From f7ab10e06fe551de49c1e0d4b20b9aa249876e7d Mon Sep 17 00:00:00 2001 
From: ESS ENN Date: Tue, 3 Dec 2024 12:36:06 +0530 Subject: [PATCH] Removing all rules except those tested on live pipeline --- d | 65 +++++++++++++++++++ package-lock.json | 64 +++++++++--------- package.json | 4 +- .../info-leak-on-non-formated-string.yml | 13 ---- .../c/security/insecure-use-gets-function.yml | 12 ---- rules/c/security/insecure-use-memset.yml | 14 ---- .../security/insecure-use-scanf-function.yml | 12 ---- .../security/insecure-use-strcat-function.yml | 15 ----- .../insecure-use-string-copy-function.yml | 15 ----- .../security/insecure-use-strtok-function.yml | 12 ---- rules/csharp/security/binary-formatter.yml | 12 ---- .../security/data-contract-resolver.yml | 14 ---- rules/csharp/security/html-raw-json.yml | 18 ----- .../insecure-fspickler-deserialization.yml | 12 ---- ...secure-netdatacontract-deserialization.yml | 12 ---- rules/csharp/security/los-formatter.yml | 12 ---- .../blowfish-insufficient-key-size-java.yml | 62 ++++++++++++++++++ .../java/security/cbc-padding-oracle-java.yml | 17 +++++ rules/java/security/cbc-padding-oracle.yml | 16 ----- .../security/cookie-missing-httponly-java.yml | 23 +++++++ .../cookie-missing-secure-flag-java.yml | 53 +++++++++++++++ .../java/security/des-is-deprecated-java.yml | 16 +++++ ...owfish-insufficient-key-size-java-test.yml | 13 ++++ tests/java/cbc-padding-oracle-java-test.yml | 7 ++ tests/java/cbc-padding-oracle-test.yml | 11 ---- .../cookie-missing-httponly-java-test.yml | 19 ++++++ .../cookie-missing-secure-flag-java-test.yml | 18 +++++ tests/java/des-is-deprecated-java-test.yml | 7 ++ 28 files changed, 334 insertions(+), 234 deletions(-) create mode 100644 d delete mode 100644 rules/c/security/info-leak-on-non-formated-string.yml delete mode 100644 rules/c/security/insecure-use-gets-function.yml delete mode 100644 rules/c/security/insecure-use-memset.yml delete mode 100644 rules/c/security/insecure-use-scanf-function.yml delete mode 100644 rules/c/security/insecure-use-strcat-function.yml delete 
mode 100644 rules/c/security/insecure-use-string-copy-function.yml delete mode 100644 rules/c/security/insecure-use-strtok-function.yml delete mode 100644 rules/csharp/security/binary-formatter.yml delete mode 100644 rules/csharp/security/data-contract-resolver.yml delete mode 100644 rules/csharp/security/html-raw-json.yml delete mode 100644 rules/csharp/security/insecure-fspickler-deserialization.yml delete mode 100644 rules/csharp/security/insecure-netdatacontract-deserialization.yml delete mode 100644 rules/csharp/security/los-formatter.yml create mode 100644 rules/java/security/blowfish-insufficient-key-size-java.yml create mode 100644 rules/java/security/cbc-padding-oracle-java.yml delete mode 100644 rules/java/security/cbc-padding-oracle.yml create mode 100644 rules/java/security/cookie-missing-httponly-java.yml create mode 100644 rules/java/security/cookie-missing-secure-flag-java.yml create mode 100644 rules/java/security/des-is-deprecated-java.yml create mode 100644 tests/java/blowfish-insufficient-key-size-java-test.yml create mode 100644 tests/java/cbc-padding-oracle-java-test.yml delete mode 100644 tests/java/cbc-padding-oracle-test.yml create mode 100644 tests/java/cookie-missing-httponly-java-test.yml create mode 100644 tests/java/cookie-missing-secure-flag-java-test.yml create mode 100644 tests/java/des-is-deprecated-java-test.yml diff --git a/d b/d new file mode 100644 index 00000000..d8b8a0c0 --- /dev/null +++ b/d 
@@ -0,0 +1,65 @@ +a281adc (HEAD -> main, origin/main, origin/HEAD) Removing empty password rules (#60) +5578d80 Removing missing-httponly-java rule (#59) +add1b51 Update @ast-grep/cli dependency version in package.json to ^0.30.1 (#57) +d27dbf6 Update README.md +85fc9fa Update README.md +3ff3dc2 Update README.md +16ba3be Update CodeRabbit Reviews badge in README for improved stats display +5208707 update cr badge link (#55) +4000c69 Update README to rename dynamic JSON badge for CodeRabbit reviews (#54) +a925b71 Add dynamic JSON badge to README for CodeRabbit reviews (#53) +36cd7bc Modified rule - python-couchbase-empty-password-python (#50) +2a2a0b5 Add security rules for Java and Swift applications for cookie and secret management +c8b07de Add YAML Configs for Swift Webview Security Rules and Test Cases +00526ee Add security rules for socket binding and Flask debug mode detection +2b74515 Add Swift webview security rules and test cases for JS window handling +3195f93 Rules- std-vector-invalidation - c/cpp (#32) +6e4fca9 Two python rules 16Oct2024 (#31) +f4cbffa insecure-binaryformatter-deserialization-csharp (#30) +006dfaa Two openai go rules (#29) +b7edd27 Two openai go rules (#28) +5c6b9ec Rules - file-stat-before-action c/cpp (#27) +d476976 Rules - file-access-before-action-c/cpp (#23) +bf7cb81 Rules - insecure-hash-c/cpp (#22) +cbe37c4 insecure-cipher-algorithm-rc4-python (#21) +72e144d Rules - One php and one java rule (#20) +2e7cc23 Rules: null-function-library-c/cpp (#19) +cd70510 Two python rules (#33) +fc491b0 Rules - One C rule and one Ruby rule (#34) +2f10d49 Two Rust rules (#35) +deb96b1 Two Rust rules (#36) +c752f2e Two java rules (#37) +2b863ae avoid_app_run_with_bad_host-python (#38) +3592c52 Rules - One go and one java rule - 11Oct2024 (#18) +f43b4ed Rules - dont-call-system c/cpp (#17) +c30bdb6 Two Java rules 10Oct2024 (#16) +7fc798f Two Go rules 10Oct2024 (#15) +330dc1f Two Java rules (#14) +cb2b69f One java and one rust rule (#13) +92aa3ae 
Rules - node-rsa-weak-key in Js/Ts (#12) +466b1c4 Rules - Express-jwt-hardcoded-secret in Js/Ts (#11) +55859ed New Rules #2 (#9) +1cb4625 More Rules +5c87db3 Update ast-grep CLI & add Java cookie management rules +aa2c433 Pull request for 10 rules ESS-ENN (#5) +1521a46 update test scripts +37c8068 ignore snapshots dir +4206290 update readme file +4675eec update readme file +6651c18 update readme file (#3) +7f0bbc8 Create LICENSE +eb2b142 Create CODE_OF_CONDUCT.md +a6405dd Add initial testing structure +5e88d14 Update doc with rule structure +467affb Add readme file content with the package structure +4502fd7 Add basic ruby, rust & kotlin rules +9ab4718 Add basic Java rules +8f64638 Add basic CSharp rules +96628d6 Add basic C rules +7b90ba8 Add note field to all existing rules +2dce5c8 Add new security rules +de295e4 Remove unused ast-grep dependency +efc39ea Add initial testing structure +14e6e61 Remove testing initial rules +7b20bd5 Change severity to "warning" instead of "error" for javascript/no-eval rule +799ea62 Initial commit with default rules for typescript and javascript diff --git a/package-lock.json b/package-lock.json index e27fa3a8..5baf8101 100644 --- a/package-lock.json +++ b/package-lock.json @@ -9,13 +9,13 @@ "version": "1.0.0", "license": "ISC", "devDependencies": { - "@ast-grep/cli": "^0.20.2" + "@ast-grep/cli": "^0.30.1" } }, "node_modules/@ast-grep/cli": { - "version": "0.20.2", - "resolved": "https://registry.npmjs.org/@ast-grep/cli/-/cli-0.20.2.tgz", - "integrity": "sha512-PhDdxSiyLTyZZ4udvKrthGPNDoNp1Euqfvql66eh5m4F+/PYjMwTPz/5lwYvHZpIr2MozZ1Jqm9W2btjwE3fnw==", + "version": "0.30.1", + "resolved": "https://registry.npmjs.org/@ast-grep/cli/-/cli-0.30.1.tgz", + "integrity": "sha512-or1izzRdiqMCwM7/XbJhu2GSIwlf5iwjS8lXnCdEEPTPMVbmbsg0u872C2tU1oEsC8gluF6gI4xWUCGt4H1N5w==", "dev": true, "hasInstallScript": true, "dependencies": { 
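Review bot: The new file `d` is a captured `git log --oneline` listing (a commit hash followed by a subject on every line), not a rule, test or tooling change, and nothing in the subject "Removing all rules except those tested on live pipeline" accounts for it. It reads as a redirect that landed in the working tree by accident and was swept up by `git add`; it should be dropped from this commit rather than shipped with the rule set. If the listing is wanted for bookkeeping it belongs outside the repository.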
@@ -29,19 +29,19 @@ "node": ">= 12.0.0" }, "optionalDependencies": { - "@ast-grep/cli-darwin-arm64": "0.20.2", - "@ast-grep/cli-darwin-x64": "0.20.2", - "@ast-grep/cli-linux-arm64-gnu": "0.20.2", - "@ast-grep/cli-linux-x64-gnu": "0.20.2", - "@ast-grep/cli-win32-arm64-msvc": "0.20.2", - "@ast-grep/cli-win32-ia32-msvc": "0.20.2", - "@ast-grep/cli-win32-x64-msvc": "0.20.2" + "@ast-grep/cli-darwin-arm64": "0.30.1", + "@ast-grep/cli-darwin-x64": "0.30.1", + "@ast-grep/cli-linux-arm64-gnu": "0.30.1", + "@ast-grep/cli-linux-x64-gnu": "0.30.1", + "@ast-grep/cli-win32-arm64-msvc": "0.30.1", + "@ast-grep/cli-win32-ia32-msvc": "0.30.1", + "@ast-grep/cli-win32-x64-msvc": "0.30.1" } }, "node_modules/@ast-grep/cli-darwin-arm64": { - "version": "0.20.2", - "resolved": "https://registry.npmjs.org/@ast-grep/cli-darwin-arm64/-/cli-darwin-arm64-0.20.2.tgz", - "integrity": "sha512-gBjMyd42ajDzzRjVKMg81slI7Nkp+0BWIBcCa3ZD0jqf9yQ5I+lAHKkDuC31kzcXw6XF2SSlIICRn9mEQhr21w==", + "version": "0.30.1", + "resolved": "https://registry.npmjs.org/@ast-grep/cli-darwin-arm64/-/cli-darwin-arm64-0.30.1.tgz", + "integrity": "sha512-/ORnqrAnIieWVNmH1SxTLuitGbsImbtFB77feK9oYqCTOFrcCP5W1ldzXBtspm96nynA+X6e1TxGwDwG7Gr1og==", "cpu": [ "arm64" ], @@ -55,9 +55,9 @@ } }, "node_modules/@ast-grep/cli-darwin-x64": { - "version": "0.20.2", - "resolved": "https://registry.npmjs.org/@ast-grep/cli-darwin-x64/-/cli-darwin-x64-0.20.2.tgz", - "integrity": "sha512-sllsHYgRceB4dt1ncnIjVCO449/fewNt8eqcygmomOkdQzRR81UIcuR/ruIZdVti1rqNhMNKhE5mf+GUITA1GQ==", + "version": "0.30.1", + "resolved": "https://registry.npmjs.org/@ast-grep/cli-darwin-x64/-/cli-darwin-x64-0.30.1.tgz", + "integrity": "sha512-oTe0nvGqwlI40qC1cGOSEU+tPLWi7KHolwEXWoWOqYwy9JKh9KTNvz7wuA9uKAxe/JEBNEbTPpgLlwN8wHyONg==", "cpu": [ "x64" ], 
@@ -71,9 +71,9 @@ } }, "node_modules/@ast-grep/cli-linux-arm64-gnu": { - "version": "0.20.2", - "resolved": "https://registry.npmjs.org/@ast-grep/cli-linux-arm64-gnu/-/cli-linux-arm64-gnu-0.20.2.tgz", - "integrity": "sha512-7gm6ei4oiMA1u8BXbKBX6+daQhlmS1DqhliQdFmIrOJLv3oB5fBMIk3gn+0UMDthDHZIeoJn+ig2BOcfqaoyGg==", + "version": "0.30.1", + "resolved": "https://registry.npmjs.org/@ast-grep/cli-linux-arm64-gnu/-/cli-linux-arm64-gnu-0.30.1.tgz", + "integrity": "sha512-v+YhYb7wAs7j8X6m1WemNajy/Uo6+ng8tPBSgWsPzYS4+BHbHaD3+MLMyw5uRY5N0sRDpDLQcMemLEUFyVSDpg==", "cpu": [ "arm64" ], @@ -87,9 +87,9 @@ } }, "node_modules/@ast-grep/cli-linux-x64-gnu": { - "version": "0.20.2", - "resolved": "https://registry.npmjs.org/@ast-grep/cli-linux-x64-gnu/-/cli-linux-x64-gnu-0.20.2.tgz", - "integrity": "sha512-mAd1msrGRmsk7omlqPhqEUiBjs4Q/C+xUBAIw2yX18g5Aq07zPc2KWwA2wGwaa9dBYr0gnZd1o9DiSrDeUJpEA==", + "version": "0.30.1", + "resolved": "https://registry.npmjs.org/@ast-grep/cli-linux-x64-gnu/-/cli-linux-x64-gnu-0.30.1.tgz", + "integrity": "sha512-201roQu7EEi9h3wLFXHhr1j3VHPAnaqYPwJgR8OhKd82IWYSy2Cm245Xdesgav0BDk/3gZ2u/9drBdPaFd27mA==", "cpu": [ "x64" ], @@ -103,9 +103,9 @@ } }, "node_modules/@ast-grep/cli-win32-arm64-msvc": { - "version": "0.20.2", - "resolved": "https://registry.npmjs.org/@ast-grep/cli-win32-arm64-msvc/-/cli-win32-arm64-msvc-0.20.2.tgz", - "integrity": "sha512-VJEum6wD+jfkWR7mxT9DlXovY0SZMIlgvTx/3dmQAiEbk0NiKwit6kofKW3+smHQlVxdtznDSLfKcfll+WhEmA==", + "version": "0.30.1", + "resolved": "https://registry.npmjs.org/@ast-grep/cli-win32-arm64-msvc/-/cli-win32-arm64-msvc-0.30.1.tgz", + "integrity": "sha512-7NEdAQKH+k/yT6tcjrPJi6YdOed8On+qNeXXTWQXdqDKHlG+PWpmKDrD56ud1Q+fRicZ3VC3w5AqtCoXS3g4AQ==", "cpu": [ "arm64" ], 
@@ -119,9 +119,9 @@ } }, "node_modules/@ast-grep/cli-win32-ia32-msvc": { - "version": "0.20.2", - "resolved": "https://registry.npmjs.org/@ast-grep/cli-win32-ia32-msvc/-/cli-win32-ia32-msvc-0.20.2.tgz", - "integrity": "sha512-d2hlxWVENNsRNN9XTiuxv6UhjbfMj8F+4D6D/Uyfyah35E3UejyNxf9K3NymoCOSdpp+YX2iiP9pW1aMQjurgw==", + "version": "0.30.1", + "resolved": "https://registry.npmjs.org/@ast-grep/cli-win32-ia32-msvc/-/cli-win32-ia32-msvc-0.30.1.tgz", + "integrity": "sha512-TP4goLFd2Da9MvPGcWv5kUkFByPiq2MctduP36w8jwIYx03QjXQU8AqDjA7Ym03420Q1ReFnOOLUcedOsgNN0g==", "cpu": [ "ia32" ], @@ -135,9 +135,9 @@ } }, "node_modules/@ast-grep/cli-win32-x64-msvc": { - "version": "0.20.2", - "resolved": "https://registry.npmjs.org/@ast-grep/cli-win32-x64-msvc/-/cli-win32-x64-msvc-0.20.2.tgz", - "integrity": "sha512-j25nRYCD1qItZYPagWMqQCwHt8MyEUEFYXMJnQDbieS5OwKz98ErC3TnlRa3XRWGEk/4tIldzTGNQlAGpQKMYQ==", + "version": "0.30.1", + "resolved": "https://registry.npmjs.org/@ast-grep/cli-win32-x64-msvc/-/cli-win32-x64-msvc-0.30.1.tgz", + "integrity": "sha512-EXXiCAbAXqcFTMj8RGU3ut4oThpgHmdPZ7bJOLtB0or5otkyGrcVYPYElN/GTZjDY+hpxS1gkAtrvRVciOa/WQ==", "cpu": [ "x64" ], diff --git a/package.json b/package.json index 6a7ebc07..4e30e75a 100644 --- a/package.json +++ b/package.json @@ -10,6 +10,6 @@ "author": "", "license": "ISC", "devDependencies": { - "@ast-grep/cli": "^0.20.2" + "@ast-grep/cli": "^0.30.1" } -} +} \ No newline at end of file diff --git a/rules/c/security/info-leak-on-non-formated-string.yml b/rules/c/security/info-leak-on-non-formated-string.yml deleted file mode 100644 index ff0aa5dd..00000000 --- a/rules/c/security/info-leak-on-non-formated-string.yml +++ /dev/null 
@@ -1,13 +0,0 @@
-id: info-leak-on-non-formated-string
-language: c
-severity: warning
-message: >-
- Information leak on non-formatted string detected. This can lead to security
- vulnerabilities. Use formatted strings to prevent information leaks.
-note: >-
- [CWE-532] Insertion of Sensitive Information into Log File
- [OWASP A09:2021] Security Logging and Monitoring Failures
- [REFERENCES]
- - http://nebelwelt.net/files/13PPREW.pdf
-rule:
- pattern: 'printf($A);'
\ No newline at end of file
diff --git a/rules/c/security/insecure-use-gets-function.yml b/rules/c/security/insecure-use-gets-function.yml
deleted file mode 100644
index 302ca852..00000000
--- a/rules/c/security/insecure-use-gets-function.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-id: insecure-use-gets-function
-language: c
-message: >-
- Avoid 'gets()' function, it does not consider buffer boundaries and can lead
- to buffer overflows. Use 'fgets()' or 'gets_s()' instead.
-note: >-
- [CWE-676] Use of Potentially Dangerous Function
- [REFERENCES]
- - https://us-cert.cisa.gov/bsi/articles/knowledge/coding-practices/fgets-and-gets_s
-severity: warning
-rule:
- pattern: gets($$$);
\ No newline at end of file
diff --git a/rules/c/security/insecure-use-memset.yml b/rules/c/security/insecure-use-memset.yml
deleted file mode 100644
index 3b2d18a0..00000000
--- a/rules/c/security/insecure-use-memset.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-id: insecure-use-memset-function
-language: c
-message: >-
- Avoid 'memset()' function, it does not consider buffer boundaries and can lead
- to buffer overflows. Use 'memset_s()' instead.
-severity: warning
-note: >-
- [CWE-14]: Compiler Removal of Code to Clear Buffers
- [OWASP A04:2021] Insecure Design
- [REFERENCES]
- - https://cwe.mitre.org/data/definitions/14.html
- - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/
-rule:
- pattern: memset($$$);
\ No newline at end of file
diff --git a/rules/c/security/insecure-use-scanf-function.yml b/rules/c/security/insecure-use-scanf-function.yml
deleted file mode 100644
index 5acefcb2..00000000
--- a/rules/c/security/insecure-use-scanf-function.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-id: insecure-use-scanf-function
-language: c
-message: >-
- Avoid 'scanf()' function, it does not consider buffer boundaries and can lead
- to buffer overflows. Use 'fgets()' or 'scanf_s()' instead.
-severity: warning
-note: >-
- [CWE-676]: Use of Potentially Dangerous Function
- [REFERENCES]
- - http://sekrit.de/webdocs/c/beginners-guide-away-from-scanf.html
-rule:
- pattern: scanf($$$);
\ No newline at end of file
diff --git a/rules/c/security/insecure-use-strcat-function.yml b/rules/c/security/insecure-use-strcat-function.yml
deleted file mode 100644
index 804ca02e..00000000
--- a/rules/c/security/insecure-use-strcat-function.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-id: insecure-use-strcat-function
-language: c
-message: >-
- Avoid 'strcat()' or 'strncat()' functions, it does not consider buffer boundaries and can lead
- to buffer overflows. Use 'strcat_s()' instead.
-severity: warning
-note: >-
- [CWE-676]: Use of Potentially Dangerous Function
- [REFERENCES]
- - https://nvd.nist.gov/vuln/detail/CVE-2019-12553
- - https://techblog.mediaservice.net/2020/04/cve-2020-2851-stack-based-buffer-overflow-in-cde-libdtsvc/
-rule:
- any:
- - pattern: strcat($$$);
- - pattern: strncat($$$);
\ No newline at end of file
diff --git a/rules/c/security/insecure-use-string-copy-function.yml b/rules/c/security/insecure-use-string-copy-function.yml
deleted file mode 100644
index c373ffde..00000000
--- a/rules/c/security/insecure-use-string-copy-function.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-id: insecure-use-string-copy-function
-language: c
-severity: warning
-message: >-
- Avoid 'strcpy()' or 'strncpy()' function, it does not consider buffer boundaries and can lead
- to buffer overflows. Use 'strcpy_s()' instead.
-note: >-
- [CWE-676]: Use of Potentially Dangerous Function
- [REFERENCES]
- - https://cwe.mitre.org/data/definitions/676
- - https://nvd.nist.gov/vuln/detail/CVE-2019-11365
-rule:
- any:
- - pattern: strcpy($$$);
- - pattern: strncpy($$$);
\ No newline at end of file
diff --git a/rules/c/security/insecure-use-strtok-function.yml b/rules/c/security/insecure-use-strtok-function.yml
deleted file mode 100644
index f91fbd39..00000000
--- a/rules/c/security/insecure-use-strtok-function.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-id: insecure-use-strtok-function
-language: c
-severity: warning
-message: >-
- Avoid 'strtok()' function, it is not reentrant and can lead to security
- vulnerabilities. Use 'strtok_r()' instead.
-note: >-
- [CWE-676]: Use of Potentially Dangerous Function
- [REFERENCES]
- - https://wiki.sei.cmu.edu/confluence/display/c/STR06-C.+Do+not+assume+that+strtok%28%29+leaves+the+parse+string+unchanged
-rule:
- pattern: strtok($$$);
\ No newline at end of file
diff --git a/rules/csharp/security/binary-formatter.yml b/rules/csharp/security/binary-formatter.yml
deleted file mode 100644
index cbed2320..00000000
--- a/rules/csharp/security/binary-formatter.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-id: binary-formatter
-language: csharp
-message: 'Avoid using BinaryFormatter, it is insecure and can lead to remote code execution'
-severity: warning
-note: >-
- [CWE-502]: Deserialization of Untrusted Data
- [OWASP A08:2017]: Insecure Deserialization
- [OWASP A08:2021]: Software and Data Integrity Failures
- [REFERENCES]
- - https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide
-rule:
- pattern: new BinaryFormatter()
\ No newline at end of file
diff --git a/rules/csharp/security/data-contract-resolver.yml b/rules/csharp/security/data-contract-resolver.yml
deleted file mode 100644
index e52a0081..00000000
--- a/rules/csharp/security/data-contract-resolver.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-id: data-contract-resolver
-language: csharp
-note: >-
- [CWE-502]: Deserialization of Untrusted Data
- [OWASP A08:2017]: Insecure Deserialization
- [OWASP A08:2021]: Software and Data Integrity Failures
- [REFERENCES]
- - https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide
-message: >-
- Use DataContractResolver if you are sure that the data is safe to deserialize.
-severity: warning
-rule:
- pattern: |
- class $DCR : DataContractResolver { $$$ }
\ No newline at end of file
diff --git a/rules/csharp/security/html-raw-json.yml b/rules/csharp/security/html-raw-json.yml
deleted file mode 100644
index c2736373..00000000
--- a/rules/csharp/security/html-raw-json.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-id: html-raw-json
-language: csharp
-message: >-
- Avoid using '@Html.Raw(Json.Encode())', '@Html.Raw(JsonConvert.SerializeObject())' or '@Html.Raw().ToJson()' to prevent Cross-Site Scripting (XSS) attacks.
- Use '@Html.Raw()' only when necessary and ensure that the data is properly sanitized.
- For more information checkout the references.
-note: >-
- [CWE-79]: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- [OWASP Top 10 2017]: A07:2017 - Cross-Site Scripting (XSS)
- [OWASP Top 10 2021]: A03:2021 - Injection
- [REFERENCES]
- - https://owasp.org/Top10/A03_2021-Injection
-severity: warning
-rule:
- any:
- - pattern: '@Html.Raw(Json.Encode($$$))'
- - pattern: '@Html.Raw(JsonConvert.SerializeObject($$$))'
- - pattern: '@Html.Raw($$$ToJson($$$))'
\ No newline at end of file
diff --git a/rules/csharp/security/insecure-fspickler-deserialization.yml b/rules/csharp/security/insecure-fspickler-deserialization.yml
deleted file mode 100644
index 8b2139b5..00000000
--- a/rules/csharp/security/insecure-fspickler-deserialization.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-id: insecure-fspickler-deserialization
-severity: warning
-language: csharp
-message: Avoid using FSPickler, it is insecure and can lead to remote code execution
-note: >-
- [CWE-502]: Deserialization of Untrusted Data
- [OWASP A08:2017]: Insecure Deserialization
- [OWASP A08:2021]: Software and Data Integrity Failures
- [REFERENCES]
- - https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution
-rule:
- pattern: FsPickler.CreateJsonSerializer()
\ No newline at end of file
diff --git a/rules/csharp/security/insecure-netdatacontract-deserialization.yml b/rules/csharp/security/insecure-netdatacontract-deserialization.yml
deleted file mode 100644
index 88854865..00000000
--- a/rules/csharp/security/insecure-netdatacontract-deserialization.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-id: insecure-netdatacontract-deserialization
-severity: warning
-language: csharp
-message: Avoid using NetDataContractSerializer, it is insecure and can lead to remote code execution
-note: >-
- [CWE-502]: Deserialization of Untrusted Data
- [OWASP A08:2017]: Insecure Deserialization
- [OWASP A08:2021]: Software and Data Integrity Failures
- [REFERENCES]
- - https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.netdatacontractserializer?view=netframework-4.8
-rule:
- pattern: new NetDataContractSerializer()
\ No newline at end of file
diff --git a/rules/csharp/security/los-formatter.yml b/rules/csharp/security/los-formatter.yml
deleted file mode 100644
index 83b24a79..00000000
--- a/rules/csharp/security/los-formatter.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-id: los-formatter
-language: csharp
-message: 'Avoid using LosFormatter, it is insecure and can lead to remote code execution'
-severity: warning
-note: >-
- [CWE-502]: Deserialization of Untrusted Data
- [OWASP A08:2017]: Insecure Deserialization
- [OWASP A08:2021]: Software and Data Integrity Failures
- [REFERENCES]
- - https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.webcontrols.losformatter?view=netframework-4.8
-rule:
- pattern: new LosFormatter()
\ No newline at end of file
diff --git a/rules/java/security/blowfish-insufficient-key-size-java.yml b/rules/java/security/blowfish-insufficient-key-size-java.yml
new file mode 100644
index 00000000..733e8702
--- /dev/null
+++ b/rules/java/security/blowfish-insufficient-key-size-java.yml
@@ -0,0 +1,62 @@
+id: blowfish-insufficient-key-size-java
+severity: warning
+language: java
+message: >-
+ Using less than 128 bits for Blowfish is considered insecure. Use 128
+ bits or more, or switch to use AES instead.
+note: >-
+ [CWE-326] Inadequate Encryption Strength.
+ [REFERENCES]
+ - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+utils:
+ MATCH_PATTERN_KEYGENERATOR:
+ kind: expression_statement
+ all:
+ - has:
+ stopBy: end
+ kind: method_invocation
+ all:
+ - has:
+ stopBy: end
+ kind: identifier
+ - has:
+ stopBy: neighbor
+ kind: identifier
+ regex: '\binit\b'
+ - has:
+ stopBy: end
+ kind: argument_list
+ has:
+ stopBy: end
+ kind: decimal_integer_literal
+ pattern: $R
+ - follows:
+ stopBy: end
+ kind: local_variable_declaration
+ has:
+ stopBy: end
+ kind: method_invocation
+ all:
+ - has:
+ stopBy: neighbor
+ kind: identifier
+ regex: '\bKeyGenerator\b'
+ - has:
+ stopBy: neighbor
+ kind: identifier
+ regex: '\bgetInstance\b'
+ - has:
+ stopBy: neighbor
+ kind: argument_list
+ has:
+ stopBy: neighbor
+ kind: string_literal
+ regex: '\bBlowfish\b'
+
+rule:
+ kind: expression_statement
+ matches: MATCH_PATTERN_KEYGENERATOR
+
+constraints:
+ R:
+ regex: ^(?:[1-9]?[0-9]|1[01][0-9]|127)$
diff --git a/rules/java/security/cbc-padding-oracle-java.yml b/rules/java/security/cbc-padding-oracle-java.yml
new file mode 100644
index 00000000..78f11cef
--- /dev/null
+++ b/rules/java/security/cbc-padding-oracle-java.yml
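Review bot: The `follows` branch only accepts a `local_variable_declaration` sibling, so a generator obtained through a plain assignment (`keyGen = KeyGenerator.getInstance("Blowfish");`, which is an `expression_statement`) or stored in a field before `init` is called is not reported, and the test file has no case for it. Wrapping the `follows` target in `any:` with an `expression_statement` alternative that carries the same `method_invocation` check closes that gap; the rewritten relational rule is sketched below. The key size is also matched only as a `decimal_integer_literal`, so `init(0x40)` or a named constant is missed — worth a sentence in the rule's `note`. The unconstrained `- has: stopBy: end kind: identifier` inside the `init` branch appears to match any identifier in the invocation and so adds nothing; presumably it was meant to pin the receiver to the declared variable.
```yaml
      - follows:
          stopBy: end
          any:
            - kind: local_variable_declaration
            - kind: expression_statement
          has:
            stopBy: end
            kind: method_invocation
            # … unchanged: KeyGenerator / getInstance / "Blowfish" checks …
```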
@@ -0,0 +1,17 @@
+id: cbc-padding-oracle-java
+severity: warning
+language: java
+message: >-
+ Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A
+ malicious actor could discern the difference between plaintext with valid
+ or invalid padding. Further, CBC mode does not include any integrity
+ checks. Use 'AES/GCM/NoPadding' instead.
+note: >-
+ [CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
+ [REFERENCES]
+ - https://capec.mitre.org/data/definitions/463.html
+rule:
+ pattern: Cipher.getInstance($MODE)
+constraints:
+ MODE:
+ regex: ".*/CBC/PKCS5Padding"
diff --git a/rules/java/security/cbc-padding-oracle.yml b/rules/java/security/cbc-padding-oracle.yml
deleted file mode 100644
index 0cb62145..00000000
--- a/rules/java/security/cbc-padding-oracle.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-id: cbd-padding-oracle
-severity: warning
-language: java
-message: >-
- Using CBC with PKCS5Padding is susceptible to padding oracle attacks.
- Use a secure mode of operation like GCM or CCM instead.
-note: >-
- [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm
- [OWASP A03:2017]: Sensitive Data Exposure
- [OWASP A02:2021]: Cryptographic Failures
- [REFERENCES]
- - https://capec.mitre.org/data/definitions/463.html
- - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes
- - https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY
-rule:
- pattern: Cipher.getInstance("AES/CBC/PKCS5Padding")
\ No newline at end of file
diff --git a/rules/java/security/cookie-missing-httponly-java.yml b/rules/java/security/cookie-missing-httponly-java.yml
new file mode 100644
index 00000000..57fa66aa
--- /dev/null
+++ b/rules/java/security/cookie-missing-httponly-java.yml
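Review bot: The `MODE` constraint `regex: ".*/CBC/PKCS5Padding"` is case-sensitive, while JCA transformation names are case-insensitive, so `Cipher.getInstance("AES/cbc/pkcs5padding")` is accepted by the JDK but never reported; ast-grep regexes are unanchored, so the leading `.*` also changes nothing. `regex: '(?i)/CBC/PKCS[57]Padding'` covers the case variants and the `PKCS7Padding` spelling that some providers (Bouncy Castle, for one) accept for the same padding, and the test file should then gain a lower-case transformation under `invalid`. Because the constraint is evaluated on the matched node's text, a transformation held in a constant or built at runtime still goes unreported; that is inherent to the pattern and fair to state in `note`.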
@@ -0,0 +1,23 @@
+id: cookie-missing-httponly-java
+severity: warning
+language: java
+message: >-
+ A cookie was detected without setting the 'HttpOnly' flag. The
+ 'HttpOnly' flag for cookies instructs the browser to forbid client-side
+ scripts from reading the cookie. Set the 'HttpOnly' flag by calling
+ 'cookie.setHttpOnly(true);
+note: >-
+ [CWE-1004] Sensitive Cookie Without 'HttpOnly' Flag.
+ [REFERENCES]
+ - https://owasp.org/www-community/HttpOnly
+rule:
+ pattern: $RESPONSE.addCookie($COOKIE);
+ all:
+ - not:
+ follows:
+ stopBy: end
+ pattern: $COOKIE.setValue("");
+ - not:
+ follows:
+ stopBy: end
+ pattern: $COOKIE.setHttpOnly($$$);
diff --git a/rules/java/security/cookie-missing-secure-flag-java.yml b/rules/java/security/cookie-missing-secure-flag-java.yml
new file mode 100644
index 00000000..fc75bbb6
--- /dev/null
+++ b/rules/java/security/cookie-missing-secure-flag-java.yml
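Review bot: The `message` ends with an unclosed quote, `'cookie.setHttpOnly(true);`, which should read `'cookie.setHttpOnly(true);'`. More importantly, the second exclusion `pattern: $COOKIE.setHttpOnly($$$);` suppresses the finding for `cookie.setHttpOnly(false);` as well, so an explicit opt-out reads as safe; `pattern: $COOKIE.setHttpOnly(true);` would still report it, and an `invalid` sample with the `false` form belongs in the test file. Both `follows` checks only see preceding statements in the same block, so a cookie configured in a helper method or inside an `if` before `addCookie` is still flagged; a sentence in `note` saying so would save users a false-positive hunt.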
@@ -0,0 +1,53 @@
+id: cookie-missing-secure-flag-java
+language: java
+severity: warning
+message: >-
+ A cookie was detected without setting the 'secure' flag. The 'secure'
+ flag for cookies prevents the client from transmitting the cookie over
+ insecure channels such as HTTP. Set the 'secure' flag by calling
+ '$COOKIE.setSecure(true);'.
+note: >-
+ [CWE-614] Sensitive Cookie in HTTPS Session Without 'Secure' Attribute.
+ [REFERENCES]
+ - https://owasp.org/www-community/controls/SecureCookieAttribute
+utils:
+ MATCH_RESPONSE_COOKIE_STATEMENT:
+ kind: expression_statement
+ all:
+ - has:
+ stopBy: neighbor
+ kind: method_invocation
+ all:
+ - has:
+ stopBy: neighbor
+ kind: identifier
+ regex: "response"
+ - has:
+ stopBy: neighbor
+ kind: identifier
+ regex: "addCookie"
+ - has:
+ stopBy: neighbor
+ kind: argument_list
+ has:
+ stopBy: neighbor
+ kind: identifier
+ - not:
+ follows:
+ stopBy: end
+ kind: expression_statement
+ all:
+ - has:
+ stopBy: end
+ kind: identifier
+ - has:
+ stopBy: end
+ kind: identifier
+ regex: "setSecure|setValue"
+ - has:
+ stopBy: end
+ kind: argument_list
+
+rule:
+ kind: expression_statement
+ matches: MATCH_RESPONSE_COOKIE_STATEMENT
diff --git a/rules/java/security/des-is-deprecated-java.yml b/rules/java/security/des-is-deprecated-java.yml
new file mode 100644
index 00000000..8ce1895b
--- /dev/null
+++ b/rules/java/security/des-is-deprecated-java.yml
@@ -0,0 +1,16 @@
+id: des-is-deprecated-java
+severity: warning
+language: java
+message: >-
+ DES is considered deprecated. AES is the recommended cipher. Upgrade to
+ use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard
+ for more information.
+note: >-
+ [CWE-326] Inadequate Encryption Strength.
+ [REFERENCES]
+ - https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard
+rule:
+ pattern: $CIPHER.getInstance($SAS)
+constraints:
+ SAS:
+ regex: "DES"
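Review bot: The `message` refers to `'$COOKIE.setSecure(true);'`, but this `utils`-based rule captures no `$COOKIE` metavariable, so the text is emitted literally; write `'cookie.setSecure(true);'` as the HttpOnly rule does. The receiver check `regex: "response"` limits the rule to variables whose name contains `response`, so a `HttpServletResponse resp` parameter escapes it, and the `not: follows` exclusion accepts any earlier statement holding an identifier that matches `setSecure|setValue` plus any argument list — it is not tied to the cookie being added, so `otherCookie.setSecure(true)` or `cookie.setSecure(false)` also silences the finding. The shape already used by cookie-missing-httponly-java, `pattern: $RESPONSE.addCookie($COOKIE);` with `not: follows: pattern: $COOKIE.setSecure(true);` and a `setValue("")` exclusion, is both shorter and tighter. Whichever form stays, a `setSecure(false)` sample should sit in the test file's `invalid` list.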
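Review bot: The constraint `regex: "DES"` is unanchored and case-sensitive, so it fires on any `getInstance` argument whose text merely contains `DES` (a constant named `DESCRIPTOR`, for instance) and on `DESede`, while missing `"des/ECB/PKCS5Padding"`, which the JDK accepts because algorithm names are case-insensitive. Anchoring on the string literal, `regex: '(?i)^"DES(?:ede)?(?:/|")'`, restricts the match to DES and Triple DES and drops the substring false positives; if Triple DES is meant to be covered, the `message` should say so rather than only mention DES. `$CIPHER.getInstance` also matches `KeyGenerator.getInstance("DES")` and `SecretKeyFactory.getInstance("DES")`, which is presumably intended, yet the test file only exercises `Cipher`.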
diff --git a/tests/java/blowfish-insufficient-key-size-java-test.yml b/tests/java/blowfish-insufficient-key-size-java-test.yml
new file mode 100644
index 00000000..cb412a9c
--- /dev/null
+++ b/tests/java/blowfish-insufficient-key-size-java-test.yml
@@ -0,0 +1,13 @@
+id: blowfish-insufficient-key-size-java
+valid:
+ - |
+ public void safeKeySize() {
+ KeyGenerator keyGen = KeyGenerator.getInstance("Blowfish");
+ keyGen.init(128);
+ }
+invalid:
+ - |
+ public void unsafeKeySize() {
+ KeyGenerator keyGen = KeyGenerator.getInstance("Blowfish");
+ keyGen.init(64);
+ }
diff --git a/tests/java/cbc-padding-oracle-java-test.yml b/tests/java/cbc-padding-oracle-java-test.yml
new file mode 100644
index 00000000..8a0336cf
--- /dev/null
+++ b/tests/java/cbc-padding-oracle-java-test.yml
@@ -0,0 +1,7 @@
+id: cbc-padding-oracle-java
+valid:
+ - |
+ Cipher.getInstance("AES/GCM/NoPadding");
+invalid:
+ - |
+ Cipher.getInstance("AES/CBC/PKCS5Padding");
diff --git a/tests/java/cbc-padding-oracle-test.yml b/tests/java/cbc-padding-oracle-test.yml
deleted file mode 100644
index 2085aa72..00000000
--- a/tests/java/cbc-padding-oracle-test.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-id: cbc-padding-oracle
-valid:
- - |
- Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
- c.init(Cipher.ENCRYPT_MODE, k, iv);
- byte[] cipherText = c.doFinal(plainText);
-invalid:
- - |
- Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
- IvParameterSpec iv = new IvParameterSpec(new byte[16]);
- cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(new byte[16], "AES"), iv);
\ No newline at end of file
diff --git a/tests/java/cookie-missing-httponly-java-test.yml b/tests/java/cookie-missing-httponly-java-test.yml
new file mode 100644
index 00000000..18e55379
--- /dev/null
+++ b/tests/java/cookie-missing-httponly-java-test.yml
@@ -0,0 +1,19 @@
+id: cookie-missing-httponly-java
+valid:
+ - |
+ existingCookie.setValue("");
+ existingCookie.setMaxAge(0);
+ response.addCookie(existingCookie);
+invalid:
+ - |
+ @RequestMapping(value = "/cookie1", method = "GET")
+ public void setCookie(@RequestParam String value, HttpServletResponse response) {
+ Cookie cookie = new Cookie("cookie", value);
+ response.addCookie(cookie);
+ }
+ @RequestMapping(value = "/cookie2", method = "GET")
+ public void setSecureCookie(@RequestParam String value, HttpServletResponse response) {
+ Cookie cookie = new Cookie("cookie", value);
+ cookie.setSecure(true);
+ response.addCookie(cookie);
+ }
diff --git a/tests/java/cookie-missing-secure-flag-java-test.yml b/tests/java/cookie-missing-secure-flag-java-test.yml
new file mode 100644
index 00000000..06940e03
--- /dev/null
+++ b/tests/java/cookie-missing-secure-flag-java-test.yml
@@ -0,0 +1,18 @@
+id: cookie-missing-secure-flag-java
+valid:
+ - |
+ @RequestMapping(value = "/cookie2", method = "GET")
+ public void setSecureCookie(@RequestParam String value, HttpServletResponse response) {
+ Cookie cookie = new Cookie("cookie", value);
+ cookie.setSecure(true);
+ response.addCookie(cookie);
+ }
+invalid:
+ - |
+ public class CookieController {
+
+ @RequestMapping(value = "/cookie1", method = "GET")
+ public void setCookie(@RequestParam String value, HttpServletResponse response) {
+ Cookie cookie = new Cookie("cookie", value);
+ response.addCookie(cookie);
+ }
diff --git a/tests/java/des-is-deprecated-java-test.yml b/tests/java/des-is-deprecated-java-test.yml
new file mode 100644
index 00000000..bc26dbd7
--- /dev/null
+++ b/tests/java/des-is-deprecated-java-test.yml
@@ -0,0 +1,7 @@
+id: des-is-deprecated-java
+valid:
+ - |
+ Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
+invalid:
+ - |
+ Cipher.getInstance("DES/ECB/PKCS5Padding");
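Review bot: In cookie-missing-secure-flag-java-test.yml the `invalid` fixture opens `public class CookieController {` and never closes it — the hunk's 18 lines contain no closing brace for the class — so the sample only parses through tree-sitter's error recovery, and the expected match may hinge on how an ERROR node is nested rather than on a well-formed `expression_statement`. Add the final `}` so the fixture is valid Java and the snapshot reflects real code. The neighbouring `valid` fixture is a bare annotated method, which parses cleanly; keeping both fixtures in the same shape avoids that asymmetry.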