diff --git a/package-lock.json b/package-lock.json
index e27fa3a8..3fc6cfdd 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -9,13 +9,13 @@
 "version": "1.0.0",
 "license": "ISC",
 "devDependencies": {
- "@ast-grep/cli": "^0.20.2"
+ "@ast-grep/cli": "^0.26.0"
 }
 },
 "node_modules/@ast-grep/cli": {
- "version": "0.20.2",
- "resolved": "https://registry.npmjs.org/@ast-grep/cli/-/cli-0.20.2.tgz",
- "integrity": "sha512-PhDdxSiyLTyZZ4udvKrthGPNDoNp1Euqfvql66eh5m4F+/PYjMwTPz/5lwYvHZpIr2MozZ1Jqm9W2btjwE3fnw==",
+ "version": "0.26.3",
+ "resolved": "https://registry.npmjs.org/@ast-grep/cli/-/cli-0.26.3.tgz",
+ "integrity": "sha512-5HiNeR4uuwVd01VqGW8J6v76PpmcEHG+1YzObXBGfr8XTV7zyYtx4KEVv7hi/PhTpeYylqsir0aRoPk1jlTjsA==",
 "dev": true,
 "hasInstallScript": true,
 "dependencies": {
@@ -29,19 +29,19 @@
 "node": ">= 12.0.0"
 },
 "optionalDependencies": {
- "@ast-grep/cli-darwin-arm64": "0.20.2",
- "@ast-grep/cli-darwin-x64": "0.20.2",
- "@ast-grep/cli-linux-arm64-gnu": "0.20.2",
- "@ast-grep/cli-linux-x64-gnu": "0.20.2",
- "@ast-grep/cli-win32-arm64-msvc": "0.20.2",
- "@ast-grep/cli-win32-ia32-msvc": "0.20.2",
- "@ast-grep/cli-win32-x64-msvc": "0.20.2"
+ "@ast-grep/cli-darwin-arm64": "0.26.3",
+ "@ast-grep/cli-darwin-x64": "0.26.3",
+ "@ast-grep/cli-linux-arm64-gnu": "0.26.3",
+ "@ast-grep/cli-linux-x64-gnu": "0.26.3",
+ "@ast-grep/cli-win32-arm64-msvc": "0.26.3",
+ "@ast-grep/cli-win32-ia32-msvc": "0.26.3",
+ "@ast-grep/cli-win32-x64-msvc": "0.26.3"
 }
 },
 "node_modules/@ast-grep/cli-darwin-arm64": {
- "version": "0.20.2",
- "resolved": "https://registry.npmjs.org/@ast-grep/cli-darwin-arm64/-/cli-darwin-arm64-0.20.2.tgz",
- "integrity": "sha512-gBjMyd42ajDzzRjVKMg81slI7Nkp+0BWIBcCa3ZD0jqf9yQ5I+lAHKkDuC31kzcXw6XF2SSlIICRn9mEQhr21w==",
+ "version": "0.26.3",
+ "resolved": "https://registry.npmjs.org/@ast-grep/cli-darwin-arm64/-/cli-darwin-arm64-0.26.3.tgz",
+ "integrity": "sha512-RM9g0sbcMfiNrxmHfMkfzkSNQFQrHQjcHYtHFnHFVj5uTJP6gXjQnUVLEJiB/glPDVRHCiMkSt/CY7WNaPcyew==",
 "cpu": [
 "arm64"
 ],
@@ -55,9 +55,9 @@
 }
 },
 "node_modules/@ast-grep/cli-darwin-x64": {
- "version": "0.20.2",
- "resolved": "https://registry.npmjs.org/@ast-grep/cli-darwin-x64/-/cli-darwin-x64-0.20.2.tgz",
- "integrity": "sha512-sllsHYgRceB4dt1ncnIjVCO449/fewNt8eqcygmomOkdQzRR81UIcuR/ruIZdVti1rqNhMNKhE5mf+GUITA1GQ==",
+ "version": "0.26.3",
+ "resolved": "https://registry.npmjs.org/@ast-grep/cli-darwin-x64/-/cli-darwin-x64-0.26.3.tgz",
+ "integrity": "sha512-6ayT5opqNr57vJYyAUYgrF5oRLlCzZ/c8t+bcIdkxGcugnqbOcKmleoaC4v3R/wWTAjil6DR12NCOnoouR99lw==",
 "cpu": [
 "x64"
 ],
@@ -71,9 +71,9 @@
 }
 },
 "node_modules/@ast-grep/cli-linux-arm64-gnu": {
- "version": "0.20.2",
- "resolved": "https://registry.npmjs.org/@ast-grep/cli-linux-arm64-gnu/-/cli-linux-arm64-gnu-0.20.2.tgz",
- "integrity": "sha512-7gm6ei4oiMA1u8BXbKBX6+daQhlmS1DqhliQdFmIrOJLv3oB5fBMIk3gn+0UMDthDHZIeoJn+ig2BOcfqaoyGg==",
+ "version": "0.26.3",
+ "resolved": "https://registry.npmjs.org/@ast-grep/cli-linux-arm64-gnu/-/cli-linux-arm64-gnu-0.26.3.tgz",
+ "integrity": "sha512-dTDbJqUgzkWxXjTJjeUJSAVgB7uL3M/34a8OoTB+VEZxGg2N/RSBSRinrTG4lIjeFk4OMJuM+2AppAjhaMTD+g==",
 "cpu": [
 "arm64"
 ],
@@ -87,9 +87,9 @@
 }
 },
 "node_modules/@ast-grep/cli-linux-x64-gnu": {
- "version": "0.20.2",
- "resolved": "https://registry.npmjs.org/@ast-grep/cli-linux-x64-gnu/-/cli-linux-x64-gnu-0.20.2.tgz",
- "integrity": "sha512-mAd1msrGRmsk7omlqPhqEUiBjs4Q/C+xUBAIw2yX18g5Aq07zPc2KWwA2wGwaa9dBYr0gnZd1o9DiSrDeUJpEA==",
+ "version": "0.26.3",
+ "resolved": "https://registry.npmjs.org/@ast-grep/cli-linux-x64-gnu/-/cli-linux-x64-gnu-0.26.3.tgz",
+ "integrity": "sha512-V2s+xFXmLKRidoVY6GLZCbofSgPGNXJgJehzhV8JdCVJw7yasl+03x6YSusan8vDon+LWtxjrKe6KDgWOMPEkw==",
 "cpu": [
 "x64"
 ],
@@ -103,9 +103,9 @@
 }
 },
 "node_modules/@ast-grep/cli-win32-arm64-msvc": {
- "version": "0.20.2",
- "resolved": "https://registry.npmjs.org/@ast-grep/cli-win32-arm64-msvc/-/cli-win32-arm64-msvc-0.20.2.tgz",
- "integrity": "sha512-VJEum6wD+jfkWR7mxT9DlXovY0SZMIlgvTx/3dmQAiEbk0NiKwit6kofKW3+smHQlVxdtznDSLfKcfll+WhEmA==",
+ "version": "0.26.3",
+ "resolved": "https://registry.npmjs.org/@ast-grep/cli-win32-arm64-msvc/-/cli-win32-arm64-msvc-0.26.3.tgz",
+ "integrity": "sha512-7FUCYHf6NonovqPSJ5dCEcI1cW8ipeX+jz+MTSLaI4lak2/FBkkYIjtRuRvpviUnjKHx0Ah7AmO6G1OGiKhzzg==",
 "cpu": [
 "arm64"
 ],
@@ -119,9 +119,9 @@
 }
 },
 "node_modules/@ast-grep/cli-win32-ia32-msvc": {
- "version": "0.20.2",
- "resolved": "https://registry.npmjs.org/@ast-grep/cli-win32-ia32-msvc/-/cli-win32-ia32-msvc-0.20.2.tgz",
- "integrity": "sha512-d2hlxWVENNsRNN9XTiuxv6UhjbfMj8F+4D6D/Uyfyah35E3UejyNxf9K3NymoCOSdpp+YX2iiP9pW1aMQjurgw==",
+ "version": "0.26.3",
+ "resolved": "https://registry.npmjs.org/@ast-grep/cli-win32-ia32-msvc/-/cli-win32-ia32-msvc-0.26.3.tgz",
+ "integrity": "sha512-phMsiig9GzQBJQJ75wOh98ug8uptbonBkLAAlkpJ2RF0QVrCWG+MqgYBHpSpJiaM/uRJ7IlFclLFc8kpON5cVQ==",
 "cpu": [
 "ia32"
 ],
@@ -135,9 +135,9 @@
 }
 },
 "node_modules/@ast-grep/cli-win32-x64-msvc": {
- "version": "0.20.2",
- "resolved": "https://registry.npmjs.org/@ast-grep/cli-win32-x64-msvc/-/cli-win32-x64-msvc-0.20.2.tgz",
- "integrity": "sha512-j25nRYCD1qItZYPagWMqQCwHt8MyEUEFYXMJnQDbieS5OwKz98ErC3TnlRa3XRWGEk/4tIldzTGNQlAGpQKMYQ==",
+ "version": "0.26.3",
+ "resolved": "https://registry.npmjs.org/@ast-grep/cli-win32-x64-msvc/-/cli-win32-x64-msvc-0.26.3.tgz",
+ "integrity": "sha512-gGX0AR4bpge4ITSD2I/6FaLtzeovujSVvkSSKTjI6PCZx6MMvJ3+8zcXEgwJSib7SliVquhabePjBpF4DLBC6g==",
 "cpu": [
 "x64"
 ],
diff --git a/package.json b/package.json
index ee4c8bcc..bb3dd417 100644
--- a/package.json
+++ b/package.json
@@ -12,6 +12,6 @@
 "author": "",
 "license": "ISC",
 "devDependencies": {
- "@ast-grep/cli": "^0.20.2"
+ "@ast-grep/cli": "^0.26.0"
 }
-}
+}
\ No newline at end of file
diff --git a/rules/java/security/cookie-secure-flag-false-java.yml b/rules/java/security/cookie-secure-flag-false-java.yml
new file mode 100644
index 00000000..cd5418f4
--- /dev/null
+++ b/rules/java/security/cookie-secure-flag-false-java.yml
@@ -0,0 +1,14 @@
+id: cookie-secure-flag-false-java
+language: java
+severity: warning
+message: >-
+ A cookie was detected without setting the 'secure' flag. The 'secure'
+ flag for cookies prevents the client from transmitting the cookie over
+ insecure channels such as HTTP. Set the 'secure' flag by calling
+ '$COOKIE.setSecure(true);'.
+note: >-
+ [CWE-614] Sensitive Cookie in HTTPS Session Without 'Secure' Attribute.
+ [REFERENCES]
+ - https://owasp.org/www-community/controls/SecureCookieAttribute
+rule:
+ pattern: $COOKIE.setSecure(false);
diff --git a/rules/java/security/documentbuilderfactory-external-general-entities-true-java.yml b/rules/java/security/documentbuilderfactory-external-general-entities-true-java.yml
new file mode 100644
index 00000000..6599fe87
--- /dev/null
+++ b/rules/java/security/documentbuilderfactory-external-general-entities-true-java.yml
@@ -0,0 +1,16 @@
+id: documentbuilderfactory-external-general-entities-true-java
+language: java
+severity: warning
+message: >-
+ External entities are allowed for $DBFACTORY. This is vulnerable to XML
+ external entity attacks. Disable this by setting the feature
+ "http://xml.org/sax/features/external-general-entities" to false.
+note: >-
+ [CWE-798]: Use of Hard-coded Credentials
+ [OWASP A07:2021]: Identification and Authentication Failures
+ [REFERENCES]
+ - https://blog.sonarsource.com/secure-xml-processor
+rule:
+ pattern:
+ $DBFACTORY.setFeature("http://xml.org/sax/features/external-general-entities",
+ true);
diff --git a/rules/java/security/use-of-rc2-java.yml b/rules/java/security/use-of-rc2-java.yml
new file mode 100644
index 00000000..ad7a2401
--- /dev/null
+++ b/rules/java/security/use-of-rc2-java.yml
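Review bot: The message says a cookie "without setting the 'secure' flag" is detected, but the pattern `$COOKIE.setSecure(false);` only matches an explicit `false` argument, so a cookie added with no `setSecure` call at all is never reported — the test file's own `valid` case, `response.addCookie(cookie);` on its own, confirms this. Either narrow the message to what the rule does, e.g. `A cookie was detected with the 'secure' flag explicitly set to false.`, or add a second rule that reports `addCookie` calls not preceded by `$COOKIE.setSecure(true)`, in the style of the `precedes`/`not` clause the Scala XMLInputFactory rule in this commit uses. The trailing `;` also restricts the match to a full statement; the RC2 rule in this commit omits it and its snapshot shows the call nested inside `useCipher(...)` being matched, so `pattern: $COOKIE.setSecure(false)` would be both consistent and wider.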
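Review bot: The `note` block maps this rule to `[CWE-798]: Use of Hard-coded Credentials` and `[OWASP A07:2021]: Identification and Authentication Failures`, which describe credential handling, while the pattern detects enabling external general entities — the XXE exposure the message itself describes. Use `[CWE-611] Improper Restriction of XML External Entity Reference` and `[OWASP A05:2021] Security Misconfiguration`, the category XXE was folded into in the 2021 list. The id and metavariable are DocumentBuilderFactory-specific, yet the test and snapshot already pass `spf.setFeature(...)` through the same pattern and the message wording (`allowed for $DBFACTORY`) holds for any factory, so the rule name under-describes what it matches.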
@@ -0,0 +1,13 @@
+id: use-of-rc2-java
+language: java
+severity: warning
+message: >-
+ Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and
+ is therefore considered non-compliant. Instead, use a strong, secure.
+note: >-
+ [CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
+ [REFERENCES]
+ - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+ - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
+rule:
+ pattern: $CIPHER.getInstance("RC2")
diff --git a/rules/scala/security/xmlinputfactory-dtd-enabled-scala.yml b/rules/scala/security/xmlinputfactory-dtd-enabled-scala.yml
index 9ba9cb7f..732fddc9 100644
--- a/rules/scala/security/xmlinputfactory-dtd-enabled-scala.yml
+++ b/rules/scala/security/xmlinputfactory-dtd-enabled-scala.yml
@@ -19,7 +19,4 @@ rule:
 - pattern: new XMLInputFactory($$$)
 precedes:
 not:
- pattern: $XMLFACTORY.setProperty($MODE, false)
-constraints:
- MODE:
- regex: "javax.xml.stream.isSupportingExternalEntities"
+ pattern: $XMLFACTORY.setProperty(javax.xml.stream.isSupportingExternalEntities, false)
diff --git a/tests/__snapshots__/cookie-secure-flag-false-java-snapshot.yml b/tests/__snapshots__/cookie-secure-flag-false-java-snapshot.yml
new file mode 100644
index 00000000..b4c1bec6
--- /dev/null
+++ b/tests/__snapshots__/cookie-secure-flag-false-java-snapshot.yml
@@ -0,0 +1,9 @@
+id: cookie-secure-flag-false-java
+snapshots:
+ ? |
+ cookie.setSecure(false);
+ : labels:
+ - source: cookie.setSecure(false);
+ style: primary
+ start: 0
+ end: 24
diff --git a/tests/__snapshots__/documentbuilderfactory-external-general-entities-true-java-snapshot.yml b/tests/__snapshots__/documentbuilderfactory-external-general-entities-true-java-snapshot.yml
new file mode 100644
index 00000000..238311e7
--- /dev/null
+++ b/tests/__snapshots__/documentbuilderfactory-external-general-entities-true-java-snapshot.yml
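Review bot: The message is truncated: `Instead, use a strong, secure.` ends mid-sentence, and a complete line such as `Instead, use a strong, modern cipher such as AES in an authenticated mode (AES/GCM/NoPadding).` is needed. The second reference, `rc4-is-still-considered-harmful`, is about RC4 rather than RC2 and does not support the message. The pattern `$CIPHER.getInstance("RC2")` only matches the bare algorithm name, so a JCE transformation string such as `"RC2/CBC/PKCS5Padding"` is not reported, and `tests/java/use-of-rc2-java-test.yml` has no `invalid` case for that form. A metavariable with a `constraints` regex — the mechanism the Scala rule in this commit removes — covers both spellings; the rewritten `rule` section follows.
```yaml
rule:
  pattern: $CIPHER.getInstance($ALGO)
constraints:
  ALGO:
    regex: '(?i)^"RC2(/|"$)'
```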
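Review bot: The replacement pattern `$XMLFACTORY.setProperty(javax.xml.stream.isSupportingExternalEntities, false)` writes the property name as a bare dotted identifier, so it is parsed as a field-access expression rather than the string literal `"javax.xml.stream.isSupportingExternalEntities"` that callers pass; if so, the `not:` branch never matches and a factory that correctly disables external entities is still reported. The removed `constraints`/`regex` form did match the literal's text. Either quote the name in the pattern, `pattern: $XMLFACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities", false)`, or keep `$MODE` with a regex constraint so that both the string form and the `XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES` constant are recognised. The enclosing `rule:` block starts above the hunk.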
@@ -0,0 +1,10 @@
+id: documentbuilderfactory-external-general-entities-true-java
+snapshots:
+ ? |
+ dbf.setFeature("http://xml.org/sax/features/external-general-entities" , true);
+ spf.setFeature("http://xml.org/sax/features/external-general-entities" , true);
+ : labels:
+ - source: dbf.setFeature("http://xml.org/sax/features/external-general-entities" , true);
+ style: primary
+ start: 0
+ end: 79
diff --git a/tests/__snapshots__/use-of-rc2-java-snapshot.yml b/tests/__snapshots__/use-of-rc2-java-snapshot.yml
new file mode 100644
index 00000000..7ac4199f
--- /dev/null
+++ b/tests/__snapshots__/use-of-rc2-java-snapshot.yml
@@ -0,0 +1,10 @@
+id: use-of-rc2-java
+snapshots:
+ ? |
+ useCipher(Cipher.getInstance("RC2"));
+ Cipher.getInstance("RC2");
+ : labels:
+ - source: Cipher.getInstance("RC2")
+ style: primary
+ start: 10
+ end: 35
diff --git a/tests/java/cookie-secure-flag-false-java-test.yml b/tests/java/cookie-secure-flag-false-java-test.yml
new file mode 100644
index 00000000..4d2b0fdb
--- /dev/null
+++ b/tests/java/cookie-secure-flag-false-java-test.yml
@@ -0,0 +1,10 @@
+id: cookie-secure-flag-false-java
+valid:
+ - |
+ response.addCookie(cookie);
+ cookie.setSecure(true);
+ cookie.setHttpOnly(true);
+ response.addCookie(cookie);
+invalid:
+ - |
+ cookie.setSecure(false);
diff --git a/tests/java/documentbuilderfactory-external-general-entities-true-java-test.yml b/tests/java/documentbuilderfactory-external-general-entities-true-java-test.yml
new file mode 100644
index 00000000..a56a6eb5
--- /dev/null
+++ b/tests/java/documentbuilderfactory-external-general-entities-true-java-test.yml
@@ -0,0 +1,9 @@
+id: documentbuilderfactory-external-general-entities-true-java
+valid:
+ - |
+ dbf.setFeature("http://xml.org/sax/features/external-general-entities" , false);
+ spf.setFeature("http://xml.org/sax/features/external-general-entities" , false);
+invalid:
+ - |
+ dbf.setFeature("http://xml.org/sax/features/external-general-entities" , true);
+ spf.setFeature("http://xml.org/sax/features/external-general-entities" , true);
diff --git a/tests/java/use-of-rc2-java-test.yml b/tests/java/use-of-rc2-java-test.yml
new file mode 100644
index 00000000..74f8d6d3
--- /dev/null
+++ b/tests/java/use-of-rc2-java-test.yml
@@ -0,0 +1,8 @@
+id: use-of-rc2-java
+valid:
+ - |
+ Cipher.getInstance("AES/CBC/PKCS7PADDING");
+invalid:
+ - |
+ useCipher(Cipher.getInstance("RC2"));
+ Cipher.getInstance("RC2");