Q
+      - inside:
+          stopBy: end
+          kind: local_variable_declaration
+          follows:
+            stopBy: end
+            kind: local_variable_declaration
+            has:
+              stopBy: end
+              kind: variable_declarator
+              all:
+                - has:
+                    stopBy: end
+                    kind: identifier
+                    pattern: $Q
+                - has:
+                    stopBy: end
+                    kind: string_literal
+
+  MATCH_PATTERN_DriverManagerDataSource:
+    kind: expression_statement
+    has:
+      stopBy: neighbor
+      kind: object_creation_expression
+      all:
+        - has:
+            stopBy: neighbor
+            kind: type_identifier
+            regex: "^DriverManagerDataSource$"
+        - has:
+            stopBy: end
+            kind: argument_list
+            has:
+              stopBy: end
+              kind: string_literal
+              nthChild: 3
+
+  MATCH_PATTERN_DriverManagerDataSource_With_Instance:
+    kind: expression_statement
+    all:
+      - has:
+          stopBy: neighbor
+          kind: method_invocation
+          all:
+            - has:
+                stopBy: neighbor
+                kind: identifier
+                pattern: $R
+            - has:
+                stopBy: neighbor
+                kind: identifier
+                regex: "^setPassword$"
+            - has:
+                stopBy: neighbor
+                kind: argument_list
+                has:
+                  stopBy: neighbor
+                  kind: string_literal
+      - follows:
+          stopBy: end
+          kind: local_variable_declaration
+          all:
+            - has:
+                stopBy: neighbor
+                kind: type_identifier
+                regex: "^DriverManagerDataSource$"
+            - has:
+                stopBy: neighbor
+                kind: variable_declarator
+                has:
+                  stopBy: neighbor
+                  kind: identifier
+                  pattern: $R
+rule:
+  any:
+    - kind: method_invocation
+      any:
+        - matches: MATCH_PATTERN_DriverManager.getConnection
+        - matches: MATCH_PATTERN_DriverManager.getConnection_With_Instance
+    - kind: expression_statement
+      any:
+        - matches: MATCH_PATTERN_DriverManagerDataSource
+        - matches: MATCH_PATTERN_DriverManagerDataSource_With_Instance
diff --git a/rules/php/security/search-active-debug-php.yml b/rules/php/security/search-active-debug-php.yml
@@ -0,0 +1,91 @@
+id: search-active-debug-php
+language: php
+severity: warning
+message: >-
+  Debug logging is explicitly enabled. This can potentially disclose
+  sensitive information and should never be active on production systems.
+note: >-
+  [CWE-489] Active Debug Code.
+  [REFERENCES]
+      - https://www.php.net/manual/en/function.setcookie.php
+utils:
+  Match_pattern_one:
+    kind: expression_statement
+    has:
+      stopBy: end
+      kind: function_call_expression
+      pattern: $C
+      has:
+        stopBy: end
+        kind: arguments
+        all:
+          - has:
+              stopBy: end
+              kind: argument
+              pattern: $A
+          - has:
+              stopBy: end
+              kind: boolean
+              pattern: $B
+
+  Match_pattern_two_with_integer:
+    kind: expression_statement
+    has:
+      stopBy: end
+      kind: function_call_expression
+      pattern: $C
+      has:
+        stopBy: end
+        kind: arguments
+        all:
+          - has:
+              stopBy: end
+              kind: argument
+              pattern: $A
+          - has:
+              stopBy: end
+              kind: integer
+              pattern: $D
+
+  Match_pattern_three_with_string:
+    kind: expression_statement
+    has:
+      stopBy: end
+      kind: function_call_expression
+      pattern: $C
+      has:
+        stopBy: end
+        kind: arguments
+        all:
+          - has:
+              stopBy: end
+              kind: argument
+              pattern: $A
+          - has:
+              stopBy: end
+              kind: argument
+              has:
+                stopBy: end
+                kind: encapsed_string
+                has:
+                  stopBy: neighbor
+                  pattern: $S
+
+rule:
+  kind: expression_statement
+  any:
+    - matches: Match_pattern_one
+    - matches: Match_pattern_two_with_integer
+    - matches: Match_pattern_three_with_string
+
+constraints:
+  C:
+    regex: (define|ini_set)
+  A:
+    regex: (WP_DEBUG|display_errors)
+  B:
+    regex: "true"
+  D:
+    regex: "1"
+  S:
+    regex: on
diff --git a/tests/__snapshots__/drivermanager-hardcoded-secret-java-snapshot.yml b/tests/__snapshots__/drivermanager-hardcoded-secret-java-snapshot.yml
@@ -0,0 +1,30 @@
+id: drivermanager-hardcoded-secret-java
+snapshots:
+  ? |
+    String password = "a";
+    Connection conn =DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92", "a", "password");
+    Connection conn =DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92", "a", password);
+    String password = "a";
+    Connection conn =DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92", "a", "password");
+    Connection conn =DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92", "a", password);
+  : labels:
+    - source: DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92", "a", "password")
+      style: primary
+      start: 40
+      end: 124
+    - source: DriverManager
+      style: secondary
+      start: 40
+      end: 53
+    - source: getConnection
+      style: secondary
+      start: 54
+      end: 67
+    - source: '"password"'
+      style: secondary
+      start: 113
+      end: 123
+    - source: ("jdbc:oracle:thin:@localhost:1521:o92", "a", "password")
+      style: secondary
+      start: 67
+      end: 124
diff --git a/tests/__snapshots__/search-active-debug-php-snapshot.yml b/tests/__snapshots__/search-active-debug-php-snapshot.yml
@@ -0,0 +1,29 @@
+id: search-active-debug-php
+snapshots:
+  ? |
+    <?php
+    ini_set("display_errors",1);
+    define("WP_DEBUG",true);
+    ini_set("display_errors",true);
+    ini_set("display_errors","on");
+  : labels:
+    - source: ini_set("display_errors",1);
+      style: primary
+      start: 6
+      end: 34
+    - source: '"display_errors"'
+      style: secondary
+      start: 14
+      end: 30
+    - source: '1'
+      style: secondary
+      start: 31
+      end: 32
+    - source: ("display_errors",1)
+      style: secondary
+      start: 13
+      end: 33
+    - source: ini_set("display_errors",1)
+      style: secondary
+      start: 6
+      end: 33
diff --git a/tests/java/drivermanager-hardcoded-secret-java-test.yml b/tests/java/drivermanager-hardcoded-secret-java-test.yml
@@ -0,0 +1,12 @@
+id: drivermanager-hardcoded-secret-java
+valid:
+  - |
+    Connection conn = DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92","a");
+invalid:
+  - |
+    String password = "a";
+    Connection conn =DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92", "a", "password");
+    Connection conn =DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92", "a", password);
+    String password = "a";
+    Connection conn =DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92", "a", "password");
+    Connection conn =DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92", "a", password);
diff --git a/tests/php/search-active-debug-php-test.yml b/tests/php/search-active-debug-php-test.yml
@@ -0,0 +1,13 @@
+id: search-active-debug-php
+valid:
+  - |
+    <?php
+    ini_set("display_errors","on");
+    ini_set("display_errors","off");
+invalid:
+  - |
+    <?php
+    ini_set("display_errors",1);
+    define("WP_DEBUG",true);
+    ini_set("display_errors",true);
+    ini_set("display_errors","on");
