feat: Ruby policy for insecure communication (SSL not enforced) (#187)

* feat: Ruby policy for insecure communication (SSL not enforced) * chore: Add integration test for Ruby insecure SMTP policy
Bearer · Dec 2, 2022 · ffcb0b1 · ffcb0b1
1 parent 53146ee
commit ffcb0b1
Show file tree

Hide file tree

Showing 20 changed files with 385 additions and 3 deletions.
diff --git a/integration/flags/.snapshots/TestInitCommand-init b/integration/flags/.snapshots/TestInitCommand-init
@@ -26,6 +26,24 @@ scan:
             metavars: {}
             stored: false
             detect_presence: false
+        detect_rails_insecure_communication:
+            disabled: false
+            type: risk
+            languages:
+                - ruby
+            patterns:
+                - pattern: |
+                    Rails.application.configure do
+                      config.force_ssl = false
+                    end
+                  filters: []
+            param_parenting: false
+            processors: []
+            root_singularize: false
+            root_lowercase: false
+            metavars: {}
+            stored: false
+            detect_presence: true
         detect_rails_insecure_smtp:
             disabled: false
             type: risk

diff --git a/integration/policies/.snapshots/TestPolicies-insecure_communication_with_sensitive_data b/integration/policies/.snapshots/TestPolicies-insecure_communication_with_sensitive_data
@@ -0,0 +1,31 @@
+medium:
+    - policy_name: Insecure communication
+      policy_description: Insecure communication in an application processing sensitive data
+      line_number: 8
+      filename: testdata/ruby/insecure_communication/with_sensitive_data.rb
+      category_group: Sensitive data
+      parent_line_number: 1
+      parent_content: |-
+        # Insecure communication
+
+        class User
+          attr_reader :name, :email, :password, :ethnicity
+        end
+
+        # Should match
+        Rails.application.configure do
+          config.force_ssl = false
+        end
+
+        # Should not match
+        Rails.application.configure do
+          config.force_ssl = true
+        end
+
+        Rails.application.configure do
+          # config.force_ssl = false
+        end
+
+
+--
+
diff --git a/integration/policies/.snapshots/TestPolicies-insecure_communication_without_sensitive_data b/integration/policies/.snapshots/TestPolicies-insecure_communication_without_sensitive_data
@@ -0,0 +1,5 @@
+{}
+
+
+--
+
diff --git a/integration/policies/.snapshots/TestPolicies-insecure_smtp_with_sensitive_data b/integration/policies/.snapshots/TestPolicies-insecure_smtp_with_sensitive_data
@@ -0,0 +1,81 @@
+medium:
+    - policy_name: Insecure SMTP
+      policy_description: Communication with insecure SMTP in an application processing sensitive data
+      line_number: 8
+      filename: testdata/ruby/insecure_smtp/with_sensitive_data.rb
+      category_group: Sensitive data
+      parent_line_number: 1
+      parent_content: |-
+        # Insecure SMTP
+
+        class User
+          attr_reader :name, :email, :password, :ethnicity
+        end
+
+        ## Detected
+        Rails.application.configure do
+          config.action_mailer.smtp_settings = {
+            openssl_verify_mode: OpenSSL::SSL::VERIFY_NONE
+          }
+        end
+
+        Rails.application.configure do
+          config.action_mailer.smtp_settings = {
+            openssl_verify_mode: "none"
+          }
+        end
+
+        ## Not Detected
+        Rails.application.configure do
+          config.action_mailer.smtp_settings = {
+            openssl_verify_mode: OpenSSL::SSL::VERIFY_PEER
+          }
+        end
+
+        Rails.application.configure do
+          config.action_mailer.smtp_settings = {
+            openssl_verify_mode: "peer"
+          }
+        end
+    - policy_name: Insecure SMTP
+      policy_description: Communication with insecure SMTP in an application processing sensitive data
+      line_number: 14
+      filename: testdata/ruby/insecure_smtp/with_sensitive_data.rb
+      category_group: Sensitive data
+      parent_line_number: 1
+      parent_content: |-
+        # Insecure SMTP
+
+        class User
+          attr_reader :name, :email, :password, :ethnicity
+        end
+
+        ## Detected
+        Rails.application.configure do
+          config.action_mailer.smtp_settings = {
+            openssl_verify_mode: OpenSSL::SSL::VERIFY_NONE
+          }
+        end
+
+        Rails.application.configure do
+          config.action_mailer.smtp_settings = {
+            openssl_verify_mode: "none"
+          }
+        end
+
+        ## Not Detected
+        Rails.application.configure do
+          config.action_mailer.smtp_settings = {
+            openssl_verify_mode: OpenSSL::SSL::VERIFY_PEER
+          }
+        end
+
+        Rails.application.configure do
+          config.action_mailer.smtp_settings = {
+            openssl_verify_mode: "peer"
+          }
+        end
+
+
+--
+
diff --git a/integration/policies/.snapshots/TestPolicies-insecure_smtp_without_sensitive_data b/integration/policies/.snapshots/TestPolicies-insecure_smtp_without_sensitive_data
@@ -0,0 +1,5 @@
+{}
+
+
+--
+
diff --git a/integration/policies/.snapshots/TestPolicies-logger_leaking b/integration/policies/.snapshots/TestPolicies-logger_leaking
@@ -0,0 +1,12 @@
+critical:
+    - policy_name: Logger leaking
+      policy_description: Logger leaks detected
+      line_number: 1
+      filename: testdata/ruby/logger_leaking.rb
+      category_group: Personal data
+      parent_line_number: 1
+      parent_content: logger.info(user.address)
+
+
+--
+
diff --git a/integration/policies/policies_test.go b/integration/policies/policies_test.go
@@ -29,7 +29,12 @@ func newPolicyTest(name string, testFiles []string) testhelper.TestCase {
 
 func TestPolicies(t *testing.T) {
 	tests := []testhelper.TestCase{
+		newPolicyTest("logger_leaking", []string{"ruby/logger_leaking.rb"}),
 		newPolicyTest("http_get_parameters", []string{"ruby/http_get_parameters.rb"}),
+		newPolicyTest("insecure_smtp_with_sensitive_data", []string{"ruby/insecure_smtp/with_sensitive_data.rb"}),
+		newPolicyTest("insecure_smtp_without_sensitive_data", []string{"ruby/insecure_smtp/without_sensitive_data.rb"}),
+		newPolicyTest("insecure_communication_with_sensitive_data", []string{"ruby/insecure_communication/with_sensitive_data.rb"}),
+		newPolicyTest("insecure_communication_without_sensitive_data", []string{"ruby/insecure_communication/without_sensitive_data.rb"}),
 	}
 
 	testhelper.RunTests(t, tests)

diff --git a/integration/policies/testdata/ruby/insecure_communication/with_sensitive_data.rb b/integration/policies/testdata/ruby/insecure_communication/with_sensitive_data.rb
@@ -0,0 +1,19 @@
+# Insecure communication
+
+class User
+  attr_reader :name, :email, :password, :ethnicity
+end
+
+# Should match
+Rails.application.configure do
+  config.force_ssl = false
+end
+
+# Should not match
+Rails.application.configure do
+  config.force_ssl = true
+end
+
+Rails.application.configure do
+  # config.force_ssl = false
+end
diff --git a/integration/policies/testdata/ruby/insecure_communication/without_sensitive_data.rb b/integration/policies/testdata/ruby/insecure_communication/without_sensitive_data.rb
@@ -0,0 +1,19 @@
+# Insecure communication
+
+class User
+  attr_reader :name, :email, :password
+end
+
+# Should match
+Rails.application.configure do
+  config.force_ssl = false
+end
+
+# Should not match
+Rails.application.configure do
+  config.force_ssl = true
+end
+
+Rails.application.configure do
+  # config.force_ssl = false
+end
diff --git a/integration/policies/testdata/ruby/insecure_smtp/with_sensitive_data.rb b/integration/policies/testdata/ruby/insecure_smtp/with_sensitive_data.rb
@@ -0,0 +1,31 @@
+# Insecure SMTP
+
+class User
+  attr_reader :name, :email, :password, :ethnicity
+end
+
+## Detected
+Rails.application.configure do
+  config.action_mailer.smtp_settings = {
+    openssl_verify_mode: OpenSSL::SSL::VERIFY_NONE
+  }
+end
+
+Rails.application.configure do
+  config.action_mailer.smtp_settings = {
+    openssl_verify_mode: "none"
+  }
+end
+
+## Not Detected
+Rails.application.configure do
+  config.action_mailer.smtp_settings = {
+    openssl_verify_mode: OpenSSL::SSL::VERIFY_PEER
+  }
+end
+
+Rails.application.configure do
+  config.action_mailer.smtp_settings = {
+    openssl_verify_mode: "peer"
+  }
+end
diff --git a/integration/policies/testdata/ruby/insecure_smtp/without_sensitive_data.rb b/integration/policies/testdata/ruby/insecure_smtp/without_sensitive_data.rb
@@ -0,0 +1,31 @@
+# Insecure SMTP
+
+class User
+  attr_reader :name, :email, :password
+end
+
+## Detected
+Rails.application.configure do
+  config.action_mailer.smtp_settings = {
+    openssl_verify_mode: OpenSSL::SSL::VERIFY_NONE
+  }
+end
+
+Rails.application.configure do
+  config.action_mailer.smtp_settings = {
+    openssl_verify_mode: "none"
+  }
+end
+
+## Not Detected
+Rails.application.configure do
+  config.action_mailer.smtp_settings = {
+    openssl_verify_mode: OpenSSL::SSL::VERIFY_PEER
+  }
+end
+
+Rails.application.configure do
+  config.action_mailer.smtp_settings = {
+    openssl_verify_mode: "peer"
+  }
+end
diff --git a/integration/policies/testdata/ruby/logger_leaking.rb b/integration/policies/testdata/ruby/logger_leaking.rb
@@ -0,0 +1 @@
+logger.info(user.address)
diff --git a/pkg/commands/process/settings/custom_detector.yml b/pkg/commands/process/settings/custom_detector.yml
@@ -144,3 +144,13 @@ detect_rails_insecure_smtp:
   languages:
     - ruby
   detect_presence: true
+detect_rails_insecure_communication:
+  type: "risk"
+  patterns:
+    - |
+      Rails.application.configure do
+        config.force_ssl = false
+      end
+  languages:
+    - ruby
+  detect_presence: true
diff --git a/pkg/commands/process/settings/policies.yml b/pkg/commands/process/settings/policies.yml
@@ -66,3 +66,12 @@ http_get_parameters:
   modules:
     - path: policies/http_get_parameters.rego
       name: bearer.http_get_parameters
+insecure_communication_processing_sensitive_data:
+  description: "Insecure communication in an application processing sensitive data"
+  name: "Insecure communication"
+  id: "detect_rails_insecure_communication"
+  query: |
+    medium = data.bearer.insecure_communication.medium
+  modules:
+    - path: policies/insecure_communication.rego
+      name: bearer.insecure_communication
diff --git a/pkg/commands/process/settings/policies/insecure_communication.rego b/pkg/commands/process/settings/policies/insecure_communication.rego
@@ -0,0 +1,24 @@
+package bearer.insecure_communication
+
+import future.keywords
+
+sensitive_data_group_uuid := "f6a0c071-5908-4420-bac2-bba28d41223e"
+
+medium[item] {
+    some data_type in input.dataflow.data_types
+    some data_category in input.data_categories
+    data_category.uuid == data_type.category_uuid
+    data_category.group_uuid == sensitive_data_group_uuid
+
+    some detector in input.dataflow.risks
+    detector.detector_id == input.policy_id
+
+    location = detector.locations[_]
+    item := {
+      "category_group": data_category.group_name,
+      "filename": location.filename,
+      "line_number": location.line_number,
+      "parent_line_number": location.parent.line_number,
+      "parent_content": location.parent.content
+    }
+}
diff --git a/pkg/commands/process/settings/policies/insecure_smtp.rego b/pkg/commands/process/settings/policies/insecure_smtp.rego
@@ -2,16 +2,23 @@ package bearer.insecure_smtp
 
 import future.keywords
 
+sensitive_data_group_uuid := "f6a0c071-5908-4420-bac2-bba28d41223e"
+
 medium[item] {
+    some data_type in input.dataflow.data_types
+    some data_category in input.data_categories
+    data_category.uuid == data_type.category_uuid
+    data_category.group_uuid == sensitive_data_group_uuid
+
     some detector in input.dataflow.risks
     detector.detector_id == input.policy_id
 
     location = detector.locations[_]
     item := {
-        "category_group": "Insecure communication",
+        "category_group": data_category.group_name,
         "filename": location.filename,
         "line_number": location.line_number,
-        "parent_line_number": location.line_number,
-        "parent_content": location.content
+        "parent_line_number": location.parent.line_number,
+        "parent_content": location.parent.content
     }
 }
diff --git a/pkg/detectors/custom/.snapshots/TestInsecureCommunicationJSON b/pkg/detectors/custom/.snapshots/TestInsecureCommunicationJSON
@@ -0,0 +1,18 @@
+[
+ {
+  "type": "custom_risk",
+  "detector_type": "detect_rails_insecure_communication",
+  "source": {
+   "filename": "config.rb",
+   "language": "Ruby",
+   "language_type": "programming",
+   "line_number": 3,
+   "column_number": 1,
+   "text": "Rails.application.configure do\n  config.force_ssl = false\nend\n"
+  },
+  "value": {
+   "line_number": 1,
+   "content": "# Insecure communication\n## Detected\nRails.application.configure do\n  config.force_ssl = false\nend\n\n## Not Detected\nRails.application.configure do\n  config.force_ssl = true\nend\n\nRails.application.configure do\n  # config.force_ssl = false\nend"
+  }
+ }
+]