From fb64ebca6434a4b43fbe3292902fa70c3f1c68d4 Mon Sep 17 00:00:00 2001
From: Claudio <claudio@r2c.dev>
Date: Thu, 5 Oct 2023 13:33:12 +0200
Subject: [PATCH] Add sha1 and xxe rules

---
 .../security/documentbuilderfactory-xxe.clj   | 41 +++++++++++
 .../security/documentbuilderfactory-xxe.yaml  | 68 +++++++++++++++++++
 clojure/lang/security/use-of-sha1.clj         | 56 +++++++++++++++
 clojure/lang/security/use-of-sha1.yaml        | 35 ++++++++++
 4 files changed, 200 insertions(+)
 create mode 100644 clojure/lang/security/documentbuilderfactory-xxe.clj
 create mode 100644 clojure/lang/security/documentbuilderfactory-xxe.yaml
 create mode 100644 clojure/lang/security/use-of-sha1.clj
 create mode 100644 clojure/lang/security/use-of-sha1.yaml

diff --git a/clojure/lang/security/documentbuilderfactory-xxe.clj b/clojure/lang/security/documentbuilderfactory-xxe.clj
new file mode 100644
index 0000000000..5bd928550b
--- /dev/null
+++ b/clojure/lang/security/documentbuilderfactory-xxe.clj
@@ -0,0 +1,41 @@
+(ns vulnerable-1
+  (:require [clojure.xml :as xml]))
+
+(defn vulnerable [x]
+  // ruleid: documentbuilderfactory-xxe
+  (clojure.xml/parse x))
+
+(defn startparse-sax-doctype [s ch]
+  (..
+    (doto (javax.xml.parsers.SAXParserFactory/newInstance)
+      // ruleid: documentbuilderfactory-xxe
+      (.setFeature "http://apache.org/xml/features/disallow-doctype-decl" false)
+      (.setFeature "http://xml.org/sax/features/external-general-entities" true)
+      (.setFeature "http://xml.org/sax/features/external-parameter-entities" true))
+    (newSAXParser)
+    (parse s ch)))
+
+(def vulnerable [input]
+  (clojure.xml/parse input startparse-sax-doctype))
+
+(defn startparse-sax-no-doctype [s ch]
+  (..
+    (doto (javax.xml.parsers.SAXParserFactory/newInstance)
+      // ok: documentbuilderfactory-xxe
+      (.setFeature "http://apache.org/xml/features/disallow-doctype-decl" true)
+      (.setFeature "http://xml.org/sax/features/external-general-entities" true)
+      (.setFeature "http://xml.org/sax/features/external-parameter-entities" true))
+    (newSAXParser)
+    (parse s ch)))
+
+(defn startparse-sax-doctype-no-entities [s ch]
+  (..
+    (doto (javax.xml.parsers.SAXParserFactory/newInstance)
+      // ok: documentbuilderfactory-xxe
+      (.setFeature "http://apache.org/xml/features/disallow-doctype-decl" false)
+      (.setFeature "http://xml.org/sax/features/external-general-entities" false)
+      (.setFeature "http://xml.org/sax/features/external-parameter-entities" false))
+    (newSAXParser)
+    (parse s ch)))
+
+
diff --git a/clojure/lang/security/documentbuilderfactory-xxe.yaml b/clojure/lang/security/documentbuilderfactory-xxe.yaml
new file mode 100644
index 0000000000..18065817c0
--- /dev/null
+++ b/clojure/lang/security/documentbuilderfactory-xxe.yaml
@@ -0,0 +1,68 @@
+rules:
+  - id: documentbuilderfactory-xxe
+    languages:
+      - clojure
+    severity: ERROR
+    metadata:
+      cwe:
+      - 'CWE-611: Improper Restriction of XML External Entity Reference'
+      owasp:
+      - A04:2017 - XML External Entities (XXE)
+      - A05:2021 - Security Misconfiguration
+      asvs:
+        section: V5 Validation, Sanitization and Encoding
+        control_id: 5.5.2 Insecue XML Deserialization
+        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v55-deserialization-prevention
+        version: '4'
+      references:
+      - https://semgrep.dev/blog/2022/xml-security-in-java
+      - https://semgrep.dev/docs/cheat-sheets/java-xxe/
+      - https://xerces.apache.org/xerces2-j/features.html
+      source-rule-url: https://github.com/clj-holmes/clj-holmes-rules/blob/main/security/xxe-clojure-xml/xxe-clojure-xml.yml
+      category: security
+      technology:
+      - clojure
+      - xml
+      cwe2022-top25: true
+      cwe2021-top25: true
+      subcategory:
+      - vuln
+      likelihood: LOW
+      impact: HIGH
+      confidence: HIGH
+    message: >-
+      DOCTYPE declarations are enabled for javax.xml.parsers.SAXParserFactory.
+      Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks.
+      Disable this by setting the feature "http://apache.org/xml/features/disallow-doctype-decl" to true.
+      Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations.
+      This can be done by setting the features "http://xml.org/sax/features/external-general-entities" and
+      "http://xml.org/sax/features/external-parameter-entities" to false.
+    patterns:
+      - pattern-inside: |
+          (ns ... (:require [clojure.xml :as ...]))
+          ...
+      - pattern-either:
+          - pattern-inside: |
+              (def ... ... ( ... ))
+          - pattern-inside: |
+              (defn ... ... ( ... ))
+      - pattern-either:
+        - pattern: (clojure.xml/parse $INPUT)
+        - patterns:
+          - pattern-inside: |
+              (doto (javax.xml.parsers.SAXParserFactory/newInstance) ...)
+          - pattern: (.setFeature "http://apache.org/xml/features/disallow-doctype-decl" false)
+          - pattern-not-inside: |
+              (doto (javax.xml.parsers.SAXParserFactory/newInstance)
+                ...
+                (.setFeature "http://xml.org/sax/features/external-general-entities" false)
+                ...
+                (.setFeature "http://xml.org/sax/features/external-parameter-entities" false)
+                ...)
+          - pattern-not-inside: |
+              (doto (javax.xml.parsers.SAXParserFactory/newInstance)
+                ...
+                (.setFeature "http://xml.org/sax/features/external-parameter-entities" false)
+                ...
+                (.setFeature "http://xml.org/sax/features/external-general-entities" false)
+                ...)
diff --git a/clojure/lang/security/use-of-sha1.clj b/clojure/lang/security/use-of-sha1.clj
new file mode 100644
index 0000000000..e7dedde903
--- /dev/null
+++ b/clojure/lang/security/use-of-sha1.clj
@@ -0,0 +1,56 @@
+(import 'java.security.MessageDigest
+        'java.math.BigInteger)
+
+(defn sha1 [s]
+  // ruleid: use-of-sha1
+  (let [algorithm (MessageDigest/getInstance "SHA-1")
+        size (* 2 (.getDigestLength algorithm))
+        raw (.digest algorithm (.getBytes s))
+        sig (.toString (BigInteger. 1 raw) 16)
+        padding (apply str (repeat (- size (count sig)) "0"))]
+    (str padding sig)))
+
+(defn sha1b [s]
+  // ruleid: use-of-sha1
+  (let [algorithm (MessageDigest/getInstance MessageDigestAlgorithms/SHA-1)
+        size (* 2 (.getDigestLength algorithm))
+        raw (.digest algorithm (.getBytes s))
+        sig (.toString (BigInteger. 1 raw) 16)
+        padding (apply str (repeat (- size (count sig)) "0"))]
+    (str padding sig)))
+
+(defn sha1c [s]
+  // ruleid: use-of-sha1
+  (let [algorithm (MessageDigest/getInstance org.apache.commons.codec.digest.MessageDigestAlgorithms/SHA-1)
+        size (* 2 (.getDigestLength algorithm))
+        raw (.digest algorithm (.getBytes s))
+        sig (.toString (BigInteger. 1 raw) 16)
+        padding (apply str (repeat (- size (count sig)) "0"))]
+    (str padding sig)))
+
+(defn sha256 [s]
+  // ok: use-of-sha1
+  (let [algorithm (MessageDigest/getInstance "SHA-256")
+        size (* 2 (.getDigestLength algorithm))
+        raw (.digest algorithm (.getBytes s))
+        sig (.toString (BigInteger. 1 raw) 16)
+        padding (apply str (repeat (- size (count sig)) "0"))]
+    (str padding sig)))
+
+(defn sha256b [s]
+  // ok: use-of-sha1
+  (let [algorithm (MessageDigest/getInstance MessageDigestAlgorithms/SHA-256)
+        size (* 2 (.getDigestLength algorithm))
+        raw (.digest algorithm (.getBytes s))
+        sig (.toString (BigInteger. 1 raw) 16)
+        padding (apply str (repeat (- size (count sig)) "0"))]
+    (str padding sig)))
+
+(defn sha256c [s]
+  // ok: use-of-sha1
+  (let [algorithm (MessageDigest/getInstance org.apache.commons.codec.digest.MessageDigestAlgorithms/SHA-256)
+        size (* 2 (.getDigestLength algorithm))
+        raw (.digest algorithm (.getBytes s))
+        sig (.toString (BigInteger. 1 raw) 16)
+        padding (apply str (repeat (- size (count sig)) "0"))]
+    (str padding sig)))
diff --git a/clojure/lang/security/use-of-sha1.yaml b/clojure/lang/security/use-of-sha1.yaml
new file mode 100644
index 0000000000..05fdcb9d22
--- /dev/null
+++ b/clojure/lang/security/use-of-sha1.yaml
@@ -0,0 +1,35 @@
+rules:
+  - id: use-of-sha1
+    languages:
+      - clojure
+    severity: WARNING
+    message: >-
+      Detected SHA1 hash algorithm which is considered insecure. SHA1 is not
+      collision resistant and is therefore not suitable as a cryptographic
+      signature. Instead, use PBKDF2 for password hashing
+      or SHA256 or SHA512 for other hash function applications.
+    metadata:
+      references:
+        - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
+        - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
+      technology:
+        - clojure
+      owasp:
+        - A03:2017 - Sensitive Data Exposure
+        - A02:2021 - Cryptographic Failures
+      cwe:
+        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
+        - "CWE-328: Use of Weak Hash"
+      category: security
+      subcategory:
+        - vuln
+      confidence: HIGH
+      likelihood: MEDIUM
+      impact: HIGH
+    patterns:
+      - pattern-either:
+        - pattern: (MessageDigest/getInstance $ALGO)
+        - pattern: (java.security.MessageDigest/getInstance $ALGO)
+      - metavariable-regex:
+          metavariable: $ALGO
+          regex: (((org\.apache\.commons\.codec\.digest\.)?MessageDigestAlgorithms/)?"?(SHA-1|SHA1)"?)