Adding Semgrep Rules for SSRF in Java

[salecharohit]

Thank you for submitting a Pull Request (PR) to the Cheat Sheet Series.

🚩 If your PR is related to grammar/typo mistakes, please double-check the file for other mistakes in order to fix all the issues in the current cheat sheet.

Please make sure that for your contribution:

• In case of a new Cheat Sheet, you have used the Cheat Sheet template.
• All the markdown files do not raise any validation policy violation, see the policy.
• All the markdown files follow these format rules.
• All your assets are stored in the assets folder.
• All the images used are in the PNG format.
• Any references to websites have been formatted as TEXT
• You verified/tested the effectiveness of your contribution (e.g., the defensive code proposed is really an effective remediation? Please verify it works!).
• The CI build of your PR pass, see the build status here.

If your PR is related to an issue, please finish your PR text with the following line:

This PR covers issue #457

Thank you again for your contribution 😃

[mackowski]

@salecharohit thank you for PR! I will review it this week as I want to review rules also :) But it looks solid on first glance

[salecharohit]

@salecharohit thank you for PR! I will review it this week as I want to review rules also :) But it looks solid on first glance

Sure. I have a PR pending at Semgrep side as well. It'll be reviewed soon and will be published too.

[mackowski]

I reviewed the rules and it looks fine but I think that the url will change after they will merge it on sempgrep side.

[mackowski]

I see that this link is to semgrep.dev/salecharohit:owsap_java_ssrf will it change after they merge your PR? Should we wait with this PR until they merge it master?

[mackowski]

@salecharohit any updates on this? Is your PR at Semgrep side merged?

[salecharohit]

@salecharohit any updates on this? Is your PR at Semgrep side merged?

Yep. Here is the files in github
The Semgrep URL for testing these rules are here

Let me know if any other details are required.

[mackowski]

@salecharohit apologies for late replay but I was on a short break last week :)
I think that it will be better to link to GH https://github.com/returntocorp/semgrep-rules/blob/develop/contrib/owasp/java/ssrf.yaml in line 385 what do you think?

[salecharohit]

@salecharohit apologies for late replay but I was on a short break last week :)
I think that it will be better to link to GH https://github.com/returntocorp/semgrep-rules/blob/develop/contrib/owasp/java/ssrf.yaml in line 385 what do you think?

Absolutely fine , please don't apologise :-)

Yep sure absolutely no problem. The only reason why I added the link to semgrep.live is because people can quickly run the rule and see the results.
Let me know your thoughts on this and I'll accordingly take action.

Update : The link mentioned by you is no longer valid. We had a re-arrangement of folders and below is the new link
https://github.com/returntocorp/semgrep-rules/blob/develop/contrib/owasp/java/ssrf/ssrf.yaml

[salecharohit]

Hi @mackowski awaiting your decision as my XXE rules are also ready to integrate. I'd rather wait to send a PR for XXE once the SSRF is approved.

[mackowski]

Looks good

[mackowski]

@salecharohit go ahead and create PR for XXE - thank you for your contribution and apologies for long reply.