-
Notifications
You must be signed in to change notification settings - Fork 84
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: Ruby policy for insecure communication (SSL not enforced) (#187)
* feat: Ruby policy for insecure communication (SSL not enforced) * chore: Add integration test for Ruby insecure SMTP policy
- Loading branch information
Showing
20 changed files
with
385 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
31 changes: 31 additions & 0 deletions
31
integration/policies/.snapshots/TestPolicies-insecure_communication_with_sensitive_data
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
medium: | ||
- policy_name: Insecure communication | ||
policy_description: Insecure communication in an application processing sensitive data | ||
line_number: 8 | ||
filename: testdata/ruby/insecure_communication/with_sensitive_data.rb | ||
category_group: Sensitive data | ||
parent_line_number: 1 | ||
parent_content: |- | ||
# Insecure communication | ||
|
||
class User | ||
attr_reader :name, :email, :password, :ethnicity | ||
end | ||
|
||
# Should match | ||
Rails.application.configure do | ||
config.force_ssl = false | ||
end | ||
|
||
# Should not match | ||
Rails.application.configure do | ||
config.force_ssl = true | ||
end | ||
|
||
Rails.application.configure do | ||
# config.force_ssl = false | ||
end | ||
|
||
|
||
-- | ||
|
5 changes: 5 additions & 0 deletions
5
integration/policies/.snapshots/TestPolicies-insecure_communication_without_sensitive_data
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
{} | ||
|
||
|
||
-- | ||
|
81 changes: 81 additions & 0 deletions
81
integration/policies/.snapshots/TestPolicies-insecure_smtp_with_sensitive_data
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,81 @@ | ||
medium: | ||
- policy_name: Insecure SMTP | ||
policy_description: Communication with insecure SMTP in an application processing sensitive data | ||
line_number: 8 | ||
filename: testdata/ruby/insecure_smtp/with_sensitive_data.rb | ||
category_group: Sensitive data | ||
parent_line_number: 1 | ||
parent_content: |- | ||
# Insecure SMTP | ||
|
||
class User | ||
attr_reader :name, :email, :password, :ethnicity | ||
end | ||
|
||
## Detected | ||
Rails.application.configure do | ||
config.action_mailer.smtp_settings = { | ||
openssl_verify_mode: OpenSSL::SSL::VERIFY_NONE | ||
} | ||
end | ||
|
||
Rails.application.configure do | ||
config.action_mailer.smtp_settings = { | ||
openssl_verify_mode: "none" | ||
} | ||
end | ||
|
||
## Not Detected | ||
Rails.application.configure do | ||
config.action_mailer.smtp_settings = { | ||
openssl_verify_mode: OpenSSL::SSL::VERIFY_PEER | ||
} | ||
end | ||
|
||
Rails.application.configure do | ||
config.action_mailer.smtp_settings = { | ||
openssl_verify_mode: "peer" | ||
} | ||
end | ||
- policy_name: Insecure SMTP | ||
policy_description: Communication with insecure SMTP in an application processing sensitive data | ||
line_number: 14 | ||
filename: testdata/ruby/insecure_smtp/with_sensitive_data.rb | ||
category_group: Sensitive data | ||
parent_line_number: 1 | ||
parent_content: |- | ||
# Insecure SMTP | ||
|
||
class User | ||
attr_reader :name, :email, :password, :ethnicity | ||
end | ||
|
||
## Detected | ||
Rails.application.configure do | ||
config.action_mailer.smtp_settings = { | ||
openssl_verify_mode: OpenSSL::SSL::VERIFY_NONE | ||
} | ||
end | ||
|
||
Rails.application.configure do | ||
config.action_mailer.smtp_settings = { | ||
openssl_verify_mode: "none" | ||
} | ||
end | ||
|
||
## Not Detected | ||
Rails.application.configure do | ||
config.action_mailer.smtp_settings = { | ||
openssl_verify_mode: OpenSSL::SSL::VERIFY_PEER | ||
} | ||
end | ||
|
||
Rails.application.configure do | ||
config.action_mailer.smtp_settings = { | ||
openssl_verify_mode: "peer" | ||
} | ||
end | ||
|
||
|
||
-- | ||
|
5 changes: 5 additions & 0 deletions
5
integration/policies/.snapshots/TestPolicies-insecure_smtp_without_sensitive_data
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
{} | ||
|
||
|
||
-- | ||
|
12 changes: 12 additions & 0 deletions
12
integration/policies/.snapshots/TestPolicies-logger_leaking
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
critical: | ||
- policy_name: Logger leaking | ||
policy_description: Logger leaks detected | ||
line_number: 1 | ||
filename: testdata/ruby/logger_leaking.rb | ||
category_group: Personal data | ||
parent_line_number: 1 | ||
parent_content: logger.info(user.address) | ||
|
||
|
||
-- | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
19 changes: 19 additions & 0 deletions
19
integration/policies/testdata/ruby/insecure_communication/with_sensitive_data.rb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
# Insecure communication | ||
|
||
class User | ||
attr_reader :name, :email, :password, :ethnicity | ||
end | ||
|
||
# Should match | ||
Rails.application.configure do | ||
config.force_ssl = false | ||
end | ||
|
||
# Should not match | ||
Rails.application.configure do | ||
config.force_ssl = true | ||
end | ||
|
||
Rails.application.configure do | ||
# config.force_ssl = false | ||
end |
19 changes: 19 additions & 0 deletions
19
integration/policies/testdata/ruby/insecure_communication/without_sensitive_data.rb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
# Insecure communication | ||
|
||
class User | ||
attr_reader :name, :email, :password | ||
end | ||
|
||
# Should match | ||
Rails.application.configure do | ||
config.force_ssl = false | ||
end | ||
|
||
# Should not match | ||
Rails.application.configure do | ||
config.force_ssl = true | ||
end | ||
|
||
Rails.application.configure do | ||
# config.force_ssl = false | ||
end |
31 changes: 31 additions & 0 deletions
31
integration/policies/testdata/ruby/insecure_smtp/with_sensitive_data.rb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
# Insecure SMTP | ||
|
||
class User | ||
attr_reader :name, :email, :password, :ethnicity | ||
end | ||
|
||
## Detected | ||
Rails.application.configure do | ||
config.action_mailer.smtp_settings = { | ||
openssl_verify_mode: OpenSSL::SSL::VERIFY_NONE | ||
} | ||
end | ||
|
||
Rails.application.configure do | ||
config.action_mailer.smtp_settings = { | ||
openssl_verify_mode: "none" | ||
} | ||
end | ||
|
||
## Not Detected | ||
Rails.application.configure do | ||
config.action_mailer.smtp_settings = { | ||
openssl_verify_mode: OpenSSL::SSL::VERIFY_PEER | ||
} | ||
end | ||
|
||
Rails.application.configure do | ||
config.action_mailer.smtp_settings = { | ||
openssl_verify_mode: "peer" | ||
} | ||
end |
31 changes: 31 additions & 0 deletions
31
integration/policies/testdata/ruby/insecure_smtp/without_sensitive_data.rb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
# Insecure SMTP | ||
|
||
class User | ||
attr_reader :name, :email, :password | ||
end | ||
|
||
## Detected | ||
Rails.application.configure do | ||
config.action_mailer.smtp_settings = { | ||
openssl_verify_mode: OpenSSL::SSL::VERIFY_NONE | ||
} | ||
end | ||
|
||
Rails.application.configure do | ||
config.action_mailer.smtp_settings = { | ||
openssl_verify_mode: "none" | ||
} | ||
end | ||
|
||
## Not Detected | ||
Rails.application.configure do | ||
config.action_mailer.smtp_settings = { | ||
openssl_verify_mode: OpenSSL::SSL::VERIFY_PEER | ||
} | ||
end | ||
|
||
Rails.application.configure do | ||
config.action_mailer.smtp_settings = { | ||
openssl_verify_mode: "peer" | ||
} | ||
end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
logger.info(user.address) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
24 changes: 24 additions & 0 deletions
24
pkg/commands/process/settings/policies/insecure_communication.rego
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
package bearer.insecure_communication | ||
|
||
import future.keywords | ||
|
||
sensitive_data_group_uuid := "f6a0c071-5908-4420-bac2-bba28d41223e" | ||
|
||
medium[item] { | ||
some data_type in input.dataflow.data_types | ||
some data_category in input.data_categories | ||
data_category.uuid == data_type.category_uuid | ||
data_category.group_uuid == sensitive_data_group_uuid | ||
|
||
some detector in input.dataflow.risks | ||
detector.detector_id == input.policy_id | ||
|
||
location = detector.locations[_] | ||
item := { | ||
"category_group": data_category.group_name, | ||
"filename": location.filename, | ||
"line_number": location.line_number, | ||
"parent_line_number": location.parent.line_number, | ||
"parent_content": location.parent.content | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
18 changes: 18 additions & 0 deletions
18
pkg/detectors/custom/.snapshots/TestInsecureCommunicationJSON
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
[ | ||
{ | ||
"type": "custom_risk", | ||
"detector_type": "detect_rails_insecure_communication", | ||
"source": { | ||
"filename": "config.rb", | ||
"language": "Ruby", | ||
"language_type": "programming", | ||
"line_number": 3, | ||
"column_number": 1, | ||
"text": "Rails.application.configure do\n config.force_ssl = false\nend\n" | ||
}, | ||
"value": { | ||
"line_number": 1, | ||
"content": "# Insecure communication\n## Detected\nRails.application.configure do\n config.force_ssl = false\nend\n\n## Not Detected\nRails.application.configure do\n config.force_ssl = true\nend\n\nRails.application.configure do\n # config.force_ssl = false\nend" | ||
} | ||
} | ||
] |
Oops, something went wrong.