diff --git a/rules/java/security/documentbuilderfactory-external-general-entities-true-java.yml b/rules/java/security/documentbuilderfactory-external-general-entities-true-java.yml
new file mode 100644
index 00000000..e6a073e4
--- /dev/null
+++ b/rules/java/security/documentbuilderfactory-external-general-entities-true-java.yml
@@ -0,0 +1,43 @@
+id: documentbuilderfactory-external-general-entities-true-java
+language: java
+severity: warning
+message: >-
+ External entities are allowed for $DBFACTORY. This is vulnerable to XML
+ external entity attacks. Disable this by setting the feature
+ "http://xml.org/sax/features/external-general-entities" to false.
+note: >-
+ [CWE-798]: Use of Hard-coded Credentials
+ [OWASP A07:2021]: Identification and Authentication Failures
+ [REFERENCES]
+ https://blog.sonarsource.com/secure-xml-processor
+utils:
+ match_expression_statement:
+ kind: expression_statement
+ has:
+ stopBy: end
+ kind: method_invocation
+ all:
+ - has:
+ stopBy: end
+ kind: identifier
+ - has:
+ stopBy: end
+ kind: identifier
+ regex: 'setFeature'
+ has:
+ stopBy: end
+ kind: argument_list
+ field: arguments
+ all:
+ - has:
+ stopBy: end
+ kind: string_literal
+ regex: 'http://xml.org/sax/features/external-general-entities'
+ - has:
+ stopBy: end
+ regex: '^true$'
+
+rule:
+ any:
+ - matches: match_expression_statement
+
diff --git a/rules/java/security/documentbuilderfactory-external-parameter-entities-true-java.yml b/rules/java/security/documentbuilderfactory-external-parameter-entities-true-java.yml
new file mode 100644
index 00000000..a4c22c70
--- /dev/null
+++ b/rules/java/security/documentbuilderfactory-external-parameter-entities-true-java.yml
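Review bot: The `note` block carries the wrong weakness mapping: `[CWE-798]: Use of Hard-coded Credentials` and `[OWASP A07:2021]: Identification and Authentication Failures` describe credential handling, while this rule detects enabling of external general entities, which is CWE-611 exactly as the sibling parameter-entities rule in the next hunk states; replace the two lines with `[CWE-611] Improper Restriction of XML External Entity Reference.` and, if an OWASP tag is kept, `[OWASP A05:2021] Security Misconfiguration`. Separately, the `message` interpolates `$DBFACTORY`, but nothing in `match_expression_statement` binds that metavariable — the receiver is matched only as `kind: identifier` — so the rendered finding will most likely show the literal placeholder. Binding the receiver with `pattern: $DBFACTORY` in the first `has` of the `all` list (with `stopBy: neighbor`, since the receiver is a direct child of the `method_invocation`) fixes that and also removes the redundancy of that `has`, which as written matches any identifier descendant including `setFeature` itself. The URI regex is unanchored with unescaped dots; `'^"http://xml\.org/sax/features/external-general-entities"$'` pins the exact literal.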
@@ -0,0 +1,13 @@
+id: documentbuilderfactory-external-parameter-entities-true-java
+severity: warning
+language: java
+message: >-
+ External entities are allowed for $DBFACTORY. This is vulnerable to XML
+ external entity attacks. Disable this by setting the feature
+ "http://xml.org/sax/features/external-parameter-entities" to false.
+note: >-
+ [CWE-611] Improper Restriction of XML External Entity Reference.
+ [REFERENCES]
+ - https://blog.sonarsource.com/secure-xml-processor
+rule:
+ pattern: $DBFACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities",true);
diff --git a/rules/java/security/drivermanager-hardcoded-secret-java.yml b/rules/java/security/drivermanager-hardcoded-secret-java.yml
new file mode 100644
index 00000000..6f135fd6
--- /dev/null
+++ b/rules/java/security/drivermanager-hardcoded-secret-java.yml
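Review bot: The `pattern` matches only the boolean literal `true`, so `setFeature(FEATURE, Boolean.TRUE)` or a boolean held in a constant is not reported, as far as I can tell from how the literal node is matched; an `any:` with a second `pattern: $DBFACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities", Boolean.TRUE);` would close the most common variant. The message could also point to `http://apache.org/xml/features/disallow-doctype-decl`, which is the stronger mitigation than toggling the two entity features individually. As a style point, this file orders `severity` before `language` while the general-entities rule in the previous hunk orders them the other way; keeping the sibling rules in the same key order makes them easier to diff.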
@@ -0,0 +1,152 @@
+id: drivermanager-hardcoded-secret-java
+severity: warning
+language: java
+message: >-
+ A secret is hard-coded in the application. Secrets stored in source
+ code, such as credentials, identifiers, and other types of sensitive data,
+ can be leaked and used by internal or external malicious actors. Use
+ environment variables to securely provide credentials and other secrets or
+ retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+ [CWE-798] Use of Hard-coded Credentials.
+ [REFERENCES]
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+utils:
+ MATCH_PATTERN_DriverManager.getConnection:
+ kind: method_invocation
+ all:
+ - has:
+ stopBy: neighbor
+ kind: identifier
+ regex: '^DriverManager$'
+ - has:
+ stopBy: neighbor
+ kind: identifier
+ regex: '^getConnection$'
+ - has:
+ stopBy: end
+ kind: argument_list
+ nthChild: 3
+ has:
+ stopBy: end
+ kind: string_literal
+ nthChild: 3
+ pattern: $I
+
+ MATCH_PATTERN_DriverManager.getConnection_With_Instance:
+ kind: method_invocation
+ all:
+ - has:
+ stopBy: neighbor
+ kind: identifier
+ regex: '^DriverManager$'
+ - has:
+ stopBy: neighbor
+ kind: identifier
+ regex: '^getConnection$'
+ - has:
+ stopBy: end
+ kind: argument_list
+ has:
+ stopBy: end
+ kind: identifier
+ nthChild: 3
+ pattern: $Q
+ - inside:
+ stopBy: end
+ kind: local_variable_declaration
+ follows:
+ stopBy: end
+ kind: local_variable_declaration
+ has:
+ stopBy: end
+ kind: variable_declarator
+ all:
+ - has:
+ stopBy: end
+ kind: identifier
+ pattern: $Q
+ - has:
+ stopBy: end
+ kind: string_literal
+ pattern: $Z
+
+ MATCH_PATTERN_DriverManagerDataSource:
+ kind: expression_statement
+ has:
+ stopBy: neighbor
+ kind: object_creation_expression
+ all:
+ - has:
+ stopBy: neighbor
+ kind: type_identifier
+ regex: '^DriverManagerDataSource$'
+ - has:
+ stopBy: end
+ kind: argument_list
+ has:
+ stopBy: end
+ kind: string_literal
+ nthChild: 3
+ not:
+ regex: ^""$
+
+ MATCH_PATTERN_DriverManagerDataSource_With_Instance:
+ kind: expression_statement
+ all:
+ - has:
+ stopBy: neighbor
+ kind: method_invocation
+ all:
+ - has:
+ stopBy: neighbor
+ kind: identifier
+ pattern: $R
+ - has:
+ stopBy: neighbor
+ kind: identifier
+ regex: '^setPassword$'
+ - has:
+ stopBy: neighbor
+ kind: argument_list
+ has:
+ stopBy: neighbor
+ kind: string_literal
+ not:
+ regex: ^""$
+
+ - follows:
+ stopBy: end
+ kind: local_variable_declaration
+ all:
+ - has:
+ stopBy: neighbor
+ kind: type_identifier
+ regex: '^DriverManagerDataSource$'
+ - has:
+ stopBy: neighbor
+ kind: variable_declarator
+ has:
+ stopBy: neighbor
+ kind: identifier
+ pattern: $R
+rule:
+ any:
+ - kind: method_invocation
+ any:
+ - matches: MATCH_PATTERN_DriverManager.getConnection
+ - matches: MATCH_PATTERN_DriverManager.getConnection_With_Instance
+ - kind: expression_statement
+ any:
+ - matches: MATCH_PATTERN_DriverManagerDataSource
+ - matches: MATCH_PATTERN_DriverManagerDataSource_With_Instance
+
+constraints:
+ Z:
+ not:
+ regex: ^""$
+ I:
+ not:
+ regex: ^""$
+
+
diff --git a/tests/__snapshots__/documentbuilderfactory-external-general-entities-true-java-snapshot.yml b/tests/__snapshots__/documentbuilderfactory-external-general-entities-true-java-snapshot.yml
new file mode 100644
index 00000000..d9aa1381
--- /dev/null
+++ b/tests/__snapshots__/documentbuilderfactory-external-general-entities-true-java-snapshot.yml
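Review bot: `MATCH_PATTERN_DriverManager.getConnection_With_Instance` searches the preceding `variable_declarator` for a `string_literal` with `stopBy: end`, so any string nested anywhere in the initializer satisfies it — `String password = System.getenv("DB_PASSWORD");` followed by `DriverManager.getConnection(url, "a", password);` is reported as a hard-coded secret, which is precisely the remediation the rule's own message recommends. Change that one search to `stopBy: neighbor` so `$Z` only binds a literal that is the declarator's direct initializer; the same tightening applies to the `string_literal` search under `argument_list` in the first util, where a literal nested in a third-argument call can currently satisfy `nthChild: 3`. Second, `MATCH_PATTERN_DriverManagerDataSource` is anchored on `expression_statement`, so the ordinary `DriverManagerDataSource ds = new DriverManagerDataSource(url, user, "pw");`, a field initializer, or `return new DriverManagerDataSource(...)` is not reported; only the bare statement form in the snapshot is, and I would not expect that form in real code. Anchoring the util on `object_creation_expression` and referencing it directly from `rule.any` covers all of these, and since each util already declares its own `kind`, the outer `kind` wrappers in `rule` become unnecessary.
```yaml
  MATCH_PATTERN_DriverManagerDataSource:
    kind: object_creation_expression
    all:
      - has:
          stopBy: neighbor
          kind: type_identifier
          regex: '^DriverManagerDataSource$'
      - has:
          stopBy: neighbor
          kind: argument_list
          has:
            stopBy: neighbor
            kind: string_literal
            nthChild: 3
            not:
              regex: ^""$

  # … unchanged: MATCH_PATTERN_DriverManagerDataSource_With_Instance …
rule:
  any:
    - matches: MATCH_PATTERN_DriverManager.getConnection
    - matches: MATCH_PATTERN_DriverManager.getConnection_With_Instance
    - matches: MATCH_PATTERN_DriverManagerDataSource
    - matches: MATCH_PATTERN_DriverManagerDataSource_With_Instance
# … unchanged: constraints …
```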
@@ -0,0 +1,64 @@
+id: documentbuilderfactory-external-general-entities-true-java
+snapshots:
+ ? |
+ dbf.setFeature("http://xml.org/sax/features/external-general-entities" , true);
+ : labels:
+ - source: dbf.setFeature("http://xml.org/sax/features/external-general-entities" , true);
+ style: primary
+ start: 0
+ end: 79
+ - source: dbf
+ style: secondary
+ start: 0
+ end: 3
+ - source: setFeature
+ style: secondary
+ start: 4
+ end: 14
+ - source: '"http://xml.org/sax/features/external-general-entities"'
+ style: secondary
+ start: 15
+ end: 70
+ - source: 'true'
+ style: secondary
+ start: 73
+ end: 77
+ - source: ("http://xml.org/sax/features/external-general-entities" , true)
+ style: secondary
+ start: 14
+ end: 78
+ - source: dbf.setFeature("http://xml.org/sax/features/external-general-entities" , true)
+ style: secondary
+ start: 0
+ end: 78
+ ? |
+ spf.setFeature("http://xml.org/sax/features/external-general-entities" , true);
+ : labels:
+ - source: spf.setFeature("http://xml.org/sax/features/external-general-entities" , true);
+ style: primary
+ start: 0
+ end: 79
+ - source: spf
+ style: secondary
+ start: 0
+ end: 3
+ - source: setFeature
+ style: secondary
+ start: 4
+ end: 14
+ - source: '"http://xml.org/sax/features/external-general-entities"'
+ style: secondary
+ start: 15
+ end: 70
+ - source: 'true'
+ style: secondary
+ start: 73
+ end: 77
+ - source: ("http://xml.org/sax/features/external-general-entities" , true)
+ style: secondary
+ start: 14
+ end: 78
+ - source: spf.setFeature("http://xml.org/sax/features/external-general-entities" , true)
+ style: secondary
+ start: 0
+ end: 78
diff --git a/tests/__snapshots__/documentbuilderfactory-external-parameter-entities-true-java-snapshot.yml b/tests/__snapshots__/documentbuilderfactory-external-parameter-entities-true-java-snapshot.yml
new file mode 100644
index 00000000..1faa03f3
--- /dev/null
+++ b/tests/__snapshots__/documentbuilderfactory-external-parameter-entities-true-java-snapshot.yml
@@ -0,0 +1,16 @@
+id: documentbuilderfactory-external-parameter-entities-true-java
+snapshots:
+ ? |
+ dbf.setFeature("http://xml.org/sax/features/external-parameter-entities" , true);
+ : labels:
+ - source: dbf.setFeature("http://xml.org/sax/features/external-parameter-entities" , true);
+ style: primary
+ start: 0
+ end: 81
+ ? |
+ spf.setFeature("http://xml.org/sax/features/external-parameter-entities" , true);
+ : labels:
+ - source: spf.setFeature("http://xml.org/sax/features/external-parameter-entities" , true);
+ style: primary
+ start: 0
+ end: 81
diff --git a/tests/__snapshots__/drivermanager-hardcoded-secret-java-snapshot.yml b/tests/__snapshots__/drivermanager-hardcoded-secret-java-snapshot.yml
new file mode 100644
index 00000000..be412d1f
--- /dev/null
+++ b/tests/__snapshots__/drivermanager-hardcoded-secret-java-snapshot.yml
@@ -0,0 +1,137 @@
+id: drivermanager-hardcoded-secret-java
+snapshots:
+ ? |
+ Connection conn =DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92", "a", "password");
+ : labels:
+ - source: DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92", "a", "password")
+ style: primary
+ start: 17
+ end: 101
+ - source: DriverManager
+ style: secondary
+ start: 17
+ end: 30
+ - source: getConnection
+ style: secondary
+ start: 31
+ end: 44
+ - source: '"password"'
+ style: secondary
+ start: 90
+ end: 100
+ - source: ("jdbc:oracle:thin:@localhost:1521:o92", "a", "password")
+ style: secondary
+ start: 44
+ end: 101
+ ? |
+ DriverManagerDataSource driverManagerDataSource = new DriverManagerDataSource();
+ driverManagerDataSource.setPassword("a");
+ : labels:
+ - source: driverManagerDataSource.setPassword("a");
+ style: primary
+ start: 81
+ end: 122
+ - source: driverManagerDataSource
+ style: secondary
+ start: 81
+ end: 104
+ - source: setPassword
+ style: secondary
+ start: 105
+ end: 116
+ - source: '"a"'
+ style: secondary
+ start: 117
+ end: 120
+ - source: ("a")
+ style: secondary
+ start: 116
+ end: 121
+ - source: driverManagerDataSource.setPassword("a")
+ style: secondary
+ start: 81
+ end: 121
+ - source: DriverManagerDataSource
+ style: secondary
+ start: 0
+ end: 23
+ - source: driverManagerDataSource
+ style: secondary
+ start: 24
+ end: 47
+ - source: driverManagerDataSource = new DriverManagerDataSource()
+ style: secondary
+ start: 24
+ end: 79
+ - source: DriverManagerDataSource driverManagerDataSource = new DriverManagerDataSource();
+ style: secondary
+ start: 0
+ end: 80
+ ? |
+ DriverManagerDataSource driverManagerDataSource = new DriverManagerDataSource();
+ new DriverManagerDataSource("aaaa", "root", "123456");
+ : labels:
+ - source: new DriverManagerDataSource("aaaa", "root", "123456");
+ style: primary
+ start: 81
+ end: 135
+ - source: DriverManagerDataSource
+ style: secondary
+ start: 85
+ end: 108
+ - source: '"123456"'
+ style: secondary
+ start: 125
+ end: 133
+ - source: ("aaaa", "root", "123456")
+ style: secondary
+ start: 108
+ end: 134
+ - source: new DriverManagerDataSource("aaaa", "root", "123456")
+ style: secondary
+ start: 81
+ end: 134
+ ? |
+ String password = "a";
+ Connection conn =DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92", "a", password);
+ : labels:
+ - source: DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92", "a", password)
+ style: primary
+ start: 40
+ end: 122
+ - source: DriverManager
+ style: secondary
+ start: 40
+ end: 53
+ - source: getConnection
+ style: secondary
+ start: 54
+ end: 67
+ - source: password
+ style: secondary
+ start: 113
+ end: 121
+ - source: ("jdbc:oracle:thin:@localhost:1521:o92", "a", password)
+ style: secondary
+ start: 67
+ end: 122
+ - source: password
+ style: secondary
+ start: 7
+ end: 15
+ - source: '"a"'
+ style: secondary
+ start: 18
+ end: 21
+ - source: password = "a"
+ style: secondary
+ start: 7
+ end: 21
+ - source: String password = "a";
+ style: secondary
+ start: 0
+ end: 22
+ - source: Connection conn =DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92", "a", password);
+ style: secondary
+ start: 23
+ end: 123
diff --git a/tests/java/documentbuilderfactory-external-general-entities-true-java-test.yml b/tests/java/documentbuilderfactory-external-general-entities-true-java-test.yml
new file mode 100644
index 00000000..86f12a96
--- /dev/null
+++ b/tests/java/documentbuilderfactory-external-general-entities-true-java-test.yml
@@ -0,0 +1,10 @@
+id: documentbuilderfactory-external-general-entities-true-java
+valid:
+ - |
+ dbf.setFeature("http://xml.org/sax/features/external-general-entities" , false);
+ spf.setFeature("http://xml.org/sax/features/external-general-entities" , false);
+invalid:
+ - |
+ dbf.setFeature("http://xml.org/sax/features/external-general-entities" , true);
+ - |
+ spf.setFeature("http://xml.org/sax/features/external-general-entities" , true);
diff --git a/tests/java/documentbuilderfactory-external-parameter-entities-true-java-test.yml b/tests/java/documentbuilderfactory-external-parameter-entities-true-java-test.yml
new file mode 100644
index 00000000..4a51e6ee
--- /dev/null
+++ b/tests/java/documentbuilderfactory-external-parameter-entities-true-java-test.yml
@@ -0,0 +1,9 @@
+id: documentbuilderfactory-external-parameter-entities-true-java
+valid:
+ - |
+ dbf.setFeature("http://xml.org/sax/features/external-parameter-entities" , false);
+invalid:
+ - |
+ dbf.setFeature("http://xml.org/sax/features/external-parameter-entities" , true);
+ - |
+ spf.setFeature("http://xml.org/sax/features/external-parameter-entities" , true);
diff --git a/tests/java/drivermanager-hardcoded-secret-java-test.yml b/tests/java/drivermanager-hardcoded-secret-java-test.yml
new file mode 100644
index 00000000..547499a7
--- /dev/null
+++ b/tests/java/drivermanager-hardcoded-secret-java-test.yml
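Review bot: Neither test file on this line has a `valid` case for a different feature being set to `true`, such as `dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`, which is the secure configuration and the case most likely to be caught by a regression in the URI matching (the general-entities rule matches the URI with an unanchored regex and checks `'^true$'` against any descendant of the argument list). Add that line to the `valid` list of both the general-entities and the parameter-entities test file. The parameter-entities file should also gain `spf.setFeature("http://xml.org/sax/features/external-parameter-entities" , false);` so its `valid` set mirrors its `invalid` set the way the general-entities file already does.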
@@ -0,0 +1,16 @@
+id: drivermanager-hardcoded-secret-java
+valid:
+ - |
+ Connection conn = DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92","a");
+invalid:
+ - |
+ String password = "a";
+ Connection conn =DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92", "a", password);
+ - |
+ Connection conn =DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92", "a", "password");
+ - |
+ DriverManagerDataSource driverManagerDataSource = new DriverManagerDataSource();
+ driverManagerDataSource.setPassword("a");
+ - |
+ DriverManagerDataSource driverManagerDataSource = new DriverManagerDataSource();
+ new DriverManagerDataSource("aaaa", "root", "123456");
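Review bot: The `valid` list has no case where the password argument comes from a non-literal source, e.g. `String password = System.getenv("DB_PASSWORD");` followed by `Connection conn = DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92", "a", password);`, which is the remediation the rule's own message recommends and the one a false positive would hurt most. Adding it would have exposed the `stopBy: end` string-literal search in the rule's `_With_Instance` util (earlier hunk), and it belongs in `valid` as a guard once that is tightened. The last `invalid` case pairs an unused no-argument construction with a bare `new DriverManagerDataSource("aaaa", "root", "123456");` statement; a `DriverManagerDataSource ds = new DriverManagerDataSource("aaaa", "root", "123456");` declaration is the realistic form and, as the rule stands, I would expect it not to be reported, so it is the case worth asserting on.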