Revert "Removing all rules except those tested on live pipeline (#61)"

ESS-ENN · web-flow · commit 88d9b5ce3a8a · 2024-12-03T19:00:39.000+05:30
This reverts commit 30448e0.
diff --git a/d b/d
diff --git a/rules/c/security/info-leak-on-non-formated-string.yml b/rules/c/security/info-leak-on-non-formated-string.yml
@@ -0,0 +1,13 @@
+id: info-leak-on-non-formated-string
+language: c
+severity: warning
+message: >-
+  Information leak on non-formatted string detected. This can lead to security
+  vulnerabilities. Use formatted strings to prevent information leaks.
+note: >-
+  [CWE-532] Insertion of Sensitive Information into Log File
+  [OWASP A09:2021] Security Logging and Monitoring Failures
+  [REFERENCES]
+      - http://nebelwelt.net/files/13PPREW.pdf
+rule:
+  pattern: 'printf($A);'
diff --git a/rules/c/security/insecure-use-gets-function.yml b/rules/c/security/insecure-use-gets-function.yml
@@ -0,0 +1,12 @@
+id: insecure-use-gets-function
+language: c
+message: >-
+  Avoid 'gets()' function, it does not consider buffer boundaries and can lead
+  to buffer overflows. Use 'fgets()' or 'gets_s()' instead.
+note: >-
+  [CWE-676] Use of Potentially Dangerous Function
+  [REFERENCES]
+      - https://us-cert.cisa.gov/bsi/articles/knowledge/coding-practices/fgets-and-gets_s
+severity: warning
+rule:
+  pattern: gets($$$);
diff --git a/rules/c/security/insecure-use-memset.yml b/rules/c/security/insecure-use-memset.yml
@@ -0,0 +1,14 @@
+id: insecure-use-memset-function
+language: c
+message: >-
+  Avoid 'memset()' function, it does not consider buffer boundaries and can lead
+  to buffer overflows. Use 'memset_s()' instead.
+severity: warning
+note: >-
+  [CWE-14]: Compiler Removal of Code to Clear Buffers
+  [OWASP A04:2021] Insecure Design
+  [REFERENCES]
+      - https://cwe.mitre.org/data/definitions/14.html
+      - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/
+rule:
+  pattern: memset($$$);
diff --git a/rules/c/security/insecure-use-scanf-function.yml b/rules/c/security/insecure-use-scanf-function.yml
@@ -0,0 +1,12 @@
+id: insecure-use-scanf-function
+language: c
+message: >-
+  Avoid 'scanf()' function, it does not consider buffer boundaries and can lead
+  to buffer overflows. Use 'fgets()' or 'scanf_s()' instead.
+severity: warning
+note: >-
+  [CWE-676]: Use of Potentially Dangerous Function
+  [REFERENCES]
+      - http://sekrit.de/webdocs/c/beginners-guide-away-from-scanf.html
+rule:
+  pattern: scanf($$$);
diff --git a/rules/c/security/insecure-use-strcat-function.yml b/rules/c/security/insecure-use-strcat-function.yml
@@ -0,0 +1,15 @@
+id: insecure-use-strcat-function
+language: c
+message: >-
+  Avoid 'strcat()' or 'strncat()' functions, it does not consider buffer boundaries and can lead
+  to buffer overflows. Use 'strcat_s()' instead.
+severity: warning
+note: >-
+  [CWE-676]: Use of Potentially Dangerous Function
+  [REFERENCES]
+      - https://nvd.nist.gov/vuln/detail/CVE-2019-12553
+      - https://techblog.mediaservice.net/2020/04/cve-2020-2851-stack-based-buffer-overflow-in-cde-libdtsvc/
+rule:
+  any:
+    - pattern: strcat($$$);
+    - pattern: strncat($$$);
diff --git a/rules/c/security/insecure-use-string-copy-function.yml b/rules/c/security/insecure-use-string-copy-function.yml
@@ -0,0 +1,15 @@
+id: insecure-use-string-copy-function
+language: c
+severity: warning
+message: >-
+  Avoid 'strcpy()' or 'strncpy()' function, it does not consider buffer boundaries and can lead
+  to buffer overflows. Use 'strcpy_s()' instead.
+note: >-
+  [CWE-676]: Use of Potentially Dangerous Function
+  [REFERENCES]
+      - https://cwe.mitre.org/data/definitions/676
+      - https://nvd.nist.gov/vuln/detail/CVE-2019-11365
+rule:
+  any:
+    - pattern: strcpy($$$);
+    - pattern: strncpy($$$);
diff --git a/rules/c/security/insecure-use-strtok-function.yml b/rules/c/security/insecure-use-strtok-function.yml
@@ -0,0 +1,12 @@
+id: insecure-use-strtok-function
+language: c
+severity: warning
+message: >-
+  Avoid 'strtok()' function, it is not reentrant and can lead to security
+  vulnerabilities. Use 'strtok_r()' instead.
+note: >-
+  [CWE-676]: Use of Potentially Dangerous Function
+  [REFERENCES]
+      - https://wiki.sei.cmu.edu/confluence/display/c/STR06-C.+Do+not+assume+that+strtok%28%29+leaves+the+parse+string+unchanged
+rule:
+  pattern: strtok($$$);
diff --git a/rules/csharp/security/binary-formatter.yml b/rules/csharp/security/binary-formatter.yml
@@ -0,0 +1,12 @@
+id: binary-formatter
+language: csharp
+message: 'Avoid using BinaryFormatter, it is insecure and can lead to remote code execution'
+severity: warning
+note: >-
+  [CWE-502]: Deserialization of Untrusted Data
+  [OWASP A08:2017]: Insecure Deserialization
+  [OWASP A08:2021]: Software and Data Integrity Failures
+  [REFERENCES]
+      - https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide
+rule:
+  pattern: new BinaryFormatter()
diff --git a/rules/csharp/security/data-contract-resolver.yml b/rules/csharp/security/data-contract-resolver.yml
@@ -0,0 +1,14 @@
+id: data-contract-resolver
+language: csharp
+note: >-
+  [CWE-502]: Deserialization of Untrusted Data
+  [OWASP A08:2017]: Insecure Deserialization
+  [OWASP A08:2021]: Software and Data Integrity Failures
+  [REFERENCES]
+      - https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide
+message: >-
+  Use DataContractResolver if you are sure that the data is safe to deserialize.
+severity: warning
+rule:
+  pattern: |
+    class $DCR : DataContractResolver { $$$ }
diff --git a/rules/csharp/security/html-raw-json.yml b/rules/csharp/security/html-raw-json.yml
@@ -0,0 +1,18 @@
+id: html-raw-json
+language: csharp
+message: >-
+  Avoid using '@Html.Raw(Json.Encode())', '@Html.Raw(JsonConvert.SerializeObject())' or '@Html.Raw().ToJson()' to prevent Cross-Site Scripting (XSS) attacks.
+  Use '@Html.Raw()' only when necessary and ensure that the data is properly sanitized.
+  For more information checkout the references.
+note: >-
+  [CWE-79]: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
+  [OWASP Top 10 2017]: A07:2017 - Cross-Site Scripting (XSS)
+  [OWASP Top 10 2021]: A03:2021 - Injection
+  [REFERENCES]
+      - https://owasp.org/Top10/A03_2021-Injection
+severity: warning
+rule:
+  any:
+    - pattern: '@Html.Raw(Json.Encode($$$))'
+    - pattern: '@Html.Raw(JsonConvert.SerializeObject($$$))'
+    - pattern: '@Html.Raw($$$ToJson($$$))'
diff --git a/rules/csharp/security/insecure-fspickler-deserialization.yml b/rules/csharp/security/insecure-fspickler-deserialization.yml
@@ -0,0 +1,12 @@
+id: insecure-fspickler-deserialization
+severity: warning
+language: csharp
+message: Avoid using FSPickler, it is insecure and can lead to remote code execution
+note: >-
+  [CWE-502]: Deserialization of Untrusted Data
+  [OWASP A08:2017]: Insecure Deserialization
+  [OWASP A08:2021]: Software and Data Integrity Failures
+  [REFERENCES]
+      - https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution
+rule:
+  pattern: FsPickler.CreateJsonSerializer()
diff --git a/rules/csharp/security/insecure-netdatacontract-deserialization.yml b/rules/csharp/security/insecure-netdatacontract-deserialization.yml
@@ -0,0 +1,12 @@
+id: insecure-netdatacontract-deserialization
+severity: warning
+language: csharp
+message: Avoid using NetDataContractSerializer, it is insecure and can lead to remote code execution
+note: >-
+  [CWE-502]: Deserialization of Untrusted Data
+  [OWASP A08:2017]: Insecure Deserialization
+  [OWASP A08:2021]: Software and Data Integrity Failures
+  [REFERENCES]
+      - https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.netdatacontractserializer?view=netframework-4.8
+rule:
+  pattern: new NetDataContractSerializer()
diff --git a/rules/csharp/security/los-formatter.yml b/rules/csharp/security/los-formatter.yml
@@ -0,0 +1,12 @@
+id: los-formatter
+language: csharp
+message: 'Avoid using LosFormatter, it is insecure and can lead to remote code execution'
+severity: warning
+note: >-
+  [CWE-502]: Deserialization of Untrusted Data
+  [OWASP A08:2017]: Insecure Deserialization
+  [OWASP A08:2021]: Software and Data Integrity Failures
+  [REFERENCES]
+      - https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.webcontrols.losformatter?view=netframework-4.8
+rule:
+  pattern: new LosFormatter()
