Merge branch 'returntocorp:develop' into develop
lfama authored May 15, 2023
2 parents 1395938 + c4e4670 commit 6872ce6
Showing 11 changed files with 183 additions and 133 deletions.
9 changes: 3 additions & 6 deletions go/gorm/security/audit/gorm-dangerous-methods-usage.yaml
@@ -44,12 +44,9 @@ rules:
- pattern-either:
- pattern: strconv.Atoi(...)
- patterns:
- focus-metavariable: $...X
- pattern-either:
- pattern: <... $...X != $...Y ...>
- pattern: <... $...Y != $...X ...>
- pattern: <... $...X == $...Y ...>
- pattern: <... $...Y == $...X ...>
- pattern: $X != $Y
- pattern: $X == $Y
metadata:
category: security
technology:
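Review bot: the rewritten sanitizer is not a pure simplification of the old one, and the hunk carries no test case pinning down which false positive it is meant to suppress. The old form focused `$...X`, i.e. it sanitised the operand at its occurrence inside a comparison; the new `$X != $Y` / `$X == $Y` sanitises the comparison expression itself (its boolean result), and neither form, unless `by-side-effect: true` is set, makes a value that was compared in an `if` guard clean for its later uses. Collapsing the four `<... ... ...>` variants loses nothing: `$X` and `$Y` are unconstrained, so `$...Y != $...X` was already covered by `$...X != $...Y`, and a sanitizer pattern matches sub-expressions without the deep-expression operator. Please add a test with a tainted value that is compared and then reaches the sink, so the intended behaviour is documented; the same edit is repeated in the other five rule files in this commit.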
@@ -69,4 +69,4 @@ rules:
- vuln
likelihood: HIGH
impact: MEDIUM
interfile: true
interfile: true
7 changes: 2 additions & 5 deletions go/lang/security/injection/tainted-sql-string.yaml
@@ -78,9 +78,6 @@ rules:
- pattern-either:
- pattern: strconv.Atoi(...)
- patterns:
- focus-metavariable: $...X
- pattern-either:
- pattern: <... $...X != $...Y ...>
- pattern: <... $...Y != $...X ...>
- pattern: <... $...X == $...Y ...>
- pattern: <... $...Y == $...X ...>
- pattern: $X != $Y
- pattern: $X == $Y
179 changes: 79 additions & 100 deletions go/lang/security/injection/tainted-url-host.yaml
@@ -1,101 +1,80 @@
rules:
- id: tainted-url-host
languages:
- go
message: >-
A request was found to be crafted from user-input `$REQUEST`.
This can lead to Server-Side Request Forgery (SSRF) vulnerabilities,
potentially exposing sensitive data. It is recommend where possible
to not allow user-input to craft the base request, but to be treated as part of the path or query
parameter. When user-input is necessary to craft the request, it is recommended to follow OWASP best
practices to prevent abuse, including using an allowlist. $URLSTR
metadata:
cwe:
- 'CWE-918: Server-Side Request Forgery (SSRF)'
owasp:
- A10:2021 - Server-Side Request Forgery (SSRF)
references:
- https://goteleport.com/blog/ssrf-attacks/
category: security
technology:
- go
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
confidence: HIGH
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- vuln
impact: MEDIUM
likelihood: MEDIUM
interfile: true
mode: taint
pattern-sources:
- label: INPUT
patterns:
- pattern-either:
- pattern: |
($REQUEST : *http.Request).$ANYTHING
- pattern: |
($REQUEST : http.Request).$ANYTHING
- metavariable-regex:
metavariable: $ANYTHING
regex: ^(BasicAuth|Body|Cookie|Cookies|Form|FormValue|GetBody|Host|MultipartReader|ParseForm|ParseMultipartForm|PostForm|PostFormValue|Referer|RequestURI|Trailer|TransferEncoding|UserAgent|URL)$
- label: FORMAT
requires: INPUT
patterns:
- pattern-either:
- patterns:
- pattern-either:
- pattern: fmt.Fprintf($F, "$URLSTR", $INPUT, ...)
- pattern: fmt.Sprintf("$URLSTR", $INPUT, ...)
- pattern: fmt.Printf("$URLSTR", $INPUT, ...)
- metavariable-regex:
metavariable: $URLSTR
regex: ^((http://)|(https://)|(//))%(v|s|q).*
- focus-metavariable: $INPUT
- label: ADD_OR_DIRECT
requires: INPUT
patterns:
- pattern-either:
- pattern: $X + $F
- pattern: $X
- focus-metavariable: $X
- pattern-not-inside: |
fmt.Printf(...)
...
- pattern-not-inside: |
fmt.Sprintf(...)
...
- pattern-not-inside: |
fmt.Fprintf(...)
...
pattern-sanitizers:
- patterns:
- pattern: $F + $X
- metavariable-regex:
metavariable: $F
regex: ".*//[a-zA-Z0-10]+\\..*"
pattern-sinks:
- requires: FORMAT or ADD_OR_DIRECT
patterns:
- pattern-either:
- patterns:
- pattern-either:
- patterns:
- pattern-inside: |
$CLIENT := &http.Client{...}
...
- pattern: $CLIENT.$METHOD($URL, ...)
- pattern: http.$METHOD($URL, ...)
- metavariable-regex:
metavariable: $METHOD
regex: ^(Get|Head|Post|PostForm)$
- pattern: http.Redirect($W, $REQ, $URL, ...)
- patterns:
- pattern: |
http.NewRequest("$METHOD", $URL, ...)
- metavariable-regex:
metavariable: $METHOD
regex: ^(GET|HEAD|POST|POSTFORM)$
- focus-metavariable: $URL
severity: WARNING
- id: tainted-url-host
languages:
- go
message: A request was found to be crafted from user-input `$REQUEST`. This can
lead to Server-Side Request Forgery (SSRF) vulnerabilities, potentially
exposing sensitive data. It is recommend where possible to not allow
user-input to craft the base request, but to be treated as part of the
path or query parameter. When user-input is necessary to craft the
request, it is recommended to follow OWASP best practices to prevent
abuse, including using an allowlist.
metadata:
cwe:
- "CWE-918: Server-Side Request Forgery (SSRF)"
owasp:
- A10:2021 - Server-Side Request Forgery (SSRF)
references:
- https://goteleport.com/blog/ssrf-attacks/
category: security
technology:
- go
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
confidence: HIGH
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- vuln
impact: MEDIUM
likelihood: MEDIUM
interfile: true
mode: taint
pattern-sources:
- label: INPUT
patterns:
- pattern-either:
- pattern: |
($REQUEST : *http.Request).$ANYTHING
- pattern: |
($REQUEST : http.Request).$ANYTHING
- metavariable-regex:
metavariable: $ANYTHING
regex: ^(BasicAuth|Body|Cookie|Cookies|Form|FormValue|GetBody|Host|MultipartReader|ParseForm|ParseMultipartForm|PostForm|PostFormValue|Referer|RequestURI|Trailer|TransferEncoding|UserAgent|URL)$
- label: CLEAN
requires: INPUT
patterns:
- pattern-either:
- pattern: |
"$URLSTR" + $INPUT
- patterns:
- pattern-either:
- pattern: fmt.Fprintf($F, "$URLSTR", $INPUT, ...)
- pattern: fmt.Sprintf("$URLSTR", $INPUT, ...)
- pattern: fmt.Printf("$URLSTR", $INPUT, ...)
- metavariable-regex:
metavariable: $URLSTR
regex: .*//[a-zA-Z0-10]+\..*
pattern-sinks:
- requires: INPUT and not CLEAN
patterns:
- pattern-either:
- patterns:
- pattern-either:
- patterns:
- pattern-inside: |
$CLIENT := &http.Client{...}
...
- pattern: $CLIENT.$METHOD($URL, ...)
- pattern: http.$METHOD($URL, ...)
- metavariable-regex:
metavariable: $METHOD
regex: ^(Get|Head|Post|PostForm)$
- pattern: http.Redirect($W, $REQ, $URL, ...)
- patterns:
- pattern: |
http.NewRequest("$METHOD", $URL, ...)
- metavariable-regex:
metavariable: $METHOD
regex: ^(GET|HEAD|POST|POSTFORM)$
- focus-metavariable: $URL
severity: WARNING
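Review bot: the CLEAN label's regex `.*//[a-zA-Z0-10]+\..*` (carried over from the old sanitizer at the same position) has a typo in its character class: inside `[...]`, `0-10` is the range `0-1` plus a literal `0`, so a host label containing any digit 2-9 (e.g. `https://api2.example.com/`) is never recognised and every request built from it is reported; it should read `[a-zA-Z0-9]`, and hostnames with hyphens need `-` as well. Beyond the typo, the regex only checks that the literal contains `//host.` somewhere; it does not require the authority to be closed by `/` before the tainted part begins, so `"https://example.com" + $INPUT` and `fmt.Sprintf("https://example.com%s", $INPUT)` are labelled CLEAN even though input such as `@attacker.example/` or `:8080@attacker.example/` makes `attacker.example` the host the request goes to. Requiring the slash, e.g. `.*//[a-zA-Z0-9.-]+(:[0-9]+)?/.*`, closes that. Two smaller points on the unchanged sink block: the `http.NewRequest` method regex `^(GET|HEAD|POST|POSTFORM)$` lists `POSTFORM`, which is not an HTTP method, and omits PUT, PATCH and DELETE, so requests built with those never reach a sink; and the `$CLIENT := &http.Client{...}` pattern-inside misses `http.DefaultClient` and non-pointer clients. Dropping the stray `$URLSTR` from the end of the message is a good fix.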
7 changes: 2 additions & 5 deletions java/lang/security/audit/formatted-sql-string.yaml
@@ -82,12 +82,9 @@ rules:
- patterns:
- pattern: (CriteriaBuilder $CB).$ANY(...)
- patterns:
- focus-metavariable: $...X
- pattern-either:
- pattern: <... $...X != $...Y ...>
- pattern: <... $...Y != $...X ...>
- pattern: <... $...X == $...Y ...>
- pattern: <... $...Y == $...X ...>
- pattern: $X != $Y
- pattern: $X == $Y
severity: ERROR
languages:
- java
Original file line number Diff line number Diff line change
@@ -72,9 +72,6 @@ rules:
regex: (execute|query|executeUpdate)
pattern-sanitizers:
- patterns:
- focus-metavariable: $...X
- pattern-either:
- pattern: <... $...X != $...Y ...>
- pattern: <... $...Y != $...X ...>
- pattern: <... $...X == $...Y ...>
- pattern: <... $...Y == $...X ...>
- pattern: $X != $Y
- pattern: $X == $Y
7 changes: 2 additions & 5 deletions java/spring/security/audit/spring-sqli.yaml
@@ -14,12 +14,9 @@ rules:
- pattern-inside: |
new $TYPE(...,$A,...);
- patterns:
- focus-metavariable: $...X
- pattern-either:
- pattern: <... $...X != $...Y ...>
- pattern: <... $...Y != $...X ...>
- pattern: <... $...X == $...Y ...>
- pattern: <... $...Y == $...X ...>
- pattern: $X != $Y
- pattern: $X == $Y
pattern-sinks:
- patterns:
- pattern-either:
1 change: 0 additions & 1 deletion java/spring/security/injection/tainted-html-string.yaml
@@ -29,7 +29,6 @@ rules:
likelihood: HIGH
impact: MEDIUM
confidence: MEDIUM
interfile: true
mode: taint
pattern-sources:
- label: INPUT
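Review bot: `interfile: true` is dropped from the metadata here (and, further down, from tainted-system-command.yaml) with no other change to the rule and no explanation in the commit message. The flag marks rules that need cross-file taint tracking to be effective, and this is a taint rule (`mode: taint` is right below the removed line) whose sources and sinks are typically spread over several classes in a Spring application, so it looks like exactly the case the flag exists for. Please state why it is being removed (the rule now ships in a single-file ruleset, or the flag was set by mistake) or keep it.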
7 changes: 2 additions & 5 deletions java/spring/security/injection/tainted-sql-string.yaml
@@ -82,9 +82,6 @@ rules:
regex: (?i)(select|delete|insert|create|update|alter|drop)\b
pattern-sanitizers:
- patterns:
- focus-metavariable: $...X
- pattern-either:
- pattern: <... $...X != $...Y ...>
- pattern: <... $...Y != $...X ...>
- pattern: <... $...X == $...Y ...>
- pattern: <... $...Y == $...X ...>
- pattern: $X != $Y
- pattern: $X == $Y
1 change: 0 additions & 1 deletion java/spring/security/injection/tainted-system-command.yaml
@@ -98,4 +98,3 @@ rules:
- vuln
likelihood: HIGH
impact: HIGH
interfile: true
49 changes: 49 additions & 0 deletions swift/lang/crypto/insecure-random.swift
@@ -0,0 +1,49 @@
import Foundation

func example() -> Void {
// ruleid: insecure-random
let randomInt = Int.random(in: 0..<6)
// ruleid: insecure-random
let randomDouble = Double.random(in: 2.71828...3.14159)
// ruleid: insecure-random
let randomBool = Bool.random()

// ruleid: insecure-random
let diceRoll = Int(arc4random_uniform(6) + 1)


// ruleid: insecure-random
let a = Int.random(in: 0 ... 10)

// ruleid: insecure-random
var k: Int = random() % 10;

// ruleid: insecure-random
let randomNumber = arc4random()

var r: Self = 0
// ruleid: insecure-random
arc4random_buf(&r, MemoryLayout<Self>.size)

// ruleid: insecure-random
let x = Int.random(in: 1...100)
// ruleid: insecure-random
var g = SystemRandomNumberGenerator()
// ruleid: insecure-random
let y = Int.random(in: 1...100, using: &g)

// ruleid: insecure-random
if (Int.random(in: 1...100) < 50) {
println("foo")
}

var printRandom = {
// ruleid: insecure-random
let a = Int.random(in: 1...10)
print(a)
}

// okid: insecure-random
Test.random(in: 1...10)
}

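Review bot: `println("foo")` on the `if` line is the pre-Swift 2 spelling and should be `print("foo")`, as the closure below it already does; and `var r: Self = 0` does not compile inside a free function (`Self` needs an enclosing type), so use a concrete type such as `UInt64` there. More importantly, the file has no negative case for the API the rule itself recommends: please add `import Security` and a `// ok: insecure-random` line such as `var bytes = [UInt8](repeating: 0, count: 16); let status = SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes)` next to the existing `Test.random(in: 1...10)` case, so the rule's own advice is covered as a negative test.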
42 changes: 42 additions & 0 deletions swift/lang/crypto/insecure-random.yaml
@@ -0,0 +1,42 @@
rules:
- id: insecure-random
message: >-
A random number generator was detected which is **not** *guaranteed* to be
Cryptographically secure. If the source of entropy is used for security
purposes (e.g. with other Cryptographic operations), make sure to use the
`SecCopyRandomBytes` API explicitly.
severity: WARNING
metadata:
likelihood: LOW
impact: LOW
confidence: LOW
category: security
cwe:
- 'CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)'
masvs:
- 'MSTG-CRYPTO-6: All random values are generated using a sufficiently secure random number generator.'
owasp:
- A02:2021 - Cryptographic Failures
references:
- https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements
- https://developer.apple.com/documentation/security/1399291-secrandomcopybytes
- https://developer.apple.com/documentation/security/randomization_services?language=swift
- https://github.com/apple/swift-evolution/blob/main/proposals/0202-random-unification.md
subcategory:
- audit
technology:
- ios
- macos
languages:
- swift
pattern-either:
- pattern: random()
- pattern: Int.random(...)
- pattern: Bool.random(...)
- pattern: Float.random(...)
- pattern: Double.random(...)
- pattern: arc4random()
- pattern: arc4random_buf(...)
- pattern: arc4random_uniform(...)
- pattern: SystemRandomNumberGenerator(...)
- pattern: rand()

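Review bot: the message recommends `SecCopyRandomBytes`, which does not exist; the API is `SecRandomCopyBytes`, as the reference URL further down (`1399291-secrandomcopybytes`) spells it. Second, the pattern list treats `SystemRandomNumberGenerator()` and the `Int/Bool/Float/Double.random(...)` family (which default to that generator) the same as libc `rand()`/`random()`, yet the Swift standard library documents `SystemRandomNumberGenerator` as using a cryptographically secure algorithm whenever possible, and SE-0202 in the references made it the default; flagging both groups at the same severity will be noisy, so either say in the message why the stdlib generator is included (no guarantee on every platform, which is presumably why confidence is LOW) or split it into its own rule. Third, the type list is incomplete: `UInt8.random(...)`, `Int32.random(...)`, `CGFloat.random(...)` and `randomElement()`/`shuffled()` are not matched; a `$TYPE.random(...)` pattern with a `metavariable-regex` on `$TYPE` would cover the numeric types while keeping the `Test.random(in:)` negative case from the test file.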