Adding tests for rules 7-17 of dart language
Note that in the HS-DART-8 rule I tightened the rule so that it only reports log calls that use string concatenation or string formatting.
Note too that the HS-DART-15 rule was not working because the property is not capitalized, so I made the case-insensitive option apply to the entire regular expression.
Signed-off-by: wilian <wilian.silva@zup.com.br>
wiliansilvazup committed Oct 25, 2021
1 parent b2272fa commit 4488f18
Showing 3 changed files with 468 additions and 7 deletions.
14 changes: 7 additions & 7 deletions internal/services/engines/dart/rules.go
Expand Up @@ -160,9 +160,9 @@ func NewNoLogSensitive() text.TextRule {
},
Type: text.Regular,
Expressions: []*regexp.Regexp{
regexp.MustCompile(`print\(.*\$`),
regexp.MustCompile(`window\.console.*\(`),
regexp.MustCompile(`log.*\.(finest|finer|fine|config|info|warning|severe|shout|erro).*\(`),
regexp.MustCompile(`print\(.*(\$|%|('|")\s*\+)`),
regexp.MustCompile(`window\.console.*\(.*(\$|%|('|")\s*\+)`),
regexp.MustCompile(`log.*\.(finest|finer|fine|config|info|warning|severe|shout|erro).*\(.*(\$|%|('|")\s*\+)`),
},
}
}
Expand Down Expand Up @@ -278,10 +278,10 @@ func NewNoUseCipherMode() text.TextRule {
},
Type: text.Regular,
Expressions: []*regexp.Regexp{
regexp.MustCompile(`(?i)AesMode\.ECB`),
regexp.MustCompile(`(?i)AesMode\.OFB`),
regexp.MustCompile(`(?i)AesMode\.CTS`),
regexp.MustCompile(`(?i)AesMode\.CFB`),
regexp.MustCompile(`(?i)(AesMode\.ECB)`),
regexp.MustCompile(`(?i)(AesMode\.OFB)`),
regexp.MustCompile(`(?i)(AesMode\.CTS)`),
regexp.MustCompile(`(?i)(AesMode\.CFB)`),
},
}
}
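Review bot: The grouping parentheses added around the four AesMode alternatives in the second hunk do not change what the NoUseCipherMode expressions match — a leading `(?i)` already applies to the whole pattern, so the pre-change form `(?i)AesMode\.CTS` matched `AESMode.cts` before this commit and the "no capitalized property" fix from the description is a no-op. If the rule really was failing earlier, the cause is likely elsewhere (the sample file or the location being asserted), which is worth confirming by running the new HS-DART-15 test against the unmodified pattern; otherwise the simpler form can stay. In the first hunk the tightened NoLogSensitive patterns only fire when the argument contains `$`, `%` or a quote followed by `+`, so a call such as `print(identity)` that logs a variable directly is no longer reported and `x + "..."` with the literal on the right is also missed; a comment above the `Expressions` slice stating that the rule deliberately trades that recall for fewer false positives would keep the next maintainer from reading it as an oversight. The opening lines of both NewNoLogSensitive and NewNoUseCipherMode are outside the hunks.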
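--- a/internal/services/engines/dart/rules_test.go
+++ b/internal/services/engines/dart/rules_test.go
@@ -107,6 +107,167 @@ func TestRulesVulnerableCode(t *testing.T) {
 },
 },
 },
+{
+Name: "HS-DART-7",
+Rule: NewXSSAttack(),
+Src: SampleVulnerableXSSAttack,
+Findings: []engine.Finding{
+{
+CodeSample: "var element = new Element.html(sprintf(\"<div class=\"foo\">%s</div>\", [content]));",
+SourceLocation: engine.Location{
+Line: 8,
+Column: 19,
+},
+},
+},
+},
+{
+Name: "HS-DART-8",
+Rule: NewNoLogSensitive(),
+Src: SampleVulnerableNoLogSensitive,
+Findings: []engine.Finding{
+{
+CodeSample: "print(sprintf(\"User identity is: %s\", [identity]));",
+SourceLocation: engine.Location{
+Line: 9,
+Column: 1,
+},
+},
+{
+CodeSample: "_logger.info(sprintf(\"User identity is: %s\", [identity]));",
+SourceLocation: engine.Location{
+Line: 11,
+Column: 2,
+},
+},
+},
+},
+{
+Name: "HS-DART-9",
+Rule: NewWeakHashingFunctionMd5OrSha1(),
+Src: SampleVulnerableWeakHashingFunctionMd5OrSha1,
+Findings: []engine.Finding{
+{
+CodeSample: "var digest = md5.convert(content);",
+SourceLocation: engine.Location{
+Line: 11,
+Column: 15,
+},
+},
+},
+},
+{
+Name: "HS-DART-10",
+Rule: NewNoUseSelfSignedCertificate(),
+Src: SampleVulnerableNoUseSelfSignedCertificate,
+Findings: []engine.Finding{
+{
+CodeSample: "context.setTrustedCertificates(\"client.cer\");",
+SourceLocation: engine.Location{
+Line: 4,
+Column: 8,
+},
+},
+},
+},
+{
+Name: "HS-DART-11",
+Rule: NewNoUseBiometricsTypeAndroid(),
+Src: SampleVulnerableNoUseBiometricsTypeAndroid,
+Findings: []engine.Finding{
+{
+CodeSample: "authenticated = await auth.authenticateWithBiometrics(",
+SourceLocation: engine.Location{
+Line: 4,
+Column: 29,
+},
+},
+},
+},
+{
+Name: "HS-DART-12",
+Rule: NewNoListClipboardChanges(),
+Src: SampleVulnerableNoListClipboardChanges,
+Findings: []engine.Finding{
+{
+CodeSample: "Map<String, dynamic> result = await SystemChannels.platform.invokeMethod('Clipboard.getData');",
+SourceLocation: engine.Location{
+Line: 4,
+Column: 75,
+},
+},
+},
+},
+{
+Name: "HS-DART-13",
+Rule: NewSQLInjection(),
+Src: SampleVulnerableSQLInjection,
+Findings: []engine.Finding{
+{
+CodeSample: "List<Map> list = await database.rawQuery(\"SELECT * FROM Users WHERE username = '\" + username + \"';\");",
+SourceLocation: engine.Location{
+Line: 10,
+Column: 34,
+},
+},
+},
+},
+{
+Name: "HS-DART-14",
+Rule: NewNoUseNSTemporaryDirectory(),
+Src: SampleVulnerableNoUseNSTemporaryDirectory,
+Findings: []engine.Finding{
+{
+CodeSample: "let temporaryDirectoryURL = URL(fileURLWithPath: NSTemporaryDirectory(), isDirectory: true);",
+SourceLocation: engine.Location{
+Line: 3,
+Column: 49,
+},
+},
+},
+},
+{
+Name: "HS-DART-15",
+Rule: NewNoUseCipherMode(),
+Src: SampleVulnerableNoUseCipherMode,
+Findings: []engine.Finding{
+{
+CodeSample: "final encrypter = Encrypter(AES(key, mode: AESMode.cts));",
+SourceLocation: engine.Location{
+Line: 3,
+Column: 43,
+},
+},
+},
+},
+{
+Name: "HS-DART-16",
+Rule: NewCorsAllowOriginWildCard(),
+Src: SampleVulnerableCorsAllowOriginWildCard,
+Findings: []engine.Finding{
+{
+CodeSample: `request.response.headers.add("Access-Control-Allow-Origin", "*");`,
+SourceLocation: engine.Location{
+Line: 9,
+Column: 32,
+},
+},
+},
+},
+{
+Name: "HS-DART-17",
+Rule: NewUsingShellInterpreterWhenExecutingOSCommand(),
+Src: SampleVulnerableUsingShellInterpreterWhenExecutingOSCommand,
+Findings: []engine.Finding{
+{
+CodeSample: `var result = await Process.run("netcfg", [UserParams]);`,
+SourceLocation: engine.Location{
+Line: 4,
+Column: 20,
+},
+},
+},
+},
 }
 
 testutil.TestVulnerableCode(t, testcases)
@@ -144,6 +305,61 @@ func TestRulesSafeCode(t *testing.T) {
 Rule: NewSendSMS(),
 Src: "",
 },
+{
+Name: "HS-DART-7",
+Rule: NewXSSAttack(),
+Src: SampleSafeXSSAttack,
+},
+{
+Name: "HS-DART-8",
+Rule: NewNoLogSensitive(),
+Src: SampleSafeNoLogSensitive,
+},
+{
+Name: "HS-DART-9",
+Rule: NewWeakHashingFunctionMd5OrSha1(),
+Src: SampleSafeWeakHashingFunctionMd5OrSha1,
+},
+{
+Name: "HS-DART-10",
+Rule: NewNoUseSelfSignedCertificate(),
+Src: SampleSafeNoUseSelfSignedCertificate,
+},
+{
+Name: "HS-DART-11",
+Rule: NewNoUseBiometricsTypeAndroid(),
+Src: SampleSafeNoUseBiometricsTypeAndroid,
+},
+{
+Name: "HS-DART-12",
+Rule: NewNoListClipboardChanges(),
+Src: SampleSafeNoListClipboardChanges,
+},
+{
+Name: "HS-DART-13",
+Rule: NewSQLInjection(),
+Src: SampleSafeSQLInjection,
+},
+{
+Name: "HS-DART-14",
+Rule: NewNoUseNSTemporaryDirectory(),
+Src: SampleSafeNoUseNSTemporaryDirectory,
+},
+{
+Name: "HS-DART-15",
+Rule: NewNoUseCipherMode(),
+Src: SampleSafeNoUseCipherMode,
+},
+{
+Name: "HS-DART-16",
+Rule: NewCorsAllowOriginWildCard(),
+Src: SampleSafeCorsAllowOriginWildCard,
+},
+{
+Name: "HS-DART-17",
+Rule: NewUsingShellInterpreterWhenExecutingOSCommand(),
+Src: SampleSafeUsingShellInterpreterWhenExecutingOSCommand,
+},
 }
 
 testutil.TestSafeCode(t, testcases)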
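Review bot: The HS-DART-14 vulnerable case in the first hunk asserts on `let temporaryDirectoryURL = URL(fileURLWithPath: NSTemporaryDirectory(), isDirectory: true);`, which is Swift/Foundation syntax rather than Dart, so the test pins the regex to a code sample that a Dart project would never contain; if the rule is meant for Dart sources the fixture and the CodeSample should be a Dart temporary-directory usage, and if it was carried over from another engine a short comment on the case saying so would stop it from being "fixed" later. The HS-DART-17 case asserts a finding on `var result = await Process.run("netcfg", [UserParams]);`, which passes its arguments as a list and does not visibly request a shell; if the rule is intended to catch shell-interpreter execution, the fixture should show that form, otherwise the test is locking in a match on every Process.run call — worth confirming against the rule's expression. A smaller point of style: CodeSample values mix escaped double-quoted strings (HS-DART-7, HS-DART-13) with raw backtick strings (HS-DART-16, HS-DART-17); using the raw form throughout would make the samples easier to compare with the fixtures. Both TestRulesVulnerableCode and TestRulesSafeCode begin outside the hunks.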
