Merge Develop into Release (#3082)

* update owasp.java.xxe.javax.xml.parsers.DocumentBuilderFactory rule * opensearch-serverless-cmk opensearch-serverless-cmk * Update terraform/aws/security/aws-opensearchserverless-encrypted-with-cmk.yaml Co-authored-by: colleend <colleen@r2c.dev> * Change message and severity of rule (#3061) * change message to reflect severity level * update severity * change message a bit --------- Co-authored-by: enno <14846866+enncoded@users.noreply.github.com> * add solidity smart contract rules * add semicolons * Add metadata (#3078) * Add metadata * Change subcategory to array * Rewrote patterns * Fixed patterns more and updated example * fix: make ruby class names constants (#3076) * fix ruby class names * a few more --------- Co-authored-by: enno <14846866+enncoded@users.noreply.github.com> * Fixed false positive with `usedforsecurity` flag in `hashlib.md5` (#3077) * Fixed false positive when unpacking safe array (#3079) --------- Co-authored-by: hocnc <nguyencaohoc52@gmail.com> Co-authored-by: FrozenSolid <frozenSolid@users.noreply.github.com> Co-authored-by: colleend <colleen@returntocorp.com> Co-authored-by: colleend <colleen@r2c.dev> Co-authored-by: enno <14846866+enncoded@users.noreply.github.com> Co-authored-by: raz0r <me@raz0r.name> Co-authored-by: Lewis <LewisArdern@live.co.uk> Co-authored-by: Brandon Wu <49291449+brandonspark@users.noreply.github.com>
semgrep · Aug 29, 2023 · b33db28 · b33db28
1 parent 9fd26d8
commit b33db28
Show file tree

Hide file tree

Showing 112 changed files with 22,268 additions and 51 deletions.
diff --git a/contrib/owasp/java/xxe/documentbuilderfactory.java b/contrib/owasp/java/xxe/documentbuilderfactory.java
@@ -47,7 +47,7 @@ public String xmlReaderVuln(HttpServletRequest request) {
             String body = WebUtils.getRequestBody(request);
             logger.info(body);
             XMLReader xmlReader = XMLReaderFactory.createXMLReader();
-            xmlReader.parse(new InputSource(new StringReader(body)));  // parse xml
+            xmlReader.parse(new InputSource(new StringReader(body)));  // parse xmldocumentbuilderfactory
             return "xmlReader xxe vuln code";
         } catch (Exception e) {
             logger.error(e.toString());
@@ -229,11 +229,11 @@ public String DocumentBuilderVuln01(HttpServletRequest request) {
         try {
             String body = WebUtils.getRequestBody(request);
             logger.info(body);
-            // ruleid:owasp.java.xxe.javax.xml.parsers.DocumentBuilderFactory
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
             DocumentBuilder db = dbf.newDocumentBuilder();
             StringReader sr = new StringReader(body);
             InputSource is = new InputSource(sr);
+            // ruleid:owasp.java.xxe.javax.xml.parsers.DocumentBuilderFactory
             Document document = db.parse(is);  // parse xml
 
             // 遍历xml节点name和value
@@ -262,11 +262,45 @@ public String DocumentBuilderVuln02(HttpServletRequest request) {
         try {
             String body = WebUtils.getRequestBody(request);
             logger.info(body);
-            // ruleid:owasp.java.xxe.javax.xml.parsers.DocumentBuilderFactory
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
             DocumentBuilder db = dbf.newDocumentBuilder();
             StringReader sr = new StringReader(body);
             InputSource is = new InputSource(sr);
+            // ruleid:owasp.java.xxe.javax.xml.parsers.DocumentBuilderFactory
+            Document document = db.parse(is);  // parse xml
+
+            // 遍历xml节点name和value
+            StringBuilder result = new StringBuilder();
+            NodeList rootNodeList = document.getChildNodes();
+            for (int i = 0; i < rootNodeList.getLength(); i++) {
+                Node rootNode = rootNodeList.item(i);
+                NodeList child = rootNode.getChildNodes();
+                for (int j = 0; j < child.getLength(); j++) {
+                    Node node = child.item(j);
+                    // 正常解析XML，需要判断是否是ELEMENT_NODE类型。否则会出现多余的的节点。
+                    if (child.item(j).getNodeType() == Node.ELEMENT_NODE) {
+                        result.append(String.format("%s: %s\n", node.getNodeName(), node.getFirstChild()));
+                    }
+                }
+            }
+            sr.close();
+            return result.toString();
+        } catch (Exception e) {
+            logger.error(e.toString());
+            return EXCEPT;
+        }
+    }
+
+
+    @RequestMapping(value = "/DocumentBuilder/vuln03", method = RequestMethod.POST)
+    public String DocumentBuilderVuln03(HttpServletRequest request) {
+        try {
+            String body = WebUtils.getRequestBody(request);
+            logger.info(body);
+            // ruleid:owasp.java.xxe.javax.xml.parsers.DocumentBuilderFactory
+            DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+            StringReader sr = new StringReader(body);
+            InputSource is = new InputSource(sr);
             Document document = db.parse(is);  // parse xml
 
             // 遍历xml节点name和value
@@ -292,19 +326,20 @@ public String DocumentBuilderVuln02(HttpServletRequest request) {
     }
 
 
+
     @RequestMapping(value = "/DocumentBuilder/Sec", method = RequestMethod.POST)
     public String DocumentBuilderSec(HttpServletRequest request) {
         try {
             String body = WebUtils.getRequestBody(request);
             logger.info(body);
-            // ruleid:owasp.java.xxe.javax.xml.parsers.DocumentBuilderFactory
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
             dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
             dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
             dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
             DocumentBuilder db = dbf.newDocumentBuilder();
             StringReader sr = new StringReader(body);
             InputSource is = new InputSource(sr);
+            // ruleid:owasp.java.xxe.javax.xml.parsers.DocumentBuilderFactory
             db.parse(is);  // parse xml
             sr.close();
         } catch (Exception e) {
@@ -321,13 +356,13 @@ public String DocumentBuilderXincludeVuln(HttpServletRequest request) {
             String body = WebUtils.getRequestBody(request);
             logger.info(body);
 
-            // ruleid:owasp.java.xxe.javax.xml.parsers.DocumentBuilderFactory
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
             dbf.setXIncludeAware(true);   // 支持XInclude
             dbf.setNamespaceAware(true);  // 支持XInclude
             DocumentBuilder db = dbf.newDocumentBuilder();
             StringReader sr = new StringReader(body);
             InputSource is = new InputSource(sr);
+            // ruleid:owasp.java.xxe.javax.xml.parsers.DocumentBuilderFactory
             Document document = db.parse(is);  // parse xml
 
             NodeList rootNodeList = document.getChildNodes();
@@ -445,5 +480,4 @@ private static void response(NodeList rootNodeList){
 
     public static void main(String[] args)  {
     }
-
 }
diff --git a/contrib/owasp/java/xxe/documentbuilderfactory.yaml b/contrib/owasp/java/xxe/documentbuilderfactory.yaml
@@ -1,43 +1,63 @@
 rules:
   - id: owasp.java.xxe.javax.xml.parsers.DocumentBuilderFactory
     message: >-
-      DocumentBuilderFactory being instantiated without calling the setFeature functions that are generally used for disabling
-      entity processing
+      DocumentBuilderFactory being instantiated without calling the setFeature functions that are generally used for disabling entity processing, which can allow for XXE vulnerabilities
     metadata:
       cwe: "CWE-611: Improper Restriction of XML External Entity Reference"
       owasp: "A04:2017 - XML External Entities (XXE)"
       source-rule-url: https://cheatsheetseries.owasp.org//cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
       category: security
+      technology:
+        - java
+        - xml
+      cwe2022-top25: true
+      cwe2021-top25: true
+      references:
+        - https://www.programcreek.com/java-api-examples/?api=javax.xml.parsers.DocumentBuilderFactory
+      likelihood: LOW
+      impact: HIGH
+      subcategory:
+        - vuln
+      confidence: HIGH
     severity: ERROR
     patterns:
-      # Reference: https://www.programcreek.com/java-api-examples/?api=javax.xml.parsers.DocumentBuilderFactory
       - pattern-either:
-          - pattern: |
-              DocumentBuilderFactory $DBF =  ... ;
-              ...
-              DocumentBuilder $DB = $DBF.newDocumentBuilder();
-              ...
-              $DB.parse(...);
-          - pattern: DocumentBuilderFactory $DBF = DocumentBuilderFactory.newInstance().newDocumentBuilder();
-      - pattern-not-inside: |
-          $RETURNTYPE $METHOD(...) {
-            ...
-            $DBF.setXIncludeAware(true);
-            $DBF.setNamespaceAware(true);
-            ...
-            $DBF.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
-            $DBF.setFeature("http://xml.org/sax/features/external-general-entities", false);
-            $DBF.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
-            ...
-          }
-      - pattern-not-inside: |
-          DocumentBuilderFactory $DBF =  ... ;
-          ...
-          $DBF.setXIncludeAware(true);
-          $DBF.setNamespaceAware(true);
-          ...
-          $DBF.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
-          $DBF.setFeature("http://xml.org/sax/features/external-general-entities", false);
-          $DBF.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+          - patterns:
+              - pattern-inside: |
+                  DocumentBuilderFactory $DBF =  ... ;
+                  ...
+              - pattern-inside: |
+                  DocumentBuilder $DB = $DBF.newDocumentBuilder();
+                  ...
+              - pattern: |
+                  $DB.parse(...);
+          - patterns:
+              - pattern-inside: |
+                  (DocumentBuilder $DB) = (DocumentBuilderFactory $DBF).newDocumentBuilder();
+                  ...
+              - pattern: |
+                  (DocumentBuilder $DB).parse(...);
+          - pattern: DocumentBuilder $DB = DocumentBuilderFactory. ... .newInstance(). ... .newDocumentBuilder();
+      - pattern-not:
+          patterns:
+            - pattern-inside: |
+                DocumentBuilderFactory $DBF =  ... ;
+                ...
+            - pattern-inside: |
+                $DBF. ... .setXIncludeAware(true);
+                ...
+            - pattern-inside: |
+                $DBF. ... .setNamespaceAware(true);
+                ...
+            - pattern-inside: |
+                $DBF. ... .setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+                ...
+            - pattern-inside: |
+                $DBF. ... .setFeature("http://xml.org/sax/features/external-general-entities", false);
+                ...
+            - pattern-inside: |
+                $DBF. ... .setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+                ...
     languages:
       - java
+
diff --git a/java/spring/security/audit/spring-actuator-fully-enabled.yaml b/java/spring/security/audit/spring-actuator-fully-enabled.yaml
@@ -5,8 +5,8 @@ rules:
     Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile,
     /actuator/heapdump and others.
     Unless you have Spring Security enabled or another means to protect these endpoints, this functionality
-    is available without authentication, causing a severe security risk.
-  severity: WARNING
+    is available without authentication, causing a significant security risk.
+  severity: ERROR
   languages: [generic]
   paths:
     include:

diff --git a/python/lang/security/audit/dangerous-subprocess-use-audit.py b/python/lang/security/audit/dangerous-subprocess-use-audit.py
@@ -38,6 +38,17 @@ def foobar(user_input):
 # ruleid:dangerous-subprocess-use-audit
 subprocess.run(["bash", "-c", sys.argv[1]], shell=True)
 
+# ok:dangerous-subprocess-use-audit
+subprocess.call(["echo", "a", ";", "rm", "-rf", "/"])
+
+cmd_cmd = ["sh", "-c"]
+# ruleid:dangerous-subprocess-use-audit
+subprocess.call([*cmd_cmd, "rm", "-rf", "/"])
+
+echo_cmd = ["echo", "a", ";"]
+# ok:dangerous-subprocess-use-audit
+subprocess.call([*echo_cmd, "rm", "-rf", "/"])
+
 def vuln_payload(payload: str) -> None:
   with tempfile.TemporaryDirectory() as directory:
     python_file = Path(directory) / "hello_world.py"
@@ -49,3 +60,4 @@ def vuln_payload(payload: str) -> None:
     # ruleid:dangerous-subprocess-use-audit
     program = subprocess.Popen(['python2', str(python_file)], stdin=subprocess.PIPE, text=True)
     program.communicate(input=payload, timeout=1)
+
diff --git a/python/lang/security/audit/dangerous-subprocess-use-audit.yaml b/python/lang/security/audit/dangerous-subprocess-use-audit.yaml
@@ -5,6 +5,17 @@ rules:
     - pattern-not: subprocess.$FUNC("...", ...)
     - pattern-not: subprocess.$FUNC(["...",...], ...)
     - pattern-not: subprocess.$FUNC(("...",...), ...)
+    - pattern-not:
+        patterns:
+        - pattern-not-inside: | # Double negative, so this creates findings when a shell array is present
+            $ARR = ["=~/(sh|bash|ksh|csh|tcsh|zsh)/", "-c", ...]
+            ...
+        - pattern-inside: | # Filter out safe non-shell arrays
+            $ARR = [...]
+            ...
+        - pattern-either:
+          - pattern: subprocess.$FUNC(*$ARR, ...)
+          - pattern: subprocess.$FUNC([*$ARR, ...])
     - pattern-not: subprocess.CalledProcessError(...)
     - pattern-not: subprocess.SubprocessError(...)
     - pattern: subprocess.$FUNC(...)
@@ -60,3 +71,4 @@ rules:
     impact: HIGH
   languages: [python]
   severity: ERROR
+
diff --git a/python/lang/security/insecure-hash-algorithms-md5.py b/python/lang/security/insecure-hash-algorithms-md5.py
@@ -13,6 +13,11 @@
 # ruleid:insecure-hash-algorithm-md5
 print(hashlib.md5("1"))
 
-
 # ok:insecure-hash-algorithm-md5
 hashlib.sha256(1)
+
+# ruleid:insecure-hash-algorithm-md5
+foo = hashlib.md5(data, usedforsecurity=True)
+
+# ok
+bar = hashlib.md5(data, usedforsecurity=False)
diff --git a/python/lang/security/insecure-hash-algorithms-md5.yaml b/python/lang/security/insecure-hash-algorithms-md5.yaml
@@ -1,6 +1,8 @@
 rules:
 - id: insecure-hash-algorithm-md5
-  pattern: hashlib.md5(...)
+  patterns:
+    - pattern: hashlib.md5(...)
+    - pattern-not: hashlib.md5(..., usedforsecurity=False, ...)
   message: >-
     Detected MD5 hash algorithm which is considered insecure. MD5 is not
     collision resistant and is therefore not suitable as a cryptographic

diff --git a/ruby/lang/security/cookie-serialization.rb b/ruby/lang/security/cookie-serialization.rb
@@ -1,11 +1,11 @@
-class bad_cookie_serialization
+class Bad_cookie_serialization
   # ruleid: cookie-serialization
   Rails.application.config.action_dispatch.cookies_serializer = :hybrid
   # ruleid: cookie-serialization
   Rails.application.config.action_dispatch.cookies_serializer = :marshal
 end
 
-class cookie_serialization
+class Cookie_serialization
   # ok.
   Rails.application.config.action_dispatch.cookies_serializer = :json
 end
diff --git a/ruby/lang/security/model-attr-accessible.rb b/ruby/lang/security/model-attr-accessible.rb
@@ -1,4 +1,4 @@
-class bad_attr_accessible
+class Bad_attr_accessible
    include  ActiveModel::MassAssignmentSecurity
 
    # ruleid: model-attr-accessible
@@ -38,7 +38,7 @@ class bad_attr_accessible
    params.permit!
 end
 
-class ok_attr_accessible
+class Ok_attr_accessible
    # ok: model-attr-accessible
    attr_accessible :name, :address, :age,
                    :telephone, as: :create_params

diff --git a/ruby/lang/security/model-attributes-attr-protected.rb b/ruby/lang/security/model-attributes-attr-protected.rb
@@ -1,10 +1,10 @@
-class bad_use_attr_protected
+class Bad_use_attr_protected
   attr_protected :admin
 
   public :sanitize_for_mass_assignment
 end
 
-class ok_use_attr_protected
+class Ok_use_attr_protected
   include ActiveModel::MassAssignmentSecurity
   attr_accessible :name, :email
   attr_accessible :name, :email, :admin, :as => :admin

diff --git a/ruby/lang/security/nested-attributes.rb b/ruby/lang/security/nested-attributes.rb
@@ -1,11 +1,11 @@
-class bad_use_nested_attrs
+class Bad_use_nested_attrs
   has_one :author
   has_many :pages
 
   accepts_nested_attributes_for :author, :pages
 end
 
-class ok_use_nested_attrs
+class Ok_use_nested_attrs
   has_one :author
   has_many :pages
 end
diff --git a/ruby/lang/security/timing-attack.rb b/ruby/lang/security/timing-attack.rb
@@ -1,4 +1,4 @@
-class timing_attack
+class Timing_attack
   http_basic_authenticate_with name: "Chris", password: "LimpBizkitRules420"
   http_basic_authenticate_with :name => ENV["NAME"], :password => ENV["PASSWORD"]
 end
diff --git a/ruby/lang/security/weak-hashes-md5.rb b/ruby/lang/security/weak-hashes-md5.rb
@@ -1,5 +1,5 @@
 require 'digest'
-class bad_md5
+class Bad_md5
     def bad_md5_code()
         # ruleid: weak-hashes-md5
         md5 = Digest::MD5.hexdigest 'abc'

diff --git a/ruby/lang/security/weak-hashes-sha1.rb b/ruby/lang/security/weak-hashes-sha1.rb
@@ -1,5 +1,5 @@
 require 'digest'
-class bad_md5
+class Bad_md5
     def bad_md5_code()
         # ruleid: weak-hashes-sha1
         sha = Digest::SHA1.hexdigest 'abc'