-
Notifications
You must be signed in to change notification settings - Fork 83
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: Ruby policy for insecure FTP when sensitive data is processed (#…
…193)
- Loading branch information
Showing
13 changed files
with
238 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
12 changes: 12 additions & 0 deletions
12
integration/policies/.snapshots/TestPolicies-insecure_ftp_with_sensitive_data
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
medium: | ||
- policy_name: Insecure FTP | ||
policy_description: Communication with insecure FTP in an application processing sensitive data | ||
line_number: 10 | ||
filename: testdata/ruby/insecure_ftp/with_sensitive_data.rb | ||
category_group: sensitive data | ||
parent_line_number: 10 | ||
parent_content: Net::FTP::new("ftp.ruby-lang.org") | ||
|
||
|
||
-- | ||
|
5 changes: 5 additions & 0 deletions
5
integration/policies/.snapshots/TestPolicies-insecure_ftp_without_sensitive_data
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
{} | ||
|
||
|
||
-- | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
22 changes: 22 additions & 0 deletions
22
integration/policies/testdata/ruby/insecure_ftp/with_sensitive_data.rb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
# Insecure FTP | ||
|
||
class User | ||
attr_reader :name, :email, :password, :ethnicity | ||
end | ||
|
||
## Detected | ||
require "net/ftp" | ||
|
||
ftp = Net::FTP::new("ftp.ruby-lang.org") | ||
ftp.login("anonymous", "matz@ruby-lang.org") | ||
ftp.chdir("/pub/ruby") | ||
tgz = ftp.list("ruby-*.tar.gz").sort.last | ||
ftp.getbinaryfile(tgz, tgz) | ||
ftp.close | ||
|
||
## Not detected | ||
require "net/sftp" | ||
|
||
Net::SFTP.start("localhost", "user") do |sftp| | ||
sftp.upload! "/local/file.tgz", "/remote/file.tgz" | ||
end |
22 changes: 22 additions & 0 deletions
22
integration/policies/testdata/ruby/insecure_ftp/without_sensitive_data.rb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
# Insecure FTP | ||
|
||
class User | ||
attr_reader :name, :email, :password | ||
end | ||
|
||
## Detected | ||
require "net/ftp" | ||
|
||
ftp = Net::FTP::new("ftp.ruby-lang.org") | ||
ftp.login("anonymous", "matz@ruby-lang.org") | ||
ftp.chdir("/pub/ruby") | ||
tgz = ftp.list("ruby-*.tar.gz").sort.last | ||
ftp.getbinaryfile(tgz, tgz) | ||
ftp.close | ||
|
||
## Not detected | ||
require "net/sftp" | ||
|
||
Net::SFTP.start("localhost", "user") do |sftp| | ||
sftp.upload! "/local/file.tgz", "/remote/file.tgz" | ||
end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
package bearer.insecure_ftp | ||
|
||
import future.keywords | ||
|
||
sensitive_data_group_uuid := "f6a0c071-5908-4420-bac2-bba28d41223e" | ||
|
||
has_sensitive_data if { | ||
some data_type in input.dataflow.data_types | ||
some data_category in input.data_categories | ||
data_category.uuid == data_type.category_uuid | ||
data_category.group_uuid == sensitive_data_group_uuid | ||
} | ||
|
||
medium[item] { | ||
has_sensitive_data == true | ||
|
||
some detector in input.dataflow.risks | ||
detector.detector_id == input.policy_id | ||
|
||
location = detector.locations[_] | ||
item := { | ||
"category_group": "sensitive data", | ||
"filename": location.filename, | ||
"line_number": location.line_number, | ||
"parent_line_number": location.parent.line_number, | ||
"parent_content": location.parent.content | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
[ | ||
{ | ||
"type": "custom_risk", | ||
"detector_type": "detect_rails_insecure_ftp", | ||
"source": { | ||
"filename": "config.rb", | ||
"language": "Ruby", | ||
"language_type": "programming", | ||
"line_number": 5, | ||
"column_number": 7, | ||
"text": "Net::FTP::new\n" | ||
}, | ||
"value": { | ||
"line_number": 5, | ||
"content": "Net::FTP::new(\"ftp.ruby-lang.org\")" | ||
} | ||
} | ||
] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
detect_rails_insecure_ftp: | ||
type: "risk" | ||
patterns: | ||
- | | ||
Net::FTP::new | ||
languages: | ||
- ruby | ||
detect_presence: true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
# Insecure FTP | ||
## Detected | ||
require "net/ftp" | ||
|
||
ftp = Net::FTP::new("ftp.ruby-lang.org") | ||
ftp.login("anonymous", "matz@ruby-lang.org") | ||
ftp.chdir("/pub/ruby") | ||
tgz = ftp.list("ruby-*.tar.gz").sort.last | ||
ftp.getbinaryfile(tgz, tgz) | ||
ftp.close | ||
|
||
## Not detected | ||
require "net/sftp" | ||
|
||
Net::SFTP.start("localhost", "user") do |sftp| | ||
sftp.upload! "/local/file.tgz", "/remote/file.tgz" | ||
end |