Skip to content

Add security rules for Java and Swift applications for cookie and secret management #43

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Oct 29, 2024
Merged

Add security rules for Java and Swift applications for cookie and secret management #43

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
c09abdf
cookie-missing-samesite-java
ESS-ENN Oct 22, 2024
fc2171a
aes-hardcoded-secret-swift
ESS-ENN Oct 22, 2024
6adaf60
Merge branch 'main' into one-java-one-swift-rules
petrisorcoderabbit Oct 29, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
67 changes: 67 additions & 0 deletions rules/java/security/cookie-missing-samesite-java.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
id: cookie-missing-samesite-java
severity: warning
language: java
message: >-
The application does not appear to verify inbound requests which can
lead to a Cross-site request forgery (CSRF) vulnerability. If the
application uses cookie-based authentication, an attacker can trick users
into sending authenticated HTTP requests without their knowledge from any
arbitrary domain they visit. To prevent this vulnerability start by
identifying if the framework or library leveraged has built-in features or
offers plugins for CSRF protection. CSRF tokens should be unique and
securely random. The `Synchronizer Token` or `Double Submit Cookie`
patterns with defense-in-depth mechanisms such as the `sameSite` cookie
flag can help prevent CSRF. For more information, see: [Cross-site request
forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Req\
uest_Forgery_Prevention_Cheat_Sheet.html).
note: >-
[CWE-352] Cross-Site Request Forgery (CSRF).
[REFERENCES]
- https://stackoverflow.com/questions/42717210/samesite-cookie-in-java-application
rule:
any:
- pattern: $RESP.setHeader("Set-Cookie", $T);
inside:
stopBy: end
kind: block
follows:
stopBy: end
kind: formal_parameters
has:
stopBy: end
kind: formal_parameter
all:
- has:
stopBy: end
kind: type_identifier
regex: "^HttpServletResponse$"
- has:
stopBy: neighbor
kind: identifier
- pattern: $RESP.addCookie($$$);
not:
follows:
stopBy: end
kind: expression_statement
pattern: $RESP.setHeader("Set-Cookie", $T);
inside:
stopBy: end
kind: block
follows:
stopBy: end
kind: formal_parameters
has:
stopBy: end
kind: formal_parameter
all:
- has:
stopBy: end
kind: type_identifier
regex: "^HttpServletResponse$"
- has:
stopBy: neighbor
kind: identifier
constraints:
T:
not:
regex: ".*SameSite=.*|null"
285 changes: 285 additions & 0 deletions rules/swift/security/aes-hardcoded-secret-swift.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,285 @@
id: aes-hardcoded-secret-swift
language: swift
severity: warning
message: >-
A secret is hard-coded in the application. Secrets stored in source
code, such as credentials, identifiers, and other types of sensitive data,
can be leaked and used by internal or external malicious actors. Use
environment variables to securely provide credentials and other secrets or
retrieve them from a secure vault or Hardware Security Module (HSM).
note: >-
[OWASP A07:2021]:Identification and Authentication Failures
[CWE-272]: Least Privilege Violation
[REFERENCES]
https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
utils:
match_pattern_try_expression_directly:
kind: try_expression
has:
stopBy: neighbor
kind: call_expression
all:
- has:
stopBy: end
kind: simple_identifier
regex: "^AES$"
- has:
stopBy: end
kind: call_suffix
has:
stopBy: end
kind: value_arguments
has:
stopBy: end
kind: value_argument
all:
- has:
stopBy: end
kind: simple_identifier
regex: "^key$"
- has:
stopBy: neighbor
kind: line_string_literal
has:
stopBy: end
kind: line_str_text

match_pattern_AES_statement_directly:
kind: call_expression
all:
- has:
stopBy: end
kind: simple_identifier
regex: "^AES$"
- has:
stopBy: end
kind: call_suffix
has:
stopBy: end
kind: value_arguments
has:
stopBy: end
kind: value_argument
all:
- has:
stopBy: end
kind: simple_identifier
regex: "^key$"
- has:
stopBy: end
kind: line_string_literal
has:
stopBy: neighbor
kind: line_str_text
- not:
inside:
stopBy: end
kind: try_expression

match_pattern_AES_expression_with_instance:
kind: call_expression
all:
- has:
stopBy: end
kind: simple_identifier
regex: "^AES$"
- has:
stopBy: end
kind: call_suffix
has:
stopBy: end
kind: value_arguments
has:
stopBy: end
kind: value_argument
all:
- has:
stopBy: end
kind: simple_identifier
regex: "^key$"
- has:
stopBy: end
kind: simple_identifier
nthChild: 2
pattern: $R
- not:
inside:
stopBy: neighbor
kind: try_expression
- follows:
stopBy: end
kind: property_declaration
all:
- has:
stopBy: end
kind: pattern
has:
stopBy: end
kind: simple_identifier
pattern: $R
- has:
stopBy: neighbor
kind: call_expression
pattern: Array("$$$".utf8)

match_pattern_try_expression_with_instance:
kind: try_expression
all:
- has:
stopBy: neighbor
kind: call_expression
all:
- has:
stopBy: end
kind: simple_identifier
regex: "^AES$"
- has:
stopBy: end
kind: call_suffix
has:
stopBy: end
kind: value_arguments
has:
stopBy: end
kind: value_argument
all:
- has:
stopBy: end
kind: simple_identifier
regex: "^key$"
- has:
stopBy: end
kind: simple_identifier
nthChild: 2
pattern: $R
- follows:
stopBy: end
kind: property_declaration
all:
- has:
stopBy: end
kind: pattern
has:
stopBy: end
kind: simple_identifier
pattern: $R
- has:
stopBy: neighbor
kind: call_expression
pattern: Array("$$$".utf8)

match_pattern_AES_expression_with_utf8:
kind: call_expression
all:
- has:
stopBy: neighbor
kind: simple_identifier
regex: "^AES$"
- has:
stopBy: neighbor
kind: call_suffix
has:
stopBy: end
kind: value_argument
all:
- has:
stopBy: end
kind: simple_identifier
regex: "^key$"
- has:
stopBy: end
kind: call_expression
all:
- has:
stopBy: neighbor
kind: simple_identifier
regex: "^Array$"
- has:
stopBy: neighbor
kind: call_suffix
has:
stopBy: end
kind: value_argument
has:
stopBy: neighbor
kind: navigation_expression
all:
- has:
stopBy: neighbor
kind: line_string_literal
has:
stopBy: neighbor
kind: line_str_text
- has:
stopBy: neighbor
kind: navigation_suffix
has:
stopBy: neighbor
kind: simple_identifier
regex: "^utf8$"

match_pattern_try_expression_with_utf8:
kind: try_expression
has:
stopBy: neighbor
kind: call_expression
all:
- has:
stopBy: neighbor
kind: simple_identifier
regex: "^AES$"
- has:
stopBy: neighbor
kind: call_suffix
has:
stopBy: end
kind: value_argument
all:
- has:
stopBy: neighbor
kind: simple_identifier
regex: "^key$"
- has:
stopBy: neighbor
kind: call_expression
all:
- has:
stopBy: neighbor
kind: simple_identifier
regex: "^Array$"
- has:
stopBy: neighbor
kind: call_suffix
has:
stopBy: end
kind: value_argument
has:
stopBy: neighbor
kind: navigation_expression
all:
- has:
stopBy: neighbor
kind: line_string_literal
has:
stopBy: neighbor
kind: line_str_text
- has:
stopBy: neighbor
kind: navigation_suffix
has:
stopBy: neighbor
kind: simple_identifier
regex: "^utf8$"
rule:
any:
- kind: try_expression
any:
- matches: match_pattern_try_expression_directly
- matches: match_pattern_try_expression_with_instance
- matches: match_pattern_try_expression_with_utf8

- kind: call_expression
any:
- matches: match_pattern_AES_statement_directly
- matches: match_pattern_AES_expression_with_instance
- matches: match_pattern_AES_expression_with_utf8
Loading