add dangerous-exec rule (#1176)

ruby/lang/security/dangerous-exec.rb

@@ -0,0 +1,23 @@
+require 'open3'
+
+def test_calls(user_input)
+# ruleid: dangerous-exec
+  exec("ls -lah #{user_input}")
+
+# ruleid: dangerous-exec
+  Process.spawn([user_input, "smth"])
+
+  commands = "ls -lah /raz/dva"
+# ok: dangerous-exec
+  system(commands)
+
+  cmd_name = "sh"
+# ok: dangerous-exec
+  Process.exec([cmd_name, "ls", "-la"])
+# ok: dangerous-exec
+  Open3.capture2({"FOO" => "BAR"}, [cmd_name, "smth"])
+# ok: dangerous-exec
+  system("ls -lah /tmp")
+# ok: dangerous-exec
+  exec(["ls", "-lah", "/tmp"])
+end

ruby/lang/security/dangerous-exec.yaml

@@ -0,0 +1,27 @@
+rules:
+- id: dangerous-exec
+  patterns:
+  - pattern-either:
+    - pattern: |
+        $EXEC(...)
+  - pattern-not: |
+      $EXEC("...",...)
+  - pattern-not: |
+      $EXEC(["...",...],...)
+  - pattern-not: |
+      $EXEC({...},"...",...)
+  - pattern-not: |
+      $EXEC({...},["...",...],...)
+  - metavariable-regex:
+      metavariable: $EXEC
+      regex: ^(system|exec|Process.exec|Process.spawn|Open3.capture2|Open3.capture2e|Open3.capture3|Open3.popen2|Open3.popen2e|Open3.popen3|IO.popen|Gem::Util.popen|PTY.spawn)$
+  message: |
+    Detected non-static command inside $EXEC. Audit the input to '$EXEC'.
+    If unverified user data can reach this call site, this is a code injection
+    vulnerability. A malicious actor can inject a malicious script to execute
+    arbitrary code.
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code ('Code Injection')"
+    owasp: 'A1: Injection'
+  severity: WARNING
+  languages: [ruby]

ruby/lang/security/dangerous-open.rb

@@ -0,0 +1,20 @@
+# ok:dangerous-open
+cmd = open("|date")
+print cmd.gets
+cmd.close
+
+filename = "testfile"
+# ok:dangerous-open
+open(filename) do |f|
+  print f.gets
+end
+
+# ruleid:dangerous-open
+cmd = open("|%s" % user_input)
+print cmd.gets
+cmd.close
+
+# ruleid:dangerous-open
+cmd = open(Kernel::sprintf("|%s", user_input))
+print cmd.gets
+cmd.close

ruby/lang/security/dangerous-open.yaml

@@ -0,0 +1,20 @@
+rules:
+- id: dangerous-open
+  patterns:
+  - pattern: |
+      open($CMD,...)
+  - pattern-not: |
+      open("...",...)
+  - metavariable-regex:
+      metavariable: $CMD
+      regex: '|'
+  message: |
+    Detected non-static command inside 'open'. Audit the input to 'open'.
+    If unverified user data can reach this call site, this is a code injection
+    vulnerability. A malicious actor can inject a malicious script to execute
+    arbitrary code.
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code ('Code Injection')"
+    owasp: 'A1: Injection'
+  severity: WARNING
+  languages: [ruby]

ruby/lang/security/dangerous-open3-pipeline.rb

@@ -0,0 +1,21 @@
+require 'open3'
+
+fname = "/usr/share/man/man1/ruby.1.gz"
+# ok:dangerous-open3-pipeline
+p Open3.pipeline(["zcat", fname], "nroff -man", "less")
+
+fname = "/usr/share/man/man1/ls.1.gz"
+# ok:dangerous-open3-pipeline
+Open3.pipeline(["zcat", fname], "nroff -man", "colcrt")
+
+# ok:dangerous-open3-pipeline
+Open3.pipeline("sort", "uniq -c", :in=>"names.txt", :out=>"count")
+
+r,w = IO.pipe
+w.print "ibase=14\n10\n"
+# ok:dangerous-open3-pipeline
+Open3.pipeline("bc", "tee /dev/tty", :in=>r, :out=>w)
+
+pdf_file = "paper.pdf"
+# ruleid:dangerous-open3-pipeline
+Open3.pipeline(["pdftops", pdf_file, "-"], ["lpr", "-P#{user_input}"])

ruby/lang/security/dangerous-open3-pipeline.yaml

@@ -0,0 +1,20 @@
+rules:
+- id: dangerous-open3-pipeline
+  patterns:
+  - pattern: |
+      Open3.$PIPE(...)
+  - pattern-not: |
+      Open3.$PIPE(...,"...",...)
+  - metavariable-regex:
+      metavariable: $PIPE
+      regex: ^(pipeline|pipeline_r|pipeline_rw|pipeline_start|pipeline_w)$
+  message: |
+    Detected non-static command inside $PIPE. Audit the input to '$PIPE'.
+    If unverified user data can reach this call site, this is a code injection
+    vulnerability. A malicious actor can inject a malicious script to execute
+    arbitrary code.
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code ('Code Injection')"
+    owasp: 'A1: Injection'
+  severity: WARNING
+  languages: [ruby]

ruby/lang/security/dangerous-syscall.rb

@@ -0,0 +1,4 @@
+def test
+  # ruleid:dangerous-syscall
+  syscall 4, 1, "hello\n", 6   # '4' is write(2) on our box
+end

ruby/lang/security/dangerous-syscall.yaml

@@ -0,0 +1,11 @@
+rules:
+- id: dangerous-syscall
+  pattern: |
+    syscall
+  message: |
+    'syscall' is essentially unsafe and unportable. The DL (https://apidock.com/ruby/Fiddle) library is preferred for safer and a bit more portable programming.
+  metadata:
+    cwe: "CWE-94: Improper Control of Generation of Code ('Code Injection')"
+    owasp: 'A1: Injection'
+  severity: WARNING
+  languages: [ruby]

ruby/lang/security/no-eval.rb

@@ -59,3 +59,18 @@ class Thing
 # ruleid:ruby-eval
 Thing.module_eval(a)
 puts Thing.new.hello()
+
+
+def get_binding(param)
+  binding
+end
+b = get_binding("hello")
+# ruleid:ruby-eval
+b.eval("param")
+
+# ruleid:ruby-eval
+RubyVM::InstructionSequence.compile("1 + 2").eval
+
+iseq = RubyVM::InstructionSequence.compile('num = 1 + 2')
+# ruleid:ruby-eval
+iseq.eval

ruby/lang/security/no-eval.yaml

@@ -3,6 +3,7 @@ rules:
   patterns:
   - pattern-either:
     - pattern: eval(...)
+    - pattern: $BIND.eval(...)
     - pattern: |
         $CLASS.class_eval do
           ...
@@ -21,6 +22,14 @@ rules:
         $CLASS.instance_eval(...)
     - pattern: |
         $CLASS.module_eval(...)
+    - pattern: |
+        $VM.compile(...).eval
+    - patterns:
+      - pattern: |
+          $IS.eval
+      - pattern-inside: |
+          $IS = $VM.compile(...)
+          ...
   message: |
     Use of eval detected. This can run arbitrary code. Ensure external data
     does not reach here, otherwise this is a security vulnerability.