npm - @zhuma4/cli - Versions diffs - 4.0.0-alpha.1 → 4.3.0 - Mend

@zhuma4/cli 4.0.0-alpha.1 → 4.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1128) hide show

package/rules/community-merged/cwe-400/decompression_bomb.yaml ADDED Viewed

@@ -0,0 +1,63 @@
+# Source: semgrep-community | Cluster: go-400
+rules:
+- id: potential-dos-via-decompression-bomb
+  message: >-
+    Detected a possible denial-of-service via a zip bomb attack. By limiting the max
+    bytes read, you can mitigate this attack.
+    `io.CopyN()` can specify a size.
+  severity: WARNING
+  languages: [go]
+  patterns:
+  - pattern-either:
+    - pattern: io.Copy(...)
+    - pattern: io.CopyBuffer(...)
+  - pattern-either:
+    - pattern-inside: |
+        gzip.NewReader(...)
+        ...
+    - pattern-inside: |
+        zlib.NewReader(...)
+        ...
+    - pattern-inside: |
+        zlib.NewReaderDict(...)
+        ...
+    - pattern-inside: |
+        bzip2.NewReader(...)
+        ...
+    - pattern-inside: |
+        flate.NewReader(...)
+        ...
+    - pattern-inside: |
+        flate.NewReaderDict(...)
+        ...
+    - pattern-inside: |
+        lzw.NewReader(...)
+        ...
+    - pattern-inside: |
+        tar.NewReader(...)
+        ...
+    - pattern-inside: |
+        zip.NewReader(...)
+        ...
+    - pattern-inside: |
+        zip.OpenReader(...)
+        ...
+  fix-regex:
+    regex: (.*)(Copy|CopyBuffer)\((.*?),(.*?)(\)|,.*\))
+    replacement: \1CopyN(\3, \4, 1024*1024*256)
+  metadata:
+    cwe:
+    - 'CWE-400: Uncontrolled Resource Consumption'
+    source-rule-url: https://github.com/securego/gosec
+    references:
+    - https://golang.org/pkg/io/#CopyN
+    - https://github.com/securego/gosec/blob/master/rules/decompression-bomb.go
+    category: security
+    technology:
+    - go
+    confidence: LOW
+    cwe2022-top25: true
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: MEDIUM

package/rules/community-merged/cwe-436/shared-url-struct-mutation.yaml ADDED Viewed

@@ -0,0 +1,53 @@
+# Source: semgrep-community | Cluster: go-436
+rules:
+- id: shared-url-struct-mutation
+  message: >-
+    Shared URL struct may have been accidentally mutated. Ensure that
+    this behavior is intended.
+  languages: [go]
+  severity: WARNING
+  patterns:
+  - pattern-inside: |
+      import "net/url"
+      ...
+  - pattern-not-inside: |
+      ... = url.Parse(...)
+      ...
+  - pattern-not-inside: |
+      ... = url.ParseRequestURI(...)
+      ...
+  - pattern-not-inside: |
+      ... = url.URL{...}
+      ...
+  - pattern-not-inside: |
+      var $URL *$X.URL
+      ...
+  - pattern-either:
+      - pattern: $URL.RawQuery = ...
+      - pattern: $URL.Path = ...
+      - pattern: $URL.RawPath = ...
+      - pattern: $URL.Fragment = ...
+      - pattern: $URL.RawFragment = ...
+      - pattern: $URL.Scheme = ...
+      - pattern: $URL.Opaque = ...
+      - pattern: $URL.Host = ...
+      - pattern: $URL.User = ...
+  - metavariable-pattern:
+      metavariable: $URL
+      patterns:
+        - pattern-not: $X.$Y
+        - pattern-not: $X[...]
+  metadata:
+    cwe:
+    - "CWE-436: Interpretation Conflict"
+    category: security
+    subcategory:
+    - audit
+    technology:
+      - go
+    confidence: LOW
+    likelihood: LOW
+    impact: LOW
+    references:
+      - https://github.com/golang/go/issues/63777

package/rules/community-merged/cwe-451/x-frame-options-misconfiguration.yaml ADDED Viewed

@@ -0,0 +1,74 @@
+# Source: semgrep-community | Cluster: javascript-451
+rules:
+- id: x-frame-options-misconfiguration
+  message: >-
+    By letting user input control `X-Frame-Options` header,
+    there is a risk that software does not properly verify whether or not a browser should be allowed
+    to render a page in
+    an `iframe`.
+  metadata:
+    references:
+    - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+    owasp:
+    - A04:2021 - Insecure Design
+    - A06:2025 - Insecure Design
+    cwe:
+    - 'CWE-451: User Interface (UI) Misrepresentation of Critical Information'
+    category: security
+    technology:
+    - express
+    subcategory:
+    - vuln
+    likelihood: MEDIUM
+    impact: MEDIUM
+    confidence: MEDIUM
+  languages:
+  - javascript
+  - typescript
+  severity: WARNING
+  mode: taint
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern-inside: function ... ($REQ, $RES) {...}
+      - pattern-inside: function ... ($REQ, $RES, $NEXT) {...}
+      - patterns:
+        - pattern-either:
+          - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES) {...})
+          - pattern-inside: $APP.$METHOD(..., function $FUNC($REQ, $RES, $NEXT) {...})
+        - metavariable-regex:
+            metavariable: $METHOD
+            regex: ^(get|post|put|head|delete|options)$
+    - pattern-either:
+      - pattern: $REQ.query
+      - pattern: $REQ.body
+      - pattern: $REQ.params
+      - pattern: $REQ.cookies
+      - pattern: $REQ.headers
+  - patterns:
+    - pattern-either:
+      - pattern-inside: |
+          ({ $REQ }: Request,$RES: Response, $NEXT: NextFunction) =>
+          {...}
+      - pattern-inside: |
+          ({ $REQ }: Request,$RES: Response) => {...}
+    - focus-metavariable: $REQ
+    - pattern-either:
+      - pattern: params
+      - pattern: query
+      - pattern: cookies
+      - pattern: headers
+      - pattern: body
+  pattern-sinks:
+  - patterns:
+    - pattern-either:
+      - pattern: $RES.set($HEADER, ...)
+      - pattern: $RES.header($HEADER, ...)
+      - pattern: $RES.setHeader($HEADER, ...)
+      - pattern: |
+          $RES.set({$HEADER: ...}, ...)
+      - pattern: |
+          $RES.writeHead($STATUS, {$HEADER: ...}, ...)
+    - metavariable-regex:
+        metavariable: $HEADER
+        regex: .*(X-Frame-Options|x-frame-options).*

package/rules/community-merged/cwe-454/tainted-env-from-http-request.yaml ADDED Viewed

@@ -0,0 +1,47 @@
+# Source: semgrep-community | Cluster: java-454
+rules:
+- id: tainted-env-from-http-request
+  message: >-
+    Detected input from a HTTPServletRequest going into the environment variables of an 'exec' command.
+    Instead, call the command with user-supplied arguments by using the overloaded method with one String array as the argument.
+    `exec({"command", "arg1", "arg2"})`.
+  languages: [java]
+  severity: ERROR
+  mode: taint
+  pattern-sources:
+  - patterns:
+    - pattern-either:
+      - pattern: |
+          (HttpServletRequest $REQ)
+      - patterns:   # this pattern is a hack to get the rule to recognize `map` as tainted source when `cookie.getValue(user_input)` is used.
+        - pattern-inside: |
+            (javax.servlet.http.Cookie[] $COOKIES) = (HttpServletRequest $REQ).getCookies(...);
+            ...
+            for (javax.servlet.http.Cookie $COOKIE: $COOKIES) {
+              ...
+            }
+        - pattern: |
+            $COOKIE.getValue(...)
+  pattern-sinks:
+       - patterns:
+           - pattern: (java.lang.Runtime $R).exec($CMD, $ENV_ARGS, ...);
+           - focus-metavariable: $ENV_ARGS
+  metadata:
+    category: security
+    technology:
+    - java
+    cwe:
+    - "CWE-454: External Initialization of Trusted Variables or Data Stores"
+    owasp:
+    - A01:2017 - Injection
+    - A03:2021 - Injection
+    - A05:2025 - Injection
+    references:
+    - https://owasp.org/Top10/A03_2021-Injection
+    cwe2022-top25: false
+    cwe2021-top25: false
+    subcategory:
+    - vuln
+    likelihood: MEDIUM
+    impact: MEDIUM
+    confidence: MEDIUM

package/rules/community-merged/cwe-470/unsafe-reflect-by-name.yaml ADDED Viewed

@@ -0,0 +1,44 @@
+# Source: semgrep-community | Cluster: go-470
+rules:
+- id: unsafe-reflect-by-name
+  patterns:
+  - pattern-either:
+    - pattern: |
+        $SMTH.MethodByName($NAME,...)
+    - pattern: |
+        $SMTH.FieldByName($NAME,...)
+  - pattern-not: |
+      $SMTH.MethodByName("...",...)
+  - pattern-not: |
+      $SMTH.FieldByName("...",...)
+  - pattern-inside: |
+      import "reflect"
+      ...
+  message: >-
+    If an attacker can supply values that the application then uses to determine which
+    method or field to invoke,
+    the potential exists for the attacker to create control flow paths through the
+    application
+    that were not intended by the application developers.
+    This attack vector may allow the attacker to bypass authentication or access control
+    checks
+    or otherwise cause the application to behave in an unexpected manner.
+  metadata:
+    cwe:
+    - "CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')"
+    owasp:
+    - A03:2021 - Injection
+    - A05:2025 - Injection
+    category: security
+    technology:
+    - go
+    confidence: LOW
+    references:
+    - https://owasp.org/Top10/A03_2021-Injection
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: LOW
+  severity: WARNING
+  languages:
+  - go

package/rules/community-merged/cwe-470/unsafe-reflection.yaml ADDED Viewed

@@ -0,0 +1,40 @@
+# Source: semgrep-community | Cluster: java-470
+rules:
+- id: unsafe-reflection
+  patterns:
+  - pattern: |
+      Class.forName($CLASS,...)
+  - pattern-not: |
+      Class.forName("...",...)
+  - pattern-not-inside: |
+      $CLASS = "...";
+      ...
+  message: >-
+    If an attacker can supply values that the application then uses to determine which
+    class to instantiate or which method to invoke,
+    the potential exists for the attacker to create control flow paths through the
+    application
+    that were not intended by the application developers.
+    This attack vector may allow the attacker to bypass authentication or access control
+    checks
+    or otherwise cause the application to behave in an unexpected manner.
+  metadata:
+    cwe:
+    - "CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')"
+    owasp:
+    - A03:2021 - Injection
+    - A05:2025 - Injection
+    source-rule-url: https://owasp.org/www-community/vulnerabilities/Unsafe_use_of_Reflection
+    category: security
+    technology:
+    - java
+    references:
+    - https://owasp.org/Top10/A03_2021-Injection
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: LOW
+    confidence: LOW
+  severity: WARNING
+  languages:
+  - java

package/rules/community-merged/cwe-477/mongodb.yaml ADDED Viewed

@@ -0,0 +1,27 @@
+# Source: semgrep-community | Cluster: python-477
+rules:
+- id: mongo-client-bad-auth
+  pattern: |
+    pymongo.MongoClient(..., authMechanism='MONGODB-CR')
+  message: >-
+    Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB
+    4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details).
+  fix-regex:
+    regex: MONGODB-CR
+    replacement: SCRAM-SHA-256
+  severity: WARNING
+  languages:
+  - python
+  metadata:
+    cwe:
+    - 'CWE-477: Use of Obsolete Function'
+    category: security
+    technology:
+    - pymongo
+    references:
+    - https://cwe.mitre.org/data/definitions/477.html
+    subcategory:
+    - vuln
+    likelihood: LOW
+    impact: LOW
+    confidence: MEDIUM

package/rules/community-merged/cwe-489/debug-enabled.yaml ADDED Viewed

@@ -0,0 +1,29 @@
+# Source: semgrep-community | Cluster: python-489
+rules:
+- id: debug-enabled
+  patterns:
+  - pattern-inside: |
+      import flask
+      ...
+  - pattern: $APP.run(..., debug=True, ...)
+  message: >-
+    Detected Flask app with debug=True. Do not deploy to production with this flag enabled
+    as it will leak sensitive information. Instead, consider using Flask configuration
+    variables or setting 'debug' using system environment variables.
+  metadata:
+    cwe:
+    - 'CWE-489: Active Debug Code'
+    owasp: 'A06:2017 - Security Misconfiguration'
+    references:
+    - https://labs.detectify.com/2015/10/02/how-patreon-got-hacked-publicly-exposed-werkzeug-debugger/
+    category: security
+    technology:
+    - flask
+    subcategory:
+    - vuln
+    likelihood: HIGH
+    impact: MEDIUM
+    confidence: HIGH
+  severity: WARNING
+  languages:
+  - python

package/rules/community-merged/cwe-489/debug-template-tag.yaml ADDED Viewed

@@ -0,0 +1,31 @@
+# Source: semgrep-community | Cluster: python-489
+rules:
+- id: debug-template-tag
+  languages:
+    - regex
+  severity: WARNING
+  message: >-
+    Detected a debug template tag in a Django template. This dumps
+    debugging information to the page when debug mode is enabled.
+    Showing debug information to users is dangerous because it may
+    reveal information about your environment that malicious actors
+    can use to gain access to the system. Remove the debug tag.
+  pattern-regex: ({% debug %})
+  paths:
+    include:
+      - '*.html'
+  metadata:
+    owasp: 'A06:2017 - Security Misconfiguration'
+    cwe:
+    - 'CWE-489: Active Debug Code'
+    references:
+    - https://docs.djangoproject.com/en/4.2/ref/templates/builtins/#debug
+    - https://stackoverflow.com/questions/2213977/django-debug-display-all-variables-of-a-page
+    category: security
+    technology:
+    - django
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: MEDIUM
+    confidence: LOW

package/rules/community-merged/cwe-489/pprof.yaml ADDED Viewed

@@ -0,0 +1,41 @@
+# Source: semgrep-community | Cluster: go-489
+rules:
+- id: pprof-debug-exposure
+  metadata:
+    cwe:
+    - 'CWE-489: Active Debug Code'
+    owasp: 'A06:2017 - Security Misconfiguration'
+    source-rule-url: https://github.com/securego/gosec#available-rules
+    references:
+    - https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/
+    category: security
+    technology:
+    - go
+    confidence: LOW
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: LOW
+  message: >-
+    The profiling 'pprof' endpoint is automatically exposed on /debug/pprof.
+    This could leak information about the server.
+    Instead, use `import "net/http/pprof"`. See
+    https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/
+    for more information and mitigation.
+  languages: [go]
+  severity: WARNING
+  patterns:
+  - pattern-inside: |
+      import _ "net/http/pprof"
+      ...
+  - pattern-inside: |
+      func $ANY(...) {
+        ...
+      }
+  - pattern-not-inside: |
+      $MUX = http.NewServeMux(...)
+      ...
+      http.ListenAndServe($ADDR, $MUX)
+  - pattern-not: http.ListenAndServe("=~/^localhost.*/", ...)
+  - pattern-not: http.ListenAndServe("=~/^127[.]0[.]0[.]1.*/", ...)
+  - pattern: http.ListenAndServe(...)

package/rules/community-merged/cwe-521/password-empty-string.yaml ADDED Viewed

@@ -0,0 +1,40 @@
+# Source: semgrep-community | Cluster: python-521
+rules:
+- id: password-empty-string
+  message: >-
+    '$VAR' is the empty string and is being used to set the password on '$MODEL'.
+    If you meant to set an unusable password, set the password to None or call
+    'set_unusable_password()'.
+  metadata:
+    cwe:
+    - 'CWE-521: Weak Password Requirements'
+    owasp:
+    - A07:2021 - Identification and Authentication Failures
+    - A07:2025 - Authentication Failures
+    references:
+    - https://docs.djangoproject.com/en/3.0/ref/contrib/auth/#django.contrib.auth.models.User.set_password
+    category: security
+    technology:
+    - django
+    subcategory:
+    - vuln
+    likelihood: LOW
+    impact: MEDIUM
+    confidence: MEDIUM
+  patterns:
+  - pattern-either:
+    - pattern: |
+        $MODEL.set_password($EMPTY)
+        ...
+        $MODEL.save()
+    - pattern: |
+        $VAR = $EMPTY
+        ...
+        $MODEL.set_password($VAR)
+        ...
+        $MODEL.save()
+  - metavariable-regex:
+      metavariable: $EMPTY
+      regex: (\'\'|\"\")
+  languages: [python]
+  severity: ERROR

package/rules/community-merged/cwe-521/use-none-for-password-default.yaml ADDED Viewed

@@ -0,0 +1,43 @@
+# Source: semgrep-community | Cluster: python-521
+rules:
+- id: use-none-for-password-default
+  message: >-
+    '$VAR' is using the empty string as its default and is being used to set
+    the password on '$MODEL'. If you meant to set an unusable password, set
+    the default value to 'None' or call 'set_unusable_password()'.
+  metadata:
+    cwe:
+    - 'CWE-521: Weak Password Requirements'
+    owasp:
+    - A07:2021 - Identification and Authentication Failures
+    - A07:2025 - Authentication Failures
+    references:
+    - https://docs.djangoproject.com/en/3.0/ref/contrib/auth/#django.contrib.auth.models.User.set_password
+    category: security
+    technology:
+    - django
+    subcategory:
+    - vuln
+    likelihood: MEDIUM
+    impact: MEDIUM
+    confidence: MEDIUM
+  languages: [python]
+  severity: ERROR
+  patterns:
+    - pattern-either:
+        - pattern: |
+            $VAR = request.$W.get($X, $EMPTY)
+            ...
+            $MODEL.set_password($VAR)
+            ...
+            $MODEL.save(...)
+        - pattern: |
+            def $F(..., $VAR=$EMPTY, ...):
+              ...
+              $MODEL.set_password($VAR)
+    - metavariable-pattern:
+        metavariable: $EMPTY
+        pattern: '""'
+    - focus-metavariable: $EMPTY
+  fix: |
+    None