Port patterns from 13_improper_input_filtering.rule #18

Closed
dmajda opened this issue Sep 19, 2011 · 4 comments

Comments

dmajda (Contributor) commented Sep 19, 2011

We need to port patterns from the rules/13_improper_input_filtering.rule file from the old scanner:

Desc: Possible injection vulnerabilities

# impact        CWE identifier          regex
low             CWE-20                  logger\.\w+\s*[\(]*.*params\s*\[
low             CWE-20                  params\s*\[:
info            CWE-000                 validates[\w_]*_of\s*:\w*
low             CWE-20                  env\s*\[.*[\"\']HTTP_
low             CWE-20                  headers\s*\[.*[\"\']HTTP_
medium          CWE-150                 \\033\]30;.*\\007
dmajda (Contributor, Author) commented Aug 6, 2012

Implemented in InputFilteringCheck and ValidatesCheck (except the last pattern).


> low             CWE-20                  logger\.\w+\s*[\(]*.*params\s*\[

I think the intent of this pattern was to look for something like:

logger.info("User #{params[:name]} just logged in.")

The ported version does not seem to do so.

@LTe If you agree, please fix the pattern.


def pattern_env_http
  <<-EOT
    SendWithArguments<
      arguments = ActualArguments<
        array = [
          any*,
          StringLiteral<string ^= "HTTP_">,
          any*
        ]
      >,
      name = :[],
      receiver = Send<name = :env | :headers>
    >
  EOT
end

@LTe I don't think that any*s are needed — env[...] or headers[...] will always have just one argument.


> medium          CWE-150                 \\033\]30;.*\\007

@thomasbiege Why exactly is this checked?
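
As an added example (not code from the old scanner or from the port), the regex table from the first comment applied line by line to a few constructed Rails source lines, including the `logger.info("User #{params[:name]} ...")` case discussed above. The rule table is copied from the issue; the sample source is made up here. Note that the `.*` in the logger rule is greedy, so the rule also fires when an unrelated `params[...]` appears later on the same line as a logger call.

```ruby
# Added example (not the scanner's own code): the regex rules from the
# rule file quoted in the issue, applied to constructed Rails source.

RULES = [
  # impact   CWE        regex (copied from 13_improper_input_filtering.rule)
  ["low",    "CWE-20",  /logger\.\w+\s*[\(]*.*params\s*\[/],
  ["low",    "CWE-20",  /params\s*\[:/],
  ["info",   "CWE-000", /validates[\w_]*_of\s*:\w*/],
  ["low",    "CWE-20",  /env\s*\[.*[\"\']HTTP_/],
  ["low",    "CWE-20",  /headers\s*\[.*[\"\']HTTP_/],
  ["medium", "CWE-150", /\\033\]30;.*\\007/],
].freeze

# Constructed sample source. The single-quoted heredoc keeps "\033" and
# "#{...}" as literal source text, which is what the scanner sees.
SAMPLE_SOURCE = <<~'RUBY'
  logger.info("User #{params[:name]} just logged in.")
  name = params[:name]
  validates_presence_of :email
  ua = request.env["HTTP_USER_AGENT"]
  ref = headers['HTTP_REFERER']
  puts "\033]30;title\007"
  validates :email, presence: true
RUBY

# Run every rule over every line; one line can yield several findings
# (the logger line above matches both the logger rule and the params rule).
def scan(source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    RULES.each do |impact, cwe, regex|
      next unless line =~ regex
      findings << { line: lineno, impact: impact, cwe: cwe, code: line.strip }
    end
  end
  findings
end

# Human-readable report, one finding per line.
def report(findings)
  findings.map { |f| format("%-3d %-7s %-8s %s", f[:line], f[:impact], f[:cwe], f[:code]) }
end

if __FILE__ == $0
  puts report(scan(SAMPLE_SOURCE))
end
```

The last sample line uses the newer `validates :email, presence: true` form, which the `validates*_of` rule does not cover; that is the kind of gap a port from regexes to AST matching (as in the `pattern_env_http` snippet above) is meant to close.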

ghost commented Aug 12, 2012

The "logger" pattern and the one with the octal numbers aim to find possible injection attacks of "Terminal Escape Sequences" that allow malicious configuration of the terminal when log files are displayed.

http://cwe.mitre.org/data/definitions/150.html
http://unix.stackexchange.com/questions/15101/how-to-avoid-escape-sequence-attacks-in-terminals
http://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection//
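
The defender's side of the CWE-150 case described above, as an added example that is not part of the scanner or of the linked posts: user-controlled values are made printable before they reach a log line, and an existing log can be checked for lines that already carry terminal escape sequences. The sample log lines and the `params` hash are constructed here; `params` stands in for the Rails params object.

```ruby
# Added example (not the scanner's code): neutralising terminal control
# characters before logging, and spotting them in a log that was written
# without such care.

# ASCII control characters: this covers ESC (0x1B) and BEL (0x07), which open
# and close the OSC sequence in the rule, and also line breaks.
CONTROL_CHARS = /[\x00-\x1f\x7f]/

# ESC ] ... BEL (OSC, e.g. a window-title change) or ESC [ ... final byte
# (CSI, e.g. colour or cursor control): the sequences a terminal acts on
# when a log is displayed with cat or tail.
ESCAPE_SEQUENCE = /\x1b(?:\][^\x07]*\x07|\[[0-9;?]*[@-~])/

# Replace every control character by its visible \xNN form, so the value
# stays on one line and cannot drive the terminal that shows the log.
def sanitize_for_log(value)
  value.to_s.gsub(CONTROL_CHARS) { |c| format("\\x%02X", c.ord) }
end

# The log message from the issue, built from a sanitized parameter.
def login_message(params)
  "User #{sanitize_for_log(params[:name])} just logged in."
end

# 1-based numbers of the log lines that contain a terminal escape sequence.
def suspicious_lines(lines)
  lines.each_with_index
       .select { |line, _| line =~ ESCAPE_SEQUENCE }
       .map { |_, idx| idx + 1 }
end

# Constructed sample log, as a logger writes it when the parameter is not
# sanitized. "\e" is ESC and "\a" is BEL in a Ruby double-quoted string.
SAMPLE_LOG = [
  "INFO -- : User alice just logged in.",
  "INFO -- : User \e]30;title\a just logged in.",
  "INFO -- : User \e[31mbob\e[0m just logged in.",
].freeze

if __FILE__ == $0
  puts login_message({ name: "alice\e]30;title\a" })
  puts "lines with escape sequences: #{suspicious_lines(SAMPLE_LOG).inspect}"
end
```

`sanitize_for_log` escapes every control character rather than only the two used by the rule, because a log viewer reacts to the whole CSI and OSC families and a bare newline already lets a value forge an extra log record; escaping rather than stripping keeps the evidence of what was sent.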

LTe (Member) commented Aug 13, 2012

> @LTe I don't think that any*s are needed — env[...] or headers[...] will always have just one argument.

Related to issue #11 and fixed with pull request #104.

dmajda (Contributor, Author) commented Aug 13, 2012

@thomasbiege Thanks for clarification.

@LTe Thanks for implementation.

All issues resolved, closing.

dmajda closed this as completed Aug 13, 2012