coderabbitai · harjotgill · Sep 13, 2024 · Sep 5, 2024 · Sep 5, 2024 · Sep 5, 2024
diff --git a/rules/c/security/libxml2-audit-parser-c.yml b/rules/c/security/libxml2-audit-parser-c.yml
@@ -0,0 +1,25 @@
+id: libxml2-audit-parser-c
+language: c
+severity: warning
+message: >-
+ The libxml2 library is used to parse XML. When auditing such code, make
+ sure that either the document being parsed is trusted or that the parsing
+ options are safe to consume untrusted documents. In such case make sure
+ DTD or XInclude documents cannot be loaded and there is no network access.
+note: >-
+ [CWE-611] Improper Restriction of XML External Entity Reference.
+ [REFERENCES]
+ - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
+rule:
+ any:
+ - pattern: xmlParseInNodeContext($CUR, $SRC, $DATALEN, $XML_OPTIONS, $LST)
+ - pattern: xmlReadDoc($CUR, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlReadFd($FD, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlReadFile($SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlReadIO($IO_READ, $IO_CLOSE, $IO_CTX, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlReadMemory($SRC, $SIZE, $URL, $ENC, $XML_OPTIONS)
+ - pattern: xmlCtxtReadDoc($CTX, $CUR, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlCtxtReadFd($CTX, $FD, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlCtxtReadFile($CTX, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlCtxtReadIO($CTX, $IO_READ, $IO_CLOSE, $IO_CTX, $SRC, $ENC,$XML_OPTIONS)
+ - pattern: xmlCtxtReadMemory($CTX, $SRC, $SIZE, $URL, $ENC, $XML_OPTIONS)
diff --git a/rules/c/security/sizeof-this-c.yml b/rules/c/security/sizeof-this-c.yml
@@ -0,0 +1,13 @@
+id: sizeof-this-c
+language: c
+severity: warning
+message: >-
+ Do not use `sizeof(this)` to get the number of bytes of the object in
+ memory. It returns the size of the pointer, not the size of the object.
+note: >-
+ [CWE-467]: Use of sizeof() on a Pointer Type
+ [REFERENCES]
+ - https://wiki.sei.cmu.edu/confluence/display/c/ARR01-C.+Do+not+apply+the+sizeof+operator+to+a+pointer+when+taking+the+size+of+an+array
+rule:
+ any:
+ - pattern: "sizeof(this)"
diff --git a/rules/cpp/security/libxml2-audit-parser-cpp.yml b/rules/cpp/security/libxml2-audit-parser-cpp.yml
@@ -0,0 +1,25 @@
+id: libxml2-audit-parser-cpp
+language: Cpp
+severity: warning
+message: >-
+ The libxml2 library is used to parse XML. When auditing such code, make
+ sure that either the document being parsed is trusted or that the parsing
+ options are safe to consume untrusted documents. In such case make sure
+ DTD or XInclude documents cannot be loaded and there is no network access.
+note: >-
+ [CWE-611] Improper Restriction of XML External Entity Reference.
+ [REFERENCES]
+ - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
+rule:
+ any:
+ - pattern: xmlParseInNodeContext($CUR, $SRC, $DATALEN, $XML_OPTIONS, $LST)
+ - pattern: xmlReadDoc($CUR, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlReadFd($FD, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlReadFile($SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlReadIO($IO_READ, $IO_CLOSE, $IO_CTX, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlReadMemory($SRC, $SIZE, $URL, $ENC, $XML_OPTIONS)
+ - pattern: xmlCtxtReadDoc($CTX, $CUR, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlCtxtReadFd($CTX, $FD, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlCtxtReadFile($CTX, $SRC, $ENC, $XML_OPTIONS)
+ - pattern: xmlCtxtReadIO($CTX, $IO_READ, $IO_CLOSE, $IO_CTX, $SRC, $ENC,$XML_OPTIONS)
+ - pattern: xmlCtxtReadMemory($CTX, $SRC, $SIZE, $URL, $ENC, $XML_OPTIONS)
diff --git a/rules/csharp/security/httponly-false-csharp.yml b/rules/csharp/security/httponly-false-csharp.yml
@@ -0,0 +1,25 @@
+id: httponly-false-csharp
+language: csharp
+severity: warning
+message: >-
+ "Detected a cookie where the `HttpOnly` flag is either missing or
+ disabled. The `HttpOnly` cookie flag instructs the browser to forbid
+ client-side JavaScript to read the cookie. If JavaScript interaction is
+ required, you can ignore this finding. However, set the `HttpOnly` flag to
+ `true` in all other cases. If this wasn't intentional, it's recommended to
+ set the HttpOnly flag to true so the cookie will not be accessible through
+ client-side scripts or to use the Cookie Policy Middleware to globally set
+ the HttpOnly flag. You can then use the CookieOptions class when
+ instantiating the cookie, which inherits these settings and will require
+ future developers to have to explicitly override them on a case-by-case
+ basis if needed. This approach ensures cookies are secure by default."
+note: >-
+ [CWE-1004] Sensitive Cookie Without 'HttpOnly' Flag"
+ [REFERENCES]
+ - https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware
+ - https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions
+ - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
+rule:
+ any:
+ - pattern: $BUILDER.Cookie.HttpOnly = false;
+ - pattern: $COOKIE.HttpOnly = false;
diff --git a/rules/csharp/security/oracleconnectionstringbuilder-hardcoded-secret-csharp.yml b/rules/csharp/security/oracleconnectionstringbuilder-hardcoded-secret-csharp.yml
@@ -0,0 +1,17 @@
+id: oracleconnectionstringbuilder-hardcoded-secret-csharp
+language: csharp
+severity: info
+message: >-
+ "A secret is hard-coded in the application. Secrets stored in source
+ code, such as credentials, identifiers, and other types of sensitive data,
+ can be leaked and used by internal or external malicious actors. Use
+ environment variables to securely provide credentials and other secrets or
+ retrieve them from a secure vault or Hardware Security Module (HSM)."
+note: >-
+ [CWE-798] Use of Hard-coded Credentials
+ [REFERENCES]
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+rule:
+ any:
+ - pattern: $B.Password = "$$$"
+ - pattern: $B["Password"] = "$$$"
diff --git a/rules/html/security/plaintext-http-link-html.yml b/rules/html/security/plaintext-http-link-html.yml
@@ -0,0 +1,14 @@
+id: plaintext-http-link-html
+language: html
+severity: warning
+message: >-
+ "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible."
+note: >-
+ [CWE-319] Authentication Bypass by Primary Weakness
+ [REFERENCES]
+ - https://cwe.mitre.org/data/definitions/319.html
+rule:
+ pattern: <a $$$ href=$URL>$C</a>
+constraints:
+ URL:
+ regex: ^['"`]?([Hh][Tt][Tt][Pp]://)
diff --git a/rules/java/security/cbc-padding-oracle-java.yml b/rules/java/security/cbc-padding-oracle-java.yml
@@ -0,0 +1,17 @@
+id: cbc-padding-oracle-java
+severity: warning
+language: java
+message: >-
+ Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A
+ malicious actor could discern the difference between plaintext with valid
+ or invalid padding. Further, CBC mode does not include any integrity
+ checks. Use 'AES/GCM/NoPadding' instead.
+note: >-
+ [CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
+ [REFERENCES]
+ - https://capec.mitre.org/data/definitions/463.html
+rule:
+ pattern: Cipher.getInstance($MODE)
+constraints:
+ MODE:
+ regex: ".*/CBC/PKCS5Padding"
diff --git a/rules/java/security/cbc-padding-oracle.yml b/rules/java/security/cbc-padding-oracle.yml
diff --git a/rules/java/security/desede-is-deprecated-java.yml b/rules/java/security/desede-is-deprecated-java.yml
@@ -0,0 +1,16 @@
+id: desede-is-deprecated-java
+language: java
+severity: warning
+message: >-
+ Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES.
+note: >-
+ [CWE-326]: Inadequate Encryption Strength
+ [OWASP A03:2017]: Sensitive Data Exposure
+ [OWASP A02:2021]: Cryptographic Failures
+ [REFERENCES]
+ - https://find-sec-bugs.github.io/bugs.htm#TDES_USAGE
+ - https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA
+rule:
+ any:
+ - pattern: $CIPHER.getInstance("=~/DESede.*/")
+ - pattern: $CRYPTO.KeyGenerator.getInstance("DES")
- any:
- - pattern: $CIPHER.getInstance("=~/DESede.*/")
- - pattern: $CRYPTO.KeyGenerator.getInstance("DES")
+ any:
+ - pattern: $CIPHER.getInstance("=~/DESede.*/")
+ - pattern: $CRYPTO.KeyGenerator.getInstance("=~/DESede.*/")
- any:
- - pattern: $CIPHER.getInstance("=~/DESede.*/")
- - pattern: $CRYPTO.KeyGenerator.getInstance("DES")
+ any:
+ - pattern: $CIPHER.getInstance("=~/DESede.*/")
+ - pattern: $CRYPTO.KeyGenerator.getInstance("=~/DESede.*/")
diff --git a/rules/java/security/ecb-cipher-java.yml b/rules/java/security/ecb-cipher-java.yml
@@ -0,0 +1,17 @@
+id: ecb-cipher-java
+severity: warning
+language: java
+message: >-
+ Cipher in ECB mode is detected. ECB mode produces the same output for
+ the same input each time which allows an attacker to intercept and replay
+ the data. Further, ECB mode does not provide any integrity checking. See
+ https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.
+note: >-
+ [CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
+ [REFERENCES]
+ - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+rule:
+ pattern: Cipher $VAR = $CIPHER.getInstance($MODE);
+constraints:
+ MODE:
+ regex: .*ECB.*
diff --git a/rules/java/security/no-null-cipher-java.yml b/rules/java/security/no-null-cipher-java.yml
@@ -0,0 +1,17 @@
+id: no-null-cipher-java
+severity: warning
+language: java
+message: >-
+ NullCipher was detected. This will not encrypt anything; the cipher
+ text will be the same as the plain text. Use a valid, secure cipher:
+ Cipher.getInstance("AES/CBC/PKCS7PADDING"). See
+ https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
+ for more information.
+note: >-
+ [CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
+ [REFERENCES]
+ - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+rule:
+ any:
+ - pattern: new NullCipher($$$)
+ - pattern: new javax.crypto.NullCipher($$$)
diff --git a/rules/java/security/rsa-no-padding-java.yml b/rules/java/security/rsa-no-padding-java.yml
@@ -0,0 +1,14 @@
+id: rsa-no-padding-java
+severity: warning
+language: java
+message: >-
+ Using RSA without OAEP mode weakens the encryption.
+note: >-
+ [CWE-326] Inadequate Encryption Strength
+ [REFERENCES]
+ - https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/
+rule:
+ pattern: $YST.getInstance($MODE)
+constraints:
+ MODE:
+ regex: "RSA/[Nn][Oo][Nn][Ee]/NoPadding"
diff --git a/rules/java/security/unencrypted-socket-java.yml b/rules/java/security/unencrypted-socket-java.yml
@@ -0,0 +1,16 @@
+id: unencrypted-socket-java
+language: java
+severity: info
+message: >-
+ "Detected use of a Java socket that is not encrypted. As a result, the
+ traffic could be read by an attacker intercepting the network traffic. Use
+ an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory'
+ instead."
+note: >-
+ [CWE-319] Cleartext Transmission of Sensitive Information
+ [REFERENCES]
+ - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+rule:
+ any:
+ - pattern: new ServerSocket($$$)
+ - pattern: new Socket($$$)
diff --git a/rules/java/security/use-of-weak-rsa-key-java.yml b/rules/java/security/use-of-weak-rsa-key-java.yml
@@ -0,0 +1,16 @@
+id: use-of-weak-rsa-key-java
+language: java
+severity: warning
+message: >-
+ RSA keys should be at least 2048 bits based on NIST recommendation.
+note: >-
+ [CWE-326] Inadequate Encryption Strength.
+ [REFERENCES]
+ - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms
+rule:
+ pattern: |
+ $KEY.initialize($AST)
+follows: KeyPairGenerator $KEY = $G.getInstance("RSA");
+constraints:
+ AST:
+ regex: '^(-?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|0|-[1-9][0-9]*|-[1-9][0-9]{2,}|-1[0-9]{3}|-20[0-3][0-9]|-204[0-7])$'
diff --git a/rules/kotlin/security/desede-is-deprecated-kotlin.yml b/rules/kotlin/security/desede-is-deprecated-kotlin.yml
@@ -0,0 +1,16 @@
+id: desede-is-deprecated-kotlin
+language: kotlin
+severity: warning
+message: >-
+ Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES.
+note: >-
+ [CWE-326]: Inadequate Encryption Strength
+ [OWASP A03:2017]: Sensitive Data Exposure
+ [OWASP A02:2021]: Cryptographic Failures
+ [REFERENCES]
+ - https://find-sec-bugs.github.io/bugs.htm#TDES_USAGE
+ - https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA
+rule:
+ any:
+ - pattern: $CIPHER.getInstance("=~/DESede.*/")
+ - pattern: $CRYPTO.KeyGenerator.getInstance("DES")
diff --git a/rules/kotlin/security/use-of-weak-rsa-key-kotlin.yml b/rules/kotlin/security/use-of-weak-rsa-key-kotlin.yml
@@ -0,0 +1,18 @@
+id: use-of-weak-rsa-key-kotlin
+language: kotlin
+severity: warning
+message: >-
+ RSA keys should be at least 2048 bits based on NIST recommendation
+note: >-
+ [CWE-326]: Inadequate Encryption Strength
+ [OWASP A03:2017]: Sensitive Data Exposure
+ [OWASP A02:2021]: Cryptographic Failures
+ [REFERENCES]
+ - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms
+rule:
+ pattern: |
+ $KEY.initialize($BITS)
+follows: KEY = $G.getInstance("RSA");
+constraints:
+ BITS:
+ regex: '^(-?(0|[1-9][0-9]?|[1-9][0-9]{2}|1[0-9]{3}|20[0-3][0-9]|204[0-7])(\.[0-9]+)?|0|-[1-9][0-9]*|-[1-9][0-9]{2,}|-1[0-9]{3}|-20[0-3][0-9]|-204[0-7])$'
diff --git a/rules/rust/security/reqwest-accept-invalid-rust.yml b/rules/rust/security/reqwest-accept-invalid-rust.yml
@@ -0,0 +1,17 @@
+id: reqwest-accept-invalid-rust
+language: rust
+severity: warning
+message: >-
+ Dangerously accepting invalid TLS
+note: >-
+ [CWE-295]: Improper Certificate
+ [REFERENCES]
+ - https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_hostnames
+ - https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_certs
+rule:
+ any:
+ - pattern: $CLIENT.danger_accept_invalid_hostnames(true)
+ - pattern: $CLIENT.danger_accept_invalid_certs(true)
+constraints:
+ CLIENT:
+ regex: '^reqwest::Client::builder\(\)'
diff --git a/rules/scala/security/rsa-padding-set-scala.yml b/rules/scala/security/rsa-padding-set-scala.yml
@@ -0,0 +1,18 @@
+id: rsa-padding-set-scala
+language: scala
+severity: warning
+message: >-
+ Usage of RSA without OAEP (Optimal Asymmetric Encryption Padding) may
+ weaken encryption. This could lead to sensitive data exposure. Instead,
+ use RSA with `OAEPWithMD5AndMGF1Padding` instead.
+
+note: >-
+ [CWE-780] Use of RSA Algorithm without OAEP
+ [REFERENCES]
+ - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+rule:
+ any:
+ - pattern: $CIPHER.getInstance($MODE)
+constraints:
+ MODE:
+ regex: ".*RSA/.*/NoPadding.*"
diff --git a/rules/scala/security/xmlinputfactory-dtd-enabled-scala.yml b/rules/scala/security/xmlinputfactory-dtd-enabled-scala.yml
@@ -0,0 +1,25 @@
+id: xmlinputfactory-dtd-enabled-scala
+language: scala
+severity: warning
+message: >-
+ XMLInputFactory being instantiated without calling the setProperty
+ functions that are generally used for disabling entity processing. User
+ controlled data in XML Document builder can result in XML Internal Entity
+ Processing vulnerabilities like the disclosure of confidential data,
+ denial of service, Server Side Request Forgery (SSRF), port scanning. Make
+ sure to disable entity processing functionality.
+note: >-
+ [CWE-611] Improper Restriction of XML External Entity.
+ [REFERENCES]
+ - https://owasp.org/Top10/A05_2021-Security_Misconfiguration
+rule:
+ any:
+ - pattern: XMLInputFactory.newFactory($$$)
+ - pattern: XMLInputFactory.newInstance($$$)
+ - pattern: new XMLInputFactory($$$)
+precedes: 
+ not:
+ pattern: $XMLFACTORY.setProperty($MODE, false)
+constraints:
+ MODE:
+ regex: 'javax.xml.stream.isSupportingExternalEntities'
diff --git a/rules/swift/security/insecure-biometrics-swift.yml b/rules/swift/security/insecure-biometrics-swift.yml
@@ -0,0 +1,19 @@
+id: insecure-biometrics-swift
+language: swift
+severity: info
+message: >-
+ The application was observed to leverage biometrics via Local
+ Authentication, which returns a simple boolean result for authentication.
+ This design is subject to bypass with runtime tampering tools such as
+ Frida, Substrate, and others. Although this is limited to rooted
+ (jailbroken) devices, consider implementing biometric authentication the
+ reliable way - via Keychain Services.
+note: >-
+ [CWE-305] Authentication Bypass by Primary Weakness
+ [REFERENCES]
+ - https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication
+ - https://shirazkhan030.medium.com/biometric-authentication-in-ios-6c53c54f17df
+rule:
+ any:
+ - pattern: LAContext.evaluatePolicy
+ - pattern: $X.evaluatePolicy
diff --git a/tests/__snapshots__/cbc-padding-oracle-java-snapshot.yml b/tests/__snapshots__/cbc-padding-oracle-java-snapshot.yml
@@ -0,0 +1,8 @@
+id: cbc-padding-oracle-java
+snapshots:
+ Cipher.getInstance("AES/CBC/PKCS5Padding");:
+ labels:
+ - source: Cipher.getInstance("AES/CBC/PKCS5Padding")
+ style: primary
+ start: 0
+ end: 42