(ns clj-holmes.rules.read-string
(:require [clj-holmes.rules.utils :as utils]
[clojure.spec.alpha :as s]))
; private
(defn ^:private check-if-form-is-vulnerable
  "Builds the predicate used to flag a single form.

  `fn-to-find` is a spec/predicate describing the symbol(s) that name the
  function being searched for (the caller derives it from the ns declaration,
  so aliases and refers are covered there, not here).

  The returned predicate answers true when `form` is sequential and either
  its first element satisfies `fn-to-find` (a direct invocation) or any other
  top-level element does (the function passed as an argument, threaded, etc.).
  Elements are matched individually, so a match nested inside a sub-form is
  not seen by this predicate itself; presumably the caller walks sub-forms —
  verify against utils/find-in-forms. Non-sequential forms (bare symbols,
  numbers, maps) are never flagged."
  [fn-to-find]
  (let [rest-of-form   (s/* any?)
        direct-call    (s/cat :fn-to-find fn-to-find
                              :anything-else rest-of-form)
        nested-mention (s/cat :anything-else rest-of-form
                              :fn-to-find fn-to-find
                              :rest rest-of-form)
        ;; `s/or` tags are kept for readability; only validity is consulted.
        vulnerable     (s/or :direct-invoke direct-call
                             :invoke-inside-other-fn nested-mention)]
    (fn vulnerable-to-read-string? [form]
      (s/valid? vulnerable form))))
; public
(def rule
  "Rule descriptor for this check, consumed by the SARIF reporter.

  The map mirrors the fields of a SARIF reporting descriptor: `:id`, `:name`,
  the three description texts, and `:properties` carrying `:precision`,
  `:security-severity`, `:tags` and the `:problem` severity. The short
  description and the help text are the same sentence, so it is bound once.
  The rule targets clojure.core/read-string because, with `*read-eval*` left
  at its default, the `#=` reader form evaluates code while reading; parsing
  untrusted data with clojure.edn/read-string is the usual remediation."
  (let [usage-text "Usage of vulnerable function clojure.core/read-string"]
    {:id               :read-string
     :name             "read-string serialization RCE"
     :shortDescription {:text usage-text}
     :fullDescription  {:text "Attackers can exploit vulnerable deserialization functions which could lead to a remote code execution."}
     :help             {:text usage-text}
     :properties       {:precision         :medium
                        :security-severity 8.0
                        :tags              ["rce"]
                        :problem           {:severity :error}}}))
(defn check
  "Entry point of the rule.

  Takes a map with `:forms` (the parsed top-level forms of a namespace) and
  `:ns-declaration` (its `ns` form). The ns declaration is used to compute
  every symbol under which clojure.core/read-string may be referenced in that
  file; every form matching one of those symbols is collected as a finding.

  Returns nil when nothing matched, otherwise a map with `:findings`, the
  rule `:id` and the rule's short description under `:definition`."
  [{:keys [forms ns-declaration]}]
  (let [read-string-names (utils/function-usage-possibilities ns-declaration 'clojure.core 'read-string)
        vulnerable?       (check-if-form-is-vulnerable read-string-names)
        findings          (utils/find-in-forms vulnerable? forms)]
    (when-not (empty? findings)
      {:findings   findings
       :id         (:id rule)
       :definition (get-in rule [:shortDescription :text])})))