
Commit fc491b0

Rules - One C rule and one Ruby rule (#34)
1 parent 2f10d49 commit fc491b0

6 files changed, +490 -0 lines changed

rules/c/security/return-c-str-c.yml

Lines changed: 203 additions & 0 deletions
@@ -0,0 +1,203 @@
1+
id: return-c-str-c
2+
language: c
3+
severity: warning
4+
message: >-
5+
`$FUNC` returns a pointer to the memory owned by `$STR`. This pointer
6+
is invalid after `$STR` goes out of scope, which can trigger a use after
7+
free.
8+
note: >-
9+
[CWE-416] Use After Free
10+
[REFERENCES]
11+
- https://wiki.sei.cmu.edu/confluence/display/c/DCL30-C.+Declare+objects+with+appropriate+storage+durations
12+
- https://wiki.sei.cmu.edu/confluence/display/cplusplus/EXP54-CPP.+Do+not+access+an+object+outside+of+its+lifetime
13+
utils:
14+
MATCH_PATTERN_STR_METHOD_WITH_STD_TWO:
15+
kind: return_statement
16+
all:
17+
- has:
18+
stopBy: end
19+
kind: call_expression
20+
all:
21+
- has:
22+
stopBy: end
23+
kind: field_expression
24+
all:
25+
- has:
26+
stopBy: end
27+
kind: identifier
28+
pattern: $E
29+
- has:
30+
stopBy: end
31+
kind: field_identifier
32+
pattern: $METHOD
33+
- has:
34+
stopBy: end
35+
kind: argument_list
36+
- follows:
37+
stopBy: end
38+
kind: labeled_statement
39+
all:
40+
- has:
41+
stopBy: end
42+
kind: statement_identifier
43+
regex: "^std$"
44+
- has:
45+
stopBy: end
46+
kind: identifier
47+
regex: "^basic_string<$TYPE>|string|wstring$"
48+
- has:
49+
stopBy: end
50+
kind: expression_statement
51+
all:
52+
- has:
53+
stopBy: end
54+
kind: identifier
55+
patttern: $E
56+
- inside:
57+
stopBy: end
58+
kind: compound_statement
59+
not:
60+
follows:
61+
stopBy: end
62+
kind: function_declarator
63+
has:
64+
stopBy: neighbor
65+
kind: identifier
66+
regex: "return.*"
67+
MATCH_PATTERN_STR_METHOD_WITH_STD_THREE:
68+
kind: return_statement
69+
all:
70+
- has:
71+
stopBy: end
72+
kind: call_expression
73+
all:
74+
- has:
75+
stopBy: end
76+
kind: field_expression
77+
all:
78+
- has:
79+
stopBy: end
80+
kind: identifier
81+
pattern: $E
82+
- has:
83+
stopBy: end
84+
kind: field_identifier
85+
pattern: $METHOD
86+
- has:
87+
stopBy: end
88+
kind: argument_list
89+
- inside:
90+
stopBy: end
91+
kind: compound_statement
92+
follows:
93+
stopBy: end
94+
kind: pointer_declarator
95+
has:
96+
stopBy: end
97+
kind: parameter_list
98+
all:
99+
- has:
100+
stopBy: end
101+
kind: type_identifier
102+
regex: "^std$"
103+
- has:
104+
stopBy: end
105+
kind: identifier
106+
regex: "^basic_string<$TYPE>|string|wstring$"
107+
- has:
108+
stopBy: end
109+
kind: identifier
110+
pattern: $E
111+
MATCH_PATTERN_STR_METHOD_WITHOUT_STD_THREE:
112+
kind: return_statement
113+
all:
114+
- has:
115+
stopBy: end
116+
kind: call_expression
117+
all:
118+
- has:
119+
stopBy: end
120+
kind: field_expression
121+
all:
122+
- has:
123+
stopBy: end
124+
kind: identifier
125+
pattern: $E
126+
- has:
127+
stopBy: end
128+
kind: field_identifier
129+
pattern: $METHOD
130+
- has:
131+
stopBy: end
132+
kind: argument_list
133+
- inside:
134+
stopBy: end
135+
kind: compound_statement
136+
follows:
137+
stopBy: end
138+
kind: pointer_declarator
139+
has:
140+
stopBy: end
141+
kind: parameter_list
142+
has:
143+
stopBy: end
144+
kind: parameter_declaration
145+
all:
146+
- has:
147+
stopBy: end
148+
kind: type_identifier
149+
regex: "^basic_string<$TYPE>|string|wstring$"
150+
- has:
151+
stopBy: neighbor
152+
kind: identifier
153+
pattern: $E
154+
MATCH_PATTERN_STR_METHOD_WITHOUT_STD_TWO:
155+
kind: return_statement
156+
all:
157+
- has:
158+
stopBy: end
159+
kind: call_expression
160+
all:
161+
- has:
162+
stopBy: end
163+
kind: field_expression
164+
all:
165+
- has:
166+
stopBy: end
167+
kind: identifier
168+
pattern: $T
169+
- has:
170+
stopBy: end
171+
kind: field_identifier
172+
pattern: $METHOD
173+
- has:
174+
stopBy: end
175+
kind: argument_list
176+
- follows:
177+
stopBy: end
178+
kind: declaration
179+
all:
180+
- has:
181+
stopBy: neighbor
182+
kind: type_identifier
183+
regex: "^basic_string<$TYPE>|string|wstring$"
184+
- has:
185+
stopBy: neighbor
186+
kind: identifier
187+
pattern: $T
188+
rule:
189+
any:
190+
- pattern: return basic_string<$TYPE>($$$).$METHOD();
191+
- pattern: return std::basic_string<$TYPE>($$$).$METHOD();
192+
- pattern: return string($$$).$METHOD();
193+
- pattern: return std::string($$$).$METHOD();
194+
- pattern: return wstring($$$).$METHOD();
195+
- pattern: return std::wstring($$$).$METHOD();
196+
- matches: MATCH_PATTERN_STR_METHOD_WITH_STD_TWO
197+
- matches: MATCH_PATTERN_STR_METHOD_WITHOUT_STD_TWO
198+
- matches: MATCH_PATTERN_STR_METHOD_WITH_STD_THREE
199+
- matches: MATCH_PATTERN_STR_METHOD_WITHOUT_STD_THREE
200+
201+
constraints:
202+
METHOD:
203+
regex: "c_str|data"
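Review bot: `patttern: $E` in the `expression_statement` branch of MATCH_PATTERN_STR_METHOD_WITH_STD_TWO is misspelled, so that `has` clause is either rejected as an unknown key or ignored, in which case the branch matches any identifier instead of binding `$E` to the string variable; change it to `pattern: $E`. The identifier regex `"^basic_string<$TYPE>|string|wstring$"` (used four times) also does not do what it looks like: `$TYPE` is not expanded inside a regex and `$` is an end anchor there, so the first alternative can never match, while the unanchored middle alternative `string` matches any identifier containing that substring (`mystring`, `string_view`); `"^(basic_string<.*>|string|wstring)$"` expresses the intent. Finally, the rule is declared `language: c` but targets `std::string`/`std::wstring` with `.c_str()`/`.data()`, which are C++, and the `labeled_statement` with `statement_identifier` `^std$` appears to rely on how tree-sitter-c recovers from `std::` rather than on a stable grammar node; this would be more robust as a `cpp` rule, where `qualified_identifier` is available, and the cited EXP54-CPP reference already points that way.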
Lines changed: 55 additions & 0 deletions
@@ -0,0 +1,55 @@
1+
id: hardcoded-http-auth-in-controller-copy-ruby
2+
language: ruby
3+
severity: warning
4+
message: >-
5+
Detected hardcoded password used in basic authentication in a
6+
controller class. Including this password in version control could expose
7+
this credential. Consider refactoring to use environment variables or
8+
configuration files
9+
note: >-
10+
[CWE-798] Use of Hard-coded Credentials.
11+
[REFERENCES]
12+
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
13+
utils:
14+
MATCH_PASSWORD_STRING:
15+
kind: string
16+
inside:
17+
stopBy: end
18+
kind: pair
19+
all:
20+
- has:
21+
stopBy: end
22+
kind: simple_symbol
23+
regex: "^:password$"
24+
- inside:
25+
stopBy: end
26+
kind: argument_list
27+
inside:
28+
stopBy: end
29+
kind: call
30+
all:
31+
- has:
32+
stopBy: neighbor
33+
kind: identifier
34+
regex: "^http_basic_authenticate_with$"
35+
- inside:
36+
stopBy: neighbor
37+
kind: body_statement
38+
inside:
39+
stopBy: end
40+
kind: class
41+
all:
42+
- has:
43+
stopBy: neighbor
44+
kind: constant
45+
- has:
46+
stopBy: end
47+
kind: superclass
48+
has:
49+
stopBy: neighbor
50+
kind: constant
51+
regex: "^ApplicationController$"
52+
53+
rule:
54+
kind: string
55+
matches: MATCH_PASSWORD_STRING
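Review bot: the `-copy-` in `id: hardcoded-http-auth-in-controller-copy-ruby` reads like a leftover from duplicating another rule file; rename the id (and the matching snapshot id) before merging so findings are not reported under a name containing "copy". On matching, `kind: simple_symbol` with `regex: "^:password$"` only catches the hash-rocket form `:password => "secret"`; the `password: "secret"` form is parsed by tree-sitter-ruby as a `hash_key_symbol`, so the key check should be an `any:` over `simple_symbol` `^:password$` and `hash_key_symbol` `^password$`, otherwise most modern Rails code is missed. The superclass constraint `regex: "^ApplicationController$"` likewise means a controller inheriting from `ActionController::Base` or a project-specific base controller is never reported; since `http_basic_authenticate_with` is a Rails controller class method, the superclass check adds little and could be dropped. The message text is also missing its terminating period after "configuration files".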
Lines changed: 114 additions & 0 deletions
@@ -0,0 +1,114 @@
1+
id: hardcoded-http-auth-in-controller-copy-ruby
2+
snapshots:
3+
? |
4+
class DangerousController < ApplicationController
5+
http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index
6+
puts "do more stuff"
7+
end
8+
: labels:
9+
- source: '"secret"'
10+
style: primary
11+
start: 108
12+
end: 116
13+
- source: :password
14+
style: secondary
15+
start: 95
16+
end: 104
17+
- source: http_basic_authenticate_with
18+
style: secondary
19+
start: 50
20+
end: 78
21+
- source: DangerousController
22+
style: secondary
23+
start: 6
24+
end: 25
25+
- source: ApplicationController
26+
style: secondary
27+
start: 28
28+
end: 49
29+
- source: < ApplicationController
30+
style: secondary
31+
start: 26
32+
end: 49
33+
- source: |-
34+
class DangerousController < ApplicationController
35+
http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index
36+
puts "do more stuff"
37+
end
38+
style: secondary
39+
start: 0
40+
end: 160
41+
- source: |-
42+
http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index
43+
puts "do more stuff"
44+
style: secondary
45+
start: 50
46+
end: 156
47+
- source: http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index
48+
style: secondary
49+
start: 50
50+
end: 135
51+
- source: :name => "dhh", :password => "secret", :except => :index
52+
style: secondary
53+
start: 79
54+
end: 135
55+
- source: :password => "secret"
56+
style: secondary
57+
start: 95
58+
end: 116
59+
? |
60+
class DangerousController < ApplicationController
61+
http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index
62+
puts "do more stuff""
63+
end
64+
: labels:
65+
- source: '"secret"'
66+
style: primary
67+
start: 108
68+
end: 116
69+
- source: :password
70+
style: secondary
71+
start: 95
72+
end: 104
73+
- source: http_basic_authenticate_with
74+
style: secondary
75+
start: 50
76+
end: 78
77+
- source: DangerousController
78+
style: secondary
79+
start: 6
80+
end: 25
81+
- source: ApplicationController
82+
style: secondary
83+
start: 28
84+
end: 49
85+
- source: < ApplicationController
86+
style: secondary
87+
start: 26
88+
end: 49
89+
- source: |-
90+
class DangerousController < ApplicationController
91+
http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index
92+
puts "do more stuff""
93+
end
94+
style: secondary
95+
start: 0
96+
end: 161
97+
- source: |-
98+
http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index
99+
puts "do more stuff""
100+
style: secondary
101+
start: 50
102+
end: 157
103+
- source: http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index
104+
style: secondary
105+
start: 50
106+
end: 135
107+
- source: :name => "dhh", :password => "secret", :except => :index
108+
style: secondary
109+
start: 79
110+
end: 135
111+
- source: :password => "secret"
112+
style: secondary
113+
start: 95
114+
end: 116
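Review bot: the second snapshot case is the first one repeated except for `puts "do more stuff""`, whose stray quote leaves an unterminated string literal; the labels still resolve only because the parser recovers from the error, and the whole-class label shifts from `end: 160` to `end: 161`, which is the sole difference between the two cases. Either drop the duplicate or replace it with a case that exercises something the first does not, for example the `password: "secret"` hash syntax or a controller with a different superclass, so the snapshot records the rule's intended coverage rather than an accidental typo.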
