Merge pull request #3407 from semgrep/merge-develop-to-release

Merge Develop into Release
semgrep · Jun 19, 2024 · 1032ff0 · 1032ff0
2 parents adfc239 + da164e5
commit 1032ff0
Show file tree

Hide file tree

Showing 14 changed files with 60 additions and 21 deletions.
diff --git a/Pipfile.lock b/Pipfile.lock
diff --git a/generic/secrets/gitleaks/harness-api-key.yaml b/generic/secrets/gitleaks/harness-api-key.yaml
@@ -0,0 +1,26 @@
+rules:
+- id: harness-api-key
+  message: A gitleaks harness-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+  languages:
+    - regex
+  severity: INFO
+  metadata:
+      likelihood: LOW
+      impact: MEDIUM
+      confidence: LOW
+      category: security
+      cwe:
+        - "CWE-798: Use of Hard-coded Credentials"
+      cwe2021-top25: true
+      cwe2022-top25: true
+      owasp:
+        - A07:2021 - Identification and Authentication Failures
+      references:
+        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+      source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
+      subcategory:
+        - vuln
+      technology:
+        - gitleaks
+  patterns:
+    - pattern-regex: ((?:pat|sat)\.[a-zA-Z0-9]{22}\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{20})
diff --git a/generic/secrets/gitleaks/telegram-bot-api-token.yaml b/generic/secrets/gitleaks/telegram-bot-api-token.yaml
@@ -23,4 +23,4 @@ rules:
       technology:
         - gitleaks
   patterns:
-    - pattern-regex: (?i)(?:^|\b|bot)([0-9]{5,16}:A[a-z0-9_\-]{34})(?:$|\b[^_\-])
+    - pattern-regex: (?i:(?:telegr)(?:[0-9a-z\(-_\t .\\]{0,40})(?:[\s|']|[\s|"]){0,3})(?:=|\|\|:|<=|=>|:|\?=|\()(?:'|\"|\s|=|\x60){0,5}([0-9]{5,16}:A[a-z0-9_\-]{34})(?:['|\"|\n|\r|\s|\x60|;|\\]|$)
diff --git a/go/lang/security/audit/crypto/math_random.fixed.go b/go/lang/security/audit/crypto/math_random.fixed.go
@@ -4,6 +4,12 @@ import (
 	"crypto/rand"
 	// ruleid: math-random-used
 	mrand "crypto/rand"
+	// ruleid: math-random-used
+	mrand "crypto/rand"
+	// ruleid: math-random-used
+	mrand "crypto/rand"
+	// ok: math-random-used
+	mrand "math/rand/something"
 )
 
 func main() {

diff --git a/go/lang/security/audit/crypto/math_random.go b/go/lang/security/audit/crypto/math_random.go
@@ -4,6 +4,12 @@ import (
 	"crypto/rand"
 	// ruleid: math-random-used
 	mrand "math/rand"
+	// ruleid: math-random-used
+	mrand "math/rand/v2"
+	// ruleid: math-random-used
+	mrand "math/rand/v222"
+	// ok: math-random-used
+	mrand "math/rand/something"
 )
 
 func main() {

diff --git a/go/lang/security/audit/crypto/math_random.yaml b/go/lang/security/audit/crypto/math_random.yaml
@@ -26,7 +26,7 @@ rules:
           import "$MATH"
     - metavariable-regex:
         metavariable: $MATH
-        regex: ^(math/rand)$
+        regex: ^(math/rand(\/v[0-9]+)*)$
     - pattern-either:
         - pattern-inside: |
             ...

diff --git a/java/spring/security/injection/tainted-url-host.yaml b/java/spring/security/injection/tainted-url-host.yaml
@@ -8,9 +8,9 @@ rules:
     This could allow an attacker to send data to their own server,
     potentially exposing sensitive data such as cookies or authorization
     information sent with this request. They could also probe internal
-    servers or other resources that the server runnig this code can access.
+    servers or other resources that the server running this code can access.
     (This is called server-side request forgery, or SSRF.) Do not allow
-    arbitrary hosts. Instead, create an allowlist for approved hosts hardcode
+    arbitrary hosts. Instead, create an allowlist for approved hosts, hardcode
     the correct host, or ensure that the user data can only affect the path or parameters.
   options:
     interfile: true

diff --git a/php/lang/security/injection/tainted-url-host.yaml b/php/lang/security/injection/tainted-url-host.yaml
@@ -8,10 +8,10 @@ rules:
     to send data
     to their own server, potentially exposing sensitive data such as cookies or authorization information
     sent with this request.
-    They could also probe internal servers or other resources that the server runnig this code can access.
+    They could also probe internal servers or other resources that the server running this code can access.
     (This is called
     server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist
-    for approved hosts hardcode
+    for approved hosts, or hardcode
     the correct host.
   metadata:
     cwe:

diff --git a/python/django/security/injection/tainted-url-host.yaml b/python/django/security/injection/tainted-url-host.yaml
@@ -5,8 +5,8 @@ rules:
   message: User data flows into the host portion of this manually-constructed URL. This could allow an
     attacker to send data to their own server, potentially exposing sensitive data such as cookies or
     authorization information sent with this request. They could also probe internal servers or other
-    resources that the server runnig this code can access. (This is called server-side request forgery,
-    or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode the
+    resources that the server running this code can access. (This is called server-side request forgery,
+    or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the
     correct host.
   metadata:
     cwe:

diff --git a/python/flask/security/injection/tainted-url-host.yaml b/python/flask/security/injection/tainted-url-host.yaml
@@ -7,9 +7,9 @@ rules:
     This could allow an attacker to send data to their own server, potentially
     exposing sensitive data such as cookies or authorization information sent
     with this request. They could also probe internal servers or other
-    resources that the server runnig this code can access. (This is called
+    resources that the server running this code can access. (This is called
     server-side request forgery, or SSRF.) Do not allow arbitrary hosts.
-    Instead, create an allowlist for approved hosts hardcode the correct host.
+    Instead, create an allowlist for approved hosts, or hardcode the correct host.
   metadata:
     cwe:
     - 'CWE-918: Server-Side Request Forgery (SSRF)'

diff --git a/ruby/rails/security/injection/tainted-url-host.yaml b/ruby/rails/security/injection/tainted-url-host.yaml
@@ -7,7 +7,7 @@ rules:
     This could allow an attacker to send data to their own server, potentially
     exposing sensitive data such as cookies or authorization information sent
     with this request. They could also probe internal servers or other resources
-    that the server runnig this code can access. (This is called server-side
+    that the server running this code can access. (This is called server-side
     request forgery, or SSRF.) Do not allow arbitrary hosts. Use the `ssrf_filter`
     gem and guard the url construction with `SsrfFilter(...)`, or create
     an allowlist for approved hosts.

diff --git a/scala/lang/security/audit/dispatch-ssrf.yaml b/scala/lang/security/audit/dispatch-ssrf.yaml
@@ -18,8 +18,8 @@ rules:
     A parameter being passed directly into `url` most likely lead to SSRF.
     This could allow an attacker to send data to their own server, potentially exposing sensitive data
     sent with this request.
-    They could also probe internal servers or other resources that the server runnig this code can access.
-    Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode the correct
+    They could also probe internal servers or other resources that the server running this code can access.
+    Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct
     host.
   metadata:
     cwe:

diff --git a/scala/lang/security/audit/io-source-ssrf.yaml b/scala/lang/security/audit/io-source-ssrf.yaml
@@ -20,8 +20,8 @@ rules:
     A parameter being passed directly into `fromURL` most likely lead to SSRF.
     This could allow an attacker to send data to their own server, potentially exposing sensitive data
     sent with this request.
-    They could also probe internal servers or other resources that the server runnig this code can access.
-    Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode the correct
+    They could also probe internal servers or other resources that the server running this code can access.
+    Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct
     host.
   metadata:
     cwe:

diff --git a/scala/lang/security/audit/scalaj-http-ssrf.yaml b/scala/lang/security/audit/scalaj-http-ssrf.yaml
@@ -15,11 +15,11 @@ rules:
           ...
         }
   message: >-
-    A parameter being passed directly into `Http` most likely lead to SSRF.
+    A parameter being passed directly into `Http` can likely lead to SSRF.
     This could allow an attacker to send data to their own server, potentially exposing sensitive data
     sent with this request.
-    They could also probe internal servers or other resources that the server runnig this code can access.
-    Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode the correct
+    They could also probe internal servers or other resources that the server running this code can access.
+    Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct
     host.
   metadata:
     cwe: