feat: add scope detection filter option (#1008)

* feat: add rule reference type * refactor: introduce scope * fix: debug and refactor * test: add scope tests
Bearer · May 25, 2023 · 45d1835 · 45d1835
1 parent 1e7c1fa
commit 45d1835
Show file tree

Hide file tree

Showing 36 changed files with 631 additions and 144 deletions.
diff --git a/new/detector/composition/java/.snapshots/TestScope--scope.yml b/new/detector/composition/java/.snapshots/TestScope--scope.yml
@@ -0,0 +1,74 @@
+high:
+    - rule:
+        cwe_ids:
+            - "42"
+        id: scope_test
+        title: Test detection filter scopes
+        description: Test detection filter scopes
+        documentation_url: ""
+      line_number: 1
+      filename: scope.java
+      parent_line_number: 1
+      snippet: scopeCursor(request.getParameter("oops"))
+      fingerprint: bdbeee20feb34c6881d975716e2fe09f_0
+    - rule:
+        cwe_ids:
+            - "42"
+        id: scope_test
+        title: Test detection filter scopes
+        description: Test detection filter scopes
+        documentation_url: ""
+      line_number: 5
+      filename: scope.java
+      parent_line_number: 5
+      snippet: scopeNested(request.getParameter("oops"))
+      fingerprint: bdbeee20feb34c6881d975716e2fe09f_1
+    - rule:
+        cwe_ids:
+            - "42"
+        id: scope_test
+        title: Test detection filter scopes
+        description: Test detection filter scopes
+        documentation_url: ""
+      line_number: 6
+      filename: scope.java
+      parent_line_number: 6
+      snippet: 'scopeNested(x ? request.getParameter("oops") : y)'
+      fingerprint: bdbeee20feb34c6881d975716e2fe09f_2
+    - rule:
+        cwe_ids:
+            - "42"
+        id: scope_test
+        title: Test detection filter scopes
+        description: Test detection filter scopes
+        documentation_url: ""
+      line_number: 7
+      filename: scope.java
+      parent_line_number: 7
+      snippet: 'scopeNested(request.getParameter("oops") ? x : y)'
+      fingerprint: bdbeee20feb34c6881d975716e2fe09f_3
+    - rule:
+        cwe_ids:
+            - "42"
+        id: scope_test
+        title: Test detection filter scopes
+        description: Test detection filter scopes
+        documentation_url: ""
+      line_number: 9
+      filename: scope.java
+      parent_line_number: 9
+      snippet: scopeResult(request.getParameter("oops"))
+      fingerprint: bdbeee20feb34c6881d975716e2fe09f_4
+    - rule:
+        cwe_ids:
+            - "42"
+        id: scope_test
+        title: Test detection filter scopes
+        description: Test detection filter scopes
+        documentation_url: ""
+      line_number: 10
+      filename: scope.java
+      parent_line_number: 10
+      snippet: 'scopeResult(x ? request.getParameter("oops") : y)'
+      fingerprint: bdbeee20feb34c6881d975716e2fe09f_5
+
diff --git a/new/detector/composition/java/java.go b/new/detector/composition/java/java.go
@@ -193,7 +193,13 @@ func (composition *Composition) DetectFromFileWithTypes(file *file.FileInfo, det
 	var result []*detectortypes.Detection
 	for _, detectorType := range detectorTypes {
 		rule := composition.rules[detectorType]
-		detections, err := evaluator.ForTree(tree.RootNode(), detectorType, rule.SanitizerRuleID, false)
+		detections, err := evaluator.Evaluate(
+			tree.RootNode(),
+			detectorType,
+			rule.SanitizerRuleID,
+			settings.NESTED_SCOPE,
+			false,
+		)
 		if err != nil {
 			return nil, err
 		}

diff --git a/new/detector/composition/java/java_test.go b/new/detector/composition/java/java_test.go
@@ -10,7 +10,15 @@ import (
 //go:embed testdata/logger.yml
 var loggerRule []byte
 
+//go:embed testdata/scope_rule.yml
+var scopeRule []byte
+
 func TestFlow(t *testing.T) {
 	t.Parallel()
-	testhelper.GetRunner(t, loggerRule, "Javascript").RunTest(t, "./testdata/testcases/flow", ".snapshots/flow/")
+	testhelper.GetRunner(t, loggerRule, "Java").RunTest(t, "./testdata/testcases/flow", ".snapshots/flow/")
+}
+
+func TestScope(t *testing.T) {
+	t.Parallel()
+	testhelper.GetRunner(t, scopeRule, "Java").RunTest(t, "./testdata/scope", ".snapshots/")
 }
diff --git a/new/detector/composition/java/testdata/scope/scope.java b/new/detector/composition/java/testdata/scope/scope.java
@@ -0,0 +1,11 @@
+scopeCursor(request.getParameter("oops"))
+scopeCursor(x ? request.getParameter("ok") : y)
+scopeCursor(request.getParameter("ok") ? x : y)
+
+scopeNested(request.getParameter("oops"))
+scopeNested(x ? request.getParameter("oops") : y)
+scopeNested(request.getParameter("oops") ? x : y)
+
+scopeResult(request.getParameter("oops"))
+scopeResult(x ? request.getParameter("oops") : y)
+scopeResult(request.getParameter("ok") ? x : y)
diff --git a/new/detector/composition/java/testdata/scope_rule.yml b/new/detector/composition/java/testdata/scope_rule.yml
@@ -0,0 +1,29 @@
+languages:
+  - java
+patterns:
+  - pattern: scopeCursor($<USER_INPUT>)
+    filters:
+      - variable: USER_INPUT
+        detection: scope_test_user_input
+        scope: cursor
+  - pattern: scopeNested($<USER_INPUT>)
+    filters:
+      - variable: USER_INPUT
+        detection: scope_test_user_input
+        scope: nested
+  - pattern: scopeResult($<USER_INPUT>)
+    filters:
+      - variable: USER_INPUT
+        detection: scope_test_user_input
+        scope: result
+auxiliary:
+  - id: scope_test_user_input
+    patterns:
+      - request.getParameter()
+severity: high
+metadata:
+  description: Test detection filter scopes
+  remediation_message: Test detection filter scopes
+  cwe_id:
+    - 42
+  id: scope_test
diff --git a/new/detector/composition/javascript/.snapshots/TestScope--scope.yml b/new/detector/composition/javascript/.snapshots/TestScope--scope.yml
@@ -0,0 +1,74 @@
+high:
+    - rule:
+        cwe_ids:
+            - "42"
+        id: scope_test
+        title: Test detection filter scopes
+        description: Test detection filter scopes
+        documentation_url: ""
+      line_number: 1
+      filename: scope.js
+      parent_line_number: 1
+      snippet: scopeCursor(req.params.oops)
+      fingerprint: 408407aa362e0520faf6b66c3d59bb8c_0
+    - rule:
+        cwe_ids:
+            - "42"
+        id: scope_test
+        title: Test detection filter scopes
+        description: Test detection filter scopes
+        documentation_url: ""
+      line_number: 5
+      filename: scope.js
+      parent_line_number: 5
+      snippet: scopeNested(req.params.oops)
+      fingerprint: 408407aa362e0520faf6b66c3d59bb8c_1
+    - rule:
+        cwe_ids:
+            - "42"
+        id: scope_test
+        title: Test detection filter scopes
+        description: Test detection filter scopes
+        documentation_url: ""
+      line_number: 6
+      filename: scope.js
+      parent_line_number: 6
+      snippet: 'scopeNested(x ? req.params.oops : y)'
+      fingerprint: 408407aa362e0520faf6b66c3d59bb8c_2
+    - rule:
+        cwe_ids:
+            - "42"
+        id: scope_test
+        title: Test detection filter scopes
+        description: Test detection filter scopes
+        documentation_url: ""
+      line_number: 7
+      filename: scope.js
+      parent_line_number: 7
+      snippet: 'scopeNested(req.params.oops ? x : y)'
+      fingerprint: 408407aa362e0520faf6b66c3d59bb8c_3
+    - rule:
+        cwe_ids:
+            - "42"
+        id: scope_test
+        title: Test detection filter scopes
+        description: Test detection filter scopes
+        documentation_url: ""
+      line_number: 9
+      filename: scope.js
+      parent_line_number: 9
+      snippet: scopeResult(req.params.oops)
+      fingerprint: 408407aa362e0520faf6b66c3d59bb8c_4
+    - rule:
+        cwe_ids:
+            - "42"
+        id: scope_test
+        title: Test detection filter scopes
+        description: Test detection filter scopes
+        documentation_url: ""
+      line_number: 10
+      filename: scope.js
+      parent_line_number: 10
+      snippet: 'scopeResult(x ? req.params.oops : y)'
+      fingerprint: 408407aa362e0520faf6b66c3d59bb8c_5
+
diff --git a/new/detector/composition/javascript/javascript.go b/new/detector/composition/javascript/javascript.go
@@ -193,7 +193,13 @@ func (composition *Composition) DetectFromFileWithTypes(file *file.FileInfo, det
 	var result []*detectortypes.Detection
 	for _, detectorType := range detectorTypes {
 		rule := composition.rules[detectorType]
-		detections, err := evaluator.ForTree(tree.RootNode(), detectorType, rule.SanitizerRuleID, false)
+		detections, err := evaluator.Evaluate(
+			tree.RootNode(),
+			detectorType,
+			rule.SanitizerRuleID,
+			settings.NESTED_SCOPE,
+			false,
+		)
 		if err != nil {
 			return nil, err
 		}

diff --git a/new/detector/composition/javascript/javascript_test.go b/new/detector/composition/javascript/javascript_test.go
@@ -16,6 +16,9 @@ var datatypeRule []byte
 //go:embed testdata/deconstructing.yml
 var deconstructingRule []byte
 
+//go:embed testdata/scope_rule.yml
+var scopeRule []byte
+
 func TestFlow(t *testing.T) {
 	t.Parallel()
 	testhelper.GetRunner(t, datatypeRule, "Javascript").RunTest(t, "./testdata/testcases/flow", ".snapshots/flow/")
@@ -30,3 +33,8 @@ func TestString(t *testing.T) {
 	t.Parallel()
 	testhelper.GetRunner(t, insecureURLRule, "Javascript").RunTest(t, "./testdata/testcases/string", ".snapshots/string/")
 }
+
+func TestScope(t *testing.T) {
+	t.Parallel()
+	testhelper.GetRunner(t, scopeRule, "Javascript").RunTest(t, "./testdata/scope", ".snapshots/")
+}
diff --git a/new/detector/composition/javascript/testdata/scope/scope.js b/new/detector/composition/javascript/testdata/scope/scope.js
@@ -0,0 +1,11 @@
+scopeCursor(req.params.oops)
+scopeCursor(x ? req.params.ok : y)
+scopeCursor(req.params.ok ? x : y)
+
+scopeNested(req.params.oops)
+scopeNested(x ? req.params.oops : y)
+scopeNested(req.params.oops ? x : y)
+
+scopeResult(req.params.oops)
+scopeResult(x ? req.params.oops : y)
+scopeResult(req.params.ok ? x : y)
diff --git a/new/detector/composition/javascript/testdata/scope_rule.yml b/new/detector/composition/javascript/testdata/scope_rule.yml
@@ -0,0 +1,29 @@
+languages:
+  - javascript
+patterns:
+  - pattern: scopeCursor($<USER_INPUT>)
+    filters:
+      - variable: USER_INPUT
+        detection: scope_test_user_input
+        scope: cursor
+  - pattern: scopeNested($<USER_INPUT>)
+    filters:
+      - variable: USER_INPUT
+        detection: scope_test_user_input
+        scope: nested
+  - pattern: scopeResult($<USER_INPUT>)
+    filters:
+      - variable: USER_INPUT
+        detection: scope_test_user_input
+        scope: result
+auxiliary:
+  - id: scope_test_user_input
+    patterns:
+      - req.params.$<_>
+severity: high
+metadata:
+  description: Test detection filter scopes
+  remediation_message: Test detection filter scopes
+  cwe_id:
+    - 42
+  id: scope_test
diff --git a/new/detector/composition/ruby/.snapshots/TestScope--scope.yml b/new/detector/composition/ruby/.snapshots/TestScope--scope.yml
@@ -0,0 +1,74 @@
+high:
+    - rule:
+        cwe_ids:
+            - "42"
+        id: scope_test
+        title: Test detection filter scopes
+        description: Test detection filter scopes
+        documentation_url: ""
+      line_number: 1
+      filename: scope.rb
+      parent_line_number: 1
+      snippet: scope_cursor(params[:oops])
+      fingerprint: 23e17866f80f43957a84e824da9ce255_0
+    - rule:
+        cwe_ids:
+            - "42"
+        id: scope_test
+        title: Test detection filter scopes
+        description: Test detection filter scopes
+        documentation_url: ""
+      line_number: 5
+      filename: scope.rb
+      parent_line_number: 5
+      snippet: scope_nested(params[:oops])
+      fingerprint: 23e17866f80f43957a84e824da9ce255_1
+    - rule:
+        cwe_ids:
+            - "42"
+        id: scope_test
+        title: Test detection filter scopes
+        description: Test detection filter scopes
+        documentation_url: ""
+      line_number: 6
+      filename: scope.rb
+      parent_line_number: 6
+      snippet: 'scope_nested(x ? params[:oops] : y)'
+      fingerprint: 23e17866f80f43957a84e824da9ce255_2
+    - rule:
+        cwe_ids:
+            - "42"
+        id: scope_test
+        title: Test detection filter scopes
+        description: Test detection filter scopes
+        documentation_url: ""
+      line_number: 7
+      filename: scope.rb
+      parent_line_number: 7
+      snippet: 'scope_nested(params[:oops] ? x : y)'
+      fingerprint: 23e17866f80f43957a84e824da9ce255_3
+    - rule:
+        cwe_ids:
+            - "42"
+        id: scope_test
+        title: Test detection filter scopes
+        description: Test detection filter scopes
+        documentation_url: ""
+      line_number: 9
+      filename: scope.rb
+      parent_line_number: 9
+      snippet: scope_result(params[:oops])
+      fingerprint: 23e17866f80f43957a84e824da9ce255_4
+    - rule:
+        cwe_ids:
+            - "42"
+        id: scope_test
+        title: Test detection filter scopes
+        description: Test detection filter scopes
+        documentation_url: ""
+      line_number: 10
+      filename: scope.rb
+      parent_line_number: 10
+      snippet: 'scope_result(x ? params[:oops] : y)'
+      fingerprint: 23e17866f80f43957a84e824da9ce255_5
+
diff --git a/new/detector/composition/ruby/ruby.go b/new/detector/composition/ruby/ruby.go
@@ -192,7 +192,13 @@ func (composition *Composition) DetectFromFileWithTypes(file *file.FileInfo, det
 	var result []*detectortypes.Detection
 	for _, detectorType := range detectorTypes {
 		rule := composition.rules[detectorType]
-		detections, err := evaluator.ForTree(tree.RootNode(), detectorType, rule.SanitizerRuleID, false)
+		detections, err := evaluator.Evaluate(
+			tree.RootNode(),
+			detectorType,
+			rule.SanitizerRuleID,
+			settings.NESTED_SCOPE,
+			false,
+		)
 		if err != nil {
 			return nil, err
 		}