Skip to content

Rules - One C rule and one Ruby rule #34

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Oct 21, 2024
Merged

Rules - One C rule and one Ruby rule #34

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
e58fbb2
hardcoded-http-auth-in-controller-copy-ruby
ESS-ENN Oct 17, 2024
2a336c7
return-c-str-c
ESS-ENN Oct 17, 2024
799a11d
changes in hardcoded-http-auth-in-controller-copy-ruby rule
ESS-ENN Oct 18, 2024
5a55e6f
Merge branch 'main' into one-c-one-ruby-rule
ESS-ENN Oct 18, 2024
1aefdb9
Merge branch 'main' into one-c-one-ruby-rule
petrisorcoderabbit Oct 21, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
203 changes: 203 additions & 0 deletions rules/c/security/return-c-str-c.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,203 @@
id: return-c-str-c
language: c
severity: warning
message: >-
`$FUNC` returns a pointer to the memory owned by `$STR`. This pointer
is invalid after `$STR` goes out of scope, which can trigger a use after
free.
note: >-
[CWE-416] Use After Free
[REFERENCES]
- https://wiki.sei.cmu.edu/confluence/display/c/DCL30-C.+Declare+objects+with+appropriate+storage+durations
- https://wiki.sei.cmu.edu/confluence/display/cplusplus/EXP54-CPP.+Do+not+access+an+object+outside+of+its+lifetime
utils:
MATCH_PATTERN_STR_METHOD_WITH_STD_TWO:
kind: return_statement
all:
- has:
stopBy: end
kind: call_expression
all:
- has:
stopBy: end
kind: field_expression
all:
- has:
stopBy: end
kind: identifier
pattern: $E
- has:
stopBy: end
kind: field_identifier
pattern: $METHOD
- has:
stopBy: end
kind: argument_list
- follows:
stopBy: end
kind: labeled_statement
all:
- has:
stopBy: end
kind: statement_identifier
regex: "^std$"
- has:
stopBy: end
kind: identifier
regex: "^basic_string<$TYPE>|string|wstring$"
- has:
stopBy: end
kind: expression_statement
all:
- has:
stopBy: end
kind: identifier
patttern: $E
- inside:
stopBy: end
kind: compound_statement
not:
follows:
stopBy: end
kind: function_declarator
has:
stopBy: neighbor
kind: identifier
regex: "return.*"
MATCH_PATTERN_STR_METHOD_WITH_STD_THREE:
kind: return_statement
all:
- has:
stopBy: end
kind: call_expression
all:
- has:
stopBy: end
kind: field_expression
all:
- has:
stopBy: end
kind: identifier
pattern: $E
- has:
stopBy: end
kind: field_identifier
pattern: $METHOD
- has:
stopBy: end
kind: argument_list
- inside:
stopBy: end
kind: compound_statement
follows:
stopBy: end
kind: pointer_declarator
has:
stopBy: end
kind: parameter_list
all:
- has:
stopBy: end
kind: type_identifier
regex: "^std$"
- has:
stopBy: end
kind: identifier
regex: "^basic_string<$TYPE>|string|wstring$"
- has:
stopBy: end
kind: identifier
pattern: $E
MATCH_PATTERN_STR_METHOD_WITHOUT_STD_THREE:
kind: return_statement
all:
- has:
stopBy: end
kind: call_expression
all:
- has:
stopBy: end
kind: field_expression
all:
- has:
stopBy: end
kind: identifier
pattern: $E
- has:
stopBy: end
kind: field_identifier
pattern: $METHOD
- has:
stopBy: end
kind: argument_list
- inside:
stopBy: end
kind: compound_statement
follows:
stopBy: end
kind: pointer_declarator
has:
stopBy: end
kind: parameter_list
has:
stopBy: end
kind: parameter_declaration
all:
- has:
stopBy: end
kind: type_identifier
regex: "^basic_string<$TYPE>|string|wstring$"
- has:
stopBy: neighbor
kind: identifier
pattern: $E
MATCH_PATTERN_STR_METHOD_WITHOUT_STD_TWO:
kind: return_statement
all:
- has:
stopBy: end
kind: call_expression
all:
- has:
stopBy: end
kind: field_expression
all:
- has:
stopBy: end
kind: identifier
pattern: $T
- has:
stopBy: end
kind: field_identifier
pattern: $METHOD
- has:
stopBy: end
kind: argument_list
- follows:
stopBy: end
kind: declaration
all:
- has:
stopBy: neighbor
kind: type_identifier
regex: "^basic_string<$TYPE>|string|wstring$"
- has:
stopBy: neighbor
kind: identifier
pattern: $T
rule:
any:
- pattern: return basic_string<$TYPE>($$$).$METHOD();
- pattern: return std::basic_string<$TYPE>($$$).$METHOD();
- pattern: return string($$$).$METHOD();
- pattern: return std::string($$$).$METHOD();
- pattern: return wstring($$$).$METHOD();
- pattern: return std::wstring($$$).$METHOD();
- matches: MATCH_PATTERN_STR_METHOD_WITH_STD_TWO
- matches: MATCH_PATTERN_STR_METHOD_WITHOUT_STD_TWO
- matches: MATCH_PATTERN_STR_METHOD_WITH_STD_THREE
- matches: MATCH_PATTERN_STR_METHOD_WITHOUT_STD_THREE

constraints:
METHOD:
regex: "c_str|data"
55 changes: 55 additions & 0 deletions rules/ruby/security/hardcoded-http-auth-in-controller-copy-ruby.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
id: hardcoded-http-auth-in-controller-copy-ruby
language: ruby
severity: warning
message: >-
Detected hardcoded password used in basic authentication in a
controller class. Including this password in version control could expose
this credential. Consider refactoring to use environment variables or
configuration files
note: >-
[CWE-798] Use of Hard-coded Credentials.
[REFERENCES]
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
utils:
MATCH_PASSWORD_STRING:
kind: string
inside:
stopBy: end
kind: pair
all:
- has:
stopBy: end
kind: simple_symbol
regex: "^:password$"
- inside:
stopBy: end
kind: argument_list
inside:
stopBy: end
kind: call
all:
- has:
stopBy: neighbor
kind: identifier
regex: "^http_basic_authenticate_with$"
- inside:
stopBy: neighbor
kind: body_statement
inside:
stopBy: end
kind: class
all:
- has:
stopBy: neighbor
kind: constant
- has:
stopBy: end
kind: superclass
has:
stopBy: neighbor
kind: constant
regex: "^ApplicationController$"

rule:
kind: string
matches: MATCH_PASSWORD_STRING
114 changes: 114 additions & 0 deletions tests/__snapshots__/hardcoded-http-auth-in-controller-copy-ruby-snapshot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,114 @@
id: hardcoded-http-auth-in-controller-copy-ruby
snapshots:
? |
class DangerousController < ApplicationController
http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index
puts "do more stuff"
end
: labels:
- source: '"secret"'
style: primary
start: 108
end: 116
- source: :password
style: secondary
start: 95
end: 104
- source: http_basic_authenticate_with
style: secondary
start: 50
end: 78
- source: DangerousController
style: secondary
start: 6
end: 25
- source: ApplicationController
style: secondary
start: 28
end: 49
- source: < ApplicationController
style: secondary
start: 26
end: 49
- source: |-
class DangerousController < ApplicationController
http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index
puts "do more stuff"
end
style: secondary
start: 0
end: 160
- source: |-
http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index
puts "do more stuff"
style: secondary
start: 50
end: 156
- source: http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index
style: secondary
start: 50
end: 135
- source: :name => "dhh", :password => "secret", :except => :index
style: secondary
start: 79
end: 135
- source: :password => "secret"
style: secondary
start: 95
end: 116
? |
class DangerousController < ApplicationController
http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index
puts "do more stuff""
end
: labels:
- source: '"secret"'
style: primary
start: 108
end: 116
- source: :password
style: secondary
start: 95
end: 104
- source: http_basic_authenticate_with
style: secondary
start: 50
end: 78
- source: DangerousController
style: secondary
start: 6
end: 25
- source: ApplicationController
style: secondary
start: 28
end: 49
- source: < ApplicationController
style: secondary
start: 26
end: 49
- source: |-
class DangerousController < ApplicationController
http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index
puts "do more stuff""
end
style: secondary
start: 0
end: 161
- source: |-
http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index
puts "do more stuff""
style: secondary
start: 50
end: 157
- source: http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index
style: secondary
start: 50
end: 135
- source: :name => "dhh", :password => "secret", :except => :index
style: secondary
start: 79
end: 135
- source: :password => "secret"
style: secondary
start: 95
end: 116
Loading