From bb7b8e1ad0e345862980a163b688f4554ebc1df8 Mon Sep 17 00:00:00 2001 From: Sakshis Date: Mon, 16 Dec 2024 13:09:06 +0000 Subject: [PATCH 1/3] removed missing-secure-java --- rules/java/security/missing-secure-java.yml | 70 ------------------- .../missing-secure-java-snapshot.yml | 32 --------- tests/java/missing-secure-java-test.yml | 15 ---- 3 files changed, 117 deletions(-) delete mode 100644 rules/java/security/missing-secure-java.yml delete mode 100644 tests/__snapshots__/missing-secure-java-snapshot.yml delete mode 100644 tests/java/missing-secure-java-test.yml diff --git a/rules/java/security/missing-secure-java.yml b/rules/java/security/missing-secure-java.yml deleted file mode 100644 index 755e6660..00000000 --- a/rules/java/security/missing-secure-java.yml +++ /dev/null 
@@ -1,70 +0,0 @@ -id: missing-secure-java -language: java -severity: warning -message: >- - Detected a cookie where the `Secure` flag is either missing or - disabled. The `Secure` cookie flag instructs the browser to forbid sending - the cookie over an insecure HTTP request. Set the `Secure` flag to `true` - so the cookie will only be sent over HTTPS. -note: >- - [CWE-614]: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - [OWASP A05:2021]: Security Misconfiguration - [REFERENCES] - - https://owasp.org/Top10/A05_2021-Security_Misconfiguration -utils: - match_without_httponly: - kind: argument_list - has: - kind: object_creation_expression - inside: - stopBy: end - kind: method_invocation - - match_cookie_last: - kind: argument_list - has: - kind: method_invocation - has: - kind: argument_list - has: - kind: string_literal - - match_instance: - kind: local_variable_declaration - has: - stopBy: end - kind: identifier - follows: - stopBy: end - kind: variable_declarator - - match_identifier_with_simplecookie: - kind: identifier - inside: - stopBy: end - kind: local_variable_declaration - all: - - has: - stopBy: end - kind: type_identifier - regex: '^SimpleCookie$|^Cookie$' - - has: - stopBy: neighbor - kind: variable_declarator - all: - - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: neighbor - kind: object_creation_expression - - not: - precedes: - stopBy: neighbor - kind: expression_statement -rule: - any: - - matches: match_instance - - matches: match_without_httponly - - matches: match_cookie_last - - matches: match_identifier_with_simplecookie diff --git a/tests/__snapshots__/missing-secure-java-snapshot.yml b/tests/__snapshots__/missing-secure-java-snapshot.yml deleted file mode 100644 index 3931463b..00000000 --- a/tests/__snapshots__/missing-secure-java-snapshot.yml +++ /dev/null 
@@ -1,32 +0,0 @@ -id: missing-secure-java -snapshots: - ? | - SimpleCookie s = new SimpleCookie("foo", "bar"); - .orElse( new NettyCookie( "foo", "bar" ) ); - Cookie z = new NettyCookie("foo", "bar"); - return HttpResponse.ok().cookie(Cookie.of("zzz", "ddd")); - : labels: - - source: s - style: primary - start: 13 - end: 14 - - source: SimpleCookie - style: secondary - start: 0 - end: 12 - - source: s - style: secondary - start: 13 - end: 14 - - source: new SimpleCookie("foo", "bar") - style: secondary - start: 17 - end: 47 - - source: s = new SimpleCookie("foo", "bar") - style: secondary - start: 13 - end: 47 - - source: SimpleCookie s = new SimpleCookie("foo", "bar"); - style: secondary - start: 0 - end: 48 diff --git a/tests/java/missing-secure-java-test.yml b/tests/java/missing-secure-java-test.yml deleted file mode 100644 index 507f951f..00000000 --- a/tests/java/missing-secure-java-test.yml +++ /dev/null @@ -1,15 +0,0 @@ -id: missing-secure-java -valid: - - | - Cookie c1 = getCookieSomewhere(); - return HttpResponse.ok().cookie(Cookie.of("foo", "bar").secure(true)); - Cookie cookie = request.getCookies().findCookie( "foobar" ) - Cookie c = new NettyCookie("foo", "bar"); - c.secure(true); - NettyCookie r = new NettyCookie("foo", "bar").secure(true); -invalid: - - | - SimpleCookie s = new SimpleCookie("foo", "bar"); - .orElse( new NettyCookie( "foo", "bar" ) ); - Cookie z = new NettyCookie("foo", "bar"); - return HttpResponse.ok().cookie(Cookie.of("zzz", "ddd")); From ae5dc84d526f609570c16c342916d83a889b4ba9 Mon Sep 17 00:00:00 2001 
From: ESS ENN Date: Wed, 15 Jan 2025 19:05:13 +0530 Subject: [PATCH 2/3] return-c-str-cpp --- rules/cpp/return-c-str-c.yml | 27 +++++++++++++++++ .../return-c-str-cpp-snapshot.yml | 29 +++++++++++++++++++ .../sizeof-this-cpp-snapshot.yml | 13 ++++++++- tests/cpp/return-c-str-cpp-test.yml | 24 +++++++++++++++ 4 files changed, 92 insertions(+), 1 deletion(-) create mode 100644 rules/cpp/return-c-str-c.yml create mode 100644 tests/__snapshots__/return-c-str-cpp-snapshot.yml create mode 100644 tests/cpp/return-c-str-cpp-test.yml diff --git a/rules/cpp/return-c-str-c.yml b/rules/cpp/return-c-str-c.yml new file mode 100644 index 00000000..b6f2ea92 --- /dev/null +++ b/rules/cpp/return-c-str-c.yml @@ -0,0 +1,27 @@ +id: return-c-str-cpp +language: cpp +severity: warning +message: >- + "`$FUNC` returns a pointer to the memory owned by `$STR`. This pointer + is invalid after `$STR` goes out of scope, which can trigger a use after + free." +note: >- + [CWE-416] Use After Free + [REFERENCES] + - https://wiki.sei.cmu.edu/confluence/display/c/DCL30-C.+Declare+objects+with+appropriate+storage+durations + - https://wiki.sei.cmu.edu/confluence/display/cplusplus/EXP54-CPP.+Do+not+access+an+object+outside+of+its+lifetime + +rule: + kind: return_statement + any: + - pattern: return basic_string<$TYPE>($$$).$METHOD(); + - pattern: return std::basic_string<$TYPE>($$$).$METHOD(); + - pattern: return string($$$).$METHOD(); + - pattern: return std::string($$$).$METHOD(); + - pattern: return wstring($$$).$METHOD(); + - pattern: return std::wstring($$$).$METHOD(); + +constraints: + METHOD: + regex: ^(c_str|data)$ + diff --git a/tests/__snapshots__/return-c-str-cpp-snapshot.yml b/tests/__snapshots__/return-c-str-cpp-snapshot.yml new file mode 100644 index 00000000..56d09ba6 --- /dev/null +++ b/tests/__snapshots__/return-c-str-cpp-snapshot.yml 
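Review bot: The message interpolates `$FUNC` and `$STR`, but none of the six patterns binds either name (only `$TYPE`, `$$$` and `$METHOD` appear), so every finding will print the raw placeholders; rewrite it in terms of what is bound, e.g. `Returning $METHOD() of a temporary string hands the caller a pointer into storage that is destroyed when the return statement's full-expression ends, so the first dereference is a use after free.` Note also that the double quotes wrapped around the text inside the `>-` folded scalar become literal characters of the emitted message. The file is named `rules/cpp/return-c-str-c.yml` while its `id` and the commit title are `return-c-str-cpp`; the Go rule in the same series keeps file name equal to id under a `security/` directory, so `rules/cpp/security/return-c-str-cpp.yml` would presumably match the repository layout. The patterns only cover a temporary constructed inside the `return` expression; the function-local form `std::string s = ...; return s.c_str();`, which is what the message text actually describes, and `u16string`/`u32string` are not matched, which is worth a follow-up since the local case needs a scoped `local_variable_declaration` lookup rather than another pattern line.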
@@ -0,0 +1,29 @@ +id: return-c-str-cpp +snapshots: + ? | + char *return_basic_string_directly() { + return std::basic_string("foo").c_str(); + } + : labels: + - source: return std::basic_string("foo").c_str(); + style: primary + start: 41 + end: 87 + ? | + char *return_data_directly() { + return std::string("foo").data(); + } + : labels: + - source: return std::string("foo").data(); + style: primary + start: 33 + end: 66 + ? | + char *return_directly() { + return string("foo").c_str(); + } + : labels: + - source: return string("foo").c_str(); + style: primary + start: 28 + end: 57 diff --git a/tests/__snapshots__/sizeof-this-cpp-snapshot.yml b/tests/__snapshots__/sizeof-this-cpp-snapshot.yml index 9875c137..16d1c43f 100644 --- a/tests/__snapshots__/sizeof-this-cpp-snapshot.yml +++ b/tests/__snapshots__/sizeof-this-cpp-snapshot.yml @@ -1,2 +1,13 @@ id: sizeof-this-cpp -snapshots: {} +snapshots: + ? | + return sizeof(this); + : labels: + - source: sizeof(this) + style: primary + start: 7 + end: 19 + - source: this + style: secondary + start: 14 + end: 18 diff --git a/tests/cpp/return-c-str-cpp-test.yml b/tests/cpp/return-c-str-cpp-test.yml new file mode 100644 index 00000000..4aefc3d1 --- /dev/null +++ b/tests/cpp/return-c-str-cpp-test.yml @@ -0,0 +1,24 @@ +id: return-c-str-cpp +valid: + - | + std::string return_directly() { + // ok: return-c-str + return std::string("foo"); + } +invalid: + - | + char *return_namespace_directly() { + return std::string("foo").c_str(); + } + - | + char *return_directly() { + return string("foo").c_str(); + } + - | + char *return_basic_string_directly() { + return std::basic_string("foo").c_str(); + } + - | + char *return_data_directly() { + return std::string("foo").data(); + } From 45e72ac0a3b690ebba28e57a9334675f171c821c Mon Sep 17 00:00:00 2001 
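Review bot: The `return_basic_string_directly` fixture spells `std::basic_string("foo")` with no template-argument list, whereas every `basic_string` pattern in the rule is written `basic_string<$TYPE>(...)`, so it is unclear which pattern produced the match recorded in the snapshot and the fixture does not exercise the template form; add `return std::basic_string<char>("foo").c_str();` alongside it. The fixtures declare `char *` return types although `c_str()` yields `const char *`; ast-grep never compiles them, but `const char *` keeps the examples realistic. The `valid` list has a single entry that never calls `c_str()` or `data()`; a true negative such as `const char *name() const { return name_.c_str(); }` would guard against over-matching if the rule is later widened to non-temporaries. The `sizeof-this-cpp` snapshot change sharing this hunk line looks like a regenerated artifact unrelated to the commit title and may belong in its own commit.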
From: ESS ENN Date: Wed, 15 Jan 2025 19:07:28 +0530 Subject: [PATCH 3/3] avoid-bind-to-all-interfaces-go --- .../avoid-bind-to-all-interfaces-go.yml | 30 +++++++++++++++++++ ...oid-bind-to-all-interfaces-go-snapshot.yml | 16 ++++++++++ .../avoid-bind-to-all-interfaces-go-test.yml | 9 ++++++ 3 files changed, 55 insertions(+) create mode 100644 rules/go/security/avoid-bind-to-all-interfaces-go.yml create mode 100644 tests/__snapshots__/avoid-bind-to-all-interfaces-go-snapshot.yml create mode 100644 tests/go/avoid-bind-to-all-interfaces-go-test.yml diff --git a/rules/go/security/avoid-bind-to-all-interfaces-go.yml b/rules/go/security/avoid-bind-to-all-interfaces-go.yml new file mode 100644 index 00000000..9ac2e644 --- /dev/null +++ b/rules/go/security/avoid-bind-to-all-interfaces-go.yml @@ -0,0 +1,30 @@ +id: avoid-bind-to-all-interfaces-go +language: go +severity: warning +message: >- + "Detected a network listener listening on 0.0.0.0 or an empty string. + This could unexpectedly expose the server publicly as it binds to all + available interfaces. Instead, specify another IP address that is not + 0.0.0.0 nor the empty string." +note: >- + [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor + [REFERENCES] + - https://owasp.org/Top10/A01_2021-Broken_Access_Control + +rule: + not: + has: + stopBy: end + kind: ERROR + any: + - pattern: tls.Listen($NETWORK, $IP $$$) + - pattern: net.Listen($NETWORK, $IP $$$) + +constraints: + IP: + any: + - kind: interpreted_string_literal + regex: ^"0.0.0.0:.*"$|^":.*"$|^'0.0.0.0:.*'$|^':.*'$ + - kind: raw_string_literal + regex: ^`0.0.0.0:.*`$|^`:.*`$ + diff --git a/tests/__snapshots__/avoid-bind-to-all-interfaces-go-snapshot.yml b/tests/__snapshots__/avoid-bind-to-all-interfaces-go-snapshot.yml new file mode 100644 index 00000000..7c22130f --- /dev/null +++ b/tests/__snapshots__/avoid-bind-to-all-interfaces-go-snapshot.yml 
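Review bot: The `IP` constraint only recognises the IPv4 wildcard and the empty host, so the equally public IPv6 wildcard `"[::]:2000"` passes silently (the message should then name `[::]` too), and the unescaped dots in `0.0.0.0` match any character. The two `'...'` alternatives in the `interpreted_string_literal` regex are dead, since single quotes delimit rune literals in Go, never strings. The pattern list also stops at `net.Listen`/`tls.Listen`, leaving `http.ListenAndServe(":8080", h)`, presumably the most common way a Go service binds, unflagged; the rewritten rule section below adds those calls and tightens the regexes. Addresses built at runtime (`fmt.Sprintf(":%d", port)`, a config constant) still escape a literal-only check, which is worth stating in `note:`, and the double quotes wrapped around the `>-` message text are literal characters of the emitted finding.
```yaml
rule:
  not:
    has:
      stopBy: end
      kind: ERROR
  any:
    - pattern: tls.Listen($NETWORK, $IP $$$)
    - pattern: net.Listen($NETWORK, $IP $$$)
    - pattern: http.ListenAndServe($IP, $$$)
    - pattern: http.ListenAndServeTLS($IP, $$$)

constraints:
  IP:
    any:
      - kind: interpreted_string_literal
        regex: ^"(0\.0\.0\.0|\[::\])?:.*"$
      - kind: raw_string_literal
        regex: ^`(0\.0\.0\.0|\[::\])?:.*`$
```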
@@ -0,0 +1,16 @@ +id: avoid-bind-to-all-interfaces-go +snapshots: + ? | + l, err := net.Listen("tcp", "0.0.0.0:2000") + : labels: + - source: net.Listen("tcp", "0.0.0.0:2000") + style: primary + start: 10 + end: 43 + ? | + l, err := net.Listen("tcp", ":2000") + : labels: + - source: net.Listen("tcp", ":2000") + style: primary + start: 10 + end: 36 diff --git a/tests/go/avoid-bind-to-all-interfaces-go-test.yml b/tests/go/avoid-bind-to-all-interfaces-go-test.yml new file mode 100644 index 00000000..4aebe122 --- /dev/null +++ b/tests/go/avoid-bind-to-all-interfaces-go-test.yml @@ -0,0 +1,9 @@ +id: avoid-bind-to-all-interfaces-go +valid: + - | + l, err := net.Listen("tcp", "192.168.1.101:2000") +invalid: + - | + l, err := net.Listen("tcp", "0.0.0.0:2000") + - | + l, err := net.Listen("tcp", ":2000")
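Review bot: The rule has a `raw_string_literal` branch that no fixture exercises, and the single `valid` entry binds to a LAN address only, so neither the loopback case nor the back-tick form is pinned; add `` l, err := net.Listen("tcp", "127.0.0.1:2000") `` to `valid` and `` l, err := net.Listen("tcp", `:2000`) `` to `invalid`. A `tls.Listen("tcp", ":443", cfg)` fixture would also cover the second pattern, which is otherwise untested. If the rule is later extended to the IPv6 wildcard, `"[::]:2000"` belongs in `invalid` as well, but that fixture should land together with the rule change rather than here.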