rules:feat - adding rule to spring framework rce

This commit adds a new rule to identify a new remote code execution vulnerability in the spring framework. Due to the limitations of the regex engine, this rule can bring some false positives about safe versions pointed out as vulnerabilities. The rule will consider any vulnerability < 5.3.18 as vulnerable, which is not true, as versions >= 5.2.20 already have the fix for the problem, but due to the limitation of the engine we can't detect it. Signed-off-by: Nathan Martins <nathan.martins@zup.com.br>
ZupIT · Apr 1, 2022 · bff71b0 · bff71b0
1 parent 6fa62e4
commit bff71b0
Show file tree

Hide file tree

Showing 5 changed files with 132 additions and 3 deletions.
diff --git a/internal/services/custom_rules/custom_rule_test.go b/internal/services/custom_rules/custom_rule_test.go
@@ -18,12 +18,11 @@ import (
 	"regexp"
 	"testing"
 
-	"github.com/stretchr/testify/require"
-
 	"github.com/ZupIT/horusec-devkit/pkg/enums/confidence"
 	"github.com/ZupIT/horusec-devkit/pkg/enums/languages"
 	"github.com/ZupIT/horusec-devkit/pkg/enums/severities"
 	"github.com/ZupIT/horusec-engine/text"
+	"github.com/stretchr/testify/require"
 )
 
 func TestValidate(t *testing.T) {
@@ -325,7 +324,6 @@ func TestGetRuleType(t *testing.T) {
 }
 
 func TestGetExpressions(t *testing.T) {
-
 	exprs := []string{"testOne", "testTwo"}
 	exprOne, _ := regexp.Compile(exprs[0])
 	exprTwo, _ := regexp.Compile(exprs[1])

diff --git a/internal/services/engines/java/rule_manager.go b/internal/services/engines/java/rule_manager.go
@@ -143,6 +143,7 @@ func Rules() []engine.Rule {
 		// NewMessageDigest(),
 		NewOverlyPermissiveFilePermission(),
 		NewCipherGetInstanceInsecure(),
+		NewVulnerableRemoteCodeExecutionSpringFramework(),
 
 		// Regular rules
 		NewHiddenElements(),

diff --git a/internal/services/engines/java/rules.go b/internal/services/engines/java/rules.go
@@ -2634,3 +2634,21 @@ func NewUncheckedClassInstatiation() *text.Rule {
 		},
 	}
 }
+
+func NewVulnerableRemoteCodeExecutionSpringFramework() *text.Rule {
+	return &text.Rule{
+		Metadata: engine.Metadata{
+			ID:          "HS-JAVA-152",
+			Name:        "Spring Framework Remote Code Execution",
+			Description: "It has been identified that versions prior to < 5.3.18 or < 5.2.20 of the spring framework are vulnerable to remote code execution. Please upgrade to version >= 5.3.18 or >= 5.2.20. For more information checkout the CVE-2022-22965 (https://tanzu.vmware.com/security/cve-2022-22965) advisory.",
+			Severity:    severities.Critical.ToString(),
+			Confidence:  confidence.Medium.ToString(),
+		},
+		Type: text.OrMatch,
+		Expressions: []*regexp.Regexp{
+			regexp.MustCompile(`<dependency.*org="org\.springframework".*\s.*(5\.[0-3]\.(1[0-7]|[0-9]\.|[0-9]"))|([0-4]\.[0-9]+\.[0-9]+).*/>`),
+			regexp.MustCompile(`compile.*"org\.springframework:spring-context.*((5\.[0-3]\.(1[0-7]|[0-9]\.|[0-9]"))|([0-4]\.[0-9]+\.[0-9]+).*"\))`),
+			regexp.MustCompile(`<groupId>\s*org\.springframework\s*</groupId>\s*<artifactId>.*\s*spring-context.*\s*</artifactId>\s*(<version>\s*((5\.[0-3]\.(1[0-7]|[0-9]\.|[0-9]"))|([0-4]\.[0-9]+\.[0-9]+)).*)\s*</version>`),
+		},
+	}
+}
diff --git a/internal/services/engines/java/rules_test.go b/internal/services/engines/java/rules_test.go
@@ -723,6 +723,54 @@ func TestRulesVulnerableCode(t *testing.T) {
 				},
 			},
 		},
+		{
+			Name:     "HS-JAVA-152",
+			Rule:     NewVulnerableRemoteCodeExecutionSpringFramework(),
+			Src:      Sample1IvyVulnerableHSJAVA152,
+			Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-152.1", ".test")),
+			Findings: []engine.Finding{
+				{
+					CodeSample: "<dependency org=\"org.springframework\"",
+					SourceLocation: engine.Location{
+						Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-152.1", ".test")),
+						Line:     2,
+						Column:   0,
+					},
+				},
+			},
+		},
+		{
+			Name:     "HS-JAVA-152",
+			Rule:     NewVulnerableRemoteCodeExecutionSpringFramework(),
+			Src:      Sample2GradleVulnerableHSJAVA152,
+			Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-152.2", ".test")),
+			Findings: []engine.Finding{
+				{
+					CodeSample: "compile(\"org.springframework:spring-context:5.3.17.RELEASE\")",
+					SourceLocation: engine.Location{
+						Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-152.2", ".test")),
+						Line:     3,
+						Column:   4,
+					},
+				},
+			},
+		},
+		{
+			Name:     "HS-JAVA-152",
+			Rule:     NewVulnerableRemoteCodeExecutionSpringFramework(),
+			Src:      Sample3MavenVulnerableHSJAVA152,
+			Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-152.3", ".test")),
+			Findings: []engine.Finding{
+				{
+					CodeSample: "<groupId>org.springframework</groupId>",
+					SourceLocation: engine.Location{
+						Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-152.3", ".test")),
+						Line:     4,
+						Column:   8,
+					},
+				},
+			},
+		},
 	}
 
 	testutil.TestVulnerableCode(t, testcases)
@@ -1007,6 +1055,24 @@ func TestRulesSafeCode(t *testing.T) {
 			Src:      Sample5MavenSafeHSJAVA151,
 			Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-151", ".test")),
 		},
+		{
+			Name:     "HS-JAVA-152",
+			Rule:     NewVulnerableRemoteCodeExecutionSpringFramework(),
+			Src:      Sample1IvySafeHSJAVA152,
+			Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-152", ".test")),
+		},
+		{
+			Name:     "HS-JAVA-152",
+			Rule:     NewVulnerableRemoteCodeExecutionSpringFramework(),
+			Src:      Sample2GradleSafeHSJAVA152,
+			Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-152", ".test")),
+		},
+		{
+			Name:     "HS-JAVA-152",
+			Rule:     NewVulnerableRemoteCodeExecutionSpringFramework(),
+			Src:      Sample3MavenSafeHSJAVA152,
+			Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-152", ".test")),
+		},
 	}
 	testutil.TestSafeCode(t, testcases)
 }
diff --git a/internal/services/engines/java/sample_test.go b/internal/services/engines/java/sample_test.go
@@ -1444,5 +1444,51 @@ test {
         </dependency>
     </dependencies>
 </project>
+`
+
+	Sample1IvyVulnerableHSJAVA152 = `
+<dependency org="org.springframework"
+    name="spring-core" rev="5.3.17.RELEASE" conf="compile->runtime"/>
+`
+
+	Sample1IvySafeHSJAVA152 = `
+<dependency org="org.springframework"
+    name="spring-core" rev="5.3.18.RELEASE" conf="compile->runtime"/>
+`
+
+	Sample2GradleVulnerableHSJAVA152 = `
+dependencies {
+    compile("org.springframework:spring-context:5.3.17.RELEASE")
+    testCompile("org.springframework:spring-test:5.3.17.RELEASE")
+}
+`
+
+	Sample2GradleSafeHSJAVA152 = `
+dependencies {
+    compile("org.springframework:spring-context:5.3.18.RELEASE")
+    testCompile("org.springframework:spring-test:5.3.18.RELEASE")
+}
+`
+
+	Sample3MavenVulnerableHSJAVA152 = `
+<dependencies>
+    <dependency>
+        <groupId>org.springframework</groupId>
+        <artifactId>spring-context</artifactId>
+        <version>5.3.17.RELEASE</version>
+        <scope>runtime</scope>
+    </dependency>
+</dependencies>
+`
+
+	Sample3MavenSafeHSJAVA152 = `
+<dependencies>
+    <dependency>
+        <groupId>org.springframework</groupId>
+        <artifactId>spring-context</artifactId>
+        <version>5.3.18.RELEASE</version>
+        <scope>runtime</scope>
+    </dependency>
+</dependencies>
 `
 )