
Commit d6616fc

ESS-ENNSakshis and Sakshis authored
Add YAML-based AST security rules and tests for C#, Java, Ruby (#186)
* removed missing-secure-java
* httponly-false-csharp
* use-of-md5-digest-utils-java
* removing use-of-md5-digest-utils and httponly-false-csharp
* stacktrace-disclosure-csharp
* weak-ssl-context-java
* hardcoded-secret-rsa-passphrase-ruby

---------

Co-authored-by: Sakshis <sakshil@abc.com>
1 parent 1735d18 commit d6616fc

9 files changed, +684 -0 lines changed
Lines changed: 45 additions & 0 deletions
@@ -0,0 +1,45 @@
1+
id: stacktrace-disclosure-csharp
2+
severity: warning
3+
language: csharp
4+
message: >-
5+
Stacktrace information is displayed in a non-Development environment.
6+
Accidentally disclosing sensitive stack trace information in a production
7+
environment aids an attacker in reconnaissance and information gathering.
8+
note: >-
9+
[CWE-209] Generation of Error Message Containing Sensitive Information.
10+
[REFERENCES]
11+
- https://cwe.mitre.org/data/definitions/209.html
12+
- https://owasp.org/Top10/A04_2021-Insecure_Design/
13+
14+
ast-grep-essentials: true
15+
16+
utils:
17+
$APP.UseDeveloperExceptionPage(...):
18+
kind: invocation_expression
19+
pattern: $APP.UseDeveloperExceptionPage($$$)
20+
all:
21+
- not:
22+
inside:
23+
stopBy: end
24+
any:
25+
- kind: postfix_unary_expression
26+
- kind: member_access_expression
27+
inside:
28+
kind: invocation_expression
29+
- not:
30+
inside:
31+
stopBy: neighbor
32+
kind: block
33+
follows:
34+
stopBy: end
35+
any:
36+
- kind: invocation_expression
37+
pattern: $ENV.IsDevelopment()
38+
- kind: parenthesized_expression
39+
has:
40+
kind: invocation_expression
41+
pattern: $ENV.IsDevelopment()
42+
inside:
43+
kind: if_statement
44+
rule:
45+
matches: $APP.UseDeveloperExceptionPage(...)
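Review bot: the `IsDevelopment()` exclusion (`not: inside: stopBy: neighbor, kind: block, follows: stopBy: end, ... inside: kind: if_statement`) only requires that the enclosing block be some later sibling of the `$ENV.IsDevelopment()` condition inside an `if_statement`, so it does not distinguish the `if` branch from an `else` branch: in `if (env.IsDevelopment()) { ... } else { app.UseDeveloperExceptionPage(); }` the call sits in a block that also follows the condition and would be suppressed, although it runs precisely when the environment is not Development. Anchor the exclusion on the consequence branch instead (a field constraint on the block, if the C# grammar exposes one, or an explicit check that the block is not the `else` alternative), and add that case to the tests the commit message mentions; none are visible in this diff. The first exclusion (`not: inside ... any: - kind: postfix_unary_expression - kind: member_access_expression inside: kind: invocation_expression`) carries no comment saying what it is meant to skip; a one-line YAML comment would help the next maintainer. Minor: "Stacktrace" in the message reads better as "Stack trace".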
Lines changed: 79 additions & 0 deletions
@@ -0,0 +1,79 @@
1+
id: weak-ssl-context-java
2+
language: java
3+
severity: warning
4+
message: >-
5+
'An insecure SSL context was detected. TLS versions 1.0, 1.1, and all
6+
SSL versions are considered weak encryption and are deprecated. Use
7+
SSLContext.getInstance("TLSv1.2") for the best security.'
8+
note: >-
9+
[CWE-326] Inadequate Encryption Strength
10+
[REFERENCES]
11+
- https://tools.ietf.org/html/rfc7568
12+
- https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html
13+
14+
ast-grep-essentials: true
15+
16+
# rule:
17+
# all:
18+
# - pattern: SSLContext.getInstance($CONTEXT)
19+
20+
# constraints:
21+
# CONTEXT:
22+
# any:
23+
# - kind: string_literal
24+
# has:
25+
# kind: string_fragment
26+
# all:
27+
# - not:
28+
# regex: ^TLSv1.2$
29+
# - not:
30+
# regex: ^TLSv1.3$
31+
# - kind: string_literal
32+
# not:
33+
# has:
34+
# kind: string_fragment
35+
36+
rule:
37+
kind: method_invocation
38+
not:
39+
has:
40+
stopBy: end
41+
kind: method_invocation
42+
all:
43+
- has:
44+
kind: identifier
45+
field: object
46+
nthChild: 1
47+
regex: ^SSLContext$
48+
- has:
49+
kind: identifier
50+
field: name
51+
nthChild: 2
52+
regex: ^getInstance$
53+
- has:
54+
kind: argument_list
55+
field: arguments
56+
nthChild: 3
57+
has:
58+
nthChild:
59+
position: 1
60+
ofRule:
61+
kind: string_literal
62+
any:
63+
- not:
64+
has:
65+
kind: string_fragment
66+
- has:
67+
kind: string_fragment
68+
all:
69+
- not:
70+
regex: ^TLSv1.2$
71+
- not:
72+
regex: ^TLSv1.3$
73+
not:
74+
has:
75+
nthChild:
76+
position: 2
77+
ofRule:
78+
not:
79+
kind: line_comment
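Review bot: the trailing constraint on the `argument_list` (`not: has: nthChild: position: 2 ofRule: not: kind: line_comment`) limits the match to single-argument calls, so the two-argument overloads `SSLContext.getInstance(String protocol, String provider)` and `SSLContext.getInstance(String protocol, Provider provider)` are never checked even when the first argument is a weak protocol; drop that constraint, or keep the string-literal check on position 1 regardless of how many arguments follow. Two smaller points: the `message` recommends `SSLContext.getInstance("TLSv1.2") for the best security` while the rule itself accepts `^TLSv1.3$`, so recommend TLSv1.3 (with 1.2 as the floor); and the unescaped dot in `^TLSv1.2$` / `^TLSv1.3$` matches any character, `^TLSv1\.2$` is the intended form. The commented-out earlier draft (`# rule:` through `# kind: string_fragment`) should be deleted rather than shipped in the rule file.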
Lines changed: 232 additions & 0 deletions
@@ -0,0 +1,232 @@
1+
id: hardcoded-secret-rsa-passphrase-ruby
2+
language: ruby
3+
severity: warning
4+
message: >-
5+
Found the use of an hardcoded passphrase for RSA. The passphrase can be
6+
easily discovered, and therefore should not be stored in source-code. It
7+
is recommended to remove the passphrase from source-code, and use system
8+
environment variables or a restricted configuration file.
9+
note: >-
10+
[CWE-798]: Use of Hard-coded Credentials
11+
[OWASP A07:2021]: Identification and Authentication Failures
12+
[REFERENCES]
13+
https://cwe.mitre.org/data/definitions/522.html
14+
15+
ast-grep-essentials: true
16+
17+
utils:
18+
OpenSSL::PKey::RSA.new(..., '...'):
19+
kind: call
20+
all:
21+
- has:
22+
stopBy: neighbor
23+
kind: scope_resolution
24+
regex: ^OpenSSL::PKey::RSA$
25+
- has:
26+
stopBy: neighbor
27+
regex: ^.$
28+
- has:
29+
stopBy: neighbor
30+
kind: identifier
31+
regex: ^new$
32+
- has:
33+
stopBy: neighbor
34+
kind: argument_list
35+
all:
36+
- has:
37+
stopBy: neighbor
38+
kind: string
39+
nthChild: 2
40+
has:
41+
stopBy: neighbor
42+
kind: string_content
43+
44+
OpenSSL::PKey::RSA.new(...).to_pem(..., '...'):
45+
kind: call
46+
all:
47+
- has:
48+
stopBy: neighbor
49+
kind: call
50+
pattern: OpenSSL::PKey::RSA.new($$$)
51+
- has:
52+
stopBy: neighbor
53+
regex: ^.$
54+
- has:
55+
stopBy: neighbor
56+
kind: identifier
57+
regex: ^to_pem|export$
58+
- has:
59+
stopBy: neighbor
60+
kind: argument_list
61+
has:
62+
stopBy: neighbor
63+
kind: string
64+
nthChild:
65+
position: 2
66+
ofRule:
67+
not:
68+
kind: comment
69+
not:
70+
precedes:
71+
stopBy: end
72+
nthChild: 3
73+
74+
OpenSSL::PKey::RSA.new(..., '...')_with_instance:
75+
kind: call
76+
all:
77+
- has:
78+
stopBy: neighbor
79+
kind: scope_resolution
80+
regex: ^OpenSSL::PKey::RSA$
81+
- has:
82+
stopBy: neighbor
83+
regex: ^.$
84+
- has:
85+
stopBy: neighbor
86+
kind: identifier
87+
regex: ^new$
88+
- has:
89+
stopBy: neighbor
90+
kind: argument_list
91+
all:
92+
- has:
93+
stopBy: neighbor
94+
pattern: $SECRET
95+
nthChild: 2
96+
97+
- inside:
98+
stopBy: end
99+
kind: class
100+
has:
101+
stopBy: end
102+
kind: assignment
103+
pattern: $SECRET = '$SECRET_VALUE'
104+
105+
OpenSSL::PKey::RSA.new(...).to_pem(..., '...')_with_instance:
106+
kind: call
107+
all:
108+
- has:
109+
stopBy: neighbor
110+
kind: call
111+
pattern: OpenSSL::PKey::RSA.new($$$)
112+
- has:
113+
stopBy: neighbor
114+
regex: ^.$
115+
- has:
116+
stopBy: neighbor
117+
kind: identifier
118+
regex: ^to_pem|export$
119+
- has:
120+
stopBy: neighbor
121+
kind: argument_list
122+
all:
123+
- has:
124+
stopBy: neighbor
125+
pattern: $SECRET
126+
nthChild: 2
127+
128+
- inside:
129+
stopBy: end
130+
kind: class
131+
has:
132+
stopBy: end
133+
kind: assignment
134+
pattern: $SECRET = '$SECRET_VALUE'
135+
136+
$OPENSSL.export(...,'...'):
137+
kind: call
138+
all:
139+
- has:
140+
stopBy: neighbor
141+
pattern: $OPENSSL
142+
- has:
143+
stopBy: neighbor
144+
regex: ^.$
145+
- has:
146+
stopBy: neighbor
147+
kind: identifier
148+
regex: ^export|to_pem$
149+
- has:
150+
stopBy: neighbor
151+
kind: argument_list
152+
all:
153+
- has:
154+
stopBy: neighbor
155+
kind: string
156+
nthChild: 2
157+
has:
158+
stopBy: neighbor
159+
kind: string_content
160+
161+
- inside:
162+
stopBy: end
163+
kind: class
164+
has:
165+
stopBy: end
166+
kind: assignment
167+
pattern: $OPENSSL = OpenSSL::PKey::RSA.new
168+
169+
$OPENSSL.to_pem(...,$ASSIGN):
170+
kind: call
171+
all:
172+
- has:
173+
stopBy: neighbor
174+
pattern: $OPENSSL
175+
- has:
176+
stopBy: neighbor
177+
regex: ^.$
178+
- has:
179+
stopBy: neighbor
180+
kind: identifier
181+
regex: ^export|to_pem$
182+
- has:
183+
stopBy: neighbor
184+
kind: argument_list
185+
all:
186+
- has:
187+
stopBy: neighbor
188+
pattern: $SECRET
189+
nthChild: 2
190+
- inside:
191+
stopBy: end
192+
kind: class
193+
all:
194+
- has:
195+
stopBy: end
196+
kind: assignment
197+
pattern: $OPENSSL = OpenSSL::PKey::RSA.new
198+
- has:
199+
stopBy: end
200+
kind: assignment
201+
pattern: $SECRET = '$SECRET_STRING'
202+
203+
match_call:
204+
kind: call
205+
all:
206+
- has:
207+
stopBy: end
208+
kind: identifier
209+
field: receiver
210+
- has:
211+
stopBy: end
212+
kind: identifier
213+
field: method
214+
- has:
215+
stopBy: end
216+
kind: argument_list
217+
field: arguments
218+
all:
219+
- has:
220+
kind: call
221+
- has:
222+
kind: string
223+
rule:
224+
kind: call
225+
any:
226+
- matches: OpenSSL::PKey::RSA.new(..., '...')
227+
- matches: OpenSSL::PKey::RSA.new(...).to_pem(..., '...')
228+
- matches: OpenSSL::PKey::RSA.new(..., '...')_with_instance
229+
- matches: OpenSSL::PKey::RSA.new(...).to_pem(..., '...')_with_instance
230+
- matches: $OPENSSL.export(...,'...')
231+
- matches: $OPENSSL.to_pem(...,$ASSIGN)
232+
- matches: match_call
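Review bot: the `match_call` utility (a `call` whose `receiver` and `method` are any `identifier` and whose `argument_list` merely contains some `call` and some `string`) is included in the final `any:` list with no tie to `OpenSSL::PKey::RSA`, so every call of the shape `obj.method(other(), "text")` anywhere in a codebase is reported as a hard-coded RSA passphrase; either remove `- matches: match_call` or constrain its receiver to a variable assigned from `OpenSSL::PKey::RSA.new`, as the `$OPENSSL.export(...,'...')` utility does. Further: the alternations `^to_pem|export$` and `^export|to_pem$` bind as `^to_pem` or `export$` and should be `^(to_pem|export)$`; `regex: ^.$` on the call separator matches any single character where `^\.$` is meant; the `note` cites [CWE-798] but links to definitions/522.html; `pattern: $OPENSSL = OpenSSL::PKey::RSA.new` has no argument list, so it looks like it will not match the common `key = OpenSSL::PKey::RSA.new(2048)`, and the `$OPENSSL.*` utilities need a test with a key-size argument (the commit message mentions tests, but none appear in this diff); and "an hardcoded" in the message should be "a hardcoded".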
