@zhuma4/cli 4.0.0-alpha.1
- package/README.md +42 -0
- package/dist/commands/config.d.ts +3 -0
- package/dist/commands/config.d.ts.map +1 -0
- package/dist/commands/config.js +18 -0
- package/dist/commands/config.js.map +1 -0
- package/dist/commands/init.d.ts +3 -0
- package/dist/commands/init.d.ts.map +1 -0
- package/dist/commands/init.js +11 -0
- package/dist/commands/init.js.map +1 -0
- package/dist/commands/scan.d.ts +3 -0
- package/dist/commands/scan.d.ts.map +1 -0
- package/dist/commands/scan.js +96 -0
- package/dist/commands/scan.js.map +1 -0
- package/dist/commands/scan_appid.d.ts +20 -0
- package/dist/commands/scan_appid.d.ts.map +1 -0
- package/dist/commands/scan_appid.js +301 -0
- package/dist/commands/scan_appid.js.map +1 -0
- package/dist/commands/scan_manifest.d.ts +13 -0
- package/dist/commands/scan_manifest.d.ts.map +1 -0
- package/dist/commands/scan_manifest.js +103 -0
- package/dist/commands/scan_manifest.js.map +1 -0
- package/dist/engine/api-submit.d.ts +16 -0
- package/dist/engine/api-submit.d.ts.map +1 -0
- package/dist/engine/api-submit.js +66 -0
- package/dist/engine/api-submit.js.map +1 -0
- package/dist/engine/batch_scan.d.ts +36 -0
- package/dist/engine/batch_scan.d.ts.map +1 -0
- package/dist/engine/batch_scan.js +192 -0
- package/dist/engine/batch_scan.js.map +1 -0
- package/dist/engine/config.d.ts +12 -0
- package/dist/engine/config.d.ts.map +1 -0
- package/dist/engine/config.js +27 -0
- package/dist/engine/config.js.map +1 -0
- package/dist/engine/errors.d.ts +36 -0
- package/dist/engine/errors.d.ts.map +1 -0
- package/dist/engine/errors.js +99 -0
- package/dist/engine/errors.js.map +1 -0
- package/dist/engine/filter.d.ts +13 -0
- package/dist/engine/filter.d.ts.map +1 -0
- package/dist/engine/filter.js +64 -0
- package/dist/engine/filter.js.map +1 -0
- package/dist/engine/finding_classifier.d.ts +108 -0
- package/dist/engine/finding_classifier.d.ts.map +1 -0
- package/dist/engine/finding_classifier.js +440 -0
- package/dist/engine/finding_classifier.js.map +1 -0
- package/dist/engine/incremental/engine.d.ts +25 -0
- package/dist/engine/incremental/engine.d.ts.map +1 -0
- package/dist/engine/incremental/engine.js +337 -0
- package/dist/engine/incremental/engine.js.map +1 -0
- package/dist/engine/incremental/git-diff.d.ts +19 -0
- package/dist/engine/incremental/git-diff.d.ts.map +1 -0
- package/dist/engine/incremental/git-diff.js +175 -0
- package/dist/engine/incremental/git-diff.js.map +1 -0
- package/dist/engine/incremental/types.d.ts +33 -0
- package/dist/engine/incremental/types.d.ts.map +1 -0
- package/dist/engine/incremental/types.js +11 -0
- package/dist/engine/incremental/types.js.map +1 -0
- package/dist/engine/manifest_scanner.d.ts +48 -0
- package/dist/engine/manifest_scanner.d.ts.map +1 -0
- package/dist/engine/manifest_scanner.js +599 -0
- package/dist/engine/manifest_scanner.js.map +1 -0
- package/dist/engine/project.d.ts +22 -0
- package/dist/engine/project.d.ts.map +1 -0
- package/dist/engine/project.js +279 -0
- package/dist/engine/project.js.map +1 -0
- package/dist/engine/sarif.d.ts +13 -0
- package/dist/engine/sarif.d.ts.map +1 -0
- package/dist/engine/sarif.js +44 -0
- package/dist/engine/sarif.js.map +1 -0
- package/dist/engine/sca-integration.d.ts +36 -0
- package/dist/engine/sca-integration.d.ts.map +1 -0
- package/dist/engine/sca-integration.js +91 -0
- package/dist/engine/sca-integration.js.map +1 -0
- package/dist/engine/scanner.d.ts +18 -0
- package/dist/engine/scanner.d.ts.map +1 -0
- package/dist/engine/scanner.js +138 -0
- package/dist/engine/scanner.js.map +1 -0
- package/dist/index.d.ts +13 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +41 -0
- package/dist/index.js.map +1 -0
- package/dist/report/render.d.ts +23 -0
- package/dist/report/render.d.ts.map +1 -0
- package/dist/report/render.js +335 -0
- package/dist/report/render.js.map +1 -0
- package/package.json +41 -0
- package/rules/android/mobile-cleartext-traffic.yaml +46 -0
- package/rules/android/mobile-component-security.yaml +107 -0
- package/rules/android/mobile-crypto-weakness.yaml +139 -0
- package/rules/android/mobile-cwe-1021-tapjacking.yaml +81 -0
- package/rules/android/mobile-cwe-114-dynamic-dex-loading.yaml +41 -0
- package/rules/android/mobile-cwe-200-clipboard-data-leak.yaml +66 -0
- package/rules/android/mobile-cwe-200-debug-builds.yaml +111 -0
- package/rules/android/mobile-cwe-200-log-sensitive-data.yaml +61 -0
- package/rules/android/mobile-cwe-200-webview-debugging.yaml +56 -0
- package/rules/android/mobile-cwe-200-webview-universal-access.yaml +30 -0
- package/rules/android/mobile-cwe-200-window-flags.yaml +96 -0
- package/rules/android/mobile-cwe-22-content-provider-openfile.yaml +73 -0
- package/rules/android/mobile-cwe-22-path-traversal.yaml +86 -0
- package/rules/android/mobile-cwe-287-biometric-weakness.yaml +102 -0
- package/rules/android/mobile-cwe-295-cert-pinning-missing.yaml +78 -0
- package/rules/android/mobile-cwe-295-webview-ssl-bypass.yaml +104 -0
- package/rules/android/mobile-cwe-312-cleartext-storage.yaml +109 -0
- package/rules/android/mobile-cwe-319-cleartext-communication.yaml +84 -0
- package/rules/android/mobile-cwe-321-hardcoded-crypto-keys.yaml +132 -0
- package/rules/android/mobile-cwe-326-short-rsa.yaml +108 -0
- package/rules/android/mobile-cwe-327-rc4-3des.yaml +107 -0
- package/rules/android/mobile-cwe-329-cbc-padding-oracle.yaml +76 -0
- package/rules/android/mobile-cwe-470-reflection-injection.yaml +39 -0
- package/rules/android/mobile-cwe-489-root-detection-weak.yaml +125 -0
- package/rules/android/mobile-cwe-489-stetho-debug.yaml +107 -0
- package/rules/android/mobile-cwe-502-insecure-deserialization.yaml +76 -0
- package/rules/android/mobile-cwe-552-world-readable-files.yaml +63 -0
- package/rules/android/mobile-cwe-749-webview-java-objects.yaml +78 -0
- package/rules/android/mobile-cwe-749-webview-jsbridge.yaml +57 -0
- package/rules/android/mobile-cwe-749-webview-loadurl-injection.yaml +80 -0
- package/rules/android/mobile-cwe-78-command-injection.yaml +77 -0
- package/rules/android/mobile-cwe-780-rsa-no-oaep.yaml +80 -0
- package/rules/android/mobile-cwe-79-webview-setdata.yaml +78 -0
- package/rules/android/mobile-cwe-79-webview-xss.yaml +65 -0
- package/rules/android/mobile-cwe-798-hardcoded-credentials.yaml +108 -0
- package/rules/android/mobile-cwe-89-sql-injection.yaml +100 -0
- package/rules/android/mobile-cwe-927-implicit-intent.yaml +121 -0
- package/rules/android/mobile-cwe-927-ipc-file-provider.yaml +102 -0
- package/rules/android/mobile-cwe-939-deeplink-validation.yaml +76 -0
- package/rules/android/mobile-sdk-google-firebase-open.yaml +117 -0
- package/rules/android/mobile-sdk-tencent-tpns-config-leak.yaml +131 -0
- package/rules/android/mobile-secrets-storage.yaml +136 -0
- package/rules/android/mobile-webview-security.yaml +88 -0
- package/rules/common/cwe-200-sensitive-data-exposure.yaml +61 -0
- package/rules/common/cwe-22-path-traversal.yaml +47 -0
- package/rules/common/cwe-295-ssl-bypass.yaml +217 -0
- package/rules/common/cwe-295-ssl-verification-disabled.yaml +64 -0
- package/rules/common/cwe-306-missing-authentication.yaml +44 -0
- package/rules/common/cwe-326-weak-key-size.yaml +107 -0
- package/rules/common/cwe-327-weak-crypto.yaml +177 -0
- package/rules/common/cwe-328-weak-hash.yaml +96 -0
- package/rules/common/cwe-329-cbc-mode.yaml +26 -0
- package/rules/common/cwe-352-csrf.yaml +23 -0
- package/rules/common/cwe-434-unrestricted-file-upload.yaml +41 -0
- package/rules/common/cwe-502-insecure-deserialization.yaml +44 -0
- package/rules/common/cwe-601-url-redirect.yaml +110 -0
- package/rules/common/cwe-611-xxe.yaml +70 -0
- package/rules/common/cwe-732-incorrect-permission.yaml +49 -0
- package/rules/common/cwe-770-resource-exhaustion.yaml +44 -0
- package/rules/common/cwe-78-os-command-injection.yaml +43 -0
- package/rules/common/cwe-787-out-of-bounds-write.yaml +37 -0
- package/rules/common/cwe-79-xss.yaml +51 -0
- package/rules/common/cwe-862-missing-authorization.yaml +40 -0
- package/rules/common/cwe-89-sqli.yaml +89 -0
- package/rules/common/cwe-918-ssrf.yaml +45 -0
- package/rules/common/cwe-94-code-injection.yaml +59 -0
- package/rules/common/zm-go-cwe22-path-traversal-fs.yaml +117 -0
- package/rules/common/zm-go-cwe22-path-traversal.yaml +103 -0
- package/rules/common/zm-go-cwe307-brute-force.yaml +129 -0
- package/rules/common/zm-go-cwe326-weak-crypto.yaml +124 -0
- package/rules/common/zm-go-cwe327-weak-cipher.yaml +152 -0
- package/rules/common/zm-go-cwe384-session-fixation.yaml +128 -0
- package/rules/common/zm-go-cwe502-deserialization.yaml +120 -0
- package/rules/common/zm-go-cwe78-command-injection.yaml +95 -0
- package/rules/common/zm-go-cwe79-xss.yaml +104 -0
- package/rules/common/zm-go-cwe798-hardcoded-creds.yaml +153 -0
- package/rules/common/zm-go-cwe89-sqli.yaml +89 -0
- package/rules/common/zm-go-cwe918-ssrf.yaml +117 -0
- package/rules/common/zm-java-cwe117-log-injection.yaml +83 -0
- package/rules/common/zm-java-cwe117-logforging.yaml +153 -0
- package/rules/common/zm-java-cwe200-actuator-exposure.yaml +8 -0
- package/rules/common/zm-java-cwe200-info-disclosure.yaml +91 -0
- package/rules/common/zm-java-cwe22-file-depth.yaml +135 -0
- package/rules/common/zm-java-cwe22-path-traversal-spring.yaml +81 -0
- package/rules/common/zm-java-cwe284-missing-auth-spring.yaml +131 -0
- package/rules/common/zm-java-cwe295-webview-ssl.yaml +123 -0
- package/rules/common/zm-java-cwe327-weakcrypto.yaml +197 -0
- package/rules/common/zm-java-cwe347-jwt.yaml +30 -0
- package/rules/common/zm-java-cwe352-csrf-depth.yaml +107 -0
- package/rules/common/zm-java-cwe352-csrf-disabled.yaml +15 -0
- package/rules/common/zm-java-cwe501-trust-boundary.yaml +124 -0
- package/rules/common/zm-java-cwe502-deserial-depth.yaml +128 -0
- package/rules/common/zm-java-cwe502-fastjson.yaml +137 -0
- package/rules/common/zm-java-cwe502-gadget.yaml +158 -0
- package/rules/common/zm-java-cwe502-jndi-injection.yaml +91 -0
- package/rules/common/zm-java-cwe502-shiro.yaml +108 -0
- package/rules/common/zm-java-cwe601-url-redirect-spring.yaml +85 -0
- package/rules/common/zm-java-cwe611-xxe-enhanced.yaml +80 -0
- package/rules/common/zm-java-cwe611-xxe-transformer.yaml +85 -0
- package/rules/common/zm-java-cwe639-idor.yaml +123 -0
- package/rules/common/zm-java-cwe79-xss-depth.yaml +98 -0
- package/rules/common/zm-java-cwe862-authz-depth.yaml +127 -0
- package/rules/common/zm-java-cwe915-mass-assignment.yaml +16 -0
- package/rules/common/zm-java-cwe917-expression-injection.yaml +120 -0
- package/rules/common/zm-java-cwe918-resttemplate.yaml +67 -0
- package/rules/common/zm-java-cwe918-ssrf-depth.yaml +103 -0
- package/rules/common/zm-java-cwe918-ssrf-resttemplate.yaml +77 -0
- package/rules/common/zm-java-cwe918-webclient.yaml +44 -0
- package/rules/common/zm-java-cwe94-ognl.yaml +66 -0
- package/rules/common/zm-java-cwe94-spel-injection.yaml +85 -0
- package/rules/common/zm-java-cwe94-spel.yaml +112 -0
- package/rules/common/zm-java-cwe94-ssti.yaml +22 -0
- package/rules/common/zm-java-cwe942-cors.yaml +15 -0
- package/rules/common/zm-js-cwe1321-prototype-pollution.yaml +61 -0
- package/rules/common/zm-js-cwe200-info-disclosure.yaml +95 -0
- package/rules/common/zm-js-cwe22-path-traversal-fs.yaml +113 -0
- package/rules/common/zm-js-cwe22-pathtraversal.yaml +111 -0
- package/rules/common/zm-js-cwe307-brute-force.yaml +136 -0
- package/rules/common/zm-js-cwe345-postmessage.yaml +75 -0
- package/rules/common/zm-js-cwe347-jwt-weak.yaml +95 -0
- package/rules/common/zm-js-cwe352-csrf.yaml +52 -0
- package/rules/common/zm-js-cwe384-session-fixation.yaml +132 -0
- package/rules/common/zm-js-cwe502-deserialization.yaml +119 -0
- package/rules/common/zm-js-cwe611-xxe.yaml +108 -0
- package/rules/common/zm-js-cwe639-idor.yaml +122 -0
- package/rules/common/zm-js-cwe693-helmet-missing.yaml +46 -0
- package/rules/common/zm-js-cwe78-exec.yaml +37 -0
- package/rules/common/zm-js-cwe78-spawn.yaml +37 -0
- package/rules/common/zm-js-cwe79-domxss.yaml +84 -0
- package/rules/common/zm-js-cwe79-react-xss.yaml +18 -0
- package/rules/common/zm-js-cwe79-xss-ejs.yaml +70 -0
- package/rules/common/zm-js-cwe89-sqli.yaml +153 -0
- package/rules/common/zm-js-cwe915-mass-assignment.yaml +111 -0
- package/rules/common/zm-js-cwe918-ssrf-fetch.yaml +134 -0
- package/rules/common/zm-js-cwe918-ssrf.yaml +132 -0
- package/rules/common/zm-js-cwe94-template-injection.yaml +130 -0
- package/rules/common/zm-js-cwe942-cors.yaml +49 -0
- package/rules/common/zm-js-cwe943-nosql-injection.yaml +52 -0
- package/rules/common/zm-js-cwe95-eval.yaml +59 -0
- package/rules/common/zm-js-cwe95-function-ctor.yaml +31 -0
- package/rules/common/zm-py-cwe22-path-traversal.yaml +86 -0
- package/rules/common/zm-py-cwe327-weak-crypto.yaml +103 -0
- package/rules/common/zm-py-cwe502-pickle.yaml +92 -0
- package/rules/common/zm-py-cwe611-xxe.yaml +100 -0
- package/rules/common/zm-py-cwe78-command-injection.yaml +121 -0
- package/rules/common/zm-py-cwe79-xss.yaml +123 -0
- package/rules/common/zm-py-cwe798-hardcoded-creds.yaml +86 -0
- package/rules/common/zm-py-cwe89-sqli.yaml +59 -0
- package/rules/common/zm-py-cwe918-ssrf.yaml +123 -0
- package/rules/common/zm-py-cwe94-ssti.yaml +87 -0
- package/rules/common/zm-py-cwe943-nosql-injection.yaml +123 -0
- package/rules/iac/ansible/zm-ansible-cwe269-privilege-escalation.yaml +63 -0
- package/rules/iac/ansible/zm-ansible-cwe78-command-injection.yaml +67 -0
- package/rules/iac/ansible/zm-ansible-cwe798-hardcoded-creds.yaml +93 -0
- package/rules/iac/terraform/zm-tf-cwe200-s3-bucket-public.yaml +100 -0
- package/rules/iac/terraform/zm-tf-cwe284-sg-wide-open.yaml +88 -0
- package/rules/iac/terraform/zm-tf-cwe311-iam-wildcard.yaml +83 -0
- package/rules/iac/terraform/zm-tf-cwe319-rds-public.yaml +72 -0
- package/rules/iac/terraform/zm-tf-cwe798-hardcoded-creds.yaml +102 -0
- package/rules/iac/zm-docker-cwe250-root-user.yaml +50 -0
- package/rules/iac/zm-docker-cwe400-resource-limit.yaml +92 -0
- package/rules/iac/zm-docker-security.yaml +104 -0
- package/rules/iac/zm-k8s-cwe200-service-account.yaml +83 -0
- package/rules/iac/zm-k8s-cwe250-privileged.yaml +56 -0
- package/rules/iac/zm-k8s-security.yaml +79 -0
- package/rules/rules_index.yaml.off +477 -0
- package/rules/semgrep-registry/anonymous-ldap-bind.yaml +34 -0
- package/rules/semgrep-registry/bad-hexa-conversion.yaml +32 -0
- package/rules/semgrep-registry/blowfish-insufficient-key-size.yaml +39 -0
- package/rules/semgrep-registry/cbc-padding-oracle.yaml +38 -0
- package/rules/semgrep-registry/command-injection-formatted-runtime-call.yaml +90 -0
- package/rules/semgrep-registry/command-injection-process-builder.yaml +148 -0
- package/rules/semgrep-registry/cookie-missing-httponly.yaml +38 -0
- package/rules/semgrep-registry/cookie-missing-secure-flag.yaml +38 -0
- package/rules/semgrep-registry/crlf-injection-logs.yaml +86 -0
- package/rules/semgrep-registry/dangerous-groovy-shell.yaml +46 -0
- package/rules/semgrep-registry/el-injection.yaml +137 -0
- package/rules/semgrep-registry/formatted-sql-string.yaml +95 -0
- package/rules/semgrep-registry/http-response-splitting.yaml +44 -0
- package/rules/semgrep-registry/index.txt +1 -0
- package/rules/semgrep-registry/insecure-smtp-connection.yaml +34 -0
- package/rules/semgrep-registry/java-reverse-shell.yaml +43 -0
- package/rules/semgrep-registry/jdbc-sql-formatted-string.yaml +120 -0
- package/rules/semgrep-registry/ldap-entry-poisoning.yaml +41 -0
- package/rules/semgrep-registry/ldap-injection.yaml +82 -0
- package/rules/semgrep-registry/md5-used-as-password.yaml +44 -0
- package/rules/semgrep-registry/object-deserialization.yaml +34 -0
- package/rules/semgrep-registry/ognl-injection.yaml +839 -0
- package/rules/semgrep-registry/overly-permissive-file-permission.yaml +49 -0
- package/rules/semgrep-registry/permissive-cors.yaml +77 -0
- package/rules/semgrep-registry/script-engine-injection.yaml +66 -0
- package/rules/semgrep-registry/tainted-cmd-from-http-request.yaml +74 -0
- package/rules/semgrep-registry/tainted-env-from-http-request.yaml +46 -0
- package/rules/semgrep-registry/tainted-ldapi-from-http-request.yaml +42 -0
- package/rules/semgrep-registry/tainted-session-from-http-request.yaml +70 -0
- package/rules/semgrep-registry/tainted-xpath-from-http-request.yaml +38 -0
- package/rules/semgrep-registry/unsafe-reflection.yaml +39 -0
- package/rules/semgrep-registry/unvalidated-redirect.yaml +127 -0
- package/rules/semgrep-registry/url-rewriting.yaml +82 -0
- package/rules/semgrep-registry/weak-ssl-context.yaml +34 -0
- package/rules/semgrep-registry/xml-decoder.yaml +53 -0
- package/rules/semgrep-registry/xssrequestwrapper-is-insecure.yaml +40 -0
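--- /dev/null
+++ b/package/rules/semgrep-registry/overly-permissive-file-permission.yaml
@@ -0,0 +1,49 @@
+rules:
+- id: overly-permissive-file-permission
+message: >-
+Detected file permissions that are overly permissive (read, write, and execute).
+It is generally a bad practices to set overly permissive file permission such
+as read+write+exec for all users.
+If the file affected is a configuration, a binary, a script or sensitive data,
+it can lead to privilege escalation or information leakage.
+Instead, follow the principle of least privilege and give users only the
+permissions they need.
+severity: WARNING
+languages: [java]
+metadata:
+cwe:
+- 'CWE-276: Incorrect Default Permissions'
+owasp:
+- A01:2021 - Broken Access Control
+- A01:2025 - Broken Access Control
+source-rule-url: https://find-sec-bugs.github.io/bugs.htm#OVERLY_PERMISSIVE_FILE_PERMISSION
+category: security
+technology:
+- java
+references:
+- https://owasp.org/Top10/A01_2021-Broken_Access_Control
+cwe2022-top25: true
+cwe2021-top25: true
+subcategory:
+- audit
+likelihood: LOW
+impact: MEDIUM
+confidence: LOW
+pattern-either:
+- pattern: java.nio.file.Files.setPosixFilePermissions($FILE, java.nio.file.attribute.PosixFilePermissions.fromString("=~/(^......r..$)|(^.......w.$)|(^........x$)/"));
+- pattern: |
+$TYPE $P = java.nio.file.attribute.PosixFilePermissions.fromString("=~/(^......r..$)|(^.......w.$)|(^........x$)/");
+...
+java.nio.file.Files.setPosixFilePermissions($FILE, $P);
+- pattern: |
+$P.add(java.nio.file.attribute.PosixFilePermission.OTHERS_READ);
+...
+java.nio.file.Files.setPosixFilePermissions($FILE, $P);
+- pattern: |
+$P.add(java.nio.file.attribute.PosixFilePermission.OTHERS_WRITE);
+...
+java.nio.file.Files.setPosixFilePermissions($FILE, $P);
+- pattern: |-
+$P.add(java.nio.file.attribute.PosixFilePermission.OTHERS_EXECUTE);
+...
+java.nio.file.Files.setPosixFilePermissions($FILE, $P);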
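Review bot: The patterns only inspect `java.nio.file.Files.setPosixFilePermissions`, so the java.io equivalents `file.setReadable(true, false)`, `file.setWritable(true, false)` and `file.setExecutable(true, false)` — whose `false` second argument grants the bit to every user — and permissions applied at creation via `PosixFilePermissions.asFileAttribute(...)` passed to `Files.createFile`/`createDirectory` go unreported. Three extra entries under `pattern-either` close the first gap: `- pattern: (java.io.File $F).setReadable(true, false)`, `- pattern: (java.io.File $F).setWritable(true, false)`, `- pattern: (java.io.File $F).setExecutable(true, false)`. The message speaks of "read, write, and execute" and "read+write+exec for all users", yet each regex alternative (`^......r..$`, `^.......w.$`, `^........x$`) and each `OTHERS_*` pattern fires on a single others bit, so a merely world-readable file is reported with text describing 0777; wording it as "read, write, or execute for other users" matches what is matched (and fixes "a bad practices").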
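--- /dev/null
+++ b/package/rules/semgrep-registry/permissive-cors.yaml
@@ -0,0 +1,77 @@
+rules:
+- id: permissive-cors
+message: >-
+https://find-sec-bugs.github.io/bugs.htm#PERMISSIVE_CORS
+Permissive CORS policy will allow a malicious application to communicate with
+the victim application in an inappropriate way, leading to spoofing, data theft,
+relay and other attacks.
+metadata:
+cwe:
+- 'CWE-183: Permissive List of Allowed Inputs'
+asvs:
+section: 'V14: Configuration Verification Requirements'
+control_id: 14.4.8 Permissive CORS
+control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x22-V14-Config.md#v144-http-security-headers-requirements
+version: '4'
+category: security
+technology:
+- java
+owasp:
+- A04:2021 - Insecure Design
+- A06:2025 - Insecure Design
+references:
+- https://owasp.org/Top10/A04_2021-Insecure_Design
+subcategory:
+- audit
+likelihood: LOW
+impact: LOW
+confidence: LOW
+severity: WARNING
+languages: [java]
+pattern-either:
+- pattern: |
+HttpServletResponse $RES = ...;
+...
+$RES.addHeader("=~/access-control-allow-origin/i", "=~/^\*|null$/i");
+- pattern: |
+HttpServletResponse $RES = ...;
+...
+$RES.setHeader("=~/access-control-allow-origin/i", "=~/^\*|null$/i");
+- pattern: |
+ServerHttpResponse $RES = ...;
+...
+$RES.getHeaders().add("=~/access-control-allow-origin/i", "=~/^\*|null$/i");
+- pattern: |
+HttpHeaders $HEADERS = ...;
+...
+$HEADERS.set("=~/access-control-allow-origin/i", "=~/^\*|null$/i");
+- pattern: |
+ServerWebExchange $SWE = ...;
+...
+$SWE.getResponse().getHeaders().add("Access-Control-Allow-Origin", "*");
+- pattern: |
+$X $METHOD(...,HttpServletResponse $RES,...) {
+...
+$RES.addHeader("=~/access-control-allow-origin/i", "=~/^\*|null$/i");
+...
+}
+- pattern: |
+$X $METHOD(...,HttpServletResponse $RES,...) {
+...
+$RES.setHeader("=~/access-control-allow-origin/i", "=~/^\*|null$/i");
+...
+}
+- pattern: |
+$X $METHOD(...,ServerHttpResponse $RES,...) {
+...
+$RES.getHeaders().add("=~/access-control-allow-origin/i", "=~/^\*|null$/i");
+...
+}
+- pattern: |
+$X $METHOD(...,ServerWebExchange $SWE,...) {
+...
+$SWE.getResponse().getHeaders().add("=~/access-control-allow-origin/i", "=~/^\*|null$/i");
+...
+}
+- pattern: ResponseEntity.$RES().header("=~/access-control-allow-origin/i", "=~/^\*|null$/i")
+- pattern: ServerResponse.$RES().header("=~/access-control-allow-origin/i", "=~/^\*|null$/i")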
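Review bot: The declaration-form `ServerWebExchange` pattern hard-codes `"Access-Control-Allow-Origin", "*"` while its method-parameter twin and every other variant use the case-insensitive regexes, so a `null` origin or non-canonical header casing is missed only on that path; make it `$SWE.getResponse().getHeaders().add("=~/access-control-allow-origin/i", "=~/^\*|null$/i");`. The rule also only catches the literal `*`/`null` values; the origin-reflection idiom `setHeader("Access-Control-Allow-Origin", request.getHeader("Origin"))` — the variant that actually exposes credentialed responses, since browsers reject `*` when `Access-Control-Allow-Credentials` is true — is not matched here and no sibling rule in the diffstat obviously covers Java, so a taint-mode companion with `(HttpServletRequest $REQ).getHeader("=~/^origin$/i")` as source and the ACAO header value as sink is worth adding. With that case in mind, `impact: LOW` understates what a permissive policy can leak.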
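--- /dev/null
+++ b/package/rules/semgrep-registry/script-engine-injection.yaml
@@ -0,0 +1,66 @@
+rules:
+- id: script-engine-injection
+message: >-
+Detected potential code injection using ScriptEngine. Ensure
+user-controlled data cannot enter '.eval()', otherwise, this is
+a code injection vulnerability.
+metadata:
+cwe:
+- "CWE-94: Improper Control of Generation of Code ('Code Injection')"
+owasp:
+- A03:2021 - Injection
+- A05:2025 - Injection
+source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SCRIPT_ENGINE_INJECTION
+category: security
+technology:
+- java
+references:
+- https://owasp.org/Top10/A03_2021-Injection
+cwe2022-top25: true
+subcategory:
+- audit
+likelihood: LOW
+impact: LOW
+confidence: LOW
+severity: WARNING
+languages: [java]
+patterns:
+- pattern-either:
+- pattern-inside: |
+class $CLASS {
+...
+ScriptEngine $SE;
+...
+}
+- pattern-inside: |
+class $CLASS {
+...
+ScriptEngine $SE = ...;
+...
+}
+- pattern-inside: |
+$X $METHOD(...) {
+...
+ScriptEngine $SE = ...;
+...
+}
+- pattern: |
+$X $METHOD(...) {
+...
+$SE.eval(...);
+...
+}
+- pattern-not: |
+$X $METHOD(...) {
+...
+$SE.eval("...");
+...
+}
+- pattern-not: |
+$X $METHOD(...) {
+...
+String $S = "...";
+...
+$SE.eval($S);
+...
+}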
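Review bot: The second `pattern-not` suppresses any method in which a `String $S = "...";` declaration precedes `$SE.eval($S);`, but the `...` between them admits reassignment, so `String s = "var x = "; s += request.getParameter("x"); engine.eval(s);` is silently excluded — exactly the injection this rule exists to catch. The match itself is only a presence check (a `ScriptEngine` declared in the class or method plus any non-literal `eval`), which is why it had to be filed as `audit` with `confidence: LOW`; a taint-mode rule with the servlet request as source and the `eval` argument as sink is more precise and has no reassignment blind spot, so I would replace the `patterns:` block with the taint definition below and keep the current rule only as a lower-severity fallback if desired. Separately, `impact: LOW` is hard to square with CWE-94 on a JSR-223 engine, where script `eval` reaches `java.lang.Runtime`; `impact: HIGH` with `likelihood: LOW` kept is the honest rating.
```yaml
mode: taint
pattern-sources:
  - pattern: (HttpServletRequest $REQ)
pattern-sinks:
  - patterns:
      - pattern: (javax.script.ScriptEngine $SE).eval($CODE, ...)
      - focus-metavariable: $CODE
# … unchanged: id, message, metadata, severity, languages …
```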
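--- /dev/null
+++ b/package/rules/semgrep-registry/tainted-cmd-from-http-request.yaml
@@ -0,0 +1,74 @@
+rules:
+- id: tainted-cmd-from-http-request
+message: >-
+Detected input from a HTTPServletRequest going into a 'ProcessBuilder' or 'exec' command. This could
+lead to command injection if variables passed into the exec commands are not properly sanitized. Instead,
+avoid using these OS commands with user-supplied input, or, if you must use these commands, use a
+whitelist of specific values.
+languages: [java]
+severity: ERROR
+mode: taint
+pattern-sources:
+- patterns:
+- pattern-either:
+- pattern: |
+(HttpServletRequest $REQ)
+- patterns: # this pattern is a hack to get the rule to recognize `map` as tainted source when `cookie.getValue(user_input)` is used.
+- pattern-inside: |
+(javax.servlet.http.Cookie[] $COOKIES) = (HttpServletRequest $REQ).getCookies(...);
+...
+for (javax.servlet.http.Cookie $COOKIE: $COOKIES) {
+...
+}
+- pattern: |
+$COOKIE.getValue(...)
+pattern-sinks:
+- patterns:
+- pattern-either:
+- pattern: |
+(ProcessBuilder $PB) = ...;
+- patterns:
+- pattern: |
+(Process $P) = ...;
+- pattern-not: |
+(Process $P) = (java.lang.Runtime $R).exec(...);
+- patterns:
+- pattern: (java.lang.Runtime $R).exec($CMD, ...);
+- focus-metavariable: $CMD
+- patterns:
+- pattern-either:
+- pattern-inside: |
+(java.util.List<$TYPE> $ARGLIST) = ...;
+...
+(ProcessBuilder $PB) = ...;
+...
+$PB.command($ARGLIST);
+- pattern-inside: |
+(java.util.List<$TYPE> $ARGLIST) = ...;
+...
+(ProcessBuilder $PB) = ...;
+- pattern-inside: |
+(java.util.List<$TYPE> $ARGLIST) = ...;
+...
+(Process $P) = ...;
+- pattern: |
+$ARGLIST.add(...);
+metadata:
+category: security
+technology:
+- java
+cwe:
+- "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+owasp:
+- A01:2017 - Injection
+- A03:2021 - Injection
+- A05:2025 - Injection
+references:
+- https://owasp.org/Top10/A03_2021-Injection
+cwe2022-top25: true
+cwe2021-top25: true
+subcategory:
+- vuln
+likelihood: MEDIUM
+impact: MEDIUM
+confidence: MEDIUM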
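Review bot: `ProcessBuilder` is a sink only at its declaration (`(ProcessBuilder $PB) = ...;`), so the two-step idiom `ProcessBuilder pb = new ProcessBuilder(); pb.command(request.getParameter("cmd"));` — or `pb.command(Arrays.asList(...))` — is not reported, because the `$ARGLIST.add(...)` sink only covers a list that was declared separately and later handed to `command`. Adding `- pattern: (ProcessBuilder $PB).command(...)` to the sink `pattern-either` closes that path. The `Runtime` sink is typed on a declared receiver `(java.lang.Runtime $R)`; whether the engine types the inline `Runtime.getRuntime().exec(cmd)` receiver is not something this hunk shows, so a test case for that idiom — or an explicit `- pattern: Runtime.getRuntime().exec($CMD, ...)` with the same `focus-metavariable: $CMD` — is worth adding, since that is the most common spelling in application code.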
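--- /dev/null
+++ b/package/rules/semgrep-registry/tainted-env-from-http-request.yaml
@@ -0,0 +1,46 @@
+rules:
+- id: tainted-env-from-http-request
+message: >-
+Detected input from a HTTPServletRequest going into the environment variables of an 'exec' command.
+Instead, call the command with user-supplied arguments by using the overloaded method with one String array as the argument.
+`exec({"command", "arg1", "arg2"})`.
+languages: [java]
+severity: ERROR
+mode: taint
+pattern-sources:
+- patterns:
+- pattern-either:
+- pattern: |
+(HttpServletRequest $REQ)
+- patterns: # this pattern is a hack to get the rule to recognize `map` as tainted source when `cookie.getValue(user_input)` is used.
+- pattern-inside: |
+(javax.servlet.http.Cookie[] $COOKIES) = (HttpServletRequest $REQ).getCookies(...);
+...
+for (javax.servlet.http.Cookie $COOKIE: $COOKIES) {
+...
+}
+- pattern: |
+$COOKIE.getValue(...)
+pattern-sinks:
+- patterns:
+- pattern: (java.lang.Runtime $R).exec($CMD, $ENV_ARGS, ...);
+- focus-metavariable: $ENV_ARGS
+metadata:
+category: security
+technology:
+- java
+cwe:
+- "CWE-454: External Initialization of Trusted Variables or Data Stores"
+owasp:
+- A01:2017 - Injection
+- A03:2021 - Injection
+- A05:2025 - Injection
+references:
+- https://owasp.org/Top10/A03_2021-Injection
+cwe2022-top25: false
+cwe2021-top25: false
+subcategory:
+- vuln
+likelihood: MEDIUM
+impact: MEDIUM
+confidence: MEDIUM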
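Review bot: The remediation in `message` — move the user input into the `String[] cmdarray` form — takes it out of the environment but still lets the request choose argv entries, which is argument injection (`-o`, `--output=`, options that spawn a shell) rather than a fix; the message should add that every user-supplied argument must be validated against an allowlist, as the sibling `tainted-cmd-from-http-request` rule already says. The only sink is `Runtime.exec($CMD, $ENV_ARGS, ...)`, while the `ProcessBuilder` route to the same process environment, `pb.environment().put(name, value)`, is not covered; adding `- pattern: (ProcessBuilder $PB).environment().put(...)` as a second sink keeps the two exec rules symmetric. Note that `severity: ERROR` plus `subcategory: vuln` here is stronger than the WARNING the LDAP rule gets for direct query injection, which looks inverted.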
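--- /dev/null
+++ b/package/rules/semgrep-registry/tainted-ldapi-from-http-request.yaml
@@ -0,0 +1,42 @@
+rules:
+- id: tainted-ldapi-from-http-request
+message: >-
+Detected input from a HTTPServletRequest going into an LDAP query.
+This could lead to LDAP injection if the input is not properly sanitized,
+which could result in attackers modifying objects in the LDAP tree structure.
+Ensure data passed to an LDAP query is not controllable or properly sanitize
+the data.
+metadata:
+cwe:
+- "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')"
+owasp:
+- A01:2017 - Injection
+- A03:2021 - Injection
+- A05:2025 - Injection
+references:
+- https://sensei.securecodewarrior.com/recipes/scw%3Ajava%3ALDAP-injection
+category: security
+technology:
+- java
+subcategory:
+- vuln
+impact: MEDIUM
+likelihood: MEDIUM
+confidence: MEDIUM
+severity: WARNING
+languages: [java]
+mode: taint
+pattern-sources:
+- patterns:
+- pattern: (HttpServletRequest $REQ)
+pattern-sinks:
+- patterns:
+- pattern-either:
+- pattern: |
+(javax.naming.directory.InitialDirContext $IDC).search(...)
+- pattern: |
+(javax.naming.directory.DirContext $CTX).search(...)
+- pattern-not: |
+(javax.naming.directory.InitialDirContext $IDC).search($Y, "...", ...)
+- pattern-not: |
+(javax.naming.directory.DirContext $CTX).search($Y, "...", ...)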
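Review bot: The message claims a tainted query lets attackers modify LDAP objects, but the only sinks are `InitialDirContext.search` and `DirContext.search`; taint reaching `lookup`, `modifyAttributes`, `bind`/`rebind` or `destroySubcontext` on the same contexts, or `search` on `javax.naming.ldap.LdapContext`/`InitialLdapContext`, is not reported, so either the sinks should grow (start with `- pattern: (javax.naming.ldap.LdapContext $LC).search(...)`) or the message should be narrowed to search-filter injection. The two `pattern-not` clauses exempt any call whose filter is a string literal, which correctly accepts the parameterized `search(base, "(uid={0})", args, controls)` form, but they also silence a tainted base DN in the first argument `$Y`, which is still injection; if that trade-off is intended it deserves a comment, otherwise use `focus-metavariable` on the filter argument instead of exempting the whole call. Spring `LdapTemplate` is outside this rule entirely and the message could say so.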
@@ -0,0 +1,70 @@
|
|
|
1
|
+
rules:
|
|
2
|
+
- id: tainted-session-from-http-request
|
|
3
|
+
message: >-
|
|
4
|
+
Detected input from a HTTPServletRequest going into a session command, like `setAttribute`.
|
|
5
|
+
User input into such a command could lead to an attacker inputting malicious code into your session
|
|
6
|
+
parameters, blurring the line between what's trusted and untrusted, and therefore leading to a trust
|
|
7
|
+
boundary violation.
|
|
8
|
+
This could lead to programmers trusting unvalidated data.
|
|
9
|
+
Instead, thoroughly sanitize user input before passing it
|
|
10
|
+
into such function calls.
|
|
11
|
+
languages: [java]
|
|
12
|
+
severity: WARNING
|
|
13
|
+
mode: taint
|
|
14
|
+
pattern-sources:
|
|
15
|
+
- patterns:
|
|
16
|
+
- pattern-either:
|
|
17
|
+
- patterns:
|
|
18
|
+
- pattern: |
|
|
19
|
+
(HttpServletRequest $REQ).$FUNC(...)
|
|
20
|
+
- pattern-not: |
|
|
21
|
+
(HttpServletRequest $REQ).getSession()
|
|
22
|
+
- patterns: # this pattern is a hack to get the rule to recognize `map` as tainted source when `cookie. getValue(user_input)` is used.
|
|
23
|
+
- pattern-inside: |
|
|
24
|
+
(javax.servlet.http.Cookie[] $COOKIES) = (HttpServletRequest $REQ).getCookies(...);
|
|
25
|
+
...
|
|
26
|
+
for (javax.servlet.http.Cookie $COOKIE: $COOKIES) {
|
|
27
|
+
...
|
|
28
|
+
}
|
|
29
|
+
- pattern: |
|
|
30
|
+
$COOKIE.getValue(...)
|
|
31
|
+
- patterns: # use this pattern to catch cases where tainted array values are assigned to a variable (not caught by taint)
|
|
32
|
+
- pattern-inside: |
|
|
33
|
+
$TYPE[] $VALS = (HttpServletRequest $REQ).$GETFUNC(... );
|
|
34
|
+
...
|
|
35
|
+
- pattern: |
|
|
36
|
+
$PARAM = $VALS[$INDEX];
|
|
37
|
+
- patterns: # use this pattern to catch cases where request headers are later decoded
|
|
38
|
+
- pattern-inside: |
|
|
39
|
+
$HEADERS = (HttpServletRequest $REQ).getHeaders(...);
|
|
40
|
+
...
|
|
41
|
+
$PARAM = $HEADERS.$FUNC(...);
|
|
42
|
+
...
|
|
43
|
+
- pattern: |
|
|
44
|
+
java.net.URLDecoder.decode($PARAM, ...)
|
|
45
|
+
pattern-sinks:
|
|
46
|
+
- patterns:
|
|
47
|
+
- pattern: (HttpServletRequest $REQ).getSession().$FUNC($NAME, $VALUE);
|
|
48
|
+
- metavariable-regex:
|
|
49
|
+
metavariable: $FUNC
|
|
50
|
+
regex: ^(putValue|setAttribute)$
|
|
51
|
+
- focus-metavariable: $VALUE
|
|
52
|
+
options:
|
|
53
|
+
interfile: true
|
|
54
|
+
metadata:
|
|
55
|
+
category: security
|
|
56
|
+
technology:
|
|
57
|
+
- java
|
|
58
|
+
cwe:
|
|
59
|
+
- 'CWE-501: Trust Boundary Violation'
|
|
60
|
+
owasp:
|
|
61
|
+
- A04:2021 - Insecure Design
|
|
62
|
+
- A06:2025 - Insecure Design
|
|
63
|
+
references:
|
|
64
|
+
- https://owasp.org/Top10/A04_2021-Insecure_Design
|
|
65
|
+
subcategory:
|
|
66
|
+
- vuln
|
|
67
|
+
impact: MEDIUM
|
|
68
|
+
likelihood: MEDIUM
|
|
69
|
+
confidence: MEDIUM
|
|
70
|
+
interfile: true
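Review bot: The sink at line 47 only matches the inline chain `(HttpServletRequest $REQ).getSession().$FUNC($NAME, $VALUE)`, so the common two-step form `HttpSession s = req.getSession(); s.setAttribute(name, value)` is never a sink, and because `getSession()` without `...` matches only the zero-argument call, `req.getSession(true).setAttribute(...)` is missed as well. The same zero-argument issue applies to the source exclusion at line 21, where `getSession(true)` remains a tainted source. Widen both to `getSession(...)` and add a typed `HttpSession` receiver as a second sink under a `pattern-either`, keeping the existing `metavariable-regex` and `focus-metavariable` unchanged.
```yaml
pattern-sinks:
  - patterns:
      - pattern-either:
          - pattern: (HttpServletRequest $REQ).getSession(...).$FUNC($NAME, $VALUE);
          - pattern: (javax.servlet.http.HttpSession $SESS).$FUNC($NAME, $VALUE);
      # … unchanged: metavariable-regex on $FUNC, focus-metavariable $VALUE …
# … unchanged: options, metadata …
```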
|
|
@@ -0,0 +1,38 @@
|
|
|
1
|
+
rules:
|
|
2
|
+
- id: tainted-xpath-from-http-request
|
|
3
|
+
message: >-
|
|
4
|
+
Detected input from a HTTPServletRequest going into a XPath evaluate or compile command. This could
|
|
5
|
+
lead to xpath injection if variables passed into the evaluate or compile commands are not properly
|
|
6
|
+
sanitized.
|
|
7
|
+
Xpath injection could lead to unauthorized access to sensitive information in XML documents.
|
|
8
|
+
Instead, thoroughly sanitize user input or use parameterized xpath queries if you can.
|
|
9
|
+
languages: [java]
|
|
10
|
+
severity: WARNING
|
|
11
|
+
mode: taint
|
|
12
|
+
pattern-sources:
|
|
13
|
+
- patterns:
|
|
14
|
+
- pattern: |
|
|
15
|
+
(HttpServletRequest $REQ).$FUNC(...)
|
|
16
|
+
pattern-sinks:
|
|
17
|
+
- patterns:
|
|
18
|
+
- pattern-either:
|
|
19
|
+
- pattern: |
|
|
20
|
+
(javax.xml.xpath.XPath $XP).evaluate(...)
|
|
21
|
+
- pattern: |
|
|
22
|
+
(javax.xml.xpath.XPath $XP).compile(...).evaluate(...)
|
|
23
|
+
metadata:
|
|
24
|
+
category: security
|
|
25
|
+
technology:
|
|
26
|
+
- java
|
|
27
|
+
cwe:
|
|
28
|
+
- "CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')"
|
|
29
|
+
owasp:
|
|
30
|
+
- A03:2021 - Injection
|
|
31
|
+
- A05:2025 - Injection
|
|
32
|
+
references:
|
|
33
|
+
- https://owasp.org/Top10/A03_2021-Injection
|
|
34
|
+
subcategory:
|
|
35
|
+
- vuln
|
|
36
|
+
likelihood: HIGH
|
|
37
|
+
impact: MEDIUM
|
|
38
|
+
confidence: MEDIUM
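Review bot: The sinks at lines 20–22 miss the two-step form `XPathExpression e = xp.compile(expr); e.evaluate(doc)`, because only `evaluate(...)` called directly on an `XPath`, or `compile(...)` chained straight into `evaluate(...)`, is a sink; the injection occurs at `compile`, so adding `- pattern: (javax.xml.xpath.XPath $XP).compile(...)` to the `pattern-either` closes that gap and makes the chained pattern at line 22 redundant. Neither sink focuses on the expression argument, so a tainted document or `InputSource` passed as the second argument of `evaluate` could also fire; a `focus-metavariable` on the expression argument would remove that noise. The source `(HttpServletRequest $REQ).$FUNC(...)` at line 15 is broader than the session rule's, which excludes `getSession()`; the two should probably agree.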
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
rules:
|
|
2
|
+
- id: unsafe-reflection
|
|
3
|
+
patterns:
|
|
4
|
+
- pattern: |
|
|
5
|
+
Class.forName($CLASS,...)
|
|
6
|
+
- pattern-not: |
|
|
7
|
+
Class.forName("...",...)
|
|
8
|
+
- pattern-not-inside: |
|
|
9
|
+
$CLASS = "...";
|
|
10
|
+
...
|
|
11
|
+
message: >-
|
|
12
|
+
If an attacker can supply values that the application then uses to determine which
|
|
13
|
+
class to instantiate or which method to invoke,
|
|
14
|
+
the potential exists for the attacker to create control flow paths through the
|
|
15
|
+
application
|
|
16
|
+
that were not intended by the application developers.
|
|
17
|
+
This attack vector may allow the attacker to bypass authentication or access control
|
|
18
|
+
checks
|
|
19
|
+
or otherwise cause the application to behave in an unexpected manner.
|
|
20
|
+
metadata:
|
|
21
|
+
cwe:
|
|
22
|
+
- "CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')"
|
|
23
|
+
owasp:
|
|
24
|
+
- A03:2021 - Injection
|
|
25
|
+
- A05:2025 - Injection
|
|
26
|
+
source-rule-url: https://owasp.org/www-community/vulnerabilities/Unsafe_use_of_Reflection
|
|
27
|
+
category: security
|
|
28
|
+
technology:
|
|
29
|
+
- java
|
|
30
|
+
references:
|
|
31
|
+
- https://owasp.org/Top10/A03_2021-Injection
|
|
32
|
+
subcategory:
|
|
33
|
+
- audit
|
|
34
|
+
likelihood: LOW
|
|
35
|
+
impact: LOW
|
|
36
|
+
confidence: LOW
|
|
37
|
+
severity: WARNING
|
|
38
|
+
languages:
|
|
39
|
+
- java
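Review bot: The exclusion at lines 8–10 suppresses the finding only when a literal assignment to `$CLASS` precedes the call within the same matched scope; a class name held in a `static final` field or read from trusted configuration may still be reported, which is consistent with the `audit` subcategory and LOW confidence but worth stating in the message, e.g. `Review whether the class name can be influenced by untrusted input; literal and constant class names are not affected.` The rule also covers only `Class.forName`; `(ClassLoader $CL).loadClass($CLASS)` is the same primitive and could be added as a second pattern under a `pattern-either`, with the same literal exclusions applied to it.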
|
|
@@ -0,0 +1,127 @@
|
|
|
1
|
+
rules:
|
|
2
|
+
- id: unvalidated-redirect
|
|
3
|
+
message: >-
|
|
4
|
+
Application redirects to a destination URL specified by a user-supplied
|
|
5
|
+
parameter that is not validated. This could direct users to malicious locations.
|
|
6
|
+
Consider using an allowlist to validate URLs.
|
|
7
|
+
metadata:
|
|
8
|
+
cwe:
|
|
9
|
+
- "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
|
|
10
|
+
owasp:
|
|
11
|
+
- A01:2021 - Broken Access Control
|
|
12
|
+
- A01:2025 - Broken Access Control
|
|
13
|
+
source-rule-url: https://find-sec-bugs.github.io/bugs.htm#UNVALIDATED_REDIRECT
|
|
14
|
+
asvs:
|
|
15
|
+
section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
|
|
16
|
+
control_id: 5.1.5 Open Redirect
|
|
17
|
+
control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v51-input-validation-requirements
|
|
18
|
+
version: '4'
|
|
19
|
+
category: security
|
|
20
|
+
technology:
|
|
21
|
+
- java
|
|
22
|
+
references:
|
|
23
|
+
- https://owasp.org/Top10/A01_2021-Broken_Access_Control
|
|
24
|
+
subcategory:
|
|
25
|
+
- vuln
|
|
26
|
+
impact: LOW
|
|
27
|
+
likelihood: MEDIUM
|
|
28
|
+
confidence: MEDIUM
|
|
29
|
+
severity: WARNING
|
|
30
|
+
languages: [java]
|
|
31
|
+
pattern-either:
|
|
32
|
+
- pattern: |
|
|
33
|
+
$X $METHOD(...,HttpServletResponse $RES,...,String $URL,...) {
|
|
34
|
+
...
|
|
35
|
+
$RES.sendRedirect($URL);
|
|
36
|
+
...
|
|
37
|
+
}
|
|
38
|
+
- pattern: |
|
|
39
|
+
$X $METHOD(...,String $URL,...,HttpServletResponse $RES,...) {
|
|
40
|
+
...
|
|
41
|
+
$RES.sendRedirect($URL);
|
|
42
|
+
...
|
|
43
|
+
}
|
|
44
|
+
- pattern: |
|
|
45
|
+
$X $METHOD(...,HttpServletRequest $REQ,...,HttpServletResponse $RES,...) {
|
|
46
|
+
...
|
|
47
|
+
String $URL = $REQ.getParameter(...);
|
|
48
|
+
...
|
|
49
|
+
$RES.sendRedirect($URL);
|
|
50
|
+
...
|
|
51
|
+
}
|
|
52
|
+
- pattern: |
|
|
53
|
+
$X $METHOD(...,HttpServletResponse $RES,...,HttpServletRequest $REQ,...) {
|
|
54
|
+
...
|
|
55
|
+
String $URL = $REQ.getParameter(...);
|
|
56
|
+
...
|
|
57
|
+
$RES.sendRedirect($URL);
|
|
58
|
+
...
|
|
59
|
+
}
|
|
60
|
+
- pattern: |
|
|
61
|
+
$X $METHOD(...,String $URL,...) {
|
|
62
|
+
...
|
|
63
|
+
HttpServletResponse $RES = ...;
|
|
64
|
+
...
|
|
65
|
+
$RES.sendRedirect($URL);
|
|
66
|
+
...
|
|
67
|
+
}
|
|
68
|
+
- pattern: |
|
|
69
|
+
$X $METHOD(...,HttpServletRequest $REQ,...,HttpServletResponse $RES,...) {
|
|
70
|
+
...
|
|
71
|
+
$RES.sendRedirect($REQ.getParameter(...));
|
|
72
|
+
...
|
|
73
|
+
}
|
|
74
|
+
- pattern: |
|
|
75
|
+
$X $METHOD(...,HttpServletResponse $RES,...,HttpServletRequest $REQ,...) {
|
|
76
|
+
...
|
|
77
|
+
$RES.sendRedirect($REQ.getParameter(...));
|
|
78
|
+
...
|
|
79
|
+
}
|
|
80
|
+
- pattern: |
|
|
81
|
+
$X $METHOD(...,HttpServletResponse $RES,...,String $URL,...) {
|
|
82
|
+
...
|
|
83
|
+
$RES.addHeader("Location",$URL);
|
|
84
|
+
...
|
|
85
|
+
}
|
|
86
|
+
- pattern: |
|
|
87
|
+
$X $METHOD(...,String $URL,...,HttpServletResponse $RES,...) {
|
|
88
|
+
...
|
|
89
|
+
$RES.addHeader("Location",$URL);
|
|
90
|
+
...
|
|
91
|
+
}
|
|
92
|
+
- pattern: |
|
|
93
|
+
$X $METHOD(...,HttpServletRequest $REQ,...,HttpServletResponse $RES,...) {
|
|
94
|
+
...
|
|
95
|
+
String $URL = $REQ.getParameter(...);
|
|
96
|
+
...
|
|
97
|
+
$RES.addHeader("Location",$URL);
|
|
98
|
+
...
|
|
99
|
+
}
|
|
100
|
+
- pattern: |
|
|
101
|
+
$X $METHOD(...,HttpServletResponse $RES,...,HttpServletRequest $REQ,...) {
|
|
102
|
+
...
|
|
103
|
+
String $URL = $REQ.getParameter(...);
|
|
104
|
+
...
|
|
105
|
+
$RES.addHeader("Location",$URL);
|
|
106
|
+
...
|
|
107
|
+
}
|
|
108
|
+
- pattern: |
|
|
109
|
+
$X $METHOD(...,String $URL,...) {
|
|
110
|
+
...
|
|
111
|
+
HttpServletResponse $RES = ...;
|
|
112
|
+
...
|
|
113
|
+
$RES.addHeader("Location",$URL);
|
|
114
|
+
...
|
|
115
|
+
}
|
|
116
|
+
- pattern: |
|
|
117
|
+
$X $METHOD(...,HttpServletRequest $REQ,...,HttpServletResponse $RES,...) {
|
|
118
|
+
...
|
|
119
|
+
$RES.addHeader("Location",$REQ.getParameter(...));
|
|
120
|
+
...
|
|
121
|
+
}
|
|
122
|
+
- pattern: |-
|
|
123
|
+
$X $METHOD(...,HttpServletResponse $RES,...,HttpServletRequest $REQ,...) {
|
|
124
|
+
...
|
|
125
|
+
$RES.addHeader("Location",$REQ.getParameter(...));
|
|
126
|
+
...
|
|
127
|
+
}
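Review bot: The sixteen search-mode patterns at lines 32–127 enumerate parameter orders but still miss common variants: the sink `$RES.setHeader("Location", ...)` is absent (only `addHeader` is covered, lines 83–125), and `getParameter` is the only request accessor used, so a redirect target taken from `getHeader("Referer")` or `getQueryString()` never matches. Because `...` matches any intervening statements, an allowlist check between the parameter and the redirect does not suppress the finding, while the `String $URL` parameter patterns at lines 33, 39, 61, 81, 87 and 109 flag every helper that redirects to a string argument whether or not it is user-supplied. A `mode: taint` rule with request accessors as sources and the redirect/Location calls as sinks collapses these cases and handles argument order and intermediate variables; the id, message and metadata can stay as they are.
```yaml
# … unchanged: id, message, metadata, severity, languages …
mode: taint
pattern-sources:
  - pattern: (HttpServletRequest $REQ).$FUNC(...)
pattern-sinks:
  - patterns:
      - pattern-either:
          - pattern: (HttpServletResponse $RES).sendRedirect($URL)
          - pattern: (HttpServletResponse $RES).addHeader("Location", $URL)
          - pattern: (HttpServletResponse $RES).setHeader("Location", $URL)
      - focus-metavariable: $URL
```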
|