@zhuma4/cli 4.0.0-alpha.1
- package/README.md +42 -0
- package/dist/commands/config.d.ts +3 -0
- package/dist/commands/config.d.ts.map +1 -0
- package/dist/commands/config.js +18 -0
- package/dist/commands/config.js.map +1 -0
- package/dist/commands/init.d.ts +3 -0
- package/dist/commands/init.d.ts.map +1 -0
- package/dist/commands/init.js +11 -0
- package/dist/commands/init.js.map +1 -0
- package/dist/commands/scan.d.ts +3 -0
- package/dist/commands/scan.d.ts.map +1 -0
- package/dist/commands/scan.js +96 -0
- package/dist/commands/scan.js.map +1 -0
- package/dist/commands/scan_appid.d.ts +20 -0
- package/dist/commands/scan_appid.d.ts.map +1 -0
- package/dist/commands/scan_appid.js +301 -0
- package/dist/commands/scan_appid.js.map +1 -0
- package/dist/commands/scan_manifest.d.ts +13 -0
- package/dist/commands/scan_manifest.d.ts.map +1 -0
- package/dist/commands/scan_manifest.js +103 -0
- package/dist/commands/scan_manifest.js.map +1 -0
- package/dist/engine/api-submit.d.ts +16 -0
- package/dist/engine/api-submit.d.ts.map +1 -0
- package/dist/engine/api-submit.js +66 -0
- package/dist/engine/api-submit.js.map +1 -0
- package/dist/engine/batch_scan.d.ts +36 -0
- package/dist/engine/batch_scan.d.ts.map +1 -0
- package/dist/engine/batch_scan.js +192 -0
- package/dist/engine/batch_scan.js.map +1 -0
- package/dist/engine/config.d.ts +12 -0
- package/dist/engine/config.d.ts.map +1 -0
- package/dist/engine/config.js +27 -0
- package/dist/engine/config.js.map +1 -0
- package/dist/engine/errors.d.ts +36 -0
- package/dist/engine/errors.d.ts.map +1 -0
- package/dist/engine/errors.js +99 -0
- package/dist/engine/errors.js.map +1 -0
- package/dist/engine/filter.d.ts +13 -0
- package/dist/engine/filter.d.ts.map +1 -0
- package/dist/engine/filter.js +64 -0
- package/dist/engine/filter.js.map +1 -0
- package/dist/engine/finding_classifier.d.ts +108 -0
- package/dist/engine/finding_classifier.d.ts.map +1 -0
- package/dist/engine/finding_classifier.js +440 -0
- package/dist/engine/finding_classifier.js.map +1 -0
- package/dist/engine/incremental/engine.d.ts +25 -0
- package/dist/engine/incremental/engine.d.ts.map +1 -0
- package/dist/engine/incremental/engine.js +337 -0
- package/dist/engine/incremental/engine.js.map +1 -0
- package/dist/engine/incremental/git-diff.d.ts +19 -0
- package/dist/engine/incremental/git-diff.d.ts.map +1 -0
- package/dist/engine/incremental/git-diff.js +175 -0
- package/dist/engine/incremental/git-diff.js.map +1 -0
- package/dist/engine/incremental/types.d.ts +33 -0
- package/dist/engine/incremental/types.d.ts.map +1 -0
- package/dist/engine/incremental/types.js +11 -0
- package/dist/engine/incremental/types.js.map +1 -0
- package/dist/engine/manifest_scanner.d.ts +48 -0
- package/dist/engine/manifest_scanner.d.ts.map +1 -0
- package/dist/engine/manifest_scanner.js +599 -0
- package/dist/engine/manifest_scanner.js.map +1 -0
- package/dist/engine/project.d.ts +22 -0
- package/dist/engine/project.d.ts.map +1 -0
- package/dist/engine/project.js +279 -0
- package/dist/engine/project.js.map +1 -0
- package/dist/engine/sarif.d.ts +13 -0
- package/dist/engine/sarif.d.ts.map +1 -0
- package/dist/engine/sarif.js +44 -0
- package/dist/engine/sarif.js.map +1 -0
- package/dist/engine/sca-integration.d.ts +36 -0
- package/dist/engine/sca-integration.d.ts.map +1 -0
- package/dist/engine/sca-integration.js +91 -0
- package/dist/engine/sca-integration.js.map +1 -0
- package/dist/engine/scanner.d.ts +18 -0
- package/dist/engine/scanner.d.ts.map +1 -0
- package/dist/engine/scanner.js +138 -0
- package/dist/engine/scanner.js.map +1 -0
- package/dist/index.d.ts +13 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +41 -0
- package/dist/index.js.map +1 -0
- package/dist/report/render.d.ts +23 -0
- package/dist/report/render.d.ts.map +1 -0
- package/dist/report/render.js +335 -0
- package/dist/report/render.js.map +1 -0
- package/package.json +41 -0
- package/rules/android/mobile-cleartext-traffic.yaml +46 -0
- package/rules/android/mobile-component-security.yaml +107 -0
- package/rules/android/mobile-crypto-weakness.yaml +139 -0
- package/rules/android/mobile-cwe-1021-tapjacking.yaml +81 -0
- package/rules/android/mobile-cwe-114-dynamic-dex-loading.yaml +41 -0
- package/rules/android/mobile-cwe-200-clipboard-data-leak.yaml +66 -0
- package/rules/android/mobile-cwe-200-debug-builds.yaml +111 -0
- package/rules/android/mobile-cwe-200-log-sensitive-data.yaml +61 -0
- package/rules/android/mobile-cwe-200-webview-debugging.yaml +56 -0
- package/rules/android/mobile-cwe-200-webview-universal-access.yaml +30 -0
- package/rules/android/mobile-cwe-200-window-flags.yaml +96 -0
- package/rules/android/mobile-cwe-22-content-provider-openfile.yaml +73 -0
- package/rules/android/mobile-cwe-22-path-traversal.yaml +86 -0
- package/rules/android/mobile-cwe-287-biometric-weakness.yaml +102 -0
- package/rules/android/mobile-cwe-295-cert-pinning-missing.yaml +78 -0
- package/rules/android/mobile-cwe-295-webview-ssl-bypass.yaml +104 -0
- package/rules/android/mobile-cwe-312-cleartext-storage.yaml +109 -0
- package/rules/android/mobile-cwe-319-cleartext-communication.yaml +84 -0
- package/rules/android/mobile-cwe-321-hardcoded-crypto-keys.yaml +132 -0
- package/rules/android/mobile-cwe-326-short-rsa.yaml +108 -0
- package/rules/android/mobile-cwe-327-rc4-3des.yaml +107 -0
- package/rules/android/mobile-cwe-329-cbc-padding-oracle.yaml +76 -0
- package/rules/android/mobile-cwe-470-reflection-injection.yaml +39 -0
- package/rules/android/mobile-cwe-489-root-detection-weak.yaml +125 -0
- package/rules/android/mobile-cwe-489-stetho-debug.yaml +107 -0
- package/rules/android/mobile-cwe-502-insecure-deserialization.yaml +76 -0
- package/rules/android/mobile-cwe-552-world-readable-files.yaml +63 -0
- package/rules/android/mobile-cwe-749-webview-java-objects.yaml +78 -0
- package/rules/android/mobile-cwe-749-webview-jsbridge.yaml +57 -0
- package/rules/android/mobile-cwe-749-webview-loadurl-injection.yaml +80 -0
- package/rules/android/mobile-cwe-78-command-injection.yaml +77 -0
- package/rules/android/mobile-cwe-780-rsa-no-oaep.yaml +80 -0
- package/rules/android/mobile-cwe-79-webview-setdata.yaml +78 -0
- package/rules/android/mobile-cwe-79-webview-xss.yaml +65 -0
- package/rules/android/mobile-cwe-798-hardcoded-credentials.yaml +108 -0
- package/rules/android/mobile-cwe-89-sql-injection.yaml +100 -0
- package/rules/android/mobile-cwe-927-implicit-intent.yaml +121 -0
- package/rules/android/mobile-cwe-927-ipc-file-provider.yaml +102 -0
- package/rules/android/mobile-cwe-939-deeplink-validation.yaml +76 -0
- package/rules/android/mobile-sdk-google-firebase-open.yaml +117 -0
- package/rules/android/mobile-sdk-tencent-tpns-config-leak.yaml +131 -0
- package/rules/android/mobile-secrets-storage.yaml +136 -0
- package/rules/android/mobile-webview-security.yaml +88 -0
- package/rules/common/cwe-200-sensitive-data-exposure.yaml +61 -0
- package/rules/common/cwe-22-path-traversal.yaml +47 -0
- package/rules/common/cwe-295-ssl-bypass.yaml +217 -0
- package/rules/common/cwe-295-ssl-verification-disabled.yaml +64 -0
- package/rules/common/cwe-306-missing-authentication.yaml +44 -0
- package/rules/common/cwe-326-weak-key-size.yaml +107 -0
- package/rules/common/cwe-327-weak-crypto.yaml +177 -0
- package/rules/common/cwe-328-weak-hash.yaml +96 -0
- package/rules/common/cwe-329-cbc-mode.yaml +26 -0
- package/rules/common/cwe-352-csrf.yaml +23 -0
- package/rules/common/cwe-434-unrestricted-file-upload.yaml +41 -0
- package/rules/common/cwe-502-insecure-deserialization.yaml +44 -0
- package/rules/common/cwe-601-url-redirect.yaml +110 -0
- package/rules/common/cwe-611-xxe.yaml +70 -0
- package/rules/common/cwe-732-incorrect-permission.yaml +49 -0
- package/rules/common/cwe-770-resource-exhaustion.yaml +44 -0
- package/rules/common/cwe-78-os-command-injection.yaml +43 -0
- package/rules/common/cwe-787-out-of-bounds-write.yaml +37 -0
- package/rules/common/cwe-79-xss.yaml +51 -0
- package/rules/common/cwe-862-missing-authorization.yaml +40 -0
- package/rules/common/cwe-89-sqli.yaml +89 -0
- package/rules/common/cwe-918-ssrf.yaml +45 -0
- package/rules/common/cwe-94-code-injection.yaml +59 -0
- package/rules/common/zm-go-cwe22-path-traversal-fs.yaml +117 -0
- package/rules/common/zm-go-cwe22-path-traversal.yaml +103 -0
- package/rules/common/zm-go-cwe307-brute-force.yaml +129 -0
- package/rules/common/zm-go-cwe326-weak-crypto.yaml +124 -0
- package/rules/common/zm-go-cwe327-weak-cipher.yaml +152 -0
- package/rules/common/zm-go-cwe384-session-fixation.yaml +128 -0
- package/rules/common/zm-go-cwe502-deserialization.yaml +120 -0
- package/rules/common/zm-go-cwe78-command-injection.yaml +95 -0
- package/rules/common/zm-go-cwe79-xss.yaml +104 -0
- package/rules/common/zm-go-cwe798-hardcoded-creds.yaml +153 -0
- package/rules/common/zm-go-cwe89-sqli.yaml +89 -0
- package/rules/common/zm-go-cwe918-ssrf.yaml +117 -0
- package/rules/common/zm-java-cwe117-log-injection.yaml +83 -0
- package/rules/common/zm-java-cwe117-logforging.yaml +153 -0
- package/rules/common/zm-java-cwe200-actuator-exposure.yaml +8 -0
- package/rules/common/zm-java-cwe200-info-disclosure.yaml +91 -0
- package/rules/common/zm-java-cwe22-file-depth.yaml +135 -0
- package/rules/common/zm-java-cwe22-path-traversal-spring.yaml +81 -0
- package/rules/common/zm-java-cwe284-missing-auth-spring.yaml +131 -0
- package/rules/common/zm-java-cwe295-webview-ssl.yaml +123 -0
- package/rules/common/zm-java-cwe327-weakcrypto.yaml +197 -0
- package/rules/common/zm-java-cwe347-jwt.yaml +30 -0
- package/rules/common/zm-java-cwe352-csrf-depth.yaml +107 -0
- package/rules/common/zm-java-cwe352-csrf-disabled.yaml +15 -0
- package/rules/common/zm-java-cwe501-trust-boundary.yaml +124 -0
- package/rules/common/zm-java-cwe502-deserial-depth.yaml +128 -0
- package/rules/common/zm-java-cwe502-fastjson.yaml +137 -0
- package/rules/common/zm-java-cwe502-gadget.yaml +158 -0
- package/rules/common/zm-java-cwe502-jndi-injection.yaml +91 -0
- package/rules/common/zm-java-cwe502-shiro.yaml +108 -0
- package/rules/common/zm-java-cwe601-url-redirect-spring.yaml +85 -0
- package/rules/common/zm-java-cwe611-xxe-enhanced.yaml +80 -0
- package/rules/common/zm-java-cwe611-xxe-transformer.yaml +85 -0
- package/rules/common/zm-java-cwe639-idor.yaml +123 -0
- package/rules/common/zm-java-cwe79-xss-depth.yaml +98 -0
- package/rules/common/zm-java-cwe862-authz-depth.yaml +127 -0
- package/rules/common/zm-java-cwe915-mass-assignment.yaml +16 -0
- package/rules/common/zm-java-cwe917-expression-injection.yaml +120 -0
- package/rules/common/zm-java-cwe918-resttemplate.yaml +67 -0
- package/rules/common/zm-java-cwe918-ssrf-depth.yaml +103 -0
- package/rules/common/zm-java-cwe918-ssrf-resttemplate.yaml +77 -0
- package/rules/common/zm-java-cwe918-webclient.yaml +44 -0
- package/rules/common/zm-java-cwe94-ognl.yaml +66 -0
- package/rules/common/zm-java-cwe94-spel-injection.yaml +85 -0
- package/rules/common/zm-java-cwe94-spel.yaml +112 -0
- package/rules/common/zm-java-cwe94-ssti.yaml +22 -0
- package/rules/common/zm-java-cwe942-cors.yaml +15 -0
- package/rules/common/zm-js-cwe1321-prototype-pollution.yaml +61 -0
- package/rules/common/zm-js-cwe200-info-disclosure.yaml +95 -0
- package/rules/common/zm-js-cwe22-path-traversal-fs.yaml +113 -0
- package/rules/common/zm-js-cwe22-pathtraversal.yaml +111 -0
- package/rules/common/zm-js-cwe307-brute-force.yaml +136 -0
- package/rules/common/zm-js-cwe345-postmessage.yaml +75 -0
- package/rules/common/zm-js-cwe347-jwt-weak.yaml +95 -0
- package/rules/common/zm-js-cwe352-csrf.yaml +52 -0
- package/rules/common/zm-js-cwe384-session-fixation.yaml +132 -0
- package/rules/common/zm-js-cwe502-deserialization.yaml +119 -0
- package/rules/common/zm-js-cwe611-xxe.yaml +108 -0
- package/rules/common/zm-js-cwe639-idor.yaml +122 -0
- package/rules/common/zm-js-cwe693-helmet-missing.yaml +46 -0
- package/rules/common/zm-js-cwe78-exec.yaml +37 -0
- package/rules/common/zm-js-cwe78-spawn.yaml +37 -0
- package/rules/common/zm-js-cwe79-domxss.yaml +84 -0
- package/rules/common/zm-js-cwe79-react-xss.yaml +18 -0
- package/rules/common/zm-js-cwe79-xss-ejs.yaml +70 -0
- package/rules/common/zm-js-cwe89-sqli.yaml +153 -0
- package/rules/common/zm-js-cwe915-mass-assignment.yaml +111 -0
- package/rules/common/zm-js-cwe918-ssrf-fetch.yaml +134 -0
- package/rules/common/zm-js-cwe918-ssrf.yaml +132 -0
- package/rules/common/zm-js-cwe94-template-injection.yaml +130 -0
- package/rules/common/zm-js-cwe942-cors.yaml +49 -0
- package/rules/common/zm-js-cwe943-nosql-injection.yaml +52 -0
- package/rules/common/zm-js-cwe95-eval.yaml +59 -0
- package/rules/common/zm-js-cwe95-function-ctor.yaml +31 -0
- package/rules/common/zm-py-cwe22-path-traversal.yaml +86 -0
- package/rules/common/zm-py-cwe327-weak-crypto.yaml +103 -0
- package/rules/common/zm-py-cwe502-pickle.yaml +92 -0
- package/rules/common/zm-py-cwe611-xxe.yaml +100 -0
- package/rules/common/zm-py-cwe78-command-injection.yaml +121 -0
- package/rules/common/zm-py-cwe79-xss.yaml +123 -0
- package/rules/common/zm-py-cwe798-hardcoded-creds.yaml +86 -0
- package/rules/common/zm-py-cwe89-sqli.yaml +59 -0
- package/rules/common/zm-py-cwe918-ssrf.yaml +123 -0
- package/rules/common/zm-py-cwe94-ssti.yaml +87 -0
- package/rules/common/zm-py-cwe943-nosql-injection.yaml +123 -0
- package/rules/iac/ansible/zm-ansible-cwe269-privilege-escalation.yaml +63 -0
- package/rules/iac/ansible/zm-ansible-cwe78-command-injection.yaml +67 -0
- package/rules/iac/ansible/zm-ansible-cwe798-hardcoded-creds.yaml +93 -0
- package/rules/iac/terraform/zm-tf-cwe200-s3-bucket-public.yaml +100 -0
- package/rules/iac/terraform/zm-tf-cwe284-sg-wide-open.yaml +88 -0
- package/rules/iac/terraform/zm-tf-cwe311-iam-wildcard.yaml +83 -0
- package/rules/iac/terraform/zm-tf-cwe319-rds-public.yaml +72 -0
- package/rules/iac/terraform/zm-tf-cwe798-hardcoded-creds.yaml +102 -0
- package/rules/iac/zm-docker-cwe250-root-user.yaml +50 -0
- package/rules/iac/zm-docker-cwe400-resource-limit.yaml +92 -0
- package/rules/iac/zm-docker-security.yaml +104 -0
- package/rules/iac/zm-k8s-cwe200-service-account.yaml +83 -0
- package/rules/iac/zm-k8s-cwe250-privileged.yaml +56 -0
- package/rules/iac/zm-k8s-security.yaml +79 -0
- package/rules/rules_index.yaml.off +477 -0
- package/rules/semgrep-registry/anonymous-ldap-bind.yaml +34 -0
- package/rules/semgrep-registry/bad-hexa-conversion.yaml +32 -0
- package/rules/semgrep-registry/blowfish-insufficient-key-size.yaml +39 -0
- package/rules/semgrep-registry/cbc-padding-oracle.yaml +38 -0
- package/rules/semgrep-registry/command-injection-formatted-runtime-call.yaml +90 -0
- package/rules/semgrep-registry/command-injection-process-builder.yaml +148 -0
- package/rules/semgrep-registry/cookie-missing-httponly.yaml +38 -0
- package/rules/semgrep-registry/cookie-missing-secure-flag.yaml +38 -0
- package/rules/semgrep-registry/crlf-injection-logs.yaml +86 -0
- package/rules/semgrep-registry/dangerous-groovy-shell.yaml +46 -0
- package/rules/semgrep-registry/el-injection.yaml +137 -0
- package/rules/semgrep-registry/formatted-sql-string.yaml +95 -0
- package/rules/semgrep-registry/http-response-splitting.yaml +44 -0
- package/rules/semgrep-registry/index.txt +1 -0
- package/rules/semgrep-registry/insecure-smtp-connection.yaml +34 -0
- package/rules/semgrep-registry/java-reverse-shell.yaml +43 -0
- package/rules/semgrep-registry/jdbc-sql-formatted-string.yaml +120 -0
- package/rules/semgrep-registry/ldap-entry-poisoning.yaml +41 -0
- package/rules/semgrep-registry/ldap-injection.yaml +82 -0
- package/rules/semgrep-registry/md5-used-as-password.yaml +44 -0
- package/rules/semgrep-registry/object-deserialization.yaml +34 -0
- package/rules/semgrep-registry/ognl-injection.yaml +839 -0
- package/rules/semgrep-registry/overly-permissive-file-permission.yaml +49 -0
- package/rules/semgrep-registry/permissive-cors.yaml +77 -0
- package/rules/semgrep-registry/script-engine-injection.yaml +66 -0
- package/rules/semgrep-registry/tainted-cmd-from-http-request.yaml +74 -0
- package/rules/semgrep-registry/tainted-env-from-http-request.yaml +46 -0
- package/rules/semgrep-registry/tainted-ldapi-from-http-request.yaml +42 -0
- package/rules/semgrep-registry/tainted-session-from-http-request.yaml +70 -0
- package/rules/semgrep-registry/tainted-xpath-from-http-request.yaml +38 -0
- package/rules/semgrep-registry/unsafe-reflection.yaml +39 -0
- package/rules/semgrep-registry/unvalidated-redirect.yaml +127 -0
- package/rules/semgrep-registry/url-rewriting.yaml +82 -0
- package/rules/semgrep-registry/weak-ssl-context.yaml +34 -0
- package/rules/semgrep-registry/xml-decoder.yaml +53 -0
- package/rules/semgrep-registry/xssrequestwrapper-is-insecure.yaml +40 -0
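--- a/package/rules/semgrep-registry/command-injection-process-builder.yaml
+++ b/package/rules/semgrep-registry/command-injection-process-builder.yaml
@@ -0,0 +1,148 @@
+rules:
+- id: command-injection-process-builder
+pattern-either:
+- patterns:
+- pattern: |
+new ProcessBuilder($CMD,...)
+- pattern-not-inside: |
+$CMD = "...";
+...
+- pattern-not-inside: |
+$CMD = Arrays.asList("...",...);
+...
+- pattern-not-inside: |
+$CMD = new String[]{"...",...};
+...
+- pattern-not: |
+new ProcessBuilder("...",...)
+- pattern-not: |
+new ProcessBuilder(new String[]{"...",...},...)
+- pattern-not: |
+new ProcessBuilder(Arrays.asList("...",...),...)
+- patterns:
+- pattern: |
+$PB.command($CMD,...)
+- pattern-inside: |
+$TYPE $PB = new ProcessBuilder(...);
+...
+- pattern-not-inside: |
+$CMD = "...";
+...
+- pattern-not-inside: |
+$CMD = Arrays.asList("...",...);
+...
+- pattern-not-inside: |
+$CMD = new String[]{"...",...};
+...
+- pattern-not: |
+$PB.command("...",...)
+- pattern-not: |
+$PB.command(new String[]{"...",...},...)
+- pattern-not: |
+$PB.command(Arrays.asList("...",...),...)
+- patterns:
+- pattern-either:
+- pattern: |
+new ProcessBuilder("=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$ARG,...)
+- pattern: |
+new ProcessBuilder("cmd","/c",$ARG,...)
+- pattern: |
+new ProcessBuilder(Arrays.asList("cmd","/c",$ARG,...),...)
+- pattern: |
+new ProcessBuilder(new String[]{"cmd","/c",$ARG,...},...)
+- patterns:
+- pattern-either:
+- pattern: |
+new ProcessBuilder($CMD,"/c",$ARG,...)
+- pattern: |
+new ProcessBuilder(Arrays.asList($CMD,"/c",$ARG,...),...)
+- pattern: |
+new ProcessBuilder(new String[]{$CMD,"/c",$ARG,...},...)
+- pattern-inside: |
+$CMD = "cmd";
+...
+- pattern-not-inside: |
+$ARG = "...";
+...
+- pattern-not: |
+new ProcessBuilder("...","...","...",...)
+- pattern-not: |
+new ProcessBuilder(new String[]{"...","...","...",...},...)
+- pattern-not: |
+new ProcessBuilder(Arrays.asList("...","...","...",...),...)
+- patterns:
+- pattern-either:
+- pattern: |
+$PB.command("=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$ARG,...)
+- pattern: |
+$PB.command("cmd","/c",$ARG,...)
+- pattern: |
+$PB.command(Arrays.asList("=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$ARG,...),...)
+- pattern: |
+$PB.command(Arrays.asList("cmd","/c",$ARG,...),...)
+- pattern: |
+$PB.command(new String[]{"=~/(sh|bash|ksh|csh|tcsh|zsh)/","-c",$ARG,...},...)
+- pattern: |
+$PB.command(new String[]{"cmd","/c",$ARG,...},...)
+- patterns:
+- pattern-either:
+- pattern: |
+$PB.command($CMD,"-c",$ARG,...)
+- pattern: |
+$PB.command(Arrays.asList($CMD,"-c",$ARG,...),...)
+- pattern: |
+$PB.command(new String[]{$CMD,"-c",$ARG,...},...)
+- pattern-inside: |
+$CMD = "=~/(sh|bash|ksh|csh|tcsh|zsh)/";
+...
+- patterns:
+- pattern-either:
+- pattern: |
+$PB.command($CMD,"/c",$ARG,...)
+- pattern: |
+$PB.command(Arrays.asList($CMD,"/c",$ARG,...),...)
+- pattern: |
+$PB.command(new String[]{$CMD,"/c",$ARG,...},...)
+- pattern-inside: |
+$CMD = "cmd";
+...
+- pattern-inside: |
+$TYPE $PB = new ProcessBuilder(...);
+...
+- pattern-not-inside: |
+$ARG = "...";
+...
+- pattern-not: |
+$PB.command("...","...","...",...)
+- pattern-not: |
+$PB.command(new String[]{"...","...","...",...},...)
+- pattern-not: |
+$PB.command(Arrays.asList("...","...","...",...),...)
+message: >-
+A formatted or concatenated string was detected as input to a ProcessBuilder call.
+This is dangerous if a variable is controlled by user input and could result in
+a
+command injection. Ensure your variables are not controlled by users or sufficiently
+sanitized.
+metadata:
+cwe:
+- "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+owasp:
+- A01:2017 - Injection
+- A03:2021 - Injection
+- A05:2025 - Injection
+category: security
+technology:
+- java
+references:
+- https://owasp.org/Top10/A03_2021-Injection
+cwe2022-top25: true
+cwe2021-top25: true
+subcategory:
+- audit
+likelihood: LOW
+impact: HIGH
+confidence: LOW
+severity: ERROR
+languages:
+- java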
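--- a/package/rules/semgrep-registry/cookie-missing-httponly.yaml
+++ b/package/rules/semgrep-registry/cookie-missing-httponly.yaml
@@ -0,0 +1,38 @@
+rules:
+- id: cookie-missing-httponly
+metadata:
+cwe:
+- "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
+owasp:
+- A05:2021 - Security Misconfiguration
+- A02:2025 - Security Misconfiguration
+source-rule-url: https://find-sec-bugs.github.io/bugs.htm#HTTPONLY_COOKIE
+asvs:
+section: 'V3: Session Management Verification Requirements'
+control_id: 3.4.2 Missing Cookie Attribute
+control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v34-cookie-based-session-management
+version: '4'
+category: security
+technology:
+- java
+references:
+- https://owasp.org/Top10/A05_2021-Security_Misconfiguration
+subcategory:
+- audit
+likelihood: LOW
+impact: LOW
+confidence: LOW
+message: >-
+A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag
+for cookies instructs the browser to forbid client-side scripts from reading the
+cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'
+severity: WARNING
+languages: [java]
+patterns:
+- pattern-not-inside: $COOKIE.setValue(""); ...
+- pattern-either:
+- pattern: $COOKIE.setHttpOnly(false);
+- patterns:
+- pattern-not-inside: $COOKIE.setHttpOnly(...); ...
+- pattern-not-inside: $COOKIE = ResponseCookie.from(...). ...; ...
+- pattern: $RESPONSE.addCookie($COOKIE);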
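--- a/package/rules/semgrep-registry/cookie-missing-secure-flag.yaml
+++ b/package/rules/semgrep-registry/cookie-missing-secure-flag.yaml
@@ -0,0 +1,38 @@
+rules:
+- id: cookie-missing-secure-flag
+metadata:
+cwe:
+- "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
+owasp:
+- A05:2021 - Security Misconfiguration
+- A02:2025 - Security Misconfiguration
+source-rule-url: https://find-sec-bugs.github.io/bugs.htm#INSECURE_COOKIE
+asvs:
+section: 'V3: Session Management Verification Requirements'
+control_id: 3.4.1 Missing Cookie Attribute
+control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v34-cookie-based-session-management
+version: '4'
+category: security
+technology:
+- java
+references:
+- https://owasp.org/Top10/A05_2021-Security_Misconfiguration
+subcategory:
+- audit
+likelihood: LOW
+impact: LOW
+confidence: LOW
+message: >-
+A cookie was detected without setting the 'secure' flag. The 'secure' flag
+for cookies prevents the client from transmitting the cookie over insecure
+channels such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);'
+severity: WARNING
+languages: [java]
+patterns:
+- pattern-not-inside: $COOKIE.setValue(""); ...
+- pattern-either:
+- pattern: $COOKIE.setSecure(false);
+- patterns:
+- pattern-not-inside: $COOKIE.setSecure(...); ...
+- pattern-not-inside: $COOKIE = ResponseCookie.from(...). ...; ...
+- pattern: $RESPONSE.addCookie($COOKIE);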
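--- a/package/rules/semgrep-registry/crlf-injection-logs.yaml
+++ b/package/rules/semgrep-registry/crlf-injection-logs.yaml
@@ -0,0 +1,86 @@
+rules:
+- id: crlf-injection-logs
+message: >-
+When data from an untrusted source is put into a logger and not neutralized correctly,
+an attacker could forge log entries or include malicious content.
+metadata:
+cwe:
+- "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')"
+owasp:
+- A03:2021 - Injection
+- A05:2025 - Injection
+source-rule-url: https://find-sec-bugs.github.io/bugs.htm#CRLF_INJECTION_LOGS
+category: security
+technology:
+- java
+references:
+- https://owasp.org/Top10/A03_2021-Injection
+subcategory:
+- vuln
+likelihood: LOW
+impact: MEDIUM
+confidence: MEDIUM
+severity: WARNING
+languages: [java]
+patterns:
+# Enumerate possible enclosing scopes that define request and logger
+- pattern-either:
+# Logger is defined as a field on a class
+- patterns:
+- pattern-inside: |
+class $CLASS {
+...
+Logger $LOG = ...;
+...
+}
+- pattern-either:
+- pattern-inside: |
+$X $METHOD(...,HttpServletRequest $REQ,...) {
+...
+}
+- pattern-inside: |
+$X $METHOD(...,ServletRequest $REQ,...) {
+...
+}
+- pattern-inside: |
+$X $METHOD(...) {
+...
+HttpServletRequest $REQ = ...;
+...
+}
+- pattern-inside: |
+$X $METHOD(...) {
+...
+ServletRequest $REQ = ...;
+...
+}
+- pattern-inside: |
+$X $METHOD(...) {
+...
+Logger $LOG = ...;
+...
+HttpServletRequest $REQ = ...;
+...
+}
+- pattern-inside: |
+$X $METHOD(...) {
+...
+Logger $LOG = ...;
+...
+ServletRequest $REQ = ...;
+...
+}
+- pattern-either:
+# Enumerate possible injection sites
+- pattern: |
+String $VAL = $REQ.getParameter(...);
+...
+$LOG.$LEVEL(<... $VAL ...>);
+- pattern: |
+String $VAL = $REQ.getParameter(...);
+...
+$LOG.log($LEVEL,<... $VAL ...>);
+- pattern: |
+$LOG.$LEVEL(<... $REQ.getParameter(...) ...>);
+- pattern: |
+$LOG.log($LEVEL,<... $REQ.getParameter(...) ...>);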
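--- a/package/rules/semgrep-registry/dangerous-groovy-shell.yaml
+++ b/package/rules/semgrep-registry/dangerous-groovy-shell.yaml
@@ -0,0 +1,46 @@
+rules:
+- id: dangerous-groovy-shell
+patterns:
+- pattern-either:
+- pattern: |
+$SHELL.parse(...)
+- pattern: |
+$SHELL.evaluate(...)
+- pattern: |
+$SHELL.parseClass(...)
+- pattern-either:
+- pattern-inside: |
+groovy.lang.GroovyShell $SHELL = ...;
+...
+- pattern-inside: |
+groovy.lang.GroovyClassLoader $SHELL = ...;
+...
+- pattern-not: |
+$SHELL.parse("...",...)
+- pattern-not: |
+$SHELL.evaluate("...",...)
+- pattern-not: |
+$SHELL.parseClass("...",...)
+message: >-
+A expression is built with a dynamic value. The source of the value(s) should
+be verified to avoid that unfiltered values fall into this risky code evaluation.
+metadata:
+cwe:
+- "CWE-94: Improper Control of Generation of Code ('Code Injection')"
+owasp:
+- A03:2021 - Injection
+- A05:2025 - Injection
+source-rule-url: https://find-sec-bugs.github.io/bugs.htm#GROOVY_SHELL
+category: security
+technology:
+- groovy
+references:
+- https://owasp.org/Top10/A03_2021-Injection
+cwe2022-top25: true
+subcategory:
+- audit
+likelihood: LOW
+impact: LOW
+confidence: LOW
+languages: [java]
+severity: WARNING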
@@ -0,0 +1,137 @@
|
|
|
1
|
+
rules:
|
|
2
|
+
- id: el-injection
|
|
3
|
+
metadata:
|
|
4
|
+
cwe:
|
|
5
|
+
- "CWE-94: Improper Control of Generation of Code ('Code Injection')"
|
|
6
|
+
owasp:
|
|
7
|
+
- A03:2021 - Injection
|
|
8
|
+
- A05:2025 - Injection
|
|
9
|
+
source-rule-url: https://find-sec-bugs.github.io/bugs.htm#EL_INJECTION
|
|
10
|
+
category: security
|
|
11
|
+
technology:
|
|
12
|
+
- java
|
|
13
|
+
references:
|
|
14
|
+
- https://owasp.org/Top10/A03_2021-Injection
|
|
15
|
+
cwe2022-top25: true
|
|
16
|
+
subcategory:
|
|
17
|
+
- audit
|
|
18
|
+
likelihood: LOW
|
|
19
|
+
impact: HIGH
|
|
20
|
+
confidence: LOW
|
|
21
|
+
message: >-
|
|
22
|
+
An expression is built with a dynamic value. The source of the value(s) should
|
|
23
|
+
be verified to avoid that unfiltered values fall into this risky code evaluation.
|
|
24
|
+
severity: WARNING
|
|
25
|
+
languages: [java]
|
|
26
|
+
patterns:
|
|
27
|
+
- pattern-either:
|
|
28
|
+
- pattern: |
|
|
29
|
+
class $CLASS {
|
|
30
|
+
...
|
|
31
|
+
ExpressionFactory $EF;
|
|
32
|
+
...
|
|
33
|
+
$X $METHOD(...) {
|
|
34
|
+
...
|
|
35
|
+
$EF.createValueExpression($CTX,$INPUT,...);
|
|
36
|
+
...
|
|
37
|
+
}
|
|
38
|
+
...
|
|
39
|
+
}
|
|
40
|
+
- pattern: |
|
|
41
|
+
class $CLASS {
|
|
42
|
+
...
|
|
43
|
+
ExpressionFactory $EF = ...;
|
|
44
|
+
...
|
|
45
|
+
$X $METHOD(...) {
|
|
46
|
+
...
|
|
47
|
+
$EF.createValueExpression($CTX,$INPUT,...);
|
|
48
|
+
...
|
|
49
|
+
}
|
|
50
|
+
...
|
|
51
|
+
}
|
|
52
|
+
- pattern: |
|
|
53
|
+
$X $METHOD(...) {
|
|
54
|
+
...
|
|
55
|
+
ExpressionFactory $EF = ...;
|
|
56
|
+
...
|
|
57
|
+
$EF.createValueExpression($CTX,$INPUT,...);
|
|
58
|
+
...
|
|
59
|
+
}
|
|
60
|
+
- pattern: |
|
|
61
|
+
$X $METHOD(...,ExpressionFactory $EF,...) {
|
|
62
|
+
...
|
|
63
|
+
$EF.createValueExpression($CTX,$INPUT,...);
|
|
64
|
+
...
|
|
65
|
+
}
|
|
66
|
+
- pattern: |
|
|
67
|
+
class $CLASS {
|
|
68
|
+
...
|
|
69
|
+
ExpressionFactory $EF;
|
|
70
|
+
...
|
|
71
|
+
$X $METHOD(...) {
|
|
72
|
+
...
|
|
73
|
+
$EF.createMethodExpression($CTX,$INPUT,...);
|
|
74
|
+
...
|
|
75
|
+
}
|
|
76
|
+
...
|
|
77
|
+
}
|
|
78
|
+
- pattern: |
|
|
79
|
+
class $CLASS {
|
|
80
|
+
...
|
|
81
|
+
ExpressionFactory $EF = ...;
|
|
82
|
+
...
|
|
83
|
+
$X $METHOD(...) {
|
|
84
|
+
...
|
|
85
|
+
$EF.createMethodExpression($CTX,$INPUT,...);
|
|
86
|
+
...
|
|
87
|
+
}
|
|
88
|
+
...
|
|
89
|
+
}
|
|
90
|
+
- pattern: |
|
|
91
|
+
$X $METHOD(...) {
|
|
92
|
+
...
|
|
93
|
+
ExpressionFactory $EF = ...;
|
|
94
|
+
...
|
|
95
|
+
$EF.createMethodExpression($CTX,$INPUT,...);
|
|
96
|
+
...
|
|
97
|
+
}
|
|
98
|
+
- pattern: |
|
|
99
|
+
$X $METHOD(...,ExpressionFactory $EF,...) {
|
|
100
|
+
...
|
|
101
|
+
$EF.createMethodExpression($CTX,$INPUT,...);
|
|
102
|
+
...
|
|
103
|
+
}
|
|
104
|
+
- pattern: |
|
|
105
|
+
$X $METHOD(String $INPUT, ...) {
|
|
106
|
+
...
|
|
107
|
+
$OBJECT.buildConstraintViolationWithTemplate($INPUT, ...);
|
|
108
|
+
...
|
|
109
|
+
}
|
|
110
|
+
- pattern-not: |
|
|
111
|
+
$X $METHOD(...) {
|
|
112
|
+
...
|
|
113
|
+
$EF.createValueExpression($CTX,"...",...);
|
|
114
|
+
...
|
|
115
|
+
}
|
|
116
|
+
- pattern-not: |
|
|
117
|
+
$X $METHOD(...) {
|
|
118
|
+
...
|
|
119
|
+
String $S = "...";
|
|
120
|
+
...
|
|
121
|
+
$EF.createValueExpression($CTX,$S,...);
|
|
122
|
+
...
|
|
123
|
+
}
|
|
124
|
+
- pattern-not: |
|
|
125
|
+
$X $METHOD(...) {
|
|
126
|
+
...
|
|
127
|
+
$EF.createMethodExpression($CTX,"...",...);
|
|
128
|
+
...
|
|
129
|
+
}
|
|
130
|
+
- pattern-not: |
|
|
131
|
+
$X $METHOD(...) {
|
|
132
|
+
...
|
|
133
|
+
String $S = "...";
|
|
134
|
+
...
|
|
135
|
+
$EF.createMethodExpression($CTX,$S,...);
|
|
136
|
+
...
|
|
137
|
+
}
|
|
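Review bot: The `pattern-not` exclusions at rule lines 110–137 are written at method range, but four of the positive patterns (rule lines 28–51 and 66–89) match the whole class, so the literal-string exclusion and the positive match operate at different granularities: if I read Semgrep's `pattern-not` semantics correctly, a class holding an `ExpressionFactory` field whose methods only ever pass string literals is still reported, while a method containing one literal and one dynamic `createValueExpression` call is dropped together with the dynamic one. Moving the class/method/parameter forms into `pattern-inside` context and matching the `createValueExpression`/`createMethodExpression` call itself lets the literal exclusion apply per call; the `buildConstraintViolationWithTemplate` form binds no `$EF` and should stay as its own `pattern-either` branch. I expect Semgrep's constant propagation to cover the `String $S = "..."` cases once the exclusion is on the call, but that should be confirmed against the rule's test file before dropping those two `pattern-not` blocks.
```yaml
pattern-either:
  - patterns:
      - pattern-either:
          - pattern-inside: |
              class $CLASS {
                ...
                ExpressionFactory $EF;
                ...
              }
          - pattern-inside: |
              class $CLASS {
                ...
                ExpressionFactory $EF = ...;
                ...
              }
          - pattern-inside: |
              ExpressionFactory $EF = ...;
              ...
          - pattern-inside: |
              $X $METHOD(..., ExpressionFactory $EF, ...) {
                ...
              }
      - pattern-either:
          - pattern: $EF.createValueExpression($CTX, $INPUT, ...)
          - pattern: $EF.createMethodExpression($CTX, $INPUT, ...)
      - pattern-not: $EF.createValueExpression($CTX, "...", ...)
      - pattern-not: $EF.createMethodExpression($CTX, "...", ...)
  # … unchanged: buildConstraintViolationWithTemplate branch …
```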
@@ -0,0 +1,95 @@
|
|
|
1
|
+
rules:
|
|
2
|
+
- id: formatted-sql-string
|
|
3
|
+
metadata:
|
|
4
|
+
cwe:
|
|
5
|
+
- "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
|
|
6
|
+
owasp:
|
|
7
|
+
- A01:2017 - Injection
|
|
8
|
+
- A03:2021 - Injection
|
|
9
|
+
- A05:2025 - Injection
|
|
10
|
+
source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SQL_INJECTION
|
|
11
|
+
asvs:
|
|
12
|
+
section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
|
|
13
|
+
control_id: 5.3.5 Injection
|
|
14
|
+
control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements
|
|
15
|
+
version: '4'
|
|
16
|
+
references:
|
|
17
|
+
- https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
|
|
18
|
+
- https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html#create_ps
|
|
19
|
+
- https://software-security.sans.org/developer-how-to/fix-sql-injection-in-java-using-prepared-callable-statement
|
|
20
|
+
category: security
|
|
21
|
+
technology:
|
|
22
|
+
- java
|
|
23
|
+
cwe2022-top25: true
|
|
24
|
+
cwe2021-top25: true
|
|
25
|
+
subcategory:
|
|
26
|
+
- vuln
|
|
27
|
+
likelihood: HIGH
|
|
28
|
+
impact: MEDIUM
|
|
29
|
+
confidence: MEDIUM
|
|
30
|
+
options:
|
|
31
|
+
taint_assume_safe_numbers: true
|
|
32
|
+
taint_assume_safe_booleans: true
|
|
33
|
+
message: >-
|
|
34
|
+
Detected a formatted string in a SQL statement. This could lead to SQL
|
|
35
|
+
injection if variables in the SQL statement are not properly sanitized.
|
|
36
|
+
Use a prepared statements (java.sql.PreparedStatement) instead. You
|
|
37
|
+
can obtain a PreparedStatement using 'connection.prepareStatement'.
|
|
38
|
+
mode: taint
|
|
39
|
+
pattern-sources:
|
|
40
|
+
- patterns:
|
|
41
|
+
- pattern-either:
|
|
42
|
+
- pattern: |
|
|
43
|
+
(HttpServletRequest $REQ)
|
|
44
|
+
- patterns:
|
|
45
|
+
- pattern-inside: |
|
|
46
|
+
$ANNOT $FUNC (..., $INPUT, ...) {
|
|
47
|
+
...
|
|
48
|
+
}
|
|
49
|
+
- pattern: (String $INPUT)
|
|
50
|
+
- focus-metavariable: $INPUT
|
|
51
|
+
label: INPUT
|
|
52
|
+
- patterns:
|
|
53
|
+
- pattern-either:
|
|
54
|
+
- pattern: $X + $INPUT
|
|
55
|
+
- pattern: $X += $INPUT
|
|
56
|
+
- pattern: String.format(..., $INPUT, ...)
|
|
57
|
+
- pattern: String.join(..., $INPUT, ...)
|
|
58
|
+
- pattern: (String $STR).concat($INPUT)
|
|
59
|
+
- pattern: $INPUT.concat(...)
|
|
60
|
+
- patterns:
|
|
61
|
+
- pattern-either:
|
|
62
|
+
- pattern: $STRB.append($INPUT)
|
|
63
|
+
- pattern: new $STRB(..., $INPUT, ...)
|
|
64
|
+
- metavariable-type:
|
|
65
|
+
metavariable: $STRB
|
|
66
|
+
type: StringBuilder
|
|
67
|
+
label: CONCAT
|
|
68
|
+
requires: INPUT
|
|
69
|
+
pattern-propagators:
|
|
70
|
+
- pattern: (StringBuffer $S).append($X)
|
|
71
|
+
from: $X
|
|
72
|
+
to: $S
|
|
73
|
+
- pattern: (StringBuilder $S).append($X)
|
|
74
|
+
from: $X
|
|
75
|
+
to: $S
|
|
76
|
+
pattern-sinks:
|
|
77
|
+
- patterns:
|
|
78
|
+
- pattern-not: $S.$SQLFUNC(<... "=~/.*TABLE *$/" ...>)
|
|
79
|
+
- pattern-not: $S.$SQLFUNC(<... "=~/.*TABLE %s$/" ...>)
|
|
80
|
+
- pattern-either:
|
|
81
|
+
- pattern: (Statement $S).$SQLFUNC(...)
|
|
82
|
+
- pattern: (PreparedStatement $P).$SQLFUNC(...)
|
|
83
|
+
- pattern: (Connection $C).createStatement(...).$SQLFUNC(...)
|
|
84
|
+
- pattern: (Connection $C).prepareStatement(...).$SQLFUNC(...)
|
|
85
|
+
- pattern: (EntityManager $EM).$SQLFUNC(...)
|
|
86
|
+
- metavariable-regex:
|
|
87
|
+
metavariable: $SQLFUNC
|
|
88
|
+
regex: execute|executeQuery|createQuery|query|addBatch|nativeSQL|create|prepare
|
|
89
|
+
requires: CONCAT
|
|
90
|
+
pattern-sanitizers:
|
|
91
|
+
- patterns:
|
|
92
|
+
- pattern: (CriteriaBuilder $CB).$ANY(...)
|
|
93
|
+
severity: ERROR
|
|
94
|
+
languages:
|
|
95
|
+
- java
|
|
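Review bot: The two `pattern-not` sink exclusions at rule lines 78–79 (`"=~/.*TABLE *$/"` and `"=~/.*TABLE %s$/"`) silently drop exactly the case where a table name is concatenated into a DDL statement, and nothing in the rule says why. That case cannot be fixed with a `PreparedStatement` parameter, which I assume is the motivation, but an identifier taken from request input is still injectable, so a comment on those lines would keep the next maintainer from either "fixing" the exclusion or relying on the rule for it, e.g. `# Table-name concatenation is excluded: identifiers cannot be bound as JDBC parameters, so this would be a permanent finding. Such names still need an allow-list check, which this rule does not cover.`. The sanitizer at rule line 92 deserves a one-line comment for the same reason, since `$ANY` clears taint for every `CriteriaBuilder` call rather than a known-safe subset.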
@@ -0,0 +1,44 @@
|
|
|
1
|
+
rules:
|
|
2
|
+
- id: http-response-splitting
|
|
3
|
+
metadata:
|
|
4
|
+
cwe:
|
|
5
|
+
- "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')"
|
|
6
|
+
owasp:
|
|
7
|
+
- A03:2021 - Injection
|
|
8
|
+
- A05:2025 - Injection
|
|
9
|
+
source-rule-url: https://find-sec-bugs.github.io/bugs.htm#HTTP_RESPONSE_SPLITTING
|
|
10
|
+
references:
|
|
11
|
+
- https://www.owasp.org/index.php/HTTP_Response_Splitting
|
|
12
|
+
category: security
|
|
13
|
+
technology:
|
|
14
|
+
- java
|
|
15
|
+
subcategory:
|
|
16
|
+
- vuln
|
|
17
|
+
likelihood: MEDIUM
|
|
18
|
+
impact: MEDIUM
|
|
19
|
+
confidence: MEDIUM
|
|
20
|
+
message: >-
|
|
21
|
+
Older Java application servers are vulnerable to HTTP response splitting, which
|
|
22
|
+
may occur if an HTTP
|
|
23
|
+
request can be injected with CRLF characters. This finding is reported for completeness;
|
|
24
|
+
it is recommended
|
|
25
|
+
to ensure your environment is not affected by testing this yourself.
|
|
26
|
+
severity: INFO
|
|
27
|
+
languages:
|
|
28
|
+
- java
|
|
29
|
+
pattern-either:
|
|
30
|
+
- pattern: |
|
|
31
|
+
$VAR = $REQ.getParameter(...);
|
|
32
|
+
...
|
|
33
|
+
$COOKIE = new Cookie(..., $VAR, ...);
|
|
34
|
+
...
|
|
35
|
+
$RESP.addCookie($COOKIE, ...);
|
|
36
|
+
- patterns:
|
|
37
|
+
- pattern-inside: |
|
|
38
|
+
$RETTYPE $FUNC(...,@PathVariable $TYPE $VAR, ...) {
|
|
39
|
+
...
|
|
40
|
+
}
|
|
41
|
+
- pattern: |
|
|
42
|
+
$COOKIE = new Cookie(..., $VAR, ...);
|
|
43
|
+
...
|
|
44
|
+
$RESP.addCookie($COOKIE, ...);
|
|
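Review bot: The rule id and CWE-113 promise CRLF-in-header detection, but the only sinks in the `pattern-either` at rule lines 29–44 are `new Cookie(...)` followed by `addCookie`; request data flowing into `$RESP.setHeader(...)`, `addHeader(...)` or `sendRedirect(...)` is never reported. Since the message already scopes the finding to older application servers and the severity is INFO, a header branch keeps the rule's stated scope honest without changing its noise level. The first branch also accepts `getParameter` on any `$REQ`, which I assume is deliberate to avoid a type constraint; the branch below follows the same convention.
```yaml
pattern-either:
  # … unchanged: cookie branches …
  - patterns:
      - pattern: |
          $VAR = $REQ.getParameter(...);
          ...
          $RESP.$HDR(..., $VAR, ...);
      - metavariable-regex:
          metavariable: $HDR
          regex: ^(setHeader|addHeader|sendRedirect)$
```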
@@ -0,0 +1 @@
|
|
|
1
|
+
770
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
rules:
|
|
2
|
+
- id: insecure-smtp-connection
|
|
3
|
+
metadata:
|
|
4
|
+
cwe:
|
|
5
|
+
- 'CWE-297: Improper Validation of Certificate with Host Mismatch'
|
|
6
|
+
owasp:
|
|
7
|
+
- A07:2021 - Identification and Authentication Failures
|
|
8
|
+
- A07:2025 - Authentication Failures
|
|
9
|
+
source-rule-url: https://find-sec-bugs.github.io/bugs.htm#INSECURE_SMTP_SSL
|
|
10
|
+
category: security
|
|
11
|
+
technology:
|
|
12
|
+
- java
|
|
13
|
+
references:
|
|
14
|
+
- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
|
|
15
|
+
subcategory:
|
|
16
|
+
- vuln
|
|
17
|
+
likelihood: LOW
|
|
18
|
+
impact: MEDIUM
|
|
19
|
+
confidence: MEDIUM
|
|
20
|
+
message: >-
|
|
21
|
+
Insecure SMTP connection detected. This connection will trust any SSL certificate.
|
|
22
|
+
Enable certificate verification by setting 'email.setSSLCheckServerIdentity(true)'.
|
|
23
|
+
severity: WARNING
|
|
24
|
+
patterns:
|
|
25
|
+
- pattern-not-inside: |
|
|
26
|
+
$EMAIL.setSSLCheckServerIdentity(true);
|
|
27
|
+
...
|
|
28
|
+
- pattern-inside: |
|
|
29
|
+
$EMAIL = new SimpleEmail(...);
|
|
30
|
+
...
|
|
31
|
+
- pattern: |-
|
|
32
|
+
$EMAIL.send(...);
|
|
33
|
+
languages:
|
|
34
|
+
- java
|
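Review bot: The `pattern-inside` at rule lines 28–30 only recognises `new SimpleEmail(...)`, so `HtmlEmail`, `MultiPartEmail` and `ImageHtmlEmail`, the other commons-email `Email` subclasses that carry the same `setSSLCheckServerIdentity` setting, are never checked. The rule also fires on every `send()` regardless of whether `setSSLOnConnect(true)` or `setStartTLSEnabled(true)` was called, so for a plaintext SMTP session the message's claim that the connection "will trust any SSL certificate" does not hold; as far as I know the setting controls server-identity (hostname) verification rather than chain validation, which is what CWE-297 describes, so I would word the message accordingly. Matching the constructor through a metavariable with a regex closes the class gap without changing the rule's shape.
```yaml
  - pattern-inside: |
      $EMAIL = new $MAIL(...);
      ...
  - metavariable-regex:
      metavariable: $MAIL
      regex: ^(SimpleEmail|MultiPartEmail|HtmlEmail|ImageHtmlEmail)$
  # … unchanged: pattern-not-inside and the send() pattern …
```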