From 97c871979f8bc989b8f4a0f4557067cfc4fb4095 Mon Sep 17 00:00:00 2001 From: Phil Turnbull Date: Thu, 17 Aug 2023 15:11:14 -0400 Subject: [PATCH 01/89] Only warn if string-concatenation is used This rule is false-positive heavy. Use taint-mode and only alert if the argument to `sqlalchemy.text(...)` is built using string concatenation, f-strings, etc. --- .../security/audit/avoid-sqlalchemy-text.py | 46 ++++++++++++++----- .../security/audit/avoid-sqlalchemy-text.yaml | 35 ++++++++++++-- 2 files changed, 66 insertions(+), 15 deletions(-) diff --git a/python/sqlalchemy/security/audit/avoid-sqlalchemy-text.py b/python/sqlalchemy/security/audit/avoid-sqlalchemy-text.py index 5ec027dd2f..8ad2c47a7f 100644 --- a/python/sqlalchemy/security/audit/avoid-sqlalchemy-text.py +++ b/python/sqlalchemy/security/audit/avoid-sqlalchemy-text.py 
@@ -1,24 +1,46 @@ from sqlalchemy import text -# ruleid: avoid-sqlalchemy-text -text(5) - - @view_config(route_name='home_bad', renderer='my_app:templates/mytemplate.jinja2') def my_bad_home(request): try: param = request.params['foo'] query = request.dbsession.query(models.MyModel) + search_non_string = text(5) + # ok: avoid-sqlalchemy-text + one = query.distinct(search_non_string) + + search_bind_params = text(":n").bindparams(n=5) + # ok: avoid-sqlalchemy-text + one = query.distinct(search_bind_params) + + search_param = text(param) + # ok: avoid-sqlalchemy-text + one = query.distinct(search_param) + + search_fixed_string = text("foo") + # ok: avoid-sqlalchemy-text + one = query.distinct(search_fixed_string) + + search_param_concat_prefix = "foo" + param # ruleid: avoid-sqlalchemy-text - one = query.distinct(text(param)) - except SQLAlchemyError: - return Response("Database error", content_type='text/plain', status=500) - return {'one': one, 'project': 'my_proj'} + one = query.distinct(text(search_param_concat_prefix)) + search_param_concat_suffix = param + "bar" + # ruleid: avoid-sqlalchemy-text + one = query.distinct(text(search_param_concat_suffix)) + + search_param_f_string = f"foo{param}bar" + # ruleid: avoid-sqlalchemy-text + one = query.distinct(text(search_param_f_string)) -# ok -text("5") + search_param_format = "foo{}bar".format(param) + # ruleid: avoid-sqlalchemy-text + one = query.distinct(text(search_param_format)) -# ok -text(":n").bindparams(n=5) + search_param_percent_format = "foo %s bar" % param + # ruleid: avoid-sqlalchemy-text + one = query.distinct(text(search_param_percent_format)) + except SQLAlchemyError: + return Response("Database error", content_type='text/plain', status=500) + return {'one': one, 'project': 'my_proj'} diff --git a/python/sqlalchemy/security/audit/avoid-sqlalchemy-text.yaml b/python/sqlalchemy/security/audit/avoid-sqlalchemy-text.yaml index 32a707a087..de4163e14e 100644 
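Review bot: The fixture now marks `search_param = text(param)` / `one = query.distinct(search_param)` as `# ok: avoid-sqlalchemy-text` although `param` is `request.params['foo']` from the top of the same `try` block, the most direct path for request data into the sink, and nothing in the file says this is intentional; the reason lives only in the commit message. Record the trade-off next to the case so it is not later "fixed" into a `ruleid`, on its own comment line above the annotation so the test runner still parses the `# ok:` line unchanged: `# NOTE: deliberately unflagged; the rule reports only arguments assembled by string building, a bare variable is too noisy` followed by the existing `# ok: avoid-sqlalchemy-text`. The `ok` cases for `text(5)`, `text(":n").bindparams(n=5)` and `text("foo")` would read better with a similar one-word reason each (non-string, bound parameter, literal).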
--- a/python/sqlalchemy/security/audit/avoid-sqlalchemy-text.yaml +++ b/python/sqlalchemy/security/audit/avoid-sqlalchemy-text.yaml @@ -1,8 +1,37 @@ rules: - id: avoid-sqlalchemy-text - patterns: - - pattern: sqlalchemy.text(...) - - pattern-not-inside: sqlalchemy.text("...") + mode: taint + pattern-sinks: + - pattern: | + sqlalchemy.text(...) + pattern-sources: + - patterns: + - pattern: | + $X + $Y + - metavariable-type: + metavariable: $X + type: string + - patterns: + - pattern: | + $X + $Y + - metavariable-type: + metavariable: $Y + type: string + - patterns: + - pattern: | + f"..." + - patterns: + - pattern: | + $X.format(...) + - metavariable-type: + metavariable: $X + type: string + - patterns: + - pattern: | + $X % $Y + - metavariable-type: + metavariable: $X + type: string message: sqlalchemy.text passes the constructed SQL statement to the database mostly unchanged. This means that the usual SQL injection protections are not applied and this function is vulnerable to SQL injection if user input can reach here. Use normal SQLAlchemy operators (such as or_, and_, etc.) From c8680548d1d18fbcdd1f87996985d47da9ef47a2 Mon Sep 17 00:00:00 2001 From: Marcus Watson Date: Wed, 22 Nov 2023 21:57:45 +0000 Subject: [PATCH 02/89] Checks for ProcessStartInfo instantiator --- csharp/lang/security/injections/os-command.cs | 60 +++++++++++++++++++ .../lang/security/injections/os-command.yaml | 19 ++++++ 2 files changed, 79 insertions(+) diff --git a/csharp/lang/security/injections/os-command.cs b/csharp/lang/security/injections/os-command.cs index 572e39e78a..6cd4207125 100644 --- a/csharp/lang/security/injections/os-command.cs +++ b/csharp/lang/security/injections/os-command.cs 
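Review bot: The `pattern-sources` list covers `$X + $Y`, `f"..."`, `$X.format(...)` and `$X % $Y`, but not augmented assignment or `str.join`, so a query assembled as `sql += param` or `" ".join(parts)` reaches the `sqlalchemy.text(...)` sink unreported even though both are common ways to build SQL text. Consider adding sources for `$X += $Y` and `$X.join(...)` with the same `metavariable-type` / `type: string` constraint on `$X`, plus matching `# ruleid` cases in the fixture; whether the augmented-assignment pattern matches as written is worth confirming with `semgrep --test` on the fixture. Separately, the `message:` still says the call is vulnerable "if user input can reach here", but under `mode: taint` with these sources a finding now means the argument was built by string formatting, not that input was traced to it; rewording it to say the statement text is assembled dynamically would match what the rule actually reports. The `message:` continuation lines and the rest of the rule are outside the hunk.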
@@ -116,5 +116,65 @@ public void RunConstantAppWithArgs(string args)
 // ok: os-command-injection
 var process = Process.Start(processStartInfo);
 }
+
+ public void RunOsCommandAndArgsWithProcessParam(string command, string arguments)
+ {
+ Process process = new Process
+ {
+ StartInfo = new ProcessStartInfo
+ {
+ FileName = command,
+ Arguments = args
+ }
+ };
+
+ // ruleid: os-command-injection
+ process.Start();
+ }
+
+ public void RunOsCommandAndArgsWithProcessParam(string command, string arguments)
+ {
+ Process process = new Process
+ {
+ StartInfo = new ProcessStartInfo
+ {
+ FileName = "constant",
+ Arguments = arguments
+ }
+ };
+
+ // ruleid: os-command-injection
+ process.Start();
+ }
+
+ public void RunOsCommandAndArgsWithProcessParam(string command, string arguments)
+ {
+ Process process = new Process
+ {
+ StartInfo = new ProcessStartInfo
+ {
+ FileName = command,
+ Arguments = "constant"
+ }
+ };
+
+ // ruleid: os-command-injection
+ process.Start();
+ }
+
+ public void RunOsCommandAndArgsWithProcessParam(string command, string arguments)
+ {
+ Process process = new Process
+ {
+ StartInfo = new ProcessStartInfo
+ {
+ FileName = "constant",
+ Arguments = "constant"
+ }
+ };
+
+ // ok: os-command-injection
+ process.Start();
+ }
 }
 }
diff --git a/csharp/lang/security/injections/os-command.yaml b/csharp/lang/security/injections/os-command.yaml
index bc3f1e0233..5d9631f30a 100644
--- a/csharp/lang/security/injections/os-command.yaml
+++ b/csharp/lang/security/injections/os-command.yaml
@@ -72,3 +72,22 @@ rules:
 - pattern: |
 Process.Start($PSINFO);
 - focus-metavariable: $PSINFO
+ - patterns:
+ - pattern-inside: |
+ Process $PROC = new Process()
+ {
+ StartInfo = new ProcessStartInfo()
+ {
+ ...
+ }
+ };
+ ...
+ - pattern-either:
+ - pattern-inside: |
+ FileName = $ARG;
+ ...
+ - pattern-inside: |
+ Arguments = $ARG;
+ ...
+ - pattern: |
+ $PROC.Start();
From 49b216945d4cc007f49c2f947842f5c4b944d660 Mon Sep 17 00:00:00 2001
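Review bot: All four new test methods are declared as `RunOsCommandAndArgsWithProcessParam(string command, string arguments)`, so the file no longer compiles as C# (duplicate member signatures), and the first one assigns `Arguments = args` although its parameter is named `arguments`. Semgrep's test runner does not compile the fixture, but the surrounding fixtures are valid code, and the undefined `args` makes it impossible to tell whether that `// ruleid` fires because of `FileName = command` or because of the arguments path. Give each method a distinct name that states the case it covers (command and arguments from parameters, arguments only, command only, both constant) and change the first initializer to `Arguments = arguments`. The enclosing class is closed by the two context `}` lines at the end of the hunk; its header is outside it.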
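Review bot: The new clause ends at `- pattern: | $PROC.Start();` with no `focus-metavariable`, unlike the `Process.Start($PSINFO);` clause just above it that focuses `$PSINFO`; if this list is `pattern-sinks` of a taint rule (the focus on the preceding clause suggests so, but the rule header is outside the hunk), nothing in the new clause ties the match to `$ARG`, so the three `// ruleid` fixtures fire only if taint reaches the `process` receiver through the object initializer, and the constant-only `// ok` fixture stays clean only by the same propagation. Adding `- focus-metavariable: $ARG` after the `pattern-either` makes the sink the assigned value itself, consistent with the existing clause, and makes the `// ok` case depend on `$ARG` being untainted rather than on propagation details. The two `pattern-inside` patterns are written as statements, `FileName = $ARG;` and `Arguments = $ARG;`, while the fixture writes them as initializer members ending in `,`; whether Semgrep's C# matcher treats both spellings alike is worth confirming with `semgrep --test` on the fixture.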
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 28 Nov 2023 01:04:17 +0000 Subject: [PATCH 03/89] Bump aiohttp from 3.8.6 to 3.9.0 in /.github/rulerascal Bumps [aiohttp](https://github.com/aio-libs/aiohttp) from 3.8.6 to 3.9.0. - [Release notes](https://github.com/aio-libs/aiohttp/releases) - [Changelog](https://github.com/aio-libs/aiohttp/blob/master/CHANGES.rst) - [Commits](https://github.com/aio-libs/aiohttp/compare/v3.8.6...v3.9.0) --- updated-dependencies: - dependency-name: aiohttp dependency-type: indirect ... Signed-off-by: dependabot[bot] --- .github/rulerascal/poetry.lock | 256 +++++++++++---------------------- 1 file changed, 80 insertions(+), 176 deletions(-) diff --git a/.github/rulerascal/poetry.lock b/.github/rulerascal/poetry.lock index 142f898a07..a3c4130f4f 100644 --- a/.github/rulerascal/poetry.lock +++ b/.github/rulerascal/poetry.lock 
@@ -16,111 +16,99 @@ aiohttp = "*" [[package]] name = "aiohttp" -version = "3.8.6" +version = "3.9.0" description = "Async http client/server framework (asyncio)" optional = false -python-versions = ">=3.6" +python-versions = ">=3.8" files = [ - {file = "aiohttp-3.8.6-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:41d55fc043954cddbbd82503d9cc3f4814a40bcef30b3569bc7b5e34130718c1"}, - {file = "aiohttp-3.8.6-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:1d84166673694841d8953f0a8d0c90e1087739d24632fe86b1a08819168b4566"}, - {file = "aiohttp-3.8.6-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:253bf92b744b3170eb4c4ca2fa58f9c4b87aeb1df42f71d4e78815e6e8b73c9e"}, - {file = "aiohttp-3.8.6-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3fd194939b1f764d6bb05490987bfe104287bbf51b8d862261ccf66f48fb4096"}, - {file = "aiohttp-3.8.6-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:6c5f938d199a6fdbdc10bbb9447496561c3a9a565b43be564648d81e1102ac22"}, - {file = "aiohttp-3.8.6-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:2817b2f66ca82ee699acd90e05c95e79bbf1dc986abb62b61ec8aaf851e81c93"}, - {file = "aiohttp-3.8.6-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0fa375b3d34e71ccccf172cab401cd94a72de7a8cc01847a7b3386204093bb47"}, - {file = "aiohttp-3.8.6-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:9de50a199b7710fa2904be5a4a9b51af587ab24c8e540a7243ab737b45844543"}, - {file = "aiohttp-3.8.6-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:e1d8cb0b56b3587c5c01de3bf2f600f186da7e7b5f7353d1bf26a8ddca57f965"}, - {file = "aiohttp-3.8.6-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:8e31e9db1bee8b4f407b77fd2507337a0a80665ad7b6c749d08df595d88f1cf5"}, - {file = "aiohttp-3.8.6-cp310-cp310-musllinux_1_1_ppc64le.whl", hash = 
"sha256:7bc88fc494b1f0311d67f29fee6fd636606f4697e8cc793a2d912ac5b19aa38d"}, - {file = "aiohttp-3.8.6-cp310-cp310-musllinux_1_1_s390x.whl", hash = "sha256:ec00c3305788e04bf6d29d42e504560e159ccaf0be30c09203b468a6c1ccd3b2"}, - {file = "aiohttp-3.8.6-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:ad1407db8f2f49329729564f71685557157bfa42b48f4b93e53721a16eb813ed"}, - {file = "aiohttp-3.8.6-cp310-cp310-win32.whl", hash = "sha256:ccc360e87341ad47c777f5723f68adbb52b37ab450c8bc3ca9ca1f3e849e5fe2"}, - {file = "aiohttp-3.8.6-cp310-cp310-win_amd64.whl", hash = "sha256:93c15c8e48e5e7b89d5cb4613479d144fda8344e2d886cf694fd36db4cc86865"}, - {file = "aiohttp-3.8.6-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:6e2f9cc8e5328f829f6e1fb74a0a3a939b14e67e80832975e01929e320386b34"}, - {file = "aiohttp-3.8.6-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:e6a00ffcc173e765e200ceefb06399ba09c06db97f401f920513a10c803604ca"}, - {file = "aiohttp-3.8.6-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:41bdc2ba359032e36c0e9de5a3bd00d6fb7ea558a6ce6b70acedf0da86458321"}, - {file = "aiohttp-3.8.6-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:14cd52ccf40006c7a6cd34a0f8663734e5363fd981807173faf3a017e202fec9"}, - {file = "aiohttp-3.8.6-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:2d5b785c792802e7b275c420d84f3397668e9d49ab1cb52bd916b3b3ffcf09ad"}, - {file = "aiohttp-3.8.6-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:1bed815f3dc3d915c5c1e556c397c8667826fbc1b935d95b0ad680787896a358"}, - {file = "aiohttp-3.8.6-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:96603a562b546632441926cd1293cfcb5b69f0b4159e6077f7c7dbdfb686af4d"}, - {file = "aiohttp-3.8.6-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:d76e8b13161a202d14c9584590c4df4d068c9567c99506497bdd67eaedf36403"}, - {file = 
"aiohttp-3.8.6-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:e3f1e3f1a1751bb62b4a1b7f4e435afcdade6c17a4fd9b9d43607cebd242924a"}, - {file = "aiohttp-3.8.6-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:76b36b3124f0223903609944a3c8bf28a599b2cc0ce0be60b45211c8e9be97f8"}, - {file = "aiohttp-3.8.6-cp311-cp311-musllinux_1_1_ppc64le.whl", hash = "sha256:a2ece4af1f3c967a4390c284797ab595a9f1bc1130ef8b01828915a05a6ae684"}, - {file = "aiohttp-3.8.6-cp311-cp311-musllinux_1_1_s390x.whl", hash = "sha256:16d330b3b9db87c3883e565340d292638a878236418b23cc8b9b11a054aaa887"}, - {file = "aiohttp-3.8.6-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:42c89579f82e49db436b69c938ab3e1559e5a4409eb8639eb4143989bc390f2f"}, - {file = "aiohttp-3.8.6-cp311-cp311-win32.whl", hash = "sha256:efd2fcf7e7b9d7ab16e6b7d54205beded0a9c8566cb30f09c1abe42b4e22bdcb"}, - {file = "aiohttp-3.8.6-cp311-cp311-win_amd64.whl", hash = "sha256:3b2ab182fc28e7a81f6c70bfbd829045d9480063f5ab06f6e601a3eddbbd49a0"}, - {file = "aiohttp-3.8.6-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:fdee8405931b0615220e5ddf8cd7edd8592c606a8e4ca2a00704883c396e4479"}, - {file = "aiohttp-3.8.6-cp36-cp36m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d25036d161c4fe2225d1abff2bd52c34ed0b1099f02c208cd34d8c05729882f0"}, - {file = "aiohttp-3.8.6-cp36-cp36m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:5d791245a894be071d5ab04bbb4850534261a7d4fd363b094a7b9963e8cdbd31"}, - {file = "aiohttp-3.8.6-cp36-cp36m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0cccd1de239afa866e4ce5c789b3032442f19c261c7d8a01183fd956b1935349"}, - {file = "aiohttp-3.8.6-cp36-cp36m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:1f13f60d78224f0dace220d8ab4ef1dbc37115eeeab8c06804fec11bec2bbd07"}, - {file = "aiohttp-3.8.6-cp36-cp36m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = 
"sha256:8a9b5a0606faca4f6cc0d338359d6fa137104c337f489cd135bb7fbdbccb1e39"}, - {file = "aiohttp-3.8.6-cp36-cp36m-musllinux_1_1_aarch64.whl", hash = "sha256:13da35c9ceb847732bf5c6c5781dcf4780e14392e5d3b3c689f6d22f8e15ae31"}, - {file = "aiohttp-3.8.6-cp36-cp36m-musllinux_1_1_i686.whl", hash = "sha256:4d4cbe4ffa9d05f46a28252efc5941e0462792930caa370a6efaf491f412bc66"}, - {file = "aiohttp-3.8.6-cp36-cp36m-musllinux_1_1_ppc64le.whl", hash = "sha256:229852e147f44da0241954fc6cb910ba074e597f06789c867cb7fb0621e0ba7a"}, - {file = "aiohttp-3.8.6-cp36-cp36m-musllinux_1_1_s390x.whl", hash = "sha256:713103a8bdde61d13490adf47171a1039fd880113981e55401a0f7b42c37d071"}, - {file = "aiohttp-3.8.6-cp36-cp36m-musllinux_1_1_x86_64.whl", hash = "sha256:45ad816b2c8e3b60b510f30dbd37fe74fd4a772248a52bb021f6fd65dff809b6"}, - {file = "aiohttp-3.8.6-cp36-cp36m-win32.whl", hash = "sha256:2b8d4e166e600dcfbff51919c7a3789ff6ca8b3ecce16e1d9c96d95dd569eb4c"}, - {file = "aiohttp-3.8.6-cp36-cp36m-win_amd64.whl", hash = "sha256:0912ed87fee967940aacc5306d3aa8ba3a459fcd12add0b407081fbefc931e53"}, - {file = "aiohttp-3.8.6-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:e2a988a0c673c2e12084f5e6ba3392d76c75ddb8ebc6c7e9ead68248101cd446"}, - {file = "aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ebf3fd9f141700b510d4b190094db0ce37ac6361a6806c153c161dc6c041ccda"}, - {file = "aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:3161ce82ab85acd267c8f4b14aa226047a6bee1e4e6adb74b798bd42c6ae1f80"}, - {file = "aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:d95fc1bf33a9a81469aa760617b5971331cdd74370d1214f0b3109272c0e1e3c"}, - {file = "aiohttp-3.8.6-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6c43ecfef7deaf0617cee936836518e7424ee12cb709883f2c9a1adda63cc460"}, - {file = 
"aiohttp-3.8.6-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ca80e1b90a05a4f476547f904992ae81eda5c2c85c66ee4195bb8f9c5fb47f28"}, - {file = "aiohttp-3.8.6-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = "sha256:90c72ebb7cb3a08a7f40061079817133f502a160561d0675b0a6adf231382c92"}, - {file = "aiohttp-3.8.6-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:bb54c54510e47a8c7c8e63454a6acc817519337b2b78606c4e840871a3e15349"}, - {file = "aiohttp-3.8.6-cp37-cp37m-musllinux_1_1_ppc64le.whl", hash = "sha256:de6a1c9f6803b90e20869e6b99c2c18cef5cc691363954c93cb9adeb26d9f3ae"}, - {file = "aiohttp-3.8.6-cp37-cp37m-musllinux_1_1_s390x.whl", hash = "sha256:a3628b6c7b880b181a3ae0a0683698513874df63783fd89de99b7b7539e3e8a8"}, - {file = "aiohttp-3.8.6-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:fc37e9aef10a696a5a4474802930079ccfc14d9f9c10b4662169671ff034b7df"}, - {file = "aiohttp-3.8.6-cp37-cp37m-win32.whl", hash = "sha256:f8ef51e459eb2ad8e7a66c1d6440c808485840ad55ecc3cafefadea47d1b1ba2"}, - {file = "aiohttp-3.8.6-cp37-cp37m-win_amd64.whl", hash = "sha256:b2fe42e523be344124c6c8ef32a011444e869dc5f883c591ed87f84339de5976"}, - {file = "aiohttp-3.8.6-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:9e2ee0ac5a1f5c7dd3197de309adfb99ac4617ff02b0603fd1e65b07dc772e4b"}, - {file = "aiohttp-3.8.6-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:01770d8c04bd8db568abb636c1fdd4f7140b284b8b3e0b4584f070180c1e5c62"}, - {file = "aiohttp-3.8.6-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:3c68330a59506254b556b99a91857428cab98b2f84061260a67865f7f52899f5"}, - {file = "aiohttp-3.8.6-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:89341b2c19fb5eac30c341133ae2cc3544d40d9b1892749cdd25892bbc6ac951"}, - {file = "aiohttp-3.8.6-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:71783b0b6455ac8f34b5ec99d83e686892c50498d5d00b8e56d47f41b38fbe04"}, - {file = 
"aiohttp-3.8.6-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f628dbf3c91e12f4d6c8b3f092069567d8eb17814aebba3d7d60c149391aee3a"}, - {file = "aiohttp-3.8.6-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:b04691bc6601ef47c88f0255043df6f570ada1a9ebef99c34bd0b72866c217ae"}, - {file = "aiohttp-3.8.6-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:7ee912f7e78287516df155f69da575a0ba33b02dd7c1d6614dbc9463f43066e3"}, - {file = "aiohttp-3.8.6-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:9c19b26acdd08dd239e0d3669a3dddafd600902e37881f13fbd8a53943079dbc"}, - {file = "aiohttp-3.8.6-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:99c5ac4ad492b4a19fc132306cd57075c28446ec2ed970973bbf036bcda1bcc6"}, - {file = "aiohttp-3.8.6-cp38-cp38-musllinux_1_1_ppc64le.whl", hash = "sha256:f0f03211fd14a6a0aed2997d4b1c013d49fb7b50eeb9ffdf5e51f23cfe2c77fa"}, - {file = "aiohttp-3.8.6-cp38-cp38-musllinux_1_1_s390x.whl", hash = "sha256:8d399dade330c53b4106160f75f55407e9ae7505263ea86f2ccca6bfcbdb4921"}, - {file = "aiohttp-3.8.6-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:ec4fd86658c6a8964d75426517dc01cbf840bbf32d055ce64a9e63a40fd7b771"}, - {file = "aiohttp-3.8.6-cp38-cp38-win32.whl", hash = "sha256:33164093be11fcef3ce2571a0dccd9041c9a93fa3bde86569d7b03120d276c6f"}, - {file = "aiohttp-3.8.6-cp38-cp38-win_amd64.whl", hash = "sha256:bdf70bfe5a1414ba9afb9d49f0c912dc524cf60141102f3a11143ba3d291870f"}, - {file = "aiohttp-3.8.6-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:d52d5dc7c6682b720280f9d9db41d36ebe4791622c842e258c9206232251ab2b"}, - {file = "aiohttp-3.8.6-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:4ac39027011414dbd3d87f7edb31680e1f430834c8cef029f11c66dad0670aa5"}, - {file = "aiohttp-3.8.6-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:3f5c7ce535a1d2429a634310e308fb7d718905487257060e5d4598e29dc17f0b"}, - {file = 
"aiohttp-3.8.6-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b30e963f9e0d52c28f284d554a9469af073030030cef8693106d918b2ca92f54"}, - {file = "aiohttp-3.8.6-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:918810ef188f84152af6b938254911055a72e0f935b5fbc4c1a4ed0b0584aed1"}, - {file = "aiohttp-3.8.6-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:002f23e6ea8d3dd8d149e569fd580c999232b5fbc601c48d55398fbc2e582e8c"}, - {file = "aiohttp-3.8.6-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:4fcf3eabd3fd1a5e6092d1242295fa37d0354b2eb2077e6eb670accad78e40e1"}, - {file = "aiohttp-3.8.6-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:255ba9d6d5ff1a382bb9a578cd563605aa69bec845680e21c44afc2670607a95"}, - {file = "aiohttp-3.8.6-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:d67f8baed00870aa390ea2590798766256f31dc5ed3ecc737debb6e97e2ede78"}, - {file = "aiohttp-3.8.6-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:86f20cee0f0a317c76573b627b954c412ea766d6ada1a9fcf1b805763ae7feeb"}, - {file = "aiohttp-3.8.6-cp39-cp39-musllinux_1_1_ppc64le.whl", hash = "sha256:39a312d0e991690ccc1a61f1e9e42daa519dcc34ad03eb6f826d94c1190190dd"}, - {file = "aiohttp-3.8.6-cp39-cp39-musllinux_1_1_s390x.whl", hash = "sha256:e827d48cf802de06d9c935088c2924e3c7e7533377d66b6f31ed175c1620e05e"}, - {file = "aiohttp-3.8.6-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:bd111d7fc5591ddf377a408ed9067045259ff2770f37e2d94e6478d0f3fc0c17"}, - {file = "aiohttp-3.8.6-cp39-cp39-win32.whl", hash = "sha256:caf486ac1e689dda3502567eb89ffe02876546599bbf915ec94b1fa424eeffd4"}, - {file = "aiohttp-3.8.6-cp39-cp39-win_amd64.whl", hash = "sha256:3f0e27e5b733803333bb2371249f41cf42bae8884863e8e8965ec69bebe53132"}, - {file = "aiohttp-3.8.6.tar.gz", hash = "sha256:b0cf2a4501bff9330a8a5248b4ce951851e415bdcce9dc158e76cfd55e15085c"}, + {file = 
"aiohttp-3.9.0-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:6896b8416be9ada4d22cd359d7cb98955576ce863eadad5596b7cdfbf3e17c6c"}, + {file = "aiohttp-3.9.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:1736d87dad8ef46a8ec9cddd349fa9f7bd3a064c47dd6469c0d6763d3d49a4fc"}, + {file = "aiohttp-3.9.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:8c9e5f4d7208cda1a2bb600e29069eecf857e6980d0ccc922ccf9d1372c16f4b"}, + {file = "aiohttp-3.9.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:8488519aa05e636c5997719fe543c8daf19f538f4fa044f3ce94bee608817cff"}, + {file = "aiohttp-3.9.0-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:5ab16c254e2312efeb799bc3c06897f65a133b38b69682bf75d1f1ee1a9c43a9"}, + {file = "aiohttp-3.9.0-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:7a94bde005a8f926d0fa38b88092a03dea4b4875a61fbcd9ac6f4351df1b57cd"}, + {file = "aiohttp-3.9.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:4b777c9286b6c6a94f50ddb3a6e730deec327e9e2256cb08b5530db0f7d40fd8"}, + {file = "aiohttp-3.9.0-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:571760ad7736b34d05597a1fd38cbc7d47f7b65deb722cb8e86fd827404d1f6b"}, + {file = "aiohttp-3.9.0-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:deac0a32aec29608eb25d730f4bc5a261a65b6c48ded1ed861d2a1852577c932"}, + {file = "aiohttp-3.9.0-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:4ee1b4152bc3190cc40ddd6a14715e3004944263ea208229ab4c297712aa3075"}, + {file = "aiohttp-3.9.0-cp310-cp310-musllinux_1_1_ppc64le.whl", hash = "sha256:3607375053df58ed6f23903aa10cf3112b1240e8c799d243bbad0f7be0666986"}, + {file = "aiohttp-3.9.0-cp310-cp310-musllinux_1_1_s390x.whl", hash = "sha256:65b0a70a25456d329a5e1426702dde67be0fb7a4ead718005ba2ca582d023a94"}, + {file = "aiohttp-3.9.0-cp310-cp310-musllinux_1_1_x86_64.whl", hash = 
"sha256:5a2eb5311a37fe105aa35f62f75a078537e1a9e4e1d78c86ec9893a3c97d7a30"}, + {file = "aiohttp-3.9.0-cp310-cp310-win32.whl", hash = "sha256:2cbc14a13fb6b42d344e4f27746a4b03a2cb0c1c3c5b932b0d6ad8881aa390e3"}, + {file = "aiohttp-3.9.0-cp310-cp310-win_amd64.whl", hash = "sha256:ac9669990e2016d644ba8ae4758688534aabde8dbbc81f9af129c3f5f01ca9cd"}, + {file = "aiohttp-3.9.0-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:f8e05f5163528962ce1d1806fce763ab893b1c5b7ace0a3538cd81a90622f844"}, + {file = "aiohttp-3.9.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:4afa8f71dba3a5a2e1e1282a51cba7341ae76585345c43d8f0e624882b622218"}, + {file = "aiohttp-3.9.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:f929f4c9b9a00f3e6cc0587abb95ab9c05681f8b14e0fe1daecfa83ea90f8318"}, + {file = "aiohttp-3.9.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:28185e36a78d247c55e9fbea2332d16aefa14c5276a582ce7a896231c6b1c208"}, + {file = "aiohttp-3.9.0-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a486ddf57ab98b6d19ad36458b9f09e6022de0381674fe00228ca7b741aacb2f"}, + {file = "aiohttp-3.9.0-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:70e851f596c00f40a2f00a46126c95c2e04e146015af05a9da3e4867cfc55911"}, + {file = "aiohttp-3.9.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:c5b7bf8fe4d39886adc34311a233a2e01bc10eb4e842220235ed1de57541a896"}, + {file = "aiohttp-3.9.0-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:c67a51ea415192c2e53e4e048c78bab82d21955b4281d297f517707dc836bf3d"}, + {file = "aiohttp-3.9.0-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:694df243f394629bcae2d8ed94c589a181e8ba8604159e6e45e7b22e58291113"}, + {file = "aiohttp-3.9.0-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:3dd8119752dd30dd7bca7d4bc2a92a59be6a003e4e5c2cf7e248b89751b8f4b7"}, + {file = 
"aiohttp-3.9.0-cp311-cp311-musllinux_1_1_ppc64le.whl", hash = "sha256:eb6dfd52063186ac97b4caa25764cdbcdb4b10d97f5c5f66b0fa95052e744eb7"}, + {file = "aiohttp-3.9.0-cp311-cp311-musllinux_1_1_s390x.whl", hash = "sha256:d97c3e286d0ac9af6223bc132dc4bad6540b37c8d6c0a15fe1e70fb34f9ec411"}, + {file = "aiohttp-3.9.0-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:816f4db40555026e4cdda604a1088577c1fb957d02f3f1292e0221353403f192"}, + {file = "aiohttp-3.9.0-cp311-cp311-win32.whl", hash = "sha256:3abf0551874fecf95f93b58f25ef4fc9a250669a2257753f38f8f592db85ddea"}, + {file = "aiohttp-3.9.0-cp311-cp311-win_amd64.whl", hash = "sha256:e18d92c3e9e22553a73e33784fcb0ed484c9874e9a3e96c16a8d6a1e74a0217b"}, + {file = "aiohttp-3.9.0-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:99ae01fb13a618b9942376df77a1f50c20a281390dad3c56a6ec2942e266220d"}, + {file = "aiohttp-3.9.0-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:05857848da443c8c12110d99285d499b4e84d59918a21132e45c3f0804876994"}, + {file = "aiohttp-3.9.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:317719d7f824eba55857fe0729363af58e27c066c731bc62cd97bc9c3d9c7ea4"}, + {file = "aiohttp-3.9.0-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a1e3b3c107ccb0e537f309f719994a55621acd2c8fdf6d5ce5152aed788fb940"}, + {file = "aiohttp-3.9.0-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:45820ddbb276113ead8d4907a7802adb77548087ff5465d5c554f9aa3928ae7d"}, + {file = "aiohttp-3.9.0-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:05a183f1978802588711aed0dea31e697d760ce9055292db9dc1604daa9a8ded"}, + {file = "aiohttp-3.9.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:51a4cd44788ea0b5e6bb8fa704597af3a30be75503a7ed1098bc5b8ffdf6c982"}, + {file = "aiohttp-3.9.0-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = 
"sha256:673343fbc0c1ac44d0d2640addc56e97a052504beacd7ade0dc5e76d3a4c16e8"}, + {file = "aiohttp-3.9.0-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:7e8a3b79b6d186a9c99761fd4a5e8dd575a48d96021f220ac5b5fa856e5dd029"}, + {file = "aiohttp-3.9.0-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:6777a390e41e78e7c45dab43a4a0196c55c3b8c30eebe017b152939372a83253"}, + {file = "aiohttp-3.9.0-cp312-cp312-musllinux_1_1_ppc64le.whl", hash = "sha256:7ae5f99a32c53731c93ac3075abd3e1e5cfbe72fc3eaac4c27c9dd64ba3b19fe"}, + {file = "aiohttp-3.9.0-cp312-cp312-musllinux_1_1_s390x.whl", hash = "sha256:f1e4f254e9c35d8965d377e065c4a8a55d396fe87c8e7e8429bcfdeeb229bfb3"}, + {file = "aiohttp-3.9.0-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:11ca808f9a6b63485059f5f6e164ef7ec826483c1212a44f268b3653c91237d8"}, + {file = "aiohttp-3.9.0-cp312-cp312-win32.whl", hash = "sha256:de3cc86f4ea8b4c34a6e43a7306c40c1275e52bfa9748d869c6b7d54aa6dad80"}, + {file = "aiohttp-3.9.0-cp312-cp312-win_amd64.whl", hash = "sha256:ca4fddf84ac7d8a7d0866664936f93318ff01ee33e32381a115b19fb5a4d1202"}, + {file = "aiohttp-3.9.0-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:f09960b5bb1017d16c0f9e9f7fc42160a5a49fa1e87a175fd4a2b1a1833ea0af"}, + {file = "aiohttp-3.9.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:8303531e2c17b1a494ffaeba48f2da655fe932c4e9a2626c8718403c83e5dd2b"}, + {file = "aiohttp-3.9.0-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:4790e44f46a4aa07b64504089def5744d3b6780468c4ec3a1a36eb7f2cae9814"}, + {file = "aiohttp-3.9.0-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a1d7edf74a36de0e5ca50787e83a77cf352f5504eb0ffa3f07000a911ba353fb"}, + {file = "aiohttp-3.9.0-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:94697c7293199c2a2551e3e3e18438b4cba293e79c6bc2319f5fd652fccb7456"}, + {file = "aiohttp-3.9.0-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = 
"sha256:a1b66dbb8a7d5f50e9e2ea3804b01e766308331d0cac76eb30c563ac89c95985"}, + {file = "aiohttp-3.9.0-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9623cfd9e85b76b83ef88519d98326d4731f8d71869867e47a0b979ffec61c73"}, + {file = "aiohttp-3.9.0-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:f32c86dc967ab8c719fd229ce71917caad13cc1e8356ee997bf02c5b368799bf"}, + {file = "aiohttp-3.9.0-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:f50b4663c3e0262c3a361faf440761fbef60ccdde5fe8545689a4b3a3c149fb4"}, + {file = "aiohttp-3.9.0-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:dcf71c55ec853826cd70eadb2b6ac62ec577416442ca1e0a97ad875a1b3a0305"}, + {file = "aiohttp-3.9.0-cp38-cp38-musllinux_1_1_ppc64le.whl", hash = "sha256:42fe4fd9f0dfcc7be4248c162d8056f1d51a04c60e53366b0098d1267c4c9da8"}, + {file = "aiohttp-3.9.0-cp38-cp38-musllinux_1_1_s390x.whl", hash = "sha256:76a86a9989ebf82ee61e06e2bab408aec4ea367dc6da35145c3352b60a112d11"}, + {file = "aiohttp-3.9.0-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:f9e09a1c83521d770d170b3801eea19b89f41ccaa61d53026ed111cb6f088887"}, + {file = "aiohttp-3.9.0-cp38-cp38-win32.whl", hash = "sha256:a00ce44c21612d185c5275c5cba4bab8d7c1590f248638b667ed8a782fa8cd6f"}, + {file = "aiohttp-3.9.0-cp38-cp38-win_amd64.whl", hash = "sha256:d5b9345ab92ebe6003ae11d8092ce822a0242146e6fa270889b9ba965457ca40"}, + {file = "aiohttp-3.9.0-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:98d21092bf2637c5fa724a428a69e8f5955f2182bff61f8036827cf6ce1157bf"}, + {file = "aiohttp-3.9.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:35a68cd63ca6aaef5707888f17a70c36efe62b099a4e853d33dc2e9872125be8"}, + {file = "aiohttp-3.9.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:3d7f6235c7475658acfc1769d968e07ab585c79f6ca438ddfecaa9a08006aee2"}, + {file = "aiohttp-3.9.0-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = 
"sha256:db04d1de548f7a62d1dd7e7cdf7c22893ee168e22701895067a28a8ed51b3735"}, + {file = "aiohttp-3.9.0-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:536b01513d67d10baf6f71c72decdf492fb7433c5f2f133e9a9087379d4b6f31"}, + {file = "aiohttp-3.9.0-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:87c8b0a6487e8109427ccf638580865b54e2e3db4a6e0e11c02639231b41fc0f"}, + {file = "aiohttp-3.9.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7276fe0017664414fdc3618fca411630405f1aaf0cc3be69def650eb50441787"}, + {file = "aiohttp-3.9.0-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:23170247ef89ffa842a02bbfdc425028574d9e010611659abeb24d890bc53bb8"}, + {file = "aiohttp-3.9.0-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:b1a2ea8252cacc7fd51df5a56d7a2bb1986ed39be9397b51a08015727dfb69bd"}, + {file = "aiohttp-3.9.0-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:2d71abc15ff7047412ef26bf812dfc8d0d1020d664617f4913df2df469f26b76"}, + {file = "aiohttp-3.9.0-cp39-cp39-musllinux_1_1_ppc64le.whl", hash = "sha256:2d820162c8c2bdbe97d328cd4f417c955ca370027dce593345e437b2e9ffdc4d"}, + {file = "aiohttp-3.9.0-cp39-cp39-musllinux_1_1_s390x.whl", hash = "sha256:2779f5e7c70f7b421915fd47db332c81de365678180a9f3ab404088f87ba5ff9"}, + {file = "aiohttp-3.9.0-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:366bc870d7ac61726f32a489fbe3d1d8876e87506870be66b01aeb84389e967e"}, + {file = "aiohttp-3.9.0-cp39-cp39-win32.whl", hash = "sha256:1df43596b826022b14998f0460926ce261544fedefe0d2f653e1b20f49e96454"}, + {file = "aiohttp-3.9.0-cp39-cp39-win_amd64.whl", hash = "sha256:9c196b30f1b1aa3363a69dd69079ae9bec96c2965c4707eaa6914ba099fb7d4f"}, + {file = "aiohttp-3.9.0.tar.gz", hash = "sha256:09f23292d29135025e19e8ff4f0a68df078fe4ee013bca0105b2e803989de92d"}, ] [package.dependencies] aiosignal = ">=1.1.2" -async-timeout = ">=4.0.0a3,<5.0" +async-timeout = {version = 
">=4.0,<5.0", markers = "python_version < \"3.11\""} attrs = ">=17.3.0" -charset-normalizer = ">=2.0,<4.0" frozenlist = ">=1.1.1" multidict = ">=4.5,<7.0" yarl = ">=1.0,<2.0" [package.extras] -speedups = ["Brotli", "aiodns", "cchardet"] +speedups = ["Brotli", "aiodns", "brotlicffi"] [[package]] name = "aiosignal" 
@@ -197,90 +185,6 @@ files = [ {file = "certifi-2023.7.22.tar.gz", hash = "sha256:539cc1d13202e33ca466e88b2807e29f4c13049d6d87031a3c110744495cb082"}, ] -[[package]] -name = "charset-normalizer" -version = "3.2.0" -description = "The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet." -optional = false -python-versions = ">=3.7.0" -files = [ - {file = "charset-normalizer-3.2.0.tar.gz", hash = "sha256:3bb3d25a8e6c0aedd251753a79ae98a093c7e7b471faa3aa9a93a81431987ace"}, - {file = "charset_normalizer-3.2.0-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:0b87549028f680ca955556e3bd57013ab47474c3124dc069faa0b6545b6c9710"}, - {file = "charset_normalizer-3.2.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:7c70087bfee18a42b4040bb9ec1ca15a08242cf5867c58726530bdf3945672ed"}, - {file = "charset_normalizer-3.2.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:a103b3a7069b62f5d4890ae1b8f0597618f628b286b03d4bc9195230b154bfa9"}, - {file = "charset_normalizer-3.2.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:94aea8eff76ee6d1cdacb07dd2123a68283cb5569e0250feab1240058f53b623"}, - {file = "charset_normalizer-3.2.0-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:db901e2ac34c931d73054d9797383d0f8009991e723dab15109740a63e7f902a"}, - {file = "charset_normalizer-3.2.0-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:b0dac0ff919ba34d4df1b6131f59ce95b08b9065233446be7e459f95554c0dc8"}, - {file = "charset_normalizer-3.2.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:193cbc708ea3aca45e7221ae58f0fd63f933753a9bfb498a3b474878f12caaad"}, - {file = "charset_normalizer-3.2.0-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:09393e1b2a9461950b1c9a45d5fd251dc7c6f228acab64da1c9c0165d9c7765c"}, - {file = "charset_normalizer-3.2.0-cp310-cp310-musllinux_1_1_aarch64.whl", 
hash = "sha256:baacc6aee0b2ef6f3d308e197b5d7a81c0e70b06beae1f1fcacffdbd124fe0e3"}, - {file = "charset_normalizer-3.2.0-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:bf420121d4c8dce6b889f0e8e4ec0ca34b7f40186203f06a946fa0276ba54029"}, - {file = "charset_normalizer-3.2.0-cp310-cp310-musllinux_1_1_ppc64le.whl", hash = "sha256:c04a46716adde8d927adb9457bbe39cf473e1e2c2f5d0a16ceb837e5d841ad4f"}, - {file = "charset_normalizer-3.2.0-cp310-cp310-musllinux_1_1_s390x.whl", hash = "sha256:aaf63899c94de41fe3cf934601b0f7ccb6b428c6e4eeb80da72c58eab077b19a"}, - {file = "charset_normalizer-3.2.0-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:d62e51710986674142526ab9f78663ca2b0726066ae26b78b22e0f5e571238dd"}, - {file = "charset_normalizer-3.2.0-cp310-cp310-win32.whl", hash = "sha256:04e57ab9fbf9607b77f7d057974694b4f6b142da9ed4a199859d9d4d5c63fe96"}, - {file = "charset_normalizer-3.2.0-cp310-cp310-win_amd64.whl", hash = "sha256:48021783bdf96e3d6de03a6e39a1171ed5bd7e8bb93fc84cc649d11490f87cea"}, - {file = "charset_normalizer-3.2.0-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:4957669ef390f0e6719db3613ab3a7631e68424604a7b448f079bee145da6e09"}, - {file = "charset_normalizer-3.2.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:46fb8c61d794b78ec7134a715a3e564aafc8f6b5e338417cb19fe9f57a5a9bf2"}, - {file = "charset_normalizer-3.2.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:f779d3ad205f108d14e99bb3859aa7dd8e9c68874617c72354d7ecaec2a054ac"}, - {file = "charset_normalizer-3.2.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f25c229a6ba38a35ae6e25ca1264621cc25d4d38dca2942a7fce0b67a4efe918"}, - {file = "charset_normalizer-3.2.0-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:2efb1bd13885392adfda4614c33d3b68dee4921fd0ac1d3988f8cbb7d589e72a"}, - {file = "charset_normalizer-3.2.0-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = 
"sha256:1f30b48dd7fa1474554b0b0f3fdfdd4c13b5c737a3c6284d3cdc424ec0ffff3a"}, - {file = "charset_normalizer-3.2.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:246de67b99b6851627d945db38147d1b209a899311b1305dd84916f2b88526c6"}, - {file = "charset_normalizer-3.2.0-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:9bd9b3b31adcb054116447ea22caa61a285d92e94d710aa5ec97992ff5eb7cf3"}, - {file = "charset_normalizer-3.2.0-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:8c2f5e83493748286002f9369f3e6607c565a6a90425a3a1fef5ae32a36d749d"}, - {file = "charset_normalizer-3.2.0-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:3170c9399da12c9dc66366e9d14da8bf7147e1e9d9ea566067bbce7bb74bd9c2"}, - {file = "charset_normalizer-3.2.0-cp311-cp311-musllinux_1_1_ppc64le.whl", hash = "sha256:7a4826ad2bd6b07ca615c74ab91f32f6c96d08f6fcc3902ceeedaec8cdc3bcd6"}, - {file = "charset_normalizer-3.2.0-cp311-cp311-musllinux_1_1_s390x.whl", hash = "sha256:3b1613dd5aee995ec6d4c69f00378bbd07614702a315a2cf6c1d21461fe17c23"}, - {file = "charset_normalizer-3.2.0-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:9e608aafdb55eb9f255034709e20d5a83b6d60c054df0802fa9c9883d0a937aa"}, - {file = "charset_normalizer-3.2.0-cp311-cp311-win32.whl", hash = "sha256:f2a1d0fd4242bd8643ce6f98927cf9c04540af6efa92323e9d3124f57727bfc1"}, - {file = "charset_normalizer-3.2.0-cp311-cp311-win_amd64.whl", hash = "sha256:681eb3d7e02e3c3655d1b16059fbfb605ac464c834a0c629048a30fad2b27489"}, - {file = "charset_normalizer-3.2.0-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:c57921cda3a80d0f2b8aec7e25c8aa14479ea92b5b51b6876d975d925a2ea346"}, - {file = "charset_normalizer-3.2.0-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:41b25eaa7d15909cf3ac4c96088c1f266a9a93ec44f87f1d13d4a0e86c81b982"}, - {file = "charset_normalizer-3.2.0-cp37-cp37m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = 
"sha256:f058f6963fd82eb143c692cecdc89e075fa0828db2e5b291070485390b2f1c9c"}, - {file = "charset_normalizer-3.2.0-cp37-cp37m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:a7647ebdfb9682b7bb97e2a5e7cb6ae735b1c25008a70b906aecca294ee96cf4"}, - {file = "charset_normalizer-3.2.0-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:eef9df1eefada2c09a5e7a40991b9fc6ac6ef20b1372abd48d2794a316dc0449"}, - {file = "charset_normalizer-3.2.0-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:e03b8895a6990c9ab2cdcd0f2fe44088ca1c65ae592b8f795c3294af00a461c3"}, - {file = "charset_normalizer-3.2.0-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = "sha256:ee4006268ed33370957f55bf2e6f4d263eaf4dc3cfc473d1d90baff6ed36ce4a"}, - {file = "charset_normalizer-3.2.0-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:c4983bf937209c57240cff65906b18bb35e64ae872da6a0db937d7b4af845dd7"}, - {file = "charset_normalizer-3.2.0-cp37-cp37m-musllinux_1_1_ppc64le.whl", hash = "sha256:3bb7fda7260735efe66d5107fb7e6af6a7c04c7fce9b2514e04b7a74b06bf5dd"}, - {file = "charset_normalizer-3.2.0-cp37-cp37m-musllinux_1_1_s390x.whl", hash = "sha256:72814c01533f51d68702802d74f77ea026b5ec52793c791e2da806a3844a46c3"}, - {file = "charset_normalizer-3.2.0-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:70c610f6cbe4b9fce272c407dd9d07e33e6bf7b4aa1b7ffb6f6ded8e634e3592"}, - {file = "charset_normalizer-3.2.0-cp37-cp37m-win32.whl", hash = "sha256:a401b4598e5d3f4a9a811f3daf42ee2291790c7f9d74b18d75d6e21dda98a1a1"}, - {file = "charset_normalizer-3.2.0-cp37-cp37m-win_amd64.whl", hash = "sha256:c0b21078a4b56965e2b12f247467b234734491897e99c1d51cee628da9786959"}, - {file = "charset_normalizer-3.2.0-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:95eb302ff792e12aba9a8b8f8474ab229a83c103d74a750ec0bd1c1eea32e669"}, - {file = "charset_normalizer-3.2.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = 
"sha256:1a100c6d595a7f316f1b6f01d20815d916e75ff98c27a01ae817439ea7726329"}, - {file = "charset_normalizer-3.2.0-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:6339d047dab2780cc6220f46306628e04d9750f02f983ddb37439ca47ced7149"}, - {file = "charset_normalizer-3.2.0-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:e4b749b9cc6ee664a3300bb3a273c1ca8068c46be705b6c31cf5d276f8628a94"}, - {file = "charset_normalizer-3.2.0-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a38856a971c602f98472050165cea2cdc97709240373041b69030be15047691f"}, - {file = "charset_normalizer-3.2.0-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f87f746ee241d30d6ed93969de31e5ffd09a2961a051e60ae6bddde9ec3583aa"}, - {file = "charset_normalizer-3.2.0-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:89f1b185a01fe560bc8ae5f619e924407efca2191b56ce749ec84982fc59a32a"}, - {file = "charset_normalizer-3.2.0-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:e1c8a2f4c69e08e89632defbfabec2feb8a8d99edc9f89ce33c4b9e36ab63037"}, - {file = "charset_normalizer-3.2.0-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:2f4ac36d8e2b4cc1aa71df3dd84ff8efbe3bfb97ac41242fbcfc053c67434f46"}, - {file = "charset_normalizer-3.2.0-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:a386ebe437176aab38c041de1260cd3ea459c6ce5263594399880bbc398225b2"}, - {file = "charset_normalizer-3.2.0-cp38-cp38-musllinux_1_1_ppc64le.whl", hash = "sha256:ccd16eb18a849fd8dcb23e23380e2f0a354e8daa0c984b8a732d9cfaba3a776d"}, - {file = "charset_normalizer-3.2.0-cp38-cp38-musllinux_1_1_s390x.whl", hash = "sha256:e6a5bf2cba5ae1bb80b154ed68a3cfa2fa00fde979a7f50d6598d3e17d9ac20c"}, - {file = "charset_normalizer-3.2.0-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:45de3f87179c1823e6d9e32156fb14c1927fcc9aba21433f088fdfb555b77c10"}, - {file = "charset_normalizer-3.2.0-cp38-cp38-win32.whl", hash = 
"sha256:1000fba1057b92a65daec275aec30586c3de2401ccdcd41f8a5c1e2c87078706"}, - {file = "charset_normalizer-3.2.0-cp38-cp38-win_amd64.whl", hash = "sha256:8b2c760cfc7042b27ebdb4a43a4453bd829a5742503599144d54a032c5dc7e9e"}, - {file = "charset_normalizer-3.2.0-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:855eafa5d5a2034b4621c74925d89c5efef61418570e5ef9b37717d9c796419c"}, - {file = "charset_normalizer-3.2.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:203f0c8871d5a7987be20c72442488a0b8cfd0f43b7973771640fc593f56321f"}, - {file = "charset_normalizer-3.2.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:e857a2232ba53ae940d3456f7533ce6ca98b81917d47adc3c7fd55dad8fab858"}, - {file = "charset_normalizer-3.2.0-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5e86d77b090dbddbe78867a0275cb4df08ea195e660f1f7f13435a4649e954e5"}, - {file = "charset_normalizer-3.2.0-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:c4fb39a81950ec280984b3a44f5bd12819953dc5fa3a7e6fa7a80db5ee853952"}, - {file = "charset_normalizer-3.2.0-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:2dee8e57f052ef5353cf608e0b4c871aee320dd1b87d351c28764fc0ca55f9f4"}, - {file = "charset_normalizer-3.2.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:8700f06d0ce6f128de3ccdbc1acaea1ee264d2caa9ca05daaf492fde7c2a7200"}, - {file = "charset_normalizer-3.2.0-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:1920d4ff15ce893210c1f0c0e9d19bfbecb7983c76b33f046c13a8ffbd570252"}, - {file = "charset_normalizer-3.2.0-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:c1c76a1743432b4b60ab3358c937a3fe1341c828ae6194108a94c69028247f22"}, - {file = "charset_normalizer-3.2.0-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:f7560358a6811e52e9c4d142d497f1a6e10103d3a6881f18d04dbce3729c0e2c"}, - {file = "charset_normalizer-3.2.0-cp39-cp39-musllinux_1_1_ppc64le.whl", hash 
= "sha256:c8063cf17b19661471ecbdb3df1c84f24ad2e389e326ccaf89e3fb2484d8dd7e"}, - {file = "charset_normalizer-3.2.0-cp39-cp39-musllinux_1_1_s390x.whl", hash = "sha256:cd6dbe0238f7743d0efe563ab46294f54f9bc8f4b9bcf57c3c666cc5bc9d1299"}, - {file = "charset_normalizer-3.2.0-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:1249cbbf3d3b04902ff081ffbb33ce3377fa6e4c7356f759f3cd076cc138d020"}, - {file = "charset_normalizer-3.2.0-cp39-cp39-win32.whl", hash = "sha256:6c409c0deba34f147f77efaa67b8e4bb83d2f11c8806405f76397ae5b8c0d1c9"}, - {file = "charset_normalizer-3.2.0-cp39-cp39-win_amd64.whl", hash = "sha256:7095f6fbfaa55defb6b733cfeb14efaae7a29f0b59d8cf213be4e7ca0b857b80"}, - {file = "charset_normalizer-3.2.0-py3-none-any.whl", hash = "sha256:8e098148dd37b4ce3baca71fb394c81dc5d9c7728c95df695d2dca218edf40e6"}, -] - [[package]] name = "exceptiongroup" version = "1.1.2" From f8c978adb75be4e870d2c17555f25d1171c14805 Mon Sep 17 00:00:00 2001 From: Sjoerd Langkemper Date: Tue, 28 Nov 2023 13:32:36 +0100 Subject: [PATCH 04/89] Add list.remove() as instance of modification within loop Removing an item when looping causes the loop to skip over certain items. --- python/lang/correctness/list-modify-iterating.py | 5 +++++ python/lang/correctness/list-modify-iterating.yaml | 4 ++++ 2 files changed, 9 insertions(+) diff --git a/python/lang/correctness/list-modify-iterating.py b/python/lang/correctness/list-modify-iterating.py index 9c1f65af4a..7791c85b05 100644 --- a/python/lang/correctness/list-modify-iterating.py +++ b/python/lang/correctness/list-modify-iterating.py @@ -30,3 +30,8 @@ for i in e: print(i) d.append(i) + +# ruleid:list-modify-while-iterate +for i in e: + if i == 1: + e.remove(i) diff --git a/python/lang/correctness/list-modify-iterating.yaml b/python/lang/correctness/list-modify-iterating.yaml index 2e935e1dc4..33dac7f882 100644 --- a/python/lang/correctness/list-modify-iterating.yaml +++ b/python/lang/correctness/list-modify-iterating.yaml 
@@ -22,6 +22,10 @@ rules: for $ELEMENT in $LIST: ... $LIST.extend(...) + - pattern: | + for $ELEMENT in $LIST: + ... + $LIST.remove(...) metadata: category: correctness technology: From e8228f1aa6ee5e49e6ad622f16cf20063584323d Mon Sep 17 00:00:00 2001 
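Review bot: The added `$LIST.remove(...)` pattern also fires on the common and safe idiom where the removal is immediately followed by `break` or `return`, because the `...` admits any statements before the call and nothing excludes a loop exit right after it; guarding the new pattern with a `pattern-not` for `$LIST.remove(...)` followed by `break` (and the `return` variant) keeps the rule on the real skip-an-element bug it describes. The test hunk in list-modify-iterating.py only adds the positive case, so an `# ok:` fixture with remove-then-break belongs next to it. `$LIST.pop(...)` and `del $LIST[...]` shift the remaining elements in the same way and may warrant the same pattern if the part of the rule outside this hunk does not already cover them.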
From: "Pieter De Cremer (Semgrep)" Date: Thu, 11 Jan 2024 09:22:09 +0100 Subject: [PATCH 05/89] Add fixes to python cryptography rules (#3267) * Add fixes to python cryptography rules * Move rule test syntax to reflect focus metavariable changes * update mode recommendation to GCM * update fixtest to reflect changes to fix --- .../insecure-cipher-algorithms-arc4.fixed.py | 17 ++++++++++ .../insecure-cipher-algorithms-arc4.yaml | 12 ++++++++++- ...secure-cipher-algorithms-blowfish.fixed.py | 18 ++++++++++ .../insecure-cipher-algorithms-blowfish.yaml | 11 ++++++- .../insecure-cipher-algorithms.fixed.py | 17 ++++++++++ .../security/insecure-cipher-algorithms.yaml | 11 ++++++- .../insecure-cipher-mode-ecb.fixed.py | 17 ++++++++++ .../security/insecure-cipher-mode-ecb.yaml | 5 +-- .../insecure-hash-algorithms-md5.fixed.py | 10 ++++++ .../insecure-hash-algorithms-md5.yaml | 8 ++++- .../insufficient-dsa-key-size.fixed.py | 18 ++++++++++ .../security/insufficient-dsa-key-size.yaml | 3 ++ .../insufficient-rsa-key-size.fixed.py | 33 +++++++++++++++++++ .../security/insufficient-rsa-key-size.py | 12 +++---- .../security/insufficient-rsa-key-size.yaml | 3 ++ 15 files changed, 183 insertions(+), 12 deletions(-) create mode 100644 python/cryptography/security/insecure-cipher-algorithms-arc4.fixed.py create mode 100644 python/cryptography/security/insecure-cipher-algorithms-blowfish.fixed.py create mode 100644 python/cryptography/security/insecure-cipher-algorithms.fixed.py create mode 100644 python/cryptography/security/insecure-cipher-mode-ecb.fixed.py create mode 100644 python/cryptography/security/insecure-hash-algorithms-md5.fixed.py create mode 100644 python/cryptography/security/insufficient-dsa-key-size.fixed.py create mode 100644 python/cryptography/security/insufficient-rsa-key-size.fixed.py 
diff --git a/python/cryptography/security/insecure-cipher-algorithms-arc4.fixed.py b/python/cryptography/security/insecure-cipher-algorithms-arc4.fixed.py
new file mode 100644
index 0000000000..063ca70214
--- /dev/null
+++ b/python/cryptography/security/insecure-cipher-algorithms-arc4.fixed.py
@@ -0,0 +1,17 @@
+# cf. https://github.com/PyCQA/bandit/blob/b78c938c0bd03d201932570f5e054261e10c5750/examples/ciphers.py
+
+from cryptography.hazmat.primitives.ciphers import Cipher
+from cryptography.hazmat.primitives.ciphers import algorithms
+from cryptography.hazmat.primitives.ciphers import modes
+from cryptography.hazmat.backends import default_backend
+from struct import pack
+
+# ruleid:insecure-cipher-algorithm-arc4
+cipher = Cipher(algorithms.AES(key), mode=None, backend=default_backend())
+encryptor = cipher.encryptor()
+ct = encryptor.update(b"a secret message")
+
+# ok:insecure-cipher-algorithm-arc4
+cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
+encryptor = cipher.encryptor()
+ct = encryptor.update(b"a secret message") + encryptor.finalize()
diff --git a/python/cryptography/security/insecure-cipher-algorithms-arc4.yaml b/python/cryptography/security/insecure-cipher-algorithms-arc4.yaml
index a914878d06..d144ff1d60 100644
--- a/python/cryptography/security/insecure-cipher-algorithms-arc4.yaml
+++ b/python/cryptography/security/insecure-cipher-algorithms-arc4.yaml
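Review bot: The `# ruleid:` fixture on the new side shows the autofixed output as `Cipher(algorithms.AES(key), mode=None, backend=default_backend())`, which is not usable code: AES is a block cipher and, to my knowledge, `cryptography` refuses a block-cipher algorithm paired with `mode=None` once the encryptor is created, whereas `mode=None` is the normal call for the ARC4 stream cipher. The fixtest passes because it compares text only, so the fixture documents a fix that turns running code into a runtime error; the same output appears in insecure-cipher-algorithms-blowfish.fixed.py and insecure-cipher-algorithms.fixed.py. A comment above the case, e.g. `# NOTE: the autofix only swaps the algorithm name; the caller still has to supply a mode and an AES-sized key`, would make that limitation visible to whoever reads the fixture. `from struct import pack` is unused in the new file and can go.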
@@ -1,10 +1,12 @@ rules: - id: insecure-cipher-algorithm-arc4 - pattern: cryptography.hazmat.primitives.ciphers.algorithms.ARC4(...) message: >- ARC4 (Alleged RC4) is a stream cipher with serious weaknesses in its initial stream output. Its use is strongly discouraged. ARC4 does not use mode constructions. Use a strong symmetric cipher such as EAS instead. + With the `cryptography` package it is recommended to use the `Fernet` which is a secure implementation + of AES in CBC mode with a 128-bit key. + Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead. metadata: source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L98 cwe: @@ -28,3 +30,11 @@ rules: severity: WARNING languages: - python + patterns: + - pattern: cryptography.hazmat.primitives.ciphers.algorithms.$ARC4($KEY) + - pattern-inside: cryptography.hazmat.primitives.ciphers.Cipher(...) + - metavariable-regex: + metavariable: $ARC4 + regex: ^(ARC4)$ + - focus-metavariable: $ARC4 + fix: AES diff --git a/python/cryptography/security/insecure-cipher-algorithms-blowfish.fixed.py b/python/cryptography/security/insecure-cipher-algorithms-blowfish.fixed.py new file mode 100644 index 0000000000..edb9fd8ad6 --- /dev/null +++ b/python/cryptography/security/insecure-cipher-algorithms-blowfish.fixed.py 
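Review bot: `fix: AES` replaces only the algorithm name, but the message itself says ARC4 does not use a mode, so every real ARC4 call site is `Cipher(ARC4(key), mode=None)` and the rewritten call still has no mode; AES also requires a 128/192/256-bit key while ARC4 and Blowfish accept other lengths, so the fix can fail on the key as well. A sentence in the message, e.g. `The autofix only swaps the algorithm; you must also choose a mode (for example GCM with a unique nonce) and use an AES-sized key.`, would make the fix honest, and the same applies to the Blowfish and IDEA rule hunks below. The `pattern-inside: cryptography.hazmat.primitives.ciphers.Cipher(...)` added here means an ARC4 object constructed outside the `Cipher(...)` call and passed in later is no longer reported, which the removed `ARC4(...)` pattern did catch, and neither the Blowfish nor the IDEA rule carries that restriction; if it is intentional, a short comment on that line would help. The Fernet description omits what makes it secure: Fernet is AES-128-CBC combined with an HMAC-SHA256 tag, i.e. authenticated encryption, and recommending "AES in CBC mode" without naming the authentication invites readers to hand-roll unauthenticated CBC.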
@@ -0,0 +1,18 @@ +# cf. https://github.com/PyCQA/bandit/blob/b78c938c0bd03d201932570f5e054261e10c5750/examples/ciphers.py + +from cryptography.hazmat.primitives.ciphers import Cipher +from cryptography.hazmat.primitives.ciphers import algorithms +from cryptography.hazmat.primitives.ciphers import modes +from cryptography.hazmat.backends import default_backend +from struct import pack + + +# ruleid:insecure-cipher-algorithm-blowfish +cipher = Cipher(algorithms.AES(key), mode=None, backend=default_backend()) +encryptor = cipher.encryptor() +ct = encryptor.update(b"a secret message") + +# ok:insecure-cipher-algorithm-blowfish +cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend()) +encryptor = cipher.encryptor() +ct = encryptor.update(b"a secret message") + encryptor.finalize() diff --git a/python/cryptography/security/insecure-cipher-algorithms-blowfish.yaml b/python/cryptography/security/insecure-cipher-algorithms-blowfish.yaml index 96a16b48a2..2005b698c6 100644 --- a/python/cryptography/security/insecure-cipher-algorithms-blowfish.yaml +++ b/python/cryptography/security/insecure-cipher-algorithms-blowfish.yaml @@ -1,9 +1,11 @@ rules: - id: insecure-cipher-algorithm-blowfish - pattern: cryptography.hazmat.primitives.ciphers.algorithms.Blowfish(...) message: >- Blowfish is a block cipher developed by Bruce Schneier. It is known to be susceptible to attacks when using weak keys. The author has recommended that users of Blowfish move to newer algorithms such as AES. + With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation + of AES in CBC mode with a 128-bit key. + Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead. metadata: source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L98 cwe: 
@@ -28,3 +30,10 @@ rules: severity: WARNING languages: - python + patterns: + - pattern: cryptography.hazmat.primitives.ciphers.algorithms.$BLOWFISH($KEY) + - metavariable-regex: + metavariable: $BLOWFISH + regex: ^(Blowfish)$ + - focus-metavariable: $BLOWFISH + fix: AES diff --git a/python/cryptography/security/insecure-cipher-algorithms.fixed.py b/python/cryptography/security/insecure-cipher-algorithms.fixed.py new file mode 100644 index 0000000000..539c88d319 --- /dev/null +++ b/python/cryptography/security/insecure-cipher-algorithms.fixed.py @@ -0,0 +1,17 @@ +# cf. https://github.com/PyCQA/bandit/blob/b78c938c0bd03d201932570f5e054261e10c5750/examples/ciphers.py + +from cryptography.hazmat.primitives.ciphers import Cipher +from cryptography.hazmat.primitives.ciphers import algorithms +from cryptography.hazmat.primitives.ciphers import modes +from cryptography.hazmat.backends import default_backend +from struct import pack + +# ruleid:insecure-cipher-algorithm-idea +cipher = Cipher(algorithms.AES(key), mode=None, backend=default_backend()) +encryptor = cipher.encryptor() +ct = encryptor.update(b"a secret message") + +# ok:insecure-cipher-algorithm-idea +cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend()) +encryptor = cipher.encryptor() +ct = encryptor.update(b"a secret message") + encryptor.finalize() diff --git a/python/cryptography/security/insecure-cipher-algorithms.yaml b/python/cryptography/security/insecure-cipher-algorithms.yaml index 2748dfc16b..37289904a8 100644 --- a/python/cryptography/security/insecure-cipher-algorithms.yaml +++ b/python/cryptography/security/insecure-cipher-algorithms.yaml 
@@ -1,11 +1,13 @@ rules: - id: insecure-cipher-algorithm-idea - pattern: cryptography.hazmat.primitives.ciphers.algorithms.IDEA(...) message: >- IDEA (International Data Encryption Algorithm) is a block cipher created in 1991. It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys. It is recommended that you do not use this cipher for new applications. Use a strong symmetric cipher such as EAS instead. + With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation + of AES in CBC mode with a 128-bit key. + Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead. metadata: source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L98 cwe: @@ -30,3 +32,10 @@ rules: severity: WARNING languages: - python + patterns: + - pattern: cryptography.hazmat.primitives.ciphers.algorithms.$IDEA($KEY) + - metavariable-regex: + metavariable: $IDEA + regex: ^(IDEA)$ + - focus-metavariable: $IDEA + fix: AES diff --git a/python/cryptography/security/insecure-cipher-mode-ecb.fixed.py b/python/cryptography/security/insecure-cipher-mode-ecb.fixed.py new file mode 100644 index 0000000000..334ca7dbdf --- /dev/null +++ b/python/cryptography/security/insecure-cipher-mode-ecb.fixed.py @@ -0,0 +1,17 @@ +# cf. https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/examples/cipher-modes.py + +from cryptography.hazmat.primitives.ciphers.modes import CBC +from cryptography.hazmat.primitives.ciphers.modes import ECB + + +# Insecure mode +# ruleid: insecure-cipher-mode-ecb +mode = cryptography.hazmat.primitives.ciphers.modes.GCM(iv) + +# Secure cipher and mode +# ok: insecure-cipher-mode-ecb +cipher = AES.new(key, blockalgo.MODE_CTR, iv) + +# Secure mode +# ok: insecure-cipher-mode-ecb +mode = CBC(iv) 
diff --git a/python/cryptography/security/insecure-cipher-mode-ecb.yaml b/python/cryptography/security/insecure-cipher-mode-ecb.yaml index ea4c79c92d..8f48154191 100644 --- a/python/cryptography/security/insecure-cipher-mode-ecb.yaml +++ b/python/cryptography/security/insecure-cipher-mode-ecb.yaml @@ -1,11 +1,10 @@ rules: - id: insecure-cipher-mode-ecb - pattern: cryptography.hazmat.primitives.ciphers.modes.ECB(...) message: >- ECB (Electronic Code Book) is the simplest mode of operation for block ciphers. Each block of data is encrypted in the same way. This means identical plaintext blocks will always result in identical ciphertext blocks, which can leave significant patterns in the output. - Use a different, more secure mode instead. + Use a different, cryptographically strong mode instead, such as GCM. metadata: source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L101 cwe: @@ -30,3 +29,5 @@ rules: severity: WARNING languages: - python + pattern: cryptography.hazmat.primitives.ciphers.modes.ECB($IV) + fix: cryptography.hazmat.primitives.ciphers.modes.GCM($IV) diff --git a/python/cryptography/security/insecure-hash-algorithms-md5.fixed.py b/python/cryptography/security/insecure-hash-algorithms-md5.fixed.py new file mode 100644 index 0000000000..f56a5ebfde --- /dev/null +++ b/python/cryptography/security/insecure-hash-algorithms-md5.fixed.py @@ -0,0 +1,10 @@ +# cf. https://github.com/PyCQA/bandit/blob/b78c938c0bd03d201932570f5e054261e10c5750/examples/crypto-md5.py + +from cryptography.hazmat.primitives import hashes + +# ruleid:insecure-hash-algorithm-md5 +hashes.SHA256() +# ok:insecure-hash-algorithm-md5 +hashes.SHA256() +# ok:insecure-hash-algorithm-md5 +hashes.SHA3_256() diff --git a/python/cryptography/security/insecure-hash-algorithms-md5.yaml b/python/cryptography/security/insecure-hash-algorithms-md5.yaml index 6dccc4f184..b34cf9b516 100644 
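Review bot: `cryptography.hazmat.primitives.ciphers.modes.ECB($IV)` requires exactly one argument, but `modes.ECB()` takes none, so to my knowledge the new pattern will not match real ECB usage and the rule silently stops reporting; the removed `ECB(...)` matched the real call shape. Detection should stay on `pattern: cryptography.hazmat.primitives.ciphers.modes.ECB(...)`, and since a fix cannot synthesize a nonce, `fix: ...GCM($IV)` has nothing to bind `$IV` to for a real `ECB()` call and should be dropped or kept only under a separate `ECB($IV)` sub-pattern. The fixture in insecure-cipher-mode-ecb.fixed.py mirrors the problem, as its `# ruleid:` case implies an `ECB(iv)` input that real code never has. The message's GCM suggestion could add that GCM needs a nonce that is never reused under the same key and that the tag must be verified on decrypt, otherwise the swap trades one misuse for another.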
--- a/python/cryptography/security/insecure-hash-algorithms-md5.yaml +++ b/python/cryptography/security/insecure-hash-algorithms-md5.yaml @@ -1,6 +1,5 @@ rules: - id: insecure-hash-algorithm-md5 - pattern: cryptography.hazmat.primitives.hashes.MD5(...) message: >- Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic @@ -32,3 +31,10 @@ rules: severity: WARNING languages: - python + patterns: + - pattern: cryptography.hazmat.primitives.hashes.$MD5() + - metavariable-regex: + metavariable: $MD5 + regex: ^(MD5)$ + - focus-metavariable: $MD5 + fix: SHA256 diff --git a/python/cryptography/security/insufficient-dsa-key-size.fixed.py b/python/cryptography/security/insufficient-dsa-key-size.fixed.py new file mode 100644 index 0000000000..ef412c935a --- /dev/null +++ b/python/cryptography/security/insufficient-dsa-key-size.fixed.py @@ -0,0 +1,18 @@ +from cryptography.hazmat import backends +from cryptography.hazmat.primitives.asymmetric import dsa + +# ok: insufficient-dsa-key-size +dsa.generate_private_key(key_size=2048, + backend=backends.default_backend()) + +# ok: insufficient-dsa-key-size +dsa.generate_private_key(2048, + backend=backends.default_backend()) + +# ruleid: insufficient-dsa-key-size +dsa.generate_private_key(key_size=2048, + backend=backends.default_backend()) + +# ruleid: insufficient-dsa-key-size +dsa.generate_private_key(2048, + backend=backends.default_backend()) diff --git a/python/cryptography/security/insufficient-dsa-key-size.yaml b/python/cryptography/security/insufficient-dsa-key-size.yaml index cf5ab0bb9b..6976642173 100644 --- a/python/cryptography/security/insufficient-dsa-key-size.yaml +++ b/python/cryptography/security/insufficient-dsa-key-size.yaml 
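Review bot: `fix: SHA256` on `hashes.$MD5()` changes the digest length from 16 to 32 bytes, so any code that stores, truncates, or compares the digest against values produced elsewhere (database columns, legacy checksums, interop with another system) breaks after the autofix, and the message does not say so. A line such as `The autofix switches to SHA-256, whose digest is 32 bytes; check any code or storage that assumes a 16-byte MD5 digest.` would be enough. The `$MD5` metavariable plus `metavariable-regex: ^(MD5)$` exists only to give `focus-metavariable` something to point at; a one-line comment saying so would stop the next editor from simplifying it back to `hashes.MD5()` and losing the fix.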
@@ -8,6 +8,9 @@ rules: - metavariable-comparison: metavariable: $SIZE comparison: $SIZE < 2048 + - focus-metavariable: $SIZE + fix: | + 2048 message: >- Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher. diff --git a/python/cryptography/security/insufficient-rsa-key-size.fixed.py b/python/cryptography/security/insufficient-rsa-key-size.fixed.py new file mode 100644 index 0000000000..22cb4a0437 --- /dev/null +++ b/python/cryptography/security/insufficient-rsa-key-size.fixed.py @@ -0,0 +1,33 @@ +import os +from cryptography.hazmat import backends +from cryptography.hazmat.primitives.asymmetric import rsa + +rsa.generate_private_key(public_exponent=65537, +# ok: insufficient-rsa-key-size + key_size=2048, + backend=backends.default_backend()) + +rsa.generate_private_key(65537, +# ok: insufficient-rsa-key-size + 2048, + backends.default_backend()) + +rsa.generate_private_key(public_exponent=65537, +# ok: insufficient-rsa-key-size + key_size=os.getenv("KEY_SIZE"), + backend=backends.default_backend()) + +rsa.generate_private_key(65537, +# ok: insufficient-rsa-key-size + 2048, + backends.default_backend()) + +rsa.generate_private_key(public_exponent=65537, +# ruleid: insufficient-rsa-key-size + key_size=2048, + backend=backends.default_backend()) + +rsa.generate_private_key(65537, +# ruleid: insufficient-rsa-key-size + 2048, + backends.default_backend()) diff --git a/python/cryptography/security/insufficient-rsa-key-size.py b/python/cryptography/security/insufficient-rsa-key-size.py index cbd5378f32..8f1f45b298 100644 --- a/python/cryptography/security/insufficient-rsa-key-size.py +++ b/python/cryptography/security/insufficient-rsa-key-size.py 
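Review bot: `fix: |` followed by `2048` is a YAML literal block scalar, which keeps one trailing newline, so the replacement text for `$SIZE` is `2048\n` rather than `2048`; unless semgrep trims fix text, this injects a line break into the argument list of `generate_private_key`. A plain scalar, `fix: "2048"`, or the strip-chomping form `fix: |-` avoids the question. The rsa rule hunk below uses the same form, with an extra space before the colon (`fix : |`) that is inconsistent with this file, so both should be changed together.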
@@ -2,32 +2,32 @@ from cryptography.hazmat import backends from cryptography.hazmat.primitives.asymmetric import rsa -# ok: insufficient-rsa-key-size rsa.generate_private_key(public_exponent=65537, +# ok: insufficient-rsa-key-size key_size=2048, backend=backends.default_backend()) -# ok: insufficient-rsa-key-size rsa.generate_private_key(65537, +# ok: insufficient-rsa-key-size 2048, backends.default_backend()) -# ok: insufficient-rsa-key-size rsa.generate_private_key(public_exponent=65537, +# ok: insufficient-rsa-key-size key_size=os.getenv("KEY_SIZE"), backend=backends.default_backend()) -# ok: insufficient-rsa-key-size rsa.generate_private_key(65537, +# ok: insufficient-rsa-key-size 2048, backends.default_backend()) -# ruleid: insufficient-rsa-key-size rsa.generate_private_key(public_exponent=65537, +# ruleid: insufficient-rsa-key-size key_size=1024, backend=backends.default_backend()) -# ruleid: insufficient-rsa-key-size rsa.generate_private_key(65537, +# ruleid: insufficient-rsa-key-size 1024, backends.default_backend()) diff --git a/python/cryptography/security/insufficient-rsa-key-size.yaml b/python/cryptography/security/insufficient-rsa-key-size.yaml index a2898d3623..1ec1dcd035 100644 --- a/python/cryptography/security/insufficient-rsa-key-size.yaml +++ b/python/cryptography/security/insufficient-rsa-key-size.yaml @@ -8,6 +8,9 @@ rules: - metavariable-comparison: metavariable: $SIZE comparison: $SIZE < 2048 + - focus-metavariable: $SIZE + fix : | + 2048 message: >- Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher. From d9fe6c66de9a1e2cd8515b66b80eb64e31d12d31 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 12 Jan 2024 08:36:33 +0100 Subject: [PATCH 06/89] Bump jinja2 from 2.11.3 to 3.1.3 (#3271) Bumps [jinja2](https://github.com/pallets/jinja) from 2.11.3 to 3.1.3. - [Release notes](https://github.com/pallets/jinja/releases) - [Changelog](https://github.com/pallets/jinja/blob/main/CHANGES.rst) - [Commits](https://github.com/pallets/jinja/compare/2.11.3...3.1.3) --- updated-dependencies: - dependency-name: jinja2 dependency-type: direct:development ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Pipfile | 2 +- Pipfile.lock | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Pipfile b/Pipfile index 67ac5b0669..a7a292cc8c 100644 --- a/Pipfile +++ b/Pipfile @@ -4,7 +4,7 @@ url = "https://pypi.org/simple" verify_ssl = true [dev-packages] -jinja2 = "~=2.11.3" +jinja2 = "~=3.1.3" pytest = "*" semgrep = "*" pyyaml = "*" diff --git a/Pipfile.lock b/Pipfile.lock index f486329a09..2e87da7092 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "40d5608e6fdc1066084f413eb1f976c2fd5ea39fd0c78aa7a01ae120c11a614b" + "sha256": "762f3c7cbb0a3ecd999e7b644a02421c6132ab10439b5eb9a2531519c86351b9" }, "pipfile-spec": 6, "requires": { @@ -433,12 +433,12 @@ }, "jinja2": { "hashes": [ - "sha256:03e47ad063331dd6a3f04a43eddca8a966a26ba0c5b7207a9a9e4e08f1b29419", - "sha256:a6d58433de0ae800347cab1fa3043cebbabe8baa9d29e668f1c768cb87a333c6" + "sha256:7d6d50dd97d52cbc355597bd845fabfbac3f551e1f99619e39a35ce8c370b5fa", + "sha256:ac8bd6544d4bb2c9792bf3a159e80bba8fda7f07e81bc3aed565432d5925ba90" ], "index": "pypi", - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", - "version": "==2.11.3" + "markers": "python_version >= '3.7'", + "version": "==3.1.3" }, "jsonschema": { "hashes": [ 
From 0c04c57ee0294e12a887569e4858b28d99f8085f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 12 Jan 2024 07:46:43 +0000 Subject: [PATCH 07/89] Bump tj-actions/changed-files from 23.1 to 41 in /.github/workflows (#3256) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 23.1 to 41. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/v23.1...v41) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Pieter De Cremer (Semgrep) --- .github/workflows/semgrep-rules-test-historical.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/semgrep-rules-test-historical.yml b/.github/workflows/semgrep-rules-test-historical.yml index a0dda1d676..2c8d9faf5b 100644 --- a/.github/workflows/semgrep-rules-test-historical.yml +++ b/.github/workflows/semgrep-rules-test-historical.yml @@ -22,7 +22,7 @@ jobs: python-version: 3.9.2 - name: Get changed files id: changed-files - uses: tj-actions/changed-files@v23.1 + uses: tj-actions/changed-files@v41 with: path: semgrep-rules separator: "," From 79c03a0b0bfe2686d857f2e49f5cf88e2098e2dd Mon Sep 17 00:00:00 2001 
From: Sjoerd Langkemper Date: Fri, 12 Jan 2024 10:26:47 +0100 Subject: [PATCH 08/89] Create rule for A fairly common mistake, possibly by a mass replacement of "http" by "https" throughout the source code. --- html/correctness/https-equiv.html | 28 ++++++++++++++++++++++++++++ html/correctness/https-equiv.yaml | 17 +++++++++++++++++ 2 files changed, 45 insertions(+) create mode 100644 html/correctness/https-equiv.html create mode 100644 html/correctness/https-equiv.yaml diff --git a/html/correctness/https-equiv.html b/html/correctness/https-equiv.html new file mode 100644 index 0000000000..2662ca5a4a --- /dev/null +++ b/html/correctness/https-equiv.html @@ -0,0 +1,28 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + https-equiv test + + diff --git a/html/correctness/https-equiv.yaml b/html/correctness/https-equiv.yaml new file mode 100644 index 0000000000..4f3a844e2e --- /dev/null +++ b/html/correctness/https-equiv.yaml @@ -0,0 +1,17 @@ +rules: + - id: https-equiv + metadata: + category: correctness + technology: + - html + references: + - https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meta#http-equiv + message: > + The correct attribute name for this meta tag is `http-equiv`, not `https-equiv`. + severity: ERROR + languages: [html] + pattern-either: + - pattern: + fix-regex: + regex: 'https-equiv=' + replacement: 'http-equiv=' From 95d0f0e228efb9f5a2ef451b1efd2f4e293cfd1f Mon Sep 17 00:00:00 2001 From: Alex Useche Date: Fri, 12 Jan 2024 15:43:44 -0800 Subject: [PATCH 09/89] separate open redirect from tainted-url-host --- go/lang/security/injection/open-redirect.go | 48 +++++++++++++++ go/lang/security/injection/open-redirect.yaml | 60 +++++++++++++++++++ 2 files changed, 108 insertions(+) create mode 100644 go/lang/security/injection/open-redirect.go create mode 100644 go/lang/security/injection/open-redirect.yaml 
diff --git a/go/lang/security/injection/open-redirect.go b/go/lang/security/injection/open-redirect.go new file mode 100644 index 0000000000..869099d7f3 --- /dev/null +++ b/go/lang/security/injection/open-redirect.go @@ -0,0 +1,48 @@ +package main + +import ( + "fmt" + "net/http" + "strings" +) + +func newRedirectServerFmt(addr string, rootPath string) *http.Server { + return &http.Server{ + Addr: addr, + Handler: http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { + target := fmt.Sprintf("https://%s/path/to/%s", req.Host, req.URL.Path) + if rootPath != "" { + target += "/" + strings.TrimRight(strings.TrimLeft(rootPath, "/"), "/") + } + target += req.URL.Path + if len(req.URL.RawQuery) > 0 { + target += "?" + req.URL.RawQuery + } + // ruleid: open-redirect + http.Redirect(w, req, target, http.StatusTemporaryRedirect) + }), + } +} + +func newRedirectServerAdd(addr string, rootPath string) *http.Server { + return &http.Server{ + Addr: addr, + Handler: http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { + target := "https://" + req.Host + "/path/to/" + req.URL.Path + if rootPath != "" { + target += "/" + strings.TrimRight(strings.TrimLeft(rootPath, "/"), "/") + } + target += req.URL.Path + if len(req.URL.RawQuery) > 0 { + target += "?" + req.URL.RawQuery + } + // ruleid: open-redirect + http.Redirect(w, req, target, http.StatusTemporaryRedirect) + }), + } +} + +func main() { + newRedirectServerAdd("127.0.0.1:8080", "/test") + newRedirectServerFmt("127.0.0.1:8080", "/test") +} diff --git a/go/lang/security/injection/open-redirect.yaml b/go/lang/security/injection/open-redirect.yaml new file mode 100644 index 0000000000..5d2f14b2ef --- /dev/null +++ b/go/lang/security/injection/open-redirect.yaml 
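Review bot: Every case in the new fixture is a `ruleid:`; there is no `ok: open-redirect` case, so the CLEAN label and the `requires: INPUT and not CLEAN` sink condition in the companion YAML are never exercised by the test. Add one handler that redirects to a fixed host with only the path taken from the request, e.g. `// ok: open-redirect` above `http.Redirect(w, req, "https://example.com/"+req.URL.Path, http.StatusTemporaryRedirect)`. Both handlers also append `req.URL.Path` twice (once inside the format string or concatenation and again via `target += req.URL.Path`), which is harmless for the test but confusing as an example.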
@@ -0,0 +1,60 @@ +rules: + - id: open-redirect + languages: [ go ] + severity: WARNING + message: An HTTP redirect was found to be crafted from user-input `$REQUEST`. + This can lead to open redirect vulnerabilities, potentially allowing attackers + to redirect users to malicious web sites. It is recommend where possible to + not allow user-input to craft the redirect URL. When user-input is necessary + to craft the request, it is recommended to follow OWASP best practices to + restrict the URL to domains in an allowlist. + options: + interfile: true + metadata: + cwe: + - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')" + references: + - https://knowledge-base.secureflag.com/vulnerabilities/unvalidated_redirects___forwards/open_redirect_go_lang.html + category: security + technology: + - go + confidence: HIGH + description: "An HTTP redirect was found to be crafted from user-input leading to an open redirect vulnerability" + subcategory: + - vuln + impact: LOW + likelihood: LOW + interfile: true + vulnerability_class: + - URL Redirection to Untrusted Site ('Open Redirect') + mode: taint + pattern-sources: + - label: INPUT + patterns: + - pattern-either: + - pattern: | + ($REQUEST : *http.Request).$ANYTHING + - pattern: | + ($REQUEST : http.Request).$ANYTHING + - metavariable-regex: + metavariable: $ANYTHING + regex: ^(BasicAuth|Body|Cookie|Cookies|Form|FormValue|GetBody|Host|MultipartReader|ParseForm|ParseMultipartForm|PostForm|PostFormValue|Referer|RequestURI|Trailer|TransferEncoding|UserAgent|URL)$ + - label: CLEAN + requires: INPUT + patterns: + - pattern-either: + - pattern: | + "$URLSTR" + $INPUT + - patterns: + - pattern-either: + - pattern: fmt.Fprintf($F, "$URLSTR", $INPUT, ...) + - pattern: fmt.Sprintf("$URLSTR", $INPUT, ...) + - pattern: fmt.Printf("$URLSTR", $INPUT, ...) 
+ - metavariable-regex: + metavariable: $URLSTR + regex: .*//[a-zA-Z0-10]+\..* + pattern-sinks: + - requires: INPUT and not CLEAN + patterns: + - pattern: http.Redirect($W, $REQ, $URL, ...) + - focus-metavariable: $URL From 4fd19a018a613ce14fd5da0dcb4020037c6a9f7d Mon Sep 17 00:00:00 2001 From: Claudio Date: Tue, 16 Jan 2024 12:09:16 +0100 Subject: [PATCH 10/89] Remove redundant terraform rule --- .../lang/security/ebs-unencrypted-volume.tf | 9 ------ .../lang/security/ebs-unencrypted-volume.yaml | 30 ------------------- 2 files changed, 39 deletions(-) delete mode 100644 terraform/lang/security/ebs-unencrypted-volume.tf delete mode 100644 terraform/lang/security/ebs-unencrypted-volume.yaml diff --git a/terraform/lang/security/ebs-unencrypted-volume.tf b/terraform/lang/security/ebs-unencrypted-volume.tf deleted file mode 100644 index 5de0b8e139..0000000000 --- a/terraform/lang/security/ebs-unencrypted-volume.tf +++ /dev/null @@ -1,9 +0,0 @@ -# ruleid: unencrypted-ebs-volume -resource "aws_ebs_volume" "web_host_storage" { - availability_zone = "ap-southeast-2" - encrypted = false - size = 1 - tags = { - Name = "abcd-ebs" - } -} diff --git a/terraform/lang/security/ebs-unencrypted-volume.yaml b/terraform/lang/security/ebs-unencrypted-volume.yaml deleted file mode 100644 index 1b1c3b841f..0000000000 --- a/terraform/lang/security/ebs-unencrypted-volume.yaml +++ /dev/null 
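Review bot: The CLEAN label's `regex: .*//[a-zA-Z0-10]+\..*` does not do what it intends: inside a character class `0-10` is the range `0-1` plus a literal `0`, so a host label containing any digit from 2 to 9, or a hyphen, is never recognised, and a redirect built from a fixed host such as `https://host2.example.com/` stays tainted and is reported. Use `regex: .*//[a-zA-Z0-9-]+\..*`. Separately, `fmt.Fprintf` returns `(int, error)`, so the `fmt.Fprintf($F, "$URLSTR", $INPUT, ...)` alternative can never produce the URL passed to `http.Redirect`; it looks carried over from `tainted-url-host` and is dead here.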
@@ -1,30 +0,0 @@ -rules: -- id: unencrypted-ebs-volume - languages: - - hcl - message: >- - An EBS volume is configured without encryption enabled. - patterns: - - pattern: resource - - pattern-not-inside: | - resource "aws_ebs_volume" "..." {... encrypted=true ...} - - pattern-inside: | - resource "aws_ebs_volume" "..." {...} - severity: WARNING - metadata: - cwe: - - 'CWE-311: Missing Encryption of Sensitive Data' - category: security - technology: - - terraform - - aws - owasp: - - A03:2017 - Sensitive Data Exposure - - A04:2021 - Insecure Design - references: - - https://owasp.org/Top10/A04_2021-Insecure_Design - subcategory: - - vuln - likelihood: LOW - impact: MEDIUM - confidence: MEDIUM From a796055ea9846ee707d5278eb9b68d3dcaa0614e Mon Sep 17 00:00:00 2001 From: Claudio Date: Tue, 16 Jan 2024 12:17:23 +0100 Subject: [PATCH 11/89] Update message for AWS account id detection --- generic/secrets/security/detected-aws-account-id.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/generic/secrets/security/detected-aws-account-id.yaml b/generic/secrets/security/detected-aws-account-id.yaml index 70f1697056..790446e0be 100644 --- a/generic/secrets/security/detected-aws-account-id.yaml +++ b/generic/secrets/security/detected-aws-account-id.yaml @@ -31,8 +31,9 @@ rules: regex: (AWS|aws|Aws)?_?(ACCOUNT|account|Account)_?(ID|id|Id)?("|')? languages: - generic - message: AWS Account ID detected. This is a sensitive credential and should not - be hardcoded here. Instead, read the value from an environment variable or + message: AWS Account ID detected. While not considered sensitive information, it is important + to use them and share them carefully. For that reason it would be preferrable avoiding to + hardcoded it here. Instead, read the value from an environment variable or keep the value in a separate, private file. severity: ERROR metadata: From f6506ec30a1ec370bc0f7184af1f516e46cbecec Mon Sep 17 00:00:00 2001 
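Review bot: The rewritten message in the `+` lines has wording errors: `preferrable` should be `preferable`, and `avoiding to hardcoded it here` should be `to avoid hardcoding it here`; a possible form of the middle line is `to handle and share them carefully. For that reason it is preferable to avoid`. The message now says the ID is not considered sensitive, while the unchanged context line keeps `severity: ERROR`; either lower the severity to match the softened message or keep the stronger wording, but the two should agree.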
From: Alexis Grant Date: Tue, 16 Jan 2024 08:30:03 -0800 Subject: [PATCH 12/89] Update message to match version formats in rule --- terraform/aws/security/aws-cloudfront-insecure-tls.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/aws/security/aws-cloudfront-insecure-tls.yaml b/terraform/aws/security/aws-cloudfront-insecure-tls.yaml index 5cd425fdb4..f544171c10 100644 --- a/terraform/aws/security/aws-cloudfront-insecure-tls.yaml +++ b/terraform/aws/security/aws-cloudfront-insecure-tls.yaml @@ -43,7 +43,7 @@ rules: Detected an AWS CloudFront Distribution with an insecure TLS version. TLS versions less than 1.2 are considered insecure because they can be broken. To fix this, set your `minimum_protocol_version` to - `"TLS1.2_2018", "TLS1.2_2019" or "TLS1.2_2021"`. + `"TLSv1.2_2018", "TLSv1.2_2019" or "TLSv1.2_2021"`. metadata: category: security technology: From 1edd18bbc2bd970b16a47ecac0d85a8201d3cf40 Mon Sep 17 00:00:00 2001 From: LewisArdern Date: Tue, 16 Jan 2024 10:19:54 -0800 Subject: [PATCH 13/89] Improve check-render rule --- .../brakeman/check-render-local-file-include.rb | 4 ++++ .../brakeman/check-render-local-file-include.yaml | 11 ++++++----- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/ruby/rails/security/brakeman/check-render-local-file-include.rb b/ruby/rails/security/brakeman/check-render-local-file-include.rb index 9caef67b63..8000ee6438 100644 --- a/ruby/rails/security/brakeman/check-render-local-file-include.rb +++ b/ruby/rails/security/brakeman/check-render-local-file-include.rb @@ -55,3 +55,7 @@ def test_param_ok + def test_render_static_template_name + # ok: check-render-local-file-include + render :update, locals: { username: params[:username] } + end \ No newline at end of file diff --git a/ruby/rails/security/brakeman/check-render-local-file-include.yaml b/ruby/rails/security/brakeman/check-render-local-file-include.yaml index 6d18459c4f..f817ca87e4 100644 
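Review bot: The added `test_render_static_template_name` is appended without a trailing newline (the hunk ends with `\ No newline at end of file`); add the newline so the next append to this fixture does not produce a noisy diff. The `ok:` case itself is useful: it pins that a tainted value in `locals:` is not a sink once `focus-metavariable: $X` limits the match to the template argument, which is what the companion YAML hunk changes.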
--- a/ruby/rails/security/brakeman/check-render-local-file-include.yaml +++ b/ruby/rails/security/brakeman/check-render-local-file-include.yaml @@ -8,15 +8,16 @@ rules: - patterns: - pattern-either: - pattern: | - render ..., file: ... + render ..., file: $X - pattern: | - render ..., inline: ... + render ..., inline: $X - pattern: | - render ..., template: ... + render ..., template: $X - pattern: | - render ..., action: ... + render ..., action: $X - pattern: | - render $FILE, ... + render $X, ... + - focus-metavariable: $X pattern-sanitizers: - patterns: - pattern: $MAP[...] From 3c4de50d8f4b1257bfd7427a4a212d19e9020742 Mon Sep 17 00:00:00 2001 From: Alex Useche Date: Tue, 16 Jan 2024 11:30:56 -0800 Subject: [PATCH 14/89] initial updates --- .../audit/database/string-formatted-query.go | 63 ++++++-- .../database/string-formatted-query.yaml | 138 ++++++++++-------- 2 files changed, 133 insertions(+), 68 deletions(-) diff --git a/go/lang/security/audit/database/string-formatted-query.go b/go/lang/security/audit/database/string-formatted-query.go index bf41ed18ce..2c55413478 100644 --- a/go/lang/security/audit/database/string-formatted-query.go +++ b/go/lang/security/audit/database/string-formatted-query.go @@ -57,6 +57,24 @@ func dbQuery3(r *http.Request, username string) { } } +func dbQuery4(r *http.Request, username string) { + // ruleid: string-formatted-query + query := fmt.Sprintf("%s AND INSERT into users (username, password)", username) + _, err = db.Exec(query) + if err != nil { + http.Error("mistake") + } +} + +func dbQuery5(r *http.Request, username string, password string) { + // ruleid: string-formatted-query + query := fmt.Sprintf("INSERT into users (username, password) VALUES(%s, %s)", username, password) + _, err = db.QueryRow(query) + if err != nil { + http.Error("mistake") + } +} + func okDbQuery1(r *http.Request) { // ok: string-formatted-query _, err = db.Exec("INSERT into users (username, password) VALUES(" + "username" + ", " + "smth)") 
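Review bot: In the new `dbQuery5`, `_, err = db.QueryRow(query)` destructures a single return value — `(*sql.DB).QueryRow` returns only `*sql.Row` — and both new functions call `http.Error("mistake")` with one argument; the fixture is evidently not compiled, but keeping it valid Go (`row := db.QueryRow(query)` for the first) avoids a future compile-checked harness rejecting the whole file. The neighbouring functions outside this hunk appear to share the `http.Error("mistake")` shape, so that part may be a file-wide convention rather than something to fix here.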
@@ -110,9 +128,9 @@ func dbQueryRowContext(r *http.Request) { func dbExecFmt(r *http.Request) { customerId := r.URL.Query().Get("id") - // ruleid: string-formatted-query query := "SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s" - query = fmt.Printf(query, customerId) + // ruleid: string-formatted-query + query = fmt.Printf(query, customerId) row, _ := db.Exec(query) } 
@@ -136,31 +154,49 @@ func dbQueryFmt(r *http.Request) { row, _ := db.Query(query) } -func dbQueryContextFmt(r *http.Request) { +func dbQueryContextFmtReassign(r *http.Request) { ctx := context.Background() customerId := r.URL.Query().Get("id") - // ruleid: string-formatted-query query := "SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s" - query = fmt.Printf(query, customerId) + // ruleid: string-formatted-query + query = fmt.Printf(query, customerId) row, _ := db.QueryContext(ctx, query) } -func dbQueryRowFmt(r *http.Request) { + +func dbQueryContextFmt(r *http.Request) { + ctx := context.Background() customerId := r.URL.Query().Get("id") // ruleid: string-formatted-query + query := fmt.Sprintf("SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s", customerId) + row, _ := db.QueryContext(ctx, query) +} + +func dbQueryRowFmt(r *http.Request) { + customerId := r.URL.Query().Get("id") query := "SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s" - query = fmt.Printf(query, customerId) + // ruleid: string-formatted-query + query = fmt.Printf(query, customerId) row, _ := db.QueryRow(query) } +func dbQueryRowContextReassign(r *http.Request) { + ctx := context.Background() + customerId := r.URL.Query().Get("id") + query := "SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s" + // ruleid: string-formatted-query + query = fmt.Printf(query, customerId) + + row, _ := db.QueryRowContext(ctx, query) +} + func dbQueryRowContextFmt(r *http.Request) { ctx := context.Background() customerId := r.URL.Query().Get("id") // ruleid: string-formatted-query - query := "SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s" - query = fmt.Printf(query, customerId) + query := fmt.Sprintf("SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s", customerId) row, _ := db.QueryRowContext(ctx, query) } 
@@ -200,6 +236,15 @@ func postgresBadDirectQueryFmt(r *http.Request) { row, _ := postgresDb.QueryRow(ctx, fmt.Printf("SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s", customerId)) } +func postgresQueryFmt(r *http.Request) { + ctx := context.Background() + customerId := r.URL.Query().Get("id") + // ruleid: string-formatted-query + query := fmt.Sprintf("SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s", customerId) + + row, _ := postgresDb.QueryRow(ctx, query) +} + package main import ( diff --git a/go/lang/security/audit/database/string-formatted-query.yaml b/go/lang/security/audit/database/string-formatted-query.yaml index 91864da625..27c2794049 100644 --- a/go/lang/security/audit/database/string-formatted-query.yaml +++ b/go/lang/security/audit/database/string-formatted-query.yaml @@ -55,12 +55,12 @@ rules: - pattern: $OBJ.QueryRow(fmt.$P("...", ...)) - pattern: $OBJ.QueryRow($CTX, fmt.$P("...", ...)) - pattern: $OBJ.QueryRowContext($CTX, fmt.$P("...", ...)) - - pattern: | - $QUERY = "..." - ... - $QUERY = $FXN(..., $QUERY, ...) - ... - $OBJ.Exec($QUERY, ...) + # - pattern: | + # $QUERY = "..." + # ... + # $QUERY = $FXN(..., $QUERY, ...) + # ... + # $OBJ.Exec($QUERY, ...) - pattern: | $QUERY = "..." ... 
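Review bot: The five `pattern` entries in this hunk are commented out with `#` rather than removed, and the following two hunks of the same file do the same for another ten, leaving some sixty lines of dead YAML inside the rule; the next commit in the series then un-comments two of them, which suggests the pattern set is still being worked out. Once it is settled, delete the dead entries — git history keeps them — or, if they are kept on purpose, put one comment above the block saying why, e.g. `# superseded by the $QUERY = $X + ... and fmt.$F("...", ...) forms below`.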
@@ -73,36 +73,36 @@ rules: $QUERY = $FXN(..., $QUERY, ...) ... $OBJ.ExecContext($CTX, $QUERY, ...) - - pattern: | - $QUERY = "..." - ... - $QUERY = $FXN(..., $QUERY, ...) - ... - $OBJ.QueryContext($CTX, $QUERY, ...) - - pattern: | - $QUERY = "..." - ... - $QUERY = $FXN(..., $QUERY, ...) - ... - $OBJ.QueryRow($QUERY) - - pattern: | - $QUERY = "..." - ... - $QUERY = $FXN(..., $QUERY, ...) - ... - $OBJ.QueryRow($CTX, $QUERY) - - pattern: | - $QUERY = "..." - ... - $QUERY = $FXN(..., $QUERY, ...) - ... - $OBJ.QueryRowContext($CTX, $QUERY, ...) - - pattern: | - $QUERY = "..." - ... - $OTHER = $FXN(..., $QUERY, ...) - ... - $OBJ.Exec($OTHER, ...) + # - pattern: | + # $QUERY = "..." + # ... + # $QUERY = $FXN(..., $QUERY, ...) + # ... + # $OBJ.QueryContext($CTX, $QUERY, ...) + # - pattern: | + # $QUERY = "..." + # ... + # $QUERY = $FXN(..., $QUERY, ...) + # ... + # $OBJ.QueryRow($QUERY) + # - pattern: | + # $QUERY = "..." + # ... + # $QUERY = $FXN(..., $QUERY, ...) + # ... + # $OBJ.QueryRow($CTX, $QUERY) + # - pattern: | + # $QUERY = "..." + # ... + # $QUERY = $FXN(..., $QUERY, ...) + # ... + # $OBJ.QueryRowContext($CTX, $QUERY, ...) + # - pattern: | + # $QUERY = "..." + # ... + # $OTHER = $FXN(..., $QUERY, ...) + # ... + # $OBJ.Exec($OTHER, ...) - pattern: | $QUERY = "..." ... 
@@ -115,55 +115,75 @@ rules: $OTHER = $FXN(..., $QUERY, ...) ... $OBJ.ExecContext($CTX, $OTHER, ...) + # - pattern: | + # $QUERY = "..." + # ... + # $OTHER = $FXN(..., $QUERY, ...) + # ... + # $OBJ.QueryContext($CTX, $OTHER, ...) + # - pattern: | + # $QUERY = "..." + # ... + # $OTHER = $FXN(..., $QUERY, ...) + # ... + # $OBJ.QueryRow($OTHER) + # - pattern: | + # $QUERY = "..." + # ... + # $OTHER = $FXN(..., $QUERY, ...) + # ... + # $OBJ.QueryRow($CTX, $OTHER) + # - pattern: | + # $QUERY = "..." + # ... + # $OTHER = $FXN(..., $QUERY, ...) + # ... + # $OBJ.QueryRowContext($CTX, $OTHER, ...) - pattern: | - $QUERY = "..." - ... - $OTHER = $FXN(..., $QUERY, ...) + $QUERY = $X + ... ... - $OBJ.QueryContext($CTX, $OTHER, ...) + $OBJ.Exec($QUERY, ...) - pattern: | - $QUERY = "..." - ... - $OTHER = $FXN(..., $QUERY, ...) + $QUERY = $X + ... ... - $OBJ.QueryRow($OTHER) + $OBJ.Query($QUERY, ...) - pattern: | - $QUERY = "..." - ... - $OTHER = $FXN(..., $QUERY, ...) + $QUERY = $X + ... ... - $OBJ.QueryRow($CTX, $OTHER) + $OBJ.ExecContext($CTX, $QUERY, ...) - pattern: | - $QUERY = "..." - ... - $OTHER = $FXN(..., $QUERY, ...) + $QUERY = $X + ... ... - $OBJ.QueryRowContext($CTX, $OTHER, ...) + $OBJ.QueryContext($CTX, $QUERY, ...) - pattern: | $QUERY = $X + ... ... - $OBJ.Exec($QUERY, ...) + $OBJ.QueryRow($QUERY) - pattern: | $QUERY = $X + ... ... - $OBJ.Query($QUERY, ...) + $OBJ.QueryRow($CTX, $QUERY) - pattern: | $QUERY = $X + ... ... - $OBJ.ExecContext($CTX, $QUERY, ...) + $OBJ.QueryRowContext($CTX, $QUERY, ...) - pattern: | - $QUERY = $X + ... + $QUERY = fmt.$F("...", ...) ... $OBJ.QueryContext($CTX, $QUERY, ...) - pattern: | - $QUERY = $X + ... + $QUERY = fmt.$F("...", ...) ... $OBJ.QueryRow($QUERY) - pattern: | - $QUERY = $X + ... + $QUERY = fmt.$F("...", ...) + ... + $OBJ.Exec($QUERY) + - pattern: | + $QUERY = fmt.$F("...", ...) ... $OBJ.QueryRow($CTX, $QUERY) - pattern: | - $QUERY = $X + ... + $QUERY = fmt.$F("...", ...) ... $OBJ.QueryRowContext($CTX, $QUERY, ...) 
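Review bot: The new `fmt.$F("...", ...)` forms are inconsistent with the rest of the rule: `$OBJ.Exec($QUERY)` omits the trailing `, ...`, so `db.Exec(query, arg)` with bind arguments will not match although the neighbouring `$OBJ.Exec($QUERY, ...)` pattern does, and there is no `fmt.$F` variant for `$OBJ.Query($QUERY, ...)` or `$OBJ.ExecContext($CTX, $QUERY, ...)` even though the `$QUERY = $X + ...` forms cover both sinks. Change the line to `$OBJ.Exec($QUERY, ...)` and add the two missing sinks. The `$QUERY = $X + ...` forms also match constant-only concatenation such as `"SELECT ..." + " FROM t"`; that is acceptable for an `audit` rule but deserves a one-line comment next to the pattern so the false positives are understood as intentional.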
From f8baff9ea88c20df70ece6ef536169e3b5c68aa9 Mon Sep 17 00:00:00 2001 From: Alex Useche Date: Tue, 16 Jan 2024 11:32:53 -0800 Subject: [PATCH 15/89] t/s duplicates --- .../database/string-formatted-query.yaml | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/go/lang/security/audit/database/string-formatted-query.yaml b/go/lang/security/audit/database/string-formatted-query.yaml index 27c2794049..e3cc72a834 100644 --- a/go/lang/security/audit/database/string-formatted-query.yaml +++ b/go/lang/security/audit/database/string-formatted-query.yaml @@ -91,12 +91,12 @@ rules: # $QUERY = $FXN(..., $QUERY, ...) # ... # $OBJ.QueryRow($CTX, $QUERY) - # - pattern: | - # $QUERY = "..." - # ... - # $QUERY = $FXN(..., $QUERY, ...) - # ... - # $OBJ.QueryRowContext($CTX, $QUERY, ...) + - pattern: | + $QUERY = "..." + ... + $QUERY = $FXN(..., $QUERY, ...) + ... + $OBJ.QueryRowContext($CTX, $QUERY, ...) # - pattern: | # $QUERY = "..." # ... @@ -133,12 +133,12 @@ rules: # $OTHER = $FXN(..., $QUERY, ...) # ... # $OBJ.QueryRow($CTX, $OTHER) - # - pattern: | - # $QUERY = "..." - # ... - # $OTHER = $FXN(..., $QUERY, ...) - # ... - # $OBJ.QueryRowContext($CTX, $OTHER, ...) + - pattern: | + $QUERY = "..." + ... + $OTHER = $FXN(..., $QUERY, ...) + ... + $OBJ.QueryRowContext($CTX, $OTHER, ...) - pattern: | $QUERY = $X + ... ... From c4611ad2ea435b9e40cb2f6716c76d66bf00da88 Mon Sep 17 00:00:00 2001 From: Alex Useche Date: Tue, 16 Jan 2024 11:37:31 -0800 Subject: [PATCH 16/89] removed open-redirect cases from tainted-url-host --- .../security/injection/tainted-url-host.go | 606 ++++++++---------- .../security/injection/tainted-url-host.yaml | 3 +- 2 files changed, 285 insertions(+), 324 deletions(-) diff --git a/go/lang/security/injection/tainted-url-host.go b/go/lang/security/injection/tainted-url-host.go index 9097970b3a..079a796b01 100644 --- a/go/lang/security/injection/tainted-url-host.go +++ b/go/lang/security/injection/tainted-url-host.go 
@@ -1,145 +1,143 @@ package main import ( - "crypto/tls" - "encoding/json" - "encoding/hex" - "fmt" - "io/ioutil" - "net/http" - "net/url" + "crypto/tls" + "encoding/hex" + "fmt" + "io/ioutil" + "net/http" ) func handlerIndexFmt(w http.ResponseWriter, r *http.Request) { - tr := &http.Transport{ - TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, - } - - client := &http.Client{Transport: tr} - - if r.Method == "POST" && r.URL.Path == "/api" { - url := fmt.Sprintf("https://%v/api", r.URL.Query().Get("proxy")) - - // ruleid: tainted-url-host - resp, err := client.Post(url, "application/json", r.Body) - - if err != nil { - w.WriteHeader(http.StatusInternalServerError) - return - } - - defer resp.Body.Close() - - if resp.StatusCode != 200 { - w.WriteHeader(500) - return - } - - w.Write([]byte(fmt.Sprintf("{\"host\":\"%v\"}", r.URL.Query().Get("proxy")))) - return - } else { - proxy := r.URL.Query()["proxy"] - secure := r.URL.Query()["secure"] - - url := "" - if (secure) { - url = fmt.Sprintf("https://%s", proxy) - } else { - url = fmt.Sprintf("http://%q", proxy) - } - // ruleid: tainted-url-host - resp, err := client.Post(url, "application/json", r.Body) - } + tr := &http.Transport{ + TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, + } + + client := &http.Client{Transport: tr} + + if r.Method == "POST" && r.URL.Path == "/api" { + url := fmt.Sprintf("https://%v/api", r.URL.Query().Get("proxy")) + + // ruleid: tainted-url-host + resp, err := client.Post(url, "application/json", r.Body) + + if err != nil { + w.WriteHeader(http.StatusInternalServerError) + return + } + + defer resp.Body.Close() + + if resp.StatusCode != 200 { + w.WriteHeader(500) + return + } + + w.Write([]byte(fmt.Sprintf("{\"host\":\"%v\"}", r.URL.Query().Get("proxy")))) + return + } else { + proxy := r.URL.Query()["proxy"] + secure := r.URL.Query()["secure"] + + url := "" + if secure { + url = fmt.Sprintf("https://%s", proxy) + } else { + url = fmt.Sprintf("http://%q", proxy) + } + // 
ruleid: tainted-url-host + resp, err := client.Post(url, "application/json", r.Body) + } } func handlerOtherFmt(w http.ResponseWriter, r *http.Request) { - tr := &http.Transport{ - TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, - } - - client := &http.Client{Transport: tr} - - if r.Method == "POST" && r.URL.Path == "/api" { - url := fmt.Printf("https://%v/api", r.URL.Query().Get("proxy")) - - // ruleid: tainted-url-host - resp, err := client.Post(url, "application/json", r.Body) - - if err != nil { - w.WriteHeader(http.StatusInternalServerError) - return - } - - defer resp.Body.Close() - - if resp.StatusCode != 200 { - w.WriteHeader(500) - return - } - - w.Write([]byte(fmt.Sprintf("{\"host\":\"%v\"}", r.URL.Query().Get("proxy")))) - return - } else { - proxy := r.URL.Query()["proxy"] - secure := r.URL.Query()["secure"] - - url := "" - if (secure) { - url = fmt.Fprintf(w, "https://%s", proxy) - } else { - url = fmt.Fprintf(w, "http://%q", proxy) - } - // ruleid: tainted-url-host - resp, err := client.Post(url, "application/json", r.Body) - } + tr := &http.Transport{ + TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, + } + + client := &http.Client{Transport: tr} + + if r.Method == "POST" && r.URL.Path == "/api" { + url := fmt.Printf("https://%v/api", r.URL.Query().Get("proxy")) + + // ruleid: tainted-url-host + resp, err := client.Post(url, "application/json", r.Body) + + if err != nil { + w.WriteHeader(http.StatusInternalServerError) + return + } + + defer resp.Body.Close() + + if resp.StatusCode != 200 { + w.WriteHeader(500) + return + } + + w.Write([]byte(fmt.Sprintf("{\"host\":\"%v\"}", r.URL.Query().Get("proxy")))) + return + } else { + proxy := r.URL.Query()["proxy"] + secure := r.URL.Query()["secure"] + + url := "" + if secure { + url = fmt.Fprintf(w, "https://%s", proxy) + } else { + url = fmt.Fprintf(w, "http://%q", proxy) + } + // ruleid: tainted-url-host + resp, err := client.Post(url, "application/json", r.Body) + } } func handlerOkFmt(w 
http.ResponseWriter, r *http.Request) { - tr := &http.Transport{ - TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, - } - - client := &http.Client{Transport: tr} - - if r.Method == "POST" && r.URL.Path == "/api" { - url := fmt.Printf("https://example.com/%v", r.URL.Query().Get("proxy")) - - // ok: tainted-url-host - resp, err := client.Post(url, "application/json", r.Body) - - if err != nil { - w.WriteHeader(http.StatusInternalServerError) - return - } - - defer resp.Body.Close() - - if resp.StatusCode != 200 { - w.WriteHeader(500) - return - } - - w.Write([]byte(fmt.Sprintf("{\"host\":\"%v\"}", r.URL.Query().Get("proxy")))) - return - } else { - proxy := r.URL.Query()["proxy"] - secure := r.URL.Query()["secure"] - - url := "" - if (secure) { - url = fmt.Sprintf("https://example.com/%s", proxy) - } else { - url = fmt.Fprintf(w, "http://example.com%q", proxy) - } - // ok: tainted-url-host - resp, err := client.Post(url, "application/json", r.Body) - } + tr := &http.Transport{ + TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, + } + + client := &http.Client{Transport: tr} + + if r.Method == "POST" && r.URL.Path == "/api" { + url := fmt.Printf("https://example.com/%v", r.URL.Query().Get("proxy")) + + // ok: tainted-url-host + resp, err := client.Post(url, "application/json", r.Body) + + if err != nil { + w.WriteHeader(http.StatusInternalServerError) + return + } + + defer resp.Body.Close() + + if resp.StatusCode != 200 { + w.WriteHeader(500) + return + } + + w.Write([]byte(fmt.Sprintf("{\"host\":\"%v\"}", r.URL.Query().Get("proxy")))) + return + } else { + proxy := r.URL.Query()["proxy"] + secure := r.URL.Query()["secure"] + + url := "" + if secure { + url = fmt.Sprintf("https://example.com/%s", proxy) + } else { + url = fmt.Fprintf(w, "http://example.com%q", proxy) + } + // ok: tainted-url-host + resp, err := client.Post(url, "application/json", r.Body) + } } -func (s *server) handlerBadFmt (w http.ResponseWriter, r *http.Request) { - urls, ok := 
r.URL.Query()["url"] // extract url from query params +func (s *server) handlerBadFmt(w http.ResponseWriter, r *http.Request) { + urls, ok := r.URL.Query()["url"] // extract url from query params - if !ok { + if !ok { http.Error(w, "url missing", 500) return } 
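Review bot: This hunk is almost entirely a gofmt re-indentation with a few real changes mixed in — the `encoding/json` and `net/url` imports are dropped and `if (secure)` becomes `if secure` — which makes the functional part of the commit hard to review; a formatting-only commit first would have left a handful of changed lines here. The kept `if secure` still conditions on `r.URL.Query()["secure"]`, which is a `[]string`, so the fixture does not compile as Go (presumably it never did); `secure := r.URL.Query().Get("secure") != ""` would keep the file valid without changing what the rule tests, since `secure` never reaches the URL.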
@@ -148,200 +146,182 @@ func (s *server) handlerBadFmt (w http.ResponseWriter, r *http.Request) { http.Error(w, "url missing", 500) return } - - url := fmt.Sprintf("//%s/path", urls[0]) - // ruleid: tainted-url-host - resp, err := http.Get(url) // sink - if err != nil { + url := fmt.Sprintf("//%s/path", urls[0]) + + // ruleid: tainted-url-host + resp, err := http.Get(url) // sink + if err != nil { http.Error(w, err.Error(), 500) return } - client := &http.Client {} + client := &http.Client{} - // ruleid: tainted-url-host - req2, err := http.NewRequest("GET", url, nil) - _, err2 := client.Do(req2) + // ruleid: tainted-url-host + req2, err := http.NewRequest("GET", url, nil) + _, err2 := client.Do(req2) if err2 != nil { http.Error(w, err.Error(), 500) return } - // ok: tainted-url-host + // ok: tainted-url-host _, err3 := http.Get("https://semgrep.dev") if err3 != nil { http.Error(w, err.Error(), 500) return - } - - url4 := fmt.Sprintf("ftps://%s/path/to/%s", "test", r.URL.Path) - // ok: tainted-url-host + } + + url4 := fmt.Sprintf("ftps://%s/path/to/%s", "test", r.URL.Path) + // ok: tainted-url-host _, err4 := http.Get("https://semgrep.dev") if err3 != nil { http.Error(w, err.Error(), 500) return } - defer resp.Body.Close() + defer resp.Body.Close() - bytes, err := ioutil.ReadAll(resp.Body) - if err != nil { + bytes, err := ioutil.ReadAll(resp.Body) + if err != nil { http.Error(w, err.Error(), 500) return } - // Write out the hexdump of the bytes as plaintext. + // Write out the hexdump of the bytes as plaintext. 
w.Header().Set("Content-Type", "text/plain; charset=utf-8") fmt.Fprint(w, hex.Dump(bytes)) } -func newRedirectServerFmt(addr string, rootPath string) *http.Server { - return &http.Server{ - Addr: addr, - Handler: http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { - target := fmt.Printf("https://%s/path/to/%s", req.Host, req.URL.Path) - if rootPath != "" { - target += "/" + strings.TrimRight(strings.TrimLeft(rootPath, "/"), "/") - } - target += req.URL.Path - if len(req.URL.RawQuery) > 0 { - target += "?" + req.URL.RawQuery - } - // ruleid: tainted-url-host - http.Redirect(w, req, target, http.StatusTemporaryRedirect) - }), - } -} - func handlerIndexAdd(w http.ResponseWriter, r *http.Request) { - tr := &http.Transport{ - TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, - } - - client := &http.Client{Transport: tr} - - if r.Method == "POST" && r.URL.Path == "/api" { - url := "https://" + r.URL.Query().Get("proxy") + "/api" - - // ruleid: tainted-url-host - resp, err := client.Post(url, "application/json", r.Body) - - if err != nil { - w.WriteHeader(http.StatusInternalServerError) - return - } - - defer resp.Body.Close() - - if resp.StatusCode != 200 { - w.WriteHeader(500) - return - } - - w.Write([]byte(fmt.Sprintf("{\"host\":\"%v\"}", r.URL.Query().Get("proxy")))) - return - } else { - proxy := r.URL.Query()["proxy"] - secure := r.URL.Query()["secure"] - - url := "" - if (secure) { - url = "https://" + proxy - } else { - url = "http://" + proxy - } - // ruleid: tainted-url-host - resp, err := client.Post(url, "application/json", r.Body) - } + tr := &http.Transport{ + TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, + } + + client := &http.Client{Transport: tr} + + if r.Method == "POST" && r.URL.Path == "/api" { + url := "https://" + r.URL.Query().Get("proxy") + "/api" + + // ruleid: tainted-url-host + resp, err := client.Post(url, "application/json", r.Body) + + if err != nil { + w.WriteHeader(http.StatusInternalServerError) + return + } 
+ + defer resp.Body.Close() + + if resp.StatusCode != 200 { + w.WriteHeader(500) + return + } + + w.Write([]byte(fmt.Sprintf("{\"host\":\"%v\"}", r.URL.Query().Get("proxy")))) + return + } else { + proxy := r.URL.Query()["proxy"] + secure := r.URL.Query()["secure"] + + url := "" + if secure { + url = "https://" + proxy + } else { + url = "http://" + proxy + } + // ruleid: tainted-url-host + resp, err := client.Post(url, "application/json", r.Body) + } } func handlerOtherAdd(w http.ResponseWriter, r *http.Request) { - tr := &http.Transport{ - TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, - } - - client := &http.Client{Transport: tr} - - if r.Method == "POST" && r.URL.Path == "/api" { - url := "https://" + r.URL.Query().Get("proxy") + "/api" - - // ruleid: tainted-url-host - resp, err := client.Post(url, "application/json", r.Body) - - if err != nil { - w.WriteHeader(http.StatusInternalServerError) - return - } - - defer resp.Body.Close() - - if resp.StatusCode != 200 { - w.WriteHeader(500) - return - } - - w.Write([]byte(fmt.Sprintf("{\"host\":\"%v\"}", r.URL.Query().Get("proxy")))) - return - } else { - proxy := r.URL.Query()["proxy"] - secure := r.URL.Query()["secure"] - - url := "" - if (secure) { - url = "https://example.com/" + proxy - } else { - url = "http://example.com/api/test/" + proxy - } - // ok: tainted-url-host - resp, err := client.Post(url, "application/json", r.Body) - } + tr := &http.Transport{ + TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, + } + + client := &http.Client{Transport: tr} + + if r.Method == "POST" && r.URL.Path == "/api" { + url := "https://" + r.URL.Query().Get("proxy") + "/api" + + // ruleid: tainted-url-host + resp, err := client.Post(url, "application/json", r.Body) + + if err != nil { + w.WriteHeader(http.StatusInternalServerError) + return + } + + defer resp.Body.Close() + + if resp.StatusCode != 200 { + w.WriteHeader(500) + return + } + + w.Write([]byte(fmt.Sprintf("{\"host\":\"%v\"}", 
r.URL.Query().Get("proxy")))) + return + } else { + proxy := r.URL.Query()["proxy"] + secure := r.URL.Query()["secure"] + + url := "" + if secure { + url = "https://example.com/" + proxy + } else { + url = "http://example.com/api/test/" + proxy + } + // ok: tainted-url-host + resp, err := client.Post(url, "application/json", r.Body) + } } func handlerOkAdd(w http.ResponseWriter, r *http.Request) { - tr := &http.Transport{ - TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, - } - - client := &http.Client{Transport: tr} - - if r.Method == "POST" && r.URL.Path == "/api" { - // ok: tainted-url-host - resp, err := client.Post("https://example.com/" + r.URL.Query().Get("proxy"), "application/json", r.Body) - - if err != nil { - w.WriteHeader(http.StatusInternalServerError) - return - } - - defer resp.Body.Close() - - if resp.StatusCode != 200 { - w.WriteHeader(500) - return - } - - w.Write([]byte(fmt.Sprintf("{\"host\":\"%v\"}", r.URL.Query().Get("proxy")))) - return - } else { - proxy := r.URL.Query()["proxy"] - secure := r.URL.Query()["secure"] - - url := "" - if (secure) { - url = "https://example.com/" + proxy - } else { - url = "http://example.com" + proxy - } - // ok: tainted-url-host - resp, err := client.Post(url, "application/json", r.Body) - } + tr := &http.Transport{ + TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, + } + + client := &http.Client{Transport: tr} + + if r.Method == "POST" && r.URL.Path == "/api" { + // ok: tainted-url-host + resp, err := client.Post("https://example.com/"+r.URL.Query().Get("proxy"), "application/json", r.Body) + + if err != nil { + w.WriteHeader(http.StatusInternalServerError) + return + } + + defer resp.Body.Close() + + if resp.StatusCode != 200 { + w.WriteHeader(500) + return + } + + w.Write([]byte(fmt.Sprintf("{\"host\":\"%v\"}", r.URL.Query().Get("proxy")))) + return + } else { + proxy := r.URL.Query()["proxy"] + secure := r.URL.Query()["secure"] + + url := "" + if secure { + url = "https://example.com/" + 
proxy + } else { + url = "http://example.com" + proxy + } + // ok: tainted-url-host + resp, err := client.Post(url, "application/json", r.Body) + } } -func (s *server) handlerBadAdd (w http.ResponseWriter, r *http.Request) { - urls, ok := r.URL.Query()["url"] // extract url from query params +func (s *server) handlerBadAdd(w http.ResponseWriter, r *http.Request) { + urls, ok := r.URL.Query()["url"] // extract url from query params - if !ok { + if !ok { http.Error(w, "url missing", 500) return } 
@@ -350,76 +330,58 @@ func (s *server) handlerBadAdd (w http.ResponseWriter, r *http.Request) { http.Error(w, "url missing", 500) return } - - url := urls[0] - // ruleid: tainted-url-host - resp, err := http.Get(url) // sink - if err != nil { + url := urls[0] + + // ruleid: tainted-url-host + resp, err := http.Get(url) // sink + if err != nil { http.Error(w, err.Error(), 500) return } - client := &http.Client {} + client := &http.Client{} - // ruleid: tainted-url-host - req2, err := http.NewRequest("GET", r.URL.Path, nil) - _, err2 := client.Do(req2) + // ruleid: tainted-url-host + req2, err := http.NewRequest("GET", r.URL.Path, nil) + _, err2 := client.Do(req2) if err2 != nil { http.Error(w, err.Error(), 500) return } - // ok: tainted-url-host + // ok: tainted-url-host _, err3 := http.Get("https://semgrep.dev") if err3 != nil { http.Error(w, err.Error(), 500) return - } - - url4 := fmt.Sprintf("ftps://%s/path/to/%s", "test", r.URL.Path) - // ok: tainted-url-host + } + + url4 := fmt.Sprintf("ftps://%s/path/to/%s", "test", r.URL.Path) + // ok: tainted-url-host _, err4 := http.Get("https://semgrep.dev") if err3 != nil { http.Error(w, err.Error(), 500) return } - defer resp.Body.Close() + defer resp.Body.Close() - bytes, err := ioutil.ReadAll(resp.Body) - if err != nil { + bytes, err := ioutil.ReadAll(resp.Body) + if err != nil { http.Error(w, err.Error(), 500) return } - // Write out the hexdump of the bytes as plaintext. + // Write out the hexdump of the bytes as plaintext. 
w.Header().Set("Content-Type", "text/plain; charset=utf-8") fmt.Fprint(w, hex.Dump(bytes)) } -func newRedirectServerAdd(addr string, rootPath string) *http.Server { - return &http.Server{ - Addr: addr, - Handler: http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { - target := "https://" + req.Host + "/path/to/" + req.URL.Path - if rootPath != "" { - target += "/" + strings.TrimRight(strings.TrimLeft(rootPath, "/"), "/") - } - target += req.URL.Path - if len(req.URL.RawQuery) > 0 { - target += "?" + req.URL.RawQuery - } - // ruleid: tainted-url-host - http.Redirect(w, req, target, http.StatusTemporaryRedirect) - }), - } -} - func main() { - http.HandleFunc("/", handlerIndex) - http.HandleFunc("/other", handleOther) - http.HandleFunc("/ok", handleOk) - http.HandleFunc("/bad", handlerBad) - http.ListenAndServe(":8888", nil) + http.HandleFunc("/", handlerIndex) + http.HandleFunc("/other", handleOther) + http.HandleFunc("/ok", handleOk) + http.HandleFunc("/bad", handlerBad) + http.ListenAndServe(":8888", nil) } diff --git a/go/lang/security/injection/tainted-url-host.yaml b/go/lang/security/injection/tainted-url-host.yaml index 01c66edd5a..e7fa9a9102 100644 --- a/go/lang/security/injection/tainted-url-host.yaml +++ b/go/lang/security/injection/tainted-url-host.yaml @@ -71,7 +71,6 @@ rules: - metavariable-regex: metavariable: $METHOD regex: ^(Get|Head|Post|PostForm)$ - - pattern: http.Redirect($W, $REQ, $URL, ...) - patterns: - pattern: | http.NewRequest("$METHOD", $URL, ...) @@ -79,4 +78,4 @@ rules: metavariable: $METHOD regex: ^(GET|HEAD|POST|POSTFORM)$ - focus-metavariable: $URL - severity: WARNING + severity: WARNING \ No newline at end of file From ff5e3a2650919b3d13c310798d26350b0309de0b Mon Sep 17 00:00:00 2001 From: Alex Useche Date: Tue, 16 Jan 2024 12:26:36 -0800 Subject: [PATCH 17/89] removed redundant rules --- .../database/string-formatted-query.yaml | 72 ------------------- 1 file changed, 72 deletions(-) 
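Review bot: In handlerOkAdd the else-branch `url = "http://example.com" + proxy` is annotated `// ok: tainted-url-host`, yet without a separating `/` the query value still controls the authority: a value such as `@attacker.example` or `.attacker.example:443` yields `http://example.com@attacker.example` or `http://example.com.attacker.example:443`, whose host is the attacker's. Either make the fixture `url = "http://example.com/" + proxy` (matching the https branch and the handlerOtherAdd cases) or flip the annotation to `// ruleid: tainted-url-host` so the rule is expected to report it. Separately, in both handlerBadFmt and handlerBadAdd `url4` is built from `r.URL.Path` but never reaches a sink — `http.Get("https://semgrep.dev")` is called again and `err3` is rechecked — so the `// ok` marker exercises nothing; `_, err4 := http.Get(url4)` followed by `if err4 != nil` is what the fixture appears to intend. Whether that case should be ok depends on the rule treating a non-http scheme with a literal host as safe, which is not visible from this hunk.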
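Review bot: Dropping `http.Redirect($W, $REQ, $URL, ...)` from the sink list means this rule no longer reports user-controlled redirect targets at all, and the newRedirectServerFmt/newRedirectServerAdd fixtures are deleted rather than moved, so nothing in this patch records where that coverage now lives; presumably the sibling go/lang/security/injection/open-redirect rule is meant to own it, and a one-line `# open redirects are covered by open-redirect.yaml` comment beside the remaining sinks would make that explicit. While here, `http.NewRequestWithContext($CTX, "$METHOD", $URL, ...)` is the usual variant in request-scoped code and is not among the sinks shown in this hunk; if it is not listed elsewhere in the rule it should be added alongside `http.NewRequest`. The second hunk also strips the trailing newline after `severity: WARNING`; the file should end with a newline.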
diff --git a/go/lang/security/audit/database/string-formatted-query.yaml b/go/lang/security/audit/database/string-formatted-query.yaml index e3cc72a834..8772707ec4 100644 --- a/go/lang/security/audit/database/string-formatted-query.yaml +++ b/go/lang/security/audit/database/string-formatted-query.yaml @@ -55,12 +55,6 @@ rules: - pattern: $OBJ.QueryRow(fmt.$P("...", ...)) - pattern: $OBJ.QueryRow($CTX, fmt.$P("...", ...)) - pattern: $OBJ.QueryRowContext($CTX, fmt.$P("...", ...)) - # - pattern: | - # $QUERY = "..." - # ... - # $QUERY = $FXN(..., $QUERY, ...) - # ... - # $OBJ.Exec($QUERY, ...) - pattern: | $QUERY = "..." ... 
@@ -73,72 +67,6 @@ rules: $QUERY = $FXN(..., $QUERY, ...) ... $OBJ.ExecContext($CTX, $QUERY, ...) - # - pattern: | - # $QUERY = "..." - # ... - # $QUERY = $FXN(..., $QUERY, ...) - # ... - # $OBJ.QueryContext($CTX, $QUERY, ...) - # - pattern: | - # $QUERY = "..." - # ... - # $QUERY = $FXN(..., $QUERY, ...) - # ... - # $OBJ.QueryRow($QUERY) - # - pattern: | - # $QUERY = "..." - # ... - # $QUERY = $FXN(..., $QUERY, ...) - # ... - # $OBJ.QueryRow($CTX, $QUERY) - - pattern: | - $QUERY = "..." - ... - $QUERY = $FXN(..., $QUERY, ...) - ... - $OBJ.QueryRowContext($CTX, $QUERY, ...) - # - pattern: | - # $QUERY = "..." - # ... - # $OTHER = $FXN(..., $QUERY, ...) - # ... - # $OBJ.Exec($OTHER, ...) - - pattern: | - $QUERY = "..." - ... - $OTHER = $FXN(..., $QUERY, ...) - ... - $OBJ.Query($OTHER, ...) - - pattern: | - $QUERY = "..." - ... - $OTHER = $FXN(..., $QUERY, ...) - ... - $OBJ.ExecContext($CTX, $OTHER, ...) - # - pattern: | - # $QUERY = "..." - # ... - # $OTHER = $FXN(..., $QUERY, ...) - # ... - # $OBJ.QueryContext($CTX, $OTHER, ...) - # - pattern: | - # $QUERY = "..." - # ... - # $OTHER = $FXN(..., $QUERY, ...) - # ... - # $OBJ.QueryRow($OTHER) - # - pattern: | - # $QUERY = "..." - # ... - # $OTHER = $FXN(..., $QUERY, ...) - # ... - # $OBJ.QueryRow($CTX, $OTHER) - - pattern: | - $QUERY = "..." - ... - $OTHER = $FXN(..., $QUERY, ...) - ... - $OBJ.QueryRowContext($CTX, $OTHER, ...) - pattern: | $QUERY = $X + ... ... From 8543131c0996a993a0073495859e0e34cae02358 Mon Sep 17 00:00:00 2001 From: Alex Useche Date: Tue, 16 Jan 2024 15:18:16 -0800 Subject: [PATCH 18/89] update metedata for open-redirect --- go/lang/security/injection/open-redirect.yaml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/go/lang/security/injection/open-redirect.yaml b/go/lang/security/injection/open-redirect.yaml index 5d2f14b2ef..6bafe1ed95 100644 --- a/go/lang/security/injection/open-redirect.yaml +++ b/go/lang/security/injection/open-redirect.yaml 
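Review bot: The removed `$OTHER = $FXN(..., $QUERY, ...)` patterns (followed by `$OBJ.Query($OTHER, ...)`, `$OBJ.ExecContext($CTX, $OTHER, ...)` and `$OBJ.QueryRowContext($CTX, $OTHER, ...)`) are not redundant with what is kept: the surviving `$QUERY = $FXN(..., $QUERY, ...)` forms only fire when the formatted result is assigned back to the same variable, so the common `stmt := fmt.Sprintf(query, id); db.Query(stmt)` shape stops being reported with this commit. Likewise the `$QUERY = $FXN(..., $QUERY, ...)` then `$OBJ.QueryRowContext($CTX, $QUERY, ...)` variant is deleted while its `Query` and `ExecContext` siblings stay, leaving the context-aware row query uncovered. If the intent is that a later rewrite covers these, a fixture with a differently-named result variable, e.g. `// ruleid: string-formatted-query` above a `db.Query(stmt)` call, would keep the regression visible.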
@@ -22,11 +22,9 @@ rules: description: "An HTTP redirect was found to be crafted from user-input leading to an open redirect vulnerability" subcategory: - vuln - impact: LOW - likelihood: LOW + impact: MEDIUM + likelihood: MEDIUM interfile: true - vulnerability_class: - - URL Redirection to Untrusted Site ('Open Redirect') mode: taint pattern-sources: - label: INPUT From f56d2750198e22f6cafb6cf5bb86067927a0b83d Mon Sep 17 00:00:00 2001 From: Phil Turnbull Date: Wed, 17 Jan 2024 14:59:42 -0500 Subject: [PATCH 19/89] Update confidence of C rules --- c/lang/security/double-free.yaml | 2 +- c/lang/security/function-use-after-free.yaml | 2 +- c/lang/security/info-leak-on-non-formatted-string.yaml | 2 +- c/lang/security/insecure-use-printf-fn.yaml | 2 +- c/lang/security/use-after-free.yaml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/c/lang/security/double-free.yaml b/c/lang/security/double-free.yaml index 5cda8c015b..a10f530ef2 100644 --- a/c/lang/security/double-free.yaml +++ b/c/lang/security/double-free.yaml @@ -35,7 +35,7 @@ rules: category: security technology: - c - confidence: MEDIUM + confidence: LOW subcategory: - vuln likelihood: LOW diff --git a/c/lang/security/function-use-after-free.yaml b/c/lang/security/function-use-after-free.yaml index e91cc0c85f..b5691307ef 100644 --- a/c/lang/security/function-use-after-free.yaml +++ b/c/lang/security/function-use-after-free.yaml @@ -32,7 +32,7 @@ rules: category: security technology: - c - confidence: MEDIUM + confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: diff --git a/c/lang/security/info-leak-on-non-formatted-string.yaml b/c/lang/security/info-leak-on-non-formatted-string.yaml index 9a83019cbf..699ee697ab 100644 --- a/c/lang/security/info-leak-on-non-formatted-string.yaml +++ b/c/lang/security/info-leak-on-non-formatted-string.yaml 
@@ -10,7 +10,7 @@ rules: category: security technology: - c - confidence: MEDIUM + confidence: LOW owasp: - A09:2021 - Security Logging and Monitoring Failures subcategory: diff --git a/c/lang/security/insecure-use-printf-fn.yaml b/c/lang/security/insecure-use-printf-fn.yaml index eb00a471e1..61c295f722 100644 --- a/c/lang/security/insecure-use-printf-fn.yaml +++ b/c/lang/security/insecure-use-printf-fn.yaml @@ -15,7 +15,7 @@ rules: category: security technology: - c - confidence: MEDIUM + confidence: LOW subcategory: - vuln likelihood: MEDIUM diff --git a/c/lang/security/use-after-free.yaml b/c/lang/security/use-after-free.yaml index 8efc80c33b..3ca34bd4a3 100644 --- a/c/lang/security/use-after-free.yaml +++ b/c/lang/security/use-after-free.yaml @@ -27,7 +27,7 @@ rules: category: security technology: - c - confidence: MEDIUM + confidence: LOW cwe2022-top25: true cwe2021-top25: true subcategory: From 1e14e81f5e552c12824084c377767e449ec6fea4 Mon Sep 17 00:00:00 2001 From: Phil Turnbull Date: Wed, 17 Jan 2024 16:03:12 -0500 Subject: [PATCH 20/89] Fix `yaml.semgrep.multi-line-message` CI error --- html/correctness/https-equiv.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/html/correctness/https-equiv.yaml b/html/correctness/https-equiv.yaml index 4f3a844e2e..03a97b5719 100644 --- a/html/correctness/https-equiv.yaml +++ b/html/correctness/https-equiv.yaml @@ -6,7 +6,7 @@ rules: - html references: - https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meta#http-equiv - message: > + message: >- The correct attribute name for this meta tag is `http-equiv`, not `https-equiv`. severity: ERROR languages: [html] From f54889dace7d3e7493120528a38979689c911508 Mon Sep 17 00:00:00 2001 
From: Alex Useche Date: Fri, 19 Jan 2024 09:29:57 -0800 Subject: [PATCH 21/89] refectored string-formatted-query for go --- .../audit/database/string-formatted-query.go | 8 +- .../database/string-formatted-query.yaml | 91 ++++++------------- 2 files changed, 34 insertions(+), 65 deletions(-) diff --git a/go/lang/security/audit/database/string-formatted-query.go b/go/lang/security/audit/database/string-formatted-query.go index 2c55413478..4197bde809 100644 --- a/go/lang/security/audit/database/string-formatted-query.go +++ b/go/lang/security/audit/database/string-formatted-query.go @@ -138,18 +138,18 @@ func dbExecFmt(r *http.Request) { func dbExecContextFmt(r *http.Request) { ctx := context.Background() customerId := r.URL.Query().Get("id") - // ruleid: string-formatted-query query := "SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s" - query = fmt.Printf(query, customerId) + // ruleid: string-formatted-query + query = fmt.Printf(query, customerId) row, _ := db.ExecContext(ctx, query) } func dbQueryFmt(r *http.Request) { customerId := r.URL.Query().Get("id") - // ruleid: string-formatted-query query := "SELECT number, expireDate, cvv FROM creditcards WHERE customerId = %s" - query = fmt.Printf(query, customerId) + // ruleid: string-formatted-query + query = fmt.Printf(query, customerId) row, _ := db.Query(query) } diff --git a/go/lang/security/audit/database/string-formatted-query.yaml b/go/lang/security/audit/database/string-formatted-query.yaml index 8772707ec4..d0a497e17f 100644 --- a/go/lang/security/audit/database/string-formatted-query.yaml +++ b/go/lang/security/audit/database/string-formatted-query.yaml 
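Review bot: The fixtures in dbExecContextFmt and dbQueryFmt use `query = fmt.Printf(query, customerId)`, but fmt.Printf writes to stdout and returns `(int, error)`, so this is neither code that compiles nor code a real application writes; the realistic injection shape is `query = fmt.Sprintf(query, customerId)`. Because the rule rewritten in the same commit keys on `$QUERY = fmt.Sprintf("$SQLSTR", ...)`-style assignments with a literal format string, a fixture whose first argument is a variable also relies on constant propagation to match, so a second `// ruleid` case with the literal inline, `query := fmt.Sprintf("SELECT number FROM creditcards WHERE customerId = %s", customerId)`, would make the test pass for the reason the rule intends. Moving the `// ruleid` marker onto the formatting line looks correct given the new patterns focus on the assignment, though the focus metavariable itself is not visible here.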
@@ -53,65 +53,34 @@ rules: - pattern: $OBJ.Query(fmt.$P("...", ...)) - pattern: $OBJ.QueryContext($CTX, fmt.$P("...", ...)) - pattern: $OBJ.QueryRow(fmt.$P("...", ...)) - - pattern: $OBJ.QueryRow($CTX, fmt.$P("...", ...)) + - pattern: $OBJ.QueryRow($CTX, fmt.$U("...", ...)) - pattern: $OBJ.QueryRowContext($CTX, fmt.$P("...", ...)) - - pattern: | - $QUERY = "..." - ... - $QUERY = $FXN(..., $QUERY, ...) - ... - $OBJ.Query($QUERY, ...) - - pattern: | - $QUERY = "..." - ... - $QUERY = $FXN(..., $QUERY, ...) - ... - $OBJ.ExecContext($CTX, $QUERY, ...) - - pattern: | - $QUERY = $X + ... - ... - $OBJ.Exec($QUERY, ...) - - pattern: | - $QUERY = $X + ... - ... - $OBJ.Query($QUERY, ...) - - pattern: | - $QUERY = $X + ... - ... - $OBJ.ExecContext($CTX, $QUERY, ...) - - pattern: | - $QUERY = $X + ... - ... - $OBJ.QueryContext($CTX, $QUERY, ...) - - pattern: | - $QUERY = $X + ... - ... - $OBJ.QueryRow($QUERY) - - pattern: | - $QUERY = $X + ... - ... - $OBJ.QueryRow($CTX, $QUERY) - - pattern: | - $QUERY = $X + ... - ... - $OBJ.QueryRowContext($CTX, $QUERY, ...) - - pattern: | - $QUERY = fmt.$F("...", ...) - ... - $OBJ.QueryContext($CTX, $QUERY, ...) - - pattern: | - $QUERY = fmt.$F("...", ...) - ... - $OBJ.QueryRow($QUERY) - - pattern: | - $QUERY = fmt.$F("...", ...) - ... - $OBJ.Exec($QUERY) - - pattern: | - $QUERY = fmt.$F("...", ...) - ... - $OBJ.QueryRow($CTX, $QUERY) - - pattern: | - $QUERY = fmt.$F("...", ...) - ... - $OBJ.QueryRowContext($CTX, $QUERY, ...) + - patterns: + - pattern-either: + - pattern: $QUERY = fmt.Fprintf($F, "$SQLSTR", ...) + - pattern: $QUERY = fmt.Sprintf("$SQLSTR", ...) + - pattern: $QUERY = fmt.Printf("$SQLSTR", ...) + - pattern: $QUERY = $X + ... + - pattern-either: + - pattern-inside: | + ... + $OBJ.Query($QUERY, ...) + - pattern-inside: | + ... + $OBJ.ExecContext($CTX, $QUERY, ...) + - pattern-inside: | + ... + $OBJ.Exec($QUERY, ...) + - pattern-inside: | + ... + $OBJ.QueryRow($CTX, $QUERY) + - pattern-inside: | + ... 
+ $OBJ.QueryRow($QUERY) + - pattern-inside: | + ... + $OBJ.QueryContext($CTX, $QUERY) + - pattern-inside: | + ... + $OBJ.QueryRowContext($CTX, $QUERY, ...) + \ No newline at end of file From f221bf7eb21f309a9dede24649617bca058a03c5 Mon Sep 17 00:00:00 2001 From: Claudio Date: Wed, 24 Jan 2024 11:54:14 +0100 Subject: [PATCH 22/89] Fix message folding --- c/lang/security/use-after-free.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/c/lang/security/use-after-free.yaml b/c/lang/security/use-after-free.yaml index 3ca34bd4a3..ab33a30bd8 100644 --- a/c/lang/security/use-after-free.yaml +++ b/c/lang/security/use-after-free.yaml @@ -16,8 +16,8 @@ rules: ... $VAR = malloc(...); ... - message: Variable '$VAR' was used after being freed. This can lead to undefined - behavior. + message: >- + Variable '$VAR' was used after being freed. This can lead to undefined behavior. metadata: cwe: - "CWE-416: Use After Free" From 4cfd0e6f7e0bcb241d27876936ecaa488df8df08 Mon Sep 17 00:00:00 2001 From: Kurt Boberg Date: Wed, 24 Jan 2024 10:46:01 -0800 Subject: [PATCH 23/89] remove non-literal header rule: fixed in PHP 5, PHP 4 EOL in 2008, PHP 5 EOL in 2019 --- php/lang/security/non-literal-header.php | 12 ---------- php/lang/security/non-literal-header.yaml | 29 ----------------------- 2 files changed, 41 deletions(-) delete mode 100644 php/lang/security/non-literal-header.php delete mode 100644 php/lang/security/non-literal-header.yaml diff --git a/php/lang/security/non-literal-header.php b/php/lang/security/non-literal-header.php deleted file mode 100644 index a9714b1282..0000000000 --- a/php/lang/security/non-literal-header.php +++ /dev/null 
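Review bot: Three of the new `pattern-inside` sinks omit the trailing `...`: `$OBJ.QueryRow($CTX, $QUERY)`, `$OBJ.QueryRow($QUERY)` and `$OBJ.QueryContext($CTX, $QUERY)`, so a call that passes bind arguments alongside an already-formatted query — `db.QueryContext(ctx, query, limit)` — is not reported even though the query text is just as injectable; make them `$OBJ.QueryRow($CTX, $QUERY, ...)`, `$OBJ.QueryRow($QUERY, ...)` and `$OBJ.QueryContext($CTX, $QUERY, ...)` to match the `Query`, `Exec` and `QueryRowContext` entries. The one-off rename of `fmt.$P` to `fmt.$U` in the `$OBJ.QueryRow($CTX, ...)` line is harmless but inconsistent with the surrounding `$P` patterns. The file also loses its trailing newline.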
@@ -1,12 +0,0 @@ -- - Using user input when setting headers with `header()` is potentially dangerous. - This could allow an attacker to inject a new line and add a new header into the - response. - This is called HTTP response splitting. - To fix, do not allow whitespace inside `header()`: '[^\s]+'. - metadata: - references: - - https://www.php.net/manual/en/function.header.php - - https://owasp.org/www-community/attacks/HTTP_Response_Splitting - category: security - technology: - - php - cwe: - - "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')" - owasp: - - A03:2021 - Injection - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - languages: [php] - severity: WARNING From 5211fd7bb916b0d88302e77530e7db9e738c6e5a Mon Sep 17 00:00:00 2001 From: Alex Useche Date: Thu, 25 Jan 2024 00:12:23 -0800 Subject: [PATCH 24/89] updated string-fromatted-query to avoid performance issues --- .../database/string-formatted-query.yaml | 42 ++++++++++++------- 1 file changed, 28 insertions(+), 14 deletions(-) diff --git a/go/lang/security/audit/database/string-formatted-query.yaml b/go/lang/security/audit/database/string-formatted-query.yaml index d0a497e17f..7b65f3044f 100644 --- a/go/lang/security/audit/database/string-formatted-query.yaml +++ b/go/lang/security/audit/database/string-formatted-query.yaml 
@@ -63,24 +63,38 @@ rules: - pattern: $QUERY = $X + ... - pattern-either: - pattern-inside: | - ... - $OBJ.Query($QUERY, ...) + func $FUNC(...) { + ... + $OBJ.Query($QUERY, ...) + } - pattern-inside: | - ... - $OBJ.ExecContext($CTX, $QUERY, ...) + func $FUNC(...) { + ... + $OBJ.ExecContext($CTX, $QUERY, ...) + } - pattern-inside: | - ... - $OBJ.Exec($QUERY, ...) + func $FUNC(...) { + ... + $OBJ.Exec($QUERY, ...) + } - pattern-inside: | - ... - $OBJ.QueryRow($CTX, $QUERY) + func $FUNC(...) { + ... + $OBJ.QueryRow($CTX, $QUERY) + } - pattern-inside: | - ... - $OBJ.QueryRow($QUERY) + func $FUNC(...) { + ... + $OBJ.QueryRow($QUERY) + } - pattern-inside: | - ... - $OBJ.QueryContext($CTX, $QUERY) + func $FUNC(...) { + ... + $OBJ.QueryContext($CTX, $QUERY) + } - pattern-inside: | - ... - $OBJ.QueryRowContext($CTX, $QUERY, ...) + func $FUNC(...) { + ... + $OBJ.QueryRowContext($CTX, $QUERY, ...) + } \ No newline at end of file From f884bb668a4c1a3bd2f2e80d8a9b75b5d520621e Mon Sep 17 00:00:00 2001 
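Review bot: Anchoring every sink `pattern-inside` on `func $FUNC(...) { ... }` bounds the search to one function body, but depending on how the Go matcher treats receivers and function literals it may exclude methods (`func (s *Store) find(...)`) and anonymous handlers (`http.HandlerFunc(func(w, r) { ... })`), which is exactly where database calls sit in web code; the fixtures visible in this series are plain top-level functions, so such a gap would not be caught. Add a fixture with a method receiver and one with a closure, each marked `// ruleid: string-formatted-query`, and if they fail add `func ($R $T) $FUNC(...) { ... }` and `func(...) { ... }` alternatives to the `pattern-either`. A short comment above the block, `# anchored to a function body to bound matching cost (see commit message)`, would record why the bare `...` form was replaced.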
From: Brandon Wu <49291449+brandonspark@users.noreply.github.com> Date: Thu, 25 Jan 2024 01:48:27 -0800 Subject: [PATCH 25/89] feat(autofix): fix fix indentation (#3288) * fix * another test * fix some rules * fix a bunch of rules hopefully * redo --------- Co-authored-by: Yoann Padioleau --- ...y-disallow-doctype-decl-missing.fixed.java | 8 ++--- .../security/audit/unvalidated-password.yaml | 2 +- ...alation-no-securitycontext.fixed.test.yaml | 4 +-- ...ivilege-escalation-no-securitycontext.yaml | 33 ++++++++++--------- .../security/allow-privilege-escalation.yaml | 24 +++++++------- ...l-missing-security-context.fixed.test.yaml | 2 +- ...tainer-level-missing-security-context.yaml | 31 +++++++++-------- .../run-as-non-root-container-level.yaml | 22 ++++++------- ...s-non-root-security-context-pod-level.yaml | 22 ++++++------- ...le-true-under-metadata-and-no-options.yaml | 4 +-- ...nd-options-already-present.fixed.test.yaml | 2 +- ...-metadata-and-options-already-present.yaml | 6 ++-- 12 files changed, 83 insertions(+), 77 deletions(-) diff --git a/java/lang/security/audit/xxe/documentbuilderfactory-disallow-doctype-decl-missing.fixed.java b/java/lang/security/audit/xxe/documentbuilderfactory-disallow-doctype-decl-missing.fixed.java index 1a5fdf02e8..15ab5869e4 100644 --- a/java/lang/security/audit/xxe/documentbuilderfactory-disallow-doctype-decl-missing.fixed.java +++ b/java/lang/security/audit/xxe/documentbuilderfactory-disallow-doctype-decl-missing.fixed.java @@ -42,7 +42,7 @@ public void BadDocumentBuilderFactory() throws ParserConfigurationException { DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); //ruleid:documentbuilderfactory-disallow-doctype-decl-missing dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); -dbf.newDocumentBuilder(); + dbf.newDocumentBuilder(); } public void BadDocumentBuilderFactory2() throws ParserConfigurationException { 
@@ -50,7 +50,7 @@ public void BadDocumentBuilderFactory2() throws ParserConfigurationException { dbf.setFeature("somethingElse", true); //ruleid:documentbuilderfactory-disallow-doctype-decl-missing dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); -dbf.newDocumentBuilder(); + dbf.newDocumentBuilder(); } } @@ -77,7 +77,7 @@ class BadDocumentBuilderFactoryStatic { public void doSomething(){ //ruleid:documentbuilderfactory-disallow-doctype-decl-missing dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); -dbf.newDocumentBuilder(); + dbf.newDocumentBuilder(); } } @@ -115,7 +115,7 @@ public void GoodDocumentBuilderFactory(boolean condition) throws ParserConfigur } //ruleid:documentbuilderfactory-disallow-doctype-decl-missing dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); -dbf.newDocumentBuilder(); + dbf.newDocumentBuilder(); } private DocumentBuilderFactory newFactory(){ diff --git a/python/django/security/audit/unvalidated-password.yaml b/python/django/security/audit/unvalidated-password.yaml index 68b6cd0c32..36cb364f09 100644 --- a/python/django/security/audit/unvalidated-password.yaml +++ b/python/django/security/audit/unvalidated-password.yaml @@ -27,7 +27,7 @@ rules: - pattern: $MODEL.set_password($X) fix: > if django.contrib.auth.password_validation.validate_password($X, user=$MODEL): - $MODEL.set_password($X) + $MODEL.set_password($X) message: >- The password on '$MODEL' is being set without validating the password. Call django.contrib.auth.password_validation.validate_password() with diff --git a/yaml/kubernetes/security/allow-privilege-escalation-no-securitycontext.fixed.test.yaml b/yaml/kubernetes/security/allow-privilege-escalation-no-securitycontext.fixed.test.yaml index fc8ac2d2f3..fac40b7629 100644 --- a/yaml/kubernetes/security/allow-privilege-escalation-no-securitycontext.fixed.test.yaml 
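Review bot: The autofix `if django.contrib.auth.password_validation.validate_password($X, user=$MODEL): $MODEL.set_password($X)` is wrong independent of its indentation: validate_password() returns None on success and raises ValidationError on failure, so the condition is never true and the fixed code silently never sets a password. The fix should call it as a statement and let the exception propagate, i.e. `django.contrib.auth.password_validation.validate_password($X, user=$MODEL)` on one line followed by `$MODEL.set_password($X)` on the next, and the message should say a ValidationError is raised rather than implying a boolean result. The rule's message text continues outside this hunk.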
+++ b/yaml/kubernetes/security/allow-privilege-escalation-no-securitycontext.fixed.test.yaml @@ -3,9 +3,9 @@ kind: Pod spec: containers: # ruleid: allow-privilege-escalation-no-securitycontext - - name: nginx - securityContext: + - securityContext: allowPrivilegeEscalation: false + name: nginx image: nginx # ok: allow-privilege-escalation-no-securitycontext - name: postgres diff --git a/yaml/kubernetes/security/allow-privilege-escalation-no-securitycontext.yaml b/yaml/kubernetes/security/allow-privilege-escalation-no-securitycontext.yaml index 05ae1a6296..2a234442d8 100644 --- a/yaml/kubernetes/security/allow-privilege-escalation-no-securitycontext.yaml +++ b/yaml/kubernetes/security/allow-privilege-escalation-no-securitycontext.yaml @@ -5,7 +5,7 @@ rules: containers: ... - pattern-inside: | - - name: $CONTAINER + - $NAME: $CONTAINER ... - pattern: | image: ... 
@@ -15,22 +15,25 @@ rules: ... securityContext: ... - - focus-metavariable: $CONTAINER + - metavariable-regex: + metavariable: $NAME + regex: "name" + - focus-metavariable: $NAME fix: | - $CONTAINER - securityContext: - allowPrivilegeEscalation: false + securityContext: + allowPrivilegeEscalation: false + $NAME message: >- - In Kubernetes, each pod runs in its own isolated environment with its own - set of security policies. However, certain container images may contain - `setuid` or `setgid` binaries that could allow an attacker to perform - privilege escalation and gain access to sensitive resources. To mitigate - this risk, it's recommended to add a `securityContext` to the container in - the pod, with the parameter `allowPrivilegeEscalation` set to `false`. - This will prevent the container from running any privileged processes and - limit the impact of any potential attacks. - By adding a `securityContext` to your Kubernetes pod, you can help to - ensure that your containerized applications are more secure and less + In Kubernetes, each pod runs in its own isolated environment with its own + set of security policies. However, certain container images may contain + `setuid` or `setgid` binaries that could allow an attacker to perform + privilege escalation and gain access to sensitive resources. To mitigate + this risk, it's recommended to add a `securityContext` to the container in + the pod, with the parameter `allowPrivilegeEscalation` set to `false`. + This will prevent the container from running any privileged processes and + limit the impact of any potential attacks. + By adding a `securityContext` to your Kubernetes pod, you can help to + ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks. metadata: cwe: diff --git a/yaml/kubernetes/security/allow-privilege-escalation.yaml b/yaml/kubernetes/security/allow-privilege-escalation.yaml index f726196e4b..324c2b6332 100644 
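Review bot: `regex: "name"` on `$NAME` is unanchored, so if semgrep's metavariable-regex searches rather than full-matches (as I believe it does), any container key whose name contains `name` satisfies it; `regex: "^name$"` pins the key that `- $NAME: $CONTAINER` and the fix rely on. The re-indented message also overstates the control: `allowPrivilegeEscalation: false` sets no_new_privs, which stops a process from gaining more privileges than its parent (for example through setuid binaries), and it has no effect on a container that sets `privileged: true`, so "will prevent the container from running any privileged processes" should read something like "prevents processes in the container from gaining privileges beyond those they start with". The pattern-inside lines this regex applies to are in the previous hunk.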
--- a/yaml/kubernetes/security/allow-privilege-escalation.yaml +++ b/yaml/kubernetes/security/allow-privilege-escalation.yaml @@ -27,19 +27,19 @@ rules: - focus-metavariable: $SC fix: | securityContext: - allowPrivilegeEscalation: false # + allowPrivilegeEscalation: false # message: >- - In Kubernetes, each pod runs in its own isolated environment with its own - set of security policies. However, certain container images may contain - `setuid` or `setgid` binaries that could allow an attacker to perform - privilege escalation and gain access to sensitive resources. To mitigate - this risk, it's recommended to add a `securityContext` to the container in - the pod, with the parameter `allowPrivilegeEscalation` set to `false`. - This will prevent the container from running any privileged processes and - limit the impact of any potential attacks. - By adding the `allowPrivilegeEscalation` parameter to your the - `securityContext`, you can help to - ensure that your containerized applications are more secure and less + In Kubernetes, each pod runs in its own isolated environment with its own + set of security policies. However, certain container images may contain + `setuid` or `setgid` binaries that could allow an attacker to perform + privilege escalation and gain access to sensitive resources. To mitigate + this risk, it's recommended to add a `securityContext` to the container in + the pod, with the parameter `allowPrivilegeEscalation` set to `false`. + This will prevent the container from running any privileged processes and + limit the impact of any potential attacks. + By adding the `allowPrivilegeEscalation` parameter to your the + `securityContext`, you can help to + ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks. metadata: cwe: 
diff --git a/yaml/kubernetes/security/run-as-non-root-container-level-missing-security-context.fixed.test.yaml b/yaml/kubernetes/security/run-as-non-root-container-level-missing-security-context.fixed.test.yaml index b314be00c1..b506aa6c99 100644 --- a/yaml/kubernetes/security/run-as-non-root-container-level-missing-security-context.fixed.test.yaml +++ b/yaml/kubernetes/security/run-as-non-root-container-level-missing-security-context.fixed.test.yaml @@ -22,9 +22,9 @@ spec: containers: - name: nginx # ruleid: run-as-non-root-container-level-missing-security-context - image: nginx securityContext: runAsNonRoot: true + image: nginx - name: postgres image: postgres # this is okay because there already is a security context, requires different fix, different rule diff --git a/yaml/kubernetes/security/run-as-non-root-container-level-missing-security-context.yaml b/yaml/kubernetes/security/run-as-non-root-container-level-missing-security-context.yaml index b0e1c8996b..4319b4c5b9 100644 --- a/yaml/kubernetes/security/run-as-non-root-container-level-missing-security-context.yaml +++ b/yaml/kubernetes/security/run-as-non-root-container-level-missing-security-context.yaml 
@@ -37,31 +37,34 @@ rules: # Capture container image - pattern: | - name: $CONTAINER - image: $IMAGE + $IMAGE: $IMAGEVAL ... # But missing securityContext - pattern-not: | - name: $CONTAINER - image: $IMAGE + image: $IMAGEVAL ... securityContext: ... + - metavariable-regex: + metavariable: $IMAGE + regex: "image" - focus-metavariable: $IMAGE fix: | + securityContext: + runAsNonRoot: true $IMAGE - securityContext: - runAsNonRoot: true message: >- - When running containers in Kubernetes, it's important to ensure that they - are properly secured to prevent privilege escalation attacks. - One potential vulnerability is when a container is allowed to run - applications as the root user, which could allow an attacker to gain - access to sensitive resources. To mitigate this risk, it's recommended to - add a `securityContext` to the container, with the parameter `runAsNonRoot` - set to `true`. This will ensure that the container runs as a non-root user, - limiting the damage that could be caused by any potential attacks. By - adding a `securityContext` to the container in your Kubernetes pod, you can - help to ensure that your containerized applications are more secure and + When running containers in Kubernetes, it's important to ensure that they + are properly secured to prevent privilege escalation attacks. + One potential vulnerability is when a container is allowed to run + applications as the root user, which could allow an attacker to gain + access to sensitive resources. To mitigate this risk, it's recommended to + add a `securityContext` to the container, with the parameter `runAsNonRoot` + set to `true`. This will ensure that the container runs as a non-root user, + limiting the damage that could be caused by any potential attacks. By + adding a `securityContext` to the container in your Kubernetes pod, you can + help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks. metadata: references: 
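Review bot: `regex: "image"` on `$IMAGE` is unanchored, so, assuming metavariable-regex searches rather than full-matches, `$IMAGE: $IMAGEVAL` also binds to `imagePullPolicy: Always` in the same container; that container then yields two findings, each of whose fix inserts its own `securityContext` block, and if metavariables are unified across `pattern-not` as in semgrep, the `image: $IMAGEVAL` exclusion no longer matches with `$IMAGEVAL` bound to `Always`, so a container that already has a securityContext is flagged again. `regex: "^image$"` closes both problems. The message also claims runAsNonRoot "will ensure that the container runs as a non-root user"; the kubelet actually refuses to start a container whose image would run as UID 0 (or whose UID it cannot verify) rather than changing the user, so "the kubelet will refuse to start the container if it would run as root" is the accurate wording. The rule's first patterns are above this hunk.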
diff --git a/yaml/kubernetes/security/run-as-non-root-container-level.yaml b/yaml/kubernetes/security/run-as-non-root-container-level.yaml index 5aa15c063f..f2eefcb3de 100644 --- a/yaml/kubernetes/security/run-as-non-root-container-level.yaml +++ b/yaml/kubernetes/security/run-as-non-root-container-level.yaml @@ -55,18 +55,18 @@ rules: - focus-metavariable: $SC fix: | $SC: - runAsNonRoot: true # + runAsNonRoot: true # message: >- - When running containers in Kubernetes, it's important to ensure that they - are properly secured to prevent privilege escalation attacks. - One potential vulnerability is when a container is allowed to run - applications as the root user, which could allow an attacker to gain - access to sensitive resources. To mitigate this risk, it's recommended to - add a `securityContext` to the container, with the parameter `runAsNonRoot` - set to `true`. This will ensure that the container runs as a non-root user, - limiting the damage that could be caused by any potential attacks. By - adding a `securityContext` to the container in your Kubernetes pod, you can - help to ensure that your containerized applications are more secure and + When running containers in Kubernetes, it's important to ensure that they + are properly secured to prevent privilege escalation attacks. + One potential vulnerability is when a container is allowed to run + applications as the root user, which could allow an attacker to gain + access to sensitive resources. To mitigate this risk, it's recommended to + add a `securityContext` to the container, with the parameter `runAsNonRoot` + set to `true`. This will ensure that the container runs as a non-root user, + limiting the damage that could be caused by any potential attacks. By + adding a `securityContext` to the container in your Kubernetes pod, you can + help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks. metadata: references: 
diff --git a/yaml/kubernetes/security/run-as-non-root-security-context-pod-level.yaml b/yaml/kubernetes/security/run-as-non-root-security-context-pod-level.yaml index ea273331e1..09649c0366 100644 --- a/yaml/kubernetes/security/run-as-non-root-security-context-pod-level.yaml +++ b/yaml/kubernetes/security/run-as-non-root-security-context-pod-level.yaml 
@@ -40,18 +40,18 @@ rules: - focus-metavariable: $SC fix: | $SC: - runAsNonRoot: true # + runAsNonRoot: true # message: >- - When running containers in Kubernetes, it's important to ensure that they - are properly secured to prevent privilege escalation attacks. - One potential vulnerability is when a container is allowed to run - applications as the root user, which could allow an attacker to gain - access to sensitive resources. To mitigate this risk, it's recommended to - add a `securityContext` to the container, with the parameter `runAsNonRoot` - set to `true`. This will ensure that the container runs as a non-root user, - limiting the damage that could be caused by any potential attacks. By - adding a `securityContext` to the container in your Kubernetes pod, you can - help to ensure that your containerized applications are more secure and + When running containers in Kubernetes, it's important to ensure that they + are properly secured to prevent privilege escalation attacks. + One potential vulnerability is when a container is allowed to run + applications as the root user, which could allow an attacker to gain + access to sensitive resources. To mitigate this risk, it's recommended to + add a `securityContext` to the container, with the parameter `runAsNonRoot` + set to `true`. This will ensure that the container runs as a non-root user, + limiting the damage that could be caused by any potential attacks. By + adding a `securityContext` to the container in your Kubernetes pod, you can + help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks. metadata: references: diff --git a/yaml/semgrep/interfile-true-under-metadata-and-no-options.yaml b/yaml/semgrep/interfile-true-under-metadata-and-no-options.yaml index fc87f97cec..11a60d8f14 100644 --- a/yaml/semgrep/interfile-true-under-metadata-and-no-options.yaml +++ b/yaml/semgrep/interfile-true-under-metadata-and-no-options.yaml 
@@ -31,5 +31,5 @@ rules: - focus-metavariable: $METADATA fix: | options: - interfile: true - metadata + interfile: true + metadata diff --git a/yaml/semgrep/interfile-true-under-metadata-and-options-already-present.fixed.test.yaml b/yaml/semgrep/interfile-true-under-metadata-and-options-already-present.fixed.test.yaml index e46ab60f60..de60392bb9 100644 --- a/yaml/semgrep/interfile-true-under-metadata-and-options-already-present.fixed.test.yaml +++ b/yaml/semgrep/interfile-true-under-metadata-and-options-already-present.fixed.test.yaml @@ -15,8 +15,8 @@ rules: severity: ERROR options: # ruleid: interfile-true-under-metadata-and-options-already-present - symbolic_propagation: true interfile: true + symbolic_propagation: true metadata: likelihood: MEDIUM impact: HIGH diff --git a/yaml/semgrep/interfile-true-under-metadata-and-options-already-present.yaml b/yaml/semgrep/interfile-true-under-metadata-and-options-already-present.yaml index c65a7a35a7..31a3e3b3cb 100644 --- a/yaml/semgrep/interfile-true-under-metadata-and-options-already-present.yaml +++ b/yaml/semgrep/interfile-true-under-metadata-and-options-already-present.yaml @@ -40,7 +40,7 @@ rules: - metavariable-regex: metavariable: $OPTIONS regex: options - - focus-metavariable: $VAL + - focus-metavariable: $FIRST_OPT fix: | - $VAL - interfile: true + interfile: true + $FIRST_OPT From a96c808b189d5d66ba0129e4b430ee1ad181de6e Mon Sep 17 00:00:00 2001 From: Kurt Boberg Date: Fri, 26 Jan 2024 11:36:19 -0800 Subject: [PATCH 26/89] add required metadata field --- python/lang/correctness/list-modify-iterating.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/python/lang/correctness/list-modify-iterating.yaml b/python/lang/correctness/list-modify-iterating.yaml index 33dac7f882..174edcefff 100644 --- a/python/lang/correctness/list-modify-iterating.yaml +++ b/python/lang/correctness/list-modify-iterating.yaml 
@@ -30,3 +30,5 @@ rules: category: correctness technology: - python + references: + - https://unspecified.wordpress.com/2009/02/12/thou-shalt-not-modify-a-list-during-iteration/ From 73a2330e693442c960fc5bd0123a3da4126bde8d Mon Sep 17 00:00:00 2001 From: Alex Useche Date: Fri, 26 Jan 2024 15:54:59 -0800 Subject: [PATCH 27/89] trailing ellipsis added to string-formatted-query --- .../security/audit/database/string-formatted-query.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/go/lang/security/audit/database/string-formatted-query.yaml b/go/lang/security/audit/database/string-formatted-query.yaml index 7b65f3044f..7aeb388a60 100644 --- a/go/lang/security/audit/database/string-formatted-query.yaml +++ b/go/lang/security/audit/database/string-formatted-query.yaml @@ -66,35 +66,42 @@ rules: func $FUNC(...) { ... $OBJ.Query($QUERY, ...) + ... } - pattern-inside: | func $FUNC(...) { ... $OBJ.ExecContext($CTX, $QUERY, ...) + ... } - pattern-inside: | func $FUNC(...) { ... $OBJ.Exec($QUERY, ...) + ... } - pattern-inside: | func $FUNC(...) { ... $OBJ.QueryRow($CTX, $QUERY) + ... } - pattern-inside: | func $FUNC(...) { ... $OBJ.QueryRow($QUERY) + ... } - pattern-inside: | func $FUNC(...) { ... $OBJ.QueryContext($CTX, $QUERY) + ... } - pattern-inside: | func $FUNC(...) { ... $OBJ.QueryRowContext($CTX, $QUERY, ...) + ... } \ No newline at end of file From e4e8073dfc81e5d8d8d931ca37165216e9b524ea Mon Sep 17 00:00:00 2001 
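Review bot: With the trailing `...` now in every function body, the remaining gap in this hunk is in the call patterns themselves: `$OBJ.QueryRow($CTX, $QUERY)`, `$OBJ.QueryRow($QUERY)` and `$OBJ.QueryContext($CTX, $QUERY)` accept no further arguments, unlike `Query($QUERY, ...)` and `QueryRowContext($CTX, $QUERY, ...)`, so a query that is string-formatted and then executed with bind arguments as well (say `db.QueryContext(ctx, fmt.Sprintf(q, table), id)`) is not matched even though the formatted part is still injectable. Appending `, ...` to those three, e.g. `$OBJ.QueryContext($CTX, $QUERY, ...)`, makes the sinks consistent. The file still ends without a trailing newline, as the `\ No newline at end of file` marker shows, and is worth fixing while it is being touched. How `$QUERY` is established as a formatted string is defined above this hunk.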
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 30 Jan 2024 00:17:43 +0000 Subject: [PATCH 28/89] Bump aiohttp from 3.9.0 to 3.9.2 in /.github/rulerascal Bumps [aiohttp](https://github.com/aio-libs/aiohttp) from 3.9.0 to 3.9.2. - [Release notes](https://github.com/aio-libs/aiohttp/releases) - [Changelog](https://github.com/aio-libs/aiohttp/blob/master/CHANGES.rst) - [Commits](https://github.com/aio-libs/aiohttp/compare/v3.9.0...v3.9.2) --- updated-dependencies: - dependency-name: aiohttp dependency-type: indirect ... Signed-off-by: dependabot[bot] --- .github/rulerascal/poetry.lock | 156 ++++++++++++++++----------------- 1 file changed, 78 insertions(+), 78 deletions(-) diff --git a/.github/rulerascal/poetry.lock b/.github/rulerascal/poetry.lock index a3c4130f4f..e72053f870 100644 --- a/.github/rulerascal/poetry.lock +++ b/.github/rulerascal/poetry.lock @@ -1,4 +1,4 @@ -# This file is automatically @generated by Poetry 1.6.1 and should not be changed by hand. +# This file is automatically @generated by Poetry 1.7.1 and should not be changed by hand. [[package]] name = "aiogpt" 
@@ -16,87 +16,87 @@ aiohttp = "*" [[package]] name = "aiohttp" -version = "3.9.0" +version = "3.9.2" description = "Async http client/server framework (asyncio)" optional = false python-versions = ">=3.8" files = [ - {file = "aiohttp-3.9.0-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:6896b8416be9ada4d22cd359d7cb98955576ce863eadad5596b7cdfbf3e17c6c"}, - {file = "aiohttp-3.9.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:1736d87dad8ef46a8ec9cddd349fa9f7bd3a064c47dd6469c0d6763d3d49a4fc"}, - {file = "aiohttp-3.9.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:8c9e5f4d7208cda1a2bb600e29069eecf857e6980d0ccc922ccf9d1372c16f4b"}, - {file = "aiohttp-3.9.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:8488519aa05e636c5997719fe543c8daf19f538f4fa044f3ce94bee608817cff"}, - {file = "aiohttp-3.9.0-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:5ab16c254e2312efeb799bc3c06897f65a133b38b69682bf75d1f1ee1a9c43a9"}, - {file = "aiohttp-3.9.0-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:7a94bde005a8f926d0fa38b88092a03dea4b4875a61fbcd9ac6f4351df1b57cd"}, - {file = "aiohttp-3.9.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:4b777c9286b6c6a94f50ddb3a6e730deec327e9e2256cb08b5530db0f7d40fd8"}, - {file = "aiohttp-3.9.0-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:571760ad7736b34d05597a1fd38cbc7d47f7b65deb722cb8e86fd827404d1f6b"}, - {file = "aiohttp-3.9.0-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:deac0a32aec29608eb25d730f4bc5a261a65b6c48ded1ed861d2a1852577c932"}, - {file = "aiohttp-3.9.0-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:4ee1b4152bc3190cc40ddd6a14715e3004944263ea208229ab4c297712aa3075"}, - {file = "aiohttp-3.9.0-cp310-cp310-musllinux_1_1_ppc64le.whl", hash = "sha256:3607375053df58ed6f23903aa10cf3112b1240e8c799d243bbad0f7be0666986"}, - {file = 
"aiohttp-3.9.0-cp310-cp310-musllinux_1_1_s390x.whl", hash = "sha256:65b0a70a25456d329a5e1426702dde67be0fb7a4ead718005ba2ca582d023a94"}, - {file = "aiohttp-3.9.0-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:5a2eb5311a37fe105aa35f62f75a078537e1a9e4e1d78c86ec9893a3c97d7a30"}, - {file = "aiohttp-3.9.0-cp310-cp310-win32.whl", hash = "sha256:2cbc14a13fb6b42d344e4f27746a4b03a2cb0c1c3c5b932b0d6ad8881aa390e3"}, - {file = "aiohttp-3.9.0-cp310-cp310-win_amd64.whl", hash = "sha256:ac9669990e2016d644ba8ae4758688534aabde8dbbc81f9af129c3f5f01ca9cd"}, - {file = "aiohttp-3.9.0-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:f8e05f5163528962ce1d1806fce763ab893b1c5b7ace0a3538cd81a90622f844"}, - {file = "aiohttp-3.9.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:4afa8f71dba3a5a2e1e1282a51cba7341ae76585345c43d8f0e624882b622218"}, - {file = "aiohttp-3.9.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:f929f4c9b9a00f3e6cc0587abb95ab9c05681f8b14e0fe1daecfa83ea90f8318"}, - {file = "aiohttp-3.9.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:28185e36a78d247c55e9fbea2332d16aefa14c5276a582ce7a896231c6b1c208"}, - {file = "aiohttp-3.9.0-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a486ddf57ab98b6d19ad36458b9f09e6022de0381674fe00228ca7b741aacb2f"}, - {file = "aiohttp-3.9.0-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:70e851f596c00f40a2f00a46126c95c2e04e146015af05a9da3e4867cfc55911"}, - {file = "aiohttp-3.9.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:c5b7bf8fe4d39886adc34311a233a2e01bc10eb4e842220235ed1de57541a896"}, - {file = "aiohttp-3.9.0-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:c67a51ea415192c2e53e4e048c78bab82d21955b4281d297f517707dc836bf3d"}, - {file = "aiohttp-3.9.0-cp311-cp311-musllinux_1_1_aarch64.whl", hash = 
"sha256:694df243f394629bcae2d8ed94c589a181e8ba8604159e6e45e7b22e58291113"}, - {file = "aiohttp-3.9.0-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:3dd8119752dd30dd7bca7d4bc2a92a59be6a003e4e5c2cf7e248b89751b8f4b7"}, - {file = "aiohttp-3.9.0-cp311-cp311-musllinux_1_1_ppc64le.whl", hash = "sha256:eb6dfd52063186ac97b4caa25764cdbcdb4b10d97f5c5f66b0fa95052e744eb7"}, - {file = "aiohttp-3.9.0-cp311-cp311-musllinux_1_1_s390x.whl", hash = "sha256:d97c3e286d0ac9af6223bc132dc4bad6540b37c8d6c0a15fe1e70fb34f9ec411"}, - {file = "aiohttp-3.9.0-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:816f4db40555026e4cdda604a1088577c1fb957d02f3f1292e0221353403f192"}, - {file = "aiohttp-3.9.0-cp311-cp311-win32.whl", hash = "sha256:3abf0551874fecf95f93b58f25ef4fc9a250669a2257753f38f8f592db85ddea"}, - {file = "aiohttp-3.9.0-cp311-cp311-win_amd64.whl", hash = "sha256:e18d92c3e9e22553a73e33784fcb0ed484c9874e9a3e96c16a8d6a1e74a0217b"}, - {file = "aiohttp-3.9.0-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:99ae01fb13a618b9942376df77a1f50c20a281390dad3c56a6ec2942e266220d"}, - {file = "aiohttp-3.9.0-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:05857848da443c8c12110d99285d499b4e84d59918a21132e45c3f0804876994"}, - {file = "aiohttp-3.9.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:317719d7f824eba55857fe0729363af58e27c066c731bc62cd97bc9c3d9c7ea4"}, - {file = "aiohttp-3.9.0-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a1e3b3c107ccb0e537f309f719994a55621acd2c8fdf6d5ce5152aed788fb940"}, - {file = "aiohttp-3.9.0-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:45820ddbb276113ead8d4907a7802adb77548087ff5465d5c554f9aa3928ae7d"}, - {file = "aiohttp-3.9.0-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:05a183f1978802588711aed0dea31e697d760ce9055292db9dc1604daa9a8ded"}, - {file = "aiohttp-3.9.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = 
"sha256:51a4cd44788ea0b5e6bb8fa704597af3a30be75503a7ed1098bc5b8ffdf6c982"}, - {file = "aiohttp-3.9.0-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:673343fbc0c1ac44d0d2640addc56e97a052504beacd7ade0dc5e76d3a4c16e8"}, - {file = "aiohttp-3.9.0-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:7e8a3b79b6d186a9c99761fd4a5e8dd575a48d96021f220ac5b5fa856e5dd029"}, - {file = "aiohttp-3.9.0-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:6777a390e41e78e7c45dab43a4a0196c55c3b8c30eebe017b152939372a83253"}, - {file = "aiohttp-3.9.0-cp312-cp312-musllinux_1_1_ppc64le.whl", hash = "sha256:7ae5f99a32c53731c93ac3075abd3e1e5cfbe72fc3eaac4c27c9dd64ba3b19fe"}, - {file = "aiohttp-3.9.0-cp312-cp312-musllinux_1_1_s390x.whl", hash = "sha256:f1e4f254e9c35d8965d377e065c4a8a55d396fe87c8e7e8429bcfdeeb229bfb3"}, - {file = "aiohttp-3.9.0-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:11ca808f9a6b63485059f5f6e164ef7ec826483c1212a44f268b3653c91237d8"}, - {file = "aiohttp-3.9.0-cp312-cp312-win32.whl", hash = "sha256:de3cc86f4ea8b4c34a6e43a7306c40c1275e52bfa9748d869c6b7d54aa6dad80"}, - {file = "aiohttp-3.9.0-cp312-cp312-win_amd64.whl", hash = "sha256:ca4fddf84ac7d8a7d0866664936f93318ff01ee33e32381a115b19fb5a4d1202"}, - {file = "aiohttp-3.9.0-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:f09960b5bb1017d16c0f9e9f7fc42160a5a49fa1e87a175fd4a2b1a1833ea0af"}, - {file = "aiohttp-3.9.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:8303531e2c17b1a494ffaeba48f2da655fe932c4e9a2626c8718403c83e5dd2b"}, - {file = "aiohttp-3.9.0-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:4790e44f46a4aa07b64504089def5744d3b6780468c4ec3a1a36eb7f2cae9814"}, - {file = "aiohttp-3.9.0-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a1d7edf74a36de0e5ca50787e83a77cf352f5504eb0ffa3f07000a911ba353fb"}, - {file = "aiohttp-3.9.0-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = 
"sha256:94697c7293199c2a2551e3e3e18438b4cba293e79c6bc2319f5fd652fccb7456"}, - {file = "aiohttp-3.9.0-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:a1b66dbb8a7d5f50e9e2ea3804b01e766308331d0cac76eb30c563ac89c95985"}, - {file = "aiohttp-3.9.0-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9623cfd9e85b76b83ef88519d98326d4731f8d71869867e47a0b979ffec61c73"}, - {file = "aiohttp-3.9.0-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:f32c86dc967ab8c719fd229ce71917caad13cc1e8356ee997bf02c5b368799bf"}, - {file = "aiohttp-3.9.0-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:f50b4663c3e0262c3a361faf440761fbef60ccdde5fe8545689a4b3a3c149fb4"}, - {file = "aiohttp-3.9.0-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:dcf71c55ec853826cd70eadb2b6ac62ec577416442ca1e0a97ad875a1b3a0305"}, - {file = "aiohttp-3.9.0-cp38-cp38-musllinux_1_1_ppc64le.whl", hash = "sha256:42fe4fd9f0dfcc7be4248c162d8056f1d51a04c60e53366b0098d1267c4c9da8"}, - {file = "aiohttp-3.9.0-cp38-cp38-musllinux_1_1_s390x.whl", hash = "sha256:76a86a9989ebf82ee61e06e2bab408aec4ea367dc6da35145c3352b60a112d11"}, - {file = "aiohttp-3.9.0-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:f9e09a1c83521d770d170b3801eea19b89f41ccaa61d53026ed111cb6f088887"}, - {file = "aiohttp-3.9.0-cp38-cp38-win32.whl", hash = "sha256:a00ce44c21612d185c5275c5cba4bab8d7c1590f248638b667ed8a782fa8cd6f"}, - {file = "aiohttp-3.9.0-cp38-cp38-win_amd64.whl", hash = "sha256:d5b9345ab92ebe6003ae11d8092ce822a0242146e6fa270889b9ba965457ca40"}, - {file = "aiohttp-3.9.0-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:98d21092bf2637c5fa724a428a69e8f5955f2182bff61f8036827cf6ce1157bf"}, - {file = "aiohttp-3.9.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:35a68cd63ca6aaef5707888f17a70c36efe62b099a4e853d33dc2e9872125be8"}, - {file = "aiohttp-3.9.0-cp39-cp39-macosx_11_0_arm64.whl", hash = 
"sha256:3d7f6235c7475658acfc1769d968e07ab585c79f6ca438ddfecaa9a08006aee2"}, - {file = "aiohttp-3.9.0-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:db04d1de548f7a62d1dd7e7cdf7c22893ee168e22701895067a28a8ed51b3735"}, - {file = "aiohttp-3.9.0-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:536b01513d67d10baf6f71c72decdf492fb7433c5f2f133e9a9087379d4b6f31"}, - {file = "aiohttp-3.9.0-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:87c8b0a6487e8109427ccf638580865b54e2e3db4a6e0e11c02639231b41fc0f"}, - {file = "aiohttp-3.9.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7276fe0017664414fdc3618fca411630405f1aaf0cc3be69def650eb50441787"}, - {file = "aiohttp-3.9.0-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:23170247ef89ffa842a02bbfdc425028574d9e010611659abeb24d890bc53bb8"}, - {file = "aiohttp-3.9.0-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:b1a2ea8252cacc7fd51df5a56d7a2bb1986ed39be9397b51a08015727dfb69bd"}, - {file = "aiohttp-3.9.0-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:2d71abc15ff7047412ef26bf812dfc8d0d1020d664617f4913df2df469f26b76"}, - {file = "aiohttp-3.9.0-cp39-cp39-musllinux_1_1_ppc64le.whl", hash = "sha256:2d820162c8c2bdbe97d328cd4f417c955ca370027dce593345e437b2e9ffdc4d"}, - {file = "aiohttp-3.9.0-cp39-cp39-musllinux_1_1_s390x.whl", hash = "sha256:2779f5e7c70f7b421915fd47db332c81de365678180a9f3ab404088f87ba5ff9"}, - {file = "aiohttp-3.9.0-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:366bc870d7ac61726f32a489fbe3d1d8876e87506870be66b01aeb84389e967e"}, - {file = "aiohttp-3.9.0-cp39-cp39-win32.whl", hash = "sha256:1df43596b826022b14998f0460926ce261544fedefe0d2f653e1b20f49e96454"}, - {file = "aiohttp-3.9.0-cp39-cp39-win_amd64.whl", hash = "sha256:9c196b30f1b1aa3363a69dd69079ae9bec96c2965c4707eaa6914ba099fb7d4f"}, - {file = "aiohttp-3.9.0.tar.gz", hash = 
"sha256:09f23292d29135025e19e8ff4f0a68df078fe4ee013bca0105b2e803989de92d"}, + {file = "aiohttp-3.9.2-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:772fbe371788e61c58d6d3d904268e48a594ba866804d08c995ad71b144f94cb"}, + {file = "aiohttp-3.9.2-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:edd4f1af2253f227ae311ab3d403d0c506c9b4410c7fc8d9573dec6d9740369f"}, + {file = "aiohttp-3.9.2-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:cfee9287778399fdef6f8a11c9e425e1cb13cc9920fd3a3df8f122500978292b"}, + {file = "aiohttp-3.9.2-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3cc158466f6a980a6095ee55174d1de5730ad7dec251be655d9a6a9dd7ea1ff9"}, + {file = "aiohttp-3.9.2-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:54ec82f45d57c9a65a1ead3953b51c704f9587440e6682f689da97f3e8defa35"}, + {file = "aiohttp-3.9.2-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:abeb813a18eb387f0d835ef51f88568540ad0325807a77a6e501fed4610f864e"}, + {file = "aiohttp-3.9.2-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:cc91d07280d7d169f3a0f9179d8babd0ee05c79d4d891447629ff0d7d8089ec2"}, + {file = "aiohttp-3.9.2-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:b65e861f4bebfb660f7f0f40fa3eb9f2ab9af10647d05dac824390e7af8f75b7"}, + {file = "aiohttp-3.9.2-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:04fd8ffd2be73d42bcf55fd78cde7958eeee6d4d8f73c3846b7cba491ecdb570"}, + {file = "aiohttp-3.9.2-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:3d8d962b439a859b3ded9a1e111a4615357b01620a546bc601f25b0211f2da81"}, + {file = "aiohttp-3.9.2-cp310-cp310-musllinux_1_1_ppc64le.whl", hash = "sha256:8ceb658afd12b27552597cf9a65d9807d58aef45adbb58616cdd5ad4c258c39e"}, + {file = "aiohttp-3.9.2-cp310-cp310-musllinux_1_1_s390x.whl", hash = "sha256:0e4ee4df741670560b1bc393672035418bf9063718fee05e1796bf867e995fad"}, + {file = 
"aiohttp-3.9.2-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:2dec87a556f300d3211decf018bfd263424f0690fcca00de94a837949fbcea02"}, + {file = "aiohttp-3.9.2-cp310-cp310-win32.whl", hash = "sha256:3e1a800f988ce7c4917f34096f81585a73dbf65b5c39618b37926b1238cf9bc4"}, + {file = "aiohttp-3.9.2-cp310-cp310-win_amd64.whl", hash = "sha256:ea510718a41b95c236c992b89fdfc3d04cc7ca60281f93aaada497c2b4e05c46"}, + {file = "aiohttp-3.9.2-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:6aaa6f99256dd1b5756a50891a20f0d252bd7bdb0854c5d440edab4495c9f973"}, + {file = "aiohttp-3.9.2-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:a27d8c70ad87bcfce2e97488652075a9bdd5b70093f50b10ae051dfe5e6baf37"}, + {file = "aiohttp-3.9.2-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:54287bcb74d21715ac8382e9de146d9442b5f133d9babb7e5d9e453faadd005e"}, + {file = "aiohttp-3.9.2-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5bb3d05569aa83011fcb346b5266e00b04180105fcacc63743fc2e4a1862a891"}, + {file = "aiohttp-3.9.2-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:c8534e7d69bb8e8d134fe2be9890d1b863518582f30c9874ed7ed12e48abe3c4"}, + {file = "aiohttp-3.9.2-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:4bd9d5b989d57b41e4ff56ab250c5ddf259f32db17159cce630fd543376bd96b"}, + {file = "aiohttp-3.9.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:fa6904088e6642609981f919ba775838ebf7df7fe64998b1a954fb411ffb4663"}, + {file = "aiohttp-3.9.2-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:bda42eb410be91b349fb4ee3a23a30ee301c391e503996a638d05659d76ea4c2"}, + {file = "aiohttp-3.9.2-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:193cc1ccd69d819562cc7f345c815a6fc51d223b2ef22f23c1a0f67a88de9a72"}, + {file = "aiohttp-3.9.2-cp311-cp311-musllinux_1_1_i686.whl", hash = 
"sha256:b9f1cb839b621f84a5b006848e336cf1496688059d2408e617af33e3470ba204"}, + {file = "aiohttp-3.9.2-cp311-cp311-musllinux_1_1_ppc64le.whl", hash = "sha256:d22a0931848b8c7a023c695fa2057c6aaac19085f257d48baa24455e67df97ec"}, + {file = "aiohttp-3.9.2-cp311-cp311-musllinux_1_1_s390x.whl", hash = "sha256:4112d8ba61fbd0abd5d43a9cb312214565b446d926e282a6d7da3f5a5aa71d36"}, + {file = "aiohttp-3.9.2-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:c4ad4241b52bb2eb7a4d2bde060d31c2b255b8c6597dd8deac2f039168d14fd7"}, + {file = "aiohttp-3.9.2-cp311-cp311-win32.whl", hash = "sha256:ee2661a3f5b529f4fc8a8ffee9f736ae054adfb353a0d2f78218be90617194b3"}, + {file = "aiohttp-3.9.2-cp311-cp311-win_amd64.whl", hash = "sha256:4deae2c165a5db1ed97df2868ef31ca3cc999988812e82386d22937d9d6fed52"}, + {file = "aiohttp-3.9.2-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:6f4cdba12539215aaecf3c310ce9d067b0081a0795dd8a8805fdb67a65c0572a"}, + {file = "aiohttp-3.9.2-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:84e843b33d5460a5c501c05539809ff3aee07436296ff9fbc4d327e32aa3a326"}, + {file = "aiohttp-3.9.2-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:8008d0f451d66140a5aa1c17e3eedc9d56e14207568cd42072c9d6b92bf19b52"}, + {file = "aiohttp-3.9.2-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:61c47ab8ef629793c086378b1df93d18438612d3ed60dca76c3422f4fbafa792"}, + {file = "aiohttp-3.9.2-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:bc71f748e12284312f140eaa6599a520389273174b42c345d13c7e07792f4f57"}, + {file = "aiohttp-3.9.2-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:a1c3a4d0ab2f75f22ec80bca62385db2e8810ee12efa8c9e92efea45c1849133"}, + {file = "aiohttp-3.9.2-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9a87aa0b13bbee025faa59fa58861303c2b064b9855d4c0e45ec70182bbeba1b"}, + {file = 
"aiohttp-3.9.2-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:e2cc0d04688b9f4a7854c56c18aa7af9e5b0a87a28f934e2e596ba7e14783192"}, + {file = "aiohttp-3.9.2-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:1956e3ac376b1711c1533266dec4efd485f821d84c13ce1217d53e42c9e65f08"}, + {file = "aiohttp-3.9.2-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:114da29f39eccd71b93a0fcacff178749a5c3559009b4a4498c2c173a6d74dff"}, + {file = "aiohttp-3.9.2-cp312-cp312-musllinux_1_1_ppc64le.whl", hash = "sha256:3f17999ae3927d8a9a823a1283b201344a0627272f92d4f3e3a4efe276972fe8"}, + {file = "aiohttp-3.9.2-cp312-cp312-musllinux_1_1_s390x.whl", hash = "sha256:f31df6a32217a34ae2f813b152a6f348154f948c83213b690e59d9e84020925c"}, + {file = "aiohttp-3.9.2-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:7a75307ffe31329928a8d47eae0692192327c599113d41b278d4c12b54e1bd11"}, + {file = "aiohttp-3.9.2-cp312-cp312-win32.whl", hash = "sha256:972b63d589ff8f305463593050a31b5ce91638918da38139b9d8deaba9e0fed7"}, + {file = "aiohttp-3.9.2-cp312-cp312-win_amd64.whl", hash = "sha256:200dc0246f0cb5405c80d18ac905c8350179c063ea1587580e3335bfc243ba6a"}, + {file = "aiohttp-3.9.2-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:158564d0d1020e0d3fe919a81d97aadad35171e13e7b425b244ad4337fc6793a"}, + {file = "aiohttp-3.9.2-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:da1346cd0ccb395f0ed16b113ebb626fa43b7b07fd7344fce33e7a4f04a8897a"}, + {file = "aiohttp-3.9.2-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:eaa9256de26ea0334ffa25f1913ae15a51e35c529a1ed9af8e6286dd44312554"}, + {file = "aiohttp-3.9.2-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1543e7fb00214fb4ccead42e6a7d86f3bb7c34751ec7c605cca7388e525fd0b4"}, + {file = "aiohttp-3.9.2-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:186e94570433a004e05f31f632726ae0f2c9dee4762a9ce915769ce9c0a23d89"}, + {file = 
"aiohttp-3.9.2-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:d52d20832ac1560f4510d68e7ba8befbc801a2b77df12bd0cd2bcf3b049e52a4"}, + {file = "aiohttp-3.9.2-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:1c45e4e815ac6af3b72ca2bde9b608d2571737bb1e2d42299fc1ffdf60f6f9a1"}, + {file = "aiohttp-3.9.2-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:aa906b9bdfd4a7972dd0628dbbd6413d2062df5b431194486a78f0d2ae87bd55"}, + {file = "aiohttp-3.9.2-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:68bbee9e17d66f17bb0010aa15a22c6eb28583edcc8b3212e2b8e3f77f3ebe2a"}, + {file = "aiohttp-3.9.2-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:4c189b64bd6d9a403a1a3f86a3ab3acbc3dc41a68f73a268a4f683f89a4dec1f"}, + {file = "aiohttp-3.9.2-cp38-cp38-musllinux_1_1_ppc64le.whl", hash = "sha256:8a7876f794523123bca6d44bfecd89c9fec9ec897a25f3dd202ee7fc5c6525b7"}, + {file = "aiohttp-3.9.2-cp38-cp38-musllinux_1_1_s390x.whl", hash = "sha256:d23fba734e3dd7b1d679b9473129cd52e4ec0e65a4512b488981a56420e708db"}, + {file = "aiohttp-3.9.2-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:b141753be581fab842a25cb319f79536d19c2a51995d7d8b29ee290169868eab"}, + {file = "aiohttp-3.9.2-cp38-cp38-win32.whl", hash = "sha256:103daf41ff3b53ba6fa09ad410793e2e76c9d0269151812e5aba4b9dd674a7e8"}, + {file = "aiohttp-3.9.2-cp38-cp38-win_amd64.whl", hash = "sha256:328918a6c2835861ff7afa8c6d2c70c35fdaf996205d5932351bdd952f33fa2f"}, + {file = "aiohttp-3.9.2-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:5264d7327c9464786f74e4ec9342afbbb6ee70dfbb2ec9e3dfce7a54c8043aa3"}, + {file = "aiohttp-3.9.2-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:07205ae0015e05c78b3288c1517afa000823a678a41594b3fdc870878d645305"}, + {file = "aiohttp-3.9.2-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:ae0a1e638cffc3ec4d4784b8b4fd1cf28968febc4bd2718ffa25b99b96a741bd"}, + {file = 
"aiohttp-3.9.2-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d43302a30ba1166325974858e6ef31727a23bdd12db40e725bec0f759abce505"}, + {file = "aiohttp-3.9.2-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:16a967685907003765855999af11a79b24e70b34dc710f77a38d21cd9fc4f5fe"}, + {file = "aiohttp-3.9.2-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:6fa3ee92cd441d5c2d07ca88d7a9cef50f7ec975f0117cd0c62018022a184308"}, + {file = "aiohttp-3.9.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0b500c5ad9c07639d48615a770f49618130e61be36608fc9bc2d9bae31732b8f"}, + {file = "aiohttp-3.9.2-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:c07327b368745b1ce2393ae9e1aafed7073d9199e1dcba14e035cc646c7941bf"}, + {file = "aiohttp-3.9.2-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:cc7d6502c23a0ec109687bf31909b3fb7b196faf198f8cff68c81b49eb316ea9"}, + {file = "aiohttp-3.9.2-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:07be2be7071723c3509ab5c08108d3a74f2181d4964e869f2504aaab68f8d3e8"}, + {file = "aiohttp-3.9.2-cp39-cp39-musllinux_1_1_ppc64le.whl", hash = "sha256:122468f6fee5fcbe67cb07014a08c195b3d4c41ff71e7b5160a7bcc41d585a5f"}, + {file = "aiohttp-3.9.2-cp39-cp39-musllinux_1_1_s390x.whl", hash = "sha256:00a9abcea793c81e7f8778ca195a1714a64f6d7436c4c0bb168ad2a212627000"}, + {file = "aiohttp-3.9.2-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:7a9825fdd64ecac5c670234d80bb52bdcaa4139d1f839165f548208b3779c6c6"}, + {file = "aiohttp-3.9.2-cp39-cp39-win32.whl", hash = "sha256:5422cd9a4a00f24c7244e1b15aa9b87935c85fb6a00c8ac9b2527b38627a9211"}, + {file = "aiohttp-3.9.2-cp39-cp39-win_amd64.whl", hash = "sha256:7d579dcd5d82a86a46f725458418458fa43686f6a7b252f2966d359033ffc8ab"}, + {file = "aiohttp-3.9.2.tar.gz", hash = "sha256:b0ad0a5e86ce73f5368a164c10ada10504bf91869c05ab75d982c6048217fbf7"}, ] [package.dependencies] 
From 036407fd6d1b8727c574dfa842bbf1c73e0ddc6b Mon Sep 17 00:00:00 2001 From: "r2c-argo[bot]" <89167470+r2c-argo[bot]@users.noreply.github.com> Date: Tue, 6 Feb 2024 10:45:42 +0100 Subject: [PATCH 29/89] Merge Gitleaks rules 2024-02-06 # 01:30 (#3297) Co-authored-by: Security Research (r2c-argo) --- generic/secrets/gitleaks/aws-access-token.yaml | 2 +- generic/secrets/gitleaks/stripe-access-token.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/generic/secrets/gitleaks/aws-access-token.yaml b/generic/secrets/gitleaks/aws-access-token.yaml index d765ca51df..8fa251c7d6 100644 --- a/generic/secrets/gitleaks/aws-access-token.yaml +++ b/generic/secrets/gitleaks/aws-access-token.yaml @@ -23,4 +23,4 @@ rules: technology: - gitleaks patterns: - - pattern-regex: (?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16} + - pattern-regex: (?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z0-9]{16} diff --git a/generic/secrets/gitleaks/stripe-access-token.yaml b/generic/secrets/gitleaks/stripe-access-token.yaml index c35c686a48..6719ff3c89 100644 --- a/generic/secrets/gitleaks/stripe-access-token.yaml +++ b/generic/secrets/gitleaks/stripe-access-token.yaml @@ -23,4 +23,4 @@ rules: technology: - gitleaks patterns: - - pattern-regex: (?i)\b((sk|pk)_(test|live)_[0-9a-z]{10,32})(?:['|\"|\n|\r|\s|\x60|;]|$) + - pattern-regex: (?i)\b((sk)_(test|live)_[0-9a-z]{10,32})(?:['|\"|\n|\r|\s|\x60|;]|$) From f8a6e08b1195cda885fe4b52bced4cb14bc3937e Mon Sep 17 00:00:00 2001 From: Claudio Date: Tue, 6 Feb 2024 19:37:46 +0100 Subject: [PATCH 30/89] Update CWE for use-of-md5 (#3300) * Update use-of-md5.yaml Using CWE-328 for all "use-of-md5" rules * Update use-of-md5.yaml * Update use_of_weak_crypto.yaml --- clojure/lang/security/use-of-md5.yaml | 1 - go/lang/security/audit/crypto/use_of_weak_crypto.yaml | 4 ++-- kotlin/lang/security/use-of-md5.yaml | 2 +- 3 files changed, 3 insertions(+), 4 deletions(-) 
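Review bot: The new `pattern-regex` in aws-access-token.yaml still has no boundary on either side, so the 20-character key shape can fire in the middle of any longer run of upper-case alphanumerics, such as a base32 or hex blob that happens to contain `AKIA`. AWS access key IDs are, as far as I know, base32 (letters plus digits 2–7), so `\b((?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z2-7]{16})\b` would cut those false positives without losing real keys; worth confirming against the upstream gitleaks definition this bot merges from. Dropping `AGPA|AIDA|AROA|AIPA|ANPA|ANVA` removes IAM unique IDs for groups, users and roles, which are identifiers rather than credentials, but neither the commit message nor the rule says so; a one-line `# IAM resource unique IDs (AGPA, AIDA, AROA, ...) are not secrets and are deliberately excluded` above the pattern would save the next reader a lookup.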
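Review bot: The tightened Stripe regex keeps the `{10,32}` bound followed by a mandatory terminator, and current Stripe secret keys (`sk_live_51…`) are, in my experience, well over 32 characters, so a real key has another alphanumeric at position 32 and never matches; I believe upstream gitleaks has since widened this to `{10,99}`. Dropping `pk_` is right because publishable keys are not secrets, but restricted keys (`rk_live_…`, `rk_test_…`) are secrets and remain uncovered, so `(?i)\b((sk|rk)_(test|live)_[0-9a-z]{10,99})` would address both points. The terminator class `['|\"|\n|\r|\s|\x60|;]` uses `|` inside a character class, where it is a literal pipe rather than an alternation; harmless, but `['"\n\r\s\x60;]` is what was meant.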
diff --git a/clojure/lang/security/use-of-md5.yaml b/clojure/lang/security/use-of-md5.yaml index 7b12c02288..c5440175bd 100644 --- a/clojure/lang/security/use-of-md5.yaml +++ b/clojure/lang/security/use-of-md5.yaml @@ -18,7 +18,6 @@ rules: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures cwe: - - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm" - "CWE-328: Use of Weak Hash" author: Gabriel Marquet category: security diff --git a/go/lang/security/audit/crypto/use_of_weak_crypto.yaml b/go/lang/security/audit/crypto/use_of_weak_crypto.yaml index d3cc25846d..3c8e6175cd 100644 --- a/go/lang/security/audit/crypto/use_of_weak_crypto.yaml +++ b/go/lang/security/audit/crypto/use_of_weak_crypto.yaml @@ -11,7 +11,7 @@ rules: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures cwe: - - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + - 'CWE-328: Use of Weak Hash' source-rule-url: https://github.com/securego/gosec#available-rules category: security technology: @@ -44,7 +44,7 @@ rules: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures cwe: - - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + - 'CWE-328: Use of Weak Hash' source-rule-url: https://github.com/securego/gosec#available-rules category: security technology: diff --git a/kotlin/lang/security/use-of-md5.yaml b/kotlin/lang/security/use-of-md5.yaml index f758382e6a..9f32ba366e 100644 --- a/kotlin/lang/security/use-of-md5.yaml +++ b/kotlin/lang/security/use-of-md5.yaml @@ -10,7 +10,7 @@ rules: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures cwe: - - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' + - 'CWE-328: Use of Weak Hash' source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_MD5 category: security technology: From 21cc62f0106a813a997f5ebb18e92a1261dcd93c Mon Sep 17 00:00:00 2001 
From: Lewis Date: Wed, 7 Feb 2024 02:44:57 -0800 Subject: [PATCH 31/89] Remove reference (#3302) --- go/lang/security/decompression_bomb.yaml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/go/lang/security/decompression_bomb.yaml b/go/lang/security/decompression_bomb.yaml index 36b21e44b5..295d81b5ad 100644 --- a/go/lang/security/decompression_bomb.yaml +++ b/go/lang/security/decompression_bomb.yaml @@ -3,9 +3,7 @@ rules: message: >- Detected a possible denial-of-service via a zip bomb attack. By limiting the max bytes read, you can mitigate this attack. - `io.CopyN()` can specify a size. Refer to https://bomb.codes/ to learn more about - this attack and other ways to mitigate - it. + `io.CopyN()` can specify a size. severity: WARNING languages: [go] patterns: @@ -51,7 +49,6 @@ rules: - 'CWE-400: Uncontrolled Resource Consumption' source-rule-url: https://github.com/securego/gosec references: - - https://bomb.codes/ - https://golang.org/pkg/io/#CopyN - https://github.com/securego/gosec/blob/master/rules/decompression-bomb.go category: security From 43bdb01cb92d95aa9e1858be39d5d02a2e30f518 Mon Sep 17 00:00:00 2001 From: Claudio Date: Wed, 7 Feb 2024 18:20:58 +0100 Subject: [PATCH 32/89] Improve detect-etc-shadow (#3299) --- generic/secrets/security/detected-etc-shadow.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/generic/secrets/security/detected-etc-shadow.yaml b/generic/secrets/security/detected-etc-shadow.yaml index 09837c7dcc..db48648a91 100644 --- a/generic/secrets/security/detected-etc-shadow.yaml +++ b/generic/secrets/security/detected-etc-shadow.yaml @@ -1,6 +1,8 @@ rules: - id: detected-etc-shadow - pattern-regex: root:[x!*]*:[0-9]*:[0-9]* + patterns: + - pattern-regex: ^(\s*)(?Proot:[x!*]*:[0-9]*:[0-9]*) + - focus-metavariable: $ROOT languages: [regex] message: linux shadow file detected severity: ERROR From 3206599bc158e0ca97b7c270266e864a8ad51fa9 Mon Sep 17 00:00:00 2001 
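Review bot: As rendered, the named group in the new `pattern-regex` for detected-etc-shadow reads `(?Proot:…`, which is not valid syntax and gives `focus-metavariable: $ROOT` nothing to bind; it looks like the `<ROOT>` of `(?P<ROOT>root:[x!*]*:[0-9]*:[0-9]*)` was lost in extraction, so please confirm the committed file has it. Separately, the password field `[x!*]*` only admits `x`, `!`, `*` or nothing, which is what /etc/passwd and locked accounts look like, not a shadow entry carrying a real hash such as `root:$6$…:19000:0:99999:7:::`, the one case where a committed shadow file actually leaks a credential. Admitting a crypt-style hash in that field, e.g. `(?P<ROOT>root:(?:[x!*]*|\$[0-9a-z]+\$[^:\s]+):[0-9]*:[0-9]*)`, would catch it, and the `message` could then say whether a passwd-style or a hash-bearing line fired.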
From: Sjoerd Langkemper Date: Mon, 19 Feb 2024 19:01:02 +0100 Subject: [PATCH 33/89] Add PHP base-convert-loses-precision (#3307) * Add PHP base-convert-loses-precision The function base_convert uses 64-bit numbers internally, and does not correctly convert large numbers. It is not suitable for random tokens such as those used for session tokens or CSRF tokens. * PHP base-convert-loses-precision: Correctly name rule in test --- .../security/base-convert-loses-precision.php | 80 +++++++++++++++++++ .../base-convert-loses-precision.yaml | 50 ++++++++++++ 2 files changed, 130 insertions(+) create mode 100644 php/lang/security/base-convert-loses-precision.php create mode 100644 php/lang/security/base-convert-loses-precision.yaml diff --git a/php/lang/security/base-convert-loses-precision.php b/php/lang/security/base-convert-loses-precision.php new file mode 100644 index 0000000000..5dcea3ebe4 --- /dev/null +++ b/php/lang/security/base-convert-loses-precision.php @@ -0,0 +1,80 @@ +security->get_random_bytes(20)), 16,36); + +// ok: base-convert-loses-precision +$currentByteBits = str_pad(base_convert(bin2hex(fread($fp,1)), 16, 2),8,'0',STR_PAD_LEFT); + +// ok: base-convert-loses-precision +base_convert(bin2hex(random_bytes(7)), 16, 36); \ No newline at end of file diff --git a/php/lang/security/base-convert-loses-precision.yaml b/php/lang/security/base-convert-loses-precision.yaml new file mode 100644 index 0000000000..3ede9b6f53 --- /dev/null +++ b/php/lang/security/base-convert-loses-precision.yaml 
@@ -0,0 +1,50 @@ +rules: +- id: base-convert-loses-precision + message: >- + The function base_convert uses 64-bit numbers internally, and does not correctly convert large numbers. + It is not suitable for random tokens such as those used for session tokens or CSRF tokens. + metadata: + references: + - https://www.php.net/base_convert + - https://www.sjoerdlangkemper.nl/2017/03/15/dont-use-base-convert-on-random-tokens/ + category: security + technology: + - php + cwe: + - 'CWE-190: Integer Overflow or Wraparound' + subcategory: + - audit + likelihood: LOW + impact: LOW + confidence: HIGH + languages: [php] + severity: WARNING + mode: taint + pattern-sources: + - pattern: hash(...) + - pattern: hash_hmac(...) + - pattern: sha1(...) + - pattern: md5(...) + - patterns: + - pattern: random_bytes($N) + - metavariable-comparison: + metavariable: $N + comparison: $N > 7 + - patterns: + - pattern: openssl_random_pseudo_bytes($N) + - metavariable-comparison: + metavariable: $N + comparison: $N > 7 + - patterns: + - pattern: $OBJ->get_random_bytes($N) + - metavariable-comparison: + metavariable: $N + comparison: $N > 7 + pattern-sinks: + - pattern: base_convert(...) + pattern-sanitizers: + - patterns: + - pattern: substr(..., $LENGTH) + - metavariable-comparison: + metavariable: $LENGTH + comparison: $LENGTH <= 7 From b688bbbe03143a4cad085bb20c2f3a814bbd6ebc Mon Sep 17 00:00:00 2001 
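Review bot: The sanitizer `substr(..., $LENGTH)` with `$LENGTH <= 7` treats the two-argument form as safe, but in `substr($hex, 7)` the 7 is an offset, not a length, so the call returns everything from position 7 onward and the long token still reaches `base_convert`; a negative length such as `substr($hex, 0, -1)` also satisfies `<= 7` while keeping almost the whole string. Matching the three-argument form explicitly, `- pattern: substr($S, $OFF, $LENGTH)` together with `comparison: $LENGTH >= 0 and $LENGTH <= 7`, closes both gaps (I believe `metavariable-comparison` accepts a boolean `and`; worth a quick check). The `$N > 7` sources only fire when the byte count is a literal, so `random_bytes($len)` is silently unreported; a short comment above `pattern-sources`, `# byte-count checks are literal-only; a variable length is not analysed`, would make that limitation visible to whoever tunes the rule next.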
From: Claudio Date: Tue, 20 Feb 2024 04:09:11 +0100 Subject: [PATCH 34/89] Deny in policy is ok (#3306) Co-authored-by: Vasilii Ermilov --- .../security/iam/no-iam-creds-exposure.tf | 34 +++++++++++++++++++ .../security/iam/no-iam-creds-exposure.yaml | 24 +++++++++++++ .../iam/no-iam-data-exfiltration.yaml | 24 +++++++++++++ .../security/iam/no-iam-priv-esc-funcs.yaml | 24 +++++++++++++ .../iam/no-iam-priv-esc-other-users.yaml | 24 +++++++++++++ .../security/iam/no-iam-priv-esc-roles.yaml | 24 +++++++++++++ .../iam/no-iam-resource-exposure.yaml | 24 +++++++++++++ .../security/iam/no-iam-star-actions.yaml | 24 +++++++++++++ 8 files changed, 202 insertions(+) diff --git a/terraform/lang/security/iam/no-iam-creds-exposure.tf b/terraform/lang/security/iam/no-iam-creds-exposure.tf index c5bed4921d..bc08362f11 100644 --- a/terraform/lang/security/iam/no-iam-creds-exposure.tf +++ b/terraform/lang/security/iam/no-iam-creds-exposure.tf @@ -67,6 +67,26 @@ resource "aws_iam_policy" "policy" { }) } +resource "aws_iam_policy" "policy" { + name = "test_policy" + path = "/" + description = "My test policy" + + # Terraform's "jsonencode" function converts a + # Terraform expression result to valid JSON syntax. + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + # ok: no-iam-creds-exposure + Action = ["ec2:GetPasswordData"] + Effect = "Deny" + Resource = "*" + }, + ] + }) +} + data aws_iam_policy_document "policy" { statement { # ruleid: no-iam-creds-exposure @@ -78,3 +98,17 @@ data aws_iam_policy_document "policy" { resources = ["*"] } } + +data aws_iam_policy_document "policy" { + statement { + # ok: no-iam-creds-exposure + actions = ["chime:CreateApiKey"] + principals { + type = "AWS" + identifiers = ["*"] + } + resources = ["*"] + effect = "Deny" + } +} + diff --git a/terraform/lang/security/iam/no-iam-creds-exposure.yaml b/terraform/lang/security/iam/no-iam-creds-exposure.yaml index 029bbabb2b..e6f611d58e 100644 
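Review bot: Both new ok fixtures are policies whose only statement is a Deny, so the test does not exercise the case the new exclusions are most likely to get wrong: a resource or policy document holding a Deny statement next to an Allow of `ec2:GetPasswordData`, which should still be a ruleid. Adding that mixed fixture (an Allow statement for the sensitive action followed by a `Deny` on some other action, marked `# ruleid: no-iam-creds-exposure`) would pin the intended behaviour. The fixture also declares `resource "aws_iam_policy" "policy"` and `data aws_iam_policy_document "policy"` a second time under the same names; semgrep does not mind, but the file no longer passes `terraform validate`, so distinct names such as `policy_deny` would be cheaper than explaining it.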
--- a/terraform/lang/security/iam/no-iam-creds-exposure.yaml +++ b/terraform/lang/security/iam/no-iam-creds-exposure.yaml @@ -15,6 +15,20 @@ rules: }) ... } + - pattern-not-inside: | + resource $TYPE "..." { + ... + policy = jsonencode({ + ... + Statement = [ + ..., + {... Effect = "Deny" ...}, + ... + ] + ... + }) + ... + } - pattern: | Action = $ACTION - metavariable-pattern: @@ -37,6 +51,16 @@ rules: } ... } + - pattern-not-inside: | + data aws_iam_policy_document "..." { + ... + statement { + ... + effect = "Deny" + ... + } + ... + } - pattern: | actions = [..., $ACTION, ...] - metavariable-pattern: diff --git a/terraform/lang/security/iam/no-iam-data-exfiltration.yaml b/terraform/lang/security/iam/no-iam-data-exfiltration.yaml index 0d7cf315e4..075f7f5964 100644 --- a/terraform/lang/security/iam/no-iam-data-exfiltration.yaml +++ b/terraform/lang/security/iam/no-iam-data-exfiltration.yaml @@ -17,6 +17,20 @@ rules: }) ... } + - pattern-not-inside: | + resource $TYPE "..." { + ... + policy = jsonencode({ + ... + Statement = [ + ..., + {... Effect = "Deny" ...}, + ... + ] + ... + }) + ... + } - pattern: | Action = $ACTION - metavariable-pattern: @@ -41,6 +55,16 @@ rules: } ... } + - pattern-not-inside: | + data aws_iam_policy_document "..." { + ... + statement { + ... + effect = "Deny" + ... + } + ... + } - pattern: | actions = [..., $ACTION, ...] - metavariable-pattern: diff --git a/terraform/lang/security/iam/no-iam-priv-esc-funcs.yaml b/terraform/lang/security/iam/no-iam-priv-esc-funcs.yaml index 388a08b249..5cc69ffc3e 100644 --- a/terraform/lang/security/iam/no-iam-priv-esc-funcs.yaml +++ b/terraform/lang/security/iam/no-iam-priv-esc-funcs.yaml @@ -15,6 +15,20 @@ rules: }) ... } + - pattern-not-inside: | + resource $TYPE "..." { + ... + policy = jsonencode({ + ... + Statement = [ + ..., + {... Effect = "Deny" ...}, + ... + ] + ... + }) + ... + } - pattern: Action = $ACTION - metavariable-pattern: metavariable: $TYPE 
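Review bot: The new `pattern-not-inside` clauses are anchored on the whole `resource`/`data` block rather than on the statement, so as I read Semgrep's semantics any `Action = $ACTION` inside a resource that contains at least one `Effect = "Deny"` statement is excluded, including an Allow of `ec2:GetPasswordData` sitting next to an unrelated Deny in the same `Statement` list; the same shape is repeated in the six sibling rules in this commit. Narrowing the exclusion to the statement itself, `- pattern-not-inside: { ... Effect = "Deny" ... }` for the jsonencode form and `- pattern-not-inside: statement { ... effect = "Deny" ... }` for the policy-document form, keeps the intended Deny suppression without hiding neighbouring Allows. A mixed Allow/Deny fixture marked ruleid in no-iam-creds-exposure.tf would catch this; the ok fixtures added here each contain a single Deny statement only.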
@@ -36,6 +50,16 @@ rules: } ... } + - pattern-not-inside: | + data aws_iam_policy_document "..." { + ... + statement { + ... + effect = "Deny" + ... + } + ... + } - pattern: | actions = [..., $ACTION, ...] - metavariable-pattern: diff --git a/terraform/lang/security/iam/no-iam-priv-esc-other-users.yaml b/terraform/lang/security/iam/no-iam-priv-esc-other-users.yaml index 97b4149e81..f9250dbf9d 100644 --- a/terraform/lang/security/iam/no-iam-priv-esc-other-users.yaml +++ b/terraform/lang/security/iam/no-iam-priv-esc-other-users.yaml @@ -17,6 +17,20 @@ rules: }) ... } + - pattern-not-inside: | + resource $TYPE "..." { + ... + policy = jsonencode({ + ... + Statement = [ + ..., + {... Effect = "Deny" ...}, + ... + ] + ... + }) + ... + } - pattern: | Action = $ACTION - metavariable-pattern: @@ -41,6 +55,16 @@ rules: } ... } + - pattern-not-inside: | + data aws_iam_policy_document "..." { + ... + statement { + ... + effect = "Deny" + ... + } + ... + } - pattern: | actions = [..., $ACTION, ...] - metavariable-pattern: diff --git a/terraform/lang/security/iam/no-iam-priv-esc-roles.yaml b/terraform/lang/security/iam/no-iam-priv-esc-roles.yaml index 00a993a960..be8d3128b7 100644 --- a/terraform/lang/security/iam/no-iam-priv-esc-roles.yaml +++ b/terraform/lang/security/iam/no-iam-priv-esc-roles.yaml @@ -15,6 +15,20 @@ rules: }) ... } + - pattern-not-inside: | + resource $TYPE "..." { + ... + policy = jsonencode({ + ... + Statement = [ + ..., + {... Effect = "Deny" ...}, + ... + ] + ... + }) + ... + } - pattern: | Action = $ACTION - metavariable-pattern: @@ -37,6 +51,16 @@ rules: } ... } + - pattern-not-inside: | + data aws_iam_policy_document "..." { + ... + statement { + ... + effect = "Deny" + ... + } + ... + } - pattern: | actions = $ACTION - metavariable-pattern: diff --git a/terraform/lang/security/iam/no-iam-resource-exposure.yaml b/terraform/lang/security/iam/no-iam-resource-exposure.yaml index 53ffbf5446..97f76d8e42 100644 
--- a/terraform/lang/security/iam/no-iam-resource-exposure.yaml +++ b/terraform/lang/security/iam/no-iam-resource-exposure.yaml @@ -15,6 +15,20 @@ rules: }) ... } + - pattern-not-inside: | + resource $TYPE "..." { + ... + policy = jsonencode({ + ... + Statement = [ + ..., + {... Effect = "Deny" ...}, + ... + ] + ... + }) + ... + } - pattern: | Action = $ACTION - metavariable-pattern: @@ -37,6 +51,16 @@ rules: } ... } + - pattern-not-inside: | + data aws_iam_policy_document "..." { + ... + statement { + ... + effect = "Deny" + ... + } + ... + } - pattern: | actions = [..., $ACTION, ...] - metavariable-pattern: diff --git a/terraform/lang/security/iam/no-iam-star-actions.yaml b/terraform/lang/security/iam/no-iam-star-actions.yaml index 51e2fa3284..1d0a5a1000 100644 --- a/terraform/lang/security/iam/no-iam-star-actions.yaml +++ b/terraform/lang/security/iam/no-iam-star-actions.yaml @@ -15,6 +15,20 @@ rules: }) ... } + - pattern-not-inside: | + resource $TYPE "..." { + ... + policy = jsonencode({ + ... + Statement = [ + ..., + {... Effect = "Deny" ...}, + ... + ] + ... + }) + ... + } - pattern-either: - pattern: Action = "*" - pattern: Action = ["*"] @@ -38,6 +52,16 @@ rules: } ... } + - pattern-not-inside: | + data aws_iam_policy_document "..." { + ... + statement { + ... + effect = "Deny" + ... + } + ... + } - pattern: | actions = ["*"] message: >- From 931012bcba561ca6298ae3f2cd92fe3608b4848e Mon Sep 17 00:00:00 2001 From: Alex Leahu Date: Tue, 20 Feb 2024 03:39:30 -0600 Subject: [PATCH 35/89] update jwt-none-alg to include latest fork (#3305) Co-authored-by: Claudio --- go/jwt-go/security/jwt-none-alg.yaml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/go/jwt-go/security/jwt-none-alg.yaml b/go/jwt-go/security/jwt-none-alg.yaml index c39dfdcd59..f99e91dd23 100644 --- a/go/jwt-go/security/jwt-none-alg.yaml +++ b/go/jwt-go/security/jwt-none-alg.yaml 
@@ -26,9 +26,13 @@ rules: languages: [go] severity: ERROR patterns: - - pattern-inside: | - import "github.com/dgrijalva/jwt-go" - ... + - pattern-either: + - pattern-inside: | + import "github.com/golang-jwt/jwt" + ... + - pattern-inside: | + import "github.com/dgrijalva/jwt-go" + ... - pattern-either: - pattern: | jwt.SigningMethodNone From 3abb4d5f4e8a79d0631709190515924a2ed86c40 Mon Sep 17 00:00:00 2001 From: Naveen S Date: Wed, 21 Feb 2024 14:36:07 +0530 Subject: [PATCH 36/89] Add more negative patterns to exclude cases of reading from a file for Yaml bad deserialization (#3296) * Add more negative patterns to exclude cases of reading from a file * Update .fixed file for autofix test case --- .../bad-deserialization-yaml.fixed.rb | 56 +++++++++++++------ .../lang/security/bad-deserialization-yaml.rb | 56 +++++++++++++------ .../security/bad-deserialization-yaml.yaml | 18 +++++- 3 files changed, 91 insertions(+), 39 deletions(-) diff --git a/ruby/lang/security/bad-deserialization-yaml.fixed.rb b/ruby/lang/security/bad-deserialization-yaml.fixed.rb index 7d94f30abd..6ae11e9446 100644 --- a/ruby/lang/security/bad-deserialization-yaml.fixed.rb +++ b/ruby/lang/security/bad-deserialization-yaml.fixed.rb 
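Review bot: `import "github.com/golang-jwt/jwt"` only matches the unversioned v3 module path; golang-jwt publishes its maintained releases under `github.com/golang-jwt/jwt/v4` and `github.com/golang-jwt/jwt/v5`, which is what most current Go code imports, so the rule still misses the fork's supported versions. Adding `- pattern-inside: | import "github.com/golang-jwt/jwt/v4" ...` and the same line for `/v5` to the new `pattern-either` (or one `pattern-regex` over the import path, if the project prefers) covers them. The `jwt.SigningMethodNone` patterns this import guard protects continue outside the hunk.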
@@ -1,23 +1,43 @@ - def bad_deserialization +def bad_deserialization - o = Klass.new("hello\n") - data = YAML.dump(o) - # ruleid: bad-deserialization-yaml - obj = Psych.safe_load(data) + o = Klass.new("hello\n") + data = YAML.dump(o) + # ruleid: bad-deserialization-yaml + obj = Psych.safe_load(data) +end - end +def ok_deserialization + o = Klass.new("hello\n") + data = YAML.dump(o) + # ok: bad-deserialization-yaml + obj = YAML.load(data, safe: true) - def ok_deserialization - o = Klass.new("hello\n") - data = YAML.dump(o) - # ok: bad-deserialization-yaml - obj = YAML.load(data, safe: true) + filename = File.read("test.txt") + data = YAML.dump(filename) + # ok: bad-deserialization-yaml + YAML.load(filename) - filename = File.read("test.txt") - data = YAML.dump(filename) - # ok: bad-deserialization-yaml - YAML.load(filename) + # ok: bad-deserialization-yaml + YAML.load(File.read("test.txt")) - # ok: bad-deserialization-yaml - YAML.load(File.read("test.txt")) - end + # ok: bad-deserialization-yaml + obj = YAML::load(ERB.new(File.read("test.yml")).result) + + # ok: bad-deserialization-yaml + obj = YAML::load(ERB.new(File.read("test.yml"))) + + template = ERB.new(File.read("test.yml")) + # ok: bad-deserialization-yaml + obj = YAML::load(template) + + template = ERB.new(File.read("test.yml")).result + # ok: bad-deserialization-yaml + obj = YAML::load(template) + + template = ERB.new(File.read("test.yml")) + # ok: bad-deserialization-yaml + obj = YAML::load(template.result) + + # ok: bad-deserialization-yaml + obj = YAML.load(File.read(File.join(Pathname.pwd, "hello.yml"))) +end diff --git a/ruby/lang/security/bad-deserialization-yaml.rb b/ruby/lang/security/bad-deserialization-yaml.rb index aee3f14a01..f4c289d687 100644 --- a/ruby/lang/security/bad-deserialization-yaml.rb +++ b/ruby/lang/security/bad-deserialization-yaml.rb 
@@ -1,23 +1,43 @@ - def bad_deserialization +def bad_deserialization - o = Klass.new("hello\n") - data = YAML.dump(o) - # ruleid: bad-deserialization-yaml - obj = YAML.load(data) + o = Klass.new("hello\n") + data = YAML.dump(o) + # ruleid: bad-deserialization-yaml + obj = YAML.load(data) +end - end +def ok_deserialization + o = Klass.new("hello\n") + data = YAML.dump(o) + # ok: bad-deserialization-yaml + obj = YAML.load(data, safe: true) - def ok_deserialization - o = Klass.new("hello\n") - data = YAML.dump(o) - # ok: bad-deserialization-yaml - obj = YAML.load(data, safe: true) + filename = File.read("test.txt") + data = YAML.dump(filename) + # ok: bad-deserialization-yaml + YAML.load(filename) - filename = File.read("test.txt") - data = YAML.dump(filename) - # ok: bad-deserialization-yaml - YAML.load(filename) + # ok: bad-deserialization-yaml + YAML.load(File.read("test.txt")) - # ok: bad-deserialization-yaml - YAML.load(File.read("test.txt")) - end + # ok: bad-deserialization-yaml + obj = YAML::load(ERB.new(File.read("test.yml")).result) + + # ok: bad-deserialization-yaml + obj = YAML::load(ERB.new(File.read("test.yml"))) + + template = ERB.new(File.read("test.yml")) + # ok: bad-deserialization-yaml + obj = YAML::load(template) + + template = ERB.new(File.read("test.yml")).result + # ok: bad-deserialization-yaml + obj = YAML::load(template) + + template = ERB.new(File.read("test.yml")) + # ok: bad-deserialization-yaml + obj = YAML::load(template.result) + + # ok: bad-deserialization-yaml + obj = YAML.load(File.read(File.join(Pathname.pwd, "hello.yml"))) +end diff --git a/ruby/lang/security/bad-deserialization-yaml.yaml b/ruby/lang/security/bad-deserialization-yaml.yaml index 45cfd91649..bf403557bf 100644 --- a/ruby/lang/security/bad-deserialization-yaml.yaml +++ b/ruby/lang/security/bad-deserialization-yaml.yaml 
@@ -8,17 +8,29 @@ rules: - pattern-not: | YAML.load("...", ...) - pattern-not-inside: | - $FILE = File.read("...", ...) + YAML.load(..., File.read(...), ...) + - pattern-not-inside: | + $FILE = File.read(...) ... YAML.load(..., $FILE, ...) - pattern-not-inside: | - $FILENAME = "..." + $FILENAME = ... ... $FILE = File.read($FILENAME, ...) ... YAML.load(..., $FILE, ...) - pattern-not-inside: | - YAML.load(..., File.read("...", ...), ...) + YAML.load(..., $X.$Y(File.read(...)), ...) + - pattern-not-inside: | + YAML.load(..., $X.$Y(File.read(...)).$Z, ...) + - pattern-not-inside: | + $T = $MOD.$MET(File.read(...)) + ... + YAML.load(..., $T, ...) + - pattern-not-inside: | + $T = $MOD.$MET(File.read(...)) + ... + YAML.load(..., $T.$R, ...) fix: Psych.safe_load($...ARGS) message: >- Unsafe deserialization from YAML. Objects in Ruby can be serialized into strings, From 643446c519b6cd254966228f37a688317205405f Mon Sep 17 00:00:00 2001 
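Review bot: The widened `pattern-not-inside` clauses suppress `YAML.load` on any `File.read(...)` result regardless of where the path comes from — `$FILE = File.read(...)`, `$FILENAME = ...` and `YAML.load(..., File.read(...), ...)` each replaced a literal `"..."` with `...`. That also exempts a load of a file whose path is request- or upload-derived, where the contents are not under the application's control, which is the situation the rule's own message warns about; the previous literal-path form bounded the exemption to files shipped with the application. Consider keeping the literal form, or constraining `$FILENAME` with a `metavariable-pattern` that excludes request-derived sources, and stating in `message` that loads from application-owned files are assumed trusted. The `$X.$Y(File.read(...))` and `$MOD.$MET(File.read(...))` clauses likewise accept any receiver and method, not only `ERB.new`, so they exempt more than the ERB case the fixture covers; a `metavariable-regex` on `$X`/`$MOD` would narrow them. The rule's `patterns` list starts before line 8, so the positive pattern these clauses guard is outside this hunk.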
From: LewisArdern Date: Thu, 22 Feb 2024 12:05:12 -0800 Subject: [PATCH 37/89] Remove deprecated rules --- .../ci/security/use-frozen-lockfile.generic | 48 --- generic/ci/security/use-frozen-lockfile.yaml | 130 -------- .../missing-noopener-or-noreferrer.html | 151 ---------- .../missing-noopener-or-noreferrer.yaml | 28 -- html/security/missing-noopener.html | 151 ---------- html/security/missing-noopener.yaml | 28 -- html/security/missing-noreferrer.html | 151 ---------- html/security/missing-noreferrer.yaml | 24 -- .../audit/cookie-missing-samesite.yaml | 31 -- .../audit/cookie-missing-secure-flag.java | 114 ------- .../log4j-message-lookup-injection.java | 15 - .../log4j-message-lookup-injection.yaml | 27 -- java/spring/security/cve/cve-2022-22965.java | 32 -- java/spring/security/cve/cve-2022-22965.yaml | 26 -- .../browser/security/new-function-detected.js | 43 --- .../security/new-function-detected.yaml | 27 -- ...ome-remote-interface-evaluate-injection.js | 22 -- ...e-remote-interface-evaluate-injection.yaml | 28 -- ...ome-remote-interface-navigate-injection.js | 25 -- ...e-remote-interface-navigate-injection.yaml | 28 -- ...e-remote-interface-printtopdf-injection.js | 27 -- ...remote-interface-printtopdf-injection.yaml | 28 -- ...-interface-setdocumentcontent-injection.js | 20 -- ...nterface-setdocumentcontent-injection.yaml | 28 -- javascript/dompurify.jsx | 31 -- javascript/dompurify.yaml | 30 -- .../jose/security/jwt-exposed-credentials.js | 70 ----- .../security/jwt-exposed-credentials.yaml | 29 -- .../security/jwt-exposed-credentials.js | 70 ----- .../security/jwt-exposed-credentials.yaml | 34 --- .../audit/detect-bracket-object-injection.js | 27 -- .../detect-bracket-object-injection.yaml | 29 -- .../security/audit/non-constant-sql-query.js | 69 ----- .../audit/non-constant-sql-query.yaml | 30 -- .../prototype-pollution-function.js | 44 --- .../prototype-pollution-function.yaml | 27 -- .../lang/security/audit/vm-injection.js | 133 --------- 
.../lang/security/audit/vm-injection.yaml | 282 ------------------ .../security/detect-non-literal-require.js | 8 - .../security/detect-non-literal-require.yaml | 27 -- php/lang/security/preg-replace-eval.php | 15 - php/lang/security/preg-replace-eval.yaml | 28 -- .../django-ratelimit/missing-ratelimit.py | 16 - .../django-ratelimit/missing-ratelimit.yaml | 26 -- .../xss/template-translate-no-escape.html | 12 - .../xss/template-translate-no-escape.yaml | 29 -- .../audit/dangerous-subprocess-use.py | 3 - .../audit/dangerous-subprocess-use.yaml | 36 --- python/lang/security/unquoted-csv-writer.py | 7 - python/lang/security/unquoted-csv-writer.yaml | 27 -- ruby/lang/security/jruby-xml.rb | 11 - ruby/lang/security/jruby-xml.yaml | 27 -- ruby/lang/security/json-encoding.rb | 8 - ruby/lang/security/json-encoding.yaml | 28 -- .../model-attributes-attr-protected.rb | 13 - .../model-attributes-attr-protected.yaml | 26 -- .../lang/security/nested-attributes-bypass.rb | 12 - .../security/nested-attributes-bypass.yaml | 25 -- ruby/lang/security/nested-attributes.rb | 11 - ruby/lang/security/nested-attributes.yaml | 27 -- ruby/lang/security/timing-attack.rb | 4 - ruby/lang/security/timing-attack.yaml | 23 -- ruby/lang/security/yaml-parsing.rb | 6 - ruby/lang/security/yaml-parsing.yaml | 25 -- ruby/rails/security/audit/dynamic-finders.rb | 15 - .../rails/security/audit/dynamic-finders.yaml | 27 -- ruby/rails/security/audit/mail-to-erb.erb | 6 - ruby/rails/security/audit/mail-to-erb.yaml | 27 -- ruby/rails/security/audit/mail-to.rb | 19 -- ruby/rails/security/audit/mail-to.yaml | 27 -- ruby/rails/security/audit/mime-type-dos.rb | 9 - ruby/rails/security/audit/mime-type-dos.yaml | 24 -- .../security/audit/number-to-currency-erb.erb | 7 - .../audit/number-to-currency-erb.yaml | 27 -- .../security/audit/number-to-currency.rb | 17 -- .../security/audit/number-to-currency.yaml | 27 -- ruby/rails/security/audit/quote-table-name.rb | 17 -- .../security/audit/quote-table-name.yaml | 27 
-- .../audit/rails-check-header-dos.Gemfile | 26 -- .../audit/rails-check-header-dos.yaml | 27 -- .../audit/rails-check-page-caching-cve.rb | 12 - .../audit/rails-check-page-caching-cve.yaml | 29 -- .../rails-check-page-caching-gem.Gemfile | 17 -- .../audit/rails-check-page-caching-gem.yaml | 29 -- .../audit/rails-check-render-dos-cve.rb | 8 - .../audit/rails-check-render-dos-cve.yaml | 29 -- .../audit/rails-check-render-dos-gem.Gemfile | 20 -- .../audit/rails-check-render-dos-gem.yaml | 28 -- .../rails-check-response-splitting.Gemfile | 10 - .../audit/rails-check-response-splitting.yaml | 26 -- .../rails-check-json-parsing-rce.Gemfile | 20 -- .../rails-check-json-parsing-rce.yaml | 26 -- ...he-replication-group-encrypted-with-cmk.tf | 27 -- ...-replication-group-encrypted-with-cmk.yaml | 25 -- .../security/audit/react-css-injection.jsx | 55 ---- .../security/audit/react-css-injection.tsx | 55 ---- .../security/audit/react-css-injection.yaml | 30 -- .../audit/react-html-element-spreading.jsx | 24 -- .../audit/react-html-element-spreading.tsx | 24 -- .../audit/react-html-element-spreading.yaml | 30 -- .../react/security/audit/react-http-leak.jsx | 56 ---- .../react/security/audit/react-http-leak.tsx | 61 ---- .../react/security/audit/react-http-leak.yaml | 28 -- .../security/audit/react-missing-noopener.jsx | 44 --- .../security/audit/react-missing-noopener.tsx | 44 --- .../audit/react-missing-noopener.yaml | 29 -- .../audit/react-missing-noreferrer.jsx | 52 ---- .../audit/react-missing-noreferrer.tsx | 52 ---- .../audit/react-missing-noreferrer.yaml | 28 -- .../react/security/audit/react-no-refs.jsx | 33 -- .../react/security/audit/react-no-refs.tsx | 33 -- .../react/security/audit/react-no-refs.yaml | 30 -- .../security/audit/react-props-injection.jsx | 45 --- .../security/audit/react-props-injection.tsx | 45 --- .../security/audit/react-props-injection.yaml | 30 -- .../security/audit/react-router-redirect.jsx | 37 --- .../security/audit/react-router-redirect.tsx 
| 37 --- .../security/audit/react-router-redirect.yaml | 32 -- .../react-styled-components-injection.jsx | 50 ---- .../react-styled-components-injection.tsx | 60 ---- .../react-styled-components-injection.yaml | 30 -- .../react-controlled-component-password.jsx | 90 ------ .../react-controlled-component-password.tsx | 90 ------ .../react-controlled-component-password.yaml | 30 -- 124 files changed, 4536 deletions(-) delete mode 100644 generic/ci/security/use-frozen-lockfile.generic delete mode 100644 generic/ci/security/use-frozen-lockfile.yaml delete mode 100644 html/security/missing-noopener-or-noreferrer.html delete mode 100644 html/security/missing-noopener-or-noreferrer.yaml delete mode 100644 html/security/missing-noopener.html delete mode 100644 html/security/missing-noopener.yaml delete mode 100644 html/security/missing-noreferrer.html delete mode 100644 html/security/missing-noreferrer.yaml delete mode 100644 java/lang/security/audit/cookie-missing-samesite.yaml delete mode 100644 java/lang/security/audit/cookie-missing-secure-flag.java delete mode 100644 java/log4j/security/log4j-message-lookup-injection.java delete mode 100644 java/log4j/security/log4j-message-lookup-injection.yaml delete mode 100644 java/spring/security/cve/cve-2022-22965.java delete mode 100644 java/spring/security/cve/cve-2022-22965.yaml delete mode 100644 javascript/browser/security/new-function-detected.js delete mode 100644 javascript/browser/security/new-function-detected.yaml delete mode 100644 javascript/chrome-remote-interface/security/audit/chrome-remote-interface-evaluate-injection.js delete mode 100644 javascript/chrome-remote-interface/security/audit/chrome-remote-interface-evaluate-injection.yaml delete mode 100644 javascript/chrome-remote-interface/security/audit/chrome-remote-interface-navigate-injection.js delete mode 100644 javascript/chrome-remote-interface/security/audit/chrome-remote-interface-navigate-injection.yaml delete mode 100644 
javascript/chrome-remote-interface/security/audit/chrome-remote-interface-printtopdf-injection.js delete mode 100644 javascript/chrome-remote-interface/security/audit/chrome-remote-interface-printtopdf-injection.yaml delete mode 100644 javascript/chrome-remote-interface/security/audit/chrome-remote-interface-setdocumentcontent-injection.js delete mode 100644 javascript/chrome-remote-interface/security/audit/chrome-remote-interface-setdocumentcontent-injection.yaml delete mode 100644 javascript/dompurify.jsx delete mode 100644 javascript/dompurify.yaml delete mode 100644 javascript/jose/security/jwt-exposed-credentials.js delete mode 100644 javascript/jose/security/jwt-exposed-credentials.yaml delete mode 100644 javascript/jsonwebtoken/security/jwt-exposed-credentials.js delete mode 100644 javascript/jsonwebtoken/security/jwt-exposed-credentials.yaml delete mode 100644 javascript/lang/security/audit/detect-bracket-object-injection.js delete mode 100644 javascript/lang/security/audit/detect-bracket-object-injection.yaml delete mode 100644 javascript/lang/security/audit/non-constant-sql-query.js delete mode 100644 javascript/lang/security/audit/non-constant-sql-query.yaml delete mode 100644 javascript/lang/security/audit/prototype-pollution/prototype-pollution-function.js delete mode 100644 javascript/lang/security/audit/prototype-pollution/prototype-pollution-function.yaml delete mode 100644 javascript/lang/security/audit/vm-injection.js delete mode 100644 javascript/lang/security/audit/vm-injection.yaml delete mode 100644 javascript/lang/security/detect-non-literal-require.js delete mode 100644 javascript/lang/security/detect-non-literal-require.yaml delete mode 100644 php/lang/security/preg-replace-eval.php delete mode 100644 php/lang/security/preg-replace-eval.yaml delete mode 100644 python/django/security/audit/django-ratelimit/missing-ratelimit.py delete mode 100644 python/django/security/audit/django-ratelimit/missing-ratelimit.yaml delete mode 100644 
python/django/security/audit/xss/template-translate-no-escape.html delete mode 100644 python/django/security/audit/xss/template-translate-no-escape.yaml delete mode 100644 python/lang/security/audit/dangerous-subprocess-use.py delete mode 100644 python/lang/security/audit/dangerous-subprocess-use.yaml delete mode 100644 python/lang/security/unquoted-csv-writer.py delete mode 100644 python/lang/security/unquoted-csv-writer.yaml delete mode 100644 ruby/lang/security/jruby-xml.rb delete mode 100644 ruby/lang/security/jruby-xml.yaml delete mode 100644 ruby/lang/security/json-encoding.rb delete mode 100644 ruby/lang/security/json-encoding.yaml delete mode 100644 ruby/lang/security/model-attributes-attr-protected.rb delete mode 100644 ruby/lang/security/model-attributes-attr-protected.yaml delete mode 100644 ruby/lang/security/nested-attributes-bypass.rb delete mode 100644 ruby/lang/security/nested-attributes-bypass.yaml delete mode 100644 ruby/lang/security/nested-attributes.rb delete mode 100644 ruby/lang/security/nested-attributes.yaml delete mode 100644 ruby/lang/security/timing-attack.rb delete mode 100644 ruby/lang/security/timing-attack.yaml delete mode 100644 ruby/lang/security/yaml-parsing.rb delete mode 100644 ruby/lang/security/yaml-parsing.yaml delete mode 100644 ruby/rails/security/audit/dynamic-finders.rb delete mode 100644 ruby/rails/security/audit/dynamic-finders.yaml delete mode 100644 ruby/rails/security/audit/mail-to-erb.erb delete mode 100644 ruby/rails/security/audit/mail-to-erb.yaml delete mode 100644 ruby/rails/security/audit/mail-to.rb delete mode 100644 ruby/rails/security/audit/mail-to.yaml delete mode 100644 ruby/rails/security/audit/mime-type-dos.rb delete mode 100644 ruby/rails/security/audit/mime-type-dos.yaml delete mode 100644 ruby/rails/security/audit/number-to-currency-erb.erb delete mode 100644 ruby/rails/security/audit/number-to-currency-erb.yaml delete mode 100644 ruby/rails/security/audit/number-to-currency.rb delete mode 100644 
ruby/rails/security/audit/number-to-currency.yaml delete mode 100644 ruby/rails/security/audit/quote-table-name.rb delete mode 100644 ruby/rails/security/audit/quote-table-name.yaml delete mode 100644 ruby/rails/security/audit/rails-check-header-dos.Gemfile delete mode 100644 ruby/rails/security/audit/rails-check-header-dos.yaml delete mode 100644 ruby/rails/security/audit/rails-check-page-caching-cve.rb delete mode 100644 ruby/rails/security/audit/rails-check-page-caching-cve.yaml delete mode 100644 ruby/rails/security/audit/rails-check-page-caching-gem.Gemfile delete mode 100644 ruby/rails/security/audit/rails-check-page-caching-gem.yaml delete mode 100644 ruby/rails/security/audit/rails-check-render-dos-cve.rb delete mode 100644 ruby/rails/security/audit/rails-check-render-dos-cve.yaml delete mode 100644 ruby/rails/security/audit/rails-check-render-dos-gem.Gemfile delete mode 100644 ruby/rails/security/audit/rails-check-render-dos-gem.yaml delete mode 100644 ruby/rails/security/audit/rails-check-response-splitting.Gemfile delete mode 100644 ruby/rails/security/audit/rails-check-response-splitting.yaml delete mode 100644 ruby/rails/security/injection/rails-check-json-parsing-rce.Gemfile delete mode 100644 ruby/rails/security/injection/rails-check-json-parsing-rce.yaml delete mode 100644 terraform/aws/security/aws-elasticache-replication-group-encrypted-with-cmk.tf delete mode 100644 terraform/aws/security/aws-elasticache-replication-group-encrypted-with-cmk.yaml delete mode 100644 typescript/react/security/audit/react-css-injection.jsx delete mode 100644 typescript/react/security/audit/react-css-injection.tsx delete mode 100644 typescript/react/security/audit/react-css-injection.yaml delete mode 100644 typescript/react/security/audit/react-html-element-spreading.jsx delete mode 100644 typescript/react/security/audit/react-html-element-spreading.tsx delete mode 100644 typescript/react/security/audit/react-html-element-spreading.yaml delete mode 100644 
typescript/react/security/audit/react-http-leak.jsx delete mode 100644 typescript/react/security/audit/react-http-leak.tsx delete mode 100644 typescript/react/security/audit/react-http-leak.yaml delete mode 100644 typescript/react/security/audit/react-missing-noopener.jsx delete mode 100644 typescript/react/security/audit/react-missing-noopener.tsx delete mode 100644 typescript/react/security/audit/react-missing-noopener.yaml delete mode 100644 typescript/react/security/audit/react-missing-noreferrer.jsx delete mode 100644 typescript/react/security/audit/react-missing-noreferrer.tsx delete mode 100644 typescript/react/security/audit/react-missing-noreferrer.yaml delete mode 100644 typescript/react/security/audit/react-no-refs.jsx delete mode 100644 typescript/react/security/audit/react-no-refs.tsx delete mode 100644 typescript/react/security/audit/react-no-refs.yaml delete mode 100644 typescript/react/security/audit/react-props-injection.jsx delete mode 100644 typescript/react/security/audit/react-props-injection.tsx delete mode 100644 typescript/react/security/audit/react-props-injection.yaml delete mode 100644 typescript/react/security/audit/react-router-redirect.jsx delete mode 100644 typescript/react/security/audit/react-router-redirect.tsx delete mode 100644 typescript/react/security/audit/react-router-redirect.yaml delete mode 100644 typescript/react/security/audit/react-styled-components-injection.jsx delete mode 100644 typescript/react/security/audit/react-styled-components-injection.tsx delete mode 100644 typescript/react/security/audit/react-styled-components-injection.yaml delete mode 100644 typescript/react/security/react-controlled-component-password.jsx delete mode 100644 typescript/react/security/react-controlled-component-password.tsx delete mode 100644 typescript/react/security/react-controlled-component-password.yaml 
diff --git a/generic/ci/security/use-frozen-lockfile.generic b/generic/ci/security/use-frozen-lockfile.generic deleted file mode 100644 index c907a04401..0000000000 --- a/generic/ci/security/use-frozen-lockfile.generic +++ /dev/null @@ -1,48 +0,0 @@ -# Install dependencies separately to improve caching -COPY package.json yarn.lock /app/ -WORKDIR /app -# ruleid: use-frozen-lockfile-yarn -RUN yarn install -# trailing space -# ruleid: use-frozen-lockfile-yarn -RUN yarn install - -# ok: use-frozen-lockfile-yarn -RUN yarn install --prod --frozen-lockfile --prefer-offline --ignore-optional --no-progress -# ok: use-frozen-lockfile-yarn -RUN yarn install --production --frozen-lockfile - -# ok: use-frozen-lockfile-npm -# i am a comment, just to explain.. npm install - -RUN yarn install --frozen-lockfile -RUN yarn install --immutable -# ruleid: use-frozen-lockfile-yarn -RUN yarn install some_package -RUN yarn install -g some_package -RUN yarn install --global some_package - -RUN echo 'yarn installing foo' - -RUN yarn install --frozen-lockfile -RUN yarn install --immutable -COPY . /app -RUN yarn build - -WORKDIR /app -# ruleid: use-frozen-lockfile-yarn -RUN yarn install foo - -RUN npm install foo -# ruleid: use-frozen-lockfile-npm -RUN npm install -RUN npm install -g some_package -RUN npm install --global some_package -RUN npm ci -COPY . /app -RUN yarn build - -RUN echo 'npm installing foo' - -# ok: use-frozen-lockfile-npm -RUN pnpm install diff --git a/generic/ci/security/use-frozen-lockfile.yaml b/generic/ci/security/use-frozen-lockfile.yaml deleted file mode 100644 index 60f50491cf..0000000000 --- a/generic/ci/security/use-frozen-lockfile.yaml +++ /dev/null 
@@ -1,130 +0,0 @@ -rules: - - id: use-frozen-lockfile-yarn - patterns: - - pattern: | - RUN ... yarn $INSTALL ... - - pattern-not-inside: | - RUN ... yarn $INSTALL ... --frozen-lockfile ... - - pattern-not-inside: | - RUN ... yarn $INSTALL ... --immutable ... - - pattern-not-inside: | - RUN ... yarn $INSTALL ... -g ... - - pattern-not-inside: | - RUN ... yarn $INSTALL ... --global ... - - metavariable-regex: - metavariable: $INSTALL - regex: ^(install)$ - - focus-metavariable: $INSTALL - fix: | - install --immutable - message: >- - To ensure reproducible and deterministic builds, when performing yarn install, make sure to use the - lockfile. Yarn will update the lockfile rather than using the pinned - versions. By using `--immutable` yarn will throw an exit code if the lockfile was - to be modified. - languages: - - dockerfile - severity: INFO - metadata: - category: security - cwe: - - 'CWE-494: Download of Code Without Integrity Check' - owasp: - - A08:2021 - Software and Data Integrity Failures - technology: - - dockerfile - - javascript - - typescript - - yarn - references: - - https://classic.yarnpkg.com/lang/en/docs/cli/install/ - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - - id: use-frozen-lockfile-npm - patterns: - - pattern-regex: npm install\b - - pattern-not-regex: pnpm install - - pattern-not-regex: npm install -g - - pattern-not-regex: npm install --global - - pattern-not-regex: npm install [\w]+ - - pattern-not-regex: \#(.*) - fix: npm ci - message: >- - To ensure reproducible and deterministic builds, use `npm ci` rather than `npm install` in scripts. - This will use the lockfile rather than updating it. 
- languages: - - generic - severity: INFO - metadata: - category: security - cwe: - - 'CWE-494: Download of Code Without Integrity Check' - owasp: - - A08:2021 - Software and Data Integrity Failures - technology: - - dockerfile - - javascript - - typescript - - npm - references: - - https://docs.npmjs.com/cli/v6/commands/npm-ci - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - - id: use-frozen-lockfile-pipenv - patterns: - - pattern: a() - - pattern: b() - message: >- - This rule has been deprecated. - languages: - - generic - severity: INFO - metadata: - category: security - cwe: - - 'CWE-494: Download of Code Without Integrity Check' - owasp: - - A08:2021 - Software and Data Integrity Failures - technology: - - dockerfile - - javascript - - typescript - references: - - https://semgrep.dev - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - - id: use-frozen-lockfile-pip - patterns: - - pattern: a() - - pattern: b() - message: >- - This rule has been deprecated. - languages: - - generic - severity: INFO - metadata: - category: security - cwe: - - 'CWE-494: Download of Code Without Integrity Check' - owasp: - - A08:2021 - Software and Data Integrity Failures - technology: - - dockerfile - - javascript - - typescript - references: - - https://semgrep.dev - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW diff --git a/html/security/missing-noopener-or-noreferrer.html b/html/security/missing-noopener-or-noreferrer.html deleted file mode 100644 index ef44eae891..0000000000 --- a/html/security/missing-noopener-or-noreferrer.html +++ /dev/null @@ -1,151 +0,0 @@ - - - - - - - - - - - - - - diff --git a/html/security/missing-noopener-or-noreferrer.yaml b/html/security/missing-noopener-or-noreferrer.yaml deleted file mode 100644 index 86d6b10a24..0000000000 --- a/html/security/missing-noopener-or-noreferrer.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -rules: -- id: missing-noopener-or-noreferrer - metadata: - category: security - technology: - - html - cwe: - - 'CWE-1022: Use of Web Link to Untrusted Target with window.opener Access' - owasp: - - A05:2017 - Broken Access Control - - A01:2021 - Broken Access Control - confidence: LOW - references: - - https://cwe.mitre.org/data/definitions/1022.html - subcategory: - - audit - likelihood: LOW - impact: LOW - patterns: - - pattern: a() - - pattern: b() - paths: - include: - - '*.html' - message: >- - This rule has been deprecated. - severity: WARNING - languages: [generic] diff --git a/html/security/missing-noopener.html b/html/security/missing-noopener.html deleted file mode 100644 index 6902f46483..0000000000 --- a/html/security/missing-noopener.html +++ /dev/null @@ -1,151 +0,0 @@ - - - - - - - - - - - - - - diff --git a/html/security/missing-noopener.yaml b/html/security/missing-noopener.yaml deleted file mode 100644 index 290393191e..0000000000 --- a/html/security/missing-noopener.yaml +++ /dev/null @@ -1,28 +0,0 @@ -rules: -- id: missing-noopener - metadata: - category: security - technology: - - html - cwe: - - 'CWE-1022: Use of Web Link to Untrusted Target with window.opener Access' - owasp: - - A05:2017 - Broken Access Control - - A01:2021 - Broken Access Control - confidence: LOW - references: - - https://cwe.mitre.org/data/definitions/1022.html - subcategory: - - audit - likelihood: LOW - impact: LOW - patterns: - - pattern: a() - - pattern: b() - paths: - include: - - '*.html' - message: >- - This rule has been deprecated. - severity: WARNING - languages: [generic] diff --git a/html/security/missing-noreferrer.html b/html/security/missing-noreferrer.html deleted file mode 100644 index b895e26989..0000000000 --- a/html/security/missing-noreferrer.html +++ /dev/null @@ -1,151 +0,0 @@ - - - - - - - - - - - - - - 
diff --git a/html/security/missing-noreferrer.yaml b/html/security/missing-noreferrer.yaml deleted file mode 100644 index 1a707cae45..0000000000 --- a/html/security/missing-noreferrer.yaml +++ /dev/null @@ -1,24 +0,0 @@ -rules: - - id: missing-noreferrer - metadata: - category: correctness - technology: - - html - cwe: "CWE-1022: Use of Web Link to Untrusted Target with window.opener Access" - owasp: - - A05:2017 - Broken Access Control - - A01:2021 - Broken Access Control - confidence: MEDIUM - license: Commons Clause License Condition v1.0[LGPL-2.1-only] - references: - - https://chromestatus.com/feature/6140064063029248 - patterns: - - pattern: a() - - pattern: b() - paths: - include: - - "*.html" - message: This rule has been deprecated. - severity: WARNING - languages: - - generic diff --git a/java/lang/security/audit/cookie-missing-samesite.yaml b/java/lang/security/audit/cookie-missing-samesite.yaml deleted file mode 100644 index 1408a20355..0000000000 --- a/java/lang/security/audit/cookie-missing-samesite.yaml +++ /dev/null @@ -1,31 +0,0 @@ -rules: -- id: cookie-missing-samesite - metadata: - cwe: - - 'CWE-352: Cross-Site Request Forgery (CSRF)' - owasp: - - A01:2021 - Broken Access Control - asvs: - section: 'V3: Session Management Verification Requirements' - control_id: 3.4.3 Missing Cookie Attribute - control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v34-cookie-based-session-management - version: '4' - references: - - https://stackoverflow.com/questions/42717210/samesite-cookie-in-java-application - category: security - technology: - - java - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - message: >- - Detected cookie without the SameSite attribute. - severity: WARNING - languages: [java] - patterns: - - pattern: a() - - pattern: b() 
diff --git a/java/lang/security/audit/cookie-missing-secure-flag.java b/java/lang/security/audit/cookie-missing-secure-flag.java deleted file mode 100644 index 4362d99dd3..0000000000 --- a/java/lang/security/audit/cookie-missing-secure-flag.java +++ /dev/null 
@@ -1,114 +0,0 @@ -@Controller -public class CookieController { - - @RequestMapping(value = "/cookie1", method = "GET") - public void setCookie(@RequestParam String value, HttpServletResponse response) { - Cookie cookie = new Cookie("cookie", value); - // ruleid:cookie-missing-secure-flag - response.addCookie(cookie); - } - - @RequestMapping(value = "/cookie2", method = "GET") - public void setSecureCookie(@RequestParam String value, HttpServletResponse response) { - Cookie cookie = new Cookie("cookie", value); - // ok:cookie-missing-secure-flag - cookie.setSecure(true); - response.addCookie(cookie); - } - - @RequestMapping(value = "/cookie3", method = "GET") - public void setSecureHttponlyCookie(@RequestParam String value, HttpServletResponse response) { - Cookie cookie = new Cookie("cookie", value); - // ok:cookie-missing-secure-flag - cookie.setSecure(true); - cookie.setHttpOnly(true); - response.addCookie(cookie); - } - - @RequestMapping(value = "/cookie4", method = "GET") - public void explicitDisable(@RequestParam String value, HttpServletResponse response) { - Cookie cookie = new Cookie("cookie", value); - // ruleid:cookie-missing-secure-flag - cookie.setSecure(false); - cookie.setHttpOnly(false); - response.addCookie(cookie); - } - - @RequestMapping(value = "/cookie5", method = "GET") - public void explicitDisable(@RequestParam String value, HttpServletResponse response) { - // ignore cookies created by Spring's ResponseCookie builder, since the interface is different - Cookie cookie = ResponseCookie.from("name", "value").build(); - // ok:cookie-missing-secure-flag - response.addCookie(cookie); - } - - // test case cf. 
https://github.com/Dreampie/Resty//blob/9ef059c065d1894c79e7d69c150e588a61eb1cd5/resty-common/src/main/java/cn/dreampie/common/http/HttpResponse.java#L69 - public Response addCookie(String name, String value, int expiration, boolean httpOnly) { - Cookie existingCookie = HttpRequest.getCookie(request.getCookies(), name); - if (existingCookie != null) { - if (Constant.cookiePath.equals(existingCookie.getPath()) - || existingCookie.getPath() == null // in some cases cookies set on path '/' are returned with a null path - ) { - // update existing cookie - existingCookie.setPath(Constant.cookiePath); - existingCookie.setValue(value); - existingCookie.setMaxAge(expiration); - if (Constant.cookieHttpOnly) { - setHttpOnly(existingCookie); - } - existingCookie.setSecure(Constant.cookieSecure); - if (Constant.cookieDomain != null) { - existingCookie.setDomain(Constant.cookieDomain); - } - // ok:cookie-missing-secure-flag - response.addCookie(existingCookie); - } else { - // we have an existing cookie on another path: clear it, and add a new cookie on root path - existingCookie.setValue(""); - existingCookie.setMaxAge(0); - // ok:cookie-missing-secure-flag - response.addCookie(existingCookie); - - Cookie c = new Cookie(name, value); - c.setPath(Constant.cookiePath); - c.setMaxAge(expiration); - if (Constant.cookieHttpOnly) { - setHttpOnly(existingCookie); - } - c.setSecure(Constant.cookieSecure); - if (Constant.cookieDomain != null) { - c.setDomain(Constant.cookieDomain); - } - // ok:cookie-missing-secure-flag - response.addCookie(c); - } - } else { - Cookie c = new Cookie(name, value); - c.setPath(Constant.cookiePath); - c.setMaxAge(expiration); - if (Constant.cookieHttpOnly) { - setHttpOnly(c); - } - c.setSecure(Constant.cookieSecure); - if (Constant.cookieDomain != null) { - c.setDomain(Constant.cookieDomain); - } - // ok:cookie-missing-secure-flag - response.addCookie(c); - } - return this; - } - - public Response clearCookie(String cookie) { - Cookie existingCookie = 
HttpRequest.getCookie(request.getCookies(), cookie); - if (existingCookie != null) { - existingCookie.setPath(Constant.cookiePath); - existingCookie.setValue(""); - existingCookie.setMaxAge(0); - // ok:cookie-missing-secure-flag - response.addCookie(existingCookie); - } - return this; - } - -} diff --git a/java/log4j/security/log4j-message-lookup-injection.java b/java/log4j/security/log4j-message-lookup-injection.java deleted file mode 100644 index e81a13c10f..0000000000 --- a/java/log4j/security/log4j-message-lookup-injection.java +++ /dev/null @@ -1,15 +0,0 @@ -import org.apache.log4j.Logger; - -import java.io.*; -import java.util.*; - -public class VulnerableLog4jExampleHandler implements HttpHandler { - - static Logger log = Logger.getLogger(log4jExample.class.getName()); - - public void handle(HttpExchange he) throws IOException { - string userAgent = he.getRequestHeader("user-agent"); - log.info("Request User Agent:" + userAgent); - - } -} diff --git a/java/log4j/security/log4j-message-lookup-injection.yaml b/java/log4j/security/log4j-message-lookup-injection.yaml deleted file mode 100644 index 5ac86d2d7c..0000000000 --- a/java/log4j/security/log4j-message-lookup-injection.yaml +++ /dev/null @@ -1,27 +0,0 @@ -rules: -- id: log4j-message-lookup-injection - metadata: - cwe: - - "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')" - owasp: - - A03:2021 - Injection - source-rule-url: https://www.lunasec.io/docs/blog/log4j-zero-day/ - references: - - https://issues.apache.org/jira/browse/LOG4J2-3198 - - https://www.lunasec.io/docs/blog/log4j-zero-day/ - - https://logging.apache.org/log4j/2.x/manual/lookups.html - category: security - technology: - - java - confidence: LOW - subcategory: - - audit - likelihood: LOW - impact: HIGH - message: This rule is deprecated. - patterns: - - pattern: a() - - pattern: b() - severity: WARNING - languages: - - java 
diff --git a/java/spring/security/cve/cve-2022-22965.java b/java/spring/security/cve/cve-2022-22965.java deleted file mode 100644 index 719096f2f2..0000000000 --- a/java/spring/security/cve/cve-2022-22965.java +++ /dev/null @@ -1,32 +0,0 @@ -package com.example.demo.controller; - -import com.example.demo.model.EvalBean; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RestController; - -@RestController -public class IndexController { - - @RequestMapping("/index") - public void index(EvalBean evalBean) { - - } - - - @RequestMapping("/index2") - public void index2(@RequestBody EvalBean evalBean) { - - } - - - @RequestMapping("/index3") - public void index3(String str) { - - } - - - @RequestMapping("/index4") - public void index4(HttpServletResponse res, EvalBean evalBean) { - - } -} diff --git a/java/spring/security/cve/cve-2022-22965.yaml b/java/spring/security/cve/cve-2022-22965.yaml deleted file mode 100644 index 61e670d4fa..0000000000 --- a/java/spring/security/cve/cve-2022-22965.yaml +++ /dev/null @@ -1,26 +0,0 @@ -rules: -- id: cve-2022-22965 - patterns: - - pattern: a() - - pattern: b() - message: This rule has been deprecated. - languages: - - java - severity: WARNING - metadata: - category: security - cwe: - - "CWE-94: Improper Control of Generation of Code ('Code Injection')" - technology: - - spring - references: - - https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement - owasp: - - A03:2021 - Injection - cwe2022-top25: true - deprecated: true - subcategory: - - audit - likelihood: LOW - impact: HIGH - confidence: LOW diff --git a/javascript/browser/security/new-function-detected.js b/javascript/browser/security/new-function-detected.js deleted file mode 100644 index f6e59e25c7..0000000000 --- a/javascript/browser/security/new-function-detected.js +++ /dev/null 
@@ -1,43 +0,0 @@ -/** - * Only report `eval` when we provide it with non-constant parameters. - */ - -/** - * Negative matches - */ - -let func = new Function('var x = "static strings are okay";'); -func(); - -const constVar = "function staticStrings() { return 'static strings are okay';}"; -let constVarFunc = new Function(constVar); -constVarFunc(); - -let func2 = new Function(`${constVar}`); -func2(); - -const secondConstVar = 'this is a const variable'; -let func3 = new Function(constVar + secondConstVar); - -let notEvaluatedFunc = new Function(document.getElementById('userInput')); - -/** - * Positive Matches - */ - -let dynamic = window.prompt() // arbitrary user input - - -func = new Function(dynamic + 'possibly malicious code'); -func(); - -func2 = new Function(`${dynamic} possibly malicious code`); -func2(); - -func3 = new Function(dynamic.concat('')); -func3(); - -function evalSomething(something) { - let func = new Function(something); - func(); -} diff --git a/javascript/browser/security/new-function-detected.yaml b/javascript/browser/security/new-function-detected.yaml deleted file mode 100644 index f005854cfd..0000000000 --- a/javascript/browser/security/new-function-detected.yaml +++ /dev/null @@ -1,27 +0,0 @@ -rules: -- id: new-function-detected - message: >- - this rule has been deprecated. - metadata: - deprecated: true - cwe: - - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')" - owasp: - - A03:2021 - Injection - category: security - technology: - - browser - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - references: - - https://owasp.org/Top10/A03_2021-Injection - languages: - - javascript - - typescript - severity: WARNING - patterns: - - pattern: a() - - pattern: b() 
diff --git a/javascript/chrome-remote-interface/security/audit/chrome-remote-interface-evaluate-injection.js b/javascript/chrome-remote-interface/security/audit/chrome-remote-interface-evaluate-injection.js
deleted file mode 100644
index 63dcbbbf2e..0000000000
--- a/javascript/chrome-remote-interface/security/audit/chrome-remote-interface-evaluate-injection.js
+++ /dev/null
@@ -1,22 +0,0 @@
-const CDP = require('chrome-remote-interface');
-
-async function example(userInput) {
- let client;
- try {
- client = await CDP();
- const {Runtime} = client;
- const script1 = "document.querySelector('p').textContent"
- // ok
- const result = await Runtime.evaluate({expression: script1});
- // chrome-remote-interface-evaluate-injection
- const result2 = await Runtime.evaluate({expression: userInput});
- // chrome-remote-interface-evaluate-injection
- const result3 = await Runtime.evaluate({expression: 'var x = 123;' + userInput});
- } catch (err) {
- console.error(err);
- } finally {
- if (client) {
- await client.close();
- }
- }
-}
diff --git a/javascript/chrome-remote-interface/security/audit/chrome-remote-interface-evaluate-injection.yaml b/javascript/chrome-remote-interface/security/audit/chrome-remote-interface-evaluate-injection.yaml
deleted file mode 100644
index 51d52cc670..0000000000
--- a/javascript/chrome-remote-interface/security/audit/chrome-remote-interface-evaluate-injection.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-rules:
-- id: chrome-remote-interface-evaluate-injection
- message: >-
- this rule has been deprecated.
- metadata:
- owasp:
- - A10:2021 - Server-Side Request Forgery (SSRF)
- cwe:
- - 'CWE-918: Server-Side Request Forgery (SSRF)'
- category: security
- technology:
- - chrome-remote-interface
- references:
- - https://github.com/cyrus-and/chrome-remote-interface
- cwe2022-top25: true
- cwe2021-top25: true
- subcategory:
- - audit
- likelihood: LOW
- impact: LOW
- confidence: LOW
- languages:
- - javascript
- - typescript
- severity: INFO
- patterns:
- - pattern: a()
- - pattern: b()
diff --git a/javascript/chrome-remote-interface/security/audit/chrome-remote-interface-navigate-injection.js b/javascript/chrome-remote-interface/security/audit/chrome-remote-interface-navigate-injection.js
deleted file mode 100644
index 58a5c9e855..0000000000
--- a/javascript/chrome-remote-interface/security/audit/chrome-remote-interface-navigate-injection.js
+++ /dev/null
@@ -1,25 +0,0 @@
-const CDP = require('chrome-remote-interface');
-
-async function example(userInput) {
- let client;
- try {
- client = await CDP();
- const {Network, Page} = client;
- Network.requestWillBeSent((params) => {
- console.log(params.request.url);
- });
- await Network.enable();
- await Page.enable();
- // ok
- await Page.navigate({url: 'https://github.com'});
- // chrome-remote-interface-navigate-injection
- await Page.navigate({url: userInput});
- await Page.loadEventFired();
- } catch (err) {
- console.error(err);
- } finally {
- if (client) {
- await client.close();
- }
- }
-}
diff --git a/javascript/chrome-remote-interface/security/audit/chrome-remote-interface-navigate-injection.yaml b/javascript/chrome-remote-interface/security/audit/chrome-remote-interface-navigate-injection.yaml
deleted file mode 100644
index e9f27a605d..0000000000
--- a/javascript/chrome-remote-interface/security/audit/chrome-remote-interface-navigate-injection.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-rules:
-- id: chrome-remote-interface-navigate-injection
- message: >-
- this rule has been deprecated.
- metadata:
- owasp:
- - A10:2021 - Server-Side Request Forgery (SSRF)
- cwe:
- - 'CWE-918: Server-Side Request Forgery (SSRF)'
- category: security
- technology:
- - chrome-remote-interface
- references:
- - https://github.com/cyrus-and/chrome-remote-interface
- cwe2022-top25: true
- cwe2021-top25: true
- subcategory:
- - audit
- likelihood: LOW
- impact: LOW
- confidence: LOW
- languages:
- - javascript
- - typescript
- severity: INFO
- patterns:
- - pattern: a()
- - pattern: b()
diff --git a/javascript/chrome-remote-interface/security/audit/chrome-remote-interface-printtopdf-injection.js b/javascript/chrome-remote-interface/security/audit/chrome-remote-interface-printtopdf-injection.js
deleted file mode 100644
index da04a8442f..0000000000
--- a/javascript/chrome-remote-interface/security/audit/chrome-remote-interface-printtopdf-injection.js
+++ /dev/null
@@ -1,27 +0,0 @@
-const CDP = require('chrome-remote-interface');
-
-function example(userInput) {
-
- CDP(async (client) => {
- const {Page} = client;
- try {
- await Page.enable();
- await Page.navigate({url: 'https://github.com'});
- await Page.loadEventFired();
- // ok
- const result = await Page.printToPDF({landscape: true, printBackground: true, headerTemplate: '

Title

'}); - // chrome-remote-interface-printtopdf-injection - const result2 = await Page.printToPDF({landscape: true, printBackground: true, footerTemplate: userInput}); - // chrome-remote-interface-printtopdf-injection - const result3 = await Page.printToPDF({landscape: true, printBackground: true, headerTemplate: '

' + userInput + '

'}); - fs.writeFileSync('page.pdf', Buffer.from(data, 'base64')); - } catch (err) { - console.error(err); - } finally { - await client.close(); - } - }).on('error', (err) => { - console.error(err); - }); - -} diff --git a/javascript/chrome-remote-interface/security/audit/chrome-remote-interface-printtopdf-injection.yaml b/javascript/chrome-remote-interface/security/audit/chrome-remote-interface-printtopdf-injection.yaml deleted file mode 100644 index 2214f1b1fc..0000000000 --- a/javascript/chrome-remote-interface/security/audit/chrome-remote-interface-printtopdf-injection.yaml +++ /dev/null @@ -1,28 +0,0 @@ -rules: -- id: chrome-remote-interface-printtopdf-injection - message: >- - this rule has been deprecated. - metadata: - owasp: - - A10:2021 - Server-Side Request Forgery (SSRF) - cwe: - - 'CWE-918: Server-Side Request Forgery (SSRF)' - category: security - technology: - - chrome-remote-interface - references: - - https://github.com/cyrus-and/chrome-remote-interface - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - languages: - - javascript - - typescript - severity: INFO - patterns: - - pattern: a() - - pattern: b() diff --git a/javascript/chrome-remote-interface/security/audit/chrome-remote-interface-setdocumentcontent-injection.js b/javascript/chrome-remote-interface/security/audit/chrome-remote-interface-setdocumentcontent-injection.js deleted file mode 100644 index 857b59cb1f..0000000000 --- a/javascript/chrome-remote-interface/security/audit/chrome-remote-interface-setdocumentcontent-injection.js +++ /dev/null 
@@ -1,20 +0,0 @@
-const CDP = require('chrome-remote-interface');
-
-function example(userInput) {
- CDP(async (client) => {
- const {Page} = client;
- try {
- const {frameId} = await Page.navigate({url: 'about:blank'});
- const html = 'test';
- // ok
- await Page.setDocumentContent({frameId, html});
- // chrome-remote-interface-setdocumentcontent-injection
- await Page.setDocumentContent({frameId, html: userInput});
- } catch (err) {
- console.error(err);
- client.close();
- }
- }).on('error', (err) => {
- console.error(err);
- });
-}
diff --git a/javascript/chrome-remote-interface/security/audit/chrome-remote-interface-setdocumentcontent-injection.yaml b/javascript/chrome-remote-interface/security/audit/chrome-remote-interface-setdocumentcontent-injection.yaml
deleted file mode 100644
index 58a1ab755e..0000000000
--- a/javascript/chrome-remote-interface/security/audit/chrome-remote-interface-setdocumentcontent-injection.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-rules:
-- id: chrome-remote-interface-setdocumentcontent-injection
- message: >-
- this rule has been deprecated.
- metadata:
- owasp:
- - A10:2021 - Server-Side Request Forgery (SSRF)
- cwe:
- - 'CWE-918: Server-Side Request Forgery (SSRF)'
- category: security
- technology:
- - chrome-remote-interface
- references:
- - https://github.com/cyrus-and/chrome-remote-interface
- cwe2022-top25: true
- cwe2021-top25: true
- subcategory:
- - audit
- likelihood: LOW
- impact: LOW
- confidence: LOW
- languages:
- - javascript
- - typescript
- severity: INFO
- patterns:
- - pattern: a()
- - pattern: b()
diff --git a/javascript/dompurify.jsx b/javascript/dompurify.jsx
deleted file mode 100644
index 7399ec1f30..0000000000
--- a/javascript/dompurify.jsx
+++ /dev/null
@@ -1,31 +0,0 @@ -/* - * Control permitted attribute values - */ - -/** - * Influence the return-type - */ - -// return a DOM HTMLBodyElement instead of an HTML string (default is false) -// ok -var clean = DOMPurify.sanitize(dirty, {RETURN_DOM: true}); - -// return a DOM DocumentFragment instead of an HTML string (default is false) -// ok -var clean = DOMPurify.sanitize(dirty, {RETURN_DOM_FRAGMENT: true}); - -// return a DOM DocumentFragment instead of an HTML string (default is false) -// also import it into the current document (default is false). -// RETURN_DOM_IMPORT must be set if you would like to append -// the returned node to the current document -// ok -var clean = DOMPurify.sanitize(dirty, {RETURN_DOM_FRAGMENT: true, RETURN_DOM_IMPORT: true}); -document.body.appendChild(clean); - -// ok: harden-dompurify-usage -var yikes = DOMPurify.sanitize(dirty, {}) -document.body.innerHTML = yikes; - - -// ok: harden-dompurify-usage -dosomethingsketchy(DOMPurify.sanitize(dirty, {})); diff --git a/javascript/dompurify.yaml b/javascript/dompurify.yaml deleted file mode 100644 index 6c958e4510..0000000000 --- a/javascript/dompurify.yaml +++ /dev/null @@ -1,30 +0,0 @@ -rules: -- id: harden-dompurify-usage - message: >- - This rule has been deprecated. - metadata: - category: security - cwe: - - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" - technology: - - javascript - - typescript - references: - - https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/ - owasp: - - A07:2017 - Cross-Site Scripting (XSS) - - A03:2021 - Injection - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: MEDIUM - confidence: LOW - languages: - - javascript - - typescript - severity: ERROR - patterns: - - pattern: a() - - pattern: b() \ No newline at end of file 
diff --git a/javascript/jose/security/jwt-exposed-credentials.js b/javascript/jose/security/jwt-exposed-credentials.js deleted file mode 100644 index 0bd2632273..0000000000 --- a/javascript/jose/security/jwt-exposed-credentials.js +++ /dev/null @@ -1,70 +0,0 @@ -const jsonwt = require('jsonwebtoken') - -function example1 () { - - const token1 = jsonwt.sign({password: config}, 'secret', {some: 'params'}) -} - -function example2 () { - const payload = {one: 1, two: 2, password: "a"} - - const token1 = jsonwt.sign(payload, 'secret', {some: 'params'}) -} - -function example3 () { - let payload; - payload = {one: 1, two: 2, password: "a"} - - const token1 = jsonwt.sign(payload, 'secret', {some: 'params'}) -} - -function example4 () { - const payload = {} - payload.password = "a" - - const token1 = jsonwt.sign(payload, 'secret', {some: 'params'}) -} - -function example5 () { - const payload = Object.assign({password: 'bar'}, {bar: 123}, {one: 1, two: 2}) - - const token1 = jsonwt.sign(payload, 'secret', {some: 'params'}) -} - -function example6 () { - let payload; - payload = Object.assign({password: 'bar'}, {bar: 123}, {one: 1, two: 2}) - - const token1 = jsonwt.sign(payload, 'secret', {some: 'params'}) -} - -function example7 () { - - const token1 = jsonwt.sign(Object.assign({password: 'bar'}, {bar: 123}, {one: 1, two: 2}), 'secret', {some: 'params'}) -} - -function example8 () { - - const token1 = jsonwt.sign({user: {password: "123"}}, 'secret', {some: 'params'}) -} - -function example9 () { - const payload = {one: 1, two: 2, user: {password: "123"}} - - const token1 = jsonwt.sign(payload, 'secret', {some: 'params'}) -} - -function example10 () { - let payload; - payload = {one: 1, two: 2, user: {password: "123"}} - - const token1 = jsonwt.sign(payload, 'secret', {some: 'params'}) -} - -function example11 () { - const payload = {...} - payload.password = "123" - - const token1 = jsonwt.sign(payload, 'secret', {some: 'params'}) -} - 
diff --git a/javascript/jose/security/jwt-exposed-credentials.yaml b/javascript/jose/security/jwt-exposed-credentials.yaml
deleted file mode 100644
index 01fadb9ecb..0000000000
--- a/javascript/jose/security/jwt-exposed-credentials.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-rules:
-- id: jwt-exposed-credentials
- message: >-
- this rule has been deprecated.
- metadata:
- cwe:
- - 'CWE-798: Use of Hard-coded Credentials'
- references:
- - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
- owasp:
- - A07:2021 - Identification and Authentication Failures
- category: security
- technology:
- - jose
- - jwt
- cwe2022-top25: true
- cwe2021-top25: true
- subcategory:
- - audit
- likelihood: LOW
- impact: LOW
- confidence: LOW
- languages:
- - javascript
- - typescript
- severity: INFO
- patterns:
- - pattern: a()
- - pattern: b()
diff --git a/javascript/jsonwebtoken/security/jwt-exposed-credentials.js b/javascript/jsonwebtoken/security/jwt-exposed-credentials.js
deleted file mode 100644
index 0bd2632273..0000000000
--- a/javascript/jsonwebtoken/security/jwt-exposed-credentials.js
+++ /dev/null
@@ -1,70 +0,0 @@ -const jsonwt = require('jsonwebtoken') - -function example1 () { - - const token1 = jsonwt.sign({password: config}, 'secret', {some: 'params'}) -} - -function example2 () { - const payload = {one: 1, two: 2, password: "a"} - - const token1 = jsonwt.sign(payload, 'secret', {some: 'params'}) -} - -function example3 () { - let payload; - payload = {one: 1, two: 2, password: "a"} - - const token1 = jsonwt.sign(payload, 'secret', {some: 'params'}) -} - -function example4 () { - const payload = {} - payload.password = "a" - - const token1 = jsonwt.sign(payload, 'secret', {some: 'params'}) -} - -function example5 () { - const payload = Object.assign({password: 'bar'}, {bar: 123}, {one: 1, two: 2}) - - const token1 = jsonwt.sign(payload, 'secret', {some: 'params'}) -} - -function example6 () { - let payload; - payload = Object.assign({password: 'bar'}, {bar: 123}, {one: 1, two: 2}) - - const token1 = jsonwt.sign(payload, 'secret', {some: 'params'}) -} - -function example7 () { - - const token1 = jsonwt.sign(Object.assign({password: 'bar'}, {bar: 123}, {one: 1, two: 2}), 'secret', {some: 'params'}) -} - -function example8 () { - - const token1 = jsonwt.sign({user: {password: "123"}}, 'secret', {some: 'params'}) -} - -function example9 () { - const payload = {one: 1, two: 2, user: {password: "123"}} - - const token1 = jsonwt.sign(payload, 'secret', {some: 'params'}) -} - -function example10 () { - let payload; - payload = {one: 1, two: 2, user: {password: "123"}} - - const token1 = jsonwt.sign(payload, 'secret', {some: 'params'}) -} - -function example11 () { - const payload = {...} - payload.password = "123" - - const token1 = jsonwt.sign(payload, 'secret', {some: 'params'}) -} - diff --git a/javascript/jsonwebtoken/security/jwt-exposed-credentials.yaml b/javascript/jsonwebtoken/security/jwt-exposed-credentials.yaml deleted file mode 100644 index 36f63dfa18..0000000000 --- a/javascript/jsonwebtoken/security/jwt-exposed-credentials.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -rules: -- id: jwt-exposed-credentials - message: >- - this rule has been deprecated. - metadata: - cwe: - - 'CWE-798: Use of Hard-coded Credentials' - references: - - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html - owasp: - - A07:2021 - Identification and Authentication Failures - asvs: - section: 'V3: Session Management Verification Requirements' - control_id: 3.5.2 Static API keys or secret - control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management - version: '4' - category: security - technology: - - jwt - - secrets - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - languages: - - javascript - - typescript - severity: ERROR - patterns: - - pattern: a() - - pattern: b() diff --git a/javascript/lang/security/audit/detect-bracket-object-injection.js b/javascript/lang/security/audit/detect-bracket-object-injection.js deleted file mode 100644 index d054385d59..0000000000 --- a/javascript/lang/security/audit/detect-bracket-object-injection.js +++ /dev/null @@ -1,27 +0,0 @@ -const { CONSTANTS, SOME_MAP } = ModuleImport; - -const fieldName = CONSTANTS.A_VALUE; -const someOtherField = "FOO"; -const validations = SOME_MAP[fieldName]; - -const validate = function() { - const field = formData[fieldName]; - if (field !== undefined) { - return ValidationManager.validateField(fieldName, field.value, validations); - } - const badField = formData[formData["foo"]]; - const goodField = formData[someOtherField]; - const someField = formData["bar"] - const email = formData.split("@")[0]; - const email = formData.split("@")[0 + a]; - const email = formData.split("@")[a + 0]; - return { - name: fieldName, - value: '', - error: '', - }; -}; - -export default { - validate, -}; 
diff --git a/javascript/lang/security/audit/detect-bracket-object-injection.yaml b/javascript/lang/security/audit/detect-bracket-object-injection.yaml deleted file mode 100644 index 78b857b79c..0000000000 --- a/javascript/lang/security/audit/detect-bracket-object-injection.yaml +++ /dev/null @@ -1,29 +0,0 @@ -rules: -- id: detect-bracket-object-injection - message: >- - This rule is deprecated. - metadata: - category: security - technology: - - javascript - cwe: - - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm' - owasp: - - A03:2017 - Sensitive Data Exposure - - A02:2021 - Cryptographic Failures - references: - - https://github.com/nodesecurity/eslint-plugin-security/issues/21 - - https://github.com/nodesecurity/eslint-plugin-security#rules - deprecated: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - languages: - - javascript - - typescript - severity: INFO - patterns: - - pattern: a() - - pattern: b() diff --git a/javascript/lang/security/audit/non-constant-sql-query.js b/javascript/lang/security/audit/non-constant-sql-query.js deleted file mode 100644 index ee4885c7aa..0000000000 --- a/javascript/lang/security/audit/non-constant-sql-query.js +++ /dev/null 
@@ -1,69 +0,0 @@ -/* - * Copyright (c) 2014-2020 Bjoern Kimminich. - * SPDX-License-Identifier: MIT - */ - -const utils = require('../lib/utils') -const models = require('../models/index') -const challenges = require('../data/datacache').challenges - -function okTest() { -// non-constant-sql-query -nock('https://api.url.com') - .get('/endpoint') - .query({ limit: '100' }) -} - -module.exports = function searchProducts () { - return (req, res, next) => { - let criteria = req.query.q === 'undefined' ? '' : req.query.q || '' - criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200) - // non-constant-sql-query - models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) - .then(([products]) => { - const dataString = JSON.stringify(products) - if (utils.notSolved(challenges.unionSqlInjectionChallenge)) { - let solved = true - models.User.findAll().then(data => { - const users = utils.queryResultToJson(data) - if (users.data && users.data.length) { - for (let i = 0; i < users.data.length; i++) { - solved = solved && utils.containsOrEscaped(dataString, users.data[i].email) && utils.contains(dataString, users.data[i].password) - if (!solved) { - break - } - } - if (solved) { - utils.solve(challenges.unionSqlInjectionChallenge) - } - } - }) - } - if (utils.notSolved(challenges.dbSchemaChallenge)) { - let solved = true - // non-constant-sql-query - models.sequelize.query('SELECT sql FROM sqlite_master').then(([data]) => { - const tableDefinitions = utils.queryResultToJson(data) - if (tableDefinitions.data && tableDefinitions.data.length) { - for (let i = 0; i < tableDefinitions.data.length; i++) { - solved = solved && utils.containsOrEscaped(dataString, tableDefinitions.data[i].sql) - if (!solved) { - break - } - } - if (solved) { - utils.solve(challenges.dbSchemaChallenge) - } - } - }) - } - for (let i = 0; i < products.length; i++) { - products[i].name = 
req.__(products[i].name) - products[i].description = req.__(products[i].description) - } - res.json(utils.queryResultToJson(products)) - }).catch(error => { - next(error) - }) - } -} diff --git a/javascript/lang/security/audit/non-constant-sql-query.yaml b/javascript/lang/security/audit/non-constant-sql-query.yaml deleted file mode 100644 index 91e1dc84bc..0000000000 --- a/javascript/lang/security/audit/non-constant-sql-query.yaml +++ /dev/null @@ -1,30 +0,0 @@ -rules: -- id: non-constant-sql-query - message: >- - This rule has been deprecated. - It duplicates `javascript/sequelize/security/audit/sequelize-raw-query` rule. - metadata: - owasp: - - A01:2017 - Injection - - A03:2021 - Injection - cwe: - - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" - category: security - technology: - - sequelize - references: - - https://sequelize.org/docs/v6/core-concepts/raw-queries/ - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - languages: - - javascript - - typescript - severity: INFO - patterns: - - pattern: a() - - pattern: b() diff --git a/javascript/lang/security/audit/prototype-pollution/prototype-pollution-function.js b/javascript/lang/security/audit/prototype-pollution/prototype-pollution-function.js deleted file mode 100644 index 2e4464e477..0000000000 --- a/javascript/lang/security/audit/prototype-pollution/prototype-pollution-function.js +++ /dev/null 
@@ -1,44 +0,0 @@ -const merge1 = (dst, src) => { - for (let key in src) { - if (!src.hasOwnProperty(key)) continue; - if (isObject(dst[key])) { - merge1(dst[key], src[key]); - } else { - dst[key] = src[key]; - } - } -} - -function merge2(dst, src) { - for (let key in src) { - if (!src.hasOwnProperty(key)) continue; - if (isObject(dst[key])) { - merge2(dst[key], src[key]); - } else { - dst[key] = src[key]; - } - } -} - -function okMerge1(dst, src) { - for (let key in src) { - if (!src.hasOwnProperty(key)) continue; - if (dst.hasOwnProperty(key) && isObject(dst[key])) { - okMerge1(dst[key], src[key]); - } else { - dst[key] = src[key]; - } - } -} - -function okMerge2(dst, src) { - for (let key in src) { - if (!src.hasOwnProperty(key)) continue; - if (key === "__proto__" || key === "constructor") continue; - if (isObject(dst[key])) { - okMerge2(dst[key], src[key]); - } else { - dst[key] = src[key]; - } - } -} diff --git a/javascript/lang/security/audit/prototype-pollution/prototype-pollution-function.yaml b/javascript/lang/security/audit/prototype-pollution/prototype-pollution-function.yaml deleted file mode 100644 index 172d905f19..0000000000 --- a/javascript/lang/security/audit/prototype-pollution/prototype-pollution-function.yaml +++ /dev/null @@ -1,27 +0,0 @@ -rules: -- id: prototype-pollution-function - message: >- - This rule is deprecated. - metadata: - cwe: - - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes' - category: security - references: - - https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf - technology: - - javascript - owasp: - - A08:2021 - Software and Data Integrity Failures - deprecated: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - languages: - - javascript - - typescript - severity: WARNING - patterns: - - pattern: a() - - pattern: b() 
diff --git a/javascript/lang/security/audit/vm-injection.js b/javascript/lang/security/audit/vm-injection.js deleted file mode 100644 index eb7178b2ea..0000000000 --- a/javascript/lang/security/audit/vm-injection.js +++ /dev/null 
@@ -1,133 +0,0 @@ -const vm = require('vm') -const { runInContext } = require('vm') - -function test1(userInput) { - var input = userInput.something || '' - var sandbox = { - foo: input - } - vm.createContext(sandbox) - //ruleid: vm-runincontext-context-injection - vm.runInContext('safeEval(orderLinesData)', sandbox, { timeout: 2000 }) -} - -foo(function(userInput) { - var sandbox = { - foo: userInput - } - vm.createContext(sandbox) - //ruleid: vm-runincontext-context-injection - runInContext('safeEval(orderLinesData)', sandbox, { timeout: 2000 }) -}) - -function testOk1(userInput) { - var sandbox = { - foo: 1 - } - vm.createContext(sandbox) - vm.runInContext('safeEval(orderLinesData)', sandbox, { timeout: 2000 }) -} - -function test2(userInput) { - var input = userInput.something || '' - var sandbox = { - foo: input - } - //ruleid: vm-runincontext-context-injection - vm.runInNewContext('safeEval(orderLinesData)', sandbox, { timeout: 2000 }) -} - -foo(function(userInput) { - var sandbox = { - foo: userInput - } - //ruleid: vm-runincontext-context-injection - vm.runInNewContext('safeEval(orderLinesData)', sandbox, { timeout: 2000 }) -}) - -function testOk1(userInput) { - var sandbox = { - foo: 1 - } - vm.runInNewContext('safeEval(orderLinesData)', sandbox, { timeout: 2000 }) -} - -function test3(userInput) { - const code = ` - var x = ${userInput}; - ` - //ruleid: vm-runincontext-context-injection - vm.runInThisContext(code) -} - -function okTest3(userInput) { - const code = ` - var x = 1; - ` - vm.runInThisContext(code) -} - -function test4(userInput) { - const parsingContext = vm.createContext({ name: 'world' }) - const code = `return 'hello ' + ${userInput}` - //ruleid: vm-runincontext-context-injection - const fn = vm.compileFunction(code, [], { parsingContext }) -} - -function okTest4(userInput) { - const parsingContext = vm.createContext({ name: 'world' }) - const code = `return 'hello ' + name` - const fn = vm.compileFunction(code, [], { parsingContext }) -} 
- -function test5(userInput) { - const context = vm.createContext({ name: userInput }) - const code = `return 'hello ' name` - //ruleid: vm-runincontext-context-injection - const fn = vm.compileFunction(code, [], { parsingContext: context }) -} - -function okTest5(userInput) { - const parsingContext = vm.createContext({ name: 'world' }) - const code = `return 'hello ' + name` - const fn = vm.compileFunction(code, [], { parsingContext }) -} - -function test6(userInput) { - //ruleid: vm-runincontext-context-injection - const script = new vm.Script(` - function add(a, b) { - return a + ${userInput}; - } - const x = add(1, 2); - `); - - script.runInThisContext(); -} - -function okTest6(userInput) { - const script = new vm.Script(` - function add(a, b) { - return a + b; - } - const x = add(1, 2); - `); - - script.runInThisContext(); -} - -async function test6(userInput) { - const contextifiedObject = vm.createContext({ secret: 42 }); - - const module = new vm.SourceTextModule( - //ruleid: vm-runincontext-context-injection - `Object.getPrototypeOf(import.meta.prop).secret = ${userInput};`, - { - initializeImportMeta(meta) { - meta.prop = {}; - } - }); - await module.link(() => { }); - await module.evaluate(); -} - diff --git a/javascript/lang/security/audit/vm-injection.yaml b/javascript/lang/security/audit/vm-injection.yaml deleted file mode 100644 index 05e50dffe2..0000000000 --- a/javascript/lang/security/audit/vm-injection.yaml +++ /dev/null 
@@ -1,282 +0,0 @@ -rules: - - id: vm-runincontext-context-injection - message: >- - Make sure that unverified user data can not reach vm.runInContext. - severity: WARNING - languages: - - javascript - - typescript - metadata: - owasp: - - A03:2021 - Injection - cwe: - - "CWE-94: Improper Control of Generation of Code ('Code Injection')" - category: security - technology: - - javascript - references: - - https://nodejs.org/dist/latest-v16.x/docs/api/vm.html - cwe2022-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - mode: taint - pattern-sources: - - patterns: - - pattern-inside: function ... (..., $ARG,...) {...} - - focus-metavariable: $ARG - pattern-sinks: - - patterns: - - pattern-either: - - pattern-inside: | - $VM = require('vm') - ... - - pattern-inside: | - import * as $VM from 'vm' - ... - - pattern-inside: | - import $VM from 'vm' - ... - - pattern-either: - - pattern: $VM.runInContext($CODE,$INPUT,...) - - pattern: $VM.runInContext($INPUT,...) - - pattern: $VM.runInNewContext($CODE,$INPUT,...) - - pattern: $VM.runInNewContext($INPUT,...) - - pattern: $VM.runInThisContext($INPUT,...) - - pattern: $VM.compileFunction($INPUT,...) - - pattern: | - $VM.compileFunction($CODE,$PARAMS,{parsingContext: $INPUT},...) - - pattern: | - $OPTS = {parsingContext: $INPUT}; - ... - $VM.compileFunction($CODE,$PARAMS,$OPTS,...) - - pattern: new $VM.Script($INPUT,...) - - pattern: new $VM.SourceTextModule($INPUT,...) - - focus-metavariable: $INPUT - - patterns: - - pattern-either: - - pattern: vm.runInContext($CODE,$INPUT,...) - - pattern: vm.runInContext($INPUT,...) - - pattern: vm.runInNewContext($CODE,$INPUT,...) - - pattern: vm.runInNewContext($INPUT,...) - - pattern: vm.runInThisContext($INPUT,...) - - pattern: vm.compileFunction($INPUT,...) - - pattern: | - vm.compileFunction($CODE,$PARAMS,{parsingContext: $INPUT},...) - - pattern: | - $OPTS = {parsingContext: $INPUT}; - ... - vm.compileFunction($CODE,$PARAMS,$OPTS,...) 
- - pattern: new vm.Script($INPUT,...) - - pattern: new vm.SourceTextModule($INPUT,...) - - focus-metavariable: $INPUT - - id: vm-runinnewcontext-context-injection - message: >- - this rule has been deprecated. - severity: INFO - languages: - - javascript - - typescript - metadata: - owasp: - - A03:2021 - Injection - cwe: - - "CWE-94: Improper Control of Generation of Code ('Code Injection')" - category: security - technology: - - javascript - references: - - https://nodejs.org/dist/latest-v16.x/docs/api/vm.html - cwe2022-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - patterns: - - pattern: a() - - pattern: b() - - id: vm-compilefunction-context-injection - message: >- - this rule has been deprecated. - severity: INFO - languages: - - javascript - - typescript - metadata: - owasp: - - A03:2021 - Injection - cwe: - - "CWE-94: Improper Control of Generation of Code ('Code Injection')" - category: security - technology: - - javascript - references: - - https://nodejs.org/dist/latest-v16.x/docs/api/vm.html - cwe2022-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - patterns: - - pattern: a() - - pattern: b() - - id: vm-script-code-injection - message: >- - this rule has been deprecated. - severity: INFO - languages: - - javascript - - typescript - metadata: - owasp: - - A03:2021 - Injection - cwe: - - "CWE-94: Improper Control of Generation of Code ('Code Injection')" - category: security - technology: - - javascript - references: - - https://nodejs.org/dist/latest-v16.x/docs/api/vm.html - cwe2022-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - patterns: - - pattern: a() - - pattern: b() - - id: vm-sourcetextmodule-code-injection - message: >- - this rule has been deprecated. 
- severity: INFO - languages: - - javascript - - typescript - metadata: - owasp: - - A03:2021 - Injection - cwe: - - "CWE-94: Improper Control of Generation of Code ('Code Injection')" - category: security - technology: - - javascript - references: - - https://nodejs.org/dist/latest-v16.x/docs/api/vm.html - cwe2022-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - patterns: - - pattern: a() - - pattern: b() - - id: vm-runincontext-code-injection - message: >- - this rule has been deprecated. - severity: INFO - languages: - - javascript - - typescript - metadata: - owasp: - - A03:2021 - Injection - cwe: - - "CWE-94: Improper Control of Generation of Code ('Code Injection')" - category: security - technology: - - javascript - references: - - https://nodejs.org/dist/latest-v16.x/docs/api/vm.html - cwe2022-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - patterns: - - pattern: a() - - pattern: b() - - id: vm-runinnewcontext-code-injection - message: >- - this rule has been deprecated. - severity: INFO - languages: - - javascript - - typescript - metadata: - owasp: - - A03:2021 - Injection - cwe: - - "CWE-94: Improper Control of Generation of Code ('Code Injection')" - category: security - technology: - - javascript - references: - - https://nodejs.org/dist/latest-v16.x/docs/api/vm.html - cwe2022-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - patterns: - - pattern: a() - - pattern: b() - - id: vm-runinthiscontext-code-injection - message: >- - this rule has been deprecated. 
- severity: INFO - languages: - - javascript - - typescript - metadata: - owasp: - - A03:2021 - Injection - cwe: - - "CWE-94: Improper Control of Generation of Code ('Code Injection')" - category: security - technology: - - javascript - references: - - https://nodejs.org/dist/latest-v16.x/docs/api/vm.html - cwe2022-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - patterns: - - pattern: a() - - pattern: b() - - id: vm-compilefunction-code-injection - message: >- - this rule has been deprecated. - severity: INFO - languages: - - javascript - - typescript - metadata: - owasp: - - A03:2021 - Injection - cwe: - - "CWE-94: Improper Control of Generation of Code ('Code Injection')" - category: security - technology: - - javascript - references: - - https://nodejs.org/dist/latest-v16.x/docs/api/vm.html - cwe2022-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - patterns: - - pattern: a() - - pattern: b() diff --git a/javascript/lang/security/detect-non-literal-require.js b/javascript/lang/security/detect-non-literal-require.js deleted file mode 100644 index 50c981da77..0000000000 --- a/javascript/lang/security/detect-non-literal-require.js +++ /dev/null @@ -1,8 +0,0 @@ -// detect-non-literal-require -var a = require('b') - -// detect-non-literal-require -var a = require(process.env.VAR) - -// detect-non-literal-require -var a = require(c) diff --git a/javascript/lang/security/detect-non-literal-require.yaml b/javascript/lang/security/detect-non-literal-require.yaml deleted file mode 100644 index b25340d414..0000000000 --- a/javascript/lang/security/detect-non-literal-require.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -rules: -- id: detect-non-literal-require - message: >- - This rule is deprecated. - metadata: - cwe: - - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')" - owasp: - - A03:2021 - Injection - source-rule-url: https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-non-literal-require.js - references: - - https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-non-literal-require.js - category: security - technology: - - javascript - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - languages: - - javascript - - typescript - severity: WARNING - patterns: - - pattern: a() - - pattern: b() diff --git a/php/lang/security/preg-replace-eval.php b/php/lang/security/preg-replace-eval.php deleted file mode 100644 index 0d55c157a0..0000000000 --- a/php/lang/security/preg-replace-eval.php +++ /dev/null @@ -1,15 +0,0 @@ -- - This rule has been deprecated, see https://github.com/returntocorp/semgrep-rules/issues/2506. - metadata: - cwe: - - "CWE-94: Improper Control of Generation of Code ('Code Injection')" - references: - - https://www.php.net/manual/en/function.preg-replace.php - - https://www.php.net/manual/en/reference.pcre.pattern.modifiers.php - - https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/PregReplaceSniff.php - category: security - deprecated: true - technology: - - php - owasp: - - A03:2021 - Injection - cwe2022-top25: true - subcategory: - - audit - likelihood: LOW - impact: HIGH - confidence: LOW - languages: [php] - severity: ERROR diff --git a/python/django/security/audit/django-ratelimit/missing-ratelimit.py b/python/django/security/audit/django-ratelimit/missing-ratelimit.py deleted file mode 100644 index 8656fe3f71..0000000000 --- a/python/django/security/audit/django-ratelimit/missing-ratelimit.py +++ /dev/null 
@@ -1,16 +0,0 @@ -from ratelimit.decorators import ratelimit - -def missing_view(request): - pass - -@csrf_exempt -def other_decorator(request): - pass - -@ratelimit(key=’user’, rate=’10/s’) -def my_view(request): - pass - -@ratelimit(key='ip', rate='100/h') -def secondview(request): - pass diff --git a/python/django/security/audit/django-ratelimit/missing-ratelimit.yaml b/python/django/security/audit/django-ratelimit/missing-ratelimit.yaml deleted file mode 100644 index 6c2409afd2..0000000000 --- a/python/django/security/audit/django-ratelimit/missing-ratelimit.yaml +++ /dev/null @@ -1,26 +0,0 @@ -rules: -- id: missing-ratelimit - patterns: - - pattern: a() - - pattern: b() - message: >- - This rule is deprecated. - metadata: - owasp: - - A06:2017 - Security Misconfiguration - cwe: - - 'CWE-400: Uncontrolled Resource Consumption' - references: - - https://github.com/jsocol/django-ratelimit/blob/main/docs/index.rst#quickstart - category: security - technology: - - django - deprecated: true - cwe2022-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - severity: INFO - languages: [python] diff --git a/python/django/security/audit/xss/template-translate-no-escape.html b/python/django/security/audit/xss/template-translate-no-escape.html deleted file mode 100644 index 81dcc2b8e3..0000000000 --- a/python/django/security/audit/xss/template-translate-no-escape.html +++ /dev/null @@ -1,12 +0,0 @@ -{% translate "This is the title." %} -{% translate myvar %} -{% trans foobar %} - -{% translate "This is the title" as the_title %} -{{ the_title | force_escape }} - -
- {% filter force_escape %} - {% translate "This is the title." %} - {% endfilter %} -
diff --git a/python/django/security/audit/xss/template-translate-no-escape.yaml b/python/django/security/audit/xss/template-translate-no-escape.yaml deleted file mode 100644 index 39b8d38a9a..0000000000 --- a/python/django/security/audit/xss/template-translate-no-escape.yaml +++ /dev/null @@ -1,29 +0,0 @@ -rules: -- id: template-translate-no-escape - languages: [generic] - severity: INFO - message: >- - This rule is deprecated. It will no longer produce findings. - patterns: - - pattern: a() - - pattern: b() - metadata: - cwe: - - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" - owasp: - - A07:2017 - Cross-Site Scripting (XSS) - - A03:2021 - Injection - references: - - https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates - - https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code - category: security - technology: - - django - deprecated: true - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW diff --git a/python/lang/security/audit/dangerous-subprocess-use.py b/python/lang/security/audit/dangerous-subprocess-use.py deleted file mode 100644 index 65747c742f..0000000000 --- a/python/lang/security/audit/dangerous-subprocess-use.py +++ /dev/null @@ -1,3 +0,0 @@ -# The rule is deprecated. -# This file exists only to satisfy test suites that expect one test target -# per rule. diff --git a/python/lang/security/audit/dangerous-subprocess-use.yaml b/python/lang/security/audit/dangerous-subprocess-use.yaml deleted file mode 100644 index 68fac5039c..0000000000 --- a/python/lang/security/audit/dangerous-subprocess-use.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -rules: -- id: dangerous-subprocess-use - patterns: - - pattern: a() - - pattern: b() - message: >- - This rule is deprecated. It will no longer produce findings. - metadata: - owasp: - - A01:2017 - Injection - - A03:2021 - Injection - cwe: - - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" - asvs: - section: 'V5: Validation, Sanitization and Encoding Verification Requirements' - control_id: 5.3.8 OS Command Injection - control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements - version: '4' - references: - - https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess - - https://docs.python.org/3/library/subprocess.html - - https://docs.python.org/3/library/shlex.html - - https://semgrep.dev/docs/cheat-sheets/python-command-injection/ - category: security - technology: - - python - confidence: LOW - deprecated: true - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: HIGH - languages: [python] - severity: INFO diff --git a/python/lang/security/unquoted-csv-writer.py b/python/lang/security/unquoted-csv-writer.py deleted file mode 100644 index c4049c6a5a..0000000000 --- a/python/lang/security/unquoted-csv-writer.py +++ /dev/null @@ -1,7 +0,0 @@ -import csv - -csv.writer(csvfile, delimiter=',', quotechar='"') -csv.writer(csvfile, delimiter=',', quotechar='"', quoting=csv.QUOTE_ALL) -csv.writer(csvfile, delimiter=',', quotechar='"', quoting=1) -csv.writer(csvfile, dialect='unix') -csv.writer(csvfile, dialect=csv.unix_dialect) diff --git a/python/lang/security/unquoted-csv-writer.yaml b/python/lang/security/unquoted-csv-writer.yaml deleted file mode 100644 index 2deb4ed24d..0000000000 --- a/python/lang/security/unquoted-csv-writer.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -rules: -- id: unquoted-csv-writer - patterns: - - pattern: a() - - pattern: b() - message: >- - This rule is deprecated. - metadata: - cwe: - - 'CWE-1236: Improper Neutralization of Formula Elements in a CSV File' - owasp: A01:2017 - Injection - references: - - https://github.com/returntocorp/semgrep-rules/issues/2351 - category: security - technology: - - python - deprecated: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - fix-regex: - regex: (.*)\) - replacement: \1, quoting=csv.QUOTE_ALL) - languages: [python] - severity: ERROR diff --git a/ruby/lang/security/jruby-xml.rb b/ruby/lang/security/jruby-xml.rb deleted file mode 100644 index 7761979a66..0000000000 --- a/ruby/lang/security/jruby-xml.rb +++ /dev/null @@ -1,11 +0,0 @@ -include ActiveSupport - - def bad_xml - XmlMini.backend = 'JDOM' - - XmlMini.backend = 'LibXMLSAX' - end - - def ok_xml - XmlMini.backend = 'REXML' - end diff --git a/ruby/lang/security/jruby-xml.yaml b/ruby/lang/security/jruby-xml.yaml deleted file mode 100644 index 80376cdc2d..0000000000 --- a/ruby/lang/security/jruby-xml.yaml +++ /dev/null @@ -1,27 +0,0 @@ -rules: -- id: jruby-xml - patterns: - - pattern: a() - - pattern: b() - message: This rule is deprecated. - metadata: - cwe: - - 'CWE-611: Improper Restriction of XML External Entity Reference' - references: - - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_jruby_xml.rb - category: security - technology: - - ruby - owasp: - - A04:2017 - XML External Entities (XXE) - - A05:2021 - Security Misconfiguration - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: MEDIUM - confidence: LOW - languages: - - ruby - severity: WARNING diff --git a/ruby/lang/security/json-encoding.rb b/ruby/lang/security/json-encoding.rb deleted file mode 100644 index 2831eeadd9..0000000000 --- a/ruby/lang/security/json-encoding.rb +++ /dev/null 
@@ -1,8 +0,0 @@ - def bad_json_encoding - params[:User].to_json - JSON.encode(params[:User]).html_safe - end - - def ok_xml - "hello".to_json - end diff --git a/ruby/lang/security/json-encoding.yaml b/ruby/lang/security/json-encoding.yaml deleted file mode 100644 index aa619c9656..0000000000 --- a/ruby/lang/security/json-encoding.yaml +++ /dev/null @@ -1,28 +0,0 @@ -rules: -- id: json-encoding - message: This rule is deprecated. - metadata: - cwe: - - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" - owasp: - - A07:2017 - Cross-Site Scripting (XSS) - - A03:2021 - Injection - references: - - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_json_encoding.rb - - https://groups.google.com/g/rubyonrails-security/c/7VlB_pck3hU/m/3QZrGIaQW6cJ - category: security - technology: - - ruby - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - vuln - likelihood: HIGH - impact: MEDIUM - confidence: LOW - languages: - - ruby - severity: WARNING - patterns: - - pattern: a() - - pattern: b() diff --git a/ruby/lang/security/model-attributes-attr-protected.rb b/ruby/lang/security/model-attributes-attr-protected.rb deleted file mode 100644 index f29422595e..0000000000 --- a/ruby/lang/security/model-attributes-attr-protected.rb +++ /dev/null @@ -1,13 +0,0 @@ -class Bad_use_attr_protected - attr_protected :admin - - public :sanitize_for_mass_assignment -end - -class Ok_use_attr_protected - include ActiveModel::MassAssignmentSecurity - attr_accessible :name, :email - attr_accessible :name, :email, :admin, :as => :admin - - public :sanitize_for_mass_assignment -end diff --git a/ruby/lang/security/model-attributes-attr-protected.yaml b/ruby/lang/security/model-attributes-attr-protected.yaml deleted file mode 100644 index 938f867336..0000000000 --- a/ruby/lang/security/model-attributes-attr-protected.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -rules: -- id: model-attributes-attr-protected - message: This rule is deprecated. - metadata: - cwe: - - 'CWE-284: Improper Access Control' - references: - - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_model_attributes.rb - - https://groups.google.com/g/rubyonrails-security/c/AFBKNY7VSH8/discussion - category: security - technology: - - ruby - owasp: - - A05:2017 - Broken Access Control - - A01:2021 - Broken Access Control - subcategory: - - audit - likelihood: LOW - impact: HIGH - confidence: LOW - languages: - - ruby - severity: WARNING - patterns: - - pattern: a() - - pattern: b() diff --git a/ruby/lang/security/nested-attributes-bypass.rb b/ruby/lang/security/nested-attributes-bypass.rb deleted file mode 100644 index 8e4f8519ad..0000000000 --- a/ruby/lang/security/nested-attributes-bypass.rb +++ /dev/null @@ -1,12 +0,0 @@ -def bad_nested_attributes_bypass - accepts_nested_attributes_for allow_destroy: false - - accepts_nested_attributes_for :avatar, :book, allow_destroy: false - - accepts_nested_attributes_for :avatar, :book, allow_destroy: false, :name -end - -def ok_nested_attributes_bypass - has_one :avatar - accepts_nested_attributes_for :avatar, allow_destroy: true -end diff --git a/ruby/lang/security/nested-attributes-bypass.yaml b/ruby/lang/security/nested-attributes-bypass.yaml deleted file mode 100644 index 1f74ff32b2..0000000000 --- a/ruby/lang/security/nested-attributes-bypass.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -rules: -- id: nested-attributes-bypass - message: This rule is deprecated. - metadata: - cwe: - - 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes' - references: - - https://groups.google.com/g/rubyonrails-security/c/cawsWcQ6c8g/m/tegZtYdbFQAJ - - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_nested_attributes_bypass.rb - category: security - technology: - - ruby - owasp: - - A08:2021 - Software and Data Integrity Failures - subcategory: - - audit - likelihood: LOW - impact: MEDIUM - confidence: LOW - languages: - - ruby - severity: WARNING - patterns: - - pattern: a() - - pattern: b() diff --git a/ruby/lang/security/nested-attributes.rb b/ruby/lang/security/nested-attributes.rb deleted file mode 100644 index 415fefc698..0000000000 --- a/ruby/lang/security/nested-attributes.rb +++ /dev/null @@ -1,11 +0,0 @@ -class Bad_use_nested_attrs - has_one :author - has_many :pages - - accepts_nested_attributes_for :author, :pages -end - -class Ok_use_nested_attrs - has_one :author - has_many :pages -end diff --git a/ruby/lang/security/nested-attributes.yaml b/ruby/lang/security/nested-attributes.yaml deleted file mode 100644 index 94ce6ff44d..0000000000 --- a/ruby/lang/security/nested-attributes.yaml +++ /dev/null @@ -1,27 +0,0 @@ -rules: -- id: nested-attributes - message: This rule is deprecated. - metadata: - cwe: - - 'CWE-20: Improper Input Validation' - references: - - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_nested_attributes.rb - - https://groups.google.com/g/rubyonrails-security/c/-fkT0yja_gw/discussion - category: security - technology: - - ruby - owasp: - - A03:2021 - Injection - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: MEDIUM - confidence: LOW - languages: - - ruby - severity: WARNING - patterns: - - pattern: a() - - pattern: b() 
diff --git a/ruby/lang/security/timing-attack.rb b/ruby/lang/security/timing-attack.rb deleted file mode 100644 index 12a32b62ee..0000000000 --- a/ruby/lang/security/timing-attack.rb +++ /dev/null @@ -1,4 +0,0 @@ -class Timing_attack - http_basic_authenticate_with name: "Chris", password: "LimpBizkitRules420" - http_basic_authenticate_with :name => ENV["NAME"], :password => ENV["PASSWORD"] -end diff --git a/ruby/lang/security/timing-attack.yaml b/ruby/lang/security/timing-attack.yaml deleted file mode 100644 index fdc95f22f9..0000000000 --- a/ruby/lang/security/timing-attack.yaml +++ /dev/null @@ -1,23 +0,0 @@ -rules: -- id: timing-attack - message: This rule is deprecated. - metadata: - cwe: - - 'CWE-208: Observable Timing Discrepancy' - references: - - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_basic_auth_timing_attack.rb - - https://groups.google.com/g/rubyonrails-security/c/ANv0HDHEC3k/m/mt7wNGxbFQAJ - category: security - technology: - - ruby - subcategory: - - audit - likelihood: LOW - impact: MEDIUM - confidence: LOW - languages: - - ruby - severity: ERROR - patterns: - - pattern: a() - - pattern: b() diff --git a/ruby/lang/security/yaml-parsing.rb b/ruby/lang/security/yaml-parsing.rb deleted file mode 100644 index bcd0ab6df6..0000000000 --- a/ruby/lang/security/yaml-parsing.rb +++ /dev/null @@ -1,6 +0,0 @@ -# cf. https://github.com/presidentbeef/brakeman/blob/v3.6.2/test/apps/rails_with_xss_plugin/config/initializers/yaml_parsing.rb - -ActionController::Base.param_parsers[Mime::YAML] = :yaml - -ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete('symbol') -ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete('yaml') diff --git a/ruby/lang/security/yaml-parsing.yaml b/ruby/lang/security/yaml-parsing.yaml deleted file mode 100644 index 7ad80277ef..0000000000 --- a/ruby/lang/security/yaml-parsing.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -rules: -- id: yaml-parsing - message: This rule is deprecated. - severity: WARNING - languages: - - ruby - patterns: - - pattern: a() - - pattern: b() - metadata: - cwe: - - "CWE-94: Improper Control of Generation of Code ('Code Injection')" - category: security - technology: - - ruby - owasp: - - A03:2021 - Injection - references: - - https://owasp.org/Top10/A03_2021-Injection - cwe2022-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW diff --git a/ruby/rails/security/audit/dynamic-finders.rb b/ruby/rails/security/audit/dynamic-finders.rb deleted file mode 100644 index 7ca76c43be..0000000000 --- a/ruby/rails/security/audit/dynamic-finders.rb +++ /dev/null @@ -1,15 +0,0 @@ -def bad1 - User.find_by_token(params[:user][:token]) -end - -def bad2 - Record.find_by_password(params[:record][:password]) -end - -def ok1 - Record.find_by_name(params[:record][:password]) -end - -def ok2 - PostItemCategory.create!(item: Item.find_by(item_number: 633)) -end diff --git a/ruby/rails/security/audit/dynamic-finders.yaml b/ruby/rails/security/audit/dynamic-finders.yaml deleted file mode 100644 index f863efbd13..0000000000 --- a/ruby/rails/security/audit/dynamic-finders.yaml +++ /dev/null @@ -1,27 +0,0 @@ -rules: -- id: dynamic-finders - metadata: - owasp: - - A01:2017 - Injection - - A03:2021 - Injection - cwe: - - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" - source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_dynamic_finders.rb - category: security - technology: - - rails - references: - - https://owasp.org/Top10/A03_2021-Injection - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - vuln - likelihood: HIGH - impact: MEDIUM - confidence: LOW - message: This rule is deprecated. - languages: [ruby] - severity: WARNING - patterns: - - pattern: a() - - pattern: b() 
diff --git a/ruby/rails/security/audit/mail-to-erb.erb b/ruby/rails/security/audit/mail-to-erb.erb deleted file mode 100644 index ce4ed8823b..0000000000 --- a/ruby/rails/security/audit/mail-to-erb.erb +++ /dev/null @@ -1,6 +0,0 @@ -<%= mail_to user.email, user.name, :encode => :javascript %> -<%= mail_to user.email, user.name, :encode => :javascript, :replace_at => :_at_ %> -<%= mail_to user.email, user.name, :encode => :hex %> -<%= mail_to escape_javascript(user.email), -escape_javascript(user.name), :encode => :javascript %> -<%= mail_to "domain", "email", :encode => :javascript %> diff --git a/ruby/rails/security/audit/mail-to-erb.yaml b/ruby/rails/security/audit/mail-to-erb.yaml deleted file mode 100644 index dcbf92564b..0000000000 --- a/ruby/rails/security/audit/mail-to-erb.yaml +++ /dev/null @@ -1,27 +0,0 @@ -rules: -- id: mail-to-erb - metadata: - owasp: - - A07:2017 - Cross-Site Scripting (XSS) - - A03:2021 - Injection - cwe: - - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" - source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_mail_to.rb - category: security - technology: - - rails - references: - - https://owasp.org/Top10/A03_2021-Injection - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: MEDIUM - confidence: LOW - message: This rule is deprecated. - languages: [generic] - severity: WARNING - patterns: - - pattern: a() - - pattern: b() diff --git a/ruby/rails/security/audit/mail-to.rb b/ruby/rails/security/audit/mail-to.rb deleted file mode 100644 index 489edeac0e..0000000000 --- a/ruby/rails/security/audit/mail-to.rb +++ /dev/null 
@@ -1,19 +0,0 @@ -def bad1(email, domain) - mail_to domain, email, :encode => "javascript" -end - -def bad2() - mail_to domain, "email", :replace_at => "_at_", encode: "javascript", :replace_dot => "_dot_", :class => "email" -end - -def ok1() - mail_to "me@domain.com", "My email", :encode => "hex" -end - -def ok2() - mail_to "me@domain.com", "My email", encode: "javascript" -end - -def ok3() - mail_to escape_javascript("me@domain.com"), escape_javascript("My email"), :encode => "javascript" -end diff --git a/ruby/rails/security/audit/mail-to.yaml b/ruby/rails/security/audit/mail-to.yaml deleted file mode 100644 index dac91107d0..0000000000 --- a/ruby/rails/security/audit/mail-to.yaml +++ /dev/null @@ -1,27 +0,0 @@ -rules: -- id: mail-to - metadata: - owasp: - - A07:2017 - Cross-Site Scripting (XSS) - - A03:2021 - Injection - cwe: - - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" - source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_mail_to.rb - category: security - technology: - - rails - references: - - https://owasp.org/Top10/A03_2021-Injection - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: MEDIUM - confidence: LOW - message: This rule is deprecated. - languages: [ruby] - severity: WARNING - patterns: - - pattern: a() - - pattern: b() diff --git a/ruby/rails/security/audit/mime-type-dos.rb b/ruby/rails/security/audit/mime-type-dos.rb deleted file mode 100644 index 76018dfca0..0000000000 --- a/ruby/rails/security/audit/mime-type-dos.rb +++ /dev/null @@ -1,9 +0,0 @@ -def bad(string, symbol, mime_type_synonyms = [], extension_synonyms = [], skip_lookup = false) - Mime.const_set(symbol.to_s.upcase, Type.new(string, symbol, mime_type_synonyms)) -end - -def ok() - Mime.const_set :LOOKUP, Hash.new { |h,k| - Mime::Type.new(k) unless k.blank? - } -end 
diff --git a/ruby/rails/security/audit/mime-type-dos.yaml b/ruby/rails/security/audit/mime-type-dos.yaml deleted file mode 100644 index 10258e45b9..0000000000 --- a/ruby/rails/security/audit/mime-type-dos.yaml +++ /dev/null @@ -1,24 +0,0 @@ -rules: -- id: mime-type-dos - metadata: - owasp: 'A05:2021 - Security Misconfiguration' - cwe: - - 'CWE-400: Uncontrolled Resource Consumption' - source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_mime_type_dos.rb - category: security - technology: - - rails - references: - - https://cwe.mitre.org/data/definitions/400.html - cwe2022-top25: true - subcategory: - - audit - likelihood: LOW - impact: HIGH - confidence: LOW - message: This rule is deprecated. - languages: [ruby] - severity: WARNING - patterns: - - pattern: a() - - pattern: b() diff --git a/ruby/rails/security/audit/number-to-currency-erb.erb b/ruby/rails/security/audit/number-to-currency-erb.erb deleted file mode 100644 index f34cb58f3e..0000000000 --- a/ruby/rails/security/audit/number-to-currency-erb.erb +++ /dev/null @@ -1,7 +0,0 @@ -<%= number_to_currency(1.02, unit: params[:currency]) %> - -<%= number_to_currency(1.02, unit: params[:currency], separator: ",", delimiter: "") %> - -<%= number_to_currency(1.02, unit: h(params[:currency])) %> - -<%= number_to_currency(1.02, unit: h(params[:currency]), separator: ",", delimiter: "") %> diff --git a/ruby/rails/security/audit/number-to-currency-erb.yaml b/ruby/rails/security/audit/number-to-currency-erb.yaml deleted file mode 100644 index e745781f6f..0000000000 --- a/ruby/rails/security/audit/number-to-currency-erb.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -rules: -- id: number-to-currency-erb - metadata: - owasp: - - A07:2017 - Cross-Site Scripting (XSS) - - A03:2021 - Injection - cwe: - - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" - source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_number_to_currency.rb - category: security - technology: - - rails - references: - - https://owasp.org/Top10/A03_2021-Injection - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: MEDIUM - confidence: LOW - message: This rule is deprecated. - languages: [generic] - severity: WARNING - patterns: - - pattern: a() - - pattern: b() diff --git a/ruby/rails/security/audit/number-to-currency.rb b/ruby/rails/security/audit/number-to-currency.rb deleted file mode 100644 index e63ba9d9ac..0000000000 --- a/ruby/rails/security/audit/number-to-currency.rb +++ /dev/null @@ -1,17 +0,0 @@ -def bad1() - number_to_currency(1.02, unit: params[:currency]) -end - -def bad2() - currency = params[:currency] - currency = currency + "unit" - number_to_currency(1.02, unit: currency) -end - -def ok1() - number_to_currency(1.03, unit: h(params[:currency])) -end - -def ok2() - number_to_currency(1234567890.50, unit: "R$", separator: ",", delimiter: "") -end diff --git a/ruby/rails/security/audit/number-to-currency.yaml b/ruby/rails/security/audit/number-to-currency.yaml deleted file mode 100644 index fb0ec2a31a..0000000000 --- a/ruby/rails/security/audit/number-to-currency.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -rules: -- id: number-to-currency - metadata: - owasp: - - A07:2017 - Cross-Site Scripting (XSS) - - A03:2021 - Injection - cwe: - - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" - source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_number_to_currency.rb - category: security - technology: - - rails - references: - - https://owasp.org/Top10/A03_2021-Injection - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - vuln - likelihood: LOW - impact: MEDIUM - confidence: LOW - message: This rule is deprecated. - languages: [ruby] - severity: WARNING - patterns: - - pattern: a() - - pattern: b() diff --git a/ruby/rails/security/audit/quote-table-name.rb b/ruby/rails/security/audit/quote-table-name.rb deleted file mode 100644 index 563b7e208b..0000000000 --- a/ruby/rails/security/audit/quote-table-name.rb +++ /dev/null @@ -1,17 +0,0 @@ -def bad1() - quote_table_name(params[:table]) -end - -def bad2() - table = params[:table] - quote_table_name(table) -end - -def ok1() - quote_table_name("name") -end - -def ok2() - table = "table" - quote_table_name(table) -end diff --git a/ruby/rails/security/audit/quote-table-name.yaml b/ruby/rails/security/audit/quote-table-name.yaml deleted file mode 100644 index c0034d4279..0000000000 --- a/ruby/rails/security/audit/quote-table-name.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -rules: -- id: quote-table-name - metadata: - owasp: - - A01:2017 - Injection - - A03:2021 - Injection - cwe: - - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" - source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_quote_table_name.rb - category: security - technology: - - rails - references: - - https://owasp.org/Top10/A03_2021-Injection - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - vuln - likelihood: HIGH - impact: MEDIUM - confidence: LOW - message: This rule is deprecated. - languages: [ruby] - severity: WARNING - patterns: - - pattern: a() - - pattern: b() diff --git a/ruby/rails/security/audit/rails-check-header-dos.Gemfile b/ruby/rails/security/audit/rails-check-header-dos.Gemfile deleted file mode 100644 index ab5a2d4859..0000000000 --- a/ruby/rails/security/audit/rails-check-header-dos.Gemfile +++ /dev/null @@ -1,26 +0,0 @@ -source 'https://rubygems.org' - -gem 'rails', '5.2.4' - -gem 'rails', '3.3.16' - -gem 'rails', '3.2.16' - -gem 'rails', '4.0.2' - -gem 'rails', '4.1.0' - -gem 'rails', '~> 3.2.15' - -gem 'rails', '~> 3.0' - -gem 'rails', '3.0.1' - -gem 'rails', '3.2.15' - -gem 'rails', '3.1.16' - -gem 'rails', '4.0.0' - -gem 'rails', '4.0.1' - diff --git a/ruby/rails/security/audit/rails-check-header-dos.yaml b/ruby/rails/security/audit/rails-check-header-dos.yaml deleted file mode 100644 index 87a5b36986..0000000000 --- a/ruby/rails/security/audit/rails-check-header-dos.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -rules: -- id: rails-check-header-dos - languages: - - generic - patterns: - - pattern: a() - - pattern: b() - message: This rule is deprecated. - severity: WARNING - metadata: - technology: - - rails - category: security - cwe: - - 'CWE-20: Improper Input Validation' - owasp: - - A03:2021 - Injection - source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_header_dos.rb - references: - - https://owasp.org/Top10/A03_2021-Injection - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: HIGH - confidence: LOW diff --git a/ruby/rails/security/audit/rails-check-page-caching-cve.rb b/ruby/rails/security/audit/rails-check-page-caching-cve.rb deleted file mode 100644 index 95f0d23b8c..0000000000 --- a/ruby/rails/security/audit/rails-check-page-caching-cve.rb +++ /dev/null @@ -1,12 +0,0 @@ -class CachingController < ApplicationController - caches_page :show -end - -class CachingController2 < ApplicationController - caches_page :uhoh -end - -class SafeController < ApplicationController - asdf :show -end - diff --git a/ruby/rails/security/audit/rails-check-page-caching-cve.yaml b/ruby/rails/security/audit/rails-check-page-caching-cve.yaml deleted file mode 100644 index 3d1063f720..0000000000 --- a/ruby/rails/security/audit/rails-check-page-caching-cve.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -rules: -- id: rails-check-page-caching-cve - patterns: - - pattern: a() - - pattern: b() - message: This rule is deprecated. - languages: - - ruby - severity: WARNING - metadata: - cwe: - - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" - owasp: - - A05:2017 - Broken Access Control - - A01:2021 - Broken Access Control - technology: - - rails - category: security - source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_page_caching_cve.rb - references: - - https://nvd.nist.gov/vuln/detail/CVE-2020-8159 - - https://groups.google.com/g/rubyonrails-security/c/CFRVkEytdP8 - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW diff --git a/ruby/rails/security/audit/rails-check-page-caching-gem.Gemfile b/ruby/rails/security/audit/rails-check-page-caching-gem.Gemfile deleted file mode 100644 index 56348a0c7b..0000000000 --- a/ruby/rails/security/audit/rails-check-page-caching-gem.Gemfile +++ /dev/null @@ -1,17 +0,0 @@ -source 'https://rubygems.org' - -gem 'actionpack_page-caching', '1.2.1' - -gem 'actionpack_page-caching', '2.0.0' - -gem 'actionpack_page-caching', '~> 1.2' - -gem 'actionpack_page-caching', '1.2.0' - -gem 'actionpack_page-caching', '1.0.99' - -gem 'actionpack_page-caching', '~> 0.99' - -gem 'actionpack_page-caching', '~> 1.1' - -gem 'actionpack_page-caching', '~> 1.1.2' diff --git a/ruby/rails/security/audit/rails-check-page-caching-gem.yaml b/ruby/rails/security/audit/rails-check-page-caching-gem.yaml deleted file mode 100644 index 0711339192..0000000000 --- a/ruby/rails/security/audit/rails-check-page-caching-gem.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -rules: -- id: rails-check-page-caching-gem - patterns: - - pattern: a() - - pattern: b() - message: This rule is deprecated. - languages: - - generic - severity: WARNING - metadata: - cwe: - - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" - owasp: - - A05:2017 - Broken Access Control - - A01:2021 - Broken Access Control - technology: - - rails - category: security - source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_page_caching_cve.rb - references: - - https://nvd.nist.gov/vuln/detail/CVE-2020-8159 - - https://groups.google.com/g/rubyonrails-security/c/CFRVkEytdP8 - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW diff --git a/ruby/rails/security/audit/rails-check-render-dos-cve.rb b/ruby/rails/security/audit/rails-check-render-dos-cve.rb deleted file mode 100644 index 6c74d03e7f..0000000000 --- a/ruby/rails/security/audit/rails-check-render-dos-cve.rb +++ /dev/null @@ -1,8 +0,0 @@ -class Text < ApplicationController - render :hello -end - -class Text < ApplicationController - send :hello -end - diff --git a/ruby/rails/security/audit/rails-check-render-dos-cve.yaml b/ruby/rails/security/audit/rails-check-render-dos-cve.yaml deleted file mode 100644 index 069aaf50c7..0000000000 --- a/ruby/rails/security/audit/rails-check-render-dos-cve.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -rules: -- id: rails-check-render-dos - patterns: - - pattern: a() - - pattern: b() - message: This rule is deprecated. - languages: - - generic - severity: WARNING - metadata: - cwe: - - 'CWE-20: Improper Input Validation' - owasp: - - A03:2021 - Injection - technology: - - rails - category: security - source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_render_dos.rb - references: - - https://groups.google.com/g/rubyonrails-security/c/LMxO_3_eCuc/m/ozGBEhKaJbIJ - - https://nvd.nist.gov/vuln/detail/CVE-2014-0082 - - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW diff --git a/ruby/rails/security/audit/rails-check-render-dos-gem.Gemfile b/ruby/rails/security/audit/rails-check-render-dos-gem.Gemfile deleted file mode 100644 index 57dbb9030d..0000000000 --- a/ruby/rails/security/audit/rails-check-render-dos-gem.Gemfile +++ /dev/null @@ -1,20 +0,0 @@ -source 'https://rubygems.org' - -gem 'rails', '3.2.17' - -gem 'rails', '2.0.0' - -gem 'rails', '~> 3.2' - -gem 'rails', '3.0.30' - -gem 'rails', '3.2.16' - -gem 'rails', '3.1.5' - -gem 'rails', '3.2.0' - -gem 'rails', '3.1' - -gem 'rails', '~> 3.1' - diff --git a/ruby/rails/security/audit/rails-check-render-dos-gem.yaml b/ruby/rails/security/audit/rails-check-render-dos-gem.yaml deleted file mode 100644 index 74a0ba81fb..0000000000 --- a/ruby/rails/security/audit/rails-check-render-dos-gem.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -rules: -- id: rails-check-render-dos - patterns: - - pattern: a() - - pattern: b() - message: This rule is deprecated. - languages: - - generic - severity: WARNING - metadata: - cwe: - - 'CWE-20: Improper Input Validation' - owasp: - - A03:2021 - Injection - source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_render_dos.rb - technology: - - rails - category: security - references: - - https://groups.google.com/g/rubyonrails-security/c/LMxO_3_eCuc/m/ozGBEhKaJbIJ - - https://nvd.nist.gov/vuln/detail/CVE-2014-0082 - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW diff --git a/ruby/rails/security/audit/rails-check-response-splitting.Gemfile b/ruby/rails/security/audit/rails-check-response-splitting.Gemfile deleted file mode 100644 index 2f577ba1c1..0000000000 --- a/ruby/rails/security/audit/rails-check-response-splitting.Gemfile +++ /dev/null @@ -1,10 +0,0 @@ -source 'https://rubygems.org' - -gem 'rails', '2.3.15' - -gem 'rails', '~> 2.3' - -gem 'rails', '2.3.0' - -gem 'rails', '~> 2.3.12' - diff --git a/ruby/rails/security/audit/rails-check-response-splitting.yaml b/ruby/rails/security/audit/rails-check-response-splitting.yaml deleted file mode 100644 index 23797f053e..0000000000 --- a/ruby/rails/security/audit/rails-check-response-splitting.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -rules: -- id: rails-check-response-splitting - patterns: - - pattern: a() - - pattern: b() - message: This rule is deprecated. - languages: - - generic - severity: WARNING - metadata: - cwe: - - "CWE-94: Improper Control of Generation of Code ('Code Injection')" - owasp: - - A03:2021 - Injection - technology: - - rails - source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_response_splitting.rb - category: security - references: - - https://groups.google.com/d/topic/rubyonrails-security/b_yTveAph2g/discussion - cwe2022-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW diff --git a/ruby/rails/security/injection/rails-check-json-parsing-rce.Gemfile b/ruby/rails/security/injection/rails-check-json-parsing-rce.Gemfile deleted file mode 100644 index c89a4244e3..0000000000 --- a/ruby/rails/security/injection/rails-check-json-parsing-rce.Gemfile +++ /dev/null @@ -1,20 +0,0 @@ -source 'https://rubygems.org' - -gem 'rails', '2.3.16' - -gem 'rails', '3.0.20' - -gem 'rails', '~> 2.3.15' - -gem 'rails', '~> 0.99.99' - -gem 'rails', '~> 2.2.99' - -gem 'rails', '2.3.0' - -gem 'rails', '~> 2.3.0' - -gem 'rails', '3.0.15' - -gem 'rails', '~> 3.0.15' - diff --git a/ruby/rails/security/injection/rails-check-json-parsing-rce.yaml b/ruby/rails/security/injection/rails-check-json-parsing-rce.yaml deleted file mode 100644 index 999b7a6f05..0000000000 --- a/ruby/rails/security/injection/rails-check-json-parsing-rce.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -rules: -- id: rails-check-json-parsing-rce - patterns: - - pattern: a() - - pattern: b() - message: This rule is deprecated. - languages: - - generic - severity: WARNING - metadata: - cwe: - - "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')" - owasp: - - A03:2021 - Injection - technology: - - rails - source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_json_parsing.rb - category: security - references: - - https://nvd.nist.gov/vuln/detail/CVE-2013-0333 - - https://groups.google.com/g/rubyonrails-security/c/1h2DR63ViGo - subcategory: - - audit - likelihood: LOW - impact: HIGH - confidence: LOW diff --git a/terraform/aws/security/aws-elasticache-replication-group-encrypted-with-cmk.tf b/terraform/aws/security/aws-elasticache-replication-group-encrypted-with-cmk.tf deleted file mode 100644 index 757ad8bf5a..0000000000 --- a/terraform/aws/security/aws-elasticache-replication-group-encrypted-with-cmk.tf +++ /dev/null 
@@ -1,27 +0,0 @@ -resource "aws_elasticache_replication_group" "pass" { - replication_group_id = "tf-%s" - replication_group_description = "test description" - node_type = "cache.t2.micro" - number_cache_clusters = "1" - port = 6379 - subnet_group_name = aws_elasticache_subnet_group.bar.name - security_group_ids = [aws_security_group.bar.id] - parameter_group_name = "default.redis3.2" - availability_zones = [data.aws_availability_zones.available.names[0]] - engine_version = "3.2.6" - at_rest_encryption_enabled = true - kms_key_id = aws_kms_key.bar.arn -} -resource "aws_elasticache_replication_group" "fail" { - replication_group_id = "tf-%s" - replication_group_description = "test description" - node_type = "cache.t2.micro" - number_cache_clusters = "1" - port = 6379 - subnet_group_name = aws_elasticache_subnet_group.bar.name - security_group_ids = [aws_security_group.bar.id] - parameter_group_name = "default.redis3.2" - availability_zones = [data.aws_availability_zones.available.names[0]] - engine_version = "3.2.6" - at_rest_encryption_enabled = true -} diff --git a/terraform/aws/security/aws-elasticache-replication-group-encrypted-with-cmk.yaml b/terraform/aws/security/aws-elasticache-replication-group-encrypted-with-cmk.yaml deleted file mode 100644 index 7680b3e163..0000000000 --- a/terraform/aws/security/aws-elasticache-replication-group-encrypted-with-cmk.yaml +++ /dev/null @@ -1,25 +0,0 @@ -rules: -- id: aws-elasticache-replication-group-encrypted-with-cmk - patterns: - - pattern: a() - - pattern: b() - message: >- - This rule has been deprecated. - metadata: - category: security - technology: - - terraform - - aws - owasp: - - A03:2017 - Sensitive Data Exposure - cwe: - - 'CWE-320: CWE CATEGORY: Key Management Errors' - references: - - https://owasp.org/Top10/A02_2021-Cryptographic_Failures - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - languages: [hcl] - severity: WARNING 
diff --git a/typescript/react/security/audit/react-css-injection.jsx b/typescript/react/security/audit/react-css-injection.jsx deleted file mode 100644 index 9c4bf06de8..0000000000 --- a/typescript/react/security/audit/react-css-injection.jsx +++ /dev/null @@ -1,55 +0,0 @@ -function Vulnerable1(input) { - return ( - -// ok: react-css-injection -
- Hello world -
-
- ); -} - -function Vulnerable3() { - const input = loadUserInput(); - return ( - -// ok: react-css-injection -
- Hello world -
-
- ); -} - -function Vulnerable4(input) { -// ok: react-css-injection - return React.createElement('div', {style: input}, `foobar`); -} - -function OkTest({siteUrl, input}) { - return ( - -// ok: react-css-injection -
- Hello world -
-
- ); -} - -function OkTest2(input) { - let styles = {color: input}; - return ( - -// ok: react-css-injection -
- Hello world -
-
- ); -} - -function OkTest3(input) { -// ok: react-css-injection - return React.createElement('div', {style: {width: 100}}, `foobar`); -} diff --git a/typescript/react/security/audit/react-css-injection.tsx b/typescript/react/security/audit/react-css-injection.tsx deleted file mode 100644 index b1878b7ba2..0000000000 --- a/typescript/react/security/audit/react-css-injection.tsx +++ /dev/null @@ -1,55 +0,0 @@ -function Vulnerable1(input) { - return ( - -// ok: react-css-injection -
- Hello world -
-
- ); -} - -function Vulnerable3() { - const input = loadUserInput(); - return ( - -// ok: react-css-injection -
- Hello world -
-
- ); -} - -function Vulnerable4(input) { -// ok: react-css-injection - return React.createElement('div', {style: input}, `foobar`); -} - -function OkTest({siteUrl, input}) { - return ( - -// ok: react-css-injection -
- Hello world -
-
- ); -} - -function OkTest(input) { - let styles = {color: input}; - return ( - -// ok: react-css-injection -
- Hello world -
-
- ); -} - -function OkTest3(input) { -// ok: react-css-injection - return React.createElement('div', {style: {width: 100}}, `foobar`); -} diff --git a/typescript/react/security/audit/react-css-injection.yaml b/typescript/react/security/audit/react-css-injection.yaml deleted file mode 100644 index 8c2430d3f0..0000000000 --- a/typescript/react/security/audit/react-css-injection.yaml +++ /dev/null @@ -1,30 +0,0 @@ -rules: -- id: react-css-injection - message: >- - this rule has been deprecated. - metadata: - cwe: - - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" - owasp: - - A07:2017 - Cross-Site Scripting (XSS) - - A03:2021 - Injection - references: - - https://medium.com/dailyjs/exploiting-script-injection-flaws-in-reactjs-883fb1fe36c1 - category: security - deprecated: true - technology: - - react - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - languages: - - typescript - - javascript - severity: INFO - patterns: - - pattern: a() - - pattern: b() diff --git a/typescript/react/security/audit/react-html-element-spreading.jsx b/typescript/react/security/audit/react-html-element-spreading.jsx deleted file mode 100644 index 59bcc70450..0000000000 --- a/typescript/react/security/audit/react-html-element-spreading.jsx +++ /dev/null @@ -1,24 +0,0 @@ -function Test1(props) { -// ok: react-html-element-spreading - const el = < div {...props} >123; - return el; -} - -function Test1(props) { -// ok: react-html-element-spreading - const el = 123; - return el; -} - -function OkTest1(props) { -// ok: react-html-element-spreading - const el = ; - return el; -} - -function OkTest2(props, otherProps) { - const {src, alt} = props; - const {one_prop, two_prop} = otherProps; -// ok: react-html-element-spreading - return 123; -} 
diff --git a/typescript/react/security/audit/react-html-element-spreading.tsx b/typescript/react/security/audit/react-html-element-spreading.tsx deleted file mode 100644 index 59bcc70450..0000000000 --- a/typescript/react/security/audit/react-html-element-spreading.tsx +++ /dev/null @@ -1,24 +0,0 @@ -function Test1(props) { -// ok: react-html-element-spreading - const el = < div {...props} >123; - return el; -} - -function Test1(props) { -// ok: react-html-element-spreading - const el = 123; - return el; -} - -function OkTest1(props) { -// ok: react-html-element-spreading - const el = ; - return el; -} - -function OkTest2(props, otherProps) { - const {src, alt} = props; - const {one_prop, two_prop} = otherProps; -// ok: react-html-element-spreading - return 123; -} diff --git a/typescript/react/security/audit/react-html-element-spreading.yaml b/typescript/react/security/audit/react-html-element-spreading.yaml deleted file mode 100644 index 4904038ca7..0000000000 --- a/typescript/react/security/audit/react-html-element-spreading.yaml +++ /dev/null @@ -1,30 +0,0 @@ -rules: -- id: react-html-element-spreading - message: >- - this rule has been deprecated. - metadata: - cwe: - - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" - owasp: - - A07:2017 - Cross-Site Scripting (XSS) - - A03:2021 - Injection - references: - - https://pragmaticwebsecurity.com/articles/spasecurity/react-xss-part2.html - category: security - deprecated: true - technology: - - react - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - languages: - - typescript - - javascript - severity: INFO - patterns: - - pattern: a() - - pattern: b() diff --git a/typescript/react/security/audit/react-http-leak.jsx b/typescript/react/security/audit/react-http-leak.jsx deleted file mode 100644 index 959ec306e0..0000000000 --- a/typescript/react/security/audit/react-http-leak.jsx +++ /dev/null 
@@ -1,56 +0,0 @@ -const url = 'https://www.example.com'; - -// ok: react-http-leak -const okTest1 = ; - -// ok: react-http-leak -const okTest2 = ; - -// ok: react-http-leak -const okTest3 = ; - -// ok: react-http-leak -const okTest4 = Hello world; - -// ok: react-http-leak -const okTest5 = Hello world; - -function test(attackersUrl) { -// ok: react-http-leak - const test1 = (); - -// ok: react-http-leak - const test2 =
123
; - - const test3 = ( -// ok: react-http-leak - -
- - ); - -// ok: react-http-leak - const test4 = ; - - const test5 = ( -// ok: react-http-leak - - hello world - - ); - -// ok: react-http-leak - const test6 = ; - -// ok: react-http-leak - const test7 = ; - -// ok: react-http-leak - const test8 = ; - -// ok: react-http-leak - const test9 = Hello world; - -// ok: react-http-leak - const test10 = Hello world; -} diff --git a/typescript/react/security/audit/react-http-leak.tsx b/typescript/react/security/audit/react-http-leak.tsx deleted file mode 100644 index 9e85469c99..0000000000 --- a/typescript/react/security/audit/react-http-leak.tsx +++ /dev/null @@ -1,61 +0,0 @@ -import importImg from "./my/image.jpg"; - -const url = 'https://www.example.com'; - -// ok: react-http-leak -const okTest1 = ; - -// ok: react-http-leak -const okTest2 = ; - -// ok: react-http-leak -const okTest3 = ; - -// ok: react-http-leak -const okTest4 = Hello world; - -// ok: react-http-leak -const okTest5 = Hello world; - -// ok: react-http-leak -const okTest6 = ; - -function test(attackersUrl) { -// ok: react-http-leak - const test1 = (); - -// ok: react-http-leak - const test2 =
123
; - - const test3 = ( -// ok: react-http-leak - -
- - ); - -// ok: react-http-leak - const test4 = ; - - const test5 = ( -// ok: react-http-leak - - hello world - - ); - -// ok: react-http-leak - const test6 = ; - -// ok: react-http-leak - const test7 = ; - -// ok: react-http-leak - const test8 = ; - -// ok: react-http-leak - const test9 = Hello world; - -// ok: react-http-leak - const test10 = Hello world; -} diff --git a/typescript/react/security/audit/react-http-leak.yaml b/typescript/react/security/audit/react-http-leak.yaml deleted file mode 100644 index 409209da86..0000000000 --- a/typescript/react/security/audit/react-http-leak.yaml +++ /dev/null @@ -1,28 +0,0 @@ -rules: -- id: react-http-leak - message: >- - this rule has been deprecated. - metadata: - owasp: - - A01:2021 - Broken Access Control - cwe: - - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' - deprecated: true - references: - - https://github.com/cure53/HTTPLeaks - category: security - technology: - - react - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - languages: - - typescript - - javascript - severity: INFO - patterns: - - pattern: a() - - pattern: b() diff --git a/typescript/react/security/audit/react-missing-noopener.jsx b/typescript/react/security/audit/react-missing-noopener.jsx deleted file mode 100644 index 1a27948ca0..0000000000 --- a/typescript/react/security/audit/react-missing-noopener.jsx +++ /dev/null @@ -1,44 +0,0 @@ - -var Test1 =
- - -var Test2 = - - -var Test3 = - - -var Test4 = - - -var Test5 = - -// ok: react-missing-noopener -var OkTest1 = - -// ok: react-missing-noopener -var OkTest2 = - -// ok: react-missing-noopener -var OkTest3 = - -function TestComponent1() { - - let params = {target: '_blank', href: 'http://example.com/'}; - return React.createElement('a', params); -} - -function TestComponent2() { - - return React.createElement('a', {target: '_blank', href: 'http://example.com/'}); -} - -function TestComponent3() { - - return React.createElement('a', {target: '_blank', href: 'http://example.com/', rel: 'noreferrer'}); -} - -function OkComponent1() { -// ok: react-missing-noopener - return React.createElement('a', {target: '_blank', href: 'http://example.com/', rel: "noopener noreferrer"}); -} diff --git a/typescript/react/security/audit/react-missing-noopener.tsx b/typescript/react/security/audit/react-missing-noopener.tsx deleted file mode 100644 index 1a27948ca0..0000000000 --- a/typescript/react/security/audit/react-missing-noopener.tsx +++ /dev/null @@ -1,44 +0,0 @@ - -var Test1 = - - -var Test2 = - - -var Test3 = - - -var Test4 = - - -var Test5 = - -// ok: react-missing-noopener -var OkTest1 = - -// ok: react-missing-noopener -var OkTest2 = - -// ok: react-missing-noopener -var OkTest3 = - -function TestComponent1() { - - let params = {target: '_blank', href: 'http://example.com/'}; - return React.createElement('a', params); -} - -function TestComponent2() { - - return React.createElement('a', {target: '_blank', href: 'http://example.com/'}); -} - -function TestComponent3() { - - return React.createElement('a', {target: '_blank', href: 'http://example.com/', rel: 'noreferrer'}); -} - -function OkComponent1() { -// ok: react-missing-noopener - return React.createElement('a', {target: '_blank', href: 'http://example.com/', rel: "noopener noreferrer"}); -} 
diff --git a/typescript/react/security/audit/react-missing-noopener.yaml b/typescript/react/security/audit/react-missing-noopener.yaml deleted file mode 100644 index 6cdca4d567..0000000000 --- a/typescript/react/security/audit/react-missing-noopener.yaml +++ /dev/null @@ -1,29 +0,0 @@ -rules: -- id: react-missing-noopener - message: >- - This rule has been deprecated - metadata: - cwe: - - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' - owasp: - - A01:2021 - Broken Access Control - references: - - https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer - - https://web.dev/external-anchors-use-rel-noopener/ - - https://owasp.org/www-community/attacks/Reverse_Tabnabbing - category: security - technology: - - react - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - languages: - - typescript - - javascript - severity: INFO - patterns: - - pattern: a() - - pattern: b() diff --git a/typescript/react/security/audit/react-missing-noreferrer.jsx b/typescript/react/security/audit/react-missing-noreferrer.jsx deleted file mode 100644 index f5a22d7740..0000000000 --- a/typescript/react/security/audit/react-missing-noreferrer.jsx +++ /dev/null 
@@ -1,52 +0,0 @@ - -var Test1 = - -// ok: react-missing-noreferrer -var Test2 = - -// ok: react-missing-noreferrer -var Test3 = - - -var Test4 = - - -var Test5 = - -// ok: react-missing-noreferrer -var OkTest1 = - -// ok: react-missing-noreferrer -var OkTest2 = - -// ok: react-missing-noreferrer -var OkTest3 = - -// ok: react-missing-noreferrer -var OkTest4 = - -function TestComponent1() { - - let params = {target: '_blank', href: 'http://example.com/'}; - return React.createElement('a', params); -} - -function TestComponent2() { - - return React.createElement('a', {target: '_blank', href: 'http://example.com/'}); -} - -function TestComponent3() { -// ok: react-missing-noreferrer - return React.createElement('a', {target: '_blank', href: 'http://example.com/', rel: 'noopener'}); -} - -function OkComponent1() { -// ok: react-missing-noreferrer - return React.createElement('a', {target: '_blank', href: 'http://example.com/', rel: "noopener noreferrer"}); -} - -function OkComponent2() { -// ok: react-missing-noreferrer - return React.createElement('a', {target: '_blank', href: '/test', rel: 'noopener'}); -} diff --git a/typescript/react/security/audit/react-missing-noreferrer.tsx b/typescript/react/security/audit/react-missing-noreferrer.tsx deleted file mode 100644 index f5a22d7740..0000000000 --- a/typescript/react/security/audit/react-missing-noreferrer.tsx +++ /dev/null 
@@ -1,52 +0,0 @@ - -var Test1 = - -// ok: react-missing-noreferrer -var Test2 = - -// ok: react-missing-noreferrer -var Test3 = - - -var Test4 = - - -var Test5 = - -// ok: react-missing-noreferrer -var OkTest1 = - -// ok: react-missing-noreferrer -var OkTest2 = - -// ok: react-missing-noreferrer -var OkTest3 = - -// ok: react-missing-noreferrer -var OkTest4 = - -function TestComponent1() { - - let params = {target: '_blank', href: 'http://example.com/'}; - return React.createElement('a', params); -} - -function TestComponent2() { - - return React.createElement('a', {target: '_blank', href: 'http://example.com/'}); -} - -function TestComponent3() { -// ok: react-missing-noreferrer - return React.createElement('a', {target: '_blank', href: 'http://example.com/', rel: 'noopener'}); -} - -function OkComponent1() { -// ok: react-missing-noreferrer - return React.createElement('a', {target: '_blank', href: 'http://example.com/', rel: "noopener noreferrer"}); -} - -function OkComponent2() { -// ok: react-missing-noreferrer - return React.createElement('a', {target: '_blank', href: '/test', rel: 'noopener'}); -} diff --git a/typescript/react/security/audit/react-missing-noreferrer.yaml b/typescript/react/security/audit/react-missing-noreferrer.yaml deleted file mode 100644 index dec76f26b5..0000000000 --- a/typescript/react/security/audit/react-missing-noreferrer.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -rules: -- id: react-missing-noreferrer - message: >- - This rule has been deprecated. - metadata: - confidence: LOW - cwe: - - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' - owasp: - - A01:2021 - Broken Access Control - references: - - https://web.dev/external-anchors-use-rel-noopener/ - - https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer - category: security - technology: - - react - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - languages: - - typescript - - javascript - severity: INFO - patterns: - - pattern: a() - - pattern: b() diff --git a/typescript/react/security/audit/react-no-refs.jsx b/typescript/react/security/audit/react-no-refs.jsx deleted file mode 100644 index f86143ee2c..0000000000 --- a/typescript/react/security/audit/react-no-refs.jsx +++ /dev/null @@ -1,33 +0,0 @@ -const test1 =
; -const okTest =
; - -class MyComponent extends React.Component { - constructor(props) { - super(props); - this.myRef = React.createRef(); - } - render() { - return
; - } -} - -function CustomTextInput(props) { - const textInput = useRef(null); - - function handleClick() { - textInput.current.focus(); - } - - return ( -
- - -
- ); -} diff --git a/typescript/react/security/audit/react-no-refs.tsx b/typescript/react/security/audit/react-no-refs.tsx deleted file mode 100644 index f86143ee2c..0000000000 --- a/typescript/react/security/audit/react-no-refs.tsx +++ /dev/null @@ -1,33 +0,0 @@ -const test1 =
; -const okTest =
; - -class MyComponent extends React.Component { - constructor(props) { - super(props); - this.myRef = React.createRef(); - } - render() { - return
; - } -} - -function CustomTextInput(props) { - const textInput = useRef(null); - - function handleClick() { - textInput.current.focus(); - } - - return ( -
- - -
- ); -} diff --git a/typescript/react/security/audit/react-no-refs.yaml b/typescript/react/security/audit/react-no-refs.yaml deleted file mode 100644 index 1e1eb4b591..0000000000 --- a/typescript/react/security/audit/react-no-refs.yaml +++ /dev/null @@ -1,30 +0,0 @@ -rules: -- id: react-no-refs - message: >- - this rule has been deprecated. - metadata: - cwe: - - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" - owasp: - - A07:2017 - Cross-Site Scripting (XSS) - - A03:2021 - Injection - category: security - deprecated: true - technology: - - react - references: - - https://pragmaticwebsecurity.com/articles/spasecurity/react-xss-part3.html - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - languages: - - typescript - - javascript - severity: INFO - patterns: - - pattern: a() - - pattern: b() diff --git a/typescript/react/security/audit/react-props-injection.jsx b/typescript/react/security/audit/react-props-injection.jsx deleted file mode 100644 index cb57a92570..0000000000 --- a/typescript/react/security/audit/react-props-injection.jsx +++ /dev/null @@ -1,45 +0,0 @@ -import something from "foobar"; - -const userInput = JSON.parse(storedValue); - -function test1() { - // ok: react-props-injection - return
; -} - -function test2() { - // ok: react-props-injection - return
; -} - -function test3(input) { - // ok: react-props-injection - return
; -} - -function test4() { - const input = JSON.parse(storedValue); - // ok: react-props-injection - return React.createElement("span", input); -} - -function test5(input) { - // ok: react-props-injection - return React.createElement("span", doSmth(input)); -} - -function test6() { - // ok: react-props-injection - return
; -} - -function okTest1(input) { - // ok: react-props-injection - return
; -} - -function okTest2() { - const input = JSON.parse(storedValue); - // ok: react-props-injection - return React.createElement("span", {attr: input.attr}); -} diff --git a/typescript/react/security/audit/react-props-injection.tsx b/typescript/react/security/audit/react-props-injection.tsx deleted file mode 100644 index cb57a92570..0000000000 --- a/typescript/react/security/audit/react-props-injection.tsx +++ /dev/null @@ -1,45 +0,0 @@ -import something from "foobar"; - -const userInput = JSON.parse(storedValue); - -function test1() { - // ok: react-props-injection - return
; -} - -function test2() { - // ok: react-props-injection - return
; -} - -function test3(input) { - // ok: react-props-injection - return
; -} - -function test4() { - const input = JSON.parse(storedValue); - // ok: react-props-injection - return React.createElement("span", input); -} - -function test5(input) { - // ok: react-props-injection - return React.createElement("span", doSmth(input)); -} - -function test6() { - // ok: react-props-injection - return
; -} - -function okTest1(input) { - // ok: react-props-injection - return
; -} - -function okTest2() { - const input = JSON.parse(storedValue); - // ok: react-props-injection - return React.createElement("span", {attr: input.attr}); -} diff --git a/typescript/react/security/audit/react-props-injection.yaml b/typescript/react/security/audit/react-props-injection.yaml deleted file mode 100644 index c881f16433..0000000000 --- a/typescript/react/security/audit/react-props-injection.yaml +++ /dev/null @@ -1,30 +0,0 @@ -rules: -- id: react-props-injection - message: >- - this rule has been deprecated. - metadata: - cwe: - - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" - owasp: - - A07:2017 - Cross-Site Scripting (XSS) - - A03:2021 - Injection - deprecated: true - references: - - https://medium.com/dailyjs/exploiting-script-injection-flaws-in-reactjs-883fb1fe36c1 - category: security - technology: - - react - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - languages: - - typescript - - javascript - severity: INFO - patterns: - - pattern: a() - - pattern: b() diff --git a/typescript/react/security/audit/react-router-redirect.jsx b/typescript/react/security/audit/react-router-redirect.jsx deleted file mode 100644 index c92cff7c96..0000000000 --- a/typescript/react/security/audit/react-router-redirect.jsx +++ /dev/null @@ -1,37 +0,0 @@ -import { - BrowserRouter as Router, - Switch, - Route, - Link, - Redirect, - useParams -} from "react-router-dom"; - -function App() { - return ( - - {loggedIn ? : } - - ); -} - -function App2() { - return ( - - {loggedIn ? : } - - ); -} - -function App3({userInput}) { - return ( - -// ok: react-router-redirect - {loggedIn ? : } - - ); -} diff --git a/typescript/react/security/audit/react-router-redirect.tsx b/typescript/react/security/audit/react-router-redirect.tsx deleted file mode 100644 index c92cff7c96..0000000000 --- a/typescript/react/security/audit/react-router-redirect.tsx +++ /dev/null 
@@ -1,37 +0,0 @@ -import { - BrowserRouter as Router, - Switch, - Route, - Link, - Redirect, - useParams -} from "react-router-dom"; - -function App() { - return ( - - {loggedIn ? : } - - ); -} - -function App2() { - return ( - - {loggedIn ? : } - - ); -} - -function App3({userInput}) { - return ( - -// ok: react-router-redirect - {loggedIn ? : } - - ); -} diff --git a/typescript/react/security/audit/react-router-redirect.yaml b/typescript/react/security/audit/react-router-redirect.yaml deleted file mode 100644 index 7f751d01ad..0000000000 --- a/typescript/react/security/audit/react-router-redirect.yaml +++ /dev/null @@ -1,32 +0,0 @@ -rules: -- id: react-router-redirect - message: >- - this rule has been deprecated. - metadata: - cwe: - - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" - owasp: - - A07:2017 - Cross-Site Scripting (XSS) - - A03:2021 - Injection - deprecated: true - category: security - technology: - - react - references: - - https://v5.reactrouter.com/web/api/Redirect - - https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html - - https://semgrep.dev - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - languages: - - typescript - - javascript - severity: INFO - patterns: - - pattern: a() - - pattern: b() diff --git a/typescript/react/security/audit/react-styled-components-injection.jsx b/typescript/react/security/audit/react-styled-components-injection.jsx deleted file mode 100644 index 448a855ec2..0000000000 --- a/typescript/react/security/audit/react-styled-components-injection.jsx +++ /dev/null 
@@ -1,50 +0,0 @@ -import styled from "styled-components"; - -function Vulnerable1(userInput) { - const ArbitraryComponent = styled.div` - background: url(${ - // ok: react-styled-components-injection - userInput - }); - ` - return ArbitraryComponent -} - -function Vulnerable2(userInput) { - const input = fooBar(userInput) - - return styled.div` - background: url(${ - // ok: react-styled-components-injection - input - }); - ` -} - -function Vulnerable3(nevermind, {userInput}) { - const input = '#' + userInput; - - return styled.div` - background: ${ - // ok: react-styled-components-injection - input - }; - ` -} - -function OkTest({siteUrl, input}) { -// ok: react-styled-components-injection - const ArbitraryComponent = styled.div` - background: red; - ` - return ArbitraryComponent -} - -function OkTest(input) { - const css = 'red'; -// ok: react-styled-components-injection - const ArbitraryComponent = styled.div` - background: ${css}; - ` - return ArbitraryComponent -} diff --git a/typescript/react/security/audit/react-styled-components-injection.tsx b/typescript/react/security/audit/react-styled-components-injection.tsx deleted file mode 100644 index 1010c6f27d..0000000000 --- a/typescript/react/security/audit/react-styled-components-injection.tsx +++ /dev/null 
@@ -1,60 +0,0 @@ -import styled, { keyframes } from "styled-components"; - -function Vulnerable1(userInput) { - const ArbitraryComponent = styled.div` - background: url(${ - // ok: react-styled-components-injection - userInput - }); - ` - return ArbitraryComponent -} - -function Vulnerable2(userInput) { - const input = fooBar(userInput) - - return styled.div` - background: url(${ - // ok: react-styled-components-injection - input - }); - ` -} - -function Vulnerable3(nevermind, {userInput}) { - const input = '#' + userInput; - - return styled.div` - background: ${ - // ok: react-styled-components-injection - input - }; - ` -} - -function OkTest({siteUrl, input}) { - // ok: react-styled-components-injection - const ArbitraryComponent = styled.div` - background: red; - ` - return ArbitraryComponent -} - -function OkTest(input) { - const css = 'red'; - // ok: react-styled-components-injection - const ArbitraryComponent = styled.div` - background: ${css}; - ` - return ArbitraryComponent -} - -function OkTest(input) { - const css = "red"; - const anim = keyframes`from {width: 1;} to {width: 2;}`; - // ok: react-styled-components-injection - const ArbitraryComponent = styled.div` - animation: ${anim}; - `; - return ArbitraryComponent; -} diff --git a/typescript/react/security/audit/react-styled-components-injection.yaml b/typescript/react/security/audit/react-styled-components-injection.yaml deleted file mode 100644 index 20be09a550..0000000000 --- a/typescript/react/security/audit/react-styled-components-injection.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -rules: -- id: react-styled-components-injection - message: >- - this rule has been deprecated. - metadata: - cwe: - - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" - owasp: - - A07:2017 - Cross-Site Scripting (XSS) - - A03:2021 - Injection - references: - - https://styled-components.com/docs/advanced#security - category: security - deprecated: true - technology: - - react - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - languages: - - typescript - - javascript - severity: INFO - patterns: - - pattern: a() - - pattern: b() diff --git a/typescript/react/security/react-controlled-component-password.jsx b/typescript/react/security/react-controlled-component-password.jsx deleted file mode 100644 index 6c54e4c1ec..0000000000 --- a/typescript/react/security/react-controlled-component-password.jsx +++ /dev/null @@ -1,90 +0,0 @@ -class NameForm extends React.Component { - constructor(props) { - super(props); - this.state = {value: ''}; - - this.handleChange = this.handleChange.bind(this); - this.handleSubmit = this.handleSubmit.bind(this); - } - - handleChange(event) { - this.setState({value: event.target.value}); - } - - handleSubmit(event) { - alert('A name was submitted: ' + this.state.value); - event.preventDefault(); - } - - render() { - return ( -
- - -
- ); - } -} - -class Password extends React.Component { - constructor(props) { - super(props); - this.state = { value: '' }; - - this.handleChange = this.handleChange.bind(this); - } - - handleChange(event) { - this.setState({ value: event.target.value }); - } - - render() { -// ok: react-controlled-component-password - return React.createElement( - 'input', - { - onChange: this.handleChange, - 'placeholder': 'type password here and watch network log', - 'size': '40', - 'type': 'password', - 'value': this.state.value - }, - null - ); - } -} - -class NameForm extends React.Component { - constructor(props) { - super(props); - this.state = {value: ''}; - - this.handleChange = this.handleChange.bind(this); - this.handleSubmit = this.handleSubmit.bind(this); - } - - handleChange(event) { - this.setState({value: event.target.value}); - } - - handleSubmit(event) { - alert('A name was submitted: ' + this.state.value); - event.preventDefault(); - } - - render() { - return ( -
- - -
- ); - } -} diff --git a/typescript/react/security/react-controlled-component-password.tsx b/typescript/react/security/react-controlled-component-password.tsx deleted file mode 100644 index 6c54e4c1ec..0000000000 --- a/typescript/react/security/react-controlled-component-password.tsx +++ /dev/null @@ -1,90 +0,0 @@ -class NameForm extends React.Component { - constructor(props) { - super(props); - this.state = {value: ''}; - - this.handleChange = this.handleChange.bind(this); - this.handleSubmit = this.handleSubmit.bind(this); - } - - handleChange(event) { - this.setState({value: event.target.value}); - } - - handleSubmit(event) { - alert('A name was submitted: ' + this.state.value); - event.preventDefault(); - } - - render() { - return ( -
- - -
- ); - } -} - -class Password extends React.Component { - constructor(props) { - super(props); - this.state = { value: '' }; - - this.handleChange = this.handleChange.bind(this); - } - - handleChange(event) { - this.setState({ value: event.target.value }); - } - - render() { -// ok: react-controlled-component-password - return React.createElement( - 'input', - { - onChange: this.handleChange, - 'placeholder': 'type password here and watch network log', - 'size': '40', - 'type': 'password', - 'value': this.state.value - }, - null - ); - } -} - -class NameForm extends React.Component { - constructor(props) { - super(props); - this.state = {value: ''}; - - this.handleChange = this.handleChange.bind(this); - this.handleSubmit = this.handleSubmit.bind(this); - } - - handleChange(event) { - this.setState({value: event.target.value}); - } - - handleSubmit(event) { - alert('A name was submitted: ' + this.state.value); - event.preventDefault(); - } - - render() { - return ( -
- - -
- ); - } -} diff --git a/typescript/react/security/react-controlled-component-password.yaml b/typescript/react/security/react-controlled-component-password.yaml deleted file mode 100644 index 5fcdaf97b1..0000000000 --- a/typescript/react/security/react-controlled-component-password.yaml +++ /dev/null @@ -1,30 +0,0 @@ -rules: -- id: react-controlled-component-password - message: >- - this rule has been deprecated. - metadata: - category: security - deprecated: true - technology: - - react - owasp: - - A07:2017 - Cross-Site Scripting (XSS) - - A03:2021 - Injection - cwe: - - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" - references: - - https://semgrep.dev - cwe2022-top25: true - cwe2021-top25: true - subcategory: - - audit - likelihood: LOW - impact: LOW - confidence: LOW - languages: - - typescript - - javascript - severity: INFO - patterns: - - pattern: a() - - pattern: b() From d0c2461ec4ab284e3e101801489450e728442244 Mon Sep 17 00:00:00 2001 From: Chris Dolan Date: Fri, 23 Feb 2024 15:02:25 -0700 Subject: [PATCH 38/89] Update Argo URL (#3313) --- .github/workflows/trigger-pro-benchmark-scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/trigger-pro-benchmark-scan.yaml b/.github/workflows/trigger-pro-benchmark-scan.yaml index 7dd0462414..a763a61295 100644 --- a/.github/workflows/trigger-pro-benchmark-scan.yaml +++ b/.github/workflows/trigger-pro-benchmark-scan.yaml 
@@ -20,5 +20,5 @@ jobs: COMP_BRANCH: ${{ github.head_ref }} BASE_BRANCH: ${{ github.event.pull_request.base.ref }} run: | - curl -X POST https://argoworkflows-dev2.corp.r2c.dev/api/v1/events/security-research/pro-perf-scan-test -H "Authorization: ${{ secrets.ARGO_WORKFLOWS_TOKEN }}" -d "{\"base_branch\": \"$BASE_BRANCH\", \"comparison_branch\": \"$COMP_BRANCH\", \"rules_repository\": \"$RULES_REPO\"}" + curl -X POST https://argoworkflows-dev2.corp.semgrep.dev/api/v1/events/security-research/pro-perf-scan-test -H "Authorization: ${{ secrets.ARGO_WORKFLOWS_TOKEN }}" -d "{\"base_branch\": \"$BASE_BRANCH\", \"comparison_branch\": \"$COMP_BRANCH\", \"rules_repository\": \"$RULES_REPO\"}" From 5d47026a23376ecc9fc649154ba246d9dc52e236 Mon Sep 17 00:00:00 2001 From: LewisArdern Date: Mon, 4 Mar 2024 07:26:40 -0800 Subject: [PATCH 39/89] Fix incorrect deleted test file --- .../audit/cookie-missing-samesite.java | 37 ------ .../audit/cookie-missing-secure-flag.java | 114 ++++++++++++++++++ 2 files changed, 114 insertions(+), 37 deletions(-) delete mode 100644 java/lang/security/audit/cookie-missing-samesite.java create mode 100644 java/lang/security/audit/cookie-missing-secure-flag.java diff --git a/java/lang/security/audit/cookie-missing-samesite.java b/java/lang/security/audit/cookie-missing-samesite.java deleted file mode 100644 index 297b999350..0000000000 --- a/java/lang/security/audit/cookie-missing-samesite.java +++ /dev/null 
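Review bot: The new curl line still builds the JSON body by interpolating `$BASE_BRANCH`, `$COMP_BRANCH` and `$RULES_REPO` into a double-quoted string, and `COMP_BRANCH` is set from `github.head_ref`, which a pull-request author controls. A branch name containing `"` or `\` breaks the payload or injects extra JSON fields into the event sent to Argo; passing the values through environment variables keeps them out of the shell, but not out of the JSON. If the runner has jq, letting it build the body closes the gap: `--data "$(jq -n --arg b "$BASE_BRANCH" --arg c "$COMP_BRANCH" --arg r "$RULES_REPO" '{base_branch:$b, comparison_branch:$c, rules_repository:$r}')"`. Adding `--fail -sS` would also surface a rejected event as a step failure rather than a silently ignored 4xx.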
@@ -1,37 +0,0 @@ -@Controller -public class CookieController { - - @RequestMapping(value = "/cookie1", method = "GET") - public void setCookie(@RequestParam String value, HttpServletResponse response) { - // ok:cookie-missing-samesite - response.setHeader("Set-Cookie", "key=value; HttpOnly; SameSite=strict"); - } - - @RequestMapping(value = "/cookie2", method = "GET") - public void setSecureCookie(@RequestParam String value, HttpServletResponse response) { - // ok:cookie-missing-samesite - response.setHeader("Set-Cookie", "key=value; HttpOnly;"); - } - - @RequestMapping(value = "/cookie3", method = "GET") - public void setSecureHttponlyCookie(@RequestParam String value, HttpServletResponse response) { - Cookie cookie = new Cookie("cookie", value); - cookie.setSecure(true); - cookie.setHttpOnly(true); - // ok:cookie-missing-samesite - response.addCookie(cookie); - } - - @RequestMapping(value = "/cookie4", method = "GET") - public void setEverything(@RequestParam String value, HttpServletResponse response) { - // ok:cookie-missing-samesite - response.setHeader("Set-Cookie", "key=value; HttpOnly; Secure; SameSite=strict"); - response.addCookie(cookie); - } - - @RequestMapping(value = "/cookie4", method = "GET") - public void setEverything(@RequestParam String value, HttpServletResponse response) { - // ok:cookie-missing-samesite - response.setHeader("Set-Cookie", null); - } -} diff --git a/java/lang/security/audit/cookie-missing-secure-flag.java b/java/lang/security/audit/cookie-missing-secure-flag.java new file mode 100644 index 0000000000..4362d99dd3 --- /dev/null +++ b/java/lang/security/audit/cookie-missing-secure-flag.java 
@@ -0,0 +1,114 @@ +@Controller +public class CookieController { + + @RequestMapping(value = "/cookie1", method = "GET") + public void setCookie(@RequestParam String value, HttpServletResponse response) { + Cookie cookie = new Cookie("cookie", value); + // ruleid:cookie-missing-secure-flag + response.addCookie(cookie); + } + + @RequestMapping(value = "/cookie2", method = "GET") + public void setSecureCookie(@RequestParam String value, HttpServletResponse response) { + Cookie cookie = new Cookie("cookie", value); + // ok:cookie-missing-secure-flag + cookie.setSecure(true); + response.addCookie(cookie); + } + + @RequestMapping(value = "/cookie3", method = "GET") + public void setSecureHttponlyCookie(@RequestParam String value, HttpServletResponse response) { + Cookie cookie = new Cookie("cookie", value); + // ok:cookie-missing-secure-flag + cookie.setSecure(true); + cookie.setHttpOnly(true); + response.addCookie(cookie); + } + + @RequestMapping(value = "/cookie4", method = "GET") + public void explicitDisable(@RequestParam String value, HttpServletResponse response) { + Cookie cookie = new Cookie("cookie", value); + // ruleid:cookie-missing-secure-flag + cookie.setSecure(false); + cookie.setHttpOnly(false); + response.addCookie(cookie); + } + + @RequestMapping(value = "/cookie5", method = "GET") + public void explicitDisable(@RequestParam String value, HttpServletResponse response) { + // ignore cookies created by Spring's ResponseCookie builder, since the interface is different + Cookie cookie = ResponseCookie.from("name", "value").build(); + // ok:cookie-missing-secure-flag + response.addCookie(cookie); + } + + // test case cf. 
https://github.com/Dreampie/Resty//blob/9ef059c065d1894c79e7d69c150e588a61eb1cd5/resty-common/src/main/java/cn/dreampie/common/http/HttpResponse.java#L69 + public Response addCookie(String name, String value, int expiration, boolean httpOnly) { + Cookie existingCookie = HttpRequest.getCookie(request.getCookies(), name); + if (existingCookie != null) { + if (Constant.cookiePath.equals(existingCookie.getPath()) + || existingCookie.getPath() == null // in some cases cookies set on path '/' are returned with a null path + ) { + // update existing cookie + existingCookie.setPath(Constant.cookiePath); + existingCookie.setValue(value); + existingCookie.setMaxAge(expiration); + if (Constant.cookieHttpOnly) { + setHttpOnly(existingCookie); + } + existingCookie.setSecure(Constant.cookieSecure); + if (Constant.cookieDomain != null) { + existingCookie.setDomain(Constant.cookieDomain); + } + // ok:cookie-missing-secure-flag + response.addCookie(existingCookie); + } else { + // we have an existing cookie on another path: clear it, and add a new cookie on root path + existingCookie.setValue(""); + existingCookie.setMaxAge(0); + // ok:cookie-missing-secure-flag + response.addCookie(existingCookie); + + Cookie c = new Cookie(name, value); + c.setPath(Constant.cookiePath); + c.setMaxAge(expiration); + if (Constant.cookieHttpOnly) { + setHttpOnly(existingCookie); + } + c.setSecure(Constant.cookieSecure); + if (Constant.cookieDomain != null) { + c.setDomain(Constant.cookieDomain); + } + // ok:cookie-missing-secure-flag + response.addCookie(c); + } + } else { + Cookie c = new Cookie(name, value); + c.setPath(Constant.cookiePath); + c.setMaxAge(expiration); + if (Constant.cookieHttpOnly) { + setHttpOnly(c); + } + c.setSecure(Constant.cookieSecure); + if (Constant.cookieDomain != null) { + c.setDomain(Constant.cookieDomain); + } + // ok:cookie-missing-secure-flag + response.addCookie(c); + } + return this; + } + + public Response clearCookie(String cookie) { + Cookie existingCookie = 
HttpRequest.getCookie(request.getCookies(), cookie); + if (existingCookie != null) { + existingCookie.setPath(Constant.cookiePath); + existingCookie.setValue(""); + existingCookie.setMaxAge(0); + // ok:cookie-missing-secure-flag + response.addCookie(existingCookie); + } + return this; + } + +} From 81f7928f64cc9c2bb7eb9c386dc0c2c86bb74c34 Mon Sep 17 00:00:00 2001 From: LewisArdern Date: Thu, 7 Mar 2024 12:05:27 -0800 Subject: [PATCH 40/89] Fix cache issue for customer report --- dockerfile/best-practice/missing-apk-no-cache.dockerfile | 4 ++++ dockerfile/best-practice/missing-apk-no-cache.yaml | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/dockerfile/best-practice/missing-apk-no-cache.dockerfile b/dockerfile/best-practice/missing-apk-no-cache.dockerfile index 1418e12a41..7458d14466 100644 --- a/dockerfile/best-practice/missing-apk-no-cache.dockerfile +++ b/dockerfile/best-practice/missing-apk-no-cache.dockerfile @@ -29,3 +29,7 @@ RUN apk add --no-cache --virtual .build-deps \ gcc \ freetype-dev \ musl-dev + + +# ok: missing-apk-no-cache +RUN apk --no-cache add \ No newline at end of file diff --git a/dockerfile/best-practice/missing-apk-no-cache.yaml b/dockerfile/best-practice/missing-apk-no-cache.yaml index 9d4fe16b1b..cec774c0de 100644 --- a/dockerfile/best-practice/missing-apk-no-cache.yaml +++ b/dockerfile/best-practice/missing-apk-no-cache.yaml @@ -3,8 +3,8 @@ rules: patterns: - pattern: | RUN apk $COMMAND ... - - pattern-not: | - RUN apk $CMD ... --no-cache ... + - pattern-not-inside: | + RUN apk ... --no-cache ... languages: - dockerfile message: >- From 0bca48f4303e3e509d0653d93a00058826866a9e Mon Sep 17 00:00:00 2001 
From: LewisArdern Date: Thu, 7 Mar 2024 12:47:32 -0800 Subject: [PATCH 41/89] Fix dockerfile for cutomer --- .../security/last-user-is-root.dockerfile | 3 ++ dockerfile/security/last-user-is-root.yaml | 28 +++++++--------- .../security/last-user-is-root.dockerfile | 8 ----- .../security/last-user-is-root.yaml | 32 ------------------- 4 files changed, 14 insertions(+), 57 deletions(-) delete mode 100644 generic/dockerfile/security/last-user-is-root.dockerfile delete mode 100644 generic/dockerfile/security/last-user-is-root.yaml diff --git a/dockerfile/security/last-user-is-root.dockerfile b/dockerfile/security/last-user-is-root.dockerfile index 788c385b9e..55d865f831 100644 --- a/dockerfile/security/last-user-is-root.dockerfile +++ b/dockerfile/security/last-user-is-root.dockerfile @@ -5,5 +5,8 @@ RUN git clone https://github.com/returntocorp/semgrep RUN pip3 install semgrep RUN semgrep -f p/xss USER swuser +USER root + +USER user1 # ruleid: last-user-is-root USER root diff --git a/dockerfile/security/last-user-is-root.yaml b/dockerfile/security/last-user-is-root.yaml index e45e0303e5..9619c80bc1 100644 --- a/dockerfile/security/last-user-is-root.yaml +++ b/dockerfile/security/last-user-is-root.yaml @@ -1,23 +1,17 @@ rules: - id: last-user-is-root patterns: - - pattern-inside: | - USER $F - ... - USER $X - # nosemgrep: yaml.semgrep.slow-pattern-top-ellipsis - - pattern-not-inside: | - ... - USER $X - ... - USER $F - - focus-metavariable: $X - - metavariable-regex: - metavariable: $X - regex: ^(root)$ - - metavariable-regex: - metavariable: $F - regex: (.*(?!root)) + - pattern: USER root + - pattern-not-inside: + patterns: + - pattern: | + USER root + ... + USER $X + - metavariable-pattern: + metavariable: $X + patterns: + - pattern-not: root message: >- The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container 
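Review bot: The added intermediate `USER root` (the one directly after `USER swuser`) is exactly the case the revised rule must not report, yet it carries no annotation, so a reader of the fixture cannot tell whether it is meant to pass or fail. Putting `# ok: last-user-is-root` above it states the intent (the harness already fails on an unexpected match there, but the annotation is how this corpus documents negatives). A `USER 0` variant at the end of the file would be worth adding for the same reason if the rule is meant to treat the numeric uid as root.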
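Review bot: The rewritten rule recognises root only as the literal `USER root`, so `USER 0`, `USER root:root` and `USER 0:0` are never reported, and a trailing `USER 0` also satisfies the `pattern-not: root` check and suppresses an earlier `USER root`. Dockerfile accepts a numeric uid and an optional `:group` in the USER instruction, so both forms turn up in hardened images; the regex-based version this replaces had the same blind spot. Extending the positive pattern and the metavariable check to the numeric form would look something like the following (the `:group` variants can be added the same way if the dockerfile parser binds them as expected).

```yaml
  patterns:
  - pattern-either:
    - pattern: USER root
    - pattern: USER 0
  - pattern-not-inside:
      patterns:
      - pattern-either:
        - pattern: |
            USER root
            ...
            USER $X
        - pattern: |
            USER 0
            ...
            USER $X
      - metavariable-pattern:
          metavariable: $X
          patterns:
          - pattern-not: root
          - pattern-not: 0
  # … unchanged: message, severity, languages, metadata …
```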
diff --git a/generic/dockerfile/security/last-user-is-root.dockerfile b/generic/dockerfile/security/last-user-is-root.dockerfile deleted file mode 100644 index 526ce749cc..0000000000 --- a/generic/dockerfile/security/last-user-is-root.dockerfile +++ /dev/null @@ -1,8 +0,0 @@ -FROM busybox - -# ruleid: last-user-is-root -USER root -RUN git clone https://github.com/returntocorp/semgrep -RUN pip3 install semgrep -RUN semgrep -f p/xss -# USER swuser diff --git a/generic/dockerfile/security/last-user-is-root.yaml b/generic/dockerfile/security/last-user-is-root.yaml deleted file mode 100644 index 0ce2a4a936..0000000000 --- a/generic/dockerfile/security/last-user-is-root.yaml +++ /dev/null @@ -1,32 +0,0 @@ -rules: -- id: last-user-is-root - patterns: - - pattern: USER root - - pattern-not-inside: | - USER root - ... - USER $ANYTHING - message: >- - The last user in the container is 'root'. This is a security - hazard because if an attacker gains control of the container - they will have root access. Switch back to another user after - running commands as 'root'. - severity: ERROR - languages: - - dockerfile - metadata: - cwe: - - 'CWE-269: Improper Privilege Management' - source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3002 - references: - - https://github.com/hadolint/hadolint/wiki/DL3002 - category: security - technology: - - dockerfile - confidence: MEDIUM - owasp: - - A04:2021 - Insecure Design - subcategory: - - audit - likelihood: MEDIUM - impact: MEDIUM From f24901a10b4be41bca9a8207852311d05ddd4db9 Mon Sep 17 00:00:00 2001 From: Sal Olivares Date: Fri, 8 Mar 2024 11:34:55 -0800 Subject: [PATCH 42/89] fix: sync dev2 properly --- .github/workflows/update-semgrep-staging-dev.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/update-semgrep-staging-dev.yml b/.github/workflows/update-semgrep-staging-dev.yml index 7222597832..6fc7812799 100644 --- a/.github/workflows/update-semgrep-staging-dev.yml 
+++ b/.github/workflows/update-semgrep-staging-dev.yml @@ -11,8 +11,8 @@ jobs: name: Update semgrep.dev runs-on: ubuntu-latest steps: - - name: update dev.semgrep.dev - run: curl --fail -X POST -L https://dev.semgrep.dev/api/admin/update-registry?rule_type=sast + - name: update dev2.semgrep.dev + run: curl --fail -X POST -L https://dev2.semgrep.dev/api/admin/update-registry?rule_type=sast continue-on-error: true - name: update staging.semgrep.dev run: curl --fail -X POST -L https://staging.semgrep.dev/api/admin/update-registry?rule_type=sast From dd8a525e6191341ac77ae6e39c66b4ec5df686a5 Mon Sep 17 00:00:00 2001 From: "semgrep-dev-pr-bot[bot]" <63393893+semgrep-dev-pr-bot[bot]@users.noreply.github.com> Date: Tue, 12 Mar 2024 14:09:57 +0700 Subject: [PATCH 43/89] New Published Rules - ironclad.jwt-simple-noverify-copy-copy (#3326) * add ironclad/jwt-simple-noverify-copy-copy.yaml * add ironclad/jwt-simple-noverify-copy-copy.jsx * move ironclad rules to javascript folder * remove old ironclad files * update ironclad jwt-simple-noverify meta --------- Co-authored-by: Mohamed AboElKheir Co-authored-by: Vasilii --- .../ironclad/security/jwt-simple-noverify.js | 142 ++++++++++++++++++ .../security/jwt-simple-noverify.yaml | 46 ++++++ 2 files changed, 188 insertions(+) create mode 100644 javascript/ironclad/security/jwt-simple-noverify.js create mode 100644 javascript/ironclad/security/jwt-simple-noverify.yaml diff --git a/javascript/ironclad/security/jwt-simple-noverify.js b/javascript/ironclad/security/jwt-simple-noverify.js new file mode 100644 index 0000000000..d00a4a59b8 --- /dev/null +++ b/javascript/ironclad/security/jwt-simple-noverify.js 
@@ -0,0 +1,142 @@ +const express = require('express'); +const bcrypt = require('bcrypt'); +const jwt = require('jwt-simple'); +const mongoose = require('mongoose'); +const mongoSanitize = require('express-mongo-sanitize'); + +const app = express(); +app.use(express.json()); +app.use(mongoSanitize()); +const secretKey = process.env.JWT_SECRET; + +// Sample MongoDB connection URI +const mongoURI = 'mongodb://localhost:27017/test'; + +// Connect to MongoDB using Mongoose +mongoose.connect(mongoURI, { useNewUrlParser: true, useUnifiedTopology: true }); +const db = mongoose.connection; + +// Create a user schema +const userSchema = new mongoose.Schema({ + username: String, + password: String +}); + +// Create a user model +const User = mongoose.model('User', userSchema); + +// Route for user login +app.post('/login', async (req, res) => { + const { username, password } = req.body; + + try { + // Find user by username + const user = await User.findOne({ username }); + + if (!user) { + return res.status(401).json({ error: 'Authentication failed. User not found.' }); + } + + // Compare password with hashed password + const isPasswordValid = await bcrypt.compare(password, user.password); + + if (!isPasswordValid) { + return res.status(401).json({ error: 'Authentication failed. Invalid password.' }); + } + + // Issue JWT token + const token = jwt.encode({ username }, secretKey,'HS256'); + res.json({ token }); + } catch (error) { + console.error('Error occurred during login:', error); + res.status(500).json({ error: 'Internal server error.' }); + } +}); + +// Route that requires authentication +app.get('/protectedRoute1', (req, res) => { + const token = req.headers.authorization; + + if (!token) { + return res.status(401).json({ error: 'Unauthorized. Token missing.' 
}); + } + + try { + // ruleid: jwt-simple-noverify + const decoded = jwt.decode(token, secretKey, 'HS256'); + res.json({ message: `Hello ${decoded.username}` }); + } catch (error) { + res.status(401).json({ error: 'Unauthorized. Invalid token.' }); + } +}); + +// Route that requires authentication +app.get('/protectedRoute2', (req, res) => { + const token = req.headers.authorization; + + if (!token) { + return res.status(401).json({ error: 'Unauthorized. Token missing.' }); + } + + try { + // ruleid: jwt-simple-noverify + const decoded = jwt.decode(token, secretKey, true); + res.json({ message: `Hello ${decoded.username}` }); + } catch (error) { + res.status(401).json({ error: 'Unauthorized. Invalid token.' }); + } +}); + +// Route that requires authentication +app.get('/protectedRoute3', (req, res) => { + const token = req.headers.authorization; + + if (!token) { + return res.status(401).json({ error: 'Unauthorized. Token missing.' }); + } + + try { + // ruleid: jwt-simple-noverify + const decoded = jwt.decode(token, secretKey, 'false'); + res.json({ message: `Hello ${decoded.username}` }); + } catch (error) { + res.status(401).json({ error: 'Unauthorized. Invalid token.' }); + } +}); + +// Route that requires authentication +app.get('/protectedRoute4', (req, res) => { + const token = req.headers.authorization; + + if (!token) { + return res.status(401).json({ error: 'Unauthorized. Token missing.' }); + } + + try { + // ok: jwt-simple-noverify + const decoded = jwt.decode(token, secretKey); + res.json({ message: `Hello ${decoded.username}` }); + } catch (error) { + res.status(401).json({ error: 'Unauthorized. Invalid token.' }); + } +}); + +// Route that requires authentication +app.get('/protectedRoute5', (req, res) => { + const token = req.headers.authorization; + + if (!token) { + return res.status(401).json({ error: 'Unauthorized. Token missing.' 
}); + } + + try { + // ok: jwt-simple-noverify + const decoded = jwt.decode(token, secretKey, false); + res.json({ message: `Hello ${decoded.username}` }); + } catch (error) { + res.status(401).json({ error: 'Unauthorized. Invalid token.' }); + } +}); + +const PORT = process.env.PORT || 3000; +app.listen(PORT, () => console.log(`Server running on port ${PORT}`)); \ No newline at end of file diff --git a/javascript/ironclad/security/jwt-simple-noverify.yaml b/javascript/ironclad/security/jwt-simple-noverify.yaml new file mode 100644 index 0000000000..55b5164288 --- /dev/null +++ b/javascript/ironclad/security/jwt-simple-noverify.yaml @@ -0,0 +1,46 @@ +rules: +- id: jwt-simple-noverify + message: >- + Detected the decoding of a JWT token without a verify step. + JWT tokens must be verified before use, otherwise the token's + integrity is unknown. This means a malicious actor could forge + a JWT token with any claims. Set 'verify' to `true` before using the token. + severity: ERROR + metadata: + owasp: + - A05:2021 - Security Misconfiguration + - A07:2021 - Identification and Authentication Failures + cwe: + - 'CWE-287: Improper Authentication' + - 'CWE-345: Insufficient Verification of Data Authenticity' + - 'CWE-347: Improper Verification of Cryptographic Signature' + category: security + subcategory: + - vuln + technology: + - jwt-simple + - jwt + confidence: HIGH + likelihood: MEDIUM + impact: HIGH + references: + - https://www.npmjs.com/package/jwt-simple + - https://cwe.mitre.org/data/definitions/287 + - https://cwe.mitre.org/data/definitions/345 + - https://cwe.mitre.org/data/definitions/347 + languages: + - javascript + - typescript + patterns: + - pattern-inside: | + $JWT = require('jwt-simple'); + ... + - pattern: $JWT.decode($TOKEN, $SECRET, $NOVERIFY, ...) + - metavariable-pattern: + metavariable: $NOVERIFY + patterns: + - pattern-either: + - pattern: | + true + - pattern: | + "..." From 194c92ecf6edb06a124f6f05799ed05a2049cff4 Mon Sep 17 00:00:00 2001 
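Review bot: The `// ruleid` cases at `/protectedRoute1` and `/protectedRoute3` pass `'HS256'` and `'false'` as the third argument, which reads like an algorithm choice or an intended opt-out rather than a verification bypass, and nothing in the fixture explains why they are findings. A one-line comment above the first of them would spare the next maintainer a trip to the library docs: `// per the jwt-simple README the signature is decode(token, key, noVerify, algorithm): any truthy third argument, including the strings 'HS256' and 'false', skips signature verification`. A case where the flag arrives through a variable, `const skipVerify = true; jwt.decode(token, secretKey, skipVerify)`, would also show whether constant propagation reaches the rule's metavariable-pattern.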
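Review bot: The remediation sentence in `message` is inverted relative to the rule's own tests: the fixture marks `jwt.decode(token, secretKey, true)` as a finding and `jwt.decode(token, secretKey, false)` as ok, so the third argument is a no-verify switch and telling users to "Set 'verify' to `true`" would make the code vulnerable. Replace it with `Drop the third argument or pass false so jwt-simple verifies the signature (the parameter is noVerify, not verify).` Separately, `pattern-inside` anchors only on `$JWT = require('jwt-simple')`, yet `languages` includes typescript, where the module is normally brought in with `import jwt from 'jwt-simple'` or `import * as jwt from 'jwt-simple'`, so those callers are never matched; a `pattern-either` over the import forms closes that gap. The `"..."` alternative also matches the empty string, which is falsy in JavaScript, though that is unlikely to matter in practice.

```yaml
  patterns:
  - pattern-either:
    - pattern-inside: |
        $JWT = require('jwt-simple');
        ...
    - pattern-inside: |
        import $JWT from 'jwt-simple';
        ...
    - pattern-inside: |
        import * as $JWT from 'jwt-simple';
        ...
  # … unchanged: $JWT.decode(...) pattern and the $NOVERIFY metavariable-pattern …
```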
From: Vasilii Ermilov Date: Wed, 13 Mar 2024 17:36:08 +0700 Subject: [PATCH 44/89] update detected-ssh-password rule (#3331) --- generic/secrets/security/detected-ssh-password.txt | 6 ++++++ generic/secrets/security/detected-ssh-password.yaml | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/generic/secrets/security/detected-ssh-password.txt b/generic/secrets/security/detected-ssh-password.txt index 12fa8d4730..ef08699b51 100644 --- a/generic/secrets/security/detected-ssh-password.txt +++ b/generic/secrets/security/detected-ssh-password.txt @@ -1,2 +1,8 @@ # ruleid: detected-ssh-password sshpass -p 'blah' + +# ok: detected-ssh-password +cmdInput := fmt.Sprintf("sshpass -p '%s'", password) + +# ok: detected-ssh-password +cmdInput := fmt.Sprintf("sshpass -p %s", password) \ No newline at end of file diff --git a/generic/secrets/security/detected-ssh-password.yaml b/generic/secrets/security/detected-ssh-password.yaml index ca47f16a5d..6b1aab335b 100644 --- a/generic/secrets/security/detected-ssh-password.yaml +++ b/generic/secrets/security/detected-ssh-password.yaml @@ -1,7 +1,7 @@ rules: - id: detected-ssh-password pattern-regex: |- - sshpass -p.*['|\\\"] + sshpass -p\s*['|\\\"][^%] languages: [regex] message: SSH Password detected severity: ERROR From 6707ab928798571a64f9822fb50e100b064f5c70 Mon Sep 17 00:00:00 2001 From: LewisArdern Date: Wed, 13 Mar 2024 09:09:08 -0700 Subject: [PATCH 45/89] Fix ironclad to jwtsimple --- .../{ironclad => jwt-simple}/security/jwt-simple-noverify.js | 0 .../{ironclad => jwt-simple}/security/jwt-simple-noverify.yaml | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename javascript/{ironclad => jwt-simple}/security/jwt-simple-noverify.js (100%) rename javascript/{ironclad => jwt-simple}/security/jwt-simple-noverify.yaml (100%) 
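Review bot: The new `[^%]` tail exempts only `%`-style format placeholders, so `sshpass -p "$PASSWORD"`, `'${PASSWORD}'` or a `'{}'` template still match, which is the same false-positive class the commit set out to fix; the two added `# ok:` fixtures cover only Go's `Sprintf`. The character class `['|\\\"]` is a class, not an alternation, so `|` is a literal member and `\\` a literal backslash; `sshpass -p\s*['"][^%$]` expresses the intent (a quoted literal that is neither a format specifier nor a shell variable) without those extras. A fixture line for the shell-variable case would pin whichever behaviour is intended.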
diff --git a/javascript/ironclad/security/jwt-simple-noverify.js b/javascript/jwt-simple/security/jwt-simple-noverify.js similarity index 100% rename from javascript/ironclad/security/jwt-simple-noverify.js rename to javascript/jwt-simple/security/jwt-simple-noverify.js diff --git a/javascript/ironclad/security/jwt-simple-noverify.yaml b/javascript/jwt-simple/security/jwt-simple-noverify.yaml similarity index 100% rename from javascript/ironclad/security/jwt-simple-noverify.yaml rename to javascript/jwt-simple/security/jwt-simple-noverify.yaml From 8565518299e60755d2d5cc4fe96466f34d5d8861 Mon Sep 17 00:00:00 2001 From: Eddie Carswell Date: Thu, 14 Mar 2024 04:22:17 -0500 Subject: [PATCH 46/89] bash: Fix false positives on arithmetic expressions (#3332) * bash: Fix false positives on arithmetic expressions The bash rule `unquoted-variable-expansion-in-command` triggered a false positive on arithmetic expressions such as `$((2 + 2))` or `$((foo++))`. This fixes the issue and adds new test cases. Signed-off-by: Eddie Carswell * Update unquoted-expansion.yaml --------- Signed-off-by: Eddie Carswell Co-authored-by: Vasilii Ermilov Co-authored-by: Vasilii Ermilov --- bash/lang/correctness/unquoted-expansion.bash | 12 ++++++++++++ bash/lang/correctness/unquoted-expansion.yaml | 2 ++ 2 files changed, 14 insertions(+) diff --git a/bash/lang/correctness/unquoted-expansion.bash b/bash/lang/correctness/unquoted-expansion.bash index 6bb8bcbc5f..e6d79f361b 100644 --- a/bash/lang/correctness/unquoted-expansion.bash +++ b/bash/lang/correctness/unquoted-expansion.bash 
@@ -90,3 +90,15 @@ exec "bar$(foo)bar" # ok: unquoted-command-substitution-in-command x=$(foo) + +# Assignment from arithmetic expression +# ok: unquoted-command-substitution-in-command +x=$((foo++)) + +# This expression used to trigger +# ok: unquoted-command-substitution-in-command +echo $((2 + 2)) + +# Real world case that used to trigger this +# ok: unquoted-command-substitution-in-command +printf '%-*s enter %s\n' $((call_count++)) '->' "$1" diff --git a/bash/lang/correctness/unquoted-expansion.yaml b/bash/lang/correctness/unquoted-expansion.yaml index 024b7fb95b..fd80e6c137 100644 --- a/bash/lang/correctness/unquoted-expansion.yaml +++ b/bash/lang/correctness/unquoted-expansion.yaml @@ -50,3 +50,5 @@ rules: ... $(...) ... - pattern: | ... ...$(...)... ... + - pattern-regex: | + .*(\$\([^\(]|`).+([^\)]\)|`).* From 3c12dcc7b13b77f456a103d185cdbff2018152bf Mon Sep 17 00:00:00 2001 From: allanbreyes Date: Thu, 14 Mar 2024 05:51:30 -0400 Subject: [PATCH 47/89] Escape hostnames and add fonts.gstatic.com to missing-integrity (#3335) Co-authored-by: Vasilii Ermilov --- html/security/audit/missing-integrity.html | 4 +++- html/security/audit/missing-integrity.yaml | 4 ++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/html/security/audit/missing-integrity.html b/html/security/audit/missing-integrity.html index 9d6fae12c2..f2d650e852 100644 --- a/html/security/audit/missing-integrity.html +++ b/html/security/audit/missing-integrity.html @@ -30,6 +30,8 @@ + + @@ -42,4 +44,4 @@ - \ No newline at end of file + diff --git a/html/security/audit/missing-integrity.yaml b/html/security/audit/missing-integrity.yaml index 6b57adcd13..d0975c8c0a 100644 --- a/html/security/audit/missing-integrity.yaml +++ b/html/security/audit/missing-integrity.yaml 
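Review bot: The added `pattern-regex` rejects short substitutions: after `\$\([^\(]` has consumed `$(l`, `.+` needs one character and `[^\)]\)` two more, so `echo $(ls)` or `x=$(id)` can no longer satisfy it and — if this entry sits under a `patterns:` conjunction, which the hunk does not show — those lines stop being reported. A lookahead avoids the arithmetic case without eating characters, e.g. `.*(\$\((?!\()|`).+?(\)|`).*`, and a two-letter fixture next to the new `$((...))` cases would guard it. The `|` block scalar also leaves a trailing newline on the regex; `|-` is the usual choice for `pattern-regex` so the pattern ends at `.*`. The enclosing list starts outside the hunk.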
@@ -32,7 +32,7 @@ rules: - pattern: href='//...' - pattern: href="//..." - pattern-not-regex: (?is).*integrity= - - pattern-not-regex: (google-analytics.com|fonts.googleapis.com|googletagmanager.com) + - pattern-not-regex: (google-analytics\.com|fonts\.googleapis\.com|fonts\.gstatic\.com|googletagmanager\.com) - pattern-not-regex: .*rel\s*=\s*['"]?preconnect.* paths: include: @@ -47,4 +47,4 @@ rules: the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files. severity: WARNING - languages: [generic] \ No newline at end of file + languages: [generic] From fd6aed251575173f37bf7f55ca2034bd2f1f42d7 Mon Sep 17 00:00:00 2001 From: Lewis Date: Mon, 18 Mar 2024 11:07:09 -0700 Subject: [PATCH 48/89] Update package-dependencies-check.yml --- json/npm/security/package-dependencies-check.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/json/npm/security/package-dependencies-check.yml b/json/npm/security/package-dependencies-check.yml index 9d9becb21a..727ea88664 100644 --- a/json/npm/security/package-dependencies-check.yml +++ b/json/npm/security/package-dependencies-check.yml @@ -1,10 +1,10 @@ rules: - id: package-dependencies-check patterns: - - pattern-not-regex: \"[\w-.]*\"\s*:\s*\"[\d.]+-[\w.]+\" + - pattern-not-regex: \"[\w\-.]*\"\s*:\s*\"[\d.]+-[\w.]+\" - pattern-either: - - pattern-regex: \"[\w-.]*\"\s*:\s*\"latest\" - - pattern-regex: \"[\w-.]*\"\s*:\s*\"[^~\-\^><=\"x]*[~\-\^><=x]+.*\" + - pattern-regex: \"[\w\-.]*\"\s*:\s*\"latest\" + - pattern-regex: \"[\w\-.]*\"\s*:\s*\"[^~\-\^><=\"x]*[~\-\^><=x]+.*\" - pattern-either: - pattern-inside: | "dependencies": { From 0a5ad3747adb55918d1390e91d85a1405d9145b2 Mon Sep 17 00:00:00 2001 From: Claudio Date: Wed, 20 Mar 2024 15:25:29 +0100 Subject: [PATCH 49/89] Improve ruby-jwt-hardcoded-secret --- ruby/jwt/security/jwt-hardcode.yaml | 4 ++++ 1 file changed, 4 insertions(+) 
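Review bot: The exemption in `pattern-not-regex` is still unanchored after escaping the dots, so any `src`/`href` whose text merely contains one of these names is exempted from the integrity check, including a different host that uses the name as a leading label or path segment. Anchoring to the host position keeps the intended allowlist and nothing more, e.g. `- pattern-not-regex: //(?:[\w-]+\.)*(google-analytics|fonts\.googleapis|fonts\.gstatic|googletagmanager)\.com[/"']`, assuming the regex is applied to the matched tag text as the sibling `rel=preconnect` exemption is. The html fixture hunk is not legible in this view, so I cannot see whether a negative case exists; one ok line for `fonts.gstatic.com` plus one ruleid line for a host that only contains the name would pin it.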
diff --git a/ruby/jwt/security/jwt-hardcode.yaml b/ruby/jwt/security/jwt-hardcode.yaml index 8d43a60cee..65f44392f3 100644 --- a/ruby/jwt/security/jwt-hardcode.yaml +++ b/ruby/jwt/security/jwt-hardcode.yaml @@ -44,5 +44,9 @@ rules: $SECRET = "..." ... JWT.decode($PAYLOAD,$SECRET,...) + - pattern-not: | + JWT.encode($PAYLOAD, nil, ... , jwks: ..., ...) + - pattern-not: | + JWT.decode($PAYLOAD, nil, ..., jwks: ..., ...) languages: [ruby] severity: ERROR From 5097c33749fbb126db719faf0856ad37d8b92537 Mon Sep 17 00:00:00 2001 From: Claudio Date: Wed, 20 Mar 2024 15:26:48 +0100 Subject: [PATCH 50/89] Update jwt-hardcode.rb --- ruby/jwt/security/jwt-hardcode.rb | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/ruby/jwt/security/jwt-hardcode.rb b/ruby/jwt/security/jwt-hardcode.rb index c0507dcfa0..b19de0bb30 100644 --- a/ruby/jwt/security/jwt-hardcode.rb +++ b/ruby/jwt/security/jwt-hardcode.rb @@ -36,3 +36,14 @@ def ok1(secret_key) decoded_token = JWT.decode token, secret_key, true, { algorithm: 'HS256' } puts decoded_token end + +def ok2() + token = JWT.encode payload, hmac_secret, 'HS256' + puts token + jwk_loader = ->(options) do + # jwk_loader implementation here + end + # ok: ruby-jwt-hardcoded-secret + decoded_token = JWT.decode token, nil, true, { algorithm: 'HS256' }, jwks: jwk_loader + puts decoded_token +end From afaf953952831e3695a5882916718afc28ffbc21 Mon Sep 17 00:00:00 2001 
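Review bot: The new `pattern-not` for `JWT.encode($PAYLOAD, nil, ... , jwks: ..., ...)` describes a call shape that, as far as I know, ruby-jwt's `encode(payload, key, algorithm, header_fields)` does not take — `jwks:` is a `decode` option — so only the `decode` exclusion does any work; drop the `encode` clause or note which ruby-jwt version accepts it. In the `ok2` fixture the `JWT.encode payload, hmac_secret, 'HS256'` line carries no annotation; if `hmac_secret` is bound to a literal earlier in the file (outside the hunk) it would be reported and the test would fail, so either annotate it or use a local. Both exclusions also require the key to be the literal `nil`; a decode that passes a variable key together with `jwks:` is still reported, which is fine if intended but worth a comment on the pattern.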
From: "Security Research (r2c-argo)" Date: Mon, 25 Mar 2024 00:33:56 +0000 Subject: [PATCH 51/89] Merge Gitleaks rules 2024-03-25 # 00:33 --- .../gitleaks/facebook-access-token.yaml | 26 +++++++++++++++++++ .../gitleaks/facebook-page-access-token.yaml | 26 +++++++++++++++++++ generic/secrets/gitleaks/facebook-secret.yaml | 26 +++++++++++++++++++ .../secrets/gitleaks/mailchimp-api-key.yaml | 2 +- .../secrets/gitleaks/square-access-token.yaml | 2 +- 5 files changed, 80 insertions(+), 2 deletions(-) create mode 100644 generic/secrets/gitleaks/facebook-access-token.yaml create mode 100644 generic/secrets/gitleaks/facebook-page-access-token.yaml create mode 100644 generic/secrets/gitleaks/facebook-secret.yaml diff --git a/generic/secrets/gitleaks/facebook-access-token.yaml b/generic/secrets/gitleaks/facebook-access-token.yaml new file mode 100644 index 0000000000..2a1a657f83 --- /dev/null +++ b/generic/secrets/gitleaks/facebook-access-token.yaml 
@@ -0,0 +1,26 @@ +rules: +- id: facebook-access-token + message: A gitleaks facebook-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). + languages: + - regex + severity: INFO + metadata: + likelihood: LOW + impact: MEDIUM + confidence: LOW + category: security + cwe: + - "CWE-798: Use of Hard-coded Credentials" + cwe2021-top25: true + cwe2022-top25: true + owasp: + - A07:2021 - Identification and Authentication Failures + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html + source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules + subcategory: + - vuln + technology: + - gitleaks + patterns: + - pattern-regex: (?i)\b(\d{15,16}\|[0-9a-z\-_]{27})(?:['|\"|\n|\r|\s|\x60|;]|$) diff --git a/generic/secrets/gitleaks/facebook-page-access-token.yaml b/generic/secrets/gitleaks/facebook-page-access-token.yaml new file mode 100644 index 0000000000..5e8191f515 --- /dev/null +++ b/generic/secrets/gitleaks/facebook-page-access-token.yaml 
@@ -0,0 +1,26 @@ +rules: +- id: facebook-page-access-token + message: A gitleaks facebook-page-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). + languages: + - regex + severity: INFO + metadata: + likelihood: LOW + impact: MEDIUM + confidence: LOW + category: security + cwe: + - "CWE-798: Use of Hard-coded Credentials" + cwe2021-top25: true + cwe2022-top25: true + owasp: + - A07:2021 - Identification and Authentication Failures + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html + source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules + subcategory: + - vuln + technology: + - gitleaks + patterns: + - pattern-regex: (?i)\b(EAA[MC][a-z0-9]{20,})(?:['|\"|\n|\r|\s|\x60|;]|$) diff --git a/generic/secrets/gitleaks/facebook-secret.yaml b/generic/secrets/gitleaks/facebook-secret.yaml new file mode 100644 index 0000000000..1d5facc02a --- /dev/null +++ b/generic/secrets/gitleaks/facebook-secret.yaml 
@@ -0,0 +1,26 @@ +rules: +- id: facebook-secret + message: A gitleaks facebook-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). + languages: + - regex + severity: INFO + metadata: + likelihood: LOW + impact: MEDIUM + confidence: LOW + category: security + cwe: + - "CWE-798: Use of Hard-coded Credentials" + cwe2021-top25: true + cwe2022-top25: true + owasp: + - A07:2021 - Identification and Authentication Failures + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html + source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules + subcategory: + - vuln + technology: + - gitleaks + patterns: + - pattern-regex: (?i)(?:facebook)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$) diff --git a/generic/secrets/gitleaks/mailchimp-api-key.yaml b/generic/secrets/gitleaks/mailchimp-api-key.yaml index d13f13bc8b..7f2bcc15d9 100644 --- a/generic/secrets/gitleaks/mailchimp-api-key.yaml +++ b/generic/secrets/gitleaks/mailchimp-api-key.yaml @@ -23,4 +23,4 @@ rules: technology: - gitleaks patterns: - - pattern-regex: (?i)(?:mailchimp)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32}-us20)(?:['|\"|\n|\r|\s|\x60|;]|$) + - pattern-regex: (?i)(?:MailchimpSDK.initialize|mailchimp)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32}-us\d\d)(?:['|\"|\n|\r|\s|\x60|;]|$) 
diff --git a/generic/secrets/gitleaks/square-access-token.yaml b/generic/secrets/gitleaks/square-access-token.yaml index 588a35bb60..b5d503e5df 100644 --- a/generic/secrets/gitleaks/square-access-token.yaml +++ b/generic/secrets/gitleaks/square-access-token.yaml @@ -23,4 +23,4 @@ rules: technology: - gitleaks patterns: - - pattern-regex: (?i)\b(sq0atp-[0-9A-Za-z\-_]{22})(?:['|\"|\n|\r|\s|\x60|;]|$) + - pattern-regex: (?i)\b((EAAA|sq0atp-)[0-9A-Za-z\-_]{22,60})(?:['|\"|\n|\r|\s|\x60|;]|$) From 9e624ee87eb77f8a39827764020fa30fe809be50 Mon Sep 17 00:00:00 2001 From: Phil Turnbull Date: Mon, 25 Mar 2024 11:32:19 -0400 Subject: [PATCH 52/89] Remove non-rule YAML files --- .github/workflows/semgrep-rules-test-historical.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/semgrep-rules-test-historical.yml b/.github/workflows/semgrep-rules-test-historical.yml index 2c8d9faf5b..55ecab1ac3 100644 --- a/.github/workflows/semgrep-rules-test-historical.yml +++ b/.github/workflows/semgrep-rules-test-historical.yml @@ -36,6 +36,12 @@ jobs: run: rm -rf semgrep-rules/fingerprints - name: delete rules requiring Semgrep Pro run: rm -rf semgrep-rules/apex semgrep-rules/elixir + # TODO: remove this in the future, there was a regression in semgrep that + # caused non-rule YAML files to be validated + - name: delete YAML files that are not rules + run: | + rm -f semgrep-rules/.pre-commit-config.yaml + rm -rf semgrep-rules/.github - name: grab historical semgrep version env: GH_TOKEN: ${{ github.token }} From 4b0ac74d4a05fe67829064c9fd4e9e2aa0662fb5 Mon Sep 17 00:00:00 2001 
From: Vasilii Ermilov Date: Mon, 8 Apr 2024 15:29:00 +0700 Subject: [PATCH 53/89] Fix Java xmlinputfactory rules (#3347) * fix java xmlinputfactory rules * fix java xmlinputfactory rules * fix java xmlinputfactory rules --- ...nputfactory-external-entities-enabled.java | 22 +++++++++++++++++++ ...nputfactory-external-entities-enabled.yaml | 5 ++++- .../xmlinputfactory-possible-xxe.java | 20 ++++++++++++----- .../xmlinputfactory-possible-xxe.yaml | 10 ++++----- 4 files changed, 45 insertions(+), 12 deletions(-) diff --git a/java/lang/security/xmlinputfactory-external-entities-enabled.java b/java/lang/security/xmlinputfactory-external-entities-enabled.java index b97c78e1b4..c8786cb990 100644 --- a/java/lang/security/xmlinputfactory-external-entities-enabled.java +++ b/java/lang/security/xmlinputfactory-external-entities-enabled.java @@ -3,6 +3,7 @@ package example; import javax.xml.stream.XMLInputFactory; +import static javax.xml.stream.XMLInputFactory.SUPPORT_DTD; class GoodXMLInputFactory { public GoodXMLInputFactory() { @@ -16,6 +17,17 @@ public GoodXMLInputFactory() { } } +class GoodXMLInputFactory1 { + public GoodXMLInputFactory1() { + final XMLInputFactory xmlInputFactory = XMLInputFactory.newFactory(); + + // See + // https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md#xmlinputfactory-a-stax-parser + // ok:xmlinputfactory-external-entities-enabled + xmlInputFactory.setProperty(SUPPORT_DTD, false); + } +} + class BadXMLInputFactory { public BadXMLInputFactory() { final XMLInputFactory xmlInputFactory = XMLInputFactory.newFactory(); 
@@ -23,3 +35,13 @@ public BadXMLInputFactory() { xmlInputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities", true); } } + +class BadXMLInputFactory1 { + public BadXMLInputFactory1() { + final XMLInputFactory xmlInputFactory = XMLInputFactory.newFactory(); + // ruleid:xmlinputfactory-external-entities-enabled + xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, true); + } +} + + diff --git a/java/lang/security/xmlinputfactory-external-entities-enabled.yaml b/java/lang/security/xmlinputfactory-external-entities-enabled.yaml index 2b9fc1ce4e..c4ea87df23 100644 --- a/java/lang/security/xmlinputfactory-external-entities-enabled.yaml +++ b/java/lang/security/xmlinputfactory-external-entities-enabled.yaml @@ -31,6 +31,9 @@ rules: to XML external entity attacks. Disable external entities by setting "javax.xml.stream.isSupportingExternalEntities" to false. - pattern: $XMLFACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities", true); + patterns: + - pattern-either: + - pattern: (javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty("javax.xml.stream.isSupportingExternalEntities", true); + - pattern: (javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty(javax.xml.stream.XMLInputFactory.SUPPORT_DTD, true); languages: - java diff --git a/java/lang/security/xmlinputfactory-possible-xxe.java b/java/lang/security/xmlinputfactory-possible-xxe.java index a033c14110..ec4296ec98 100644 --- a/java/lang/security/xmlinputfactory-possible-xxe.java +++ b/java/lang/security/xmlinputfactory-possible-xxe.java @@ -3,10 +3,10 @@ package example; import javax.xml.stream.XMLInputFactory; -import static java.xml.stream.XMLFactoryInput.IS_SUPPORTING_EXTERNAL_ENTITIES; +import static javax.xml.stream.XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES; class GoodXMLInputFactory { - public void Blah() { + public void blah() { final XMLInputFactory xmlInputFactory = XMLInputFactory.newFactory(); // See 
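Review bot: The rule now also reports `setProperty(XMLInputFactory.SUPPORT_DTD, true)`, but the `message` just above the hunk still tells the reader only to set `"javax.xml.stream.isSupportingExternalEntities"` to false, which does not address the DTD case; extend it with `Disable DTD processing as well with setProperty(XMLInputFactory.SUPPORT_DTD, false).` Only the constant form is matched for DTDs: the equivalent string key `"javax.xml.stream.supportDTD"` is neither in the patterns nor in the `BadXMLInputFactory1` fixture, while the external-entities case is matched by its string key only and not by `IS_SUPPORTING_EXTERNAL_ENTITIES` (unless Semgrep resolves the library constant), so each property is covered in exactly one of its two spellings. Both patterns also match only the literal `true`; if a variable or `Boolean.TRUE` is an accepted miss, a YAML comment saying so would prevent a later rewrite.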
@@ -18,7 +18,7 @@ public void Blah() { } class GoodConstXMLInputFactory { - public void Blah() { + public GoodConstXMLInputFactory() { final XMLInputFactory xmlInputFactory = XMLInputFactory.newFactory(); // See @@ -29,16 +29,24 @@ public void Blah() { } } -class BadXMLInputFactory { - public Blah() { +class BadXMLInputFactory1 { + public BadXMLInputFactory1() { // ruleid:xmlinputfactory-possible-xxe final XMLInputFactory xmlInputFactory = XMLInputFactory.newFactory(); xmlInputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities", true); } } +class BadXMLInputFactory2 { + public BadXMLInputFactory2() { + // ruleid:xmlinputfactory-possible-xxe + final XMLInputFactory xmlInputFactory = XMLInputFactory.newFactory(); + xmlInputFactory.setProperty(IS_SUPPORTING_EXTERNAL_ENTITIES, true); + } +} + class MaybeBadXMLInputFactory { - public Blah() { + public void foobar() { // ruleid:xmlinputfactory-possible-xxe final XMLInputFactory xmlInputFactory = XMLInputFactory.newFactory(); } diff --git a/java/lang/security/xmlinputfactory-possible-xxe.yaml b/java/lang/security/xmlinputfactory-possible-xxe.yaml index af2a70c050..813edacb39 100644 --- a/java/lang/security/xmlinputfactory-possible-xxe.yaml +++ b/java/lang/security/xmlinputfactory-possible-xxe.yaml @@ -34,19 +34,19 @@ rules: to false. patterns: - pattern-not-inside: | - $RETURNTYPE $METHOD(...) { + $METHOD(...) { ... $XMLFACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities", false); ... } - pattern-not-inside: | - $RETURNTYPE $METHOD(...) { + $METHOD(...) { ... - $XMLFACTORY.setProperty(java.xml.stream.XMLFactoryInput.IS_SUPPORTING_EXTERNAL_ENTITIES, false); + $XMLFACTORY.setProperty(javax.xml.stream.XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false); ... } - pattern-either: - - pattern: $XMLFACTORY = $W.newFactory(...); - - pattern: $XMLFACTORY = new XMLInputFactory(...); + - pattern: javax.xml.stream.XMLInputFactory.newFactory(...) + - pattern: new XMLInputFactory(...) languages: - java 
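Review bot: The new `pattern-either` recognises only `javax.xml.stream.XMLInputFactory.newFactory(...)`; the older and still common `XMLInputFactory.newInstance(...)` builds the same parser and is not matched, so add `- pattern: javax.xml.stream.XMLInputFactory.newInstance(...)` together with a `newInstance()` variant in the fixture. `new XMLInputFactory(...)` cannot appear in compiling code because the class is abstract, so that alternative is dead and can go. The two `pattern-not-inside` clauses accept only `isSupportingExternalEntities` set to `false` as a mitigation; a method that instead disables DTDs with `SUPPORT_DTD` set to `false` — the form the sibling rule's `GoodXMLInputFactory1` fixture uses — is still reported as a possible XXE, which reads as a false positive unless that is intended. `GoodConstXMLInputFactory`'s body is partly outside the hunk, so I cannot see which property its ok case sets.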
From 3596fccb2ebff509eb46453d15072a3252f2bdba Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 12 Apr 2024 02:31:45 +0000 Subject: [PATCH 54/89] Bump idna from 3.4 to 3.7 Bumps [idna](https://github.com/kjd/idna) from 3.4 to 3.7. - [Release notes](https://github.com/kjd/idna/releases) - [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.rst) - [Commits](https://github.com/kjd/idna/compare/v3.4...v3.7) --- updated-dependencies: - dependency-name: idna dependency-type: indirect ... Signed-off-by: dependabot[bot] --- Pipfile.lock | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/Pipfile.lock b/Pipfile.lock index 2e87da7092..e8bb09e9b3 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -138,11 +138,12 @@ }, "idna": { "hashes": [ - "sha256:814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4", - "sha256:90b77e79eaa3eba6de819a0c442c0b4ceefc341a7a2ab77d7562bf49f425c5c2" + "sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc", + "sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0" ], + "index": "pypi", "markers": "python_version >= '3.5'", - "version": "==3.4" + "version": "==3.7" }, "jsonschema": { "hashes": [ From 0aa1bedb24fc2525b77d3ecf533ed7145f975c49 Mon Sep 17 00:00:00 2001 From: Alex Rosenzweig Date: Mon, 15 Apr 2024 12:41:00 +1000 Subject: [PATCH 55/89] uplift php echo rule --- .../security/injection/echoed-request.php | 10 +-- .../security/injection/echoed-request.yaml | 24 ++++- .../security/injection/printed-request.php | 87 +++++++++++++++++++ .../security/injection/printed-request.yaml | 62 +++++++++++++ 4 files changed, 176 insertions(+), 7 deletions(-) create mode 100644 php/lang/security/injection/printed-request.php create mode 100644 php/lang/security/injection/printed-request.yaml 
diff --git a/php/lang/security/injection/echoed-request.php b/php/lang/security/injection/echoed-request.php index c54496d05a..14077432b3 100644 --- a/php/lang/security/injection/echoed-request.php +++ b/php/lang/security/injection/echoed-request.php @@ -1,18 +1,18 @@ - + `Printing user input risks cross-site scripting vulnerability. + You should use `htmlentities()` when showing data to users. + languages: [php] + severity: ERROR + pattern-sources: + - pattern: $_REQUEST + - pattern: $_GET + - pattern: $_POST + pattern-sinks: + - pattern: print($...VARS); + pattern-sanitizers: + - pattern: isset(...) + - pattern: empty(...) + - pattern: htmlentities(...) + - pattern: htmlspecialchars(...) + - pattern: strip_tags(...) + # Wordpress Escapes + - pattern: esc_html(...) + - pattern: esc_attr(...) + - pattern: wp_kses(...) + # Laravel Escapes + - pattern: e(...) + # Symfony Escapes + - pattern: twig_escape_filter($...) + # CodeIgniter Escapes + - pattern: xss_clean(...) + - pattern: html_escape(...) + # Drupal Escapes + - pattern: Html::escape(...) + - pattern: Xss::filter(...) + # Magento Escapes + - pattern: escapeHtml(...) + # Laminas Escapes + - pattern: escapeHtml(...) + - pattern: escapeHtmlAttr(...) + fix: print(htmlentities($...VARS)); + metadata: + technology: + - php + cwe: + - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + category: security + references: + - https://www.php.net/manual/en/function.htmlentities.php + - https://www.php.net/manual/en/reserved.variables.request.php + - https://www.php.net/manual/en/reserved.variables.post.php + - https://www.php.net/manual/en/reserved.variables.get.php + - https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM 
From 92c8be5067b13f5613447170e110dc7079a3996d Mon Sep 17 00:00:00 2001 From: Alex Rosenzweig Date: Mon, 15 Apr 2024 13:19:45 +1000 Subject: [PATCH 56/89] remove false negatives and fix rule --- php/lang/security/injection/echoed-request.yaml | 3 +-- php/lang/security/injection/printed-request.yaml | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/php/lang/security/injection/echoed-request.yaml b/php/lang/security/injection/echoed-request.yaml index 4e2ad925b1..e45a7edfd6 100644 --- a/php/lang/security/injection/echoed-request.yaml +++ b/php/lang/security/injection/echoed-request.yaml @@ -14,7 +14,6 @@ rules: - pattern: echo $...VARS; pattern-sanitizers: - pattern: isset(...) - - pattern: empty(...) - pattern: htmlentities(...) - pattern: htmlspecialchars(...) - pattern: strip_tags(...) @@ -25,7 +24,7 @@ rules: # Laravel Escapes - pattern: e(...) # Symfony Escapes - - pattern: twig_escape_filter($...) + - pattern: twig_escape_filter(...) # CodeIgniter Escapes - pattern: xss_clean(...) - pattern: html_escape(...) diff --git a/php/lang/security/injection/printed-request.yaml b/php/lang/security/injection/printed-request.yaml index 1387adb787..a6846bda20 100644 --- a/php/lang/security/injection/printed-request.yaml +++ b/php/lang/security/injection/printed-request.yaml @@ -14,7 +14,6 @@ rules: - pattern: print($...VARS); pattern-sanitizers: - pattern: isset(...) - - pattern: empty(...) - pattern: htmlentities(...) - pattern: htmlspecialchars(...) - pattern: strip_tags(...) @@ -25,7 +24,7 @@ rules: # Laravel Escapes - pattern: e(...) # Symfony Escapes - - pattern: twig_escape_filter($...) + - pattern: twig_escape_filter(...) # CodeIgniter Escapes - pattern: xss_clean(...) - pattern: html_escape(...) From 3bdc381ee8ec5127fa06c03037849a4469a679ac Mon Sep 17 00:00:00 2001 
From: Alex Rosenzweig Date: Tue, 16 Apr 2024 09:26:24 +1000 Subject: [PATCH 57/89] update rules + tests --- php/lang/security/injection/echoed-request.php | 4 ++-- php/lang/security/injection/echoed-request.yaml | 1 - php/lang/security/injection/printed-request.php | 4 ++-- php/lang/security/injection/printed-request.yaml | 1 - 4 files changed, 4 insertions(+), 6 deletions(-) diff --git a/php/lang/security/injection/echoed-request.php b/php/lang/security/injection/echoed-request.php index 14077432b3..bae89171c7 100644 --- a/php/lang/security/injection/echoed-request.php +++ b/php/lang/security/injection/echoed-request.php @@ -63,11 +63,11 @@ function doOK3() { function doOK4() { // ok: echoed-request - echo "Hello ".isset($_POST['name'])." !"; + echo "Hello ".e($_POST['name'])." !"; } function doOK5() { - $safevar = empty($_GET['name']); + $safevar = esc_attr($_GET['name']); // ok: echoed-request echo "Hello $safevar !"; } diff --git a/php/lang/security/injection/echoed-request.yaml b/php/lang/security/injection/echoed-request.yaml index e45a7edfd6..b4b72635cc 100644 --- a/php/lang/security/injection/echoed-request.yaml +++ b/php/lang/security/injection/echoed-request.yaml @@ -13,7 +13,6 @@ rules: pattern-sinks: - pattern: echo $...VARS; pattern-sanitizers: - - pattern: isset(...) - pattern: htmlentities(...) - pattern: htmlspecialchars(...) - pattern: strip_tags(...) diff --git a/php/lang/security/injection/printed-request.php b/php/lang/security/injection/printed-request.php index 7b50453349..ff8a6750ce 100644 --- a/php/lang/security/injection/printed-request.php +++ b/php/lang/security/injection/printed-request.php @@ -63,11 +63,11 @@ function doOK3() { function doOK4() { // ok: printed-request - print("Hello ".isset($_POST['name'])." !"); + print("Hello ".e($_POST['name'])." !"); } function doOK5() { - $safevar = empty($_GET['name']); + $safevar = esc_attr($_GET['name']); // ok: printed-request print("Hello $safevar !"); } 
diff --git a/php/lang/security/injection/printed-request.yaml b/php/lang/security/injection/printed-request.yaml index a6846bda20..f591e96c65 100644 --- a/php/lang/security/injection/printed-request.yaml +++ b/php/lang/security/injection/printed-request.yaml @@ -13,7 +13,6 @@ rules: pattern-sinks: - pattern: print($...VARS); pattern-sanitizers: - - pattern: isset(...) - pattern: htmlentities(...) - pattern: htmlspecialchars(...) - pattern: strip_tags(...) From a320d8df0b92bb04c8cd1736f16cc9b3434d4c8b Mon Sep 17 00:00:00 2001 From: LewisArdern Date: Tue, 16 Apr 2024 10:09:42 -0700 Subject: [PATCH 58/89] Fix source in tainted-sql-string --- .../security/injection/tainted-sql-string.yaml | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/javascript/express/security/injection/tainted-sql-string.yaml b/javascript/express/security/injection/tainted-sql-string.yaml index d0b07a5d1c..e5d078f933 100644 --- a/javascript/express/security/injection/tainted-sql-string.yaml +++ b/javascript/express/security/injection/tainted-sql-string.yaml @@ -35,13 +35,7 @@ rules: pattern-sources: - patterns: - pattern-either: - - pattern-inside: function ... ($REQ, $RES) {...} - - pattern-inside: function ... ($REQ, $RES, $NEXT) {...} - - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...}) - - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...}) - - metavariable-regex: - metavariable: $METHOD - regex: ^(get|post|put|head|delete|options)$ + - pattern-inside: function ... (...,$REQ, ...) {...} - pattern-either: - pattern: $REQ.query - pattern: $REQ.body 
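Review bot: The replacement source `function ... (...,$REQ, ...) {...}` lets `$REQ` bind to any parameter of any function, so `.query`/`.body`/`.params` reads on every function argument in a file become taint sources rather than only Express handler requests; that is a large precision change relative to the removed `$APP.$METHOD(...)` shapes, and the rule's `confidence` metadata (outside the hunk) may need to follow. If the wider net is intended, a YAML comment above the pattern such as `# any function parameter whose request-like fields are read is treated as a request object` records the trade-off. Neither the removed nor the new pattern visibly covers arrow-function handlers (`app.get('/', (req, res) => {...})`) for untyped JavaScript; a fixture with one would settle whether `function ...` matches them in Semgrep.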
@@ -50,11 +44,11 @@ rules:
 - pattern: $REQ.headers
 - patterns:
 - pattern-either:
- - pattern-inside: |
- ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>
+ - pattern-inside: >
+ (...,{ $REQ }: Request,...) =>
 {...}
 - pattern-inside: |
- ({ $REQ }: Request,$RES: Response) => {...}
+ (...,{ $REQ }: $EXPRESS.Request,...) => {...}
 - focus-metavariable: $REQ
 - pattern-either:
 - pattern: params
From a1a15d4516dcc1e4856be90f0f7dae10d91b094a Mon Sep 17 00:00:00 2001
From: Alex Rosenzweig
Date: Wed, 24 Apr 2024 17:58:08 +1000
Subject: [PATCH 59/89] requested changes
---
.../security/injection/echoed-request.php | 26 +++++++++++++++++++
.../security/injection/echoed-request.yaml | 2 ++
.../security/injection/printed-request.php | 25 ++++++++++++++++++
.../security/injection/printed-request.yaml | 2 ++
4 files changed, 55 insertions(+)
diff --git a/php/lang/security/injection/echoed-request.php b/php/lang/security/injection/echoed-request.php
index bae89171c7..2780856029 100644
--- a/php/lang/security/injection/echoed-request.php
+++ b/php/lang/security/injection/echoed-request.php
@@ -44,6 +44,22 @@ function doSmth5() {
 echo "Hello ".trim($_POST['name']);
 }
+function doSmth6() {
+ $VAR = $_GET['someval']
+ if(isset($VAR)){
+ // ruleid: echoed-request
+ echo $VAR;
+ }
+}
+
+function doSmth7() {
+ $VAR = $_GET['someval']
+ if(empty($VAR)){
+ // ruleid: echoed-request
+ echo $VAR;
+ }
+ }
+
 function doOK1() {
 // ok: echoed-request
 echo "Hello ".htmlentities($_POST['name'])." !";
@@ -84,4 +100,14 @@ function doOK7() {
 echo $safevar;
 }
+function doOK8() {
+ // ok: echoed-request
+ echo "Hello ".isset($_POST['name'])." !";
+}
+
+function doOK9() {
+ $safevar = empty($_GET['name']);
+ // ok: echoed-request
+ echo "Hello $safevar !";
+}
diff --git a/php/lang/security/injection/echoed-request.yaml b/php/lang/security/injection/echoed-request.yaml
index b4b72635cc..88f594e82d 100644
--- a/php/lang/security/injection/echoed-request.yaml
+++ b/php/lang/security/injection/echoed-request.yaml
@@ -16,6 +16,8 @@ rules:
 - pattern: htmlentities(...)
 - pattern: htmlspecialchars(...)
 - pattern: strip_tags(...)
+ - pattern: isset(...)
+ - pattern: empty(...)
 # Wordpress Escapes
 - pattern: esc_html(...)
 - pattern: esc_attr(...)
diff --git a/php/lang/security/injection/printed-request.php b/php/lang/security/injection/printed-request.php
index ff8a6750ce..f6b9253558 100644
--- a/php/lang/security/injection/printed-request.php
+++ b/php/lang/security/injection/printed-request.php
@@ -44,6 +44,22 @@ function doSmth5() {
 print("Hello ".trim($_POST['name']));
 }
+function doSmth6() {
+ $VAR = $_GET['someval']
+ if(isset($VAR)){
+ // ruleid: printed-request
+ print($VAR);
+ }
+ }
+
+ function doSmth7() {
+ $VAR = $_GET['someval']
+ if(empty($VAR)){
+ // ruleid: printed-request
+ print($VAR);
+ }
+ }
+
 function doOK1() {
 // ok: printed-request
 print("Hello ".htmlentities($_POST['name'])." !");
@@ -84,4 +100,13 @@ function doOK7() {
 print($safevar);
 }
+function doOK8() {
+ // ok: printed-request
+ print("Hello ".isset($_POST['name'])." !");
+}
+function doOK9() {
+ $safevar = empty($_GET['name']);
+ // ok: printed-request
+ print("Hello $safevar !");
+}
diff --git a/php/lang/security/injection/printed-request.yaml b/php/lang/security/injection/printed-request.yaml
index f591e96c65..9cf2ebae59 100644
--- a/php/lang/security/injection/printed-request.yaml
+++ b/php/lang/security/injection/printed-request.yaml
@@ -16,6 +16,8 @@ rules:
 - pattern: htmlentities(...)
 - pattern: htmlspecialchars(...)
 - pattern: strip_tags(...)
+ - pattern: isset(...)
+ - pattern: empty(...)
 # Wordpress Escapes
 - pattern: esc_html(...)
 - pattern: esc_attr(...)
From 00feee7f5533942b71c6c3c2c489d286275d315d Mon Sep 17 00:00:00 2001
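Review bot: `isset(...)` and `empty(...)` are re-added to `pattern-sanitizers` without any comment on what they are meant to clean, and the fixtures added in this commit only hold together under a specific reading: `doSmth6`/`doSmth7` are still expected to fire after `isset($VAR)`/`empty($VAR)`, while `doOK8`/`doOK9` are clean, which matches a plain `pattern:` sanitizer cleaning just the boolean result of the call (not `$VAR` itself, which would need `by-side-effect`). A one-line comment would keep the next maintainer from "fixing" this into a by-side-effect sanitizer and silently suppressing the doSmth6/doSmth7 cases: `# isset()/empty() return a bool: only the call's result is clean, the variable passed in stays tainted (see doSmth6/doSmth7)`. The printed-request.yaml hunk in this commit needs the same comment.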
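Review bot: In the printed-request.php hunk the closing brace of doSmth6 and the entire `function doSmth7()` definition are indented one level (`+ }` / `+ function doSmth7() {`) while doSmth6 and every other test function in the visible context start at column 0, so the fixture reads as if doSmth7 were nested inside doSmth6; the echoed-request.php hunk has the same indented closing brace on doSmth7 only. In the second hunk doOK9 follows doOK8's `}` with no blank line, unlike the echoed-request.php counterpart. Both `$VAR = $_GET['someval']` lines are also missing their trailing `;` in this commit, so the fixtures are not valid PHP as committed. Aligning the braces and function headers to column 0 and adding the blank line before doOK9 would keep the two fixture files in step.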
From: Vasilii
Date: Wed, 24 Apr 2024 18:41:02 +0700
Subject: [PATCH 60/89] fix java xmlinputfactory rules (again)
---
.../xmlinputfactory-external-entities-enabled.yaml | 2 ++
java/lang/security/xmlinputfactory-possible-xxe.java | 12 ++++++++++++
java/lang/security/xmlinputfactory-possible-xxe.yaml | 12 ++++++++++++
3 files changed, 26 insertions(+)
diff --git a/java/lang/security/xmlinputfactory-external-entities-enabled.yaml b/java/lang/security/xmlinputfactory-external-entities-enabled.yaml
index c4ea87df23..96eef6a07a 100644
--- a/java/lang/security/xmlinputfactory-external-entities-enabled.yaml
+++ b/java/lang/security/xmlinputfactory-external-entities-enabled.yaml
@@ -35,5 +35,7 @@ rules:
 - pattern-either:
 - pattern: (javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty("javax.xml.stream.isSupportingExternalEntities", true);
 - pattern: (javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty(javax.xml.stream.XMLInputFactory.SUPPORT_DTD, true);
+ - pattern: (javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty("javax.xml.stream.isSupportingExternalEntities", Boolean.TRUE);
+ - pattern: (javax.xml.stream.XMLInputFactory $XMLFACTORY).setProperty(javax.xml.stream.XMLInputFactory.SUPPORT_DTD, Boolean.TRUE);
 languages:
 - java
diff --git a/java/lang/security/xmlinputfactory-possible-xxe.java b/java/lang/security/xmlinputfactory-possible-xxe.java
index ec4296ec98..a7a9a170ff 100644
--- a/java/lang/security/xmlinputfactory-possible-xxe.java
+++ b/java/lang/security/xmlinputfactory-possible-xxe.java
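Review bot: The two added patterns only add the `Boolean.TRUE` spelling of the two forms already present, so the rule still recognises each property in exactly one spelling: the external-entities property only as the string `"javax.xml.stream.isSupportingExternalEntities"` and DTD support only as the constant `javax.xml.stream.XMLInputFactory.SUPPORT_DTD`. A call written the other way round — `setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, true)` or `setProperty("javax.xml.stream.supportDTD", true)` — is not matched by this `pattern-either` unless an earlier part of the rule outside the hunk covers it, and the commit message's "(again)" suggests these spellings have been chased before. The companion xmlinputfactory-possible-xxe.yaml hunk in this commit lists both the string and the constant form for the external-entities property, so mirroring that here (and adding the string form for SUPPORT_DTD) would keep the two rules consistent. A comment above the list such as `# each property must be listed in both its string and XMLInputFactory.* constant spelling; Semgrep does not resolve the constant's value` would make the intent explicit.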
@@ -29,6 +29,18 @@ public GoodConstXMLInputFactory() {
 }
 }
+class GoodConstXMLInputFactory1 {
+ public GoodConstXMLInputFactory1() {
+ final XMLInputFactory xmlInputFactory = XMLInputFactory.newFactory();
+
+ // See
+ // https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md#xmlinputfactory-a-stax-parser
+ xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
+ // ok
+ xmlInputFactory.setProperty(IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+ }
+}
+
 class BadXMLInputFactory1 {
 public BadXMLInputFactory1() {
 // ruleid:xmlinputfactory-possible-xxe
diff --git a/java/lang/security/xmlinputfactory-possible-xxe.yaml b/java/lang/security/xmlinputfactory-possible-xxe.yaml
index 813edacb39..5d9a82dff0 100644
--- a/java/lang/security/xmlinputfactory-possible-xxe.yaml
+++ b/java/lang/security/xmlinputfactory-possible-xxe.yaml
@@ -45,6 +45,18 @@ rules:
 $XMLFACTORY.setProperty(javax.xml.stream.XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
 ...
 }
+ - pattern-not-inside: |
+ $METHOD(...) {
+ ...
+ $XMLFACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities", Boolean.FALSE);
+ ...
+ }
+ - pattern-not-inside: |
+ $METHOD(...) {
+ ...
+ $XMLFACTORY.setProperty(javax.xml.stream.XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
+ ...
+ }
 - pattern-either:
 - pattern: javax.xml.stream.XMLInputFactory.newFactory(...)
 - pattern: new XMLInputFactory(...)
From be5e2f2c0052b2f36d4e1c368ef12a2f2b43a3a2 Mon Sep 17 00:00:00 2001
From: Kurt Boberg <98792107+kurt-r2c@users.noreply.github.com>
Date: Wed, 24 Apr 2024 13:32:34 -0700
Subject: [PATCH 61/89] Apply suggestions from code review
---
php/lang/security/injection/echoed-request.php | 4 ++--
php/lang/security/injection/printed-request.php | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
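Review bot: The new `GoodConstXMLInputFactory1` fixture does not exercise the exclusion this commit adds to xmlinputfactory-possible-xxe.yaml: it passes `Boolean.FALSE` for `SUPPORT_DTD` but plain `false` for `IS_SUPPORTING_EXTERNAL_ENTITIES`, and the `false` form is already covered by the pre-existing `pattern-not-inside` visible as context in the yaml hunk, so the test would pass without the new patterns. Changing that line to `xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);` would pin the new behaviour and also drop the unqualified `IS_SUPPORTING_EXTERNAL_ENTITIES`, which is inconsistent with the `XMLInputFactory.SUPPORT_DTD` spelling on the line above (the imports are outside the hunk, so this may rely on a static import that the rule's fully-qualified pattern may or may not resolve). The `// ok` marker is also bare and placed on the `setProperty` line, whereas the rule's match, per the yaml hunk's `pattern-either`, is the `XMLInputFactory.newFactory(...)` call; writing it as `// ok: xmlinputfactory-possible-xxe` directly above the `newFactory()` line follows the `// ruleid:xmlinputfactory-possible-xxe` convention used in the context below.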
diff --git a/php/lang/security/injection/echoed-request.php b/php/lang/security/injection/echoed-request.php
index 2780856029..109854c835 100644
--- a/php/lang/security/injection/echoed-request.php
+++ b/php/lang/security/injection/echoed-request.php
@@ -45,7 +45,7 @@ function doSmth5() {
 }
 function doSmth6() {
- $VAR = $_GET['someval']
+ $VAR = $_GET['someval'];
 if(isset($VAR)){
 // ruleid: echoed-request
 echo $VAR;
@@ -53,7 +53,7 @@ function doSmth6() {
 }
 function doSmth7() {
- $VAR = $_GET['someval']
+ $VAR = $_GET['someval'];
 if(empty($VAR)){
 // ruleid: echoed-request
 echo $VAR;
diff --git a/php/lang/security/injection/printed-request.php b/php/lang/security/injection/printed-request.php
index f6b9253558..0f9d6a75a8 100644
--- a/php/lang/security/injection/printed-request.php
+++ b/php/lang/security/injection/printed-request.php
@@ -45,7 +45,7 @@ function doSmth5() {
 }
 function doSmth6() {
- $VAR = $_GET['someval']
+ $VAR = $_GET['someval'];
 if(isset($VAR)){
 // ruleid: printed-request
 print($VAR);
@@ -53,7 +53,7 @@ function doSmth6() {
 }
 function doSmth7() {
- $VAR = $_GET['someval']
+ $VAR = $_GET['someval'];
 if(empty($VAR)){
 // ruleid: printed-request
 print($VAR);
From ea7810a1efe3c862658aac2aaa7a726f1fe2a7eb Mon Sep 17 00:00:00 2001
From: Claudio
Date: Thu, 25 Apr 2024 11:26:28 +0200
Subject: [PATCH 62/89] Update lints to accept taint_focus_on option
---
yaml/semgrep/metadata-incorrect-option.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/yaml/semgrep/metadata-incorrect-option.yaml b/yaml/semgrep/metadata-incorrect-option.yaml
index 4021691dab..549acef83f 100644
--- a/yaml/semgrep/metadata-incorrect-option.yaml
+++ b/yaml/semgrep/metadata-incorrect-option.yaml
@@ -22,4 +22,4 @@ rules:
 $KEY: $VALUE
 - metavariable-regex:
 metavariable: $KEY
- regex: (?!options|constant_propagation|symbolic_propagation|taint_unify_mvars|taint_assume_safe_functions|taint_assume_safe_indexes|taint_assume_safe_comparisons|taint_assume_safe_booleans|taint_assume_safe_numbers|ac_matching|commutative_boolop|flddef_assign|arrow_is_function|let_is_var|go_deeper_expr|go_deeper_stmt|implicit_deep_exprstmt|implicit_ellipsis|xml_singleton_loose_matching|xml_attrs_implicit_ellipsis|xml_children_ordered|generic_engine|generic_multiline|generic_braces|generic_extra_braces|generic_extra_word_characters|generic_caseless|generic_ellipsis_max_span|generic_comment_style|interfile|generic_engine|commutative_compop)
+ regex: (?!options|constant_propagation|symbolic_propagation|taint_unify_mvars|taint_assume_safe_functions|taint_assume_safe_indexes|taint_assume_safe_comparisons|taint_assume_safe_booleans|taint_assume_safe_numbers|ac_matching|commutative_boolop|flddef_assign|arrow_is_function|let_is_var|go_deeper_expr|go_deeper_stmt|implicit_deep_exprstmt|implicit_ellipsis|xml_singleton_loose_matching|xml_attrs_implicit_ellipsis|xml_children_ordered|generic_engine|generic_multiline|generic_braces|generic_extra_braces|generic_extra_word_characters|generic_caseless|generic_ellipsis_max_span|generic_comment_style|interfile|generic_engine|commutative_compop|taint_focus_on)
From b0fcbc16fa0b8747b27738d93a23b25dc1a203fe Mon Sep 17 00:00:00 2001
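Review bot: `generic_engine` is listed twice in the alternation (after `xml_children_ordered` and again after `interfile`) and the rewritten line carries the duplicate forward while appending `taint_focus_on`; dropping one occurrence would make this long allow-list easier to audit the next time an option is added. The alternation is also unanchored on its right-hand side, so depending on how `metavariable-regex` anchors, a key that merely begins with a listed name may be accepted as well; if that is intended, a comment above the regex saying so (`# negative lookahead over known option names; prefix matches are accepted`) would save the next reader from re-deriving it. Since the list changes with every new Semgrep option, a comment pointing at where the canonical option list lives would also help.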
From: "Security Research (r2c-argo)"
Date: Tue, 30 Apr 2024 00:30:29 +0000
Subject: [PATCH 63/89] Merge Gitleaks rules 2024-04-30 # 00:30
---
.../secrets/gitleaks/cloudflare-api-key.yaml | 26 +++++++++++++++++++
.../gitleaks/cloudflare-global-api-key.yaml | 26 +++++++++++++++++++
.../gitleaks/cloudflare-origin-ca-key.yaml | 26 +++++++++++++++++++
.../secrets/gitleaks/scalingo-api-token.yaml | 2 +-
.../secrets/gitleaks/stripe-access-token.yaml | 2 +-
5 files changed, 80 insertions(+), 2 deletions(-)
create mode 100644 generic/secrets/gitleaks/cloudflare-api-key.yaml
create mode 100644 generic/secrets/gitleaks/cloudflare-global-api-key.yaml
create mode 100644 generic/secrets/gitleaks/cloudflare-origin-ca-key.yaml
diff --git a/generic/secrets/gitleaks/cloudflare-api-key.yaml b/generic/secrets/gitleaks/cloudflare-api-key.yaml
new file mode 100644
index 0000000000..33e967153a
--- /dev/null
+++ b/generic/secrets/gitleaks/cloudflare-api-key.yaml
@@ -0,0 +1,26 @@
+rules:
+- id: cloudflare-api-key
+ message: A gitleaks cloudflare-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+ languages:
+ - regex
+ severity: INFO
+ metadata:
+ likelihood: LOW
+ impact: MEDIUM
+ confidence: LOW
+ category: security
+ cwe:
+ - "CWE-798: Use of Hard-coded Credentials"
+ cwe2021-top25: true
+ cwe2022-top25: true
+ owasp:
+ - A07:2021 - Identification and Authentication Failures
+ references:
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+ source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
+ subcategory:
+ - vuln
+ technology:
+ - gitleaks
+ patterns:
+ - pattern-regex: (?i)(?:cloudflare)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9_-]{40})(?:['|\"|\n|\r|\s|\x60|;]|$)
diff --git a/generic/secrets/gitleaks/cloudflare-global-api-key.yaml b/generic/secrets/gitleaks/cloudflare-global-api-key.yaml
new file mode 100644
index 0000000000..9d014dbdb8
--- /dev/null
+++ b/generic/secrets/gitleaks/cloudflare-global-api-key.yaml
@@ -0,0 +1,26 @@
+rules:
+- id: cloudflare-global-api-key
+ message: A gitleaks cloudflare-global-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+ languages:
+ - regex
+ severity: INFO
+ metadata:
+ likelihood: LOW
+ impact: MEDIUM
+ confidence: LOW
+ category: security
+ cwe:
+ - "CWE-798: Use of Hard-coded Credentials"
+ cwe2021-top25: true
+ cwe2022-top25: true
+ owasp:
+ - A07:2021 - Identification and Authentication Failures
+ references:
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+ source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
+ subcategory:
+ - vuln
+ technology:
+ - gitleaks
+ patterns:
+ - pattern-regex: (?i)(?:cloudflare)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{37})(?:['|\"|\n|\r|\s|\x60|;]|$)
diff --git a/generic/secrets/gitleaks/cloudflare-origin-ca-key.yaml b/generic/secrets/gitleaks/cloudflare-origin-ca-key.yaml
new file mode 100644
index 0000000000..adf4b23b22
--- /dev/null
+++ b/generic/secrets/gitleaks/cloudflare-origin-ca-key.yaml
@@ -0,0 +1,26 @@
+rules:
+- id: cloudflare-origin-ca-key
+ message: A gitleaks cloudflare-origin-ca-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+ languages:
+ - regex
+ severity: INFO
+ metadata:
+ likelihood: LOW
+ impact: MEDIUM
+ confidence: LOW
+ category: security
+ cwe:
+ - "CWE-798: Use of Hard-coded Credentials"
+ cwe2021-top25: true
+ cwe2022-top25: true
+ owasp:
+ - A07:2021 - Identification and Authentication Failures
+ references:
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+ source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
+ subcategory:
+ - vuln
+ technology:
+ - gitleaks
+ patterns:
+ - pattern-regex: \b(v1\.0-[a-f0-9]{24}-[a-f0-9]{146})(?:['|\"|\n|\r|\s|\x60|;]|$)
diff --git a/generic/secrets/gitleaks/scalingo-api-token.yaml b/generic/secrets/gitleaks/scalingo-api-token.yaml
index b5d1c4fe19..c55fccb82a 100644
--- a/generic/secrets/gitleaks/scalingo-api-token.yaml
+++ b/generic/secrets/gitleaks/scalingo-api-token.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: \btk-us-[a-zA-Z0-9-_]{48}\b
+ - pattern-regex: \b(tk-us-[a-zA-Z0-9-_]{48})(?:['|\"|\n|\r|\s|\x60|;]|$)
diff --git a/generic/secrets/gitleaks/stripe-access-token.yaml b/generic/secrets/gitleaks/stripe-access-token.yaml
index 6719ff3c89..484c7a8093 100644
--- a/generic/secrets/gitleaks/stripe-access-token.yaml
+++ b/generic/secrets/gitleaks/stripe-access-token.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: (?i)\b((sk)_(test|live)_[0-9a-z]{10,32})(?:['|\"|\n|\r|\s|\x60|;]|$)
+ - pattern-regex: (?i)\b((sk|rk)_(test|live|prod)_[0-9a-z]{10,99})(?:['|\"|\n|\r|\s|\x60|;]|$)
From 64c2ff6f9ec776be9b67ad8582488bfe5d76a7fc Mon Sep 17 00:00:00 2001
From: Claudio
Date: Tue, 30 Apr 2024 14:34:13 +0200
Subject: [PATCH 64/89] Kill rulerascal
---
.github/rulerascal/README.md | 5 -
.github/rulerascal/main.py | 107 ------
.github/rulerascal/poetry.lock | 539 ------------------------------
.github/rulerascal/pyproject.toml | 15 -
4 files changed, 666 deletions(-)
delete mode 100644 .github/rulerascal/README.md
delete mode 100644 .github/rulerascal/main.py
delete mode 100644 .github/rulerascal/poetry.lock
delete mode 100644 .github/rulerascal/pyproject.toml
diff --git a/.github/rulerascal/README.md b/.github/rulerascal/README.md
deleted file mode 100644
index a3e7603b9a..0000000000
--- a/.github/rulerascal/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# RuleRascal
-
-This project tries to improve rule messages with ChatGPT. It named itself and explained:
-
-> The name "RuleRascal" suggests that the program is capable of creating rules for your code that are a little bit playful or mischievous. However, this doesn't mean that the rules it creates will be difficult to understand or tricky to follow – in fact, the opposite is true. The program is designed to help you create clear and easy-to-understand rules for your code, so that you can quickly and easily find and fix any potential issues. By using RuleRascal, you can create rules that are effective and straightforward, without sacrificing any of the fun or creativity that goes into writing code.
diff --git a/.github/rulerascal/main.py b/.github/rulerascal/main.py
deleted file mode 100644
index 43952b1741..0000000000
--- a/.github/rulerascal/main.py
+++ /dev/null
@@ -1,107 +0,0 @@ -import asyncio -import os -import sys -import re -from pathlib import Path -from textwrap import dedent -from aiogpt import Chat -import httpx - -pr_base_url = f"https://api.github.com/repos/{os.environ['GITHUB_REPOSITORY']}/pulls/{os.environ['GITHUB_PR_NUMBER']}" - - -COMMENT_HEADER = "Heya, I'm rule rascal. I'm an AI so I'm not that good at writing rule messages. But I try. Here's what I think the message could be:" - - -async def main(): - async with httpx.AsyncClient( - headers={ - "Authorization": f"Bearer {os.environ['GITHUB_TOKEN']}", - "Accept": "application/vnd.github+json", - "X-GitHub-Api-Version": "2022-11-28", - } - ) as gh: - pr_comments = await gh.get(f"{pr_base_url}/comments") - for comment in pr_comments.json(): - if COMMENT_HEADER in comment["body"]: - print("Oh I already left a comment here, never mind bye!") - sys.exit(0) - pr_files = await gh.get(f"{pr_base_url}/files") - rule_paths = [ - Path(file["filename"]) - for file in pr_files.json() - if file["filename"].endswith(".yaml") - ] - if rule_paths != 1: - print("back in my day, we only changed one rule per PR, bye!") - sys.exit(0) - - rule_path = rule_paths[0] - resolved_rule_path = Path(os.environ["GITHUB_WORKSPACE"]) / rule_path - - chat = Chat(os.environ["CHATGPT_TOKEN"]) - response = await chat.say( - f""" - Semgrep is a static analysis tool. - It scans for vulnerabilities with rules defined by a YAML file. - Such a YAML file contains a message. - The message is intended to explain the vulnerability and how to fix it. - The message is read by developers who don't always have cybersecurity knowledge, - so it needs to be simple to understand. - We have the following Semgrep rule: - - {resolved_rule_path.read_text()} - - Please improve the message of this rule. - The message should explain what the vulnerability is and how it is exploitable. - The message explain how to remediate the issue and how the remediation works. 
- If you use abbreviations, explain what they mean when you introduce them. - Do not explain abbreviations that are not in the message. - Respond with a single code block containing only the new message key from the YAML file. - Do not include any other text in your response.""" - ) - new_message = "\n".join( - line.strip() - for line in dedent(response[0]).strip().splitlines() - if "message:" not in line - ) - - start_line = -1 - end_line = -1 - indent_level_at_end_of_message = -1 - - for lineno, line in enumerate(resolved_rule_path.open(), start=1): - indent = re.search(r"^\s+", line) - indent_level = len(indent.group()) if indent else 0 - - if lineno >= start_line: - if indent_level == indent_level_at_end_of_message: - break - end_line = lineno - - if "message:" in line: - start_line = lineno + 1 - indent_level_at_end_of_message = indent_level - - NEWLINE = "\n" # f-string expression part cannot include a backslash - - pr_comment_json = { - "body": COMMENT_HEADER - + "\n\n```suggestion\n" - + NEWLINE.join( - (indent_level_at_end_of_message + 2) * " " + line - for line in new_message.splitlines() - ) - + "\n```", - "commit_id": os.environ["GITHUB_SHA"], - "path": str(rule_path), - "start_side": "RIGHT", - "side": "RIGHT", - "line": end_line, - "start_line": start_line, - } - - await gh.post(f"{pr_base_url}/comments", json=pr_comment_json) - - -asyncio.run(main()) diff --git a/.github/rulerascal/poetry.lock b/.github/rulerascal/poetry.lock deleted file mode 100644 index e72053f870..0000000000 --- a/.github/rulerascal/poetry.lock +++ /dev/null 
@@ -1,539 +0,0 @@ -# This file is automatically @generated by Poetry 1.7.1 and should not be changed by hand. - -[[package]] -name = "aiogpt" -version = "0.0.6" -description = "An asyncio wrapper for the OpenAI ChatGPT API" -optional = false -python-versions = ">=3.6" -files = [ - {file = "aiogpt-0.0.6-py3-none-any.whl", hash = "sha256:47c8820a92787ddc2553b1253e7ca65090bfe49402feeef90d52ad074c5f5e7b"}, - {file = "aiogpt-0.0.6.tar.gz", hash = "sha256:4ec35245390e5c7da32a470faef3b016c23367a2bbdd4f3f2feca97dbec28777"}, -] - -[package.dependencies] -aiohttp = "*" - -[[package]] -name = "aiohttp" -version = "3.9.2" -description = "Async http client/server framework (asyncio)" -optional = false -python-versions = ">=3.8" -files = [ - {file = "aiohttp-3.9.2-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:772fbe371788e61c58d6d3d904268e48a594ba866804d08c995ad71b144f94cb"}, - {file = "aiohttp-3.9.2-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:edd4f1af2253f227ae311ab3d403d0c506c9b4410c7fc8d9573dec6d9740369f"}, - {file = "aiohttp-3.9.2-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:cfee9287778399fdef6f8a11c9e425e1cb13cc9920fd3a3df8f122500978292b"}, - {file = "aiohttp-3.9.2-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3cc158466f6a980a6095ee55174d1de5730ad7dec251be655d9a6a9dd7ea1ff9"}, - {file = "aiohttp-3.9.2-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:54ec82f45d57c9a65a1ead3953b51c704f9587440e6682f689da97f3e8defa35"}, - {file = "aiohttp-3.9.2-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:abeb813a18eb387f0d835ef51f88568540ad0325807a77a6e501fed4610f864e"}, - {file = "aiohttp-3.9.2-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:cc91d07280d7d169f3a0f9179d8babd0ee05c79d4d891447629ff0d7d8089ec2"}, - {file = "aiohttp-3.9.2-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = 
"sha256:b65e861f4bebfb660f7f0f40fa3eb9f2ab9af10647d05dac824390e7af8f75b7"}, - {file = "aiohttp-3.9.2-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:04fd8ffd2be73d42bcf55fd78cde7958eeee6d4d8f73c3846b7cba491ecdb570"}, - {file = "aiohttp-3.9.2-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:3d8d962b439a859b3ded9a1e111a4615357b01620a546bc601f25b0211f2da81"}, - {file = "aiohttp-3.9.2-cp310-cp310-musllinux_1_1_ppc64le.whl", hash = "sha256:8ceb658afd12b27552597cf9a65d9807d58aef45adbb58616cdd5ad4c258c39e"}, - {file = "aiohttp-3.9.2-cp310-cp310-musllinux_1_1_s390x.whl", hash = "sha256:0e4ee4df741670560b1bc393672035418bf9063718fee05e1796bf867e995fad"}, - {file = "aiohttp-3.9.2-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:2dec87a556f300d3211decf018bfd263424f0690fcca00de94a837949fbcea02"}, - {file = "aiohttp-3.9.2-cp310-cp310-win32.whl", hash = "sha256:3e1a800f988ce7c4917f34096f81585a73dbf65b5c39618b37926b1238cf9bc4"}, - {file = "aiohttp-3.9.2-cp310-cp310-win_amd64.whl", hash = "sha256:ea510718a41b95c236c992b89fdfc3d04cc7ca60281f93aaada497c2b4e05c46"}, - {file = "aiohttp-3.9.2-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:6aaa6f99256dd1b5756a50891a20f0d252bd7bdb0854c5d440edab4495c9f973"}, - {file = "aiohttp-3.9.2-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:a27d8c70ad87bcfce2e97488652075a9bdd5b70093f50b10ae051dfe5e6baf37"}, - {file = "aiohttp-3.9.2-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:54287bcb74d21715ac8382e9de146d9442b5f133d9babb7e5d9e453faadd005e"}, - {file = "aiohttp-3.9.2-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5bb3d05569aa83011fcb346b5266e00b04180105fcacc63743fc2e4a1862a891"}, - {file = "aiohttp-3.9.2-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:c8534e7d69bb8e8d134fe2be9890d1b863518582f30c9874ed7ed12e48abe3c4"}, - {file = "aiohttp-3.9.2-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = 
"sha256:4bd9d5b989d57b41e4ff56ab250c5ddf259f32db17159cce630fd543376bd96b"}, - {file = "aiohttp-3.9.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:fa6904088e6642609981f919ba775838ebf7df7fe64998b1a954fb411ffb4663"}, - {file = "aiohttp-3.9.2-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:bda42eb410be91b349fb4ee3a23a30ee301c391e503996a638d05659d76ea4c2"}, - {file = "aiohttp-3.9.2-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:193cc1ccd69d819562cc7f345c815a6fc51d223b2ef22f23c1a0f67a88de9a72"}, - {file = "aiohttp-3.9.2-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:b9f1cb839b621f84a5b006848e336cf1496688059d2408e617af33e3470ba204"}, - {file = "aiohttp-3.9.2-cp311-cp311-musllinux_1_1_ppc64le.whl", hash = "sha256:d22a0931848b8c7a023c695fa2057c6aaac19085f257d48baa24455e67df97ec"}, - {file = "aiohttp-3.9.2-cp311-cp311-musllinux_1_1_s390x.whl", hash = "sha256:4112d8ba61fbd0abd5d43a9cb312214565b446d926e282a6d7da3f5a5aa71d36"}, - {file = "aiohttp-3.9.2-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:c4ad4241b52bb2eb7a4d2bde060d31c2b255b8c6597dd8deac2f039168d14fd7"}, - {file = "aiohttp-3.9.2-cp311-cp311-win32.whl", hash = "sha256:ee2661a3f5b529f4fc8a8ffee9f736ae054adfb353a0d2f78218be90617194b3"}, - {file = "aiohttp-3.9.2-cp311-cp311-win_amd64.whl", hash = "sha256:4deae2c165a5db1ed97df2868ef31ca3cc999988812e82386d22937d9d6fed52"}, - {file = "aiohttp-3.9.2-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:6f4cdba12539215aaecf3c310ce9d067b0081a0795dd8a8805fdb67a65c0572a"}, - {file = "aiohttp-3.9.2-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:84e843b33d5460a5c501c05539809ff3aee07436296ff9fbc4d327e32aa3a326"}, - {file = "aiohttp-3.9.2-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:8008d0f451d66140a5aa1c17e3eedc9d56e14207568cd42072c9d6b92bf19b52"}, - {file = "aiohttp-3.9.2-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = 
"sha256:61c47ab8ef629793c086378b1df93d18438612d3ed60dca76c3422f4fbafa792"}, - {file = "aiohttp-3.9.2-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:bc71f748e12284312f140eaa6599a520389273174b42c345d13c7e07792f4f57"}, - {file = "aiohttp-3.9.2-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:a1c3a4d0ab2f75f22ec80bca62385db2e8810ee12efa8c9e92efea45c1849133"}, - {file = "aiohttp-3.9.2-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9a87aa0b13bbee025faa59fa58861303c2b064b9855d4c0e45ec70182bbeba1b"}, - {file = "aiohttp-3.9.2-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:e2cc0d04688b9f4a7854c56c18aa7af9e5b0a87a28f934e2e596ba7e14783192"}, - {file = "aiohttp-3.9.2-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:1956e3ac376b1711c1533266dec4efd485f821d84c13ce1217d53e42c9e65f08"}, - {file = "aiohttp-3.9.2-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:114da29f39eccd71b93a0fcacff178749a5c3559009b4a4498c2c173a6d74dff"}, - {file = "aiohttp-3.9.2-cp312-cp312-musllinux_1_1_ppc64le.whl", hash = "sha256:3f17999ae3927d8a9a823a1283b201344a0627272f92d4f3e3a4efe276972fe8"}, - {file = "aiohttp-3.9.2-cp312-cp312-musllinux_1_1_s390x.whl", hash = "sha256:f31df6a32217a34ae2f813b152a6f348154f948c83213b690e59d9e84020925c"}, - {file = "aiohttp-3.9.2-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:7a75307ffe31329928a8d47eae0692192327c599113d41b278d4c12b54e1bd11"}, - {file = "aiohttp-3.9.2-cp312-cp312-win32.whl", hash = "sha256:972b63d589ff8f305463593050a31b5ce91638918da38139b9d8deaba9e0fed7"}, - {file = "aiohttp-3.9.2-cp312-cp312-win_amd64.whl", hash = "sha256:200dc0246f0cb5405c80d18ac905c8350179c063ea1587580e3335bfc243ba6a"}, - {file = "aiohttp-3.9.2-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:158564d0d1020e0d3fe919a81d97aadad35171e13e7b425b244ad4337fc6793a"}, - {file = "aiohttp-3.9.2-cp38-cp38-macosx_10_9_x86_64.whl", hash = 
"sha256:da1346cd0ccb395f0ed16b113ebb626fa43b7b07fd7344fce33e7a4f04a8897a"}, - {file = "aiohttp-3.9.2-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:eaa9256de26ea0334ffa25f1913ae15a51e35c529a1ed9af8e6286dd44312554"}, - {file = "aiohttp-3.9.2-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1543e7fb00214fb4ccead42e6a7d86f3bb7c34751ec7c605cca7388e525fd0b4"}, - {file = "aiohttp-3.9.2-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:186e94570433a004e05f31f632726ae0f2c9dee4762a9ce915769ce9c0a23d89"}, - {file = "aiohttp-3.9.2-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:d52d20832ac1560f4510d68e7ba8befbc801a2b77df12bd0cd2bcf3b049e52a4"}, - {file = "aiohttp-3.9.2-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:1c45e4e815ac6af3b72ca2bde9b608d2571737bb1e2d42299fc1ffdf60f6f9a1"}, - {file = "aiohttp-3.9.2-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:aa906b9bdfd4a7972dd0628dbbd6413d2062df5b431194486a78f0d2ae87bd55"}, - {file = "aiohttp-3.9.2-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:68bbee9e17d66f17bb0010aa15a22c6eb28583edcc8b3212e2b8e3f77f3ebe2a"}, - {file = "aiohttp-3.9.2-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:4c189b64bd6d9a403a1a3f86a3ab3acbc3dc41a68f73a268a4f683f89a4dec1f"}, - {file = "aiohttp-3.9.2-cp38-cp38-musllinux_1_1_ppc64le.whl", hash = "sha256:8a7876f794523123bca6d44bfecd89c9fec9ec897a25f3dd202ee7fc5c6525b7"}, - {file = "aiohttp-3.9.2-cp38-cp38-musllinux_1_1_s390x.whl", hash = "sha256:d23fba734e3dd7b1d679b9473129cd52e4ec0e65a4512b488981a56420e708db"}, - {file = "aiohttp-3.9.2-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:b141753be581fab842a25cb319f79536d19c2a51995d7d8b29ee290169868eab"}, - {file = "aiohttp-3.9.2-cp38-cp38-win32.whl", hash = "sha256:103daf41ff3b53ba6fa09ad410793e2e76c9d0269151812e5aba4b9dd674a7e8"}, - {file = "aiohttp-3.9.2-cp38-cp38-win_amd64.whl", hash = 
"sha256:328918a6c2835861ff7afa8c6d2c70c35fdaf996205d5932351bdd952f33fa2f"}, - {file = "aiohttp-3.9.2-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:5264d7327c9464786f74e4ec9342afbbb6ee70dfbb2ec9e3dfce7a54c8043aa3"}, - {file = "aiohttp-3.9.2-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:07205ae0015e05c78b3288c1517afa000823a678a41594b3fdc870878d645305"}, - {file = "aiohttp-3.9.2-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:ae0a1e638cffc3ec4d4784b8b4fd1cf28968febc4bd2718ffa25b99b96a741bd"}, - {file = "aiohttp-3.9.2-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d43302a30ba1166325974858e6ef31727a23bdd12db40e725bec0f759abce505"}, - {file = "aiohttp-3.9.2-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:16a967685907003765855999af11a79b24e70b34dc710f77a38d21cd9fc4f5fe"}, - {file = "aiohttp-3.9.2-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:6fa3ee92cd441d5c2d07ca88d7a9cef50f7ec975f0117cd0c62018022a184308"}, - {file = "aiohttp-3.9.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0b500c5ad9c07639d48615a770f49618130e61be36608fc9bc2d9bae31732b8f"}, - {file = "aiohttp-3.9.2-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:c07327b368745b1ce2393ae9e1aafed7073d9199e1dcba14e035cc646c7941bf"}, - {file = "aiohttp-3.9.2-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:cc7d6502c23a0ec109687bf31909b3fb7b196faf198f8cff68c81b49eb316ea9"}, - {file = "aiohttp-3.9.2-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:07be2be7071723c3509ab5c08108d3a74f2181d4964e869f2504aaab68f8d3e8"}, - {file = "aiohttp-3.9.2-cp39-cp39-musllinux_1_1_ppc64le.whl", hash = "sha256:122468f6fee5fcbe67cb07014a08c195b3d4c41ff71e7b5160a7bcc41d585a5f"}, - {file = "aiohttp-3.9.2-cp39-cp39-musllinux_1_1_s390x.whl", hash = "sha256:00a9abcea793c81e7f8778ca195a1714a64f6d7436c4c0bb168ad2a212627000"}, - {file = 
"aiohttp-3.9.2-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:7a9825fdd64ecac5c670234d80bb52bdcaa4139d1f839165f548208b3779c6c6"}, - {file = "aiohttp-3.9.2-cp39-cp39-win32.whl", hash = "sha256:5422cd9a4a00f24c7244e1b15aa9b87935c85fb6a00c8ac9b2527b38627a9211"}, - {file = "aiohttp-3.9.2-cp39-cp39-win_amd64.whl", hash = "sha256:7d579dcd5d82a86a46f725458418458fa43686f6a7b252f2966d359033ffc8ab"}, - {file = "aiohttp-3.9.2.tar.gz", hash = "sha256:b0ad0a5e86ce73f5368a164c10ada10504bf91869c05ab75d982c6048217fbf7"}, -] - -[package.dependencies] -aiosignal = ">=1.1.2" -async-timeout = {version = ">=4.0,<5.0", markers = "python_version < \"3.11\""} -attrs = ">=17.3.0" -frozenlist = ">=1.1.1" -multidict = ">=4.5,<7.0" -yarl = ">=1.0,<2.0" - -[package.extras] -speedups = ["Brotli", "aiodns", "brotlicffi"] - -[[package]] -name = "aiosignal" -version = "1.3.1" -description = "aiosignal: a list of registered asynchronous callbacks" -optional = false -python-versions = ">=3.7" -files = [ - {file = "aiosignal-1.3.1-py3-none-any.whl", hash = "sha256:f8376fb07dd1e86a584e4fcdec80b36b7f81aac666ebc724e2c090300dd83b17"}, - {file = "aiosignal-1.3.1.tar.gz", hash = "sha256:54cd96e15e1649b75d6c87526a6ff0b6c1b0dd3459f43d9ca11d48c339b68cfc"}, -] - -[package.dependencies] -frozenlist = ">=1.1.0" - -[[package]] -name = "anyio" -version = "3.7.1" -description = "High level compatibility layer for multiple asynchronous event loop implementations" -optional = false -python-versions = ">=3.7" -files = [ - {file = "anyio-3.7.1-py3-none-any.whl", hash = "sha256:91dee416e570e92c64041bd18b900d1d6fa78dff7048769ce5ac5ddad004fbb5"}, - {file = "anyio-3.7.1.tar.gz", hash = "sha256:44a3c9aba0f5defa43261a8b3efb97891f2bd7d804e0e1f56419befa1adfc780"}, -] - -[package.dependencies] -exceptiongroup = {version = "*", markers = "python_version < \"3.11\""} -idna = ">=2.8" -sniffio = ">=1.1" - -[package.extras] -doc = ["Sphinx", "packaging", "sphinx-autodoc-typehints (>=1.2.0)", "sphinx-rtd-theme (>=1.2.2)", 
"sphinxcontrib-jquery"] -test = ["anyio[trio]", "coverage[toml] (>=4.5)", "hypothesis (>=4.0)", "mock (>=4)", "psutil (>=5.9)", "pytest (>=7.0)", "pytest-mock (>=3.6.1)", "trustme", "uvloop (>=0.17)"] -trio = ["trio (<0.22)"] - -[[package]] -name = "async-timeout" -version = "4.0.2" -description = "Timeout context manager for asyncio programs" -optional = false -python-versions = ">=3.6" -files = [ - {file = "async-timeout-4.0.2.tar.gz", hash = "sha256:2163e1640ddb52b7a8c80d0a67a08587e5d245cc9c553a74a847056bc2976b15"}, - {file = "async_timeout-4.0.2-py3-none-any.whl", hash = "sha256:8ca1e4fcf50d07413d66d1a5e416e42cfdf5851c981d679a09851a6853383b3c"}, -] - -[[package]] -name = "attrs" -version = "23.1.0" -description = "Classes Without Boilerplate" -optional = false -python-versions = ">=3.7" -files = [ - {file = "attrs-23.1.0-py3-none-any.whl", hash = "sha256:1f28b4522cdc2fb4256ac1a020c78acf9cba2c6b461ccd2c126f3aa8e8335d04"}, - {file = "attrs-23.1.0.tar.gz", hash = "sha256:6279836d581513a26f1bf235f9acd333bc9115683f14f7e8fae46c98fc50e015"}, -] - -[package.extras] -cov = ["attrs[tests]", "coverage[toml] (>=5.3)"] -dev = ["attrs[docs,tests]", "pre-commit"] -docs = ["furo", "myst-parser", "sphinx", "sphinx-notfound-page", "sphinxcontrib-towncrier", "towncrier", "zope-interface"] -tests = ["attrs[tests-no-zope]", "zope-interface"] -tests-no-zope = ["cloudpickle", "hypothesis", "mypy (>=1.1.1)", "pympler", "pytest (>=4.3.0)", "pytest-mypy-plugins", "pytest-xdist[psutil]"] - -[[package]] -name = "certifi" -version = "2023.7.22" -description = "Python package for providing Mozilla's CA Bundle." 
-optional = false -python-versions = ">=3.6" -files = [ - {file = "certifi-2023.7.22-py3-none-any.whl", hash = "sha256:92d6037539857d8206b8f6ae472e8b77db8058fec5937a1ef3f54304089edbb9"}, - {file = "certifi-2023.7.22.tar.gz", hash = "sha256:539cc1d13202e33ca466e88b2807e29f4c13049d6d87031a3c110744495cb082"}, -] - -[[package]] -name = "exceptiongroup" -version = "1.1.2" -description = "Backport of PEP 654 (exception groups)" -optional = false -python-versions = ">=3.7" -files = [ - {file = "exceptiongroup-1.1.2-py3-none-any.whl", hash = "sha256:e346e69d186172ca7cf029c8c1d16235aa0e04035e5750b4b95039e65204328f"}, - {file = "exceptiongroup-1.1.2.tar.gz", hash = "sha256:12c3e887d6485d16943a309616de20ae5582633e0a2eda17f4e10fd61c1e8af5"}, -] - -[package.extras] -test = ["pytest (>=6)"] - -[[package]] -name = "frozenlist" -version = "1.4.0" -description = "A list-like structure which implements collections.abc.MutableSequence" -optional = false -python-versions = ">=3.8" -files = [ - {file = "frozenlist-1.4.0-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:764226ceef3125e53ea2cb275000e309c0aa5464d43bd72abd661e27fffc26ab"}, - {file = "frozenlist-1.4.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:d6484756b12f40003c6128bfcc3fa9f0d49a687e171186c2d85ec82e3758c559"}, - {file = "frozenlist-1.4.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:9ac08e601308e41eb533f232dbf6b7e4cea762f9f84f6357136eed926c15d12c"}, - {file = "frozenlist-1.4.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d081f13b095d74b67d550de04df1c756831f3b83dc9881c38985834387487f1b"}, - {file = "frozenlist-1.4.0-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:71932b597f9895f011f47f17d6428252fc728ba2ae6024e13c3398a087c2cdea"}, - {file = "frozenlist-1.4.0-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:981b9ab5a0a3178ff413bca62526bb784249421c24ad7381e39d67981be2c326"}, - {file = 
"frozenlist-1.4.0-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:e41f3de4df3e80de75845d3e743b3f1c4c8613c3997a912dbf0229fc61a8b963"}, - {file = "frozenlist-1.4.0-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6918d49b1f90821e93069682c06ffde41829c346c66b721e65a5c62b4bab0300"}, - {file = "frozenlist-1.4.0-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:0e5c8764c7829343d919cc2dfc587a8db01c4f70a4ebbc49abde5d4b158b007b"}, - {file = "frozenlist-1.4.0-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:8d0edd6b1c7fb94922bf569c9b092ee187a83f03fb1a63076e7774b60f9481a8"}, - {file = "frozenlist-1.4.0-cp310-cp310-musllinux_1_1_ppc64le.whl", hash = "sha256:e29cda763f752553fa14c68fb2195150bfab22b352572cb36c43c47bedba70eb"}, - {file = "frozenlist-1.4.0-cp310-cp310-musllinux_1_1_s390x.whl", hash = "sha256:0c7c1b47859ee2cac3846fde1c1dc0f15da6cec5a0e5c72d101e0f83dcb67ff9"}, - {file = "frozenlist-1.4.0-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:901289d524fdd571be1c7be054f48b1f88ce8dddcbdf1ec698b27d4b8b9e5d62"}, - {file = "frozenlist-1.4.0-cp310-cp310-win32.whl", hash = "sha256:1a0848b52815006ea6596c395f87449f693dc419061cc21e970f139d466dc0a0"}, - {file = "frozenlist-1.4.0-cp310-cp310-win_amd64.whl", hash = "sha256:b206646d176a007466358aa21d85cd8600a415c67c9bd15403336c331a10d956"}, - {file = "frozenlist-1.4.0-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:de343e75f40e972bae1ef6090267f8260c1446a1695e77096db6cfa25e759a95"}, - {file = "frozenlist-1.4.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:ad2a9eb6d9839ae241701d0918f54c51365a51407fd80f6b8289e2dfca977cc3"}, - {file = "frozenlist-1.4.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:bd7bd3b3830247580de99c99ea2a01416dfc3c34471ca1298bccabf86d0ff4dc"}, - {file = "frozenlist-1.4.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = 
"sha256:bdf1847068c362f16b353163391210269e4f0569a3c166bc6a9f74ccbfc7e839"}, - {file = "frozenlist-1.4.0-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:38461d02d66de17455072c9ba981d35f1d2a73024bee7790ac2f9e361ef1cd0c"}, - {file = "frozenlist-1.4.0-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:d5a32087d720c608f42caed0ef36d2b3ea61a9d09ee59a5142d6070da9041b8f"}, - {file = "frozenlist-1.4.0-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:dd65632acaf0d47608190a71bfe46b209719bf2beb59507db08ccdbe712f969b"}, - {file = "frozenlist-1.4.0-cp311-cp311-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:261b9f5d17cac914531331ff1b1d452125bf5daa05faf73b71d935485b0c510b"}, - {file = "frozenlist-1.4.0-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:b89ac9768b82205936771f8d2eb3ce88503b1556324c9f903e7156669f521472"}, - {file = "frozenlist-1.4.0-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:008eb8b31b3ea6896da16c38c1b136cb9fec9e249e77f6211d479db79a4eaf01"}, - {file = "frozenlist-1.4.0-cp311-cp311-musllinux_1_1_ppc64le.whl", hash = "sha256:e74b0506fa5aa5598ac6a975a12aa8928cbb58e1f5ac8360792ef15de1aa848f"}, - {file = "frozenlist-1.4.0-cp311-cp311-musllinux_1_1_s390x.whl", hash = "sha256:490132667476f6781b4c9458298b0c1cddf237488abd228b0b3650e5ecba7467"}, - {file = "frozenlist-1.4.0-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:76d4711f6f6d08551a7e9ef28c722f4a50dd0fc204c56b4bcd95c6cc05ce6fbb"}, - {file = "frozenlist-1.4.0-cp311-cp311-win32.whl", hash = "sha256:a02eb8ab2b8f200179b5f62b59757685ae9987996ae549ccf30f983f40602431"}, - {file = "frozenlist-1.4.0-cp311-cp311-win_amd64.whl", hash = "sha256:515e1abc578dd3b275d6a5114030b1330ba044ffba03f94091842852f806f1c1"}, - {file = "frozenlist-1.4.0-cp38-cp38-macosx_10_9_universal2.whl", hash = 
"sha256:f0ed05f5079c708fe74bf9027e95125334b6978bf07fd5ab923e9e55e5fbb9d3"}, - {file = "frozenlist-1.4.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:ca265542ca427bf97aed183c1676e2a9c66942e822b14dc6e5f42e038f92a503"}, - {file = "frozenlist-1.4.0-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:491e014f5c43656da08958808588cc6c016847b4360e327a62cb308c791bd2d9"}, - {file = "frozenlist-1.4.0-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:17ae5cd0f333f94f2e03aaf140bb762c64783935cc764ff9c82dff626089bebf"}, - {file = "frozenlist-1.4.0-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:1e78fb68cf9c1a6aa4a9a12e960a5c9dfbdb89b3695197aa7064705662515de2"}, - {file = "frozenlist-1.4.0-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:d5655a942f5f5d2c9ed93d72148226d75369b4f6952680211972a33e59b1dfdc"}, - {file = "frozenlist-1.4.0-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:c11b0746f5d946fecf750428a95f3e9ebe792c1ee3b1e96eeba145dc631a9672"}, - {file = "frozenlist-1.4.0-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e66d2a64d44d50d2543405fb183a21f76b3b5fd16f130f5c99187c3fb4e64919"}, - {file = "frozenlist-1.4.0-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:88f7bc0fcca81f985f78dd0fa68d2c75abf8272b1f5c323ea4a01a4d7a614efc"}, - {file = "frozenlist-1.4.0-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:5833593c25ac59ede40ed4de6d67eb42928cca97f26feea219f21d0ed0959b79"}, - {file = "frozenlist-1.4.0-cp38-cp38-musllinux_1_1_ppc64le.whl", hash = "sha256:fec520865f42e5c7f050c2a79038897b1c7d1595e907a9e08e3353293ffc948e"}, - {file = "frozenlist-1.4.0-cp38-cp38-musllinux_1_1_s390x.whl", hash = "sha256:b826d97e4276750beca7c8f0f1a4938892697a6bcd8ec8217b3312dad6982781"}, - {file = "frozenlist-1.4.0-cp38-cp38-musllinux_1_1_x86_64.whl", hash = 
"sha256:ceb6ec0a10c65540421e20ebd29083c50e6d1143278746a4ef6bcf6153171eb8"}, - {file = "frozenlist-1.4.0-cp38-cp38-win32.whl", hash = "sha256:2b8bcf994563466db019fab287ff390fffbfdb4f905fc77bc1c1d604b1c689cc"}, - {file = "frozenlist-1.4.0-cp38-cp38-win_amd64.whl", hash = "sha256:a6c8097e01886188e5be3e6b14e94ab365f384736aa1fca6a0b9e35bd4a30bc7"}, - {file = "frozenlist-1.4.0-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:6c38721585f285203e4b4132a352eb3daa19121a035f3182e08e437cface44bf"}, - {file = "frozenlist-1.4.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:a0c6da9aee33ff0b1a451e867da0c1f47408112b3391dd43133838339e410963"}, - {file = "frozenlist-1.4.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:93ea75c050c5bb3d98016b4ba2497851eadf0ac154d88a67d7a6816206f6fa7f"}, - {file = "frozenlist-1.4.0-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f61e2dc5ad442c52b4887f1fdc112f97caeff4d9e6ebe78879364ac59f1663e1"}, - {file = "frozenlist-1.4.0-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:aa384489fefeb62321b238e64c07ef48398fe80f9e1e6afeff22e140e0850eef"}, - {file = "frozenlist-1.4.0-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:10ff5faaa22786315ef57097a279b833ecab1a0bfb07d604c9cbb1c4cdc2ed87"}, - {file = "frozenlist-1.4.0-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:007df07a6e3eb3e33e9a1fe6a9db7af152bbd8a185f9aaa6ece10a3529e3e1c6"}, - {file = "frozenlist-1.4.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7f4f399d28478d1f604c2ff9119907af9726aed73680e5ed1ca634d377abb087"}, - {file = "frozenlist-1.4.0-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:c5374b80521d3d3f2ec5572e05adc94601985cc526fb276d0c8574a6d749f1b3"}, - {file = "frozenlist-1.4.0-cp39-cp39-musllinux_1_1_i686.whl", hash = 
"sha256:ce31ae3e19f3c902de379cf1323d90c649425b86de7bbdf82871b8a2a0615f3d"}, - {file = "frozenlist-1.4.0-cp39-cp39-musllinux_1_1_ppc64le.whl", hash = "sha256:7211ef110a9194b6042449431e08c4d80c0481e5891e58d429df5899690511c2"}, - {file = "frozenlist-1.4.0-cp39-cp39-musllinux_1_1_s390x.whl", hash = "sha256:556de4430ce324c836789fa4560ca62d1591d2538b8ceb0b4f68fb7b2384a27a"}, - {file = "frozenlist-1.4.0-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:7645a8e814a3ee34a89c4a372011dcd817964ce8cb273c8ed6119d706e9613e3"}, - {file = "frozenlist-1.4.0-cp39-cp39-win32.whl", hash = "sha256:19488c57c12d4e8095a922f328df3f179c820c212940a498623ed39160bc3c2f"}, - {file = "frozenlist-1.4.0-cp39-cp39-win_amd64.whl", hash = "sha256:6221d84d463fb110bdd7619b69cb43878a11d51cbb9394ae3105d082d5199167"}, - {file = "frozenlist-1.4.0.tar.gz", hash = "sha256:09163bdf0b2907454042edb19f887c6d33806adc71fbd54afc14908bfdc22251"}, -] - -[[package]] -name = "h11" -version = "0.14.0" -description = "A pure-Python, bring-your-own-I/O implementation of HTTP/1.1" -optional = false -python-versions = ">=3.7" -files = [ - {file = "h11-0.14.0-py3-none-any.whl", hash = "sha256:e3fe4ac4b851c468cc8363d500db52c2ead036020723024a109d37346efaa761"}, - {file = "h11-0.14.0.tar.gz", hash = "sha256:8f19fbbe99e72420ff35c00b27a34cb9937e902a8b810e2c88300c6f0a3b699d"}, -] - -[[package]] -name = "httpcore" -version = "0.16.3" -description = "A minimal low-level HTTP client." 
-optional = false -python-versions = ">=3.7" -files = [ - {file = "httpcore-0.16.3-py3-none-any.whl", hash = "sha256:da1fb708784a938aa084bde4feb8317056c55037247c787bd7e19eb2c2949dc0"}, - {file = "httpcore-0.16.3.tar.gz", hash = "sha256:c5d6f04e2fc530f39e0c077e6a30caa53f1451096120f1f38b954afd0b17c0cb"}, -] - -[package.dependencies] -anyio = ">=3.0,<5.0" -certifi = "*" -h11 = ">=0.13,<0.15" -sniffio = "==1.*" - -[package.extras] -http2 = ["h2 (>=3,<5)"] -socks = ["socksio (==1.*)"] - -[[package]] -name = "httpx" -version = "0.23.3" -description = "The next generation HTTP client." -optional = false -python-versions = ">=3.7" -files = [ - {file = "httpx-0.23.3-py3-none-any.whl", hash = "sha256:a211fcce9b1254ea24f0cd6af9869b3d29aba40154e947d2a07bb499b3e310d6"}, - {file = "httpx-0.23.3.tar.gz", hash = "sha256:9818458eb565bb54898ccb9b8b251a28785dd4a55afbc23d0eb410754fe7d0f9"}, -] - -[package.dependencies] -certifi = "*" -httpcore = ">=0.15.0,<0.17.0" -rfc3986 = {version = ">=1.3,<2", extras = ["idna2008"]} -sniffio = "*" - -[package.extras] -brotli = ["brotli", "brotlicffi"] -cli = ["click (==8.*)", "pygments (==2.*)", "rich (>=10,<13)"] -http2 = ["h2 (>=3,<5)"] -socks = ["socksio (==1.*)"] - -[[package]] -name = "idna" -version = "3.4" -description = "Internationalized Domain Names in Applications (IDNA)" -optional = false -python-versions = ">=3.5" -files = [ - {file = "idna-3.4-py3-none-any.whl", hash = "sha256:90b77e79eaa3eba6de819a0c442c0b4ceefc341a7a2ab77d7562bf49f425c5c2"}, - {file = "idna-3.4.tar.gz", hash = "sha256:814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4"}, -] - -[[package]] -name = "multidict" -version = "6.0.4" -description = "multidict implementation" -optional = false -python-versions = ">=3.7" -files = [ - {file = "multidict-6.0.4-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:0b1a97283e0c85772d613878028fec909f003993e1007eafa715b24b377cb9b8"}, - {file = "multidict-6.0.4-cp310-cp310-macosx_10_9_x86_64.whl", hash = 
"sha256:eeb6dcc05e911516ae3d1f207d4b0520d07f54484c49dfc294d6e7d63b734171"}, - {file = "multidict-6.0.4-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:d6d635d5209b82a3492508cf5b365f3446afb65ae7ebd755e70e18f287b0adf7"}, - {file = "multidict-6.0.4-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:c048099e4c9e9d615545e2001d3d8a4380bd403e1a0578734e0d31703d1b0c0b"}, - {file = "multidict-6.0.4-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:ea20853c6dbbb53ed34cb4d080382169b6f4554d394015f1bef35e881bf83547"}, - {file = "multidict-6.0.4-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:16d232d4e5396c2efbbf4f6d4df89bfa905eb0d4dc5b3549d872ab898451f569"}, - {file = "multidict-6.0.4-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:36c63aaa167f6c6b04ef2c85704e93af16c11d20de1d133e39de6a0e84582a93"}, - {file = "multidict-6.0.4-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:64bdf1086b6043bf519869678f5f2757f473dee970d7abf6da91ec00acb9cb98"}, - {file = "multidict-6.0.4-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:43644e38f42e3af682690876cff722d301ac585c5b9e1eacc013b7a3f7b696a0"}, - {file = "multidict-6.0.4-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:7582a1d1030e15422262de9f58711774e02fa80df0d1578995c76214f6954988"}, - {file = "multidict-6.0.4-cp310-cp310-musllinux_1_1_ppc64le.whl", hash = "sha256:ddff9c4e225a63a5afab9dd15590432c22e8057e1a9a13d28ed128ecf047bbdc"}, - {file = "multidict-6.0.4-cp310-cp310-musllinux_1_1_s390x.whl", hash = "sha256:ee2a1ece51b9b9e7752e742cfb661d2a29e7bcdba2d27e66e28a99f1890e4fa0"}, - {file = "multidict-6.0.4-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:a2e4369eb3d47d2034032a26c7a80fcb21a2cb22e1173d761a162f11e562caa5"}, - {file = "multidict-6.0.4-cp310-cp310-win32.whl", hash = "sha256:574b7eae1ab267e5f8285f0fe881f17efe4b98c39a40858247720935b893bba8"}, - {file = 
"multidict-6.0.4-cp310-cp310-win_amd64.whl", hash = "sha256:4dcbb0906e38440fa3e325df2359ac6cb043df8e58c965bb45f4e406ecb162cc"}, - {file = "multidict-6.0.4-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:0dfad7a5a1e39c53ed00d2dd0c2e36aed4650936dc18fd9a1826a5ae1cad6f03"}, - {file = "multidict-6.0.4-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:64da238a09d6039e3bd39bb3aee9c21a5e34f28bfa5aa22518581f910ff94af3"}, - {file = "multidict-6.0.4-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:ff959bee35038c4624250473988b24f846cbeb2c6639de3602c073f10410ceba"}, - {file = "multidict-6.0.4-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:01a3a55bd90018c9c080fbb0b9f4891db37d148a0a18722b42f94694f8b6d4c9"}, - {file = "multidict-6.0.4-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:c5cb09abb18c1ea940fb99360ea0396f34d46566f157122c92dfa069d3e0e982"}, - {file = "multidict-6.0.4-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:666daae833559deb2d609afa4490b85830ab0dfca811a98b70a205621a6109fe"}, - {file = "multidict-6.0.4-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:11bdf3f5e1518b24530b8241529d2050014c884cf18b6fc69c0c2b30ca248710"}, - {file = "multidict-6.0.4-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:7d18748f2d30f94f498e852c67d61261c643b349b9d2a581131725595c45ec6c"}, - {file = "multidict-6.0.4-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:458f37be2d9e4c95e2d8866a851663cbc76e865b78395090786f6cd9b3bbf4f4"}, - {file = "multidict-6.0.4-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:b1a2eeedcead3a41694130495593a559a668f382eee0727352b9a41e1c45759a"}, - {file = "multidict-6.0.4-cp311-cp311-musllinux_1_1_ppc64le.whl", hash = "sha256:7d6ae9d593ef8641544d6263c7fa6408cc90370c8cb2bbb65f8d43e5b0351d9c"}, - {file = "multidict-6.0.4-cp311-cp311-musllinux_1_1_s390x.whl", hash = 
"sha256:5979b5632c3e3534e42ca6ff856bb24b2e3071b37861c2c727ce220d80eee9ed"}, - {file = "multidict-6.0.4-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:dcfe792765fab89c365123c81046ad4103fcabbc4f56d1c1997e6715e8015461"}, - {file = "multidict-6.0.4-cp311-cp311-win32.whl", hash = "sha256:3601a3cece3819534b11d4efc1eb76047488fddd0c85a3948099d5da4d504636"}, - {file = "multidict-6.0.4-cp311-cp311-win_amd64.whl", hash = "sha256:81a4f0b34bd92df3da93315c6a59034df95866014ac08535fc819f043bfd51f0"}, - {file = "multidict-6.0.4-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:67040058f37a2a51ed8ea8f6b0e6ee5bd78ca67f169ce6122f3e2ec80dfe9b78"}, - {file = "multidict-6.0.4-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:853888594621e6604c978ce2a0444a1e6e70c8d253ab65ba11657659dcc9100f"}, - {file = "multidict-6.0.4-cp37-cp37m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:39ff62e7d0f26c248b15e364517a72932a611a9b75f35b45be078d81bdb86603"}, - {file = "multidict-6.0.4-cp37-cp37m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:af048912e045a2dc732847d33821a9d84ba553f5c5f028adbd364dd4765092ac"}, - {file = "multidict-6.0.4-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:b1e8b901e607795ec06c9e42530788c45ac21ef3aaa11dbd0c69de543bfb79a9"}, - {file = "multidict-6.0.4-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:62501642008a8b9871ddfccbf83e4222cf8ac0d5aeedf73da36153ef2ec222d2"}, - {file = "multidict-6.0.4-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = "sha256:99b76c052e9f1bc0721f7541e5e8c05db3941eb9ebe7b8553c625ef88d6eefde"}, - {file = "multidict-6.0.4-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:509eac6cf09c794aa27bcacfd4d62c885cce62bef7b2c3e8b2e49d365b5003fe"}, - {file = "multidict-6.0.4-cp37-cp37m-musllinux_1_1_ppc64le.whl", hash = "sha256:21a12c4eb6ddc9952c415f24eef97e3e55ba3af61f67c7bc388dcdec1404a067"}, - {file = 
"multidict-6.0.4-cp37-cp37m-musllinux_1_1_s390x.whl", hash = "sha256:5cad9430ab3e2e4fa4a2ef4450f548768400a2ac635841bc2a56a2052cdbeb87"}, - {file = "multidict-6.0.4-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:ab55edc2e84460694295f401215f4a58597f8f7c9466faec545093045476327d"}, - {file = "multidict-6.0.4-cp37-cp37m-win32.whl", hash = "sha256:5a4dcf02b908c3b8b17a45fb0f15b695bf117a67b76b7ad18b73cf8e92608775"}, - {file = "multidict-6.0.4-cp37-cp37m-win_amd64.whl", hash = "sha256:6ed5f161328b7df384d71b07317f4d8656434e34591f20552c7bcef27b0ab88e"}, - {file = "multidict-6.0.4-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:5fc1b16f586f049820c5c5b17bb4ee7583092fa0d1c4e28b5239181ff9532e0c"}, - {file = "multidict-6.0.4-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:1502e24330eb681bdaa3eb70d6358e818e8e8f908a22a1851dfd4e15bc2f8161"}, - {file = "multidict-6.0.4-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:b692f419760c0e65d060959df05f2a531945af31fda0c8a3b3195d4efd06de11"}, - {file = "multidict-6.0.4-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:45e1ecb0379bfaab5eef059f50115b54571acfbe422a14f668fc8c27ba410e7e"}, - {file = "multidict-6.0.4-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:ddd3915998d93fbcd2566ddf9cf62cdb35c9e093075f862935573d265cf8f65d"}, - {file = "multidict-6.0.4-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:59d43b61c59d82f2effb39a93c48b845efe23a3852d201ed2d24ba830d0b4cf2"}, - {file = "multidict-6.0.4-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:cc8e1d0c705233c5dd0c5e6460fbad7827d5d36f310a0fadfd45cc3029762258"}, - {file = "multidict-6.0.4-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:d6aa0418fcc838522256761b3415822626f866758ee0bc6632c9486b179d0b52"}, - {file = "multidict-6.0.4-cp38-cp38-musllinux_1_1_aarch64.whl", hash = 
"sha256:6748717bb10339c4760c1e63da040f5f29f5ed6e59d76daee30305894069a660"}, - {file = "multidict-6.0.4-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:4d1a3d7ef5e96b1c9e92f973e43aa5e5b96c659c9bc3124acbbd81b0b9c8a951"}, - {file = "multidict-6.0.4-cp38-cp38-musllinux_1_1_ppc64le.whl", hash = "sha256:4372381634485bec7e46718edc71528024fcdc6f835baefe517b34a33c731d60"}, - {file = "multidict-6.0.4-cp38-cp38-musllinux_1_1_s390x.whl", hash = "sha256:fc35cb4676846ef752816d5be2193a1e8367b4c1397b74a565a9d0389c433a1d"}, - {file = "multidict-6.0.4-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:4b9d9e4e2b37daddb5c23ea33a3417901fa7c7b3dee2d855f63ee67a0b21e5b1"}, - {file = "multidict-6.0.4-cp38-cp38-win32.whl", hash = "sha256:e41b7e2b59679edfa309e8db64fdf22399eec4b0b24694e1b2104fb789207779"}, - {file = "multidict-6.0.4-cp38-cp38-win_amd64.whl", hash = "sha256:d6c254ba6e45d8e72739281ebc46ea5eb5f101234f3ce171f0e9f5cc86991480"}, - {file = "multidict-6.0.4-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:16ab77bbeb596e14212e7bab8429f24c1579234a3a462105cda4a66904998664"}, - {file = "multidict-6.0.4-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:bc779e9e6f7fda81b3f9aa58e3a6091d49ad528b11ed19f6621408806204ad35"}, - {file = "multidict-6.0.4-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:4ceef517eca3e03c1cceb22030a3e39cb399ac86bff4e426d4fc6ae49052cc60"}, - {file = "multidict-6.0.4-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:281af09f488903fde97923c7744bb001a9b23b039a909460d0f14edc7bf59706"}, - {file = "multidict-6.0.4-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:52f2dffc8acaba9a2f27174c41c9e57f60b907bb9f096b36b1a1f3be71c6284d"}, - {file = "multidict-6.0.4-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:b41156839806aecb3641f3208c0dafd3ac7775b9c4c422d82ee2a45c34ba81ca"}, - {file = "multidict-6.0.4-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = 
"sha256:d5e3fc56f88cc98ef8139255cf8cd63eb2c586531e43310ff859d6bb3a6b51f1"}, - {file = "multidict-6.0.4-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:8316a77808c501004802f9beebde51c9f857054a0c871bd6da8280e718444449"}, - {file = "multidict-6.0.4-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:f70b98cd94886b49d91170ef23ec5c0e8ebb6f242d734ed7ed677b24d50c82cf"}, - {file = "multidict-6.0.4-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:bf6774e60d67a9efe02b3616fee22441d86fab4c6d335f9d2051d19d90a40063"}, - {file = "multidict-6.0.4-cp39-cp39-musllinux_1_1_ppc64le.whl", hash = "sha256:e69924bfcdda39b722ef4d9aa762b2dd38e4632b3641b1d9a57ca9cd18f2f83a"}, - {file = "multidict-6.0.4-cp39-cp39-musllinux_1_1_s390x.whl", hash = "sha256:6b181d8c23da913d4ff585afd1155a0e1194c0b50c54fcfe286f70cdaf2b7176"}, - {file = "multidict-6.0.4-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:52509b5be062d9eafc8170e53026fbc54cf3b32759a23d07fd935fb04fc22d95"}, - {file = "multidict-6.0.4-cp39-cp39-win32.whl", hash = "sha256:27c523fbfbdfd19c6867af7346332b62b586eed663887392cff78d614f9ec313"}, - {file = "multidict-6.0.4-cp39-cp39-win_amd64.whl", hash = "sha256:33029f5734336aa0d4c0384525da0387ef89148dc7191aae00ca5fb23d7aafc2"}, - {file = "multidict-6.0.4.tar.gz", hash = "sha256:3666906492efb76453c0e7b97f2cf459b0682e7402c0489a95484965dbc1da49"}, -] - -[[package]] -name = "rfc3986" -version = "1.5.0" -description = "Validating URI References per RFC 3986" -optional = false -python-versions = "*" -files = [ - {file = "rfc3986-1.5.0-py2.py3-none-any.whl", hash = "sha256:a86d6e1f5b1dc238b218b012df0aa79409667bb209e58da56d0b94704e712a97"}, - {file = "rfc3986-1.5.0.tar.gz", hash = "sha256:270aaf10d87d0d4e095063c65bf3ddbc6ee3d0b226328ce21e036f946e421835"}, -] - -[package.dependencies] -idna = {version = "*", optional = true, markers = "extra == \"idna2008\""} - -[package.extras] -idna2008 = ["idna"] - -[[package]] -name = "sniffio" -version = 
"1.3.0" -description = "Sniff out which async library your code is running under" -optional = false -python-versions = ">=3.7" -files = [ - {file = "sniffio-1.3.0-py3-none-any.whl", hash = "sha256:eecefdce1e5bbfb7ad2eeaabf7c1eeb404d7757c379bd1f7e5cce9d8bf425384"}, - {file = "sniffio-1.3.0.tar.gz", hash = "sha256:e60305c5e5d314f5389259b7f22aaa33d8f7dee49763119234af3755c55b9101"}, -] - -[[package]] -name = "yarl" -version = "1.9.2" -description = "Yet another URL library" -optional = false -python-versions = ">=3.7" -files = [ - {file = "yarl-1.9.2-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:8c2ad583743d16ddbdf6bb14b5cd76bf43b0d0006e918809d5d4ddf7bde8dd82"}, - {file = "yarl-1.9.2-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:82aa6264b36c50acfb2424ad5ca537a2060ab6de158a5bd2a72a032cc75b9eb8"}, - {file = "yarl-1.9.2-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:c0c77533b5ed4bcc38e943178ccae29b9bcf48ffd1063f5821192f23a1bd27b9"}, - {file = "yarl-1.9.2-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ee4afac41415d52d53a9833ebae7e32b344be72835bbb589018c9e938045a560"}, - {file = "yarl-1.9.2-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:9bf345c3a4f5ba7f766430f97f9cc1320786f19584acc7086491f45524a551ac"}, - {file = "yarl-1.9.2-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:2a96c19c52ff442a808c105901d0bdfd2e28575b3d5f82e2f5fd67e20dc5f4ea"}, - {file = "yarl-1.9.2-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:891c0e3ec5ec881541f6c5113d8df0315ce5440e244a716b95f2525b7b9f3608"}, - {file = "yarl-1.9.2-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:c3a53ba34a636a256d767c086ceb111358876e1fb6b50dfc4d3f4951d40133d5"}, - {file = "yarl-1.9.2-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:566185e8ebc0898b11f8026447eacd02e46226716229cea8db37496c8cdd26e0"}, - {file = 
"yarl-1.9.2-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:2b0738fb871812722a0ac2154be1f049c6223b9f6f22eec352996b69775b36d4"}, - {file = "yarl-1.9.2-cp310-cp310-musllinux_1_1_ppc64le.whl", hash = "sha256:32f1d071b3f362c80f1a7d322bfd7b2d11e33d2adf395cc1dd4df36c9c243095"}, - {file = "yarl-1.9.2-cp310-cp310-musllinux_1_1_s390x.whl", hash = "sha256:e9fdc7ac0d42bc3ea78818557fab03af6181e076a2944f43c38684b4b6bed8e3"}, - {file = "yarl-1.9.2-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:56ff08ab5df8429901ebdc5d15941b59f6253393cb5da07b4170beefcf1b2528"}, - {file = "yarl-1.9.2-cp310-cp310-win32.whl", hash = "sha256:8ea48e0a2f931064469bdabca50c2f578b565fc446f302a79ba6cc0ee7f384d3"}, - {file = "yarl-1.9.2-cp310-cp310-win_amd64.whl", hash = "sha256:50f33040f3836e912ed16d212f6cc1efb3231a8a60526a407aeb66c1c1956dde"}, - {file = "yarl-1.9.2-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:646d663eb2232d7909e6601f1a9107e66f9791f290a1b3dc7057818fe44fc2b6"}, - {file = "yarl-1.9.2-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:aff634b15beff8902d1f918012fc2a42e0dbae6f469fce134c8a0dc51ca423bb"}, - {file = "yarl-1.9.2-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:a83503934c6273806aed765035716216cc9ab4e0364f7f066227e1aaea90b8d0"}, - {file = "yarl-1.9.2-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b25322201585c69abc7b0e89e72790469f7dad90d26754717f3310bfe30331c2"}, - {file = "yarl-1.9.2-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:22a94666751778629f1ec4280b08eb11815783c63f52092a5953faf73be24191"}, - {file = "yarl-1.9.2-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:8ec53a0ea2a80c5cd1ab397925f94bff59222aa3cf9c6da938ce05c9ec20428d"}, - {file = "yarl-1.9.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:159d81f22d7a43e6eabc36d7194cb53f2f15f498dbbfa8edc8a3239350f59fe7"}, - {file = 
"yarl-1.9.2-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:832b7e711027c114d79dffb92576acd1bd2decc467dec60e1cac96912602d0e6"}, - {file = "yarl-1.9.2-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:95d2ecefbcf4e744ea952d073c6922e72ee650ffc79028eb1e320e732898d7e8"}, - {file = "yarl-1.9.2-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:d4e2c6d555e77b37288eaf45b8f60f0737c9efa3452c6c44626a5455aeb250b9"}, - {file = "yarl-1.9.2-cp311-cp311-musllinux_1_1_ppc64le.whl", hash = "sha256:783185c75c12a017cc345015ea359cc801c3b29a2966c2655cd12b233bf5a2be"}, - {file = "yarl-1.9.2-cp311-cp311-musllinux_1_1_s390x.whl", hash = "sha256:b8cc1863402472f16c600e3e93d542b7e7542a540f95c30afd472e8e549fc3f7"}, - {file = "yarl-1.9.2-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:822b30a0f22e588b32d3120f6d41e4ed021806418b4c9f0bc3048b8c8cb3f92a"}, - {file = "yarl-1.9.2-cp311-cp311-win32.whl", hash = "sha256:a60347f234c2212a9f0361955007fcf4033a75bf600a33c88a0a8e91af77c0e8"}, - {file = "yarl-1.9.2-cp311-cp311-win_amd64.whl", hash = "sha256:be6b3fdec5c62f2a67cb3f8c6dbf56bbf3f61c0f046f84645cd1ca73532ea051"}, - {file = "yarl-1.9.2-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:38a3928ae37558bc1b559f67410df446d1fbfa87318b124bf5032c31e3447b74"}, - {file = "yarl-1.9.2-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ac9bb4c5ce3975aeac288cfcb5061ce60e0d14d92209e780c93954076c7c4367"}, - {file = "yarl-1.9.2-cp37-cp37m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:3da8a678ca8b96c8606bbb8bfacd99a12ad5dd288bc6f7979baddd62f71c63ef"}, - {file = "yarl-1.9.2-cp37-cp37m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:13414591ff516e04fcdee8dc051c13fd3db13b673c7a4cb1350e6b2ad9639ad3"}, - {file = "yarl-1.9.2-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:bf74d08542c3a9ea97bb8f343d4fcbd4d8f91bba5ec9d5d7f792dbe727f88938"}, - {file = 
"yarl-1.9.2-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:6e7221580dc1db478464cfeef9b03b95c5852cc22894e418562997df0d074ccc"}, - {file = "yarl-1.9.2-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = "sha256:494053246b119b041960ddcd20fd76224149cfea8ed8777b687358727911dd33"}, - {file = "yarl-1.9.2-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:52a25809fcbecfc63ac9ba0c0fb586f90837f5425edfd1ec9f3372b119585e45"}, - {file = "yarl-1.9.2-cp37-cp37m-musllinux_1_1_ppc64le.whl", hash = "sha256:e65610c5792870d45d7b68c677681376fcf9cc1c289f23e8e8b39c1485384185"}, - {file = "yarl-1.9.2-cp37-cp37m-musllinux_1_1_s390x.whl", hash = "sha256:1b1bba902cba32cdec51fca038fd53f8beee88b77efc373968d1ed021024cc04"}, - {file = "yarl-1.9.2-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:662e6016409828ee910f5d9602a2729a8a57d74b163c89a837de3fea050c7582"}, - {file = "yarl-1.9.2-cp37-cp37m-win32.whl", hash = "sha256:f364d3480bffd3aa566e886587eaca7c8c04d74f6e8933f3f2c996b7f09bee1b"}, - {file = "yarl-1.9.2-cp37-cp37m-win_amd64.whl", hash = "sha256:6a5883464143ab3ae9ba68daae8e7c5c95b969462bbe42e2464d60e7e2698368"}, - {file = "yarl-1.9.2-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:5610f80cf43b6202e2c33ba3ec2ee0a2884f8f423c8f4f62906731d876ef4fac"}, - {file = "yarl-1.9.2-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:b9a4e67ad7b646cd6f0938c7ebfd60e481b7410f574c560e455e938d2da8e0f4"}, - {file = "yarl-1.9.2-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:83fcc480d7549ccebe9415d96d9263e2d4226798c37ebd18c930fce43dfb9574"}, - {file = "yarl-1.9.2-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5fcd436ea16fee7d4207c045b1e340020e58a2597301cfbcfdbe5abd2356c2fb"}, - {file = "yarl-1.9.2-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:84e0b1599334b1e1478db01b756e55937d4614f8654311eb26012091be109d59"}, - {file = "yarl-1.9.2-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash 
= "sha256:3458a24e4ea3fd8930e934c129b676c27452e4ebda80fbe47b56d8c6c7a63a9e"}, - {file = "yarl-1.9.2-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:838162460b3a08987546e881a2bfa573960bb559dfa739e7800ceeec92e64417"}, - {file = "yarl-1.9.2-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:f4e2d08f07a3d7d3e12549052eb5ad3eab1c349c53ac51c209a0e5991bbada78"}, - {file = "yarl-1.9.2-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:de119f56f3c5f0e2fb4dee508531a32b069a5f2c6e827b272d1e0ff5ac040333"}, - {file = "yarl-1.9.2-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:149ddea5abf329752ea5051b61bd6c1d979e13fbf122d3a1f9f0c8be6cb6f63c"}, - {file = "yarl-1.9.2-cp38-cp38-musllinux_1_1_ppc64le.whl", hash = "sha256:674ca19cbee4a82c9f54e0d1eee28116e63bc6fd1e96c43031d11cbab8b2afd5"}, - {file = "yarl-1.9.2-cp38-cp38-musllinux_1_1_s390x.whl", hash = "sha256:9b3152f2f5677b997ae6c804b73da05a39daa6a9e85a512e0e6823d81cdad7cc"}, - {file = "yarl-1.9.2-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:5415d5a4b080dc9612b1b63cba008db84e908b95848369aa1da3686ae27b6d2b"}, - {file = "yarl-1.9.2-cp38-cp38-win32.whl", hash = "sha256:f7a3d8146575e08c29ed1cd287068e6d02f1c7bdff8970db96683b9591b86ee7"}, - {file = "yarl-1.9.2-cp38-cp38-win_amd64.whl", hash = "sha256:63c48f6cef34e6319a74c727376e95626f84ea091f92c0250a98e53e62c77c72"}, - {file = "yarl-1.9.2-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:75df5ef94c3fdc393c6b19d80e6ef1ecc9ae2f4263c09cacb178d871c02a5ba9"}, - {file = "yarl-1.9.2-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:c027a6e96ef77d401d8d5a5c8d6bc478e8042f1e448272e8d9752cb0aff8b5c8"}, - {file = "yarl-1.9.2-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:f3b078dbe227f79be488ffcfc7a9edb3409d018e0952cf13f15fd6512847f3f7"}, - {file = "yarl-1.9.2-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:59723a029760079b7d991a401386390c4be5bfec1e7dd83e25a6a0881859e716"}, - 
{file = "yarl-1.9.2-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:b03917871bf859a81ccb180c9a2e6c1e04d2f6a51d953e6a5cdd70c93d4e5a2a"}, - {file = "yarl-1.9.2-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:c1012fa63eb6c032f3ce5d2171c267992ae0c00b9e164efe4d73db818465fac3"}, - {file = "yarl-1.9.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a74dcbfe780e62f4b5a062714576f16c2f3493a0394e555ab141bf0d746bb955"}, - {file = "yarl-1.9.2-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:8c56986609b057b4839968ba901944af91b8e92f1725d1a2d77cbac6972b9ed1"}, - {file = "yarl-1.9.2-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:2c315df3293cd521033533d242d15eab26583360b58f7ee5d9565f15fee1bef4"}, - {file = "yarl-1.9.2-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:b7232f8dfbd225d57340e441d8caf8652a6acd06b389ea2d3222b8bc89cbfca6"}, - {file = "yarl-1.9.2-cp39-cp39-musllinux_1_1_ppc64le.whl", hash = "sha256:53338749febd28935d55b41bf0bcc79d634881195a39f6b2f767870b72514caf"}, - {file = "yarl-1.9.2-cp39-cp39-musllinux_1_1_s390x.whl", hash = "sha256:066c163aec9d3d073dc9ffe5dd3ad05069bcb03fcaab8d221290ba99f9f69ee3"}, - {file = "yarl-1.9.2-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:8288d7cd28f8119b07dd49b7230d6b4562f9b61ee9a4ab02221060d21136be80"}, - {file = "yarl-1.9.2-cp39-cp39-win32.whl", hash = "sha256:b124e2a6d223b65ba8768d5706d103280914d61f5cae3afbc50fc3dfcc016623"}, - {file = "yarl-1.9.2-cp39-cp39-win_amd64.whl", hash = "sha256:61016e7d582bc46a5378ffdd02cd0314fb8ba52f40f9cf4d9a5e7dbef88dee18"}, - {file = "yarl-1.9.2.tar.gz", hash = "sha256:04ab9d4b9f587c06d801c2abfe9317b77cdf996c65a90d5e84ecc45010823571"}, -] - -[package.dependencies] -idna = ">=2.0" -multidict = ">=4.0" - -[metadata] -lock-version = "2.0" -python-versions = "^3.10" -content-hash = "e66e5653a9c293b93db440f4acb673260ecb76059beba5391256d5f26569a30c" 
diff --git a/.github/rulerascal/pyproject.toml b/.github/rulerascal/pyproject.toml deleted file mode 100644 index 841f0ee33a..0000000000 --- a/.github/rulerascal/pyproject.toml +++ /dev/null @@ -1,15 +0,0 @@ -[tool.poetry] -name = "rulerascal" -version = "0.1.0" -description = "" -authors = ["Bence Nagy "] -readme = "README.md" - -[tool.poetry.dependencies] -python = "^3.10" -aiogpt = "^0.0.6" -httpx = "^0.23.1" - -[build-system] -requires = ["poetry-core"] -build-backend = "poetry.core.masonry.api" From f3127c2abd318cf998490eb3d511b32594480e79 Mon Sep 17 00:00:00 2001 From: pabloest Date: Fri, 3 May 2024 08:08:55 -0700 Subject: [PATCH 65/89] Update README to fix bugs, add links, and update structure --- README.md | 34 +++++++++++++++++++++++----------- 1 file changed, 23 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 2e33554bd7..2e3b7c5681 100644 --- a/README.md +++ b/README.md 
@@ -1,21 +1,34 @@ # semgrep-rules -[![powered by semgrep](https://img.shields.io/badge/powered%20by-semgrep-1B2F3D?labelColor=lightgrey&link=https://semgrep.live/&style=flat-square&logo=data%3Aimage%2Fpng%3Bbase64%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)](https://semgrep.dev/) -[![Semgrep community slack](https://img.shields.io/badge/slack-join-green?style=flat-square)](https://go.semgrep.dev/slack) +[![powered by semgrep](https://img.shields.io/badge/powered%20by%20semgrep-2ACFA6)](https://semgrep.dev/) + +Join Semgrep community Slack + -| branch | using semgrep docker image | test status | -| ------------ | ------------------------ | -------------------- | -| `develop` | `returntocorp/semgrep:develop` | [![semgrep-rules-test-develop](https://github.com/returntocorp/semgrep-rules/workflows/semgrep-develop/badge.svg)](https://github.com/returntocorp/semgrep-rules/actions?query=workflow%3Asemgrep-develop+branch%3Adevelop) | +Welcome! This repository is the standard library for open source [Semgrep](https://semgrep.dev/) rules. -Welcome! This repository is the standard library for [Semgrep](https://semgrep.dev/) rules. There are many more rules available in the [Semgrep Registry](https://semgrep.dev/explore) written by [Semgrep, Inc.](https://semgrep.dev/) and other contributors. The [Semgrep Registry](https://semgrep.dev/explore) includes rules from this repository and additional rules that are accessible within [Semgrep Cloud Platform](https://semgrep.dev/pricing). If there is a specific rule you are looking for, see the [Semgrep registry search](https://semgrep.dev/r). To contribute, find details about contributing in the [Contributing to Semgrep rules](https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/) documentation. 
+In addition to rules in this repository, the [Semgrep Registry](https://semgrep.dev/explore) also includes proprietary rules that enable interfile and interprocedural analsis, called [Pro rules](https://semgrep.dev/products/semgrep-code/pro-rules). -## Using Semgrep rules repository +- Find rules: search for open source and Pro rules through the [Semgrep registry search](https://semgrep.dev/r). +- Use rules: Scan your code with these rules through the [Semgrep AppSec Platform](https://semgrep.dev/login) +- Contribute to rules: see the [Contributing to Semgrep rules](https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/) documentation. -Run existing and custom Semgrep rules locally with the Semgrep command line interface (Semgrep CLI) or continuously with Semgrep in CI while using Semgrep App. To start using Semgrep rules, see [Semgrep tutorial](https://semgrep.dev/learn), [Getting started with Semgrep CLI](https://semgrep.dev/docs/getting-started/), and [Getting started with Semgrep App](https://semgrep.dev/docs/semgrep-app/getting-started-with-semgrep-app/). +## Using the Semgrep rules repository + +Run existing and custom Semgrep rules locally with the Semgrep command line interface (Semgrep CLI) or continuously with Semgrep in CI while using Semgrep AppSec Platform. To start using Semgrep rules, see [Semgrep tutorial](https://semgrep.dev/learn), [Getting started with Semgrep CLI](https://semgrep.dev/docs/getting-started/), and [Getting started with Semgrep App](https://semgrep.dev/docs/semgrep-app/getting-started-with-semgrep-app/). To write your own Semgrep rules, see the [Semgrep tutorial](https://semgrep.dev/learn) and [documentation on writing rules](https://semgrep.dev/docs/writing-rules/overview/). 
+ +## Writing Semgrep rules + +See Semgrep documentation on [writing rules](https://semgrep.dev/docs/writing-rules/overview/), including: + +- Pattern syntax, describing what Semgrep patterns can do in detail, and provides example use cases of the ellipsis operator, metavariables. +- Rule syntax, describing Semgrep YAML rule files, which can have multiple patterns, detailed output messages, and autofixes. The syntax allows the composition of individual patterns with boolean operators. + +You can also learn how to write rules using the [interactive, example-based Semgrep rule tutorial](https://semgrep.dev/learn). ## Contributing -We welcome Semgrep rule contributions directly to this repository! When you submit your contribution to the `semgrep-rules` repository we’ll ask you to make Semgrep, Inc. a joint owner of your contributions. While you still own copyright rights to your rule, joint ownership allows Semgrep, Inc. to license these contributions to other [Semgrep Registry](https://semgrep.dev/r) users pursuant to the LGPL 2.1 under the [Commons Clause](https://commonsclause.com/). See full [license details](https://github.com/returntocorp/semgrep-rules/blob/develop/LICENSE). +We welcome Semgrep rule contributions directly to this repository! When submitting your contribution to this repository, we’ll ask you to make Semgrep, Inc. a joint owner of your contributions. While you still own copyright rights to your rule, joint ownership allows Semgrep, Inc. to license these contributions to other [Semgrep Registry](https://semgrep.dev/r) users pursuant to the LGPL 2.1 under the [Commons Clause](https://commonsclause.com/). See full [license details](https://github.com/returntocorp/semgrep-rules/blob/develop/LICENSE). Note: To contribute, review the **[Contributing to Semgrep rules](https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/)** documentation. 
@@ -29,8 +42,7 @@ Join [Slack](https://go.semgrep.dev/slack) for the fastest answers to your quest ### GitHub action to run tests -If you fork this repository or create your own, you can add a special [semgrep --rules-test](https://github.com/marketplace/actions/semgrep-rules-test) GitHub Action to your workflow that will automatically test your rules using the latest version of Semgrep. See our [semgrep-rules-test](https://github.com/returntocorp/semgrep-rules/blob/develop/.github/workflows/semgrep-rules-test.yml). +If you fork this repository or create your own, you can add a GitHub Action to your workflow that will automatically test your rules using the latest version of Semgrep. See our [semgrep-rules-test example](https://github.com/returntocorp/semgrep-rules/blob/develop/.github/workflows/semgrep-rules-test.yml). ### Rulesets From 5d829bc23fb79f9011c948d06e64467bd790d9ea Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 3 May 2024 21:42:24 +0000 Subject: [PATCH 66/89] Bump tqdm from 4.66.1 to 4.66.3 Bumps [tqdm](https://github.com/tqdm/tqdm) from 4.66.1 to 4.66.3. - [Release notes](https://github.com/tqdm/tqdm/releases) - [Commits](https://github.com/tqdm/tqdm/compare/v4.66.1...v4.66.3) --- updated-dependencies: - dependency-name: tqdm dependency-type: indirect ... Signed-off-by: dependabot[bot] --- Pipfile.lock | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/Pipfile.lock b/Pipfile.lock index e8bb09e9b3..891842ad7a 100644 --- a/Pipfile.lock +++ b/Pipfile.lock 
@@ -279,11 +279,12 @@ }, "tqdm": { "hashes": [ - "sha256:d302b3c5b53d47bce91fea46679d9c3c6508cf6332229aa1e7d8653723793386", - "sha256:d88e651f9db8d8551a62556d3cff9e3034274ca5d66e93197cf2490e2dcb69c7" + "sha256:23097a41eba115ba99ecae40d06444c15d1c0c698d527a01c6c8bd1c5d0647e5", + "sha256:4f41d54107ff9a223dca80b53efe4fb654c67efaba7f47bada3ee9d50e05bd53" ], + "index": "pypi", "markers": "python_version >= '3.7'", - "version": "==4.66.1" + "version": "==4.66.3" }, "urllib3": { "hashes": [ From c686c81cd97f1506274c82fed65a3260e8f63a71 Mon Sep 17 00:00:00 2001 From: Pablo Estrada Date: Mon, 6 May 2024 08:50:55 -0700 Subject: [PATCH 67/89] Update README.md Co-authored-by: Katie Horne --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2e3b7c5681..d468e52ff8 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ Welcome! This repository is the standard library for open source [Semgrep](https://semgrep.dev/) rules. -In addition to rules in this repository, the [Semgrep Registry](https://semgrep.dev/explore) also includes proprietary rules that enable interfile and interprocedural analsis, called [Pro rules](https://semgrep.dev/products/semgrep-code/pro-rules). +In addition to the rules in this repository, the [Semgrep Registry](https://semgrep.dev/explore) offers proprietary [Pro rules](https://semgrep.dev/products/semgrep-code/pro-rules) that enable interfile and interprocedural analysis. - Find rules: search for open source and Pro rules through the [Semgrep registry search](https://semgrep.dev/r). - Use rules: Scan your code with these rules through the [Semgrep AppSec Platform](https://semgrep.dev/login) From c383ba08384a210bd1a36c15398213402d27f055 Mon Sep 17 00:00:00 2001 From: Pablo Estrada Date: Mon, 6 May 2024 08:51:02 -0700 Subject: [PATCH 68/89] Update README.md Co-authored-by: Katie Horne --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/README.md b/README.md index d468e52ff8..ee34c81fc6 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ Welcome! This repository is the standard library for open source [Semgrep](https In addition to the rules in this repository, the [Semgrep Registry](https://semgrep.dev/explore) offers proprietary [Pro rules](https://semgrep.dev/products/semgrep-code/pro-rules) that enable interfile and interprocedural analysis. - Find rules: search for open source and Pro rules through the [Semgrep registry search](https://semgrep.dev/r). -- Use rules: Scan your code with these rules through the [Semgrep AppSec Platform](https://semgrep.dev/login) +- Use rules: Scan your code with these rules through [Semgrep AppSec Platform](https://semgrep.dev/login) - Contribute to rules: see the [Contributing to Semgrep rules](https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/) documentation. ## Using the Semgrep rules repository From ea482e362dc76d31b1f1e149747836291d36cad5 Mon Sep 17 00:00:00 2001 From: Pablo Estrada Date: Mon, 6 May 2024 08:51:13 -0700 Subject: [PATCH 69/89] Update README.md Co-authored-by: Katie Horne --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ee34c81fc6..8c924f5c11 100644 --- a/README.md +++ b/README.md 
@@ -11,7 +11,7 @@ In addition to the rules in this repository, the [Semgrep Registry](https://semg - Find rules: search for open source and Pro rules through the [Semgrep registry search](https://semgrep.dev/r). - Use rules: Scan your code with these rules through [Semgrep AppSec Platform](https://semgrep.dev/login) -- Contribute to rules: see the [Contributing to Semgrep rules](https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/) documentation. +- Contribute to rules: see [Contributing to Semgrep rules](https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/) for more information. ## Using the Semgrep rules repository From b140c42eba836daea2d6c74e67fdda6399e3bf44 Mon Sep 17 00:00:00 2001 From: Pablo Estrada Date: Mon, 6 May 2024 08:51:32 -0700 Subject: [PATCH 70/89] Update README.md Co-authored-by: Katie Horne --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8c924f5c11..f6aab501d1 100644 --- a/README.md +++ b/README.md 
@@ -15,7 +15,7 @@ In addition to the rules in this repository, the [Semgrep Registry](https://semg ## Using the Semgrep rules repository -Run existing and custom Semgrep rules locally with the Semgrep command line interface (Semgrep CLI) or continuously with Semgrep in CI while using Semgrep AppSec Platform. To start using Semgrep rules, see [Semgrep tutorial](https://semgrep.dev/learn), [Getting started with Semgrep CLI](https://semgrep.dev/docs/getting-started/), and [Getting started with Semgrep App](https://semgrep.dev/docs/semgrep-app/getting-started-with-semgrep-app/). To write your own Semgrep rules, see the [Semgrep tutorial](https://semgrep.dev/learn) and [documentation on writing rules](https://semgrep.dev/docs/writing-rules/overview/). +To start writing and using Semgrep rules, see [Learn Semgrep syntax](https://semgrep.dev/learn) and [Writing rules](https://semgrep.dev/docs/writing-rules/overview/). Then, run existing and custom Semgrep rules locally with the [Semgrep command line interface (Semgrep CLI)](https://semgrep.dev/docs/getting-started/) or [continuously with Semgrep in CI while using Semgrep AppSec Platform](https://semgrep.dev/docs/semgrep-app/getting-started-with-semgrep-app/). ## Writing Semgrep rules From 6bf22a092d4cb8eff1fc10e880f130b8b859cf80 Mon Sep 17 00:00:00 2001 From: Pablo Estrada Date: Mon, 6 May 2024 08:51:41 -0700 Subject: [PATCH 71/89] Update README.md Co-authored-by: Katie Horne --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f6aab501d1..9f48a84b8a 100644 --- a/README.md +++ b/README.md 
@@ -21,7 +21,7 @@ To start writing and using Semgrep rules, see [Learn Semgrep syntax](https://sem See Semgrep documentation on [writing rules](https://semgrep.dev/docs/writing-rules/overview/), including: -- Pattern syntax, describing what Semgrep patterns can do in detail, and provides example use cases of the ellipsis operator, metavariables. +- Pattern syntax, describing what Semgrep patterns can do in detail, and example use cases of the ellipsis operator, metavariables. - Rule syntax, describing Semgrep YAML rule files, which can have multiple patterns, detailed output messages, and autofixes. The syntax allows the composition of individual patterns with boolean operators. You can also learn how to write rules using the [interactive, example-based Semgrep rule tutorial](https://semgrep.dev/learn). From 529a62dbf3a4331dcca3653b7406a870e7f44226 Mon Sep 17 00:00:00 2001 From: Pablo Estrada Date: Mon, 6 May 2024 08:52:47 -0700 Subject: [PATCH 72/89] Update README.md Co-authored-by: Katie Horne --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9f48a84b8a..3500e141b8 100644 --- a/README.md +++ b/README.md @@ -19,7 +19,7 @@ To start writing and using Semgrep rules, see [Learn Semgrep syntax](https://sem ## Writing Semgrep rules -See Semgrep documentation on [writing rules](https://semgrep.dev/docs/writing-rules/overview/), including: +See [Writing rules](https://semgrep.dev/docs/writing-rules/overview/) for information including: - Pattern syntax, describing what Semgrep patterns can do in detail, and example use cases of the ellipsis operator, metavariables. - Rule syntax, describing Semgrep YAML rule files, which can have multiple patterns, detailed output messages, and autofixes. The syntax allows the composition of individual patterns with boolean operators. From 76b27f88b5d2d3d0bef9791a92ad58e450cd719c Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 May 2024 20:44:32 +0000 Subject: [PATCH 73/89] Bump jinja2 from 3.1.3 to 3.1.4 Bumps [jinja2](https://github.com/pallets/jinja) from 3.1.3 to 3.1.4. - [Release notes](https://github.com/pallets/jinja/releases) - [Changelog](https://github.com/pallets/jinja/blob/main/CHANGES.rst) - [Commits](https://github.com/pallets/jinja/compare/3.1.3...3.1.4) --- updated-dependencies: - dependency-name: jinja2 dependency-type: direct:development ... Signed-off-by: dependabot[bot] --- Pipfile | 2 +- Pipfile.lock | 130 +++++++++++++++++++++++++-------------------------- 2 files changed, 66 insertions(+), 66 deletions(-) diff --git a/Pipfile b/Pipfile index a7a292cc8c..3367bca2db 100644 --- a/Pipfile +++ b/Pipfile @@ -4,7 +4,7 @@ url = "https://pypi.org/simple" verify_ssl = true [dev-packages] -jinja2 = "~=3.1.3" +jinja2 = "~=3.1.4" pytest = "*" semgrep = "*" pyyaml = "*" diff --git a/Pipfile.lock b/Pipfile.lock index e8bb09e9b3..59d10f4809 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "762f3c7cbb0a3ecd999e7b644a02421c6132ab10439b5eb9a2531519c86351b9" + "sha256": "d1c4d570ba8e1837ab876d9ac9bbd71c2463c3ca16501a5bb380c8ead66baa40" }, "pipfile-spec": 6, "requires": { @@ -434,12 +434,12 @@ }, "jinja2": { "hashes": [ - "sha256:7d6d50dd97d52cbc355597bd845fabfbac3f551e1f99619e39a35ce8c370b5fa", - "sha256:ac8bd6544d4bb2c9792bf3a159e80bba8fda7f07e81bc3aed565432d5925ba90" + "sha256:4a3aee7acbbe7303aede8e9648d13b8bf88a429282aa6122a993f0ac800cb369", + "sha256:bc5dd2abb727a5319567b7a813e6a2e7318c39f4f487cfe6c89c6f9c7d25197d" ], "index": "pypi", "markers": "python_version >= '3.7'", - "version": "==3.1.3" + "version": "==3.1.4" }, "jsonschema": { "hashes": [ 
@@ -450,69 +450,69 @@ }, "markupsafe": { "hashes": [ - "sha256:05fb21170423db021895e1ea1e1f3ab3adb85d1c2333cbc2310f2a26bc77272e", - "sha256:0a4e4a1aff6c7ac4cd55792abf96c915634c2b97e3cc1c7129578aa68ebd754e", - "sha256:10bbfe99883db80bdbaff2dcf681dfc6533a614f700da1287707e8a5d78a8431", - "sha256:134da1eca9ec0ae528110ccc9e48041e0828d79f24121a1a146161103c76e686", - "sha256:14ff806850827afd6b07a5f32bd917fb7f45b046ba40c57abdb636674a8b559c", - "sha256:1577735524cdad32f9f694208aa75e422adba74f1baee7551620e43a3141f559", - "sha256:1b40069d487e7edb2676d3fbdb2b0829ffa2cd63a2ec26c4938b2d34391b4ecc", - "sha256:1b8dd8c3fd14349433c79fa8abeb573a55fc0fdd769133baac1f5e07abf54aeb", - "sha256:1f67c7038d560d92149c060157d623c542173016c4babc0c1913cca0564b9939", - "sha256:282c2cb35b5b673bbcadb33a585408104df04f14b2d9b01d4c345a3b92861c2c", - "sha256:2c1b19b3aaacc6e57b7e25710ff571c24d6c3613a45e905b1fde04d691b98ee0", - "sha256:2ef12179d3a291be237280175b542c07a36e7f60718296278d8593d21ca937d4", - "sha256:338ae27d6b8745585f87218a3f23f1512dbf52c26c28e322dbe54bcede54ccb9", - "sha256:3c0fae6c3be832a0a0473ac912810b2877c8cb9d76ca48de1ed31e1c68386575", - "sha256:3fd4abcb888d15a94f32b75d8fd18ee162ca0c064f35b11134be77050296d6ba", - "sha256:42de32b22b6b804f42c5d98be4f7e5e977ecdd9ee9b660fda1a3edf03b11792d", - "sha256:47d4f1c5f80fc62fdd7777d0d40a2e9dda0a05883ab11374334f6c4de38adffd", - "sha256:504b320cd4b7eff6f968eddf81127112db685e81f7e36e75f9f84f0df46041c3", - "sha256:525808b8019e36eb524b8c68acdd63a37e75714eac50e988180b169d64480a00", - "sha256:56d9f2ecac662ca1611d183feb03a3fa4406469dafe241673d521dd5ae92a155", - "sha256:5bbe06f8eeafd38e5d0a4894ffec89378b6c6a625ff57e3028921f8ff59318ac", - "sha256:65c1a9bcdadc6c28eecee2c119465aebff8f7a584dd719facdd9e825ec61ab52", - "sha256:68e78619a61ecf91e76aa3e6e8e33fc4894a2bebe93410754bd28fce0a8a4f9f", - "sha256:69c0f17e9f5a7afdf2cc9fb2d1ce6aabdb3bafb7f38017c0b77862bcec2bbad8", - "sha256:6b2b56950d93e41f33b4223ead100ea0fe11f8e6ee5f641eb753ce4b77a7042b", - 
"sha256:715d3562f79d540f251b99ebd6d8baa547118974341db04f5ad06d5ea3eb8007", - "sha256:787003c0ddb00500e49a10f2844fac87aa6ce977b90b0feaaf9de23c22508b24", - "sha256:7ef3cb2ebbf91e330e3bb937efada0edd9003683db6b57bb108c4001f37a02ea", - "sha256:8023faf4e01efadfa183e863fefde0046de576c6f14659e8782065bcece22198", - "sha256:8758846a7e80910096950b67071243da3e5a20ed2546e6392603c096778d48e0", - "sha256:8afafd99945ead6e075b973fefa56379c5b5c53fd8937dad92c662da5d8fd5ee", - "sha256:8c41976a29d078bb235fea9b2ecd3da465df42a562910f9022f1a03107bd02be", - "sha256:8e254ae696c88d98da6555f5ace2279cf7cd5b3f52be2b5cf97feafe883b58d2", - "sha256:8f9293864fe09b8149f0cc42ce56e3f0e54de883a9de90cd427f191c346eb2e1", - "sha256:9402b03f1a1b4dc4c19845e5c749e3ab82d5078d16a2a4c2cd2df62d57bb0707", - "sha256:962f82a3086483f5e5f64dbad880d31038b698494799b097bc59c2edf392fce6", - "sha256:9aad3c1755095ce347e26488214ef77e0485a3c34a50c5a5e2471dff60b9dd9c", - "sha256:9dcdfd0eaf283af041973bff14a2e143b8bd64e069f4c383416ecd79a81aab58", - "sha256:aa57bd9cf8ae831a362185ee444e15a93ecb2e344c8e52e4d721ea3ab6ef1823", - "sha256:aa7bd130efab1c280bed0f45501b7c8795f9fdbeb02e965371bbef3523627779", - "sha256:ab4a0df41e7c16a1392727727e7998a467472d0ad65f3ad5e6e765015df08636", - "sha256:ad9e82fb8f09ade1c3e1b996a6337afac2b8b9e365f926f5a61aacc71adc5b3c", - "sha256:af598ed32d6ae86f1b747b82783958b1a4ab8f617b06fe68795c7f026abbdcad", - "sha256:b076b6226fb84157e3f7c971a47ff3a679d837cf338547532ab866c57930dbee", - "sha256:b7ff0f54cb4ff66dd38bebd335a38e2c22c41a8ee45aa608efc890ac3e3931bc", - "sha256:bfce63a9e7834b12b87c64d6b155fdd9b3b96191b6bd334bf37db7ff1fe457f2", - "sha256:c011a4149cfbcf9f03994ec2edffcb8b1dc2d2aede7ca243746df97a5d41ce48", - "sha256:c9c804664ebe8f83a211cace637506669e7890fec1b4195b505c214e50dd4eb7", - "sha256:ca379055a47383d02a5400cb0d110cef0a776fc644cda797db0c5696cfd7e18e", - "sha256:cb0932dc158471523c9637e807d9bfb93e06a95cbf010f1a38b98623b929ef2b", - "sha256:cd0f502fe016460680cd20aaa5a76d241d6f35a1c3350c474bac1273803893fa", 
- "sha256:ceb01949af7121f9fc39f7d27f91be8546f3fb112c608bc4029aef0bab86a2a5", - "sha256:d080e0a5eb2529460b30190fcfcc4199bd7f827663f858a226a81bc27beaa97e", - "sha256:dd15ff04ffd7e05ffcb7fe79f1b98041b8ea30ae9234aed2a9168b5797c3effb", - "sha256:df0be2b576a7abbf737b1575f048c23fb1d769f267ec4358296f31c2479db8f9", - "sha256:e09031c87a1e51556fdcb46e5bd4f59dfb743061cf93c4d6831bf894f125eb57", - "sha256:e4dd52d80b8c83fdce44e12478ad2e85c64ea965e75d66dbeafb0a3e77308fcc", - "sha256:f698de3fd0c4e6972b92290a45bd9b1536bffe8c6759c62471efaa8acb4c37bc", - "sha256:fec21693218efe39aa7f8599346e90c705afa52c5b31ae019b2e57e8f6542bb2", - "sha256:ffcc3f7c66b5f5b7931a5aa68fc9cecc51e685ef90282f4a82f0f5e9b704ad11" + "sha256:00e046b6dd71aa03a41079792f8473dc494d564611a8f89bbbd7cb93295ebdcf", + "sha256:075202fa5b72c86ad32dc7d0b56024ebdbcf2048c0ba09f1cde31bfdd57bcfff", + "sha256:0e397ac966fdf721b2c528cf028494e86172b4feba51d65f81ffd65c63798f3f", + "sha256:17b950fccb810b3293638215058e432159d2b71005c74371d784862b7e4683f3", + "sha256:1f3fbcb7ef1f16e48246f704ab79d79da8a46891e2da03f8783a5b6fa41a9532", + "sha256:2174c595a0d73a3080ca3257b40096db99799265e1c27cc5a610743acd86d62f", + "sha256:2b7c57a4dfc4f16f7142221afe5ba4e093e09e728ca65c51f5620c9aaeb9a617", + "sha256:2d2d793e36e230fd32babe143b04cec8a8b3eb8a3122d2aceb4a371e6b09b8df", + "sha256:30b600cf0a7ac9234b2638fbc0fb6158ba5bdcdf46aeb631ead21248b9affbc4", + "sha256:397081c1a0bfb5124355710fe79478cdbeb39626492b15d399526ae53422b906", + "sha256:3a57fdd7ce31c7ff06cdfbf31dafa96cc533c21e443d57f5b1ecc6cdc668ec7f", + "sha256:3c6b973f22eb18a789b1460b4b91bf04ae3f0c4234a0a6aa6b0a92f6f7b951d4", + "sha256:3e53af139f8579a6d5f7b76549125f0d94d7e630761a2111bc431fd820e163b8", + "sha256:4096e9de5c6fdf43fb4f04c26fb114f61ef0bf2e5604b6ee3019d51b69e8c371", + "sha256:4275d846e41ecefa46e2015117a9f491e57a71ddd59bbead77e904dc02b1bed2", + "sha256:4c31f53cdae6ecfa91a77820e8b151dba54ab528ba65dfd235c80b086d68a465", + 
"sha256:4f11aa001c540f62c6166c7726f71f7573b52c68c31f014c25cc7901deea0b52", + "sha256:5049256f536511ee3f7e1b3f87d1d1209d327e818e6ae1365e8653d7e3abb6a6", + "sha256:58c98fee265677f63a4385256a6d7683ab1832f3ddd1e66fe948d5880c21a169", + "sha256:598e3276b64aff0e7b3451b72e94fa3c238d452e7ddcd893c3ab324717456bad", + "sha256:5b7b716f97b52c5a14bffdf688f971b2d5ef4029127f1ad7a513973cfd818df2", + "sha256:5dedb4db619ba5a2787a94d877bc8ffc0566f92a01c0ef214865e54ecc9ee5e0", + "sha256:619bc166c4f2de5caa5a633b8b7326fbe98e0ccbfacabd87268a2b15ff73a029", + "sha256:629ddd2ca402ae6dbedfceeba9c46d5f7b2a61d9749597d4307f943ef198fc1f", + "sha256:656f7526c69fac7f600bd1f400991cc282b417d17539a1b228617081106feb4a", + "sha256:6ec585f69cec0aa07d945b20805be741395e28ac1627333b1c5b0105962ffced", + "sha256:72b6be590cc35924b02c78ef34b467da4ba07e4e0f0454a2c5907f473fc50ce5", + "sha256:7502934a33b54030eaf1194c21c692a534196063db72176b0c4028e140f8f32c", + "sha256:7a68b554d356a91cce1236aa7682dc01df0edba8d043fd1ce607c49dd3c1edcf", + "sha256:7b2e5a267c855eea6b4283940daa6e88a285f5f2a67f2220203786dfa59b37e9", + "sha256:823b65d8706e32ad2df51ed89496147a42a2a6e01c13cfb6ffb8b1e92bc910bb", + "sha256:8590b4ae07a35970728874632fed7bd57b26b0102df2d2b233b6d9d82f6c62ad", + "sha256:8dd717634f5a044f860435c1d8c16a270ddf0ef8588d4887037c5028b859b0c3", + "sha256:8dec4936e9c3100156f8a2dc89c4b88d5c435175ff03413b443469c7c8c5f4d1", + "sha256:97cafb1f3cbcd3fd2b6fbfb99ae11cdb14deea0736fc2b0952ee177f2b813a46", + "sha256:a17a92de5231666cfbe003f0e4b9b3a7ae3afb1ec2845aadc2bacc93ff85febc", + "sha256:a549b9c31bec33820e885335b451286e2969a2d9e24879f83fe904a5ce59d70a", + "sha256:ac07bad82163452a6884fe8fa0963fb98c2346ba78d779ec06bd7a6262132aee", + "sha256:ae2ad8ae6ebee9d2d94b17fb62763125f3f374c25618198f40cbb8b525411900", + "sha256:b91c037585eba9095565a3556f611e3cbfaa42ca1e865f7b8015fe5c7336d5a5", + "sha256:bc1667f8b83f48511b94671e0e441401371dfd0f0a795c7daa4a3cd1dde55bea", + "sha256:bec0a414d016ac1a18862a519e54b2fd0fc8bbfd6890376898a6c0891dd82e9f", 
+ "sha256:bf50cd79a75d181c9181df03572cdce0fbb75cc353bc350712073108cba98de5", + "sha256:bff1b4290a66b490a2f4719358c0cdcd9bafb6b8f061e45c7a2460866bf50c2e", + "sha256:c061bb86a71b42465156a3ee7bd58c8c2ceacdbeb95d05a99893e08b8467359a", + "sha256:c8b29db45f8fe46ad280a7294f5c3ec36dbac9491f2d1c17345be8e69cc5928f", + "sha256:ce409136744f6521e39fd8e2a24c53fa18ad67aa5bc7c2cf83645cce5b5c4e50", + "sha256:d050b3361367a06d752db6ead6e7edeb0009be66bc3bae0ee9d97fb326badc2a", + "sha256:d283d37a890ba4c1ae73ffadf8046435c76e7bc2247bbb63c00bd1a709c6544b", + "sha256:d9fad5155d72433c921b782e58892377c44bd6252b5af2f67f16b194987338a4", + "sha256:daa4ee5a243f0f20d528d939d06670a298dd39b1ad5f8a72a4275124a7819eff", + "sha256:db0b55e0f3cc0be60c1f19efdde9a637c32740486004f20d1cff53c3c0ece4d2", + "sha256:e61659ba32cf2cf1481e575d0462554625196a1f2fc06a1c777d3f48e8865d46", + "sha256:ea3d8a3d18833cf4304cd2fc9cbb1efe188ca9b5efef2bdac7adc20594a0e46b", + "sha256:ec6a563cff360b50eed26f13adc43e61bc0c04d94b8be985e6fb24b81f6dcfdf", + "sha256:f5dfb42c4604dddc8e4305050aa6deb084540643ed5804d7455b5df8fe16f5e5", + "sha256:fa173ec60341d6bb97a89f5ea19c85c5643c1e7dedebc22f5181eb73573142c5", + "sha256:fa9db3f79de01457b03d4f01b34cf91bc0048eb2c3846ff26f66687c2f6d16ab", + "sha256:fce659a462a1be54d2ffcacea5e3ba2d74daa74f30f5f143fe0c58636e355fdd", + "sha256:ffee1f21e5ef0d712f9033568f8344d5da8cc2869dbd08d87c84656e6a2d2f68" ], "markers": "python_version >= '3.7'", - "version": "==2.1.3" + "version": "==2.1.5" }, "packaging": { "hashes": [ From b6d791baa972433ebbbdd19f66645509dfd83e85 Mon Sep 17 00:00:00 2001 
From: Anton Abashkin Date: Tue, 7 May 2024 17:23:20 +0800 Subject: [PATCH 74/89] Add rule use-of-basic-authentication (OpenAPI Spec) (#3370) * Add rule use-of-basic-authentication (OpenAPI) * Update: Restricted to version 3. Version 2 uses 'securityDefinitions' instead of 'components/securitySchemes' --------- Co-authored-by: Vasilii Ermilov --- .../use-of-basic-authentication.test.yaml | 36 ++++++++++++++++ .../security/use-of-basic-authentication.yaml | 41 +++++++++++++++++++ 2 files changed, 77 insertions(+) create mode 100644 yaml/openapi/security/use-of-basic-authentication.test.yaml create mode 100644 yaml/openapi/security/use-of-basic-authentication.yaml diff --git a/yaml/openapi/security/use-of-basic-authentication.test.yaml b/yaml/openapi/security/use-of-basic-authentication.test.yaml new file mode 100644 index 0000000000..63b30365e3 --- /dev/null +++ b/yaml/openapi/security/use-of-basic-authentication.test.yaml @@ -0,0 +1,36 @@ +openapi: 3.1.0 +info: + title: Example API + description: Example API + version: 1.0.0 + +servers: + - url: https://api.example.com/ + +paths: + /test/{param}: + get: + operationId: test + parameters: + - name: param + in: path + required: true + description: test + schema: + type: string + +security: + - basicAuth: [] + - apiKeyAuth: [] + +components: + securitySchemes: + basicAuth: + # ruleid: use-of-basic-authentication + type: http + scheme: basic + apiKeyAuth: + # ok: use-of-basic-authentication + type: apiKey + in: header + name: X-API-Key diff --git a/yaml/openapi/security/use-of-basic-authentication.yaml b/yaml/openapi/security/use-of-basic-authentication.yaml new file mode 100644 index 0000000000..befbd9eb23 --- /dev/null +++ b/yaml/openapi/security/use-of-basic-authentication.yaml 
@@ -0,0 +1,41 @@ +rules: + - id: use-of-basic-authentication + languages: [yaml] + message: >- + Basic authentication is considered weak and should be avoided. + Use a different authentication scheme, such of OAuth2, OpenID Connect, or mTLS. + severity: ERROR + patterns: + - pattern-inside: | + openapi: $VERSION + ... + components: + ... + securitySchemes: + ... + $SCHEME: + ... + - metavariable-regex: + metavariable: $VERSION + regex: 3.* + - pattern: | + type: http + ... + scheme: basic + metadata: + category: security + subcategory: vuln + technology: + - openapi + likelihood: MEDIUM + impact: HIGH + confidence: HIGH + cwe: 'CWE-287: Improper Authentication' + owasp: + - 'A04:2021 Insecure Design' + - 'A07:2021 Identification and Authentication Failures' + references: + - https://cwe.mitre.org/data/definitions/287.html + - https://owasp.org/Top10/A04_2021-Insecure_Design/ + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/ + \ No newline at end of file From 40079b93dc152e30ff1791b3de6fb825cd2daf7d Mon Sep 17 00:00:00 2001 From: Vasilii Date: Wed, 8 May 2024 15:53:32 +0900 Subject: [PATCH 75/89] update metadata for JS tainted-sql-string rule --- javascript/express/security/injection/tainted-sql-string.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/javascript/express/security/injection/tainted-sql-string.yaml b/javascript/express/security/injection/tainted-sql-string.yaml index e5d078f933..6f16c720ab 100644 --- a/javascript/express/security/injection/tainted-sql-string.yaml +++ b/javascript/express/security/injection/tainted-sql-string.yaml 
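Review bot: The `message` in this hunk gives a triager nothing to act on and has a typo (`such of OAuth2` should read `such as OAuth2`); suggest `Basic authentication sends the same static username:password pair, base64-encoded, with every request, so it is only as safe as the transport and offers no scoping, expiry or revocation. Prefer OAuth2, OpenID Connect, or mTLS.` Note also that the rule never looks at `servers`, so a spec that declares Basic over a plain `http://` server gets the same finding as one over TLS; a practitioner will want to check the server URLs separately, and a one-line comment above `pattern-inside` saying so would save the next reader from assuming the rule does it. The `metavariable-regex` on `$VERSION` is redundant with the `openapi:` key (OpenAPI 2 documents use `swagger:`), which is worth a comment if it is kept. The file is also missing a trailing newline.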
@@ -10,10 +10,10 @@ rules: protect your queries. metadata: owasp: - - A07:2017 - Cross-Site Scripting (XSS) + - A01:2017 - Injection - A03:2021 - Injection cwe: - - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" references: - https://owasp.org/www-community/attacks/SQL_Injection category: security From 995826581dc1350917d7848aecd356fcad6505df Mon Sep 17 00:00:00 2001 From: "semgrep-dev-pr-bot[bot]" <63393893+semgrep-dev-pr-bot[bot]@users.noreply.github.com> Date: Wed, 8 May 2024 17:08:12 +0900 Subject: [PATCH 76/89] New Published Rules - 1512543916_personal_org.missing-self-transfer-check-ercx (#3373) * add 1512543916_personal_org/missing-self-transfer-check-ercx.yaml * add 1512543916_personal_org/missing-self-transfer-check-ercx.sol * move missing-self-transfer-check-ercx to solidity folder * move missing-self-transfer-check-ercx to solidity folder --------- Co-authored-by: MarkLee131 <1512543916@qq.com> Co-authored-by: Vasilii --- .../missing-self-transfer-check-ercx.sol | 90 +++++++++++++++++++ .../missing-self-transfer-check-ercx.yaml | 43 +++++++++ 2 files changed, 133 insertions(+) create mode 100644 solidity/security/missing-self-transfer-check-ercx.sol create mode 100644 solidity/security/missing-self-transfer-check-ercx.yaml diff --git a/solidity/security/missing-self-transfer-check-ercx.sol b/solidity/security/missing-self-transfer-check-ercx.sol new file mode 100644 index 0000000000..d3d1c50206 --- /dev/null +++ b/solidity/security/missing-self-transfer-check-ercx.sol 
@@ -0,0 +1,90 @@ +function _update(address from, address to, uint256 value, bool mint) internal virtual { + uint256 fromBalance = _balances[from]; + uint256 toBalance = _balances[to]; + if (fromBalance < value) { + revert ERC20InsufficientBalance(from, fromBalance, value); + } + + //No need to adjust balances when transfer is to self, prevent self NFT-grind + + unchecked { + // Overflow not possible: value <= fromBalance <= totalSupply. + // ruleid: missing-self-transfer-check-ercx + _balances[from] = fromBalance - value; + // ruleid: missing-self-transfer-check-ercx + _balances[to] = toBalance + value; + + + if(mint) { + // Skip burn for certain addresses to save gas + bool wlf = whitelist[from]; + if (!wlf) { + uint256 tokens_to_burn = (fromBalance / tokensPerNFT) - ((fromBalance - value) / tokensPerNFT); + if(tokens_to_burn > 0) + _burnBatch(from, tokens_to_burn); + } + + // Skip minting for certain addresses to save gas + if (!whitelist[to]) { + if(easyLaunch == 1 && wlf && from == owner()) { + //auto-initialize first (assumed) LP + whitelist[to] = true; + easyLaunch = 2; + } else { + uint256 tokens_to_mint = ((toBalance + value) / tokensPerNFT) - (toBalance / tokensPerNFT); + if(tokens_to_mint > 0) + _mintWithoutCheck(to, tokens_to_mint); + } + } + } + } + + emit Transfer(from, to, value); +} + + +function _update(address from, address to, uint256 value, bool mint) internal virtual { + uint256 fromBalance = _balances[from]; + uint256 toBalance = _balances[to]; + if (fromBalance < value) { + revert ERC20InsufficientBalance(from, fromBalance, value); + } + + //No need to adjust balances when transfer is to self, prevent self NFT-grind + if (from != to) { + unchecked { + // Overflow not possible: value <= fromBalance <= totalSupply. + //ok: missing-self-transfer-check-ercx + _balances[from] = fromBalance - value; + + // Overflow not possible: balance + value is at most totalSupply, which we know fits into a uint256. 
+ //ok: missing-self-transfer-check-ercx + _balances[to] = toBalance + value; + } + + if(mint) { + // Skip burn for certain addresses to save gas + bool wlf = whitelist[from]; + if (!wlf) { + uint256 tokens_to_burn = (fromBalance / tokensPerNFT) - ((fromBalance - value) / tokensPerNFT); + if(tokens_to_burn > 0) + _burnBatch(from, tokens_to_burn); + } + + // Skip minting for certain addresses to save gas + if (!whitelist[to]) { + if(easyLaunch == 1 && wlf && from == owner()) { + //auto-initialize first (assumed) LP + whitelist[to] = true; + easyLaunch = 2; + } else { + uint256 tokens_to_mint = ((toBalance + value) / tokensPerNFT) - (toBalance / tokensPerNFT); + if(tokens_to_mint > 0) + _mintWithoutCheck(to, tokens_to_mint); + } + } + } + } + + emit Transfer(from, to, value); +} diff --git a/solidity/security/missing-self-transfer-check-ercx.yaml b/solidity/security/missing-self-transfer-check-ercx.yaml new file mode 100644 index 0000000000..017d499125 --- /dev/null +++ b/solidity/security/missing-self-transfer-check-ercx.yaml 
@@ -0,0 +1,43 @@ +rules: +- id: missing-self-transfer-check-ercx + languages: + - solidity + message: >- + Missing check for 'from' and 'to' being the same before updating balances + could lead to incorrect balance manipulation on self-transfers. + Include a check to ensure 'from' and 'to' are not the same before updating balances to prevent balance manipulation during self-transfers. + severity: ERROR + metadata: + category: security + technology: + - blockchain + - solidity + cwe: 'CWE-682: Incorrect Calculation' + subcategory: + - vuln + confidence: HIGH + likelihood: HIGH + impact: HIGH + owasp: + - A7:2021 Identification and Authentication Failures + references: + - https://blog.verichains.io/p/miner-project-attacked-by-vulnerabilities + - https://x.com/shoucccc/status/1757777764646859121 + patterns: + - pattern-either: + - pattern: | + _balances[$FROM] = $FROM_BALANCE - value; + - pattern: | + _balances[$TO] = $TO_BALANCE + value; + - pattern-not-inside: | + if ($FROM != $TO) { + ... + _balances[$FROM] = $FROM_BALANCE - value; + ... + _balances[$TO] = $TO_BALANCE + value; + ... + } + - pattern-inside: | + function _update(address $FROM, address $TO, uint256 value, bool mint) internal virtual { + ... + } From 0502383d08d39e95bc5d6983df376d2c3b825e00 Mon Sep 17 00:00:00 2001 
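Review bot: The `pattern-not-inside` only recognises the guard written as `if ($FROM != $TO)`, so an `_update` guarded with `if (to != from)` or `require(from != to, ...)` is still reported, and the literal `value` in the two patterns plus the fixed `(address $FROM, address $TO, uint256 value, bool mint) internal virtual` signature means any contract naming the parameter `amount` or omitting the `mint` flag is silently skipped. The message would also be more useful if it named the actual failure the fixture shows: `_balances[to]` is written from the `toBalance` snapshot taken before the debit, so on a self-transfer the credit overwrites the debit and the sender ends up with `toBalance + value`, i.e. tokens are minted. The OWASP entry `A7:2021 Identification and Authentication Failures` does not describe an arithmetic bug and should be dropped or replaced. A sketch of the relaxed patterns (assuming the Solidity parser accepts `...` in a parameter list, which I have not verified):

```yaml
    patterns:
      - pattern-either:
          - pattern: _balances[$FROM] = $FROM_BALANCE - $VALUE;
          - pattern: _balances[$TO] = $TO_BALANCE + $VALUE;
      # … unchanged: pattern-not-inside for `if ($FROM != $TO) { ... }` …
      - pattern-not-inside: |
          if ($TO != $FROM) {
            ...
          }
      - pattern-not-inside: |
          require($FROM != $TO, ...);
          ...
      - pattern-inside: |
          function _update(address $FROM, address $TO, uint256 $VALUE, ...) internal virtual {
            ...
          }
```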
From: "semgrep-dev-pr-bot[bot]" <63393893+semgrep-dev-pr-bot[bot]@users.noreply.github.com> Date: Wed, 8 May 2024 18:37:35 +0900 Subject: [PATCH 77/89] New Published Rules - federicobellini.session-cookie-samesitenone (#3361) * add federicobellini/session-cookie-samesitenone.yaml * add federicobellini/session-cookie-samesitenone.go * move session-cookie-samesitenone rule to go/gorilla folder --------- Co-authored-by: semgrep.dev Co-authored-by: Vasilii --- .../audit/session-cookie-samesitenone.go | 40 +++++++++++++++++++ .../audit/session-cookie-samesitenone.yaml | 36 +++++++++++++++++ 2 files changed, 76 insertions(+) create mode 100644 go/gorilla/security/audit/session-cookie-samesitenone.go create mode 100644 go/gorilla/security/audit/session-cookie-samesitenone.yaml diff --git a/go/gorilla/security/audit/session-cookie-samesitenone.go b/go/gorilla/security/audit/session-cookie-samesitenone.go new file mode 100644 index 0000000000..56b52c7906 --- /dev/null +++ b/go/gorilla/security/audit/session-cookie-samesitenone.go 
@@ -0,0 +1,40 @@ +package main + +import ( + "net/http" + "github.com/gorilla/sessions" +) + +var store = sessions.NewCookieStore([]byte("")) + +func setSessionWithSameSiteNone(w http.ResponseWriter, r *http.Request) { + session, _ := store.Get(r, "session-name") + // ruleid: session-cookie-samesitenone + session.Options = &sessions.Options{ + Path: "/", + MaxAge: 3600, + HttpOnly: true, + Secure: true, + SameSite: http.SameSiteNoneMode, + } + session.Save(r, w) +} + +func setSessionWithSameSiteStrict(w http.ResponseWriter, r *http.Request) { + session, _ := store.Get(r, "session-name") + // ok: session-cookie-samesitenone + session.Options = &sessions.Options{ + Path: "/", + MaxAge: 3600, + HttpOnly: true, + Secure: true, + SameSite: http.SameSiteStrictMode, + } + session.Save(r, w) +} + +func main() { + http.HandleFunc("/set-none", setSessionWithSameSiteNone) + http.HandleFunc("/set-strict", setSessionWithSameSiteStrict) + http.ListenAndServe(":8080", nil) +} diff --git a/go/gorilla/security/audit/session-cookie-samesitenone.yaml b/go/gorilla/security/audit/session-cookie-samesitenone.yaml new file mode 100644 index 0000000000..bcec859903 --- /dev/null +++ b/go/gorilla/security/audit/session-cookie-samesitenone.yaml 
@@ -0,0 +1,36 @@ +rules: +- id: session-cookie-samesitenone + patterns: + - pattern-inside: | + &sessions.Options{ + ..., + SameSite: http.SameSiteNoneMode, + ..., + } + - pattern: | + &sessions.Options{ + ..., + } + message: Found SameSiteNoneMode setting in Gorilla session options. Consider setting + SameSite to Lax, Strict or Default for enhanced security. + metadata: + cwe: + - 'CWE-1275: Sensitive Cookie with Improper SameSite Attribute' + owasp: + - A05:2021 - Security Misconfiguration + references: + - https://pkg.go.dev/github.com/gorilla/sessions#Options + category: security + technology: + - gorilla + confidence: MEDIUM + subcategory: + - audit + likelihood: LOW + impact: LOW + fix-regex: + regex: (SameSite\s*:\s+)http.SameSiteNoneMode + replacement: \1http.SameSiteDefaultMode + severity: WARNING + languages: + - go From 7d2773e2118694c294a0f379d2ac83826d133649 Mon Sep 17 00:00:00 2001 From: Vasilii Ermilov Date: Thu, 9 May 2024 10:58:52 +0900 Subject: [PATCH 78/89] Fix metadata for use-of-basic-authentication rule (#3378) --- yaml/openapi/security/use-of-basic-authentication.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/yaml/openapi/security/use-of-basic-authentication.yaml b/yaml/openapi/security/use-of-basic-authentication.yaml index befbd9eb23..eb95190a77 100644 --- a/yaml/openapi/security/use-of-basic-authentication.yaml +++ b/yaml/openapi/security/use-of-basic-authentication.yaml @@ -24,7 +24,8 @@ rules: scheme: basic metadata: category: security - subcategory: vuln + subcategory: + - vuln technology: - openapi likelihood: MEDIUM From 9bc127c0cd63e679e0a208289b20706509d86330 Mon Sep 17 00:00:00 2001 
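Review bot: The `fix-regex` replacement `\1http.SameSiteDefaultMode` weakens the cookie rather than fixing it: in Go's net/http, `SameSiteDefaultMode` means no `SameSite` attribute is written at all, so the behaviour is left to each browser's default, which is less than the Lax the message itself recommends; suggest `replacement: \1http.SameSiteLaxMode` and dropping `Default` from the message's list. The pattern also matches only the `&sessions.Options{ ... }` composite literal, so `session.Options.SameSite = http.SameSiteNoneMode` after construction, or a non-pointer `sessions.Options{...}` literal, is not reported; a `pattern-either` covering the field assignment would close the obvious gap. Since `SameSite=None` is legitimate for cross-site embedding when paired with `Secure: true` (as the fixture does), the audit subcategory and WARNING severity look right.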
From: Anton Abashkin Date: Thu, 9 May 2024 10:13:46 +0800 Subject: [PATCH 79/89] Add rule API key in query parameter (OpenAPI Spec) (#3375) * Add rule API key in query parameter (OpenAPI Spec) * Update api-key-in-query-parameter.yaml --------- Co-authored-by: Vasilii Ermilov --- .../api-key-in-query-parameter.test.yaml | 37 +++++++++++++++ .../security/api-key-in-query-parameter.yaml | 45 +++++++++++++++++++ 2 files changed, 82 insertions(+) create mode 100644 yaml/openapi/security/api-key-in-query-parameter.test.yaml create mode 100644 yaml/openapi/security/api-key-in-query-parameter.yaml diff --git a/yaml/openapi/security/api-key-in-query-parameter.test.yaml b/yaml/openapi/security/api-key-in-query-parameter.test.yaml new file mode 100644 index 0000000000..22c2df921e --- /dev/null +++ b/yaml/openapi/security/api-key-in-query-parameter.test.yaml @@ -0,0 +1,37 @@ +openapi: 3.1.0 +info: + title: Example API + description: Example API + version: 1.0.0 + +servers: + - url: https://api.example.com/ + +paths: + /test/{param}: + get: + operationId: test + parameters: + - name: param + in: path + required: true + description: test + schema: + type: string + +security: + - apiKeyAuthQuery: [] + - apiKeyAuthHeader: [] + +components: + securitySchemes: + # ruleid: api-key-in-query-parameter + apiKeyAuthQuery: + type: apiKey + in: query + name: api_key + # ok: api-key-in-query-parameter + apiKeyAuthHeader: + type: apiKey + in: header + name: X-API-Key diff --git a/yaml/openapi/security/api-key-in-query-parameter.yaml b/yaml/openapi/security/api-key-in-query-parameter.yaml new file mode 100644 index 0000000000..673c01b8bb --- /dev/null +++ b/yaml/openapi/security/api-key-in-query-parameter.yaml 
@@ -0,0 +1,45 @@ +rules: + - id: api-key-in-query-parameter + languages: [yaml] + message: >- + The $SECURITY_SCHEME security scheme passes an API key in a query parameter. + API keys should not be passed as query parameters in security schemes. + Pass the API key in the header or body. + If using a query parameter is necessary, ensure that the API key is tightly scoped and short lived. + severity: ERROR + patterns: + - pattern-inside: | + openapi: $VERSION + ... + components: + ... + securitySchemes: + ... + - metavariable-regex: + metavariable: $VERSION + regex: 3.* + - pattern: | + $SECURITY_SCHEME: + ... + type: apiKey + ... + in: query + + metadata: + category: security + subcategory: + - vuln + technology: + - openapi + likelihood: MEDIUM + impact: HIGH + confidence: HIGH + cwe: 'CWE-598: Use of GET Request Method With Sensitive Query Strings' + owasp: + - 'A04:2021 Insecure Design' + - 'A07:2021 Identification and Authentication Failures' + references: + - https://datatracker.ietf.org/doc/html/rfc6749 + - https://cwe.mitre.org/data/definitions/598.html + - https://owasp.org/Top10/A04_2021-Insecure_Design/ + - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/ From 48f6e91b0b6548965f2ddb163b384d7b5a2f8770 Mon Sep 17 00:00:00 2001 From: amitfurman <111306242+amitfurman@users.noreply.github.com> Date: Thu, 9 May 2024 05:27:55 +0300 Subject: [PATCH 80/89] Update webservice-ssrf.yaml (#3380) I corrected the word runnig to running in the message(: Co-authored-by: Vasilii Ermilov --- scala/play/security/webservice-ssrf.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scala/play/security/webservice-ssrf.yaml b/scala/play/security/webservice-ssrf.yaml index 1d9c19aa9a..93423165d7 100644 --- a/scala/play/security/webservice-ssrf.yaml +++ b/scala/play/security/webservice-ssrf.yaml 
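Review bot: The message tells the reader to `Pass the API key in the header or body`, but an OpenAPI `apiKey` scheme can only declare `in: header`, `in: query` or `in: cookie`, so "body" is not something the spec author can do; suggest `Pass the API key in a header (or cookie) instead.` It would also help triage to say why a query string is the problem, which the CWE-598 reference in this hunk covers: the URL, and therefore the key, ends up in proxy and server access logs, browser history and `Referer` headers. The `openapi: $VERSION` anchor silently skips Swagger 2.0 documents, whose `securityDefinitions` entries have the same `type: apiKey` / `in: query` shape; either add a second pattern for `swagger:` / `securityDefinitions` or note the limitation in a comment above `pattern-inside`.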
@@ -27,7 +27,7 @@ rules: A parameter being passed directly into `WSClient` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. - They could also probe internal servers or other resources that the server runnig this code can access. + They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode the correct host. metadata: From 4c5bd64dddf7164b574997b8c09532f0eba19c37 Mon Sep 17 00:00:00 2001 From: "semgrep-dev-pr-bot[bot]" <63393893+semgrep-dev-pr-bot[bot]@users.noreply.github.com> Date: Thu, 9 May 2024 03:05:44 +0000 Subject: [PATCH 81/89] New Published Rules - p0_security.direct-response-write-copy (#3382) * add p0_security/direct-response-write-copy.yaml * add p0_security/direct-response-write-copy.jsx * move direct-response-write rule to xss folder * update direct-response-write metadata --------- Co-authored-by: Nathan Brahms Co-authored-by: Vasilii --- .../security/audit/xss/direct-response-write.js | 9 +++++++++ .../audit/xss/direct-response-write.yaml | 16 ++++++++++------ 2 files changed, 19 insertions(+), 6 deletions(-) diff --git a/javascript/express/security/audit/xss/direct-response-write.js b/javascript/express/security/audit/xss/direct-response-write.js index 3898522ff5..f0718cd16f 100644 --- a/javascript/express/security/audit/xss/direct-response-write.js +++ b/javascript/express/security/audit/xss/direct-response-write.js @@ -132,6 +132,15 @@ app.get('/xss', function (req, res) { res.write('Response
' + html); }); +const jsonRouter = express.Router(); +jsonRouter.use(express.json()); +jsonRouter.get('/noxss-json', function (req, res) { + var name = req.query.name; + // ok: direct-response-write + res.write({ name }); +}); +app.use(jsonRouter); + // For https://github.com/returntocorp/semgrep-rules/issues/2872 app.post( "/:id", diff --git a/javascript/express/security/audit/xss/direct-response-write.yaml b/javascript/express/security/audit/xss/direct-response-write.yaml index 370edab86c..25959b5687 100644 --- a/javascript/express/security/audit/xss/direct-response-write.yaml +++ b/javascript/express/security/audit/xss/direct-response-write.yaml @@ -1,10 +1,9 @@ rules: - id: direct-response-write message: >- - Detected directly writing to a Response object from user-defined input. This bypasses - any HTML escaping and may expose your application to a Cross-Site-scripting - (XSS) vulnerability. Instead, use 'resp.render()' to render - safely escaped HTML. + Detected directly writing to a Response object from user-defined input. + This bypasses any HTML escaping and may expose your application to a Cross-Site-scripting + (XSS) vulnerability. Instead, use 'resp.render()' to render safely escaped HTML. options: interfile: true metadata: @@ -15,7 +14,8 @@ rules: - A07:2017 - Cross-Site Scripting (XSS) - A03:2021 - Injection cwe: - - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + - 'CWE-79: Improper Neutralization of Input During Web Page Generation (''Cross-site + Scripting'')' category: security technology: - express @@ -26,6 +26,9 @@ rules: likelihood: MEDIUM impact: MEDIUM confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cross-Site-Scripting (XSS) languages: - javascript - typescript 
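Review bot: The new `ok:` fixture `res.write({ name })` does not exercise a JSON response: Node's `http.ServerResponse.write` accepts only a string, `Buffer` or `Uint8Array`, so passing an object throws at runtime, and the `jsonRouter.use(express.json())` line parses request bodies and has no effect on what is sent back. The case the rule change is meant to cover is Express serialising an object, which is `res.json({ name })` (or `res.send({ name })`, which Express routes to `res.json`); suggest changing the fixture to `res.json({ name });` so the `ok` annotation documents behaviour that actually exists. As written, the fixture only passes because the rule now exempts any object-literal argument regardless of the method called.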
@@ -112,6 +115,7 @@ rules: - pattern: $RES.send($ARG) - pattern-not: $RES. ... .set('...'). ... .send($ARG) - pattern-not: $RES. ... .type('...'). ... .send($ARG) + - pattern-not-inside: $RES.$METHOD({ ... }) - focus-metavariable: $ARG pattern-sanitizers: - patterns: @@ -222,7 +226,7 @@ rules: - metavariable-regex: metavariable: $F regex: (?!.*text/html) - - patterns: + - patterns: - pattern-inside: | $X = [...]; ... From d54acff270c39354f5e97318df153cab5324b514 Mon Sep 17 00:00:00 2001 From: Becojo Date: Thu, 16 May 2024 15:34:45 -0400 Subject: [PATCH 82/89] add python.twilio.security.twiml-injection --- python/twilio/security/twiml-injection.py | 88 ++++++++++++++++++++++ python/twilio/security/twiml-injection.yml | 45 +++++++++++ 2 files changed, 133 insertions(+) create mode 100644 python/twilio/security/twiml-injection.py create mode 100644 python/twilio/security/twiml-injection.yml diff --git a/python/twilio/security/twiml-injection.py b/python/twilio/security/twiml-injection.py new file mode 100644 index 0000000000..6bd9577e99 --- /dev/null +++ b/python/twilio/security/twiml-injection.py 
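Review bot: The added `pattern-not-inside: $RES.$METHOD({ ... })` exempts every sink whose argument is an object literal, independent of `$METHOD` and of any Content-Type already set on the response; the surrounding `pattern-not` lines for `.set('...')` / `.type('...')` chains show the rule otherwise cares about that. In Express, `res.send(obj)` delegates to `res.json`, which keeps an existing Content-Type, so a preceding `res.type('html')` followed by `res.send({ q: input })` emits a JSON body under `text/html` with `<` unescaped by default (the `json escape` setting is off). That is a narrow case and the rule is audit-grade, but the assumption should be written down next to the new line: `# object-literal argument: Express serialises it as JSON via res.json; assumes no text/html Content-Type was set earlier in the handler`. The enclosing rule definition starts and ends outside this hunk.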
@@ -0,0 +1,88 @@ +from twilio.rest import Client +import html +from xml.sax.saxutils import escape + +client = Client("accountSid", "authToken") +XML = "{}" + + +def fstring(to: str, msg: str) -> None: + client.calls.create( + # ruleid: twiml-injection + twiml=f"{msg}", + to=to, + from_="555-555-5555", + ) + + +def format_const(to: str, msg: str) -> None: + twiml = XML.format(msg) + client.calls.create( + # ruleid: twiml-injection + twiml=twiml, + to=to, + from_="555-555-5555", + ) + + +def percent(to: str, msg: str) -> None: + client.calls.create( + # ruleid: twiml-injection + twiml="%s" % msg, + to=to, + from_="555-555-5555", + ) + + +def format(to: str, msg: str) -> None: + client.calls.create( + # ruleid: twiml-injection + twiml="{}".format(msg), + to=to, + from_="555-555-5555", + ) + + +def concat(to: str, msg: str) -> None: + client.calls.create( + # ruleid: twiml-injection + twiml="" + msg + "", + to=to, + from_="555-555-5555", + ) + + +def safe(to: str, msg: str) -> None: + client.calls.create( + # ok: twiml-injection + twiml="nsec", + to=to, + from_="555-555-5555", + ) + + +def also_safe(to: str, msg: str) -> None: + client.calls.create( + # ok: twiml-injection + twiml="nsec", + to=to, + from_=f"{1+2}34-323-1234", + ) + + +def html_escape(to: str, msg: str) -> None: + client.calls.create( + # ok: twiml-injection + twiml="" + html.escape(msg) + "", + to=to, + from_="555-555-5555", + ) + + +def xml_escape(to: str, msg: str) -> None: + client.calls.create( + # ok: twiml-injection + twiml="" + escape(msg) + "", + to=to, + from_="555-555-5555", + ) diff --git a/python/twilio/security/twiml-injection.yml b/python/twilio/security/twiml-injection.yml new file mode 100644 index 0000000000..babdd6a530 --- /dev/null +++ b/python/twilio/security/twiml-injection.yml 
@@ -0,0 +1,45 @@ +rules: + - id: twiml-injection + languages: [python] + severity: WARNING + message: >- + Using non-constant TwiML (Twilio Markup Language) argument when creating a + Twilio conversation could allow the injection of additional TwiML commands + metadata: + cwe: + - "CWE-91: XML Injection" + owasp: + - "A03:2021 - Injection" + category: security + technology: [--no-technology--] + confidence: MEDIUM + likelihood: HIGH + impact: MEDIUM + subcategory: vuln + references: + - https://codeberg.org/fennix/funjection + mode: taint + pattern-sources: + - pattern: | + f"..." + - pattern: | + "..." % ... + - pattern: | + "...".format(...) + + - patterns: + - pattern: $ARG + - pattern-inside: | + def $F(..., $ARG, ...): + ... + + pattern-sanitizers: + - pattern: xml.sax.saxutils.escape(...) + - pattern: html.escape(...) + + pattern-sinks: + - patterns: + - pattern: | + $CLIENT.calls.create(..., twiml=$SINK, ...) + + - focus-metavariable: $SINK From e1eabc653f80755fba24138059e0f96536414c1c Mon Sep 17 00:00:00 2001 From: "Pieter De Cremer (Semgrep)" Date: Fri, 17 May 2024 13:03:28 +0200 Subject: [PATCH 83/89] Update api-key-in-query-parameter.yaml (#3384) --- yaml/openapi/security/api-key-in-query-parameter.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/yaml/openapi/security/api-key-in-query-parameter.yaml b/yaml/openapi/security/api-key-in-query-parameter.yaml index 673c01b8bb..cf29bf030a 100644 --- a/yaml/openapi/security/api-key-in-query-parameter.yaml +++ b/yaml/openapi/security/api-key-in-query-parameter.yaml @@ -6,7 +6,7 @@ rules: API keys should not be passed as query parameters in security schemes. Pass the API key in the header or body. If using a query parameter is necessary, ensure that the API key is tightly scoped and short lived. - severity: ERROR + severity: WARNING patterns: - pattern-inside: | openapi: $VERSION 
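Review bot: The sanitizer `xml.sax.saxutils.escape(...)` only escapes `&`, `<` and `>`, not quotes, so `escape(msg)` is safe inside element text but lets an attacker close an attribute value in TwiML such as `<Say voice="...">`; the same holds for `html.escape($X, quote=False)`, which the bare `html.escape(...)` pattern accepts. Suggest adding `- pattern: xml.sax.saxutils.quoteattr(...)` as a sanitizer, narrowing the html pattern to `html.escape($X)` / `html.escape($X, quote=True)`, and saying in the message that attribute context needs quote escaping. The source `def $F(..., $ARG, ...)` makes every parameter of every function tainted, so the rule is effectively "any non-literal `twiml=` argument", which matches the message but is worth a comment above `pattern-sources` so the next maintainer does not try to make it more precise. Finally, `technology: [--no-technology--]` is a placeholder that should become `[twilio]`, and `subcategory: vuln` should be a list (`- vuln`) as commit 78 in this same series fixes for another rule.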
@@ -33,7 +33,7 @@ rules: - openapi likelihood: MEDIUM impact: HIGH - confidence: HIGH + confidence: LOW cwe: 'CWE-598: Use of GET Request Method With Sensitive Query Strings' owasp: - 'A04:2021 Insecure Design' From f4b63d53728515b8af24bb6dd5b11eb015f23871 Mon Sep 17 00:00:00 2001 From: rustfix <155627174+rustfix@users.noreply.github.com> Date: Mon, 20 May 2024 16:25:09 +0800 Subject: [PATCH 84/89] chore: fix some typos in comments (#3354) Signed-off-by: rustfix <771054535@qq.com> Co-authored-by: Claudio --- solidity/security/msg-value-multicall.sol | 14 +++++++------- stats/matrixify.py | 2 +- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/solidity/security/msg-value-multicall.sol b/solidity/security/msg-value-multicall.sol index a2a5d5fece..65cd254e6d 100644 --- a/solidity/security/msg-value-multicall.sol +++ b/solidity/security/msg-value-multicall.sol @@ -101,7 +101,7 @@ contract DutchAuction is IMisoMarket, MISOAccessControls, BoringBatchable, SafeT /// @notice Address that manages auction approvals. address public pointList; - /// @notice The commited amount of accounts. + /// @notice The committed amount of accounts. mapping(address => uint256) public commitments; /// @notice Amount of tokens to claim per address. mapping(address => uint256) public claimed; 
@@ -148,8 +148,8 @@ contract DutchAuction is IMisoMarket, MISOAccessControls, BoringBatchable, SafeT address _pointList, address payable _wallet ) public { - require(_startTime < 10000000000, "DutchAuction: enter an unix timestamp in seconds, not miliseconds"); - require(_endTime < 10000000000, "DutchAuction: enter an unix timestamp in seconds, not miliseconds"); + require(_startTime < 10000000000, "DutchAuction: enter an unix timestamp in seconds, not milliseconds"); + require(_endTime < 10000000000, "DutchAuction: enter an unix timestamp in seconds, not milliseconds"); require(_startTime >= block.timestamp, "DutchAuction: start time is before current time"); require(_endTime > _startTime, "DutchAuction: end time must be older than start price"); require(_totalTokens > 0,"DutchAuction: total tokens must be greater than zero"); @@ -247,7 +247,7 @@ contract DutchAuction is IMisoMarket, MISOAccessControls, BoringBatchable, SafeT * @dev Attribution to the awesome delta.financial contracts */ function marketParticipationAgreement() public pure returns (string memory) { - return "I understand that I'm interacting with a smart contract. I understand that tokens commited are subject to the token issuer and local laws where applicable. I reviewed code of the smart contract and understand it fully. I agree to not hold developers or other people associated with the project liable for any losses or misunderstandings"; + return "I understand that I'm interacting with a smart contract. I understand that tokens committed are subject to the token issuer and local laws where applicable. I reviewed code of the smart contract and understand it fully. I agree to not hold developers or other people associated with the project liable for any losses or misunderstandings"; } /** * @dev Not using modifiers is a purposeful choice for code readability. 
@@ -352,7 +352,7 @@ contract DutchAuction is IMisoMarket, MISOAccessControls, BoringBatchable, SafeT /** * @notice Calculates total amount of tokens committed at current auction price. - * @return Number of tokens commited. + * @return Number of tokens committed. */ function totalTokensCommitted() public view returns (uint256) { return uint256(marketStatus.commitmentsTotal).mul(1e18).div(clearingPrice()); @@ -572,8 +572,8 @@ contract DutchAuction is IMisoMarket, MISOAccessControls, BoringBatchable, SafeT */ function setAuctionTime(uint256 _startTime, uint256 _endTime) external { require(hasAdminRole(msg.sender)); - require(_startTime < 10000000000, "DutchAuction: enter an unix timestamp in seconds, not miliseconds"); - require(_endTime < 10000000000, "DutchAuction: enter an unix timestamp in seconds, not miliseconds"); + require(_startTime < 10000000000, "DutchAuction: enter an unix timestamp in seconds, not milliseconds"); + require(_endTime < 10000000000, "DutchAuction: enter an unix timestamp in seconds, not milliseconds"); require(_startTime >= block.timestamp, "DutchAuction: start time is before current time"); require(_endTime > _startTime, "DutchAuction: end time must be older than start time"); require(marketStatus.commitmentsTotal == 0, "DutchAuction: auction cannot have already started"); diff --git a/stats/matrixify.py b/stats/matrixify.py index a82ca7f92f..7eed28d449 100755 --- a/stats/matrixify.py +++ b/stats/matrixify.py @@ -78,7 +78,7 @@ def get_technology(rule: Dict[str, Any]) -> List[str]: return [""] # Sometimes, the language as defined within the ArchList will be something that's not in the dict -# So, the filepath seems like the only reliable way to get the lanaguage +# So, the filepath seems like the only reliable way to get the language def get_lang(path: str) -> str: return path.split(os.path.sep)[1].strip() #archlist = ArchList(rule.get('languages', [])).get(0, "") From 80137c293239e75380f1bdf40e90463a58e5d562 Mon Sep 17 00:00:00 2001 
From: "Federico G. Schwindt" Date: Mon, 20 May 2024 15:05:49 +0100 Subject: [PATCH 85/89] Update LICENSE Update semgrep-rules GH url. --- LICENSE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/LICENSE b/LICENSE index 1a0b04a759..14dc405fed 100644 --- a/LICENSE +++ b/LICENSE @@ -6,6 +6,6 @@ Without limiting other conditions in the License, the grant of rights under the For purposes of the foregoing, “Sell” means practicing any or all of the rights granted to you under the License to provide to third parties, for a fee or other consideration (including without limitation fees for hosting or consulting/ support services related to the Software), a product or service whose value derives, entirely or substantially, from the functionality of the Software. Any license notice or attribution required by the License must also include this Commons Clause License Condition notice. -Software: semgrep-rules (https://github.com/returntocorp/semgrep-rules) +Software: semgrep-rules (https://github.com/semgrep/semgrep-rules) License: LGPL 2.1 (GNU Lesser General Public License, Version 2.1) Licensor: Semgrep, Inc. (https://semgrep.dev) From ad4e643b2d8936d5eb0c53b44b34280bb111f3a6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 21 May 2024 05:27:51 +0000 Subject: [PATCH 86/89] --- updated-dependencies: - dependency-name: requests dependency-type: indirect ... Signed-off-by: dependabot[bot] --- Pipfile.lock | 207 +++++++++++++++++++++++++-------------------------- 1 file changed, 103 insertions(+), 104 deletions(-) diff --git a/Pipfile.lock b/Pipfile.lock index 3b4275666c..06a5695d39 100644 --- a/Pipfile.lock +++ b/Pipfile.lock 
@@ -26,107 +26,107 @@ }, "certifi": { "hashes": [ - "sha256:539cc1d13202e33ca466e88b2807e29f4c13049d6d87031a3c110744495cb082", - "sha256:92d6037539857d8206b8f6ae472e8b77db8058fec5937a1ef3f54304089edbb9" + "sha256:0569859f95fc761b18b45ef421b1290a0f65f147e92a1e5eb3e635f9a5e4e66f", + "sha256:dc383c07b76109f368f6106eee2b593b04a011ea4d55f652c6ca24a754d1cdd1" ], "markers": "python_version >= '3.6'", - "version": "==2023.7.22" + "version": "==2024.2.2" }, "charset-normalizer": { "hashes": [ - "sha256:02673e456dc5ab13659f85196c534dc596d4ef260e4d86e856c3b2773ce09843", - "sha256:02af06682e3590ab952599fbadac535ede5d60d78848e555aa58d0c0abbde786", - "sha256:03680bb39035fbcffe828eae9c3f8afc0428c91d38e7d61aa992ef7a59fb120e", - "sha256:0570d21da019941634a531444364f2482e8db0b3425fcd5ac0c36565a64142c8", - "sha256:09c77f964f351a7369cc343911e0df63e762e42bac24cd7d18525961c81754f4", - "sha256:0d3d5b7db9ed8a2b11a774db2bbea7ba1884430a205dbd54a32d61d7c2a190fa", - "sha256:1063da2c85b95f2d1a430f1c33b55c9c17ffaf5e612e10aeaad641c55a9e2b9d", - "sha256:12ebea541c44fdc88ccb794a13fe861cc5e35d64ed689513a5c03d05b53b7c82", - "sha256:153e7b6e724761741e0974fc4dcd406d35ba70b92bfe3fedcb497226c93b9da7", - "sha256:15b26ddf78d57f1d143bdf32e820fd8935d36abe8a25eb9ec0b5a71c82eb3895", - "sha256:1872d01ac8c618a8da634e232f24793883d6e456a66593135aeafe3784b0848d", - "sha256:187d18082694a29005ba2944c882344b6748d5be69e3a89bf3cc9d878e548d5a", - "sha256:1b2919306936ac6efb3aed1fbf81039f7087ddadb3160882a57ee2ff74fd2382", - "sha256:232ac332403e37e4a03d209a3f92ed9071f7d3dbda70e2a5e9cff1c4ba9f0678", - "sha256:23e8565ab7ff33218530bc817922fae827420f143479b753104ab801145b1d5b", - "sha256:24817cb02cbef7cd499f7c9a2735286b4782bd47a5b3516a0e84c50eab44b98e", - "sha256:249c6470a2b60935bafd1d1d13cd613f8cd8388d53461c67397ee6a0f5dce741", - "sha256:24a91a981f185721542a0b7c92e9054b7ab4fea0508a795846bc5b0abf8118d4", - "sha256:2502dd2a736c879c0f0d3e2161e74d9907231e25d35794584b1ca5284e43f596", - 
"sha256:250c9eb0f4600361dd80d46112213dff2286231d92d3e52af1e5a6083d10cad9", - "sha256:278c296c6f96fa686d74eb449ea1697f3c03dc28b75f873b65b5201806346a69", - "sha256:2935ffc78db9645cb2086c2f8f4cfd23d9b73cc0dc80334bc30aac6f03f68f8c", - "sha256:2f4a0033ce9a76e391542c182f0d48d084855b5fcba5010f707c8e8c34663d77", - "sha256:30a85aed0b864ac88309b7d94be09f6046c834ef60762a8833b660139cfbad13", - "sha256:380c4bde80bce25c6e4f77b19386f5ec9db230df9f2f2ac1e5ad7af2caa70459", - "sha256:3ae38d325b512f63f8da31f826e6cb6c367336f95e418137286ba362925c877e", - "sha256:3b447982ad46348c02cb90d230b75ac34e9886273df3a93eec0539308a6296d7", - "sha256:3debd1150027933210c2fc321527c2299118aa929c2f5a0a80ab6953e3bd1908", - "sha256:4162918ef3098851fcd8a628bf9b6a98d10c380725df9e04caf5ca6dd48c847a", - "sha256:468d2a840567b13a590e67dd276c570f8de00ed767ecc611994c301d0f8c014f", - "sha256:4cc152c5dd831641e995764f9f0b6589519f6f5123258ccaca8c6d34572fefa8", - "sha256:542da1178c1c6af8873e143910e2269add130a299c9106eef2594e15dae5e482", - "sha256:557b21a44ceac6c6b9773bc65aa1b4cc3e248a5ad2f5b914b91579a32e22204d", - "sha256:5707a746c6083a3a74b46b3a631d78d129edab06195a92a8ece755aac25a3f3d", - "sha256:588245972aca710b5b68802c8cad9edaa98589b1b42ad2b53accd6910dad3545", - "sha256:5adf257bd58c1b8632046bbe43ee38c04e1038e9d37de9c57a94d6bd6ce5da34", - "sha256:619d1c96099be5823db34fe89e2582b336b5b074a7f47f819d6b3a57ff7bdb86", - "sha256:63563193aec44bce707e0c5ca64ff69fa72ed7cf34ce6e11d5127555756fd2f6", - "sha256:67b8cc9574bb518ec76dc8e705d4c39ae78bb96237cb533edac149352c1f39fe", - "sha256:6a685067d05e46641d5d1623d7c7fdf15a357546cbb2f71b0ebde91b175ffc3e", - "sha256:70f1d09c0d7748b73290b29219e854b3207aea922f839437870d8cc2168e31cc", - "sha256:750b446b2ffce1739e8578576092179160f6d26bd5e23eb1789c4d64d5af7dc7", - "sha256:7966951325782121e67c81299a031f4c115615e68046f79b85856b86ebffc4cd", - "sha256:7b8b8bf1189b3ba9b8de5c8db4d541b406611a71a955bbbd7385bbc45fcb786c", - "sha256:7f5d10bae5d78e4551b7be7a9b29643a95aded9d0f602aa2ba584f0388e7a557", 
- "sha256:805dfea4ca10411a5296bcc75638017215a93ffb584c9e344731eef0dcfb026a", - "sha256:81bf654678e575403736b85ba3a7867e31c2c30a69bc57fe88e3ace52fb17b89", - "sha256:82eb849f085624f6a607538ee7b83a6d8126df6d2f7d3b319cb837b289123078", - "sha256:85a32721ddde63c9df9ebb0d2045b9691d9750cb139c161c80e500d210f5e26e", - "sha256:86d1f65ac145e2c9ed71d8ffb1905e9bba3a91ae29ba55b4c46ae6fc31d7c0d4", - "sha256:86f63face3a527284f7bb8a9d4f78988e3c06823f7bea2bd6f0e0e9298ca0403", - "sha256:8eaf82f0eccd1505cf39a45a6bd0a8cf1c70dcfc30dba338207a969d91b965c0", - "sha256:93aa7eef6ee71c629b51ef873991d6911b906d7312c6e8e99790c0f33c576f89", - "sha256:96c2b49eb6a72c0e4991d62406e365d87067ca14c1a729a870d22354e6f68115", - "sha256:9cf3126b85822c4e53aa28c7ec9869b924d6fcfb76e77a45c44b83d91afd74f9", - "sha256:9fe359b2e3a7729010060fbca442ca225280c16e923b37db0e955ac2a2b72a05", - "sha256:a0ac5e7015a5920cfce654c06618ec40c33e12801711da6b4258af59a8eff00a", - "sha256:a3f93dab657839dfa61025056606600a11d0b696d79386f974e459a3fbc568ec", - "sha256:a4b71f4d1765639372a3b32d2638197f5cd5221b19531f9245fcc9ee62d38f56", - "sha256:aae32c93e0f64469f74ccc730a7cb21c7610af3a775157e50bbd38f816536b38", - "sha256:aaf7b34c5bc56b38c931a54f7952f1ff0ae77a2e82496583b247f7c969eb1479", - "sha256:abecce40dfebbfa6abf8e324e1860092eeca6f7375c8c4e655a8afb61af58f2c", - "sha256:abf0d9f45ea5fb95051c8bfe43cb40cda383772f7e5023a83cc481ca2604d74e", - "sha256:ac71b2977fb90c35d41c9453116e283fac47bb9096ad917b8819ca8b943abecd", - "sha256:ada214c6fa40f8d800e575de6b91a40d0548139e5dc457d2ebb61470abf50186", - "sha256:b09719a17a2301178fac4470d54b1680b18a5048b481cb8890e1ef820cb80455", - "sha256:b1121de0e9d6e6ca08289583d7491e7fcb18a439305b34a30b20d8215922d43c", - "sha256:b3b2316b25644b23b54a6f6401074cebcecd1244c0b8e80111c9a3f1c8e83d65", - "sha256:b3d9b48ee6e3967b7901c052b670c7dda6deb812c309439adaffdec55c6d7b78", - "sha256:b5bcf60a228acae568e9911f410f9d9e0d43197d030ae5799e20dca8df588287", - 
"sha256:b8f3307af845803fb0b060ab76cf6dd3a13adc15b6b451f54281d25911eb92df", - "sha256:c2af80fb58f0f24b3f3adcb9148e6203fa67dd3f61c4af146ecad033024dde43", - "sha256:c350354efb159b8767a6244c166f66e67506e06c8924ed74669b2c70bc8735b1", - "sha256:c5a74c359b2d47d26cdbbc7845e9662d6b08a1e915eb015d044729e92e7050b7", - "sha256:c71f16da1ed8949774ef79f4a0260d28b83b3a50c6576f8f4f0288d109777989", - "sha256:d47ecf253780c90ee181d4d871cd655a789da937454045b17b5798da9393901a", - "sha256:d7eff0f27edc5afa9e405f7165f85a6d782d308f3b6b9d96016c010597958e63", - "sha256:d97d85fa63f315a8bdaba2af9a6a686e0eceab77b3089af45133252618e70884", - "sha256:db756e48f9c5c607b5e33dd36b1d5872d0422e960145b08ab0ec7fd420e9d649", - "sha256:dc45229747b67ffc441b3de2f3ae5e62877a282ea828a5bdb67883c4ee4a8810", - "sha256:e0fc42822278451bc13a2e8626cf2218ba570f27856b536e00cfa53099724828", - "sha256:e39c7eb31e3f5b1f88caff88bcff1b7f8334975b46f6ac6e9fc725d829bc35d4", - "sha256:e46cd37076971c1040fc8c41273a8b3e2c624ce4f2be3f5dfcb7a430c1d3acc2", - "sha256:e5c1502d4ace69a179305abb3f0bb6141cbe4714bc9b31d427329a95acfc8bdd", - "sha256:edfe077ab09442d4ef3c52cb1f9dab89bff02f4524afc0acf2d46be17dc479f5", - "sha256:effe5406c9bd748a871dbcaf3ac69167c38d72db8c9baf3ff954c344f31c4cbe", - "sha256:f0d1e3732768fecb052d90d62b220af62ead5748ac51ef61e7b32c266cac9293", - "sha256:f5969baeaea61c97efa706b9b107dcba02784b1601c74ac84f2a532ea079403e", - "sha256:f8888e31e3a85943743f8fc15e71536bda1c81d5aa36d014a3c0c44481d7db6e", - "sha256:fc52b79d83a3fe3a360902d3f5d79073a993597d48114c29485e9431092905d8" + "sha256:06435b539f889b1f6f4ac1758871aae42dc3a8c0e24ac9e60c2384973ad73027", + "sha256:06a81e93cd441c56a9b65d8e1d043daeb97a3d0856d177d5c90ba85acb3db087", + "sha256:0a55554a2fa0d408816b3b5cedf0045f4b8e1a6065aec45849de2d6f3f8e9786", + "sha256:0b2b64d2bb6d3fb9112bafa732def486049e63de9618b5843bcdd081d8144cd8", + "sha256:10955842570876604d404661fbccbc9c7e684caf432c09c715ec38fbae45ae09", + "sha256:122c7fa62b130ed55f8f285bfd56d5f4b4a5b503609d181f9ad85e55c89f4185", 
+ "sha256:1ceae2f17a9c33cb48e3263960dc5fc8005351ee19db217e9b1bb15d28c02574", + "sha256:1d3193f4a680c64b4b6a9115943538edb896edc190f0b222e73761716519268e", + "sha256:1f79682fbe303db92bc2b1136016a38a42e835d932bab5b3b1bfcfbf0640e519", + "sha256:2127566c664442652f024c837091890cb1942c30937add288223dc895793f898", + "sha256:22afcb9f253dac0696b5a4be4a1c0f8762f8239e21b99680099abd9b2b1b2269", + "sha256:25baf083bf6f6b341f4121c2f3c548875ee6f5339300e08be3f2b2ba1721cdd3", + "sha256:2e81c7b9c8979ce92ed306c249d46894776a909505d8f5a4ba55b14206e3222f", + "sha256:3287761bc4ee9e33561a7e058c72ac0938c4f57fe49a09eae428fd88aafe7bb6", + "sha256:34d1c8da1e78d2e001f363791c98a272bb734000fcef47a491c1e3b0505657a8", + "sha256:37e55c8e51c236f95b033f6fb391d7d7970ba5fe7ff453dad675e88cf303377a", + "sha256:3d47fa203a7bd9c5b6cee4736ee84ca03b8ef23193c0d1ca99b5089f72645c73", + "sha256:3e4d1f6587322d2788836a99c69062fbb091331ec940e02d12d179c1d53e25fc", + "sha256:42cb296636fcc8b0644486d15c12376cb9fa75443e00fb25de0b8602e64c1714", + "sha256:45485e01ff4d3630ec0d9617310448a8702f70e9c01906b0d0118bdf9d124cf2", + "sha256:4a78b2b446bd7c934f5dcedc588903fb2f5eec172f3d29e52a9096a43722adfc", + "sha256:4ab2fe47fae9e0f9dee8c04187ce5d09f48eabe611be8259444906793ab7cbce", + "sha256:4d0d1650369165a14e14e1e47b372cfcb31d6ab44e6e33cb2d4e57265290044d", + "sha256:549a3a73da901d5bc3ce8d24e0600d1fa85524c10287f6004fbab87672bf3e1e", + "sha256:55086ee1064215781fff39a1af09518bc9255b50d6333f2e4c74ca09fac6a8f6", + "sha256:572c3763a264ba47b3cf708a44ce965d98555f618ca42c926a9c1616d8f34269", + "sha256:573f6eac48f4769d667c4442081b1794f52919e7edada77495aaed9236d13a96", + "sha256:5b4c145409bef602a690e7cfad0a15a55c13320ff7a3ad7ca59c13bb8ba4d45d", + "sha256:6463effa3186ea09411d50efc7d85360b38d5f09b870c48e4600f63af490e56a", + "sha256:65f6f63034100ead094b8744b3b97965785388f308a64cf8d7c34f2f2e5be0c4", + "sha256:663946639d296df6a2bb2aa51b60a2454ca1cb29835324c640dafb5ff2131a77", + 
"sha256:6897af51655e3691ff853668779c7bad41579facacf5fd7253b0133308cf000d", + "sha256:68d1f8a9e9e37c1223b656399be5d6b448dea850bed7d0f87a8311f1ff3dabb0", + "sha256:6ac7ffc7ad6d040517be39eb591cac5ff87416c2537df6ba3cba3bae290c0fed", + "sha256:6b3251890fff30ee142c44144871185dbe13b11bab478a88887a639655be1068", + "sha256:6c4caeef8fa63d06bd437cd4bdcf3ffefe6738fb1b25951440d80dc7df8c03ac", + "sha256:6ef1d82a3af9d3eecdba2321dc1b3c238245d890843e040e41e470ffa64c3e25", + "sha256:753f10e867343b4511128c6ed8c82f7bec3bd026875576dfd88483c5c73b2fd8", + "sha256:7cd13a2e3ddeed6913a65e66e94b51d80a041145a026c27e6bb76c31a853c6ab", + "sha256:7ed9e526742851e8d5cc9e6cf41427dfc6068d4f5a3bb03659444b4cabf6bc26", + "sha256:7f04c839ed0b6b98b1a7501a002144b76c18fb1c1850c8b98d458ac269e26ed2", + "sha256:802fe99cca7457642125a8a88a084cef28ff0cf9407060f7b93dca5aa25480db", + "sha256:80402cd6ee291dcb72644d6eac93785fe2c8b9cb30893c1af5b8fdd753b9d40f", + "sha256:8465322196c8b4d7ab6d1e049e4c5cb460d0394da4a27d23cc242fbf0034b6b5", + "sha256:86216b5cee4b06df986d214f664305142d9c76df9b6512be2738aa72a2048f99", + "sha256:87d1351268731db79e0f8e745d92493ee2841c974128ef629dc518b937d9194c", + "sha256:8bdb58ff7ba23002a4c5808d608e4e6c687175724f54a5dade5fa8c67b604e4d", + "sha256:8c622a5fe39a48f78944a87d4fb8a53ee07344641b0562c540d840748571b811", + "sha256:8d756e44e94489e49571086ef83b2bb8ce311e730092d2c34ca8f7d925cb20aa", + "sha256:8f4a014bc36d3c57402e2977dada34f9c12300af536839dc38c0beab8878f38a", + "sha256:9063e24fdb1e498ab71cb7419e24622516c4a04476b17a2dab57e8baa30d6e03", + "sha256:90d558489962fd4918143277a773316e56c72da56ec7aa3dc3dbbe20fdfed15b", + "sha256:923c0c831b7cfcb071580d3f46c4baf50f174be571576556269530f4bbd79d04", + "sha256:95f2a5796329323b8f0512e09dbb7a1860c46a39da62ecb2324f116fa8fdc85c", + "sha256:96b02a3dc4381e5494fad39be677abcb5e6634bf7b4fa83a6dd3112607547001", + "sha256:9f96df6923e21816da7e0ad3fd47dd8f94b2a5ce594e00677c0013018b813458", + "sha256:a10af20b82360ab00827f916a6058451b723b4e65030c5a18577c8b2de5b3389", 
+ "sha256:a50aebfa173e157099939b17f18600f72f84eed3049e743b68ad15bd69b6bf99", + "sha256:a981a536974bbc7a512cf44ed14938cf01030a99e9b3a06dd59578882f06f985", + "sha256:a9a8e9031d613fd2009c182b69c7b2c1ef8239a0efb1df3f7c8da66d5dd3d537", + "sha256:ae5f4161f18c61806f411a13b0310bea87f987c7d2ecdbdaad0e94eb2e404238", + "sha256:aed38f6e4fb3f5d6bf81bfa990a07806be9d83cf7bacef998ab1a9bd660a581f", + "sha256:b01b88d45a6fcb69667cd6d2f7a9aeb4bf53760d7fc536bf679ec94fe9f3ff3d", + "sha256:b261ccdec7821281dade748d088bb6e9b69e6d15b30652b74cbbac25e280b796", + "sha256:b2b0a0c0517616b6869869f8c581d4eb2dd83a4d79e0ebcb7d373ef9956aeb0a", + "sha256:b4a23f61ce87adf89be746c8a8974fe1c823c891d8f86eb218bb957c924bb143", + "sha256:bd8f7df7d12c2db9fab40bdd87a7c09b1530128315d047a086fa3ae3435cb3a8", + "sha256:beb58fe5cdb101e3a055192ac291b7a21e3b7ef4f67fa1d74e331a7f2124341c", + "sha256:c002b4ffc0be611f0d9da932eb0f704fe2602a9a949d1f738e4c34c75b0863d5", + "sha256:c083af607d2515612056a31f0a8d9e0fcb5876b7bfc0abad3ecd275bc4ebc2d5", + "sha256:c180f51afb394e165eafe4ac2936a14bee3eb10debc9d9e4db8958fe36afe711", + "sha256:c235ebd9baae02f1b77bcea61bce332cb4331dc3617d254df3323aa01ab47bd4", + "sha256:cd70574b12bb8a4d2aaa0094515df2463cb429d8536cfb6c7ce983246983e5a6", + "sha256:d0eccceffcb53201b5bfebb52600a5fb483a20b61da9dbc885f8b103cbe7598c", + "sha256:d965bba47ddeec8cd560687584e88cf699fd28f192ceb452d1d7ee807c5597b7", + "sha256:db364eca23f876da6f9e16c9da0df51aa4f104a972735574842618b8c6d999d4", + "sha256:ddbb2551d7e0102e7252db79ba445cdab71b26640817ab1e3e3648dad515003b", + "sha256:deb6be0ac38ece9ba87dea880e438f25ca3eddfac8b002a2ec3d9183a454e8ae", + "sha256:e06ed3eb3218bc64786f7db41917d4e686cc4856944f53d5bdf83a6884432e12", + "sha256:e27ad930a842b4c5eb8ac0016b0a54f5aebbe679340c26101df33424142c143c", + "sha256:e537484df0d8f426ce2afb2d0f8e1c3d0b114b83f8850e5f2fbea0e797bd82ae", + "sha256:eb00ed941194665c332bf8e078baf037d6c35d7c4f3102ea2d4f16ca94a26dc8", + 
"sha256:eb6904c354526e758fda7167b33005998fb68c46fbc10e013ca97f21ca5c8887", + "sha256:eb8821e09e916165e160797a6c17edda0679379a4be5c716c260e836e122f54b", + "sha256:efcb3f6676480691518c177e3b465bcddf57cea040302f9f4e6e191af91174d4", + "sha256:f27273b60488abe721a075bcca6d7f3964f9f6f067c8c4c605743023d7d3944f", + "sha256:f30c3cb33b24454a82faecaf01b19c18562b1e89558fb6c56de4d9118a032fd5", + "sha256:fb69256e180cb6c8a894fee62b3afebae785babc1ee98b81cdf68bbca1987f33", + "sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519", + "sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561" ], "markers": "python_full_version >= '3.7.0'", - "version": "==3.3.0" + "version": "==3.3.2" }, "colorama": { "hashes": [ @@ -141,7 +141,6 @@ "sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc", "sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0" ], - "index": "pypi", "markers": "python_version >= '3.5'", "version": "==3.7" }, @@ -195,11 +194,12 @@ }, "requests": { "hashes": [ - "sha256:58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f", - "sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1" + "sha256:f2c3881dddb70d056c5bd7600a4fae312b2a300e39be6a118d30b90bd27262b5", + "sha256:fa5490319474c82ef1d2c9bc459d3652e3ae4ef4c4ebdd18a21145a47ca4b6b8" ], - "markers": "python_version >= '3.7'", - "version": "==2.31.0" + "index": "pypi", + "markers": "python_version >= '3.8'", + "version": "==2.32.0" }, "ruamel.yaml": { "hashes": [ 
@@ -288,12 +288,11 @@
 },
 "urllib3": {
 "hashes": [
- "sha256:c97dfde1f7bd43a71c8d2a58e369e9b2bf692d1334ea9f9cae55add7d0dd0f84",
- "sha256:fdb6d215c776278489906c2f8916e6e7d4f5a9b602ccbcfdf7f016fc8da0596e"
+ "sha256:450b20ec296a467077128bff42b73080516e71b56ff59a60a02bef2232c4fa9d",
+ "sha256:d0570876c61ab9e520d776c38acbbb5b05a776d3f9ff98a5c8fd5162a444cf19"
 ],
- "index": "pypi",
- "markers": "python_version >= '3.7'",
- "version": "==2.0.7"
+ "markers": "python_version >= '3.8'",
+ "version": "==2.2.1"
 }
 },
 "develop": {
From 880fc3f341cd6c22c4e9830e799270bcdb750bca Mon Sep 17 00:00:00 2001
From: becojo <172889+becojo@users.noreply.github.com>
Date: Mon, 27 May 2024 09:40:24 -0400
Subject: [PATCH 87/89] add technologies
---
 python/twilio/security/twiml-injection.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/python/twilio/security/twiml-injection.yml b/python/twilio/security/twiml-injection.yml
index babdd6a530..7f63099166 100644
--- a/python/twilio/security/twiml-injection.yml
+++ b/python/twilio/security/twiml-injection.yml
@@ -11,7 +11,10 @@ rules:
 owasp:
 - "A03:2021 - Injection"
 category: security
- technology: [--no-technology--]
+ technology:
+ - python
+ - twilio
+ - twiml
 confidence: MEDIUM
 likelihood: HIGH
 impact: MEDIUM
From 201647e9042cb0e7e0f35e253a31f1e9e4c62280 Mon Sep 17 00:00:00 2001
From: "r2c-argo[bot]" <89167470+r2c-argo[bot]@users.noreply.github.com>
Date: Fri, 7 Jun 2024 09:10:29 +0200
Subject: [PATCH 88/89] Merge Gitleaks rules 2024-06-07 # 00:30 (#3395)
Co-authored-by: Security Research (r2c-argo)
---
 .../gitleaks/facebook-access-token.yaml | 2 +-
 .../gitleaks/intra42-client-secret.yaml | 26 +++++++++++++++++++
 .../gitleaks/new-relic-insert-key.yaml | 26 +++++++++++++++++++
 .../gitleaks/telegram-bot-api-token.yaml | 2 +-
 4 files changed, 54 insertions(+), 2 deletions(-)
 create mode 100644 generic/secrets/gitleaks/intra42-client-secret.yaml
 create mode 100644 generic/secrets/gitleaks/new-relic-insert-key.yaml
diff --git a/generic/secrets/gitleaks/facebook-access-token.yaml b/generic/secrets/gitleaks/facebook-access-token.yaml
index 2a1a657f83..2344c7643e 100644
--- a/generic/secrets/gitleaks/facebook-access-token.yaml
+++ b/generic/secrets/gitleaks/facebook-access-token.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: (?i)\b(\d{15,16}\|[0-9a-z\-_]{27})(?:['|\"|\n|\r|\s|\x60|;]|$)
+ - pattern-regex: (?i)\b(\d{15,16}(\||%)[0-9a-z\-_]{27,40})(?:['|\"|\n|\r|\s|\x60|;]|$)
diff --git a/generic/secrets/gitleaks/intra42-client-secret.yaml b/generic/secrets/gitleaks/intra42-client-secret.yaml
new file mode 100644
index 0000000000..08a2cc575d
--- /dev/null
+++ b/generic/secrets/gitleaks/intra42-client-secret.yaml
@@ -0,0 +1,26 @@
+rules:
+- id: intra42-client-secret
+ message: A gitleaks intra42-client-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+ languages:
+ - regex
+ severity: INFO
+ metadata:
+ likelihood: LOW
+ impact: MEDIUM
+ confidence: LOW
+ category: security
+ cwe:
+ - "CWE-798: Use of Hard-coded Credentials"
+ cwe2021-top25: true
+ cwe2022-top25: true
+ owasp:
+ - A07:2021 - Identification and Authentication Failures
+ references:
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+ source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
+ subcategory:
+ - vuln
+ technology:
+ - gitleaks
+ patterns:
+ - pattern-regex: (?i)\b(s-s4t2(?:ud|af)-[abcdef0123456789]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)
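Review bot: The trailing delimiter class in the new pattern-regex, `(?:['|\"|\n|\r|\s|\x60|;]|$)`, puts `|` inside a character class, where it is a literal pipe rather than an alternation, so the class silently accepts `|` as a terminator and the quoting is heavier than it needs to be; `(?:['"\n\r\s\x60;]|$)` expresses what the class appears to intend. The identical construct is copied into the new intra42-client-secret and new-relic-insert-key rules in this commit (the latter also carries it in `(?:[\s|']|[\s|"]){0,3}`), so it is worth fixing in one pass or, if it is kept to stay byte-for-byte with upstream gitleaks, saying so in a comment above the pattern. The new `(\||%)` separator is a capturing group, so the token is no longer the only capture; `(?:\||%)` keeps group 1 as the secret. In the intra42 rule, `[abcdef0123456789]{64}` reads more plainly as `[0-9a-f]{64}`, which `(?i)` already widens to upper case.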
diff --git a/generic/secrets/gitleaks/new-relic-insert-key.yaml b/generic/secrets/gitleaks/new-relic-insert-key.yaml
new file mode 100644
index 0000000000..42f411f528
--- /dev/null
+++ b/generic/secrets/gitleaks/new-relic-insert-key.yaml
@@ -0,0 +1,26 @@
+rules:
+- id: new-relic-insert-key
+ message: A gitleaks new-relic-insert-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+ languages:
+ - regex
+ severity: INFO
+ metadata:
+ likelihood: LOW
+ impact: MEDIUM
+ confidence: LOW
+ category: security
+ cwe:
+ - "CWE-798: Use of Hard-coded Credentials"
+ cwe2021-top25: true
+ cwe2022-top25: true
+ owasp:
+ - A07:2021 - Identification and Authentication Failures
+ references:
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+ source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
+ subcategory:
+ - vuln
+ technology:
+ - gitleaks
+ patterns:
+ - pattern-regex: (?i)(?:new-relic|newrelic|new_relic)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(NRII-[a-z0-9-]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)
diff --git a/generic/secrets/gitleaks/telegram-bot-api-token.yaml b/generic/secrets/gitleaks/telegram-bot-api-token.yaml
index a94d287ca6..4755a79308 100644
--- a/generic/secrets/gitleaks/telegram-bot-api-token.yaml
+++ b/generic/secrets/gitleaks/telegram-bot-api-token.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: (?i)(?:^|[^0-9])([0-9]{5,16}:A[a-zA-Z0-9_\-]{34})(?:$|[^a-zA-Z0-9_\-])
+ - pattern-regex: (?i)(?:^|\b|bot)([0-9]{5,16}:A[a-z0-9_\-]{34})(?:$|\b[^_\-])
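Review bot: The new trailing anchor `(?:$|\b[^_\-])` in the telegram-bot-api-token pattern admits more than the `(?:$|[^a-zA-Z0-9_\-])` it replaces: when the 34-character tail happens to end in `-`, `\b` is satisfied by a following word character, so `[^_\-]` then accepts a letter or digit and the token can match in the middle of a longer alphanumeric run, which the old negated class ruled out. If the shorter form is wanted, `(?:$|[^\w\-])` keeps the old boundary. On the leading side, `(?:^|\b|bot)` needs the explicit `bot` alternative only because `\b` cannot fire between `t` and a digit, which is presumably aimed at tokens embedded in `bot<token>` URL paths; a one-line comment above the pattern saying so, e.g. `# 'bot' alternative: tokens embedded in .../bot<token>/ URL paths`, would spare the next reader the derivation.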
From ad49c15e1dca0f4fa3e31e18bb7c5207dea9bf6a Mon Sep 17 00:00:00 2001
From: Claudio
Date: Tue, 11 Jun 2024 21:06:02 +0200
Subject: [PATCH 89/89] Update rails rule with skip_before_action (#3398)
* Update rails rule with skip_before_action
* Update check-before-filter.rb
---
 ruby/rails/security/brakeman/check-before-filter.rb | 10 +++++++++-
 ruby/rails/security/brakeman/check-before-filter.yaml | 2 ++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/ruby/rails/security/brakeman/check-before-filter.rb b/ruby/rails/security/brakeman/check-before-filter.rb
index cd397eba07..ad22bdf56f 100644
--- a/ruby/rails/security/brakeman/check-before-filter.rb
+++ b/ruby/rails/security/brakeman/check-before-filter.rb
@@ -3,9 +3,13 @@ class BadController < ApplicationController
 # ruleid: check-before-filter
 skip_before_filter :login_required, :except => :do_admin_stuff
 # ruleid: check-before-filter
+ skip_before_action :login_required, :except => :do_admin_stuff
+ # ruleid: check-before-filter
 skip_filter :authenticate_user!, :except => :do_admin_stuff
 # ruleid: check-before-filter
 skip_before_filter :require_user, :except => [:do_admin_stuff, :do_other_stuff]
+ # ruleid: check-before-filter
+ skip_before_action :require_user, :except => [:do_admin_stuff, :do_other_stuff]
 
 def do_admin_stuff
 #do some stuff
@@ -21,9 +25,13 @@ class GoodController < ApplicationController
 # ok: check-before-filter
 skip_before_filter :login_required, :only => :do_anonymous_stuff
 # ok: check-before-filter
+ skip_before_action :login_required, :only => :do_anonymous_stuff
+ # ok: check-before-filter
 skip_filter :authenticate_user!, :only => :do_anonymous_stuff
 # ok: check-before-filter
 skip_before_filter :require_user, :only => [:do_anonymous_stuff, :do_nocontext_stuff]
+ # ok: check-before-filter
+ skip_before_action :require_user, :only => [:do_anonymous_stuff, :do_nocontext_stuff]
 
 def do_admin_stuff
 #do some stuff
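Review bot: Every new `skip_before_action` case in both hunks uses the hash-rocket form `:except => ...` / `:only => ...`, and the rule's patterns in the YAML hunk of this commit are written the same way, so whether the keyword form `skip_before_action :login_required, except: :do_admin_stuff` is flagged depends on Semgrep treating the two Ruby hash syntaxes as equivalent, which these fixtures never exercise. Adding one `# ruleid:` case in BadController and one `# ok:` case with `only:` in GoodController written in keyword syntax would pin that behaviour either way. Relatedly, the message kept as context in the YAML hunk quotes `except: => [...]`, which mixes the two syntaxes; `:except => [...]` is what the patterns actually match. Both classes open before their hunks, in the `@@` context lines.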
@@ -36,4 +44,4 @@ def do_anonymous_stuff def do_nocontext_stuff # do some stuff end -end \ No newline at end of file +end diff --git a/ruby/rails/security/brakeman/check-before-filter.yaml b/ruby/rails/security/brakeman/check-before-filter.yaml index dfc59f57f5..15fe88121c 100644 --- a/ruby/rails/security/brakeman/check-before-filter.yaml +++ b/ruby/rails/security/brakeman/check-before-filter.yaml @@ -7,6 +7,8 @@ rules: skip_filter ..., :except => $ARGS - pattern: | skip_before_filter ..., :except => $ARGS + - pattern: | + skip_before_action ..., :except => $ARGS message: 'Disabled-by-default Rails controller checks make it much easier to introduce access control mistakes. Prefer an allowlist approach with `:only => [...]` rather than `except: => [...]`' languages: