From 1162b6fbd93d8ae9d11f1aa7744e085f656828ac Mon Sep 17 00:00:00 2001 From: ESS-ENN Date: Wed, 16 Oct 2024 10:35:01 +0530 Subject: [PATCH 1/2] gorilla-csrf-hardcoded-auth-key-go --- .../gorilla-csrf-hardcoded-auth-key-go.yml | 65 ++++++++++++++++++ ...la-csrf-hardcoded-auth-key-go-snapshot.yml | 66 +++++++++++++++++++ ...orilla-csrf-hardcoded-auth-key-go-test.yml | 19 ++++++ 3 files changed, 150 insertions(+) create mode 100644 rules/go/security/gorilla-csrf-hardcoded-auth-key-go.yml create mode 100644 tests/__snapshots__/gorilla-csrf-hardcoded-auth-key-go-snapshot.yml create mode 100644 tests/go/gorilla-csrf-hardcoded-auth-key-go-test.yml diff --git a/rules/go/security/gorilla-csrf-hardcoded-auth-key-go.yml b/rules/go/security/gorilla-csrf-hardcoded-auth-key-go.yml new file mode 100644 index 00000000..7c2b6a46 --- /dev/null +++ b/rules/go/security/gorilla-csrf-hardcoded-auth-key-go.yml 
@@ -0,0 +1,65 @@
+id: gorilla-csrf-hardcoded-auth-key-go
+language: go
+severity: warning
+message: >-
+ A secret is hard-coded in the application. Secrets stored in source
+ code, such as credentials, identifiers, and other types of sensitive data,
+ can be leaked and used by internal or external malicious actors. It is
+ recommended to rotate the secret and retrieve them from a secure secret
+ vault or Hardware Security Module (HSM), alternatively environment
+ variables can be used if allowed by your company policy.
+note: >-
+ [CWE-798] Use of Hard-coded Credentials.
+ [REFERENCES]
+ - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+utils:
+ MATCH_PATTERN_ONE:
+ kind: call_expression
+ all:
+ - has:
+ stopBy: neighbor
+ kind: selector_expression
+ all:
+ - has:
+ stopBy: neighbor
+ kind: identifier
+ regex: "^csrf$"
+ - has:
+ stopBy: neighbor
+ kind: field_identifier
+ regex: "^Protect$"
+ - has:
+ stopBy: neighbor
+ kind: argument_list
+ any:
+ - has:
+ stopBy: neighbor
+ kind: type_conversion_expression
+ all:
+ - has:
+ stopBy: neighbor
+ kind: slice_type
+ has:
+ stopBy: neighbor
+ kind: type_identifier
+ regex: "^byte$"
+ - has:
+ stopBy: neighbor
+ kind: interpreted_string_literal
+ - has:
+ stopBy: neighbor
+ kind: interpreted_string_literal
+ - inside:
+ stopBy: end
+ kind: function_declaration
+ follows:
+ stopBy: end
+ kind: import_declaration
+ has:
+ stopBy: end
+ kind: import_spec
+ regex: "github.com/gorilla/csrf"
+rule:
+ kind: call_expression
+ any:
+ - matches: MATCH_PATTERN_ONE
diff --git a/tests/__snapshots__/gorilla-csrf-hardcoded-auth-key-go-snapshot.yml b/tests/__snapshots__/gorilla-csrf-hardcoded-auth-key-go-snapshot.yml
new file mode 100644
index 00000000..11c87f57
--- /dev/null
+++ b/tests/__snapshots__/gorilla-csrf-hardcoded-auth-key-go-snapshot.yml
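Review bot: The `inside:` clause of MATCH_PATTERN_ONE only accepts a `function_declaration`, so a hard-coded key passed to csrf.Protect from a method body (tree-sitter-go emits `method_declaration` for `func (s *Server) ...`, as far as I can tell) or from a package-level `var` initializer is not reported, and those are common places to wire up middleware. Widening the ancestor check with an `any:` over `function_declaration`, `method_declaration` and `var_declaration` keeps the `follows: import_declaration` guard intact, since all three sit beside the import at file scope. The literal check is also limited to `interpreted_string_literal`, so a backtick `raw_string_literal` key slips through; tests/go/gorilla-csrf-hardcoded-auth-key-go-test.yml has no `invalid` entry for either the method-body or the raw-string form, so neither gap is pinned by the snapshot.
```yaml
      - inside:
          stopBy: end
          any:
            - kind: function_declaration
            - kind: method_declaration
            - kind: var_declaration
          # … unchanged: follows / import_declaration / import_spec regex check …
```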
@@ -0,0 +1,66 @@
+id: gorilla-csrf-hardcoded-auth-key-go
+snapshots:
+ ? |
+ import (
+ "github.com/gorilla/csrf"
+ )
+ func main() {
+ http.ListenAndServe(":8000",
+ csrf.Protect([]byte("32-byte-long-auth-key"))(r))
+ }
+ : labels:
+ - source: csrf.Protect([]byte("32-byte-long-auth-key"))
+ style: primary
+ start: 84
+ end: 129
+ - source: csrf
+ style: secondary
+ start: 84
+ end: 88
+ - source: Protect
+ style: secondary
+ start: 89
+ end: 96
+ - source: csrf.Protect
+ style: secondary
+ start: 84
+ end: 96
+ - source: byte
+ style: secondary
+ start: 99
+ end: 103
+ - source: '[]byte'
+ style: secondary
+ start: 97
+ end: 103
+ - source: '"32-byte-long-auth-key"'
+ style: secondary
+ start: 104
+ end: 127
+ - source: '[]byte("32-byte-long-auth-key")'
+ style: secondary
+ start: 97
+ end: 128
+ - source: ([]byte("32-byte-long-auth-key"))
+ style: secondary
+ start: 96
+ end: 129
+ - source: '"github.com/gorilla/csrf"'
+ style: secondary
+ start: 9
+ end: 34
+ - source: |-
+ import (
+ "github.com/gorilla/csrf"
+ )
+ style: secondary
+ start: 0
+ end: 36
+ - source: |-
+ func main() {
+ http.ListenAndServe(":8000",
+ csrf.Protect([]byte("32-byte-long-auth-key"))(r))
+ }
+ style: secondary
+ start: 37
+ end: 138
diff --git a/tests/go/gorilla-csrf-hardcoded-auth-key-go-test.yml b/tests/go/gorilla-csrf-hardcoded-auth-key-go-test.yml
new file mode 100644
index 00000000..374fc510
--- /dev/null
+++ b/tests/go/gorilla-csrf-hardcoded-auth-key-go-test.yml
@@ -0,0 +1,19 @@
+id: gorilla-csrf-hardcoded-auth-key-go
+valid:
+ - |
+ import (
+ "github.com/gorilla/csrf"
+ )
+ func main() {
+ http.ListenAndServe(":8000",
+ csrf.Protect([]byte(os.Getenv("CSRF_AUTH_KEY")))(r))
+ }
+invalid:
+ - |
+ import (
+ "github.com/gorilla/csrf"
+ )
+ func main() {
+ http.ListenAndServe(":8000",
+ csrf.Protect([]byte("32-byte-long-auth-key"))(r))
+ }
From d292cd4b477bbd7e5efceb78cc31addf70589cc1 Mon Sep 17 00:00:00 2001
From: ESS-ENN Date: Wed, 16 Oct 2024 10:36:03 +0530 Subject: [PATCH 2/2] gorilla-cookie-store-hardcoded-session-key-go --- ...-cookie-store-hardcoded-session-key-go.yml | 63 +++++++++++++++++++ ...tore-hardcoded-session-key-go-snapshot.yml | 44 +++++++++++++ ...ie-store-hardcoded-session-key-go-test.yml | 16 +++++ 3 files changed, 123 insertions(+) create mode 100644 rules/go/security/gorilla-cookie-store-hardcoded-session-key-go.yml create mode 100644 tests/__snapshots__/gorilla-cookie-store-hardcoded-session-key-go-snapshot.yml create mode 100644 tests/go/gorilla-cookie-store-hardcoded-session-key-go-test.yml diff --git a/rules/go/security/gorilla-cookie-store-hardcoded-session-key-go.yml b/rules/go/security/gorilla-cookie-store-hardcoded-session-key-go.yml new file mode 100644 index 00000000..ef440f8f --- /dev/null +++ b/rules/go/security/gorilla-cookie-store-hardcoded-session-key-go.yml 
@@ -0,0 +1,63 @@
+id: gorilla-cookie-store-hardcoded-session-key-go
+language: go
+severity: warning
+message: >-
+ A secret is hard-coded in the application. Secrets stored in source
+ code, such as credentials, identifiers, and other types of sensitive data,
+ can be leaked and used by internal or external malicious actors. It is
+ recommended to rotate the secret and retrieve them from a secure secret
+ vault or Hardware Security Module (HSM), alternatively environment
+ variables can be used if allowed by your company policy.
+note: >-
+ [CWE-798] Use of Hard-coded Credentials.
+ [REFERENCES]
+ - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+utils:
+ MATCH_PATTERN_ONE:
+ kind: expression_list
+ has:
+ stopBy: neighbor
+ kind: call_expression
+ all:
+ - has:
+ stopBy: neighbor
+ kind: selector_expression
+ all:
+ - has:
+ stopBy: neighbor
+ kind: identifier
+ regex: "sessions"
+ - has:
+ stopBy: neighbor
+ kind: field_identifier
+ regex: "^NewCookieStore$"
+ - has:
+ stopBy: neighbor
+ kind: argument_list
+ any:
+ - has:
+ stopBy: neighbor
+ kind: type_conversion_expression
+ all:
+ - has:
+ stopBy: neighbor
+ kind: slice_type
+ has:
+ stopBy: neighbor
+ kind: type_identifier
+ regex: "^byte$"
+ - has:
+ stopBy: neighbor
+ pattern: $$$
+ - not:
+ has:
+ stopBy: neighbor
+ kind: call_expression
+ - has:
+ stopBy: neighbor
+ kind: interpreted_string_literal
+
+rule:
+ kind: expression_list
+ any:
+ - matches: MATCH_PATTERN_ONE
diff --git a/tests/__snapshots__/gorilla-cookie-store-hardcoded-session-key-go-snapshot.yml b/tests/__snapshots__/gorilla-cookie-store-hardcoded-session-key-go-snapshot.yml
new file mode 100644
index 00000000..8ed0060e
--- /dev/null
+++ b/tests/__snapshots__/gorilla-cookie-store-hardcoded-session-key-go-snapshot.yml
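Review bot: The `type_conversion_expression` branch of MATCH_PATTERN_ONE accepts any `[]byte(...)` whose operand is not a call (`has: pattern: $$$` combined with `not: has: kind: call_expression`), so `[]byte(key)` with `key` already loaded from the environment or a config file is reported as a hard-coded secret; the csrf rule in the first patch requires an `interpreted_string_literal` inside the conversion instead. Replacing those two clauses with the same three lines the csrf rule uses, `- has:` / `stopBy: neighbor` / `kind: interpreted_string_literal`, keeps both `invalid` snippets matching and removes that false positive, and a `valid` entry like `var store = sessions.NewCookieStore([]byte(key))` in tests/go/gorilla-cookie-store-hardcoded-session-key-go-test.yml would pin it. Two smaller consistency points: `regex: "sessions"` is unanchored while the sibling rule uses `^csrf$`, so any identifier containing that substring qualifies, and rooting the rule at `expression_list` means a call passed directly as a function argument or used as a struct-field value (which, as far as I can tell, tree-sitter-go does not wrap in an expression_list) is not matched, unlike the csrf rule rooted at `call_expression`.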
@@ -0,0 +1,44 @@
+id: gorilla-cookie-store-hardcoded-session-key-go
+snapshots:
+ ? "import (\n\"github.com/gorilla/sessions\"\n)\n \tvar store = sessions.NewCookieStore([]byte(\"hardcoded-session-key-here\"))\n var store = sessions.NewCookieStore(\n []byte(\"new-authentication-key\"),\n []byte(\"new-encryption-key\"),\n []byte(\"old-authentication-key\"),\n []byte(\"old-encryption-key\"),\n )\n"
+ : labels:
+ - source: sessions.NewCookieStore([]byte("hardcoded-session-key-here"))
+ style: primary
+ start: 55
+ end: 116
+ - source: sessions
+ style: secondary
+ start: 55
+ end: 63
+ - source: NewCookieStore
+ style: secondary
+ start: 64
+ end: 78
+ - source: sessions.NewCookieStore
+ style: secondary
+ start: 55
+ end: 78
+ - source: byte
+ style: secondary
+ start: 81
+ end: 85
+ - source: '[]byte'
+ style: secondary
+ start: 79
+ end: 85
+ - source: '[]byte'
+ style: secondary
+ start: 79
+ end: 85
+ - source: '[]byte("hardcoded-session-key-here")'
+ style: secondary
+ start: 79
+ end: 115
+ - source: ([]byte("hardcoded-session-key-here"))
+ style: secondary
+ start: 78
+ end: 116
+ - source: sessions.NewCookieStore([]byte("hardcoded-session-key-here"))
+ style: secondary
+ start: 55
+ end: 116
diff --git a/tests/go/gorilla-cookie-store-hardcoded-session-key-go-test.yml b/tests/go/gorilla-cookie-store-hardcoded-session-key-go-test.yml
new file mode 100644
index 00000000..27fb5c13
--- /dev/null
+++ b/tests/go/gorilla-cookie-store-hardcoded-session-key-go-test.yml
@@ -0,0 +1,16 @@
+id: gorilla-cookie-store-hardcoded-session-key-go
+valid:
+ - |
+ var store = sessions.NewCookieStore([]byte(os.Getenv("SESSION_KEY")))
+invalid:
+ - |
+ import (
+ "github.com/gorilla/sessions"
+ )
+ var store = sessions.NewCookieStore([]byte("hardcoded-session-key-here"))
+ var store = sessions.NewCookieStore(
+ []byte("new-authentication-key"),
+ []byte("new-encryption-key"),
+ []byte("old-authentication-key"),
+ []byte("old-encryption-key"),
+ )