
Commit b622bca

Merge branch 'coderabbitai:main' into main
2 parents 0d53f8e + 6fa741b commit b622bca

10 files changed, +557 −0 lines changed
Lines changed: 44 additions & 0 deletions
@@ -0,0 +1,44 @@
1+
id: insecure-binaryformatter-deserialization-csharp
2+
severity: warning
3+
language: csharp
4+
message: >-
5+
The BinaryFormatter type is dangerous and is not recommended for data
6+
processing. Applications should stop using BinaryFormatter as soon as
7+
possible, even if they believe the data they're processing to be
8+
trustworthy. BinaryFormatter is insecure and can't be made secure.
9+
note: >-
10+
[CWE-502] Deserialization of Untrusted Data.
11+
[REFERENCES]
12+
- https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide
13+
14+
ast-grep-essentials: true
15+
16+
utils:
17+
MATCH_PATTERN_BinaryFormatter:
18+
pattern: new BinaryFormatter()
19+
any:
20+
- inside:
21+
stopBy: end
22+
follows:
23+
stopBy: end
24+
kind: using_directive
25+
pattern: using System.Runtime.Serialization.Formatters.Binary;
26+
- inside:
27+
kind: global_statement
28+
stopBy: end
29+
follows:
30+
stopBy: end
31+
kind: using_directive
32+
pattern: using System.Runtime.Serialization.Formatters.Binary
33+
not:
34+
inside:
35+
kind: object_creation_expression
36+
stopBy: end
37+
not:
38+
inside:
39+
kind: variable_declarator
40+
stopBy: end
41+
42+
rule:
43+
matches: MATCH_PATTERN_BinaryFormatter
44+
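Review bot: the `new BinaryFormatter()` pattern is only reached through a preceding `using System.Runtime.Serialization.Formatters.Binary;` directive, so a fully qualified `new System.Runtime.Serialization.Formatters.Binary.BinaryFormatter()`, an alias directive (`using BF = System.Runtime.Serialization.Formatters.Binary.BinaryFormatter;`) or a `Deserialize` call on an instance obtained elsewhere (DI, a static field) is not flagged; an extra `any` branch that matches the qualified type name would close the first two gaps. Two smaller points in the same util: the second branch's directive pattern drops the trailing semicolon (`using System.Runtime.Serialization.Formatters.Binary` versus the first branch's `...Binary;`), which looks accidental rather than deliberate, and the nested `not: inside: object_creation_expression` / `not: inside: variable_declarator` double negation carries no comment explaining which placement it is meant to exclude. A one-line comment, as the Ruby rules in this commit have, would save the next maintainer from re-deriving it.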
Lines changed: 28 additions & 0 deletions
@@ -0,0 +1,28 @@
1+
id: force-ssl-false-ruby
2+
language: ruby
3+
severity: warning
4+
message: >-
5+
Checks for configuration setting of force_ssl to false. Force_ssl
6+
forces usage of HTTPS, which could lead to network interception of
7+
unencrypted application traffic. To fix, set config.force_ssl = true.
8+
note: >-
9+
[CWE-311] Missing Encryption of Sensitive Data.
10+
[REFERENCES]
11+
- https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_force_ssl.rb
12+
13+
ast-grep-essentials: true
14+
15+
utils:
16+
config.force_ssl = $FAL:
17+
kind: assignment
18+
all:
19+
- has:
20+
kind: call
21+
pattern: config.force_ssl
22+
- has:
23+
regex: ^\s*false$
24+
25+
rule:
26+
kind: assignment
27+
any:
28+
- matches: config.force_ssl = $FAL
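Review bot: the message says the opposite of what it means: "Force_ssl forces usage of HTTPS, which could lead to network interception of unencrypted application traffic" reads as if enabling the setting causes interception, whereas it is `config.force_ssl = false` that disables the HTTPS redirect and leaves traffic in cleartext; suggest "Setting config.force_ssl to false disables the HTTPS redirect, so application traffic can be intercepted on the network. Set config.force_ssl = true." On the matcher, `has: kind: call` with `pattern: config.force_ssl` only accepts a bare `config` receiver, so `Rails.application.config.force_ssl = false` (the shape used outside `configure` blocks) is not reported; a second pattern or a regex on the method name would cover it. Also, the single-element `any:` under `rule:` is redundant: `matches:` can sit directly under `kind: assignment`, and the `$FAL` in the util name is never bound to anything, so a plain descriptive name is clearer.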
Lines changed: 151 additions & 0 deletions
@@ -0,0 +1,151 @@
1+
id: ruby-cassandra-empty-password-ruby
2+
language: ruby
3+
severity: warning
4+
message: >-
5+
The application creates a database connection with an empty password.
6+
This can lead to unauthorized access by either an internal or external
7+
malicious actor. To prevent this vulnerability, enforce authentication
8+
when connecting to a database by using environment variables to securely
9+
provide credentials or retrieving them from a secure vault or HSM
10+
(Hardware Security Module).
11+
note: >-
12+
[CWE-287] Improper Authentication.
13+
[REFERENCES]
14+
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
15+
16+
ast-grep-essentials: true
17+
18+
utils:
19+
Cassandra.cluster():
20+
# Cassandra.cluster(..., password: "", ...)
21+
kind: call
22+
all:
23+
- has:
24+
stopBy: neighbor
25+
kind: constant
26+
regex: ^Cassandra$
27+
- has:
28+
stopBy: neighbor
29+
regex: ^.$
30+
- has:
31+
stopBy: neighbor
32+
kind: identifier
33+
regex: ^cluster$
34+
- has:
35+
stopBy: neighbor
36+
kind: argument_list
37+
has:
38+
stopBy: neighbor
39+
kind: pair
40+
all:
41+
- has:
42+
stopBy: neighbor
43+
any:
44+
- kind: hash_key_symbol
45+
regex: ^password$
46+
- kind: simple_symbol
47+
regex: ^:password$
48+
- has:
49+
stopBy: neighbor
50+
kind: string
51+
not:
52+
has:
53+
kind: string_content
54+
- any:
55+
- inside:
56+
stopBy: end
57+
follows:
58+
stopBy: end
59+
kind: call
60+
pattern: require 'cassandra'
61+
- follows:
62+
stopBy: end
63+
kind: call
64+
pattern: require 'cassandra'
65+
66+
Cassandra.cluster()_Instance:
67+
# Cassandra.cluster(..., password: "", ...)
68+
kind: call
69+
all:
70+
- has:
71+
stopBy: neighbor
72+
kind: constant
73+
regex: ^Cassandra$
74+
- has:
75+
stopBy: neighbor
76+
regex: ^.$
77+
- has:
78+
stopBy: neighbor
79+
kind: identifier
80+
regex: ^cluster$
81+
- has:
82+
stopBy: neighbor
83+
kind: argument_list
84+
has:
85+
stopBy: neighbor
86+
kind: pair
87+
all:
88+
- has:
89+
stopBy: neighbor
90+
any:
91+
- kind: hash_key_symbol
92+
regex: ^password$
93+
- kind: simple_symbol
94+
regex: ^:password$
95+
- has:
96+
stopBy: neighbor
97+
kind: identifier
98+
pattern: $VAR
99+
- any:
100+
- inside:
101+
stopBy: end
102+
follows:
103+
stopBy: end
104+
kind: call
105+
pattern: require 'cassandra'
106+
- follows:
107+
stopBy: end
108+
kind: call
109+
pattern: require 'cassandra'
110+
- any:
111+
- follows:
112+
stopBy: end
113+
kind: assignment
114+
all:
115+
- has:
116+
kind: identifier
117+
pattern: $VAR
118+
- has:
119+
kind: string
120+
not:
121+
has:
122+
kind: string_content
123+
- inside:
124+
stopBy: end
125+
follows:
126+
stopBy: end
127+
kind: assignment
128+
all:
129+
- has:
130+
kind: identifier
131+
pattern: $VAR
132+
- has:
133+
kind: string
134+
not:
135+
has:
136+
kind: string_content
137+
138+
rule:
139+
kind: call
140+
any:
141+
- matches: Cassandra.cluster()
142+
- matches: Cassandra.cluster()_Instance
143+
not:
144+
all:
145+
- has:
146+
stopBy: end
147+
kind: ERROR
148+
- inside:
149+
stopBy: end
150+
kind: ERROR
151+
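Review bot: the parse-error guard at the end, `not: all:` over `has: kind: ERROR` and `inside: kind: ERROR`, only suppresses a match when the call both contains an ERROR node and sits inside one; if the intent is to stay quiet in any broken-syntax context, the usual shape is `not: any:`. Separately, the `_Instance` util accepts any earlier `$VAR = ""` assignment (`follows:` with `stopBy: end`) without checking for a later reassignment, so `password = ""` followed by `password = ENV.fetch('CASSANDRA_PASSWORD')` before the `Cassandra.cluster(...)` call is still reported; if that over-approximation is intended, say so in a comment and pin it with a snapshot. The `Cassandra` / `^.$` / `cluster` prefix is copied verbatim between the two utils here and again in the hardcoded-secret rule in this commit; one shared util for the call shape would keep the four copies from drifting.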
Lines changed: 147 additions & 0 deletions
@@ -0,0 +1,147 @@
1+
id: ruby-cassandra-hardcoded-secret-ruby
2+
language: ruby
3+
severity: warning
4+
message: >-
5+
A secret is hard-coded in the application. Secrets stored in source
6+
code, such as credentials, identifiers, and other types of sensitive data,
7+
can be leaked and used by internal or external malicious actors. Use
8+
environment variables to securely provide credentials and other secrets or
9+
retrieve them from a secure vault or Hardware Security Module (HSM).
10+
note: >-
11+
[CWE-798] Use of Hard-coded Credentials.
12+
[REFERENCES]
13+
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
14+
15+
ast-grep-essentials: true
16+
17+
utils:
18+
Cassandra.cluster():
19+
# Cassandra.cluster(..., password: "", ...)
20+
kind: call
21+
all:
22+
- has:
23+
stopBy: neighbor
24+
kind: constant
25+
regex: ^Cassandra$
26+
- has:
27+
stopBy: neighbor
28+
regex: ^.$
29+
- has:
30+
stopBy: neighbor
31+
kind: identifier
32+
regex: ^cluster$
33+
- has:
34+
stopBy: neighbor
35+
kind: argument_list
36+
has:
37+
stopBy: neighbor
38+
kind: pair
39+
all:
40+
- has:
41+
stopBy: neighbor
42+
any:
43+
- kind: hash_key_symbol
44+
regex: ^password$
45+
- kind: simple_symbol
46+
regex: ^:password$
47+
- has:
48+
stopBy: neighbor
49+
kind: string
50+
has:
51+
stopBy: neighbor
52+
kind: string_content
53+
- any:
54+
- inside:
55+
stopBy: end
56+
follows:
57+
stopBy: end
58+
kind: call
59+
pattern: require 'cassandra'
60+
- follows:
61+
stopBy: end
62+
kind: call
63+
pattern: require 'cassandra'
64+
65+
Cassandra.cluster()_Instance:
66+
# Cassandra.cluster(..., password: "", ...)
67+
kind: call
68+
all:
69+
- has:
70+
stopBy: neighbor
71+
kind: constant
72+
regex: ^Cassandra$
73+
- has:
74+
stopBy: neighbor
75+
regex: ^.$
76+
- has:
77+
stopBy: neighbor
78+
kind: identifier
79+
regex: ^cluster$
80+
- has:
81+
stopBy: neighbor
82+
kind: argument_list
83+
has:
84+
stopBy: neighbor
85+
kind: pair
86+
all:
87+
- has:
88+
stopBy: neighbor
89+
any:
90+
- kind: hash_key_symbol
91+
regex: ^password$
92+
- kind: simple_symbol
93+
regex: ^:password$
94+
- has:
95+
stopBy: neighbor
96+
kind: identifier
97+
pattern: $VAR
98+
- any:
99+
- inside:
100+
stopBy: end
101+
follows:
102+
stopBy: end
103+
kind: call
104+
pattern: require 'cassandra'
105+
- follows:
106+
stopBy: end
107+
kind: call
108+
pattern: require 'cassandra'
109+
- any:
110+
- follows:
111+
stopBy: end
112+
kind: assignment
113+
all:
114+
- has:
115+
kind: identifier
116+
pattern: $VAR
117+
- has:
118+
kind: string
119+
has:
120+
kind: string_content
121+
- inside:
122+
stopBy: end
123+
follows:
124+
stopBy: end
125+
kind: assignment
126+
all:
127+
- has:
128+
kind: identifier
129+
pattern: $VAR
130+
- has:
131+
kind: string
132+
has:
133+
kind: string_content
134+
rule:
135+
kind: call
136+
any:
137+
- matches: Cassandra.cluster()
138+
- matches: Cassandra.cluster()_Instance
139+
not:
140+
all:
141+
- has:
142+
stopBy: end
143+
kind: ERROR
144+
- inside:
145+
stopBy: end
146+
kind: ERROR
147+
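Review bot: the comments `# Cassandra.cluster(..., password: "", ...)` above both utils were carried over from the empty-password rule, but this rule requires `has: kind: string_content`, i.e. a non-empty literal, so the comment documents exactly the case this rule does not match; it should show a non-empty value such as `password: "s3cret"`. Note also that `string_content` is present in a partly interpolated literal like `"prefix-#{ENV['PW']}"`, so the rule reports those as hard-coded as well; that is a reasonable conservative default, but a snapshot and a sentence in `note:` would make the behaviour deliberate rather than surprising. The trailing `not: all:` ERROR guard has the same `all`-versus-`any` question as in the empty-password rule.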
Lines changed: 19 additions & 0 deletions
@@ -0,0 +1,19 @@
1+
id: force-ssl-false-ruby
2+
snapshots:
3+
? |
4+
def bad_ssl
5+
config.force_ssl = false
6+
end
7+
: labels:
8+
- source: config.force_ssl = false
9+
style: primary
10+
start: 12
11+
end: 36
12+
- source: config.force_ssl
13+
style: secondary
14+
start: 12
15+
end: 28
16+
- source: 'false'
17+
style: secondary
18+
start: 31
19+
end: 36
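Review bot: the snapshot covers only the positive case `config.force_ssl = false` inside a method; there is no passing case (`config.force_ssl = true`) and nothing exercising the `^\s*false$` regex's leading-whitespace allowance or the `Rails.application.config.force_ssl = false` receiver the rule currently misses. Adding those as valid/invalid cases to the rule's test file pins the expected behaviour before anyone adjusts the matcher. The offsets themselves check out: `def bad_ssl` plus its newline is 12 characters, so `start: 12` / `end: 36` spans the 24-character assignment, with `config.force_ssl` ending at 28 and `false` at 31 to 36.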
