From 6f760ecd8fb911e9ce80c4e1109fc3bafe3b986e Mon Sep 17 00:00:00 2001 From: Nathan Martins Date: Fri, 1 Apr 2022 16:22:18 -0300 Subject: [PATCH] rules:feat - adding rule to spring framework rce This commit adds a new rule to identify a new remote code execution vulnerability in the spring framework. Due to the limitations of the regex engine, this rule can bring some false positives about safe versions pointed out as vulnerabilities. The rule will consider any vulnerability < 5.3.18 as vulnerable, which is not true, as versions >= 5.2.20 already have the fix for the problem, but due to the limitation of the engine we can't detect it. Signed-off-by: Nathan Martins --- .../services/custom_rules/custom_rule_test.go | 4 +- .../services/engines/java/rule_manager.go | 1 + internal/services/engines/java/rules.go | 18 +++++ internal/services/engines/java/rules_test.go | 66 +++++++++++++++++++ internal/services/engines/java/sample_test.go | 46 +++++++++++++ internal/services/engines/rules_test.go | 2 +- 6 files changed, 133 insertions(+), 4 deletions(-) diff --git a/internal/services/custom_rules/custom_rule_test.go b/internal/services/custom_rules/custom_rule_test.go index aee75e270..e5b526a0a 100644 --- a/internal/services/custom_rules/custom_rule_test.go +++ b/internal/services/custom_rules/custom_rule_test.go @@ -18,12 +18,11 @@ import ( "regexp" "testing" - "github.com/stretchr/testify/require" - "github.com/ZupIT/horusec-devkit/pkg/enums/confidence" "github.com/ZupIT/horusec-devkit/pkg/enums/languages" "github.com/ZupIT/horusec-devkit/pkg/enums/severities" "github.com/ZupIT/horusec-engine/text" + "github.com/stretchr/testify/require" ) func TestValidate(t *testing.T) { @@ -325,7 +324,6 @@ func TestGetRuleType(t *testing.T) { } func TestGetExpressions(t *testing.T) { - exprs := []string{"testOne", "testTwo"} exprOne, _ := regexp.Compile(exprs[0]) exprTwo, _ := regexp.Compile(exprs[1]) 
diff --git a/internal/services/engines/java/rule_manager.go b/internal/services/engines/java/rule_manager.go
index 6c95fcd4d..42293e233 100644
--- a/internal/services/engines/java/rule_manager.go
+++ b/internal/services/engines/java/rule_manager.go
@@ -143,6 +143,7 @@ func Rules() []engine.Rule {
 // NewMessageDigest(),
 NewOverlyPermissiveFilePermission(),
 NewCipherGetInstanceInsecure(),
+ NewVulnerableRemoteCodeExecutionSpringFramework(),
 // Regular rules
 NewHiddenElements(),
diff --git a/internal/services/engines/java/rules.go b/internal/services/engines/java/rules.go
index 4814df5b2..e6659d027 100644
--- a/internal/services/engines/java/rules.go
+++ b/internal/services/engines/java/rules.go
@@ -2634,3 +2634,21 @@ func NewUncheckedClassInstatiation() *text.Rule {
 },
 }
 }
+
+func NewVulnerableRemoteCodeExecutionSpringFramework() *text.Rule {
+ return &text.Rule{
+ Metadata: engine.Metadata{
+ ID: "HS-JAVA-152",
+ Name: "Spring Framework Remote Code Execution",
+ Description: "It has been identified that versions prior to < 5.3.18 or < 5.2.20 of the spring framework are vulnerable to remote code execution. Please upgrade to version >= 5.3.18 or >= 5.2.20. For more information checkout the CVE-2022-22965 (https://tanzu.vmware.com/security/cve-2022-22965) advisory.",
+ Severity: severities.Critical.ToString(),
+ Confidence: confidence.Medium.ToString(),
+ },
+ Type: text.OrMatch,
+ Expressions: []*regexp.Regexp{
+ regexp.MustCompile(``),
+ regexp.MustCompile(`compile.*"org\.springframework:spring-context.*((5\.[0-3]\.(1[0-7]|[0-9]\.|[0-9]"))|([0-4]\.[0-9]+\.[0-9]+).*"\))`),
+ regexp.MustCompile(`\s*org\.springframework\s*\s*.*\s*spring-context.*\s*\s*(\s*((5\.[0-3]\.(1[0-7]|[0-9]\.|[0-9]"))|([0-4]\.[0-9]+\.[0-9]+)).*)\s*`),
+ },
+ }
+}
diff --git a/internal/services/engines/java/rules_test.go b/internal/services/engines/java/rules_test.go
index afcc2f465..e8d5ad83e 100644
--- a/internal/services/engines/java/rules_test.go
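Review bot: The version group `(5\.[0-3]\.(1[0-7]|[0-9]\.|[0-9]"))` shared by the Gradle and Maven expressions in NewVulnerableRemoteCodeExecutionSpringFramework reports several vulnerable versions as safe: a two-digit patch outside 10–17 never matches, so 5.2.18 and 5.2.19 (the 5.2 line is fixed only in 5.2.20) and every 5.0.x/5.1.x from patch 18 up (end-of-life, never fixed) are missed, and a single-digit patch must be followed by `.` or `"`, so a POM `<version>5.3.9</version>` is missed too — as far as I know 5.3.x artifacts on Maven Central carry no `.RELEASE` suffix, unlike the samples this commit adds. Since Go's RE2 has no lookahead, a group such as `(([0-4]\.[0-9]+\.[0-9]+)|(5\.[01]\.[0-9]+)|(5\.2\.(1[0-9]|[0-9])[^0-9])|(5\.3\.(1[0-7]|[0-9])[^0-9]))` covers exactly the affected ranges (5.2.20+ and 5.3.18+ stay unmatched) provided the Gradle tail `.*"\)` is relaxed to `.*\)` so the `"` consumed by `[^0-9]` is not demanded twice. The Gradle expression also fires only on a double-quoted `compile(...)` declaration; `implementation`/`api`/`runtimeOnly` (the `compile` configuration no longer exists in Gradle 7) and single-quoted Groovy strings are the common forms, so a prefix like `(compile|implementation|api|runtimeOnly).*["']org\.springframework:spring-context:` would be needed. Finally the rule keys on `spring-context` alone, whereas CVE-2022-22965 lives in the data-binding path of spring-beans/spring-webmvc/spring-webflux and most projects pin Spring through `spring-webmvc` or a Spring Boot starter, so the Description should warn that an absent `spring-context` coordinate is not a clean result. The first expression is not legible in this view and is not covered by this note.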
+++ b/internal/services/engines/java/rules_test.go @@ -723,6 +723,54 @@ func TestRulesVulnerableCode(t *testing.T) { }, }, }, + { + Name: "HS-JAVA-152", + Rule: NewVulnerableRemoteCodeExecutionSpringFramework(), + Src: Sample1IvyVulnerableHSJAVA152, + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-152.1", ".test")), + Findings: []engine.Finding{ + { + CodeSample: "org.springframework", + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-152.3", ".test")), + Line: 4, + Column: 8, + }, + }, + }, + }, } testutil.TestVulnerableCode(t, testcases) @@ -1007,6 +1055,24 @@ func TestRulesSafeCode(t *testing.T) { Src: Sample5MavenSafeHSJAVA151, Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-151", ".test")), }, + { + Name: "HS-JAVA-152", + Rule: NewVulnerableRemoteCodeExecutionSpringFramework(), + Src: Sample1IvySafeHSJAVA152, + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-152", ".test")), + }, + { + Name: "HS-JAVA-152", + Rule: NewVulnerableRemoteCodeExecutionSpringFramework(), + Src: Sample2GradleSafeHSJAVA152, + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-152", ".test")), + }, + { + Name: "HS-JAVA-152", + Rule: NewVulnerableRemoteCodeExecutionSpringFramework(), + Src: Sample3MavenSafeHSJAVA152, + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-152", ".test")), + }, } testutil.TestSafeCode(t, testcases) } diff --git a/internal/services/engines/java/sample_test.go b/internal/services/engines/java/sample_test.go index 2b6005ab3..f373b5655 100644 --- a/internal/services/engines/java/sample_test.go +++ b/internal/services/engines/java/sample_test.go 
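Review bot: The HS-JAVA-152 cases pin only the 5.3.17/5.3.18 edge, so none of the other boundaries the rule's Description promises is exercised; add a vulnerable case for `5.2.19` and a safe case for `5.2.20`, which together document whether the expression really stops at 5.2.20 as the commit message claims, plus a vulnerable case for an unsuffixed `5.3.9` since 5.3.x is published without `.RELEASE`. As rendered here the vulnerable entry declares `Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-152.1", ".test"))` while its finding expects `"HS-JAVA-152.3"`; if that is not an artifact of this view the SourceLocation can never match and both should use the same name. The `CodeSample: "org.springframework"` assertion is likewise only meaningful if the engine reports the whole matched line, which this hunk does not show — confirm against testutil.TestVulnerableCode.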
@@ -1444,5 +1444,51 @@ test { +` + + Sample1IvyVulnerableHSJAVA152 = ` + +` + + Sample1IvySafeHSJAVA152 = ` + +` + + Sample2GradleVulnerableHSJAVA152 = ` +dependencies { + compile("org.springframework:spring-context:5.3.17.RELEASE") + testCompile("org.springframework:spring-test:5.3.17.RELEASE") +} +` + + Sample2GradleSafeHSJAVA152 = ` +dependencies { + compile("org.springframework:spring-context:5.3.18.RELEASE") + testCompile("org.springframework:spring-test:5.3.18.RELEASE") +} +` + + Sample3MavenVulnerableHSJAVA152 = ` + + + org.springframework + spring-context + 5.3.17.RELEASE + runtime + + +` + + Sample3MavenSafeHSJAVA152 = ` + + + org.springframework + spring-context + 5.3.18.RELEASE + runtime + + ` ) diff --git a/internal/services/engines/rules_test.go b/internal/services/engines/rules_test.go index 7f3c2341d..da1d29240 100644 --- a/internal/services/engines/rules_test.go +++ b/internal/services/engines/rules_test.go @@ -67,7 +67,7 @@ func TestGetRules(t *testing.T) { { engine: "Java", manager: java.NewRules(), - expectedTotalRules: 182, + expectedTotalRules: 183, }, { engine: "Dart",
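Review bot: The Gradle pair `Sample2GradleVulnerableHSJAVA152`/`Sample2GradleSafeHSJAVA152` (and the Maven pair) only use the `compile("...:5.3.17.RELEASE")` shape, so the samples fix the rule to a form real projects rarely have: 5.3.x coordinates have no `.RELEASE` suffix, Groovy builds usually single-quote, and `compile` has been replaced by `implementation` since Gradle 7. Add samples in the shapes that actually occur, e.g. `implementation 'org.springframework:spring-context:5.3.17'` as vulnerable and `implementation("org.springframework:spring-context:5.3.18")` as safe, so the test suite catches a regex that matches only the suffixed, double-quoted form. The Ivy and Maven sample bodies are not legible in this view, so this note covers the Gradle samples only.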