rules: refactor engines rules tests (#691)
This commit moves the rules test cases into each rule's directory and creates some testutil functions with the logic to test safe and vulnerable code. It also adds some rules tests: HS-CSHARP-1, HS-DART-6, HS-KUBERNETES-1, HS-NGINX-2 and HS-SWIFT-6. Signed-off-by: Ian Cardoso <ian.cardoso@zup.com.br>
1 parent
ddeca73
commit 245f013
Showing
22 changed files
with
1,415 additions
and
744 deletions.
@@ -0,0 +1,48 @@ | ||
// Copyright 2021 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA | ||
// | ||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
package csharp | ||
|
||
import ( | ||
"testing" | ||
|
||
engine "github.com/ZupIT/horusec-engine" | ||
"github.com/ZupIT/horusec/internal/utils/testutil" | ||
) | ||
|
||
func TestRulesVulnerableCode(t *testing.T) { | ||
testcases := []*testutil.RuleTestCase{ | ||
{ | ||
Name: "HS-CSHARP-1", | ||
Rule: NewCommandInjection(), | ||
Src: SampleVulnerableCsharpNewCommandInjection, | ||
Findings: []engine.Finding{ | ||
{ | ||
CodeSample: "var p = new Process();", | ||
SourceLocation: engine.Location{ | ||
Line: 1, | ||
Column: 8, | ||
}, | ||
}, | ||
}, | ||
}, | ||
} | ||
testutil.TestVulnerableCode(t, testcases) | ||
} | ||
|
||
func TestRulesSafeCode(t *testing.T) { | ||
testcases := []*testutil.RuleTestCase{} | ||
|
||
testutil.TestSafeCode(t, testcases) | ||
} |
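Review bot: TestRulesSafeCode runs against an empty `[]*testutil.RuleTestCase{}`, so HS-CSHARP-1 is only exercised on vulnerable input and the rule's false-positive behavior is never checked. The companion samples file in this commit adds SampleVulnerableCsharpNewCommandInjection but no safe counterpart, so there is currently nothing to feed the safe test. Adding a `SampleSafeCsharpNewCommandInjection` fixture (a variant the rule is expected not to flag) and a `{Name: "HS-CSHARP-1", Rule: NewCommandInjection(), Src: SampleSafeCsharpNewCommandInjection}` entry would make this symmetric with the HS-JAVA-134 case elsewhere in the commit. The same empty safe-case slice appears in the dart rules_test for HS-DART-6.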
@@ -0,0 +1,22 @@ | ||
// Copyright 2021 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA | ||
// | ||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
package csharp | ||
|
||
const ( | ||
SampleVulnerableCsharpNewCommandInjection = `var p = new Process(); | ||
p.StartInfo.FileName = "exportLegacy.exe"; | ||
p.StartInfo.Arguments = " -user " + input + " -role user"; | ||
p.Start();` | ||
) |
@@ -0,0 +1,49 @@ | ||
// Copyright 2021 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA | ||
// | ||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
package dart | ||
|
||
import ( | ||
"testing" | ||
|
||
engine "github.com/ZupIT/horusec-engine" | ||
"github.com/ZupIT/horusec/internal/utils/testutil" | ||
) | ||
|
||
func TestRulesVulnerableCode(t *testing.T) { | ||
testcases := []*testutil.RuleTestCase{ | ||
{ | ||
Name: "HS-DART-6", | ||
Rule: NewSendSMS(), | ||
Src: SampleVulnerableDartSendSMS, | ||
Findings: []engine.Finding{ | ||
{ | ||
CodeSample: "import 'package:flutter_sms/flutter_sms.dart';", | ||
SourceLocation: engine.Location{ | ||
Line: 1, | ||
Column: 28, | ||
}, | ||
}, | ||
}, | ||
}, | ||
} | ||
|
||
testutil.TestVulnerableCode(t, testcases) | ||
} | ||
|
||
func TestRulesSafeCode(t *testing.T) { | ||
testcases := []*testutil.RuleTestCase{} | ||
|
||
testutil.TestSafeCode(t, testcases) | ||
} |
@@ -0,0 +1,20 @@ | ||
// Copyright 2021 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA | ||
// | ||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
package dart | ||
|
||
const ( | ||
SampleVulnerableDartSendSMS = `import 'package:flutter_sms/flutter_sms.dart'; | ||
` | ||
) |
@@ -0,0 +1,68 @@ | ||
// Copyright 2021 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA | ||
// | ||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
package java | ||
|
||
import ( | ||
engine "github.com/ZupIT/horusec-engine" | ||
"testing" | ||
|
||
"github.com/ZupIT/horusec/internal/utils/testutil" | ||
) | ||
|
||
func TestRulesVulnerableCode(t *testing.T) { | ||
testcases := []*testutil.RuleTestCase{ | ||
{ | ||
Name: "HS-JAVA-1", | ||
Rule: NewXMLParsingVulnerableToXXE(), | ||
Src: SampleVulnerableJavaXMLParsingVulnerableToXXE, | ||
Findings: []engine.Finding{ | ||
{ | ||
CodeSample: `XMLReader reader = XMLReaderFactory.createXMLReader();`, | ||
SourceLocation: engine.Location{ | ||
Line: 4, | ||
Column: 21, | ||
}, | ||
}, | ||
}, | ||
}, | ||
{ | ||
Name: "HS-JAVA-134", | ||
Rule: NewSQLInjection(), | ||
Src: SampleVulnerableJavaSQLInjection, | ||
Findings: []engine.Finding{ | ||
{ | ||
CodeSample: "var pstmt = con.prepareStatement(\"select * from mytable where field01 = '\" + field01 + \"'\");", | ||
SourceLocation: engine.Location{ | ||
Line: 14, | ||
Column: 50, | ||
}, | ||
}, | ||
}, | ||
}, | ||
} | ||
|
||
testutil.TestVulnerableCode(t, testcases) | ||
} | ||
|
||
func TestRulesSafeCode(t *testing.T) { | ||
testcases := []*testutil.RuleTestCase{ | ||
{ | ||
Name: "HS-JAVA-134", | ||
Rule: NewSQLInjection(), | ||
Src: SampleSafeJavaSQLInjection, | ||
}, | ||
} | ||
testutil.TestSafeCode(t, testcases) | ||
} |
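Review bot: The import block at the top of the hunk places `engine "github.com/ZupIT/horusec-engine"` in the standard-library group above `"testing"`, whereas the csharp and dart rules_test files in this commit separate stdlib from third-party imports with a blank line; `goimports` would move it next to the testutil import. Separately, HS-JAVA-1 has a vulnerable case but no entry in TestRulesSafeCode, so the XXE rule is never checked against input it should not flag. A `SampleSafeJavaXMLParsingVulnerableToXXE` fixture with a matching `{Name: "HS-JAVA-1", Rule: NewXMLParsingVulnerableToXXE(), Src: SampleSafeJavaXMLParsingVulnerableToXXE}` entry would give it the same coverage HS-JAVA-134 has.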
@@ -0,0 +1,72 @@ | ||
// Copyright 2021 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA | ||
// | ||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
package java | ||
|
||
const ( | ||
SampleVulnerableJavaSQLInjection = ` | ||
import java.sql.Connection; | ||
import java.sql.PreparedStatement; | ||
import java.sql.ResultSet; | ||
import java.sql.SQLException; | ||
import javax.sql.DataSource; | ||
public class VulnerableCodeSQLInjection134 { | ||
public void printResults(DataSource ds, String field01) throws SQLException { | ||
try ( | ||
var con = ds.getConnection(); | ||
var pstmt = con.prepareStatement("select * from mytable where field01 = '" + field01 + "'"); | ||
var rs = pstmt.executeQuery()) { | ||
while (rs.next()) { | ||
System.out.println(rs.getString(1)); | ||
} | ||
} | ||
} | ||
} | ||
` | ||
|
||
SampleSafeJavaSQLInjection = ` | ||
import java.sql.Connection; | ||
import java.sql.PreparedStatement; | ||
import java.sql.ResultSet; | ||
import java.sql.SQLException; | ||
import javax.sql.DataSource; | ||
public class VulnerableCodeSQLInjection134 { | ||
public void printResults(DataSource ds, String field01) throws SQLException { | ||
try { | ||
var con = ds.getConnection(); | ||
var pstmt = con.prepareStatement("select * from mytable where field01 = ? "); | ||
pstmt.setString(1,field01); | ||
var rs = pstmt.executeQuery(); | ||
while (rs.next()) { | ||
System.out.println(rs.getString(1)); | ||
} | ||
} | ||
} | ||
} | ||
` | ||
SampleVulnerableJavaXMLParsingVulnerableToXXE = ` | ||
class Foo { | ||
void fn(String input) { | ||
XMLReader reader = XMLReaderFactory.createXMLReader(); | ||
reader.parse(input) | ||
} | ||
} | ||
` | ||
) |
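Review bot: The safe fixture SampleSafeJavaSQLInjection declares `public class VulnerableCodeSQLInjection134`, the same class name as the vulnerable sample, which misdescribes the fixture and makes any failure output harder to read. Renaming it to `public class SafeCodeSQLInjection134 {` keeps the two samples distinguishable; judging from the CodeSample asserted in rules_test the rule appears to match on the prepareStatement call rather than the class name, so the rename should not change outcomes, but that is worth confirming by running the test. The page has flattened the indentation of these samples, so the Column values asserted in rules_test cannot be verified from this view.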
@@ -0,0 +1,33 @@ | ||
// Copyright 2021 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA | ||
// | ||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
package jvm | ||
|
||
import ( | ||
"testing" | ||
|
||
"github.com/ZupIT/horusec/internal/utils/testutil" | ||
) | ||
|
||
func TestRulesVulnerableCode(t *testing.T) { | ||
testcases := []*testutil.RuleTestCase{} | ||
|
||
testutil.TestVulnerableCode(t, testcases) | ||
} | ||
|
||
func TestRulesSafeCode(t *testing.T) { | ||
testcases := []*testutil.RuleTestCase{} | ||
|
||
testutil.TestSafeCode(t, testcases) | ||
} |
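Review bot: Both TestRulesVulnerableCode and TestRulesSafeCode pass an empty `[]*testutil.RuleTestCase{}`, so they pass vacuously and would keep passing even if every jvm rule were broken or removed; nothing in the hunk marks this as intentional. A comment such as `// TODO: add HS-JVM cases; an empty slice makes this test pass vacuously` on each slice, or a `t.Skip("no jvm rule cases yet")`, would make the placeholder explicit. The companion samples file for this package adds an empty `const ()` block, which is valid Go but serves no purpose and can be dropped until a fixture exists.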
@@ -0,0 +1,17 @@ | ||
// Copyright 2021 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA | ||
// | ||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
package jvm | ||
|
||
const () |