Commit dcafc76

ESS-ENNSakshis and Sakshis authored
Add Ruby security rules for RSA key size, AWS SDK and Faraday secrets (#159)

* removed missing-secure-java
* httponly-false-csharp
* use-of-md5-digest-utils-java
* removing use-of-md5-digest-utils and httponly-false-csharp
* ruby-faraday-hardcoded-secret-ruby
* ruby-aws-sdk-hardcoded-secret-ruby
* insufficient-rsa-key-size-ruby

---------

Co-authored-by: Sakshis <sakshil@abc.com>
1 parent db9abf2 commit dcafc76

9 files changed: +1153 -0 lines changed
Lines changed: 91 additions & 0 deletions
@@ -0,0 +1,91 @@
1+
id: insufficient-rsa-key-size-ruby
2+
language: ruby
3+
severity: warning
4+
message: >-
5+
The RSA key size $SIZE is insufficent by NIST standards. It is
6+
recommended to use a key length of 2048 or higher.
7+
note: >-
8+
[CWE-326] Inadequate Encryption Strength.
9+
[REFERENCES]
10+
- https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf
11+
12+
ast-grep-essentials: true
13+
14+
utils:
15+
OpenSSL::PKey::RSA.generate($SIZE,...):
16+
# OpenSSL::PKey::RSA.generate($SIZE,...)
17+
kind: call
18+
all:
19+
- has:
20+
stopBy: neighbor
21+
kind: scope_resolution
22+
regex: ^OpenSSL::PKey::RSA$
23+
- has:
24+
stopBy: neighbor
25+
regex: ^.$
26+
- has:
27+
stopBy: neighbor
28+
kind: identifier
29+
regex: ^(new|generate)$
30+
- has:
31+
stopBy: neighbor
32+
kind: argument_list
33+
has:
34+
pattern: $KEYS
35+
any:
36+
- regex: '^(-?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|0|-[1-9][0-9]*|-[1-9][0-9]{2,}|-1[0-9]{3}|-20[0-3][0-9]|-204[0-7])$'
37+
- regex: ^-\d+(\.\d+)?(/(\d+(\.\d+)?))?$
38+
nthChild:
39+
position: 1
40+
ofRule:
41+
not:
42+
kind: comment
43+
44+
OpenSSL::PKey::RSA.new($ASSIGN, ...):
45+
# $ASSIGN = $SIZE
46+
# OpenSSL::PKey::RSA.new($ASSIGN, ...)
47+
kind: call
48+
all:
49+
- has:
50+
stopBy: neighbor
51+
kind: scope_resolution
52+
regex: ^OpenSSL::PKey::RSA$
53+
- has:
54+
stopBy: neighbor
55+
regex: ^.$
56+
- has:
57+
stopBy: neighbor
58+
kind: identifier
59+
regex: ^(new|generate)$
60+
- has:
61+
stopBy: neighbor
62+
kind: argument_list
63+
has:
64+
stopBy: neighbor
65+
pattern: $BIT
66+
nthChild:
67+
position: 1
68+
ofRule:
69+
not:
70+
kind: comment
71+
- any:
72+
- inside:
73+
stopBy: end
74+
follows:
75+
stopBy: end
76+
kind: assignment
77+
pattern: $BIT = $KEY
78+
- follows:
79+
stopBy: end
80+
kind: assignment
81+
pattern: $BIT = $KEY
82+
rule:
83+
kind: call
84+
any:
85+
- matches: OpenSSL::PKey::RSA.generate($SIZE,...)
86+
- matches: OpenSSL::PKey::RSA.new($ASSIGN, ...)
87+
constraints:
88+
KEY:
89+
any:
90+
- regex: '^(-?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|0|-[1-9][0-9]*|-[1-9][0-9]{2,}|-1[0-9]{3}|-20[0-3][0-9]|-204[0-7])$'
91+
- regex: ^-\d+(\.\d+)?(/(\d+(\.\d+)?))?$
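Review bot: The message interpolates `$SIZE`, but nothing in this rule binds that name: the literal key length is captured as `$KEYS` in the first util (`pattern: $KEYS` under the argument_list) and as `$KEY` in the second (`pattern: $BIT = $KEY`, constrained under `constraints: KEY:`), so a finding will print the literal text "$SIZE" instead of the offending size. Rename both captures to `$SIZE` (`pattern: $SIZE`, `pattern: $BIT = $SIZE`, constraint key `SIZE`) so the message reads correctly. Also fix "insufficent" to "insufficient" in the message, and note that both utils accept `regex: ^(new|generate)$` for the method name, so the util names `OpenSSL::PKey::RSA.generate($SIZE,...)` and `OpenSSL::PKey::RSA.new($ASSIGN, ...)` are misleading; the two differ only in whether the size is an inline literal or a variable assigned earlier in scope, and naming them for that distinction would help the next maintainer.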
Lines changed: 149 additions & 0 deletions
@@ -0,0 +1,149 @@
1+
id: ruby-aws-sdk-hardcoded-secret-ruby
2+
language: ruby
3+
severity: warning
4+
message: >-
5+
A secret is hard-coded in the application. Secrets stored in source
6+
code, such as credentials, identifiers, and other types of sensitive data,
7+
can be leaked and used by internal or external malicious actors. Use
8+
environment variables to securely provide credentials and other secrets or
9+
retrieve them from a secure vault or Hardware Security Module (HSM).
10+
note: >-
11+
[CWE-798] Use of Hard-coded Credentials.
12+
[REFERENCES]
13+
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
14+
15+
ast-grep-essentials: true
16+
17+
utils:
18+
Aws::Credentials.new($X, "...", ...):
19+
# Aws::Credentials.new($X, "...", ...)
20+
kind: call
21+
all:
22+
- has:
23+
stopBy: neighbor
24+
kind: scope_resolution
25+
regex: ^Aws::Credentials$
26+
- has:
27+
stopBy: neighbor
28+
regex: ^.$
29+
- has:
30+
stopBy: neighbor
31+
kind: identifier
32+
regex: ^new$
33+
- has:
34+
stopBy: neighbor
35+
kind: argument_list
36+
has:
37+
stopBy: neighbor
38+
kind: string
39+
nthChild:
40+
position: 2
41+
ofRule:
42+
not:
43+
kind: comment
44+
any:
45+
- has:
46+
nthChild: 1
47+
not:
48+
kind: pair
49+
has:
50+
nthChild: 1
51+
kind: hash_key_symbol
52+
53+
- any:
54+
- inside:
55+
stopBy: end
56+
follows:
57+
stopBy: end
58+
kind: call
59+
pattern: require 'aws-sdk-core'
60+
- follows:
61+
stopBy: end
62+
kind: call
63+
pattern: require 'aws-sdk-core'
64+
Aws::Credentials.new($X, "...", ...)_instance:
65+
# Aws::Credentials.new($X, $VAR, ...)
66+
kind: call
67+
all:
68+
- has:
69+
stopBy: neighbor
70+
kind: scope_resolution
71+
regex: ^Aws::Credentials$
72+
- has:
73+
stopBy: neighbor
74+
regex: ^.$
75+
- has:
76+
stopBy: neighbor
77+
kind: identifier
78+
regex: ^new$
79+
- has:
80+
stopBy: neighbor
81+
kind: argument_list
82+
has:
83+
stopBy: neighbor
84+
kind: identifier
85+
pattern: $VAR
86+
nthChild:
87+
position: 2
88+
ofRule:
89+
not:
90+
kind: comment
91+
any:
92+
- has:
93+
nthChild: 1
94+
not:
95+
kind: pair
96+
has:
97+
nthChild: 1
98+
kind: hash_key_symbol
99+
- any:
100+
- follows:
101+
stopBy: end
102+
kind: assignment
103+
all:
104+
- has:
105+
kind: identifier
106+
pattern: $VAR
107+
- has:
108+
kind: string
109+
has:
110+
kind: string_content
111+
- inside:
112+
stopBy: end
113+
follows:
114+
stopBy: end
115+
kind: assignment
116+
all:
117+
- has:
118+
kind: identifier
119+
pattern: $VAR
120+
- has:
121+
kind: string
122+
has:
123+
kind: string_content
124+
- any:
125+
- inside:
126+
stopBy: end
127+
follows:
128+
stopBy: end
129+
kind: call
130+
pattern: require 'aws-sdk-core'
131+
- follows:
132+
stopBy: end
133+
kind: call
134+
pattern: require 'aws-sdk-core'
135+
136+
rule:
137+
kind: call
138+
any:
139+
- matches: Aws::Credentials.new($X, "...", ...)
140+
- matches: Aws::Credentials.new($X, "...", ...)_instance
141+
all:
142+
- not:
143+
has:
144+
stopBy: end
145+
kind: ERROR
146+
- not:
147+
inside:
148+
stopBy: end
149+
kind: ERROR
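Review bot: Both utils gate the match on an exact `require 'aws-sdk-core'` call appearing earlier in the same file (the `follows` and `inside ... follows` branches with `pattern: require 'aws-sdk-core'`), so a hard-coded secret passed to `Aws::Credentials.new` in a file that loads the SDK through Bundler or a service gem such as `aws-sdk-s3` is never reported; consider dropping that gate, or loosening it to a `require` whose argument matches `^aws-sdk`, since the `scope_resolution` check with `regex: ^Aws::Credentials$` already anchors the match. Two smaller points: the second util's key `Aws::Credentials.new($X, "...", ...)_instance` does not describe what it matches (a second argument `$VAR` that was earlier assigned a string literal); a key such as `Aws::Credentials.new($X, $VAR, ...)`, matching its own comment on the next line, would be clearer. And only the second positional argument (`nthChild: position: 2`) is inspected, so a literal access key id in `$X` with a non-literal secret passes silently; if that is intended, say so in a comment in the rule.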