diff --git a/package-lock.json b/package-lock.json
index 66f8df02..82b8e232 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -46,6 +46,7 @@
 "arm64"
 ],
 "dev": true,
+ "license": "MIT",
 "optional": true,
 "os": [
 "darwin"
@@ -62,6 +63,7 @@
 "x64"
 ],
 "dev": true,
+ "license": "MIT",
 "optional": true,
 "os": [
 "darwin"
@@ -78,6 +80,7 @@
 "arm64"
 ],
 "dev": true,
+ "license": "MIT",
 "optional": true,
 "os": [
 "linux"
@@ -94,6 +97,7 @@
 "x64"
 ],
 "dev": true,
+ "license": "MIT",
 "optional": true,
 "os": [
 "linux"
@@ -110,6 +114,7 @@
 "arm64"
 ],
 "dev": true,
+ "license": "MIT",
 "optional": true,
 "os": [
 "win32"
@@ -126,6 +131,7 @@
 "ia32"
 ],
 "dev": true,
+ "license": "MIT",
 "optional": true,
 "os": [
 "win32"
@@ -142,6 +148,7 @@
 "x64"
 ],
 "dev": true,
+ "license": "MIT",
 "optional": true,
 "os": [
 "win32"
diff --git a/rules/swift/security/aes-hardcoded-secret-swift.yml b/rules/swift/security/aes-hardcoded-secret-swift.yml
new file mode 100644
index 00000000..29918e62
--- /dev/null
+++ b/rules/swift/security/aes-hardcoded-secret-swift.yml
@@ -0,0 +1,357 @@
+id: aes-hardcoded-secret-swift
+severity: warning
+language: swift
+message: >-
+ A secret is hard-coded in the application. Secrets stored in source
+ code, such as credentials, identifiers, and other types of sensitive data,
+ can be leaked and used by internal or external malicious actors. Use
+ environment variables to securely provide credentials and other secrets or
+ retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+ [CWE-798] Use of Hard-coded Credentials.
+ [REFERENCES]
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+ast-grep-essentials: true
+utils:
+ match_pattern_try_expression_directly:
+ kind: try_expression
+ not:
+ inside:
+ stopBy: end
+ kind: call_expression
+ has:
+ kind: simple_identifier
+ regex: ^AES$
+ has:
+ stopBy: neighbor
+ kind: call_expression
+ all:
+ - has:
+ kind: simple_identifier
+ regex: '^AES$'
+ - has:
+ kind: call_suffix
+ has:
+ kind: value_arguments
+ has:
+ kind: value_argument
+ all:
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ regex: '^key$'
+ - has:
+ stopBy: neighbor
+ kind: line_string_literal
+ has:
+ kind: line_str_text
+ - not:
+ follows:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ stopBy: end
+ kind: throw_keyword
+
+ match_pattern_AES_statement_directly:
+ kind: call_expression
+ not:
+ inside:
+ stopBy: end
+ kind: call_expression
+ has:
+ kind: simple_identifier
+ regex: ^AES$
+ all:
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ regex: '^AES$'
+ - has:
+ stopBy: end
+ kind: call_suffix
+ has:
+ stopBy: end
+ kind: value_arguments
+ has:
+ stopBy: end
+ kind: value_argument
+ all:
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ regex: '^key$'
+ - has:
+ kind: line_string_literal
+ has:
+ stopBy: end
+ kind: line_str_text
+ - not:
+ inside:
+ stopBy: end
+ kind: try_expression
+ - not:
+ follows:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ kind: function_declaration
+
+ match_pattern_AES_expression_with_instance:
+ kind: call_expression
+ not:
+ inside:
+ stopBy: end
+ kind: call_expression
+ has:
+ kind: simple_identifier
+ regex: ^AES$
+ all:
+ - has:
+ kind: simple_identifier
+ regex: '^AES$'
+ - has:
+ kind: call_suffix
+ has:
+ kind: value_arguments
+ has:
+ kind: value_argument
+ all:
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ regex: '^key$'
+ - has:
+ kind: simple_identifier
+ nthChild: 2
+ pattern: $R
+ - not:
+ inside:
+ stopBy: neighbor
+ kind: try_expression
+ - any:
+ - follows:
+ stopBy: end
+ kind: property_declaration
+ all:
+ - has:
+ kind: pattern
+ has:
+ stopBy: end
+ kind: simple_identifier
+ pattern: $R
+ - has:
+ stopBy: neighbor
+ kind: call_expression
+ pattern: Array($SECRET.utf8)
+ - inside:
+ stopBy: end
+ follows:
+ stopBy: end
+ kind: property_declaration
+ all:
+ - has:
+ kind: pattern
+ has:
+ kind: simple_identifier
+ pattern: $R
+ - has:
+ stopBy: neighbor
+ kind: call_expression
+ pattern: Array($SECRET.utf8)
+ - not:
+ follows:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ kind: function_declaration
+
+ match_pattern_try_expression_with_instance:
+ kind: try_expression
+ not:
+ inside:
+ stopBy: end
+ kind: call_expression
+ has:
+ kind: simple_identifier
+ regex: ^AES$
+ all:
+ - has:
+ stopBy: neighbor
+ kind: call_expression
+ all:
+ - has:
+ kind: simple_identifier
+ regex: '^AES$'
+ - has:
+ kind: call_suffix
+ has:
+ kind: value_arguments
+ has:
+ kind: value_argument
+ all:
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ regex: '^key$'
+ - has:
+ kind: simple_identifier
+ nthChild: 2
+ pattern: $R
+ - not:
+ follows:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ stopBy: end
+ kind: throw_keyword
+ - any:
+ - follows:
+ stopBy: end
+ kind: property_declaration
+ all:
+ - has:
+ kind: pattern
+ has:
+ kind: simple_identifier
+ pattern: $R
+ - has:
+ stopBy: neighbor
+ kind: call_expression
+ pattern: Array($SECRET.utf8)
+ - inside:
+ stopBy: end
+ follows:
+ stopBy: end
+ kind: property_declaration
+ all:
+ - has:
+ kind: pattern
+ has:
+ kind: simple_identifier
+ pattern: $R
+ - has:
+ stopBy: neighbor
+ kind: call_expression
+ pattern: Array($SECRET.utf8)
+
+ match_pattern_try_expression_with_utf8:
+ kind: try_expression
+ not:
+ inside:
+ stopBy: end
+ kind: call_expression
+ has:
+ kind: simple_identifier
+ regex: ^AES$
+ has:
+ stopBy: end
+ kind: call_expression
+ all:
+ - not:
+ follows:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ stopBy: end
+ kind: throw_keyword
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ regex: '^AES$'
+ - has:
+ stopBy: neighbor
+ kind: call_suffix
+ has:
+ stopBy: end
+ kind: value_argument
+ all:
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ regex: ^key$
+ - has:
+ stopBy: end
+ kind: call_expression
+ pattern: Array($SECRET.utf8)
+
+ match_pattern_AES_expression_with_utf8:
+ kind: call_expression
+ not:
+ inside:
+ stopBy: end
+ kind: call_expression
+ has:
+ kind: simple_identifier
+ regex: ^AES$
+ all:
+ - not:
+ inside:
+ kind: function_declaration
+ - not:
+ follows:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ stopBy: end
+ kind: try_expression
+ - has:
+ stopBy: neighbor
+ kind: simple_identifier
+ regex: '^AES$'
+ - has:
+ stopBy: neighbor
+ kind: call_suffix
+ has:
+ stopBy: end
+ kind: value_argument
+ all:
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ regex: ^key$
+ - has:
+ stopBy: end
+ kind: call_expression
+ pattern: Array($SECRET.utf8)
+
+rule:
+ any:
+ - kind: try_expression
+ any:
+ - matches: match_pattern_try_expression_directly
+ - matches: match_pattern_try_expression_with_instance
+ - matches: match_pattern_try_expression_with_utf8
+
+ - kind: call_expression
+ any:
+ - matches: match_pattern_AES_statement_directly
+ - matches: match_pattern_AES_expression_with_instance
+ - matches: match_pattern_AES_expression_with_utf8
+
+constraints:
+ SECRET:
+ kind: line_string_literal
+ has:
+ stopBy: neighbor
+ kind: line_str_text
+ field: text
+
diff --git a/rules/swift/security/blowfish-hardcoded-secret-swift.yml b/rules/swift/security/blowfish-hardcoded-secret-swift.yml
new file mode 100644
index 00000000..735078a9
--- /dev/null
+++ b/rules/swift/security/blowfish-hardcoded-secret-swift.yml
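Review bot: The `not: inside: kind: function_declaration` clause in `match_pattern_AES_statement_directly`, `match_pattern_AES_expression_with_instance` and `match_pattern_AES_expression_with_utf8` carries no `stopBy`, so under ast-grep's default of `neighbor` it only tests the direct parent and is probably inert, whereas if `stopBy: end` was intended it would suppress every non-`try` call inside a function body, which is where most real keys live; none of the snapshot cases exercises a call inside a function, so the tests do not settle which was meant. Either drop the clause (the `not: inside: ... kind: try_expression` guard already prevents double reporting with the `try_expression` branch) or add a YAML comment above it stating why calls inside functions are intentionally skipped. Detection is also limited to `line_string_literal` keys and the exact `Array($SECRET.utf8)` shape, so multi-line string literals and CryptoSwift's `key: "secret".bytes` form pass silently; worth a follow-up or a sentence in `message`. The same clause and the same limits appear in the blowfish, chacha20 and rabbit hunks below, which otherwise differ only in the class name, and within each file the regex quoting is inconsistent (`regex: ^AES$` vs `regex: '^AES$'`).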
@@ -0,0 +1,357 @@
+id: blowfish-hardcoded-secret-swift
+severity: warning
+language: swift
+message: >-
+ A secret is hard-coded in the application. Secrets stored in source
+ code, such as credentials, identifiers, and other types of sensitive data,
+ can be leaked and used by internal or external malicious actors. Use
+ environment variables to securely provide credentials and other secrets or
+ retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+ [CWE-798] Use of Hard-coded Credentials.
+ [REFERENCES]
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+ast-grep-essentials: true
+utils:
+ match_pattern_try_expression_directly:
+ kind: try_expression
+ not:
+ inside:
+ stopBy: end
+ kind: call_expression
+ has:
+ kind: simple_identifier
+ regex: ^Blowfish$
+ has:
+ stopBy: neighbor
+ kind: call_expression
+ all:
+ - has:
+ kind: simple_identifier
+ regex: '^Blowfish$'
+ - has:
+ kind: call_suffix
+ has:
+ kind: value_arguments
+ has:
+ kind: value_argument
+ all:
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ regex: '^key$'
+ - has:
+ stopBy: neighbor
+ kind: line_string_literal
+ has:
+ kind: line_str_text
+ - not:
+ follows:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ stopBy: end
+ kind: throw_keyword
+
+ match_pattern_Blowfish_statement_directly:
+ kind: call_expression
+ not:
+ inside:
+ stopBy: end
+ kind: call_expression
+ has:
+ kind: simple_identifier
+ regex: ^Blowfish$
+ all:
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ regex: '^Blowfish$'
+ - has:
+ stopBy: end
+ kind: call_suffix
+ has:
+ stopBy: end
+ kind: value_arguments
+ has:
+ stopBy: end
+ kind: value_argument
+ all:
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ regex: '^key$'
+ - has:
+ kind: line_string_literal
+ has:
+ stopBy: end
+ kind: line_str_text
+ - not:
+ inside:
+ stopBy: end
+ kind: try_expression
+ - not:
+ follows:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ kind: function_declaration
+
+ match_pattern_Blowfish_expression_with_instance:
+ kind: call_expression
+ not:
+ inside:
+ stopBy: end
+ kind: call_expression
+ has:
+ kind: simple_identifier
+ regex: ^Blowfish$
+ all:
+ - has:
+ kind: simple_identifier
+ regex: '^Blowfish$'
+ - has:
+ kind: call_suffix
+ has:
+ kind: value_arguments
+ has:
+ kind: value_argument
+ all:
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ regex: '^key$'
+ - has:
+ kind: simple_identifier
+ nthChild: 2
+ pattern: $R
+ - not:
+ inside:
+ stopBy: neighbor
+ kind: try_expression
+ - any:
+ - follows:
+ stopBy: end
+ kind: property_declaration
+ all:
+ - has:
+ kind: pattern
+ has:
+ stopBy: end
+ kind: simple_identifier
+ pattern: $R
+ - has:
+ stopBy: neighbor
+ kind: call_expression
+ pattern: Array($SECRET.utf8)
+ - inside:
+ stopBy: end
+ follows:
+ stopBy: end
+ kind: property_declaration
+ all:
+ - has:
+ kind: pattern
+ has:
+ kind: simple_identifier
+ pattern: $R
+ - has:
+ stopBy: neighbor
+ kind: call_expression
+ pattern: Array($SECRET.utf8)
+ - not:
+ follows:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ kind: function_declaration
+
+ match_pattern_try_expression_with_instance:
+ kind: try_expression
+ not:
+ inside:
+ stopBy: end
+ kind: call_expression
+ has:
+ kind: simple_identifier
+ regex: ^Blowfish$
+ all:
+ - has:
+ stopBy: neighbor
+ kind: call_expression
+ all:
+ - has:
+ kind: simple_identifier
+ regex: '^Blowfish$'
+ - has:
+ kind: call_suffix
+ has:
+ kind: value_arguments
+ has:
+ kind: value_argument
+ all:
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ regex: '^key$'
+ - has:
+ kind: simple_identifier
+ nthChild: 2
+ pattern: $R
+ - not:
+ follows:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ stopBy: end
+ kind: throw_keyword
+ - any:
+ - follows:
+ stopBy: end
+ kind: property_declaration
+ all:
+ - has:
+ kind: pattern
+ has:
+ kind: simple_identifier
+ pattern: $R
+ - has:
+ stopBy: neighbor
+ kind: call_expression
+ pattern: Array($SECRET.utf8)
+ - inside:
+ stopBy: end
+ follows:
+ stopBy: end
+ kind: property_declaration
+ all:
+ - has:
+ kind: pattern
+ has:
+ kind: simple_identifier
+ pattern: $R
+ - has:
+ stopBy: neighbor
+ kind: call_expression
+ pattern: Array($SECRET.utf8)
+
+ match_pattern_try_expression_with_utf8:
+ kind: try_expression
+ not:
+ inside:
+ stopBy: end
+ kind: call_expression
+ has:
+ kind: simple_identifier
+ regex: ^Blowfish$
+ has:
+ stopBy: end
+ kind: call_expression
+ all:
+ - not:
+ follows:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ stopBy: end
+ kind: throw_keyword
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ regex: '^Blowfish$'
+ - has:
+ stopBy: neighbor
+ kind: call_suffix
+ has:
+ stopBy: end
+ kind: value_argument
+ all:
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ regex: ^key$
+ - has:
+ stopBy: end
+ kind: call_expression
+ pattern: Array($SECRET.utf8)
+
+ match_pattern_Blowfish_expression_with_utf8:
+ kind: call_expression
+ not:
+ inside:
+ stopBy: end
+ kind: call_expression
+ has:
+ kind: simple_identifier
+ regex: ^Blowfish$
+ all:
+ - not:
+ inside:
+ kind: function_declaration
+ - not:
+ follows:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ stopBy: end
+ kind: try_expression
+ - has:
+ stopBy: neighbor
+ kind: simple_identifier
+ regex: '^Blowfish$'
+ - has:
+ stopBy: neighbor
+ kind: call_suffix
+ has:
+ stopBy: end
+ kind: value_argument
+ all:
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ regex: ^key$
+ - has:
+ stopBy: end
+ kind: call_expression
+ pattern: Array($SECRET.utf8)
+
+rule:
+ any:
+ - kind: try_expression
+ any:
+ - matches: match_pattern_try_expression_directly
+ - matches: match_pattern_try_expression_with_instance
+ - matches: match_pattern_try_expression_with_utf8
+
+ - kind: call_expression
+ any:
+ - matches: match_pattern_Blowfish_statement_directly
+ - matches: match_pattern_Blowfish_expression_with_instance
+ - matches: match_pattern_Blowfish_expression_with_utf8
+
+constraints:
+ SECRET:
+ kind: line_string_literal
+ has:
+ stopBy: neighbor
+ kind: line_str_text
+ field: text
+
diff --git a/rules/swift/security/chacha20-hardcoded-secret-swift.yml b/rules/swift/security/chacha20-hardcoded-secret-swift.yml
new file mode 100644
index 00000000..8544ac12
--- /dev/null
+++ b/rules/swift/security/chacha20-hardcoded-secret-swift.yml
@@ -0,0 +1,358 @@
+id: chacha20-hardcoded-secret-swift
+severity: warning
+language: swift
+message: >-
+ A secret is hard-coded in the application. Secrets stored in source
+ code, such as credentials, identifiers, and other types of sensitive data,
+ can be leaked and used by internal or external malicious actors. Use
+ environment variables to securely provide credentials and other secrets or
+ retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+ [CWE-798] Use of Hard-coded Credentials.
+ [REFERENCES]
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+ast-grep-essentials: true
+utils:
+ match_pattern_try_expression_directly:
+ kind: try_expression
+ not:
+ inside:
+ stopBy: end
+ kind: call_expression
+ has:
+ kind: simple_identifier
+ regex: ^ChaCha20$
+ has:
+ stopBy: neighbor
+ kind: call_expression
+ all:
+ - has:
+ kind: simple_identifier
+ regex: '^ChaCha20$'
+ - has:
+ kind: call_suffix
+ has:
+ kind: value_arguments
+ has:
+ kind: value_argument
+ all:
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ regex: '^key$'
+ - has:
+ stopBy: neighbor
+ kind: line_string_literal
+ has:
+ kind: line_str_text
+ - not:
+ follows:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ stopBy: end
+ kind: throw_keyword
+
+ match_pattern_ChaCha20_statement_directly:
+ kind: call_expression
+ not:
+ inside:
+ stopBy: end
+ kind: call_expression
+ has:
+ kind: simple_identifier
+ regex: ^ChaCha20$
+ all:
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ regex: '^ChaCha20$'
+ - has:
+ stopBy: end
+ kind: call_suffix
+ has:
+ stopBy: end
+ kind: value_arguments
+ has:
+ stopBy: end
+ kind: value_argument
+ all:
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ regex: '^key$'
+ - has:
+ kind: line_string_literal
+ has:
+ stopBy: end
+ kind: line_str_text
+ - not:
+ inside:
+ stopBy: end
+ kind: try_expression
+ - not:
+ follows:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ kind: function_declaration
+
+ match_pattern_ChaCha20_expression_with_instance:
+ kind: call_expression
+ not:
+ inside:
+ stopBy: end
+ kind: call_expression
+ has:
+ kind: simple_identifier
+ regex: ^ChaCha20$
+ all:
+ - has:
+ kind: simple_identifier
+ regex: '^ChaCha20$'
+ - has:
+ kind: call_suffix
+ has:
+ kind: value_arguments
+ has:
+ kind: value_argument
+ all:
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ regex: '^key$'
+ - has:
+ kind: simple_identifier
+ nthChild: 2
+ pattern: $R
+ - not:
+ inside:
+ stopBy: neighbor
+ kind: try_expression
+ - any:
+ - follows:
+ stopBy: end
+ kind: property_declaration
+ all:
+ - has:
+ kind: pattern
+ has:
+ stopBy: end
+ kind: simple_identifier
+ pattern: $R
+ - has:
+ stopBy: neighbor
+ kind: call_expression
+ pattern: Array($SECRET.utf8)
+ - inside:
+ stopBy: end
+ follows:
+ stopBy: end
+ kind: property_declaration
+ all:
+ - has:
+ kind: pattern
+ has:
+ kind: simple_identifier
+ pattern: $R
+ - has:
+ stopBy: neighbor
+ kind: call_expression
+ pattern: Array($SECRET.utf8)
+ - not:
+ follows:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ kind: function_declaration
+
+ match_pattern_try_expression_with_instance:
+ kind: try_expression
+ not:
+ inside:
+ stopBy: end
+ kind: call_expression
+ has:
+ kind: simple_identifier
+ regex: ^ChaCha20$
+ all:
+ - has:
+ stopBy: neighbor
+ kind: call_expression
+ all:
+ - has:
+ kind: simple_identifier
+ regex: '^ChaCha20$'
+ - has:
+ kind: call_suffix
+ has:
+ kind: value_arguments
+ has:
+ kind: value_argument
+ all:
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ regex: '^key$'
+ - has:
+ kind: simple_identifier
+ nthChild: 2
+ pattern: $R
+ - not:
+ follows:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ stopBy: end
+ kind: throw_keyword
+ - any:
+ - follows:
+ stopBy: end
+ kind: property_declaration
+ all:
+ - has:
+ kind: pattern
+ has:
+ kind: simple_identifier
+ pattern: $R
+ - has:
+ stopBy: neighbor
+ kind: call_expression
+ pattern: Array($SECRET.utf8)
+ - inside:
+ stopBy: end
+ follows:
+ stopBy: end
+ kind: property_declaration
+ all:
+ - has:
+ kind: pattern
+ has:
+ kind: simple_identifier
+ pattern: $R
+ - has:
+ stopBy: neighbor
+ kind: call_expression
+ pattern: Array($SECRET.utf8)
+
+ match_pattern_try_expression_with_utf8:
+ kind: try_expression
+ not:
+ inside:
+ stopBy: end
+ kind: call_expression
+ has:
+ kind: simple_identifier
+ regex: ^ChaCha20$
+ has:
+ stopBy: end
+ kind: call_expression
+ all:
+ - not:
+ follows:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ stopBy: end
+ kind: throw_keyword
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ regex: '^ChaCha20$'
+ - has:
+ stopBy: neighbor
+ kind: call_suffix
+ has:
+ stopBy: end
+ kind: value_argument
+ all:
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ regex: ^key$
+ - has:
+ stopBy: end
+ kind: call_expression
+ pattern: Array($SECRET.utf8)
+
+ match_pattern_ChaCha20_expression_with_utf8:
+ kind: call_expression
+ not:
+ inside:
+ stopBy: end
+ kind: call_expression
+ has:
+ kind: simple_identifier
+ regex: ^ChaCha20$
+ all:
+ - not:
+ inside:
+ kind: function_declaration
+ - not:
+ follows:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ stopBy: end
+ kind: try_expression
+ - has:
+ stopBy: neighbor
+ kind: simple_identifier
+ regex: '^ChaCha20$'
+ - has:
+ stopBy: neighbor
+ kind: call_suffix
+ has:
+ stopBy: end
+ kind: value_argument
+ all:
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ regex: ^key$
+ - has:
+ stopBy: end
+ kind: call_expression
+ pattern: Array($SECRET.utf8)
+
+rule:
+ any:
+ - kind: try_expression
+ any:
+ - matches: match_pattern_try_expression_directly
+ - matches: match_pattern_try_expression_with_instance
+ - matches: match_pattern_try_expression_with_utf8
+
+ - kind: call_expression
+ any:
+ - matches: match_pattern_ChaCha20_statement_directly
+ - matches: match_pattern_ChaCha20_expression_with_instance
+ - matches: match_pattern_ChaCha20_expression_with_utf8
+
+constraints:
+ SECRET:
+ kind: line_string_literal
+ has:
+ stopBy: neighbor
+ kind: line_str_text
+ field: text
+
+
diff --git a/rules/swift/security/rabbit-hardcoded-secret-swift.yml b/rules/swift/security/rabbit-hardcoded-secret-swift.yml
new file mode 100644
index 00000000..89fdf0ee
--- /dev/null
+++ b/rules/swift/security/rabbit-hardcoded-secret-swift.yml
@@ -0,0 +1,357 @@
+id: rabbit-hardcoded-secret-swift
+severity: warning
+language: swift
+message: >-
+ A secret is hard-coded in the application. Secrets stored in source
+ code, such as credentials, identifiers, and other types of sensitive data,
+ can be leaked and used by internal or external malicious actors. Use
+ environment variables to securely provide credentials and other secrets or
+ retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+ [CWE-798] Use of Hard-coded Credentials.
+ [REFERENCES]
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+ast-grep-essentials: true
+utils:
+ match_pattern_try_expression_directly:
+ kind: try_expression
+ not:
+ inside:
+ stopBy: end
+ kind: call_expression
+ has:
+ kind: simple_identifier
+ regex: ^Rabbit$
+ has:
+ stopBy: neighbor
+ kind: call_expression
+ all:
+ - has:
+ kind: simple_identifier
+ regex: '^Rabbit$'
+ - has:
+ kind: call_suffix
+ has:
+ kind: value_arguments
+ has:
+ kind: value_argument
+ all:
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ regex: '^key$'
+ - has:
+ stopBy: neighbor
+ kind: line_string_literal
+ has:
+ kind: line_str_text
+ - not:
+ follows:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ stopBy: end
+ kind: throw_keyword
+
+ match_pattern_Rabbit_statement_directly:
+ kind: call_expression
+ not:
+ inside:
+ stopBy: end
+ kind: call_expression
+ has:
+ kind: simple_identifier
+ regex: ^Rabbit$
+ all:
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ regex: '^Rabbit$'
+ - has:
+ stopBy: end
+ kind: call_suffix
+ has:
+ stopBy: end
+ kind: value_arguments
+ has:
+ stopBy: end
+ kind: value_argument
+ all:
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ regex: '^key$'
+ - has:
+ kind: line_string_literal
+ has:
+ stopBy: end
+ kind: line_str_text
+ - not:
+ inside:
+ stopBy: end
+ kind: try_expression
+ - not:
+ follows:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ kind: function_declaration
+
+ match_pattern_Rabbit_expression_with_instance:
+ kind: call_expression
+ not:
+ inside:
+ stopBy: end
+ kind: call_expression
+ has:
+ kind: simple_identifier
+ regex: ^Rabbit$
+ all:
+ - has:
+ kind: simple_identifier
+ regex: '^Rabbit$'
+ - has:
+ kind: call_suffix
+ has:
+ kind: value_arguments
+ has:
+ kind: value_argument
+ all:
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ regex: '^key$'
+ - has:
+ kind: simple_identifier
+ nthChild: 2
+ pattern: $R
+ - not:
+ inside:
+ stopBy: neighbor
+ kind: try_expression
+ - any:
+ - follows:
+ stopBy: end
+ kind: property_declaration
+ all:
+ - has:
+ kind: pattern
+ has:
+ stopBy: end
+ kind: simple_identifier
+ pattern: $R
+ - has:
+ stopBy: neighbor
+ kind: call_expression
+ pattern: Array($SECRET.utf8)
+ - inside:
+ stopBy: end
+ follows:
+ stopBy: end
+ kind: property_declaration
+ all:
+ - has:
+ kind: pattern
+ has:
+ kind: simple_identifier
+ pattern: $R
+ - has:
+ stopBy: neighbor
+ kind: call_expression
+ pattern: Array($SECRET.utf8)
+ - not:
+ follows:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ kind: function_declaration
+
+ match_pattern_try_expression_with_instance:
+ kind: try_expression
+ not:
+ inside:
+ stopBy: end
+ kind: call_expression
+ has:
+ kind: simple_identifier
+ regex: ^Rabbit$
+ all:
+ - has:
+ stopBy: neighbor
+ kind: call_expression
+ all:
+ - has:
+ kind: simple_identifier
+ regex: '^Rabbit$'
+ - has:
+ kind: call_suffix
+ has:
+ kind: value_arguments
+ has:
+ kind: value_argument
+ all:
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ regex: '^key$'
+ - has:
+ kind: simple_identifier
+ nthChild: 2
+ pattern: $R
+ - not:
+ follows:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ stopBy: end
+ kind: throw_keyword
+ - any:
+ - follows:
+ stopBy: end
+ kind: property_declaration
+ all:
+ - has:
+ kind: pattern
+ has:
+ kind: simple_identifier
+ pattern: $R
+ - has:
+ stopBy: neighbor
+ kind: call_expression
+ pattern: Array($SECRET.utf8)
+ - inside:
+ stopBy: end
+ follows:
+ stopBy: end
+ kind: property_declaration
+ all:
+ - has:
+ kind: pattern
+ has:
+ kind: simple_identifier
+ pattern: $R
+ - has:
+ stopBy: neighbor
+ kind: call_expression
+ pattern: Array($SECRET.utf8)
+
+ match_pattern_try_expression_with_utf8:
+ kind: try_expression
+ not:
+ inside:
+ stopBy: end
+ kind: call_expression
+ has:
+ kind: simple_identifier
+ regex: ^Rabbit$
+ has:
+ stopBy: end
+ kind: call_expression
+ all:
+ - not:
+ follows:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ stopBy: end
+ kind: throw_keyword
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ regex: '^Rabbit$'
+ - has:
+ stopBy: neighbor
+ kind: call_suffix
+ has:
+ stopBy: end
+ kind: value_argument
+ all:
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ regex: ^key$
+ - has:
+ stopBy: end
+ kind: call_expression
+ pattern: Array($SECRET.utf8)
+
+ match_pattern_Rabbit_expression_with_utf8:
+ kind: call_expression
+ not:
+ inside:
+ stopBy: end
+ kind: call_expression
+ has:
+ kind: simple_identifier
+ regex: ^Rabbit$
+ all:
+ - not:
+ inside:
+ kind: function_declaration
+ - not:
+ follows:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ stopBy: end
+ kind: throw_keyword
+ - not:
+ inside:
+ stopBy: end
+ kind: try_expression
+ - has:
+ stopBy: neighbor
+ kind: simple_identifier
+ regex: '^Rabbit$'
+ - has:
+ stopBy: neighbor
+ kind: call_suffix
+ has:
+ stopBy: end
+ kind: value_argument
+ all:
+ - has:
+ stopBy: end
+ kind: simple_identifier
+ regex: ^key$
+ - has:
+ stopBy: end
+ kind: call_expression
+ pattern: Array($SECRET.utf8)
+
+rule:
+ any:
+ - kind: try_expression
+ any:
+ - matches: match_pattern_try_expression_directly
+ - matches: match_pattern_try_expression_with_instance
+ - matches: match_pattern_try_expression_with_utf8
+
+ - kind: call_expression
+ any:
+ - matches: match_pattern_Rabbit_statement_directly
+ - matches: match_pattern_Rabbit_expression_with_instance
+ - matches: match_pattern_Rabbit_expression_with_utf8
+
+constraints:
+ SECRET:
+ kind: line_string_literal
+ has:
+ stopBy: neighbor
+ kind: line_str_text
+ field: text
+
diff --git a/tests/__snapshots__/aes-hardcoded-secret-swift-snapshot.yml b/tests/__snapshots__/aes-hardcoded-secret-swift-snapshot.yml
new file mode 100644
index 00000000..21a87d48
--- /dev/null
+++ b/tests/__snapshots__/aes-hardcoded-secret-swift-snapshot.yml
@@ -0,0 +1,184 @@
+id: aes-hardcoded-secret-swift
+snapshots:
+ ? |
+ AES(key: "hello", iv: "123")
+ : labels:
+ - source: 'AES(key: "hello", iv: "123")'
+ style: primary
+ start: 0
+ end: 28
+ - source: AES
+ style: secondary
+ start: 0
+ end: 3
+ - source: key
+ style: secondary
+ start: 4
+ end: 7
+ - source: hello
+ style: secondary
+ start: 10
+ end: 15
+ - source: '"hello"'
+ style: secondary
+ start: 9
+ end: 16
+ - source: 'key: "hello"'
+ style: secondary
+ start: 4
+ end: 16
+ - source: '(key: "hello", iv: "123")'
+ style: secondary
+ start: 3
+ end: 28
+ - source: '(key: "hello", iv: "123")'
+ style: secondary
+ start: 3
+ end: 28
+ ? |
+ let password: Array = Array("s33krit".utf8)
+ AES(key: password, iv: "123")
+ : labels:
+ - source: 'AES(key: password, iv: "123")'
+ style: primary
+ start: 51
+ end: 80
+ - source: AES
+ style: secondary
+ start: 51
+ end: 54
+ - source: key
+ style: secondary
+ start: 55
+ end: 58
+ - source: password
+ style: secondary
+ start: 60
+ end: 68
+ - source: 'key: password'
+ style: secondary
+ start: 55
+ end: 68
+ - source: '(key: password, iv: "123")'
+ style: secondary
+ start: 54
+ end: 80
+ - source: '(key: password, iv: "123")'
+ style: secondary
+ start: 54
+ end: 80
+ - source: password
+ style: secondary
+ start: 4
+ end: 12
+ - source: password
+ style: secondary
+ start: 4
+ end: 12
+ - source: Array("s33krit".utf8)
+ style: secondary
+ start: 29
+ end: 50
+ - source: 'let password: Array = Array("s33krit".utf8)'
+ style: secondary
+ start: 0
+ end: 50
+ - source: s33krit
+ style: secondary
+ start: 36
+ end: 43
+ ? |
+ let password: Array = Array("s33krit".utf8)
+ try AES(key: password, iv: "123")
+ : labels:
+ - source: 'try AES(key: password, iv: "123")'
+ style: primary
+ start: 51
+ end: 84
+ - source: AES
+ style: secondary
+ start: 55
+ end: 58
+ - source: key
+ style: secondary
+ start: 59
+ end: 62
+ - source: password
+ style: secondary
+ start: 64
+ end: 72
+ - source: 'key: password'
+ style: secondary
+ start: 59
+ end: 72
+ - source: '(key: password, iv: "123")'
+ style: secondary
+ start: 58
+ end: 84
+ - source: '(key: password, iv: "123")'
+ style: secondary
+ start: 58
+ end: 84
+ - source: 'AES(key: password, iv: "123")'
+ style: secondary
+ start: 55
+ end: 84
+ - source: password
+ style: secondary
+ start: 4
+ end: 12
+ - source: password
+ style: secondary
+ start: 4
+ end: 12
+ - source: Array("s33krit".utf8)
+ style: secondary
+ start: 29
+ end: 50
+ - source: 'let password: Array = Array("s33krit".utf8)'
+ style: secondary
+ start: 0
+ end: 50
+ - source: s33krit
+ style: secondary
+ start: 36
+ end: 43
+ ? |
+ try AES(key: "hello", iv: "123")
+ : labels:
+ - source: 'try AES(key: "hello", iv: "123")'
+ style: primary
+ start: 0
+ end: 32
+ - source: AES
+ style: secondary
+ start: 4
+ end: 7
+ - source: key
+ style: secondary
+ start: 8
+ end: 11
+ - source: hello
+ style: secondary
+ start: 14
+ end: 19
+ - source: '"hello"'
+ style: secondary
+ start: 13
+ end: 20
+ - source: 'key: "hello"'
+ style: secondary
+ start: 8
+ end: 20
+ - source: '(key: "hello", iv: "123")'
+ style: secondary
+ start: 7
+ end: 32
+ - source: '(key: "hello", iv: "123")'
+ style: secondary
+ start: 7
+ end: 32
+ - source: 'AES(key: "hello", iv: "123")'
+ style: secondary
+ start: 4
+ end: 32
diff --git a/tests/__snapshots__/blowfish-hardcoded-secret-swift-snapshot.yml b/tests/__snapshots__/blowfish-hardcoded-secret-swift-snapshot.yml
new file mode 100644
index 00000000..b9482edc
--- /dev/null
+++ b/tests/__snapshots__/blowfish-hardcoded-secret-swift-snapshot.yml
@@ -0,0 +1,218 @@
+id: blowfish-hardcoded-secret-swift
+snapshots:
+ 'Blowfish(key: "hello", iv: "123")':
+ labels:
+ - source: 'Blowfish(key: "hello", iv: "123")'
+ style: primary
+ start: 0
+ end: 33
+ - source: Blowfish
+ style: secondary
+ start: 0
+ end: 8
+ - source: key
+ style: secondary
+ start: 9
+ end: 12
+ - source: hello
+ style: secondary
+ start: 15
+ end: 20
+ - source: '"hello"'
+ style: secondary
+ start: 14
+ end: 21
+ - source: 'key: "hello"'
+ style: secondary
+ start: 9
+ end: 21
+ - source: '(key: "hello", iv: "123")'
+ style: secondary
+ start: 8
+ end: 33
+ - source: '(key: "hello", iv: "123")'
+ style: secondary
+ start: 8
+ end: 33
+ ? |
+ Blowfish(key: "hello", iv: "123")
+ : labels:
+ - source: 'Blowfish(key: "hello", iv: "123")'
+ style: primary
+ start: 0
+ end: 33
+ - source: Blowfish
+ style: secondary
+ start: 0
+ end: 8
+ - source: key
+ style: secondary
+ start: 9
+ end: 12
+ - source: hello
+ style: secondary
+ start: 15
+ end: 20
+ - source: '"hello"'
+ style: secondary
+ start: 14
+ end: 21
+ - source: 'key: "hello"'
+ style: secondary
+ start: 9
+ end: 21
+ - source: '(key: "hello", iv: "123")'
+ style: secondary
+ start: 8
+ end: 33
+ - source: '(key: "hello", iv: "123")'
+ style: secondary
+ start: 8
+ end: 33
+ ? |-
+ let password: Array = Array("s33krit".utf8)
+ Blowfish(key: password, iv: "123")
+ : labels:
+ - source: 'Blowfish(key: password, iv: "123")'
+ style: primary
+ start: 51
+ end: 85
+ - source: Blowfish
+ style: secondary
+ start: 51
+ end: 59
+ - source: key
+ style: secondary
+ start: 60
+ end: 63
+ - source: password
+ style: secondary
+ start: 65
+ end: 73
+ - source: 'key: password'
+ style: secondary
+ start: 60
+ end: 73
+ - source: '(key: password, iv: "123")'
+ style: secondary
+ start: 59
+ end: 85
+ - source: '(key: password, iv: "123")'
+ style: secondary
+ start: 59
+ end: 85
+ - source: password
+ style: secondary
+ start: 4
+ end: 12
+ - source: password
+ style: secondary
+ start: 4
+ end: 12
+ - source: Array("s33krit".utf8)
+ style: secondary
+ start: 29
+ end: 50
+ - source: 'let password: Array = Array("s33krit".utf8)'
+ style: secondary
+ start: 0
+ end: 50
+ - source: s33krit
+ style: secondary
+ start: 36
+ end: 43
+ ? |
+ let password: Array = Array("s33krit".utf8)
+ try Blowfish(key: password, iv: "123")
+ : labels:
+ - source: 'try Blowfish(key: password, iv: "123")'
+ style: primary
+ start: 51
+ end: 89
+ - source: Blowfish
+ style: secondary
+ start: 55
+ end: 63
+ - source: key
+ style: secondary
+ start: 64
+ end: 67
+ - source: password
+ style: secondary
+ start: 69
+ end: 77
+ - source: 'key: password'
+ style: secondary
+ start: 64
+ end: 77
+ - source: '(key: password, iv: "123")'
+ style: secondary
+ start: 63
+ end: 89
+ - source: '(key: password, iv: "123")'
+ style: secondary
+ start: 63
+ end: 89
+ - source: 'Blowfish(key: password, iv: "123")'
+ style: secondary
+ start: 55
+ end: 89
+ - source: password
+ style: secondary
+ start: 4
+ end: 12
+ - source: password
+ style: secondary
+ start: 4
+ end: 12
+ - source: Array("s33krit".utf8)
+ style: secondary
+ start: 29
+ end: 50
+ - source: 'let password: Array = Array("s33krit".utf8)'
+ style: secondary
+ start: 0
+ end: 50
+ - source: s33krit
+ style: secondary
+ start: 36
+ end: 43
+ ? |
+ try Blowfish(key: "hello", iv: "123")
+ : labels:
+ - source: 'try Blowfish(key: "hello", iv: "123")'
+ style: primary
+ start: 0
+ end: 37
+ - source: Blowfish
+ style: secondary
+ start: 4
+ end: 12
+ - source: key
+ style: secondary
+ start: 13
+ end: 16
+ - source: hello
+ style: secondary
+ start: 19
+ end: 24
+ - source: '"hello"'
+ style: secondary
+ start: 18
+ end: 25
+ - source: 'key: "hello"'
+ style: secondary
+ start: 13
+ end: 25
+ - source: '(key: "hello", iv: "123")'
+ style: secondary
+ start: 12
+ end: 37
+ - source: '(key: "hello", iv: "123")'
+ style: secondary
+ start: 12
+ end: 37
+ - source: 'Blowfish(key: "hello", iv: "123")'
+ style: secondary
+ start: 4
+ end: 37
diff --git a/tests/__snapshots__/chacha20-hardcoded-secret-swift-snapshot.yml b/tests/__snapshots__/chacha20-hardcoded-secret-swift-snapshot.yml
new file mode 100644
index 00000000..bb3255a8
--- /dev/null
+++ b/tests/__snapshots__/chacha20-hardcoded-secret-swift-snapshot.yml
@@ -0,0 +1,184 @@ +id: chacha20-hardcoded-secret-swift +snapshots: + ? | + ChaCha20(key: "hello", iv: "123") + : labels: + - source: 'ChaCha20(key: "hello", iv: "123")' + style: primary + start: 0 + end: 33 + - source: ChaCha20 + style: secondary + start: 0 + end: 8 + - source: key + style: secondary + start: 9 + end: 12 + - source: hello + style: secondary + start: 15 + end: 20 + - source: '"hello"' + style: secondary + start: 14 + end: 21 + - source: 'key: "hello"' + style: secondary + start: 9 + end: 21 + - source: '(key: "hello", iv: "123")' + style: secondary + start: 8 + end: 33 + - source: '(key: "hello", iv: "123")' + style: secondary + start: 8 + end: 33 + ? |- + let password: Array = Array("s33krit".utf8) + ChaCha20(key: password, iv: "123") + : labels: + - source: 'ChaCha20(key: password, iv: "123")' + style: primary + start: 51 + end: 85 + - source: ChaCha20 + style: secondary + start: 51 + end: 59 + - source: key + style: secondary + start: 60 + end: 63 + - source: password + style: secondary + start: 65 + end: 73 + - source: 'key: password' + style: secondary + start: 60 + end: 73 + - source: '(key: password, iv: "123")' + style: secondary + start: 59 + end: 85 + - source: '(key: password, iv: "123")' + style: secondary + start: 59 + end: 85 + - source: password + style: secondary + start: 4 + end: 12 + - source: password + style: secondary + start: 4 + end: 12 + - source: Array("s33krit".utf8) + style: secondary + start: 29 + end: 50 + - source: 'let password: Array = Array("s33krit".utf8)' + style: secondary + start: 0 + end: 50 + - source: s33krit + style: secondary + start: 36 + end: 43 + ? 
| + let password: Array = Array("s33krit".utf8) + try ChaCha20(key: password, iv: "123") + : labels: + - source: 'try ChaCha20(key: password, iv: "123")' + style: primary + start: 51 + end: 89 + - source: ChaCha20 + style: secondary + start: 55 + end: 63 + - source: key + style: secondary + start: 64 + end: 67 + - source: password + style: secondary + start: 69 + end: 77 + - source: 'key: password' + style: secondary + start: 64 + end: 77 + - source: '(key: password, iv: "123")' + style: secondary + start: 63 + end: 89 + - source: '(key: password, iv: "123")' + style: secondary + start: 63 + end: 89 + - source: 'ChaCha20(key: password, iv: "123")' + style: secondary + start: 55 + end: 89 + - source: password + style: secondary + start: 4 + end: 12 + - source: password + style: secondary + start: 4 + end: 12 + - source: Array("s33krit".utf8) + style: secondary + start: 29 + end: 50 + - source: 'let password: Array = Array("s33krit".utf8)' + style: secondary + start: 0 + end: 50 + - source: s33krit + style: secondary + start: 36 + end: 43 + ? | + try ChaCha20(key: "hello", iv: "123") + : labels: + - source: 'try ChaCha20(key: "hello", iv: "123")' + style: primary + start: 0 + end: 37 + - source: ChaCha20 + style: secondary + start: 4 + end: 12 + - source: key + style: secondary + start: 13 + end: 16 + - source: hello + style: secondary + start: 19 + end: 24 + - source: '"hello"' + style: secondary + start: 18 + end: 25 + - source: 'key: "hello"' + style: secondary + start: 13 + end: 25 + - source: '(key: "hello", iv: "123")' + style: secondary + start: 12 + end: 37 + - source: '(key: "hello", iv: "123")' + style: secondary + start: 12 + end: 37 + - source: 'ChaCha20(key: "hello", iv: "123")' + style: secondary + start: 4 + end: 37 diff --git a/tests/__snapshots__/rabbit-hardcoded-secret-swift-snapshot.yml b/tests/__snapshots__/rabbit-hardcoded-secret-swift-snapshot.yml new file mode 100644 index 00000000..c56f9648 --- /dev/null 
+++ b/tests/__snapshots__/rabbit-hardcoded-secret-swift-snapshot.yml 
@@ -0,0 +1,184 @@ +id: rabbit-hardcoded-secret-swift +snapshots: + ? | + Rabbit(key: "hello", iv: "123") + : labels: + - source: 'Rabbit(key: "hello", iv: "123")' + style: primary + start: 0 + end: 31 + - source: Rabbit + style: secondary + start: 0 + end: 6 + - source: key + style: secondary + start: 7 + end: 10 + - source: hello + style: secondary + start: 13 + end: 18 + - source: '"hello"' + style: secondary + start: 12 + end: 19 + - source: 'key: "hello"' + style: secondary + start: 7 + end: 19 + - source: '(key: "hello", iv: "123")' + style: secondary + start: 6 + end: 31 + - source: '(key: "hello", iv: "123")' + style: secondary + start: 6 + end: 31 + ? |- + let password: Array = Array("s33krit".utf8) + Rabbit(key: password, iv: "123") + : labels: + - source: 'Rabbit(key: password, iv: "123")' + style: primary + start: 51 + end: 83 + - source: Rabbit + style: secondary + start: 51 + end: 57 + - source: key + style: secondary + start: 58 + end: 61 + - source: password + style: secondary + start: 63 + end: 71 + - source: 'key: password' + style: secondary + start: 58 + end: 71 + - source: '(key: password, iv: "123")' + style: secondary + start: 57 + end: 83 + - source: '(key: password, iv: "123")' + style: secondary + start: 57 + end: 83 + - source: password + style: secondary + start: 4 + end: 12 + - source: password + style: secondary + start: 4 + end: 12 + - source: Array("s33krit".utf8) + style: secondary + start: 29 + end: 50 + - source: 'let password: Array = Array("s33krit".utf8)' + style: secondary + start: 0 + end: 50 + - source: s33krit + style: secondary + start: 36 + end: 43 + ? 
| + let password: Array = Array("s33krit".utf8) + try Rabbit(key: password, iv: "123") + : labels: + - source: 'try Rabbit(key: password, iv: "123")' + style: primary + start: 51 + end: 87 + - source: Rabbit + style: secondary + start: 55 + end: 61 + - source: key + style: secondary + start: 62 + end: 65 + - source: password + style: secondary + start: 67 + end: 75 + - source: 'key: password' + style: secondary + start: 62 + end: 75 + - source: '(key: password, iv: "123")' + style: secondary + start: 61 + end: 87 + - source: '(key: password, iv: "123")' + style: secondary + start: 61 + end: 87 + - source: 'Rabbit(key: password, iv: "123")' + style: secondary + start: 55 + end: 87 + - source: password + style: secondary + start: 4 + end: 12 + - source: password + style: secondary + start: 4 + end: 12 + - source: Array("s33krit".utf8) + style: secondary + start: 29 + end: 50 + - source: 'let password: Array = Array("s33krit".utf8)' + style: secondary + start: 0 + end: 50 + - source: s33krit + style: secondary + start: 36 + end: 43 + ? | + try Rabbit(key: "hello", iv: "123") + : labels: + - source: 'try Rabbit(key: "hello", iv: "123")' + style: primary + start: 0 + end: 35 + - source: Rabbit + style: secondary + start: 4 + end: 10 + - source: key + style: secondary + start: 11 + end: 14 + - source: hello + style: secondary + start: 17 + end: 22 + - source: '"hello"' + style: secondary + start: 16 + end: 23 + - source: 'key: "hello"' + style: secondary + start: 11 + end: 23 + - source: '(key: "hello", iv: "123")' + style: secondary + start: 10 + end: 35 + - source: '(key: "hello", iv: "123")' + style: secondary + start: 10 + end: 35 + - source: 'Rabbit(key: "hello", iv: "123")' + style: secondary + start: 4 + end: 35 diff --git a/tests/__snapshots__/ruby-mysql2-empty-password-ruby-snapshot.yml b/tests/__snapshots__/ruby-mysql2-empty-password-ruby-snapshot.yml index cd7c9aa9..8cd6162a 100644 --- a/tests/__snapshots__/ruby-mysql2-empty-password-ruby-snapshot.yml 
+++ b/tests/__snapshots__/ruby-mysql2-empty-password-ruby-snapshot.yml @@ -1,5 +1,71 @@ id: ruby-mysql2-empty-password-ruby snapshots: + ? | + $LOAD_PATH.unshift 'lib' + require 'mysql2' + require 'timeout' + Mysql2::Client.new(host: "localhost", username: "root", password: "").query("SELECT sleep(#{overhead}) as result") + : labels: + - source: 'Mysql2::Client.new(host: "localhost", username: "root", password: "")' + style: primary + start: 60 + end: 129 + - source: Mysql2 + style: secondary + start: 60 + end: 66 + - source: Client + style: secondary + start: 68 + end: 74 + - source: Mysql2::Client + style: secondary + start: 60 + end: 74 + - source: new + style: secondary + start: 75 + end: 78 + - source: password + style: secondary + start: 116 + end: 124 + - source: '""' + style: secondary + start: 126 + end: 128 + - source: 'password: ""' + style: secondary + start: 116 + end: 128 + - source: '(host: "localhost", username: "root", password: "")' + style: secondary + start: 78 + end: 129 + - source: require + style: secondary + start: 25 + end: 32 + - source: mysql2 + style: secondary + start: 34 + end: 40 + - source: '''mysql2''' + style: secondary + start: 33 + end: 41 + - source: '''mysql2''' + style: secondary + start: 33 + end: 41 + - source: require 'mysql2' + style: secondary + start: 25 + end: 41 + - source: require 'mysql2' + style: secondary + start: 25 + end: 41 ? | $LOAD_PATH.unshift 'lib' require 'mysql2' diff --git a/tests/swift/aes-hardcoded-secret-swift-test.yml b/tests/swift/aes-hardcoded-secret-swift-test.yml new file mode 100644 index 00000000..aa9f359e --- /dev/null +++ b/tests/swift/aes-hardcoded-secret-swift-test.yml 
@@ -0,0 +1,15 @@
+id: aes-hardcoded-secret-swift
+valid:
+ - |
+ try AES(key: password, iv: "123")
+invalid:
+ - |
+ try AES(key: "hello", iv: "123")
+ - |
+ AES(key: "hello", iv: "123")
+ - |
+ let password: Array = Array("s33krit".utf8)
+ try AES(key: password, iv: "123")
+ - |
+ let password: Array = Array("s33krit".utf8)
+ AES(key: password, iv: "123")
diff --git a/tests/swift/blowfish-hardcoded-secret-swift-test.yml b/tests/swift/blowfish-hardcoded-secret-swift-test.yml
new file mode 100644
index 00000000..4f5dcfb4
--- /dev/null
+++ b/tests/swift/blowfish-hardcoded-secret-swift-test.yml
@@ -0,0 +1,15 @@
+id: blowfish-hardcoded-secret-swift
+valid:
+ - |
+ try Blowfish(key: password, iv: "123")
+invalid:
+ - |
+ try Blowfish(key: "hello", iv: "123")
+ - |
+ Blowfish(key: "hello", iv: "123")
+ - |
+ let password: Array = Array("s33krit".utf8)
+ try Blowfish(key: password, iv: "123")
+ - |
+ let password: Array = Array("s33krit".utf8)
+ Blowfish(key: password, iv: "123")
\ No newline at end of file
diff --git a/tests/swift/chacha20-hardcoded-secret-swift-test.yml b/tests/swift/chacha20-hardcoded-secret-swift-test.yml
new file mode 100644
index 00000000..62ce7b25
--- /dev/null
+++ b/tests/swift/chacha20-hardcoded-secret-swift-test.yml
@@ -0,0 +1,15 @@
+id: chacha20-hardcoded-secret-swift
+valid:
+ - |
+ try ChaCha20(key: password, iv: "123")
+invalid:
+ - |
+ try ChaCha20(key: "hello", iv: "123")
+ - |
+ ChaCha20(key: "hello", iv: "123")
+ - |
+ let password: Array = Array("s33krit".utf8)
+ try ChaCha20(key: password, iv: "123")
+ - |
+ let password: Array = Array("s33krit".utf8)
+ ChaCha20(key: password, iv: "123")
\ No newline at end of file
diff --git a/tests/swift/rabbit-hardcoded-secret-swift-test.yml b/tests/swift/rabbit-hardcoded-secret-swift-test.yml
new file mode 100644
index 00000000..9f1bad27
--- /dev/null
+++ b/tests/swift/rabbit-hardcoded-secret-swift-test.yml
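Review bot: The `valid` section of the aes test file has a single negative case, `try AES(key: password, iv: "123")`, in which `password` is never bound, so nothing in the suite shows that a key built from a non-literal source is left alone once a `let password: Array = Array(...)` declaration is present; the blowfish, chacha20 and rabbit test files in this change have the same shape. Adding a valid entry such as `let password: Array = Array(secret.utf8)` followed by `try AES(key: password, iv: "123")` would pin that the two-line invalid cases match on the string literal inside `Array("s33krit".utf8)` rather than on any `Array(...)` initialiser (the rule files for the three non-AES ciphers are not in this chunk, so that reading of them is inferred). Every fixture, valid ones included, also passes the literal IV `"123"`, which records that a hard-coded IV is outside this rule's scope; a YAML comment on the valid block such as `# only the key argument is checked; a literal iv is out of scope for this rule` would make that deliberate rather than accidental. Three of the four files end without a trailing newline while the aes file has one, which is worth normalising.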
@@ -0,0 +1,15 @@
+id: rabbit-hardcoded-secret-swift
+valid:
+ - |
+ try Rabbit(key: password, iv: "123")
+invalid:
+ - |
+ try Rabbit(key: "hello", iv: "123")
+ - |
+ Rabbit(key: "hello", iv: "123")
+ - |
+ let password: Array = Array("s33krit".utf8)
+ try Rabbit(key: password, iv: "123")
+ - |
+ let password: Array = Array("s33krit".utf8)
+ Rabbit(key: password, iv: "123")
\ No newline at end of file