From bb7b8e1ad0e345862980a163b688f4554ebc1df8 Mon Sep 17 00:00:00 2001
From: Sakshis
Date: Mon, 16 Dec 2024 13:09:06 +0000
Subject: [PATCH 1/4] removed missing-secure-java
---
 rules/java/security/missing-secure-java.yml | 70 -------------------
 .../missing-secure-java-snapshot.yml | 32 ---------
 tests/java/missing-secure-java-test.yml | 15 ----
 3 files changed, 117 deletions(-)
 delete mode 100644 rules/java/security/missing-secure-java.yml
 delete mode 100644 tests/__snapshots__/missing-secure-java-snapshot.yml
 delete mode 100644 tests/java/missing-secure-java-test.yml
diff --git a/rules/java/security/missing-secure-java.yml b/rules/java/security/missing-secure-java.yml
deleted file mode 100644
index 755e6660..00000000
--- a/rules/java/security/missing-secure-java.yml
+++ /dev/null
@@ -1,70 +0,0 @@
-id: missing-secure-java
-language: java
-severity: warning
-message: >-
- Detected a cookie where the `Secure` flag is either missing or
- disabled. The `Secure` cookie flag instructs the browser to forbid sending
- the cookie over an insecure HTTP request. Set the `Secure` flag to `true`
- so the cookie will only be sent over HTTPS.
-note: >-
- [CWE-614]: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
- [OWASP A05:2021]: Security Misconfiguration
- [REFERENCES]
- - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
-utils:
- match_without_httponly:
- kind: argument_list
- has:
- kind: object_creation_expression
- inside:
- stopBy: end
- kind: method_invocation
-
- match_cookie_last:
- kind: argument_list
- has:
- kind: method_invocation
- has:
- kind: argument_list
- has:
- kind: string_literal
-
- match_instance:
- kind: local_variable_declaration
- has:
- stopBy: end
- kind: identifier
- follows:
- stopBy: end
- kind: variable_declarator
-
- match_identifier_with_simplecookie:
- kind: identifier
- inside:
- stopBy: end
- kind: local_variable_declaration
- all:
- - has:
- stopBy: end
- kind: type_identifier
- regex: '^SimpleCookie$|^Cookie$'
- - has:
- stopBy: neighbor
- kind: variable_declarator
- all:
- - has:
- stopBy: neighbor
- kind: identifier
- - has:
- stopBy: neighbor
- kind: object_creation_expression
- - not:
- precedes:
- stopBy: neighbor
- kind: expression_statement
-rule:
- any:
- - matches: match_instance
- - matches: match_without_httponly
- - matches: match_cookie_last
- - matches: match_identifier_with_simplecookie
diff --git a/tests/__snapshots__/missing-secure-java-snapshot.yml b/tests/__snapshots__/missing-secure-java-snapshot.yml
deleted file mode 100644
index 3931463b..00000000
--- a/tests/__snapshots__/missing-secure-java-snapshot.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-id: missing-secure-java
-snapshots:
- ? |
- SimpleCookie s = new SimpleCookie("foo", "bar");
- .orElse( new NettyCookie( "foo", "bar" ) );
- Cookie z = new NettyCookie("foo", "bar");
- return HttpResponse.ok().cookie(Cookie.of("zzz", "ddd"));
- : labels:
- - source: s
- style: primary
- start: 13
- end: 14
- - source: SimpleCookie
- style: secondary
- start: 0
- end: 12
- - source: s
- style: secondary
- start: 13
- end: 14
- - source: new SimpleCookie("foo", "bar")
- style: secondary
- start: 17
- end: 47
- - source: s = new SimpleCookie("foo", "bar")
- style: secondary
- start: 13
- end: 47
- - source: SimpleCookie s = new SimpleCookie("foo", "bar");
- style: secondary
- start: 0
- end: 48
diff --git a/tests/java/missing-secure-java-test.yml b/tests/java/missing-secure-java-test.yml
deleted file mode 100644
index 507f951f..00000000
--- a/tests/java/missing-secure-java-test.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-id: missing-secure-java
-valid:
- - |
- Cookie c1 = getCookieSomewhere();
- return HttpResponse.ok().cookie(Cookie.of("foo", "bar").secure(true));
- Cookie cookie = request.getCookies().findCookie( "foobar" )
- Cookie c = new NettyCookie("foo", "bar");
- c.secure(true);
- NettyCookie r = new NettyCookie("foo", "bar").secure(true);
-invalid:
- - |
- SimpleCookie s = new SimpleCookie("foo", "bar");
- .orElse( new NettyCookie( "foo", "bar" ) );
- Cookie z = new NettyCookie("foo", "bar");
- return HttpResponse.ok().cookie(Cookie.of("zzz", "ddd"));
From 1a79552c30b7218db7a97755a9a80dd570fda4c4 Mon Sep 17 00:00:00 2001
From: ESS ENN
Date: Mon, 20 Jan 2025 10:40:31 +0530
Subject: [PATCH 2/4] small-key-size-c
---
 rules/c/security/small-key-size-c.yml | 41 +++++++++++++++++++
 .../return-c-str-cpp-snapshot.yml | 9 ++++
 .../small-key-size-c-snapshot.yml | 23 +++++++++++
 tests/c/small-key-size-c-test.yml | 14 +++++++
 4 files changed, 87 insertions(+)
 create mode 100644 rules/c/security/small-key-size-c.yml
 create mode 100644 tests/__snapshots__/small-key-size-c-snapshot.yml
 create mode 100644 tests/c/small-key-size-c-test.yml
diff --git a/rules/c/security/small-key-size-c.yml b/rules/c/security/small-key-size-c.yml
new file mode 100644
index 00000000..3ade90df
--- /dev/null
+++ b/rules/c/security/small-key-size-c.yml
@@ -0,0 +1,41 @@
+id: small-key-size-c
+language: c
+severity: warning
+message: >-
+ $KEY_FUNCTION` is using a key size of only $KEY_BITS bits. This is
+ less than the recommended key size of 2048 bits.
+note: >-
+ [CWE-326]: Inadequate Encryption Strength
+ [OWASP A02:2021]: Cryptographic Failures
+ [OWASP A03:2017]: Sensitive Data Exposure
+ [REFERENCES]
+ https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
+ https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+
+rule:
+ kind: call_expression
+ all:
+ - has:
+ stopBy: end
+ kind: identifier
+ regex: ^(DH_generate_parameters_ex|DSA_generate_parameters_ex|EVP_PKEY_CTX_set_dh_paramgen_prime_len|EVP_PKEY_CTX_set_dsa_paramgen_bits|EVP_PKEY_CTX_set_rsa_keygen_bits|RSA_generate_key_ex|RSA_generate_key_fips)$
+ - not:
+ has:
+ stopBy: end
+ kind: field_identifier
+ regex: ^(DH_generate_parameters_ex|DSA_generate_parameters_ex|EVP_PKEY_CTX_set_dh_paramgen_prime_len|EVP_PKEY_CTX_set_dsa_paramgen_bits|EVP_PKEY_CTX_set_rsa_keygen_bits|RSA_generate_key_ex|RSA_generate_key_fips)$
+ - has:
+ stopBy: neighbor
+ kind: argument_list
+ has:
+ stopBy: neighbor
+ any:
+ - kind: number_literal
+ - kind: binary_expression
+ - kind: unary_expression
+ nthChild: 2
+ regex: ^([+-]*\(*[+-]*((0|[1-9][0-9]{0,2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|((0|[1-9][0-9]{0,2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?\/[1-9][0-9]*)|(\.[0-9]+)|(\.[0-9]+\/[1-9][0-9]*))\)*)$
+ - not:
+ has:
+ stopBy: end
+ kind: ERROR
diff --git a/tests/__snapshots__/return-c-str-cpp-snapshot.yml b/tests/__snapshots__/return-c-str-cpp-snapshot.yml
index 56d09ba6..e577adf6 100644
--- a/tests/__snapshots__/return-c-str-cpp-snapshot.yml
+++ b/tests/__snapshots__/return-c-str-cpp-snapshot.yml
@@ -27,3 +27,12 @@ snapshots:
 style: primary
 start: 28
 end: 57
+ ? |
+ char *return_namespace_directly() {
+ return std::string("foo").c_str();
+ }
+ : labels:
+ - source: return std::string("foo").c_str();
+ style: primary
+ start: 38
+ end: 72
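Review bot: `message` interpolates `$KEY_FUNCTION` and `$KEY_BITS`, but nothing under `rule` binds either metavariable — every sub-rule matches by `kind`/`regex` with no `pattern` — so the reported finding will print the placeholders verbatim, and the lone backtick after `$KEY_FUNCTION` is unbalanced. Either reword the message without metavariables, e.g. `A key-generation call uses a key size below 2048 bits, weaker than the minimum in NIST SP 800-131A.`, or capture them by adding `pattern: $KEY_FUNCTION` to the `kind: identifier` sub-rule and `pattern: $KEY_BITS` beside `nthChild: 2` (assuming ast-grep accepts `pattern` next to `kind` in one sub-rule) and re-check the snapshot. The `binary_expression` branch of the argument regex admits only the form `N/M` with no whitespace and judges `N` rather than the quotient, so `4096/2` is not flagged while `1024/1` is; if arithmetic sizes are meant to be covered, say so in a comment or narrow the branch to literals. `note` should also state that the check fires only when the size is a numeric literal at the call site — a size passed through a variable or macro is not reported, so a clean scan is not evidence of adequate key sizes.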
diff --git a/tests/__snapshots__/small-key-size-c-snapshot.yml b/tests/__snapshots__/small-key-size-c-snapshot.yml
new file mode 100644
index 00000000..75ad82af
--- /dev/null
+++ b/tests/__snapshots__/small-key-size-c-snapshot.yml
@@ -0,0 +1,23 @@
+id: small-key-size-c
+snapshots:
+ ? |
+ void foo() {
+ DH_generate_parameters_ex(NULL, 1024);
+ }
+ : labels:
+ - source: DH_generate_parameters_ex(NULL, 1024)
+ style: primary
+ start: 15
+ end: 52
+ - source: DH_generate_parameters_ex
+ style: secondary
+ start: 15
+ end: 40
+ - source: '1024'
+ style: secondary
+ start: 47
+ end: 51
+ - source: (NULL, 1024)
+ style: secondary
+ start: 40
+ end: 52
diff --git a/tests/c/small-key-size-c-test.yml b/tests/c/small-key-size-c-test.yml
new file mode 100644
index 00000000..053e0974
--- /dev/null
+++ b/tests/c/small-key-size-c-test.yml
@@ -0,0 +1,14 @@
+id: small-key-size-c
+valid:
+ - |
+ void foo() {
+ DH_generate_parameters_ex(NULL, 2049);
+ }
+
+invalid:
+ - |
+ void foo() {
+ DH_generate_parameters_ex(NULL, 1024);
+ }
+
+
From 6ac3676d3719a4d8f649c112911dc3d3e7ed1153 Mon Sep 17 00:00:00 2001
From: ESS ENN
Date: Mon, 20 Jan 2025 10:41:43 +0530
Subject: [PATCH 3/4] small-key-size-cpp
---
 rules/cpp/small-key-size-cpp.yml | 41 +++++++++++++++++++
 .../small-key-size-cpp-snapshot.yml | 23 +++++++++++
 tests/cpp/small-key-size-cpp-test.yml | 14 +++++++
 3 files changed, 78 insertions(+)
 create mode 100644 rules/cpp/small-key-size-cpp.yml
 create mode 100644 tests/__snapshots__/small-key-size-cpp-snapshot.yml
 create mode 100644 tests/cpp/small-key-size-cpp-test.yml
diff --git a/rules/cpp/small-key-size-cpp.yml b/rules/cpp/small-key-size-cpp.yml
new file mode 100644
index 00000000..af2dd598
--- /dev/null
+++ b/rules/cpp/small-key-size-cpp.yml
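Review bot: The `valid` case uses 2049, which skips the boundary the rule's regex encodes (0–2047 flagged, 2048 allowed); `DH_generate_parameters_ex(NULL, 2048);` in `valid` would pin that edge. `invalid` exercises one of the seven functions named in the rule and a single literal form; adding `RSA_generate_key_ex(rsa, 1024, e, NULL);` and `EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 512);` would confirm `nthChild: 2` selects the bits argument for those signatures, and `RSA_generate_key_ex(rsa, 1024/8, e, NULL);` would cover the `binary_expression` branch. A `valid` entry such as `int bits = 1024; RSA_generate_key_ex(rsa, bits, e, NULL);` would record the known non-literal false negative explicitly instead of leaving it implicit.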
@@ -0,0 +1,41 @@
+id: small-key-size-cpp
+language: cpp
+severity: warning
+message: >-
+ $KEY_FUNCTION` is using a key size of only $KEY_BITS bits. This is
+ less than the recommended key size of 2048 bits.
+note: >-
+ [CWE-326]: Inadequate Encryption Strength
+ [OWASP A02:2021]: Cryptographic Failures
+ [OWASP A03:2017]: Sensitive Data Exposure
+ [REFERENCES]
+ https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
+ https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+
+rule:
+ kind: call_expression
+ all:
+ - has:
+ stopBy: end
+ kind: identifier
+ regex: ^(DH_generate_parameters_ex|DSA_generate_parameters_ex|EVP_PKEY_CTX_set_dh_paramgen_prime_len|EVP_PKEY_CTX_set_dsa_paramgen_bits|EVP_PKEY_CTX_set_rsa_keygen_bits|RSA_generate_key_ex|RSA_generate_key_fips)$
+ - not:
+ has:
+ stopBy: end
+ kind: field_identifier
+ regex: ^(DH_generate_parameters_ex|DSA_generate_parameters_ex|EVP_PKEY_CTX_set_dh_paramgen_prime_len|EVP_PKEY_CTX_set_dsa_paramgen_bits|EVP_PKEY_CTX_set_rsa_keygen_bits|RSA_generate_key_ex|RSA_generate_key_fips)$
+ - has:
+ stopBy: neighbor
+ kind: argument_list
+ has:
+ stopBy: neighbor
+ any:
+ - kind: number_literal
+ - kind: binary_expression
+ - kind: unary_expression
+ nthChild: 2
+ regex: ^([+-]*\(*[+-]*((0|[1-9][0-9]{0,2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|((0|[1-9][0-9]{0,2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?\/[1-9][0-9]*)|(\.[0-9]+)|(\.[0-9]+\/[1-9][0-9]*))\)*)$
+ - not:
+ has:
+ stopBy: end
+ kind: ERROR
diff --git a/tests/__snapshots__/small-key-size-cpp-snapshot.yml b/tests/__snapshots__/small-key-size-cpp-snapshot.yml
new file mode 100644
index 00000000..b4051940
--- /dev/null
+++ b/tests/__snapshots__/small-key-size-cpp-snapshot.yml
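Review bot: `$KEY_FUNCTION` and `$KEY_BITS` in `message` are never bound by a `pattern` anywhere in `rule`, so findings will print the placeholders literally, and the backtick after `$KEY_FUNCTION` is unbalanced; add `pattern: $KEY_FUNCTION` to the `kind: identifier` sub-rule and `pattern: $KEY_BITS` beside `nthChild: 2` (if ast-grep permits `pattern` alongside `kind` in one sub-rule), or reword the message without them. The file is placed at `rules/cpp/small-key-size-cpp.yml` while its C counterpart sits under `rules/c/security/`; if the `security/` subdirectory is the convention for this category, the C++ rule should be moved there so it is picked up by the same tooling and listings. Because the body is identical to the C rule apart from `language: cpp`, a header comment such as `# Mirror of rules/c/security/small-key-size-c.yml; keep the function list and the 2048-bit threshold in sync` would help whoever updates one and forgets the other.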
@@ -0,0 +1,23 @@
+id: small-key-size-cpp
+snapshots:
+ ? |
+ void foo() {
+ DH_generate_parameters_ex(NULL, 1024);
+ }
+ : labels:
+ - source: DH_generate_parameters_ex(NULL, 1024)
+ style: primary
+ start: 15
+ end: 52
+ - source: DH_generate_parameters_ex
+ style: secondary
+ start: 15
+ end: 40
+ - source: '1024'
+ style: secondary
+ start: 47
+ end: 51
+ - source: (NULL, 1024)
+ style: secondary
+ start: 40
+ end: 52
diff --git a/tests/cpp/small-key-size-cpp-test.yml b/tests/cpp/small-key-size-cpp-test.yml
new file mode 100644
index 00000000..25513102
--- /dev/null
+++ b/tests/cpp/small-key-size-cpp-test.yml
@@ -0,0 +1,14 @@
+id: small-key-size-cpp
+valid:
+ - |
+ void foo() {
+ DH_generate_parameters_ex(NULL, 2049);
+ }
+
+invalid:
+ - |
+ void foo() {
+ DH_generate_parameters_ex(NULL, 1024);
+ }
+
+
From d9d5c5673d87c43dabb497dc373be56ee2b8d8e7 Mon Sep 17 00:00:00 2001
From: ESS ENN
Date: Mon, 20 Jan 2025 12:52:28 +0530
Subject: [PATCH 4/4] Adding ast-grep-essentials: true to small-key-size rule for both c and cpp
---
 rules/c/security/small-key-size-c.yml | 1 +
 rules/cpp/small-key-size-cpp.yml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/rules/c/security/small-key-size-c.yml b/rules/c/security/small-key-size-c.yml
index 3ade90df..c826a55f 100644
--- a/rules/c/security/small-key-size-c.yml
+++ b/rules/c/security/small-key-size-c.yml
@@ -11,6 +11,7 @@ note: >-
 [REFERENCES]
 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
 https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+ast-grep-essentials: true
 
 rule:
 kind: call_expression
diff --git a/rules/cpp/small-key-size-cpp.yml b/rules/cpp/small-key-size-cpp.yml
index af2dd598..f4a69291 100644
--- a/rules/cpp/small-key-size-cpp.yml
+++ b/rules/cpp/small-key-size-cpp.yml
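Review bot: The C++ test file is a verbatim copy of the C one, so nothing here shows the rule working on a C++-specific parse tree, and `valid` at 2049 skips the 2048 boundary the regex encodes. Add `DH_generate_parameters_ex(NULL, 2048);` to `valid`, and to `invalid` a qualified call such as `::RSA_generate_key_ex(rsa, 1024, e, nullptr);` to confirm the `has stopBy: end kind: identifier` lookup still reaches the function name through a `qualified_identifier`. A member-style call like `ctx->EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 1024);` should also be listed under whichever of `valid`/`invalid` matches the intent of the `not has field_identifier` clause, so that clause is pinned by a test rather than left unexercised.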
@@ -11,6 +11,7 @@ note: >-
 [REFERENCES]
 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
 https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+ast-grep-essentials: true
 
 rule:
 kind: call_expression