rules: refactor engines rules tests (#691)
This commit moves the rules test cases into each engine's directory and creates
some testutil functions with the logic to test safe and vulnerable code.
Add some rules tests: HS-CSHARP-1, HS-DART-6, HS-KUBERNETES-1, 
HS-NGINX-2 and HS-SWIFT-6.

Signed-off-by: Ian Cardoso <ian.cardoso@zup.com.br>
iancardosozup authored Oct 19, 2021
1 parent ddeca73 commit 245f013
Showing 22 changed files with 1,415 additions and 744 deletions.
2 changes: 2 additions & 0 deletions go.mod
Expand Up @@ -37,6 +37,7 @@ require (
github.com/go-enry/go-oniguruma v1.2.1 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang/protobuf v1.5.2 // indirect
github.com/google/addlicense v1.0.0 // indirect
github.com/gorilla/mux v1.8.0 // indirect
github.com/hashicorp/hcl v1.0.0 // indirect
github.com/inconshreveable/mousetrap v1.0.0 // indirect
Expand All @@ -61,6 +62,7 @@ require (
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 // indirect
golang.org/x/mod v0.5.1 // indirect
golang.org/x/net v0.0.0-20211011170408-caeb26a5c8c0 // indirect
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
golang.org/x/sys v0.0.0-20211013075003-97ac67df715c // indirect
golang.org/x/text v0.3.7 // indirect
golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba // indirect
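Review bot: The two new requirements, `github.com/google/addlicense v1.0.0` and `golang.org/x/sync`, are not mentioned in the commit message, which only describes moving tests, and both are marked `// indirect`, so nothing in this commit visibly imports them. addlicense is a license-header tool rather than a library; if it is meant as a build/CI tool, a `tools.go` behind a build tag or a sentence in the description would make the reason for the new supply-chain dependency auditable. If they were pulled in only by `go mod tidy`, saying so in the description is enough.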
3 changes: 3 additions & 0 deletions go.sum
Expand Up @@ -445,6 +445,8 @@ github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw
github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
github.com/google/addlicense v1.0.0 h1:cqvo5suPWlsk6r6o42Fs2K66xYCl2tnhVPUYoP3EnO4=
github.com/google/addlicense v1.0.0/go.mod h1:Sm/DHu7Jk+T5miFHHehdIjbi4M5+dJDRS3Cq0rncIxA=
github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
Expand Down Expand Up @@ -1179,6 +1181,7 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ
golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c h1:5KslGYwFpkhGh+Q16bwMP3cOontH8FOep7tGV86Y7SQ=
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
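--- /dev/null
+++ b/internal/services/engines/csharp/rules_test.go
@@ -0,0 +1,48 @@
+// Copyright 2021 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package csharp
+
+import (
+"testing"
+
+engine "github.com/ZupIT/horusec-engine"
+"github.com/ZupIT/horusec/internal/utils/testutil"
+)
+
+func TestRulesVulnerableCode(t *testing.T) {
+testcases := []*testutil.RuleTestCase{
+{
+Name: "HS-CSHARP-1",
+Rule: NewCommandInjection(),
+Src: SampleVulnerableCsharpNewCommandInjection,
+Findings: []engine.Finding{
+{
+CodeSample: "var p = new Process();",
+SourceLocation: engine.Location{
+Line: 1,
+Column: 8,
+},
+},
+},
+},
+}
+testutil.TestVulnerableCode(t, testcases)
+}
+
+func TestRulesSafeCode(t *testing.T) {
+testcases := []*testutil.RuleTestCase{}
+
+testutil.TestSafeCode(t, testcases)
+}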
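Review bot: TestRulesSafeCode runs with an empty testcases slice, so HS-CSHARP-1 has no negative test and a rule that flags every `new Process()` would still pass. The expected finding is anchored on `var p = new Process();` at Line 1, Column 8 rather than on the line that concatenates `input` into Arguments, which suggests the rule fires on the constructor alone; a safe sample (for example one passing fixed, non-concatenated arguments) would show whether that is a false positive. Until one exists, a comment such as `// TODO: add a safe sample for HS-CSHARP-1; the rule currently matches on the Process constructor` would keep the vacuous pass from being read as coverage.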
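--- /dev/null
+++ b/internal/services/engines/csharp/samples_test.go
@@ -0,0 +1,22 @@
+// Copyright 2021 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package csharp
+
+const (
+SampleVulnerableCsharpNewCommandInjection = `var p = new Process();
+p.StartInfo.FileName = "exportLegacy.exe";
+p.StartInfo.Arguments = " -user " + input + " -role user";
+p.Start();`
+)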
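Review bot: The sample constant has no comment explaining what makes it vulnerable, and the identifier `input` is never defined in the snippet, so a reader cannot tell from this file that it stands for attacker-controlled data. A one-line comment above the constant, such as `// input stands for untrusted data; concatenating it into Arguments allows argument injection into exportLegacy.exe (HS-CSHARP-1).`, would record the intent. The file is named `samples_test.go` here but `sample_test.go` in the dart and java engines added by the same commit; one spelling across engines would make the new layout predictable.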
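--- /dev/null
+++ b/internal/services/engines/dart/rules_test.go
@@ -0,0 +1,49 @@
+// Copyright 2021 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package dart
+
+import (
+"testing"
+
+engine "github.com/ZupIT/horusec-engine"
+"github.com/ZupIT/horusec/internal/utils/testutil"
+)
+
+func TestRulesVulnerableCode(t *testing.T) {
+testcases := []*testutil.RuleTestCase{
+{
+Name: "HS-DART-6",
+Rule: NewSendSMS(),
+Src: SampleVulnerableDartSendSMS,
+Findings: []engine.Finding{
+{
+CodeSample: "import 'package:flutter_sms/flutter_sms.dart';",
+SourceLocation: engine.Location{
+Line: 1,
+Column: 28,
+},
+},
+},
+},
+}
+
+testutil.TestVulnerableCode(t, testcases)
+}
+
+func TestRulesSafeCode(t *testing.T) {
+testcases := []*testutil.RuleTestCase{}
+
+testutil.TestSafeCode(t, testcases)
+}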
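Review bot: The vulnerable sample for HS-DART-6 is a single import line, so this test pins that the rule fires on `import 'package:flutter_sms/flutter_sms.dart';` at Line 1, Column 28 without any SMS actually being sent, and TestRulesSafeCode is empty, so nothing shows what the rule is expected to ignore. If flagging the import alone is intended, a comment in the test case saying so would stop a later tightening of the rule from looking like a regression; if not, a sample with a real send call plus a safe counterpart would make the expectation explicit. A `// TODO: add a safe sample for HS-DART-6` in TestRulesSafeCode would at least record that the gap is known.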
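--- /dev/null
+++ b/internal/services/engines/dart/sample_test.go
@@ -0,0 +1,20 @@
+// Copyright 2021 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package dart
+
+const (
+SampleVulnerableDartSendSMS = `import 'package:flutter_sms/flutter_sms.dart';
+`
+)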
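Review bot: This file is named `sample_test.go` while the csharp and jvm engines added in the same commit use `samples_test.go`; the refactor is a good moment to settle on one name across engines. The constant also deserves a one-line comment naming the rule it exercises and why, e.g. `// SampleVulnerableDartSendSMS triggers HS-DART-6 by importing flutter_sms; no send call is needed for the rule to match.`, so the single-import sample does not look like an accidental truncation.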
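--- /dev/null
+++ b/internal/services/engines/java/rules_test.go
@@ -0,0 +1,68 @@
+// Copyright 2021 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package java
+
+import (
+engine "github.com/ZupIT/horusec-engine"
+"testing"
+
+"github.com/ZupIT/horusec/internal/utils/testutil"
+)
+
+func TestRulesVulnerableCode(t *testing.T) {
+testcases := []*testutil.RuleTestCase{
+{
+Name: "HS-JAVA-1",
+Rule: NewXMLParsingVulnerableToXXE(),
+Src: SampleVulnerableJavaXMLParsingVulnerableToXXE,
+Findings: []engine.Finding{
+{
+CodeSample: `XMLReader reader = XMLReaderFactory.createXMLReader();`,
+SourceLocation: engine.Location{
+Line: 4,
+Column: 21,
+},
+},
+},
+},
+{
+Name: "HS-JAVA-134",
+Rule: NewSQLInjection(),
+Src: SampleVulnerableJavaSQLInjection,
+Findings: []engine.Finding{
+{
+CodeSample: "var pstmt = con.prepareStatement(\"select * from mytable where field01 = '\" + field01 + \"'\");",
+SourceLocation: engine.Location{
+Line: 14,
+Column: 50,
+},
+},
+},
+},
+}
+
+testutil.TestVulnerableCode(t, testcases)
+}
+
+func TestRulesSafeCode(t *testing.T) {
+testcases := []*testutil.RuleTestCase{
+{
+Name: "HS-JAVA-134",
+Rule: NewSQLInjection(),
+Src: SampleSafeJavaSQLInjection,
+},
+}
+testutil.TestSafeCode(t, testcases)
+}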
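Review bot: The import block places `engine "github.com/ZupIT/horusec-engine"` in the standard-library group ahead of `"testing"`, unlike the csharp and dart test files in the same commit; goimports would move it into the second group next to testutil, and it is worth doing now so the files read alike. The safe-code test covers only HS-JAVA-134, so HS-JAVA-1 has no sample the rule is expected to ignore (for instance a reader with the external-entity features disabled), and a rule that fires on every `createXMLReader()` would go unnoticed. Adding a case `{Name: "HS-JAVA-1", Rule: NewXMLParsingVulnerableToXXE(), Src: <safe sample>}` with a matching constant, or a TODO saying why none exists, would close that gap.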
72 changes: 72 additions & 0 deletions internal/services/engines/java/sample_test.go
@@ -0,0 +1,72 @@
// Copyright 2021 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package java

const (
SampleVulnerableJavaSQLInjection = `
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.sql.DataSource;
public class VulnerableCodeSQLInjection134 {
public void printResults(DataSource ds, String field01) throws SQLException {
try (
var con = ds.getConnection();
var pstmt = con.prepareStatement("select * from mytable where field01 = '" + field01 + "'");
var rs = pstmt.executeQuery()) {
while (rs.next()) {
System.out.println(rs.getString(1));
}
}
}
}
`

SampleSafeJavaSQLInjection = `
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.sql.DataSource;
public class VulnerableCodeSQLInjection134 {
public void printResults(DataSource ds, String field01) throws SQLException {
try {
var con = ds.getConnection();
var pstmt = con.prepareStatement("select * from mytable where field01 = ? ");
pstmt.setString(1,field01);
var rs = pstmt.executeQuery();
while (rs.next()) {
System.out.println(rs.getString(1));
}
}
}
}
`
SampleVulnerableJavaXMLParsingVulnerableToXXE = `
class Foo {
void fn(String input) {
XMLReader reader = XMLReaderFactory.createXMLReader();
reader.parse(input)
}
}
`
)
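Review bot: The safe SQL-injection sample reuses the class name `VulnerableCodeSQLInjection134` from the vulnerable sample, which is confusing when a code sample is read on its own; `SafeCodeSQLInjection134` would say what the snippet is. The safe snippet also opens with `try {` and has no catch or finally and never closes the connection, so it is not compilable Java; that is presumably fine for a pattern-matching engine, but a comment above the const block noting that the samples are not meant to compile would save the next reader from trying to fix them. The section header counts 72 additions while fewer lines are visible here, so some lines (likely blank ones) appear to have been lost in rendering.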
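--- /dev/null
+++ b/internal/services/engines/jvm/rules_test.go
@@ -0,0 +1,33 @@
+// Copyright 2021 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package jvm
+
+import (
+"testing"
+
+"github.com/ZupIT/horusec/internal/utils/testutil"
+)
+
+func TestRulesVulnerableCode(t *testing.T) {
+testcases := []*testutil.RuleTestCase{}
+
+testutil.TestVulnerableCode(t, testcases)
+}
+
+func TestRulesSafeCode(t *testing.T) {
+testcases := []*testutil.RuleTestCase{}
+
+testutil.TestSafeCode(t, testcases)
+}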
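Review bot: Both test functions run with an empty testcases slice, so the jvm package reports a passing test that exercises no rule at all. If the jvm cases are planned for a later commit, a `t.Skip("no jvm rule cases yet")` or a `// TODO` line in each function would keep the green result from being mistaken for coverage; otherwise at least one vulnerable and one safe case should land with the scaffold. Whether the jvm engine currently has rules to cover is not visible in this hunk.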
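--- /dev/null
+++ b/internal/services/engines/jvm/samples_test.go
@@ -0,0 +1,17 @@
+// Copyright 2021 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package jvm
+
+const ()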
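Review bot: The file ends in an empty `const ()` declaration, which compiles but declares nothing and reads as an unfinished paste. Either drop the block until there is a sample to put in it, or keep a placeholder comment inside it such as `// TODO: add jvm rule samples once rules_test.go has cases` so the intent is recorded. As with the csharp file the name is `samples_test.go`, while dart and java use `sample_test.go` in this same commit.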