From d3f9ec85a0b4fb9a4ca1487ca25149888a6090da Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 17 Jun 2024 22:15:01 +0000
Subject: [PATCH 1/4] Bump urllib3 from 2.0.7 to 2.2.2

Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.0.7 to 2.2.2.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](https://github.com/urllib3/urllib3/compare/2.0.7...2.2.2)

---
updated-dependencies:
- dependency-name: urllib3
 dependency-type: indirect
...

Signed-off-by: dependabot[bot]
---
 Pipfile.lock | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/Pipfile.lock b/Pipfile.lock
index 06a5695d39..55076b4c69 100644
--- a/Pipfile.lock
+++ b/Pipfile.lock
@@ -288,11 +288,12 @@
 },
 "urllib3": {
 "hashes": [
- "sha256:450b20ec296a467077128bff42b73080516e71b56ff59a60a02bef2232c4fa9d",
- "sha256:d0570876c61ab9e520d776c38acbbb5b05a776d3f9ff98a5c8fd5162a444cf19"
+ "sha256:a448b2f64d686155468037e1ace9f2d2199776e17f0a46610480d311f73e3472",
+ "sha256:dd505485549a7a552833da5e6063639d0d177c04f23bc3864e41e5dc5f612168"
 ],
+ "index": "pypi",
 "markers": "python_version >= '3.8'",
- "version": "==2.2.1"
+ "version": "==2.2.2"
 }
 },
 "develop": {

From 7d5e6ceba12eaa0c3a3148764c2677f607685cfa Mon Sep 17 00:00:00 2001
From: Rahul Zhade Date: Mon, 17 Jun 2024 20:20:14 -0400 Subject: [PATCH 2/4] Fix typos in SSRF query messages --- java/spring/security/injection/tainted-url-host.yaml | 4 ++-- php/lang/security/injection/tainted-url-host.yaml | 4 ++-- python/django/security/injection/tainted-url-host.yaml | 4 ++-- python/flask/security/injection/tainted-url-host.yaml | 4 ++-- ruby/rails/security/injection/tainted-url-host.yaml | 2 +- scala/lang/security/audit/dispatch-ssrf.yaml | 4 ++-- scala/lang/security/audit/io-source-ssrf.yaml | 4 ++-- scala/lang/security/audit/scalaj-http-ssrf.yaml | 6 +++--- 8 files changed, 16 insertions(+), 16 deletions(-) diff --git a/java/spring/security/injection/tainted-url-host.yaml b/java/spring/security/injection/tainted-url-host.yaml index 38baaa1a9e..0ff2242187 100644 --- a/java/spring/security/injection/tainted-url-host.yaml +++ b/java/spring/security/injection/tainted-url-host.yaml @@ -8,9 +8,9 @@ rules: This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal - servers or other resources that the server runnig this code can access. + servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow - arbitrary hosts. Instead, create an allowlist for approved hosts hardcode + arbitrary hosts. Instead, create an allowlist for approved hosts, hardcode the correct host, or ensure that the user data can only affect the path or parameters. options: interfile: true diff --git a/php/lang/security/injection/tainted-url-host.yaml b/php/lang/security/injection/tainted-url-host.yaml index dc0ce64586..2ca6a7736c 100644 --- a/php/lang/security/injection/tainted-url-host.yaml +++ b/php/lang/security/injection/tainted-url-host.yaml 
@@ -8,10 +8,10 @@ rules: to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. - They could also probe internal servers or other resources that the server runnig this code can access. + They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist - for approved hosts hardcode + for approved hosts, or hardcode the correct host. metadata: cwe: diff --git a/python/django/security/injection/tainted-url-host.yaml b/python/django/security/injection/tainted-url-host.yaml index aff26c0918..462b55947c 100644 --- a/python/django/security/injection/tainted-url-host.yaml +++ b/python/django/security/injection/tainted-url-host.yaml @@ -5,8 +5,8 @@ rules: message: User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other - resources that the server runnig this code can access. (This is called server-side request forgery, - or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode the + resources that the server running this code can access. (This is called server-side request forgery, + or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host. metadata: cwe: diff --git a/python/flask/security/injection/tainted-url-host.yaml b/python/flask/security/injection/tainted-url-host.yaml index 4c5f18e4e0..15d9e0b91e 100644 --- a/python/flask/security/injection/tainted-url-host.yaml +++ b/python/flask/security/injection/tainted-url-host.yaml 
@@ -7,9 +7,9 @@ rules: This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other - resources that the server runnig this code can access. (This is called + resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. - Instead, create an allowlist for approved hosts hardcode the correct host. + Instead, create an allowlist for approved hosts, or hardcode the correct host. metadata: cwe: - 'CWE-918: Server-Side Request Forgery (SSRF)' diff --git a/ruby/rails/security/injection/tainted-url-host.yaml b/ruby/rails/security/injection/tainted-url-host.yaml index aa1a340088..6e48ac8203 100644 --- a/ruby/rails/security/injection/tainted-url-host.yaml +++ b/ruby/rails/security/injection/tainted-url-host.yaml @@ -7,7 +7,7 @@ rules: This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources - that the server runnig this code can access. (This is called server-side + that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Use the `ssrf_filter` gem and guard the url construction with `SsrfFilter(...)`, or create an allowlist for approved hosts. diff --git a/scala/lang/security/audit/dispatch-ssrf.yaml b/scala/lang/security/audit/dispatch-ssrf.yaml index 4cc9fc600a..92085d8ba6 100644 --- a/scala/lang/security/audit/dispatch-ssrf.yaml +++ b/scala/lang/security/audit/dispatch-ssrf.yaml 
@@ -18,8 +18,8 @@ rules: A parameter being passed directly into `url` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. - They could also probe internal servers or other resources that the server runnig this code can access. - Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode the correct + They could also probe internal servers or other resources that the server running this code can access. + Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host. metadata: cwe: diff --git a/scala/lang/security/audit/io-source-ssrf.yaml b/scala/lang/security/audit/io-source-ssrf.yaml index c13212a02a..7f8dc4d367 100644 --- a/scala/lang/security/audit/io-source-ssrf.yaml +++ b/scala/lang/security/audit/io-source-ssrf.yaml @@ -20,8 +20,8 @@ rules: A parameter being passed directly into `fromURL` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. - They could also probe internal servers or other resources that the server runnig this code can access. - Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode the correct + They could also probe internal servers or other resources that the server running this code can access. + Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host. metadata: cwe: diff --git a/scala/lang/security/audit/scalaj-http-ssrf.yaml b/scala/lang/security/audit/scalaj-http-ssrf.yaml index ae56bd8aa1..04f93c0978 100644 --- a/scala/lang/security/audit/scalaj-http-ssrf.yaml +++ b/scala/lang/security/audit/scalaj-http-ssrf.yaml 
@@ -15,11 +15,11 @@ rules: ... } message: >- - A parameter being passed directly into `Http` most likely lead to SSRF. + A parameter being passed directly into `Http` can likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. - They could also probe internal servers or other resources that the server runnig this code can access. - Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode the correct + They could also probe internal servers or other resources that the server running this code can access. + Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host. metadata: cwe: From ae48945028d4461dbf8a1ec507201140a3186dd1 Mon Sep 17 00:00:00 2001 From: "Security Research (r2c-argo)" Date: Tue, 18 Jun 2024 00:32:49 +0000 Subject: [PATCH 3/4] Merge Gitleaks rules 2024-06-18 # 00:32 --- generic/secrets/gitleaks/harness-api-key.yaml | 26 +++++++++++++++++++ .../gitleaks/telegram-bot-api-token.yaml | 2 +- 2 files changed, 27 insertions(+), 1 deletion(-) create mode 100644 generic/secrets/gitleaks/harness-api-key.yaml diff --git a/generic/secrets/gitleaks/harness-api-key.yaml b/generic/secrets/gitleaks/harness-api-key.yaml new file mode 100644 index 0000000000..c668ea9573 --- /dev/null +++ b/generic/secrets/gitleaks/harness-api-key.yaml 
@@ -0,0 +1,26 @@
+rules:
+- id: harness-api-key
+ message: A gitleaks harness-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+ languages:
+ - regex
+ severity: INFO
+ metadata:
+ likelihood: LOW
+ impact: MEDIUM
+ confidence: LOW
+ category: security
+ cwe:
+ - "CWE-798: Use of Hard-coded Credentials"
+ cwe2021-top25: true
+ cwe2022-top25: true
+ owasp:
+ - A07:2021 - Identification and Authentication Failures
+ references:
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+ source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
+ subcategory:
+ - vuln
+ technology:
+ - gitleaks
+ patterns:
+ - pattern-regex: ((?:pat|sat)\.[a-zA-Z0-9]{22}\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{20})
diff --git a/generic/secrets/gitleaks/telegram-bot-api-token.yaml b/generic/secrets/gitleaks/telegram-bot-api-token.yaml
index 4755a79308..a9edae9d57 100644
--- a/generic/secrets/gitleaks/telegram-bot-api-token.yaml
+++ b/generic/secrets/gitleaks/telegram-bot-api-token.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: (?i)(?:^|\b|bot)([0-9]{5,16}:A[a-z0-9_\-]{34})(?:$|\b[^_\-])
+ - pattern-regex: (?i:(?:telegr)(?:[0-9a-z\(-_\t .\\]{0,40})(?:[\s|']|[\s|"]){0,3})(?:=|\|\|:|<=|=>|:|\?=|\()(?:'|\"|\s|=|\x60){0,5}([0-9]{5,16}:A[a-z0-9_\-]{34})(?:['|\"|\n|\r|\s|\x60|;|\\]|$)

From f40ba79cdbf1644280143f4a93e2437cff5d1b45 Mon Sep 17 00:00:00 2001
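Review bot: The `message:` line of the new harness-api-key rule says the detected key "attempts to identify hard-coded credentials", which describes the rule rather than the finding, and the token format is never named, so whoever triages the alert gets no hint what a match looks like. Suggest opening with `message: A Harness API key (a token with the pat. or sat. prefix matched by this rule) was detected.` and keeping the remediation sentences that follow; the pat/sat prefixes are visible in the `pattern-regex` line, their expansion is not, so do not guess at it in the message. The diffstat lists no companion test file for this rule; if this directory's convention is a fixture with `ruleid:` markers, one is missing from the commit.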
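Review bot: The replacement `pattern-regex` in telegram-bot-api-token.yaml only fires when the literal `telegr` occurs within roughly 40 characters before the token, so a bot token stored under a generic name (`API_KEY=`, `token:`) that the old `(?:^|\b|bot)` form reported is no longer flagged; the commit message should state that this precision-over-recall trade is intended, and the rule's `likelihood`/`confidence` metadata (outside the hunk) may deserve a matching review. Separately, `[0-9a-z\(-_\t .\\]` contains `\(-_`, which the regex engine reads as the range from `(` to `_` (digits, uppercase letters, and punctuation such as `:`, `=`, `@`, `[`, `\`), not the three literal characters it resembles. A comment above the pattern, `# note: \(-_ inside the class is a character range ( .. _, inherited from the upstream gitleaks template)`, would save the next maintainer a misread.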
From: Claudio
Date: Tue, 18 Jun 2024 16:30:05 +0200
Subject: [PATCH 4/4] Improve Golang math-random-used (#3403)

* Improve Golang math-random-used
* Update math_random.go
* Update math_random.fixed.go
---------
Co-authored-by: Pieter De Cremer (Semgrep)
---
 go/lang/security/audit/crypto/math_random.fixed.go | 6 ++++++
 go/lang/security/audit/crypto/math_random.go | 6 ++++++
 go/lang/security/audit/crypto/math_random.yaml | 2 +-
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/go/lang/security/audit/crypto/math_random.fixed.go b/go/lang/security/audit/crypto/math_random.fixed.go
index 86518d96ba..66f18e4272 100644
--- a/go/lang/security/audit/crypto/math_random.fixed.go
+++ b/go/lang/security/audit/crypto/math_random.fixed.go
@@ -4,6 +4,12 @@ import (
 "crypto/rand"
 // ruleid: math-random-used
 mrand "crypto/rand"
+ // ruleid: math-random-used
+ mrand "crypto/rand"
+ // ruleid: math-random-used
+ mrand "crypto/rand"
+ // ok: math-random-used
+ mrand "math/rand/something"
 )
 
 func main() {
diff --git a/go/lang/security/audit/crypto/math_random.go b/go/lang/security/audit/crypto/math_random.go
index 68ce54c8f1..7192833e2b 100644
--- a/go/lang/security/audit/crypto/math_random.go
+++ b/go/lang/security/audit/crypto/math_random.go
@@ -4,6 +4,12 @@ import (
 "crypto/rand"
 // ruleid: math-random-used
 mrand "math/rand"
+ // ruleid: math-random-used
+ mrand "math/rand/v2"
+ // ruleid: math-random-used
+ mrand "math/rand/v222"
+ // ok: math-random-used
+ mrand "math/rand/something"
 )
 
 func main() {
diff --git a/go/lang/security/audit/crypto/math_random.yaml b/go/lang/security/audit/crypto/math_random.yaml
index a82c69c47c..feef38161b 100644
--- a/go/lang/security/audit/crypto/math_random.yaml
+++ b/go/lang/security/audit/crypto/math_random.yaml
@@ -26,7 +26,7 @@ rules:
 import "$MATH"
 - metavariable-regex:
 metavariable: $MATH
- regex: ^(math/rand)$
+ regex: ^(math/rand(\/v[0-9]+)*)$
 - pattern-either:
 - pattern-inside: |
 ...
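Review bot: Both fixture hunks declare the import alias `mrand` several times in one import block (three times in math_random.fixed.go, four in math_random.go), so neither file is valid Go any more (`mrand redeclared in this block`); Semgrep's parser is presumably tolerant of this, but a fixture that still compiles is a stronger regression guard and the math_random.go hunk has exactly the same problem. Distinct aliases preserve the test intent and fix it, e.g. `mrand2 "math/rand/v2"`, `mrand222 "math/rand/v222"` and `mrandx "math/rand/something"` in math_random.go, with the same alias names on the corresponding lines of the `.fixed.go` file. The `func main()` body that uses these imports continues outside the hunk, so any call through the renamed aliases would need the matching update there.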
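Review bot: The new `regex: ^(math/rand(\/v[0-9]+)*)$` in math_random.yaml uses `*`, so it also accepts paths with repeated version segments such as `math/rand/v2/v3`, which no Go import path has; `?` states the intent (at most one major-version suffix) and still matches every `ruleid:` case in the fixtures, including the deliberately unreal `math/rand/v222`. The `\/` escape is unnecessary here and `/` reads more plainly. Suggested line: `regex: ^(math/rand(/v[0-9]+)?)$`.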