Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merge Develop into Release #3127

Closed
wants to merge 41 commits into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
41 commits
Select commit Hold shift + click to select a range
89a5311
Restrict match to single line (#3101)
p4p3r Sep 8, 2023
7d92e4e
Move `interfile: true` under `options` (#3087)
0xDC0DE Sep 11, 2023
c36f630
Add lint to validate options
LewisArdern Sep 12, 2023
357be22
clean
LewisArdern Sep 12, 2023
a7cdc2b
nvm
LewisArdern Sep 12, 2023
d4b175a
add lint
LewisArdern Sep 12, 2023
13a162e
add interfile
LewisArdern Sep 12, 2023
9e79e32
add adt reference
LewisArdern Sep 12, 2023
2da0080
fix naming
LewisArdern Sep 12, 2023
42fc24f
add mccabe615/generated-rule-terraform.yaml
mccabe615 Sep 13, 2023
59b13de
add mccabe615/generated-rule-terraform.tf
mccabe615 Sep 13, 2023
d975e70
Improve gitleaks generic rule to include stopwords
LewisArdern Sep 14, 2023
bba0d10
Fix
LewisArdern Sep 14, 2023
ca24983
update php.lang.security.injection.echoed-request.echoed-request rule
hocnc Sep 14, 2023
2d07ca5
New TF rule: unrestricted-github-oidc-policy (#3089)
minusworld Sep 14, 2023
0e3ccfa
Merge branch 'develop' into AddStopWords
LewisArdern Sep 15, 2023
58c1652
Merge branch 'develop' into fixOptions
LewisArdern Sep 15, 2023
f7a19e4
Merge branch 'develop' into update-php-echoed-request
kurt-r2c Sep 18, 2023
f4a24e1
Merge pull request #3111 from hocnc/update-php-echoed-request
kurt-r2c Sep 18, 2023
91243e7
Merge branch 'develop' into AddStopWords
kurt-r2c Sep 18, 2023
9a43e4e
Merge pull request #3110 from returntocorp/AddStopWords
kurt-r2c Sep 18, 2023
9c836ec
Merge branch 'develop' into semgrep-live-2rg5
kurt-r2c Sep 18, 2023
7bcfbc1
move contributed rules into appropriate directory
kurt-r2c Sep 18, 2023
8071edb
rename rule to aws-provisioner-exec to cover intent of original contr…
kurt-r2c Sep 18, 2023
6ed2b0b
fix metadata error, add CWE-77
kurt-r2c Sep 18, 2023
76fcb03
Merge branch 'develop' into fixOptions
kurt-r2c Sep 20, 2023
5cf6c8e
Changed artifactory to be regex and remove common fps
LewisArdern Sep 20, 2023
5fb332b
remove shield
LewisArdern Sep 20, 2023
6b847b1
move back current rule
LewisArdern Sep 20, 2023
c3bbe95
Update handler-assignment-from-multiple-sources.yaml
LewisArdern Sep 20, 2023
6776add
Merge pull request #3107 from returntocorp/fixOptions
kurt-r2c Sep 20, 2023
6a11466
fix test
LewisArdern Sep 20, 2023
165390a
Merge branch 'develop' into artifactory
kurt-r2c Sep 20, 2023
0f71e70
Merge pull request #3122 from returntocorp/artifactory
kurt-r2c Sep 20, 2023
38c1842
Merge branch 'develop' into semgrep-live-2rg5
kurt-r2c Sep 20, 2023
52bb7b2
Merge pull request #3108 from returntocorp/semgrep-live-2rg5
kurt-r2c Sep 20, 2023
2609069
fix testcases and add import
0xDC0DE Sep 21, 2023
dcaf3a7
add new rule for user-controllable environment variables
0xDC0DE Sep 21, 2023
abfa597
fix formatting
0xDC0DE Sep 21, 2023
1a017d6
Merge pull request #3123 from returntocorp/java-runtime-bugfix
kurt-r2c Sep 21, 2023
36f858d
Used typed mvar for c# javascript deserializer (#3125)
p4p3r Sep 22, 2023
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .github/workflows/semgrep-rule-lints.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ jobs:
--config yaml/semgrep/metadata-likelihood-incorrect-value.yaml \
--config yaml/semgrep/metadata-impact-incorrect-value.yaml \
--config yaml/semgrep/metadata-subcategory-incorrect-value.yaml \
--config yaml/semgrep/metadata-incorrect-option.yaml \
--config yaml/semgrep/metadata-technology.yaml \
--config yaml/semgrep/metadata-category.yaml \
--config yaml/semgrep/multi-line-message.yaml \
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,11 @@ public void JavascriptSerializerDeserialization(string json)
// ruleid: insecure-javascriptserializer-deserialization
var serializer = new JavaScriptSerializer(new SimpleTypeResolver());
serializer.DeserializeObject(json);

var resolver = new SimpleTypeResolver()
// ruleid: insecure-javascriptserializer-deserialization
var serializer2 = new JavaScriptSerializer(resolver);
serializer2.DeserializeObject(json);
}
catch (Exception e)
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -30,4 +30,4 @@ rules:
using System.Web.Script.Serialization;
...
- pattern: |
new JavaScriptSerializer(new SimpleTypeResolver());
new JavaScriptSerializer((SimpleTypeResolver $RESOLVER))
8 changes: 8 additions & 0 deletions generic/nginx/security/missing-internal.conf
Original file line number Diff line number Diff line change
Expand Up @@ -19,3 +19,11 @@ server {
proxy_pass $1://$2/$3;
}
}

server {
location / {
# ok: missing-internal
proxy_pass http:/backend:42/;
set $false 'positive';
}
}
30 changes: 18 additions & 12 deletions generic/nginx/security/missing-internal.yaml
Original file line number Diff line number Diff line change
@@ -1,18 +1,24 @@
rules:
- id: missing-internal
options:
generic_ellipsis_max_span: 0
generic_engine: aliengrep
patterns:
- pattern-inside: |
location ... {
...
...
}
- pattern-not-inside: |
location ... {
...
internal;
...
}
- pattern: proxy_pass ...$...;
- pattern-inside: |
location ... {
....
....
}
- pattern-not-inside: |
location ... {
....
internal;
....
}
- pattern: proxy_pass $...URL;
- metavariable-regex:
metavariable: $...URL
regex: (.*\$.*)
paths:
include:
- '*.conf'
Expand Down
6 changes: 3 additions & 3 deletions generic/secrets/gitleaks/generic-api-key.txt
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ private const string UserCreationPasswordSecretKey =@"6da89121079f83b2eb6acccf82
// ruleid: generic-api-key
app.secret=edf10572-880c-4dd9-aaf0-6ec402f678db
// ruleid: generic-api-key
val PASSWORD = "Iv1.6213212547e00438__globPaths__123"
val PASSWORD = "Iv1.6213212547e00438__globaths__123"
eironment:
POSTGRES_DB: postgres
POSTGRES_USER: as2user
Expand All @@ -34,7 +34,7 @@ this.cmfPassword.foo = "thiscmfPassword1"
const connectionToken = `12345-123-abc`;
this._perfKey = 'network_XMLHttpRequest_' + String(friendlyName);

// todook: generic-api-key
// ok: generic-api-key
this.txtCfmPassword.Name = "txtCfmPassword";

// ok: generic-api-key
Expand Down Expand Up @@ -207,4 +207,4 @@ clientToken: "pub4306832bdc5f2b8b980c492ec2c11ef3",
// ok: generic-api-key
keys: 'privkey1.json',
// ok: generic-api-key
"Keywords": "asdsadsadsaUSAdusadusadsa",
"Keywords": "asdsadsadsaUSAdusadusadsa",
5 changes: 4 additions & 1 deletion generic/secrets/gitleaks/generic-api-key.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -68,4 +68,7 @@ rules:
regex: (?!(^0x0*|^pub)|.*\.(bin|json|exe)$|.*(?i)(Client|Factory)$|(^__[A-Za-z]+__$)|^(12345|abcd)|^\d+(\.\d+)?$)
# Remove AAAAA, BBBBB, CCCCC, and .....
- pattern-not-regex: (\w|\.)\1{5}

# stopwords from https://github.com/gitleaks/gitleaks/blob/d9f86d6123d9ef2558c4852a522a7a071d6a6fe9/cmd/generate/config/rules/stopwords.go#L4
- metavariable-regex:
metavariable: $CONTENT
regex: (?!(?i).*(client|endpoint|vpn|_ec2_|aws_|authorize|author|define|config|credential|setting|sample|xxxxxx|000000|buffer|delete|aaaaaa|fewfwef|getenv|env_|system|example|ecdsa|sha256|sha1|sha2|md5|alert|wizard|target|onboard|welcome|page|exploit|experiment|expire|rabbitmq|scraper|widget|music|dns_|dns-|yahoo|want|json|action|script|fix_|fix-|develop|compas|stripe|service|master|metric|tech|gitignore|rich|open|stack|irc_|irc-|sublime|kohana|has_|has-|\.\.\.|fabric|wordpres|role|osx_|osx-|boost|addres|queue|working|sandbox|internet|print|vision|tracking|being|generator|traffic|world|pull|rust|watcher|small|auth|full|hash|more|install|auto|complete|learn|paper|installer|research|acces|last|binding|spine|into|chat|algorithm|resource|uploader|video|maker|next|proc|lock|robot|snake|patch|matrix|drill|terminal|term|stuff|genetic|generic|identity|audit|pattern|audio|web_|web-|crud|problem|statu|cms-|cms_|arch|coffee|workflow|changelog|another|uiview|content|kitchen|gnu_|gnu-|gnu.|conf|couchdb|client|opencv|rendering|update|concept|varnish|gui_|gui-|gui.|version|shared|extra|product|still|not_|not-|not.|drop|ring|png_|png-|png.|actively|import|output|backup|start|embedded|registry|pool|semantic|instagram|bash|system|ninja|drupal|jquery|polyfill|physic|league|guide|pack|synopsi|sketch|injection|svg_|svg-|svg.|friendly|wave|convert|manage|camera|link|slide|timer|wrapper|gallery|url_|url-|url.|todomvc|requirej|party|http|payment|async|library|home|coco|gaia|display|universal|func|metadata|hipchat|under|room|config|personal|realtime|resume|database|testing|tiny|basic|forum|meetup|yet_|yet-|yet.|cento|dead|fluentd|editor|utilitie|run_|run-|run.|box_|box-|box.|bot_|bot-|bot.|making|sample|group|monitor|ajax|parallel|cassandra|ultimate|site|get_|get-|get.|gen_|gen-|gen.|gem_|gem-|gem.|extended|image|knife|asset|nested|zero|plugin|bracket|mule|mozilla|number|act_|act-|act.|map_|map-|map.|micro|debug|openshift|chart|expres|backend|task|source|translate|jbos|composer|sqlite|profile|mustache|mqtt|yeoman|have|builder|smart|like|oauth|school|guideline|captcha|filter|bitcoin|bridge|color|toolbox|discovery|new_|new-|new.|dashboard|when|setting|level|post|standard|port|platform|yui_|yui-|yui.|grunt|animation|haskell|icon|latex|cheat|lua_|lua-|lua.|gulp|case|author|without|simulator|wifi|directory|lisp|list|flat|adventure|story|storm|gpu_|gpu-|gpu.|store|caching|attention|solr|logger|demo|shortener|hadoop|finder|phone|pipeline|range|textmate|showcase|app_|app-|app.|idiomatic|edit|our_|our-|our.|out_|out-|out.|sentiment|linked|why_|why-|why.|local|cube|gmail|job_|job-|job.|rpc_|rpc-|rpc.|contest|tcp_|tcp-|tcp.|usage|buildout|weather|transfer|automated|sphinx|issue|sas_|sas-|sas.|parallax|jasmine|addon|machine|solution|dsl_|dsl-|dsl.|episode|menu|theme|best|adapter|debugger|chrome|tutorial|life|step|people|joomla|paypal|developer|solver|team|current|love|visual|date|data|canva|container|future|xml_|xml-|xml.|twig|nagio|spatial|original|sync|archived|refinery|science|mapping|gitlab|play|ext_|ext-|ext.|session|impact|set_|set-|set.|see_|see-|see.|migration|commit|community|shopify|what'|cucumber|statamic|mysql|location|tower|line|code|amqp|hello|send|index|high|notebook|alloy|python|field|document|soap|edition|email|php_|php-|php.|command|transport|official|upload|study|secure|angularj|akka|scalable|package|request|con_|con-|con.|flexible|security|comment|module|flask|graph|flash|apache|change|window|space|lambda|sheet|bookmark|carousel|friend|objective|jekyll|bootstrap|first|article|gwt_|gwt-|gwt.|classic|media|websocket|touch|desktop|real|read|recorder|moved|storage|validator|add-on|pusher|scs_|scs-|scs.|inline|asp_|asp-|asp.|timeline|base|encoding|ffmpeg|kindle|tinymce|pretty|jpa_|jpa-|jpa.|used|user|required|webhook|download|resque|espresso|cloud|mongo|benchmark|pure|cakephp|modx|mode|reactive|fuel|written|flickr|mail|brunch|meteor|dynamic|neo_|neo-|neo.|new_|new-|new.|net_|net-|net.|typo|type|keyboard|erlang|adobe|logging|ckeditor|message|iso_|iso-|iso.|hook|ldap|folder|reference|railscast|www_|www-|www.|tracker|azure|fork|form|digital|exporter|skin|string|template|designer|gollum|fluent|entity|language|alfred|summary|wiki|kernel|calendar|plupload|symfony|foundry|remote|talk|search|dev_|dev-|dev.|del_|del-|del.|token|idea|sencha|selector|interface|create|fun_|fun-|fun.|groovy|query|grail|red_|red-|red.|laravel|monkey|slack|supported|instant|value|center|latest|work|but_|but-|but.|bug_|bug-|bug.|virtual|tweet|statsd|studio|path|real-time|frontend|notifier|coding|tool|firmware|flow|random|mediawiki|bosh|been|beer|lightbox|theory|origin|redmine|hub_|hub-|hub.|require|pro_|pro-|pro.|ant_|ant-|ant.|any_|any-|any.|recipe|closure|mapper|event|todo|model|redi|provider|rvm_|rvm-|rvm.|program|memcached|rail|silex|foreman|activity|license|strategy|batch|streaming|fast|use_|use-|use.|usb_|usb-|usb.|impres|academy|slider|please|layer|cros|now_|now-|now.|miner|extension|own_|own-|own.|app_|app-|app.|debian|symphony|example|feature|serie|tree|project|runner|entry|leetcode|layout|webrtc|logic|login|worker|toolkit|mocha|support|back|inside|device|jenkin|contact|fake|awesome|ocaml|bit_|bit-|bit.|drive|screen|prototype|gist|binary|nosql|rest|overview|dart|dark|emac|mongoid|solarized|homepage|emulator|commander|django|yandex|gradle|xcode|writer|crm_|crm-|crm.|jade|startup|error|using|format|name|spring|parser|scratch|magic|try_|try-|try.|rack|directive|challenge|slim|counter|element|chosen|doc_|doc-|doc.|meta|should|button|packet|stream|hardware|android|infinite|password|software|ghost|xamarin|spec|chef|interview|hubot|mvc_|mvc-|mvc.|exercise|leaflet|launcher|air_|air-|air.|photo|board|boxen|way_|way-|way.|computing|welcome|notepad|portfolio|cat_|cat-|cat.|can_|can-|can.|magento|yaml|domain|card|yii_|yii-|yii.|checker|browser|upgrade|only|progres|aura|ruby_|ruby-|ruby.|polymer|util|lite|hackathon|rule|log_|log-|log.|opengl|stanford|skeleton|history|inspector|help|soon|selenium|lab_|lab-|lab.|scheme|schema|look|ready|leveldb|docker|game|minimal|logstash|messaging|within|heroku|mongodb|kata|suite|picker|win_|win-|win.|wip_|wip-|wip.|panel|started|starter|front-end|detector|deploy|editing|based|admin|capture|spree|page|bundle|goal|rpg_|rpg-|rpg.|setup|side|mean|reader|cookbook|mini|modern|seed|dom_|dom-|dom.|doc_|doc-|doc.|dot_|dot-|dot.|syntax|sugar|loader|website|make|kit_|kit-|kit.|protocol|human|daemon|golang|manager|countdown|connector|swagger|map_|map-|map.|mac_|mac-|mac.|man_|man-|man.|orm_|orm-|orm.|org_|org-|org.|little|zsh_|zsh-|zsh.|shop|show|workshop|money|grid|server|octopres|svn_|svn-|svn.|ember|embed|general|file|important|dropbox|portable|public|docpad|fish|sbt_|sbt-|sbt.|done|para|network|common|readme|popup|simple|purpose|mirror|single|cordova|exchange|object|design|gateway|account|lamp|intellij|math|mit_|mit-|mit.|control|enhanced|emitter|multi|add_|add-|add.|about|socket|preview|vagrant|cli_|cli-|cli.|powerful|top_|top-|top.|radio|watch|fluid|amazon|report|couchbase|automatic|detection|sprite|pyramid|portal|advanced|plu_|plu-|plu.|runtime|git_|git-|git.|uri_|uri-|uri.|haml|node|sql_|sql-|sql.|cool|core|obsolete|handler|iphone|extractor|array|copy|nlp_|nlp-|nlp.|reveal|pop_|pop-|pop.|engine|parse|check|html|nest|all_|all-|all.|chinese|buildpack|what|tag_|tag-|tag.|proxy|style|cookie|feed|restful|compiler|creating|prelude|context|java|rspec|mock|backbone|light|spotify|flex|related|shell|which|clas|webapp|swift|ansible|unity|console|tumblr|export|campfire|conway'|made|riak|hero|here|unix|unit|glas|smtp|how_|how-|how.|hot_|hot-|hot.|debug|release|diff|player|easy|right|old_|old-|old.|animate|time|push|explorer|course|training|nette|router|draft|structure|note|salt|where|spark|trello|power|method|social|via_|via-|via.|vim_|vim-|vim.|select|webkit|github|ftp_|ftp-|ftp.|creator|mongoose|led_|led-|led.|movie|currently|pdf_|pdf-|pdf.|load|markdown|phalcon|input|custom|atom|oracle|phonegap|ubuntu|great|rdf_|rdf-|rdf.|popcorn|firefox|zip_|zip-|zip.|cuda|dotfile|static|openwrt|viewer|powered|graphic|les_|les-|les.|doe_|doe-|doe.|maven|word|eclipse|lab_|lab-|lab.|hacking|steam|analytic|option|abstract|archive|reality|switcher|club|write|kafka|arduino|angular|online|title|don't|contao|notice|analyzer|learning|zend|external|staging|busines|tdd_|tdd-|tdd.|scanner|building|snippet|modular|bower|stm_|stm-|stm.|lib_|lib-|lib.|alpha|mobile|clean|linux|nginx|manifest|some|raspberry|gnome|ide_|ide-|ide.|block|statistic|info|drag|youtube|koan|facebook|paperclip|art_|art-|art.|quality|tab_|tab-|tab.|need|dojo|shield|computer|stat|state|twitter|utility|converter|hosting|devise|liferay|updated|force|tip_|tip-|tip.|behavior|active|call|answer|deck|better|principle|ches|bar_|bar-|bar.|reddit|three|haxe|just|plug-in|agile|manual|tetri|super|beta|parsing|doctrine|minecraft|useful|perl|sharing|agent|switch|view|dash|channel|repo|pebble|profiler|warning|cluster|running|markup|evented|mod_|mod-|mod.|share|csv_|csv-|csv.|response|good|house|connect|built|build|find|ipython|webgl|big_|big-|big.|google|scala|sdl_|sdl-|sdl.|sdk_|sdk-|sdk.|native|day_|day-|day.|puppet|text|routing|helper|linkedin|crawler|host|guard|merchant|poker|over|writing|free|classe|component|craft|nodej|phoenix|longer|quick|lazy|memory|clone|hacker|middleman|factory|motion|multiple|tornado|hack|ssh_|ssh-|ssh.|review|vimrc|driver|driven|blog|particle|table|intro|importer|thrift|xmpp|framework|refresh|react|font|librarie|variou|formatter|analysi|karma|scroll|tut_|tut-|tut.|apple|tag_|tag-|tag.|tab_|tab-|tab.|category|ionic|cache|homebrew|reverse|english|getting|shipping|clojure|boot|book|branch|combination|combo))
13 changes: 2 additions & 11 deletions generic/secrets/security/detected-artifactory-password.txt
Original file line number Diff line number Diff line change
@@ -1,11 +1,5 @@
# ruleid: detected-artifactory-password
AP6xxxxxxxxxx

# ruleid: detected-artifactory-password
AP2xxxxxxxxxx

# ruleid: detected-artifactory-password
artifactoryx:_password=AP6xxxxxxxxxx
artifactoryx:_password=AP6abc1231321

# ok: detected-artifactory-password
integrity sha512-AP1AyUTbi2szylgr+O0OB7gkIxEGzySLITZ2GpsaoX72YMCGI2jYAc+WUhPfvUnZYiauF4zTnN4V4TGuvFjJlw==
Expand All @@ -19,9 +13,6 @@ ImageID: "SHA256:AP1AyUTbi2szylgr266fcae00707e67a2545ef34f9a29354585f93dac906749
# ok: detected-artifactory-password
- hasql-1.6.0.1@sha256:AP1AyUTbi2szylgr+422a3bb776a12d5cf2bb83303778f343106f9a1cc2b4fcdf73,6628

# ruleid: detected-artifactory-password
artifactoryx_password:AP6xxxxxxxxxx

# ok: detected-artifactory-password
X-JFrog-Art-Api: $PASSWORD

Expand Down Expand Up @@ -124,7 +115,7 @@ b3IgcHJvbW90ZSBwcm9kdWN0cyBkZXJpdmVkIGZyb20KIHRoaXMgc29mdHdhcmUgd2l0aG9

-----BEGIN PGP PUBLIC KEY BLOCK-----
# ok: detected-artifactory-password
AP6xxxxxxxxxx
AP6abc1231321
-----END PGP PUBLIC KEY BLOCK-----

apiVersion: appprotectdos.f5.com/v1beta1
Expand Down
31 changes: 6 additions & 25 deletions generic/secrets/security/detected-artifactory-password.yaml
Original file line number Diff line number Diff line change
@@ -1,35 +1,16 @@
rules:
- id: detected-artifactory-password
options:
generic_engine: aliengrep
generic_multiline: false
generic_caseless: true
patterns:
- pattern: $ITEM
- metavariable-regex:
metavariable: $ITEM
regex: \bAP[\dABCDEF][a-zA-Z0-9]{8,}
- pattern-not-inside: |
sha1...
- pattern-not-inside: |
sha2...
- pattern-not-inside: |
sha3...
- pattern-not-inside: |
sha118...
- pattern-not-inside: |
sha256...
- pattern-not-inside: |
sha512...
- pattern-not-inside: |
-BEGIN ...-
....
...-END ...-
- pattern-regex: (?<ITEM>\bAP[\dABCDEF][a-zA-Z0-9]{8,})
- pattern-regex: .*(?i)arti[-_]?factory.*
- pattern-not-regex: .*(?i)sha(1|2|3|118|256|512).*
- pattern-not-regex: (?i)-----\s*?BEGIN[ A-Z0-9_-]*? KEY( BLOCK)?-----[\s\S]*?-----\s*?END[ A-Z0-9_-]*?\s*?-----
- metavariable-analysis:
analyzer: entropy
metavariable: $ITEM
- pattern-not-regex: (\w|\.|\*)\1{4}
languages:
- generic
- regex
paths:
exclude:
- "*.svg"
Expand Down
Original file line number Diff line number Diff line change
@@ -1,7 +1,5 @@
rules:
- id: handler-assignment-from-multiple-sources
options:
taint_unified_mvars: true
metadata:
cwe:
- 'CWE-289: Authentication Bypass by Alternate Name'
Expand Down
2 changes: 2 additions & 0 deletions go/gorm/security/audit/gorm-dangerous-methods-usage.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,8 @@ rules:
- pattern: strconv.Atoi(...)
- pattern: |
($X: bool)
options:
interfile: true
metadata:
category: security
technology:
Expand Down
2 changes: 2 additions & 0 deletions go/jwt-go/security/jwt.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,8 @@ rules:
being leaked and used by either an internal or external malicious adversary. It is recommended to
use environment variables to securely provide credentials or retrieve credentials from a secure
vault or HSM (Hardware Security Module).
options:
interfile: true
metadata:
cwe:
- 'CWE-798: Use of Hard-coded Credentials'
Expand Down
2 changes: 2 additions & 0 deletions go/lang/security/audit/md5-used-as-password.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,8 @@ rules:
secure password hash because it can be cracked by an attacker in a short
amount of time. Use a suitable password hashing function such as bcrypt.
You can use the `golang.org/x/crypto/bcrypt` package.
options:
interfile: true
metadata:
category: security
technology:
Expand Down
2 changes: 2 additions & 0 deletions go/lang/security/filepath-clean-misuse.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,8 @@ rules:
- pattern: |
"/" + ...
fix: filepath.FromSlash(filepath.Clean("/"+strings.Trim($...INNER, "/")))
options:
interfile: true
metadata:
references:
- https://pkg.go.dev/path#Clean
Expand Down
2 changes: 2 additions & 0 deletions go/lang/security/injection/tainted-sql-string.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,8 @@ rules:
or manipulate data from the database.
Instead, use prepared statements (`db.Query("SELECT * FROM t WHERE id = ?", id)`)
or a safe library.
options:
interfile: true
metadata:
cwe:
- "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
Expand Down
2 changes: 2 additions & 0 deletions go/lang/security/injection/tainted-url-host.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,8 @@ rules:
path or query parameter. When user-input is necessary to craft the
request, it is recommended to follow OWASP best practices to prevent
abuse, including using an allowlist.
options:
interfile: true
metadata:
cwe:
- "CWE-918: Server-Side Request Forgery (SSRF)"
Expand Down
2 changes: 2 additions & 0 deletions java/aws-lambda/security/tainted-sql-string.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,8 @@ rules:
of the database. Instead, use a parameterized query which is available
by default in most database engines. Alternatively, consider using an
object-relational mapper (ORM) such as Sequelize which will protect your queries.
options:
interfile: true
metadata:
references:
- https://owasp.org/www-community/attacks/SQL_Injection
Expand Down
2 changes: 2 additions & 0 deletions java/aws-lambda/security/tainted-sqli.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,8 @@ rules:
- metavariable-regex:
metavariable: $SQLCMD
regex: (execute|query|executeUpdate)
options:
interfile: true
metadata:
category: security
technology:
Expand Down
7 changes: 5 additions & 2 deletions java/lang/security/audit/tainted-cmd-from-http-request.java
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.lang.Runtime;

@WebServlet(value = "/cmdi-00/BenchmarkTest00006")
public class bad1 extends HttpServlet {
Expand Down Expand Up @@ -111,7 +112,8 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
Runtime r = Runtime.getRuntime();

try {
// ruleid: tainted-cmd-from-http-request
// this is vulnerable, but considered a separate issue
// ok: tainted-cmd-from-http-request
Process p = r.exec(args, argsEnv);
org.owasp.benchmark.helpers.Utils.printOSCommandResults(p, response);
} catch (IOException e) {
Expand Down Expand Up @@ -172,7 +174,8 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
Runtime r = Runtime.getRuntime();

try {
// ruleid: tainted-cmd-from-http-request
// this is vulnerable, but considered a separate issue
// ok: tainted-cmd-from-http-request
Process p = r.exec(args, argsEnv);
org.owasp.benchmark.helpers.Utils.printOSCommandResults(p, response);
} catch (IOException e) {
Expand Down
Loading