Port patterns from 13_improper_input_filtering.rule #18

Closed
dmajda opened this Issue Sep 19, 2011 · 4 comments

Contributor

dmajda commented Sep 19, 2011

We need to port patterns from the rules/13_improper_input_filtering.rule file from the old scanner:

Desc: Possible injection vulnerabilities

# impact        CWE identifier          regex
low             CWE-20                  logger\.\w+\s*[\(]*.*params\s*\[
low             CWE-20                  params\s*\[:
info            CWE-000                 validates[\w_]*_of\s*:\w*
low             CWE-20                  env\s*\[.*[\"\']HTTP_
low             CWE-20                  headers\s*\[.*[\"\']HTTP_
medium          CWE-150                 \\033\]30;.*\\007
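The six rules above, as an added example that is not part of the issue or of either scanner's code: each regex is copied verbatim from the rule file into a Ruby regex literal and run line by line over a constructed Rails-style snippet (the controller and its lines are made up for this demonstration). Line 3 of the sample is the `logger.info("User #{params[:name]} ...")` case, which the first rule does match, so it serves as a reference for what a port of that rule has to catch.

```ruby
# Added example: the rules from rules/13_improper_input_filtering.rule applied
# to constructed source. Not the old scanner's engine and not the new one.

# impact, CWE, regex (regexes copied verbatim from the rule file in the issue)
RULES = [
  ["low",    "CWE-20",  /logger\.\w+\s*[\(]*.*params\s*\[/],
  ["low",    "CWE-20",  /params\s*\[:/],
  ["info",   "CWE-000", /validates[\w_]*_of\s*:\w*/],
  ["low",    "CWE-20",  /env\s*\[.*[\"\']HTTP_/],
  ["low",    "CWE-20",  /headers\s*\[.*[\"\']HTTP_/],
  ["medium", "CWE-150", /\\033\]30;.*\\007/],
]

# Constructed sample source. Single-quoted heredoc so "\033", "\007" and
# "#{...}" stay literal, exactly as they would appear in a source file.
SAMPLE_SOURCE = <<-'RUBY'
class SessionsController < ApplicationController
  def create
    logger.info("User #{params[:name]} just logged in.")
    agent = request.env["HTTP_USER_AGENT"]
    lang  = headers['HTTP_ACCEPT_LANGUAGE']
    user  = User.find_by(name: params[:name])
    validates_presence_of :name
    puts "\033]30;pwned\007"
  end
end
RUBY

# Run every rule over every line; one finding per (line, rule) hit.
# Because the rules are line-oriented, a statement split over several
# lines would not be matched; that is a limitation of this rule format.
def scan(source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    RULES.each do |impact, cwe, regex|
      next unless line =~ regex
      findings << { line: lineno, impact: impact, cwe: cwe, text: line.strip }
    end
  end
  findings
end

if __FILE__ == $0
  scan(SAMPLE_SOURCE).each do |f|
    puts format("%-6s %-7s line %d: %s", f[:impact], f[:cwe], f[:line], f[:text])
  end
end
```

Line 3 of the sample produces two findings (the logger rule and the `params[:` rule), which is the kind of overlap a pattern-based scanner has to deduplicate or report as two distinct weaknesses.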
Contributor

dmajda commented Aug 6, 2012

Implemented in InputFilteringCheck and ValidatesCheck (except the last pattern).


low             CWE-20                  logger\.\w+\s*[\(]*.*params\s*\[

I think the intent of this pattern was to look for something like:

logger.info("User #{params[:name]} just logged in.")

The ported version does not seem to do so.

@LTe If you agree, please fix the pattern.


def pattern_env_http
  <<-EOT
    SendWithArguments<
      arguments = ActualArguments<
        array = [
          any*,
          StringLiteral<string ^= "HTTP_">,
          any*
        ]
      >,
      name = :[],
      receiver = Send<name = :env | :headers>
    >
  EOT
end

@LTe I don't think that any*s are needed — env[...] or headers[...] will always have just one argument.


medium          CWE-150                 \\033\]30;.*\\007

@thomasbiege Why exactly is this checked?

thomasbiege commented

The "logger" pattern and the one with the octal numbers aim to find possible injection attacks of "Terminal Escape Sequences" that allow maliciously configuring the terminal when log files are displayed.

http://cwe.mitre.org/data/definitions/150.html
http://unix.stackexchange.com/questions/15101/how-to-avoid-escape-sequence-attacks-in-terminals
http://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection//
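What that injection looks like in practice, as an added example (not from the issue, the scanner, or the linked advisories): a constructed request header carrying an OSC title-setting sequence, a screen clear and a colour change is interpolated raw into a log line, so a terminal that later displays the log executes the sequences instead of showing them. The sanitizer below replaces ESC, BEL and every other C0/DEL control byte with a visible `\xNN` form before the value reaches the log; the header value and the IP address are made up.

```ruby
# Added example: terminal escape sequence injection through a logged header
# (CWE-150) and a sanitizer for it. Not code from the scanner or from WEBrick.

# Constructed attacker-controlled User-Agent: "\e" is ESC (0x1b), "\a" is BEL (0x07).
# "\e]0;owned\a" sets the window title, "\e[2J" clears the screen, "\e[31m" turns
# everything after it red, so the "looks fine" tail is what an admin would see.
EVIL_USER_AGENT = "Mozilla/5.0 \e]0;owned\a\e[2J\e[31mlooks fine"

# Unsafe: the raw header goes straight into the log line. This is the shape of
# code the logger/params/env/headers rules in the issue try to flag.
def log_line_unsafe(ip, user_agent)
  "#{ip} - #{user_agent}"
end

# Rewrite every C0 control byte (0x00-0x1f) and DEL (0x7f) as a printable
# "\xNN" token. The result contains no byte a terminal would interpret, and
# the original value can still be recovered from the log if needed.
def sanitize_for_log(value)
  value.gsub(/[\x00-\x1f\x7f]/) { |c| format("\\x%02x", c.ord) }
end

def log_line_safe(ip, user_agent)
  "#{ip} - #{sanitize_for_log(user_agent)}"
end

# Check a finished log line the way a log viewer or a test would.
def contains_control_chars?(str)
  str.match?(/[\x00-\x1f\x7f]/)
end

if __FILE__ == $0
  puts "unsafe: #{log_line_unsafe('10.0.0.1', EVIL_USER_AGENT).inspect}"
  puts "safe:   #{log_line_safe('10.0.0.1', EVIL_USER_AGENT)}"
end
```

The sanitizer is deliberately strict: it also rewrites tab and newline, which keeps one request on one log line and blocks log forging through embedded line breaks. If a log format legitimately needs tabs, exclude `\x09` from the character class and nothing else.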

Member

LTe commented Aug 13, 2012

@LTe I don't think that any*s are needed — env[...] or headers[...] will always have just one argument.

Related to issue #11 and fixed with pull request #104

Contributor

dmajda commented Aug 13, 2012

@thomasbiege Thanks for clarification.

@LTe Thanks for implementation.

All issues resolved, closing.

@dmajda dmajda closed this Aug 13, 2012
