Merge pull request #3365 from semgrep/merge-develop-to-release

Merge Develop into Release
semgrep · Apr 29, 2024 · d9ccd4c · d9ccd4c
2 parents 0279a95 + 9ac9a3d
commit d9ccd4c
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 11 deletions.
diff --git a/java/lang/security/xmlinputfactory-external-entities-enabled.yaml b/java/lang/security/xmlinputfactory-external-entities-enabled.yaml
@@ -35,5 +35,7 @@ rules:
   - pattern-either:
       - pattern: (javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty("javax.xml.stream.isSupportingExternalEntities", true);
       - pattern: (javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty(javax.xml.stream.XMLInputFactory.SUPPORT_DTD, true);
+      - pattern: (javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty("javax.xml.stream.isSupportingExternalEntities", Boolean.TRUE);
+      - pattern: (javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty(javax.xml.stream.XMLInputFactory.SUPPORT_DTD, Boolean.TRUE);
   languages:
   - java
diff --git a/java/lang/security/xmlinputfactory-possible-xxe.java b/java/lang/security/xmlinputfactory-possible-xxe.java
@@ -29,6 +29,18 @@ public GoodConstXMLInputFactory() {
     }
 }
 
+class GoodConstXMLInputFactory1 {
+    public GoodConstXMLInputFactory1() {
+        final XMLInputFactory xmlInputFactory = XMLInputFactory.newFactory();
+
+        // See
+        // https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md#xmlinputfactory-a-stax-parser
+        xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
+        // ok
+        xmlInputFactory.setProperty(IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+    }
+}
+
 class BadXMLInputFactory1 {
     public BadXMLInputFactory1() {
         // ruleid:xmlinputfactory-possible-xxe

diff --git a/java/lang/security/xmlinputfactory-possible-xxe.yaml b/java/lang/security/xmlinputfactory-possible-xxe.yaml
@@ -45,6 +45,18 @@ rules:
         $XMLFACTORY.setProperty(javax.xml.stream.XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
         ...
       }
+  - pattern-not-inside: |
+      $METHOD(...) {
+        ...
+        $XMLFACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities", Boolean.FALSE);
+        ...
+      }
+  - pattern-not-inside: |
+      $METHOD(...) {
+        ...
+        $XMLFACTORY.setProperty(javax.xml.stream.XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
+        ...
+      }
   - pattern-either:
     - pattern: javax.xml.stream.XMLInputFactory.newFactory(...)
     - pattern: new XMLInputFactory(...)

diff --git a/javascript/express/security/injection/tainted-sql-string.yaml b/javascript/express/security/injection/tainted-sql-string.yaml
@@ -35,13 +35,7 @@ rules:
   pattern-sources:
   - patterns:
     - pattern-either:
-      - pattern-inside: function ... ($REQ, $RES) {...}
-      - pattern-inside: function ... ($REQ, $RES, $NEXT) {...}
-      - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...})
-      - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})
-    - metavariable-regex:
-        metavariable: $METHOD
-        regex: ^(get|post|put|head|delete|options)$
+      - pattern-inside: function ... (...,$REQ, ...) {...}
     - pattern-either:
       - pattern: $REQ.query
       - pattern: $REQ.body
@@ -50,11 +44,11 @@ rules:
       - pattern: $REQ.headers
   - patterns:
     - pattern-either:
-      - pattern-inside: |
-          ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>
+      - pattern-inside: >
+          (...,{ $REQ }: Request,...) =>
           {...}
       - pattern-inside: |
-          ({ $REQ }: Request,$RES: Response) => {...}
+          (...,{ $REQ }: $EXPRESS.Request,...) => {...}
     - focus-metavariable: $REQ
     - pattern-either:
       - pattern: params

diff --git a/yaml/semgrep/metadata-incorrect-option.yaml b/yaml/semgrep/metadata-incorrect-option.yaml
@@ -22,4 +22,4 @@ rules:
           $KEY: $VALUE
       - metavariable-regex:
           metavariable: $KEY
-          regex: (?!options|constant_propagation|symbolic_propagation|taint_unify_mvars|taint_assume_safe_functions|taint_assume_safe_indexes|taint_assume_safe_comparisons|taint_assume_safe_booleans|taint_assume_safe_numbers|ac_matching|commutative_boolop|flddef_assign|arrow_is_function|let_is_var|go_deeper_expr|go_deeper_stmt|implicit_deep_exprstmt|implicit_ellipsis|xml_singleton_loose_matching|xml_attrs_implicit_ellipsis|xml_children_ordered|generic_engine|generic_multiline|generic_braces|generic_extra_braces|generic_extra_word_characters|generic_caseless|generic_ellipsis_max_span|generic_comment_style|interfile|generic_engine|commutative_compop)
+          regex: (?!options|constant_propagation|symbolic_propagation|taint_unify_mvars|taint_assume_safe_functions|taint_assume_safe_indexes|taint_assume_safe_comparisons|taint_assume_safe_booleans|taint_assume_safe_numbers|ac_matching|commutative_boolop|flddef_assign|arrow_is_function|let_is_var|go_deeper_expr|go_deeper_stmt|implicit_deep_exprstmt|implicit_ellipsis|xml_singleton_loose_matching|xml_attrs_implicit_ellipsis|xml_children_ordered|generic_engine|generic_multiline|generic_braces|generic_extra_braces|generic_extra_word_characters|generic_caseless|generic_ellipsis_max_span|generic_comment_style|interfile|generic_engine|commutative_compop|taint_focus_on)