Merge pull request #3462 from semgrep/merge-develop-to-release

Merge Develop into Release

java/lang/security/audit/xss/no-direct-response-writer.java

@@ -16,6 +16,25 @@
 * @created 2015
 */
 
+/** From: Iago
+   Java/tainting:
+   This is a test that comes from the OWASP Benchmark v1.2.
+   Here DeepSemgrep doesn't report lines 56, 128, and 195.
+   But these are actually false positives! This benchmark tries
+   to confuse analyzers into reporting these false positives.
+   It does this in two ways, 1) by using a third-function
+   `doSomething` that receives tainted data, even though it
+   returns safe data; and 2) by putting both safe and unsafe
+   data into a `HashMap`, but ultimately only returning the
+   safe data. FOSS Semgrep falls into the first trap.
+   DeepSemgrep does inter-procedural analysis so it is only
+   affected by the second trap, but it seems to not fall
+   into it because we are lacking a `pattern-propagators` spec
+   for `HashMap`s. If we told DeepSemgrep that `HashMap`s
+   store/propagate taint, then it should report the same
+   false positives.
+*/
+
 package org.owasp.benchmark.testcode;
 
 import java.io.IOException;
@@ -52,7 +71,8 @@ public void doPost(HttpServletRequest request, HttpServletResponse response) thr
 
 response.setHeader("X-XSS-Protection", "0");
         Object[] obj = { "a", bar};
-        // ruleid: no-direct-response-writer
+        // NOTE: see comment at start of file
+        // ruleid: deepok: no-direct-response-writer
         response.getWriter().printf(java.util.Locale.US,"Formatted like: %1$s and %2$s.",obj);
     }  // end doPost
 
@@ -191,7 +211,8 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
 
         response.setHeader("X-XSS-Protection", "0");
         Object[] obj = {"a", bar};
-        // ruleid: no-direct-response-writer
+        // NOTE: see comment at start of file
+        // ruleid: deepok: no-direct-response-writer
         response.getWriter().printf(java.util.Locale.US, "Formatted like: %1$s and %2$s.", obj);
     } // end doPost
 

java/spring/security/injection/tainted-system-command.java

@@ -41,14 +41,14 @@ StringBuilder getResponseFromPingCommand(String ipAddress, boolean isValid) thro
         if (isValid) {
             Process process;
             if (!isWindows) {
+                // proruleid: tainted-system-command
                 process =
-                        // deepruleid: tainted-system-command
                         new ProcessBuilder(new String[] {"sh", "-c", "ping -c 2 " + ipAddress})
                                 .redirectErrorStream(true)
                                 .start();
             } else {
+               	// proruleid: tainted-system-command
                 process =
-                        // deepruleid: tainted-system-command
                         new ProcessBuilder(new String[] {"cmd", "/c", "ping -n 2 " + ipAddress})
                                 .redirectErrorStream(true)
                                 .start();

javascript/browser/security/raw-html-concat.js

@@ -14,7 +14,7 @@ $(function ($) {
 
                 var x = `<div align="left">${content}</div>`
 
-                // ruleid: raw-html-concat
+                // ruleid: deepok: raw-html-concat
                 return '<div align="' + (attrs.defaultattr || 'left') + '">' + newContent + '</div>';
             },
             isInline: false

python/pycryptodome/security/insecure-cipher-algorithm-blowfish.py

@@ -25,10 +25,12 @@
 bs = pycrypto_blowfish.block_size
 # ruleid:insecure-cipher-algorithm-blowfish
 cipher = pycrypto_blowfish.new(key, pycrypto_blowfish.MODE_CBC, iv)
+# deepruleid:insecure-cipher-algorithm-blowfish
 msg = iv + cipher.encrypt(plaintext + padding)
 bs = pycryptodomex_blowfish.block_size
 # ruleid:insecure-cipher-algorithm-blowfish
 cipher = pycryptodomex_blowfish.new(key, pycryptodomex_blowfish.MODE_CBC, iv)
+# deepruleid:insecure-cipher-algorithm-blowfish
 msg = iv + cipher.encrypt(plaintext + padding)
 
 key = b'Sixteen byte key'

python/pycryptodome/security/insecure-cipher-algorithm-des.py

@@ -23,11 +23,13 @@
 ctr = Counter.new(pycrypto_des.block_size*8/2, prefix=nonce)
 # ruleid:insecure-cipher-algorithm-des
 cipher = pycrypto_des.new(key, pycrypto_des.MODE_CTR, counter=ctr)
+# deepruleid:insecure-cipher-algorithm-des
 msg = nonce + cipher.encrypt(plaintext)
 nonce = Random.new().read(pycryptodomex_des.block_size/2)
 ctr = Counter.new(pycryptodomex_des.block_size*8/2, prefix=nonce)
 # ruleid:insecure-cipher-algorithm-des
 cipher = pycryptodomex_des.new(key, pycryptodomex_des.MODE_CTR, counter=ctr)
+# deepruleid:insecure-cipher-algorithm-des
 msg = nonce + cipher.encrypt(plaintext)
 
 

python/pycryptodome/security/insecure-cipher-algorithm-rc2.py

@@ -19,9 +19,11 @@
 iv = Random.new().read(pycrypto_arc2.block_size)
 # ruleid:insecure-cipher-algorithm-rc2
 cipher = pycrypto_arc2.new(key, pycrypto_arc2.MODE_CFB, iv)
+# deepruleid:insecure-cipher-algorithm-rc2
 msg = iv + cipher.encrypt(b'Attack at dawn')
 # ruleid:insecure-cipher-algorithm-rc2
 cipher = pycryptodomex_arc2.new(key, pycryptodomex_arc2.MODE_CFB, iv)
+# deepruleid:insecure-cipher-algorithm-rc2
 msg = iv + cipher.encrypt(b'Attack at dawn')
 
 key = b'Sixteen byte key'

python/sqlalchemy/security/sqlalchemy-execute-raw-query.py

@@ -198,6 +198,7 @@
 # ok: sqlalchemy-execute-raw-query
 engine = create_engine('postgresql://user@localhost/database')
 query = select(literal_column("users.fullname", String) + ', ' + literal_column("addresses.email_address").label("title")).where(and_(literal_column("users.id") == literal_column("addresses.user_id"), text("users.name BETWEEN 'm' AND 'z'"), text("(addresses.email_address LIKE :x OR addresses.email_address LIKE :y)"))).select_from(table('users')).select_from(table('addresses'))
+# deepruleid: sqlalchemy-execute-raw-query
 conn.execute(query, {"x":"%@aol.com", "y":"%@msn.com"}).fetchall()