From f3127c2abd318cf998490eb3d511b32594480e79 Mon Sep 17 00:00:00 2001 From: pabloest Date: Fri, 3 May 2024 08:08:55 -0700 Subject: [PATCH 01/17] Update README to fix bugs, add links, and update structure --- README.md | 34 +++++++++++++++++++++++----------- 1 file changed, 23 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 2e33554bd7..2e3b7c5681 100644 --- a/README.md +++ b/README.md 
@@ -1,21 +1,34 @@ # semgrep-rules -[![powered by semgrep](https://img.shields.io/badge/powered%20by-semgrep-1B2F3D?labelColor=lightgrey&link=https://semgrep.live/&style=flat-square&logo=data%3Aimage%2Fpng%3Bbase64%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)](https://semgrep.dev/) -[![Semgrep community slack](https://img.shields.io/badge/slack-join-green?style=flat-square)](https://go.semgrep.dev/slack) +[![powered by semgrep](https://img.shields.io/badge/powered%20by%20semgrep-2ACFA6)](https://semgrep.dev/) + +Join Semgrep community Slack + -| branch | using semgrep docker image | test status | -| ------------ | ------------------------ | -------------------- | -| `develop` | `returntocorp/semgrep:develop` | [![semgrep-rules-test-develop](https://github.com/returntocorp/semgrep-rules/workflows/semgrep-develop/badge.svg)](https://github.com/returntocorp/semgrep-rules/actions?query=workflow%3Asemgrep-develop+branch%3Adevelop) | +Welcome! This repository is the standard library for open source [Semgrep](https://semgrep.dev/) rules. -Welcome! This repository is the standard library for [Semgrep](https://semgrep.dev/) rules. There are many more rules available in the [Semgrep Registry](https://semgrep.dev/explore) written by [Semgrep, Inc.](https://semgrep.dev/) and other contributors. The [Semgrep Registry](https://semgrep.dev/explore) includes rules from this repository and additional rules that are accessible within [Semgrep Cloud Platform](https://semgrep.dev/pricing). If there is a specific rule you are looking for, see the [Semgrep registry search](https://semgrep.dev/r). To contribute, find details about contributing in the [Contributing to Semgrep rules](https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/) documentation. 
+In addition to rules in this repository, the [Semgrep Registry](https://semgrep.dev/explore) also includes proprietary rules that enable interfile and interprocedural analsis, called [Pro rules](https://semgrep.dev/products/semgrep-code/pro-rules). -## Using Semgrep rules repository +- Find rules: search for open source and Pro rules through the [Semgrep registry search](https://semgrep.dev/r). +- Use rules: Scan your code with these rules through the [Semgrep AppSec Platform](https://semgrep.dev/login) +- Contribute to rules: see the [Contributing to Semgrep rules](https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/) documentation. -Run existing and custom Semgrep rules locally with the Semgrep command line interface (Semgrep CLI) or continuously with Semgrep in CI while using Semgrep App. To start using Semgrep rules, see [Semgrep tutorial](https://semgrep.dev/learn), [Getting started with Semgrep CLI](https://semgrep.dev/docs/getting-started/), and [Getting started with Semgrep App](https://semgrep.dev/docs/semgrep-app/getting-started-with-semgrep-app/). +## Using the Semgrep rules repository + +Run existing and custom Semgrep rules locally with the Semgrep command line interface (Semgrep CLI) or continuously with Semgrep in CI while using Semgrep AppSec Platform. To start using Semgrep rules, see [Semgrep tutorial](https://semgrep.dev/learn), [Getting started with Semgrep CLI](https://semgrep.dev/docs/getting-started/), and [Getting started with Semgrep App](https://semgrep.dev/docs/semgrep-app/getting-started-with-semgrep-app/). To write your own Semgrep rules, see the [Semgrep tutorial](https://semgrep.dev/learn) and [documentation on writing rules](https://semgrep.dev/docs/writing-rules/overview/). 
+ +## Writing Semgrep rules + +See Semgrep documentation on [writing rules](https://semgrep.dev/docs/writing-rules/overview/), including: + +- Pattern syntax, describing what Semgrep patterns can do in detail, and provides example use cases of the ellipsis operator, metavariables. +- Rule syntax, describing Semgrep YAML rule files, which can have multiple patterns, detailed output messages, and autofixes. The syntax allows the composition of individual patterns with boolean operators. + +You can also learn how to write rules using the [interactive, example-based Semgrep rule tutorial](https://semgrep.dev/learn). ## Contributing -We welcome Semgrep rule contributions directly to this repository! When you submit your contribution to the `semgrep-rules` repository we’ll ask you to make Semgrep, Inc. a joint owner of your contributions. While you still own copyright rights to your rule, joint ownership allows Semgrep, Inc. to license these contributions to other [Semgrep Registry](https://semgrep.dev/r) users pursuant to the LGPL 2.1 under the [Commons Clause](https://commonsclause.com/). See full [license details](https://github.com/returntocorp/semgrep-rules/blob/develop/LICENSE). +We welcome Semgrep rule contributions directly to this repository! When submitting your contribution to this repository, we’ll ask you to make Semgrep, Inc. a joint owner of your contributions. While you still own copyright rights to your rule, joint ownership allows Semgrep, Inc. to license these contributions to other [Semgrep Registry](https://semgrep.dev/r) users pursuant to the LGPL 2.1 under the [Commons Clause](https://commonsclause.com/). See full [license details](https://github.com/returntocorp/semgrep-rules/blob/develop/LICENSE). Note: To contribute, review the **[Contributing to Semgrep rules](https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/)** documentation. 
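Review bot: typo in the added Pro rules sentence: "interfile and interprocedural analsis" should read "analysis". Two smaller style points in the same hunk: the "Use rules" bullet is the only one of the three without a trailing period, and the new "Using the Semgrep rules repository" paragraph links the same tutorial URL (https://semgrep.dev/learn) twice in consecutive sentences, so one of the two links can go.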
@@ -29,8 +42,7 @@ Join [Slack](https://go.semgrep.dev/slack) for the fastest answers to your quest ### GitHub action to run tests -If you fork this repository or create your own, you can add a special [semgrep --rules-test](https://github.com/marketplace/actions/semgrep-rules-test) GitHub Action to your workflow that will automatically test your rules using the latest version of Semgrep. See our [semgrep-rules-test](https://github.com/returntocorp/semgrep-rules/blob/develop/.github/workflows/semgrep-rules-test.yml). +If you fork this repository or create your own, you can add a GitHub Action to your workflow that will automatically test your rules using the latest version of Semgrep. See our [semgrep-rules-test example](https://github.com/returntocorp/semgrep-rules/blob/develop/.github/workflows/semgrep-rules-test.yml). ### Rulesets From 5d829bc23fb79f9011c948d06e64467bd790d9ea Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 3 May 2024 21:42:24 +0000 Subject: [PATCH 02/17] Bump tqdm from 4.66.1 to 4.66.3 Bumps [tqdm](https://github.com/tqdm/tqdm) from 4.66.1 to 4.66.3. - [Release notes](https://github.com/tqdm/tqdm/releases) - [Commits](https://github.com/tqdm/tqdm/compare/v4.66.1...v4.66.3) --- updated-dependencies: - dependency-name: tqdm dependency-type: indirect ... Signed-off-by: dependabot[bot] --- Pipfile.lock | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/Pipfile.lock b/Pipfile.lock index e8bb09e9b3..891842ad7a 100644 --- a/Pipfile.lock +++ b/Pipfile.lock 
@@ -279,11 +279,12 @@ }, "tqdm": { "hashes": [ - "sha256:d302b3c5b53d47bce91fea46679d9c3c6508cf6332229aa1e7d8653723793386", - "sha256:d88e651f9db8d8551a62556d3cff9e3034274ca5d66e93197cf2490e2dcb69c7" + "sha256:23097a41eba115ba99ecae40d06444c15d1c0c698d527a01c6c8bd1c5d0647e5", + "sha256:4f41d54107ff9a223dca80b53efe4fb654c67efaba7f47bada3ee9d50e05bd53" ], + "index": "pypi", "markers": "python_version >= '3.7'", - "version": "==4.66.1" + "version": "==4.66.3" }, "urllib3": { "hashes": [ From c686c81cd97f1506274c82fed65a3260e8f63a71 Mon Sep 17 00:00:00 2001 From: Pablo Estrada Date: Mon, 6 May 2024 08:50:55 -0700 Subject: [PATCH 03/17] Update README.md Co-authored-by: Katie Horne --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2e3b7c5681..d468e52ff8 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ Welcome! This repository is the standard library for open source [Semgrep](https://semgrep.dev/) rules. -In addition to rules in this repository, the [Semgrep Registry](https://semgrep.dev/explore) also includes proprietary rules that enable interfile and interprocedural analsis, called [Pro rules](https://semgrep.dev/products/semgrep-code/pro-rules). +In addition to the rules in this repository, the [Semgrep Registry](https://semgrep.dev/explore) offers proprietary [Pro rules](https://semgrep.dev/products/semgrep-code/pro-rules) that enable interfile and interprocedural analysis. - Find rules: search for open source and Pro rules through the [Semgrep registry search](https://semgrep.dev/r). - Use rules: Scan your code with these rules through the [Semgrep AppSec Platform](https://semgrep.dev/login) From c383ba08384a210bd1a36c15398213402d27f055 Mon Sep 17 00:00:00 2001 From: Pablo Estrada Date: Mon, 6 May 2024 08:51:02 -0700 Subject: [PATCH 04/17] Update README.md Co-authored-by: Katie Horne --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/README.md b/README.md index d468e52ff8..ee34c81fc6 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ Welcome! This repository is the standard library for open source [Semgrep](https In addition to the rules in this repository, the [Semgrep Registry](https://semgrep.dev/explore) offers proprietary [Pro rules](https://semgrep.dev/products/semgrep-code/pro-rules) that enable interfile and interprocedural analysis. - Find rules: search for open source and Pro rules through the [Semgrep registry search](https://semgrep.dev/r). -- Use rules: Scan your code with these rules through the [Semgrep AppSec Platform](https://semgrep.dev/login) +- Use rules: Scan your code with these rules through [Semgrep AppSec Platform](https://semgrep.dev/login) - Contribute to rules: see the [Contributing to Semgrep rules](https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/) documentation. ## Using the Semgrep rules repository From ea482e362dc76d31b1f1e149747836291d36cad5 Mon Sep 17 00:00:00 2001 From: Pablo Estrada Date: Mon, 6 May 2024 08:51:13 -0700 Subject: [PATCH 05/17] Update README.md Co-authored-by: Katie Horne --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ee34c81fc6..8c924f5c11 100644 --- a/README.md +++ b/README.md 
@@ -11,7 +11,7 @@ In addition to the rules in this repository, the [Semgrep Registry](https://semg - Find rules: search for open source and Pro rules through the [Semgrep registry search](https://semgrep.dev/r). - Use rules: Scan your code with these rules through [Semgrep AppSec Platform](https://semgrep.dev/login) -- Contribute to rules: see the [Contributing to Semgrep rules](https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/) documentation. +- Contribute to rules: see [Contributing to Semgrep rules](https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/) for more information. ## Using the Semgrep rules repository From b140c42eba836daea2d6c74e67fdda6399e3bf44 Mon Sep 17 00:00:00 2001 From: Pablo Estrada Date: Mon, 6 May 2024 08:51:32 -0700 Subject: [PATCH 06/17] Update README.md Co-authored-by: Katie Horne --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8c924f5c11..f6aab501d1 100644 --- a/README.md +++ b/README.md 
@@ -15,7 +15,7 @@ In addition to the rules in this repository, the [Semgrep Registry](https://semg ## Using the Semgrep rules repository -Run existing and custom Semgrep rules locally with the Semgrep command line interface (Semgrep CLI) or continuously with Semgrep in CI while using Semgrep AppSec Platform. To start using Semgrep rules, see [Semgrep tutorial](https://semgrep.dev/learn), [Getting started with Semgrep CLI](https://semgrep.dev/docs/getting-started/), and [Getting started with Semgrep App](https://semgrep.dev/docs/semgrep-app/getting-started-with-semgrep-app/). To write your own Semgrep rules, see the [Semgrep tutorial](https://semgrep.dev/learn) and [documentation on writing rules](https://semgrep.dev/docs/writing-rules/overview/). +To start writing and using Semgrep rules, see [Learn Semgrep syntax](https://semgrep.dev/learn) and [Writing rules](https://semgrep.dev/docs/writing-rules/overview/). Then, run existing and custom Semgrep rules locally with the [Semgrep command line interface (Semgrep CLI)](https://semgrep.dev/docs/getting-started/) or [continuously with Semgrep in CI while using Semgrep AppSec Platform](https://semgrep.dev/docs/semgrep-app/getting-started-with-semgrep-app/). ## Writing Semgrep rules From 6bf22a092d4cb8eff1fc10e880f130b8b859cf80 Mon Sep 17 00:00:00 2001 From: Pablo Estrada Date: Mon, 6 May 2024 08:51:41 -0700 Subject: [PATCH 07/17] Update README.md Co-authored-by: Katie Horne --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f6aab501d1..9f48a84b8a 100644 --- a/README.md +++ b/README.md 
@@ -21,7 +21,7 @@ To start writing and using Semgrep rules, see [Learn Semgrep syntax](https://sem See Semgrep documentation on [writing rules](https://semgrep.dev/docs/writing-rules/overview/), including: -- Pattern syntax, describing what Semgrep patterns can do in detail, and provides example use cases of the ellipsis operator, metavariables. +- Pattern syntax, describing what Semgrep patterns can do in detail, and example use cases of the ellipsis operator, metavariables. - Rule syntax, describing Semgrep YAML rule files, which can have multiple patterns, detailed output messages, and autofixes. The syntax allows the composition of individual patterns with boolean operators. You can also learn how to write rules using the [interactive, example-based Semgrep rule tutorial](https://semgrep.dev/learn). From 529a62dbf3a4331dcca3653b7406a870e7f44226 Mon Sep 17 00:00:00 2001 From: Pablo Estrada Date: Mon, 6 May 2024 08:52:47 -0700 Subject: [PATCH 08/17] Update README.md Co-authored-by: Katie Horne --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9f48a84b8a..3500e141b8 100644 --- a/README.md +++ b/README.md @@ -19,7 +19,7 @@ To start writing and using Semgrep rules, see [Learn Semgrep syntax](https://sem ## Writing Semgrep rules -See Semgrep documentation on [writing rules](https://semgrep.dev/docs/writing-rules/overview/), including: +See [Writing rules](https://semgrep.dev/docs/writing-rules/overview/) for information including: - Pattern syntax, describing what Semgrep patterns can do in detail, and example use cases of the ellipsis operator, metavariables. - Rule syntax, describing Semgrep YAML rule files, which can have multiple patterns, detailed output messages, and autofixes. The syntax allows the composition of individual patterns with boolean operators. From 76b27f88b5d2d3d0bef9791a92ad58e450cd719c Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 May 2024 20:44:32 +0000 Subject: [PATCH 09/17] Bump jinja2 from 3.1.3 to 3.1.4 Bumps [jinja2](https://github.com/pallets/jinja) from 3.1.3 to 3.1.4. - [Release notes](https://github.com/pallets/jinja/releases) - [Changelog](https://github.com/pallets/jinja/blob/main/CHANGES.rst) - [Commits](https://github.com/pallets/jinja/compare/3.1.3...3.1.4) --- updated-dependencies: - dependency-name: jinja2 dependency-type: direct:development ... Signed-off-by: dependabot[bot] --- Pipfile | 2 +- Pipfile.lock | 130 +++++++++++++++++++++++++-------------------------- 2 files changed, 66 insertions(+), 66 deletions(-) diff --git a/Pipfile b/Pipfile index a7a292cc8c..3367bca2db 100644 --- a/Pipfile +++ b/Pipfile @@ -4,7 +4,7 @@ url = "https://pypi.org/simple" verify_ssl = true [dev-packages] -jinja2 = "~=3.1.3" +jinja2 = "~=3.1.4" pytest = "*" semgrep = "*" pyyaml = "*" diff --git a/Pipfile.lock b/Pipfile.lock index e8bb09e9b3..59d10f4809 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "762f3c7cbb0a3ecd999e7b644a02421c6132ab10439b5eb9a2531519c86351b9" + "sha256": "d1c4d570ba8e1837ab876d9ac9bbd71c2463c3ca16501a5bb380c8ead66baa40" }, "pipfile-spec": 6, "requires": { @@ -434,12 +434,12 @@ }, "jinja2": { "hashes": [ - "sha256:7d6d50dd97d52cbc355597bd845fabfbac3f551e1f99619e39a35ce8c370b5fa", - "sha256:ac8bd6544d4bb2c9792bf3a159e80bba8fda7f07e81bc3aed565432d5925ba90" + "sha256:4a3aee7acbbe7303aede8e9648d13b8bf88a429282aa6122a993f0ac800cb369", + "sha256:bc5dd2abb727a5319567b7a813e6a2e7318c39f4f487cfe6c89c6f9c7d25197d" ], "index": "pypi", "markers": "python_version >= '3.7'", - "version": "==3.1.3" + "version": "==3.1.4" }, "jsonschema": { "hashes": [ 
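Review bot: the commit message describes only the jinja2 3.1.3 -> 3.1.4 bump, but the diffstat shows 66 insertions and 66 deletions in Pipfile.lock, and the following hunk replaces the entire markupsafe hash set and moves its pin from 2.1.3 to 2.1.5; transitive bumps that ride along in the same lock refresh should be named in the message so the dependency change stays auditable. The `_meta.hash` change itself is expected, since the Pipfile pin was edited (`jinja2 = "~=3.1.4"`).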
@@ -450,69 +450,69 @@ }, "markupsafe": { "hashes": [ ], "markers": "python_version >= '3.7'", - "version": "==2.1.3" + "version": "==2.1.5" }, "packaging": { "hashes": [ From b6d791baa972433ebbbdd19f66645509dfd83e85 Mon Sep 17 00:00:00 2001
From: Anton Abashkin Date: Tue, 7 May 2024 17:23:20 +0800 Subject: [PATCH 10/17] Add rule use-of-basic-authentication (OpenAPI Spec) (#3370) * Add rule use-of-basic-authentication (OpenAPI) * Update: Restricted to version 3. Version 2 uses 'securityDefinitions' instead of 'components/securitySchemes' --------- Co-authored-by: Vasilii Ermilov --- .../use-of-basic-authentication.test.yaml | 36 ++++++++++++++++ .../security/use-of-basic-authentication.yaml | 41 +++++++++++++++++++ 2 files changed, 77 insertions(+) create mode 100644 yaml/openapi/security/use-of-basic-authentication.test.yaml create mode 100644 yaml/openapi/security/use-of-basic-authentication.yaml diff --git a/yaml/openapi/security/use-of-basic-authentication.test.yaml b/yaml/openapi/security/use-of-basic-authentication.test.yaml new file mode 100644 index 0000000000..63b30365e3 --- /dev/null +++ b/yaml/openapi/security/use-of-basic-authentication.test.yaml @@ -0,0 +1,36 @@ +openapi: 3.1.0 +info: + title: Example API + description: Example API + version: 1.0.0 + +servers: + - url: https://api.example.com/ + +paths: + /test/{param}: + get: + operationId: test + parameters: + - name: param + in: path + required: true + description: test + schema: + type: string + +security: + - basicAuth: [] + - apiKeyAuth: [] + +components: + securitySchemes: + basicAuth: + # ruleid: use-of-basic-authentication + type: http + scheme: basic + apiKeyAuth: + # ok: use-of-basic-authentication + type: apiKey + in: header + name: X-API-Key diff --git a/yaml/openapi/security/use-of-basic-authentication.yaml b/yaml/openapi/security/use-of-basic-authentication.yaml new file mode 100644 index 0000000000..befbd9eb23 --- /dev/null +++ b/yaml/openapi/security/use-of-basic-authentication.yaml 
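Review bot: the test fixture only exercises an OpenAPI 3.1.0 document, yet the commit message says the rule was restricted to version 3 because Swagger 2 uses `securityDefinitions`; add a negative case with `swagger: "2.0"` and a `securityDefinitions:` entry of `type: basic`, marked `# ok: use-of-basic-authentication`, so the version restriction is actually covered. A second case with a quoted version (`openapi: "3.0.3"`) would confirm the metavariable binding works for both scalar styles, and a case where a `type: http` / `scheme: basic` scheme is declared under `securitySchemes` but never referenced from `security:` would document whether the rule is meant to fire on unused definitions (as written it does).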
@@ -0,0 +1,41 @@ +rules: + - id: use-of-basic-authentication + languages: [yaml] + message: >- + Basic authentication is considered weak and should be avoided. + Use a different authentication scheme, such of OAuth2, OpenID Connect, or mTLS. + severity: ERROR + patterns: + - pattern-inside: | + openapi: $VERSION + ... + components: + ... + securitySchemes: + ... + $SCHEME: + ... + - metavariable-regex: + metavariable: $VERSION + regex: 3.* + - pattern: | + type: http + ... + scheme: basic + metadata: + category: security + subcategory: vuln + technology: + - openapi + likelihood: MEDIUM + impact: HIGH + confidence: HIGH + cwe: 'CWE-287: Improper Authentication' + owasp: + - 'A04:2021 Insecure Design' + - 'A07:2021 Identification and Authentication Failures' + references: + - https://cwe.mitre.org/data/definitions/287.html + - https://owasp.org/Top10/A04_2021-Insecure_Design/ + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/ + \ No newline at end of file From 40079b93dc152e30ff1791b3de6fb825cd2daf7d Mon Sep 17 00:00:00 2001 From: Vasilii Date: Wed, 8 May 2024 15:53:32 +0900 Subject: [PATCH 11/17] update metadata for JS tainted-sql-string rule --- javascript/express/security/injection/tainted-sql-string.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/javascript/express/security/injection/tainted-sql-string.yaml b/javascript/express/security/injection/tainted-sql-string.yaml index e5d078f933..6f16c720ab 100644 --- a/javascript/express/security/injection/tainted-sql-string.yaml +++ b/javascript/express/security/injection/tainted-sql-string.yaml 
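Review bot: in use-of-basic-authentication.yaml the `metavariable-regex` value `3.*` is looser than the intent: with Semgrep's unanchored metavariable-regex matching it also accepts any version string that contains a 3 (for example `2.3.0`); anchor it, e.g. `'^3\.'`, and keep the `openapi: $VERSION` key as the primary guard, since Swagger 2 documents use `swagger: "2.0"` and never match that key anyway. Two more points on the same hunk: the message has a typo ("such of OAuth2" -> "such as OAuth2"), and the file lacks a trailing newline (`\ No newline at end of file`).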
@@ -10,10 +10,10 @@ rules: protect your queries. metadata: owasp: - - A07:2017 - Cross-Site Scripting (XSS) + - A01:2017 - Injection - A03:2021 - Injection cwe: - - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" references: - https://owasp.org/www-community/attacks/SQL_Injection category: security From 995826581dc1350917d7848aecd356fcad6505df Mon Sep 17 00:00:00 2001 From: "semgrep-dev-pr-bot[bot]" <63393893+semgrep-dev-pr-bot[bot]@users.noreply.github.com> Date: Wed, 8 May 2024 17:08:12 +0900 Subject: [PATCH 12/17] New Published Rules - 1512543916_personal_org.missing-self-transfer-check-ercx (#3373) * add 1512543916_personal_org/missing-self-transfer-check-ercx.yaml * add 1512543916_personal_org/missing-self-transfer-check-ercx.sol * move missing-self-transfer-check-ercx to solidity folder * move missing-self-transfer-check-ercx to solidity folder --------- Co-authored-by: MarkLee131 <1512543916@qq.com> Co-authored-by: Vasilii --- .../missing-self-transfer-check-ercx.sol | 90 +++++++++++++++++++ .../missing-self-transfer-check-ercx.yaml | 43 +++++++++ 2 files changed, 133 insertions(+) create mode 100644 solidity/security/missing-self-transfer-check-ercx.sol create mode 100644 solidity/security/missing-self-transfer-check-ercx.yaml diff --git a/solidity/security/missing-self-transfer-check-ercx.sol b/solidity/security/missing-self-transfer-check-ercx.sol new file mode 100644 index 0000000000..d3d1c50206 --- /dev/null +++ b/solidity/security/missing-self-transfer-check-ercx.sol 
@@ -0,0 +1,90 @@ +function _update(address from, address to, uint256 value, bool mint) internal virtual { + uint256 fromBalance = _balances[from]; + uint256 toBalance = _balances[to]; + if (fromBalance < value) { + revert ERC20InsufficientBalance(from, fromBalance, value); + } + + //No need to adjust balances when transfer is to self, prevent self NFT-grind + + unchecked { + // Overflow not possible: value <= fromBalance <= totalSupply. + // ruleid: missing-self-transfer-check-ercx + _balances[from] = fromBalance - value; + // ruleid: missing-self-transfer-check-ercx + _balances[to] = toBalance + value; + + + if(mint) { + // Skip burn for certain addresses to save gas + bool wlf = whitelist[from]; + if (!wlf) { + uint256 tokens_to_burn = (fromBalance / tokensPerNFT) - ((fromBalance - value) / tokensPerNFT); + if(tokens_to_burn > 0) + _burnBatch(from, tokens_to_burn); + } + + // Skip minting for certain addresses to save gas + if (!whitelist[to]) { + if(easyLaunch == 1 && wlf && from == owner()) { + //auto-initialize first (assumed) LP + whitelist[to] = true; + easyLaunch = 2; + } else { + uint256 tokens_to_mint = ((toBalance + value) / tokensPerNFT) - (toBalance / tokensPerNFT); + if(tokens_to_mint > 0) + _mintWithoutCheck(to, tokens_to_mint); + } + } + } + } + + emit Transfer(from, to, value); +} + + +function _update(address from, address to, uint256 value, bool mint) internal virtual { + uint256 fromBalance = _balances[from]; + uint256 toBalance = _balances[to]; + if (fromBalance < value) { + revert ERC20InsufficientBalance(from, fromBalance, value); + } + + //No need to adjust balances when transfer is to self, prevent self NFT-grind + if (from != to) { + unchecked { + // Overflow not possible: value <= fromBalance <= totalSupply. + //ok: missing-self-transfer-check-ercx + _balances[from] = fromBalance - value; + + // Overflow not possible: balance + value is at most totalSupply, which we know fits into a uint256. 
+ //ok: missing-self-transfer-check-ercx + _balances[to] = toBalance + value; + } + + if(mint) { + // Skip burn for certain addresses to save gas + bool wlf = whitelist[from]; + if (!wlf) { + uint256 tokens_to_burn = (fromBalance / tokensPerNFT) - ((fromBalance - value) / tokensPerNFT); + if(tokens_to_burn > 0) + _burnBatch(from, tokens_to_burn); + } + + // Skip minting for certain addresses to save gas + if (!whitelist[to]) { + if(easyLaunch == 1 && wlf && from == owner()) { + //auto-initialize first (assumed) LP + whitelist[to] = true; + easyLaunch = 2; + } else { + uint256 tokens_to_mint = ((toBalance + value) / tokensPerNFT) - (toBalance / tokensPerNFT); + if(tokens_to_mint > 0) + _mintWithoutCheck(to, tokens_to_mint); + } + } + } + } + + emit Transfer(from, to, value); +} diff --git a/solidity/security/missing-self-transfer-check-ercx.yaml b/solidity/security/missing-self-transfer-check-ercx.yaml new file mode 100644 index 0000000000..017d499125 --- /dev/null +++ b/solidity/security/missing-self-transfer-check-ercx.yaml 
@@ -0,0 +1,43 @@ +rules: +- id: missing-self-transfer-check-ercx + languages: + - solidity + message: >- + Missing check for 'from' and 'to' being the same before updating balances + could lead to incorrect balance manipulation on self-transfers. + Include a check to ensure 'from' and 'to' are not the same before updating balances to prevent balance manipulation during self-transfers. + severity: ERROR + metadata: + category: security + technology: + - blockchain + - solidity + cwe: 'CWE-682: Incorrect Calculation' + subcategory: + - vuln + confidence: HIGH + likelihood: HIGH + impact: HIGH + owasp: + - A7:2021 Identification and Authentication Failures + references: + - https://blog.verichains.io/p/miner-project-attacked-by-vulnerabilities + - https://x.com/shoucccc/status/1757777764646859121 + patterns: + - pattern-either: + - pattern: | + _balances[$FROM] = $FROM_BALANCE - value; + - pattern: | + _balances[$TO] = $TO_BALANCE + value; + - pattern-not-inside: | + if ($FROM != $TO) { + ... + _balances[$FROM] = $FROM_BALANCE - value; + ... + _balances[$TO] = $TO_BALANCE + value; + ... + } + - pattern-inside: | + function _update(address $FROM, address $TO, uint256 value, bool mint) internal virtual { + ... + } From 0502383d08d39e95bc5d6983df376d2c3b825e00 Mon Sep 17 00:00:00 2001 
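Review bot: in the `ruleid` variant of `_update` in missing-self-transfer-check-ercx.sol, the comment `//No need to adjust balances when transfer is to self, prevent self NFT-grind` sits above code that performs no such check, so the vulnerable fixture reads as if the guard were present; reword it for that variant (for example `// missing: from != to guard`) so the two copies differ in more than the `if`. A second `ok` variant that guards with an early return (`if (from == to) { emit Transfer(from, to, value); return; }`) would also be useful, because that is the other common shape of the fix; as the rule stands its `pattern-not-inside` only recognises the `if ($FROM != $TO) { ... }` wrapper, so adding that case would show whether the rule needs extending or the limitation needs documenting.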
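Review bot: the `pattern-inside` in missing-self-transfer-check-ercx.yaml pins the exact signature `function _update(address $FROM, address $TO, uint256 value, bool mint) internal virtual`, so the standard three-argument OpenZeppelin `_update(address from, address to, uint256 value)` and any variant that renames `value` or omits `virtual` is never inspected; consider binding the amount as a metavariable (`$VALUE`) in both the signature and the two balance writes and loosening the parameter list so the rule is not tied to one fork's function shape. The `pattern-not-inside` only excludes the `if ($FROM != $TO) { ... }` wrapper, so an implementation that guards with an early return on `$FROM == $TO` before the writes is still reported; an additional exclusion for that form would remove a predictable false positive. The `owasp` entry `A7:2021 Identification and Authentication Failures` does not describe an incorrect-calculation bug and is formatted differently from the `A03:2021 - Injection` style used by the other rules in this series; `CWE-682` already classifies the finding correctly, so drop the OWASP line or pick an applicable category.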
From: "semgrep-dev-pr-bot[bot]" <63393893+semgrep-dev-pr-bot[bot]@users.noreply.github.com> Date: Wed, 8 May 2024 18:37:35 +0900 Subject: [PATCH 13/17] New Published Rules - federicobellini.session-cookie-samesitenone (#3361) * add federicobellini/session-cookie-samesitenone.yaml * add federicobellini/session-cookie-samesitenone.go * move session-cookie-samesitenone rule to go/gorilla folder --------- Co-authored-by: semgrep.dev Co-authored-by: Vasilii --- .../audit/session-cookie-samesitenone.go | 40 +++++++++++++++++++ .../audit/session-cookie-samesitenone.yaml | 36 +++++++++++++++++ 2 files changed, 76 insertions(+) create mode 100644 go/gorilla/security/audit/session-cookie-samesitenone.go create mode 100644 go/gorilla/security/audit/session-cookie-samesitenone.yaml diff --git a/go/gorilla/security/audit/session-cookie-samesitenone.go b/go/gorilla/security/audit/session-cookie-samesitenone.go new file mode 100644 index 0000000000..56b52c7906 --- /dev/null +++ b/go/gorilla/security/audit/session-cookie-samesitenone.go 
@@ -0,0 +1,40 @@ +package main + +import ( + "net/http" + "github.com/gorilla/sessions" +) + +var store = sessions.NewCookieStore([]byte("")) + +func setSessionWithSameSiteNone(w http.ResponseWriter, r *http.Request) { + session, _ := store.Get(r, "session-name") + // ruleid: session-cookie-samesitenone + session.Options = &sessions.Options{ + Path: "/", + MaxAge: 3600, + HttpOnly: true, + Secure: true, + SameSite: http.SameSiteNoneMode, + } + session.Save(r, w) +} + +func setSessionWithSameSiteStrict(w http.ResponseWriter, r *http.Request) { + session, _ := store.Get(r, "session-name") + // ok: session-cookie-samesitenone + session.Options = &sessions.Options{ + Path: "/", + MaxAge: 3600, + HttpOnly: true, + Secure: true, + SameSite: http.SameSiteStrictMode, + } + session.Save(r, w) +} + +func main() { + http.HandleFunc("/set-none", setSessionWithSameSiteNone) + http.HandleFunc("/set-strict", setSessionWithSameSiteStrict) + http.ListenAndServe(":8080", nil) +} diff --git a/go/gorilla/security/audit/session-cookie-samesitenone.yaml b/go/gorilla/security/audit/session-cookie-samesitenone.yaml new file mode 100644 index 0000000000..bcec859903 --- /dev/null +++ b/go/gorilla/security/audit/session-cookie-samesitenone.yaml 
@@ -0,0 +1,36 @@ +rules: +- id: session-cookie-samesitenone + patterns: + - pattern-inside: | + &sessions.Options{ + ..., + SameSite: http.SameSiteNoneMode, + ..., + } + - pattern: | + &sessions.Options{ + ..., + } + message: Found SameSiteNoneMode setting in Gorilla session options. Consider setting + SameSite to Lax, Strict or Default for enhanced security. + metadata: + cwe: + - 'CWE-1275: Sensitive Cookie with Improper SameSite Attribute' + owasp: + - A05:2021 - Security Misconfiguration + references: + - https://pkg.go.dev/github.com/gorilla/sessions#Options + category: security + technology: + - gorilla + confidence: MEDIUM + subcategory: + - audit + likelihood: LOW + impact: LOW + fix-regex: + regex: (SameSite\s*:\s+)http.SameSiteNoneMode + replacement: \1http.SameSiteDefaultMode + severity: WARNING + languages: + - go From 7d2773e2118694c294a0f379d2ac83826d133649 Mon Sep 17 00:00:00 2001 From: Vasilii Ermilov Date: Thu, 9 May 2024 10:58:52 +0900 Subject: [PATCH 14/17] Fix metadata for use-of-basic-authentication rule (#3378) --- yaml/openapi/security/use-of-basic-authentication.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/yaml/openapi/security/use-of-basic-authentication.yaml b/yaml/openapi/security/use-of-basic-authentication.yaml index befbd9eb23..eb95190a77 100644 --- a/yaml/openapi/security/use-of-basic-authentication.yaml +++ b/yaml/openapi/security/use-of-basic-authentication.yaml @@ -24,7 +24,8 @@ rules: scheme: basic metadata: category: security - subcategory: vuln + subcategory: + - vuln technology: - openapi likelihood: MEDIUM From 9bc127c0cd63e679e0a208289b20706509d86330 Mon Sep 17 00:00:00 2001 
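Review bot: the fixture session-cookie-samesitenone.go has a single `ok` case (`http.SameSiteStrictMode`) while the rule message recommends Lax, Strict or Default; add `ok` handlers for `http.SameSiteLaxMode` and `http.SameSiteDefaultMode` so the value the `fix-regex` produces is itself covered by the test. A variant that sets the field after construction (`session.Options.SameSite = http.SameSiteNoneMode`) would document that the current `&sessions.Options{ ... }` pattern does not match that form. Minor: `store = sessions.NewCookieStore([]byte(""))` uses an empty key, which reads as a second, unrelated weakness in a file meant to illustrate only the SameSite setting.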
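Review bot: the `fix-regex` in session-cookie-samesitenone.yaml rewrites `http.SameSiteNoneMode` to `http.SameSiteDefaultMode`, and in net/http the default mode means the `SameSite` attribute is simply not emitted, leaving the behaviour to each browser; of the three options the message lists it is the weakest, so the autofix should produce `http.SameSiteLaxMode`, which is explicit and interoperable. The regex `(SameSite\s*:\s+)http.SameSiteNoneMode` also requires at least one whitespace character after the colon (`\s+`) and leaves the dot unescaped; `(SameSite\s*:\s*)http\.SameSiteNoneMode` is what was meant. The `pattern-inside` plus `pattern` pair can be collapsed into the single pattern `&sessions.Options{ ..., SameSite: http.SameSiteNoneMode, ... }` with the same match.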
From: Anton Abashkin Date: Thu, 9 May 2024 10:13:46 +0800 Subject: [PATCH 15/17] Add rule API key in query parameter (OpenAPI Spec) (#3375) * Add rule API key in query parameter (OpenAPI Spec) * Update api-key-in-query-parameter.yaml --------- Co-authored-by: Vasilii Ermilov --- .../api-key-in-query-parameter.test.yaml | 37 +++++++++++++++ .../security/api-key-in-query-parameter.yaml | 45 +++++++++++++++++++ 2 files changed, 82 insertions(+) create mode 100644 yaml/openapi/security/api-key-in-query-parameter.test.yaml create mode 100644 yaml/openapi/security/api-key-in-query-parameter.yaml diff --git a/yaml/openapi/security/api-key-in-query-parameter.test.yaml b/yaml/openapi/security/api-key-in-query-parameter.test.yaml new file mode 100644 index 0000000000..22c2df921e --- /dev/null +++ b/yaml/openapi/security/api-key-in-query-parameter.test.yaml @@ -0,0 +1,37 @@ +openapi: 3.1.0 +info: + title: Example API + description: Example API + version: 1.0.0 + +servers: + - url: https://api.example.com/ + +paths: + /test/{param}: + get: + operationId: test + parameters: + - name: param + in: path + required: true + description: test + schema: + type: string + +security: + - apiKeyAuthQuery: [] + - apiKeyAuthHeader: [] + +components: + securitySchemes: + # ruleid: api-key-in-query-parameter + apiKeyAuthQuery: + type: apiKey + in: query + name: api_key + # ok: api-key-in-query-parameter + apiKeyAuthHeader: + type: apiKey + in: header + name: X-API-Key diff --git a/yaml/openapi/security/api-key-in-query-parameter.yaml b/yaml/openapi/security/api-key-in-query-parameter.yaml new file mode 100644 index 0000000000..673c01b8bb --- /dev/null +++ b/yaml/openapi/security/api-key-in-query-parameter.yaml 
@@ -0,0 +1,45 @@ +rules: + - id: api-key-in-query-parameter + languages: [yaml] + message: >- + The $SECURITY_SCHEME security scheme passes an API key in a query parameter. + API keys should not be passed as query parameters in security schemes. + Pass the API key in the header or body. + If using a query parameter is necessary, ensure that the API key is tightly scoped and short lived. + severity: ERROR + patterns: + - pattern-inside: | + openapi: $VERSION + ... + components: + ... + securitySchemes: + ... + - metavariable-regex: + metavariable: $VERSION + regex: 3.* + - pattern: | + $SECURITY_SCHEME: + ... + type: apiKey + ... + in: query + + metadata: + category: security + subcategory: + - vuln + technology: + - openapi + likelihood: MEDIUM + impact: HIGH + confidence: HIGH + cwe: 'CWE-598: Use of GET Request Method With Sensitive Query Strings' + owasp: + - 'A04:2021 Insecure Design' + - 'A07:2021 Identification and Authentication Failures' + references: + - https://datatracker.ietf.org/doc/html/rfc6749 + - https://cwe.mitre.org/data/definitions/598.html + - https://owasp.org/Top10/A04_2021-Insecure_Design/ + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/ From 48f6e91b0b6548965f2ddb163b384d7b5a2f8770 Mon Sep 17 00:00:00 2001 From: amitfurman <111306242+amitfurman@users.noreply.github.com> Date: Thu, 9 May 2024 05:27:55 +0300 Subject: [PATCH 16/17] Update webservice-ssrf.yaml (#3380) I corrected the word runnig to running in the message(: Co-authored-by: Vasilii Ermilov --- scala/play/security/webservice-ssrf.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scala/play/security/webservice-ssrf.yaml b/scala/play/security/webservice-ssrf.yaml index 1d9c19aa9a..93423165d7 100644 --- a/scala/play/security/webservice-ssrf.yaml +++ b/scala/play/security/webservice-ssrf.yaml 
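Review bot: the fixture api-key-in-query-parameter.test.yaml has no `in: cookie` scheme; add one as an `ok` case next to `apiKeyAuthHeader` so the test shows the rule targets query placement only and not every non-header location.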
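Review bot: the message in api-key-in-query-parameter.yaml tells the user to "Pass the API key in the header or body", but an OpenAPI `apiKey` security scheme only accepts `in: header`, `in: query` or `in: cookie`, so the advice should read "header or cookie". The first reference, RFC 6749 (OAuth 2.0), is not about API keys in query strings; CWE-598 and the two OWASP links already support the finding, so drop it or replace it with the OpenAPI Security Scheme Object specification. The `owasp` entries (`'A04:2021 Insecure Design'`) omit the ` - ` separator the other rules in this series use (`A05:2021 - Security Misconfiguration`). Finally, the `metavariable-regex` `3.*` on `$VERSION` deliberately limits the rule to OpenAPI 3.x, which leaves Swagger 2.0 `securityDefinitions` with `in: query` unreported; a one-line comment in the rule stating that scope would save the next contributor from treating it as a gap.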
@@ -27,7 +27,7 @@ rules: A parameter being passed directly into `WSClient` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. - They could also probe internal servers or other resources that the server runnig this code can access. + They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode the correct host. metadata: From 4c5bd64dddf7164b574997b8c09532f0eba19c37 Mon Sep 17 00:00:00 2001 From: "semgrep-dev-pr-bot[bot]" <63393893+semgrep-dev-pr-bot[bot]@users.noreply.github.com> Date: Thu, 9 May 2024 03:05:44 +0000 Subject: [PATCH 17/17] New Published Rules - p0_security.direct-response-write-copy (#3382) * add p0_security/direct-response-write-copy.yaml * add p0_security/direct-response-write-copy.jsx * move direct-response-write rule to xss folder * update direct-response-write metadata --------- Co-authored-by: Nathan Brahms Co-authored-by: Vasilii --- .../security/audit/xss/direct-response-write.js | 9 +++++++++ .../audit/xss/direct-response-write.yaml | 16 ++++++++++------ 2 files changed, 19 insertions(+), 6 deletions(-) diff --git a/javascript/express/security/audit/xss/direct-response-write.js b/javascript/express/security/audit/xss/direct-response-write.js index 3898522ff5..f0718cd16f 100644 --- a/javascript/express/security/audit/xss/direct-response-write.js +++ b/javascript/express/security/audit/xss/direct-response-write.js @@ -132,6 +132,15 @@ app.get('/xss', function (req, res) { res.write('Response
' + html); }); +const jsonRouter = express.Router(); +jsonRouter.use(express.json()); +jsonRouter.get('/noxss-json', function (req, res) { + var name = req.query.name; + // ok: direct-response-write + res.write({ name }); +}); +app.use(jsonRouter); + // For https://github.com/returntocorp/semgrep-rules/issues/2872 app.post( "/:id", diff --git a/javascript/express/security/audit/xss/direct-response-write.yaml b/javascript/express/security/audit/xss/direct-response-write.yaml index 370edab86c..25959b5687 100644 --- a/javascript/express/security/audit/xss/direct-response-write.yaml +++ b/javascript/express/security/audit/xss/direct-response-write.yaml @@ -1,10 +1,9 @@ rules: - id: direct-response-write message: >- - Detected directly writing to a Response object from user-defined input. This bypasses - any HTML escaping and may expose your application to a Cross-Site-scripting - (XSS) vulnerability. Instead, use 'resp.render()' to render - safely escaped HTML. + Detected directly writing to a Response object from user-defined input. + This bypasses any HTML escaping and may expose your application to a Cross-Site-scripting + (XSS) vulnerability. Instead, use 'resp.render()' to render safely escaped HTML. options: interfile: true metadata: @@ -15,7 +14,8 @@ rules: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection cwe: - - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' category: security technology: - express @@ -26,6 +26,9 @@ rules: likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) languages: - javascript - typescript 
@@ -112,6 +115,7 @@ rules: - pattern: $RES.send($ARG) - pattern-not: $RES. ... .set('...'). ... .send($ARG) - pattern-not: $RES. ... .type('...'). ... .send($ARG) + - pattern-not-inside: $RES.$METHOD({ ... }) - focus-metavariable: $ARG pattern-sanitizers: - patterns: @@ -222,7 +226,7 @@ rules: - metavariable-regex: metavariable: $F regex: (?!.*text/html) - - patterns: + - patterns: - pattern-inside: | $X = [...]; ...
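Review bot: webservice-ssrf.yaml (PATCH 16/17) corrects `runnig`, but two further wording defects are visible in the context lines of the same hunk: `most likely lead to SSRF` should be `most likely leads to SSRF`, and `create an allowlist for approved hosts hardcode the correct host` is missing `or` before `hardcode`; since the commit already touches only this message block, fix all three in the one pass.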
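Review bot: in direct-response-write.js (PATCH 17/17) the new `ok` case calls `res.write({ name })`, but `http.ServerResponse.write` accepts only a string, Buffer or Uint8Array, so this handler throws a TypeError at runtime and does not model a real JSON response; `res.json({ name })` or `res.send({ name })` is the idiomatic Express way to return an object, and the rule's new `pattern-not-inside: $RES.$METHOD({ ... })` would exclude either of them in the same way. `jsonRouter.use(express.json())` parses request bodies and has no bearing on how the response is serialised, so either drop it or have the handler read `req.body` so the middleware has a purpose in the fixture.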
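Review bot: the added `pattern-not-inside: $RES.$METHOD({ ... })` in direct-response-write.yaml excludes every sink whose argument is an object literal, on the reasoning that Express serialises objects as JSON rather than HTML; that holds for `res.send({ ... })` and `res.json({ ... })` but not for `res.write`, which rejects objects outright, so state the rationale in a YAML comment beside the pattern so it is not widened or removed later. The final hunk (`- patterns:` to `- patterns:`) changes only whitespace and is invisible in review; mention it in the commit message or keep it out of a rule-logic change.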