
Commit d3972fa, authored by ESS-ENNSakshis and Sakshis
Add security rules for cookie settings and XML processing in YAML config (#66)

* 101 cookie-secure-flag-false-java
* documentbuilderfactory-disallow-doctype-decl-false-java

Co-authored-by: Sakshis <sakshil@abc.com>
1 parent a34ecdf commit d3972fa

7 files changed, +208 -0 lines changed

package-lock.json

Lines changed: 8 additions & 0 deletions (generated file; diff not rendered)
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
id: cookie-secure-flag-false-java
2+
language: java
3+
severity: warning
4+
message: >-
5+
A cookie was detected without setting the 'secure' flag. The 'secure'
6+
flag for cookies prevents the client from transmitting the cookie over
7+
insecure channels such as HTTP. Set the 'secure' flag by calling
8+
'$COOKIE.setSecure(true);'.
9+
note: >-
10+
[CWE-614] Sensitive Cookie in HTTPS Session Without 'Secure' Attribute.
11+
[REFERENCES]
12+
- https://owasp.org/www-community/controls/SecureCookieAttribute
13+
rule:
14+
pattern: $COOKIE.setSecure(false);
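Review bot: the message overstates what the rule matches. `pattern: $COOKIE.setSecure(false);` fires only on an explicit `setSecure(false)` call; a cookie whose code never calls `setSecure` at all (and so also lacks the flag) is not reported, yet "A cookie was detected without setting the 'secure' flag" reads as if that omission case were covered. Either reword the message to say the flag is explicitly set to false on $COOKIE, or add a separate rule for the omission. Two smaller points: `$COOKIE` is bound by the pattern, so the fix hint `'$COOKIE.setSecure(true);'` will interpolate correctly, and a non-literal argument such as `cookie.setSecure(Boolean.FALSE)` or a boolean variable is not matched, which is worth stating in the note so users know the rule is literal-only.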
Lines changed: 46 additions & 0 deletions
@@ -0,0 +1,46 @@
1+
id: documentbuilderfactory-disallow-doctype-decl-false-java
2+
language: java
3+
severity: warning
4+
message: >-
5+
DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting
6+
external entity declarations, this is vulnerable to XML external entity
7+
attacks. Disable this by setting the feature
8+
"http://apache.org/xml/features/disallow-doctype-decl" to true.
9+
Alternatively, allow DOCTYPE declarations and only prohibit external
10+
entities declarations. This can be done by setting the features
11+
"http://xml.org/sax/features/external-general-entities" and
12+
"http://xml.org/sax/features/external-parameter-entities" to false.
13+
note: >-
14+
[CWE-611]: mproper Restriction of XML External Entity Reference
15+
[OWASP A04:2017]: XML External Entities (XXE)
16+
[OWASP A05:2021 - Security Misconfiguration]
17+
[REFERENCES]
18+
https://blog.sonarsource.com/secure-xml-processor
19+
https://xerces.apache.org/xerces2-j/features.html
20+
utils:
21+
match_expression_statement:
22+
kind: expression_statement
23+
has:
24+
stopBy: end
25+
kind: method_invocation
26+
all:
27+
- has:
28+
stopBy: end
29+
kind: identifier
30+
- has:
31+
stopBy: end
32+
kind: identifier
33+
regex: '^setFeature$'
34+
has:
35+
kind: argument_list
36+
all:
37+
- has:
38+
stopBy: end
39+
kind: string_literal
40+
regex: 'http://apache.org/xml/features/disallow-doctype-decl'
41+
- has:
42+
stopBy: end
43+
regex: '^false$'
44+
rule:
45+
any:
46+
- matches: match_expression_statement
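Review bot: `$DBFACTORY` in the message is never captured. The util is built entirely from `kind`/`regex` matchers with no metavariable pattern, so the reported message will contain the literal text `$DBFACTORY` instead of the receiver; bind the receiver with a pattern clause that names `$DBFACTORY`, or drop the placeholder from the message. The CWE-611 note line has a typo: "mproper" should be "Improper". In the util, the first `has: stopBy: end / kind: identifier` branch has no regex and is satisfied by any identifier (including `setFeature` itself), so it adds nothing and can be removed, and `rule: any:` with a single `matches` alternative can simply be `rule: matches: match_expression_statement`. Finally, `regex: '^false$'` matches only the literal `false`: `Boolean.FALSE`, a boolean variable, or never calling `setFeature` for this property at all are all left unflagged, so the message "DOCTYPE declarations are enabled for $DBFACTORY" should say the feature is explicitly set to false rather than implying the enabled state is detected in general.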
Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
id: cookie-secure-flag-false-java
2+
snapshots:
3+
? |
4+
cookie.setSecure(false);
5+
: labels:
6+
- source: cookie.setSecure(false);
7+
style: primary
8+
start: 0
9+
end: 24
Lines changed: 70 additions & 0 deletions
@@ -0,0 +1,70 @@
1+
id: documentbuilderfactory-disallow-doctype-decl-false-java
2+
snapshots:
3+
? |
4+
ParserConfigurationException {
5+
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
6+
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
7+
}
8+
: labels:
9+
- source: dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
10+
style: primary
11+
start: 106
12+
end: 184
13+
- source: dbf
14+
style: secondary
15+
start: 106
16+
end: 109
17+
- source: setFeature
18+
style: secondary
19+
start: 110
20+
end: 120
21+
- source: '"http://apache.org/xml/features/disallow-doctype-decl"'
22+
style: secondary
23+
start: 121
24+
end: 175
25+
- source: 'false'
26+
style: secondary
27+
start: 177
28+
end: 182
29+
- source: ("http://apache.org/xml/features/disallow-doctype-decl", false)
30+
style: secondary
31+
start: 120
32+
end: 183
33+
- source: dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false)
34+
style: secondary
35+
start: 106
36+
end: 183
37+
? |
38+
ParserConfigurationException {
39+
SAXParserFactory spf = SAXParserFactory.newInstance();
40+
spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
41+
}
42+
: labels:
43+
- source: spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
44+
style: primary
45+
start: 94
46+
end: 172
47+
- source: spf
48+
style: secondary
49+
start: 94
50+
end: 97
51+
- source: setFeature
52+
style: secondary
53+
start: 98
54+
end: 108
55+
- source: '"http://apache.org/xml/features/disallow-doctype-decl"'
56+
style: secondary
57+
start: 109
58+
end: 163
59+
- source: 'false'
60+
style: secondary
61+
start: 165
62+
end: 170
63+
- source: ("http://apache.org/xml/features/disallow-doctype-decl", false)
64+
style: secondary
65+
start: 108
66+
end: 171
67+
- source: spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false)
68+
style: secondary
69+
start: 94
70+
end: 171
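Review bot: the second snapshot (`SAXParserFactory spf`) shows the rule matches any receiver of `setFeature`, not only a DocumentBuilderFactory, so the id `documentbuilderfactory-disallow-doctype-decl-false-java` and the `$DBFACTORY` wording in the message understate its scope; either pick a receiver-neutral id or document that SAXParserFactory (and any other `setFeature` caller) is covered. The label offsets are consistent with four-space indented fixtures (primary 106-184 for `dbf`, 94-172 for `spf`, both 78 characters wide), so nothing to change there.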
Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
id: cookie-secure-flag-false-java
2+
valid:
3+
- |
4+
response.addCookie(cookie);
5+
cookie.setSecure(true);
6+
cookie.setHttpOnly(true);
7+
response.addCookie(cookie);
8+
invalid:
9+
- |
10+
cookie.setSecure(false);
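Review bot: the first `valid` case calls `response.addCookie(cookie);` before `cookie.setSecure(true);` and `cookie.setHttpOnly(true);`, then adds the cookie a second time. It passes only because the rule never sees `setSecure(false)`, not because the sequence is right; as the reference "good" example it should set both flags first and call `addCookie` once. Consider also adding a `valid` case with a non-literal argument such as `cookie.setSecure(isHttps);` to document that the rule is literal-only and will not flag it.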
Lines changed: 51 additions & 0 deletions
@@ -0,0 +1,51 @@
1+
id: documentbuilderfactory-disallow-doctype-decl-false-java
2+
valid:
3+
- |
4+
ParserConfigurationException {
5+
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
6+
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
7+
}
8+
- |
9+
ParserConfigurationException {
10+
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
11+
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
12+
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
13+
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
14+
}
15+
- |
16+
ParserConfigurationException {
17+
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
18+
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
19+
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
20+
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
21+
}
22+
- |
23+
ParserConfigurationException {
24+
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
25+
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
26+
dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
27+
dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
28+
}
29+
- |
30+
ParserConfigurationException {
31+
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
32+
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
33+
dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
34+
dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
35+
}
36+
- |
37+
ParserConfigurationException {
38+
SAXParserFactory spf = SAXParserFactory.newInstance();
39+
spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
40+
}
41+
invalid:
42+
- |
43+
ParserConfigurationException {
44+
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
45+
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
46+
}
47+
- |
48+
ParserConfigurationException {
49+
SAXParserFactory spf = SAXParserFactory.newInstance();
50+
spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
51+
}
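Review bot: every fixture opens with `ParserConfigurationException {`, which is not valid Java on its own (it reads as the tail of a `throws` clause); wrapping each case in a complete method such as `void parse() throws ParserConfigurationException { ... }` would make the fixtures readable and parse without error recovery. On coverage, the `invalid` cases use only the literal `false`; add a case passing `Boolean.FALSE` or a boolean variable to make explicit that `regex: '^false$'` does not catch it, and a `valid` case that never sets the feature at all, so the snapshot records that the omission case is intentionally out of scope for this rule.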
