From bb7b8e1ad0e345862980a163b688f4554ebc1df8 Mon Sep 17 00:00:00 2001
From: Sakshis
Date: Mon, 16 Dec 2024 13:09:06 +0000
Subject: [PATCH 1/3] removed missing-secure-java
---
rules/java/security/missing-secure-java.yml | 70 -------------------
.../missing-secure-java-snapshot.yml | 32 ---------
tests/java/missing-secure-java-test.yml | 15 ----
3 files changed, 117 deletions(-)
delete mode 100644 rules/java/security/missing-secure-java.yml
delete mode 100644 tests/__snapshots__/missing-secure-java-snapshot.yml
delete mode 100644 tests/java/missing-secure-java-test.yml
diff --git a/rules/java/security/missing-secure-java.yml b/rules/java/security/missing-secure-java.yml
deleted file mode 100644
index 755e6660..00000000
--- a/rules/java/security/missing-secure-java.yml
+++ /dev/null
@@ -1,70 +0,0 @@ -id: missing-secure-java -language: java -severity: warning -message: >- - Detected a cookie where the `Secure` flag is either missing or - disabled. The `Secure` cookie flag instructs the browser to forbid sending - the cookie over an insecure HTTP request. Set the `Secure` flag to `true` - so the cookie will only be sent over HTTPS. -note: >- - [CWE-614]: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - [OWASP A05:2021]: Security Misconfiguration - [REFERENCES] - - https://owasp.org/Top10/A05_2021-Security_Misconfiguration -utils: - match_without_httponly: - kind: argument_list - has: - kind: object_creation_expression - inside: - stopBy: end - kind: method_invocation - - match_cookie_last: - kind: argument_list - has: - kind: method_invocation - has: - kind: argument_list - has: - kind: string_literal - - match_instance: - kind: local_variable_declaration - has: - stopBy: end - kind: identifier - follows: - stopBy: end - kind: variable_declarator - - match_identifier_with_simplecookie: - kind: identifier - inside: - stopBy: end - kind: local_variable_declaration - all: - - has: - stopBy: end - kind: type_identifier - regex: '^SimpleCookie$|^Cookie$' - - has: - stopBy: neighbor - kind: variable_declarator - all: - - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: neighbor - kind: object_creation_expression - - not: - precedes: - stopBy: neighbor - kind: expression_statement -rule: - any: - - matches: match_instance - - matches: match_without_httponly - - matches: match_cookie_last - - matches: match_identifier_with_simplecookie diff --git a/tests/__snapshots__/missing-secure-java-snapshot.yml b/tests/__snapshots__/missing-secure-java-snapshot.yml deleted file mode 100644 index 3931463b..00000000 --- a/tests/__snapshots__/missing-secure-java-snapshot.yml +++ /dev/null 
@@ -1,32 +0,0 @@ -id: missing-secure-java -snapshots: - ? | - SimpleCookie s = new SimpleCookie("foo", "bar"); - .orElse( new NettyCookie( "foo", "bar" ) ); - Cookie z = new NettyCookie("foo", "bar"); - return HttpResponse.ok().cookie(Cookie.of("zzz", "ddd")); - : labels: - - source: s - style: primary - start: 13 - end: 14 - - source: SimpleCookie - style: secondary - start: 0 - end: 12 - - source: s - style: secondary - start: 13 - end: 14 - - source: new SimpleCookie("foo", "bar") - style: secondary - start: 17 - end: 47 - - source: s = new SimpleCookie("foo", "bar") - style: secondary - start: 13 - end: 47 - - source: SimpleCookie s = new SimpleCookie("foo", "bar"); - style: secondary - start: 0 - end: 48 diff --git a/tests/java/missing-secure-java-test.yml b/tests/java/missing-secure-java-test.yml deleted file mode 100644 index 507f951f..00000000 --- a/tests/java/missing-secure-java-test.yml +++ /dev/null @@ -1,15 +0,0 @@ -id: missing-secure-java -valid: - - | - Cookie c1 = getCookieSomewhere(); - return HttpResponse.ok().cookie(Cookie.of("foo", "bar").secure(true)); - Cookie cookie = request.getCookies().findCookie( "foobar" ) - Cookie c = new NettyCookie("foo", "bar"); - c.secure(true); - NettyCookie r = new NettyCookie("foo", "bar").secure(true); -invalid: - - | - SimpleCookie s = new SimpleCookie("foo", "bar"); - .orElse( new NettyCookie( "foo", "bar" ) ); - Cookie z = new NettyCookie("foo", "bar"); - return HttpResponse.ok().cookie(Cookie.of("zzz", "ddd")); From 3271f1105c24d1290aed36f4c82cb03908b49e50 Mon Sep 17 00:00:00 2001 
From: ESS ENN Date: Thu, 9 Jan 2025 13:29:58 +0530 Subject: [PATCH 2/3] use-of-rc4-java --- rules/java/security/use-of-rc4-java.yml | 42 +++++++++++++++++++ .../use-of-rc4-java-snapshot.yml | 24 +++++++++++ tests/java/use-of-rc4-java-test.yml | 9 ++++ 3 files changed, 75 insertions(+) create mode 100644 rules/java/security/use-of-rc4-java.yml create mode 100644 tests/__snapshots__/use-of-rc4-java-snapshot.yml create mode 100644 tests/java/use-of-rc4-java-test.yml diff --git a/rules/java/security/use-of-rc4-java.yml b/rules/java/security/use-of-rc4-java.yml new file mode 100644 index 00000000..c2a33fbd --- /dev/null +++ b/rules/java/security/use-of-rc4-java.yml @@ -0,0 +1,42 @@ +id: use-of-rc4-java +language: java +severity: warning +message: >- + 'Use of RC4 was detected. RC4 is vulnerable to several attacks, + including stream cipher attacks and bit flipping attacks. Instead, use a + strong, secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). See + https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions + for more information.' +note: >- + [CWE-327] Use of a Broken or Risky Cryptographic Algorithm + [REFERENCES] + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html + +rule: + pattern: $CIPHER.getInstance($ARGUMENT) + +constraints: + ARGUMENT: + any: + - has: + stopBy: end + kind: string_literal + has: + kind: string_fragment + regex: ^RC4$ + - kind: string_literal + has: + kind: string_fragment + regex: ^RC4$ + + all: + - not: + has: + nthChild: 2 + - not: + has: + stopBy: end + any: + - kind: array_access + diff --git a/tests/__snapshots__/use-of-rc4-java-snapshot.yml b/tests/__snapshots__/use-of-rc4-java-snapshot.yml new file mode 100644 index 00000000..7aa25950 --- /dev/null +++ b/tests/__snapshots__/use-of-rc4-java-snapshot.yml 
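Review bot: The `regex: ^RC4$` in the ARGUMENT constraint misses the JCA standard name for this cipher, `ARCFOUR` (SunJCE registers `ARCFOUR` and only aliases `RC4` to it), and is case-sensitive although `Cipher.getInstance` resolves algorithm names case-insensitively, so `Cipher.getInstance("ARCFOUR")` or `"rc4"` pass unflagged; use `regex: (?i)^(RC4|ARCFOUR)$` in both `any` branches. The remediation text `Cipher.getInstance("AES/CBC/PKCS7PADDING")` recommends an unauthenticated mode and a padding name the JDK's default providers do not register (they use `PKCS5Padding`; `PKCS7Padding` is a Bouncy Castle name), so the message should point at `AES/GCM/NoPadding` instead. Unlike the RC2 rule in this same series, this rule only matches a string literal at the call site, so an algorithm name held in a local variable is never reported; if that is intentional for a first version it is worth stating in the rule's `note`.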
@@ -0,0 +1,24 @@ +id: use-of-rc4-java +snapshots: + ? | + Cipher.getInstance("RC4"); + : labels: + - source: Cipher.getInstance("RC4") + style: primary + start: 0 + end: 25 + - source: RC4 + style: secondary + start: 20 + end: 23 + ? | + useCipher(Cipher.getInstance("RC4")); + : labels: + - source: Cipher.getInstance("RC4") + style: primary + start: 10 + end: 35 + - source: RC4 + style: secondary + start: 30 + end: 33 diff --git a/tests/java/use-of-rc4-java-test.yml b/tests/java/use-of-rc4-java-test.yml new file mode 100644 index 00000000..a82db3b3 --- /dev/null +++ b/tests/java/use-of-rc4-java-test.yml @@ -0,0 +1,9 @@ +id: use-of-rc4-java +valid: + - | + Cipher.getInstance("AES/CBC/PKCS7PADDING"); +invalid: + - | + Cipher.getInstance("RC4"); + - | + useCipher(Cipher.getInstance("RC4")); From a832faa9625032c23feacf22c84e16568983d864 Mon Sep 17 00:00:00 2001 From: ESS ENN Date: Thu, 9 Jan 2025 13:31:54 +0530 Subject: [PATCH 3/3] use-of-rc2-java --- rules/java/security/use-of-rc2-java.yml | 88 +++++++++ .../use-of-rc2-java-snapshot.yml | 168 ++++++++++++++++++ tests/java/use-of-rc2-java-test.yml | 39 ++++ 3 files changed, 295 insertions(+) create mode 100644 rules/java/security/use-of-rc2-java.yml create mode 100644 tests/__snapshots__/use-of-rc2-java-snapshot.yml create mode 100644 tests/java/use-of-rc2-java-test.yml diff --git a/rules/java/security/use-of-rc2-java.yml b/rules/java/security/use-of-rc2-java.yml new file mode 100644 index 00000000..57c344c6 --- /dev/null +++ b/rules/java/security/use-of-rc2-java.yml 
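Review bot: The `valid` list in the test hunk only proves the rule stays silent on `AES/CBC/PKCS7PADDING`; there is no case pinning what the rule does when the algorithm name is held in a variable (`String alg = "RC4"; Cipher.getInstance(alg);`), which the companion RC2 rule in this series does flag, and no `invalid` case for the `ARCFOUR` spelling or a lowercase `"rc4"`. Adding those cases would make the intended scope of the rule explicit rather than leaving it to the snapshot.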
@@ -0,0 +1,88 @@ +id: use-of-rc2-java +language: java +severity: warning +message: >- + Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and + is therefore considered non-compliant. Instead, use a strong, secure. +note: >- + [CWE-327] Use of a Broken or Risky Cryptographic Algorithm. + [REFERENCES] + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html + +utils: + $CIPHER.getInstance("RC2"): + kind: method_invocation + all: + - has: + stopBy: neighbor + kind: identifier + nthchild: 1 + - has: + stopBy: neighbor + kind: identifier + nthchild: 2 + regex: ^getInstance$ + - has: + stopBy: neighbor + kind: argument_list + all: + - has: + stopBy: end + kind: string_fragment + regex: ^RC2$ + - not: + has: + stopBy: end + kind: array_access + + $CIPHER.getInstance("RC2")_with_instance: + kind: method_invocation + all: + - has: + stopBy: neighbor + kind: identifier + nthchild: 1 + - has: + stopBy: neighbor + kind: identifier + nthchild: 2 + regex: ^getInstance$ + - has: + stopBy: neighbor + kind: argument_list + has: + stopBy: end + kind: identifier + pattern: $RC2 + not: + inside: + stopBy: end + kind: array_access + - inside: + stopBy: end + follows: + stopBy: end + kind: local_variable_declaration + has: + stopBy: end + kind: variable_declarator + all: + - has: + stopBy: neighbor + kind: identifier + pattern: $RC2 + - has: + stopBy: neighbor + kind: string_literal + has: + stopBy: neighbor + kind: string_fragment + regex: ^RC2$ + + +rule: + kind: method_invocation + any: + - matches: $CIPHER.getInstance("RC2") + - matches: $CIPHER.getInstance("RC2")_with_instance diff --git a/tests/__snapshots__/use-of-rc2-java-snapshot.yml b/tests/__snapshots__/use-of-rc2-java-snapshot.yml new file mode 100644 index 00000000..c8361e71 --- /dev/null +++ b/tests/__snapshots__/use-of-rc2-java-snapshot.yml 
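Review bot: The `message` ends mid-sentence (`Instead, use a strong, secure.`) and the `note` links to an RC4 article, so the finding gives no usable remediation; complete it as `Instead, use a strong, secure cipher such as Cipher.getInstance("AES/GCM/NoPadding").` and drop or replace the RC4 link. Both utils match only `regex: ^RC2$`, but RC2 is a block cipher and is normally requested as a full transformation such as `Cipher.getInstance("RC2/CBC/PKCS5Padding")`, which this rule misses; `regex: (?i)^RC2(/|$)` would cover the mode/padding forms and the case-insensitive JCA name lookup. The child-position key is spelled `nthchild` here but `nthChild` in the RC4 rule of this series; ast-grep documents the camelCase form, so the lowercase key may be rejected or silently ignored and should be made consistent.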
@@ -0,0 +1,168 @@ +id: use-of-rc2-java +snapshots: + ? | + public void testRC2InMap() { + Map cipherMap = new HashMap<>(); + cipherMap.put("RC2", Cipher.getInstance("RC2")); + } + : labels: + - source: Cipher.getInstance("RC2") + style: primary + start: 99 + end: 124 + - source: Cipher + style: secondary + start: 99 + end: 105 + - source: getInstance + style: secondary + start: 106 + end: 117 + - source: RC2 + style: secondary + start: 119 + end: 122 + - source: ("RC2") + style: secondary + start: 117 + end: 124 + ? |- + public void testRC2InSwitch() { + String algorithm = "RC2"; + switch (algorithm) { + case "RC2": + try { + Cipher.getInstance(algorithm); + } catch (Exception e) { + e.printStackTrace(); + } + break; + } + } + : labels: + - source: Cipher.getInstance(algorithm) + style: primary + start: 109 + end: 138 + - source: Cipher + style: secondary + start: 109 + end: 115 + - source: getInstance + style: secondary + start: 116 + end: 127 + - source: algorithm + style: secondary + start: 128 + end: 137 + - source: (algorithm) + style: secondary + start: 127 + end: 138 + - source: algorithm + style: secondary + start: 39 + end: 48 + - source: RC2 + style: secondary + start: 52 + end: 55 + - source: '"RC2"' + style: secondary + start: 51 + end: 56 + - source: algorithm = "RC2" + style: secondary + start: 39 + end: 56 + - source: String algorithm = "RC2"; + style: secondary + start: 32 + end: 57 + - source: String algorithm = "RC2"; + style: secondary + start: 32 + end: 57 + ? 
| + public void testRC2InSwitch() { + String algorithm = "RC2"; + switch (algorithm) { + case "RC2": + try { + Cipher.getInstance(algorithm); + } catch (Exception e) { + e.printStackTrace(); + } + break; + } + } + : labels: + - source: Cipher.getInstance(algorithm) + style: primary + start: 109 + end: 138 + - source: Cipher + style: secondary + start: 109 + end: 115 + - source: getInstance + style: secondary + start: 116 + end: 127 + - source: algorithm + style: secondary + start: 128 + end: 137 + - source: (algorithm) + style: secondary + start: 127 + end: 138 + - source: algorithm + style: secondary + start: 39 + end: 48 + - source: RC2 + style: secondary + start: 52 + end: 55 + - source: '"RC2"' + style: secondary + start: 51 + end: 56 + - source: algorithm = "RC2" + style: secondary + start: 39 + end: 56 + - source: String algorithm = "RC2"; + style: secondary + start: 32 + end: 57 + - source: String algorithm = "RC2"; + style: secondary + start: 32 + end: 57 + ? | + useCipher(Cipher.getInstance("RC2")); + Cipher.getInstance("RC2"); + : labels: + - source: Cipher.getInstance("RC2") + style: primary + start: 10 + end: 35 + - source: Cipher + style: secondary + start: 10 + end: 16 + - source: getInstance + style: secondary + start: 17 + end: 28 + - source: RC2 + style: secondary + start: 30 + end: 33 + - source: ("RC2") + style: secondary + start: 28 + end: 35 diff --git a/tests/java/use-of-rc2-java-test.yml b/tests/java/use-of-rc2-java-test.yml new file mode 100644 index 00000000..7b084ff7 --- /dev/null +++ b/tests/java/use-of-rc2-java-test.yml 
@@ -0,0 +1,39 @@ +id: use-of-rc2-java +valid: + - | + Cipher.getInstance("AES/CBC/PKCS7PADDING"); +invalid: + - | + useCipher(Cipher.getInstance("RC2")); + Cipher.getInstance("RC2"); + - | + public void testRC2InSwitch() { + String algorithm = "RC2"; + switch (algorithm) { + case "RC2": + try { + Cipher.getInstance(algorithm); + } catch (Exception e) { + e.printStackTrace(); + } + break; + } + } + - | + public void testRC2InMap() { + Map cipherMap = new HashMap<>(); + cipherMap.put("RC2", Cipher.getInstance("RC2")); + } + - | + public void testRC2InSwitch() { + String algorithm = "RC2"; + switch (algorithm) { + case "RC2": + try { + Cipher.getInstance(algorithm); + } catch (Exception e) { + e.printStackTrace(); + } + break; + } + } \ No newline at end of file
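Review bot: The `testRC2InSwitch` snippet appears twice in the `invalid` list, so the second entry adds no coverage (and the snapshot file carries the same duplicate); drop it and use the slot for a form the rule does not yet exercise, such as `Cipher.getInstance("RC2/CBC/PKCS5Padding")`, which the rule's `^RC2$` regex would not catch as written. The `\ No newline at end of file` marker also shows the test file lacks a trailing newline, which is worth fixing before merge.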