Skip to content

Add YAML-based AST security rules and tests for C#, Java, Ruby #186

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 34 commits into from
Mar 26, 2025
Merged

Add YAML-based AST security rules and tests for C#, Java, Ruby #186

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
34 commits
Select commit Hold shift + click to select a range
bb7b8e1
removed missing-secure-java
Dec 16, 2024
308e947
Merge branch 'coderabbitai:main' into main
ESS-ENN Jan 6, 2025
46efd55
Merge branch 'coderabbitai:main' into main
ESS-ENN Jan 8, 2025
3ac0204
Merge branch 'coderabbitai:main' into main
ESS-ENN Jan 8, 2025
7caba92
Merge branch 'coderabbitai:main' into main
ESS-ENN Jan 9, 2025
d3a2776
Merge branch 'coderabbitai:main' into main
ESS-ENN Jan 10, 2025
2e86380
Merge branch 'coderabbitai:main' into main
ESS-ENN Jan 14, 2025
b072db7
Merge branch 'coderabbitai:main' into main
ESS-ENN Jan 20, 2025
65dce29
Merge branch 'coderabbitai:main' into main
ESS-ENN Jan 22, 2025
12bb3aa
httponly-false-csharp
ESS-ENN Jan 22, 2025
2c5ea88
use-of-md5-digest-utils-java
ESS-ENN Jan 22, 2025
d3067f1
removing use-of-md5-digest-utils and httponly-false-csharp
ESS-ENN Jan 22, 2025
56d4011
Merge branch 'coderabbitai:main' into main
ESS-ENN Jan 28, 2025
f7f1d72
Merge branch 'coderabbitai:main' into main
ESS-ENN Jan 29, 2025
0d53f8e
Merge branch 'coderabbitai:main' into main
ESS-ENN Feb 4, 2025
b622bca
Merge branch 'coderabbitai:main' into main
ESS-ENN Feb 6, 2025
67459bf
Merge branch 'coderabbitai:main' into main
ESS-ENN Feb 7, 2025
b8b2adb
Merge branch 'coderabbitai:main' into main
ESS-ENN Feb 18, 2025
9b29d0a
Merge branch 'coderabbitai:main' into main
ESS-ENN Mar 3, 2025
24510d4
Merge branch 'coderabbitai:main' into main
ESS-ENN Mar 4, 2025
6c6d229
Merge remote-tracking branch 'upstream/main' into main
ESS-ENN Mar 4, 2025
c5f0d85
Merge branch 'main' of https://github.com/ESS-ENN/ast-grep-essentials…
ESS-ENN Mar 4, 2025
4104e61
Merge branch 'coderabbitai:main' into main
ESS-ENN Mar 5, 2025
36b1114
Merge remote-tracking branch 'upstream/main' into main
ESS-ENN Mar 5, 2025
befc6b0
Merge branch 'main' of https://github.com/ESS-ENN/ast-grep-essentials…
ESS-ENN Mar 5, 2025
7bc886d
Merge branch 'coderabbitai:main' into main
ESS-ENN Mar 10, 2025
fc13546
Merge remote-tracking branch 'upstream/main' into main
ESS-ENN Mar 10, 2025
e4a1853
Merge branch 'main' of https://github.com/ESS-ENN/ast-grep-essentials…
ESS-ENN Mar 10, 2025
b6203b0
Merge branch 'coderabbitai:main' into main
ESS-ENN Mar 18, 2025
5327545
Merge remote-tracking branch 'upstream/main' into main
ESS-ENN Mar 20, 2025
f59e083
Merge remote-tracking branch 'upstream/main' into main
ESS-ENN Mar 25, 2025
d89449e
stacktrace-disclosure-csharp
ESS-ENN Mar 26, 2025
bc2b9aa
weak-ssl-context-java
ESS-ENN Mar 26, 2025
c2a58ce
hardcoded-secret-rsa-passphrase-ruby
ESS-ENN Mar 26, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 45 additions & 0 deletions rules/csharp/security/stacktrace-disclosure-csharp.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
id: stacktrace-disclosure-csharp
severity: warning
language: csharp
message: >-
Stacktrace information is displayed in a non-Development environment.
Accidentally disclosing sensitive stack trace information in a production
environment aids an attacker in reconnaissance and information gathering.
note: >-
[CWE-209] Generation of Error Message Containing Sensitive Information.
[REFERENCES]
- https://cwe.mitre.org/data/definitions/209.html
- https://owasp.org/Top10/A04_2021-Insecure_Design/

ast-grep-essentials: true

utils:
$APP.UseDeveloperExceptionPage(...):
kind: invocation_expression
pattern: $APP.UseDeveloperExceptionPage($$$)
all:
- not:
inside:
stopBy: end
any:
- kind: postfix_unary_expression
- kind: member_access_expression
inside:
kind: invocation_expression
- not:
inside:
stopBy: neighbor
kind: block
follows:
stopBy: end
any:
- kind: invocation_expression
pattern: $ENV.IsDevelopment()
- kind: parenthesized_expression
has:
kind: invocation_expression
pattern: $ENV.IsDevelopment()
inside:
kind: if_statement
rule:
matches: $APP.UseDeveloperExceptionPage(...)
79 changes: 79 additions & 0 deletions rules/java/security/weak-ssl-context-java.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,79 @@
id: weak-ssl-context-java
language: java
severity: warning
message: >-
'An insecure SSL context was detected. TLS versions 1.0, 1.1, and all
SSL versions are considered weak encryption and are deprecated. Use
SSLContext.getInstance("TLSv1.2") for the best security.'
note: >-
[CWE-326] Inadequate Encryption Strength
[REFERENCES]
- https://tools.ietf.org/html/rfc7568
- https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html

ast-grep-essentials: true

# rule:
# all:
# - pattern: SSLContext.getInstance($CONTEXT)

# constraints:
# CONTEXT:
# any:
# - kind: string_literal
# has:
# kind: string_fragment
# all:
# - not:
# regex: ^TLSv1.2$
# - not:
# regex: ^TLSv1.3$
# - kind: string_literal
# not:
# has:
# kind: string_fragment

rule:
kind: method_invocation
not:
has:
stopBy: end
kind: method_invocation
all:
- has:
kind: identifier
field: object
nthChild: 1
regex: ^SSLContext$
- has:
kind: identifier
field: name
nthChild: 2
regex: ^getInstance$
- has:
kind: argument_list
field: arguments
nthChild: 3
has:
nthChild:
position: 1
ofRule:
kind: string_literal
any:
- not:
has:
kind: string_fragment
- has:
kind: string_fragment
all:
- not:
regex: ^TLSv1.2$
- not:
regex: ^TLSv1.3$
not:
has:
nthChild:
position: 2
ofRule:
not:
kind: line_comment
232 changes: 232 additions & 0 deletions rules/ruby/security/hardcoded-secret-rsa-passphrase-ruby.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,232 @@
id: hardcoded-secret-rsa-passphrase-ruby
language: ruby
severity: warning
message: >-
Found the use of an hardcoded passphrase for RSA. The passphrase can be
easily discovered, and therefore should not be stored in source-code. It
is recommended to remove the passphrase from source-code, and use system
environment variables or a restricted configuration file.
note: >-
[CWE-798]: Use of Hard-coded Credentials
[OWASP A07:2021]: Identification and Authentication Failures
[REFERENCES]
https://cwe.mitre.org/data/definitions/522.html

ast-grep-essentials: true

utils:
OpenSSL::PKey::RSA.new(..., '...'):
kind: call
all:
- has:
stopBy: neighbor
kind: scope_resolution
regex: ^OpenSSL::PKey::RSA$
- has:
stopBy: neighbor
regex: ^.$
- has:
stopBy: neighbor
kind: identifier
regex: ^new$
- has:
stopBy: neighbor
kind: argument_list
all:
- has:
stopBy: neighbor
kind: string
nthChild: 2
has:
stopBy: neighbor
kind: string_content

OpenSSL::PKey::RSA.new(...).to_pem(..., '...'):
kind: call
all:
- has:
stopBy: neighbor
kind: call
pattern: OpenSSL::PKey::RSA.new($$$)
- has:
stopBy: neighbor
regex: ^.$
- has:
stopBy: neighbor
kind: identifier
regex: ^to_pem|export$
- has:
stopBy: neighbor
kind: argument_list
has:
stopBy: neighbor
kind: string
nthChild:
position: 2
ofRule:
not:
kind: comment
not:
precedes:
stopBy: end
nthChild: 3

OpenSSL::PKey::RSA.new(..., '...')_with_instance:
kind: call
all:
- has:
stopBy: neighbor
kind: scope_resolution
regex: ^OpenSSL::PKey::RSA$
- has:
stopBy: neighbor
regex: ^.$
- has:
stopBy: neighbor
kind: identifier
regex: ^new$
- has:
stopBy: neighbor
kind: argument_list
all:
- has:
stopBy: neighbor
pattern: $SECRET
nthChild: 2

- inside:
stopBy: end
kind: class
has:
stopBy: end
kind: assignment
pattern: $SECRET = '$SECRET_VALUE'

OpenSSL::PKey::RSA.new(...).to_pem(..., '...')_with_instance:
kind: call
all:
- has:
stopBy: neighbor
kind: call
pattern: OpenSSL::PKey::RSA.new($$$)
- has:
stopBy: neighbor
regex: ^.$
- has:
stopBy: neighbor
kind: identifier
regex: ^to_pem|export$
- has:
stopBy: neighbor
kind: argument_list
all:
- has:
stopBy: neighbor
pattern: $SECRET
nthChild: 2

- inside:
stopBy: end
kind: class
has:
stopBy: end
kind: assignment
pattern: $SECRET = '$SECRET_VALUE'

$OPENSSL.export(...,'...'):
kind: call
all:
- has:
stopBy: neighbor
pattern: $OPENSSL
- has:
stopBy: neighbor
regex: ^.$
- has:
stopBy: neighbor
kind: identifier
regex: ^export|to_pem$
- has:
stopBy: neighbor
kind: argument_list
all:
- has:
stopBy: neighbor
kind: string
nthChild: 2
has:
stopBy: neighbor
kind: string_content

- inside:
stopBy: end
kind: class
has:
stopBy: end
kind: assignment
pattern: $OPENSSL = OpenSSL::PKey::RSA.new

$OPENSSL.to_pem(...,$ASSIGN):
kind: call
all:
- has:
stopBy: neighbor
pattern: $OPENSSL
- has:
stopBy: neighbor
regex: ^.$
- has:
stopBy: neighbor
kind: identifier
regex: ^export|to_pem$
- has:
stopBy: neighbor
kind: argument_list
all:
- has:
stopBy: neighbor
pattern: $SECRET
nthChild: 2
- inside:
stopBy: end
kind: class
all:
- has:
stopBy: end
kind: assignment
pattern: $OPENSSL = OpenSSL::PKey::RSA.new
- has:
stopBy: end
kind: assignment
pattern: $SECRET = '$SECRET_STRING'

match_call:
kind: call
all:
- has:
stopBy: end
kind: identifier
field: receiver
- has:
stopBy: end
kind: identifier
field: method
- has:
stopBy: end
kind: argument_list
field: arguments
all:
- has:
kind: call
- has:
kind: string
rule:
kind: call
any:
- matches: OpenSSL::PKey::RSA.new(..., '...')
- matches: OpenSSL::PKey::RSA.new(...).to_pem(..., '...')
- matches: OpenSSL::PKey::RSA.new(..., '...')_with_instance
- matches: OpenSSL::PKey::RSA.new(...).to_pem(..., '...')_with_instance
- matches: $OPENSSL.export(...,'...')
- matches: $OPENSSL.to_pem(...,$ASSIGN)
- matches: match_call
Loading