coderabbitai · ESS-ENN · Dec 16, 2024 · Dec 16, 2024 · Dec 16, 2024
diff --git a/rules/java/security/documentbuilderfactory-external-general-entities-true-java.yml b/rules/java/security/documentbuilderfactory-external-general-entities-true-java.yml
@@ -0,0 +1,43 @@
+id: documentbuilderfactory-external-general-entities-true-java
+language: java
+severity: warning
+message: >-
+    External entities are allowed for $DBFACTORY. This is vulnerable to XML
+    external entity attacks. Disable this by setting the feature
+    "http://xml.org/sax/features/external-general-entities" to false.
+note: >-
+  [CWE-798]: Use of Hard-coded Credentials
+  [OWASP A07:2021]: Identification and Authentication Failures
+  [REFERENCES]
+       https://blog.sonarsource.com/secure-xml-processor
+utils:
+  match_expression_statement:
+   kind: expression_statement
+   has:
+    stopBy: end
+    kind: method_invocation
+    all:
+      - has:
+         stopBy: end
+         kind: identifier
+      - has:
+         stopBy: end
+         kind: identifier 
+         regex: 'setFeature'
+    has:
+      stopBy: end
+      kind: argument_list   
+      field: arguments
+      all:
+        - has: 
+           stopBy: end
+           kind: string_literal
+           regex: 'http://xml.org/sax/features/external-general-entities'
+        - has:
+           stopBy: end
+           regex: '^true$'
+
+rule:
+  any:
+    - matches: match_expression_statement
+
diff --git a/rules/java/security/documentbuilderfactory-external-parameter-entities-true-java.yml b/rules/java/security/documentbuilderfactory-external-parameter-entities-true-java.yml
@@ -0,0 +1,13 @@
+id: documentbuilderfactory-external-parameter-entities-true-java
+severity: warning
+language: java
+message: >-
+      External entities are allowed for $DBFACTORY. This is vulnerable to XML
+      external entity attacks. Disable this by setting the feature
+      "http://xml.org/sax/features/external-parameter-entities" to false.
+note: >-
+  [CWE-611] Improper Restriction of XML External Entity Reference.
+  [REFERENCES]
+      - https://blog.sonarsource.com/secure-xml-processor
+rule:
+  pattern: $DBFACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities",true);
diff --git a/rules/java/security/drivermanager-hardcoded-secret-java.yml b/rules/java/security/drivermanager-hardcoded-secret-java.yml
@@ -0,0 +1,152 @@
+id: drivermanager-hardcoded-secret-java
+severity: warning
+language: java
+message: >-
+  A secret is hard-coded in the application. Secrets stored in source
+  code, such as credentials, identifiers, and other types of sensitive data,
+  can be leaked and used by internal or external malicious actors. Use
+  environment variables to securely provide credentials and other secrets or
+  retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+  [CWE-798] Use of Hard-coded Credentials.
+  [REFERENCES]
+      - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+utils:
+  MATCH_PATTERN_DriverManager.getConnection:
+   kind: method_invocation
+   all:
+        - has:
+            stopBy: neighbor
+            kind: identifier
+            regex: '^DriverManager$'
+        - has:
+            stopBy: neighbor
+            kind: identifier
+            regex: '^getConnection$'
+        - has:
+            stopBy: end
+            kind: argument_list
+            nthChild: 3
+            has:
+                 stopBy: end
+                 kind: string_literal
+                 nthChild: 3
+                 pattern: $I
+
+  MATCH_PATTERN_DriverManager.getConnection_With_Instance:
+    kind: method_invocation
+    all:
+        - has:
+            stopBy: neighbor
+            kind: identifier
+            regex: '^DriverManager$'
+        - has:
+            stopBy: neighbor
+            kind: identifier
+            regex: '^getConnection$'
+        - has:
+            stopBy: end
+            kind: argument_list
+            has:
+                 stopBy: end
+                 kind: identifier
+                 nthChild: 3
+                 pattern: $Q
+        - inside:
+            stopBy: end
+            kind: local_variable_declaration
+            follows:
+              stopBy: end
+              kind: local_variable_declaration
+              has:
+                stopBy: end
+                kind: variable_declarator
+                all:
+                  - has:
+                      stopBy: end
+                      kind: identifier
+                      pattern: $Q
+                  - has:
+                      stopBy: end
+                      kind: string_literal
+                      pattern: $Z
+
+  MATCH_PATTERN_DriverManagerDataSource:
+   kind: expression_statement
+   has:
+     stopBy: neighbor
+     kind: object_creation_expression 
+     all:
+       - has:
+           stopBy: neighbor
+           kind: type_identifier
+           regex: '^DriverManagerDataSource$'
+       - has:
+            stopBy: end
+            kind: argument_list
+            has:
+                 stopBy: end
+                 kind: string_literal
+                 nthChild: 3
+                 not:
+                  regex: ^""$
+
+  MATCH_PATTERN_DriverManagerDataSource_With_Instance:
+   kind: expression_statement
+   all:
+     - has:
+        stopBy: neighbor
+        kind: method_invocation
+        all:
+        - has:
+           stopBy: neighbor
+           kind: identifier
+           pattern: $R
+        - has:
+           stopBy: neighbor
+           kind: identifier
+           regex: '^setPassword$'
+        - has:
+            stopBy: neighbor
+            kind: argument_list
+            has:
+              stopBy: neighbor
+              kind: string_literal
+              not:
+                regex: ^""$
+
+     - follows:
+         stopBy: end
+         kind: local_variable_declaration
+         all:
+           - has:
+               stopBy: neighbor
+               kind: type_identifier
+               regex: '^DriverManagerDataSource$'
+           - has:
+               stopBy: neighbor
+               kind: variable_declarator
+               has:
+                stopBy: neighbor
+                kind: identifier
+                pattern: $R
+rule:
+  any:
+    - kind: method_invocation
+      any:
+        - matches: MATCH_PATTERN_DriverManager.getConnection
+        - matches: MATCH_PATTERN_DriverManager.getConnection_With_Instance
+    - kind: expression_statement
+      any:
+        - matches: MATCH_PATTERN_DriverManagerDataSource
+        - matches: MATCH_PATTERN_DriverManagerDataSource_With_Instance
+
+constraints:
+  Z:
+    not:
+      regex: ^""$
+  I:
+    not:
+      regex: ^""$
+
+
diff --git a/tests/__snapshots__/documentbuilderfactory-external-general-entities-true-java-snapshot.yml b/tests/__snapshots__/documentbuilderfactory-external-general-entities-true-java-snapshot.yml
@@ -0,0 +1,64 @@
+id: documentbuilderfactory-external-general-entities-true-java
+snapshots:
+  ? |
+    dbf.setFeature("http://xml.org/sax/features/external-general-entities" , true);
+  : labels:
+    - source: dbf.setFeature("http://xml.org/sax/features/external-general-entities" , true);
+      style: primary
+      start: 0
+      end: 79
+    - source: dbf
+      style: secondary
+      start: 0
+      end: 3
+    - source: setFeature
+      style: secondary
+      start: 4
+      end: 14
+    - source: '"http://xml.org/sax/features/external-general-entities"'
+      style: secondary
+      start: 15
+      end: 70
+    - source: 'true'
+      style: secondary
+      start: 73
+      end: 77
+    - source: ("http://xml.org/sax/features/external-general-entities" , true)
+      style: secondary
+      start: 14
+      end: 78
+    - source: dbf.setFeature("http://xml.org/sax/features/external-general-entities" , true)
+      style: secondary
+      start: 0
+      end: 78
+  ? |
+    spf.setFeature("http://xml.org/sax/features/external-general-entities" , true);
+  : labels:
+    - source: spf.setFeature("http://xml.org/sax/features/external-general-entities" , true);
+      style: primary
+      start: 0
+      end: 79
+    - source: spf
+      style: secondary
+      start: 0
+      end: 3
+    - source: setFeature
+      style: secondary
+      start: 4
+      end: 14
+    - source: '"http://xml.org/sax/features/external-general-entities"'
+      style: secondary
+      start: 15
+      end: 70
+    - source: 'true'
+      style: secondary
+      start: 73
+      end: 77
+    - source: ("http://xml.org/sax/features/external-general-entities" , true)
+      style: secondary
+      start: 14
+      end: 78
+    - source: spf.setFeature("http://xml.org/sax/features/external-general-entities" , true)
+      style: secondary
+      start: 0
+      end: 78
diff --git a/...s/__snapshots__/documentbuilderfactory-external-parameter-entities-true-java-snapshot.yml b/...s/__snapshots__/documentbuilderfactory-external-parameter-entities-true-java-snapshot.yml
@@ -0,0 +1,16 @@
+id: documentbuilderfactory-external-parameter-entities-true-java
+snapshots:
+  ? |
+    dbf.setFeature("http://xml.org/sax/features/external-parameter-entities" , true);
+  : labels:
+    - source: dbf.setFeature("http://xml.org/sax/features/external-parameter-entities" , true);
+      style: primary
+      start: 0
+      end: 81
+  ? |
+    spf.setFeature("http://xml.org/sax/features/external-parameter-entities" , true);
+  : labels:
+    - source: spf.setFeature("http://xml.org/sax/features/external-parameter-entities" , true);
+      style: primary
+      start: 0
+      end: 81