diff --git a/d b/d
deleted file mode 100644
index d8b8a0c0..00000000
--- a/d
+++ /dev/null
@@ -1,65 +0,0 @@
-a281adc (HEAD -> main, origin/main, origin/HEAD) Removing empty password rules (#60)
-5578d80 Removing missing-httponly-java rule (#59)
-add1b51 Update @ast-grep/cli dependency version in package.json to ^0.30.1 (#57)
-d27dbf6 Update README.md
-85fc9fa Update README.md
-3ff3dc2 Update README.md
-16ba3be Update CodeRabbit Reviews badge in README for improved stats display
-5208707 update cr badge link (#55)
-4000c69 Update README to rename dynamic JSON badge for CodeRabbit reviews (#54)
-a925b71 Add dynamic JSON badge to README for CodeRabbit reviews (#53)
-36cd7bc Modified rule - python-couchbase-empty-password-python (#50)
-2a2a0b5 Add security rules for Java and Swift applications for cookie and secret management
-c8b07de Add YAML Configs for Swift Webview Security Rules and Test Cases
-00526ee Add security rules for socket binding and Flask debug mode detection
-2b74515 Add Swift webview security rules and test cases for JS window handling
-3195f93 Rules- std-vector-invalidation - c/cpp (#32)
-6e4fca9 Two python rules 16Oct2024 (#31)
-f4cbffa insecure-binaryformatter-deserialization-csharp (#30)
-006dfaa Two openai go rules (#29)
-b7edd27 Two openai go rules (#28)
-5c6b9ec Rules - file-stat-before-action c/cpp (#27)
-d476976 Rules - file-access-before-action-c/cpp (#23)
-bf7cb81 Rules - insecure-hash-c/cpp (#22)
-cbe37c4 insecure-cipher-algorithm-rc4-python (#21)
-72e144d Rules - One php and one java rule (#20)
-2e7cc23 Rules: null-function-library-c/cpp (#19)
-cd70510 Two python rules (#33)
-fc491b0 Rules - One C rule and one Ruby rule (#34)
-2f10d49 Two Rust rules (#35)
-deb96b1 Two Rust rules (#36)
-c752f2e Two java rules (#37)
-2b863ae avoid_app_run_with_bad_host-python (#38)
-3592c52 Rules - One go and one java rule - 11Oct2024 (#18)
-f43b4ed Rules - dont-call-system c/cpp (#17)
-c30bdb6 Two Java rules 10Oct2024 (#16)
-7fc798f Two Go rules 10Oct2024 (#15)
-330dc1f Two Java rules (#14)
-cb2b69f One java and one rust rule (#13)
-92aa3ae Rules - node-rsa-weak-key in Js/Ts (#12)
-466b1c4 Rules - Express-jwt-hardcoded-secret in Js/Ts (#11)
-55859ed New Rules #2 (#9)
-1cb4625 More Rules
-5c87db3 Update ast-grep CLI & add Java cookie management rules
-aa2c433 Pull request for 10 rules ESS-ENN (#5)
-1521a46 update test scripts
-37c8068 ignore snapshots dir
-4206290 update readme file
-4675eec update readme file
-6651c18 update readme file (#3)
-7f0bbc8 Create LICENSE
-eb2b142 Create CODE_OF_CONDUCT.md
-a6405dd Add initial testing structure
-5e88d14 Update doc with rule structure
-467affb Add readme file content with the package structure
-4502fd7 Add basic ruby, rust & kotlin rules
-9ab4718 Add basic Java rules
-8f64638 Add basic CSharp rules
-96628d6 Add basic C rules
-7b90ba8 Add note field to all existing rules
-2dce5c8 Add new security rules
-de295e4 Remove unused ast-grep dependency
-efc39ea Add initial testing structure
-14e6e61 Remove testing initial rules
-7b20bd5 Change severity to "warning" instead of "error" for javascript/no-eval rule
-799ea62 Initial commit with default rules for typescript and javascript
diff --git a/rules/c/security/dont-call-system-c.yml b/rules/c/security/dont-call-system-c.yml
deleted file mode 100644
index 90a7242b..00000000
--- a/rules/c/security/dont-call-system-c.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-id: dont-call-system-c
-language: c
-severity: warning
-message: >-
- Don't call `system`. It's a high-level wrapper that allows for stacking
- multiple commands. Always prefer a more restrictive API such as calling
- `execve` from the `exec` family.
-note: >-
- [CWE-78] Improper Neutralization of Special Elements used in an OS
- Command ('OS Command Injection').
- [REFERENCES]
- - https://owasp.org/Top10/A03_2021-Injection
-utils:
- PATTERN_SYSTEM:
- kind: call_expression
- all:
- - has:
- stopBy: neighbor
- kind: identifier
- regex: "^system$"
- - has:
- stopBy: neighbor
- kind: argument_list
-rule:
- kind: call_expression
- matches: PATTERN_SYSTEM
diff --git a/rules/c/security/file-access-before-action-c.yml b/rules/c/security/file-access-before-action-c.yml
deleted file mode 100644
index 5d6498ab..00000000
--- a/rules/c/security/file-access-before-action-c.yml
+++ /dev/null
@@ -1,78 +0,0 @@ -id: file-access-before-action-c -language: c -severity: warning -message: >- - A check is done with `access` and then the file is later used. There is - no guarantee that the status of the file has not changed since the call to - `access` which may allow attackers to bypass permission checks. -note: >- - [CWE-367]: Time-of-check Time-of-use (TOCTOU) Race Condition - [REFERENCES] - - https://wiki.sei.cmu.edu/confluence/display/c/FIO45-C.+Avoid+TOCTOU+race+conditions+while+accessing+files -utils: - match_unlink_identifier: - kind: identifier - regex: unlink|fopen|freopen|remove|rename|access|open|stat|lstat|unlink|mkdir|rmdir|chdir|folly::readFile|folly::writeFile|folly::writeFileAtomic|folly::writeFileAtomicNoThrow|folly::File - inside: - kind: call_expression - inside: - kind: expression_statement - inside: - kind: compound_statement - inside: - stopBy: end - kind: if_statement - has: - stopBy: end - kind: call_expression - all: - - has: - kind: identifier - pattern: $R - - has: - kind: argument_list - all: - - has: - kind: identifier - regex: ^original_key - - has: - kind: identifier - regex: F_OK|R_OK|W_OK|X_OK - - match_fopen_identifier: - kind: identifier - regex: unlink|fopen|freopen|remove|rename|access|open|stat|lstat|unlink|mkdir|rmdir|chdir|folly::readFile|folly::writeFile|folly::writeFileAtomic|folly::writeFileAtomicNoThrow|folly::File - inside: - kind: call_expression - inside: - stopBy: end - kind: compound_statement - inside: - stopBy: end - kind: if_statement - has: - stopBy: end - kind: call_expression - all: - - has: - kind: identifier - pattern: $L - - has: - kind: argument_list - all: - - has: - kind: identifier - regex: ^original_key - - has: - kind: identifier - regex: F_OK|R_OK|W_OK|X_OK - -rule: - any: - - matches: match_unlink_identifier - - matches: match_fopen_identifier -constraints: - R: - regex: ^(access|faccessat|faccessat2|)$ - L: - regex: ^(access|faccessat|faccessat2|)$ 
diff --git a/rules/c/security/file-stat-before-action-c.yml b/rules/c/security/file-stat-before-action-c.yml
deleted file mode 100644
index 9a612fe1..00000000
--- a/rules/c/security/file-stat-before-action-c.yml
+++ /dev/null
@@ -1,82 +0,0 @@ -id: file-stat-before-action-c -language: c -severity: warning -message: >- - A check is done with `stat` and then the file is used. There is no - guarantee that the status of the file has not changed since the call to - `stat` which may allow attackers to bypass permission checks. -note: >- - [CWE-367]: Time-of-check Time-of-use (TOCTOU) Race Condition - [REFERENCES] - - https://wiki.sei.cmu.edu/confluence/display/c/FIO45-C.+Avoid+TOCTOU+race+conditions+while+accessing+files -utils: - match_fopen_identifier: - kind: identifier - regex: unlink|fopen|freopen|remove|rename|access|open|stat|lstat|unlink|mkdir|rmdir|chdir|folly::readFile|folly::writeFile|folly::writeFileAtomic|folly::writeFileAtomicNoThrow|folly::File - all: - - inside: - kind: call_expression - inside: - stopBy: end - kind: expression_statement - inside: - kind: compound_statement - inside: - kind: if_statement - has: - stopBy: end - kind: call_expression - all: - - has: - kind: identifier - regex: ^(fstatat|_fstatat)$ - - has: - stopBy: neighbor - kind: argument_list - all: - - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - - has: - stopBy: neighbor - kind: argument_list - - match_fopen_identifier_2: - kind: identifier - regex: unlink|fopen|freopen|remove|rename|access|open|stat|lstat|unlink|mkdir|rmdir|chdir|folly::readFile|folly::writeFile|folly::writeFileAtomic|folly::writeFileAtomicNoThrow|folly::File - all: - - inside: - kind: call_expression - inside: - stopBy: end - kind: expression_statement - inside: - kind: compound_statement - inside: - kind: if_statement - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^stat|_stat|lstat|_lstat$" - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: call_expression - -rule: - any: - - matches: match_fopen_identifier - - matches: 
match_fopen_identifier_2
diff --git a/rules/c/security/insecure-hash-c.yml b/rules/c/security/insecure-hash-c.yml
deleted file mode 100644
index 6ed80bae..00000000
--- a/rules/c/security/insecure-hash-c.yml
+++ /dev/null
@@ -1,109 +0,0 @@ -id: insecure-hash-c -language: c -severity: warning -message: >- - This hashing algorithm is insecure. If this hash is used in a security - context, such as password hashing, it should be converted to a stronger - hashing algorithm. -note: >- - [CWE-328] Use of Weak Hash. - [REFERENCES] - - https://owasp.org/Top10/A02_2021-Cryptographic_Failures -utils: - MATCH_PATTERN_ONE: - kind: expression_statement - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^(EVP_md2|MD2|MD2_Final|MD2_Init|MD2_Update|MD2_options|EVP_md4|MD4|MD4_Final|MD4_Init|MD4_Transform|MD4_Update|EVP_md5|MD5|MD5_Final|MD5_Init|MD5_Transform|MD5_Update|EVP_sha1|SHA1_Final|SHA1_Init|SHA1_Transform|SHA1_Update)$ - - has: - stopBy: neighbor - kind: argument_list - - MATCH_PATTERN_TWO: - kind: expression_statement - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^(EVP_MD_fetch|EVP_get_digestbyname)$" - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: identifier - regex: ^(MD2|MD4|MD5|SHA1|SHA-1)$ - - MATCH_PATTERN_TWO_with_instance: - kind: expression_statement - all: - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^(EVP_MD_fetch|EVP_get_digestbyname)$" - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: identifier - pattern: $Q - - follows: - stopBy: end - kind: declaration - has: - stopBy: end - kind: init_declarator - all: - - has: - stopBy: neighbor - kind: pointer_declarator - has: - stopBy: neighbor - kind: identifier - pattern: $Q - - has: - stopBy: neighbor - kind: string_literal - has: - stopBy: neighbor - kind: string_content - regex: ^(MD2|MD4|MD5|SHA1|SHA-1)$ - - MATCH_PATTERN_THREE: - kind: expression_statement - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - 
regex: "^(gcry_md_open|gcry_md_enable|gcry_md_read|gcry_md_extract|gcry_md_hash_buffers|gcry_md_hash_buffer)$"
- - has:
- stopBy: neighbor
- kind: argument_list
- has:
- stopBy: end
- kind: identifier
- regex: ^(GCRY_MD_MD2|GCRY_MD_MD4|GCRY_MD_MD5|GCRY_MD_SHA1)$
-rule:
- any:
- - kind: expression_statement
- any:
- - matches: MATCH_PATTERN_ONE
- - matches: MATCH_PATTERN_TWO
- - matches: MATCH_PATTERN_TWO_with_instance
- - matches: MATCH_PATTERN_THREE
diff --git a/rules/c/security/libxml2-audit-parser-c.yml b/rules/c/security/libxml2-audit-parser-c.yml
deleted file mode 100644
index 81d9c7f2..00000000
--- a/rules/c/security/libxml2-audit-parser-c.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-id: libxml2-audit-parser-c
-language: c
-severity: warning
-message: >-
- The libxml2 library is used to parse XML. When auditing such code, make
- sure that either the document being parsed is trusted or that the parsing
- options are safe to consume untrusted documents. In such case make sure
- DTD or XInclude documents cannot be loaded and there is no network access.
-note: >-
- [CWE-611] Improper Restriction of XML External Entity Reference.
- [REFERENCES]
- - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
-rule:
- any:
- - pattern: xmlParseInNodeContext($CUR, $SRC, $DATALEN, $XML_OPTIONS, $LST)
- - pattern: xmlReadDoc($CUR, $SRC, $ENC, $XML_OPTIONS)
- - pattern: xmlReadFd($FD, $SRC, $ENC, $XML_OPTIONS)
- - pattern: xmlReadFile($SRC, $ENC, $XML_OPTIONS)
- - pattern: xmlReadIO($IO_READ, $IO_CLOSE, $IO_CTX, $SRC, $ENC, $XML_OPTIONS)
- - pattern: xmlReadMemory($SRC, $SIZE, $URL, $ENC, $XML_OPTIONS)
- - pattern: xmlCtxtReadDoc($CTX, $CUR, $SRC, $ENC, $XML_OPTIONS)
- - pattern: xmlCtxtReadFd($CTX, $FD, $SRC, $ENC, $XML_OPTIONS)
- - pattern: xmlCtxtReadFile($CTX, $SRC, $ENC, $XML_OPTIONS)
- - pattern: xmlCtxtReadIO($CTX, $IO_READ, $IO_CLOSE, $IO_CTX, $SRC, $ENC,$XML_OPTIONS)
- - pattern: xmlCtxtReadMemory($CTX, $SRC, $SIZE, $URL, $ENC, $XML_OPTIONS)
diff --git a/rules/c/security/null-library-function-c.yml b/rules/c/security/null-library-function-c.yml
deleted file mode 100644
index 8467b3c0..00000000
--- a/rules/c/security/null-library-function-c.yml
+++ /dev/null
@@ -1,187 +0,0 @@ -id: null-library-function-c -language: C -severity: warning -message: >- - The `$SOURCE` function returns NULL on error and this line dereferences - the return value without checking for NULL. -note: >- - [CWE-476] NULL Pointer Dereference. - [REFERENCES] - - https://wiki.sei.cmu.edu/confluence/display/c/EXP34-C.+Do+not+dereference+null+pointers -utils: - MATCH_PATTERN_ONE: - kind: return_statement - has: - stopBy: neighbor - kind: field_expression - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^fgets|::fgets|std::fgets|fopen|::fopen|std::fopen|getenv|::getenv|std::getenv|getgrent|::getgrent|std::getgrent|getgrgid|::getgrgid|std::getgrgid|getgrnam|::getgrnam|std::getgrnam|getlogin|::getlogin|std::getlogin|getpwent|::getpwent|std::getpwent|getpwnam|::getpwnam|std::getpwnam|getpwuid|::getpwuid|std::getpwuid|getpwuuid|::getpwuuid|std::getpwuuid|gets|::gets|std::gets|inet_ntop|::inet_ntop|std::inet_ntop|realpath|::realpath|std::realpath|tempnam|::tempnam|std::tempnam|tmpfile|::tmpfile|std::tmpfile|tmpnam|::tmpnam|std::tmpnam|memchr|::memchr|std::memchr|strcasestr_l|::strcasestr_l|std::strcasestr_l|strcasestr|::strcasestr|std::strcasestr|strchr|::strchr|std::strchr|strnstr|::strnstr|std::strnstr|strpbrk|::strpbrk|std::strpbrk|strrchr|::strrchr|std::strrchr|strstr|::strstr|std::strstr|strtok_r|::strtok_r|std::strtok_r|strtok|::strtok|std::strtok$" - - MATCH_PATTERN_THREE: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: 
"^atof|::atof|std::atof|atoi|::atoi|std::atoi|atol_l|::atol_l|std::atol_l|atol|::atol|std::atol|atoll_l|::atoll_l|std::atoll_l|atoll|::atoll|std::atoll|getc|::getc|std::getc|fprintf|::fprintf|std::fprintf|fgetpos|::fgetpos|std::fgetpos|fseek|::fseek|std::fseek|fseeko|::fseeko|std::fseeko|fsetpos|::fsetpos|std::fsetpos|ftell|::ftell|std::ftell|ftello|::ftello|std::ftello|rewind|::rewind|std::rewind|strlen|::strlen|std::strlen|strtoimax|::strtoimax|std::strtoimax|strtod|::strtod|std::strtod|strtol|::strtol|std::strtol|strtoul|::strtoul|std::strtoul|strtoll|::strtoll|std::strtoll|strtoq|::strtoq|std::strtoq$" - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^fgets|::fgets|std::fgets|fopen|::fopen|std::fopen|getenv|::getenv|std::getenv|getgrent|::getgrent|std::getgrent|getgrgid|::getgrgid|std::getgrgid|getgrnam|::getgrnam|std::getgrnam|getlogin|::getlogin|std::getlogin|getpwent|::getpwent|std::getpwent|getpwnam|::getpwnam|std::getpwnam|getpwuid|::getpwuid|std::getpwuid|getpwuuid|::getpwuuid|std::getpwuuid|gets|::gets|std::gets|inet_ntop|::inet_ntop|std::inet_ntop|realpath|::realpath|std::realpath|tempnam|::tempnam|std::tempnam|tmpfile|::tmpfile|std::tmpfile|tmpnam|::tmpnam|std::tmpnam|memchr|::memchr|std::memchr|strcasestr_l|::strcasestr_l|std::strcasestr_l|strcasestr|::strcasestr|std::strcasestr|strchr|::strchr|std::strchr|strnstr|::strnstr|std::strnstr|strpbrk|::strpbrk|std::strpbrk|strrchr|::strrchr|std::strrchr|strstr|::strstr|std::strstr|strtok_r|::strtok_r|std::strtok_r|strtok|::strtok|std::strtok$" - - has: - stopBy: end - kind: argument_list - - MATCH_PATTERN_FOUR: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: 
"^atof|::atof|std::atof|atoi|::atoi|std::atoi|atol_l|::atol_l|std::atol_l|atol|::atol|std::atol|atoll_l|::atoll_l|std::atoll_l|atoll|::atoll|std::atoll|getc|::getc|std::getc|fprintf|::fprintf|std::fprintf|fgetpos|::fgetpos|std::fgetpos|fseek|::fseek|std::fseek|fseeko|::fseeko|std::fseeko|fsetpos|::fsetpos|std::fsetpos|ftell|::ftell|std::ftell|ftello|::ftello|std::ftello|rewind|::rewind|std::rewind|strlen|::strlen|std::strlen|strtoimax|::strtoimax|std::strtoimax|strtod|::strtod|std::strtod|strtol|::strtol|std::strtol|strtoul|::strtoul|std::strtoul|strtoll|::strtoll|std::strtoll|strtoq|::strtoq|std::strtoq$" - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: assignment_expression - all: - - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: neighbor - regex: "=" - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^fgets|::fgets|std::fgets|fopen|::fopen|std::fopen|getenv|::getenv|std::getenv|getgrent|::getgrent|std::getgrent|getgrgid|::getgrgid|std::getgrgid|getgrnam|::getgrnam|std::getgrnam|getlogin|::getlogin|std::getlogin|getpwent|::getpwent|std::getpwent|getpwnam|::getpwnam|std::getpwnam|getpwuid|::getpwuid|std::getpwuid|getpwuuid|::getpwuuid|std::getpwuuid|gets|::gets|std::gets|inet_ntop|::inet_ntop|std::inet_ntop|realpath|::realpath|std::realpath|tempnam|::tempnam|std::tempnam|tmpfile|::tmpfile|std::tmpfile|tmpnam|::tmpnam|std::tmpnam|memchr|::memchr|std::memchr|strcasestr_l|::strcasestr_l|std::strcasestr_l|strcasestr|::strcasestr|std::strcasestr|strchr|::strchr|std::strchr|strnstr|::strnstr|std::strnstr|strpbrk|::strpbrk|std::strpbrk|strrchr|::strrchr|std::strrchr|strstr|::strstr|std::strstr|strtok_r|::strtok_r|std::strtok_r|strtok|::strtok|std::strtok$" - - has: - stopBy: neighbor - kind: argument_list - - MATCH_PATTERN_FIVE: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: 
"^bcopy|::bcopy|std::bcopy|memccpy|::memccpy|std::memccpy|memcpy|::memcpy|std::memcpy|memmove|::memmove|std::memmove|stpncpy|::stpncpy|std::stpncpy|strcat|::strcat|std::strcat|strcpy|::strcpy|std::strcpy|strcpy|::strcpy|std::strcpy|strlcat|::strlcat|std::strlcat|strlcpy|::strlcpy|std::strlcpy|strncat|::strncat|std::strncat|strpcpy|::strpcpy|std::strpcpy|wcpcpy|::wcpcpy|std::wcpcpy|wcpncpy|::wcpncpy|std::wcpncpy$" - - has: - stopBy: neighbor - kind: argument_list - all: - - has: - stopBy: neighbor - pattern: $$$ - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^fgets|::fgets|std::fgets|fopen|::fopen|std::fopen|getenv|::getenv|std::getenv|getgrent|::getgrent|std::getgrent|getgrgid|::getgrgid|std::getgrgid|getgrnam|::getgrnam|std::getgrnam|getlogin|::getlogin|std::getlogin|getpwent|::getpwent|std::getpwent|getpwnam|::getpwnam|std::getpwnam|getpwuid|::getpwuid|std::getpwuid|getpwuuid|::getpwuuid|std::getpwuuid|gets|::gets|std::gets|inet_ntop|::inet_ntop|std::inet_ntop|realpath|::realpath|std::realpath|tempnam|::tempnam|std::tempnam|tmpfile|::tmpfile|std::tmpfile|tmpnam|::tmpnam|std::tmpnam|memchr|::memchr|std::memchr|strcasestr_l|::strcasestr_l|std::strcasestr_l|strcasestr|::strcasestr|std::strcasestr|strchr|::strchr|std::strchr|strnstr|::strnstr|std::strnstr|strpbrk|::strpbrk|std::strpbrk|strrchr|::strrchr|std::strrchr|strstr|::strstr|std::strstr|strtok_r|::strtok_r|std::strtok_r|strtok|::strtok|std::strtok$" - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - pattern: $$$ - - MATCH_PATTERN_SIX: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^fwrite|::fwrite|std::fwrite$" - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: 
"^fgets|::fgets|std::fgets|fopen|::fopen|std::fopen|getenv|::getenv|std::getenv|getgrent|::getgrent|std::getgrent|getgrgid|::getgrgid|std::getgrgid|getgrnam|::getgrnam|std::getgrnam|getlogin|::getlogin|std::getlogin|getpwent|::getpwent|std::getpwent|getpwnam|::getpwnam|std::getpwnam|getpwuid|::getpwuid|std::getpwuid|getpwuuid|::getpwuuid|std::getpwuuid|gets|::gets|std::gets|inet_ntop|::inet_ntop|std::inet_ntop|realpath|::realpath|std::realpath|tempnam|::tempnam|std::tempnam|tmpfile|::tmpfile|std::tmpfile|tmpnam|::tmpnam|std::tmpnam|memchr|::memchr|std::memchr|strcasestr_l|::strcasestr_l|std::strcasestr_l|strcasestr|::strcasestr|std::strcasestr|strchr|::strchr|std::strchr|strnstr|::strnstr|std::strnstr|strpbrk|::strpbrk|std::strpbrk|strrchr|::strrchr|std::strrchr|strstr|::strstr|std::strstr|strtok_r|::strtok_r|std::strtok_r|strtok|::strtok|std::strtok$" - - has: - stopBy: neighbor - kind: argument_list - - MATCH_PATTERN_TWO: - kind: subscript_expression - all: - - has: - stopBy: neighbor - kind: parenthesized_expression - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: 
"^fgets|::fgets|std::fgets|fopen|::fopen|std::fopen|getenv|::getenv|std::getenv|getgrent|::getgrent|std::getgrent|getgrgid|::getgrgid|std::getgrgid|getgrnam|::getgrnam|std::getgrnam|getlogin|::getlogin|std::getlogin|getpwent|::getpwent|std::getpwent|getpwnam|::getpwnam|std::getpwnam|getpwuid|::getpwuid|std::getpwuid|getpwuuid|::getpwuuid|std::getpwuuid|gets|::gets|std::gets|inet_ntop|::inet_ntop|std::inet_ntop|realpath|::realpath|std::realpath|tempnam|::tempnam|std::tempnam|tmpfile|::tmpfile|std::tmpfile|tmpnam|::tmpnam|std::tmpnam|memchr|::memchr|std::memchr|strcasestr_l|::strcasestr_l|std::strcasestr_l|strcasestr|::strcasestr|std::strcasestr|strchr|::strchr|std::strchr|strnstr|::strnstr|std::strnstr|strpbrk|::strpbrk|std::strpbrk|strrchr|::strrchr|std::strrchr|strstr|::strstr|std::strstr|strtok_r|::strtok_r|std::strtok_r|strtok|::strtok|std::strtok$" - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - pattern: $$$ - - has: - stopBy: neighbor - pattern: $$$ - - MATCH_PATTERN_SEVEN: - kind: subscript_expression - all: - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: 
"^fgets|::fgets|std::fgets|fopen|::fopen|std::fopen|getenv|::getenv|std::getenv|getgrent|::getgrent|std::getgrent|getgrgid|::getgrgid|std::getgrgid|getgrnam|::getgrnam|std::getgrnam|getlogin|::getlogin|std::getlogin|getpwent|::getpwent|std::getpwent|getpwnam|::getpwnam|std::getpwnam|getpwuid|::getpwuid|std::getpwuid|getpwuuid|::getpwuuid|std::getpwuuid|gets|::gets|std::gets|inet_ntop|::inet_ntop|std::inet_ntop|realpath|::realpath|std::realpath|tempnam|::tempnam|std::tempnam|tmpfile|::tmpfile|std::tmpfile|tmpnam|::tmpnam|std::tmpnam|memchr|::memchr|std::memchr|strcasestr_l|::strcasestr_l|std::strcasestr_l|strcasestr|::strcasestr|std::strcasestr|strchr|::strchr|std::strchr|strnstr|::strnstr|std::strnstr|strpbrk|::strpbrk|std::strpbrk|strrchr|::strrchr|std::strrchr|strstr|::strstr|std::strstr|strtok_r|::strtok_r|std::strtok_r|strtok|::strtok|std::strtok$" - - has: - stopBy: neighbor - kind: argument_list - - has: - stopBy: neighbor - pattern: $$$ - -rule: - any: - - kind: return_statement - any: - - matches: MATCH_PATTERN_ONE - - kind: call_expression - any: - - matches: MATCH_PATTERN_THREE - - matches: MATCH_PATTERN_FOUR - - matches: MATCH_PATTERN_FIVE - - matches: MATCH_PATTERN_SIX - - kind: subscript_expression - any: - - matches: MATCH_PATTERN_TWO - - matches: MATCH_PATTERN_SEVEN diff --git a/rules/c/security/return-c-str-c.yml b/rules/c/security/return-c-str-c.yml deleted file mode 100644 index b1a913f3..00000000 --- a/rules/c/security/return-c-str-c.yml +++ /dev/null 
@@ -1,203 +0,0 @@ -id: return-c-str-c -language: c -severity: warning -message: >- - `$FUNC` returns a pointer to the memory owned by `$STR`. This pointer - is invalid after `$STR` goes out of scope, which can trigger a use after - free. -note: >- - [CWE-416] Use After Free - [REFERENCES] - - https://wiki.sei.cmu.edu/confluence/display/c/DCL30-C.+Declare+objects+with+appropriate+storage+durations - - https://wiki.sei.cmu.edu/confluence/display/cplusplus/EXP54-CPP.+Do+not+access+an+object+outside+of+its+lifetime -utils: - MATCH_PATTERN_STR_METHOD_WITH_STD_TWO: - kind: return_statement - all: - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: end - kind: field_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $E - - has: - stopBy: end - kind: field_identifier - pattern: $METHOD - - has: - stopBy: end - kind: argument_list - - follows: - stopBy: end - kind: labeled_statement - all: - - has: - stopBy: end - kind: statement_identifier - regex: "^std$" - - has: - stopBy: end - kind: identifier - regex: "^basic_string<$TYPE>|string|wstring$" - - has: - stopBy: end - kind: expression_statement - all: - - has: - stopBy: end - kind: identifier - patttern: $E - - inside: - stopBy: end - kind: compound_statement - not: - follows: - stopBy: end - kind: function_declarator - has: - stopBy: neighbor - kind: identifier - regex: "return.*" - MATCH_PATTERN_STR_METHOD_WITH_STD_THREE: - kind: return_statement - all: - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: end - kind: field_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $E - - has: - stopBy: end - kind: field_identifier - pattern: $METHOD - - has: - stopBy: end - kind: argument_list - - inside: - stopBy: end - kind: compound_statement - follows: - stopBy: end - kind: pointer_declarator - has: - stopBy: end - kind: parameter_list - all: - - has: - stopBy: end - kind: type_identifier - regex: "^std$" - - has: - stopBy: end - kind: 
identifier - regex: "^basic_string<$TYPE>|string|wstring$" - - has: - stopBy: end - kind: identifier - pattern: $E - MATCH_PATTERN_STR_METHOD_WITHOUT_STD_THREE: - kind: return_statement - all: - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: end - kind: field_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $E - - has: - stopBy: end - kind: field_identifier - pattern: $METHOD - - has: - stopBy: end - kind: argument_list - - inside: - stopBy: end - kind: compound_statement - follows: - stopBy: end - kind: pointer_declarator - has: - stopBy: end - kind: parameter_list - has: - stopBy: end - kind: parameter_declaration - all: - - has: - stopBy: end - kind: type_identifier - regex: "^basic_string<$TYPE>|string|wstring$" - - has: - stopBy: neighbor - kind: identifier - pattern: $E - MATCH_PATTERN_STR_METHOD_WITHOUT_STD_TWO: - kind: return_statement - all: - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: end - kind: field_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $T - - has: - stopBy: end - kind: field_identifier - pattern: $METHOD - - has: - stopBy: end - kind: argument_list - - follows: - stopBy: end - kind: declaration - all: - - has: - stopBy: neighbor - kind: type_identifier - regex: "^basic_string<$TYPE>|string|wstring$" - - has: - stopBy: neighbor - kind: identifier - pattern: $T -rule: - any: - - pattern: return basic_string<$TYPE>($$$).$METHOD(); - - pattern: return std::basic_string<$TYPE>($$$).$METHOD(); - - pattern: return string($$$).$METHOD(); - - pattern: return std::string($$$).$METHOD(); - - pattern: return wstring($$$).$METHOD(); - - pattern: return std::wstring($$$).$METHOD(); - - matches: MATCH_PATTERN_STR_METHOD_WITH_STD_TWO - - matches: MATCH_PATTERN_STR_METHOD_WITHOUT_STD_TWO - - matches: MATCH_PATTERN_STR_METHOD_WITH_STD_THREE - - matches: MATCH_PATTERN_STR_METHOD_WITHOUT_STD_THREE - -constraints: - METHOD: - regex: "c_str|data" 
diff --git a/rules/c/security/sizeof-this-c.yml b/rules/c/security/sizeof-this-c.yml
deleted file mode 100644
index bb024aa2..00000000
--- a/rules/c/security/sizeof-this-c.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-id: sizeof-this-c
-language: c
-severity: warning
-message: >-
- Do not use `sizeof(this)` to get the number of bytes of the object in
- memory. It returns the size of the pointer, not the size of the object.
-note: >-
- [CWE-467]: Use of sizeof() on a Pointer Type
- [REFERENCES]
- - https://wiki.sei.cmu.edu/confluence/display/c/ARR01-C.+Do+not+apply+the+sizeof+operator+to+a+pointer+when+taking+the+size+of+an+array
-rule:
- any:
- - pattern: "sizeof(this)"
diff --git a/rules/c/security/small-key-size-c.yml b/rules/c/security/small-key-size-c.yml
deleted file mode 100644
index 661c9a41..00000000
--- a/rules/c/security/small-key-size-c.yml
+++ /dev/null
@@ -1,56 +0,0 @@ -id: small-key-size-c -language: c -severity: warning -message: >- - $KEY_FUNCTION` is using a key size of only $KEY_BITS bits. This is - less than the recommended key size of 2048 bits. -note: >- - [CWE-326]: Inadequate Encryption Strength - [OWASP A02:2021]: Cryptographic Failures - [OWASP A03:2017]: Sensitive Data Exposure - [REFERENCES] - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf - https://owasp.org/Top10/A02_2021-Cryptographic_Failures -utils: - Match_pattern_with_prefix_statement: - kind: expression_statement - all: - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $AST - - has: - stopBy: end - kind: argument_list - has: - stopby: end - kind: identifier - pattern: $Q - - follows: - stopBy: end - kind: declaration - has: - stopBy: end - kind: init_declarator - all: - - has: - stopBy: end - kind: identifier - pattern: $Q - - has: - stopBy: end - kind: number_literal - pattern: $AASS - -rule: - kind: expression_statement - matches: Match_pattern_with_prefix_statement -constraints: - AST: - regex: (DH_generate_parameters_ex|DSA_generate_parameters_ex|EVP_PKEY_CTX_set_dh_paramgen_prime_len|EVP_PKEY_CTX_set_dsa_paramgen_bits|EVP_PKEY_CTX_set_rsa_keygen_bits|RSA_generate_key_ex|RSA_generate_key_fips) - AASS: - regex: '^(-?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|0|-[1-9][0-9]*|-[1-9][0-9]{2,}|-1[0-9]{3}|-20[0-3][0-9]|-204[0-7])$' diff --git a/rules/c/security/std-return-data-c.yml b/rules/c/security/std-return-data-c.yml deleted file mode 100644 index 6f10adff..00000000 --- a/rules/c/security/std-return-data-c.yml +++ /dev/null 
@@ -1,109 +0,0 @@ -id: std-return-data-c -language: c -severity: warning -message: >- - $FUNC` returns a pointer to the memory owned by `$VAR`. This pointer - is invalid after `$VAR` goes out of scope, which can trigger a use after - free. -note: >- - [CWE-416: Use After Free. - [REFERENCES] - - https://wiki.sei.cmu.edu/confluence/display/c/DCL30-C.+Declare+objects+with+appropriate+storage+durations -utils: - MATCH_RETURN_STATEMENT_WITH_STD: - kind: return_statement - all: - - has: - stopBy: end - kind: call_expression - has: - stopBy: end - kind: field_expression - has: - stopBy: end - kind: identifier - pattern: $R - - follows: - stopBy: end - kind: labeled_statement - all: - - has: - stopBy: end - kind: statement_identifier - regex: ^std - - has: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: binary_expression - all: - - has: - stopBy: end - kind: binary_expression - all: - - has: - stopBy: end - kind: identifier - regex: (vector|array|deque|forward_list|list|map|multimap|multiset|set|unordered_map|unordered_multimap|unordered_multiset|unordered_set) - - has: - stopBy: end - kind: identifier - - has: - stopBy: end - kind: identifier - pattern: $R - inside: - stopBy: end - kind: function_definition - has: - stopBy: end - kind: primitive_type - - MATCH_RETURN_STATEMENT_WITHOUT_STD: - kind: return_statement - all: - - has: - stopBy: end - kind: call_expression - has: - stopBy: end - kind: field_expression - has: - stopBy: end - kind: identifier - pattern: $R - - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: binary_expression - all: - - has: - stopBy: end - kind: binary_expression - all: - - has: - stopBy: end - kind: identifier - regex: (vector|array|deque|forward_list|list|map|multimap|multiset|set|unordered_map|unordered_multimap|unordered_multiset|unordered_set) - - has: - stopBy: end - kind: identifier - - has: - stopBy: end - kind: identifier - pattern: $R - inside: - stopBy: end - kind: 
function_definition - has: - stopBy: end - kind: primitive_type - -rule: - kind: return_statement - any: - - matches: MATCH_RETURN_STATEMENT_WITH_STD - - matches: MATCH_RETURN_STATEMENT_WITHOUT_STD
diff --git a/rules/c/security/std-vector-invalidation-c.yml b/rules/c/security/std-vector-invalidation-c.yml
deleted file mode 100644
index b602ca81..00000000
--- a/rules/c/security/std-vector-invalidation-c.yml
+++ /dev/null
@@ -1,53 +0,0 @@ -id: std-vector-invalidation-c -language: c -severity: warning -message: >- - Modifying an `std::vector` while iterating over it could cause the - container to reallocate, triggering memory corruption. -note: >- - [CWE-416: Use After Free. - [REFERENCES] - - https://wiki.sei.cmu.edu/confluence/display/c/MEM30-C.+Do+not+access+freed+memory - - https://wiki.sei.cmu.edu/confluence/display/cplusplus/EXP54-CPP.+Do+not+access+an+object+outside+of+its+lifetime -rule: - kind: call_expression - all: - - pattern: $CONTAINER.$R($$$) - inside: - stopBy: end - kind: for_statement - any: - - pattern: for(std::vector<$TY>::$IT_TYPE $IT = $CONTAINER.begin(); $IT!= $CONTAINER.end(); ++$IT){$$$} - - pattern: for(std::vector<$TY>::$IT_TYPE $IT = $CONTAINER.begin(); $IT!= $CONTAINER.end(); $IT++){$$$} - - pattern: - for(std::vector<$TY>::$IT_TYPE $IT = $CONTAINER.rbegin(); $IT!= $CONTAINER.rend(); ++$IT) - {$$$} - - pattern: - for(std::vector<$TY>::$IT_TYPE $IT = $CONTAINER.rbegin(); $IT!= $CONTAINER.rend(); $IT++) - {$$$} - - pattern: for(std::vector<$TY>::$IT_TYPE $IT = $CONTAINER.begin(),$IT_END = $CONTAINER.end(); $IT !=$IT_END; ++$IT){$$$} - - pattern: for(std::vector<$TY>::$IT_TYPE $IT = $CONTAINER.begin(), - $IT_END = $CONTAINER.end(); $IT != $IT_END; $IT++){$$$} - - pattern: for(std::vector<$TY>::$IT_TYPE $IT = $CONTAINER.rbegin(), - $IT_END = $CONTAINER.rend(); $IT != $IT_END; ++$IT){$$$} - - pattern: for(std::vector<$TY>::$IT_TYPE $IT = $CONTAINER.rbegin(), - $IT_END = $CONTAINER.rend(); $IT != $IT_END; $IT++){$$$} - - inside: - not: - kind: assignment_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $IT - - has: - stopBy: neighbor - regex: "^=$" - - has: - stopBy: neighbor - kind: call_expression - pattern: $CONTAINER.$R($IT) - -constraints: - R: - regex: "^erase|assign|clear|insert|resize|push_back|reserve|shrink_to_fit|resize|pop_back$" 
diff --git a/rules/cpp/file-access-before-action-cpp.yml b/rules/cpp/file-access-before-action-cpp.yml
deleted file mode 100644
index c29b83b0..00000000
--- a/rules/cpp/file-access-before-action-cpp.yml
+++ /dev/null
@@ -1,78 +0,0 @@ -id: file-access-before-action-cpp -language: cpp -severity: warning -message: >- - A check is done with `access` and then the file is later used. There is - no guarantee that the status of the file has not changed since the call to - `access` which may allow attackers to bypass permission checks. -note: >- - [CWE-367]: Time-of-check Time-of-use (TOCTOU) Race Condition - [REFERENCES] - - https://wiki.sei.cmu.edu/confluence/display/c/FIO45-C.+Avoid+TOCTOU+race+conditions+while+accessing+files -utils: - match_unlink_identifier: - kind: identifier - regex: unlink|fopen|freopen|remove|rename|access|open|stat|lstat|unlink|mkdir|rmdir|chdir|folly::readFile|folly::writeFile|folly::writeFileAtomic|folly::writeFileAtomicNoThrow|folly::File - inside: - kind: call_expression - inside: - kind: expression_statement - inside: - kind: compound_statement - inside: - stopBy: end - kind: if_statement - has: - stopBy: end - kind: call_expression - all: - - has: - kind: identifier - pattern: $R - - has: - kind: argument_list - all: - - has: - kind: identifier - regex: ^original_key - - has: - kind: identifier - regex: F_OK|R_OK|W_OK|X_OK - - match_fopen_identifier: - kind: identifier - regex: unlink|fopen|freopen|remove|rename|access|open|stat|lstat|unlink|mkdir|rmdir|chdir|folly::readFile|folly::writeFile|folly::writeFileAtomic|folly::writeFileAtomicNoThrow|folly::File - inside: - kind: call_expression - inside: - stopBy: end - kind: compound_statement - inside: - stopBy: end - kind: if_statement - has: - stopBy: end - kind: call_expression - all: - - has: - kind: identifier - pattern: $L - - has: - kind: argument_list - all: - - has: - kind: identifier - regex: ^original_key - - has: - kind: identifier - regex: F_OK|R_OK|W_OK|X_OK - -rule: - any: - - matches: match_unlink_identifier - - matches: match_fopen_identifier -constraints: - R: - regex: ^(access|faccessat|faccessat2|)$ - L: - regex: ^(access|faccessat|faccessat2|)$ 
diff --git a/rules/cpp/security/dont-call-system-cpp.yml b/rules/cpp/security/dont-call-system-cpp.yml
deleted file mode 100644
index 96e34119..00000000
--- a/rules/cpp/security/dont-call-system-cpp.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-id: dont-call-system-cpp -language: cpp -severity: warning -message: >- - Don't call `system`. It's a high-level wrapper that allows for stacking - multiple commands. Always prefer a more restrictive API such as calling - `execve` from the `exec` family. -note: >- - [CWE-78] Improper Neutralization of Special Elements used in an OS - Command ('OS Command Injection'). - [REFERENCES] - - https://owasp.org/Top10/A03_2021-Injection -utils: - PATTERN_SYSTEM: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^system$" - - has: - stopBy: neighbor - kind: argument_list -rule: - kind: call_expression - matches: PATTERN_SYSTEM
diff --git a/rules/cpp/security/file-stat-before-action-cpp.yml b/rules/cpp/security/file-stat-before-action-cpp.yml
deleted file mode 100644
index cab3931b..00000000
--- a/rules/cpp/security/file-stat-before-action-cpp.yml
+++ /dev/null
@@ -1,82 +0,0 @@ -id: file-stat-before-action-cpp -language: cpp -severity: warning -message: >- - A check is done with `stat` and then the file is used. There is no - guarantee that the status of the file has not changed since the call to - `stat` which may allow attackers to bypass permission checks. -note: >- - [CWE-367]: Time-of-check Time-of-use (TOCTOU) Race Condition - [REFERENCES] - - https://wiki.sei.cmu.edu/confluence/display/c/FIO45-C.+Avoid+TOCTOU+race+conditions+while+accessing+files -utils: - match_fopen_identifier: - kind: identifier - regex: unlink|fopen|freopen|remove|rename|access|open|stat|lstat|unlink|mkdir|rmdir|chdir|folly::readFile|folly::writeFile|folly::writeFileAtomic|folly::writeFileAtomicNoThrow|folly::File - all: - - inside: - kind: call_expression - inside: - stopBy: end - kind: expression_statement - inside: - kind: compound_statement - inside: - kind: if_statement - has: - stopBy: end - kind: call_expression - all: - - has: - kind: identifier - regex: ^(fstatat|_fstatat)$ - - has: - stopBy: neighbor - kind: argument_list - all: - - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - - has: - stopBy: neighbor - kind: argument_list - - match_fopen_identifier_2: - kind: identifier - regex: unlink|fopen|freopen|remove|rename|access|open|stat|lstat|unlink|mkdir|rmdir|chdir|folly::readFile|folly::writeFile|folly::writeFileAtomic|folly::writeFileAtomicNoThrow|folly::File - all: - - inside: - kind: call_expression - inside: - stopBy: end - kind: expression_statement - inside: - kind: compound_statement - inside: - kind: if_statement - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^stat|_stat|lstat|_lstat$" - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: call_expression - -rule: - any: - - matches: match_fopen_identifier - - matches: 
match_fopen_identifier_2
diff --git a/rules/cpp/security/insecure-hash-cpp.yml b/rules/cpp/security/insecure-hash-cpp.yml
deleted file mode 100644
index 7aa44cc6..00000000
--- a/rules/cpp/security/insecure-hash-cpp.yml
+++ /dev/null
@@ -1,109 +0,0 @@ -id: insecure-hash-cpp -language: cpp -severity: warning -message: >- - This hashing algorithm is insecure. If this hash is used in a security - context, such as password hashing, it should be converted to a stronger - hashing algorithm. -note: >- - [CWE-328] Use of Weak Hash. - [REFERENCES] - - https://owasp.org/Top10/A02_2021-Cryptographic_Failures -utils: - MATCH_PATTERN_ONE: - kind: expression_statement - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: ^(EVP_md2|MD2|MD2_Final|MD2_Init|MD2_Update|MD2_options|EVP_md4|MD4|MD4_Final|MD4_Init|MD4_Transform|MD4_Update|EVP_md5|MD5|MD5_Final|MD5_Init|MD5_Transform|MD5_Update|EVP_sha1|SHA1_Final|SHA1_Init|SHA1_Transform|SHA1_Update)$ - - has: - stopBy: neighbor - kind: argument_list - - MATCH_PATTERN_TWO: - kind: expression_statement - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^(EVP_MD_fetch|EVP_get_digestbyname)$" - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: identifier - regex: ^(MD2|MD4|MD5|SHA1|SHA-1)$ - - MATCH_PATTERN_TWO_with_instance: - kind: expression_statement - all: - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^(EVP_MD_fetch|EVP_get_digestbyname)$" - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: identifier - pattern: $Q - - follows: - stopBy: end - kind: declaration - has: - stopBy: end - kind: init_declarator - all: - - has: - stopBy: neighbor - kind: pointer_declarator - has: - stopBy: neighbor - kind: identifier - pattern: $Q - - has: - stopBy: neighbor - kind: string_literal - has: - stopBy: neighbor - kind: string_content - regex: ^(MD2|MD4|MD5|SHA1|SHA-1)$ - - MATCH_PATTERN_THREE: - kind: expression_statement - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier 
- regex: "^(gcry_md_open|gcry_md_enable|gcry_md_read|gcry_md_extract|gcry_md_hash_buffers|gcry_md_hash_buffer)$" - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: end - kind: identifier - regex: ^(GCRY_MD_MD2|GCRY_MD_MD4|GCRY_MD_MD5|GCRY_MD_SHA1)$ -rule: - any: - - kind: expression_statement - any: - - matches: MATCH_PATTERN_ONE - - matches: MATCH_PATTERN_TWO - - matches: MATCH_PATTERN_TWO_with_instance - - matches: MATCH_PATTERN_THREE
diff --git a/rules/cpp/security/libxml2-audit-parser-cpp.yml b/rules/cpp/security/libxml2-audit-parser-cpp.yml
deleted file mode 100644
index 84ee43f9..00000000
--- a/rules/cpp/security/libxml2-audit-parser-cpp.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-id: libxml2-audit-parser-cpp -language: Cpp -severity: warning -message: >- - The libxml2 library is used to parse XML. When auditing such code, make - sure that either the document being parsed is trusted or that the parsing - options are safe to consume untrusted documents. In such case make sure - DTD or XInclude documents cannot be loaded and there is no network access. -note: >- - [CWE-611] Improper Restriction of XML External Entity Reference. - [REFERENCES] - - https://owasp.org/Top10/A05_2021-Security_Misconfiguration -rule: - any: - - pattern: xmlParseInNodeContext($CUR, $SRC, $DATALEN, $XML_OPTIONS, $LST) - - pattern: xmlReadDoc($CUR, $SRC, $ENC, $XML_OPTIONS) - - pattern: xmlReadFd($FD, $SRC, $ENC, $XML_OPTIONS) - - pattern: xmlReadFile($SRC, $ENC, $XML_OPTIONS) - - pattern: xmlReadIO($IO_READ, $IO_CLOSE, $IO_CTX, $SRC, $ENC, $XML_OPTIONS) - - pattern: xmlReadMemory($SRC, $SIZE, $URL, $ENC, $XML_OPTIONS) - - pattern: xmlCtxtReadDoc($CTX, $CUR, $SRC, $ENC, $XML_OPTIONS) - - pattern: xmlCtxtReadFd($CTX, $FD, $SRC, $ENC, $XML_OPTIONS) - - pattern: xmlCtxtReadFile($CTX, $SRC, $ENC, $XML_OPTIONS) - - pattern: xmlCtxtReadIO($CTX, $IO_READ, $IO_CLOSE, $IO_CTX, $SRC, $ENC,$XML_OPTIONS) - - pattern: xmlCtxtReadMemory($CTX, $SRC, $SIZE, $URL, $ENC, $XML_OPTIONS)
diff --git a/rules/cpp/security/null-library-function-cpp.yml b/rules/cpp/security/null-library-function-cpp.yml
deleted file mode 100644
index 91856c05..00000000
--- a/rules/cpp/security/null-library-function-cpp.yml
+++ /dev/null
@@ -1,193 +0,0 @@ -id: null-library-function-cpp -language: Cpp -severity: warning -message: >- - The `$SOURCE` function returns NULL on error and this line dereferences - the return value without checking for NULL. -note: >- - [CWE-476] NULL Pointer Dereference. - [REFERENCES] - - https://wiki.sei.cmu.edu/confluence/display/c/EXP34-C.+Do+not+dereference+null+pointers -utils: - MATCH_PATTERN_ONE: - kind: return_statement - has: - stopBy: neighbor - kind: field_expression - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^fgets|::fgets|std::fgets|fopen|::fopen|std::fopen|getenv|::getenv|std::getenv|getgrent|::getgrent|std::getgrent|getgrgid|::getgrgid|std::getgrgid|getgrnam|::getgrnam|std::getgrnam|getlogin|::getlogin|std::getlogin|getpwent|::getpwent|std::getpwent|getpwnam|::getpwnam|std::getpwnam|getpwuid|::getpwuid|std::getpwuid|getpwuuid|::getpwuuid|std::getpwuuid|gets|::gets|std::gets|inet_ntop|::inet_ntop|std::inet_ntop|realpath|::realpath|std::realpath|tempnam|::tempnam|std::tempnam|tmpfile|::tmpfile|std::tmpfile|tmpnam|::tmpnam|std::tmpnam|memchr|::memchr|std::memchr|strcasestr_l|::strcasestr_l|std::strcasestr_l|strcasestr|::strcasestr|std::strcasestr|strchr|::strchr|std::strchr|strnstr|::strnstr|std::strnstr|strpbrk|::strpbrk|std::strpbrk|strrchr|::strrchr|std::strrchr|strstr|::strstr|std::strstr|strtok_r|::strtok_r|std::strtok_r|strtok|::strtok|std::strtok$" - - MATCH_PATTERN_TWO: - kind: subscript_expression - all: - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: 
"^fgets|::fgets|std::fgets|fopen|::fopen|std::fopen|getenv|::getenv|std::getenv|getgrent|::getgrent|std::getgrent|getgrgid|::getgrgid|std::getgrgid|getgrnam|::getgrnam|std::getgrnam|getlogin|::getlogin|std::getlogin|getpwent|::getpwent|std::getpwent|getpwnam|::getpwnam|std::getpwnam|getpwuid|::getpwuid|std::getpwuid|getpwuuid|::getpwuuid|std::getpwuuid|gets|::gets|std::gets|inet_ntop|::inet_ntop|std::inet_ntop|realpath|::realpath|std::realpath|tempnam|::tempnam|std::tempnam|tmpfile|::tmpfile|std::tmpfile|tmpnam|::tmpnam|std::tmpnam|memchr|::memchr|std::memchr|strcasestr_l|::strcasestr_l|std::strcasestr_l|strcasestr|::strcasestr|std::strcasestr|strchr|::strchr|std::strchr|strnstr|::strnstr|std::strnstr|strpbrk|::strpbrk|std::strpbrk|strrchr|::strrchr|std::strrchr|strstr|::strstr|std::strstr|strtok_r|::strtok_r|std::strtok_r|strtok|::strtok|std::strtok$" - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: string_literal - has: - stopBy: neighbor - kind: string_content - - has: - stopBy: neighbor - kind: subscript_argument_list - has: - stopBy: neighbor - pattern: $$$ - - MATCH_PATTERN_THREE: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^atof|::atof|std::atof|atoi|::atoi|std::atoi|atol_l|::atol_l|std::atol_l|atol|::atol|std::atol|atoll_l|::atoll_l|std::atoll_l|atoll|::atoll|std::atoll|getc|::getc|std::getc|fprintf|::fprintf|std::fprintf|fgetpos|::fgetpos|std::fgetpos|fseek|::fseek|std::fseek|fseeko|::fseeko|std::fseeko|fsetpos|::fsetpos|std::fsetpos|ftell|::ftell|std::ftell|ftello|::ftello|std::ftello|rewind|::rewind|std::rewind|strlen|::strlen|std::strlen|strtoimax|::strtoimax|std::strtoimax|strtod|::strtod|std::strtod|strtol|::strtol|std::strtol|strtoul|::strtoul|std::strtoul|strtoll|::strtoll|std::strtoll|strtoq|::strtoq|std::strtoq$" - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - 
regex: "^fgets|::fgets|std::fgets|fopen|::fopen|std::fopen|getenv|::getenv|std::getenv|getgrent|::getgrent|std::getgrent|getgrgid|::getgrgid|std::getgrgid|getgrnam|::getgrnam|std::getgrnam|getlogin|::getlogin|std::getlogin|getpwent|::getpwent|std::getpwent|getpwnam|::getpwnam|std::getpwnam|getpwuid|::getpwuid|std::getpwuid|getpwuuid|::getpwuuid|std::getpwuuid|gets|::gets|std::gets|inet_ntop|::inet_ntop|std::inet_ntop|realpath|::realpath|std::realpath|tempnam|::tempnam|std::tempnam|tmpfile|::tmpfile|std::tmpfile|tmpnam|::tmpnam|std::tmpnam|memchr|::memchr|std::memchr|strcasestr_l|::strcasestr_l|std::strcasestr_l|strcasestr|::strcasestr|std::strcasestr|strchr|::strchr|std::strchr|strnstr|::strnstr|std::strnstr|strpbrk|::strpbrk|std::strpbrk|strrchr|::strrchr|std::strrchr|strstr|::strstr|std::strstr|strtok_r|::strtok_r|std::strtok_r|strtok|::strtok|std::strtok$" - - has: - stopBy: end - kind: argument_list - - MATCH_PATTERN_FOUR: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^atof|::atof|std::atof|atoi|::atoi|std::atoi|atol_l|::atol_l|std::atol_l|atol|::atol|std::atol|atoll_l|::atoll_l|std::atoll_l|atoll|::atoll|std::atoll|getc|::getc|std::getc|fprintf|::fprintf|std::fprintf|fgetpos|::fgetpos|std::fgetpos|fseek|::fseek|std::fseek|fseeko|::fseeko|std::fseeko|fsetpos|::fsetpos|std::fsetpos|ftell|::ftell|std::ftell|ftello|::ftello|std::ftello|rewind|::rewind|std::rewind|strlen|::strlen|std::strlen|strtoimax|::strtoimax|std::strtoimax|strtod|::strtod|std::strtod|strtol|::strtol|std::strtol|strtoul|::strtoul|std::strtoul|strtoll|::strtoll|std::strtoll|strtoq|::strtoq|std::strtoq$" - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: assignment_expression - all: - - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: neighbor - regex: "=" - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: 
"^fgets|::fgets|std::fgets|fopen|::fopen|std::fopen|getenv|::getenv|std::getenv|getgrent|::getgrent|std::getgrent|getgrgid|::getgrgid|std::getgrgid|getgrnam|::getgrnam|std::getgrnam|getlogin|::getlogin|std::getlogin|getpwent|::getpwent|std::getpwent|getpwnam|::getpwnam|std::getpwnam|getpwuid|::getpwuid|std::getpwuid|getpwuuid|::getpwuuid|std::getpwuuid|gets|::gets|std::gets|inet_ntop|::inet_ntop|std::inet_ntop|realpath|::realpath|std::realpath|tempnam|::tempnam|std::tempnam|tmpfile|::tmpfile|std::tmpfile|tmpnam|::tmpnam|std::tmpnam|memchr|::memchr|std::memchr|strcasestr_l|::strcasestr_l|std::strcasestr_l|strcasestr|::strcasestr|std::strcasestr|strchr|::strchr|std::strchr|strnstr|::strnstr|std::strnstr|strpbrk|::strpbrk|std::strpbrk|strrchr|::strrchr|std::strrchr|strstr|::strstr|std::strstr|strtok_r|::strtok_r|std::strtok_r|strtok|::strtok|std::strtok$" - - has: - stopBy: neighbor - kind: argument_list - - MATCH_PATTERN_FIVE: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^bcopy|::bcopy|std::bcopy|memccpy|::memccpy|std::memccpy|memcpy|::memcpy|std::memcpy|memmove|::memmove|std::memmove|stpncpy|::stpncpy|std::stpncpy|strcat|::strcat|std::strcat|strcpy|::strcpy|std::strcpy|strcpy|::strcpy|std::strcpy|strlcat|::strlcat|std::strlcat|strlcpy|::strlcpy|std::strlcpy|strncat|::strncat|std::strncat|strpcpy|::strpcpy|std::strpcpy|wcpcpy|::wcpcpy|std::wcpcpy|wcpncpy|::wcpncpy|std::wcpncpy$" - - has: - stopBy: neighbor - kind: argument_list - all: - - has: - stopBy: neighbor - pattern: $$$ - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: 
"^fgets|::fgets|std::fgets|fopen|::fopen|std::fopen|getenv|::getenv|std::getenv|getgrent|::getgrent|std::getgrent|getgrgid|::getgrgid|std::getgrgid|getgrnam|::getgrnam|std::getgrnam|getlogin|::getlogin|std::getlogin|getpwent|::getpwent|std::getpwent|getpwnam|::getpwnam|std::getpwnam|getpwuid|::getpwuid|std::getpwuid|getpwuuid|::getpwuuid|std::getpwuuid|gets|::gets|std::gets|inet_ntop|::inet_ntop|std::inet_ntop|realpath|::realpath|std::realpath|tempnam|::tempnam|std::tempnam|tmpfile|::tmpfile|std::tmpfile|tmpnam|::tmpnam|std::tmpnam|memchr|::memchr|std::memchr|strcasestr_l|::strcasestr_l|std::strcasestr_l|strcasestr|::strcasestr|std::strcasestr|strchr|::strchr|std::strchr|strnstr|::strnstr|std::strnstr|strpbrk|::strpbrk|std::strpbrk|strrchr|::strrchr|std::strrchr|strstr|::strstr|std::strstr|strtok_r|::strtok_r|std::strtok_r|strtok|::strtok|std::strtok$" - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - pattern: $$$ - - MATCH_PATTERN_SIX: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^fwrite|::fwrite|std::fwrite$" - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: 
"^fgets|::fgets|std::fgets|fopen|::fopen|std::fopen|getenv|::getenv|std::getenv|getgrent|::getgrent|std::getgrent|getgrgid|::getgrgid|std::getgrgid|getgrnam|::getgrnam|std::getgrnam|getlogin|::getlogin|std::getlogin|getpwent|::getpwent|std::getpwent|getpwnam|::getpwnam|std::getpwnam|getpwuid|::getpwuid|std::getpwuid|getpwuuid|::getpwuuid|std::getpwuuid|gets|::gets|std::gets|inet_ntop|::inet_ntop|std::inet_ntop|realpath|::realpath|std::realpath|tempnam|::tempnam|std::tempnam|tmpfile|::tmpfile|std::tmpfile|tmpnam|::tmpnam|std::tmpnam|memchr|::memchr|std::memchr|strcasestr_l|::strcasestr_l|std::strcasestr_l|strcasestr|::strcasestr|std::strcasestr|strchr|::strchr|std::strchr|strnstr|::strnstr|std::strnstr|strpbrk|::strpbrk|std::strpbrk|strrchr|::strrchr|std::strrchr|strstr|::strstr|std::strstr|strtok_r|::strtok_r|std::strtok_r|strtok|::strtok|std::strtok$" - - has: - stopBy: neighbor - kind: argument_list - - MATCH_PATTERN_SEVEN: - kind: subscript_expression - all: - - has: - stopBy: neighbor - kind: parenthesized_expression - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: 
"^fgets|::fgets|std::fgets|fopen|::fopen|std::fopen|getenv|::getenv|std::getenv|getgrent|::getgrent|std::getgrent|getgrgid|::getgrgid|std::getgrgid|getgrnam|::getgrnam|std::getgrnam|getlogin|::getlogin|std::getlogin|getpwent|::getpwent|std::getpwent|getpwnam|::getpwnam|std::getpwnam|getpwuid|::getpwuid|std::getpwuid|getpwuuid|::getpwuuid|std::getpwuuid|gets|::gets|std::gets|inet_ntop|::inet_ntop|std::inet_ntop|realpath|::realpath|std::realpath|tempnam|::tempnam|std::tempnam|tmpfile|::tmpfile|std::tmpfile|tmpnam|::tmpnam|std::tmpnam|memchr|::memchr|std::memchr|strcasestr_l|::strcasestr_l|std::strcasestr_l|strcasestr|::strcasestr|std::strcasestr|strchr|::strchr|std::strchr|strnstr|::strnstr|std::strnstr|strpbrk|::strpbrk|std::strpbrk|strrchr|::strrchr|std::strrchr|strstr|::strstr|std::strstr|strtok_r|::strtok_r|std::strtok_r|strtok|::strtok|std::strtok$" - - has: - stopBy: neighbor - kind: subscript_argument_list - has: - stopBy: neighbor - pattern: $$$ - -rule: - any: - - kind: return_statement - any: - - matches: MATCH_PATTERN_ONE - - kind: subscript_expression - any: - - matches: MATCH_PATTERN_TWO - - matches: MATCH_PATTERN_SEVEN - - kind: call_expression - any: - - matches: MATCH_PATTERN_THREE - - matches: MATCH_PATTERN_FOUR - - matches: MATCH_PATTERN_FIVE - - matches: MATCH_PATTERN_SIX diff --git a/rules/cpp/security/return-c-str-cpp.yml b/rules/cpp/security/return-c-str-cpp.yml deleted file mode 100644 index 59bcae84..00000000 --- a/rules/cpp/security/return-c-str-cpp.yml +++ /dev/null 
@@ -1,109 +0,0 @@ -id: return-c-str-cpp -language: cpp -severity: warning -message: >- - "`$FUNC` returns a pointer to the memory owned by `$STR`. This pointer - is invalid after `$STR` goes out of scope, which can trigger a use after - free." -note: >- - [CWE-416] Use After Free - [REFERENCES] - - https://wiki.sei.cmu.edu/confluence/display/c/DCL30-C.+Declare+objects+with+appropriate+storage+durations - - https://wiki.sei.cmu.edu/confluence/display/cplusplus/EXP54-CPP.+Do+not+access+an+object+outside+of+its+lifetime - -utils: - util_for_declaration_inside_function: - kind: return_statement - pattern: return $STR.$METHOD(); - follows: - kind: declaration - stopBy: end - any: - - pattern: string $STR; - - pattern: wstring $STR; - - pattern: basic_string $STR; - - pattern: std::string $STR; - - pattern: std::wstring $STR; - - pattern: std::basic_string<$TYPE> $STR; - - util_for_assignment_inside_function: - kind: return_statement - pattern: return $STR.$METHOD(); - follows: - kind: declaration - stopBy: end - any: - - pattern: string $STR = string($STRING); - - pattern: wstring $STR = wstring($STRING); - - pattern: basic_string<$TYPE> $STR = basic_string<$TYPE>($STRING); - - pattern: std::string $STR = std::string($STRING); - - pattern: std::wstring $STR = std::wstring($STRING); - - pattern: std::basic_string<$TYPE> $STR = std::basic_string<$TYPE>($STRING); - - util_for_func_params: - kind: return_statement - pattern: return $STR.$METHOD(); - inside: - stopBy: end - kind: function_definition - has: - stopBy: end - kind: parameter_list - has: - stopBy: end - kind: parameter_declaration - has: - stopBy: end - kind: identifier - field: declarator - pattern: $STR - any: - - has: - any: - - kind: type_identifier - pattern: $IDENTIFIFER - - kind: qualified_identifier - any: - - all: - - has: - kind: namespace_identifier - pattern: $NAMESPACE_IDEN - - has: - kind: template_type - all: - - has: - kind: type_identifier - field: name - pattern: $BASIC_STR - precedes: - kind: 
template_argument_list - - pattern: $IDENTIFIFER - - kind: template_type - has: - kind: type_identifier - field: name - pattern: $BASIC_STR - precedes: - kind: template_argument_list - -rule: - any: - - matches: util_for_declaration_inside_function - - matches: util_for_assignment_inside_function - - matches: util_for_func_params - - pattern: return basic_string<$TYPE>($$$).$METHOD(); - - pattern: return std::basic_string<$TYPE>($$$).$METHOD(); - - pattern: return string($$$).$METHOD(); - - pattern: return std::string($$$).$METHOD(); - - pattern: return wstring($$$).$METHOD(); - - pattern: return std::wstring($$$).$METHOD(); - -constraints: - METHOD: - regex: ^(c_str|data)$ - IDENTIFIFER: - regex: ^(string|wstring|std::string|std::wstring)$ - BASIC_STR: - regex: ^(basic_string)$ - NAMESPACE_IDEN: - regex: ^(std)$
diff --git a/rules/cpp/security/sizeof-this-cpp.yml b/rules/cpp/security/sizeof-this-cpp.yml
deleted file mode 100644
index a32bbd6a..00000000
--- a/rules/cpp/security/sizeof-this-cpp.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-id: sizeof-this-cpp -language: cpp -severity: warning -message: >- - Do not use `sizeof(this)` to get the number of bytes of the object in - memory. It returns the size of the pointer, not the size of the object. -note: >- - [CWE-467]: Use of sizeof() on a Pointer Type - [REFERENCES] - - https://wiki.sei.cmu.edu/confluence/display/c/ARR01-C.+Do+not+apply+the+sizeof+operator+to+a+pointer+when+taking+the+size+of+an+array -rule: - any: - - pattern: "sizeof(this)"
diff --git a/rules/cpp/security/small-key-size-cpp.yml b/rules/cpp/security/small-key-size-cpp.yml
deleted file mode 100644
index 94a5bc48..00000000
--- a/rules/cpp/security/small-key-size-cpp.yml
+++ /dev/null
@@ -1,56 +0,0 @@
-id: small-key-size-cpp -language: cpp -severity: warning -message: >- - $KEY_FUNCTION` is using a key size of only $KEY_BITS bits. This is - less than the recommended key size of 2048 bits. -note: >- - [CWE-326]: Inadequate Encryption Strength - [OWASP A02:2021]: Cryptographic Failures - [OWASP A03:2017]: Sensitive Data Exposure - [REFERENCES] - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf - https://owasp.org/Top10/A02_2021-Cryptographic_Failures -utils: - Match_pattern_with_prefix_statement: - kind: expression_statement - all: - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $AST - - has: - stopBy: end - kind: argument_list - has: - stopby: end - kind: identifier - pattern: $Q - - follows: - stopBy: end - kind: declaration - has: - stopBy: end - kind: init_declarator - all: - - has: - stopBy: end - kind: identifier - pattern: $Q - - has: - stopBy: end - kind: number_literal - pattern: $AASS - -rule: - kind: expression_statement - matches: Match_pattern_with_prefix_statement -constraints: - AST: - regex: (DH_generate_parameters_ex|DSA_generate_parameters_ex|EVP_PKEY_CTX_set_dh_paramgen_prime_len|EVP_PKEY_CTX_set_dsa_paramgen_bits|EVP_PKEY_CTX_set_rsa_keygen_bits|RSA_generate_key_ex|RSA_generate_key_fips) - AASS: - regex: '^(-?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|0|-[1-9][0-9]*|-[1-9][0-9]{2,}|-1[0-9]{3}|-20[0-3][0-9]|-204[0-7])$'
diff --git a/rules/cpp/security/std-return-data-cpp.yml b/rules/cpp/security/std-return-data-cpp.yml
deleted file mode 100644
index e36e1637..00000000
--- a/rules/cpp/security/std-return-data-cpp.yml
+++ /dev/null
@@ -1,124 +0,0 @@ -id: std-return-data-cpp -language: cpp -severity: warning -message: >- - $FUNC` returns a pointer to the memory owned by `$VAR`. This pointer - is invalid after `$VAR` goes out of scope, which can trigger a use after - free. -note: >- - [CWE-416: Use After Free. - [REFERENCES] - - https://wiki.sei.cmu.edu/confluence/display/c/DCL30-C.+Declare+objects+with+appropriate+storage+durations -utils: - MATCH_RETURN_STATEMENT_WITH_STD: - kind: return_statement - has: - kind: call_expression - has: - kind: field_expression - has: - kind: identifier - pattern: $VAR - inside: - stopBy: end - kind: return_statement - follows: - stopBy: end - kind: declaration - all: - - has: - stopBy: end - kind: identifier - pattern: $VAR - - has: - stopBy: end - kind: template_type - has: - stopBy: end - kind: type_identifier - regex: (^vector|^array$|^deque$|^forward_list$|^list$|^map$|^multimap$|^multiset$|^set$|^unordered_map$|^unordered_multimap$|^unordered_multiset$|^unordered_set$) - - has: - stopBy: end - kind: qualified_identifier - has: - stopBy: end - kind: namespace_identifier - pattern: $I - inside: - stopBy: end - kind: compound_statement - all: - - follows: - stopBy: end - kind: pointer_declarator - has: - stopBy: end - kind: function_declarator - has: - stopBy: end - kind: identifier - regex: ^return.* - - follows: - stopBy: end - kind: primitive_type - pattern: $J - MATCH_RETURN_STATEMENT_WITHOUT_STD: - kind: return_statement - has: - kind: call_expression - has: - kind: field_expression - has: - kind: identifier - pattern: $VAR - inside: - stopBy: end - kind: return_statement - follows: - stopBy: end - kind: declaration - all: - - has: - stopBy: end - kind: identifier - pattern: $VAR - - has: - stopBy: end - kind: template_type - has: - stopBy: end - kind: type_identifier - regex: (^vector|^array$|^deque$|^forward_list$|^list$|^map$|^multimap$|^multiset$|^set$|^unordered_map$|^unordered_multimap$|^unordered_multiset$|^unordered_set$) - inside: - stopBy: end 
- kind: compound_statement - all: - - follows: - stopBy: end - kind: pointer_declarator - has: - stopBy: end - kind: function_declarator - all: - - has: - stopBy: end - kind: identifier - regex: ^return.* - - has: - stopBy: end - kind: parameter_list - - follows: - stopBy: end - kind: primitive_type - pattern: $J -rule: - kind: return_statement - any: - - matches: MATCH_RETURN_STATEMENT_WITH_STD - - matches: MATCH_RETURN_STATEMENT_WITHOUT_STD - -constraints: - I: - regex: "^std$" - J: - regex: ^(int|char|float)$ diff --git a/rules/cpp/security/std-vector-invalidation-cpp.yml b/rules/cpp/security/std-vector-invalidation-cpp.yml deleted file mode 100644 index 1c6833d7..00000000 --- a/rules/cpp/security/std-vector-invalidation-cpp.yml +++ /dev/null 
@@ -1,53 +0,0 @@ -id: std-vector-invalidation-cpp -language: cpp -severity: warning -message: >- - Modifying an `std::vector` while iterating over it could cause the - container to reallocate, triggering memory corruption. -note: >- - [CWE-416: Use After Free. - [REFERENCES] - - https://wiki.sei.cmu.edu/confluence/display/c/MEM30-C.+Do+not+access+freed+memory - - https://wiki.sei.cmu.edu/confluence/display/cplusplus/EXP54-CPP.+Do+not+access+an+object+outside+of+its+lifetime -rule: - kind: call_expression - all: - - pattern: $CONTAINER.$R($$$) - inside: - stopBy: end - kind: for_statement - any: - - pattern: for(std::vector<$TY>::$IT_TYPE $IT = $CONTAINER.begin(); $IT!= $CONTAINER.end(); ++$IT){$$$} - - pattern: for(std::vector<$TY>::$IT_TYPE $IT = $CONTAINER.begin(); $IT!= $CONTAINER.end(); $IT++){$$$} - - pattern: - for(std::vector<$TY>::$IT_TYPE $IT = $CONTAINER.rbegin(); $IT!= $CONTAINER.rend(); ++$IT) - {$$$} - - pattern: - for(std::vector<$TY>::$IT_TYPE $IT = $CONTAINER.rbegin(); $IT!= $CONTAINER.rend(); $IT++) - {$$$} - - pattern: for(std::vector<$TY>::$IT_TYPE $IT = $CONTAINER.begin(),$IT_END = $CONTAINER.end(); $IT !=$IT_END; ++$IT){$$$} - - pattern: for(std::vector<$TY>::$IT_TYPE $IT = $CONTAINER.begin(), - $IT_END = $CONTAINER.end(); $IT != $IT_END; $IT++){$$$} - - pattern: for(std::vector<$TY>::$IT_TYPE $IT = $CONTAINER.rbegin(), - $IT_END = $CONTAINER.rend(); $IT != $IT_END; ++$IT){$$$} - - pattern: for(std::vector<$TY>::$IT_TYPE $IT = $CONTAINER.rbegin(), - $IT_END = $CONTAINER.rend(); $IT != $IT_END; $IT++){$$$} - - inside: - not: - kind: assignment_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $IT - - has: - stopBy: neighbor - regex: "^=$" - - has: - stopBy: neighbor - kind: call_expression - pattern: $CONTAINER.$R($IT) - -constraints: - R: - regex: "^erase|assign|clear|insert|resize|push_back|reserve|shrink_to_fit|resize|pop_back$" 
diff --git a/rules/csharp/security/httponly-false-csharp.yml b/rules/csharp/security/httponly-false-csharp.yml deleted file mode 100644 index f874ec84..00000000 --- a/rules/csharp/security/httponly-false-csharp.yml +++ /dev/null @@ -1,25 +0,0 @@ -id: httponly-false-csharp -language: csharp -severity: warning -message: >- - "Detected a cookie where the `HttpOnly` flag is either missing or - disabled. The `HttpOnly` cookie flag instructs the browser to forbid - client-side JavaScript to read the cookie. If JavaScript interaction is - required, you can ignore this finding. However, set the `HttpOnly` flag to - `true` in all other cases. If this wasn't intentional, it's recommended to - set the HttpOnly flag to true so the cookie will not be accessible through - client-side scripts or to use the Cookie Policy Middleware to globally set - the HttpOnly flag. You can then use the CookieOptions class when - instantiating the cookie, which inherits these settings and will require - future developers to have to explicitly override them on a case-by-case - basis if needed. This approach ensures cookies are secure by default." -note: >- - [CWE-1004] Sensitive Cookie Without 'HttpOnly' Flag" - [REFERENCES] - - https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware - - https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions - - https://owasp.org/Top10/A05_2021-Security_Misconfiguration -rule: - any: - - pattern: $BUILDER.Cookie.HttpOnly = false; - - pattern: $COOKIE.HttpOnly = false; diff --git a/rules/csharp/security/jwt-tokenvalidationparameters-no-expiry-validation-csharp.yml b/rules/csharp/security/jwt-tokenvalidationparameters-no-expiry-validation-csharp.yml deleted file mode 100644 index 64bfb867..00000000 --- a/rules/csharp/security/jwt-tokenvalidationparameters-no-expiry-validation-csharp.yml +++ /dev/null 
@@ -1,90 +0,0 @@ -id: jwt-tokenvalidationparameters-no-expiry-validation-csharp -severity: warning -language: csharp -message: >- - The TokenValidationParameters.$LIFETIME is set to $FALSE, this means - the JWT tokens lifetime is not validated. This can lead to an JWT token - being used after it has expired, which has security implications. It is - recommended to validate the JWT lifetime to ensure only valid tokens are - used. -note: >- - [CWE-613] Insufficient Session Expiration. - [REFERENCES] - - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/ - - https://cwe.mitre.org/data/definitions/613.html - - https://docs.microsoft.com/en-us/dotnet/api/microsoft.identitymodel.tokens.tokenvalidationparameters?view=azure-dotnet -utils: - MATCH_PATTERN_ONE: - kind: assignment_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^ValidateLifetime$|^RequireExpirationTime$" - - has: - stopBy: neighbor - regex: "^=$" - - has: - stopBy: neighbor - kind: boolean_literal - regex: "^false$" - - inside: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: object_creation_expression - has: - stopBy: neighbor - kind: identifier - regex: "^TokenValidationParameters$" - - MATCH_PATTERN_TWO: - kind: assignment_expression - all: - - has: - stopBy: neighbor - kind: member_access_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $T - - has: - stopBy: neighbor - kind: identifier - regex: "^ValidateIssuer$|^RequireExpirationTime$" - - has: - stopBy: neighbor - regex: "^=$" - - has: - stopBy: neighbor - kind: boolean_literal - regex: "^false$" - - inside: - stopBy: end - kind: global_statement - follows: - stopBy: end - kind: global_statement - has: - stopBy: end - kind: variable_declaration - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^TokenValidationParameters$" - - has: - stopBy: neighbor - kind: variable_declarator - has: - stopBy: neighbor - kind: identifier - pattern: $T - 
-rule: - kind: assignment_expression - any: - - matches: MATCH_PATTERN_ONE - - matches: MATCH_PATTERN_TWO diff --git a/rules/go/gorilla/session-cookie-missing-httponly.yml b/rules/go/gorilla/session-cookie-missing-httponly.yml deleted file mode 100644 index 4b7bd60a..00000000 --- a/rules/go/gorilla/session-cookie-missing-httponly.yml +++ /dev/null @@ -1,18 +0,0 @@ -id: session-cookie-missing-httponly -language: go -message: >- - A session cookie was detected without setting the 'HttpOnly' flag. - The 'HttpOnly' flag for cookies instructs the browser to forbid - client-side scripts from reading the cookie which mitigates XSS - attacks. Set the 'HttpOnly' flag by setting 'HttpOnly' to 'true' - in the Options struct. -severity: warning -note: >- - [OWASP A05:2021] Security Misconfiguration - [REFERENCES] - - https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/user/session/session.go#L69 -rule: - any: - - pattern: "&sessions.Options{ $$$, HttpOnly: false, $$$ }" - - pattern: "&sessions.Options{ $$$, HttpOnly: false}" - - pattern: "&sessions.Options{ HttpOnly: false, $$$}" diff --git a/rules/go/gorilla/session-cookie-missing-secure.yml b/rules/go/gorilla/session-cookie-missing-secure.yml deleted file mode 100644 index cdb83fb3..00000000 --- a/rules/go/gorilla/session-cookie-missing-secure.yml +++ /dev/null 
@@ -1,18 +0,0 @@ -id: session-cookie-missing-secure -language: go -message: >- - A session cookie was detected without setting the 'Secure' flag. - The 'secure' flag for cookies prevents the client from transmitting - the cookie over insecure channels such as HTTP. Set the 'Secure' - flag by setting 'Secure' to 'true' in the Options struct. -severity: warning -note: >- - [CWE-614] Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - [OWASP A05:2021] Security Misconfiguration - [REFERENCES] - - https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/user/session/session.go -rule: - any: - - pattern: "&sessions.Options{ $$$, Secure: false, $$$ }" - - pattern: "&sessions.Options{ $$$, Secure: false}" - - pattern: "&sessions.Options{ Secure: false, $$$}" diff --git a/rules/go/grpc/grpc-client-insecure-connection-go.yml b/rules/go/grpc/grpc-client-insecure-connection-go.yml deleted file mode 100644 index f77fdb12..00000000 --- a/rules/go/grpc/grpc-client-insecure-connection-go.yml +++ /dev/null @@ -1,20 +0,0 @@ -id: grpc-client-insecure-connection-go -language: go -severity: warning -message: >- - Found an insecure gRPC connection using 'grpc.WithInsecure()'. This - creates a connection without encryption to a gRPC server. A malicious - attacker could tamper with the gRPC message, which could compromise the - machine. Instead, establish a secure connection with an SSL certificate - using the 'grpc.WithTransportCredentials()' function. You can create a - create credentials using a 'tls.Config{}' struct with - 'credentials.NewTLS()'. The final fix looks like this: - 'grpc.WithTransportCredentials(credentials.NewTLS())'. -note: >- - [CWE-300] Channel Accessible by Non-Endpoint. - [REFERENCES] - - https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption -rule: - any: - - pattern: $GRPC.Dial($ADDR, $$$, $GRPC.WithInsecure($$$), $$$) - - pattern: $GRPC.Dial($ADDR, $GRPC.WithInsecure($$$)) 
diff --git a/rules/go/injection/bad-tmp.yml b/rules/go/injection/bad-tmp.yml deleted file mode 100644 index 4d342912..00000000 --- a/rules/go/injection/bad-tmp.yml +++ /dev/null @@ -1,13 +0,0 @@ -id: bad-tmp-go -language: go -message: File creation in shared tmp directory without using ioutil.Tempfile -severity: warning -note: >- - [CWE-377] Insecure Temporary File - [OWASP A01:2021] Broken Access Control - [REFERENCES] - - https://owasp.org/Top10/A01_2021-Broken_Access_Control -rule: - any: - - pattern: ioutil.WriteFile("=~//tmp/.*$/", $$$) - - pattern: os.Create("=~//tmp/.*$/", $$$) \ No newline at end of file diff --git a/rules/go/jwt-go/jwt-go-none-algorithm-go.yml b/rules/go/jwt-go/jwt-go-none-algorithm-go.yml deleted file mode 100644 index 5a40fa82..00000000 --- a/rules/go/jwt-go/jwt-go-none-algorithm-go.yml +++ /dev/null @@ -1,38 +0,0 @@ -id: jwt-go-none-algorithm-go -language: go -severity: warning -message: >- - Detected use of the 'none' algorithm in a JWT token. The 'none' - algorithm assumes the integrity of the token has already been verified. - This would allow a malicious actor to forge a JWT token that will - automatically be verified. Do not explicitly use the 'none' algorithm. - Instead, use an algorithm such as 'HS256'. -note: >- - [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm - [OWASP A03:2017]: Sensitive Data Exposure - [OWASP A02:2021]: Cryptographic Failures - [REFERENCES] - https://owasp.org/Top10/A02_2021-Cryptographic_Failures -utils: - after_declaration: - inside: - stopBy: end - kind: function_declaration - follows: - stopBy: end - kind: import_declaration - has: - stopBy: end - kind: import_spec_list - pattern: $IMPORT_MOD -rule: - kind: selector_expression - all: - - pattern: $JWT_FUNC - - matches: after_declaration - -constraints: - JWT_FUNC: - regex: (jwt.SigningMethodNone|jwt.UnsafeAllowNoneSignatureType) - IMPORT_MOD: - regex: ("github.com/golang-jwt/jwt"|"github.com/dgrijalva/jwt-go") 
diff --git a/rules/go/jwt-go/jwt-go-none-algorithm.yml b/rules/go/jwt-go/jwt-go-none-algorithm.yml deleted file mode 100644 index 9d16f8bb..00000000 --- a/rules/go/jwt-go/jwt-go-none-algorithm.yml +++ /dev/null @@ -1,20 +0,0 @@ -id: jwt-go-none-algorithm -language: go -message: >- - Detected use of the 'none' algorithm in a JWT token. - The 'none' algorithm assumes the integrity of the token has already - been verified. This would allow a malicious actor to forge a JWT token - that will automatically be verified. Do not explicitly use the 'none' - algorithm. Instead, use an algorithm such as 'HS256'. -note: >- - [CWE-327] Use of a Broken or Risky Cryptographic Algorithm - [OWASP A03:2017] Sensitive Data Exposure - [OWASP A02:2021] Cryptographic Failures - [REFERENCES] - - https://owasp.org/Top10/A02_2021-Cryptographic_Failures -rule: - any: - - regex: "jwt.UnsafeAllowNoneSignatureType" - kind: selector_expression - - regex: "jwt.SigningMethodNone" - kind: selector_expression diff --git a/rules/go/jwt-go/jwt-go-parse-unverified.yml b/rules/go/jwt-go/jwt-go-parse-unverified.yml deleted file mode 100644 index 145da621..00000000 --- a/rules/go/jwt-go/jwt-go-parse-unverified.yml +++ /dev/null @@ -1,17 +0,0 @@ -id: jwt-go-parse-unverified -language: go -message: >- - Detected the decoding of a JWT token without a verify step. - Don't use `ParseUnverified` unless you know what you're doing - This method parses the token but doesn't validate the signature. It's only ever useful in cases where - you know the signature is valid (because it has been checked previously in the stack) and you want - to extract values from it. -note: >- - [CWE-345] Insufficient Verification of Data Authenticity - [OWASP A08:2021] Software and Data Integrity Failures - [REFERENCES] - - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures -rule: - any: - - pattern: "$$$.ParseUnverified($$$)" - - pattern: "new($$$).ParseUnverified($$$)" 
diff --git a/rules/go/jwt-go/jwt.yml b/rules/go/jwt-go/jwt.yml deleted file mode 100644 index b52db30b..00000000 --- a/rules/go/jwt-go/jwt.yml +++ /dev/null @@ -1,16 +0,0 @@ -id: jwt-go -language: go -message: >- - A hard-coded credential was detected. It is not recommended to store credentials in source-code, - as this risks secrets - being leaked and used by either an internal or external malicious adversary. It is recommended to - use environment variables to securely provide credentials or retrieve credentials from a secure - vault or HSM (Hardware Security Module). -severity: warning -note: >- - [CWE-798] Use of Hard-coded Credentials - [OWASP A07:2021] Identification and Authentication Failures - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html -rule: - pattern: "$TOKEN.SignedString([]byte($SECRET))" \ No newline at end of file diff --git a/rules/go/security/avoid-bind-to-all-interfaces-go.yml b/rules/go/security/avoid-bind-to-all-interfaces-go.yml deleted file mode 100644 index ec13e207..00000000 --- a/rules/go/security/avoid-bind-to-all-interfaces-go.yml +++ /dev/null @@ -1,21 +0,0 @@ -id: avoid-bind-to-all-interfaces-go -language: go -severity: warning -message: >- - "Detected a network listener listening on 0.0.0.0 or an empty string. - This could unexpectedly expose the server publicly as it binds to all - available interfaces. Instead, specify another IP address that is not - 0.0.0.0 nor the empty string." -note: >- - [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor - [REFERENCES] - - https://owasp.org/Top10/A01_2021-Broken_Access_Control -rule: - any: - - pattern: tls.Listen($NETWORK, $IP $$$) - - pattern: net.Listen($NETWORK, $IP $$$) - -constraints: - IP: - kind: interpreted_string_literal - regex: ^"0.0.0.0:.*"$|^":.*"$|^'0.0.0.0:.*'$|^':.*'$ 
diff --git a/rules/go/security/gorilla-cookie-store-hardcoded-session-key-go.yml b/rules/go/security/gorilla-cookie-store-hardcoded-session-key-go.yml deleted file mode 100644 index ef440f8f..00000000 --- a/rules/go/security/gorilla-cookie-store-hardcoded-session-key-go.yml +++ /dev/null @@ -1,63 +0,0 @@ -id: gorilla-cookie-store-hardcoded-session-key-go -language: go -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. It is - recommended to rotate the secret and retrieve them from a secure secret - vault or Hardware Security Module (HSM), alternatively environment - variables can be used if allowed by your company policy. -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures -utils: - MATCH_PATTERN_ONE: - kind: expression_list - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: selector_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "sessions" - - has: - stopBy: neighbor - kind: field_identifier - regex: "^NewCookieStore$" - - has: - stopBy: neighbor - kind: argument_list - any: - - has: - stopBy: neighbor - kind: type_conversion_expression - all: - - has: - stopBy: neighbor - kind: slice_type - has: - stopBy: neighbor - kind: type_identifier - regex: "^byte$" - - has: - stopBy: neighbor - pattern: $$$ - - not: - has: - stopBy: neighbor - kind: call_expression - - has: - stopBy: neighbor - kind: interpreted_string_literal - -rule: - kind: expression_list - any: - - matches: MATCH_PATTERN_ONE diff --git a/rules/go/security/gorilla-csrf-hardcoded-auth-key-go.yml b/rules/go/security/gorilla-csrf-hardcoded-auth-key-go.yml deleted file mode 100644 index 7c2b6a46..00000000 
--- a/rules/go/security/gorilla-csrf-hardcoded-auth-key-go.yml +++ /dev/null @@ -1,65 +0,0 @@ -id: gorilla-csrf-hardcoded-auth-key-go -language: go -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. It is - recommended to rotate the secret and retrieve them from a secure secret - vault or Hardware Security Module (HSM), alternatively environment - variables can be used if allowed by your company policy. -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures -utils: - MATCH_PATTERN_ONE: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: selector_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^csrf$" - - has: - stopBy: neighbor - kind: field_identifier - regex: "^Protect$" - - has: - stopBy: neighbor - kind: argument_list - any: - - has: - stopBy: neighbor - kind: type_conversion_expression - all: - - has: - stopBy: neighbor - kind: slice_type - has: - stopBy: neighbor - kind: type_identifier - regex: "^byte$" - - has: - stopBy: neighbor - kind: interpreted_string_literal - - has: - stopBy: neighbor - kind: interpreted_string_literal - - inside: - stopBy: end - kind: function_declaration - follows: - stopBy: end - kind: import_declaration - has: - stopBy: end - kind: import_spec - regex: "github.com/gorilla/csrf" -rule: - kind: call_expression - any: - - matches: MATCH_PATTERN_ONE diff --git a/rules/go/security/missing-ssl-minversion-go.yml b/rules/go/security/missing-ssl-minversion-go.yml deleted file mode 100644 index 88ae3f9a..00000000 --- a/rules/go/security/missing-ssl-minversion-go.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -id: missing-ssl-minversion-go -language: go -severity: warning -message: >- - MinVersion` is missing from this TLS configuration. By default, TLS - 1.2 is currently used as the minimum when acting as a client, and TLS 1.0 - when acting as a server. General purpose web applications should default - to TLS 1.3 with all other protocols disabled. Only where it is known that - a web server must support legacy clients with unsupported an insecure - browsers (such as Internet Explorer 10), it may be necessary to enable TLS - 1.0 to provide support. Add `MinVersion: tls.VersionTLS13' to the TLS - configuration to bump the minimum version to TLS 1.3. -note: >- - [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm - [OWASP A03:2017]: Sensitive Data Exposure - [OWASP A02:2021]: Cryptographic Failures - [REFERENCES] - https://owasp.org/Top10/A02_2021-Cryptographic_Failures -utils: - match_tls_without_minversion: - kind: composite_literal - pattern: $R - inside: - stopBy: end - kind: assignment_statement -rule: - any: - - matches: match_tls_without_minversion -constraints: - R: - regex: ^(tls.Config) diff --git a/rules/go/security/openai-empty-secret-go.yml b/rules/go/security/openai-empty-secret-go.yml deleted file mode 100644 index 57646223..00000000 --- a/rules/go/security/openai-empty-secret-go.yml +++ /dev/null 
@@ -1,50 +0,0 @@ -id: openai-empty-secret-go -language: go -severity: warning -message: >- - The application uses an empty credential. This can lead to unauthorized - access by either an internal or external malicious actor. It is - recommended to rotate the secret and retrieve them from a secure secret - vault or Hardware Security Module (HSM), alternatively environment - variables can be used if allowed by your company policy. -note: >- - [CWE-287] Improper Authentication. - [REFERENCES] - - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures -utils: - MATCH_openai.NewClient: - kind: expression_list - all: - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: selector_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^openai$" - - has: - stopBy: neighbor - kind: field_identifier - regex: "^NewClient$" - - has: - stopBy: neighbor - kind: argument_list - regex: \(\s*\"\"\s*\) - - inside: - stopBy: end - kind: function_declaration - follows: - stopBy: end - kind: import_declaration - has: - stopBy: end - kind: import_spec - regex: "github.com/sashabaranov/go-openai" -rule: - kind: expression_list - matches: MATCH_openai.NewClient diff --git a/rules/go/security/openai-hardcoded-secret-go.yml b/rules/go/security/openai-hardcoded-secret-go.yml deleted file mode 100644 index 6c6f1c31..00000000 --- a/rules/go/security/openai-hardcoded-secret-go.yml +++ /dev/null 
@@ -1,50 +0,0 @@ -id: openai-hardcoded-secret-go -language: go -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. It is - recommended to rotate the secret and retrieve them from a secure secret - vault or Hardware Security Module (HSM), alternatively environment - variables can be used if allowed by your company policy. -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures -utils: - MATCH_openai.NewClient: - kind: expression_list - all: - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: selector_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^openai$" - - has: - stopBy: neighbor - kind: field_identifier - regex: "^NewClient$" - - has: - stopBy: neighbor - kind: argument_list - - inside: - stopBy: end - kind: function_declaration - follows: - stopBy: end - kind: import_declaration - has: - stopBy: end - kind: import_spec - regex: "github.com/sashabaranov/go-openai" -rule: - kind: expression_list - matches: MATCH_openai.NewClient diff --git a/rules/go/security/ssl-v3-is-insecure-go.yml b/rules/go/security/ssl-v3-is-insecure-go.yml deleted file mode 100644 index 114aeabe..00000000 --- a/rules/go/security/ssl-v3-is-insecure-go.yml +++ /dev/null 
@@ -1,17 +0,0 @@ -id: ssl-v3-is-insecure-go -language: go -severity: warning -message: >- - SSLv3 is insecure because it has known vulnerabilities. Starting with - go1.14, SSLv3 will be removed. Instead, use 'tls.VersionTLS13'. -note: >- - [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm - [OWASP A03:2017]: Sensitive Data Exposure - [OWASP A02:2021]: Cryptographic Failures - [REFERENCES] - https://golang.org/doc/go1.14#crypto/tls - https://www.us-cert.gov/ncas/alerts/TA14-290A -rule: - kind: composite_literal - all: - - pattern: "tls.Config{$$$, MinVersion: tls.VersionSSL30, $$$}" diff --git a/rules/go/security/tls-with-insecure-cipher-go.yml b/rules/go/security/tls-with-insecure-cipher-go.yml deleted file mode 100644 index 745ca85c..00000000 --- a/rules/go/security/tls-with-insecure-cipher-go.yml +++ /dev/null 
@@ -1,53 +0,0 @@ -id: tls-with-insecure-cipher-go -language: go -severity: warning -message: >- - Detected an insecure CipherSuite via the 'tls' module. This suite is - considered weak. Use the function 'tls.CipherSuites()' to get a list of - good cipher suites. See - https://golang.org/pkg/crypto/tls/#InsecureCipherSuites for why and what - other cipher suites to use. -note: >- - [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm - [OWASP A03:2017]: Sensitive Data Exposure - [OWASP A02:2021]: Cryptographic Failures - [REFERENCES] - https://owasp.org/Top10/A02_2021-Cryptographic_Failures -utils: - match_tls_ciphersuite: - kind: literal_element - has: - stopBy: end - kind: composite_literal - all: - - has: - stopBy: end - kind: qualified_type - regex: ^(tls.CipherSuite) - - has: - stopBy: end - kind: literal_value - has: - stopBy: end - kind: literal_element - pattern: $R - regex: TLS_RSA_WITH_RC4_128_SHA|TLS_RSA_WITH_3DES_EDE_CBC_SHA|TLS_RSA_WITH_AES_128_CBC_SHA256|TLS_ECDHE_ECDSA_WITH_RC4_128_SHA|TLS_ECDHE_RSA_WITH_RC4_128_SHA|TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA|TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256|TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - method_tls_config: - kind: composite_literal - all: - - has: - kind: qualified_type - regex: ^(tls.Config) - - has: - stopBy: end - kind: literal_value - has: - stopBy: end - kind: literal_element - pattern: $F - regex: tls.TLS_RSA_WITH_RC4_128_SHA|tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA|tls.TLS_RSA_WITH_AES_128_CBC_SHA256|tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA|tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA|tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA|tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256|tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - -rule: - any: - - matches: match_tls_ciphersuite - - matches: method_tls_config diff --git a/rules/go/security/use-of-weak-rsa-key-go.yml b/rules/go/security/use-of-weak-rsa-key-go.yml deleted file mode 100644 index 783411a8..00000000 --- a/rules/go/security/use-of-weak-rsa-key-go.yml +++ /dev/null 
@@ -1,36 +0,0 @@ -id: use-of-weak-rsa-key-go -language: go -severity: warning -message: >- - RSA keys should be at least 2048 bits. -note: >- - [CWE-326] Inadequate Encryption Strength. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms -utils: - statement_match_pattern_one: - kind: expression_list - all: - - has: - stopBy: end - kind: selector_expression - pattern: $JWT - - has: - stopBy: end - kind: argument_list - - has: - stopBy: end - kind: int_literal - pattern: $BITS - -rule: - kind: expression_list - any: - - matches: statement_match_pattern_one - -constraints: - JWT: - regex: (rsa.GenerateMultiPrimeKey|rsa.GenerateKey) - - BITS: - regex: '^(-?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|0|-[1-9][0-9]*|-[1-9][0-9]{2,}|-1[0-9]{3}|-20[0-3][0-9]|-204[0-7])$' diff --git a/rules/go/templates/go-insecure-types.yml b/rules/go/templates/go-insecure-types.yml deleted file mode 100644 index d19c12bf..00000000 --- a/rules/go/templates/go-insecure-types.yml +++ /dev/null @@ -1,20 +0,0 @@ -id: go-template-insecure-types -language: go -message: >- - usage of insecure template types. They are documented as a security risk. See https://golang.org/pkg/html/template/#HTML. -severity: warning -note: >- - [CWE-79] Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - [OWASP A07:2017] Cross-Site Scripting (XSS) - [OWASP A03:2021] Injection - [REFERENCES] - - https://golang.org/pkg/html/template/#HTML - - https://twitter.com/empijei/status/1275177219011350528 -rule: - any: - - pattern: var $VAR template.HTML = $$$ - - pattern: var $VAR template.CSS = $$$ - - pattern: var $VAR template.HTMLAttr = $$$ - - pattern: var $VAR template.JS = $$$ - - pattern: var $VAR template.JSStr = $$$ - - pattern: var $VAR template.Srcset = $$$ \ No newline at end of file 
diff --git a/rules/html/security/plaintext-http-link-html.yml b/rules/html/security/plaintext-http-link-html.yml deleted file mode 100644 index 0e0dbfb7..00000000 --- a/rules/html/security/plaintext-http-link-html.yml +++ /dev/null @@ -1,14 +0,0 @@ -id: plaintext-http-link-html -language: html -severity: warning -message: >- - "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible." -note: >- - [CWE-319] Authentication Bypass by Primary Weakness - [REFERENCES] - - https://cwe.mitre.org/data/definitions/319.html -rule: - pattern: $C -constraints: - URL: - regex: ^['"`]?([Hh][Tt][Tt][Pp]://) diff --git a/rules/java/security/blowfish-insufficient-key-size-java.yml b/rules/java/security/blowfish-insufficient-key-size-java.yml deleted file mode 100644 index 733e8702..00000000 --- a/rules/java/security/blowfish-insufficient-key-size-java.yml +++ /dev/null 
@@ -1,62 +0,0 @@ -id: blowfish-insufficient-key-size-java -severity: warning -language: java -message: >- - Using less than 128 bits for Blowfish is considered insecure. Use 128 - bits or more, or switch to use AES instead. -note: >- - [CWE-326] Inadequate Encryption Strength. - [REFERENCES] - - https://owasp.org/Top10/A02_2021-Cryptographic_Failures -utils: - MATCH_PATTERN_KEYGENERATOR: - kind: expression_statement - all: - - has: - stopBy: end - kind: method_invocation - all: - - has: - stopBy: end - kind: identifier - - has: - stopBy: neighbor - kind: identifier - regex: '\binit\b' - - has: - stopBy: end - kind: argument_list - has: - stopBy: end - kind: decimal_integer_literal - pattern: $R - - follows: - stopBy: end - kind: local_variable_declaration - has: - stopBy: end - kind: method_invocation - all: - - has: - stopBy: neighbor - kind: identifier - regex: '\bKeyGenerator\b' - - has: - stopBy: neighbor - kind: identifier - regex: '\bgetInstance\b' - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: string_literal - regex: '\bBlowfish\b' - -rule: - kind: expression_statement - matches: MATCH_PATTERN_KEYGENERATOR - -constraints: - R: - regex: ^(?:[1-9]?[0-9]|1[01][0-9]|127)$ diff --git a/rules/java/security/cookie-httponly-false-java.yml b/rules/java/security/cookie-httponly-false-java.yml deleted file mode 100644 index 5916d17b..00000000 --- a/rules/java/security/cookie-httponly-false-java.yml +++ /dev/null @@ -1,13 +0,0 @@ -id: cookie-httponly-false-java -language: java -message: >- - A cookie was detected without setting the 'HttpOnly' flag. The - 'HttpOnly' flag for cookies instructs the browser to forbid client-side - scripts from reading the cookie. Set the 'HttpOnly' flag by calling - 'cookie.setHttpOnly(true);' -note: >- - [CWE-1004] Sensitive Cookie Without 'HttpOnly' Flag. - [REFERENCES] - - https://capec.mitre.org/data/definitions/463.html -rule: - pattern: $COOKIE.setHttpOnly(false); 
diff --git a/rules/java/security/cookie-missing-samesite-java.yml b/rules/java/security/cookie-missing-samesite-java.yml deleted file mode 100644 index 58ec9d7b..00000000 --- a/rules/java/security/cookie-missing-samesite-java.yml +++ /dev/null 
@@ -1,67 +0,0 @@ -id: cookie-missing-samesite-java -severity: warning -language: java -message: >- - The application does not appear to verify inbound requests which can - lead to a Cross-site request forgery (CSRF) vulnerability. If the - application uses cookie-based authentication, an attacker can trick users - into sending authenticated HTTP requests without their knowledge from any - arbitrary domain they visit. To prevent this vulnerability start by - identifying if the framework or library leveraged has built-in features or - offers plugins for CSRF protection. CSRF tokens should be unique and - securely random. The `Synchronizer Token` or `Double Submit Cookie` - patterns with defense-in-depth mechanisms such as the `sameSite` cookie - flag can help prevent CSRF. For more information, see: [Cross-site request - forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Req\ - uest_Forgery_Prevention_Cheat_Sheet.html). -note: >- - [CWE-352] Cross-Site Request Forgery (CSRF). - [REFERENCES] - - https://stackoverflow.com/questions/42717210/samesite-cookie-in-java-application -rule: - any: - - pattern: $RESP.setHeader("Set-Cookie", $T); - inside: - stopBy: end - kind: block - follows: - stopBy: end - kind: formal_parameters - has: - stopBy: end - kind: formal_parameter - all: - - has: - stopBy: end - kind: type_identifier - regex: "^HttpServletResponse$" - - has: - stopBy: neighbor - kind: identifier - - pattern: $RESP.addCookie($$$); - not: - follows: - stopBy: end - kind: expression_statement - pattern: $RESP.setHeader("Set-Cookie", $T); - inside: - stopBy: end - kind: block - follows: - stopBy: end - kind: formal_parameters - has: - stopBy: end - kind: formal_parameter - all: - - has: - stopBy: end - kind: type_identifier - regex: "^HttpServletResponse$" - - has: - stopBy: neighbor - kind: identifier -constraints: - T: - not: - regex: ".*SameSite=.*|null" 
diff --git a/rules/java/security/cookie-secure-flag-false-java.yml b/rules/java/security/cookie-secure-flag-false-java.yml deleted file mode 100644 index cd5418f4..00000000 --- a/rules/java/security/cookie-secure-flag-false-java.yml +++ /dev/null @@ -1,14 +0,0 @@ -id: cookie-secure-flag-false-java -language: java -severity: warning -message: >- - A cookie was detected without setting the 'secure' flag. The 'secure' - flag for cookies prevents the client from transmitting the cookie over - insecure channels such as HTTP. Set the 'secure' flag by calling - '$COOKIE.setSecure(true);'. -note: >- - [CWE-614] Sensitive Cookie in HTTPS Session Without 'Secure' Attribute. - [REFERENCES] - - https://owasp.org/www-community/controls/SecureCookieAttribute -rule: - pattern: $COOKIE.setSecure(false); diff --git a/rules/java/security/desede-is-deprecated-java.yml b/rules/java/security/desede-is-deprecated-java.yml deleted file mode 100644 index 6db7b4c9..00000000 --- a/rules/java/security/desede-is-deprecated-java.yml +++ /dev/null @@ -1,16 +0,0 @@ -id: desede-is-deprecated-java -language: java -severity: warning -message: >- - Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES. -note: >- - [CWE-326]: Inadequate Encryption Strength - [OWASP A03:2017]: Sensitive Data Exposure - [OWASP A02:2021]: Cryptographic Failures - [REFERENCES] - - https://find-sec-bugs.github.io/bugs.htm#TDES_USAGE - - https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA -rule: - any: - - pattern: $CIPHER.getInstance("=~/DESede.*/") - - pattern: $CRYPTO.KeyGenerator.getInstance("DES") diff --git a/rules/java/security/documentbuilderfactory-disallow-doctype-decl-false-java.yml b/rules/java/security/documentbuilderfactory-disallow-doctype-decl-false-java.yml deleted file mode 100644 index 345a3663..00000000 --- a/rules/java/security/documentbuilderfactory-disallow-doctype-decl-false-java.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -id: documentbuilderfactory-disallow-doctype-decl-false-java -language: java -severity: warning -message: >- - DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting - external entity declarations, this is vulnerable to XML external entity - attacks. Disable this by setting the feature - "http://apache.org/xml/features/disallow-doctype-decl" to true. - Alternatively, allow DOCTYPE declarations and only prohibit external - entities declarations. This can be done by setting the features - "http://xml.org/sax/features/external-general-entities" and - "http://xml.org/sax/features/external-parameter-entities" to false. -note: >- - [CWE-611]: mproper Restriction of XML External Entity Reference - [OWASP A04:2017]: XML External Entities (XXE) - [OWASP A05:2021 - Security Misconfiguration] - [REFERENCES] - https://blog.sonarsource.com/secure-xml-processor - https://xerces.apache.org/xerces2-j/features.html -rule: - any: - - pattern: $D.setFeature("http://apache.org/xml/features/disallow-doctype-decl",false); - follows: - pattern: DocumentBuilderFactory $D = $_; - stopBy: end - - pattern: $S.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false); - follows: - pattern: SAXParserFactory $S = $_; - stopBy: end diff --git a/rules/java/security/documentbuilderfactory-external-general-entities-true-java.yml b/rules/java/security/documentbuilderfactory-external-general-entities-true-java.yml deleted file mode 100644 index 6599fe87..00000000 --- a/rules/java/security/documentbuilderfactory-external-general-entities-true-java.yml +++ /dev/null 
@@ -1,16 +0,0 @@ -id: documentbuilderfactory-external-general-entities-true-java -language: java -severity: warning -message: >- - External entities are allowed for $DBFACTORY. This is vulnerable to XML - external entity attacks. Disable this by setting the feature - "http://xml.org/sax/features/external-general-entities" to false. -note: >- - [CWE-798]: Use of Hard-coded Credentials - [OWASP A07:2021]: Identification and Authentication Failures - [REFERENCES] - - https://blog.sonarsource.com/secure-xml-processor -rule: - pattern: - $DBFACTORY.setFeature("http://xml.org/sax/features/external-general-entities", - true); diff --git a/rules/java/security/documentbuilderfactory-external-parameter-entities-true-java.yml b/rules/java/security/documentbuilderfactory-external-parameter-entities-true-java.yml deleted file mode 100644 index 7dcccba7..00000000 --- a/rules/java/security/documentbuilderfactory-external-parameter-entities-true-java.yml +++ /dev/null @@ -1,13 +0,0 @@ -id: documentbuilderfactory-external-parameter-entities-true-java -severity: warning -language: java -message: >- - External entities are allowed for $DBFACTORY. This is vulnerable to XML - external entity attacks. Disable this by setting the feature - "http://xml.org/sax/features/external-parameter-entities" to false. -note: >- - [CWE-611] Improper Restriction of XML External Entity Reference. - [REFERENCES] - - https://blog.sonarsource.com/secure-xml-processor -rule: - pattern: $DBFACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities",true); diff --git a/rules/java/security/drivermanager-hardcoded-secret-java.yml b/rules/java/security/drivermanager-hardcoded-secret-java.yml deleted file mode 100644 index b8ff92ca..00000000 --- a/rules/java/security/drivermanager-hardcoded-secret-java.yml +++ /dev/null 
@@ -1,135 +0,0 @@ -id: drivermanager-hardcoded-secret-java -severity: warning -language: java -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html -utils: - MATCH_PATTERN_DriverManager.getConnection: - kind: method_invocation - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^DriverManager$" - - has: - stopBy: neighbor - kind: identifier - regex: "^getConnection$" - - has: - stopBy: end - kind: argument_list - nthChild: 3 - has: - stopBy: end - kind: string_literal - nthChild: 3 - - MATCH_PATTERN_DriverManager.getConnection_With_Instance: - kind: method_invocation - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^DriverManager$" - - has: - stopBy: neighbor - kind: identifier - regex: "^getConnection$" - - has: - stopBy: end - kind: argument_list - has: - stopBy: end - kind: identifier - nthChild: 3 - pattern: $Q - - inside: - stopBy: end - kind: local_variable_declaration - follows: - stopBy: end - kind: local_variable_declaration - has: - stopBy: end - kind: variable_declarator - all: - - has: - stopBy: end - kind: identifier - pattern: $Q - - has: - stopBy: end - kind: string_literal - - MATCH_PATTERN_DriverManagerDataSource: - kind: expression_statement - has: - stopBy: neighbor - kind: object_creation_expression - all: - - has: - stopBy: neighbor - kind: type_identifier - regex: "^DriverManagerDataSource$" - - has: - stopBy: end - kind: argument_list - has: - stopBy: end - kind: string_literal - nthChild: 3 - - 
MATCH_PATTERN_DriverManagerDataSource_With_Instance: - kind: expression_statement - all: - - has: - stopBy: neighbor - kind: method_invocation - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $R - - has: - stopBy: neighbor - kind: identifier - regex: "^setPassword$" - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: string_literal - - follows: - stopBy: end - kind: local_variable_declaration - all: - - has: - stopBy: neighbor - kind: type_identifier - regex: "^DriverManagerDataSource$" - - has: - stopBy: neighbor - kind: variable_declarator - has: - stopBy: neighbor - kind: identifier - pattern: $R -rule: - any: - - kind: method_invocation - any: - - matches: MATCH_PATTERN_DriverManager.getConnection - - matches: MATCH_PATTERN_DriverManager.getConnection_With_Instance - - kind: expression_statement - any: - - matches: MATCH_PATTERN_DriverManagerDataSource - - matches: MATCH_PATTERN_DriverManagerDataSource_With_Instance diff --git a/rules/java/security/ecb-cipher-java.yml b/rules/java/security/ecb-cipher-java.yml deleted file mode 100644 index 1ab3a112..00000000 --- a/rules/java/security/ecb-cipher-java.yml +++ /dev/null @@ -1,17 +0,0 @@ -id: ecb-cipher-java -severity: warning -language: java -message: >- - Cipher in ECB mode is detected. ECB mode produces the same output for - the same input each time which allows an attacker to intercept and replay - the data. Further, ECB mode does not provide any integrity checking. See - https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY. -note: >- - [CWE-327] Use of a Broken or Risky Cryptographic Algorithm. - [REFERENCES] - - https://owasp.org/Top10/A02_2021-Cryptographic_Failures -rule: - pattern: Cipher $VAR = $CIPHER.getInstance($MODE); -constraints: - MODE: - regex: .*ECB.* diff --git a/rules/java/security/gcm-nonce-reuse-java.yml b/rules/java/security/gcm-nonce-reuse-java.yml deleted file mode 100644 index a6cc2749..00000000 
--- a/rules/java/security/gcm-nonce-reuse-java.yml +++ /dev/null @@ -1,16 +0,0 @@ -id: gcm-nonce-reuse-java -language: java -severity: warning -message: >- - GCM IV/nonce is reused: encryption can be totally useless. -note: >- - [CWE-323] Reusing a Nonce, Key Pair in Encryption. - [REFERENCES] - - https://owasp.org/Top10/A02_2021-Cryptographic_Failures -rule: - any: - - pattern: GCMParameterSpec $$$ = new GCMParameterSpec(GCM_TAG_LENGTH * 8, $A); - follows: - pattern: byte[] $A = $_; - stopBy: end - - pattern: new GCMParameterSpec($$$, "$$$".getBytes($$$), $$$) diff --git a/rules/java/security/jedis-jedisfactory-hardcoded-password-java.yml b/rules/java/security/jedis-jedisfactory-hardcoded-password-java.yml deleted file mode 100644 index 86150201..00000000 --- a/rules/java/security/jedis-jedisfactory-hardcoded-password-java.yml +++ /dev/null 
@@ -1,248 +0,0 @@ -id: jedis-jedisfactory-hardcoded-password-java -language: java -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html -utils: - MATCH_PATTERN_JEDISFACTORY: - kind: expression_statement - all: - - has: - stopBy: neighbor - kind: method_invocation - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $R - - has: - stopBy: neighbor - kind: identifier - regex: "^setPassword$" - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: string_literal - - follows: - stopBy: end - kind: local_variable_declaration - all: - - has: - stopBy: neighbor - kind: type_identifier - regex: "^JedisFactory$|^jedis.ConnectionFactory$" - - has: - stopBy: neighbor - kind: variable_declarator - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $R - - has: - stopBy: neighbor - kind: object_creation_expression - - inside: - stopBy: end - kind: class_declaration - follows: - stopBy: end - kind: import_declaration - has: - stopBy: neighbor - kind: scoped_identifier - all: - - has: - stopBy: end - kind: identifier - regex: "^redis$" - - has: - stopBy: end - kind: identifier - regex: "^clients$" - - MATCH_PATTERN_CLIENT_JEDIS.JEDISFACTORY: - kind: expression_statement - all: - - has: - stopBy: neighbor - kind: method_invocation - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $R - - has: - stopBy: neighbor - kind: identifier - regex: "^setPassword$" - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor 
- kind: string_literal - - follows: - stopBy: end - kind: local_variable_declaration - all: - - has: - stopBy: neighbor - kind: scoped_type_identifier - all: - - has: - stopBy: neighbor - kind: scoped_type_identifier - all: - - has: - stopBy: neighbor - kind: type_identifier - regex: "^clients$" - - has: - stopBy: neighbor - kind: type_identifier - regex: "^jedis$" - - has: - stopBy: neighbor - kind: type_identifier - regex: "^JedisFactory$|^ConnectionFactory$" - - has: - stopBy: end - kind: variable_declarator - has: - stopBy: neighbor - kind: identifier - pattern: $R - - inside: - stopBy: end - kind: class_declaration - follows: - stopBy: end - kind: import_declaration - all: - - has: - stopBy: end - kind: identifier - regex: "^redis$" - - has: - stopBy: end - kind: asterisk - - MATCH_PATTERN_JEDIS.JEDISFACTORY: - kind: expression_statement - all: - - has: - stopBy: neighbor - kind: method_invocation - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $R - - has: - stopBy: neighbor - kind: identifier - regex: "^setPassword$" - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: string_literal - - follows: - stopBy: end - kind: local_variable_declaration - all: - - has: - stopBy: neighbor - kind: scoped_type_identifier - all: - - has: - stopBy: neighbor - kind: type_identifier - regex: "^jedis$" - - has: - stopBy: neighbor - kind: type_identifier - regex: "^JedisFactory$|^ConnectionFactory$" - - has: - stopBy: neighbor - kind: variable_declarator - has: - stopBy: neighbor - kind: identifier - pattern: $R - - MATCH_PATTERN_REDIS_CLIENT_JEDIS.JEDISFACTORY: - kind: expression_statement - all: - - has: - stopBy: neighbor - kind: method_invocation - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $R - - has: - stopBy: neighbor - kind: identifier - regex: "^setPassword$" - - has: - stopBy: neighbor - kind: argument_list - has: - stopBy: neighbor - kind: string_literal - - follows: - stopBy: end - kind: 
local_variable_declaration - all: - - has: - stopBy: neighbor - kind: scoped_type_identifier - all: - - has: - stopBy: neighbor - kind: scoped_type_identifier - all: - - has: - stopBy: end - kind: type_identifier - regex: "^redis$" - - has: - stopBy: end - kind: type_identifier - regex: "^clients$" - - has: - stopBy: end - kind: type_identifier - regex: "^jedis$" - - has: - stopBy: end - kind: type_identifier - regex: "^ConnectionFactory$|^JedisFactory$" - - has: - stopBy: neighbor - kind: variable_declarator - has: - stopBy: end - kind: identifier - pattern: $R -rule: - kind: expression_statement - any: - - matches: MATCH_PATTERN_JEDISFACTORY - - matches: MATCH_PATTERN_CLIENT_JEDIS.JEDISFACTORY - - matches: MATCH_PATTERN_JEDIS.JEDISFACTORY - - matches: MATCH_PATTERN_REDIS_CLIENT_JEDIS.JEDISFACTORY diff --git a/rules/java/security/missing-secure-java.yml b/rules/java/security/missing-secure-java.yml deleted file mode 100644 index 31a5d733..00000000 --- a/rules/java/security/missing-secure-java.yml +++ /dev/null 
@@ -1,70 +0,0 @@ -id: missing-secure-java -language: java -severity: warning -message: >- - Detected a cookie where the `Secure` flag is either missing or - disabled. The `Secure` cookie flag instructs the browser to forbid sending - the cookie over an insecure HTTP request. Set the `Secure` flag to `true` - so the cookie will only be sent over HTTPS. -note: >- - [CWE-614]: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - [OWASP A05:2021]: Security Misconfiguration - [REFERENCES] - - https://owasp.org/Top10/A05_2021-Security_Misconfiguration -utils: - match_without_httponly: - kind: argument_list - has: - kind: object_creation_expression - inside: - stopBy: end - kind: method_invocation - - match_cookie_last: - kind: argument_list - has: - kind: method_invocation - has: - kind: argument_list - has: - kind: string_literal - - match_instance: - kind: local_variable_declaration - has: - stopBy: end - kind: identifier - follows: - stopBy: end - kind: variable_declarator - - match_identifier_with_simplecookie: - kind: identifier - inside: - stopBy: end - kind: local_variable_declaration - all: - - has: - stopBy: end - kind: type_identifier - regex: "^SimpleCookie$|^Cookie$" - - has: - stopBy: neighbor - kind: variable_declarator - all: - - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: neighbor - kind: object_creation_expression - - not: - precedes: - stopBy: neighbor - kind: expression_statement -rule: - any: - - matches: match_instance - - matches: match_without_httponly - - matches: match_cookie_last - - matches: match_identifier_with_simplecookie diff --git a/rules/java/security/no-null-cipher-java.yml b/rules/java/security/no-null-cipher-java.yml deleted file mode 100644 index b5eee11a..00000000 --- a/rules/java/security/no-null-cipher-java.yml +++ /dev/null 
@@ -1,17 +0,0 @@ -id: no-null-cipher-java -severity: warning -language: java -message: >- - NullCipher was detected. This will not encrypt anything; the cipher - text will be the same as the plain text. Use a valid, secure cipher: - Cipher.getInstance("AES/CBC/PKCS7PADDING"). See - https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions - for more information. -note: >- - [CWE-327] Use of a Broken or Risky Cryptographic Algorithm. - [REFERENCES] - - https://owasp.org/Top10/A02_2021-Cryptographic_Failures -rule: - any: - - pattern: new NullCipher($$$) - - pattern: new javax.crypto.NullCipher($$$) diff --git a/rules/java/security/object-deserialization.yaml b/rules/java/security/object-deserialization.yaml deleted file mode 100644 index 884e51af..00000000 --- a/rules/java/security/object-deserialization.yaml +++ /dev/null @@ -1,13 +0,0 @@ -id: object-deserialization -severity: warning -language: java -message: Avoid using ObjectInputStream, it is insecure and can lead to remote code execution -note: >- - [CWE-502]: Deserialization of Untrusted Data - [OWASP A08:2017]: Insecure Deserialization - [OWASP A08:2021]: Software and Data Integrity Failures - [REFERENCES] - - https://www.owasp.org/index.php/Deserialization_of_untrusted_data - - https://www.oracle.com/java/technologies/javase/seccodeguide.html#8 -rule: - pattern: new ObjectInputStream($$$) \ No newline at end of file diff --git a/rules/java/security/rsa-no-padding-java.yml b/rules/java/security/rsa-no-padding-java.yml deleted file mode 100644 index c9466216..00000000 --- a/rules/java/security/rsa-no-padding-java.yml +++ /dev/null 
@@ -1,14 +0,0 @@ -id: rsa-no-padding-java -severity: warning -language: java -message: >- - Using RSA without OAEP mode weakens the encryption. -note: >- - [CWE-326] Inadequate Encryption Strength - [REFERENCES] - - https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/ -rule: - pattern: $YST.getInstance($MODE) -constraints: - MODE: - regex: "RSA/[Nn][Oo][Nn][Ee]/NoPadding" diff --git a/rules/java/security/simple-command-injection-direct-input-java.yml b/rules/java/security/simple-command-injection-direct-input-java.yml deleted file mode 100644 index 592c8724..00000000 --- a/rules/java/security/simple-command-injection-direct-input-java.yml +++ /dev/null 
@@ -1,55 +0,0 @@ -id: simple-command-injection-direct-input-java -language: java -severity: warning -message: >- - "Untrusted input might be injected into a command executed by the - application, which can lead to a command injection vulnerability. An - attacker can execute arbitrary commands, potentially gaining complete - control of the system. To prevent this vulnerability, avoid executing OS - commands with user input. If this is unavoidable, validate and sanitize - the input, and use safe methods for executing the commands. For more - information, see: [Java command injection - prevention]" -note: >- - [CWE-78] Improper Neutralization of Special Elements used in an OS - [REFERENCES] - - https://docs.oracle.com/javase/8/docs/api/java/lang/Runtime.html - - https://owasp.org/Top10/A03_2021-Injection - -rule: - kind: method_invocation - pattern: Runtime.getRuntime().exec($SOURCE) - inside: - kind: method_declaration - stopBy: end - has: - stopBy: end - kind: formal_parameter - has: - kind: modifiers - any: - - has: - kind: marker_annotation - has: - kind: identifier - pattern: $REQ - - has: - kind: annotation - all: - - has: - kind: identifier - pattern: $REQ - - has: - kind: annotation_argument_list - precedes: - kind: type_identifier - pattern: $TYPE - precedes: - kind: identifier - pattern: $SOURCE - -constraints: - REQ: - regex: ^(RequestBody|PathVariable|RequestParam|RequestHeader|CookieValue|ModelAttribute) - TYPE: - regex: 
^[^I].*|^I[^n].*|^In[^t].*|^Int[^e].*|^Inte[^g].*|^Integ[^e].*|^Inge[^r].*|^L[^o].*|^Lo[^n].*|^Lon[^g].*|^F[^l].*|^Fl[^o].*|^Flo[^a].*|^Floa[^t].*|^D[^o].*|^Do[^u].*|^Dou[^b].*|^Doub[^l].*|^Doubl[^e].*|^C[^h].*|^Ch[^a].*|^Cha[^r].*|^B[^o].*|^Bo[^o].*|^Boo[^l].*|^Bool[^e].*|^Boole[^a].*|^Boolea[^n].*|^i[^n].*|^in[^t].*|^l[^o].*|^lo[^n].*|^lon[^g].*|^f[^l].*|^fl[^o].*|^flo[^a].*|^floa[^t].*|^d[^o].*|^do[^u].*|^dou[^b].*|^doub[^l].*|^doubl[^e].*|^c[^h].*|^ch[^a].*|^cha[^r].*|^b[^o].*|^bo[^o].*|^boo[^l].*|^bool[^e].*|^boole[^a].*|^boolea[^n].* diff --git a/rules/java/security/system-setproperty-hardcoded-secret-java.yml b/rules/java/security/system-setproperty-hardcoded-secret-java.yml deleted file mode 100644 index 537a16a3..00000000 --- a/rules/java/security/system-setproperty-hardcoded-secret-java.yml +++ /dev/null @@ -1,22 +0,0 @@ -id: system-setproperty-hardcoded-secret-java -language: java -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [CWE-798]: Use of Hard-coded Credentials - [OWASP A07:2021]: Identification and Authentication Failures - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html -rule: - all: - - any: - - pattern: System.setProperty("javax.net.ssl.keyStorePassword", $PWD); - - pattern: System.setProperty("javax.net.ssl.trustStorePassword", $PWD); -constraints: - PWD: - regex: '^"' diff --git a/rules/java/security/unencrypted-socket-java.yml b/rules/java/security/unencrypted-socket-java.yml deleted file mode 100644 index 2b8540a5..00000000 --- a/rules/java/security/unencrypted-socket-java.yml +++ /dev/null 
@@ -1,16 +0,0 @@ -id: unencrypted-socket-java -language: java -severity: info -message: >- - "Detected use of a Java socket that is not encrypted. As a result, the - traffic could be read by an attacker intercepting the network traffic. Use - an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' - instead." -note: >- - [CWE-319] Cleartext Transmission of Sensitive Information - [REFERENCES] - - https://owasp.org/Top10/A02_2021-Cryptographic_Failures -rule: - any: - - pattern: new ServerSocket($$$) - - pattern: new Socket($$$) diff --git a/rules/java/security/use-of-aes-ecb-java.yml b/rules/java/security/use-of-aes-ecb-java.yml deleted file mode 100644 index 9e28e0b2..00000000 --- a/rules/java/security/use-of-aes-ecb-java.yml +++ /dev/null @@ -1,22 +0,0 @@ -id: use-of-aes-ecb-java -language: java -severity: warning -message: >- - Use of AES with ECB mode detected. ECB doesn't provide message - confidentiality and is not semantically secure so should not be used. - Instead, use a strong, secure cipher: - Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See - https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions - for more information. -note: >- - [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm - [OWASP A03:2017]: Sensitive Data Exposure - [OWASP A02:2021]: Cryptographic Failures - [REFERENCES] - - https://owasp.org/Top10/A02_2021-Cryptographic_Failures - - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html -rule: - pattern: $CIPHER.getInstance($MATCHES) -constraints: - MATCHES: - regex: ".*AES/ECB/.*" diff --git a/rules/java/security/use-of-blowfish-java.yml b/rules/java/security/use-of-blowfish-java.yml deleted file mode 100644 index 512745a2..00000000 --- a/rules/java/security/use-of-blowfish-java.yml +++ /dev/null 
@@ -1,17 +0,0 @@ -id: use-of-blowfish-java -language: java -severity: info -message: >- - Use of Blowfish was detected. Blowfish uses a 64-bit block size - that makes it vulnerable to birthday attacks, and is therefore considered - non-compliant. Instead, use a strong, secure cipher: - Cipher.getInstance("AES/CBC/PKCS7PADDING"). See - https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions - for more information. -note: >- - [CWE-327] Use of a Broken or Risky Cryptographic Algorithm - [REFERENCES] - - https://owasp.org/Top10/A02_2021-Cryptographic_Failures - - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html -rule: - pattern: $CIPHER.getInstance("Blowfish") diff --git a/rules/java/security/use-of-default-aes-java.yml b/rules/java/security/use-of-default-aes-java.yml deleted file mode 100644 index 081ab8d8..00000000 --- a/rules/java/security/use-of-default-aes-java.yml +++ /dev/null 
@@ -1,89 +0,0 @@ -id: use-of-default-aes-java -language: java -severity: warning -message: >- - Use of AES with no settings detected. By default, java.crypto.Cipher - uses ECB mode. ECB doesn't provide message confidentiality and is not - semantically secure so should not be used. Instead, use a strong, secure - cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See - https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions - for more information. -note: >- - [CWE-327] Use of a Broken or Risky Cryptographic Algorithm. - [REFERENCES] - - https://owasp.org/Top10/A02_2021-Cryptographic_Failures - - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html -rule: - any: - - pattern: Cipher.getInstance("AES") - inside: - stopBy: end - kind: class_declaration - follows: - stopBy: end - kind: import_declaration - any: - - pattern: import javax.* - - pattern: import javax - - pattern: crypto.Cipher.getInstance("AES") - inside: - stopBy: end - kind: class_declaration - follows: - stopBy: end - kind: import_declaration - any: - - pattern: import javax.* - - pattern: import javax - - pattern: javax.crypto.Cipher.getInstance("AES") - inside: - stopBy: end - kind: class_declaration - follows: - stopBy: end - kind: import_declaration - any: - - pattern: import javax.* - - pattern: import javax - - pattern: $D.getInstance("AES"); - all: - - follows: - stopBy: end - pattern: Cipher $D = $$$ - - inside: - stopBy: end - kind: class_declaration - follows: - stopBy: end - kind: import_declaration - any: - - pattern: import javax.* - - pattern: import javax - - pattern: $D.getInstance("AES"); - all: - - follows: - stopBy: end - pattern: javax.crypto.Cipher $D = $$$ - - inside: - stopBy: end - kind: class_declaration - follows: - stopBy: end - kind: import_declaration - any: - - pattern: import javax.* - - pattern: import javax - - pattern: $D.getInstance("AES"); - all: - - follows: - stopBy: end - pattern: crypto.Cipher $D = $$$ - 
- inside: - stopBy: end - kind: class_declaration - follows: - stopBy: end - kind: import_declaration - any: - - pattern: import javax.* - - pattern: import javax diff --git a/rules/java/security/use-of-md5-digest-utils-java.yml b/rules/java/security/use-of-md5-digest-utils-java.yml deleted file mode 100644 index 77778a46..00000000 --- a/rules/java/security/use-of-md5-digest-utils-java.yml +++ /dev/null @@ -1,13 +0,0 @@ -id: use-of-md5-digest-utils-java -language: java -severity: warning -message: >- - 'Detected MD5 hash algorithm which is considered insecure. MD5 is not - collision resistant and is therefore not suitable as a cryptographic - signature. Use HMAC instead.' -note: >- - [CWE-328] Use of Weak Hash - [REFERENCES] - - https://owasp.org/Top10/A02_2021-Cryptographic_Failures -rule: - pattern: DigestUtils.getMd5Digest($$$).digest($$$) diff --git a/rules/java/security/use-of-md5-java.yml b/rules/java/security/use-of-md5-java.yml deleted file mode 100644 index a7835c21..00000000 --- a/rules/java/security/use-of-md5-java.yml +++ /dev/null @@ -1,20 +0,0 @@ -id: use-of-md5-java -severity: warning -language: java -message: >- - Detected MD5 hash algorithm which is considered insecure. MD5 is not - collision resistant and is therefore not suitable as a cryptographic - signature. Use HMAC instead. -note: >- - [CWE-328] Use of Weak Hash. - [REFERENCES] - - https://owasp.org/Top10/A02_2021-Cryptographic_Failures -rule: - any: - - pattern: java.security.MessageDigest.getInstance($ALGO) - - pattern: java.security.MessageDigest.getInstance($ALGO, $$$) - - pattern: MessageDigest.getInstance($ALGO) - - pattern: MessageDigest.getInstance($ALGO, $$$) -constraints: - ALGO: - regex: "MD5" diff --git a/rules/java/security/use-of-rc2-java.yml b/rules/java/security/use-of-rc2-java.yml deleted file mode 100644 index ad7a2401..00000000 --- a/rules/java/security/use-of-rc2-java.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -id: use-of-rc2-java -language: java -severity: warning -message: >- - Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and - is therefore considered non-compliant. Instead, use a strong, secure. -note: >- - [CWE-327] Use of a Broken or Risky Cryptographic Algorithm. - [REFERENCES] - - https://owasp.org/Top10/A02_2021-Cryptographic_Failures - - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html -rule: - pattern: $CIPHER.getInstance("RC2") diff --git a/rules/java/security/use-of-rc4-java.yml b/rules/java/security/use-of-rc4-java.yml deleted file mode 100644 index 2356d208..00000000 --- a/rules/java/security/use-of-rc4-java.yml +++ /dev/null @@ -1,16 +0,0 @@ -id: use-of-rc4-java -language: java -severity: warning -message: >- - 'Use of RC4 was detected. RC4 is vulnerable to several attacks, - including stream cipher attacks and bit flipping attacks. Instead, use a - strong, secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). See - https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions - for more information.' -note: >- - [CWE-327] Use of a Broken or Risky Cryptographic Algorithm - [REFERENCES] - - https://owasp.org/Top10/A02_2021-Cryptographic_Failures - - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html -rule: - pattern: $CIPHER.getInstance("RC4") diff --git a/rules/java/security/use-of-sha1-java.yml b/rules/java/security/use-of-sha1-java.yml deleted file mode 100644 index 1c24f3e3..00000000 --- a/rules/java/security/use-of-sha1-java.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -id: use-of-sha1-java -language: java -severity: warning -message: >- - Detected SHA1 hash algorithm which is considered insecure. SHA1 is not - collision resistant and is therefore not suitable as a cryptographic - signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 - for other hash function applications. -note: >- - [CWE-328] Use of Weak Hash. - [REFERENCES] - - https://owasp.org/Top10/A02_2021-Cryptographic_Failures -rule: - any: - - pattern: $DU.getSha1Digest().digest($$$) - - pattern: MessageDigest.getInstance($ALGO) - - pattern: java.security.MessageDigest.getInstance($ALGO,$$$) -constraints: - ALGO: - regex: "SHA1|SHA-1" diff --git a/rules/java/security/use-of-weak-rsa-key-java.yml b/rules/java/security/use-of-weak-rsa-key-java.yml deleted file mode 100644 index 8f7c96aa..00000000 --- a/rules/java/security/use-of-weak-rsa-key-java.yml +++ /dev/null @@ -1,16 +0,0 @@ -id: use-of-weak-rsa-key-java -language: java -severity: warning -message: >- - RSA keys should be at least 2048 bits based on NIST recommendation. -note: >- - [CWE-326] Inadequate Encryption Strength. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms -rule: - pattern: | - $KEY.initialize($AST) -follows: KeyPairGenerator $KEY = $G.getInstance("RSA"); -constraints: - AST: - regex: '^(-?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|0|-[1-9][0-9]*|-[1-9][0-9]{2,}|-1[0-9]{3}|-20[0-3][0-9]|-204[0-7])$' diff --git a/rules/java/security/weak-ssl-context-java.yml b/rules/java/security/weak-ssl-context-java.yml deleted file mode 100644 index 411ca262..00000000 --- a/rules/java/security/weak-ssl-context-java.yml +++ /dev/null 
@@ -1,22 +0,0 @@ -id: weak-ssl-context-java -language: java -severity: warning -message: >- - 'An insecure SSL context was detected. TLS versions 1.0, 1.1, and all - SSL versions are considered weak encryption and are deprecated. Use - SSLContext.getInstance("TLSv1.2") for the best security.' -note: >- - [CWE-326] Inadequate Encryption Strength - [REFERENCES] - - https://tools.ietf.org/html/rfc7568 - - https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html -rule: - all: - - pattern: SSLContext.getInstance($CONTEXT) - - not: - pattern: SSLContext.getInstance("TLSv1.3") - - not: - pattern: SSLContext.getInstance("TLSv1.2") -constraints: - CONTEXT: - regex: (TLS|SSL) diff --git a/rules/javascript/.gitkeep b/rules/javascript/.gitkeep deleted file mode 100644 index e69de29b..00000000 diff --git a/rules/javascript/audit/detect-replaceall-sanitization.yml b/rules/javascript/audit/detect-replaceall-sanitization.yml deleted file mode 100644 index e88ee31c..00000000 --- a/rules/javascript/audit/detect-replaceall-sanitization.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -id: detect-replaceall-sanitization -language: javascript -message: >- - Detected a call to replace or replaceAll in an attempt to HTML escape the string `$STR`. - Manually sanitizing input through a manually built list can be circumvented - in many situations, and it's better to use a well known sanitization library - such as `sanitize-html` or `DOMPurify`. -note: >- - [OWASP A07:2017] https://owasp.org/www-project-top-ten/2017/A07_2017-Cross-Site_Scripting_(XSS).html - [OWASP A03:2021] https://owasp.org/www-project-top-ten/2021/A03_2021-Injection.html - [CWE-79] https://cwe.mitre.org/data/definitions/79.html - [REFERENCES] - - https://www.npmjs.com/package/dompurify - - https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html -rule: - any: - - pattern: $STR.replace('<', '<') - - pattern: $STR.replaceAll('<', '<') - - pattern: $STR.replace('>', '>') - - pattern: $STR.replaceAll('>', '>') - - pattern: $STR.replace('"', '"') - - pattern: $STR.replaceAll('"', '"') - - pattern: $STR.replace("'", ''') - - pattern: $STR.replaceAll("'", ''') - - pattern: $STR.replace('&', '&') - - pattern: $STR.replaceAll('&', '&') diff --git a/rules/javascript/browser/wildcard-postmessage-configuration.yml b/rules/javascript/browser/wildcard-postmessage-configuration.yml deleted file mode 100644 index 94de03ec..00000000 --- a/rules/javascript/browser/wildcard-postmessage-configuration.yml +++ /dev/null 
@@ -1,16 +0,0 @@ -id: wildcard-postmessage-configuration -language: javascript -severity: warning -message: >- - Wildcard postMessage configuration detected. This allows any origin to send - messages to the target window. This can lead to security vulnerabilities. - Set the targetOrigin parameter to the specific origin you expect messages from. -note: >- - [CWE-345] Insufficient Verification of Data Authenticity - [OWASP A08:2021] Software and Data Integrity Failures - [REFERENCES] - - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures -rule: - any: - - pattern: $_.postMessage($A, '*') - - pattern: $_.postMessage($A, "*") diff --git a/rules/javascript/jwt/jwt-none-alg-javascript.yml b/rules/javascript/jwt/jwt-none-alg-javascript.yml deleted file mode 100644 index d5234c1b..00000000 --- a/rules/javascript/jwt/jwt-none-alg-javascript.yml +++ /dev/null 
@@ -1,46 +0,0 @@ -id: jwt-none-alg-javascript -language: javascript -severity: warning -message: >- - Detected use of the 'none' algorithm in a JWT token. The 'none' - algorithm assumes the integrity of the token has already been verified. - This would allow a malicious actor to forge a JWT token that will - automatically be verified. Do not explicitly use the 'none' algorithm. - Instead, use an algorithm such as 'HS256'. -note: >- - [CWE-327] Use of a Broken or Risky Cryptographic Algorithm. - [REFERENCES] - - https://owasp.org/Top10/A02_2021-Cryptographic_Failures -rule: - any: - - pattern: const $T = JWT.verify($P, JWK.None); - follows: - pattern: const { JWK, JWT } = $JOSE; - follows: - pattern: const $JOSE = require("jose"); - - pattern: $T = JWT.verify($P, JWK.None); - follows: - pattern: const { JWK, JWT } = $JOSE; - follows: - pattern: const $JOSE = require("jose"); - - pattern: JWT.verify($P, JWK.None); - follows: - pattern: const { JWK, JWT } = $JOSE; - follows: - pattern: const $JOSE = require("jose"); - - - pattern: var $T = JWT.verify($P, JWK.None); - follows: - pattern: var { JWK, JWT } = $JOSE; - follows: - pattern: var $JOSE = require("jose"); - - pattern: $T = JWT.verify($P, JWK.None); - follows: - pattern: var { JWK, JWT } = $JOSE; - follows: - pattern: var $JOSE = require("jose"); - - pattern: JWT.verify($P, JWK.None); - follows: - pattern: var { JWK, JWT } = $JOSE; - follows: - pattern: var $JOSE = require("jose"); diff --git a/rules/javascript/jwt/jwt-simple-noverify-astgrep.yml b/rules/javascript/jwt/jwt-simple-noverify-astgrep.yml deleted file mode 100644 index f0134a78..00000000 --- a/rules/javascript/jwt/jwt-simple-noverify-astgrep.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -id: jwt-simple-noverify-astgrep -language: javascript -severity: warning -message: >- - Detected the decoding of a JWT token without a verify step. - JWT tokens must be verified before use, otherwise the token's - integrity is unknown. This means a malicious actor could forge - a JWT token with any claims. Set 'verify' to `true` before using the token. -note: >- - [CWE-287] Improper Authentication - [CWE-345] Insufficient Verification of Data Authenticity - [CWE-347] Improper Verification of Cryptographic Signature - [OWASP A05:2021] Security Misconfiguration - [OWASP A07:2021] Identification and Authentication Failures - [REFERENCES] - - https://www.npmjs.com/package/jwt-simple - - https://cwe.mitre.org/data/definitions/287 - - https://cwe.mitre.org/data/definitions/345 - - https://cwe.mitre.org/data/definitions/347 - - https://owasp.org/Top10/A05_2021-Security_Misconfiguration - - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures -rule: - all: - - any: - - pattern: $JWT.decode($TOKEN, $SECRET, true) - - pattern: $JWT.decode($TOKEN, $SECRET, true, $$$) diff --git a/rules/javascript/jwt/jwt-simple-noverify-js.yml b/rules/javascript/jwt/jwt-simple-noverify-js.yml deleted file mode 100644 index 09f57f28..00000000 --- a/rules/javascript/jwt/jwt-simple-noverify-js.yml +++ /dev/null 
@@ -1,45 +0,0 @@ -id: jwt-simple-noverify-js -language: JavaScript -severity: warning -message: >- - "Detected the decoding of a JWT token without a verify step. JWT tokens - must be verified before use, otherwise the token's integrity is unknown. - This means a malicious actor could forge a JWT token with any claims. Set - 'verify' to `true` before using the token." -note: >- - [CWE-287] Improper Authentication - [CWE-345] Insufficient Verification of Data Authenticity - [CWE-347] Improper Verification of Cryptographic Signature - [REFERENCES] - - https://www.npmjs.com/package/jwt-simple - - https://cwe.mitre.org/data/definitions/287 - - https://cwe.mitre.org/data/definitions/345 - - https://cwe.mitre.org/data/definitions/347 -rule: - kind: call_expression - any: - - pattern: $JWT.decode($TOKEN, $SECRET, true $$$) - - pattern: $JWT.decode($TOKEN, $SECRET, "$$$" $$$) - - pattern: $JWT.decode($TOKEN, $SECRET, '$$$' $$$) - - pattern: $JWT.decode($TOKEN, $SECRET, `$$$` $$$) - inside: - kind: expression_statement - stopBy: end - follows: - stopBy: end - any: - - kind: lexical_declaration - all: - - has: - stopBy: end - kind: identifier - pattern: $JWT - - has: - stopBy: end - kind: call_expression - pattern: require('jwt-simple') - - kind: expression_statement - has: - stopBy: end - kind: assignment_expression - pattern: $JWT = require('jwt-simple') diff --git a/rules/javascript/security/detect-angular-sce-disabled-javascript.yml b/rules/javascript/security/detect-angular-sce-disabled-javascript.yml deleted file mode 100644 index 184059f0..00000000 --- a/rules/javascript/security/detect-angular-sce-disabled-javascript.yml +++ /dev/null 
@@ -1,15 +0,0 @@ -id: detect-angular-sce-disabled-javascript -language: javascript -severity: warning -message: >- - $sceProvider is set to false. Disabling Strict Contextual escaping - (SCE) in an AngularJS application could provide additional attack surface - for XSS vulnerabilities. -note: >- - [CWE-79] Improper Neutralization of Input During Web Page Generation. - [REFERENCES] - - https://docs.angularjs.org/api/ng/service/$sce - - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf -rule: - pattern: | - $sceProvider.enabled(false); diff --git a/rules/javascript/security/express-jwt-hardcoded-secret-javascript.yml b/rules/javascript/security/express-jwt-hardcoded-secret-javascript.yml deleted file mode 100644 index 62e0dcfe..00000000 --- a/rules/javascript/security/express-jwt-hardcoded-secret-javascript.yml +++ /dev/null 
@@ -1,288 +0,0 @@ -id: express-jwt-hardcoded-secret-javascript -language: javascript -severity: warning -message: >- - A hard-coded credential was detected. It is not recommended to store - credentials in source-code, as this risks secrets being leaked and used by - either an internal or external malicious adversary. It is recommended to - use environment variables to securely provide credentials or retrieve - credentials from a secure vault or HSM (Hardware Security Module). -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html -utils: - MATCH_SECRET_DIRECTLY: - kind: pair - inside: - stopBy: end - kind: expression_statement - all: - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $E - - has: - stopBy: end - kind: arguments - has: - stopBy: end - kind: object - has: - stopBy: neighbor - kind: pair - all: - - has: - stopBy: neighbor - kind: property_identifier - regex: "^secret$" - - has: - stopBy: neighbor - kind: string - - - any: - - follows: - stopBy: end - kind: variable_declaration - has: - stopBy: end - kind: variable_declarator - all: - - has: - stopBy: end - kind: identifier - pattern: $E - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^require$" - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^express-jwt$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: end - kind: import_clause - has: - stopBy: neighbor - kind: identifier - pattern: $E - - has: - stopBy: neighbor - kind: string - has: - stopBy: end - kind: string_fragment - regex: "^express-jwt$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: end - kind: import_clause - has: - stopBy: end - kind: namespace_import - has: 
- stopBy: end - kind: identifier - pattern: $E - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^express-jwt$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: neighbor - kind: named_imports - has: - stopBy: neighbor - kind: import_specifier - has: - stopBy: end - kind: identifier - pattern: $E - - has: - stopBy: end - kind: string - has: - stopBy: end - kind: string_fragment - regex: "^express-jwt$" - - MATCH_PATTERN_WITH_INSTANCE: - kind: pair - inside: - stopBy: end - kind: expression_statement - all: - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $E - - has: - stopBy: end - kind: arguments - has: - stopBy: end - kind: object - has: - stopBy: neighbor - kind: pair - all: - - has: - stopBy: neighbor - kind: property_identifier - regex: "^secret$" - - has: - stopBy: neighbor - kind: identifier - pattern: $F - - follows: - stopBy: end - kind: lexical_declaration - has: - stopBy: end - kind: variable_declarator - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $F - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - - any: - - follows: - stopBy: end - kind: variable_declaration - has: - stopBy: end - kind: variable_declarator - all: - - has: - stopBy: end - kind: identifier - pattern: $E - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^require$" - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^express-jwt$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: end - kind: import_clause - has: - stopBy: neighbor - kind: identifier - pattern: $E - - has: - stopBy: neighbor - kind: string - has: - stopBy: end - kind: string_fragment - 
regex: "^express-jwt$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: end - kind: import_clause - has: - stopBy: end - kind: namespace_import - has: - stopBy: end - kind: identifier - pattern: $E - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^express-jwt$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: neighbor - kind: named_imports - has: - stopBy: neighbor - kind: import_specifier - has: - stopBy: end - kind: identifier - pattern: $E - - has: - stopBy: end - kind: string - has: - stopBy: end - kind: string_fragment - regex: "^express-jwt$" - -rule: - kind: pair - any: - - matches: MATCH_SECRET_DIRECTLY - - matches: MATCH_PATTERN_WITH_INSTANCE diff --git a/rules/javascript/security/express-session-hardcoded-secret-javascript.yml b/rules/javascript/security/express-session-hardcoded-secret-javascript.yml deleted file mode 100644 index 19e76c81..00000000 --- a/rules/javascript/security/express-session-hardcoded-secret-javascript.yml +++ /dev/null 
@@ -1,256 +0,0 @@ -id: express-session-hardcoded-secret-javascript -language: javascript -severity: warning -message: >- - A hard-coded credential was detected. It is not recommended to store - credentials in source-code, as this risks secrets being leaked and used by - either an internal or external malicious adversary. It is recommended to - use environment variables to securely provide credentials or retrieve - credentials from a secure vault or HSM (Hardware Security Module). -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html -utils: - MATCH_SECRET: - kind: pair - pattern: $C - inside: - stopBy: end - kind: lexical_declaration - all: - - has: - stopBy: end - kind: variable_declarator - has: - stopBy: end - kind: object - has: - stopBy: end - kind: pair - pattern: $C - all: - - has: - stopBy: end - kind: property_identifier - pattern: $S - - has: - stopBy: end - kind: string - has: - stopBy: end - kind: string_fragment - - - any: - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: end - kind: import_clause - has: - stopBy: neighbor - kind: identifier - pattern: $T - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^express-session$" - - - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment_expression - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^require$" - - has: - stopBy: end - kind: arguments - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^express-session$" - - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: neighbor - kind: namespace_import - has: - stopBy: neighbor - kind: identifier - pattern: $T - - has: - stopBy: neighbor - kind: string - has: - 
stopBy: neighbor - kind: string_fragment - regex: "^express-session$" - - MATCH_SECRET_INSIDE_APP: - kind: pair - pattern: $C - inside: - stopBy: end - kind: expression_statement - all: - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: end - kind: member_expression - all: - - has: - stopBy: end - kind: identifier - - has: - stopBy: end - kind: property_identifier - regex: "^use$" - - has: - stopBy: end - kind: arguments - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $T - - has: - stopBy: end - kind: object - has: - stopBy: end - kind: pair - pattern: $C - all: - - has: - stopBy: end - kind: property_identifier - pattern: $S - - any: - - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: neighbor - kind: string - - - any: - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: end - kind: import_clause - has: - stopBy: neighbor - kind: identifier - pattern: $T - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^express-session$" - - - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment_expression - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^require$" - - has: - stopBy: end - kind: arguments - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^express-session$" - - - follows: - stopBy: end - kind: import_statement - has: - stopBy: end - kind: import_clause - all: - - has: - stopBy: end - kind: named_imports - has: - stopBy: end - kind: import_specifier - has: - stopBy: end - kind: identifier - pattern: $T - - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: neighbor - kind: namespace_import - has: - stopBy: neighbor - kind: identifier - pattern: $T - - has: - stopBy: neighbor - 
kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^express-session$" -rule: - kind: pair - any: - - matches: MATCH_SECRET - - matches: MATCH_SECRET_INSIDE_APP - -constraints: - S: - regex: "^secret$" diff --git a/rules/javascript/security/node-rsa-weak-key-javascript.yml b/rules/javascript/security/node-rsa-weak-key-javascript.yml deleted file mode 100644 index c2faaa01..00000000 --- a/rules/javascript/security/node-rsa-weak-key-javascript.yml +++ /dev/null 
@@ -1,577 +0,0 @@ -id: node-rsa-weak-key-javascript -language: javascript -severity: warning -message: >- - Use of RSA-$BITS, which is considered weak. Based on NIST standards, - RSA keys should be at least 2048 bits. -note: >- - [CWE-326] Inadequate Encryption Strength. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms -utils: - MATCH_BITS_DIRECTLY_NODE_FORGE: - kind: number - pattern: $R - inside: - stopBy: end - kind: lexical_declaration - all: - - has: - stopBy: end - kind: variable_declarator - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: end - kind: member_expression - has: - stopBy: end - kind: member_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $A - - has: - stopBy: end - kind: property_identifier - regex: "^rsa$" - - has: - stopBy: end - kind: arguments - has: - stopBy: end - kind: number - pattern: $R - - any: - - follows: - stopBy: end - kind: lexical_declaration - has: - stopBy: end - kind: variable_declarator - all: - - has: - stopBy: end - kind: identifier - pattern: $A - - has: - stopBy: end - kind: member_expression - all: - - has: - stopBy: end - kind: identifier - - has: - stopBy: neighbor - kind: property_identifier - regex: "^pki$" - - any: - - follows: - stopBy: end - kind: lexical_declaration - has: - stopBy: end - kind: variable_declarator - all: - - has: - stopBy: end - kind: identifier - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^require$" - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^node-forge$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: end - kind: namespace_import - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: end - kind: string - has: - stopBy: neighbor - 
kind: string_fragment - regex: "^node-forge$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^node-forge$" - MATCH_BITS_DIRECTLY_NODE_RSA: - kind: number - pattern: $R - inside: - stopBy: end - kind: lexical_declaration - all: - - has: - stopBy: end - kind: variable_declarator - has: - stopBy: end - kind: new_expression - all: - - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: object - has: - stopBy: neighbor - kind: pair - all: - - has: - stopBy: neighbor - kind: property_identifier - - has: - stopBy: neighbor - kind: number - - any: - - follows: - stopBy: end - kind: lexical_declaration - has: - stopBy: end - kind: variable_declarator - all: - - has: - stopBy: end - kind: identifier - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^require$" - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^node-rsa$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: end - kind: namespace_import - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: end - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^node-rsa$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^node-rsa$" - MATCH_BITS_WITHIN_FUNCTION_WITH_NODE_FORGE: - kind: number - pattern: $R - inside: - stopBy: end - kind: variable_declaration - all: - - has: - stopBy: end - kind: variable_declarator - has: - stopBy: end - kind: call_expression - all: - - has: - 
stopBy: end - kind: member_expression - - has: - stopBy: end - kind: arguments - has: - stopBy: end - kind: object - has: - stopBy: end - kind: pair - all: - - has: - stopBy: end - kind: property_identifier - - has: - stopBy: end - kind: number - pattern: $R - - any: - - follows: - stopBy: end - kind: lexical_declaration - has: - stopBy: end - kind: variable_declarator - all: - - has: - stopBy: end - kind: identifier - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^require$" - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^node-forge$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: end - kind: namespace_import - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: end - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^node-forge$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^node-forge$" - MATCH_BITS_WITHIN_FUNCTION_WITH_CRYPTO_AND_PROMISIFY: - kind: number - pattern: $R - inside: - stopBy: end - kind: lexical_declaration - all: - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: end - kind: member_expression - has: - stopBy: end - kind: property_identifier - regex: "^promisify$" - - has: - stopBy: end - kind: arguments - has: - stopBy: end - kind: member_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $E - - has: - stopBy: end - kind: property_identifier - - has: - stopBy: end - kind: arguments - all: - - has: - stopBy: end - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^rsa$" - - has: - stopBy: end - 
kind: object - has: - stopBy: neighbor - kind: pair - all: - - has: - stopBy: end - kind: property_identifier - regex: "^modulusLength$" - - any: - - follows: - stopBy: end - kind: lexical_declaration - has: - stopBy: end - kind: variable_declarator - all: - - has: - stopBy: end - kind: identifier - pattern: $E - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^require$" - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^crypto$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: end - kind: namespace_import - has: - stopBy: neighbor - kind: identifier - pattern: $E - - has: - stopBy: end - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^crypto$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^crypto$" - MATCH_BITS_WITHIN_FUNCTION_WITH_CRYPTO: - kind: number - pattern: $R - inside: - stopBy: end - kind: lexical_declaration - all: - - has: - stopBy: end - kind: variable_declarator - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: end - kind: member_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $S - - has: - stopBy: end - kind: property_identifier - - has: - stopBy: end - kind: arguments - all: - - has: - stopBy: end - kind: string - has: - stopBy: end - kind: string_fragment - regex: "^rsa$" - - has: - stopBy: end - kind: object - has: - stopBy: end - kind: pair - all: - - has: - stopBy: end - kind: property_identifier - regex: "^modulusLength$" - - has: - stopBy: neighbor - kind: number - pattern: $R - - any: - - follows: - stopBy: end - kind: lexical_declaration - has: - stopBy: end - kind: 
variable_declarator - all: - - has: - stopBy: end - kind: identifier - pattern: $S - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^require$" - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^crypto$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: end - kind: namespace_import - has: - stopBy: neighbor - kind: identifier - pattern: $S - - has: - stopBy: end - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^crypto$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^crypto$" -rule: - kind: number - any: - - matches: MATCH_BITS_DIRECTLY_NODE_FORGE - - matches: MATCH_BITS_DIRECTLY_NODE_RSA - - matches: MATCH_BITS_WITHIN_FUNCTION_WITH_NODE_FORGE - - matches: MATCH_BITS_WITHIN_FUNCTION_WITH_CRYPTO_AND_PROMISIFY - - matches: MATCH_BITS_WITHIN_FUNCTION_WITH_CRYPTO - -constraints: - R: - regex: '^(-?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|0|-[1-9][0-9]*|-[1-9][0-9]{2,}|-1[0-9]{3}|-20[0-3][0-9]|-204[0-7])$' diff --git a/rules/javascript/security/node-sequelize-hardcoded-secret-argument-javascript.yml b/rules/javascript/security/node-sequelize-hardcoded-secret-argument-javascript.yml deleted file mode 100644 index ae91bd16..00000000 --- a/rules/javascript/security/node-sequelize-hardcoded-secret-argument-javascript.yml +++ /dev/null 
@@ -1,77 +0,0 @@ -id: node-sequelize-hardcoded-secret-argument-javascript -language: javascript -severity: warning -message: >- - The application creates a database connection with an empty password. - This can lead to unauthorized access by either an internal or external - malicious actor. To prevent this vulnerability, enforce authentication - when connecting to a database by using environment variables to securely - provide credentials or retrieving them from a secure vault or HSM - (Hardware Security Module). -note: >- - [CWE-287] Improper Authentication. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html -utils: - MATCH_BLANK_PASSWORD: - kind: string - pattern: $Q - inside: - stopBy: end - kind: lexical_declaration - all: - - has: - stopBy: end - kind: new_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $E - - has: - stopBy: end - kind: arguments - nthChild: 2 - has: - stopBy: end - kind: string - nthChild: 3 - pattern: $Q - has: - stopBy: end - kind: string_fragment - - any: - - follows: - stopBy: end - kind: lexical_declaration - has: - stopBy: end - kind: variable_declarator - has: - stopBy: end - kind: identifier - pattern: $E - - follows: - stopBy: end - kind: import_statement - has: - stopBy: end - kind: import_clause - has: - stopBy: end - kind: identifier - pattern: $E - - follows: - stopBy: end - kind: import_statement - has: - stopBy: end - kind: import_clause - has: - stopBy: end - kind: identifier - pattern: $E - -rule: - kind: string - matches: MATCH_BLANK_PASSWORD diff --git a/rules/kotlin/security/command-injection-formatted-runtime-call.yml b/rules/kotlin/security/command-injection-formatted-runtime-call.yml deleted file mode 100644 index 9c8552d5..00000000 --- a/rules/kotlin/security/command-injection-formatted-runtime-call.yml +++ /dev/null 
@@ -1,19 +0,0 @@
-id: command-injection-formatted-runtime-call
-language: kotlin
-severity: warning
-message: >-
- A formatted or concatenated string was detected as input to a java.lang.Runtime
- call. This is dangerous if a variable is controlled by user input and could result in a
- command injection.
-note: >-
- [CWE-78]: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- [OWASP A01:2017]: Injection
- [OWASP A03:2021]: Injection
- [REFERENCES]
- - https://find-sec-bugs.github.io/bugs.htm#COMMAND_INJECTION
-rule:
- any:
- - pattern: $RUNTIME.exec($X + $Y)
- - pattern: $RUNTIME.exec(String.format($$$))
- - pattern: $RUNTIME.loadLibrary($X + $Y)
- - pattern: $RUNTIME.loadLibrary(String.format($$$))
\ No newline at end of file
diff --git a/rules/kotlin/security/des-is-deprecated-kotlin.yml b/rules/kotlin/security/des-is-deprecated-kotlin.yml
deleted file mode 100644
index 377e3ed5..00000000
--- a/rules/kotlin/security/des-is-deprecated-kotlin.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-id: des-is-deprecated-kotlin
-severity: warning
-language: kotlin
-message: >-
- DES is considered deprecated. AES is the recommended cipher. Upgrade to
- use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard
- for more information.
-note: >-
- [CWE-326] Inadequate Encryption Strength.
- [REFERENCES]
- - https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard
-rule:
- pattern: $CIPHER.getInstance($SAS)
-constraints:
- SAS:
- regex: "DES"
diff --git a/rules/kotlin/security/desede-is-deprecated-kotlin.yml b/rules/kotlin/security/desede-is-deprecated-kotlin.yml
deleted file mode 100644
index f0a7351a..00000000
--- a/rules/kotlin/security/desede-is-deprecated-kotlin.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-id: desede-is-deprecated-kotlin
-language: kotlin
-severity: warning
-message: >-
- Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES.
-note: >-
- [CWE-326]: Inadequate Encryption Strength
- [OWASP A03:2017]: Sensitive Data Exposure
- [OWASP A02:2021]: Cryptographic Failures
- [REFERENCES]
- - https://find-sec-bugs.github.io/bugs.htm#TDES_USAGE
- - https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA
-rule:
- any:
- - pattern: $CIPHER.getInstance("=~/DESede.*/")
- - pattern: $CRYPTO.KeyGenerator.getInstance("DES")
diff --git a/rules/kotlin/security/rsa-no-padding-kotlin.yml b/rules/kotlin/security/rsa-no-padding-kotlin.yml
deleted file mode 100644
index 49e07e7b..00000000
--- a/rules/kotlin/security/rsa-no-padding-kotlin.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-id: rsa-no-padding-kotlin
-severity: warning
-language: kotlin
-message: >-
- Using RSA without OAEP mode weakens the encryption.
-note: >-
- [CWE-326] Inadequate Encryption Strength
- [REFERENCES]
- - https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/
-rule:
- pattern: $YST.getInstance($MODE)
-constraints:
- MODE:
- regex: "RSA/[Nn][Oo][Nn][Ee]/NoPadding"
diff --git a/rules/kotlin/security/system-setproperty-hardcoded-secret-kotlin.yml b/rules/kotlin/security/system-setproperty-hardcoded-secret-kotlin.yml
deleted file mode 100644
index 06635555..00000000
--- a/rules/kotlin/security/system-setproperty-hardcoded-secret-kotlin.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-id: system-setproperty-hardcoded-secret-kotlin
-language: kotlin
-severity: warning
-message: >-
- A secret is hard-coded in the application. Secrets stored in source
- code, such as credentials, identifiers, and other types of sensitive data,
- can be leaked and used by internal or external malicious actors. Use
- environment variables to securely provide credentials and other secrets or
- retrieve them from a secure vault or Hardware Security Module (HSM).
-note: >-
- [CWE-798]: Use of Hard-coded Credentials
- [OWASP A07:2021]: Identification and Authentication Failures
- [REFERENCES]
- - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
-rule:
- all:
- - any:
- - pattern: System.setProperty("javax.net.ssl.keyStorePassword", $PWD);
- - pattern: System.setProperty("javax.net.ssl.trustStorePassword", $PWD);
-constraints:
- PWD:
- regex: '^"'
diff --git a/rules/kotlin/security/unencrypted-socket.yml b/rules/kotlin/security/unencrypted-socket.yml
deleted file mode 100644
index c5afc711..00000000
--- a/rules/kotlin/security/unencrypted-socket.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-id: unencrypted-socket
-language: kotlin
-severity: warning
-message: >-
- The socket is not encrypted. Use a secure protocol such as TLS/SSL to encrypt the data.
- SSLSocketFactory and SSLServerSocketFactory should be used to create secure sockets.
-note: >-
- [CWE-319]: Cleartext Transmission of Sensitive Information
- [OWASP A03:2017]: Sensitive Data Exposure
- [OWASP A02:2021]: Cryptographic Failures
- [REFERENCES]
- - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
-rule:
- any:
- - pattern: Socket($$$)
- - pattern: ServerSocket($$$)
\ No newline at end of file
diff --git a/rules/kotlin/security/use-of-weak-rsa-key-kotlin.yml b/rules/kotlin/security/use-of-weak-rsa-key-kotlin.yml
deleted file mode 100644
index 1620ce16..00000000
--- a/rules/kotlin/security/use-of-weak-rsa-key-kotlin.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-id: use-of-weak-rsa-key-kotlin
-language: kotlin
-severity: warning
-message: >-
- RSA keys should be at least 2048 bits based on NIST recommendation
-note: >-
- [CWE-326]: Inadequate Encryption Strength
- [OWASP A03:2017]: Sensitive Data Exposure
- [OWASP A02:2021]: Cryptographic Failures
- [REFERENCES]
- - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms
-rule:
- pattern: |
- $KEY.initialize($BITS)
-follows: KEY = $G.getInstance("RSA");
-constraints:
- BITS:
- regex: '^(-?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|0|-[1-9][0-9]*|-[1-9][0-9]{2,}|-1[0-9]{3}|-20[0-3][0-9]|-204[0-7])$'
diff --git a/rules/php/security/openssl-cbc-static-iv-php.yml b/rules/php/security/openssl-cbc-static-iv-php.yml
deleted file mode 100644
index 710d8118..00000000
--- a/rules/php/security/openssl-cbc-static-iv-php.yml
+++ /dev/null
@@ -1,190 +0,0 @@
-id: openssl-cbc-static-iv-php
-language: php
-severity: warning
-message: >-
- Static IV used with AES in CBC mode. Static IVs enable chosen-plaintext
- attacks against encrypted data.
-note: >-
- [CWE-329] Generation of Predictable IV with CBC Mode.
- [REFERENCES]
- - https://csrc.nist.gov/publications/detail/sp/800-38a/final
-utils:
- Match_pattern_with_prefix_openssl_encrypt:
- kind: expression_statement
- all:
- - has:
- stopBy: end
- kind: function_call_expression
- all:
- - has:
- stopBy: end
- kind: name
- regex: (openssl_decrypt|openssl_encrypt)
- - has:
- stopBy: end
- kind: arguments
- all:
- - has:
- stopBy: end
- kind: argument
- nthChild: 2
- has:
- stopBy: end
- kind: variable_name
- pattern: $R
- - has:
- stopBy: end
- kind: argument
- nthChild: 5
- has:
- stopBy: end
- kind: variable_name
- pattern: $T
-
- - follows:
- stopBy: end
- kind: expression_statement
- has:
- stopBy: end
- kind: assignment_expression
- all:
- - has:
- stopBy: end
- kind: variable_name
- pattern: $T
- - has:
- stopBy: end
- kind: encapsed_string
-
- - follows:
- stopBy: end
- kind: expression_statement
- has:
- stopBy: end
- kind: assignment_expression
- all:
- - has:
- stopBy: end
- kind: variable_name
- pattern: $R
- - has:
- stopBy: end
- kind: encapsed_string
- regex: "^.*-CBC"
-
- Match_pattern_with_prefix_openssl_decrypt:
- kind: return_statement
- all:
- - has:
- stopBy: end
- kind: function_call_expression
- regex: (openssl_decrypt|openssl_encrypt)
- has:
- stopBy: end
- kind: arguments
- all:
- - has:
- stopBy: end
- kind: argument
- nthChild: 2
- has:
- stopBy: end
- kind: variable_name
- pattern: $R
- - has:
- stopBy: end
- kind: argument
- nthChild: 5
- has:
- stopBy: end
- kind: variable_name
- pattern: $T
-
- - follows:
- stopBy: end
- kind: expression_statement
- has:
- stopBy: end
- kind: assignment_expression
- all:
- - has:
- stopBy: end
- kind: variable_name
- pattern: $T
- - has:
- stopBy: end
- kind: encapsed_string
-
- - follows:
- stopBy: end
- kind: expression_statement
- has:
- stopBy: end
- kind: assignment_expression
- all:
- - has:
- stopBy: end
- kind: variable_name
- pattern: $R
- - has:
- stopBy: end
- kind: encapsed_string
- regex: "^.*-CBC"
-
- Match_pattern_directly_with_prefix_openssl_encrypt:
- kind: expression_statement
- all:
- - has:
- stopBy: end
- kind: function_call_expression
- all:
- - has:
- stopBy: end
- kind: name
- regex: (openssl_decrypt|openssl_encrypt)
- - has:
- stopBy: end
- kind: arguments
- all:
- - has:
- stopBy: end
- kind: argument
- nthChild: 2
- has:
- stopBy: end
- kind: encapsed_string
- regex: "^.*-CBC"
-
- - has:
- stopBy: end
- kind: argument
- nthChild: 5
- has:
- stopBy: end
- kind: variable_name
- pattern: $T
-
- - follows:
- stopBy: end
- kind: expression_statement
- has:
- stopBy: end
- kind: assignment_expression
- all:
- - has:
- stopBy: end
- kind: variable_name
- pattern: $T
- - has:
- stopBy: end
- kind: encapsed_string
-
-rule:
- any:
- - kind: expression_statement
- any:
- - matches: Match_pattern_with_prefix_openssl_encrypt
- - matches: Match_pattern_directly_with_prefix_openssl_encrypt
- - kind: return_statement
- any:
- - matches: Match_pattern_with_prefix_openssl_decrypt
diff --git a/rules/php/security/search-active-debug-php.yml b/rules/php/security/search-active-debug-php.yml
deleted file mode 100644
index f41e03d5..00000000
--- a/rules/php/security/search-active-debug-php.yml
+++ /dev/null
@@ -1,91 +0,0 @@
-id: search-active-debug-php
-language: php
-severity: warning
-message: >-
- Debug logging is explicitly enabled. This can potentially disclose
- sensitive information and should never be active on production systems.
-note: >-
- [CWE-489] Active Debug Code.
- [REFERENCES]
- - https://www.php.net/manual/en/function.setcookie.php
-utils:
- Match_pattern_one:
- kind: expression_statement
- has:
- stopBy: end
- kind: function_call_expression
- pattern: $C
- has:
- stopBy: end
- kind: arguments
- all:
- - has:
- stopBy: end
- kind: argument
- pattern: $A
- - has:
- stopBy: end
- kind: boolean
- pattern: $B
-
- Match_pattern_two_with_integer:
- kind: expression_statement
- has:
- stopBy: end
- kind: function_call_expression
- pattern: $C
- has:
- stopBy: end
- kind: arguments
- all:
- - has:
- stopBy: end
- kind: argument
- pattern: $A
- - has:
- stopBy: end
- kind: integer
- pattern: $D
-
- Match_pattern_three_with_string:
- kind: expression_statement
- has:
- stopBy: end
- kind: function_call_expression
- pattern: $C
- has:
- stopBy: end
- kind: arguments
- all:
- - has:
- stopBy: end
- kind: argument
- pattern: $A
- - has:
- stopBy: end
- kind: argument
- has:
- stopBy: end
- kind: encapsed_string
- has:
- stopBy: neighbor
- pattern: $S
-
-rule:
- kind: expression_statement
- any:
- - matches: Match_pattern_one
- - matches: Match_pattern_two_with_integer
- - matches: Match_pattern_three_with_string
-
-constraints:
- C:
- regex: (define|ini_set)
- A:
- regex: (WP_DEBUG|display_errors)
- B:
- regex: "true"
- D:
- regex: "1"
- S:
- regex: on
diff --git a/rules/python/security/avoid-bind-to-all-interfaces-python.yml b/rules/python/security/avoid-bind-to-all-interfaces-python.yml
deleted file mode 100644
index c3867b2b..00000000
--- a/rules/python/security/avoid-bind-to-all-interfaces-python.yml
+++ /dev/null
@@ -1,64 +0,0 @@
-id: avoid-bind-to-all-interfaces-python
-severity: warning
-language: python
-message: >-
- Running `socket.bind` to 0.0.0.0, or empty string could unexpectedly
- expose the server publicly as it binds to all available interfaces.
- Consider instead getting correct address from an environment variable or
- configuration file.
-note: >-
- [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor.
- [REFERENCES]
- - https://owasp.org/Top10/A01_2021-Broken_Access_Control
-utils:
- MATCH_PATTERN_$S.bind:
- kind: expression_statement
- all:
- - has:
- stopBy: neighbor
- kind: call
- all:
- - has:
- stopBy: neighbor
- kind: attribute
- all:
- - has:
- stopBy: neighbor
- kind: identifier
- - has:
- stopBy: neighbor
- kind: identifier
- regex: "^bind$"
- - has:
- stopBy: neighbor
- kind: argument_list
- has:
- stopBy: neighbor
- kind: tuple
- has:
- stopBy: neighbor
- kind: string
- regex: ^'0.0.0.0'|'::'|''$
- - follows:
- stopBy: end
- kind: expression_statement
- has:
- stopBy: end
- kind: call
- has:
- stopBy: neighbor
- kind: attribute
- all:
- - has:
- stopBy: neighbor
- kind: identifier
- regex: "^socket$"
- - has:
- stopBy: neighbor
- kind: identifier
- regex: "^socket$"
-
-rule:
- kind: expression_statement
- any:
- - matches: MATCH_PATTERN_$S.bind
diff --git a/rules/python/security/avoid-mktemp-python.yml b/rules/python/security/avoid-mktemp-python.yml
deleted file mode 100644
index 24104809..00000000
--- a/rules/python/security/avoid-mktemp-python.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-id: avoid-mktemp-python
-language: python
-severity: warning
-message: >-
- The function `mktemp` is deprecated. When using this function, it is
- possible for an attacker to modify the created file before the filename is
- returned. Use `NamedTemporaryFile()` instead and pass it the
- `delete=False` parameter.
-note: >-
- [CWE-377]: Insecure Temporary File
- [OWASP A01:2021]: Broken Access Control
- [REFERENCES]
- https://docs.python.org/3/library/tempfile.html#tempfile.mktemp
- https://owasp.org/Top10/A01_2021-Broken_Access_Control
-utils:
- match_mktemp:
- kind: call
- has:
- kind: identifier
- pattern: $R
- inside:
- stopBy: end
- kind: expression_statement
- follows:
- stopBy: end
- kind: import_from_statement
- has:
- stopBy: end
- kind: dotted_name
- field: name
- has:
- stopBy: end
- kind: identifier
- pattern: $R
-rule:
- all:
- - matches: match_mktemp
diff --git a/rules/python/security/avoid_app_run_with_bad_host-python.yml b/rules/python/security/avoid_app_run_with_bad_host-python.yml
deleted file mode 100644
index ccab8332..00000000
--- a/rules/python/security/avoid_app_run_with_bad_host-python.yml
+++ /dev/null
@@ -1,73 +0,0 @@
-id: avoid_app_run_with_bad_host-python
-language: python
-severity: warning
-message: >-
- Running flask app with host 0.0.0.0 could expose the server publicly.
-note: >-
- [CWE-668]: Exposure of Resource to Wrong Sphere
- [OWASP A01:2021]: Broken Access Control
- [REFERENCES]
- https://owasp.org/Top10/A01_2021-Broken_Access_Control
-utils:
- MATCH_PATTERN_app.run:
- kind: call
- all:
- - has:
- stopBy: neighbor
- kind: attribute
- all:
- - has:
- stopBy: neighbor
- kind: identifier
- regex: "^app$"
- - has:
- stopBy: neighbor
- kind: identifier
- regex: "^run$"
- - has:
- stopBy: neighbor
- kind: argument_list
- has:
- stopBy: neighbor
- kind: string
- regex: ^"0.0.0.0"$
-
- MATCH_PATTERN_app.run_HOST:
- kind: call
- all:
- - has:
- stopBy: neighbor
- kind: attribute
- all:
- - has:
- stopBy: neighbor
- kind: identifier
- regex: "^app$"
- - has:
- stopBy: neighbor
- kind: identifier
- regex: "^run$"
- - has:
- stopBy: neighbor
- kind: argument_list
- has:
- stopBy: neighbor
- kind: keyword_argument
- all:
- - has:
- stopBy: neighbor
- kind: identifier
- regex: "^host$"
- - has:
- stopBy: neighbor
- kind: string
- regex: ^"0.0.0.0"$
- - has:
- stopBy: neighbor
- regex: "^=$"
-
-rule:
- kind: call
- any:
- - matches: MATCH_PATTERN_app.run
- - matches: MATCH_PATTERN_app.run_HOST
diff --git a/rules/python/security/debug-enabled-python.yml b/rules/python/security/debug-enabled-python.yml
deleted file mode 100644
index 3e13e3c5..00000000
--- a/rules/python/security/debug-enabled-python.yml
+++ /dev/null
@@ -1,92 +0,0 @@
-id: debug-enabled-python
-severity: warning
-language: python
-message: >-
- Detected Flask app with debug=True. Do not deploy to production with
- this flag enabled as it will leak sensitive information. Instead, consider
- using Flask configuration variables or setting 'debug' using system
- environment variables.
-note: >-
- [CWE-489] Active Debug Code.
- [REFERENCES]
- - https://labs.detectify.com/2015/10/02/how-patreon-got-hacked-publicly-exposed-werkzeug-debugger/
-utils:
- MATCH_PATTERN_debug=True:
- kind: call
- all:
- - has:
- stopBy: neighbor
- kind: attribute
- all:
- - has:
- stopBy: neighbor
- kind: identifier
- regex: "^app$"
- - has:
- stopBy: neighbor
- kind: identifier
- regex: "^run$"
- - has:
- stopBy: neighbor
- kind: argument_list
- has:
- stopBy: neighbor
- kind: keyword_argument
- regex: "^debug=True$"
- - any:
- - inside:
- stopBy: end
- kind: if_statement
- follows:
- stopBy: end
- kind: import_from_statement
- has:
- stopBy: end
- kind: dotted_name
- has:
- stopBy: neighbor
- kind: identifier
- regex: "^Flask$"
- - inside:
- stopBy: end
- kind: function_definition
- follows:
- stopBy: end
- kind: import_from_statement
- has:
- stopBy: end
- kind: dotted_name
- has:
- stopBy: neighbor
- kind: identifier
- regex: "^Flask$"
- - inside:
- stopBy: end
- kind: expression_statement
- follows:
- stopBy: end
- kind: import_from_statement
- has:
- stopBy: end
- kind: dotted_name
- has:
- stopBy: neighbor
- kind: identifier
- regex: "^Flask$"
- - inside:
- stopBy: end
- kind: decorated_definition
- follows:
- stopBy: end
- kind: import_from_statement
- has:
- stopBy: end
- kind: dotted_name
- has:
- stopBy: neighbor
- kind: identifier
- regex: "^Flask$"
-rule:
- kind: call
- any:
- - matches: MATCH_PATTERN_debug=True
diff --git a/rules/python/security/empty-aes-key.yml b/rules/python/security/empty-aes-key.yml
deleted file mode 100644
index 851d5e9b..00000000
--- a/rules/python/security/empty-aes-key.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-id: empty-aes-key
-language: python
-severity: warning
-message: >-
- The AES cipher should not be initialized with an empty key. This can lead to
- insecure encryption and decryption. The key should be at least 16 bytes long
- for AES-128, 24 bytes long for AES-192, and 32 bytes long for AES-256.
-note: >-
- [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm
- [CWE-310]: Cryptographic Issues
- [OWASP A06:2017]: Security Misconfiguration
- [REFERENCES]
- - https://cwe.mitre.org/data/definitions/327.html
- - https://cwe.mitre.org/data/definitions/310.html
-rule:
- pattern: AES.new("", $$$)
\ No newline at end of file
diff --git a/rules/python/security/hashids-with-django-secret-python.yml b/rules/python/security/hashids-with-django-secret-python.yml
deleted file mode 100644
index d861b038..00000000
--- a/rules/python/security/hashids-with-django-secret-python.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-id: hashids-with-django-secret-python
-language: python
-severity: warning
-message: >-
- The Django secret key is used as salt in HashIDs. The HashID mechanism
- is not secure. By observing sufficient HashIDs, the salt used to construct
- them can be recovered. This means the Django secret key can be obtained by
- attackers, through the HashIDs.
-note: >-
- [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm
- [OWASP A02:2021]: Cryptographic Failures
- [REFERENCES]
- https://docs.djangoproject.com/en/4.2/ref/settings/#std-setting-SECRET_KEY
- http://carnage.github.io/2015/08/cryptanalysis-of-hashids
-rule:
- any:
- - pattern: Hashids(salt=settings.SECRET_KEY, $$$)
- - pattern: Hashids(settings.SECRET_KEY, $$$)
diff --git a/rules/python/security/insecure-cipher-algorithm-rc4-python.yml b/rules/python/security/insecure-cipher-algorithm-rc4-python.yml
deleted file mode 100644
index 08ff4579..00000000
--- a/rules/python/security/insecure-cipher-algorithm-rc4-python.yml
+++ /dev/null
@@ -1,75 +0,0 @@
-id: insecure-cipher-algorithm-rc4-python
-severity: warning
-language: python
-message: >-
- Detected ARC4 cipher algorithm which is considered insecure. This
- algorithm is not cryptographically secure and can be reversed easily. Use
- secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block
- cipher such as AES with a block size of 128 bits. When using a block
- cipher, use a modern mode of operation that also provides authentication,
- such as GCM.
-note: >-
- [CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
- [REFERENCES]
- - https://cwe.mitre.org/data/definitions/326.html
- - https://www.pycryptodome.org/src/cipher/cipher
-utils:
- MATCH_PATTERN_arc4.new:
- kind: call
- all:
- - has:
- stopBy: end
- kind: attribute
- all:
- - has:
- stopBy: neighbor
- kind: identifier
- pattern: $X
- - has:
- stopBy: neighbor
- kind: identifier
- regex: "^new$"
- - has:
- stopBy: neighbor
- kind: argument_list
- has:
- stopBy: neighbor
- kind: identifier
- - inside:
- stopBy: end
- kind: expression_statement
- follows:
- stopBy: end
- kind: import_from_statement
- all:
- - has:
- stopBy: neighbor
- kind: dotted_name
- all:
- - has:
- stopBy: neighbor
- kind: identifier
- regex: "^Crypto$|^Cryptodome$"
- - has:
- stopBy: neighbor
- kind: identifier
- regex: "^Cipher$"
- - has:
- stopBy: neighbor
- kind: aliased_import
- all:
- - has:
- stopBy: neighbor
- kind: dotted_name
- has:
- stopBy: neighbor
- kind: identifier
- regex: "^ARC4$"
- - has:
- stopBy: neighbor
- kind: identifier
- pattern: $X
-
-rule:
- kind: call
- matches: MATCH_PATTERN_arc4.new
diff --git a/rules/python/security/jwt-python-hardcoded-secret-python.yml b/rules/python/security/jwt-python-hardcoded-secret-python.yml
deleted file mode 100644
index eae611c3..00000000
--- a/rules/python/security/jwt-python-hardcoded-secret-python.yml
+++ /dev/null
@@ -1,98 +0,0 @@
-id: jwt-python-hardcoded-secret-python
-severity: warning
-language: python
-message: >-
- Hardcoded JWT secret or private key is used. This is a Insufficiently
- Protected Credentials weakness:
- https://cwe.mitre.org/data/definitions/522.html Consider using an
- appropriate security mechanism to protect the credentials (e.g. keeping
- secrets in environment variables).
-note: >-
- [CWE-522] Insufficiently Protected Credentials.
-utils:
- match_pattern_followed_by_instance:
- inside:
- stopBy: end
- kind: function_definition
- has:
- stopBy: end
- kind: expression_statement
- pattern: $C
- has:
- kind: assignment
- has:
- kind: call
- has:
- kind: argument_list
- has:
- kind: identifier
- nthChild: 2
- pattern: $S
-
- match_pattern_followed_by_instance_name:
- inside:
- stopBy: end
- kind: function_definition
- has:
- stopBy: end
- kind: expression_statement
- pattern: $C
- has:
- kind: assignment
- has:
- kind: call
- has:
- kind: attribute
- regex: ^jwt.encode
-
- match_pattern_followed_by_instance_value:
- follows:
- stopBy: end
- kind: expression_statement
- has:
- stopBy: end
- kind: assignment
- all:
- - has:
- stopBy: end
- kind: identifier
- pattern: $S
- - has:
- stopBy: end
- kind: string
-
- combined_utils:
- all:
- - matches: match_pattern_followed_by_instance
- - matches: match_pattern_followed_by_instance_value
- - matches: match_pattern_followed_by_instance_name
-
- match_pattern_followed_by_instance_value_one:
- has:
- kind: assignment
- has:
- kind: call
- has:
- kind: argument_list
- has:
- kind: string
- nthChild: 2
-
- match_pattern_followed_by_instance_value_two:
- has:
- kind: assignment
- has:
- kind: call
- has:
- kind: attribute
- regex: ^jwt.encode
-
- combined_utils_two:
- all:
- - matches: match_pattern_followed_by_instance_value_one
- - matches: match_pattern_followed_by_instance_value_two
-rule:
- kind: expression_statement
- any:
- - matches: combined_utils
- - matches: combined_utils_two
diff --git a/rules/python/security/openai-hardcoded-secret-python.yml b/rules/python/security/openai-hardcoded-secret-python.yml
deleted file mode 100644
index 2d220b19..00000000
--- a/rules/python/security/openai-hardcoded-secret-python.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-id: openai-hardcoded-secret-password-python
-language: python
-severity: warning
-message: >-
- A secret is hard-coded in the application. Secrets stored in source
- code, such as credentials, identifiers, and other types of sensitive data,
- can be leaked and used by internal or external malicious actors. Use
- environment variables to securely provide credentials and other secrets or
- retrieve them from a secure vault or Hardware Security Module (HSM).
-note: >-
- [CWE-798]: Use of Hard-coded Credentials
- [OWASP A07:2021]: Identification and Authentication Failures
- [REFERENCES]
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
-utils:
- match_api_key:
- kind: string_content
- pattern: $R
-rule:
- all:
- - matches: match_api_key
-constraints:
- R:
- regex: \b(sk-[[:alnum:]]{20}T3BlbkFJ[[:alnum:]]{20})\b
diff --git a/rules/python/security/python-elasticsearch-hardcoded-bearer-auth-python.yml b/rules/python/security/python-elasticsearch-hardcoded-bearer-auth-python.yml
deleted file mode 100644
index 9c5bc077..00000000
--- a/rules/python/security/python-elasticsearch-hardcoded-bearer-auth-python.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-id: python-elasticsearch-hardcoded-bearer-auth-python
-severity: warning
-language: python
-message: >-
- A secret is hard-coded in the application. Secrets stored in source
- code, such as credentials, identifiers, and other types of sensitive data,
- can be leaked and used by internal or external malicious actors. Use
- environment variables to securely provide credentials and other secrets or
- retrieve them from a secure vault or Hardware Security Module (HSM).
-note: >-
- [CWE-798] Use of Hard-coded Credentials.
- [REFERENCES]
- - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
-rule:
- any:
- - pattern: Elasticsearch($$$, bearer_auth="$$$",$$$)
- - pattern: Elasticsearch($$$,bearer_auth=$$$)
- - pattern: $ES.options(bearer_auth="$$$").$$$
- not:
- follows:
- pattern: elasticsearch.Elasticsearch($$$)
- - pattern: $ES.options($$$,bearer_auth="$$$").$$$
- not:
- follows:
- pattern: elasticsearch.Elasticsearch($$$)
- - pattern: $ES.options($$$,bearer_auth="$$$",$$$)
- not:
- follows:
- pattern: elasticsearch.Elasticsearch($$$)
diff --git a/rules/ruby/rails/security/rails-check-before-filter.yml b/rules/ruby/rails/security/rails-check-before-filter.yml
deleted file mode 100644
index 7fef75ac..00000000
--- a/rules/ruby/rails/security/rails-check-before-filter.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-id: rails-check-before-filter
-language: ruby
-severity: warning
-message: >-
- Rails controller checks make it much easier to introduce access control
- mistakes. Prefer an allow list approach with `:only => [...]` rather than `except: => [...]`
-note: >-
- [CWE-284]: Improper Access Control
- [OWASP A01:2021]: Broken Access Control
- [REFERENCES]
- - https://owasp.org/Top10/A01_2021-Broken_Access_Control
-rule:
- any:
- - pattern: |
- skip_filter $$$, :except => $ARGS
- - pattern: |
- skip_before_filter $$$, :except => $ARGS
\ No newline at end of file
diff --git a/rules/ruby/rails/security/rails-skip-forgery-protection.yml b/rules/ruby/rails/security/rails-skip-forgery-protection.yml
deleted file mode 100644
index 136ea899..00000000
--- a/rules/ruby/rails/security/rails-skip-forgery-protection.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-id: rails-skip-forgery-protection
-language: ruby
-severity: warning
-message: This call turns off CSRF protection allowing CSRF attacks against the application
-note: >-
- [CWE-352]: Cross-Site Request Forgery (CSRF)
- [OWASP A01:2021]: Broken Access Control
- [REFERENCES]
- - https://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html#method-i-skip_forgery_protection
-rule:
- pattern: skip_forgery_protection
\ No newline at end of file
diff --git a/rules/ruby/security/hardcoded-http-auth-in-controller-copy-ruby.yml b/rules/ruby/security/hardcoded-http-auth-in-controller-copy-ruby.yml
deleted file mode 100644
index c4d5dbfe..00000000
--- a/rules/ruby/security/hardcoded-http-auth-in-controller-copy-ruby.yml
+++ /dev/null
@@ -1,55 +0,0 @@
-id: hardcoded-http-auth-in-controller-copy-ruby
-language: ruby
-severity: warning
-message: >-
- Detected hardcoded password used in basic authentication in a
- controller class. Including this password in version control could expose
- this credential. Consider refactoring to use environment variables or
- configuration files
-note: >-
- [CWE-798] Use of Hard-coded Credentials.
- [REFERENCES]
- - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
-utils:
- MATCH_PASSWORD_STRING:
- kind: string
- inside:
- stopBy: end
- kind: pair
- all:
- - has:
- stopBy: end
- kind: simple_symbol
- regex: "^:password$"
- - inside:
- stopBy: end
- kind: argument_list
- inside:
- stopBy: end
- kind: call
- all:
- - has:
- stopBy: neighbor
- kind: identifier
- regex: "^http_basic_authenticate_with$"
- - inside:
- stopBy: neighbor
- kind: body_statement
- inside:
- stopBy: end
- kind: class
- all:
- - has:
- stopBy: neighbor
- kind: constant
- - has:
- stopBy: end
- kind: superclass
- has:
- stopBy: neighbor
- kind: constant
- regex: "^ApplicationController$"
-
-rule:
- kind: string
- matches: MATCH_PASSWORD_STRING
diff --git a/rules/ruby/security/json-entity-escape.yml b/rules/ruby/security/json-entity-escape.yml
deleted file mode 100644
index c48b5f2f..00000000
--- a/rules/ruby/security/json-entity-escape.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-id: json-entity-escape
-language: ruby
-severity: warning
-message: >-
- Found use of JSON entity escape. This can lead to security vulnerabilities such as XSS attacks.
- Instead, use a secure method to escape JSON entities.
-note: >-
- [CWE-79]: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- [OWASP A07:2017]: Cross-Site Scripting (XSS)
- [OWASP A03:2021]: Injection
- [REFERENCES]
- - https://owasp.org/Top10/A03_2021-Injection
-rule:
- any:
- - pattern: config.active_support.escape_html_entities_in_json = false
- - pattern: ActiveSupport.escape_html_entities_in_json = false
\ No newline at end of file
diff --git a/rules/ruby/security/jwt-none-alg-ruby.yml b/rules/ruby/security/jwt-none-alg-ruby.yml
deleted file mode 100644
index d656d0b8..00000000
--- a/rules/ruby/security/jwt-none-alg-ruby.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-id: jwt-non-alg-ruby
-language: ruby
-severity: warning
-message: >-
- Found use none algorithm in JWT. This algorithm is insecure and should not be used.
- Instead, use a more secure algorithm like HS256, RS256, or ES256.
-note: >-
- [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm
- [OWASP A03:2017]: Sensitive Data Exposure
- [OWASP A02:2021]: Cryptographic Failures
- [REFERENCES]
- - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
-rule:
- any:
- - pattern: JWT.encode($PAYLOAD, $SECRET, 'none', $$$)
- - pattern: JWT.encode($PAYLOAD, $SECRET, 'none')
diff --git a/rules/ruby/security/ssl-mode-no-verify.yml b/rules/ruby/security/ssl-mode-no-verify.yml
deleted file mode 100644
index 0f743a9d..00000000
--- a/rules/ruby/security/ssl-mode-no-verify.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-id: ssl-mode-no-verify
-language: ruby
-severity: warning
-message: >-
- Found use of OpenSSL::SSL::VERIFY_NONE. This constant disables SSL certificate verification and should not be used in production code.
- Instead, use OpenSSL::SSL::VERIFY_PEER to enable SSL certificate verification.
-note: >-
- [CWE-295]: Improper Certificate Validation
- [OWASP A07:2021]: Identification and Authentication Failures
- [REFERENCES]
- - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
-rule:
- pattern: OpenSSL::SSL::VERIFY_NONE
\ No newline at end of file
diff --git a/rules/rust/security/insecure-hashes.yml b/rules/rust/security/insecure-hashes.yml
deleted file mode 100644
index 0e5a4a81..00000000
--- a/rules/rust/security/insecure-hashes.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-id: insecure-hashes
-severity: warning
-language: rust
-message: >-
- Insecure cryptographic hash functions should not be used. Prefer using a
- cryptographically secure hash function like SHA-256 or SHA-3.
-
-note: >-
- [CWE-328]: Use of Weak Hash
- [OWASP A03:2021]: Sensitive Data Exposure
- [REFERENCES]
- - https://github.com/RustCrypto/hashes
- - https://docs.rs/md2/latest/md2/
- - https://docs.rs/md4/latest/md4/
- - https://docs.rs/md5/latest/md5/
- - https://docs.rs/sha-1/latest/sha1/
-rule:
- any:
- - pattern: Md2::new($$$)
- - pattern: Md2::new($$$)
- - pattern: Md4::new($$$)
- - pattern: Md5::new($$$)
- - pattern: Sha1::new($$$)
\ No newline at end of file
diff --git a/rules/rust/security/postgres-empty-password-rust.yml b/rules/rust/security/postgres-empty-password-rust.yml
deleted file mode 100644
index 371f1065..00000000
--- a/rules/rust/security/postgres-empty-password-rust.yml
+++ /dev/null
@@ -1,124 +0,0 @@ -id: postgres-empty-password-rust -language: rust -severity: warning -message: >- - The application uses an empty credential. This can lead to unauthorized - access by either an internal or external malicious actor. It is - recommended to rotate the secret and retrieve them from a secure secret - vault or Hardware Security Module (HSM), alternatively environment - variables can be used if allowed by your company policy. -note: >- - [CWE-287] Improper Authentication. - [REFERENCES] - - https://docs.rs/postgres/latest/postgres/ - - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures -utils: - MATCH_PATTERN_WITH_INSTANCE: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - all: - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - all: - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $C - - has: - stopBy: neighbor - kind: arguments - - has: - stopBy: neighbor - kind: field_identifier - - has: - stopBy: neighbor - kind: arguments - - has: - stopBy: neighbor - kind: field_identifier - regex: "^password$" - - has: - stopBy: neighbor - kind: arguments - regex: \(\s*\"\"\s*\) - - inside: - stopBy: end - kind: expression_statement - follows: - stopBy: end - kind: let_declaration - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $C - - has: - stopBy: neighbor - kind: call_expression - pattern: postgres::Config::new() - - MATCH_PATTERN_DIRECTLY: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - all: - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - all: - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - has: - stopBy: neighbor - kind: 
call_expression - pattern: postgres::Config::new() - - has: - stopBy: neighbor - kind: arguments - - has: - stopBy: neighbor - kind: field_identifier - - has: - stopBy: neighbor - kind: arguments - - has: - stopBy: neighbor - kind: field_identifier - regex: "^password$" - - has: - stopBy: neighbor - kind: arguments - regex: \(\s*\"\"\s*\) - -rule: - kind: call_expression - any: - - matches: MATCH_PATTERN_WITH_INSTANCE - - matches: MATCH_PATTERN_DIRECTLY diff --git a/rules/rust/security/reqwest-accept-invalid-rust.yml b/rules/rust/security/reqwest-accept-invalid-rust.yml deleted file mode 100644 index 27fc9d8b..00000000 --- a/rules/rust/security/reqwest-accept-invalid-rust.yml +++ /dev/null @@ -1,17 +0,0 @@ -id: reqwest-accept-invalid-rust -language: rust -severity: warning -message: >- - Dangerously accepting invalid TLS -note: >- - [CWE-295]: Improper Certificate - [REFERENCES] - - https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_hostnames - - https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_certs -rule: - any: - - pattern: $CLIENT.danger_accept_invalid_hostnames(true) - - pattern: $CLIENT.danger_accept_invalid_certs(true) -constraints: - CLIENT: - regex: '^reqwest::Client::builder\(\)' diff --git a/rules/rust/security/secrets-reqwest-hardcoded-auth-rust.yml b/rules/rust/security/secrets-reqwest-hardcoded-auth-rust.yml deleted file mode 100644 index 7bbe91d5..00000000 --- a/rules/rust/security/secrets-reqwest-hardcoded-auth-rust.yml +++ /dev/null 
@@ -1,138 +0,0 @@ -id: secrets-reqwest-hardcoded-auth-rust -language: rust -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. It is - recommended to rotate the secret and retrieve them from a secure secret - vault or Hardware Security Module (HSM), alternatively environment - variables can be used if allowed by your company policy. -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://docs.rs/reqwest/latest/reqwest/ - - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures -utils: - MATCH_PATTERN_ONE: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - all: - - has: - stopBy: neighbor - kind: call_expression - has: - stopBy: neighbor - kind: field_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $C - - has: - stopBy: neighbor - kind: field_identifier - regex: "^bearer_auth|basic_auth$" - - has: - stopBy: neighbor - kind: arguments - all: - - has: - stopBy: neighbor - kind: string_literal - has: - stopBy: neighbor - kind: string_content - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^Some$" - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: string_literal - has: - stopBy: neighbor - kind: string_content - - - inside: - stopBy: end - kind: let_declaration - follows: - stopBy: end - kind: let_declaration - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $C - - has: - stopBy: neighbor - kind: call_expression - pattern: reqwest::Client::new($$$) - - MATCH_PATTERN_TWO: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - all: - - has: - stopBy: neighbor - kind: call_expression - has: - stopBy: neighbor - kind: field_expression - 
all: - - has: - stopBy: neighbor - kind: identifier - pattern: $C - - has: - stopBy: neighbor - kind: field_identifier - regex: "^bearer_auth|basic_auth$" - - inside: - stopBy: end - kind: let_declaration - follows: - stopBy: end - kind: let_declaration - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $C - - has: - stopBy: neighbor - kind: call_expression - pattern: reqwest::Client::new($$$) - - has: - stopBy: neighbor - kind: arguments - all: - - has: - stopBy: neighbor - kind: string_literal - has: - stopBy: neighbor - kind: string_content - - not: - has: - kind: call_expression - -rule: - kind: call_expression - any: - - matches: MATCH_PATTERN_ONE - - matches: MATCH_PATTERN_TWO diff --git a/rules/rust/security/ssl-verify-none-rust.yml b/rules/rust/security/ssl-verify-none-rust.yml deleted file mode 100644 index 1affd65f..00000000 --- a/rules/rust/security/ssl-verify-none-rust.yml +++ /dev/null 
@@ -1,87 +0,0 @@ -id: ssl-verify-none-rust -language: rust -severity: warning -message: >- - SSL verification disabled, this allows for MitM attacks -note: >- - [CWE-295]: Improper Certificate Validation - [REFERENCES] - - https://docs.rs/openssl/latest/openssl/ssl/struct.SslContextBuilder.html#method.set_verify - -rule: - kind: call_expression - any: - - pattern: $BUILDER.set_verify(open::ssl::SSL_VERIFY_NONE) - inside: - stopBy: end - kind: source_file - has: - kind: use_declaration - any: - - pattern: use openssl; - - pattern: use openssl::ssl; - - pattern: use openssl::ssl::SSL_VERIFY_NONE; - - has: - stopBy: end - kind: use_list - has: - stopBy: end - kind: identifier - pattern: SSL_VERIFY_NONE - - pattern: $BUILDER.set_verify(ssl::SSL_VERIFY_NONE) - inside: - stopBy: end - kind: source_file - has: - kind: use_declaration - any: - - pattern: use openssl::ssl; - - pattern: use openssl::ssl::SSL_VERIFY_NONE; - - has: - stopBy: end - kind: use_list - has: - stopBy: end - kind: identifier - pattern: SSL_VERIFY_NONE - - pattern: $BUILDER.set_verify(SSL_VERIFY_NONE) - inside: - stopBy: end - kind: source_file - has: - kind: use_declaration - any: - - pattern: use openssl; - - pattern: use openssl::ssl; - - pattern: use openssl::ssl::SSL_VERIFY_NONE; - - has: - stopBy: end - kind: use_list - has: - stopBy: end - kind: identifier - pattern: SSL_VERIFY_NONE - - pattern: $BUILDER.set_verify($ALIAS) - inside: - stopBy: end - kind: source_file - has: - kind: use_declaration - any: - - pattern: use openssl::ssl::SSL_VERIFY_NONE as $ALIAS; - - has: - stopBy: end - kind: use_list - has: - stopBy: end - kind: use_as_clause - all: - - has: - kind: identifier - field: path - pattern: SSL_VERIFY_NONE - - has: - kind: identifier - field: alias - pattern: $ALIAS - - pattern: $BUILDER.set_verify(open::ssl::SSL_VERIFY_NONE); 
diff --git a/rules/rust/security/tokio-postgres-empty-password-rust.yml b/rules/rust/security/tokio-postgres-empty-password-rust.yml deleted file mode 100644 index 2cf734cf..00000000 --- a/rules/rust/security/tokio-postgres-empty-password-rust.yml +++ /dev/null 
@@ -1,124 +0,0 @@ -id: tokio-postgres-empty-password-rust -language: rust -severity: warning -message: >- - The application uses an empty credential. This can lead to unauthorized - access by either an internal or external malicious actor. It is - recommended to rotate the secret and retrieve them from a secure secret - vault or Hardware Security Module (HSM), alternatively environment - variables can be used if allowed by your company policy. -note: >- - [CWE-287] Improper Authentication. - [REFERENCES] - - https://docs.rs/tokio-postgres/latest/tokio_postgres/ - - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures -utils: - MATCH_PATTERN_WITH_INSTANCE: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - all: - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - all: - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $C - - has: - stopBy: neighbor - kind: arguments - - has: - stopBy: neighbor - kind: field_identifier - - has: - stopBy: neighbor - kind: arguments - - has: - stopBy: neighbor - kind: field_identifier - regex: "^password$" - - has: - stopBy: neighbor - kind: arguments - regex: \(\s*\"\"\s*\) - - inside: - stopBy: end - kind: expression_statement - follows: - stopBy: end - kind: let_declaration - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $C - - has: - stopBy: neighbor - kind: call_expression - pattern: tokio_postgres::Config::new() - - MATCH_PATTERN_DIRECTLY: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - all: - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - all: - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - has: - stopBy: 
neighbor - kind: call_expression - pattern: tokio_postgres::Config::new() - - has: - stopBy: neighbor - kind: arguments - - has: - stopBy: neighbor - kind: field_identifier - - has: - stopBy: neighbor - kind: arguments - - has: - stopBy: neighbor - kind: field_identifier - regex: "^password$" - - has: - stopBy: neighbor - kind: arguments - regex: \(\s*\"\"\s*\) - -rule: - kind: call_expression - any: - - matches: MATCH_PATTERN_WITH_INSTANCE - - matches: MATCH_PATTERN_DIRECTLY diff --git a/rules/rust/security/tokio-postgres-hardcoded-password-rust.yml b/rules/rust/security/tokio-postgres-hardcoded-password-rust.yml deleted file mode 100644 index 62254013..00000000 --- a/rules/rust/security/tokio-postgres-hardcoded-password-rust.yml +++ /dev/null 
@@ -1,135 +0,0 @@ -id: tokio-postgres-hardcoded-password-rust -language: rust -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. It is - recommended to rotate the secret and retrieve them from a secure secret - vault or Hardware Security Module (HSM), alternatively environment - variables can be used if allowed by your company policy. -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://docs.rs/tokio-postgres/latest/tokio_postgres/ - - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures -utils: - MATCH_PATTERN_WITH_INSTANCE: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - all: - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - all: - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $C - - has: - stopBy: neighbor - kind: arguments - - has: - stopBy: neighbor - kind: field_identifier - - has: - stopBy: neighbor - kind: arguments - - has: - stopBy: neighbor - kind: field_identifier - regex: "^password$" - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: string_literal - has: - stopBy: neighbor - kind: string_content - - inside: - stopBy: end - kind: expression_statement - follows: - stopBy: end - kind: let_declaration - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $C - - has: - stopBy: neighbor - kind: call_expression - pattern: tokio_postgres::Config::new() - - MATCH_PATTERN_DIRECTLY: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - all: - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - 
kind: field_expression - all: - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: field_expression - has: - stopBy: neighbor - kind: call_expression - pattern: tokio_postgres::Config::new() - - has: - stopBy: neighbor - kind: arguments - - has: - stopBy: neighbor - kind: field_identifier - - has: - stopBy: neighbor - kind: arguments - - has: - stopBy: neighbor - kind: field_identifier - regex: "^password$" - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: string_literal - has: - stopBy: neighbor - kind: string_content - -rule: - kind: call_expression - any: - - matches: MATCH_PATTERN_WITH_INSTANCE - - matches: MATCH_PATTERN_DIRECTLY diff --git a/rules/rust/security/unsafe-usage.yml b/rules/rust/security/unsafe-usage.yml deleted file mode 100644 index bcb5c31b..00000000 --- a/rules/rust/security/unsafe-usage.yml +++ /dev/null @@ -1,12 +0,0 @@ -id: unsafe-usage -language: rust -severity: warning -message: >- - Found use of unsafe code. Unsafe code should be avoided whenever possible. - Instead, prefer safe code and use unsafe code only when necessary. -note: >- - [CWE-242]: Use of Inherently Dangerous Function - [REFERENCES] - - https://doc.rust-lang.org/std/keyword.unsafe.html -rule: - pattern: unsafe { $$$ } \ No newline at end of file diff --git a/rules/scala/security/rsa-padding-set-scala.yml b/rules/scala/security/rsa-padding-set-scala.yml deleted file mode 100644 index b4601500..00000000 --- a/rules/scala/security/rsa-padding-set-scala.yml +++ /dev/null 
@@ -1,18 +0,0 @@ -id: rsa-padding-set-scala -language: scala -severity: warning -message: >- - Usage of RSA without OAEP (Optimal Asymmetric Encryption Padding) may - weaken encryption. This could lead to sensitive data exposure. Instead, - use RSA with `OAEPWithMD5AndMGF1Padding` instead. - -note: >- - [CWE-780] Use of RSA Algorithm without OAEP - [REFERENCES] - - https://owasp.org/Top10/A02_2021-Cryptographic_Failures -rule: - any: - - pattern: $CIPHER.getInstance($MODE) -constraints: - MODE: - regex: ".*RSA/.*/NoPadding.*" diff --git a/rules/scala/security/xmlinputfactory-dtd-enabled-scala.yml b/rules/scala/security/xmlinputfactory-dtd-enabled-scala.yml deleted file mode 100644 index 732fddc9..00000000 --- a/rules/scala/security/xmlinputfactory-dtd-enabled-scala.yml +++ /dev/null @@ -1,22 +0,0 @@ -id: xmlinputfactory-dtd-enabled-scala -language: scala -severity: warning -message: >- - XMLInputFactory being instantiated without calling the setProperty - functions that are generally used for disabling entity processing. User - controlled data in XML Document builder can result in XML Internal Entity - Processing vulnerabilities like the disclosure of confidential data, - denial of service, Server Side Request Forgery (SSRF), port scanning. Make - sure to disable entity processing functionality. -note: >- - [CWE-611] Improper Restriction of XML External Entity. - [REFERENCES] - - https://owasp.org/Top10/A05_2021-Security_Misconfiguration -rule: - any: - - pattern: XMLInputFactory.newFactory($$$) - - pattern: XMLInputFactory.newInstance($$$) - - pattern: new XMLInputFactory($$$) -precedes: - not: - pattern: $XMLFACTORY.setProperty(javax.xml.stream.isSupportingExternalEntities, false) diff --git a/rules/swift/security/aes-hardcoded-secret-swift.yml b/rules/swift/security/aes-hardcoded-secret-swift.yml deleted file mode 100644 index 6f9ba968..00000000 --- a/rules/swift/security/aes-hardcoded-secret-swift.yml +++ /dev/null 
@@ -1,285 +0,0 @@ -id: aes-hardcoded-secret-swift -language: swift -severity: warning -message: >- - A secret is hard-coded in the application. Secrets stored in source - code, such as credentials, identifiers, and other types of sensitive data, - can be leaked and used by internal or external malicious actors. Use - environment variables to securely provide credentials and other secrets or - retrieve them from a secure vault or Hardware Security Module (HSM). -note: >- - [OWASP A07:2021]:Identification and Authentication Failures - [CWE-272]: Least Privilege Violation - [REFERENCES] - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html -utils: - match_pattern_try_expression_directly: - kind: try_expression - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: end - kind: simple_identifier - regex: "^AES$" - - has: - stopBy: end - kind: call_suffix - has: - stopBy: end - kind: value_arguments - has: - stopBy: end - kind: value_argument - all: - - has: - stopBy: end - kind: simple_identifier - regex: "^key$" - - has: - stopBy: neighbor - kind: line_string_literal - has: - stopBy: end - kind: line_str_text - - match_pattern_AES_statement_directly: - kind: call_expression - all: - - has: - stopBy: end - kind: simple_identifier - regex: "^AES$" - - has: - stopBy: end - kind: call_suffix - has: - stopBy: end - kind: value_arguments - has: - stopBy: end - kind: value_argument - all: - - has: - stopBy: end - kind: simple_identifier - regex: "^key$" - - has: - stopBy: end - kind: line_string_literal - has: - stopBy: neighbor - kind: line_str_text - - not: - inside: - stopBy: end - kind: try_expression - - match_pattern_AES_expression_with_instance: - kind: call_expression - all: - - has: - stopBy: end - kind: simple_identifier - regex: "^AES$" - - has: - stopBy: end - kind: call_suffix - has: - stopBy: end - kind: value_arguments - has: - stopBy: end - kind: value_argument - all: - - has: - stopBy: end - kind: 
simple_identifier - regex: "^key$" - - has: - stopBy: end - kind: simple_identifier - nthChild: 2 - pattern: $R - - not: - inside: - stopBy: neighbor - kind: try_expression - - follows: - stopBy: end - kind: property_declaration - all: - - has: - stopBy: end - kind: pattern - has: - stopBy: end - kind: simple_identifier - pattern: $R - - has: - stopBy: neighbor - kind: call_expression - pattern: Array("$$$".utf8) - - match_pattern_try_expression_with_instance: - kind: try_expression - all: - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: end - kind: simple_identifier - regex: "^AES$" - - has: - stopBy: end - kind: call_suffix - has: - stopBy: end - kind: value_arguments - has: - stopBy: end - kind: value_argument - all: - - has: - stopBy: end - kind: simple_identifier - regex: "^key$" - - has: - stopBy: end - kind: simple_identifier - nthChild: 2 - pattern: $R - - follows: - stopBy: end - kind: property_declaration - all: - - has: - stopBy: end - kind: pattern - has: - stopBy: end - kind: simple_identifier - pattern: $R - - has: - stopBy: neighbor - kind: call_expression - pattern: Array("$$$".utf8) - - match_pattern_AES_expression_with_utf8: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: simple_identifier - regex: "^AES$" - - has: - stopBy: neighbor - kind: call_suffix - has: - stopBy: end - kind: value_argument - all: - - has: - stopBy: end - kind: simple_identifier - regex: "^key$" - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: simple_identifier - regex: "^Array$" - - has: - stopBy: neighbor - kind: call_suffix - has: - stopBy: end - kind: value_argument - has: - stopBy: neighbor - kind: navigation_expression - all: - - has: - stopBy: neighbor - kind: line_string_literal - has: - stopBy: neighbor - kind: line_str_text - - has: - stopBy: neighbor - kind: navigation_suffix - has: - stopBy: neighbor - kind: simple_identifier - regex: "^utf8$" - - 
match_pattern_try_expression_with_utf8: - kind: try_expression - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: simple_identifier - regex: "^AES$" - - has: - stopBy: neighbor - kind: call_suffix - has: - stopBy: end - kind: value_argument - all: - - has: - stopBy: neighbor - kind: simple_identifier - regex: "^key$" - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: simple_identifier - regex: "^Array$" - - has: - stopBy: neighbor - kind: call_suffix - has: - stopBy: end - kind: value_argument - has: - stopBy: neighbor - kind: navigation_expression - all: - - has: - stopBy: neighbor - kind: line_string_literal - has: - stopBy: neighbor - kind: line_str_text - - has: - stopBy: neighbor - kind: navigation_suffix - has: - stopBy: neighbor - kind: simple_identifier - regex: "^utf8$" -rule: - any: - - kind: try_expression - any: - - matches: match_pattern_try_expression_directly - - matches: match_pattern_try_expression_with_instance - - matches: match_pattern_try_expression_with_utf8 - - - kind: call_expression - any: - - matches: match_pattern_AES_statement_directly - - matches: match_pattern_AES_expression_with_instance - - matches: match_pattern_AES_expression_with_utf8 diff --git a/rules/swift/security/insecure-biometrics-swift.yml b/rules/swift/security/insecure-biometrics-swift.yml deleted file mode 100644 index 8ea5a821..00000000 --- a/rules/swift/security/insecure-biometrics-swift.yml +++ /dev/null 
@@ -1,19 +0,0 @@ -id: insecure-biometrics-swift -language: swift -severity: info -message: >- - The application was observed to leverage biometrics via Local - Authentication, which returns a simple boolean result for authentication. - This design is subject to bypass with runtime tampering tools such as - Frida, Substrate, and others. Although this is limited to rooted - (jailbroken) devices, consider implementing biometric authentication the - reliable way - via Keychain Services. -note: >- - [CWE-305] Authentication Bypass by Primary Weakness - [REFERENCES] - - https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication - - https://shirazkhan030.medium.com/biometric-authentication-in-ios-6c53c54f17df -rule: - any: - - pattern: LAContext.evaluatePolicy - - pattern: $X.evaluatePolicy diff --git a/rules/swift/security/swift-webview-config-allows-js-open-windows-swift.yml b/rules/swift/security/swift-webview-config-allows-js-open-windows-swift.yml deleted file mode 100644 index 80b4ff8d..00000000 --- a/rules/swift/security/swift-webview-config-allows-js-open-windows-swift.yml +++ /dev/null 
@@ -1,62 +0,0 @@ -id: swift-webview-config-allows-js-open-windows-swift -language: swift -severity: warning -message: >- - Webviews were observed that explictly allow JavaScript in an WKWebview - to open windows automatically. Consider disabling this functionality if - not required, following the principle of least privelege. -note: >- - [CWE-272]: Least Privilege Violation - [REFERENCES] - https://mas.owasp.org/MASVS/controls/MASVS-PLATFORM-2/ - https://developer.apple.com/documentation/webkit/wkpreferences/1536573-javascriptcanopenwindowsautomati -utils: - match_JavaScriptCanOpenWindowsAutomatically: - kind: assignment - all: - - has: - stopBy: end - kind: navigation_expression - has: - stopBy: end - kind: simple_identifier - pattern: $R - - has: - stopBy: end - kind: navigation_suffix - has: - stopBy: end - kind: simple_identifier - regex: "^JavaScriptCanOpenWindowsAutomatically$" - - has: - kind: boolean_literal - regex: "^true$" - - follows: - stopBy: end - kind: property_declaration - has: - stopBy: end - kind: pattern - has: - kind: simple_identifier - pattern: $R - - not: - precedes: - stopBy: neighbor - kind: assignment - has: - stopBy: end - kind: boolean_literal - regex: "^true$|false" - - not: - follows: - stopBy: neighbor - kind: assignment - has: - stopBy: end - kind: boolean_literal - regex: "^true" - -rule: - any: - - matches: match_JavaScriptCanOpenWindowsAutomatically diff --git a/rules/swift/security/swift-webview-config-allows-universal-file-access-swift.yml b/rules/swift/security/swift-webview-config-allows-universal-file-access-swift.yml deleted file mode 100644 index acf760d4..00000000 --- a/rules/swift/security/swift-webview-config-allows-universal-file-access-swift.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -id: swift-webview-config-allows-universal-file-access-swift -severity: warning -language: swift -message: >- - Webviews were observed that do not disable access to application files. - If the WebView does not require loading content from the local filesystem - of the application, this setting should be disabled. -note: >- - [CWE-272] Least Privilege Violation. - [REFERENCES] - - https://mas.owasp.org/MASVS/controls/MASVS-PLATFORM-2/ -utils: - match_pattern_two: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: navigation_expression - all: - - has: - stopBy: neighbor - kind: simple_identifier - pattern: $W - - has: - stopBy: neighbor - kind: navigation_suffix - has: - stopBy: neighbor - kind: simple_identifier - regex: "^setValue$" - - has: - stopBy: neighbor - kind: call_suffix - all: - - has: - stopBy: end - kind: value_argument - has: - stopBy: neighbor - kind: boolean_literal - regex: "^true$" - - has: - stopBy: end - kind: value_argument - all: - - has: - stopBy: end - kind: simple_identifier - regex: "^forKey$" - - has: - stopBy: neighbor - kind: line_string_literal - has: - stopBy: neighbor - kind: line_str_text - regex: "^allowUniversalAccessFromFileURLs$" - - follows: - stopBy: end - kind: property_declaration - all: - - has: - stopBy: end - kind: pattern - has: - stopBy: neighbor - kind: simple_identifier - pattern: $W - - any: - - has: - stopBy: neighbor - kind: navigation_expression - - has: - stopBy: neighbor - kind: call_expression - - not: - precedes: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: navigation_expression - all: - - has: - stopBy: neighbor - kind: simple_identifier - pattern: $W - - has: - stopBy: neighbor - kind: navigation_suffix - has: - stopBy: neighbor - kind: simple_identifier - regex: "^setValue$" - - has: - stopBy: neighbor - kind: call_suffix - all: - - has: - stopBy: end - kind: value_argument - has: - stopBy: neighbor - kind: boolean_literal - regex: 
"^false$" - - has: - stopBy: end - kind: value_argument - all: - - has: - stopBy: end - kind: simple_identifier - regex: "^forKey$" - - has: - stopBy: neighbor - kind: line_string_literal - has: - stopBy: neighbor - kind: line_str_text - regex: "^allowUniversalAccessFromFileURLs$" - - match_pattern_one: - kind: call_expression - all: - - has: - stopBy: neighbor - kind: navigation_expression - all: - - has: - stopBy: neighbor - kind: navigation_expression - all: - - has: - stopBy: end - kind: simple_identifier - pattern: $L - - has: - stopBy: neighbor - kind: navigation_suffix - has: - stopBy: neighbor - kind: simple_identifier - regex: "^configuration$" - - has: - stopBy: neighbor - kind: navigation_suffix - has: - stopBy: neighbor - kind: simple_identifier - regex: "^setValue$" - - has: - stopBy: neighbor - kind: call_suffix - has: - stopBy: neighbor - kind: value_arguments - all: - - has: - stopBy: neighbor - kind: value_argument - has: - stopBy: neighbor - kind: boolean_literal - regex: "^true$" - - has: - stopBy: neighbor - kind: value_argument - all: - - has: - stopBy: neighbor - kind: simple_identifier - regex: "^forKey$" - - has: - stopBy: neighbor - kind: line_string_literal - has: - stopBy: neighbor - kind: line_str_text - regex: "^allowUniversalAccessFromFileURLs$" - - follows: - stopBy: neighbor - kind: property_declaration - all: - - has: - stopBy: end - kind: pattern - has: - stopBy: neighbor - kind: simple_identifier - pattern: $L - - has: - stopBy: neighbor - kind: call_expression -rule: - kind: call_expression - any: - - matches: match_pattern_two - - matches: match_pattern_one diff --git a/rules/swift/security/swift-webview-config-fraudulent-site-warning-swift.yml b/rules/swift/security/swift-webview-config-fraudulent-site-warning-swift.yml deleted file mode 100644 index 4704a735..00000000 --- a/rules/swift/security/swift-webview-config-fraudulent-site-warning-swift.yml +++ /dev/null 
@@ -1,58 +0,0 @@ -id: swift-webview-config-fraudulent-site-warning-swift -language: swift -severity: warning -message: >- - Webviews were observed that explicitly opt ouf of the WKWebView - fraudulent site warnings. Consider enabling such functionality, to better - protect your users from fraud/malware. -note: >- - [CWE-272]: Least Privilege Violation - [REFERENCES] - https://mas.owasp.org/MASVS/controls/MASVS-PLATFORM-2/ -utils: - match_isFraudulentWebsiteWarningEnabled: - kind: assignment - all: - - has: - stopBy: end - kind: navigation_expression - has: - stopBy: end - kind: simple_identifier - pattern: $R - - has: - stopBy: end - kind: navigation_suffix - has: - stopBy: end - kind: simple_identifier - regex: "^isFraudulentWebsiteWarningEnabled$" - - has: - kind: boolean_literal - regex: "^false$" - - follows: - stopBy: end - kind: property_declaration - has: - stopBy: end - kind: pattern - has: - kind: simple_identifier - pattern: $R - - not: - precedes: - kind: assignment - has: - kind: boolean_literal - regex: "false$|true" - - not: - follows: - stopBy: end - kind: assignment - has: - stopBy: end - kind: boolean_literal - regex: "^false" -rule: - any: - - matches: match_isFraudulentWebsiteWarningEnabled diff --git a/rules/swift/security/swift-webview-config-https-upgrade-swift.yml b/rules/swift/security/swift-webview-config-https-upgrade-swift.yml deleted file mode 100644 index 726479f8..00000000 --- a/rules/swift/security/swift-webview-config-https-upgrade-swift.yml +++ /dev/null 
@@ -1,113 +0,0 @@ -id: swift-webview-config-https-upgrade-swift -severity: warning -language: swift -message: >- - Webviews were observed that do not enable the - `upgradeKnownHostsToHTTPS` feature. This feature will ensure accidental - HTTP connections are automatically upgraded to HTTPS, avoiding potential - data leakage over the network. -note: >- - [CWE-272] Least Privilege Violation. - [REFERENCES] - - https://developer.apple.com/documentation/webkit/wkwebviewconfiguration/3752243-upgradeknownhoststohttps - - https://mas.owasp.org/MASVS/controls/MASVS-PLATFORM-2/ -utils: - match_pattern_upgradeKnownHostsToHTTPS: - kind: assignment - all: - - has: - stopBy: neighbor - kind: directly_assignable_expression - all: - - has: - stopBy: end - kind: simple_identifier - pattern: $F - - has: - stopBy: end - kind: navigation_suffix - has: - stopBy: neighbor - kind: simple_identifier - regex: "^upgradeKnownHostsToHTTPS$" - - has: - stopBy: neighbor - regex: "^=$" - - has: - stopBy: neighbor - kind: boolean_literal - regex: "^false$" - - follows: - stopBy: end - kind: property_declaration - all: - - has: - stopBy: end - kind: pattern - has: - stopBy: neighbor - kind: simple_identifier - pattern: $F - - has: - stopBy: neighbor - kind: call_expression - pattern: WKWebViewConfiguration() - - not: - follows: - stopBy: end - kind: assignment - all: - - has: - stopBy: neighbor - kind: directly_assignable_expression - all: - - has: - stopBy: end - kind: simple_identifier - pattern: $F - - has: - stopBy: end - kind: navigation_suffix - has: - stopBy: neighbor - kind: simple_identifier - regex: "^upgradeKnownHostsToHTTPS$" - - has: - stopBy: neighbor - regex: "^=$" - - has: - stopBy: neighbor - kind: boolean_literal - regex: "^false$" - - not: - precedes: - stopBy: neighbor - kind: assignment - all: - - all: - - has: - stopBy: neighbor - kind: directly_assignable_expression - all: - - has: - stopBy: end - kind: simple_identifier - pattern: $F - - has: - stopBy: end - kind: 
navigation_suffix - has: - stopBy: neighbor - kind: simple_identifier - regex: "^upgradeKnownHostsToHTTPS$" - - has: - stopBy: neighbor - regex: "^=$" - - has: - stopBy: neighbor - kind: boolean_literal - regex: "^false$" - -rule: - kind: assignment - matches: match_pattern_upgradeKnownHostsToHTTPS diff --git a/rules/typescript/.gitkeep b/rules/typescript/.gitkeep deleted file mode 100644 index e69de29b..00000000 diff --git a/rules/typescript/jwt/jwt-none-alg-typescript.yml b/rules/typescript/jwt/jwt-none-alg-typescript.yml deleted file mode 100644 index 1badeba2..00000000 --- a/rules/typescript/jwt/jwt-none-alg-typescript.yml +++ /dev/null 
@@ -1,46 +0,0 @@ -id: jwt-none-alg-typescript -language: typescript -severity: warning -message: >- - Detected use of the 'none' algorithm in a JWT token. The 'none' - algorithm assumes the integrity of the token has already been verified. - This would allow a malicious actor to forge a JWT token that will - automatically be verified. Do not explicitly use the 'none' algorithm. - Instead, use an algorithm such as 'HS256'. -note: >- - [CWE-327] Use of a Broken or Risky Cryptographic Algorithm. - [REFERENCES] - - https://owasp.org/Top10/A02_2021-Cryptographic_Failures -rule: - any: - - pattern: const $T = JWT.verify($P, JWK.None); - follows: - pattern: const { JWK, JWT } = $JOSE; - follows: - pattern: const $JOSE = require("jose"); - - pattern: $T = JWT.verify($P, JWK.None); - follows: - pattern: const { JWK, JWT } = $JOSE; - follows: - pattern: const $JOSE = require("jose"); - - pattern: JWT.verify($P, JWK.None); - follows: - pattern: const { JWK, JWT } = $JOSE; - follows: - pattern: const $JOSE = require("jose"); - - - pattern: var $T = JWT.verify($P, JWK.None); - follows: - pattern: var { JWK, JWT } = $JOSE; - follows: - pattern: var $JOSE = require("jose"); - - pattern: $T = JWT.verify($P, JWK.None); - follows: - pattern: var { JWK, JWT } = $JOSE; - follows: - pattern: var $JOSE = require("jose"); - - pattern: JWT.verify($P, JWK.None); - follows: - pattern: var { JWK, JWT } = $JOSE; - follows: - pattern: var $JOSE = require("jose"); diff --git a/rules/typescript/jwt/jwt-simple-noverify-ts.yml b/rules/typescript/jwt/jwt-simple-noverify-ts.yml deleted file mode 100644 index 2f58eb0f..00000000 --- a/rules/typescript/jwt/jwt-simple-noverify-ts.yml +++ /dev/null 
@@ -1,45 +0,0 @@ -id: jwt-simple-noverify-ts -language: TypeScript -severity: warning -message: >- - "Detected the decoding of a JWT token without a verify step. JWT tokens - must be verified before use, otherwise the token's integrity is unknown. - This means a malicious actor could forge a JWT token with any claims. Set - 'verify' to `true` before using the token." -note: >- - [CWE-287] Improper Authentication - [CWE-345] Insufficient Verification of Data Authenticity - [CWE-347] Improper Verification of Cryptographic Signature - [REFERENCES] - - https://www.npmjs.com/package/jwt-simple - - https://cwe.mitre.org/data/definitions/287 - - https://cwe.mitre.org/data/definitions/345 - - https://cwe.mitre.org/data/definitions/347 -rule: - kind: call_expression - any: - - pattern: $JWT.decode($TOKEN, $SECRET, true $$$) - - pattern: $JWT.decode($TOKEN, $SECRET, "$$$" $$$) - - pattern: $JWT.decode($TOKEN, $SECRET, '$$$' $$$) - - pattern: $JWT.decode($TOKEN, $SECRET, `$$$` $$$) - inside: - kind: expression_statement - stopBy: end - follows: - stopBy: end - any: - - kind: lexical_declaration - all: - - has: - stopBy: end - kind: identifier - pattern: $JWT - - has: - stopBy: end - kind: call_expression - pattern: require('jwt-simple') - - kind: expression_statement - has: - stopBy: end - kind: assignment_expression - pattern: $JWT = require('jwt-simple') diff --git a/rules/typescript/security/detect-angular-sce-disabled-typescript.yml b/rules/typescript/security/detect-angular-sce-disabled-typescript.yml deleted file mode 100644 index 68c6f54c..00000000 --- a/rules/typescript/security/detect-angular-sce-disabled-typescript.yml +++ /dev/null 
@@ -1,15 +0,0 @@ -id: detect-angular-sce-disabled-typescript -language: typescript -severity: warning -message: >- - $sceProvider is set to false. Disabling Strict Contextual escaping - (SCE) in an AngularJS application could provide additional attack surface - for XSS vulnerabilities. -note: >- - [CWE-79] Improper Neutralization of Input During Web Page Generation. - [REFERENCES] - - https://docs.angularjs.org/api/ng/service/$sce - - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf -rule: - pattern: | - $sceProvider.enabled(false); diff --git a/rules/typescript/security/express-jwt-hardcoded-secret-typescript.yml b/rules/typescript/security/express-jwt-hardcoded-secret-typescript.yml deleted file mode 100644 index dae5ebae..00000000 --- a/rules/typescript/security/express-jwt-hardcoded-secret-typescript.yml +++ /dev/null 
@@ -1,288 +0,0 @@ -id: express-jwt-hardcoded-secret-typescript -language: typescript -severity: warning -message: >- - A hard-coded credential was detected. It is not recommended to store - credentials in source-code, as this risks secrets being leaked and used by - either an internal or external malicious adversary. It is recommended to - use environment variables to securely provide credentials or retrieve - credentials from a secure vault or HSM (Hardware Security Module). -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html -utils: - MATCH_SECRET_DIRECTLY: - kind: pair - inside: - stopBy: end - kind: expression_statement - all: - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $E - - has: - stopBy: end - kind: arguments - has: - stopBy: end - kind: object - has: - stopBy: neighbor - kind: pair - all: - - has: - stopBy: neighbor - kind: property_identifier - regex: "^secret$" - - has: - stopBy: neighbor - kind: string - - - any: - - follows: - stopBy: end - kind: variable_declaration - has: - stopBy: end - kind: variable_declarator - all: - - has: - stopBy: end - kind: identifier - pattern: $E - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^require$" - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^express-jwt$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: end - kind: import_clause - has: - stopBy: neighbor - kind: identifier - pattern: $E - - has: - stopBy: neighbor - kind: string - has: - stopBy: end - kind: string_fragment - regex: "^express-jwt$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: end - kind: import_clause - has: - stopBy: end - kind: namespace_import - has: 
- stopBy: end - kind: identifier - pattern: $E - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^express-jwt$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: neighbor - kind: named_imports - has: - stopBy: neighbor - kind: import_specifier - has: - stopBy: end - kind: identifier - pattern: $E - - has: - stopBy: end - kind: string - has: - stopBy: end - kind: string_fragment - regex: "^express-jwt$" - - MATCH_PATTERN_WITH_INSTANCE: - kind: pair - inside: - stopBy: end - kind: expression_statement - all: - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $E - - has: - stopBy: end - kind: arguments - has: - stopBy: end - kind: object - has: - stopBy: neighbor - kind: pair - all: - - has: - stopBy: neighbor - kind: property_identifier - regex: "^secret$" - - has: - stopBy: neighbor - kind: identifier - pattern: $F - - follows: - stopBy: end - kind: lexical_declaration - has: - stopBy: end - kind: variable_declarator - all: - - has: - stopBy: neighbor - kind: identifier - pattern: $F - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - - any: - - follows: - stopBy: end - kind: variable_declaration - has: - stopBy: end - kind: variable_declarator - all: - - has: - stopBy: end - kind: identifier - pattern: $E - - has: - stopBy: neighbor - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^require$" - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^express-jwt$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: end - kind: import_clause - has: - stopBy: neighbor - kind: identifier - pattern: $E - - has: - stopBy: neighbor - kind: string - has: - stopBy: end - kind: string_fragment - 
regex: "^express-jwt$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: end - kind: import_clause - has: - stopBy: end - kind: namespace_import - has: - stopBy: end - kind: identifier - pattern: $E - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^express-jwt$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: neighbor - kind: named_imports - has: - stopBy: neighbor - kind: import_specifier - has: - stopBy: end - kind: identifier - pattern: $E - - has: - stopBy: end - kind: string - has: - stopBy: end - kind: string_fragment - regex: "^express-jwt$" - -rule: - kind: pair - any: - - matches: MATCH_SECRET_DIRECTLY - - matches: MATCH_PATTERN_WITH_INSTANCE diff --git a/rules/typescript/security/express-session-hardcoded-secret-typescript.yml b/rules/typescript/security/express-session-hardcoded-secret-typescript.yml deleted file mode 100644 index c1b6ccc5..00000000 --- a/rules/typescript/security/express-session-hardcoded-secret-typescript.yml +++ /dev/null 
@@ -1,256 +0,0 @@ -id: express-session-hardcoded-secret-typescript -language: typescript -severity: warning -message: >- - A hard-coded credential was detected. It is not recommended to store - credentials in source-code, as this risks secrets being leaked and used by - either an internal or external malicious adversary. It is recommended to - use environment variables to securely provide credentials or retrieve - credentials from a secure vault or HSM (Hardware Security Module). -note: >- - [CWE-798] Use of Hard-coded Credentials. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html -utils: - MATCH_SECRET: - kind: pair - pattern: $C - inside: - stopBy: end - kind: lexical_declaration - all: - - has: - stopBy: end - kind: variable_declarator - has: - stopBy: end - kind: object - has: - stopBy: end - kind: pair - pattern: $C - all: - - has: - stopBy: end - kind: property_identifier - pattern: $S - - has: - stopBy: end - kind: string - has: - stopBy: end - kind: string_fragment - - - any: - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: end - kind: import_clause - has: - stopBy: neighbor - kind: identifier - pattern: $T - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^express-session$" - - - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment_expression - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^require$" - - has: - stopBy: end - kind: arguments - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^express-session$" - - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: neighbor - kind: namespace_import - has: - stopBy: neighbor - kind: identifier - pattern: $T - - has: - stopBy: neighbor - kind: string - has: - 
stopBy: neighbor - kind: string_fragment - regex: "^express-session$" - - MATCH_SECRET_INSIDE_APP: - kind: pair - pattern: $C - inside: - stopBy: end - kind: expression_statement - all: - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: end - kind: member_expression - all: - - has: - stopBy: end - kind: identifier - - has: - stopBy: end - kind: property_identifier - regex: "^use$" - - has: - stopBy: end - kind: arguments - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $T - - has: - stopBy: end - kind: object - has: - stopBy: end - kind: pair - pattern: $C - all: - - has: - stopBy: end - kind: property_identifier - pattern: $S - - any: - - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: neighbor - kind: string - - - any: - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: end - kind: import_clause - has: - stopBy: neighbor - kind: identifier - pattern: $T - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^express-session$" - - - follows: - stopBy: end - kind: expression_statement - has: - stopBy: end - kind: assignment_expression - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^require$" - - has: - stopBy: end - kind: arguments - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^express-session$" - - - follows: - stopBy: end - kind: import_statement - has: - stopBy: end - kind: import_clause - all: - - has: - stopBy: end - kind: named_imports - has: - stopBy: end - kind: import_specifier - has: - stopBy: end - kind: identifier - pattern: $T - - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: neighbor - kind: namespace_import - has: - stopBy: neighbor - kind: identifier - pattern: $T - - has: - stopBy: neighbor - 
kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^express-session$" -rule: - kind: pair - any: - - matches: MATCH_SECRET - - matches: MATCH_SECRET_INSIDE_APP - -constraints: - S: - regex: "^secret$" diff --git a/rules/typescript/security/node-rsa-weak-key-typescript.yml b/rules/typescript/security/node-rsa-weak-key-typescript.yml deleted file mode 100644 index e92b05ff..00000000 --- a/rules/typescript/security/node-rsa-weak-key-typescript.yml +++ /dev/null 
@@ -1,577 +0,0 @@ -id: node-rsa-weak-key-typescript -language: typescript -severity: warning -message: >- - Use of RSA-$BITS, which is considered weak. Based on NIST standards, - RSA keys should be at least 2048 bits. -note: >- - [CWE-326] Inadequate Encryption Strength. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms -utils: - MATCH_BITS_DIRECTLY_NODE_FORGE: - kind: number - pattern: $R - inside: - stopBy: end - kind: lexical_declaration - all: - - has: - stopBy: end - kind: variable_declarator - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: end - kind: member_expression - has: - stopBy: end - kind: member_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $A - - has: - stopBy: end - kind: property_identifier - regex: "^rsa$" - - has: - stopBy: end - kind: arguments - has: - stopBy: end - kind: number - pattern: $R - - any: - - follows: - stopBy: end - kind: lexical_declaration - has: - stopBy: end - kind: variable_declarator - all: - - has: - stopBy: end - kind: identifier - pattern: $A - - has: - stopBy: end - kind: member_expression - all: - - has: - stopBy: end - kind: identifier - - has: - stopBy: neighbor - kind: property_identifier - regex: "^pki$" - - any: - - follows: - stopBy: end - kind: lexical_declaration - has: - stopBy: end - kind: variable_declarator - all: - - has: - stopBy: end - kind: identifier - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^require$" - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^node-forge$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: end - kind: namespace_import - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: end - kind: string - has: - stopBy: neighbor - 
kind: string_fragment - regex: "^node-forge$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^node-forge$" - MATCH_BITS_DIRECTLY_NODE_RSA: - kind: number - pattern: $R - inside: - stopBy: end - kind: lexical_declaration - all: - - has: - stopBy: end - kind: variable_declarator - has: - stopBy: end - kind: new_expression - all: - - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: object - has: - stopBy: neighbor - kind: pair - all: - - has: - stopBy: neighbor - kind: property_identifier - - has: - stopBy: neighbor - kind: number - - any: - - follows: - stopBy: end - kind: lexical_declaration - has: - stopBy: end - kind: variable_declarator - all: - - has: - stopBy: end - kind: identifier - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^require$" - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^node-rsa$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: end - kind: namespace_import - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: end - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^node-rsa$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^node-rsa$" - MATCH_BITS_WITHIN_FUNCTION_WITH_NODE_FORGE: - kind: number - pattern: $R - inside: - stopBy: end - kind: variable_declaration - all: - - has: - stopBy: end - kind: variable_declarator - has: - stopBy: end - kind: call_expression - all: - - has: - 
stopBy: end - kind: member_expression - - has: - stopBy: end - kind: arguments - has: - stopBy: end - kind: object - has: - stopBy: end - kind: pair - all: - - has: - stopBy: end - kind: property_identifier - - has: - stopBy: end - kind: number - pattern: $R - - any: - - follows: - stopBy: end - kind: lexical_declaration - has: - stopBy: end - kind: variable_declarator - all: - - has: - stopBy: end - kind: identifier - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^require$" - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^node-forge$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: end - kind: namespace_import - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: end - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^node-forge$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^node-forge$" - MATCH_BITS_WITHIN_FUNCTION_WITH_CRYPTO_AND_PROMISIFY: - kind: number - pattern: $R - inside: - stopBy: end - kind: lexical_declaration - all: - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: end - kind: member_expression - has: - stopBy: end - kind: property_identifier - regex: "^promisify$" - - has: - stopBy: end - kind: arguments - has: - stopBy: end - kind: member_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $E - - has: - stopBy: end - kind: property_identifier - - has: - stopBy: end - kind: arguments - all: - - has: - stopBy: end - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^rsa$" - - has: - stopBy: end - 
kind: object - has: - stopBy: neighbor - kind: pair - all: - - has: - stopBy: end - kind: property_identifier - regex: "^modulusLength$" - - any: - - follows: - stopBy: end - kind: lexical_declaration - has: - stopBy: end - kind: variable_declarator - all: - - has: - stopBy: end - kind: identifier - pattern: $E - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^require$" - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^crypto$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: end - kind: namespace_import - has: - stopBy: neighbor - kind: identifier - pattern: $E - - has: - stopBy: end - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^crypto$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^crypto$" - MATCH_BITS_WITHIN_FUNCTION_WITH_CRYPTO: - kind: number - pattern: $R - inside: - stopBy: end - kind: lexical_declaration - all: - - has: - stopBy: end - kind: variable_declarator - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: end - kind: member_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $S - - has: - stopBy: end - kind: property_identifier - - has: - stopBy: end - kind: arguments - all: - - has: - stopBy: end - kind: string - has: - stopBy: end - kind: string_fragment - regex: "^rsa$" - - has: - stopBy: end - kind: object - has: - stopBy: end - kind: pair - all: - - has: - stopBy: end - kind: property_identifier - regex: "^modulusLength$" - - has: - stopBy: neighbor - kind: number - pattern: $R - - any: - - follows: - stopBy: end - kind: lexical_declaration - has: - stopBy: end - kind: 
variable_declarator - all: - - has: - stopBy: end - kind: identifier - pattern: $S - - has: - stopBy: end - kind: call_expression - all: - - has: - stopBy: neighbor - kind: identifier - regex: "^require$" - - has: - stopBy: neighbor - kind: arguments - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^crypto$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - has: - stopBy: end - kind: namespace_import - has: - stopBy: neighbor - kind: identifier - pattern: $S - - has: - stopBy: end - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^crypto$" - - follows: - stopBy: end - kind: import_statement - all: - - has: - stopBy: neighbor - kind: import_clause - - has: - stopBy: neighbor - kind: string - has: - stopBy: neighbor - kind: string_fragment - regex: "^crypto$" -rule: - kind: number - any: - - matches: MATCH_BITS_DIRECTLY_NODE_FORGE - - matches: MATCH_BITS_DIRECTLY_NODE_RSA - - matches: MATCH_BITS_WITHIN_FUNCTION_WITH_NODE_FORGE - - matches: MATCH_BITS_WITHIN_FUNCTION_WITH_CRYPTO_AND_PROMISIFY - - matches: MATCH_BITS_WITHIN_FUNCTION_WITH_CRYPTO - -constraints: - R: - regex: '^(-?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|0|-[1-9][0-9]*|-[1-9][0-9]{2,}|-1[0-9]{3}|-20[0-3][0-9]|-204[0-7])$' diff --git a/rules/typescript/security/node-sequelize-hardcoded-secret-argument-typescript.yml b/rules/typescript/security/node-sequelize-hardcoded-secret-argument-typescript.yml deleted file mode 100644 index e4ea19f9..00000000 --- a/rules/typescript/security/node-sequelize-hardcoded-secret-argument-typescript.yml +++ /dev/null 
@@ -1,77 +0,0 @@ -id: node-sequelize-hardcoded-secret-argument-typescript -language: typescript -severity: warning -message: >- - The application creates a database connection with an empty password. - This can lead to unauthorized access by either an internal or external - malicious actor. To prevent this vulnerability, enforce authentication - when connecting to a database by using environment variables to securely - provide credentials or retrieving them from a secure vault or HSM - (Hardware Security Module). -note: >- - [CWE-287] Improper Authentication. - [REFERENCES] - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html -utils: - MATCH_BLANK_PASSWORD: - kind: string - pattern: $Q - inside: - stopBy: end - kind: lexical_declaration - all: - - has: - stopBy: end - kind: new_expression - all: - - has: - stopBy: end - kind: identifier - pattern: $E - - has: - stopBy: end - kind: arguments - nthChild: 2 - has: - stopBy: end - kind: string - nthChild: 3 - pattern: $Q - has: - stopBy: end - kind: string_fragment - - any: - - follows: - stopBy: end - kind: lexical_declaration - has: - stopBy: end - kind: variable_declarator - has: - stopBy: end - kind: identifier - pattern: $E - - follows: - stopBy: end - kind: import_statement - has: - stopBy: end - kind: import_clause - has: - stopBy: end - kind: identifier - pattern: $E - - follows: - stopBy: end - kind: import_statement - has: - stopBy: end - kind: import_clause - has: - stopBy: end - kind: identifier - pattern: $E - -rule: - kind: string - matches: MATCH_BLANK_PASSWORD diff --git a/tests/__snapshots__/aes-hardcoded-secret-swift-snapshot.yml b/tests/__snapshots__/aes-hardcoded-secret-swift-snapshot.yml deleted file mode 100644 index a151bd90..00000000 --- a/tests/__snapshots__/aes-hardcoded-secret-swift-snapshot.yml +++ /dev/null 
@@ -1,93 +0,0 @@ -id: aes-hardcoded-secret-swift -snapshots: - ? | - let password: Array = Array("s33krit".utf8) - try AES(key: password, iv: "123") - : labels: - - source: 'try AES(key: password, iv: "123")' - style: primary - start: 51 - end: 84 - - source: AES - style: secondary - start: 55 - end: 58 - - source: key - style: secondary - start: 59 - end: 62 - - source: password - style: secondary - start: 64 - end: 72 - - source: 'key: password' - style: secondary - start: 59 - end: 72 - - source: '(key: password, iv: "123")' - style: secondary - start: 58 - end: 84 - - source: '(key: password, iv: "123")' - style: secondary - start: 58 - end: 84 - - source: 'AES(key: password, iv: "123")' - style: secondary - start: 55 - end: 84 - - source: password - style: secondary - start: 4 - end: 12 - - source: password - style: secondary - start: 4 - end: 12 - - source: Array("s33krit".utf8) - style: secondary - start: 29 - end: 50 - - source: 'let password: Array = Array("s33krit".utf8)' - style: secondary - start: 0 - end: 50 - ? | - try AES(key: "hello", iv: "123") - : labels: - - source: 'try AES(key: "hello", iv: "123")' - style: primary - start: 0 - end: 32 - - source: AES - style: secondary - start: 4 - end: 7 - - source: key - style: secondary - start: 8 - end: 11 - - source: hello - style: secondary - start: 14 - end: 19 - - source: '"hello"' - style: secondary - start: 13 - end: 20 - - source: 'key: "hello"' - style: secondary - start: 8 - end: 20 - - source: '(key: "hello", iv: "123")' - style: secondary - start: 7 - end: 32 - - source: '(key: "hello", iv: "123")' - style: secondary - start: 7 - end: 32 - - source: 'AES(key: "hello", iv: "123")' - style: secondary - start: 4 - end: 32 diff --git a/tests/__snapshots__/avoid-bind-to-all-interfaces-go-snapshot.yml b/tests/__snapshots__/avoid-bind-to-all-interfaces-go-snapshot.yml deleted file mode 100644 index 7c22130f..00000000 --- a/tests/__snapshots__/avoid-bind-to-all-interfaces-go-snapshot.yml +++ /dev/null 
@@ -1,16 +0,0 @@ -id: avoid-bind-to-all-interfaces-go -snapshots: - ? | - l, err := net.Listen("tcp", "0.0.0.0:2000") - : labels: - - source: net.Listen("tcp", "0.0.0.0:2000") - style: primary - start: 10 - end: 43 - ? | - l, err := net.Listen("tcp", ":2000") - : labels: - - source: net.Listen("tcp", ":2000") - style: primary - start: 10 - end: 36 diff --git a/tests/__snapshots__/avoid-bind-to-all-interfaces-python-snapshot.yml b/tests/__snapshots__/avoid-bind-to-all-interfaces-python-snapshot.yml deleted file mode 100644 index 5a9a8c45..00000000 --- a/tests/__snapshots__/avoid-bind-to-all-interfaces-python-snapshot.yml +++ /dev/null @@ -1,62 +0,0 @@ -id: avoid-bind-to-all-interfaces-python -snapshots: - ? | - s = socket.socket(doesnt, matter) - s.bind(('',)) - s = socket.socket(doesnt, matter) - s.bind(('::', 1337)) - s = socket.socket(doesnt, matter) - s.bind(('0.0.0.0', 1337)) - : labels: - - source: s.bind(('',)) - style: primary - start: 34 - end: 47 - - source: s - style: secondary - start: 34 - end: 35 - - source: bind - style: secondary - start: 36 - end: 40 - - source: s.bind - style: secondary - start: 34 - end: 40 - - source: '''''' - style: secondary - start: 42 - end: 44 - - source: ('',) - style: secondary - start: 41 - end: 46 - - source: (('',)) - style: secondary - start: 40 - end: 47 - - source: s.bind(('',)) - style: secondary - start: 34 - end: 47 - - source: socket - style: secondary - start: 4 - end: 10 - - source: socket - style: secondary - start: 4 - end: 10 - - source: socket.socket - style: secondary - start: 4 - end: 17 - - source: socket.socket(doesnt, matter) - style: secondary - start: 4 - end: 33 - - source: s = socket.socket(doesnt, matter) - style: secondary - start: 0 - end: 33 diff --git a/tests/__snapshots__/avoid-mktemp-python-snapshot.yml b/tests/__snapshots__/avoid-mktemp-python-snapshot.yml deleted file mode 100644 index cea452c6..00000000 --- a/tests/__snapshots__/avoid-mktemp-python-snapshot.yml +++ /dev/null 
@@ -1,30 +0,0 @@
-id: avoid-mktemp-python
-snapshots:
- ? |
- from tempfile import mktemp
- ff = mktemp()
- : labels:
- - source: mktemp()
- style: primary
- start: 33
- end: 41
- - source: mktemp
- style: secondary
- start: 21
- end: 27
- - source: mktemp
- style: secondary
- start: 21
- end: 27
- - source: from tempfile import mktemp
- style: secondary
- start: 0
- end: 27
- - source: ff = mktemp()
- style: secondary
- start: 28
- end: 41
- - source: mktemp
- style: secondary
- start: 33
- end: 39
diff --git a/tests/__snapshots__/avoid_app_run_with_bad_host-python-snapshot.yml b/tests/__snapshots__/avoid_app_run_with_bad_host-python-snapshot.yml
deleted file mode 100644
index da08aa56..00000000
--- a/tests/__snapshots__/avoid_app_run_with_bad_host-python-snapshot.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-id: avoid_app_run_with_bad_host-python
-snapshots:
- ? |
- app.run(host="0.0.0.0")
- app.run("0.0.0.0")
- : labels:
- - source: app.run(host="0.0.0.0")
- style: primary
- start: 0
- end: 23
- - source: app
- style: secondary
- start: 0
- end: 3
- - source: run
- style: secondary
- start: 4
- end: 7
- - source: app.run
- style: secondary
- start: 0
- end: 7
- - source: host
- style: secondary
- start: 8
- end: 12
- - source: '"0.0.0.0"'
- style: secondary
- start: 13
- end: 22
- - source: =
- style: secondary
- start: 12
- end: 13
- - source: host="0.0.0.0"
- style: secondary
- start: 8
- end: 22
- - source: (host="0.0.0.0")
- style: secondary
- start: 7
- end: 23
diff --git a/tests/__snapshots__/bad-tmp-go-snapshot.yml b/tests/__snapshots__/bad-tmp-go-snapshot.yml
deleted file mode 100644
index ebe83c48..00000000
--- a/tests/__snapshots__/bad-tmp-go-snapshot.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: bad-tmp-go
-snapshots:
- ioutil.WriteFile("/tmp/demo2", "tmp"):
- labels:
- - source: ioutil.WriteFile("/tmp/demo2", "tmp")
- style: primary
- start: 0
- end: 37
diff --git a/tests/__snapshots__/binary-formatter-snapshot.yml b/tests/__snapshots__/binary-formatter-snapshot.yml
deleted file mode 100644
index 652f4690..00000000
--- a/tests/__snapshots__/binary-formatter-snapshot.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: binary-formatter
-snapshots:
- BinaryFormatter binaryFormatter = new BinaryFormatter();:
- labels:
- - source: new BinaryFormatter()
- style: primary
- start: 34
- end: 55
diff --git a/tests/__snapshots__/blowfish-insufficient-key-size-java-snapshot.yml b/tests/__snapshots__/blowfish-insufficient-key-size-java-snapshot.yml
deleted file mode 100644
index 4ffc57d8..00000000
--- a/tests/__snapshots__/blowfish-insufficient-key-size-java-snapshot.yml
+++ /dev/null
@@ -1,56 +0,0 @@
-id: blowfish-insufficient-key-size-java
-snapshots:
- ? |
- public void unsafeKeySize() {
- KeyGenerator keyGen = KeyGenerator.getInstance("Blowfish");
- keyGen.init(64);
- }
- : labels:
- - source: keyGen.init(64);
- style: primary
- start: 96
- end: 112
- - source: keyGen
- style: secondary
- start: 96
- end: 102
- - source: init
- style: secondary
- start: 103
- end: 107
- - source: '64'
- style: secondary
- start: 108
- end: 110
- - source: (64)
- style: secondary
- start: 107
- end: 111
- - source: keyGen.init(64)
- style: secondary
- start: 96
- end: 111
- - source: KeyGenerator
- style: secondary
- start: 55
- end: 67
- - source: getInstance
- style: secondary
- start: 68
- end: 79
- - source: '"Blowfish"'
- style: secondary
- start: 80
- end: 90
- - source: ("Blowfish")
- style: secondary
- start: 79
- end: 91
- - source: KeyGenerator.getInstance("Blowfish")
- style: secondary
- start: 55
- end: 91
- - source: KeyGenerator keyGen = KeyGenerator.getInstance("Blowfish");
- style: secondary
- start: 33
- end: 92
diff --git a/tests/__snapshots__/cbc-padding-oracle-java-snapshot.yml b/tests/__snapshots__/cbc-padding-oracle-java-snapshot.yml
index 12d32ee1..89c27d11 100644
--- a/tests/__snapshots__/cbc-padding-oracle-java-snapshot.yml
+++ b/tests/__snapshots__/cbc-padding-oracle-java-snapshot.yml
@@ -1,11 +1,5 @@
 id: cbc-padding-oracle-java
 snapshots:
- Cipher.getInstance("AES/CBC/PKCS5Padding");:
- labels:
- - source: Cipher.getInstance("AES/CBC/PKCS5Padding")
- style: primary
- start: 0
- end: 42
 ? |
 Cipher.getInstance("AES/CBC/PKCS5Padding");
 : labels:
diff --git a/tests/__snapshots__/command-injection-formatted-runtime-call-snapshot.yml b/tests/__snapshots__/command-injection-formatted-runtime-call-snapshot.yml
deleted file mode 100644
index 0b684d57..00000000
--- a/tests/__snapshots__/command-injection-formatted-runtime-call-snapshot.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-id: command-injection-formatted-runtime-call
-snapshots:
- ? |
- val r: Runtime = Runtime.getRuntime()
- r.exec("/bin/sh -c tool_command" + input)
- : labels:
- - source: r.exec("/bin/sh -c tool_command" + input)
- style: primary
- start: 38
- end: 79
- ? |-
- val r: Runtime = Runtime.getRuntime()
- r.loadLibrary(String.format("%s.dll", input))
- : labels:
- - source: r.loadLibrary(String.format("%s.dll", input))
- style: primary
- start: 38
- end: 83
diff --git a/tests/__snapshots__/cookie-httponly-false-java-snapshot.yml b/tests/__snapshots__/cookie-httponly-false-java-snapshot.yml
deleted file mode 100644
index c1460483..00000000
--- a/tests/__snapshots__/cookie-httponly-false-java-snapshot.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-id: cookie-httponly-false-java
-snapshots:
- ? |2
-
- @RequestMapping(value = "/cookie4", method = "GET")
- public void explicitDisable(@RequestParam String value, HttpServletResponse response) {
- Cookie cookie = new Cookie("cookie", value);
- cookie.setSecure(false);
- cookie.setHttpOnly(false);
- response.addCookie(cookie);
- }
- : labels:
- - source: cookie.setHttpOnly(false);
- style: primary
- start: 223
- end: 249
diff --git a/tests/__snapshots__/cookie-missing-samesite-java-snapshot.yml b/tests/__snapshots__/cookie-missing-samesite-java-snapshot.yml
deleted file mode 100644
index dc3df37f..00000000
--- a/tests/__snapshots__/cookie-missing-samesite-java-snapshot.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-id: cookie-missing-samesite-java
-snapshots:
- ? |
- @RequestMapping(value = "/cookie3", method = "GET")
- public void setSecureHttponlyCookie(@RequestParam String value, HttpServletResponse response) {
- Cookie cookie = new Cookie("cookie", value);
- cookie.setSecure(true);
- cookie.setHttpOnly(true);
- response.addCookie(cookie);
- }
- @RequestMapping(value = "/cookie2", method = "GET")
- public void setSecureCookie(@RequestParam String value, HttpServletResponse response) {
- response.setHeader("Set-Cookie", "key=value; HttpOnly;");
- }
- : labels:
- - source: response.addCookie(cookie);
- style: primary
- start: 255
- end: 282
diff --git a/tests/__snapshots__/cookie-secure-flag-false-java-snapshot.yml b/tests/__snapshots__/cookie-secure-flag-false-java-snapshot.yml
deleted file mode 100644
index b4c1bec6..00000000
--- a/tests/__snapshots__/cookie-secure-flag-false-java-snapshot.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-id: cookie-secure-flag-false-java
-snapshots:
- ? |
- cookie.setSecure(false);
- : labels:
- - source: cookie.setSecure(false);
- style: primary
- start: 0
- end: 24
diff --git a/tests/__snapshots__/data-contract-resolver-snapshot.yml b/tests/__snapshots__/data-contract-resolver-snapshot.yml
deleted file mode 100644
index 2637897a..00000000
--- a/tests/__snapshots__/data-contract-resolver-snapshot.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-id: data-contract-resolver
-snapshots:
- ? |-
- namespace DCR
- {
- class CustomDCR : DataContractResolver
- {
- }
- }
- : labels:
- - source: |-
- class CustomDCR : DataContractResolver
- {
- }
- style: primary
- start: 20
- end: 70
diff --git a/tests/__snapshots__/debug-enabled-python-snapshot.yml b/tests/__snapshots__/debug-enabled-python-snapshot.yml
deleted file mode 100644
index 65065284..00000000
--- a/tests/__snapshots__/debug-enabled-python-snapshot.yml
+++ /dev/null
@@ -1,47 +0,0 @@
-id: debug-enabled-python
-snapshots:
- ? |
- from flask import Flask
- if __name__ == "__main__":
- app.run("0.0.0.0", debug=True)
- : labels:
- - source: app.run("0.0.0.0", debug=True)
- style: primary
- start: 51
- end: 81
- - source: app
- style: secondary
- start: 51
- end: 54
- - source: run
- style: secondary
- start: 55
- end: 58
- - source: app.run
- style: secondary
- start: 51
- end: 58
- - source: debug=True
- style: secondary
- start: 70
- end: 80
- - source: ("0.0.0.0", debug=True)
- style: secondary
- start: 58
- end: 81
- - source: Flask
- style: secondary
- start: 18
- end: 23
- - source: Flask
- style: secondary
- start: 18
- end: 23
- - source: from flask import Flask
- style: secondary
- start: 0
- end: 23
- - source: app.run("0.0.0.0", debug=True)
- style: secondary
- start: 51
- end: 81
diff --git a/tests/__snapshots__/des-is-deprecated-kotlin-snapshot.yml b/tests/__snapshots__/des-is-deprecated-kotlin-snapshot.yml
deleted file mode 100644
index ebce9bbf..00000000
--- a/tests/__snapshots__/des-is-deprecated-kotlin-snapshot.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-id: des-is-deprecated-kotlin
-snapshots:
- ? |
- Cipher.getInstance("DES/ECB/PKCS5Padding");
- : labels:
- - source: Cipher.getInstance("DES/ECB/PKCS5Padding")
- style: primary
- start: 0
- end: 42
diff --git a/tests/__snapshots__/desede-is-deprecated-java-snapshot.yml b/tests/__snapshots__/desede-is-deprecated-java-snapshot.yml
deleted file mode 100644
index 1b0bc359..00000000
--- a/tests/__snapshots__/desede-is-deprecated-java-snapshot.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-id: desede-is-deprecated-java
-snapshots:
- ? |
- Cipher.getInstance("DESede/ECB/PKCS5Padding");
- javax.crypto.KeyGenerator.getInstance("DES")
- : labels:
- - source: javax.crypto.KeyGenerator.getInstance("DES")
- style: primary
- start: 47
- end: 91
diff --git a/tests/__snapshots__/desede-is-deprecated-kotlin-snapshot.yml b/tests/__snapshots__/desede-is-deprecated-kotlin-snapshot.yml
deleted file mode 100644
index 7eb1119d..00000000
--- a/tests/__snapshots__/desede-is-deprecated-kotlin-snapshot.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-id: desede-is-deprecated-kotlin
-snapshots:
- ? |
- Cipher.getInstance("DESede/ECB/PKCS5Padding");
- javax.crypto.KeyGenerator.getInstance("DES")
- : labels:
- - source: javax.crypto.KeyGenerator.getInstance("DES")
- style: primary
- start: 47
- end: 91
diff --git a/tests/__snapshots__/detect-angular-sce-disabled-javascript-snapshot.yml b/tests/__snapshots__/detect-angular-sce-disabled-javascript-snapshot.yml
deleted file mode 100644
index 809d3ff2..00000000
--- a/tests/__snapshots__/detect-angular-sce-disabled-javascript-snapshot.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-id: detect-angular-sce-disabled-javascript
-snapshots:
- ? |
- $sceProvider.enabled(false);
- : labels:
- - source: $sceProvider.enabled(false);
- style: primary
- start: 0
- end: 28
diff --git a/tests/__snapshots__/detect-angular-sce-disabled-typescript-snapshot.yml b/tests/__snapshots__/detect-angular-sce-disabled-typescript-snapshot.yml
deleted file mode 100644
index 8142ea9d..00000000
--- a/tests/__snapshots__/detect-angular-sce-disabled-typescript-snapshot.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-id: detect-angular-sce-disabled-typescript
-snapshots:
- ? |
- $sceProvider.enabled(false);
- : labels:
- - source: $sceProvider.enabled(false);
- style: primary
- start: 0
- end: 28
diff --git a/tests/__snapshots__/detect-replaceall-sanitization-snapshot.yml b/tests/__snapshots__/detect-replaceall-sanitization-snapshot.yml
deleted file mode 100644
index 01f39381..00000000
--- a/tests/__snapshots__/detect-replaceall-sanitization-snapshot.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-id: detect-replaceall-sanitization
-snapshots:
- ? |
- "Hello World".replace('<', '<').replace('>', '>')
- : labels:
- - source: '"Hello World".replace(''<'', ''<'').replace(''>'', ''>'')'
- style: primary
- start: 0
- end: 72
- ? |
- "Hello World".replaceAll('"', '"').replaceAll("'", ''').replaceAll('&', '&')
- : labels:
- - source: '"Hello World".replaceAll(''"'', ''"'').replaceAll("''", ''''').replaceAll(''&'', ''&'')'
- style: primary
- start: 0
- end: 107
- ? |
- "Hello World".replaceAll('<', '<').replaceAll('>', '>')
- : labels:
- - source: '"Hello World".replaceAll(''<'', ''<'').replaceAll(''>'', ''>'')'
- style: primary
- start: 0
- end: 78
diff --git a/tests/__snapshots__/documentbuilderfactory-disallow-doctype-decl-false-java-snapshot.yml b/tests/__snapshots__/documentbuilderfactory-disallow-doctype-decl-false-java-snapshot.yml
deleted file mode 100644
index ae72bb04..00000000
--- a/tests/__snapshots__/documentbuilderfactory-disallow-doctype-decl-false-java-snapshot.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-id: documentbuilderfactory-disallow-doctype-decl-false-java
-snapshots:
- ? |
- ParserConfigurationException {
- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
- //ruleid:documentbuilderfactory-disallow-doctype-decl-false
- dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
- //fix:documentbuilderfactory-disallow-doctype-decl-false
- //dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
- }
- : labels:
- - source: dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
- style: primary
- start: 170
- end: 248
- - source: DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
- style: secondary
- start: 35
- end: 101
- ? |
- ParserConfigurationException {
- SAXParserFactory spf = SAXParserFactory.newInstance();
- //ruleid:documentbuilderfactory-disallow-doctype-decl-false
- spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
- //fix:documentbuilderfactory-disallow-doctype-decl-false
- //spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
- }
- : labels:
- - source: spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
- style: primary
- start: 158
- end: 236
- - source: SAXParserFactory spf = SAXParserFactory.newInstance();
- style: secondary
- start: 35
- end: 89
diff --git a/tests/__snapshots__/documentbuilderfactory-external-general-entities-true-java-snapshot.yml b/tests/__snapshots__/documentbuilderfactory-external-general-entities-true-java-snapshot.yml
deleted file mode 100644
index 238311e7..00000000
--- a/tests/__snapshots__/documentbuilderfactory-external-general-entities-true-java-snapshot.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-id: documentbuilderfactory-external-general-entities-true-java
-snapshots:
- ? |
- dbf.setFeature("http://xml.org/sax/features/external-general-entities" , true);
- spf.setFeature("http://xml.org/sax/features/external-general-entities" , true);
- : labels:
- - source: dbf.setFeature("http://xml.org/sax/features/external-general-entities" , true);
- style: primary
- start: 0
- end: 79
diff --git a/tests/__snapshots__/documentbuilderfactory-external-parameter-entities-true-java-snapshot.yml b/tests/__snapshots__/documentbuilderfactory-external-parameter-entities-true-java-snapshot.yml
deleted file mode 100644
index c10c8249..00000000
--- a/tests/__snapshots__/documentbuilderfactory-external-parameter-entities-true-java-snapshot.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-id: documentbuilderfactory-external-parameter-entities-true-java
-snapshots:
- ? |
- dbf.setFeature("http://xml.org/sax/features/external-parameter-entities" , true);
- spf.setFeature("http://xml.org/sax/features/external-parameter-entities" , true);
- : labels:
- - source: dbf.setFeature("http://xml.org/sax/features/external-parameter-entities" , true);
- style: primary
- start: 0
- end: 81
diff --git a/tests/__snapshots__/dont-call-system-c-snapshot.yml b/tests/__snapshots__/dont-call-system-c-snapshot.yml
deleted file mode 100644
index 6085d5c7..00000000
--- a/tests/__snapshots__/dont-call-system-c-snapshot.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-id: dont-call-system-c
-snapshots:
- ? |
- void test_002(const char *input)
- {
- char cmdbuf[BUFFERSIZE];
- int len_wanted = snprintf(cmdbuf, BUFFERSIZE,
- "any_cmd '%s'", input);
- system(cmdbuf);
- }
- void test_001(const char *input)
- {
- char cmdbuf[BUFFERSIZE];
- int len_wanted = snprintf(cmdbuf, BUFFERSIZE,
- "any_cmd '%s'", input);
- if (len_wanted >= BUFFERSIZE)
- {
- /* Handle error */
- }
- else if (len_wanted < 0)
- {
- /* Handle error */
- }
- else if (system(cmdbuf) == -1)
- {
- /* Handle error */
- }
- }
- : labels:
- - source: system(cmdbuf)
- style: primary
- start: 156
- end: 170
- - source: system
- style: secondary
- start: 156
- end: 162
- - source: (cmdbuf)
- style: secondary
- start: 162
- end: 170
diff --git a/tests/__snapshots__/dont-call-system-cpp-snapshot.yml b/tests/__snapshots__/dont-call-system-cpp-snapshot.yml
deleted file mode 100644
index b26da26d..00000000
--- a/tests/__snapshots__/dont-call-system-cpp-snapshot.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-id: dont-call-system-cpp
-snapshots:
- ? |
- void test_002(const char *input)
- {
- char cmdbuf[BUFFERSIZE];
- int len_wanted = snprintf(cmdbuf, BUFFERSIZE,
- "any_cmd '%s'", input);
- system(cmdbuf);
- }
- void test_001(const char *input)
- {
- char cmdbuf[BUFFERSIZE];
- int len_wanted = snprintf(cmdbuf, BUFFERSIZE,
- "any_cmd '%s'", input);
- if (len_wanted >= BUFFERSIZE)
- {
- /* Handle error */
- }
- else if (len_wanted < 0)
- {
- /* Handle error */
- }
- else if (system(cmdbuf) == -1)
- {
- /* Handle error */
- }
- }
- : labels:
- - source: system(cmdbuf)
- style: primary
- start: 156
- end: 170
- - source: system
- style: secondary
- start: 156
- end: 162
- - source: (cmdbuf)
- style: secondary
- start: 162
- end: 170
diff --git a/tests/__snapshots__/drivermanager-hardcoded-secret-java-snapshot.yml b/tests/__snapshots__/drivermanager-hardcoded-secret-java-snapshot.yml
deleted file mode 100644
index 9083e268..00000000
--- a/tests/__snapshots__/drivermanager-hardcoded-secret-java-snapshot.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-id: drivermanager-hardcoded-secret-java
-snapshots:
- ? |
- String password = "a";
- Connection conn =DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92", "a", "password");
- Connection conn =DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92", "a", password);
- String password = "a";
- Connection conn =DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92", "a", "password");
- Connection conn =DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92", "a", password);
- : labels:
- - source: DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92", "a", "password")
- style: primary
- start: 40
- end: 124
- - source: DriverManager
- style: secondary
- start: 40
- end: 53
- - source: getConnection
- style: secondary
- start: 54
- end: 67
- - source: '"password"'
- style: secondary
- start: 113
- end: 123
- - source: ("jdbc:oracle:thin:@localhost:1521:o92", "a", "password")
- style: secondary
- start: 67
- end: 124
diff --git a/tests/__snapshots__/ecb-cipher-java-snapshot.yml b/tests/__snapshots__/ecb-cipher-java-snapshot.yml
deleted file mode 100644
index a9c76fd2..00000000
--- a/tests/__snapshots__/ecb-cipher-java-snapshot.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-id: ecb-cipher-java
-snapshots:
- ? |
- Cipher c = Cipher.getInstance("AES/ECB/NoPadding");
- : labels:
- - source: Cipher c = Cipher.getInstance("AES/ECB/NoPadding");
- style: primary
- start: 0
- end: 51
diff --git a/tests/__snapshots__/empty-aes-key-snapshot.yml b/tests/__snapshots__/empty-aes-key-snapshot.yml
deleted file mode 100644
index 67d7f160..00000000
--- a/tests/__snapshots__/empty-aes-key-snapshot.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-id: empty-aes-key
-snapshots:
- cipher = AES.new("", AES.MODE_CFB, iv):
- labels:
- - source: AES.new("", AES.MODE_CFB, iv)
- style: primary
- start: 9
- end: 38
diff --git a/tests/__snapshots__/express-jwt-hardcoded-secret-javascript-snapshot.yml b/tests/__snapshots__/express-jwt-hardcoded-secret-javascript-snapshot.yml
deleted file mode 100644
index 44fd920e..00000000
--- a/tests/__snapshots__/express-jwt-hardcoded-secret-javascript-snapshot.yml
+++ /dev/null
@@ -1,81 +0,0 @@
-id: express-jwt-hardcoded-secret-javascript
-snapshots:
- ? |
- var jwt = require('express-jwt');
- app.get('/protected', jwt({ secret: 'shhhhhhared-secret' }), function(req, res) {
- if (!req.user.admin) return res.sendStatus(401);
- res.sendStatus(200);
- });
- : labels:
- - source: 'secret: ''shhhhhhared-secret'''
- style: primary
- start: 62
- end: 90
- - source: jwt
- style: secondary
- start: 56
- end: 59
- - source: secret
- style: secondary
- start: 62
- end: 68
- - source: '''shhhhhhared-secret'''
- style: secondary
- start: 70
- end: 90
- - source: 'secret: ''shhhhhhared-secret'''
- style: secondary
- start: 62
- end: 90
- - source: '{ secret: ''shhhhhhared-secret'' }'
- style: secondary
- start: 60
- end: 92
- - source: '({ secret: ''shhhhhhared-secret'' })'
- style: secondary
- start: 59
- end: 93
- - source: 'jwt({ secret: ''shhhhhhared-secret'' })'
- style: secondary
- start: 56
- end: 93
- - source: jwt
- style: secondary
- start: 4
- end: 7
- - source: require
- style: secondary
- start: 10
- end: 17
- - source: express-jwt
- style: secondary
- start: 19
- end: 30
- - source: '''express-jwt'''
- style: secondary
- start: 18
- end: 31
- - source: ('express-jwt')
- style: secondary
- start: 17
- end: 32
- - source: require('express-jwt')
- style: secondary
- start: 10
- end: 32
- - source: jwt = require('express-jwt')
- style: secondary
- start: 4
- end: 32
- - source: var jwt = require('express-jwt');
- style: secondary
- start: 0
- end: 33
- - source: |-
- app.get('/protected', jwt({ secret: 'shhhhhhared-secret' }), function(req, res) {
- if (!req.user.admin) return res.sendStatus(401);
- res.sendStatus(200);
- });
- style: secondary
- start: 34
- end: 189
diff --git a/tests/__snapshots__/express-jwt-hardcoded-secret-typescript-snapshot.yml b/tests/__snapshots__/express-jwt-hardcoded-secret-typescript-snapshot.yml
deleted file mode 100644
index 72523292..00000000
--- a/tests/__snapshots__/express-jwt-hardcoded-secret-typescript-snapshot.yml
+++ /dev/null
@@ -1,81 +0,0 @@
-id: express-jwt-hardcoded-secret-typescript
-snapshots:
- ? |
- var jwt = require('express-jwt');
- app.get('/protected', jwt({ secret: 'shhhhhhared-secret' }), function(req, res) {
- if (!req.user.admin) return res.sendStatus(401);
- res.sendStatus(200);
- });
- : labels:
- - source: 'secret: ''shhhhhhared-secret'''
- style: primary
- start: 62
- end: 90
- - source: jwt
- style: secondary
- start: 56
- end: 59
- - source: secret
- style: secondary
- start: 62
- end: 68
- - source: '''shhhhhhared-secret'''
- style: secondary
- start: 70
- end: 90
- - source: 'secret: ''shhhhhhared-secret'''
- style: secondary
- start: 62
- end: 90
- - source: '{ secret: ''shhhhhhared-secret'' }'
- style: secondary
- start: 60
- end: 92
- - source: '({ secret: ''shhhhhhared-secret'' })'
- style: secondary
- start: 59
- end: 93
- - source: 'jwt({ secret: ''shhhhhhared-secret'' })'
- style: secondary
- start: 56
- end: 93
- - source: jwt
- style: secondary
- start: 4
- end: 7
- - source: require
- style: secondary
- start: 10
- end: 17
- - source: express-jwt
- style: secondary
- start: 19
- end: 30
- - source: '''express-jwt'''
- style: secondary
- start: 18
- end: 31
- - source: ('express-jwt')
- style: secondary
- start: 17
- end: 32
- - source: require('express-jwt')
- style: secondary
- start: 10
- end: 32
- - source: jwt = require('express-jwt')
- style: secondary
- start: 4
- end: 32
- - source: var jwt = require('express-jwt');
- style: secondary
- start: 0
- end: 33
- - source: |-
- app.get('/protected', jwt({ secret: 'shhhhhhared-secret' }), function(req, res) {
- if (!req.user.admin) return res.sendStatus(401);
- res.sendStatus(200);
- });
- style: secondary
- start: 34
- end: 189
diff --git a/tests/__snapshots__/express-session-hardcoded-secret-javascript-snapshot.yml b/tests/__snapshots__/express-session-hardcoded-secret-javascript-snapshot.yml
deleted file mode 100644
index 85dce1d9..00000000
--- a/tests/__snapshots__/express-session-hardcoded-secret-javascript-snapshot.yml
+++ /dev/null
@@ -1,82 +0,0 @@
-id: express-session-hardcoded-secret-javascript
-snapshots:
- ? |
- import * as session from 'express-session'
- let a = 'a'
- let config = {
- secret: 'a',
- resave: false,
- saveUninitialized: false,
- }
- : labels:
- - source: 'secret: ''a'''
- style: primary
- start: 70
- end: 81
- - source: secret
- style: secondary
- start: 70
- end: 76
- - source: a
- style: secondary
- start: 79
- end: 80
- - source: '''a'''
- style: secondary
- start: 78
- end: 81
- - source: 'secret: ''a'''
- style: secondary
- start: 70
- end: 81
- - source: |-
- {
- secret: 'a',
- resave: false,
- saveUninitialized: false,
- }
- style: secondary
- start: 68
- end: 125
- - source: |-
- config = {
- secret: 'a',
- resave: false,
- saveUninitialized: false,
- }
- style: secondary
- start: 59
- end: 125
- - source: session
- style: secondary
- start: 12
- end: 19
- - source: '* as session'
- style: secondary
- start: 7
- end: 19
- - source: '* as session'
- style: secondary
- start: 7
- end: 19
- - source: express-session
- style: secondary
- start: 26
- end: 41
- - source: '''express-session'''
- style: secondary
- start: 25
- end: 42
- - source: import * as session from 'express-session'
- style: secondary
- start: 0
- end: 42
- - source: |-
- let config = {
- secret: 'a',
- resave: false,
- saveUninitialized: false,
- }
- style: secondary
- start: 55
- end: 125
diff --git a/tests/__snapshots__/express-session-hardcoded-secret-typescript-snapshot.yml b/tests/__snapshots__/express-session-hardcoded-secret-typescript-snapshot.yml
deleted file mode 100644
index 02288644..00000000
--- a/tests/__snapshots__/express-session-hardcoded-secret-typescript-snapshot.yml
+++ /dev/null
@@ -1,82 +0,0 @@
-id: express-session-hardcoded-secret-typescript
-snapshots:
- ? |
- import * as session from 'express-session'
- let a = 'a'
- let config = {
- secret: 'a',
- resave: false,
- saveUninitialized: false,
- }
- : labels:
- - source: 'secret: ''a'''
- style: primary
- start: 70
- end: 81
- - source: secret
- style: secondary
- start: 70
- end: 76
- - source: a
- style: secondary
- start: 79
- end: 80
- - source: '''a'''
- style: secondary
- start: 78
- end: 81
- - source: 'secret: ''a'''
- style: secondary
- start: 70
- end: 81
- - source: |-
- {
- secret: 'a',
- resave: false,
- saveUninitialized: false,
- }
- style: secondary
- start: 68
- end: 125
- - source: |-
- config = {
- secret: 'a',
- resave: false,
- saveUninitialized: false,
- }
- style: secondary
- start: 59
- end: 125
- - source: session
- style: secondary
- start: 12
- end: 19
- - source: '* as session'
- style: secondary
- start: 7
- end: 19
- - source: '* as session'
- style: secondary
- start: 7
- end: 19
- - source: express-session
- style: secondary
- start: 26
- end: 41
- - source: '''express-session'''
- style: secondary
- start: 25
- end: 42
- - source: import * as session from 'express-session'
- style: secondary
- start: 0
- end: 42
- - source: |-
- let config = {
- secret: 'a',
- resave: false,
- saveUninitialized: false,
- }
- style: secondary
- start: 55
- end: 125
diff --git a/tests/__snapshots__/file-access-before-action-c-snapshot.yml b/tests/__snapshots__/file-access-before-action-c-snapshot.yml
deleted file mode 100644
index 184a6e9d..00000000
--- a/tests/__snapshots__/file-access-before-action-c-snapshot.yml
+++ /dev/null
@@ -1,79 +0,0 @@
-id: file-access-before-action-c
-snapshots:
- ? |
- {
- const char *original_key = "path/to/file/filename";
- const char *mirror_key = "path/to/another/file/filename";
-
- if ((access(original_key, F_OK) == 0) && (access(mirror_key, F_OK) == 0))
- {
- copy_file("/bin/cp %s %s", original_key, mirror_key);
-
- // ruleid: file-access-before-action
- unlink(original_key);
- }
- }
- void test_002()
- {
- const char *original_key = "path/to/file/filename";
-
- if (access(original_key, W_OK) == 0)
- {
- // ruleid: file-access-before-action
- FILe *fp = fopen(original_key, "wb");
- }
- }
- : labels:
- - source: unlink
- style: primary
- start: 293
- end: 299
- - source: access
- style: secondary
- start: 118
- end: 124
- - source: original_key
- style: secondary
- start: 125
- end: 137
- - source: F_OK
- style: secondary
- start: 139
- end: 143
- - source: (original_key, F_OK)
- style: secondary
- start: 124
- end: 144
- - source: access(original_key, F_OK)
- style: secondary
- start: 118
- end: 144
- - source: |-
- if ((access(original_key, F_OK) == 0) && (access(mirror_key, F_OK) == 0))
- {
- copy_file("/bin/cp %s %s", original_key, mirror_key);
-
- // ruleid: file-access-before-action
- unlink(original_key);
- }
- style: secondary
- start: 113
- end: 316
- - source: |-
- {
- copy_file("/bin/cp %s %s", original_key, mirror_key);
-
- // ruleid: file-access-before-action
- unlink(original_key);
- }
- style: secondary
- start: 187
- end: 316
- - source: unlink(original_key);
- style: secondary
- start: 293
- end: 314
- - source: unlink(original_key)
- style: secondary
- start: 293
- end: 313
diff --git a/tests/__snapshots__/file-access-before-action-cpp-snapshot.yml b/tests/__snapshots__/file-access-before-action-cpp-snapshot.yml
deleted file mode 100644
index 0c9cd833..00000000
--- a/tests/__snapshots__/file-access-before-action-cpp-snapshot.yml
+++ /dev/null
@@ -1,79 +0,0 @@
-id: file-access-before-action-cpp
-snapshots:
- ? |
- {
- const char *original_key = "path/to/file/filename";
- const char *mirror_key = "path/to/another/file/filename";
-
- if ((access(original_key, F_OK) == 0) && (access(mirror_key, F_OK) == 0))
- {
- copy_file("/bin/cp %s %s", original_key, mirror_key);
-
- // ruleid: file-access-before-action
- unlink(original_key);
- }
- }
- void test_002()
- {
- const char *original_key = "path/to/file/filename";
-
- if (access(original_key, W_OK) == 0)
- {
- // ruleid: file-access-before-action
- FILe *fp = fopen(original_key, "wb");
- }
- }
- : labels:
- - source: unlink
- style: primary
- start: 293
- end: 299
- - source: access
- style: secondary
- start: 118
- end: 124
- - source: original_key
- style: secondary
- start: 125
- end: 137
- - source: F_OK
- style: secondary
- start: 139
- end: 143
- - source: (original_key, F_OK)
- style: secondary
- start: 124
- end: 144
- - source: access(original_key, F_OK)
- style: secondary
- start: 118
- end: 144
- - source: |-
- if ((access(original_key, F_OK) == 0) && (access(mirror_key, F_OK) == 0))
- {
- copy_file("/bin/cp %s %s", original_key, mirror_key);
-
- // ruleid: file-access-before-action
- unlink(original_key);
- }
- style: secondary
- start: 113
- end: 316
- - source: |-
- {
- copy_file("/bin/cp %s %s", original_key, mirror_key);
-
- // ruleid: file-access-before-action
- unlink(original_key);
- }
- style: secondary
- start: 187
- end: 316
- - source: unlink(original_key);
- style: secondary
- start: 293
- end: 314
- - source: unlink(original_key)
- style: secondary
- start: 293
- end: 313
diff --git a/tests/__snapshots__/file-stat-before-action-c-snapshot.yml b/tests/__snapshots__/file-stat-before-action-c-snapshot.yml
deleted file mode 100644
index d5a64b98..00000000
--- a/tests/__snapshots__/file-stat-before-action-c-snapshot.yml
+++ /dev/null
@@ -1,295 +0,0 @@ -id: file-stat-before-action-c -snapshots: - ? | - if (stat(file.c_str(), &buf) == 0) - { - - // Open the file for reading - // ruleid: file-stat-before-action - fp = fopen(file.c_str(), "r"); - if (fp == NULL) - { - char message[2560]; - sprintf(message, "File '%s' Cound Not be Opened", file.c_str()); - // DISPLAY_MSG_ERROR( this, message, "GetFileContents", "System" ); - throw message; - } - - // Read the file - MvString s, ss; - while (fgets(data, sizeof(data), fp) != (char *)0) - { - s = data; - s.trimBoth(); - if (s.compare(0, 5, "GROUP") == 0) - { - // size_t t = s.find_last_of( ":" ); - size_t t = s.find(":"); - if (t != string::npos) - { - ss = s.substr(t + 1).c_str(); - ss.trimBoth(); - ss = ss.substr(1, ss.length() - 3).c_str(); - group_list.push_back(ss); - } - } - } - - // Close the file - fclose(fp); - } - : labels: - - source: fopen - style: primary - start: 123 - end: 128 - - source: stat - style: secondary - start: 4 - end: 8 - - source: file.c_str() - style: secondary - start: 9 - end: 21 - - source: (file.c_str(), &buf) - style: secondary - start: 8 - end: 28 - - source: stat(file.c_str(), &buf) - style: secondary - start: 4 - end: 28 - - source: |- - if (stat(file.c_str(), &buf) == 0) - { - - // Open the file for reading - // ruleid: file-stat-before-action - fp = fopen(file.c_str(), "r"); - if (fp == NULL) - { - char message[2560]; - sprintf(message, "File '%s' Cound Not be Opened", file.c_str()); - // DISPLAY_MSG_ERROR( this, message, "GetFileContents", "System" ); - throw message; - } - - // Read the file - MvString s, ss; - while (fgets(data, sizeof(data), fp) != (char *)0) - { - s = data; - s.trimBoth(); - if (s.compare(0, 5, "GROUP") == 0) - { - // size_t t = s.find_last_of( ":" ); - size_t t = s.find(":"); - if (t != string::npos) - { - ss = s.substr(t + 1).c_str(); - ss.trimBoth(); - ss = ss.substr(1, ss.length() - 3).c_str(); - group_list.push_back(ss); - } - } - } - - // Close the file - fclose(fp); - } - style: 
secondary - start: 0 - end: 989 - - source: |- - { - - // Open the file for reading - // ruleid: file-stat-before-action - fp = fopen(file.c_str(), "r"); - if (fp == NULL) - { - char message[2560]; - sprintf(message, "File '%s' Cound Not be Opened", file.c_str()); - // DISPLAY_MSG_ERROR( this, message, "GetFileContents", "System" ); - throw message; - } - - // Read the file - MvString s, ss; - while (fgets(data, sizeof(data), fp) != (char *)0) - { - s = data; - s.trimBoth(); - if (s.compare(0, 5, "GROUP") == 0) - { - // size_t t = s.find_last_of( ":" ); - size_t t = s.find(":"); - if (t != string::npos) - { - ss = s.substr(t + 1).c_str(); - ss.trimBoth(); - ss = ss.substr(1, ss.length() - 3).c_str(); - group_list.push_back(ss); - } - } - } - - // Close the file - fclose(fp); - } - style: secondary - start: 36 - end: 989 - - source: fp = fopen(file.c_str(), "r"); - style: secondary - start: 118 - end: 148 - - source: fopen(file.c_str(), "r") - style: secondary - start: 123 - end: 147 - ? 
| - if (stat(file.c_str(), &buf) == 0) - { - - // Open the file for reading - // ruleid: file-stat-before-action - fp = fopen(file.c_str(), "r"); - if (fp == NULL) - { - char message[2560]; - sprintf(message, "File '%s' Cound Not be Opened", file.c_str()); - // DISPLAY_MSG_ERROR( this, message, "GetFileContents", "System" ); - throw message; - } - - MvString s, ss; - while (fgets(data, sizeof(data), fp) != (char *)0) - { - s = data; - s.trimBoth(); - if (s.compare(0, 5, "GROUP") == 0) - { - // size_t t = s.find_last_of( ":" ); - size_t t = s.find(":"); - if (t != string::npos) - { - ss = s.substr(t + 1).c_str(); - ss.trimBoth(); - ss = ss.substr(1, ss.length() - 3).c_str(); - group_list.push_back(ss); - } - } - } - - // Close the file - fclose(fp); - } - : labels: - - source: fopen - style: primary - start: 123 - end: 128 - - source: stat - style: secondary - start: 4 - end: 8 - - source: file.c_str() - style: secondary - start: 9 - end: 21 - - source: (file.c_str(), &buf) - style: secondary - start: 8 - end: 28 - - source: stat(file.c_str(), &buf) - style: secondary - start: 4 - end: 28 - - source: |- - if (stat(file.c_str(), &buf) == 0) - { - - // Open the file for reading - // ruleid: file-stat-before-action - fp = fopen(file.c_str(), "r"); - if (fp == NULL) - { - char message[2560]; - sprintf(message, "File '%s' Cound Not be Opened", file.c_str()); - // DISPLAY_MSG_ERROR( this, message, "GetFileContents", "System" ); - throw message; - } - - MvString s, ss; - while (fgets(data, sizeof(data), fp) != (char *)0) - { - s = data; - s.trimBoth(); - if (s.compare(0, 5, "GROUP") == 0) - { - // size_t t = s.find_last_of( ":" ); - size_t t = s.find(":"); - if (t != string::npos) - { - ss = s.substr(t + 1).c_str(); - ss.trimBoth(); - ss = ss.substr(1, ss.length() - 3).c_str(); - group_list.push_back(ss); - } - } - } - - // Close the file - fclose(fp); - } - style: secondary - start: 0 - end: 967 - - source: |- - { - - // Open the file for reading - // ruleid: 
file-stat-before-action - fp = fopen(file.c_str(), "r"); - if (fp == NULL) - { - char message[2560]; - sprintf(message, "File '%s' Cound Not be Opened", file.c_str()); - // DISPLAY_MSG_ERROR( this, message, "GetFileContents", "System" ); - throw message; - } - - MvString s, ss; - while (fgets(data, sizeof(data), fp) != (char *)0) - { - s = data; - s.trimBoth(); - if (s.compare(0, 5, "GROUP") == 0) - { - // size_t t = s.find_last_of( ":" ); - size_t t = s.find(":"); - if (t != string::npos) - { - ss = s.substr(t + 1).c_str(); - ss.trimBoth(); - ss = ss.substr(1, ss.length() - 3).c_str(); - group_list.push_back(ss); - } - } - } - - // Close the file - fclose(fp); - } - style: secondary - start: 36 - end: 967 - - source: fp = fopen(file.c_str(), "r"); - style: secondary - start: 118 - end: 148 - - source: fopen(file.c_str(), "r") - style: secondary - start: 123 - end: 147 diff --git a/tests/__snapshots__/gcm-nonce-reuse-java-snapshot.yml b/tests/__snapshots__/gcm-nonce-reuse-java-snapshot.yml deleted file mode 100644 index 91128348..00000000 --- a/tests/__snapshots__/gcm-nonce-reuse-java-snapshot.yml +++ /dev/null @@ -1,14 +0,0 @@ -id: gcm-nonce-reuse-java -snapshots: - ? | - byte[] theBadIV = BAD_IV.getBytes(); - GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(GCM_TAG_LENGTH * 8, theBadIV); - : labels: - - source: GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(GCM_TAG_LENGTH * 8, theBadIV); - style: primary - start: 37 - end: 124 - - source: byte[] theBadIV = BAD_IV.getBytes(); - style: secondary - start: 0 - end: 36 diff --git a/tests/__snapshots__/go-template-insecure-types-snapshot.yml b/tests/__snapshots__/go-template-insecure-types-snapshot.yml deleted file mode 100644 index d478bb95..00000000 --- a/tests/__snapshots__/go-template-insecure-types-snapshot.yml +++ /dev/null 
@@ -1,9 +0,0 @@ -id: go-template-insecure-types -snapshots: - ? | - var b template.CSS = "a { text-decoration: underline; } " - : labels: - - source: 'var b template.CSS = "a { text-decoration: underline; } "' - style: primary - start: 0 - end: 57 diff --git a/tests/__snapshots__/gorilla-cookie-store-hardcoded-session-key-go-snapshot.yml b/tests/__snapshots__/gorilla-cookie-store-hardcoded-session-key-go-snapshot.yml deleted file mode 100644 index 8ed0060e..00000000 --- a/tests/__snapshots__/gorilla-cookie-store-hardcoded-session-key-go-snapshot.yml +++ /dev/null @@ -1,44 +0,0 @@ -id: gorilla-cookie-store-hardcoded-session-key-go -snapshots: - ? "import (\n\"github.com/gorilla/sessions\"\n)\n \tvar store = sessions.NewCookieStore([]byte(\"hardcoded-session-key-here\"))\n var store = sessions.NewCookieStore(\n []byte(\"new-authentication-key\"),\n []byte(\"new-encryption-key\"),\n []byte(\"old-authentication-key\"),\n []byte(\"old-encryption-key\"),\n )\n" - : labels: - - source: sessions.NewCookieStore([]byte("hardcoded-session-key-here")) - style: primary - start: 55 - end: 116 - - source: sessions - style: secondary - start: 55 - end: 63 - - source: NewCookieStore - style: secondary - start: 64 - end: 78 - - source: sessions.NewCookieStore - style: secondary - start: 55 - end: 78 - - source: byte - style: secondary - start: 81 - end: 85 - - source: '[]byte' - style: secondary - start: 79 - end: 85 - - source: '[]byte' - style: secondary - start: 79 - end: 85 - - source: '[]byte("hardcoded-session-key-here")' - style: secondary - start: 79 - end: 115 - - source: ([]byte("hardcoded-session-key-here")) - style: secondary - start: 78 - end: 116 - - source: sessions.NewCookieStore([]byte("hardcoded-session-key-here")) - style: secondary - start: 55 - end: 116 diff --git a/tests/__snapshots__/gorilla-csrf-hardcoded-auth-key-go-snapshot.yml b/tests/__snapshots__/gorilla-csrf-hardcoded-auth-key-go-snapshot.yml deleted file mode 100644 index 11c87f57..00000000 
--- a/tests/__snapshots__/gorilla-csrf-hardcoded-auth-key-go-snapshot.yml +++ /dev/null @@ -1,66 +0,0 @@ -id: gorilla-csrf-hardcoded-auth-key-go -snapshots: - ? | - import ( - "github.com/gorilla/csrf" - ) - func main() { - http.ListenAndServe(":8000", - csrf.Protect([]byte("32-byte-long-auth-key"))(r)) - } - : labels: - - source: csrf.Protect([]byte("32-byte-long-auth-key")) - style: primary - start: 84 - end: 129 - - source: csrf - style: secondary - start: 84 - end: 88 - - source: Protect - style: secondary - start: 89 - end: 96 - - source: csrf.Protect - style: secondary - start: 84 - end: 96 - - source: byte - style: secondary - start: 99 - end: 103 - - source: '[]byte' - style: secondary - start: 97 - end: 103 - - source: '"32-byte-long-auth-key"' - style: secondary - start: 104 - end: 127 - - source: '[]byte("32-byte-long-auth-key")' - style: secondary - start: 97 - end: 128 - - source: ([]byte("32-byte-long-auth-key")) - style: secondary - start: 96 - end: 129 - - source: '"github.com/gorilla/csrf"' - style: secondary - start: 9 - end: 34 - - source: |- - import ( - "github.com/gorilla/csrf" - ) - style: secondary - start: 0 - end: 36 - - source: |- - func main() { - http.ListenAndServe(":8000", - csrf.Protect([]byte("32-byte-long-auth-key"))(r)) - } - style: secondary - start: 37 - end: 138 diff --git a/tests/__snapshots__/grpc-client-insecure-connection-go-snapshot.yml b/tests/__snapshots__/grpc-client-insecure-connection-go-snapshot.yml deleted file mode 100644 index 18911bf9..00000000 --- a/tests/__snapshots__/grpc-client-insecure-connection-go-snapshot.yml +++ /dev/null @@ -1,9 +0,0 @@ -id: grpc-client-insecure-connection-go -snapshots: - ? | - conn, err := grpc.Dial(address, grpc.WithInsecure()) - : labels: - - source: grpc.Dial(address, grpc.WithInsecure()) - style: primary - start: 13 - end: 52 
diff --git a/tests/__snapshots__/hardcoded-http-auth-in-controller-copy-ruby-snapshot.yml b/tests/__snapshots__/hardcoded-http-auth-in-controller-copy-ruby-snapshot.yml
deleted file mode 100644
index be378ba7..00000000
--- a/tests/__snapshots__/hardcoded-http-auth-in-controller-copy-ruby-snapshot.yml
+++ /dev/null
@@ -1,114 +0,0 @@ -id: hardcoded-http-auth-in-controller-copy-ruby -snapshots: - ? | - class DangerousController < ApplicationController - http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index - puts "do more stuff" - end - : labels: - - source: '"secret"' - style: primary - start: 108 - end: 116 - - source: :password - style: secondary - start: 95 - end: 104 - - source: http_basic_authenticate_with - style: secondary - start: 50 - end: 78 - - source: DangerousController - style: secondary - start: 6 - end: 25 - - source: ApplicationController - style: secondary - start: 28 - end: 49 - - source: < ApplicationController - style: secondary - start: 26 - end: 49 - - source: |- - class DangerousController < ApplicationController - http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index - puts "do more stuff" - end - style: secondary - start: 0 - end: 160 - - source: |- - http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index - puts "do more stuff" - style: secondary - start: 50 - end: 156 - - source: http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index - style: secondary - start: 50 - end: 135 - - source: :name => "dhh", :password => "secret", :except => :index - style: secondary - start: 79 - end: 135 - - source: :password => "secret" - style: secondary - start: 95 - end: 116 - ? 
| - class DangerousController < ApplicationController - http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index - puts "do more stuff"" - end - : labels: - - source: '"secret"' - style: primary - start: 108 - end: 116 - - source: :password - style: secondary - start: 95 - end: 104 - - source: http_basic_authenticate_with - style: secondary - start: 50 - end: 78 - - source: DangerousController - style: secondary - start: 6 - end: 25 - - source: ApplicationController - style: secondary - start: 28 - end: 49 - - source: < ApplicationController - style: secondary - start: 26 - end: 49 - - source: |- - class DangerousController < ApplicationController - http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index - puts "do more stuff"" - end - style: secondary - start: 0 - end: 161 - - source: |- - http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index - puts "do more stuff"" - style: secondary - start: 50 - end: 157 - - source: http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index - style: secondary - start: 50 - end: 135 - - source: :name => "dhh", :password => "secret", :except => :index - style: secondary - start: 79 - end: 135 - - source: :password => "secret" - style: secondary - start: 95 - end: 116 diff --git a/tests/__snapshots__/hashids-with-django-secret-python-snapshot.yml b/tests/__snapshots__/hashids-with-django-secret-python-snapshot.yml deleted file mode 100644 index da2eddb5..00000000 --- a/tests/__snapshots__/hashids-with-django-secret-python-snapshot.yml +++ /dev/null 
@@ -1,11 +0,0 @@ -id: hashids-with-django-secret-python -snapshots: - ? | - Hashids(salt=settings.SECRET_KEY, min_length=settings.ID_HASH_MIN_LENGTH) - Hashids(salt=settings.SECRET_KEY, min_length=4, alphabet="abcdefghijklmnopqrstuvwxyz") - Hashids(settings.SECRET_KEY, min_length=length, alphabet=alphabet) - : labels: - - source: Hashids(salt=settings.SECRET_KEY, min_length=settings.ID_HASH_MIN_LENGTH) - style: primary - start: 0 - end: 73 diff --git a/tests/__snapshots__/html-raw-json-snapshot.yml b/tests/__snapshots__/html-raw-json-snapshot.yml deleted file mode 100644 index 31d4a31e..00000000 --- a/tests/__snapshots__/html-raw-json-snapshot.yml +++ /dev/null @@ -1,18 +0,0 @@ -id: html-raw-json -snapshots: - ? |- - anotherCall(); - var obj = @Html.Raw(Json.Encode(Model)); - alert("hello world"); - : labels: - - source: '@Html.Raw(Json.Encode(Model))' - style: primary - start: 25 - end: 54 - ? | - var obj = @Html.Raw(JsonConvert.SerializeObject(Model)); - : labels: - - source: '@Html.Raw(JsonConvert.SerializeObject(Model))' - style: primary - start: 10 - end: 55 diff --git a/tests/__snapshots__/httponly-false-csharp-snapshot.yml b/tests/__snapshots__/httponly-false-csharp-snapshot.yml deleted file mode 100644 index 4ec18734..00000000 --- a/tests/__snapshots__/httponly-false-csharp-snapshot.yml +++ /dev/null @@ -1,16 +0,0 @@ -id: httponly-false-csharp -snapshots: - ? | - myHttpOnlyCookie.HttpOnly = false; - : labels: - - source: myHttpOnlyCookie.HttpOnly = false; - style: primary - start: 0 - end: 34 - ? | - options.Cookie.HttpOnly = false; - : labels: - - source: options.Cookie.HttpOnly = false; - style: primary - start: 0 - end: 32 diff --git a/tests/__snapshots__/info-leak-on-non-formated-string-snapshot.yml b/tests/__snapshots__/info-leak-on-non-formated-string-snapshot.yml deleted file mode 100644 index 46a80a3e..00000000 --- a/tests/__snapshots__/info-leak-on-non-formated-string-snapshot.yml +++ /dev/null 
@@ -1,8 +0,0 @@ -id: info-leak-on-non-formated-string -snapshots: - printf(argv[0]);: - labels: - - source: printf(argv[0]); - style: primary - start: 0 - end: 16 diff --git a/tests/__snapshots__/insecure-biometrics-swift-snapshot.yml b/tests/__snapshots__/insecure-biometrics-swift-snapshot.yml deleted file mode 100644 index 2e7ddc4c..00000000 --- a/tests/__snapshots__/insecure-biometrics-swift-snapshot.yml +++ /dev/null @@ -1,9 +0,0 @@ -id: insecure-biometrics-swift -snapshots: - ? | - context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: "Authenticate to the application" - : labels: - - source: context.evaluatePolicy - style: primary - start: 0 - end: 22 diff --git a/tests/__snapshots__/insecure-cipher-algorithm-rc4-python-snapshot.yml b/tests/__snapshots__/insecure-cipher-algorithm-rc4-python-snapshot.yml deleted file mode 100644 index 1b8f6de1..00000000 --- a/tests/__snapshots__/insecure-cipher-algorithm-rc4-python-snapshot.yml +++ /dev/null 
@@ -1,64 +0,0 @@ -id: insecure-cipher-algorithm-rc4-python -snapshots: - ? "from Cryptodome.Cipher import ARC4 as pycryptodomex_arc4\nfrom Crypto.Cipher import ARC4 as pycrypto_arc4\nkey = b'Very long and confidential key'\nnonce = Random.new().read(16)\ntempkey = SHA.new(key+nonce).digest()\ncipher = pycrypto_arc4.new(tempkey)\nmsg = nonce + cipher.encrypt(b'Open the pod bay doors, HAL') \ncipher = pycryptodomex_arc4.new(tempkey)\nmsg = nonce + cipher.encrypt(b'Open the pod bay doors, HAL')\n" - : labels: - - source: pycrypto_arc4.new(tempkey) - style: primary - start: 222 - end: 248 - - source: pycrypto_arc4 - style: secondary - start: 222 - end: 235 - - source: new - style: secondary - start: 236 - end: 239 - - source: pycrypto_arc4.new - style: secondary - start: 222 - end: 239 - - source: tempkey - style: secondary - start: 240 - end: 247 - - source: (tempkey) - style: secondary - start: 239 - end: 248 - - source: Crypto - style: secondary - start: 62 - end: 68 - - source: Cipher - style: secondary - start: 69 - end: 75 - - source: Crypto.Cipher - style: secondary - start: 62 - end: 75 - - source: ARC4 - style: secondary - start: 83 - end: 87 - - source: ARC4 - style: secondary - start: 83 - end: 87 - - source: pycrypto_arc4 - style: secondary - start: 91 - end: 104 - - source: ARC4 as pycrypto_arc4 - style: secondary - start: 83 - end: 104 - - source: from Crypto.Cipher import ARC4 as pycrypto_arc4 - style: secondary - start: 57 - end: 104 - - source: cipher = pycrypto_arc4.new(tempkey) - style: secondary - start: 213 - end: 248 diff --git a/tests/__snapshots__/insecure-fspickler-deserialization-snapshot.yml b/tests/__snapshots__/insecure-fspickler-deserialization-snapshot.yml deleted file mode 100644 index 7893ceb7..00000000 --- a/tests/__snapshots__/insecure-fspickler-deserialization-snapshot.yml +++ /dev/null 
@@ -1,8 +0,0 @@ -id: insecure-fspickler-deserialization -snapshots: - var fsPickler = FsPickler.CreateJsonSerializer();: - labels: - - source: FsPickler.CreateJsonSerializer() - style: primary - start: 16 - end: 48 diff --git a/tests/__snapshots__/insecure-hash-c-snapshot.yml b/tests/__snapshots__/insecure-hash-c-snapshot.yml deleted file mode 100644 index bd4945a4..00000000 --- a/tests/__snapshots__/insecure-hash-c-snapshot.yml +++ /dev/null @@ -1,28 +0,0 @@ -id: insecure-hash-c -snapshots: - ? | - MD2_Init(); - SHA1_Init(); - const char *md4 = "MD4"; - EVP_MD_fetch(NULL, md4, NULL); - EVP_get_digestbyname(md4); - const char *sha1 = "SHA1"; - EVP_MD_fetch(NULL, sha1, NULL); - EVP_get_digestbyname(sha1); - : labels: - - source: MD2_Init(); - style: primary - start: 0 - end: 11 - - source: MD2_Init - style: secondary - start: 0 - end: 8 - - source: () - style: secondary - start: 8 - end: 10 - - source: MD2_Init() - style: secondary - start: 0 - end: 10 diff --git a/tests/__snapshots__/insecure-hash-cpp-snapshot.yml b/tests/__snapshots__/insecure-hash-cpp-snapshot.yml deleted file mode 100644 index 8c45cf53..00000000 --- a/tests/__snapshots__/insecure-hash-cpp-snapshot.yml +++ /dev/null @@ -1,28 +0,0 @@ -id: insecure-hash-cpp -snapshots: - ? | - MD2_Init(); - SHA1_Init(); - const char *md4 = "MD4"; - EVP_MD_fetch(NULL, md4, NULL); - EVP_get_digestbyname(md4); - const char *sha1 = "SHA1"; - EVP_MD_fetch(NULL, sha1, NULL); - EVP_get_digestbyname(sha1); - : labels: - - source: MD2_Init(); - style: primary - start: 0 - end: 11 - - source: MD2_Init - style: secondary - start: 0 - end: 8 - - source: () - style: secondary - start: 8 - end: 10 - - source: MD2_Init() - style: secondary - start: 0 - end: 10 diff --git a/tests/__snapshots__/insecure-hashes-snapshot.yml b/tests/__snapshots__/insecure-hashes-snapshot.yml deleted file mode 100644 index 21a5253e..00000000 --- a/tests/__snapshots__/insecure-hashes-snapshot.yml +++ /dev/null 
@@ -1,30 +0,0 @@ -id: insecure-hashes -snapshots: - ? | - let mut hasher = Md2::new(); - : labels: - - source: Md2::new() - style: primary - start: 17 - end: 27 - ? | - let mut hasher = Md4::new(); - : labels: - - source: Md4::new() - style: primary - start: 17 - end: 27 - ? | - let mut hasher = Md5::new(); - : labels: - - source: Md5::new() - style: primary - start: 17 - end: 27 - ? | - let mut hasher = Sha1::new(); - : labels: - - source: Sha1::new() - style: primary - start: 17 - end: 28 diff --git a/tests/__snapshots__/insecure-netdatacontract-deserialization-snapshot.yml b/tests/__snapshots__/insecure-netdatacontract-deserialization-snapshot.yml deleted file mode 100644 index e5386632..00000000 --- a/tests/__snapshots__/insecure-netdatacontract-deserialization-snapshot.yml +++ /dev/null @@ -1,8 +0,0 @@ -id: insecure-netdatacontract-deserialization -snapshots: - NetDataContractSerializer netDataContractSerializer = new NetDataContractSerializer();: - labels: - - source: new NetDataContractSerializer() - style: primary - start: 54 - end: 85 diff --git a/tests/__snapshots__/insecure-use-gets-function-snapshot.yml b/tests/__snapshots__/insecure-use-gets-function-snapshot.yml deleted file mode 100644 index 733e1a76..00000000 --- a/tests/__snapshots__/insecure-use-gets-function-snapshot.yml +++ /dev/null @@ -1,8 +0,0 @@ -id: insecure-use-gets-function -snapshots: - gets(buffer);: - labels: - - source: gets(buffer); - style: primary - start: 0 - end: 13 diff --git a/tests/__snapshots__/insecure-use-memset-function-snapshot.yml b/tests/__snapshots__/insecure-use-memset-function-snapshot.yml deleted file mode 100644 index a8487606..00000000 --- a/tests/__snapshots__/insecure-use-memset-function-snapshot.yml +++ /dev/null @@ -1,8 +0,0 @@ -id: insecure-use-memset-function -snapshots: - memset(buffer, 0, sizeof(buffer));: - labels: - - source: memset(buffer, 0, sizeof(buffer)); - style: primary - start: 0 - end: 34 
diff --git a/tests/__snapshots__/insecure-use-scanf-function-snapshot.yml b/tests/__snapshots__/insecure-use-scanf-function-snapshot.yml deleted file mode 100644 index 6cd11029..00000000 --- a/tests/__snapshots__/insecure-use-scanf-function-snapshot.yml +++ /dev/null @@ -1,8 +0,0 @@ -id: insecure-use-scanf-function -snapshots: - scanf("%s", buffer);: - labels: - - source: scanf("%s", buffer); - style: primary - start: 0 - end: 20 diff --git a/tests/__snapshots__/insecure-use-strcat-function-snapshot.yml b/tests/__snapshots__/insecure-use-strcat-function-snapshot.yml deleted file mode 100644 index 2f8aade9..00000000 --- a/tests/__snapshots__/insecure-use-strcat-function-snapshot.yml +++ /dev/null @@ -1,10 +0,0 @@ -id: insecure-use-strcat-function -snapshots: - ? |- - strcat(buffer, "abc"); - strncat(buffer, "abc", sizeof(buffer)); - : labels: - - source: strcat(buffer, "abc"); - style: primary - start: 0 - end: 22 diff --git a/tests/__snapshots__/insecure-use-string-copy-function-snapshot.yml b/tests/__snapshots__/insecure-use-string-copy-function-snapshot.yml deleted file mode 100644 index f1531fc4..00000000 --- a/tests/__snapshots__/insecure-use-string-copy-function-snapshot.yml +++ /dev/null @@ -1,10 +0,0 @@ -id: insecure-use-string-copy-function -snapshots: - ? |- - strcpy(buffer, "abc"); - strncpy(buffer, "abc", sizeof(buffer)); - : labels: - - source: strcpy(buffer, "abc"); - style: primary - start: 0 - end: 22 diff --git a/tests/__snapshots__/insecure-use-strtok-function-snapshot.yml b/tests/__snapshots__/insecure-use-strtok-function-snapshot.yml deleted file mode 100644 index ddf24fe2..00000000 --- a/tests/__snapshots__/insecure-use-strtok-function-snapshot.yml +++ /dev/null @@ -1,8 +0,0 @@ -id: insecure-use-strtok-function -snapshots: - strtok(buffer, " ");: - labels: - - source: strtok(buffer, " "); - style: primary - start: 0 - end: 20 
diff --git a/tests/__snapshots__/jedis-jedisfactory-hardcoded-password-java-snapshot.yml b/tests/__snapshots__/jedis-jedisfactory-hardcoded-password-java-snapshot.yml
deleted file mode 100644
index 4a04b573..00000000
--- a/tests/__snapshots__/jedis-jedisfactory-hardcoded-password-java-snapshot.yml
+++ /dev/null
@@ -1,92 +0,0 @@ -id: jedis-jedisfactory-hardcoded-password-java -snapshots: - ? | - import redis.clients.jedis.JedisFactory; - - @Service - public class JedisService implements IJedisService { - @Test - public void hardcoded() { - JedisFactory jedisFactory = new JedisFactory(); - jedisFactory.setHostName(hostName); - jedisFactory.setport(port); - jedisFactory.setPassword("asdf"); - jedisFactory.setDatabase(database); - } - } - : labels: - - source: jedisFactory.setPassword("asdf"); - style: primary - start: 248 - end: 281 - - source: jedisFactory - style: secondary - start: 248 - end: 260 - - source: setPassword - style: secondary - start: 261 - end: 272 - - source: '"asdf"' - style: secondary - start: 273 - end: 279 - - source: ("asdf") - style: secondary - start: 272 - end: 280 - - source: jedisFactory.setPassword("asdf") - style: secondary - start: 248 - end: 280 - - source: JedisFactory - style: secondary - start: 136 - end: 148 - - source: jedisFactory - style: secondary - start: 149 - end: 161 - - source: new JedisFactory() - style: secondary - start: 164 - end: 182 - - source: jedisFactory = new JedisFactory() - style: secondary - start: 149 - end: 182 - - source: JedisFactory jedisFactory = new JedisFactory(); - style: secondary - start: 136 - end: 183 - - source: redis - style: secondary - start: 7 - end: 12 - - source: clients - style: secondary - start: 13 - end: 20 - - source: redis.clients.jedis.JedisFactory - style: secondary - start: 7 - end: 39 - - source: import redis.clients.jedis.JedisFactory; - style: secondary - start: 0 - end: 40 - - source: |- - @Service - public class JedisService implements IJedisService { - @Test - public void hardcoded() { - JedisFactory jedisFactory = new JedisFactory(); - jedisFactory.setHostName(hostName); - jedisFactory.setport(port); - jedisFactory.setPassword("asdf"); - jedisFactory.setDatabase(database); - } - } - style: secondary - start: 42 - end: 321 
diff --git a/tests/__snapshots__/json-entity-escape-snapshot.yml b/tests/__snapshots__/json-entity-escape-snapshot.yml deleted file mode 100644 index 1fdd6473..00000000 --- a/tests/__snapshots__/json-entity-escape-snapshot.yml +++ /dev/null @@ -1,8 +0,0 @@ -id: json-entity-escape -snapshots: - ActiveSupport.escape_html_entities_in_json = false: - labels: - - source: ActiveSupport.escape_html_entities_in_json = false - style: primary - start: 0 - end: 50 diff --git a/tests/__snapshots__/jwt-go-none-algorithm-go-snapshot.yml b/tests/__snapshots__/jwt-go-none-algorithm-go-snapshot.yml deleted file mode 100644 index 17c8ceef..00000000 --- a/tests/__snapshots__/jwt-go-none-algorithm-go-snapshot.yml +++ /dev/null 
@@ -1,90 +0,0 @@ -id: jwt-go-none-algorithm-go -snapshots: - ? | - import ( - "fmt" - "github.com/dgrijalva/jwt-go" - ) - func bad1(key []byte) { - claims := jwt.StandardClaims{ - ExpiresAt:15000, - Issuer:"test",} - token := jwt.NewWithClaims(jwt.SigningMethodNone, claims) - ss, err := token.SignedString(jwt.UnsafeAllowNoneSignatureType) - fmt.Printf("%v %v\n", ss, err)} - : labels: - - source: jwt.SigningMethodNone - style: primary - start: 172 - end: 193 - - source: |- - ( - "fmt" - "github.com/dgrijalva/jwt-go" - ) - style: secondary - start: 7 - end: 51 - - source: |- - import ( - "fmt" - "github.com/dgrijalva/jwt-go" - ) - style: secondary - start: 0 - end: 51 - - source: |- - func bad1(key []byte) { - claims := jwt.StandardClaims{ - ExpiresAt:15000, - Issuer:"test",} - token := jwt.NewWithClaims(jwt.SigningMethodNone, claims) - ss, err := token.SignedString(jwt.UnsafeAllowNoneSignatureType) - fmt.Printf("%v %v\n", ss, err)} - style: secondary - start: 52 - end: 298 - ? | - import ( - "fmt" - "github.com/dgrijalva/jwt-go" - ) - func bad1(key []byte) { - claims = jwt.StandardClaims{ - ExpiresAt:15000, - Issuer:"test",} - token = jwt.NewWithClaims(jwt.SigningMethodNone, claims) - ss, err = token.SignedString(jwt.UnsafeAllowNoneSignatureType) - fmt.Printf("%v %v\n", ss, err)} - : labels: - - source: jwt.SigningMethodNone - style: primary - start: 170 - end: 191 - - source: |- - ( - "fmt" - "github.com/dgrijalva/jwt-go" - ) - style: secondary - start: 7 - end: 51 - - source: |- - import ( - "fmt" - "github.com/dgrijalva/jwt-go" - ) - style: secondary - start: 0 - end: 51 - - source: |- - func bad1(key []byte) { - claims = jwt.StandardClaims{ - ExpiresAt:15000, - Issuer:"test",} - token = jwt.NewWithClaims(jwt.SigningMethodNone, claims) - ss, err = token.SignedString(jwt.UnsafeAllowNoneSignatureType) - fmt.Printf("%v %v\n", ss, err)} - style: secondary - start: 52 - end: 295 
diff --git a/tests/__snapshots__/jwt-go-none-algorithm-snapshot.yml b/tests/__snapshots__/jwt-go-none-algorithm-snapshot.yml deleted file mode 100644 index f35c1882..00000000 --- a/tests/__snapshots__/jwt-go-none-algorithm-snapshot.yml +++ /dev/null @@ -1,23 +0,0 @@ -id: jwt-go-none-algorithm -snapshots: - ? | - jwt.New(jwt.SigningMethodNone) - : labels: - - source: jwt.SigningMethodNone - style: primary - start: 8 - end: 29 - ? | - jwt.New(jwt.SigningMethodNone, jwt.WithClaims(jwt.MapClaims{"foo": "bar"})) - : labels: - - source: jwt.SigningMethodNone - style: primary - start: 8 - end: 29 - ? | - jwt.New(jwt.UnsafeAllowNoneSignatureType, jwt.WithHeader(jwt.MapClaims{"foo": "bar"})) - : labels: - - source: jwt.UnsafeAllowNoneSignatureType - style: primary - start: 8 - end: 40 diff --git a/tests/__snapshots__/jwt-go-parse-unverified-snapshot.yml b/tests/__snapshots__/jwt-go-parse-unverified-snapshot.yml deleted file mode 100644 index 91ce5a91..00000000 --- a/tests/__snapshots__/jwt-go-parse-unverified-snapshot.yml +++ /dev/null @@ -1,8 +0,0 @@ -id: jwt-go-parse-unverified -snapshots: - token, _, err := new(jwt.Parser).ParseUnverified(tokenString, jwt.MapClaims{}): - labels: - - source: new(jwt.Parser).ParseUnverified(tokenString, jwt.MapClaims{}) - style: primary - start: 17 - end: 78 diff --git a/tests/__snapshots__/jwt-go-snapshot.yml b/tests/__snapshots__/jwt-go-snapshot.yml deleted file mode 100644 index d0bb3843..00000000 --- a/tests/__snapshots__/jwt-go-snapshot.yml +++ /dev/null @@ -1,8 +0,0 @@ -id: jwt-go -snapshots: - token.SignedString([]byte("secret")): - labels: - - source: token.SignedString([]byte("secret")) - style: primary - start: 0 - end: 36 diff --git a/tests/__snapshots__/jwt-non-alg-ruby-snapshot.yml b/tests/__snapshots__/jwt-non-alg-ruby-snapshot.yml deleted file mode 100644 index 2a2dfe24..00000000 --- a/tests/__snapshots__/jwt-non-alg-ruby-snapshot.yml +++ /dev/null 
@@ -1,16 +0,0 @@ -id: jwt-non-alg-ruby -snapshots: - ? | - token = JWT.encode(payload, nil, 'none'); - : labels: - - source: JWT.encode(payload, nil, 'none') - style: primary - start: 8 - end: 40 - ? | - token = JWT.encode(payload, nil, 'none', { algorithm: 'none' }); - : labels: - - source: 'JWT.encode(payload, nil, ''none'', { algorithm: ''none'' })' - style: primary - start: 8 - end: 63 diff --git a/tests/__snapshots__/jwt-none-alg-javascript-snapshot.yml b/tests/__snapshots__/jwt-none-alg-javascript-snapshot.yml deleted file mode 100644 index d1fe39db..00000000 --- a/tests/__snapshots__/jwt-none-alg-javascript-snapshot.yml +++ /dev/null @@ -1,19 +0,0 @@ -id: jwt-none-alg-javascript -snapshots: - ? | - const jose = require("jose"); - const { JWK, JWT } = jose; - const token = JWT.verify('token-here', JWK.None); - : labels: - - source: const token = JWT.verify('token-here', JWK.None); - style: primary - start: 57 - end: 106 - - source: const jose = require("jose"); - style: secondary - start: 0 - end: 29 - - source: const { JWK, JWT } = jose; - style: secondary - start: 30 - end: 56 diff --git a/tests/__snapshots__/jwt-none-alg-typescript-snapshot.yml b/tests/__snapshots__/jwt-none-alg-typescript-snapshot.yml deleted file mode 100644 index 1cb4f8a7..00000000 --- a/tests/__snapshots__/jwt-none-alg-typescript-snapshot.yml +++ /dev/null @@ -1,19 +0,0 @@ -id: jwt-none-alg-typescript -snapshots: - ? | - const jose = require("jose"); - const { JWK, JWT } = jose; - const token = JWT.verify('token-here', JWK.None); - : labels: - - source: const token = JWT.verify('token-here', JWK.None); - style: primary - start: 57 - end: 106 - - source: const jose = require("jose"); - style: secondary - start: 0 - end: 29 - - source: const { JWK, JWT } = jose; - style: secondary - start: 30 - end: 56 
diff --git a/tests/__snapshots__/jwt-python-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/jwt-python-hardcoded-secret-python-snapshot.yml deleted file mode 100644 index e8384206..00000000 --- a/tests/__snapshots__/jwt-python-hardcoded-secret-python-snapshot.yml +++ /dev/null @@ -1,40 +0,0 @@ -id: jwt-python-hardcoded-secret-python -snapshots: - ? | - encoded = jwt.encode({"some": "payload"}, "secret", algorithm="HS256") - encoded = jwt.encode({'some': 'payload'}, 'secret', algorithm='HS256') - secret = "secret" - encoded = jwt.encode({"some": "payload"}, secret, algorithm="HS256") - : labels: - - source: 'encoded = jwt.encode({"some": "payload"}, "secret", algorithm="HS256")' - style: primary - start: 0 - end: 70 - - source: '"secret"' - style: secondary - start: 42 - end: 50 - - source: '({"some": "payload"}, "secret", algorithm="HS256")' - style: secondary - start: 20 - end: 70 - - source: 'jwt.encode({"some": "payload"}, "secret", algorithm="HS256")' - style: secondary - start: 10 - end: 70 - - source: 'encoded = jwt.encode({"some": "payload"}, "secret", algorithm="HS256")' - style: secondary - start: 0 - end: 70 - - source: jwt.encode - style: secondary - start: 10 - end: 20 - - source: 'jwt.encode({"some": "payload"}, "secret", algorithm="HS256")' - style: secondary - start: 10 - end: 70 - - source: 'encoded = jwt.encode({"some": "payload"}, "secret", algorithm="HS256")' - style: secondary - start: 0 - end: 70 diff --git a/tests/__snapshots__/jwt-simple-noverify-astgrep-snapshot.yml b/tests/__snapshots__/jwt-simple-noverify-astgrep-snapshot.yml deleted file mode 100644 index f6c5439f..00000000 --- a/tests/__snapshots__/jwt-simple-noverify-astgrep-snapshot.yml +++ /dev/null 
@@ -1,14 +0,0 @@ -id: jwt-simple-noverify-astgrep -snapshots: - jwt.decode("token", "secret", true): - labels: - - source: jwt.decode("token", "secret", true) - style: primary - start: 0 - end: 35 - jwt.decode("token", "secret", true, {}): - labels: - - source: jwt.decode("token", "secret", true, {}) - style: primary - start: 0 - end: 39 diff --git a/tests/__snapshots__/jwt-simple-noverify-js-snapshot.yml b/tests/__snapshots__/jwt-simple-noverify-js-snapshot.yml deleted file mode 100644 index 3394c951..00000000 --- a/tests/__snapshots__/jwt-simple-noverify-js-snapshot.yml +++ /dev/null 
@@ -1,68 +0,0 @@ -id: jwt-simple-noverify-js -snapshots: - ? "const jwt = require('jwt-simple'); \n\napp.get('/protectedRoute1', (req, res) => {\n const token = req.headers.authorization;\n\n if (!token) {\n return res.status(401).json({ error: 'Unauthorized. Token missing.' });\n }\n\n try {\n // ruleid: jwt-simple-noverify \n const decoded = jwt.decode(token, secretKey, 'HS256', 12);\n res.json({ message: `Hello ${decoded.username}` });\n } catch (error) {\n res.status(401).json({ error: 'Unauthorized. Invalid token.' });\n }\n});\n" - : labels: - - source: jwt.decode(token, secretKey, 'HS256', 12) - style: primary - start: 287 - end: 328 - - source: jwt - style: secondary - start: 6 - end: 9 - - source: require('jwt-simple') - style: secondary - start: 12 - end: 33 - - source: const jwt = require('jwt-simple'); - style: secondary - start: 0 - end: 34 - - source: "app.get('/protectedRoute1', (req, res) => {\n const token = req.headers.authorization;\n\n if (!token) {\n return res.status(401).json({ error: 'Unauthorized. Token missing.' });\n }\n\n try {\n // ruleid: jwt-simple-noverify \n const decoded = jwt.decode(token, secretKey, 'HS256', 12);\n res.json({ message: `Hello ${decoded.username}` });\n } catch (error) {\n res.status(401).json({ error: 'Unauthorized. Invalid token.' });\n }\n});" - style: secondary - start: 37 - end: 482 - ? "const jwt = require('jwt-simple'); \n\napp.get('/protectedRoute2', (req, res) => {\n const token = req.headers.authorization;\n\n if (!token) {\n return res.status(401).json({ error: 'Unauthorized. Token missing.' });\n }\n\n try {\n // ruleid: jwt-simple-noverify \n const decoded = jwt.decode(token, secretKey, true);\n res.json({ message: `Hello ${decoded.username}` });\n } catch (error) {\n res.status(401).json({ error: 'Unauthorized. Invalid token.' 
});\n }\n});\n" - : labels: - - source: jwt.decode(token, secretKey, true) - style: primary - start: 289 - end: 323 - - source: jwt - style: secondary - start: 6 - end: 9 - - source: require('jwt-simple') - style: secondary - start: 12 - end: 33 - - source: const jwt = require('jwt-simple'); - style: secondary - start: 0 - end: 34 - - source: "app.get('/protectedRoute2', (req, res) => {\n const token = req.headers.authorization;\n\n if (!token) {\n return res.status(401).json({ error: 'Unauthorized. Token missing.' });\n }\n\n try {\n // ruleid: jwt-simple-noverify \n const decoded = jwt.decode(token, secretKey, true);\n res.json({ message: `Hello ${decoded.username}` });\n } catch (error) {\n res.status(401).json({ error: 'Unauthorized. Invalid token.' });\n }\n});" - style: secondary - start: 38 - end: 477 - ? "const jwt = require('jwt-simple'); \n\napp.get('/protectedRoute3', (req, res) => {\n const token = req.headers.authorization;\n\n if (!token) {\n return res.status(401).json({ error: 'Unauthorized. Token missing.' });\n }\n\n try {\n // ruleid: jwt-simple-noverify \n const decoded = jwt.decode(token, secretKey, 'false');\n res.json({ message: `Hello ${decoded.username}` });\n } catch (error) {\n res.status(401).json({ error: 'Unauthorized. Invalid token.' });\n }\n});\n" - : labels: - - source: jwt.decode(token, secretKey, 'false') - style: primary - start: 290 - end: 327 - - source: jwt - style: secondary - start: 6 - end: 9 - - source: require('jwt-simple') - style: secondary - start: 12 - end: 33 - - source: const jwt = require('jwt-simple'); - style: secondary - start: 0 - end: 34 - - source: "app.get('/protectedRoute3', (req, res) => {\n const token = req.headers.authorization;\n\n if (!token) {\n return res.status(401).json({ error: 'Unauthorized. Token missing.' 
});\n }\n\n try {\n // ruleid: jwt-simple-noverify \n const decoded = jwt.decode(token, secretKey, 'false');\n res.json({ message: `Hello ${decoded.username}` });\n } catch (error) {\n res.status(401).json({ error: 'Unauthorized. Invalid token.' });\n }\n});" - style: secondary - start: 38 - end: 481 diff --git a/tests/__snapshots__/jwt-simple-noverify-ts-snapshot.yml b/tests/__snapshots__/jwt-simple-noverify-ts-snapshot.yml deleted file mode 100644 index 52b0aea6..00000000 --- a/tests/__snapshots__/jwt-simple-noverify-ts-snapshot.yml +++ /dev/null 
@@ -1,68 +0,0 @@ -id: jwt-simple-noverify-ts -snapshots: - ? "const jwt = require('jwt-simple'); \n\napp.get('/protectedRoute1', (req, res) => {\n const token = req.headers.authorization;\n\n if (!token) {\n return res.status(401).json({ error: 'Unauthorized. Token missing.' });\n }\n\n try {\n // ruleid: jwt-simple-noverify \n const decoded = jwt.decode(token, secretKey, 'HS256', 12);\n res.json({ message: `Hello ${decoded.username}` });\n } catch (error) {\n res.status(401).json({ error: 'Unauthorized. Invalid token.' });\n }\n});\n" - : labels: - - source: jwt.decode(token, secretKey, 'HS256', 12) - style: primary - start: 287 - end: 328 - - source: jwt - style: secondary - start: 6 - end: 9 - - source: require('jwt-simple') - style: secondary - start: 12 - end: 33 - - source: const jwt = require('jwt-simple'); - style: secondary - start: 0 - end: 34 - - source: "app.get('/protectedRoute1', (req, res) => {\n const token = req.headers.authorization;\n\n if (!token) {\n return res.status(401).json({ error: 'Unauthorized. Token missing.' });\n }\n\n try {\n // ruleid: jwt-simple-noverify \n const decoded = jwt.decode(token, secretKey, 'HS256', 12);\n res.json({ message: `Hello ${decoded.username}` });\n } catch (error) {\n res.status(401).json({ error: 'Unauthorized. Invalid token.' });\n }\n});" - style: secondary - start: 37 - end: 482 - ? "const jwt = require('jwt-simple'); \n\napp.get('/protectedRoute2', (req, res) => {\n const token = req.headers.authorization;\n\n if (!token) {\n return res.status(401).json({ error: 'Unauthorized. Token missing.' });\n }\n\n try {\n // ruleid: jwt-simple-noverify \n const decoded = jwt.decode(token, secretKey, true);\n res.json({ message: `Hello ${decoded.username}` });\n } catch (error) {\n res.status(401).json({ error: 'Unauthorized. Invalid token.' 
});\n }\n});\n" - : labels: - - source: jwt.decode(token, secretKey, true) - style: primary - start: 289 - end: 323 - - source: jwt - style: secondary - start: 6 - end: 9 - - source: require('jwt-simple') - style: secondary - start: 12 - end: 33 - - source: const jwt = require('jwt-simple'); - style: secondary - start: 0 - end: 34 - - source: "app.get('/protectedRoute2', (req, res) => {\n const token = req.headers.authorization;\n\n if (!token) {\n return res.status(401).json({ error: 'Unauthorized. Token missing.' });\n }\n\n try {\n // ruleid: jwt-simple-noverify \n const decoded = jwt.decode(token, secretKey, true);\n res.json({ message: `Hello ${decoded.username}` });\n } catch (error) {\n res.status(401).json({ error: 'Unauthorized. Invalid token.' });\n }\n});" - style: secondary - start: 38 - end: 477 - ? "const jwt = require('jwt-simple'); \n\napp.get('/protectedRoute3', (req, res) => {\n const token = req.headers.authorization;\n\n if (!token) {\n return res.status(401).json({ error: 'Unauthorized. Token missing.' });\n }\n\n try {\n // ruleid: jwt-simple-noverify \n const decoded = jwt.decode(token, secretKey, 'false');\n res.json({ message: `Hello ${decoded.username}` });\n } catch (error) {\n res.status(401).json({ error: 'Unauthorized. Invalid token.' });\n }\n});\n" - : labels: - - source: jwt.decode(token, secretKey, 'false') - style: primary - start: 290 - end: 327 - - source: jwt - style: secondary - start: 6 - end: 9 - - source: require('jwt-simple') - style: secondary - start: 12 - end: 33 - - source: const jwt = require('jwt-simple'); - style: secondary - start: 0 - end: 34 - - source: "app.get('/protectedRoute3', (req, res) => {\n const token = req.headers.authorization;\n\n if (!token) {\n return res.status(401).json({ error: 'Unauthorized. Token missing.' 
});\n }\n\n try {\n // ruleid: jwt-simple-noverify \n const decoded = jwt.decode(token, secretKey, 'false');\n res.json({ message: `Hello ${decoded.username}` });\n } catch (error) {\n res.status(401).json({ error: 'Unauthorized. Invalid token.' });\n }\n});" - style: secondary - start: 38 - end: 481 diff --git a/tests/__snapshots__/jwt-tokenvalidationparameters-no-expiry-validation-csharp-snapshot.yml b/tests/__snapshots__/jwt-tokenvalidationparameters-no-expiry-validation-csharp-snapshot.yml deleted file mode 100644 index 357a1ec4..00000000 --- a/tests/__snapshots__/jwt-tokenvalidationparameters-no-expiry-validation-csharp-snapshot.yml +++ /dev/null 
@@ -1,59 +0,0 @@ -id: jwt-tokenvalidationparameters-no-expiry-validation-csharp -snapshots: - ? | - options.TokenValidationParameters = new TokenValidationParameters - { - ValidateLifetime = false, - RequireSignedTokens = true, - ValidateIssuer = false, - ValidateAudience = false, - RequireExpirationTime = false - }; - TokenValidationParameters parameters = new TokenValidationParameters(); - parameters.RequireExpirationTime = false; - parameters.ValidateLifetime = false; - : labels: - - source: ValidateLifetime = false - style: primary - start: 68 - end: 92 - - source: ValidateLifetime - style: secondary - start: 68 - end: 84 - - source: = - style: secondary - start: 85 - end: 86 - - source: 'false' - style: secondary - start: 87 - end: 92 - - source: TokenValidationParameters - style: secondary - start: 40 - end: 65 - - source: |- - new TokenValidationParameters - { - ValidateLifetime = false, - RequireSignedTokens = true, - ValidateIssuer = false, - ValidateAudience = false, - RequireExpirationTime = false - } - style: secondary - start: 36 - end: 203 - - source: |- - options.TokenValidationParameters = new TokenValidationParameters - { - ValidateLifetime = false, - RequireSignedTokens = true, - ValidateIssuer = false, - ValidateAudience = false, - RequireExpirationTime = false - }; - style: secondary - start: 0 - end: 204 diff --git a/tests/__snapshots__/libxml2-audit-parser-c-snapshot.yml b/tests/__snapshots__/libxml2-audit-parser-c-snapshot.yml deleted file mode 100644 index 60994812..00000000 --- a/tests/__snapshots__/libxml2-audit-parser-c-snapshot.yml +++ /dev/null @@ -1,12 +0,0 @@ -id: libxml2-audit-parser-c -snapshots: - ? | - xmlParseInNodeContext(cur_node->parent, xml_filtered.c_str(), - (int)xml_filtered.length(), 0, &pNewNode); - : labels: - - source: |- - xmlParseInNodeContext(cur_node->parent, xml_filtered.c_str(), - (int)xml_filtered.length(), 0, &pNewNode) - style: primary - start: 0 - end: 103 
diff --git a/tests/__snapshots__/libxml2-audit-parser-cpp-snapshot.yml b/tests/__snapshots__/libxml2-audit-parser-cpp-snapshot.yml deleted file mode 100644 index 6d424b83..00000000 --- a/tests/__snapshots__/libxml2-audit-parser-cpp-snapshot.yml +++ /dev/null @@ -1,12 +0,0 @@ -id: libxml2-audit-parser-cpp -snapshots: - ? | - xmlParseInNodeContext(cur_node->parent, xml_filtered.c_str(), - (int)xml_filtered.length(), 0, &pNewNode); - : labels: - - source: |- - xmlParseInNodeContext(cur_node->parent, xml_filtered.c_str(), - (int)xml_filtered.length(), 0, &pNewNode) - style: primary - start: 0 - end: 103 diff --git a/tests/__snapshots__/los-formatter-snapshot.yml b/tests/__snapshots__/los-formatter-snapshot.yml deleted file mode 100644 index f3a292fc..00000000 --- a/tests/__snapshots__/los-formatter-snapshot.yml +++ /dev/null @@ -1,8 +0,0 @@ -id: los-formatter -snapshots: - LosFormatter losFormatter = new LosFormatter();: - labels: - - source: new LosFormatter() - style: primary - start: 28 - end: 46 diff --git a/tests/__snapshots__/missing-secure-java-snapshot.yml b/tests/__snapshots__/missing-secure-java-snapshot.yml deleted file mode 100644 index 3931463b..00000000 --- a/tests/__snapshots__/missing-secure-java-snapshot.yml +++ /dev/null @@ -1,32 +0,0 @@ -id: missing-secure-java -snapshots: - ? | - SimpleCookie s = new SimpleCookie("foo", "bar"); - .orElse( new NettyCookie( "foo", "bar" ) ); - Cookie z = new NettyCookie("foo", "bar"); - return HttpResponse.ok().cookie(Cookie.of("zzz", "ddd")); - : labels: - - source: s - style: primary - start: 13 - end: 14 - - source: SimpleCookie - style: secondary - start: 0 - end: 12 - - source: s - style: secondary - start: 13 - end: 14 - - source: new SimpleCookie("foo", "bar") - style: secondary - start: 17 - end: 47 - - source: s = new SimpleCookie("foo", "bar") - style: secondary - start: 13 - end: 47 - - source: SimpleCookie s = new SimpleCookie("foo", "bar"); - style: secondary - start: 0 - end: 48 
diff --git a/tests/__snapshots__/missing-ssl-minversion-go-snapshot.yml b/tests/__snapshots__/missing-ssl-minversion-go-snapshot.yml deleted file mode 100644 index 1c95d52f..00000000 --- a/tests/__snapshots__/missing-ssl-minversion-go-snapshot.yml +++ /dev/null @@ -1,13 +0,0 @@ -id: missing-ssl-minversion-go -snapshots: - ? | - server.TLS = &tls.Config{ Rand: zeroSource{}, } - : labels: - - source: 'tls.Config{ Rand: zeroSource{}, }' - style: primary - start: 14 - end: 47 - - source: 'server.TLS = &tls.Config{ Rand: zeroSource{}, }' - style: secondary - start: 0 - end: 47 diff --git a/tests/__snapshots__/no-null-cipher-java-snapshot.yml b/tests/__snapshots__/no-null-cipher-java-snapshot.yml deleted file mode 100644 index a926152d..00000000 --- a/tests/__snapshots__/no-null-cipher-java-snapshot.yml +++ /dev/null @@ -1,18 +0,0 @@ -id: no-null-cipher-java -snapshots: - ? |- - Cipher doNothingCihper = new NullCipher(); - new javax.crypto.NullCipher(); - : labels: - - source: new NullCipher() - style: primary - start: 25 - end: 41 - ? | - Cipher doNothingCihper = new NullCipher(); - new javax.crypto.NullCipher(); - : labels: - - source: new NullCipher() - style: primary - start: 25 - end: 41 diff --git a/tests/__snapshots__/node-rsa-weak-key-javascript-snapshot.yml b/tests/__snapshots__/node-rsa-weak-key-javascript-snapshot.yml deleted file mode 100644 index 51e1d6ca..00000000 --- a/tests/__snapshots__/node-rsa-weak-key-javascript-snapshot.yml +++ /dev/null 
@@ -1,122 +0,0 @@ -id: node-rsa-weak-key-javascript -snapshots: - ? | - const crypto = require("crypto"); - const NodeRSA = require('node-rsa'); - const forge = require('node-forge'); - const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { - a: 123, - modulusLength: 512, - }); - const key = new NodeRSA({b: 2048}); - const key = new NodeRSA({b: 512}); - const pki = forge.pki; - : labels: - - source: '512' - style: primary - start: 201 - end: 204 - - source: crypto - style: secondary - start: 142 - end: 148 - - source: generateKeyPairSync - style: secondary - start: 149 - end: 168 - - source: crypto.generateKeyPairSync - style: secondary - start: 142 - end: 168 - - source: rsa - style: secondary - start: 170 - end: 173 - - source: '"rsa"' - style: secondary - start: 169 - end: 174 - - source: modulusLength - style: secondary - start: 186 - end: 199 - - source: '512' - style: secondary - start: 201 - end: 204 - - source: 'modulusLength: 512' - style: secondary - start: 186 - end: 204 - - source: |- - { - a: 123, - modulusLength: 512, - } - style: secondary - start: 176 - end: 207 - - source: |- - ("rsa", { - a: 123, - modulusLength: 512, - }) - style: secondary - start: 168 - end: 208 - - source: |- - crypto.generateKeyPairSync("rsa", { - a: 123, - modulusLength: 512, - }) - style: secondary - start: 142 - end: 208 - - source: |- - { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { - a: 123, - modulusLength: 512, - }) - style: secondary - start: 114 - end: 208 - - source: crypto - style: secondary - start: 6 - end: 12 - - source: require - style: secondary - start: 15 - end: 22 - - source: crypto - style: secondary - start: 24 - end: 30 - - source: '"crypto"' - style: secondary - start: 23 - end: 31 - - source: ("crypto") - style: secondary - start: 22 - end: 32 - - source: require("crypto") - style: secondary - start: 15 - end: 32 - - source: crypto = require("crypto") - style: secondary - start: 6 - end: 32 - - source: const crypto = 
require("crypto"); - style: secondary - start: 0 - end: 33 - - source: |- - const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { - a: 123, - modulusLength: 512, - }); - style: secondary - start: 108 - end: 209 diff --git a/tests/__snapshots__/node-rsa-weak-key-typescript-snapshot.yml b/tests/__snapshots__/node-rsa-weak-key-typescript-snapshot.yml deleted file mode 100644 index c03ca54c..00000000 --- a/tests/__snapshots__/node-rsa-weak-key-typescript-snapshot.yml +++ /dev/null 
@@ -1,122 +0,0 @@ -id: node-rsa-weak-key-typescript -snapshots: - ? | - const crypto = require("crypto"); - const NodeRSA = require('node-rsa'); - const forge = require('node-forge'); - const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { - a: 123, - modulusLength: 512, - }); - const key = new NodeRSA({b: 2048}); - const key = new NodeRSA({b: 512}); - const pki = forge.pki; - : labels: - - source: '512' - style: primary - start: 201 - end: 204 - - source: crypto - style: secondary - start: 142 - end: 148 - - source: generateKeyPairSync - style: secondary - start: 149 - end: 168 - - source: crypto.generateKeyPairSync - style: secondary - start: 142 - end: 168 - - source: rsa - style: secondary - start: 170 - end: 173 - - source: '"rsa"' - style: secondary - start: 169 - end: 174 - - source: modulusLength - style: secondary - start: 186 - end: 199 - - source: '512' - style: secondary - start: 201 - end: 204 - - source: 'modulusLength: 512' - style: secondary - start: 186 - end: 204 - - source: |- - { - a: 123, - modulusLength: 512, - } - style: secondary - start: 176 - end: 207 - - source: |- - ("rsa", { - a: 123, - modulusLength: 512, - }) - style: secondary - start: 168 - end: 208 - - source: |- - crypto.generateKeyPairSync("rsa", { - a: 123, - modulusLength: 512, - }) - style: secondary - start: 142 - end: 208 - - source: |- - { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { - a: 123, - modulusLength: 512, - }) - style: secondary - start: 114 - end: 208 - - source: crypto - style: secondary - start: 6 - end: 12 - - source: require - style: secondary - start: 15 - end: 22 - - source: crypto - style: secondary - start: 24 - end: 30 - - source: '"crypto"' - style: secondary - start: 23 - end: 31 - - source: ("crypto") - style: secondary - start: 22 - end: 32 - - source: require("crypto") - style: secondary - start: 15 - end: 32 - - source: crypto = require("crypto") - style: secondary - start: 6 - end: 32 - - source: const crypto = 
require("crypto"); - style: secondary - start: 0 - end: 33 - - source: |- - const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { - a: 123, - modulusLength: 512, - }); - style: secondary - start: 108 - end: 209 diff --git a/tests/__snapshots__/node-sequelize-empty-password-argument-javascript-snapshot.yml b/tests/__snapshots__/node-sequelize-empty-password-argument-javascript-snapshot.yml deleted file mode 100644 index 6034344a..00000000 --- a/tests/__snapshots__/node-sequelize-empty-password-argument-javascript-snapshot.yml +++ /dev/null @@ -1,61 +0,0 @@ -id: node-sequelize-empty-password-argument-javascript -snapshots: - ? | - const Sequelize = require('sequelize'); - const sequelize1 = new Sequelize('database', 'username', '', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - }) - : labels: - - source: '''''' - style: primary - start: 97 - end: 99 - - source: Sequelize - style: secondary - start: 63 - end: 72 - - source: '''''' - style: secondary - start: 97 - end: 99 - - source: |- - ('database', 'username', '', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - }) - style: secondary - start: 72 - end: 158 - - source: |- - new Sequelize('database', 'username', '', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - }) - style: secondary - start: 59 - end: 158 - - source: Sequelize - style: secondary - start: 6 - end: 15 - - source: Sequelize = require('sequelize') - style: secondary - start: 6 - end: 38 - - source: const Sequelize = require('sequelize'); - style: secondary - start: 0 - end: 39 - - source: |- - const sequelize1 = new Sequelize('database', 'username', '', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - }) - style: secondary - start: 40 - end: 158 diff --git a/tests/__snapshots__/node-sequelize-empty-password-argument-typescript-snapshot.yml b/tests/__snapshots__/node-sequelize-empty-password-argument-typescript-snapshot.yml deleted file mode 100644 index 9efc0238..00000000 
--- a/tests/__snapshots__/node-sequelize-empty-password-argument-typescript-snapshot.yml +++ /dev/null @@ -1,61 +0,0 @@ -id: node-sequelize-empty-password-argument-typescript -snapshots: - ? | - const Sequelize = require('sequelize'); - const sequelize1 = new Sequelize('database', 'username', '', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - }) - : labels: - - source: '''''' - style: primary - start: 97 - end: 99 - - source: Sequelize - style: secondary - start: 63 - end: 72 - - source: '''''' - style: secondary - start: 97 - end: 99 - - source: |- - ('database', 'username', '', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - }) - style: secondary - start: 72 - end: 158 - - source: |- - new Sequelize('database', 'username', '', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - }) - style: secondary - start: 59 - end: 158 - - source: Sequelize - style: secondary - start: 6 - end: 15 - - source: Sequelize = require('sequelize') - style: secondary - start: 6 - end: 38 - - source: const Sequelize = require('sequelize'); - style: secondary - start: 0 - end: 39 - - source: |- - const sequelize1 = new Sequelize('database', 'username', '', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - }) - style: secondary - start: 40 - end: 158 diff --git a/tests/__snapshots__/node-sequelize-hardcoded-secret-argument-javascript-snapshot.yml b/tests/__snapshots__/node-sequelize-hardcoded-secret-argument-javascript-snapshot.yml deleted file mode 100644 index a9240aff..00000000 --- a/tests/__snapshots__/node-sequelize-hardcoded-secret-argument-javascript-snapshot.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -id: node-sequelize-hardcoded-secret-argument-javascript -snapshots: - ? | - const Sequelize = require('sequelize'); - const sequelize = new Sequelize('database', 'username', 'password', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - }) - : labels: - - source: '''password''' - style: primary - start: 96 - end: 106 - - source: Sequelize - style: secondary - start: 62 - end: 71 - - source: password - style: secondary - start: 97 - end: 105 - - source: '''password''' - style: secondary - start: 96 - end: 106 - - source: |- - ('database', 'username', 'password', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - }) - style: secondary - start: 71 - end: 165 - - source: |- - new Sequelize('database', 'username', 'password', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - }) - style: secondary - start: 58 - end: 165 - - source: Sequelize - style: secondary - start: 6 - end: 15 - - source: Sequelize = require('sequelize') - style: secondary - start: 6 - end: 38 - - source: const Sequelize = require('sequelize'); - style: secondary - start: 0 - end: 39 - - source: |- - const sequelize = new Sequelize('database', 'username', 'password', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - }) - style: secondary - start: 40 - end: 165 diff --git a/tests/__snapshots__/node-sequelize-hardcoded-secret-argument-typescript-snapshot.yml b/tests/__snapshots__/node-sequelize-hardcoded-secret-argument-typescript-snapshot.yml deleted file mode 100644 index 1ce5b449..00000000 --- a/tests/__snapshots__/node-sequelize-hardcoded-secret-argument-typescript-snapshot.yml +++ /dev/null 
@@ -1,65 +0,0 @@ -id: node-sequelize-hardcoded-secret-argument-typescript -snapshots: - ? | - const Sequelize = require('sequelize'); - const sequelize = new Sequelize('database', 'username', 'password', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - }) - : labels: - - source: '''password''' - style: primary - start: 96 - end: 106 - - source: Sequelize - style: secondary - start: 62 - end: 71 - - source: password - style: secondary - start: 97 - end: 105 - - source: '''password''' - style: secondary - start: 96 - end: 106 - - source: |- - ('database', 'username', 'password', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - }) - style: secondary - start: 71 - end: 165 - - source: |- - new Sequelize('database', 'username', 'password', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - }) - style: secondary - start: 58 - end: 165 - - source: Sequelize - style: secondary - start: 6 - end: 15 - - source: Sequelize = require('sequelize') - style: secondary - start: 6 - end: 38 - - source: const Sequelize = require('sequelize'); - style: secondary - start: 0 - end: 39 - - source: |- - const sequelize = new Sequelize('database', 'username', 'password', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - }) - style: secondary - start: 40 - end: 165 diff --git a/tests/__snapshots__/null-library-function-c-snapshot.yml b/tests/__snapshots__/null-library-function-c-snapshot.yml deleted file mode 100644 index 9a30d57f..00000000 --- a/tests/__snapshots__/null-library-function-c-snapshot.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -id: null-library-function-c -snapshots: - ? "gid_t f() {\nreturn getgrent()->gr_gid;\n}\nvoid f() {\nchar buf[128];\nstrcpy(buf, getenv(\"FOO\"));\n}\n{\nfwrite(\"foo\", 3, 1, fopen(\"foo.txt\", \"w\"));\n}\n{\nFILE *fptr;\nfwrite(\"foo\", 3, 1, fptr = fopen(\"foo.txt\", \"w\"));\n}\nvoid test_getc() {\nint c = getc(fopen(file_name, \"r\")); \nint c = getc(fptr = fopen(file_name, \"r\"));\n}\n" - : labels: - - source: return getgrent()->gr_gid; - style: primary - start: 12 - end: 38 - - source: getgrent - style: secondary - start: 19 - end: 27 - - source: getgrent() - style: secondary - start: 19 - end: 29 - - source: getgrent()->gr_gid - style: secondary - start: 19 - end: 37 diff --git a/tests/__snapshots__/null-library-function-cpp-snapshot.yml b/tests/__snapshots__/null-library-function-cpp-snapshot.yml deleted file mode 100644 index c95fb6f0..00000000 --- a/tests/__snapshots__/null-library-function-cpp-snapshot.yml +++ /dev/null @@ -1,20 +0,0 @@ -id: null-library-function-cpp -snapshots: - ? "gid_t f() {\nreturn getgrent()->gr_gid;\n}\nvoid f() {\nchar buf[128];\nstrcpy(buf, getenv(\"FOO\"));\n}\n{\nfwrite(\"foo\", 3, 1, fopen(\"foo.txt\", \"w\"));\n}\n{\nFILE *fptr;\nfwrite(\"foo\", 3, 1, fptr = fopen(\"foo.txt\", \"w\"));\n}\nvoid test_getc() {\nint c = getc(fopen(file_name, \"r\")); \nint c = getc(fptr = fopen(file_name, \"r\"));\n}\n" - : labels: - - source: return getgrent()->gr_gid; - style: primary - start: 12 - end: 38 - - source: getgrent - style: secondary - start: 19 - end: 27 - - source: getgrent() - style: secondary - start: 19 - end: 29 - - source: getgrent()->gr_gid - style: secondary - start: 19 - end: 37 diff --git a/tests/__snapshots__/object-deserialization-snapshot.yml b/tests/__snapshots__/object-deserialization-snapshot.yml deleted file mode 100644 index 69a8e1b3..00000000 --- a/tests/__snapshots__/object-deserialization-snapshot.yml +++ /dev/null 
@@ -1,12 +0,0 @@ -id: object-deserialization -snapshots: - ? |- - ObjectInputStream ois = new ObjectInputStream(new FileInputStream("object.ser")); - Object obj = ois.readObject(); - ois.close(); - // obj is now deserialized - : labels: - - source: new ObjectInputStream(new FileInputStream("object.ser")) - style: primary - start: 24 - end: 80 diff --git a/tests/__snapshots__/openai-empty-secret-go-snapshot.yml b/tests/__snapshots__/openai-empty-secret-go-snapshot.yml deleted file mode 100644 index a55ff8f1..00000000 --- a/tests/__snapshots__/openai-empty-secret-go-snapshot.yml +++ /dev/null @@ -1,52 +0,0 @@ -id: openai-empty-secret-go -snapshots: - ? | - import ( - "github.com/sashabaranov/go-openai" - ) - func main() { - client := openai.NewClient("") - } - : labels: - - source: openai.NewClient("") - style: primary - start: 72 - end: 92 - - source: openai - style: secondary - start: 72 - end: 78 - - source: NewClient - style: secondary - start: 79 - end: 88 - - source: openai.NewClient - style: secondary - start: 72 - end: 88 - - source: ("") - style: secondary - start: 88 - end: 92 - - source: openai.NewClient("") - style: secondary - start: 72 - end: 92 - - source: '"github.com/sashabaranov/go-openai"' - style: secondary - start: 9 - end: 44 - - source: |- - import ( - "github.com/sashabaranov/go-openai" - ) - style: secondary - start: 0 - end: 46 - - source: |- - func main() { - client := openai.NewClient("") - } - style: secondary - start: 47 - end: 97 diff --git a/tests/__snapshots__/openai-hardcoded-secret-go-snapshot.yml b/tests/__snapshots__/openai-hardcoded-secret-go-snapshot.yml deleted file mode 100644 index d5ce6dbf..00000000 --- a/tests/__snapshots__/openai-hardcoded-secret-go-snapshot.yml +++ /dev/null 
@@ -1,52 +0,0 @@ -id: openai-hardcoded-secret-go -snapshots: - ? | - import ( - "github.com/sashabaranov/go-openai" - ) - func main() { - client := openai.NewClient("my-openai-token") - } - : labels: - - source: openai.NewClient("my-openai-token") - style: primary - start: 72 - end: 107 - - source: openai - style: secondary - start: 72 - end: 78 - - source: NewClient - style: secondary - start: 79 - end: 88 - - source: openai.NewClient - style: secondary - start: 72 - end: 88 - - source: ("my-openai-token") - style: secondary - start: 88 - end: 107 - - source: openai.NewClient("my-openai-token") - style: secondary - start: 72 - end: 107 - - source: '"github.com/sashabaranov/go-openai"' - style: secondary - start: 9 - end: 44 - - source: |- - import ( - "github.com/sashabaranov/go-openai" - ) - style: secondary - start: 0 - end: 46 - - source: |- - func main() { - client := openai.NewClient("my-openai-token") - } - style: secondary - start: 47 - end: 112 diff --git a/tests/__snapshots__/openai-hardcoded-secret-password-python-snapshot.yml b/tests/__snapshots__/openai-hardcoded-secret-password-python-snapshot.yml deleted file mode 100644 index 652bfde5..00000000 --- a/tests/__snapshots__/openai-hardcoded-secret-password-python-snapshot.yml +++ /dev/null @@ -1,10 +0,0 @@ -id: openai-hardcoded-secret-password-python -snapshots: - ? | - api_key="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" - f = "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" - : labels: - - source: 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 - style: primary - start: 9 - end: 60 diff --git a/tests/__snapshots__/openssl-cbc-static-iv-php-snapshot.yml b/tests/__snapshots__/openssl-cbc-static-iv-php-snapshot.yml deleted file mode 100644 index 321ed335..00000000 --- a/tests/__snapshots__/openssl-cbc-static-iv-php-snapshot.yml +++ /dev/null 
@@ -1,77 +0,0 @@ -id: openssl-cbc-static-iv-php -snapshots: - ? | - Astgrep - Astgrep - Astgrep - Astgrep - Astgrep - Astgrep - Astgrep - : labels: - - source: Astgrep - style: primary - start: 0 - end: 40 diff --git a/tests/__snapshots__/postgres-empty-password-rust-snapshot.yml b/tests/__snapshots__/postgres-empty-password-rust-snapshot.yml deleted file mode 100644 index 1e24cd09..00000000 --- a/tests/__snapshots__/postgres-empty-password-rust-snapshot.yml +++ /dev/null 
@@ -1,101 +0,0 @@ -id: postgres-empty-password-rust -snapshots: - ? | - fn test1() { - let mut config = postgres::Config::new(); - config - .host(std::env::var("HOST").expect("set HOST")) - .user(std::env::var("USER").expect("set USER")) - .password("") - .port(std::env::var("PORT").expect("set PORT")); - let (client, connection) = config.connect(NoTls); - Ok(()) - } - : labels: - - source: |- - config - .host(std::env::var("HOST").expect("set HOST")) - .user(std::env::var("USER").expect("set USER")) - .password("") - style: primary - start: 55 - end: 171 - - source: config - style: secondary - start: 55 - end: 61 - - source: |- - config - .host - style: secondary - start: 55 - end: 67 - - source: (std::env::var("HOST").expect("set HOST")) - style: secondary - start: 67 - end: 109 - - source: |- - config - .host(std::env::var("HOST").expect("set HOST")) - style: secondary - start: 55 - end: 109 - - source: user - style: secondary - start: 111 - end: 115 - - source: |- - config - .host(std::env::var("HOST").expect("set HOST")) - .user - style: secondary - start: 55 - end: 115 - - source: (std::env::var("USER").expect("set USER")) - style: secondary - start: 115 - end: 157 - - source: |- - config - .host(std::env::var("HOST").expect("set HOST")) - .user(std::env::var("USER").expect("set USER")) - style: secondary - start: 55 - end: 157 - - source: password - style: secondary - start: 159 - end: 167 - - source: |- - config - .host(std::env::var("HOST").expect("set HOST")) - .user(std::env::var("USER").expect("set USER")) - .password - style: secondary - start: 55 - end: 167 - - source: ("") - style: secondary - start: 167 - end: 171 - - source: config - style: secondary - start: 21 - end: 27 - - source: postgres::Config::new() - style: secondary - start: 30 - end: 53 - - source: let mut config = postgres::Config::new(); - style: secondary - start: 13 - end: 54 - - source: |- - config - .host(std::env::var("HOST").expect("set HOST")) - 
.user(std::env::var("USER").expect("set USER")) - .password("") - .port(std::env::var("PORT").expect("set PORT")); - style: secondary - start: 55 - end: 220 diff --git a/tests/__snapshots__/python-cassandra-empty-password-python-snapshot.yml b/tests/__snapshots__/python-cassandra-empty-password-python-snapshot.yml deleted file mode 100644 index e07435de..00000000 --- a/tests/__snapshots__/python-cassandra-empty-password-python-snapshot.yml +++ /dev/null @@ -1,50 +0,0 @@ -id: python-cassandra-empty-password-python -snapshots: - ? | - from cassandra.auth import PlainTextAuthProvider - auth_provider = PlainTextAuthProvider('user', '') - : labels: - - source: PlainTextAuthProvider('user', '') - style: primary - start: 65 - end: 98 - - source: from cassandra.auth import PlainTextAuthProvider - style: secondary - start: 0 - end: 48 - - source: | - from cassandra.auth import PlainTextAuthProvider - auth_provider = PlainTextAuthProvider('user', '') - style: secondary - start: 0 - end: 99 - - source: | - from cassandra.auth import PlainTextAuthProvider - auth_provider = PlainTextAuthProvider('user', '') - style: secondary - start: 0 - end: 99 - ? | - from cassandra.auth import PlainTextAuthProvider - auth_provider = PlainTextAuthProvider(username='user', password='') - : labels: - - source: PlainTextAuthProvider(username='user', password='') - style: primary - start: 65 - end: 116 - - source: from cassandra.auth import PlainTextAuthProvider - style: secondary - start: 0 - end: 48 - - source: | - from cassandra.auth import PlainTextAuthProvider - auth_provider = PlainTextAuthProvider(username='user', password='') - style: secondary - start: 0 - end: 117 - - source: | - from cassandra.auth import PlainTextAuthProvider - auth_provider = PlainTextAuthProvider(username='user', password='') - style: secondary - start: 0 - end: 117 
diff --git a/tests/__snapshots__/python-couchbase-empty-password-python-snapshot.yml b/tests/__snapshots__/python-couchbase-empty-password-python-snapshot.yml deleted file mode 100644 index fdd4f71e..00000000 --- a/tests/__snapshots__/python-couchbase-empty-password-python-snapshot.yml +++ /dev/null 
@@ -1,118 +0,0 @@ -id: python-couchbase-empty-password-python -snapshots: - ? | - import os - from couchbase.cluster import Cluster, ClusterOptions - from couchbase_core.cluster import PasswordAuthenticator - PasswordAuthenticator('username', '') - : labels: - - source: PasswordAuthenticator('username', '') - style: primary - start: 121 - end: 158 - - source: PasswordAuthenticator - style: secondary - start: 121 - end: 142 - - source: '''username''' - style: secondary - start: 143 - end: 153 - - source: '''''' - style: secondary - start: 155 - end: 157 - - source: ('username', '') - style: secondary - start: 142 - end: 158 - - source: couchbase_core - style: secondary - start: 69 - end: 83 - - source: cluster - style: secondary - start: 84 - end: 91 - - source: couchbase_core.cluster - style: secondary - start: 69 - end: 91 - - source: PasswordAuthenticator - style: secondary - start: 99 - end: 120 - - source: PasswordAuthenticator - style: secondary - start: 99 - end: 120 - - source: from couchbase_core.cluster import PasswordAuthenticator - style: secondary - start: 64 - end: 120 - - source: | - import os - from couchbase.cluster import Cluster, ClusterOptions - from couchbase_core.cluster import PasswordAuthenticator - PasswordAuthenticator('username', '') - style: secondary - start: 0 - end: 159 - ? 
| - import os - from couchbase.cluster import Cluster, ClusterOptions - from couchbase_core.cluster import PasswordAuthenticator - cluster = Cluster('couchbase://localhost', ClusterOptions(PasswordAuthenticator('username', ''))) - : labels: - - source: PasswordAuthenticator('username', '') - style: primary - start: 179 - end: 216 - - source: PasswordAuthenticator - style: secondary - start: 179 - end: 200 - - source: '''username''' - style: secondary - start: 201 - end: 211 - - source: '''''' - style: secondary - start: 213 - end: 215 - - source: ('username', '') - style: secondary - start: 200 - end: 216 - - source: couchbase_core - style: secondary - start: 69 - end: 83 - - source: cluster - style: secondary - start: 84 - end: 91 - - source: couchbase_core.cluster - style: secondary - start: 69 - end: 91 - - source: PasswordAuthenticator - style: secondary - start: 99 - end: 120 - - source: PasswordAuthenticator - style: secondary - start: 99 - end: 120 - - source: from couchbase_core.cluster import PasswordAuthenticator - style: secondary - start: 64 - end: 120 - - source: | - import os - from couchbase.cluster import Cluster, ClusterOptions - from couchbase_core.cluster import PasswordAuthenticator - cluster = Cluster('couchbase://localhost', ClusterOptions(PasswordAuthenticator('username', ''))) - style: secondary - start: 0 - end: 219 diff --git a/tests/__snapshots__/python-elasticsearch-hardcoded-bearer-auth-python-snapshot.yml b/tests/__snapshots__/python-elasticsearch-hardcoded-bearer-auth-python-snapshot.yml deleted file mode 100644 index 37456744..00000000 --- a/tests/__snapshots__/python-elasticsearch-hardcoded-bearer-auth-python-snapshot.yml +++ /dev/null 
@@ -1,11 +0,0 @@ -id: python-elasticsearch-hardcoded-bearer-auth-python -snapshots: - ? | - es.options(bearer_auth="password").indices. - es = Elasticsearch("https://localhost:9200",bearer_auth=pswd) - es = Elasticsearch("https://localhost:9200",bearer_auth="token-value") - : labels: - - source: es.options(bearer_auth="password").indices - style: primary - start: 0 - end: 42 diff --git a/tests/__snapshots__/python-ldap3-empty-password-python-snapshot.yml b/tests/__snapshots__/python-ldap3-empty-password-python-snapshot.yml deleted file mode 100644 index 6c50984e..00000000 --- a/tests/__snapshots__/python-ldap3-empty-password-python-snapshot.yml +++ /dev/null @@ -1,29 +0,0 @@ -id: python-ldap3-empty-password-python -snapshots: - ? | - ldap3.Connection(password="") - : labels: - - source: ldap3.Connection(password="") - style: primary - start: 0 - end: 29 - - source: ldap3.Connection - style: secondary - start: 0 - end: 16 - - source: password - style: secondary - start: 17 - end: 25 - - source: '""' - style: secondary - start: 26 - end: 28 - - source: password="" - style: secondary - start: 17 - end: 28 - - source: (password="") - style: secondary - start: 16 - end: 29 diff --git a/tests/__snapshots__/rails-skip-forgery-protection-snapshot.yml b/tests/__snapshots__/rails-skip-forgery-protection-snapshot.yml deleted file mode 100644 index 21a15bc8..00000000 --- a/tests/__snapshots__/rails-skip-forgery-protection-snapshot.yml +++ /dev/null @@ -1,11 +0,0 @@ -id: rails-skip-forgery-protection -snapshots: - ? |- - class ApplicationController < ActionController::Base - skip_forgery_protection - end - : labels: - - source: skip_forgery_protection - style: primary - start: 55 - end: 78 diff --git a/tests/__snapshots__/reqwest-accept-invalid-rust-snapshot.yml b/tests/__snapshots__/reqwest-accept-invalid-rust-snapshot.yml deleted file mode 100644 index cb1eeac4..00000000 --- a/tests/__snapshots__/reqwest-accept-invalid-rust-snapshot.yml +++ /dev/null 
@@ -1,30 +0,0 @@ -id: reqwest-accept-invalid-rust -snapshots: - ? | - reqwest::Client::builder().danger_accept_invalid_certs(true) - : labels: - - source: reqwest::Client::builder().danger_accept_invalid_certs(true) - style: primary - start: 0 - end: 60 - ? | - reqwest::Client::builder().danger_accept_invalid_hostnames(true) - : labels: - - source: reqwest::Client::builder().danger_accept_invalid_hostnames(true) - style: primary - start: 0 - end: 64 - ? | - reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_certs(true) - : labels: - - source: reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_certs(true) - style: primary - start: 0 - end: 104 - ? | - reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_hostnames(true) - : labels: - - source: reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_hostnames(true) - style: primary - start: 0 - end: 108 diff --git a/tests/__snapshots__/return-c-str-c-snapshot.yml b/tests/__snapshots__/return-c-str-c-snapshot.yml deleted file mode 100644 index 77f074bf..00000000 --- a/tests/__snapshots__/return-c-str-c-snapshot.yml +++ /dev/null 
@@ -1,76 +0,0 @@ -id: return-c-str-c -snapshots: - ? | - char *f(){ - std::string s; - return s.c_str(); - } - char *f() { - std::string s = std::string("foo"); - return s.c_str(); - } - char *f(std::string s) { - return s.c_str(); - } - class Foo { - char *f() { - std::string s; - return s.c_str(); - } - char *f() { - std::string s = std::string("foo"); - return s.c_str(); - } - : labels: - - source: return s.c_str(); - style: primary - start: 26 - end: 43 - - source: s - style: secondary - start: 33 - end: 34 - - source: c_str - style: secondary - start: 35 - end: 40 - - source: s.c_str - style: secondary - start: 33 - end: 40 - - source: () - style: secondary - start: 40 - end: 42 - - source: s.c_str() - style: secondary - start: 33 - end: 42 - - source: std - style: secondary - start: 11 - end: 14 - - source: string - style: secondary - start: 16 - end: 22 - - source: s - style: secondary - start: 23 - end: 24 - - source: s; - style: secondary - start: 23 - end: 25 - - source: std::string s; - style: secondary - start: 11 - end: 25 - - source: |- - { - std::string s; - return s.c_str(); - } - style: secondary - start: 9 - end: 45 diff --git a/tests/__snapshots__/return-c-str-cpp-snapshot.yml b/tests/__snapshots__/return-c-str-cpp-snapshot.yml deleted file mode 100644 index 063981c6..00000000 --- a/tests/__snapshots__/return-c-str-cpp-snapshot.yml +++ /dev/null 
@@ -1,130 +0,0 @@ -id: return-c-str-cpp -snapshots: - ? | - char *f() { - std::string s = std::string("foo"); - return s.c_str(); - } - : labels: - - source: return s.c_str(); - style: primary - start: 52 - end: 69 - - source: std::string s = std::string("foo"); - style: secondary - start: 14 - end: 49 - ? | - char *f() { - std::string s; - return s.c_str(); - } - : labels: - - source: return s.c_str(); - style: primary - start: 31 - end: 48 - - source: std::string s; - style: secondary - start: 14 - end: 28 - ? | - char *f(std::string s) { - return s.c_str(); - } - : labels: - - source: return s.c_str(); - style: primary - start: 27 - end: 44 - - source: std::string - style: secondary - start: 8 - end: 19 - - source: s - style: secondary - start: 20 - end: 21 - - source: std::string s - style: secondary - start: 8 - end: 21 - - source: (std::string s) - style: secondary - start: 7 - end: 22 - - source: |- - char *f(std::string s) { - return s.c_str(); - } - style: secondary - start: 0 - end: 46 - ? | - char *return_basic_string_directly() { - return std::basic_string("foo").c_str(); - } - : labels: - - source: return std::basic_string("foo").c_str(); - style: primary - start: 41 - end: 87 - ? | - char *return_data_directly() { - return std::string("foo").data(); - } - : labels: - - source: return std::string("foo").data(); - style: primary - start: 33 - end: 66 - ? | - char *return_directly() { - return string("foo").c_str(); - } - : labels: - - source: return string("foo").c_str(); - style: primary - start: 28 - end: 57 - ? | - char *return_namespace_directly() { - return std::string("foo").c_str(); - } - : labels: - - source: return std::string("foo").c_str(); - style: primary - start: 38 - end: 72 - ? 
| - class Foo { - char *f() { - std::string s = std::string("foo"); - return s.c_str(); - } - }; - : labels: - - source: return s.c_str(); - style: primary - start: 70 - end: 87 - - source: std::string s = std::string("foo"); - style: secondary - start: 30 - end: 65 - ? | - class Foo { - char *f() { - std::string s; - return s.c_str(); - } - }; - : labels: - - source: return s.c_str(); - style: primary - start: 49 - end: 66 - - source: std::string s; - style: secondary - start: 30 - end: 44 diff --git a/tests/__snapshots__/rsa-no-padding-java-snapshot.yml b/tests/__snapshots__/rsa-no-padding-java-snapshot.yml deleted file mode 100644 index 80e65e5d..00000000 --- a/tests/__snapshots__/rsa-no-padding-java-snapshot.yml +++ /dev/null @@ -1,18 +0,0 @@ -id: rsa-no-padding-java -snapshots: - ? |- - Cipher.getInstance("RSA/None/NoPadding"); - Cipher.getInstance("RSA/NONE/NoPadding"); - : labels: - - source: Cipher.getInstance("RSA/None/NoPadding") - style: primary - start: 0 - end: 40 - ? | - Cipher.getInstance("RSA/None/NoPadding"); - Cipher.getInstance("RSA/NONE/NoPadding"); - : labels: - - source: Cipher.getInstance("RSA/None/NoPadding") - style: primary - start: 0 - end: 40 diff --git a/tests/__snapshots__/rsa-no-padding-kotlin-snapshot.yml b/tests/__snapshots__/rsa-no-padding-kotlin-snapshot.yml deleted file mode 100644 index 4507882d..00000000 --- a/tests/__snapshots__/rsa-no-padding-kotlin-snapshot.yml +++ /dev/null @@ -1,10 +0,0 @@ -id: rsa-no-padding-kotlin -snapshots: - ? | - Cipher.getInstance("RSA/None/NoPadding"); - Cipher.getInstance("RSA/NONE/NoPadding"); - : labels: - - source: Cipher.getInstance("RSA/None/NoPadding") - style: primary - start: 0 - end: 40 diff --git a/tests/__snapshots__/rsa-padding-set-scala-snapshot.yml b/tests/__snapshots__/rsa-padding-set-scala-snapshot.yml deleted file mode 100644 index 1274abe0..00000000 --- a/tests/__snapshots__/rsa-padding-set-scala-snapshot.yml +++ /dev/null 
@@ -1,15 +0,0 @@ -id: rsa-padding-set-scala -snapshots: - Cipher.getInstance("RSA/ECB/NoPadding"): - labels: - - source: Cipher.getInstance("RSA/ECB/NoPadding") - style: primary - start: 0 - end: 39 - ? | - Cipher.getInstance("RSA/ECB/NoPadding") - : labels: - - source: Cipher.getInstance("RSA/ECB/NoPadding") - style: primary - start: 0 - end: 39 diff --git a/tests/__snapshots__/search-active-debug-php-snapshot.yml b/tests/__snapshots__/search-active-debug-php-snapshot.yml deleted file mode 100644 index abbb3a4c..00000000 --- a/tests/__snapshots__/search-active-debug-php-snapshot.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -id: search-active-debug-php -snapshots: - ? | - Result<(), reqwest::Error> { - let client = reqwest::Client::new(); - let resp = client.delete("http://httpbin.org/delete") - .basic_auth("admin", Some("hardcoded-password")) - .send() - .await?; - println!("body = {:?}", resp); - Ok(()) - } - async fn test2() -> Result<(), reqwest::Error> { - let client = reqwest::Client::new(); - let resp = client.put("http://httpbin.org/delete") - .bearer_auth("hardcoded-token") - .send() - .await?; - println!("body = {:?}", resp); - Ok(()) - } - : labels: - - source: |- - client.delete("http://httpbin.org/delete") - .basic_auth("admin", Some("hardcoded-password")) - style: primary - start: 97 - end: 188 - - source: client - style: secondary - start: 97 - end: 103 - - source: client.delete - style: secondary - start: 97 - end: 110 - - source: client.delete("http://httpbin.org/delete") - style: secondary - start: 97 - end: 139 - - source: basic_auth - style: secondary - start: 141 - end: 151 - - source: |- - client.delete("http://httpbin.org/delete") - .basic_auth - style: secondary - start: 97 - end: 151 - - source: admin - style: secondary - start: 153 - end: 158 - - source: '"admin"' - style: secondary - start: 152 - end: 159 - - source: Some - style: secondary - start: 161 - end: 165 - - source: hardcoded-password - style: secondary - start: 167 - end: 185 - - source: '"hardcoded-password"' - style: secondary - start: 166 - end: 186 - - source: ("hardcoded-password") - style: secondary - start: 165 - end: 187 - - source: Some("hardcoded-password") - style: secondary - start: 161 - end: 187 - - source: ("admin", Some("hardcoded-password")) - style: secondary - start: 151 - end: 188 - - source: client - style: secondary - start: 53 - end: 59 - - source: reqwest::Client::new() - style: secondary - start: 62 - end: 84 - - source: let client = reqwest::Client::new(); - style: secondary - start: 49 - end: 85 - - source: |- - let resp = 
client.delete("http://httpbin.org/delete") - .basic_auth("admin", Some("hardcoded-password")) - .send() - .await?; - style: secondary - start: 86 - end: 205 diff --git a/tests/__snapshots__/session-cookie-missing-httponly-snapshot.yml b/tests/__snapshots__/session-cookie-missing-httponly-snapshot.yml deleted file mode 100644 index 7e19a01d..00000000 --- a/tests/__snapshots__/session-cookie-missing-httponly-snapshot.yml +++ /dev/null @@ -1,15 +0,0 @@ -id: session-cookie-missing-httponly -snapshots: - ? | - &sessions.Options{ HttpOnly: false } - : labels: - - source: '&sessions.Options{ HttpOnly: false }' - style: primary - start: 0 - end: 36 - '&sessions.Options{ HttpOnly: false, Path: "/"}': - labels: - - source: '&sessions.Options{ HttpOnly: false, Path: "/"}' - style: primary - start: 0 - end: 46 diff --git a/tests/__snapshots__/session-cookie-missing-secure-snapshot.yml b/tests/__snapshots__/session-cookie-missing-secure-snapshot.yml deleted file mode 100644 index 5e8d4a16..00000000 --- a/tests/__snapshots__/session-cookie-missing-secure-snapshot.yml +++ /dev/null @@ -1,15 +0,0 @@ -id: session-cookie-missing-secure -snapshots: - ? | - &sessions.Options{ Secure: false } - : labels: - - source: '&sessions.Options{ Secure: false }' - style: primary - start: 0 - end: 34 - '&sessions.Options{ Secure: false, Path: "/"}': - labels: - - source: '&sessions.Options{ Secure: false, Path: "/"}' - style: primary - start: 0 - end: 44 diff --git a/tests/__snapshots__/simple-command-injection-direct-input-java-snapshot.yml b/tests/__snapshots__/simple-command-injection-direct-input-java-snapshot.yml deleted file mode 100644 index 22d0b82e..00000000 --- a/tests/__snapshots__/simple-command-injection-direct-input-java-snapshot.yml +++ /dev/null 
@@ -1,126 +0,0 @@ -id: simple-command-injection-direct-input-java -snapshots: - ? | - @GetMapping("/run/{command}") - public ResponseEntity run_direct_from_jumbo( - @PathVariable final String command - ) { - ResponseEntity response = ResponseEntity.noContent().build(); - try { - Runtime.getRuntime().exec(command); - } catch (IOException e) { - response = ResponseEntity.badRequest().build(); - } - - return response; - } - : labels: - - source: Runtime.getRuntime().exec(command) - style: primary - start: 208 - end: 242 - - source: PathVariable - style: secondary - start: 83 - end: 95 - - source: '@PathVariable' - style: secondary - start: 82 - end: 95 - - source: command - style: secondary - start: 109 - end: 116 - - source: String - style: secondary - start: 102 - end: 108 - - source: '@PathVariable final' - style: secondary - start: 82 - end: 101 - - source: '@PathVariable final String command' - style: secondary - start: 82 - end: 116 - - source: |- - @GetMapping("/run/{command}") - public ResponseEntity run_direct_from_jumbo( - @PathVariable final String command - ) { - ResponseEntity response = ResponseEntity.noContent().build(); - try { - Runtime.getRuntime().exec(command); - } catch (IOException e) { - response = ResponseEntity.badRequest().build(); - } - - return response; - } - style: secondary - start: 0 - end: 358 - ? 
| - @GetMapping("/run/{command}") - public ResponseEntity run_direct_from_jumbo( - @PathVariable() final String command - ) { - ResponseEntity response = ResponseEntity.noContent().build(); - try { - Runtime.getRuntime().exec(command); - } catch (IOException e) { - response = ResponseEntity.badRequest().build(); - } - - return response; - } - : labels: - - source: Runtime.getRuntime().exec(command) - style: primary - start: 210 - end: 244 - - source: PathVariable - style: secondary - start: 83 - end: 95 - - source: () - style: secondary - start: 95 - end: 97 - - source: '@PathVariable()' - style: secondary - start: 82 - end: 97 - - source: command - style: secondary - start: 111 - end: 118 - - source: String - style: secondary - start: 104 - end: 110 - - source: '@PathVariable() final' - style: secondary - start: 82 - end: 103 - - source: '@PathVariable() final String command' - style: secondary - start: 82 - end: 118 - - source: |- - @GetMapping("/run/{command}") - public ResponseEntity run_direct_from_jumbo( - @PathVariable() final String command - ) { - ResponseEntity response = ResponseEntity.noContent().build(); - try { - Runtime.getRuntime().exec(command); - } catch (IOException e) { - response = ResponseEntity.badRequest().build(); - } - - return response; - } - style: secondary - start: 0 - end: 360 diff --git a/tests/__snapshots__/sizeof-this-c-snapshot.yml b/tests/__snapshots__/sizeof-this-c-snapshot.yml deleted file mode 100644 index e8db9995..00000000 --- a/tests/__snapshots__/sizeof-this-c-snapshot.yml +++ /dev/null @@ -1,9 +0,0 @@ -id: sizeof-this-c -snapshots: - ? | - return sizeof(this); - : labels: - - source: sizeof(this) - style: primary - start: 7 - end: 19 diff --git a/tests/__snapshots__/sizeof-this-cpp-snapshot.yml b/tests/__snapshots__/sizeof-this-cpp-snapshot.yml deleted file mode 100644 index 4d874f00..00000000 --- a/tests/__snapshots__/sizeof-this-cpp-snapshot.yml +++ /dev/null 
@@ -1,9 +0,0 @@ -id: sizeof-this-cpp -snapshots: - ? | - return sizeof(this); - : labels: - - source: sizeof(this) - style: primary - start: 7 - end: 19 diff --git a/tests/__snapshots__/small-key-size-c-snapshot.yml b/tests/__snapshots__/small-key-size-c-snapshot.yml deleted file mode 100644 index bdfd49e0..00000000 --- a/tests/__snapshots__/small-key-size-c-snapshot.yml +++ /dev/null @@ -1,50 +0,0 @@ -id: small-key-size-c -snapshots: - ? | - void foo() { - size_t bad_size = 1024; - size_t good_size = 2048; - DH_generate_parameters_ex(NULL, bad_size); - DSA_generate_parameters_ex(NULL, bad_size); - EVP_PKEY_CTX_set_dh_paramgen_prime_len(NULL, bad_size); - EVP_PKEY_CTX_set_dsa_paramgen_bits(NULL, bad_size); - EVP_PKEY_CTX_set_rsa_keygen_bits(NULL, bad_size); - RSA_generate_key_ex(NULL, bad_size); - RSA_generate_key_fips(NULL, bad_size);} - : labels: - - source: DH_generate_parameters_ex(NULL, bad_size); - style: primary - start: 62 - end: 104 - - source: DH_generate_parameters_ex - style: secondary - start: 62 - end: 87 - - source: bad_size - style: secondary - start: 94 - end: 102 - - source: (NULL, bad_size) - style: secondary - start: 87 - end: 103 - - source: DH_generate_parameters_ex(NULL, bad_size) - style: secondary - start: 62 - end: 103 - - source: bad_size - style: secondary - start: 20 - end: 28 - - source: '1024' - style: secondary - start: 31 - end: 35 - - source: bad_size = 1024 - style: secondary - start: 20 - end: 35 - - source: size_t bad_size = 1024; - style: secondary - start: 13 - end: 36 diff --git a/tests/__snapshots__/small-key-size-cpp-snapshot.yml b/tests/__snapshots__/small-key-size-cpp-snapshot.yml deleted file mode 100644 index caee978d..00000000 --- a/tests/__snapshots__/small-key-size-cpp-snapshot.yml +++ /dev/null 
@@ -1,50 +0,0 @@ -id: small-key-size-cpp -snapshots: - ? | - void foo() { - size_t bad_size = 1024; - size_t good_size = 2048; - DH_generate_parameters_ex(NULL, bad_size); - DSA_generate_parameters_ex(NULL, bad_size); - EVP_PKEY_CTX_set_dh_paramgen_prime_len(NULL, bad_size); - EVP_PKEY_CTX_set_dsa_paramgen_bits(NULL, bad_size); - EVP_PKEY_CTX_set_rsa_keygen_bits(NULL, bad_size); - RSA_generate_key_ex(NULL, bad_size); - RSA_generate_key_fips(NULL, bad_size);} - : labels: - - source: DH_generate_parameters_ex(NULL, bad_size); - style: primary - start: 62 - end: 104 - - source: DH_generate_parameters_ex - style: secondary - start: 62 - end: 87 - - source: bad_size - style: secondary - start: 94 - end: 102 - - source: (NULL, bad_size) - style: secondary - start: 87 - end: 103 - - source: DH_generate_parameters_ex(NULL, bad_size) - style: secondary - start: 62 - end: 103 - - source: bad_size - style: secondary - start: 20 - end: 28 - - source: '1024' - style: secondary - start: 31 - end: 35 - - source: bad_size = 1024 - style: secondary - start: 20 - end: 35 - - source: size_t bad_size = 1024; - style: secondary - start: 13 - end: 36 diff --git a/tests/__snapshots__/ssl-mode-no-verify-snapshot.yml b/tests/__snapshots__/ssl-mode-no-verify-snapshot.yml deleted file mode 100644 index dd33fd25..00000000 --- a/tests/__snapshots__/ssl-mode-no-verify-snapshot.yml +++ /dev/null @@ -1,8 +0,0 @@ -id: ssl-mode-no-verify -snapshots: - OpenSSL::SSL::VERIFY_NONE: - labels: - - source: OpenSSL::SSL::VERIFY_NONE - style: primary - start: 0 - end: 25 diff --git a/tests/__snapshots__/ssl-v3-is-insecure-go-snapshot.yml b/tests/__snapshots__/ssl-v3-is-insecure-go-snapshot.yml deleted file mode 100644 index fe66016e..00000000 --- a/tests/__snapshots__/ssl-v3-is-insecure-go-snapshot.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -id: ssl-v3-is-insecure-go -snapshots: - ? | - client := &http.Client{ - Transport: &http.Transport{ - // ruleid: ssl-v3-is-insecure - TLSClientConfig: &tls.Config{ - KeyLogWriter: w, - MinVersion: tls.VersionSSL30, - Rand: zeroSource{}, // for reproducible output; don't do this. - InsecureSkipVerify: true, // test server certificate is not trusted. - }, - }, - } - : labels: - - source: |- - tls.Config{ - KeyLogWriter: w, - MinVersion: tls.VersionSSL30, - Rand: zeroSource{}, // for reproducible output; don't do this. - InsecureSkipVerify: true, // test server certificate is not trusted. - } - style: primary - start: 107 - end: 358 diff --git a/tests/__snapshots__/ssl-verify-none-rust-snapshot.yml b/tests/__snapshots__/ssl-verify-none-rust-snapshot.yml deleted file mode 100644 index e9d03ad6..00000000 --- a/tests/__snapshots__/ssl-verify-none-rust-snapshot.yml +++ /dev/null 
@@ -1,94 +0,0 @@ -id: ssl-verify-none-rust -snapshots: - ? "use openssl::ssl::{\n SslMethod, \n SslConnectorBuilder,\n SSL_VERIFY_NONE as NoVerify\n};\nconnector.builder_mut().set_verify(NoVerify);\n" - : labels: - - source: connector.builder_mut().set_verify(NoVerify) - style: primary - start: 91 - end: 135 - - source: SSL_VERIFY_NONE - style: secondary - start: 60 - end: 75 - - source: NoVerify - style: secondary - start: 79 - end: 87 - - source: SSL_VERIFY_NONE as NoVerify - style: secondary - start: 60 - end: 87 - - source: "{\n SslMethod, \n SslConnectorBuilder,\n SSL_VERIFY_NONE as NoVerify\n}" - style: secondary - start: 18 - end: 89 - - source: "use openssl::ssl::{\n SslMethod, \n SslConnectorBuilder,\n SSL_VERIFY_NONE as NoVerify\n};" - style: secondary - start: 0 - end: 90 - - source: "use openssl::ssl::{\n SslMethod, \n SslConnectorBuilder,\n SSL_VERIFY_NONE as NoVerify\n};\nconnector.builder_mut().set_verify(NoVerify);\n" - style: secondary - start: 0 - end: 137 - ? | - use openssl::ssl::{SslMethod, SslConnectorBuilder, SSL_VERIFY_NONE}; - connector.builder_mut().set_verify(SSL_VERIFY_NONE); - : labels: - - source: connector.builder_mut().set_verify(SSL_VERIFY_NONE) - style: primary - start: 69 - end: 120 - - source: SSL_VERIFY_NONE - style: secondary - start: 51 - end: 66 - - source: '{SslMethod, SslConnectorBuilder, SSL_VERIFY_NONE}' - style: secondary - start: 18 - end: 67 - - source: use openssl::ssl::{SslMethod, SslConnectorBuilder, SSL_VERIFY_NONE}; - style: secondary - start: 0 - end: 68 - - source: | - use openssl::ssl::{SslMethod, SslConnectorBuilder, SSL_VERIFY_NONE}; - connector.builder_mut().set_verify(SSL_VERIFY_NONE); - style: secondary - start: 0 - end: 122 - ? 
| - use openssl::ssl; - connector.builder_mut().set_verify(ssl::SSL_VERIFY_NONE); - : labels: - - source: connector.builder_mut().set_verify(ssl::SSL_VERIFY_NONE) - style: primary - start: 18 - end: 74 - - source: use openssl::ssl; - style: secondary - start: 0 - end: 17 - - source: | - use openssl::ssl; - connector.builder_mut().set_verify(ssl::SSL_VERIFY_NONE); - style: secondary - start: 0 - end: 76 - ? | - use openssl; - connector.builder_mut().set_verify(open::ssl::SSL_VERIFY_NONE); - : labels: - - source: connector.builder_mut().set_verify(open::ssl::SSL_VERIFY_NONE) - style: primary - start: 13 - end: 75 - - source: use openssl; - style: secondary - start: 0 - end: 12 - - source: | - use openssl; - connector.builder_mut().set_verify(open::ssl::SSL_VERIFY_NONE); - style: secondary - start: 0 - end: 77 diff --git a/tests/__snapshots__/std-return-data-c-snapshot.yml b/tests/__snapshots__/std-return-data-c-snapshot.yml deleted file mode 100644 index 8c6c6885..00000000 --- a/tests/__snapshots__/std-return-data-c-snapshot.yml +++ /dev/null @@ -1,68 +0,0 @@ -id: std-return-data-c -snapshots: - ? | - int *return_vector_data() { - std::vector v; - return v.data(); - } - : labels: - - source: return v.data(); - style: primary - start: 48 - end: 64 - - source: v - style: secondary - start: 55 - end: 56 - - source: v.data - style: secondary - start: 55 - end: 61 - - source: v.data() - style: secondary - start: 55 - end: 63 - - source: std - style: secondary - start: 28 - end: 31 - - source: vector - style: secondary - start: 33 - end: 39 - - source: vector - style: secondary - start: 33 - end: 39 - - source: vector v; - return v.data(); - } - style: secondary - start: 0 - end: 66 - - source: v - style: secondary - start: 45 - end: 46 - - source: vector v - style: secondary - start: 33 - end: 46 - - source: vector v; - style: secondary - start: 33 - end: 47 - - source: std::vector v; - style: secondary - start: 28 - end: 47 
diff --git a/tests/__snapshots__/std-return-data-cpp-snapshot.yml b/tests/__snapshots__/std-return-data-cpp-snapshot.yml deleted file mode 100644 index ad3d8145..00000000 --- a/tests/__snapshots__/std-return-data-cpp-snapshot.yml +++ /dev/null @@ -1,76 +0,0 @@ -id: std-return-data-cpp -snapshots: - ? | - int *return_vector_data() { - std::vector v; - return v.data(); - } - : labels: - - source: return v.data(); - style: primary - start: 48 - end: 64 - - source: v - style: secondary - start: 45 - end: 46 - - source: vector - style: secondary - start: 33 - end: 39 - - source: vector - style: secondary - start: 33 - end: 44 - - source: return_vector_data - style: secondary - start: 5 - end: 23 - - source: return_vector_data() - style: secondary - start: 5 - end: 25 - - source: '*return_vector_data()' - style: secondary - start: 4 - end: 25 - - source: int - style: secondary - start: 0 - end: 3 - - source: |- - { - std::vector v; - return v.data(); - } - style: secondary - start: 26 - end: 66 - - source: std - style: secondary - start: 28 - end: 31 - - source: std::vector - style: secondary - start: 28 - end: 44 - - source: std::vector v; - style: secondary - start: 28 - end: 47 - - source: return v.data(); - style: secondary - start: 48 - end: 64 - - source: v - style: secondary - start: 55 - end: 56 - - source: v.data - style: secondary - start: 55 - end: 61 - - source: v.data() - style: secondary - start: 55 - end: 63 diff --git a/tests/__snapshots__/std-vector-invalidation-c-snapshot.yml b/tests/__snapshots__/std-vector-invalidation-c-snapshot.yml deleted file mode 100644 index eb2f2ce8..00000000 --- a/tests/__snapshots__/std-vector-invalidation-c-snapshot.yml +++ /dev/null 
@@ -1,22 +0,0 @@ -id: std-vector-invalidation-c -snapshots: - ? "void loop_variant_5(std::vector &vec) {\nfor(std::vector::iterator it = vec.begin(); it != vec.end(); ++it) {\nif (should_erase(*it)) {\n // ruleid: std-vector-invalidation\n vec.erase(it);\n}\n}\n}\nvoid loop_variant_6(std::vector &vec) {\nfor(std::vector::iterator it = vec.begin(); it != vec.end(); it++) {\nif (should_erase(*it)) {\n // ruleid: std-vector-invalidation\n vec.erase(it);\n}\n}\n}\nvoid loop_variant_7(std::vector &vec) {\nfor(std::vector::iterator it = vec.rbegin(); it != vec.rend(); ++it) {\nif (should_erase(*it)) {\n // ruleid: std-vector-invalidation\n vec.erase(it);\n}\n}\n}\nvoid loop_variant_8(std::vector &vec) {\nfor(std::vector::iterator it = vec.rbegin(); it != vec.rend(); it++) {\nif (should_erase(*it)) {\n // ruleid: std-vector-invalidation\n vec.erase(it);\n}\n}\n}\nvoid loop_variant_9(std::vector &vec) {\nfor(std::vector::iterator it = vec.begin(), end = vec.end(); it != end; ++it) {\nif (should_erase(*it)) {\n // ruleid: std-vector-invalidation\n vec.erase(it);\n}\n}\n}\nvoid loop_variant_10(std::vector &vec) {\nfor(std::vector::iterator it = vec.begin(), end = vec.end(); it != end; it++) {\nif (should_erase(*it)) {\n // ruleid: std-vector-invalidation\n vec.erase(it);\n}\n}\n}\nvoid loop_variant_11(std::vector &vec) {\nfor(std::vector::iterator it = vec.rbegin(), end = vec.rend(); it != end; ++it) {\nif (should_erase(*it)) {\n // ruleid: std-vector-invalidation\n vec.erase(it);\n}\n}\n}\nvoid loop_variant_12(std::vector &vec) {\nfor(std::vector::iterator it = vec.rbegin(), end = vec.rend(); it != end; it++) {\nif (should_erase(*it)) {\n // ruleid: std-vector-invalidation\n vec.erase(it);\n}\n}\n} \nvoid f(std::vector &vec, std::vector &other_vec) {\nfor(std::vector::iterator it = vec.begin(); it != vec.end(); it++) {\nif (foo()) {\n // ruleid: std-vector-invalidation\n vec.push_back(0);\n\n // Modifying a different container is OK\n // ok: std-vector-invalidation\n 
other_vec.push_back(0);\n}\n}\n}\n" - : labels: - - source: vec.erase(it) - style: primary - start: 183 - end: 196 - - source: |- - for(std::vector::iterator it = vec.begin(); it != vec.end(); ++it) { - if (should_erase(*it)) { - // ruleid: std-vector-invalidation - vec.erase(it); - } - } - style: secondary - start: 45 - end: 201 - - source: vec.erase(it); - style: secondary - start: 183 - end: 197 diff --git a/tests/__snapshots__/std-vector-invalidation-cpp-snapshot.yml b/tests/__snapshots__/std-vector-invalidation-cpp-snapshot.yml deleted file mode 100644 index 49c43df6..00000000 --- a/tests/__snapshots__/std-vector-invalidation-cpp-snapshot.yml +++ /dev/null 
@@ -1,22 +0,0 @@ -id: std-vector-invalidation-cpp -snapshots: - ? "void loop_variant_5(std::vector &vec) {\nfor(std::vector::iterator it = vec.begin(); it != vec.end(); ++it) {\nif (should_erase(*it)) {\n // ruleid: std-vector-invalidation\n vec.erase(it);\n}\n}\n}\nvoid loop_variant_6(std::vector &vec) {\nfor(std::vector::iterator it = vec.begin(); it != vec.end(); it++) {\nif (should_erase(*it)) {\n // ruleid: std-vector-invalidation\n vec.erase(it);\n}\n}\n}\nvoid loop_variant_7(std::vector &vec) {\nfor(std::vector::iterator it = vec.rbegin(); it != vec.rend(); ++it) {\nif (should_erase(*it)) {\n // ruleid: std-vector-invalidation\n vec.erase(it);\n}\n}\n}\nvoid loop_variant_8(std::vector &vec) {\nfor(std::vector::iterator it = vec.rbegin(); it != vec.rend(); it++) {\nif (should_erase(*it)) {\n // ruleid: std-vector-invalidation\n vec.erase(it);\n}\n}\n}\nvoid loop_variant_9(std::vector &vec) {\nfor(std::vector::iterator it = vec.begin(), end = vec.end(); it != end; ++it) {\nif (should_erase(*it)) {\n // ruleid: std-vector-invalidation\n vec.erase(it);\n}\n}\n}\nvoid loop_variant_10(std::vector &vec) {\nfor(std::vector::iterator it = vec.begin(), end = vec.end(); it != end; it++) {\nif (should_erase(*it)) {\n // ruleid: std-vector-invalidation\n vec.erase(it);\n}\n}\n}\nvoid loop_variant_11(std::vector &vec) {\nfor(std::vector::iterator it = vec.rbegin(), end = vec.rend(); it != end; ++it) {\nif (should_erase(*it)) {\n // ruleid: std-vector-invalidation\n vec.erase(it);\n}\n}\n}\nvoid loop_variant_12(std::vector &vec) {\nfor(std::vector::iterator it = vec.rbegin(), end = vec.rend(); it != end; it++) {\nif (should_erase(*it)) {\n // ruleid: std-vector-invalidation\n vec.erase(it);\n}\n}\n} \nvoid f(std::vector &vec, std::vector &other_vec) {\nfor(std::vector::iterator it = vec.begin(); it != vec.end(); it++) {\nif (foo()) {\n // ruleid: std-vector-invalidation\n vec.push_back(0);\n\n // Modifying a different container is OK\n // ok: std-vector-invalidation\n 
other_vec.push_back(0);\n}\n}\n}\n" - : labels: - - source: vec.erase(it) - style: primary - start: 183 - end: 196 - - source: |- - for(std::vector::iterator it = vec.begin(); it != vec.end(); ++it) { - if (should_erase(*it)) { - // ruleid: std-vector-invalidation - vec.erase(it); - } - } - style: secondary - start: 45 - end: 201 - - source: vec.erase(it); - style: secondary - start: 183 - end: 197 diff --git a/tests/__snapshots__/swift-webview-config-allows-js-open-windows-swift-snapshot.yml b/tests/__snapshots__/swift-webview-config-allows-js-open-windows-swift-snapshot.yml deleted file mode 100644 index 156978e1..00000000 --- a/tests/__snapshots__/swift-webview-config-allows-js-open-windows-swift-snapshot.yml +++ /dev/null @@ -1,42 +0,0 @@ -id: swift-webview-config-allows-js-open-windows-swift -snapshots: - ? | - let prefs = WKPreferences() - prefs.JavaScriptCanOpenWindowsAutomatically = true - : labels: - - source: prefs.JavaScriptCanOpenWindowsAutomatically = true - style: primary - start: 28 - end: 79 - - source: prefs - style: secondary - start: 28 - end: 33 - - source: prefs.JavaScriptCanOpenWindowsAutomatically - style: secondary - start: 28 - end: 71 - - source: JavaScriptCanOpenWindowsAutomatically - style: secondary - start: 34 - end: 71 - - source: .JavaScriptCanOpenWindowsAutomatically - style: secondary - start: 33 - end: 71 - - source: 'true' - style: secondary - start: 75 - end: 79 - - source: prefs - style: secondary - start: 4 - end: 9 - - source: prefs - style: secondary - start: 4 - end: 9 - - source: let prefs = WKPreferences() - style: secondary - start: 0 - end: 27 diff --git a/tests/__snapshots__/swift-webview-config-allows-universal-file-access-swift-snapshot.yml b/tests/__snapshots__/swift-webview-config-allows-universal-file-access-swift-snapshot.yml deleted file mode 100644 index d9b88f84..00000000 --- a/tests/__snapshots__/swift-webview-config-allows-universal-file-access-swift-snapshot.yml +++ /dev/null 
@@ -1,72 +0,0 @@ -id: swift-webview-config-allows-universal-file-access-swift -snapshots: - ? | - let w = WKWebView(frame: .zero, configuration: config) - w.setValue(true, forKey: "allowUniversalAccessFromFileURLs") - let config = w.configuration - config.setValue(true, forKey: "allowUniversalAccessFromFileURLs") - : labels: - - source: 'w.setValue(true, forKey: "allowUniversalAccessFromFileURLs")' - style: primary - start: 55 - end: 115 - - source: w - style: secondary - start: 55 - end: 56 - - source: setValue - style: secondary - start: 57 - end: 65 - - source: .setValue - style: secondary - start: 56 - end: 65 - - source: w.setValue - style: secondary - start: 55 - end: 65 - - source: 'true' - style: secondary - start: 66 - end: 70 - - source: 'true' - style: secondary - start: 66 - end: 70 - - source: forKey - style: secondary - start: 72 - end: 78 - - source: allowUniversalAccessFromFileURLs - style: secondary - start: 81 - end: 113 - - source: '"allowUniversalAccessFromFileURLs"' - style: secondary - start: 80 - end: 114 - - source: 'forKey: "allowUniversalAccessFromFileURLs"' - style: secondary - start: 72 - end: 114 - - source: '(true, forKey: "allowUniversalAccessFromFileURLs")' - style: secondary - start: 65 - end: 115 - - source: w - style: secondary - start: 4 - end: 5 - - source: w - style: secondary - start: 4 - end: 5 - - source: 'WKWebView(frame: .zero, configuration: config)' - style: secondary - start: 8 - end: 54 - - source: 'let w = WKWebView(frame: .zero, configuration: config)' - style: secondary - start: 0 - end: 54 diff --git a/tests/__snapshots__/swift-webview-config-fraudulent-site-warning-swift-snapshot.yml b/tests/__snapshots__/swift-webview-config-fraudulent-site-warning-swift-snapshot.yml deleted file mode 100644 index e0ebe7e8..00000000 --- a/tests/__snapshots__/swift-webview-config-fraudulent-site-warning-swift-snapshot.yml +++ /dev/null 
@@ -1,83 +0,0 @@ -id: swift-webview-config-fraudulent-site-warning-swift -snapshots: - ? | - let prefs2 = WKPreferences() - prefs2.isFraudulentWebsiteWarningEnabled = false - : labels: - - source: prefs2.isFraudulentWebsiteWarningEnabled = false - style: primary - start: 29 - end: 78 - - source: prefs2 - style: secondary - start: 29 - end: 35 - - source: prefs2.isFraudulentWebsiteWarningEnabled - style: secondary - start: 29 - end: 69 - - source: isFraudulentWebsiteWarningEnabled - style: secondary - start: 36 - end: 69 - - source: .isFraudulentWebsiteWarningEnabled - style: secondary - start: 35 - end: 69 - - source: 'false' - style: secondary - start: 73 - end: 78 - - source: prefs2 - style: secondary - start: 4 - end: 10 - - source: prefs2 - style: secondary - start: 4 - end: 10 - - source: let prefs2 = WKPreferences() - style: secondary - start: 0 - end: 28 - ? | - let prefs2 = WKPreferences() - prefs2.isFraudulentWebsiteWarningEnabled = true - prefs2.isFraudulentWebsiteWarningEnabled = false - : labels: - - source: prefs2.isFraudulentWebsiteWarningEnabled = false - style: primary - start: 78 - end: 127 - - source: prefs2 - style: secondary - start: 78 - end: 84 - - source: prefs2.isFraudulentWebsiteWarningEnabled - style: secondary - start: 78 - end: 118 - - source: isFraudulentWebsiteWarningEnabled - style: secondary - start: 85 - end: 118 - - source: .isFraudulentWebsiteWarningEnabled - style: secondary - start: 84 - end: 118 - - source: 'false' - style: secondary - start: 122 - end: 127 - - source: prefs2 - style: secondary - start: 4 - end: 10 - - source: prefs2 - style: secondary - start: 4 - end: 10 - - source: let prefs2 = WKPreferences() - style: secondary - start: 0 - end: 28 diff --git a/tests/__snapshots__/swift-webview-config-https-upgrade-swift-snapshot.yml b/tests/__snapshots__/swift-webview-config-https-upgrade-swift-snapshot.yml deleted file mode 100644 index e7cd7081..00000000 
--- a/tests/__snapshots__/swift-webview-config-https-upgrade-swift-snapshot.yml +++ /dev/null @@ -1,48 +0,0 @@ -id: swift-webview-config-https-upgrade-swift -snapshots: - ? "let prefs2 = WKPreferences()\nlet config2 = WKWebViewConfiguration()\nconfig2.upgradeKnownHostsToHTTPS = true\nconfig2.upgradeKnownHostsToHTTPS = false\nconfig.defaultWebpagePreferences = prefs2 \nWKWebView(frame: .zero, configuration: config)\n" - : labels: - - source: config2.upgradeKnownHostsToHTTPS = false - style: primary - start: 109 - end: 150 - - source: config2 - style: secondary - start: 109 - end: 116 - - source: upgradeKnownHostsToHTTPS - style: secondary - start: 117 - end: 141 - - source: .upgradeKnownHostsToHTTPS - style: secondary - start: 116 - end: 141 - - source: config2.upgradeKnownHostsToHTTPS - style: secondary - start: 109 - end: 141 - - source: = - style: secondary - start: 143 - end: 144 - - source: 'false' - style: secondary - start: 145 - end: 150 - - source: config2 - style: secondary - start: 33 - end: 40 - - source: config2 - style: secondary - start: 33 - end: 40 - - source: WKWebViewConfiguration() - style: secondary - start: 43 - end: 67 - - source: let config2 = WKWebViewConfiguration() - style: secondary - start: 29 - end: 67 diff --git a/tests/__snapshots__/system-setproperty-hardcoded-secret-java-snapshot.yml b/tests/__snapshots__/system-setproperty-hardcoded-secret-java-snapshot.yml deleted file mode 100644 index 9130101a..00000000 --- a/tests/__snapshots__/system-setproperty-hardcoded-secret-java-snapshot.yml +++ /dev/null @@ -1,10 +0,0 @@ -id: system-setproperty-hardcoded-secret-java -snapshots: - ? | - System.setProperty("javax.net.ssl.keyStorePassword", "password"); - System.setProperty("javax.net.ssl.trustStorePassword", "password"); - : labels: - - source: System.setProperty("javax.net.ssl.keyStorePassword", "password"); - style: primary - start: 0 - end: 65 
diff --git a/tests/__snapshots__/system-setproperty-hardcoded-secret-kotlin-snapshot.yml b/tests/__snapshots__/system-setproperty-hardcoded-secret-kotlin-snapshot.yml deleted file mode 100644 index 0d421bce..00000000 --- a/tests/__snapshots__/system-setproperty-hardcoded-secret-kotlin-snapshot.yml +++ /dev/null @@ -1,10 +0,0 @@ -id: system-setproperty-hardcoded-secret-kotlin -snapshots: - ? | - System.setProperty("javax.net.ssl.keyStorePassword", "password"); - System.setProperty("javax.net.ssl.trustStorePassword", "password"); - : labels: - - source: System.setProperty("javax.net.ssl.keyStorePassword", "password") - style: primary - start: 0 - end: 64 diff --git a/tests/__snapshots__/tls-with-insecure-cipher-go-snapshot.yml b/tests/__snapshots__/tls-with-insecure-cipher-go-snapshot.yml deleted file mode 100644 index 25d4614d..00000000 --- a/tests/__snapshots__/tls-with-insecure-cipher-go-snapshot.yml +++ /dev/null @@ -1,38 +0,0 @@ -id: tls-with-insecure-cipher-go -snapshots: - ? | - tr := &http.Transport{ - TLSClientConfig: &tls.Config{CipherSuites: []uint16{ - tls.TLS_RSA_WITH_RC4_128_SHA, - tls.TLS_RSA_WITH_AES_128_CBC_SHA256, - }}, - } - : labels: - - source: |- - tls.Config{CipherSuites: []uint16{ - tls.TLS_RSA_WITH_RC4_128_SHA, - tls.TLS_RSA_WITH_AES_128_CBC_SHA256, - }} - style: primary - start: 41 - end: 151 - - source: tls.Config - style: secondary - start: 41 - end: 51 - - source: |- - []uint16{ - tls.TLS_RSA_WITH_RC4_128_SHA, - tls.TLS_RSA_WITH_AES_128_CBC_SHA256, - } - style: secondary - start: 66 - end: 150 - - source: |- - {CipherSuites: []uint16{ - tls.TLS_RSA_WITH_RC4_128_SHA, - tls.TLS_RSA_WITH_AES_128_CBC_SHA256, - }} - style: secondary - start: 51 - end: 151 diff --git a/tests/__snapshots__/tokio-postgres-empty-password-rust-snapshot.yml b/tests/__snapshots__/tokio-postgres-empty-password-rust-snapshot.yml deleted file mode 100644 index 9a478d93..00000000 --- a/tests/__snapshots__/tokio-postgres-empty-password-rust-snapshot.yml +++ /dev/null 
@@ -1,100 +0,0 @@ -id: tokio-postgres-empty-password-rust -snapshots: - ? | - async fn test1() -> Result<(), anyhow::Error> { - let mut config = tokio_postgres::Config::new(); - config - .host(std::env::var("HOST").expect("set HOST")) - .user(std::env::var("USER").expect("set USER")) - .password("") - .port(std::env::var("PORT").expect("set PORT")); - Ok(()) - } - : labels: - - source: |- - config - .host(std::env::var("HOST").expect("set HOST")) - .user(std::env::var("USER").expect("set USER")) - .password("") - style: primary - start: 96 - end: 212 - - source: config - style: secondary - start: 96 - end: 102 - - source: |- - config - .host - style: secondary - start: 96 - end: 108 - - source: (std::env::var("HOST").expect("set HOST")) - style: secondary - start: 108 - end: 150 - - source: |- - config - .host(std::env::var("HOST").expect("set HOST")) - style: secondary - start: 96 - end: 150 - - source: user - style: secondary - start: 152 - end: 156 - - source: |- - config - .host(std::env::var("HOST").expect("set HOST")) - .user - style: secondary - start: 96 - end: 156 - - source: (std::env::var("USER").expect("set USER")) - style: secondary - start: 156 - end: 198 - - source: |- - config - .host(std::env::var("HOST").expect("set HOST")) - .user(std::env::var("USER").expect("set USER")) - style: secondary - start: 96 - end: 198 - - source: password - style: secondary - start: 200 - end: 208 - - source: |- - config - .host(std::env::var("HOST").expect("set HOST")) - .user(std::env::var("USER").expect("set USER")) - .password - style: secondary - start: 96 - end: 208 - - source: ("") - style: secondary - start: 208 - end: 212 - - source: config - style: secondary - start: 56 - end: 62 - - source: tokio_postgres::Config::new() - style: secondary - start: 65 - end: 94 - - source: let mut config = tokio_postgres::Config::new(); - style: secondary - start: 48 - end: 95 - - source: |- - config - .host(std::env::var("HOST").expect("set HOST")) - 
.user(std::env::var("USER").expect("set USER")) - .password("") - .port(std::env::var("PORT").expect("set PORT")); - style: secondary - start: 96 - end: 261 diff --git a/tests/__snapshots__/tokio-postgres-hardcoded-password-rust-snapshot.yml b/tests/__snapshots__/tokio-postgres-hardcoded-password-rust-snapshot.yml deleted file mode 100644 index ba49829e..00000000 --- a/tests/__snapshots__/tokio-postgres-hardcoded-password-rust-snapshot.yml +++ /dev/null 
@@ -1,91 +0,0 @@ -id: tokio-postgres-hardcoded-password-rust -snapshots: - ? | - async fn test2() -> Result<(), anyhow::Error> { - let (client, connection) = tokio_postgres::Config::new() - .host(shard_host_name.as_str()) - .user("postgres") - .password("postgres") - .dbname("moray") - .keepalives_idle(std::time::Duration::from_secs(30)) - .connect(NoTls) - .await - .map_err(|e| { - error!(log, "failed to connect to {}: {}", &shard_host_name, e); - Error::new(ErrorKind::Other, e) - })?; - : labels: - - source: |- - tokio_postgres::Config::new() - .host(shard_host_name.as_str()) - .user("postgres") - .password("postgres") - style: primary - start: 75 - end: 176 - - source: tokio_postgres::Config::new() - style: secondary - start: 75 - end: 104 - - source: |- - tokio_postgres::Config::new() - .host - style: secondary - start: 75 - end: 110 - - source: (shard_host_name.as_str()) - style: secondary - start: 110 - end: 136 - - source: |- - tokio_postgres::Config::new() - .host(shard_host_name.as_str()) - style: secondary - start: 75 - end: 136 - - source: user - style: secondary - start: 138 - end: 142 - - source: |- - tokio_postgres::Config::new() - .host(shard_host_name.as_str()) - .user - style: secondary - start: 75 - end: 142 - - source: ("postgres") - style: secondary - start: 142 - end: 154 - - source: |- - tokio_postgres::Config::new() - .host(shard_host_name.as_str()) - .user("postgres") - style: secondary - start: 75 - end: 154 - - source: password - style: secondary - start: 156 - end: 164 - - source: |- - tokio_postgres::Config::new() - .host(shard_host_name.as_str()) - .user("postgres") - .password - style: secondary - start: 75 - end: 164 - - source: postgres - style: secondary - start: 166 - end: 174 - - source: '"postgres"' - style: secondary - start: 165 - end: 175 - - source: ("postgres") - style: secondary - start: 164 - end: 176 
diff --git a/tests/__snapshots__/unencrypted-socket-java-snapshot.yml b/tests/__snapshots__/unencrypted-socket-java-snapshot.yml deleted file mode 100644 index e0becd2b..00000000 --- a/tests/__snapshots__/unencrypted-socket-java-snapshot.yml +++ /dev/null @@ -1,58 +0,0 @@ -id: unencrypted-socket-java -snapshots: - ? | - ServerSocket ssoc = new ServerSocket(1234); - : labels: - - source: new ServerSocket(1234) - style: primary - start: 20 - end: 42 - ? | - ServerSocket ssoc1 = new ServerSocket(); - : labels: - - source: new ServerSocket() - style: primary - start: 21 - end: 39 - ? | - ServerSocket ssoc2 = new ServerSocket(1234, 10); - : labels: - - source: new ServerSocket(1234, 10) - style: primary - start: 21 - end: 47 - ? | - ServerSocket ssoc3 = new ServerSocket(1234, 10, InetAddress.getByAddress(address)); - : labels: - - source: new ServerSocket(1234, 10, InetAddress.getByAddress(address)) - style: primary - start: 21 - end: 82 - ? | - Socket soc = new Socket("www.google.com", 80); - : labels: - - source: new Socket("www.google.com", 80) - style: primary - start: 13 - end: 45 - ? | - Socket soc1 = new Socket("www.google.com", 80, true); - : labels: - - source: new Socket("www.google.com", 80, true) - style: primary - start: 14 - end: 52 - ? | - Socket soc2 = new Socket("www.google.com", 80, InetAddress.getByAddress(address), 13337); - : labels: - - source: new Socket("www.google.com", 80, InetAddress.getByAddress(address), 13337) - style: primary - start: 14 - end: 88 - ? | - Socket soc3 = new Socket(InetAddress.getByAddress(remoteAddress), 80); - : labels: - - source: new Socket(InetAddress.getByAddress(remoteAddress), 80) - style: primary - start: 14 - end: 69 diff --git a/tests/__snapshots__/unencrypted-socket-snapshot.yml b/tests/__snapshots__/unencrypted-socket-snapshot.yml deleted file mode 100644 index bc373b34..00000000 --- a/tests/__snapshots__/unencrypted-socket-snapshot.yml +++ /dev/null 
@@ -1,14 +0,0 @@ -id: unencrypted-socket -snapshots: - ? |- - val socket = Socket("localhost", 8080) - val out = PrintWriter(socket.getOutputStream(), true) - val input = BufferedReader(InputStreamReader(socket.getInputStream())) - out.println("Hello, World!") - val response = input.readLine() - println(response) - : labels: - - source: Socket("localhost", 8080) - style: primary - start: 13 - end: 38 diff --git a/tests/__snapshots__/unsafe-usage-snapshot.yml b/tests/__snapshots__/unsafe-usage-snapshot.yml deleted file mode 100644 index 7bd74108..00000000 --- a/tests/__snapshots__/unsafe-usage-snapshot.yml +++ /dev/null @@ -1,17 +0,0 @@ -id: unsafe-usage -snapshots: - ? |- - fn main() { - let x = 42; - unsafe { - println!("{}", x); - } - } - : labels: - - source: |- - unsafe { - println!("{}", x); - } - style: primary - start: 32 - end: 73 diff --git a/tests/__snapshots__/use-of-aes-ecb-java-snapshot.yml b/tests/__snapshots__/use-of-aes-ecb-java-snapshot.yml deleted file mode 100644 index 6c8a701c..00000000 --- a/tests/__snapshots__/use-of-aes-ecb-java-snapshot.yml +++ /dev/null @@ -1,10 +0,0 @@ -id: use-of-aes-ecb-java -snapshots: - ? | - Cipher.getInstance("AES/ECB/NoPadding") - Cipher.getInstance("AES/ECB/PKCS5Padding") - : labels: - - source: Cipher.getInstance("AES/ECB/NoPadding") - style: primary - start: 0 - end: 39 diff --git a/tests/__snapshots__/use-of-blowfish-java-snapshot.yml b/tests/__snapshots__/use-of-blowfish-java-snapshot.yml deleted file mode 100644 index cc54e7fb..00000000 --- a/tests/__snapshots__/use-of-blowfish-java-snapshot.yml +++ /dev/null @@ -1,16 +0,0 @@ -id: use-of-blowfish-java -snapshots: - ? | - Cipher.getInstance("Blowfish"); - : labels: - - source: Cipher.getInstance("Blowfish") - style: primary - start: 0 - end: 30 - ? | - useCipher(Cipher.getInstance("Blowfish")); - : labels: - - source: Cipher.getInstance("Blowfish") - style: primary - start: 10 - end: 40 
diff --git a/tests/__snapshots__/use-of-default-aes-java-snapshot.yml b/tests/__snapshots__/use-of-default-aes-java-snapshot.yml deleted file mode 100644 index 31aafdca..00000000 --- a/tests/__snapshots__/use-of-default-aes-java-snapshot.yml +++ /dev/null @@ -1,22 +0,0 @@ -id: use-of-default-aes-java -snapshots: - ? "import javax;\nimport javax.crypto; \nimport javax.crypto.*;\nimport javax.crypto.Cipher;\nclass AES{\npublic void useofAES() {\nCipher.getInstance(\"AES\");\ncrypto.Cipher.getInstance(\"AES\");\njavax.crypto.Cipher.getInstance(\"AES\");\n}\n" - : labels: - - source: Cipher.getInstance("AES") - style: primary - start: 127 - end: 152 - - source: import javax; - style: secondary - start: 0 - end: 13 - - source: |- - class AES{ - public void useofAES() { - Cipher.getInstance("AES"); - crypto.Cipher.getInstance("AES"); - javax.crypto.Cipher.getInstance("AES"); - } - style: secondary - start: 91 - end: 229 diff --git a/tests/__snapshots__/use-of-md5-digest-utils-java-snapshot.yml b/tests/__snapshots__/use-of-md5-digest-utils-java-snapshot.yml deleted file mode 100644 index fe41e08d..00000000 --- a/tests/__snapshots__/use-of-md5-digest-utils-java-snapshot.yml +++ /dev/null @@ -1,9 +0,0 @@ -id: use-of-md5-digest-utils-java -snapshots: - ? | - byte[] hashValue = DigestUtils.getMd5Digest().digest(password.getBytes()); - : labels: - - source: DigestUtils.getMd5Digest().digest(password.getBytes()) - style: primary - start: 19 - end: 73 diff --git a/tests/__snapshots__/use-of-md5-java-snapshot.yml b/tests/__snapshots__/use-of-md5-java-snapshot.yml deleted file mode 100644 index 6f6c27ae..00000000 --- a/tests/__snapshots__/use-of-md5-java-snapshot.yml +++ /dev/null @@ -1,9 +0,0 @@ -id: use-of-md5-java -snapshots: - ? | - MessageDigest md5Digest = MessageDigest.getInstance("MD5"); - : labels: - - source: MessageDigest.getInstance("MD5") - style: primary - start: 26 - end: 58 
diff --git a/tests/__snapshots__/use-of-rc2-java-snapshot.yml b/tests/__snapshots__/use-of-rc2-java-snapshot.yml deleted file mode 100644 index 7ac4199f..00000000 --- a/tests/__snapshots__/use-of-rc2-java-snapshot.yml +++ /dev/null @@ -1,10 +0,0 @@ -id: use-of-rc2-java -snapshots: - ? | - useCipher(Cipher.getInstance("RC2")); - Cipher.getInstance("RC2"); - : labels: - - source: Cipher.getInstance("RC2") - style: primary - start: 10 - end: 35 diff --git a/tests/__snapshots__/use-of-rc4-java-snapshot.yml b/tests/__snapshots__/use-of-rc4-java-snapshot.yml deleted file mode 100644 index cbf4423c..00000000 --- a/tests/__snapshots__/use-of-rc4-java-snapshot.yml +++ /dev/null @@ -1,16 +0,0 @@ -id: use-of-rc4-java -snapshots: - ? | - Cipher.getInstance("RC4"); - : labels: - - source: Cipher.getInstance("RC4") - style: primary - start: 0 - end: 25 - ? | - useCipher(Cipher.getInstance("RC4")); - : labels: - - source: Cipher.getInstance("RC4") - style: primary - start: 10 - end: 35 diff --git a/tests/__snapshots__/use-of-sha1-java-snapshot.yml b/tests/__snapshots__/use-of-sha1-java-snapshot.yml deleted file mode 100644 index 444fe5b3..00000000 --- a/tests/__snapshots__/use-of-sha1-java-snapshot.yml +++ /dev/null @@ -1,10 +0,0 @@ -id: use-of-sha1-java -snapshots: - ? | - java.security.MessageDigest md = java.security.MessageDigest.getInstance("SHA1", "SUN"); - DigestUtils.getSha1Digest().digest(password.getBytes()); - : labels: - - source: java.security.MessageDigest.getInstance("SHA1", "SUN") - style: primary - start: 33 - end: 87 diff --git a/tests/__snapshots__/use-of-weak-rsa-key-go-snapshot.yml b/tests/__snapshots__/use-of-weak-rsa-key-go-snapshot.yml deleted file mode 100644 index 91aeb283..00000000 --- a/tests/__snapshots__/use-of-weak-rsa-key-go-snapshot.yml +++ /dev/null 
@@ -1,21 +0,0 @@ -id: use-of-weak-rsa-key-go -snapshots: - ? | - pvk, err := rsa.GenerateKey(rand.Reader, 1025) - : labels: - - source: rsa.GenerateKey(rand.Reader, 1025) - style: primary - start: 12 - end: 46 - - source: rsa.GenerateKey - style: secondary - start: 12 - end: 27 - - source: (rand.Reader, 1025) - style: secondary - start: 27 - end: 46 - - source: '1025' - style: secondary - start: 41 - end: 45 diff --git a/tests/__snapshots__/use-of-weak-rsa-key-java-snapshot.yml b/tests/__snapshots__/use-of-weak-rsa-key-java-snapshot.yml deleted file mode 100644 index bb83308a..00000000 --- a/tests/__snapshots__/use-of-weak-rsa-key-java-snapshot.yml +++ /dev/null @@ -1,34 +0,0 @@ -id: use-of-weak-rsa-key-java -snapshots: - ? | - KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); - keyGen.initialize(-512); - : labels: - - source: keyGen.initialize(-512) - style: primary - start: 63 - end: 86 - ? | - KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); - keyGen.initialize(512); - : labels: - - source: keyGen.initialize(512) - style: primary - start: 63 - end: 85 - ? | - KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); - keyGen.initialize(512.0); - : labels: - - source: keyGen.initialize(512.0) - style: primary - start: 63 - end: 87 - ? | - KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); - keyGen.initialize(512.09); - : labels: - - source: keyGen.initialize(512.09) - style: primary - start: 63 - end: 88 diff --git a/tests/__snapshots__/use-of-weak-rsa-key-kotlin-snapshot.yml b/tests/__snapshots__/use-of-weak-rsa-key-kotlin-snapshot.yml deleted file mode 100644 index 5c7fe552..00000000 --- a/tests/__snapshots__/use-of-weak-rsa-key-kotlin-snapshot.yml +++ /dev/null @@ -1,10 +0,0 @@ -id: use-of-weak-rsa-key-kotlin -snapshots: - ? | - KeyPairGenerator.getInstance("RSA") - keyGen.initialize(-5.12); - : labels: - - source: keyGen.initialize(-5.12) - style: primary - start: 36 - end: 60 
diff --git a/tests/__snapshots__/weak-ssl-context-java-snapshot.yml b/tests/__snapshots__/weak-ssl-context-java-snapshot.yml deleted file mode 100644 index ca21f566..00000000 --- a/tests/__snapshots__/weak-ssl-context-java-snapshot.yml +++ /dev/null @@ -1,37 +0,0 @@ -id: weak-ssl-context-java -snapshots: - ? | - SSLContext ctx = SSLContext.getInstance("SSL"); - : labels: - - source: SSLContext.getInstance("SSL") - style: primary - start: 17 - end: 46 - ? | - SSLContext ctx = SSLContext.getInstance("SSLv3"); - : labels: - - source: SSLContext.getInstance("SSLv3") - style: primary - start: 17 - end: 48 - ? | - SSLContext ctx = SSLContext.getInstance("TLS"); - : labels: - - source: SSLContext.getInstance("TLS") - style: primary - start: 17 - end: 46 - ? | - SSLContext ctx = SSLContext.getInstance("TLSv1"); - : labels: - - source: SSLContext.getInstance("TLSv1") - style: primary - start: 17 - end: 48 - ? | - SSLContext ctx = SSLContext.getInstance("TLSv1.1"); - : labels: - - source: SSLContext.getInstance("TLSv1.1") - style: primary - start: 17 - end: 50 diff --git a/tests/__snapshots__/wildcard-postmessage-configuration-snapshot.yml b/tests/__snapshots__/wildcard-postmessage-configuration-snapshot.yml deleted file mode 100644 index 86dad6a4..00000000 --- a/tests/__snapshots__/wildcard-postmessage-configuration-snapshot.yml +++ /dev/null @@ -1,14 +0,0 @@ -id: wildcard-postmessage-configuration -snapshots: - window.postMessage("hello", '*'): - labels: - - source: window.postMessage("hello", '*') - style: primary - start: 0 - end: 32 - window.postMessage("world", "*"): - labels: - - source: window.postMessage("world", "*") - style: primary - start: 0 - end: 32 diff --git a/tests/__snapshots__/xmlinputfactory-dtd-enabled-scala-snapshot.yml b/tests/__snapshots__/xmlinputfactory-dtd-enabled-scala-snapshot.yml deleted file mode 100644 index ed6503fc..00000000 --- a/tests/__snapshots__/xmlinputfactory-dtd-enabled-scala-snapshot.yml +++ /dev/null 
@@ -1,19 +0,0 @@ -id: xmlinputfactory-dtd-enabled-scala -snapshots: - ? |- - val factory = XMLInputFactory.newFactory() - val fileReader = new FileReader(file) - : labels: - - source: XMLInputFactory.newFactory() - style: primary - start: 14 - end: 42 - ? |- - val factory = XMLInputFactory.newFactory() - val fileReader = new FileReader(file) - val fileReader = new FileReader(file) - : labels: - - source: XMLInputFactory.newFactory() - style: primary - start: 14 - end: 42 diff --git a/tests/c/dont-call-system-c-test.yml b/tests/c/dont-call-system-c-test.yml deleted file mode 100644 index 3d482dfc..00000000 --- a/tests/c/dont-call-system-c-test.yml +++ /dev/null @@ -1,34 +0,0 @@ -id: dont-call-system-c -valid: - - | - void test_003(const char *input) - { - storer->store_binary(Clocks->system()); - } -invalid: - - | - void test_002(const char *input) - { - char cmdbuf[BUFFERSIZE]; - int len_wanted = snprintf(cmdbuf, BUFFERSIZE, - "any_cmd '%s'", input); - system(cmdbuf); - } - void test_001(const char *input) - { - char cmdbuf[BUFFERSIZE]; - int len_wanted = snprintf(cmdbuf, BUFFERSIZE, - "any_cmd '%s'", input); - if (len_wanted >= BUFFERSIZE) - { - /* Handle error */ - } - else if (len_wanted < 0) - { - /* Handle error */ - } - else if (system(cmdbuf) == -1) - { - /* Handle error */ - } - } diff --git a/tests/c/file-access-before-action-c-test.yml b/tests/c/file-access-before-action-c-test.yml deleted file mode 100644 index 0135ed02..00000000 --- a/tests/c/file-access-before-action-c-test.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -id: file-access-before-action-c -valid: - - | - -invalid: - - | - { - const char *original_key = "path/to/file/filename"; - const char *mirror_key = "path/to/another/file/filename"; - - if ((access(original_key, F_OK) == 0) && (access(mirror_key, F_OK) == 0)) - { - copy_file("/bin/cp %s %s", original_key, mirror_key); - - // ruleid: file-access-before-action - unlink(original_key); - } - } - void test_002() - { - const char *original_key = "path/to/file/filename"; - - if (access(original_key, W_OK) == 0) - { - // ruleid: file-access-before-action - FILe *fp = fopen(original_key, "wb"); - } - } diff --git a/tests/c/file-stat-before-action-c-test.yml b/tests/c/file-stat-before-action-c-test.yml deleted file mode 100644 index 24f2c4c8..00000000 --- a/tests/c/file-stat-before-action-c-test.yml +++ /dev/null @@ -1,42 +0,0 @@ -id: file-stat-before-action-c -valid: - - | - -invalid: - - | - if (stat(file.c_str(), &buf) == 0) - { - - // Open the file for reading - // ruleid: file-stat-before-action - fp = fopen(file.c_str(), "r"); - if (fp == NULL) - { - char message[2560]; - sprintf(message, "File '%s' Cound Not be Opened", file.c_str()); - // DISPLAY_MSG_ERROR( this, message, "GetFileContents", "System" ); - throw message; - } - - MvString s, ss; - while (fgets(data, sizeof(data), fp) != (char *)0) - { - s = data; - s.trimBoth(); - if (s.compare(0, 5, "GROUP") == 0) - { - // size_t t = s.find_last_of( ":" ); - size_t t = s.find(":"); - if (t != string::npos) - { - ss = s.substr(t + 1).c_str(); - ss.trimBoth(); - ss = ss.substr(1, ss.length() - 3).c_str(); - group_list.push_back(ss); - } - } - } - - // Close the file - fclose(fp); - } diff --git a/tests/c/info-leak-on-non-formated-string-test.yml b/tests/c/info-leak-on-non-formated-string-test.yml deleted file mode 100644 index a2d1bad1..00000000 --- a/tests/c/info-leak-on-non-formated-string-test.yml +++ /dev/null 
@@ -1,11 +0,0 @@ -id: info-leak-on-non-formated-string -valid: - - | - printf("Hello, World! %s", "Hello"); - printf("Hello, World! %s %d", "Hello", 1); - printf("Hello, World! %s %d %c", "Hello", 1, 'a'); - printf("Hello, World! %s %d %c %f", "Hello", 1, 'a', 1.0); - printf("Hello, World! %s %d %c %f %lf", "Hello", 1, 'a', 1.0, 1.0); -invalid: - - | - printf(argv[0]); \ No newline at end of file diff --git a/tests/c/insecure-hash-c-test.yml b/tests/c/insecure-hash-c-test.yml deleted file mode 100644 index d0be7610..00000000 --- a/tests/c/insecure-hash-c-test.yml +++ /dev/null @@ -1,14 +0,0 @@ -id: insecure-hash-c -valid: - - | - MD5Final(digest,ctx); -invalid: - - | - MD2_Init(); - SHA1_Init(); - const char *md4 = "MD4"; - EVP_MD_fetch(NULL, md4, NULL); - EVP_get_digestbyname(md4); - const char *sha1 = "SHA1"; - EVP_MD_fetch(NULL, sha1, NULL); - EVP_get_digestbyname(sha1); diff --git a/tests/c/insecure-use-gets-function-test.yml b/tests/c/insecure-use-gets-function-test.yml deleted file mode 100644 index 6c69ff5a..00000000 --- a/tests/c/insecure-use-gets-function-test.yml +++ /dev/null @@ -1,8 +0,0 @@ -id: insecure-use-gets-function -valid: - - | - fgets(buffer, sizeof(buffer), stdin); - gets_s(buffer, sizeof(buffer)); -invalid: - - | - gets(buffer); \ No newline at end of file diff --git a/tests/c/insecure-use-memset-test.yml b/tests/c/insecure-use-memset-test.yml deleted file mode 100644 index 2b273723..00000000 --- a/tests/c/insecure-use-memset-test.yml +++ /dev/null @@ -1,7 +0,0 @@ -id: insecure-use-memset-function -valid: - - | - memset_s(buffer, 0, sizeof(buffer)); -invalid: - - | - memset(buffer, 0, sizeof(buffer)); \ No newline at end of file diff --git a/tests/c/insecure-use-scanf-test.yml b/tests/c/insecure-use-scanf-test.yml deleted file mode 100644 index 36279af6..00000000 --- a/tests/c/insecure-use-scanf-test.yml +++ /dev/null 
@@ -1,8 +0,0 @@ -id: insecure-use-scanf-function -valid: - - | - fgets(buffer, sizeof(buffer), stdin); - gets_s(buffer, sizeof(buffer)); -invalid: - - | - scanf("%s", buffer); \ No newline at end of file diff --git a/tests/c/insecure-use-strcat-test.yaml b/tests/c/insecure-use-strcat-test.yaml deleted file mode 100644 index 460a1a3e..00000000 --- a/tests/c/insecure-use-strcat-test.yaml +++ /dev/null @@ -1,8 +0,0 @@ -id: insecure-use-strcat-function -valid: - - | - strcat_s(buffer, sizeof(buffer), "abc"); -invalid: - - | - strcat(buffer, "abc"); - strncat(buffer, "abc", sizeof(buffer)); \ No newline at end of file diff --git a/tests/c/insecure-use-string-copy-function-test.yml b/tests/c/insecure-use-string-copy-function-test.yml deleted file mode 100644 index dee0150e..00000000 --- a/tests/c/insecure-use-string-copy-function-test.yml +++ /dev/null @@ -1,8 +0,0 @@ -id: insecure-use-string-copy-function -valid: - - | - strcpy_s(buffer, sizeof(buffer), "abc"); -invalid: - - | - strcpy(buffer, "abc"); - strncpy(buffer, "abc", sizeof(buffer)); \ No newline at end of file diff --git a/tests/c/insecure-use-strtok-function-test.yml b/tests/c/insecure-use-strtok-function-test.yml deleted file mode 100644 index 76522b71..00000000 --- a/tests/c/insecure-use-strtok-function-test.yml +++ /dev/null @@ -1,7 +0,0 @@ -id: insecure-use-strtok-function -valid: - - | - strtok_s(buffer, " ", &context); -invalid: - - | - strtok(buffer, " "); \ No newline at end of file diff --git a/tests/c/libxml2-audit-parser-c-test.yml b/tests/c/libxml2-audit-parser-c-test.yml deleted file mode 100644 index d5fca034..00000000 --- a/tests/c/libxml2-audit-parser-c-test.yml +++ /dev/null @@ -1,8 +0,0 @@ -id: libxml2-audit-parser-c -valid: - - | - xmlCtxtReadMemory(); -invalid: - - | - xmlParseInNodeContext(cur_node->parent, xml_filtered.c_str(), - (int)xml_filtered.length(), 0, &pNewNode); 
diff --git a/tests/c/null-library-function-c-test.yml b/tests/c/null-library-function-c-test.yml deleted file mode 100644 index 96bdd2dc..00000000 --- a/tests/c/null-library-function-c-test.yml +++ /dev/null @@ -1,30 +0,0 @@ -id: null-library-function-c -valid: - - | - errno = 0; - fwrite(data, len, 1, f); - if (errno) { - ERRS("unable to write output file"); - goto out_flush; - } - -invalid: - - | - gid_t f() { - return getgrent()->gr_gid; - } - void f() { - char buf[128]; - strcpy(buf, getenv("FOO")); - } - { - fwrite("foo", 3, 1, fopen("foo.txt", "w")); - } - { - FILE *fptr; - fwrite("foo", 3, 1, fptr = fopen("foo.txt", "w")); - } - void test_getc() { - int c = getc(fopen(file_name, "r")); - int c = getc(fptr = fopen(file_name, "r")); - } diff --git a/tests/c/return-c-str-c-test.yml b/tests/c/return-c-str-c-test.yml deleted file mode 100644 index 55cbefd3..00000000 --- a/tests/c/return-c-str-c-test.yml +++ /dev/null @@ -1,29 +0,0 @@ -id: return-c-str-c -valid: - - | - StringWrapper return_wrapped() { - std::string s = "foo"; - return s.c_str(); - } -invalid: - - | - char *f(){ - std::string s; - return s.c_str(); - } - char *f() { - std::string s = std::string("foo"); - return s.c_str(); - } - char *f(std::string s) { - return s.c_str(); - } - class Foo { - char *f() { - std::string s; - return s.c_str(); - } - char *f() { - std::string s = std::string("foo"); - return s.c_str(); - } diff --git a/tests/c/sizeof-this-c-test.yml b/tests/c/sizeof-this-c-test.yml deleted file mode 100644 index f9be53fb..00000000 --- a/tests/c/sizeof-this-c-test.yml +++ /dev/null @@ -1,7 +0,0 @@ -id: sizeof-this-c -valid: - - | - return sizeof(*this); -invalid: - - | - return sizeof(this); diff --git a/tests/c/small-key-size-c-test.yml b/tests/c/small-key-size-c-test.yml deleted file mode 100644 index e4c3a272..00000000 --- a/tests/c/small-key-size-c-test.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -id: small-key-size-c -valid: - - | - void foo() { - size_t bad_size = 1024; - size_t good_size = 2048; - DH_generate_parameters_ex(NULL, good_size); - DSA_generate_parameters_ex(NULL, good_size); - EVP_PKEY_CTX_set_dh_paramgen_prime_len(NULL, good_size); - EVP_PKEY_CTX_set_dsa_paramgen_bits(NULL, good_size); - EVP_PKEY_CTX_set_rsa_keygen_bits(NULL, good_size); - RSA_generate_key_ex(NULL, good_size); - RSA_generate_key_fips(NULL, good_size);} - -invalid: - - | - void foo() { - size_t bad_size = 1024; - size_t good_size = 2048; - DH_generate_parameters_ex(NULL, bad_size); - DSA_generate_parameters_ex(NULL, bad_size); - EVP_PKEY_CTX_set_dh_paramgen_prime_len(NULL, bad_size); - EVP_PKEY_CTX_set_dsa_paramgen_bits(NULL, bad_size); - EVP_PKEY_CTX_set_rsa_keygen_bits(NULL, bad_size); - RSA_generate_key_ex(NULL, bad_size); - RSA_generate_key_fips(NULL, bad_size);} diff --git a/tests/c/std-return-data-c-test.yml b/tests/c/std-return-data-c-test.yml deleted file mode 100644 index c46c85fa..00000000 --- a/tests/c/std-return-data-c-test.yml +++ /dev/null @@ -1,15 +0,0 @@ -id: std-return-data-c -valid: - - | - class Wrapper { - std::vector v; - int *return_vector_begin_iterator() { - return v.data(); - } - } -invalid: - - | - int *return_vector_data() { - std::vector v; - return v.data(); - } diff --git a/tests/c/std-vector-invalidation-c-test.yml b/tests/c/std-vector-invalidation-c-test.yml deleted file mode 100644 index 540715f7..00000000 --- a/tests/c/std-vector-invalidation-c-test.yml +++ /dev/null 
@@ -1,105 +0,0 @@ -id: std-vector-invalidation-c -valid: - - | - void f(std::vector &vec) { - for (std::vector::iterator it = vec.begin(); it != vec.end(); ++it) { - if (should_erase(*it)) { - // This is the correct way to iterate while erasing - // ok: std-vector-invalidation - it = vec.erase(it); - } else { - ++it; - } - } - } - bool isInList(const TCHAR *token2Find, std::vector ¶ms, bool eraseArg = true) - { - for (std::vector::iterator = params.begin(); it != params.end(); ++it) - { - if (lstrcmp(token2Find, it->c_str()) == 0) - { - // ok: std-vector-invalidation - if (eraseArg) params.erase(it); - return true; - } - } - return false; - } -invalid: - - | - void loop_variant_5(std::vector &vec) { - for(std::vector::iterator it = vec.begin(); it != vec.end(); ++it) { - if (should_erase(*it)) { - // ruleid: std-vector-invalidation - vec.erase(it); - } - } - } - void loop_variant_6(std::vector &vec) { - for(std::vector::iterator it = vec.begin(); it != vec.end(); it++) { - if (should_erase(*it)) { - // ruleid: std-vector-invalidation - vec.erase(it); - } - } - } - void loop_variant_7(std::vector &vec) { - for(std::vector::iterator it = vec.rbegin(); it != vec.rend(); ++it) { - if (should_erase(*it)) { - // ruleid: std-vector-invalidation - vec.erase(it); - } - } - } - void loop_variant_8(std::vector &vec) { - for(std::vector::iterator it = vec.rbegin(); it != vec.rend(); it++) { - if (should_erase(*it)) { - // ruleid: std-vector-invalidation - vec.erase(it); - } - } - } - void loop_variant_9(std::vector &vec) { - for(std::vector::iterator it = vec.begin(), end = vec.end(); it != end; ++it) { - if (should_erase(*it)) { - // ruleid: std-vector-invalidation - vec.erase(it); - } - } - } - void loop_variant_10(std::vector &vec) { - for(std::vector::iterator it = vec.begin(), end = vec.end(); it != end; it++) { - if (should_erase(*it)) { - // ruleid: std-vector-invalidation - vec.erase(it); - } - } - } - void loop_variant_11(std::vector &vec) { - 
for(std::vector::iterator it = vec.rbegin(), end = vec.rend(); it != end; ++it) { - if (should_erase(*it)) { - // ruleid: std-vector-invalidation - vec.erase(it); - } - } - } - void loop_variant_12(std::vector &vec) { - for(std::vector::iterator it = vec.rbegin(), end = vec.rend(); it != end; it++) { - if (should_erase(*it)) { - // ruleid: std-vector-invalidation - vec.erase(it); - } - } - } - void f(std::vector &vec, std::vector &other_vec) { - for(std::vector::iterator it = vec.begin(); it != vec.end(); it++) { - if (foo()) { - // ruleid: std-vector-invalidation - vec.push_back(0); - - // Modifying a different container is OK - // ok: std-vector-invalidation - other_vec.push_back(0); - } - } - } diff --git a/tests/cpp/dont-call-system-cpp-test.yml b/tests/cpp/dont-call-system-cpp-test.yml deleted file mode 100644 index acab0c60..00000000 --- a/tests/cpp/dont-call-system-cpp-test.yml +++ /dev/null @@ -1,34 +0,0 @@ -id: dont-call-system-cpp -valid: - - | - void test_003(const char *input) - { - storer->store_binary(Clocks->system()); - } -invalid: - - | - void test_002(const char *input) - { - char cmdbuf[BUFFERSIZE]; - int len_wanted = snprintf(cmdbuf, BUFFERSIZE, - "any_cmd '%s'", input); - system(cmdbuf); - } - void test_001(const char *input) - { - char cmdbuf[BUFFERSIZE]; - int len_wanted = snprintf(cmdbuf, BUFFERSIZE, - "any_cmd '%s'", input); - if (len_wanted >= BUFFERSIZE) - { - /* Handle error */ - } - else if (len_wanted < 0) - { - /* Handle error */ - } - else if (system(cmdbuf) == -1) - { - /* Handle error */ - } - } diff --git a/tests/cpp/file-access-before-action-cpp-test.yml b/tests/cpp/file-access-before-action-cpp-test.yml deleted file mode 100644 index fb725b2c..00000000 --- a/tests/cpp/file-access-before-action-cpp-test.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -id: file-access-before-action-cpp -valid: - - | - -invalid: - - | - { - const char *original_key = "path/to/file/filename"; - const char *mirror_key = "path/to/another/file/filename"; - - if ((access(original_key, F_OK) == 0) && (access(mirror_key, F_OK) == 0)) - { - copy_file("/bin/cp %s %s", original_key, mirror_key); - - // ruleid: file-access-before-action - unlink(original_key); - } - } - void test_002() - { - const char *original_key = "path/to/file/filename"; - - if (access(original_key, W_OK) == 0) - { - // ruleid: file-access-before-action - FILe *fp = fopen(original_key, "wb"); - } - } diff --git a/tests/cpp/file-stat-before-action-cpp-test.yml b/tests/cpp/file-stat-before-action-cpp-test.yml deleted file mode 100644 index 76bed212..00000000 --- a/tests/cpp/file-stat-before-action-cpp-test.yml +++ /dev/null @@ -1,43 +0,0 @@ -id: file-stat-before-action-c -valid: - - | - -invalid: - - | - if (stat(file.c_str(), &buf) == 0) - { - - // Open the file for reading - // ruleid: file-stat-before-action - fp = fopen(file.c_str(), "r"); - if (fp == NULL) - { - char message[2560]; - sprintf(message, "File '%s' Cound Not be Opened", file.c_str()); - // DISPLAY_MSG_ERROR( this, message, "GetFileContents", "System" ); - throw message; - } - - // Read the file - MvString s, ss; - while (fgets(data, sizeof(data), fp) != (char *)0) - { - s = data; - s.trimBoth(); - if (s.compare(0, 5, "GROUP") == 0) - { - // size_t t = s.find_last_of( ":" ); - size_t t = s.find(":"); - if (t != string::npos) - { - ss = s.substr(t + 1).c_str(); - ss.trimBoth(); - ss = ss.substr(1, ss.length() - 3).c_str(); - group_list.push_back(ss); - } - } - } - - // Close the file - fclose(fp); - } diff --git a/tests/cpp/insecure-hash-cpp-test.yml b/tests/cpp/insecure-hash-cpp-test.yml deleted file mode 100644 index a8240276..00000000 --- a/tests/cpp/insecure-hash-cpp-test.yml +++ /dev/null 
@@ -1,14 +0,0 @@ -id: insecure-hash-cpp -valid: - - | - MD5Final(digest,ctx); -invalid: - - | - MD2_Init(); - SHA1_Init(); - const char *md4 = "MD4"; - EVP_MD_fetch(NULL, md4, NULL); - EVP_get_digestbyname(md4); - const char *sha1 = "SHA1"; - EVP_MD_fetch(NULL, sha1, NULL); - EVP_get_digestbyname(sha1); diff --git a/tests/cpp/libxml2-audit-parser-cpp-test.yml b/tests/cpp/libxml2-audit-parser-cpp-test.yml deleted file mode 100644 index f09ad2bd..00000000 --- a/tests/cpp/libxml2-audit-parser-cpp-test.yml +++ /dev/null @@ -1,8 +0,0 @@ -id: libxml2-audit-parser-cpp -valid: - - | - xmlCtxtReadMemory(); -invalid: - - | - xmlParseInNodeContext(cur_node->parent, xml_filtered.c_str(), - (int)xml_filtered.length(), 0, &pNewNode); diff --git a/tests/cpp/null-library-function-cpp-test.yml b/tests/cpp/null-library-function-cpp-test.yml deleted file mode 100644 index 070db324..00000000 --- a/tests/cpp/null-library-function-cpp-test.yml +++ /dev/null @@ -1,30 +0,0 @@ -id: null-library-function-cpp -valid: - - | - errno = 0; - fwrite(data, len, 1, f); - if (errno) { - ERRS("unable to write output file"); - goto out_flush; - } - -invalid: - - | - gid_t f() { - return getgrent()->gr_gid; - } - void f() { - char buf[128]; - strcpy(buf, getenv("FOO")); - } - { - fwrite("foo", 3, 1, fopen("foo.txt", "w")); - } - { - FILE *fptr; - fwrite("foo", 3, 1, fptr = fopen("foo.txt", "w")); - } - void test_getc() { - int c = getc(fopen(file_name, "r")); - int c = getc(fptr = fopen(file_name, "r")); - } diff --git a/tests/cpp/return-c-str-cpp-test.yml b/tests/cpp/return-c-str-cpp-test.yml deleted file mode 100644 index b9ac5f52..00000000 --- a/tests/cpp/return-c-str-cpp-test.yml +++ /dev/null 
@@ -1,63 +0,0 @@ -id: return-c-str-cpp -valid: - - | - std::string return_directly() { - // ok: return-c-str - return std::string("foo"); - } - - | - char *f() { - static std::string s; - // ok: return-c-str - return s.c_str(); - } - - | - char *f() { - std::string s1; - return s.c_str(); - } -invalid: - - | - char *f() { - std::string s; - return s.c_str(); - } - - | - char *f() { - std::string s = std::string("foo"); - return s.c_str(); - } - - | - char *f(std::string s) { - return s.c_str(); - } - - | - class Foo { - char *f() { - std::string s = std::string("foo"); - return s.c_str(); - } - }; - - | - class Foo { - char *f() { - std::string s; - return s.c_str(); - } - }; - - | - char *return_namespace_directly() { - return std::string("foo").c_str(); - } - - | - char *return_directly() { - return string("foo").c_str(); - } - - | - char *return_basic_string_directly() { - return std::basic_string("foo").c_str(); - } - - | - char *return_data_directly() { - return std::string("foo").data(); - } diff --git a/tests/cpp/sizeof-this-cpp-test.yml b/tests/cpp/sizeof-this-cpp-test.yml deleted file mode 100644 index 343b2a66..00000000 --- a/tests/cpp/sizeof-this-cpp-test.yml +++ /dev/null @@ -1,7 +0,0 @@ -id: sizeof-this-cpp -valid: - - | - return sizeof(*this); -invalid: - - | - return sizeof(this); diff --git a/tests/cpp/small-key-size-cpp-test.yml b/tests/cpp/small-key-size-cpp-test.yml deleted file mode 100644 index 636b0ce3..00000000 --- a/tests/cpp/small-key-size-cpp-test.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -id: small-key-size-cpp -valid: - - | - void foo() { - size_t bad_size = 1024; - size_t good_size = 2048; - DH_generate_parameters_ex(NULL, good_size); - DSA_generate_parameters_ex(NULL, good_size); - EVP_PKEY_CTX_set_dh_paramgen_prime_len(NULL, good_size); - EVP_PKEY_CTX_set_dsa_paramgen_bits(NULL, good_size); - EVP_PKEY_CTX_set_rsa_keygen_bits(NULL, good_size); - RSA_generate_key_ex(NULL, good_size); - RSA_generate_key_fips(NULL, good_size);} - -invalid: - - | - void foo() { - size_t bad_size = 1024; - size_t good_size = 2048; - DH_generate_parameters_ex(NULL, bad_size); - DSA_generate_parameters_ex(NULL, bad_size); - EVP_PKEY_CTX_set_dh_paramgen_prime_len(NULL, bad_size); - EVP_PKEY_CTX_set_dsa_paramgen_bits(NULL, bad_size); - EVP_PKEY_CTX_set_rsa_keygen_bits(NULL, bad_size); - RSA_generate_key_ex(NULL, bad_size); - RSA_generate_key_fips(NULL, bad_size);} diff --git a/tests/cpp/std-return-data-cpp-test.yml b/tests/cpp/std-return-data-cpp-test.yml deleted file mode 100644 index 881e0957..00000000 --- a/tests/cpp/std-return-data-cpp-test.yml +++ /dev/null @@ -1,15 +0,0 @@ -id: std-return-data-cpp -valid: - - | - class Wrapper { - std::vector v; - int *return_vector_begin_iterator() { - return v.data(); - } - } -invalid: - - | - int *return_vector_data() { - std::vector v; - return v.data(); - } diff --git a/tests/cpp/std-vector-invalidation-cpp-test.yml b/tests/cpp/std-vector-invalidation-cpp-test.yml deleted file mode 100644 index d5e0a90d..00000000 --- a/tests/cpp/std-vector-invalidation-cpp-test.yml +++ /dev/null 
@@ -1,105 +0,0 @@ -id: std-vector-invalidation-cpp -valid: - - | - void f(std::vector &vec) { - for (std::vector::iterator it = vec.begin(); it != vec.end(); ++it) { - if (should_erase(*it)) { - // This is the correct way to iterate while erasing - // ok: std-vector-invalidation - it = vec.erase(it); - } else { - ++it; - } - } - } - bool isInList(const TCHAR *token2Find, std::vector ¶ms, bool eraseArg = true) - { - for (std::vector::iterator = params.begin(); it != params.end(); ++it) - { - if (lstrcmp(token2Find, it->c_str()) == 0) - { - // ok: std-vector-invalidation - if (eraseArg) params.erase(it); - return true; - } - } - return false; - } -invalid: - - | - void loop_variant_5(std::vector &vec) { - for(std::vector::iterator it = vec.begin(); it != vec.end(); ++it) { - if (should_erase(*it)) { - // ruleid: std-vector-invalidation - vec.erase(it); - } - } - } - void loop_variant_6(std::vector &vec) { - for(std::vector::iterator it = vec.begin(); it != vec.end(); it++) { - if (should_erase(*it)) { - // ruleid: std-vector-invalidation - vec.erase(it); - } - } - } - void loop_variant_7(std::vector &vec) { - for(std::vector::iterator it = vec.rbegin(); it != vec.rend(); ++it) { - if (should_erase(*it)) { - // ruleid: std-vector-invalidation - vec.erase(it); - } - } - } - void loop_variant_8(std::vector &vec) { - for(std::vector::iterator it = vec.rbegin(); it != vec.rend(); it++) { - if (should_erase(*it)) { - // ruleid: std-vector-invalidation - vec.erase(it); - } - } - } - void loop_variant_9(std::vector &vec) { - for(std::vector::iterator it = vec.begin(), end = vec.end(); it != end; ++it) { - if (should_erase(*it)) { - // ruleid: std-vector-invalidation - vec.erase(it); - } - } - } - void loop_variant_10(std::vector &vec) { - for(std::vector::iterator it = vec.begin(), end = vec.end(); it != end; it++) { - if (should_erase(*it)) { - // ruleid: std-vector-invalidation - vec.erase(it); - } - } - } - void loop_variant_11(std::vector &vec) { - 
for(std::vector::iterator it = vec.rbegin(), end = vec.rend(); it != end; ++it) { - if (should_erase(*it)) { - // ruleid: std-vector-invalidation - vec.erase(it); - } - } - } - void loop_variant_12(std::vector &vec) { - for(std::vector::iterator it = vec.rbegin(), end = vec.rend(); it != end; it++) { - if (should_erase(*it)) { - // ruleid: std-vector-invalidation - vec.erase(it); - } - } - } - void f(std::vector &vec, std::vector &other_vec) { - for(std::vector::iterator it = vec.begin(); it != vec.end(); it++) { - if (foo()) { - // ruleid: std-vector-invalidation - vec.push_back(0); - - // Modifying a different container is OK - // ok: std-vector-invalidation - other_vec.push_back(0); - } - } - } diff --git a/tests/csharp/binary-formatter-test.yml b/tests/csharp/binary-formatter-test.yml deleted file mode 100644 index 0a4b4cea..00000000 --- a/tests/csharp/binary-formatter-test.yml +++ /dev/null @@ -1,5 +0,0 @@ -id: binary-formatter -valid: -invalid: - - | - BinaryFormatter binaryFormatter = new BinaryFormatter(); \ No newline at end of file diff --git a/tests/csharp/data-contract-resolver-test.yml b/tests/csharp/data-contract-resolver-test.yml deleted file mode 100644 index 39029b03..00000000 --- a/tests/csharp/data-contract-resolver-test.yml +++ /dev/null @@ -1,10 +0,0 @@ -id: data-contract-resolver -valid: -invalid: - - | - namespace DCR - { - class CustomDCR : DataContractResolver - { - } - } \ No newline at end of file diff --git a/tests/csharp/html-raw-json-test.yml b/tests/csharp/html-raw-json-test.yml deleted file mode 100644 index 76edde04..00000000 --- a/tests/csharp/html-raw-json-test.yml +++ /dev/null @@ -1,13 +0,0 @@ -id: html-raw-json -valid: - - | - var obj = @Html.Raw(Model.HtmlField); - - | -
-invalid: - - | - var obj = @Html.Raw(JsonConvert.SerializeObject(Model)); - - | - anotherCall(); - var obj = @Html.Raw(Json.Encode(Model)); - alert("hello world"); \ No newline at end of file diff --git a/tests/csharp/httponly-false-csharp-test.yml b/tests/csharp/httponly-false-csharp-test.yml deleted file mode 100644 index 92062f04..00000000 --- a/tests/csharp/httponly-false-csharp-test.yml +++ /dev/null @@ -1,11 +0,0 @@ -id: httponly-false-csharp -valid: - - | - myHttpOnlyCookie.HttpOnly = true; - - | - options.Cookie.HttpOnly = true; -invalid: - - | - myHttpOnlyCookie.HttpOnly = false; - - | - options.Cookie.HttpOnly = false; diff --git a/tests/csharp/insecure-fspickler-deserialization-test.yml b/tests/csharp/insecure-fspickler-deserialization-test.yml deleted file mode 100644 index 80c47ec1..00000000 --- a/tests/csharp/insecure-fspickler-deserialization-test.yml +++ /dev/null @@ -1,5 +0,0 @@ -id: insecure-fspickler-deserialization -valid: -invalid: - - | - var fsPickler = FsPickler.CreateJsonSerializer(); \ No newline at end of file diff --git a/tests/csharp/insecure-netdatacontract-deserialization-test.yml b/tests/csharp/insecure-netdatacontract-deserialization-test.yml deleted file mode 100644 index 099cf2ba..00000000 --- a/tests/csharp/insecure-netdatacontract-deserialization-test.yml +++ /dev/null @@ -1,5 +0,0 @@ -id: insecure-netdatacontract-deserialization -valid: -invalid: - - | - NetDataContractSerializer netDataContractSerializer = new NetDataContractSerializer(); \ No newline at end of file diff --git a/tests/csharp/jwt-tokenvalidationparameters-no-expiry-validation-csharp-test.yml b/tests/csharp/jwt-tokenvalidationparameters-no-expiry-validation-csharp-test.yml deleted file mode 100644 index 0b42cda6..00000000 --- a/tests/csharp/jwt-tokenvalidationparameters-no-expiry-validation-csharp-test.yml +++ /dev/null 
@@ -1,18 +0,0 @@ -id: jwt-tokenvalidationparameters-no-expiry-validation-csharp -valid: - - | - parameters.ValidateLifetime = true; - parameters.RequireExpirationTime = true -invalid: - - | - options.TokenValidationParameters = new TokenValidationParameters - { - ValidateLifetime = false, - RequireSignedTokens = true, - ValidateIssuer = false, - ValidateAudience = false, - RequireExpirationTime = false - }; - TokenValidationParameters parameters = new TokenValidationParameters(); - parameters.RequireExpirationTime = false; - parameters.ValidateLifetime = false; diff --git a/tests/csharp/los-formatter-test.yml b/tests/csharp/los-formatter-test.yml deleted file mode 100644 index 840cf498..00000000 --- a/tests/csharp/los-formatter-test.yml +++ /dev/null @@ -1,5 +0,0 @@ -id: los-formatter -valid: -invalid: - - | - LosFormatter losFormatter = new LosFormatter(); \ No newline at end of file diff --git a/tests/go/avoid-bind-to-all-interfaces-go-test.yml b/tests/go/avoid-bind-to-all-interfaces-go-test.yml deleted file mode 100644 index 4aebe122..00000000 --- a/tests/go/avoid-bind-to-all-interfaces-go-test.yml +++ /dev/null @@ -1,9 +0,0 @@ -id: avoid-bind-to-all-interfaces-go -valid: - - | - l, err := net.Listen("tcp", "192.168.1.101:2000") -invalid: - - | - l, err := net.Listen("tcp", "0.0.0.0:2000") - - | - l, err := net.Listen("tcp", ":2000") diff --git a/tests/go/bad-tmp-test.yml b/tests/go/bad-tmp-test.yml deleted file mode 100644 index 9f532567..00000000 --- a/tests/go/bad-tmp-test.yml +++ /dev/null @@ -1,7 +0,0 @@ -id: bad-tmp-go -valid: - - | - ioutil.TempFile("", "tmp") -invalid: - - | - ioutil.WriteFile("/tmp/demo2", "tmp") \ No newline at end of file diff --git a/tests/go/go-insecure-types-test.yml b/tests/go/go-insecure-types-test.yml deleted file mode 100644 index 60b34213..00000000 --- a/tests/go/go-insecure-types-test.yml +++ /dev/null 
@@ -1,7 +0,0 @@ -id: go-template-insecure-types -valid: - - | - tmpl, err := template.New("test").ParseFiles("file.txt") -invalid: - - | - var b template.CSS = "a { text-decoration: underline; } " diff --git a/tests/go/gorilla-cookie-store-hardcoded-session-key-go-test.yml b/tests/go/gorilla-cookie-store-hardcoded-session-key-go-test.yml deleted file mode 100644 index 27fb5c13..00000000 --- a/tests/go/gorilla-cookie-store-hardcoded-session-key-go-test.yml +++ /dev/null @@ -1,16 +0,0 @@ -id: gorilla-cookie-store-hardcoded-session-key-go -valid: - - | - var store = sessions.NewCookieStore([]byte(os.Getenv("SESSION_KEY"))) -invalid: - - | - import ( - "github.com/gorilla/sessions" - ) - var store = sessions.NewCookieStore([]byte("hardcoded-session-key-here")) - var store = sessions.NewCookieStore( - []byte("new-authentication-key"), - []byte("new-encryption-key"), - []byte("old-authentication-key"), - []byte("old-encryption-key"), - ) diff --git a/tests/go/gorilla-csrf-hardcoded-auth-key-go-test.yml b/tests/go/gorilla-csrf-hardcoded-auth-key-go-test.yml deleted file mode 100644 index 374fc510..00000000 --- a/tests/go/gorilla-csrf-hardcoded-auth-key-go-test.yml +++ /dev/null @@ -1,19 +0,0 @@ -id: gorilla-csrf-hardcoded-auth-key-go -valid: - - | - import ( - "github.com/gorilla/csrf" - ) - func main() { - http.ListenAndServe(":8000", - csrf.Protect([]byte(os.Getenv("CSRF_AUTH_KEY")))(r)) - } -invalid: - - | - import ( - "github.com/gorilla/csrf" - ) - func main() { - http.ListenAndServe(":8000", - csrf.Protect([]byte("32-byte-long-auth-key"))(r)) - } diff --git a/tests/go/grpc-client-insecure-connection-go-test.yml b/tests/go/grpc-client-insecure-connection-go-test.yml deleted file mode 100644 index dcd502ef..00000000 --- a/tests/go/grpc-client-insecure-connection-go-test.yml +++ /dev/null @@ -1,7 +0,0 @@ -id: grpc-client-insecure-connection-go -valid: - - | - conn, err := grpc.Dial(address) -invalid: - - | - conn, err := grpc.Dial(address, grpc.WithInsecure()) 
diff --git a/tests/go/jwt-go-none-algorithm-go-test.yml b/tests/go/jwt-go-none-algorithm-go-test.yml deleted file mode 100644 index d3c1681f..00000000 --- a/tests/go/jwt-go-none-algorithm-go-test.yml +++ /dev/null @@ -1,28 +0,0 @@ -id: jwt-go-none-algorithm-go -valid: - - | - import ( - "fmt" - "github.com/dgrijalva/jwt-go" - ) - func ok1(key []byte){ - claims = jwt.StandardClaims{ - ExpiresAt:15000, - Issuer:"test",} - token = jwt.NewWithClaims(jwt.SigningMethodHS256, claims) - ss, err = token.SignedString(key) - fmt.Printf("%v %v\n", ss, err)} - -invalid: - - | - import ( - "fmt" - "github.com/dgrijalva/jwt-go" - ) - func bad1(key []byte) { - claims := jwt.StandardClaims{ - ExpiresAt:15000, - Issuer:"test",} - token := jwt.NewWithClaims(jwt.SigningMethodNone, claims) - ss, err := token.SignedString(jwt.UnsafeAllowNoneSignatureType) - fmt.Printf("%v %v\n", ss, err)} diff --git a/tests/go/jwt-go-none-algorithm-test.yml b/tests/go/jwt-go-none-algorithm-test.yml deleted file mode 100644 index 4493c728..00000000 --- a/tests/go/jwt-go-none-algorithm-test.yml +++ /dev/null @@ -1,12 +0,0 @@ -id: jwt-go-none-algorithm -valid: - - | - jwt.New(jwt.SigningMethodHS256) -invalid: - - | - jwt.New(jwt.SigningMethodNone) - - | - jwt.New(jwt.SigningMethodNone, jwt.WithClaims(jwt.MapClaims{"foo": "bar"})) - - | - jwt.New(jwt.UnsafeAllowNoneSignatureType, jwt.WithHeader(jwt.MapClaims{"foo": "bar"})) - diff --git a/tests/go/jwt-go-parse-unverified-test.yml b/tests/go/jwt-go-parse-unverified-test.yml deleted file mode 100644 index 451dee21..00000000 --- a/tests/go/jwt-go-parse-unverified-test.yml +++ /dev/null @@ -1,7 +0,0 @@ -id: jwt-go-parse-unverified -valid: - - | - token, _, err := new(jwt.Parser).ParseWithClaims(tokenString, jwt.MapClaims{}, keyFunc) -invalid: - - | - token, _, err := new(jwt.Parser).ParseUnverified(tokenString, jwt.MapClaims{}) \ No newline at end of file 
diff --git a/tests/go/jwt-go-test.yml b/tests/go/jwt-go-test.yml deleted file mode 100644 index 51e167ef..00000000 --- a/tests/go/jwt-go-test.yml +++ /dev/null @@ -1,7 +0,0 @@ -id: jwt-go -valid: - - | - token.SignedString([]byte(env.secret)) -invalid: - - | - token.SignedString([]byte("secret")) \ No newline at end of file diff --git a/tests/go/missing-ssl-minversion-go-test.yml b/tests/go/missing-ssl-minversion-go-test.yml deleted file mode 100644 index 247e706e..00000000 --- a/tests/go/missing-ssl-minversion-go-test.yml +++ /dev/null @@ -1,13 +0,0 @@ -id: missing-ssl-minversion-go -valid: - - | - TLSClientConfig: &tls.Config{ - KeyLogWriter: w, - MinVersion: tls.VersionSSL30, - Rand: zeroSource{}, - InsecureSkipVerify: true, - }, - -invalid: - - | - server.TLS = &tls.Config{ Rand: zeroSource{}, } diff --git a/tests/go/openai-empty-secret-go-test.yml b/tests/go/openai-empty-secret-go-test.yml deleted file mode 100644 index c0473e03..00000000 --- a/tests/go/openai-empty-secret-go-test.yml +++ /dev/null @@ -1,17 +0,0 @@ -id: openai-empty-secret-go -valid: - - | - import ( - "github.com/sashabaranov/go-openai" - ) - func main() { - client := openai.NewClient("fvgf") - } -invalid: - - | - import ( - "github.com/sashabaranov/go-openai" - ) - func main() { - client := openai.NewClient("") - } diff --git a/tests/go/openai-hardcoded-secret-go-test.yml b/tests/go/openai-hardcoded-secret-go-test.yml deleted file mode 100644 index 0668bfb9..00000000 --- a/tests/go/openai-hardcoded-secret-go-test.yml +++ /dev/null @@ -1,11 +0,0 @@ -id: openai-hardcoded-secret-go -valid: - - | -invalid: - - | - import ( - "github.com/sashabaranov/go-openai" - ) - func main() { - client := openai.NewClient("my-openai-token") - } diff --git a/tests/go/session-cookie-missing-httponly-test.yml b/tests/go/session-cookie-missing-httponly-test.yml deleted file mode 100644 index 0f7f1a5e..00000000 --- a/tests/go/session-cookie-missing-httponly-test.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -id: session-cookie-missing-httponly -valid: - - | - &sessions.Options{ HttpOnly: true } - - | - &sessions.Options{ HttpOnly: true, Path: "/"} - - | - &sessions.Options{ Domain: "example.com", HttpOnly: true, Path: "/"} -invalid: - - | - &sessions.Options{ HttpOnly: false } - - | - &sessions.Options{ HttpOnly: false, Path: "/"} \ No newline at end of file diff --git a/tests/go/session-cookie-missing-secure-test.yml b/tests/go/session-cookie-missing-secure-test.yml deleted file mode 100644 index 4dbf82d1..00000000 --- a/tests/go/session-cookie-missing-secure-test.yml +++ /dev/null @@ -1,13 +0,0 @@ -id: session-cookie-missing-secure -valid: - - | - &sessions.Options{ Secure: true } - - | - &sessions.Options{ Secure: true, Path: "/"} - - | - &sessions.Options{ Domain: "example.com", Secure: true, Path: "/"} -invalid: - - | - &sessions.Options{ Secure: false } - - | - &sessions.Options{ Secure: false, Path: "/"} \ No newline at end of file diff --git a/tests/go/ssl-v3-is-insecure-go-test.yml b/tests/go/ssl-v3-is-insecure-go-test.yml deleted file mode 100644 index a1d2bce4..00000000 --- a/tests/go/ssl-v3-is-insecure-go-test.yml +++ /dev/null @@ -1,28 +0,0 @@ -id: ssl-v3-is-insecure-go -valid: - - | - client_good := &http.Client{ - Transport: &http.Transport{ - TLSClientConfig: &tls.Config{ - KeyLogWriter: w, - // OK - MinVersion: tls.VersionTLS10, - Rand: zeroSource{}, // for reproducible output; don't do this. - InsecureSkipVerify: true, // test server certificate is not trusted. - }, - }, - } - -invalid: - - | - client := &http.Client{ - Transport: &http.Transport{ - // ruleid: ssl-v3-is-insecure - TLSClientConfig: &tls.Config{ - KeyLogWriter: w, - MinVersion: tls.VersionSSL30, - Rand: zeroSource{}, // for reproducible output; don't do this. - InsecureSkipVerify: true, // test server certificate is not trusted. - }, - }, - } 
diff --git a/tests/go/tls-with-insecure-cipher-go-test.yml b/tests/go/tls-with-insecure-cipher-go-test.yml deleted file mode 100644 index e71dfd46..00000000 --- a/tests/go/tls-with-insecure-cipher-go-test.yml +++ /dev/null @@ -1,18 +0,0 @@ -id: tls-with-insecure-cipher-go -valid: - - | - tr := &http.Transport{ - TLSClientConfig: &tls.Config{CipherSuites: []uint16{ - tls.TLS_AES_128_GCM_SHA256, - tls.TLS_AES_256_GCM_SHA384, - }}, - } - -invalid: - - | - tr := &http.Transport{ - TLSClientConfig: &tls.Config{CipherSuites: []uint16{ - tls.TLS_RSA_WITH_RC4_128_SHA, - tls.TLS_RSA_WITH_AES_128_CBC_SHA256, - }}, - } diff --git a/tests/go/use-of-weak-rsa-key-go-test.yml b/tests/go/use-of-weak-rsa-key-go-test.yml deleted file mode 100644 index 0233aa98..00000000 --- a/tests/go/use-of-weak-rsa-key-go-test.yml +++ /dev/null @@ -1,7 +0,0 @@ -id: use-of-weak-rsa-key-go -valid: - - | - rsa.GenerateKey(rand.Reader, 2048) -invalid: - - | - pvk, err := rsa.GenerateKey(rand.Reader, 1025) diff --git a/tests/html/plaintext-http-link-html-test.yml b/tests/html/plaintext-http-link-html-test.yml deleted file mode 100644 index c73d9bd0..00000000 --- a/tests/html/plaintext-http-link-html-test.yml +++ /dev/null @@ -1,15 +0,0 @@ -id: plaintext-http-link-html -valid: - - | - Astgrep - Astgrep - Astgrep -invalid: - - | - Astgrep - Astgrep - Astgrep - Astgrep - Astgrep - Astgrep - Astgrep diff --git a/tests/java/blowfish-insufficient-key-size-java-test.yml b/tests/java/blowfish-insufficient-key-size-java-test.yml deleted file mode 100644 index cb412a9c..00000000 --- a/tests/java/blowfish-insufficient-key-size-java-test.yml +++ /dev/null @@ -1,13 +0,0 @@ -id: blowfish-insufficient-key-size-java -valid: - - | - public void safeKeySize() { - KeyGenerator keyGen = KeyGenerator.getInstance("Blowfish"); - keyGen.init(128); - } -invalid: - - | - public void unsafeKeySize() { - KeyGenerator keyGen = KeyGenerator.getInstance("Blowfish"); - keyGen.init(64); - } 
diff --git a/tests/java/cookie-httponly-false-java-test.yml b/tests/java/cookie-httponly-false-java-test.yml deleted file mode 100644 index e9ae0072..00000000 --- a/tests/java/cookie-httponly-false-java-test.yml +++ /dev/null @@ -1,20 +0,0 @@ -id: cookie-httponly-false-java -valid: - - | - @RequestMapping(value = "/cookie3", method = "GET") - public void setSecureHttponlyCookie(@RequestParam String value, HttpServletResponse response) { - Cookie cookie = new Cookie("cookie", value); - cookie.setSecure(true); - cookie.setHttpOnly(true); - response.addCookie(cookie); - } -invalid: - - | - - @RequestMapping(value = "/cookie4", method = "GET") - public void explicitDisable(@RequestParam String value, HttpServletResponse response) { - Cookie cookie = new Cookie("cookie", value); - cookie.setSecure(false); - cookie.setHttpOnly(false); - response.addCookie(cookie); - } diff --git a/tests/java/cookie-missing-samesite-java-test.yml b/tests/java/cookie-missing-samesite-java-test.yml deleted file mode 100644 index bfd4cd62..00000000 --- a/tests/java/cookie-missing-samesite-java-test.yml +++ /dev/null @@ -1,20 +0,0 @@ -id: cookie-missing-samesite-java -valid: - - | - @RequestMapping(value = "/cookie1", method = "GET") - public void setCookie(@RequestParam String value, HttpServletResponse response) { - response.setHeader("Set-Cookie", "key=value; HttpOnly; SameSite=strict"); - } -invalid: - - | - @RequestMapping(value = "/cookie3", method = "GET") - public void setSecureHttponlyCookie(@RequestParam String value, HttpServletResponse response) { - Cookie cookie = new Cookie("cookie", value); - cookie.setSecure(true); - cookie.setHttpOnly(true); - response.addCookie(cookie); - } - @RequestMapping(value = "/cookie2", method = "GET") - public void setSecureCookie(@RequestParam String value, HttpServletResponse response) { - response.setHeader("Set-Cookie", "key=value; HttpOnly;"); - } 
diff --git a/tests/java/cookie-secure-flag-false-java-test.yml b/tests/java/cookie-secure-flag-false-java-test.yml deleted file mode 100644 index 4d2b0fdb..00000000 --- a/tests/java/cookie-secure-flag-false-java-test.yml +++ /dev/null @@ -1,10 +0,0 @@ -id: cookie-secure-flag-false-java -valid: - - | - response.addCookie(cookie); - cookie.setSecure(true); - cookie.setHttpOnly(true); - response.addCookie(cookie); -invalid: - - | - cookie.setSecure(false); diff --git a/tests/java/desede-is-deprecated-java-test.yml b/tests/java/desede-is-deprecated-java-test.yml deleted file mode 100644 index 7ae2996e..00000000 --- a/tests/java/desede-is-deprecated-java-test.yml +++ /dev/null @@ -1,8 +0,0 @@ -id: desede-is-deprecated-java -valid: - - | - Cipher.getInstance("AES/GCM/NoPadding"); -invalid: - - | - Cipher.getInstance("DESede/ECB/PKCS5Padding"); - javax.crypto.KeyGenerator.getInstance("DES") diff --git a/tests/java/documentbuilderfactory-disallow-doctype-decl-false-java-test.yml b/tests/java/documentbuilderfactory-disallow-doctype-decl-false-java-test.yml deleted file mode 100644 index 51cb4f21..00000000 --- a/tests/java/documentbuilderfactory-disallow-doctype-decl-false-java-test.yml +++ /dev/null 
@@ -1,63 +0,0 @@ -id: documentbuilderfactory-disallow-doctype-decl-false-java -valid: - - | - ParserConfigurationException { - DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); - //ok:documentbuilderfactory-disallow-doctype-decl-false - dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); - } - - | - ParserConfigurationException { - DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); - //ok:documentbuilderfactory-disallow-doctype-decl-false - dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); - dbf.setFeature("http://xml.org/sax/features/external-general-entities", false); - dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false); - } - - | - ParserConfigurationException { - DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); - //ok:documentbuilderfactory-disallow-doctype-decl-false - dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); - dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false); - dbf.setFeature("http://xml.org/sax/features/external-general-entities", false); - } - - | - ParserConfigurationException { - DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); - //ok:documentbuilderfactory-disallow-doctype-decl-false - dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); - dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); - dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); - } - - | - ParserConfigurationException { - DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); - //ok:documentbuilderfactory-disallow-doctype-decl-false - dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); - dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); - dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); - } - - | - ParserConfigurationException { - SAXParserFactory spf = 
SAXParserFactory.newInstance(); - //ok:documentbuilderfactory-disallow-doctype-decl-false - spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); - } -invalid: - - | - ParserConfigurationException { - DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); - //ruleid:documentbuilderfactory-disallow-doctype-decl-false - dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false); - //fix:documentbuilderfactory-disallow-doctype-decl-false - //dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); - } - - | - ParserConfigurationException { - SAXParserFactory spf = SAXParserFactory.newInstance(); - //ruleid:documentbuilderfactory-disallow-doctype-decl-false - spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false); - //fix:documentbuilderfactory-disallow-doctype-decl-false - //spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); - } diff --git a/tests/java/documentbuilderfactory-external-general-entities-true-java-test.yml b/tests/java/documentbuilderfactory-external-general-entities-true-java-test.yml deleted file mode 100644 index a56a6eb5..00000000 --- a/tests/java/documentbuilderfactory-external-general-entities-true-java-test.yml +++ /dev/null @@ -1,9 +0,0 @@ -id: documentbuilderfactory-external-general-entities-true-java -valid: - - | - dbf.setFeature("http://xml.org/sax/features/external-general-entities" , false); - spf.setFeature("http://xml.org/sax/features/external-general-entities" , false); -invalid: - - | - dbf.setFeature("http://xml.org/sax/features/external-general-entities" , true); - spf.setFeature("http://xml.org/sax/features/external-general-entities" , true); diff --git a/tests/java/documentbuilderfactory-external-parameter-entities-true-java-test.yml b/tests/java/documentbuilderfactory-external-parameter-entities-true-java-test.yml deleted file mode 100644 index 309b83da..00000000 
--- a/tests/java/documentbuilderfactory-external-parameter-entities-true-java-test.yml +++ /dev/null @@ -1,8 +0,0 @@ -id: documentbuilderfactory-external-parameter-entities-true-java -valid: - - | - dbf.setFeature("http://xml.org/sax/features/external-parameter-entities" , false); -invalid: - - | - dbf.setFeature("http://xml.org/sax/features/external-parameter-entities" , true); - spf.setFeature("http://xml.org/sax/features/external-parameter-entities" , true); diff --git a/tests/java/drivermanager-hardcoded-secret-java-test.yml b/tests/java/drivermanager-hardcoded-secret-java-test.yml deleted file mode 100644 index 1863df97..00000000 --- a/tests/java/drivermanager-hardcoded-secret-java-test.yml +++ /dev/null @@ -1,12 +0,0 @@ -id: drivermanager-hardcoded-secret-java -valid: - - | - Connection conn = DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92","a"); -invalid: - - | - String password = "a"; - Connection conn =DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92", "a", "password"); - Connection conn =DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92", "a", password); - String password = "a"; - Connection conn =DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92", "a", "password"); - Connection conn =DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92", "a", password); diff --git a/tests/java/ecb-cipher-java-test.yml b/tests/java/ecb-cipher-java-test.yml deleted file mode 100644 index b9089221..00000000 --- a/tests/java/ecb-cipher-java-test.yml +++ /dev/null @@ -1,7 +0,0 @@ -id: ecb-cipher-java -valid: - - | - Cipher c = Cipher.getInstance("AES/GCM/NoPadding"); -invalid: - - | - Cipher c = Cipher.getInstance("AES/ECB/NoPadding"); diff --git a/tests/java/gcm-nonce-reuse-java-test.yml b/tests/java/gcm-nonce-reuse-java-test.yml deleted file mode 100644 index 3f5e052e..00000000 --- a/tests/java/gcm-nonce-reuse-java-test.yml +++ /dev/null 
@@ -1,9 +0,0 @@ -id: gcm-nonce-reuse-java -valid: - - | - byte[] theBadIV = BAD_IV.getBytes(); - GCMParameterSpec gcmParameter = new GCMParameter(GCM_TAG_LENGTH * 8, theBadIV); -invalid: - - | - byte[] theBadIV = BAD_IV.getBytes(); - GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(GCM_TAG_LENGTH * 8, theBadIV); diff --git a/tests/java/jedis-jedisfactory-hardcoded-password-java-test.yml b/tests/java/jedis-jedisfactory-hardcoded-password-java-test.yml deleted file mode 100644 index 8b41cdf8..00000000 --- a/tests/java/jedis-jedisfactory-hardcoded-password-java-test.yml +++ /dev/null @@ -1,19 +0,0 @@ -id: jedis-jedisfactory-hardcoded-password-java -valid: - - | - jedisFactory.setPassword(password); -invalid: - - | - import redis.clients.jedis.JedisFactory; - - @Service - public class JedisService implements IJedisService { - @Test - public void hardcoded() { - JedisFactory jedisFactory = new JedisFactory(); - jedisFactory.setHostName(hostName); - jedisFactory.setport(port); - jedisFactory.setPassword("asdf"); - jedisFactory.setDatabase(database); - } - } diff --git a/tests/java/missing-secure-java-test.yml b/tests/java/missing-secure-java-test.yml deleted file mode 100644 index 507f951f..00000000 --- a/tests/java/missing-secure-java-test.yml +++ /dev/null @@ -1,15 +0,0 @@ -id: missing-secure-java -valid: - - | - Cookie c1 = getCookieSomewhere(); - return HttpResponse.ok().cookie(Cookie.of("foo", "bar").secure(true)); - Cookie cookie = request.getCookies().findCookie( "foobar" ) - Cookie c = new NettyCookie("foo", "bar"); - c.secure(true); - NettyCookie r = new NettyCookie("foo", "bar").secure(true); -invalid: - - | - SimpleCookie s = new SimpleCookie("foo", "bar"); - .orElse( new NettyCookie( "foo", "bar" ) ); - Cookie z = new NettyCookie("foo", "bar"); - return HttpResponse.ok().cookie(Cookie.of("zzz", "ddd")); diff --git a/tests/java/no-null-cipher-java-test.yml b/tests/java/no-null-cipher-java-test.yml deleted file mode 100644 index ef38e9f6..00000000 
--- a/tests/java/no-null-cipher-java-test.yml +++ /dev/null @@ -1,8 +0,0 @@ -id: no-null-cipher-java -valid: - - | - Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); -invalid: - - | - Cipher doNothingCihper = new NullCipher(); - new javax.crypto.NullCipher(); diff --git a/tests/java/object-deserialization-test.yml b/tests/java/object-deserialization-test.yml deleted file mode 100644 index d43a39a9..00000000 --- a/tests/java/object-deserialization-test.yml +++ /dev/null @@ -1,8 +0,0 @@ -id: object-deserialization -valid: -invalid: - - | - ObjectInputStream ois = new ObjectInputStream(new FileInputStream("object.ser")); - Object obj = ois.readObject(); - ois.close(); - // obj is now deserialized \ No newline at end of file diff --git a/tests/java/rsa-no-padding-java-test.yml b/tests/java/rsa-no-padding-java-test.yml deleted file mode 100644 index cb962e9e..00000000 --- a/tests/java/rsa-no-padding-java-test.yml +++ /dev/null @@ -1,8 +0,0 @@ -id: rsa-no-padding-java -valid: - - | - Cipher.getInstance("RSA/ECB/OAEPWithMD5AndMGF1Padding"); -invalid: - - | - Cipher.getInstance("RSA/None/NoPadding"); - Cipher.getInstance("RSA/NONE/NoPadding"); diff --git a/tests/java/simple-command-injection-direct-input-java-test.yml b/tests/java/simple-command-injection-direct-input-java-test.yml deleted file mode 100644 index cba713e4..00000000 --- a/tests/java/simple-command-injection-direct-input-java-test.yml +++ /dev/null 
@@ -1,59 +0,0 @@ -id: simple-command-injection-direct-input-java -valid: - - | - @GetMapping("/run/{command}") - public ResponseEntity run1( - @PathVariable final String command - ) { - ResponseEntity response = ResponseEntity.noContent().build(); - try { - String foo = command + "something something..."; - Runtime.getRuntime().exec(foo); - } catch (IOException e) { - response = ResponseEntity.badRequest().build(); - } - return response; - } - - | - @GetMapping("/run/{command}") - public ResponseEntity ok( - @PathVariable final String command - ) { - ResponseEntity response = ResponseEntity.noContent().build(); - try { - Runtime.getRuntime().exec("/bin/ls"); - } catch (IOException e) { - response = ResponseEntity.badRequest().build(); - } - - return response; - } -invalid: - - | - @GetMapping("/run/{command}") - public ResponseEntity run_direct_from_jumbo( - @PathVariable() final String command - ) { - ResponseEntity response = ResponseEntity.noContent().build(); - try { - Runtime.getRuntime().exec(command); - } catch (IOException e) { - response = ResponseEntity.badRequest().build(); - } - - return response; - } - - | - @GetMapping("/run/{command}") - public ResponseEntity run_direct_from_jumbo( - @PathVariable final String command - ) { - ResponseEntity response = ResponseEntity.noContent().build(); - try { - Runtime.getRuntime().exec(command); - } catch (IOException e) { - response = ResponseEntity.badRequest().build(); - } - - return response; - } diff --git a/tests/java/system-setproperty-hardcoded-secret-java-test.yml b/tests/java/system-setproperty-hardcoded-secret-java-test.yml deleted file mode 100644 index 4bf72c91..00000000 --- a/tests/java/system-setproperty-hardcoded-secret-java-test.yml +++ /dev/null 
@@ -1,9 +0,0 @@ -id: system-setproperty-hardcoded-secret-java -valid: - - | - System.setProperty("javax.net.ssl.trustStorePassword", config); - System.setProperty("javax.net.ssl.keyStorePassword", config); -invalid: - - | - System.setProperty("javax.net.ssl.keyStorePassword", "password"); - System.setProperty("javax.net.ssl.trustStorePassword", "password"); diff --git a/tests/java/unencrypted-socket-java-test.yml b/tests/java/unencrypted-socket-java-test.yml deleted file mode 100644 index d023debf..00000000 --- a/tests/java/unencrypted-socket-java-test.yml +++ /dev/null @@ -1,23 +0,0 @@ -id: unencrypted-socket-java -valid: - - | - Socket soc = SSLSocketFactory.getDefault().createSocket("www.google.com", 443); - - | - ServerSocket ssoc = SSLServerSocketFactory.getDefault().createServerSocket(1234); -invalid: - - | - Socket soc = new Socket("www.google.com", 80); - - | - Socket soc1 = new Socket("www.google.com", 80, true); - - | - Socket soc2 = new Socket("www.google.com", 80, InetAddress.getByAddress(address), 13337); - - | - Socket soc3 = new Socket(InetAddress.getByAddress(remoteAddress), 80); - - | - ServerSocket ssoc = new ServerSocket(1234); - - | - ServerSocket ssoc1 = new ServerSocket(); - - | - ServerSocket ssoc2 = new ServerSocket(1234, 10); - - | - ServerSocket ssoc3 = new ServerSocket(1234, 10, InetAddress.getByAddress(address)); diff --git a/tests/java/use-of-aes-ecb-java-test.yml b/tests/java/use-of-aes-ecb-java-test.yml deleted file mode 100644 index cd41ad9e..00000000 --- a/tests/java/use-of-aes-ecb-java-test.yml +++ /dev/null @@ -1,8 +0,0 @@ -id: use-of-aes-ecb-java -valid: - - | - Cipher.getInstance("AES/CBC/PKCS7PADDING") -invalid: - - | - Cipher.getInstance("AES/ECB/NoPadding") - Cipher.getInstance("AES/ECB/PKCS5Padding") diff --git a/tests/java/use-of-blowfish-java-test.yml b/tests/java/use-of-blowfish-java-test.yml deleted file mode 100644 index c4a43b2d..00000000 --- a/tests/java/use-of-blowfish-java-test.yml +++ /dev/null 
@@ -1,9 +0,0 @@ -id: use-of-blowfish-java -valid: - - | - Cipher.getInstance("AES/CBC/PKCS7PADDING"); -invalid: - - | - Cipher.getInstance("Blowfish"); - - | - useCipher(Cipher.getInstance("Blowfish")); diff --git a/tests/java/use-of-default-aes-java-test.yml b/tests/java/use-of-default-aes-java-test.yml deleted file mode 100644 index a6755262..00000000 --- a/tests/java/use-of-default-aes-java-test.yml +++ /dev/null @@ -1,17 +0,0 @@ -id: use-of-default-aes-java -valid: - - | - crypto.KeyGenerator.getInstance("AES"); - javax.crypto.KeyGenerator.getInstance("AES"); -invalid: - - | - import javax; - import javax.crypto; - import javax.crypto.*; - import javax.crypto.Cipher; - class AES{ - public void useofAES() { - Cipher.getInstance("AES"); - crypto.Cipher.getInstance("AES"); - javax.crypto.Cipher.getInstance("AES"); - } diff --git a/tests/java/use-of-md5-digest-utils-java-test.yml b/tests/java/use-of-md5-digest-utils-java-test.yml deleted file mode 100644 index f6bc228d..00000000 --- a/tests/java/use-of-md5-digest-utils-java-test.yml +++ /dev/null @@ -1,9 +0,0 @@ -id: use-of-md5-digest-utils-java -valid: - - | - MessageDigest md5Digest = MessageDigest.getInstance("MD5"); - - | - byte[] hashValue = DigestUtils.getSha512Digest().digest(password.getBytes()); -invalid: - - | - byte[] hashValue = DigestUtils.getMd5Digest().digest(password.getBytes()); diff --git a/tests/java/use-of-md5-java-test.yml b/tests/java/use-of-md5-java-test.yml deleted file mode 100644 index af34098d..00000000 --- a/tests/java/use-of-md5-java-test.yml +++ /dev/null @@ -1,7 +0,0 @@ -id: use-of-md5-java -valid: - - | - MessageDigest md5Digest = MessageDigest.getInstance("SHA-512"); -invalid: - - | - MessageDigest md5Digest = MessageDigest.getInstance("MD5"); diff --git a/tests/java/use-of-rc2-java-test.yml b/tests/java/use-of-rc2-java-test.yml deleted file mode 100644 index 74f8d6d3..00000000 --- a/tests/java/use-of-rc2-java-test.yml +++ /dev/null 
@@ -1,8 +0,0 @@ -id: use-of-rc2-java -valid: - - | - Cipher.getInstance("AES/CBC/PKCS7PADDING"); -invalid: - - | - useCipher(Cipher.getInstance("RC2")); - Cipher.getInstance("RC2"); diff --git a/tests/java/use-of-rc4-java-test.yml b/tests/java/use-of-rc4-java-test.yml deleted file mode 100644 index a82db3b3..00000000 --- a/tests/java/use-of-rc4-java-test.yml +++ /dev/null @@ -1,9 +0,0 @@ -id: use-of-rc4-java -valid: - - | - Cipher.getInstance("AES/CBC/PKCS7PADDING"); -invalid: - - | - Cipher.getInstance("RC4"); - - | - useCipher(Cipher.getInstance("RC4")); diff --git a/tests/java/use-of-sha1-java-test.yml b/tests/java/use-of-sha1-java-test.yml deleted file mode 100644 index 307dc641..00000000 --- a/tests/java/use-of-sha1-java-test.yml +++ /dev/null @@ -1,10 +0,0 @@ -id: use-of-sha1-java -valid: - - | - java.io.File fileTarget = new java.io.File( - new java.io.File(org.owasp.benchmark.helpers.Utils.TESTFILES_DIR), - "passwordFile.txt"); -invalid: - - | - java.security.MessageDigest md = java.security.MessageDigest.getInstance("SHA1", "SUN"); - DigestUtils.getSha1Digest().digest(password.getBytes()); diff --git a/tests/java/use-of-weak-rsa-key-java-test.yml b/tests/java/use-of-weak-rsa-key-java-test.yml deleted file mode 100644 index c1aee8fa..00000000 --- a/tests/java/use-of-weak-rsa-key-java-test.yml +++ /dev/null @@ -1,18 +0,0 @@ -id: use-of-weak-rsa-key-java -valid: - - | - KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); - keyGen.initialize(2048); -invalid: - - | - KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); - keyGen.initialize(512); - - | - KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); - keyGen.initialize(-512); - - | - KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); - keyGen.initialize(512.09); - - | - KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); - keyGen.initialize(512.0); 
diff --git a/tests/java/weak-ssl-context-java-test.yml b/tests/java/weak-ssl-context-java-test.yml deleted file mode 100644 index 66505656..00000000 --- a/tests/java/weak-ssl-context-java-test.yml +++ /dev/null @@ -1,19 +0,0 @@ -id: weak-ssl-context-java -valid: - - | - SSLContext ctx = SSLContext.getInstance("TLSv1.2"); - - | - SSLContext ctx = SSLContext.getInstance("TLSv1.3"); - - | - SSLContext ctx = SSLContext.getInstance(getSslContext()); -invalid: - - | - SSLContext ctx = SSLContext.getInstance("SSL"); - - | - SSLContext ctx = SSLContext.getInstance("TLS"); - - | - SSLContext ctx = SSLContext.getInstance("TLSv1"); - - | - SSLContext ctx = SSLContext.getInstance("SSLv3"); - - | - SSLContext ctx = SSLContext.getInstance("TLSv1.1"); diff --git a/tests/javascript/.gitkeep b/tests/javascript/.gitkeep deleted file mode 100644 index e69de29b..00000000 diff --git a/tests/javascript/detect-angular-sce-disabled-javascript-test.yml b/tests/javascript/detect-angular-sce-disabled-javascript-test.yml deleted file mode 100644 index 965afe1e..00000000 --- a/tests/javascript/detect-angular-sce-disabled-javascript-test.yml +++ /dev/null @@ -1,7 +0,0 @@ -id: detect-angular-sce-disabled-javascript -valid: - - | - -invalid: - - | - $sceProvider.enabled(false); diff --git a/tests/javascript/detect-replaceall-sanitization-test.yml b/tests/javascript/detect-replaceall-sanitization-test.yml deleted file mode 100644 index fdb97dbe..00000000 --- a/tests/javascript/detect-replaceall-sanitization-test.yml +++ /dev/null @@ -1,11 +0,0 @@ -id: detect-replaceall-sanitization -valid: - - | - "Hello World.".replace('.', '!') -invalid: - - | - "Hello World".replaceAll('<', '<').replaceAll('>', '>') - - | - "Hello World".replace('<', '<').replace('>', '>') - - | - "Hello World".replaceAll('"', '"').replaceAll("'", ''').replaceAll('&', '&') 
diff --git a/tests/javascript/express-jwt-hardcoded-secret-javascript-test.yml b/tests/javascript/express-jwt-hardcoded-secret-javascript-test.yml deleted file mode 100644 index 5f2f59bf..00000000 --- a/tests/javascript/express-jwt-hardcoded-secret-javascript-test.yml +++ /dev/null @@ -1,14 +0,0 @@ -id: express-jwt-hardcoded-secret-javascript -valid: - - | - app.get('/ok-protected', jwt({ secret: process.env.SECRET }), function(req, res) { - if (!req.user.admin) return res.sendStatus(401); - res.sendStatus(200); - }); -invalid: - - | - var jwt = require('express-jwt'); - app.get('/protected', jwt({ secret: 'shhhhhhared-secret' }), function(req, res) { - if (!req.user.admin) return res.sendStatus(401); - res.sendStatus(200); - }); diff --git a/tests/javascript/express-session-hardcoded-secret-javascript-test.yml b/tests/javascript/express-session-hardcoded-secret-javascript-test.yml deleted file mode 100644 index 2dc651fe..00000000 --- a/tests/javascript/express-session-hardcoded-secret-javascript-test.yml +++ /dev/null @@ -1,17 +0,0 @@ -id: express-session-hardcoded-secret-javascript -valid: - - | - let config1 = { - secret: config.secret, - resave: false, - saveUninitialized: false, - } -invalid: - - | - import * as session from 'express-session' - let a = 'a' - let config = { - secret: 'a', - resave: false, - saveUninitialized: false, - } diff --git a/tests/javascript/jwt-none-alg-javascript-test.yml b/tests/javascript/jwt-none-alg-javascript-test.yml deleted file mode 100644 index 11ef4c36..00000000 --- a/tests/javascript/jwt-none-alg-javascript-test.yml +++ /dev/null @@ -1,9 +0,0 @@ -id: jwt-none-alg-javascript -valid: - - | - -invalid: - - | - const jose = require("jose"); - const { JWK, JWT } = jose; - const token = JWT.verify('token-here', JWK.None); diff --git a/tests/javascript/jwt-simple-noverify-astgrep-test.yml b/tests/javascript/jwt-simple-noverify-astgrep-test.yml deleted file mode 100644 index d88f20d4..00000000 
--- a/tests/javascript/jwt-simple-noverify-astgrep-test.yml +++ /dev/null @@ -1,8 +0,0 @@ -id: jwt-simple-noverify-astgrep -valid: - - jwt.decode("token", "secret", false) - - jwt.decode("token", "secret") - - jwt.decode("token", "secret", false, {}) -invalid: - - jwt.decode("token", "secret", true) - - jwt.decode("token", "secret", true, {}) diff --git a/tests/javascript/jwt-simple-noverify-js-test.yml b/tests/javascript/jwt-simple-noverify-js-test.yml deleted file mode 100644 index 1601fa58..00000000 --- a/tests/javascript/jwt-simple-noverify-js-test.yml +++ /dev/null 
@@ -1,91 +0,0 @@ -id: jwt-simple-noverify-js -valid: - - | - const jwt = require('jwt-simple'); - app.get('/protectedRoute4', (req, res) => { - const token = req.headers.authorization; - - if (!token) { - return res.status(401).json({ error: 'Unauthorized. Token missing.' }); - } - - try { - // ok: jwt-simple-noverify - const decoded = jwt.decode(token, secretKey); - res.json({ message: `Hello ${decoded.username}` }); - } catch (error) { - res.status(401).json({ error: 'Unauthorized. Invalid token.' }); - } - }); - - | - const jwt = require('jwt-simple'); - app.get('/protectedRoute5', (req, res) => { - const token = req.headers.authorization; - - if (!token) { - return res.status(401).json({ error: 'Unauthorized. Token missing.' }); - } - - try { - // ok: jwt-simple-noverify - const decoded = jwt.decode(token, secretKey, false); - res.json({ message: `Hello ${decoded.username}` }); - } catch (error) { - res.status(401).json({ error: 'Unauthorized. Invalid token.' }); - } - }); -invalid: - - | - const jwt = require('jwt-simple'); - - app.get('/protectedRoute1', (req, res) => { - const token = req.headers.authorization; - - if (!token) { - return res.status(401).json({ error: 'Unauthorized. Token missing.' }); - } - - try { - // ruleid: jwt-simple-noverify - const decoded = jwt.decode(token, secretKey, 'HS256', 12); - res.json({ message: `Hello ${decoded.username}` }); - } catch (error) { - res.status(401).json({ error: 'Unauthorized. Invalid token.' }); - } - }); - - | - const jwt = require('jwt-simple'); - - app.get('/protectedRoute2', (req, res) => { - const token = req.headers.authorization; - - if (!token) { - return res.status(401).json({ error: 'Unauthorized. Token missing.' }); - } - - try { - // ruleid: jwt-simple-noverify - const decoded = jwt.decode(token, secretKey, true); - res.json({ message: `Hello ${decoded.username}` }); - } catch (error) { - res.status(401).json({ error: 'Unauthorized. Invalid token.' 
}); - } - }); - - | - const jwt = require('jwt-simple'); - - app.get('/protectedRoute3', (req, res) => { - const token = req.headers.authorization; - - if (!token) { - return res.status(401).json({ error: 'Unauthorized. Token missing.' }); - } - - try { - // ruleid: jwt-simple-noverify - const decoded = jwt.decode(token, secretKey, 'false'); - res.json({ message: `Hello ${decoded.username}` }); - } catch (error) { - res.status(401).json({ error: 'Unauthorized. Invalid token.' }); - } - }); diff --git a/tests/javascript/node-rsa-weak-key-javascript-test.yml b/tests/javascript/node-rsa-weak-key-javascript-test.yml deleted file mode 100644 index 7031b6c0..00000000 --- a/tests/javascript/node-rsa-weak-key-javascript-test.yml +++ /dev/null @@ -1,18 +0,0 @@ -id: node-rsa-weak-key-javascript -valid: - - | - const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { - modulusLength: 2048, - }); -invalid: - - | - const crypto = require("crypto"); - const NodeRSA = require('node-rsa'); - const forge = require('node-forge'); - const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { - a: 123, - modulusLength: 512, - }); - const key = new NodeRSA({b: 2048}); - const key = new NodeRSA({b: 512}); - const pki = forge.pki; diff --git a/tests/javascript/node-sequelize-empty-password-argument-javascript-test.yml b/tests/javascript/node-sequelize-empty-password-argument-javascript-test.yml deleted file mode 100644 index 093cf3a7..00000000 --- a/tests/javascript/node-sequelize-empty-password-argument-javascript-test.yml +++ /dev/null 
@@ -1,18 +0,0 @@ -id: node-sequelize-empty-password-argument-javascript -valid: - - | - const Sequelize = require('sequelize'); - const sequelize = new Sequelize({ - database: 'pinche', - username: 'root', - password: '123456789', - dialect: 'mysql' - }); -invalid: - - | - const Sequelize = require('sequelize'); - const sequelize1 = new Sequelize('database', 'username', '', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - }) diff --git a/tests/javascript/node-sequelize-hardcoded-secret-argument-javascript-test.yml b/tests/javascript/node-sequelize-hardcoded-secret-argument-javascript-test.yml deleted file mode 100644 index 8cc8edeb..00000000 --- a/tests/javascript/node-sequelize-hardcoded-secret-argument-javascript-test.yml +++ /dev/null @@ -1,18 +0,0 @@ -id: node-sequelize-hardcoded-secret-argument-javascript -valid: - - | - const Sequelize = require('sequelize'); - const sequelize = new Sequelize({ - database: 'pinche', - username: 'root', - password: '123456789', - dialect: 'mysql' - }) -invalid: - - | - const Sequelize = require('sequelize'); - const sequelize = new Sequelize('database', 'username', 'password', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - }) diff --git a/tests/javascript/wildcard-postmessage-configuration-test.yml b/tests/javascript/wildcard-postmessage-configuration-test.yml deleted file mode 100644 index 8934d219..00000000 --- a/tests/javascript/wildcard-postmessage-configuration-test.yml +++ /dev/null @@ -1,7 +0,0 @@ -id: wildcard-postmessage-configuration -valid: - - window.postMessage("hello", 'https://example.com') - - window.postMessage("world", 'example.com') -invalid: - - window.postMessage("hello", '*') - - window.postMessage("world", "*") \ No newline at end of file diff --git a/tests/kotlin/command-injection-formatted-runtime-call-test.yml b/tests/kotlin/command-injection-formatted-runtime-call-test.yml deleted file mode 100644 index 2caa2ad3..00000000 
--- a/tests/kotlin/command-injection-formatted-runtime-call-test.yml +++ /dev/null @@ -1,12 +0,0 @@ -id: command-injection-formatted-runtime-call -valid: - - | - val r: Runtime = Runtime.getRuntime() - r.exec("echo 'Hello, World!'") -invalid: - - | - val r: Runtime = Runtime.getRuntime() - r.exec("/bin/sh -c tool_command" + input) - - | - val r: Runtime = Runtime.getRuntime() - r.loadLibrary(String.format("%s.dll", input)) \ No newline at end of file diff --git a/tests/kotlin/des-is-deprecated-kotlin-test.yml b/tests/kotlin/des-is-deprecated-kotlin-test.yml deleted file mode 100644 index 60949d48..00000000 --- a/tests/kotlin/des-is-deprecated-kotlin-test.yml +++ /dev/null @@ -1,7 +0,0 @@ -id: des-is-deprecated-kotlin -valid: - - | - Cipher c = Cipher.getInstance("AES/GCM/NoPadding"); -invalid: - - | - Cipher.getInstance("DES/ECB/PKCS5Padding"); diff --git a/tests/kotlin/desede-is-deprecated-kotlin-test.yml b/tests/kotlin/desede-is-deprecated-kotlin-test.yml deleted file mode 100644 index c3d2e28e..00000000 --- a/tests/kotlin/desede-is-deprecated-kotlin-test.yml +++ /dev/null @@ -1,8 +0,0 @@ -id: desede-is-deprecated-kotlin -valid: - - | - Cipher.getInstance("AES/GCM/NoPadding"); -invalid: - - | - Cipher.getInstance("DESede/ECB/PKCS5Padding"); - javax.crypto.KeyGenerator.getInstance("DES") diff --git a/tests/kotlin/rsa-no-padding-kotlin.yml b/tests/kotlin/rsa-no-padding-kotlin.yml deleted file mode 100644 index 6dc46d21..00000000 --- a/tests/kotlin/rsa-no-padding-kotlin.yml +++ /dev/null @@ -1,8 +0,0 @@ -id: rsa-no-padding-kotlin -valid: - - | - Cipher.getInstance("RSA/ECB/OAEPWithMD5AndMGF1Padding"); -invalid: - - | - Cipher.getInstance("RSA/None/NoPadding"); - Cipher.getInstance("RSA/NONE/NoPadding"); diff --git a/tests/kotlin/system-setproperty-hardcoded-secret-kotlin-test.yml b/tests/kotlin/system-setproperty-hardcoded-secret-kotlin-test.yml deleted file mode 100644 index d66da67a..00000000 
--- a/tests/kotlin/system-setproperty-hardcoded-secret-kotlin-test.yml +++ /dev/null @@ -1,9 +0,0 @@ -id: system-setproperty-hardcoded-secret-kotlin -valid: - - | - System.setProperty("javax.net.ssl.trustStorePassword", config); - System.setProperty("javax.net.ssl.keyStorePassword", config); -invalid: - - | - System.setProperty("javax.net.ssl.keyStorePassword", "password"); - System.setProperty("javax.net.ssl.trustStorePassword", "password"); diff --git a/tests/kotlin/unencrypted-socket-test.yml b/tests/kotlin/unencrypted-socket-test.yml deleted file mode 100644 index 4c88c2a4..00000000 --- a/tests/kotlin/unencrypted-socket-test.yml +++ /dev/null @@ -1,12 +0,0 @@ -id: unencrypted-socket -valid: - - | - val ssoc: ServerSocket = SSLServerSocketFactory.getDefault().createServerSocket(1234) -invalid: - - | - val socket = Socket("localhost", 8080) - val out = PrintWriter(socket.getOutputStream(), true) - val input = BufferedReader(InputStreamReader(socket.getInputStream())) - out.println("Hello, World!") - val response = input.readLine() - println(response) \ No newline at end of file diff --git a/tests/kotlin/use-of-weak-rsa-key-kotlin-test.yml b/tests/kotlin/use-of-weak-rsa-key-kotlin-test.yml deleted file mode 100644 index 199c4b1e..00000000 --- a/tests/kotlin/use-of-weak-rsa-key-kotlin-test.yml +++ /dev/null @@ -1,9 +0,0 @@ -id: use-of-weak-rsa-key-kotlin -valid: - - | - KeyPairGenerator.getInstance("RSA") - keyGen.initialize(2048); -invalid: - - | - KeyPairGenerator.getInstance("RSA") - keyGen.initialize(-5.12); diff --git a/tests/php/openssl-cbc-static-iv-php-test.yml b/tests/php/openssl-cbc-static-iv-php-test.yml deleted file mode 100644 index e1b06980..00000000 --- a/tests/php/openssl-cbc-static-iv-php-test.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -id: openssl-cbc-static-iv-php -valid: - - | - "dhh", :password => not_a_string, :except => :index - puts "do more stuff" - end -invalid: - - | - class DangerousController < ApplicationController - http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index - puts "do more stuff" - end diff --git a/tests/ruby/json-entity-escape-test.yml b/tests/ruby/json-entity-escape-test.yml deleted file mode 100644 index c9aad16a..00000000 --- a/tests/ruby/json-entity-escape-test.yml +++ /dev/null @@ -1,7 +0,0 @@ -id: json-entity-escape -valid: - - | - ActiveSupport.escape_html_entities_in_json = true -invalid: - - | - ActiveSupport.escape_html_entities_in_json = false \ No newline at end of file diff --git a/tests/ruby/jwt-non-alg-ruby-test.yml b/tests/ruby/jwt-non-alg-ruby-test.yml deleted file mode 100644 index 775f77b0..00000000 --- a/tests/ruby/jwt-non-alg-ruby-test.yml +++ /dev/null @@ -1,9 +0,0 @@ -id: jwt-non-alg-ruby -valid: - - | - token = JWT.encode(payload, nil, 'HS256'); -invalid: - - | - token = JWT.encode(payload, nil, 'none'); - - | - token = JWT.encode(payload, nil, 'none', { algorithm: 'none' }); diff --git a/tests/ruby/rails-skip-forgery-protection-test.yml b/tests/ruby/rails-skip-forgery-protection-test.yml deleted file mode 100644 index c2f12310..00000000 --- a/tests/ruby/rails-skip-forgery-protection-test.yml +++ /dev/null @@ -1,10 +0,0 @@ -id: rails-skip-forgery-protection -valid: - - | - class ApplicationController < ActionController::Base - end -invalid: - - | - class ApplicationController < ActionController::Base - skip_forgery_protection - end \ No newline at end of file diff --git a/tests/ruby/ssl-mode-no-verify-test.yml b/tests/ruby/ssl-mode-no-verify-test.yml deleted file mode 100644 index 1627a4c3..00000000 --- a/tests/ruby/ssl-mode-no-verify-test.yml +++ /dev/null 
@@ -1,7 +0,0 @@ -id: ssl-mode-no-verify -valid: - - | - OpenSSL::SSL::VERIFY_PEER -invalid: - - | - OpenSSL::SSL::VERIFY_NONE \ No newline at end of file diff --git a/tests/rust/insecure-hashes-test.yml b/tests/rust/insecure-hashes-test.yml deleted file mode 100644 index 3cb39168..00000000 --- a/tests/rust/insecure-hashes-test.yml +++ /dev/null @@ -1,15 +0,0 @@ -id: insecure-hashes -valid: - - | - use sha2::{Sha256}; - - let mut hasher = Sha256::new(); -invalid: - - | - let mut hasher = Md2::new(); - - | - let mut hasher = Md4::new(); - - | - let mut hasher = Md5::new(); - - | - let mut hasher = Sha1::new(); diff --git a/tests/rust/postgres-empty-password-rust-test.yml b/tests/rust/postgres-empty-password-rust-test.yml deleted file mode 100644 index 3ea7d652..00000000 --- a/tests/rust/postgres-empty-password-rust-test.yml +++ /dev/null @@ -1,29 +0,0 @@ -id: postgres-empty-password-rust -valid: - - | - async fn okTest2() { - let (client, connection) = postgres::Config::new() - .host(shard_host_name.as_str()) - .user("postgres") - .password("postgres") - .dbname("ninja") - .keepalives_idle(std::time::Duration::from_secs(30)) - .connect(NoTls) - .map_err(|e| { - error!(log, "failed to connect to {}: {}", &shard_host_name, e); - Error::new(ErrorKind::Other, e) - })?; - Ok(()) - } -invalid: - - | - fn test1() { - let mut config = postgres::Config::new(); - config - .host(std::env::var("HOST").expect("set HOST")) - .user(std::env::var("USER").expect("set USER")) - .password("") - .port(std::env::var("PORT").expect("set PORT")); - let (client, connection) = config.connect(NoTls); - Ok(()) - } diff --git a/tests/rust/reqwest-accept-invalid-rust-test.yml b/tests/rust/reqwest-accept-invalid-rust-test.yml deleted file mode 100644 index 894c5cec..00000000 --- a/tests/rust/reqwest-accept-invalid-rust-test.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -id: reqwest-accept-invalid-rust -valid: - - | - reqwest::Client::builder().user_agent("USER AGENT") -invalid: - - | - reqwest::Client::builder().danger_accept_invalid_hostnames(true) - - | - reqwest::Client::builder().danger_accept_invalid_certs(true) - - | - reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_hostnames(true) - - | - reqwest::Client::builder().user_agent("USER AGENT").cookie_store(true).danger_accept_invalid_certs(true) diff --git a/tests/rust/secrets-reqwest-hardcoded-auth-rust-test.yml b/tests/rust/secrets-reqwest-hardcoded-auth-rust-test.yml deleted file mode 100644 index e2fecd2c..00000000 --- a/tests/rust/secrets-reqwest-hardcoded-auth-rust-test.yml +++ /dev/null @@ -1,32 +0,0 @@ -id: secrets-reqwest-hardcoded-auth-rust -valid: - - | - async fn test1(pass: &str) -> Result<(), reqwest::Error> { - let client = reqwest::Client::new(); - let resp = client.delete("http://httpbin.org/delete") - .basic_auth("admin", Some(pass)) - .send() - .await?; - println!("body = {:?}", resp); - Ok(()) - } -invalid: - - | - async fn test1() -> Result<(), reqwest::Error> { - let client = reqwest::Client::new(); - let resp = client.delete("http://httpbin.org/delete") - .basic_auth("admin", Some("hardcoded-password")) - .send() - .await?; - println!("body = {:?}", resp); - Ok(()) - } - async fn test2() -> Result<(), reqwest::Error> { - let client = reqwest::Client::new(); - let resp = client.put("http://httpbin.org/delete") - .bearer_auth("hardcoded-token") - .send() - .await?; - println!("body = {:?}", resp); - Ok(()) - } diff --git a/tests/rust/ssl-verify-none-rust-test.yml b/tests/rust/ssl-verify-none-rust-test.yml deleted file mode 100644 index 6c47df5b..00000000 --- a/tests/rust/ssl-verify-none-rust-test.yml +++ /dev/null 
@@ -1,22 +0,0 @@ -id: ssl-verify-none-rust -valid: - - | - use openssl::ssl::SSL_VERIFY_NONE; - connector.builder_mut().set_verify(SSL_VERIFY_PEER); -invalid: - - | - use openssl; - connector.builder_mut().set_verify(open::ssl::SSL_VERIFY_NONE); - - | - use openssl::ssl; - connector.builder_mut().set_verify(ssl::SSL_VERIFY_NONE); - - | - use openssl::ssl::{SslMethod, SslConnectorBuilder, SSL_VERIFY_NONE}; - connector.builder_mut().set_verify(SSL_VERIFY_NONE); - - | - use openssl::ssl::{ - SslMethod, - SslConnectorBuilder, - SSL_VERIFY_NONE as NoVerify - }; - connector.builder_mut().set_verify(NoVerify); diff --git a/tests/rust/tokio-postgres-empty-password-rust-test.yml b/tests/rust/tokio-postgres-empty-password-rust-test.yml deleted file mode 100644 index a8909265..00000000 --- a/tests/rust/tokio-postgres-empty-password-rust-test.yml +++ /dev/null @@ -1,28 +0,0 @@ -id: tokio-postgres-empty-password-rust -valid: - - | - let mut config = tokio_postgres::Config::new(); - config - .host(std::env::var("HOST").expect("set HOST")) - .user(std::env::var("USER").expect("set USER")) - .password(std::env::var("PASSWORD").expect("set PASSWORD")) - .port(std::env::var("PORT").expect("set PORT")); - let (client, connection) = config.connect(NoTls).await?; - tokio::spawn(async move { - if let Err(e) = connection.await { - tracing::error!("postgres db connection error: {}", e); - } - }); - Ok(()) - } -invalid: - - | - async fn test1() -> Result<(), anyhow::Error> { - let mut config = tokio_postgres::Config::new(); - config - .host(std::env::var("HOST").expect("set HOST")) - .user(std::env::var("USER").expect("set USER")) - .password("") - .port(std::env::var("PORT").expect("set PORT")); - Ok(()) - } diff --git a/tests/rust/tokio-postgres-hardcoded-password-rust-test.yml b/tests/rust/tokio-postgres-hardcoded-password-rust-test.yml deleted file mode 100644 index 935d067d..00000000 --- a/tests/rust/tokio-postgres-hardcoded-password-rust-test.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -id: tokio-postgres-hardcoded-password-rust -valid: - - | - async fn test1() -> Result<(), anyhow::Error> { - let mut config = tokio_postgres::Config::new(); - config - .host(std::env::var("HOST").expect("set HOST")) - .user(std::env::var("USER").expect("set USER")) - .password("") - .port(std::env::var("PORT").expect("set PORT")); - Ok(()) - } -invalid: - - | - async fn test2() -> Result<(), anyhow::Error> { - let (client, connection) = tokio_postgres::Config::new() - .host(shard_host_name.as_str()) - .user("postgres") - .password("postgres") - .dbname("moray") - .keepalives_idle(std::time::Duration::from_secs(30)) - .connect(NoTls) - .await - .map_err(|e| { - error!(log, "failed to connect to {}: {}", &shard_host_name, e); - Error::new(ErrorKind::Other, e) - })?; diff --git a/tests/rust/unsage-usage-test.yml b/tests/rust/unsage-usage-test.yml deleted file mode 100644 index 925aba68..00000000 --- a/tests/rust/unsage-usage-test.yml +++ /dev/null @@ -1,15 +0,0 @@ -id: unsafe-usage -valid: - - | - fn main() { - let x = 42; - println!("{}", x); - } -invalid: - - | - fn main() { - let x = 42; - unsafe { - println!("{}", x); - } - } \ No newline at end of file diff --git a/tests/scala/rsa-padding-set-scala-test.yml b/tests/scala/rsa-padding-set-scala-test.yml deleted file mode 100644 index 3196e148..00000000 --- a/tests/scala/rsa-padding-set-scala-test.yml +++ /dev/null @@ -1,9 +0,0 @@ -id: rsa-padding-set-scala -valid: - - | - Cipher.getInstance("AES/CBC/PKCS5Padding"); - Cipher.getInstance("DES/ECB/PKCS5Padding"); - Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); -invalid: - - | - Cipher.getInstance("RSA/ECB/NoPadding") diff --git a/tests/scala/xmlinputfactory-dtd-enabled-scala-test.yml b/tests/scala/xmlinputfactory-dtd-enabled-scala-test.yml deleted file mode 100644 index ab78f6be..00000000 --- a/tests/scala/xmlinputfactory-dtd-enabled-scala-test.yml +++ /dev/null 
@@ -1,11 +0,0 @@ -id: xmlinputfactory-dtd-enabled-scala -valid: - - | - val factory = XMLInputFactory.newInstance - factory.setProperty("javax.xml.stream.isSupportingExternalEntities", false) - val fileReader = new FileReader(file) -invalid: - - | - val factory = XMLInputFactory.newFactory() - val fileReader = new FileReader(file) - val fileReader = new FileReader(file) \ No newline at end of file diff --git a/tests/swift/aes-hardcoded-secret-swift-test.yml b/tests/swift/aes-hardcoded-secret-swift-test.yml deleted file mode 100644 index 9aa125aa..00000000 --- a/tests/swift/aes-hardcoded-secret-swift-test.yml +++ /dev/null @@ -1,10 +0,0 @@ -id: aes-hardcoded-secret-swift -valid: - - | - -invalid: - - | - let password: Array = Array("s33krit".utf8) - try AES(key: password, iv: "123") - - | - try AES(key: "hello", iv: "123") diff --git a/tests/swift/insecure-biometrics-swift-test.yml b/tests/swift/insecure-biometrics-swift-test.yml deleted file mode 100644 index fffee11c..00000000 --- a/tests/swift/insecure-biometrics-swift-test.yml +++ /dev/null @@ -1,7 +0,0 @@ -id: insecure-biometrics-swift -valid: - - | - context.canEvaluatePolicy(.deviceOwnerAuthentication, error: &error) -invalid: - - | - context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: "Authenticate to the application" diff --git a/tests/swift/swift-webview-config-allows-js-open-windows-swift-test.yml b/tests/swift/swift-webview-config-allows-js-open-windows-swift-test.yml deleted file mode 100644 index 3772db95..00000000 --- a/tests/swift/swift-webview-config-allows-js-open-windows-swift-test.yml +++ /dev/null @@ -1,10 +0,0 @@ -id: swift-webview-config-allows-js-open-windows-swift -valid: - - | - let prefs2 = WKPreferences() - prefs2.JavaScriptCanOpenWindowsAutomatically = true - prefs2.JavaScriptCanOpenWindowsAutomatically = false -invalid: - - | - let prefs = WKPreferences() - prefs.JavaScriptCanOpenWindowsAutomatically = true 
diff --git a/tests/swift/swift-webview-config-allows-universal-file-access-swift-test.yml b/tests/swift/swift-webview-config-allows-universal-file-access-swift-test.yml deleted file mode 100644 index a10c40cb..00000000 --- a/tests/swift/swift-webview-config-allows-universal-file-access-swift-test.yml +++ /dev/null @@ -1,11 +0,0 @@ -id: swift-webview-config-allows-universal-file-access-swift -valid: - - | - let w2 = WKWebView(frame: .zero, configuration: config) - w2.configuration.setValue(false, forKey: "allowUniversalAccessFromFileURLs") -invalid: - - | - let w = WKWebView(frame: .zero, configuration: config) - w.setValue(true, forKey: "allowUniversalAccessFromFileURLs") - let config = w.configuration - config.setValue(true, forKey: "allowUniversalAccessFromFileURLs") diff --git a/tests/swift/swift-webview-config-fraudulent-site-warning-swift-test.yml b/tests/swift/swift-webview-config-fraudulent-site-warning-swift-test.yml deleted file mode 100644 index 229867e2..00000000 --- a/tests/swift/swift-webview-config-fraudulent-site-warning-swift-test.yml +++ /dev/null @@ -1,13 +0,0 @@ -id: swift-webview-config-fraudulent-site-warning-swift -valid: - - | - let prefs = WKPreferences() - prefs.isFraudulentWebsiteWarningEnabled = true -invalid: - - | - let prefs2 = WKPreferences() - prefs2.isFraudulentWebsiteWarningEnabled = true - prefs2.isFraudulentWebsiteWarningEnabled = false - - | - let prefs2 = WKPreferences() - prefs2.isFraudulentWebsiteWarningEnabled = false diff --git a/tests/swift/swift-webview-config-https-upgrade-swift-test.yml b/tests/swift/swift-webview-config-https-upgrade-swift-test.yml deleted file mode 100644 index 0e25efe3..00000000 --- a/tests/swift/swift-webview-config-https-upgrade-swift-test.yml +++ /dev/null 
@@ -1,16 +0,0 @@ -id: swift-webview-config-https-upgrade-swift -valid: - - | - let prefs = WKPreferences() - let config = WKWebViewConfiguration() - config.upgradeKnownHostsToHTTPS = true - config.defaultWebpagePreferences = prefs - WKWebView(frame: .zero, configuration: config) -invalid: - - | - let prefs2 = WKPreferences() - let config2 = WKWebViewConfiguration() - config2.upgradeKnownHostsToHTTPS = true - config2.upgradeKnownHostsToHTTPS = false - config.defaultWebpagePreferences = prefs2 - WKWebView(frame: .zero, configuration: config) diff --git a/tests/typescript/.gitkeep b/tests/typescript/.gitkeep deleted file mode 100644 index e69de29b..00000000 diff --git a/tests/typescript/detect-angular-sce-disabled-typescript-test.yml b/tests/typescript/detect-angular-sce-disabled-typescript-test.yml deleted file mode 100644 index 541d83e7..00000000 --- a/tests/typescript/detect-angular-sce-disabled-typescript-test.yml +++ /dev/null @@ -1,7 +0,0 @@ -id: detect-angular-sce-disabled-typescript -valid: - - | - -invalid: - - | - $sceProvider.enabled(false); diff --git a/tests/typescript/express-jwt-hardcoded-secret-typescript-test.yml b/tests/typescript/express-jwt-hardcoded-secret-typescript-test.yml deleted file mode 100644 index 356a6e15..00000000 --- a/tests/typescript/express-jwt-hardcoded-secret-typescript-test.yml +++ /dev/null @@ -1,14 +0,0 @@ -id: express-jwt-hardcoded-secret-typescript -valid: - - | - app.get('/ok-protected', jwt({ secret: process.env.SECRET }), function(req, res) { - if (!req.user.admin) return res.sendStatus(401); - res.sendStatus(200); - }); -invalid: - - | - var jwt = require('express-jwt'); - app.get('/protected', jwt({ secret: 'shhhhhhared-secret' }), function(req, res) { - if (!req.user.admin) return res.sendStatus(401); - res.sendStatus(200); - }); 
diff --git a/tests/typescript/express-session-hardcoded-secret-typescript-test.yml b/tests/typescript/express-session-hardcoded-secret-typescript-test.yml deleted file mode 100644 index 148c5997..00000000 --- a/tests/typescript/express-session-hardcoded-secret-typescript-test.yml +++ /dev/null @@ -1,17 +0,0 @@ -id: express-session-hardcoded-secret-typescript -valid: - - | - let config1 = { - secret: config.secret, - resave: false, - saveUninitialized: false, - } -invalid: - - | - import * as session from 'express-session' - let a = 'a' - let config = { - secret: 'a', - resave: false, - saveUninitialized: false, - } diff --git a/tests/typescript/jwt-none-alg-typescript-test.yml b/tests/typescript/jwt-none-alg-typescript-test.yml deleted file mode 100644 index b0c89b0f..00000000 --- a/tests/typescript/jwt-none-alg-typescript-test.yml +++ /dev/null @@ -1,9 +0,0 @@ -id: jwt-none-alg-typescript -valid: - - | - -invalid: - - | - const jose = require("jose"); - const { JWK, JWT } = jose; - const token = JWT.verify('token-here', JWK.None); diff --git a/tests/typescript/jwt-simple-noverify-ts-test.yml b/tests/typescript/jwt-simple-noverify-ts-test.yml deleted file mode 100644 index 55eaeec9..00000000 --- a/tests/typescript/jwt-simple-noverify-ts-test.yml +++ /dev/null 
@@ -1,91 +0,0 @@ -id: jwt-simple-noverify-ts -valid: - - | - const jwt = require('jwt-simple'); - app.get('/protectedRoute4', (req, res) => { - const token = req.headers.authorization; - - if (!token) { - return res.status(401).json({ error: 'Unauthorized. Token missing.' }); - } - - try { - // ok: jwt-simple-noverify - const decoded = jwt.decode(token, secretKey); - res.json({ message: `Hello ${decoded.username}` }); - } catch (error) { - res.status(401).json({ error: 'Unauthorized. Invalid token.' }); - } - }); - - | - const jwt = require('jwt-simple'); - app.get('/protectedRoute5', (req, res) => { - const token = req.headers.authorization; - - if (!token) { - return res.status(401).json({ error: 'Unauthorized. Token missing.' }); - } - - try { - // ok: jwt-simple-noverify - const decoded = jwt.decode(token, secretKey, false); - res.json({ message: `Hello ${decoded.username}` }); - } catch (error) { - res.status(401).json({ error: 'Unauthorized. Invalid token.' }); - } - }); -invalid: - - | - const jwt = require('jwt-simple'); - - app.get('/protectedRoute1', (req, res) => { - const token = req.headers.authorization; - - if (!token) { - return res.status(401).json({ error: 'Unauthorized. Token missing.' }); - } - - try { - // ruleid: jwt-simple-noverify - const decoded = jwt.decode(token, secretKey, 'HS256', 12); - res.json({ message: `Hello ${decoded.username}` }); - } catch (error) { - res.status(401).json({ error: 'Unauthorized. Invalid token.' }); - } - }); - - | - const jwt = require('jwt-simple'); - - app.get('/protectedRoute2', (req, res) => { - const token = req.headers.authorization; - - if (!token) { - return res.status(401).json({ error: 'Unauthorized. Token missing.' }); - } - - try { - // ruleid: jwt-simple-noverify - const decoded = jwt.decode(token, secretKey, true); - res.json({ message: `Hello ${decoded.username}` }); - } catch (error) { - res.status(401).json({ error: 'Unauthorized. Invalid token.' 
}); - } - }); - - | - const jwt = require('jwt-simple'); - - app.get('/protectedRoute3', (req, res) => { - const token = req.headers.authorization; - - if (!token) { - return res.status(401).json({ error: 'Unauthorized. Token missing.' }); - } - - try { - // ruleid: jwt-simple-noverify - const decoded = jwt.decode(token, secretKey, 'false'); - res.json({ message: `Hello ${decoded.username}` }); - } catch (error) { - res.status(401).json({ error: 'Unauthorized. Invalid token.' }); - } - }); diff --git a/tests/typescript/node-rsa-weak-key-typescript-test.yml b/tests/typescript/node-rsa-weak-key-typescript-test.yml deleted file mode 100644 index 90230944..00000000 --- a/tests/typescript/node-rsa-weak-key-typescript-test.yml +++ /dev/null @@ -1,18 +0,0 @@ -id: node-rsa-weak-key-typescript -valid: - - | - const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { - modulusLength: 2048, - }); -invalid: - - | - const crypto = require("crypto"); - const NodeRSA = require('node-rsa'); - const forge = require('node-forge'); - const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { - a: 123, - modulusLength: 512, - }); - const key = new NodeRSA({b: 2048}); - const key = new NodeRSA({b: 512}); - const pki = forge.pki; diff --git a/tests/typescript/node-sequelize-empty-password-argument-typescript-test.yml b/tests/typescript/node-sequelize-empty-password-argument-typescript-test.yml deleted file mode 100644 index 0c17510d..00000000 --- a/tests/typescript/node-sequelize-empty-password-argument-typescript-test.yml +++ /dev/null 
@@ -1,18 +0,0 @@ -id: node-sequelize-empty-password-argument-typescript -valid: - - | - const Sequelize = require('sequelize'); - const sequelize = new Sequelize({ - database: 'pinche', - username: 'root', - password: '123456789', - dialect: 'mysql' - }); -invalid: - - | - const Sequelize = require('sequelize'); - const sequelize1 = new Sequelize('database', 'username', '', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - }) diff --git a/tests/typescript/node-sequelize-hardcoded-secret-argument-typescript-test.yml b/tests/typescript/node-sequelize-hardcoded-secret-argument-typescript-test.yml deleted file mode 100644 index b45d2743..00000000 --- a/tests/typescript/node-sequelize-hardcoded-secret-argument-typescript-test.yml +++ /dev/null @@ -1,18 +0,0 @@ -id: node-sequelize-hardcoded-secret-argument-typescript -valid: - - | - const Sequelize = require('sequelize'); - const sequelize = new Sequelize({ - database: 'pinche', - username: 'root', - password: '123456789', - dialect: 'mysql' - }) -invalid: - - | - const Sequelize = require('sequelize'); - const sequelize = new Sequelize('database', 'username', 'password', { - host: 'localhost', - port: '5433', - dialect: 'postgres' - })