@zhuma4/cli 4.0.0-alpha.1
- package/README.md +42 -0
- package/dist/commands/config.d.ts +3 -0
- package/dist/commands/config.d.ts.map +1 -0
- package/dist/commands/config.js +18 -0
- package/dist/commands/config.js.map +1 -0
- package/dist/commands/init.d.ts +3 -0
- package/dist/commands/init.d.ts.map +1 -0
- package/dist/commands/init.js +11 -0
- package/dist/commands/init.js.map +1 -0
- package/dist/commands/scan.d.ts +3 -0
- package/dist/commands/scan.d.ts.map +1 -0
- package/dist/commands/scan.js +96 -0
- package/dist/commands/scan.js.map +1 -0
- package/dist/commands/scan_appid.d.ts +20 -0
- package/dist/commands/scan_appid.d.ts.map +1 -0
- package/dist/commands/scan_appid.js +301 -0
- package/dist/commands/scan_appid.js.map +1 -0
- package/dist/commands/scan_manifest.d.ts +13 -0
- package/dist/commands/scan_manifest.d.ts.map +1 -0
- package/dist/commands/scan_manifest.js +103 -0
- package/dist/commands/scan_manifest.js.map +1 -0
- package/dist/engine/api-submit.d.ts +16 -0
- package/dist/engine/api-submit.d.ts.map +1 -0
- package/dist/engine/api-submit.js +66 -0
- package/dist/engine/api-submit.js.map +1 -0
- package/dist/engine/batch_scan.d.ts +36 -0
- package/dist/engine/batch_scan.d.ts.map +1 -0
- package/dist/engine/batch_scan.js +192 -0
- package/dist/engine/batch_scan.js.map +1 -0
- package/dist/engine/config.d.ts +12 -0
- package/dist/engine/config.d.ts.map +1 -0
- package/dist/engine/config.js +27 -0
- package/dist/engine/config.js.map +1 -0
- package/dist/engine/errors.d.ts +36 -0
- package/dist/engine/errors.d.ts.map +1 -0
- package/dist/engine/errors.js +99 -0
- package/dist/engine/errors.js.map +1 -0
- package/dist/engine/filter.d.ts +13 -0
- package/dist/engine/filter.d.ts.map +1 -0
- package/dist/engine/filter.js +64 -0
- package/dist/engine/filter.js.map +1 -0
- package/dist/engine/finding_classifier.d.ts +108 -0
- package/dist/engine/finding_classifier.d.ts.map +1 -0
- package/dist/engine/finding_classifier.js +440 -0
- package/dist/engine/finding_classifier.js.map +1 -0
- package/dist/engine/incremental/engine.d.ts +25 -0
- package/dist/engine/incremental/engine.d.ts.map +1 -0
- package/dist/engine/incremental/engine.js +337 -0
- package/dist/engine/incremental/engine.js.map +1 -0
- package/dist/engine/incremental/git-diff.d.ts +19 -0
- package/dist/engine/incremental/git-diff.d.ts.map +1 -0
- package/dist/engine/incremental/git-diff.js +175 -0
- package/dist/engine/incremental/git-diff.js.map +1 -0
- package/dist/engine/incremental/types.d.ts +33 -0
- package/dist/engine/incremental/types.d.ts.map +1 -0
- package/dist/engine/incremental/types.js +11 -0
- package/dist/engine/incremental/types.js.map +1 -0
- package/dist/engine/manifest_scanner.d.ts +48 -0
- package/dist/engine/manifest_scanner.d.ts.map +1 -0
- package/dist/engine/manifest_scanner.js +599 -0
- package/dist/engine/manifest_scanner.js.map +1 -0
- package/dist/engine/project.d.ts +22 -0
- package/dist/engine/project.d.ts.map +1 -0
- package/dist/engine/project.js +279 -0
- package/dist/engine/project.js.map +1 -0
- package/dist/engine/sarif.d.ts +13 -0
- package/dist/engine/sarif.d.ts.map +1 -0
- package/dist/engine/sarif.js +44 -0
- package/dist/engine/sarif.js.map +1 -0
- package/dist/engine/sca-integration.d.ts +36 -0
- package/dist/engine/sca-integration.d.ts.map +1 -0
- package/dist/engine/sca-integration.js +91 -0
- package/dist/engine/sca-integration.js.map +1 -0
- package/dist/engine/scanner.d.ts +18 -0
- package/dist/engine/scanner.d.ts.map +1 -0
- package/dist/engine/scanner.js +138 -0
- package/dist/engine/scanner.js.map +1 -0
- package/dist/index.d.ts +13 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +41 -0
- package/dist/index.js.map +1 -0
- package/dist/report/render.d.ts +23 -0
- package/dist/report/render.d.ts.map +1 -0
- package/dist/report/render.js +335 -0
- package/dist/report/render.js.map +1 -0
- package/package.json +41 -0
- package/rules/android/mobile-cleartext-traffic.yaml +46 -0
- package/rules/android/mobile-component-security.yaml +107 -0
- package/rules/android/mobile-crypto-weakness.yaml +139 -0
- package/rules/android/mobile-cwe-1021-tapjacking.yaml +81 -0
- package/rules/android/mobile-cwe-114-dynamic-dex-loading.yaml +41 -0
- package/rules/android/mobile-cwe-200-clipboard-data-leak.yaml +66 -0
- package/rules/android/mobile-cwe-200-debug-builds.yaml +111 -0
- package/rules/android/mobile-cwe-200-log-sensitive-data.yaml +61 -0
- package/rules/android/mobile-cwe-200-webview-debugging.yaml +56 -0
- package/rules/android/mobile-cwe-200-webview-universal-access.yaml +30 -0
- package/rules/android/mobile-cwe-200-window-flags.yaml +96 -0
- package/rules/android/mobile-cwe-22-content-provider-openfile.yaml +73 -0
- package/rules/android/mobile-cwe-22-path-traversal.yaml +86 -0
- package/rules/android/mobile-cwe-287-biometric-weakness.yaml +102 -0
- package/rules/android/mobile-cwe-295-cert-pinning-missing.yaml +78 -0
- package/rules/android/mobile-cwe-295-webview-ssl-bypass.yaml +104 -0
- package/rules/android/mobile-cwe-312-cleartext-storage.yaml +109 -0
- package/rules/android/mobile-cwe-319-cleartext-communication.yaml +84 -0
- package/rules/android/mobile-cwe-321-hardcoded-crypto-keys.yaml +132 -0
- package/rules/android/mobile-cwe-326-short-rsa.yaml +108 -0
- package/rules/android/mobile-cwe-327-rc4-3des.yaml +107 -0
- package/rules/android/mobile-cwe-329-cbc-padding-oracle.yaml +76 -0
- package/rules/android/mobile-cwe-470-reflection-injection.yaml +39 -0
- package/rules/android/mobile-cwe-489-root-detection-weak.yaml +125 -0
- package/rules/android/mobile-cwe-489-stetho-debug.yaml +107 -0
- package/rules/android/mobile-cwe-502-insecure-deserialization.yaml +76 -0
- package/rules/android/mobile-cwe-552-world-readable-files.yaml +63 -0
- package/rules/android/mobile-cwe-749-webview-java-objects.yaml +78 -0
- package/rules/android/mobile-cwe-749-webview-jsbridge.yaml +57 -0
- package/rules/android/mobile-cwe-749-webview-loadurl-injection.yaml +80 -0
- package/rules/android/mobile-cwe-78-command-injection.yaml +77 -0
- package/rules/android/mobile-cwe-780-rsa-no-oaep.yaml +80 -0
- package/rules/android/mobile-cwe-79-webview-setdata.yaml +78 -0
- package/rules/android/mobile-cwe-79-webview-xss.yaml +65 -0
- package/rules/android/mobile-cwe-798-hardcoded-credentials.yaml +108 -0
- package/rules/android/mobile-cwe-89-sql-injection.yaml +100 -0
- package/rules/android/mobile-cwe-927-implicit-intent.yaml +121 -0
- package/rules/android/mobile-cwe-927-ipc-file-provider.yaml +102 -0
- package/rules/android/mobile-cwe-939-deeplink-validation.yaml +76 -0
- package/rules/android/mobile-sdk-google-firebase-open.yaml +117 -0
- package/rules/android/mobile-sdk-tencent-tpns-config-leak.yaml +131 -0
- package/rules/android/mobile-secrets-storage.yaml +136 -0
- package/rules/android/mobile-webview-security.yaml +88 -0
- package/rules/common/cwe-200-sensitive-data-exposure.yaml +61 -0
- package/rules/common/cwe-22-path-traversal.yaml +47 -0
- package/rules/common/cwe-295-ssl-bypass.yaml +217 -0
- package/rules/common/cwe-295-ssl-verification-disabled.yaml +64 -0
- package/rules/common/cwe-306-missing-authentication.yaml +44 -0
- package/rules/common/cwe-326-weak-key-size.yaml +107 -0
- package/rules/common/cwe-327-weak-crypto.yaml +177 -0
- package/rules/common/cwe-328-weak-hash.yaml +96 -0
- package/rules/common/cwe-329-cbc-mode.yaml +26 -0
- package/rules/common/cwe-352-csrf.yaml +23 -0
- package/rules/common/cwe-434-unrestricted-file-upload.yaml +41 -0
- package/rules/common/cwe-502-insecure-deserialization.yaml +44 -0
- package/rules/common/cwe-601-url-redirect.yaml +110 -0
- package/rules/common/cwe-611-xxe.yaml +70 -0
- package/rules/common/cwe-732-incorrect-permission.yaml +49 -0
- package/rules/common/cwe-770-resource-exhaustion.yaml +44 -0
- package/rules/common/cwe-78-os-command-injection.yaml +43 -0
- package/rules/common/cwe-787-out-of-bounds-write.yaml +37 -0
- package/rules/common/cwe-79-xss.yaml +51 -0
- package/rules/common/cwe-862-missing-authorization.yaml +40 -0
- package/rules/common/cwe-89-sqli.yaml +89 -0
- package/rules/common/cwe-918-ssrf.yaml +45 -0
- package/rules/common/cwe-94-code-injection.yaml +59 -0
- package/rules/common/zm-go-cwe22-path-traversal-fs.yaml +117 -0
- package/rules/common/zm-go-cwe22-path-traversal.yaml +103 -0
- package/rules/common/zm-go-cwe307-brute-force.yaml +129 -0
- package/rules/common/zm-go-cwe326-weak-crypto.yaml +124 -0
- package/rules/common/zm-go-cwe327-weak-cipher.yaml +152 -0
- package/rules/common/zm-go-cwe384-session-fixation.yaml +128 -0
- package/rules/common/zm-go-cwe502-deserialization.yaml +120 -0
- package/rules/common/zm-go-cwe78-command-injection.yaml +95 -0
- package/rules/common/zm-go-cwe79-xss.yaml +104 -0
- package/rules/common/zm-go-cwe798-hardcoded-creds.yaml +153 -0
- package/rules/common/zm-go-cwe89-sqli.yaml +89 -0
- package/rules/common/zm-go-cwe918-ssrf.yaml +117 -0
- package/rules/common/zm-java-cwe117-log-injection.yaml +83 -0
- package/rules/common/zm-java-cwe117-logforging.yaml +153 -0
- package/rules/common/zm-java-cwe200-actuator-exposure.yaml +8 -0
- package/rules/common/zm-java-cwe200-info-disclosure.yaml +91 -0
- package/rules/common/zm-java-cwe22-file-depth.yaml +135 -0
- package/rules/common/zm-java-cwe22-path-traversal-spring.yaml +81 -0
- package/rules/common/zm-java-cwe284-missing-auth-spring.yaml +131 -0
- package/rules/common/zm-java-cwe295-webview-ssl.yaml +123 -0
- package/rules/common/zm-java-cwe327-weakcrypto.yaml +197 -0
- package/rules/common/zm-java-cwe347-jwt.yaml +30 -0
- package/rules/common/zm-java-cwe352-csrf-depth.yaml +107 -0
- package/rules/common/zm-java-cwe352-csrf-disabled.yaml +15 -0
- package/rules/common/zm-java-cwe501-trust-boundary.yaml +124 -0
- package/rules/common/zm-java-cwe502-deserial-depth.yaml +128 -0
- package/rules/common/zm-java-cwe502-fastjson.yaml +137 -0
- package/rules/common/zm-java-cwe502-gadget.yaml +158 -0
- package/rules/common/zm-java-cwe502-jndi-injection.yaml +91 -0
- package/rules/common/zm-java-cwe502-shiro.yaml +108 -0
- package/rules/common/zm-java-cwe601-url-redirect-spring.yaml +85 -0
- package/rules/common/zm-java-cwe611-xxe-enhanced.yaml +80 -0
- package/rules/common/zm-java-cwe611-xxe-transformer.yaml +85 -0
- package/rules/common/zm-java-cwe639-idor.yaml +123 -0
- package/rules/common/zm-java-cwe79-xss-depth.yaml +98 -0
- package/rules/common/zm-java-cwe862-authz-depth.yaml +127 -0
- package/rules/common/zm-java-cwe915-mass-assignment.yaml +16 -0
- package/rules/common/zm-java-cwe917-expression-injection.yaml +120 -0
- package/rules/common/zm-java-cwe918-resttemplate.yaml +67 -0
- package/rules/common/zm-java-cwe918-ssrf-depth.yaml +103 -0
- package/rules/common/zm-java-cwe918-ssrf-resttemplate.yaml +77 -0
- package/rules/common/zm-java-cwe918-webclient.yaml +44 -0
- package/rules/common/zm-java-cwe94-ognl.yaml +66 -0
- package/rules/common/zm-java-cwe94-spel-injection.yaml +85 -0
- package/rules/common/zm-java-cwe94-spel.yaml +112 -0
- package/rules/common/zm-java-cwe94-ssti.yaml +22 -0
- package/rules/common/zm-java-cwe942-cors.yaml +15 -0
- package/rules/common/zm-js-cwe1321-prototype-pollution.yaml +61 -0
- package/rules/common/zm-js-cwe200-info-disclosure.yaml +95 -0
- package/rules/common/zm-js-cwe22-path-traversal-fs.yaml +113 -0
- package/rules/common/zm-js-cwe22-pathtraversal.yaml +111 -0
- package/rules/common/zm-js-cwe307-brute-force.yaml +136 -0
- package/rules/common/zm-js-cwe345-postmessage.yaml +75 -0
- package/rules/common/zm-js-cwe347-jwt-weak.yaml +95 -0
- package/rules/common/zm-js-cwe352-csrf.yaml +52 -0
- package/rules/common/zm-js-cwe384-session-fixation.yaml +132 -0
- package/rules/common/zm-js-cwe502-deserialization.yaml +119 -0
- package/rules/common/zm-js-cwe611-xxe.yaml +108 -0
- package/rules/common/zm-js-cwe639-idor.yaml +122 -0
- package/rules/common/zm-js-cwe693-helmet-missing.yaml +46 -0
- package/rules/common/zm-js-cwe78-exec.yaml +37 -0
- package/rules/common/zm-js-cwe78-spawn.yaml +37 -0
- package/rules/common/zm-js-cwe79-domxss.yaml +84 -0
- package/rules/common/zm-js-cwe79-react-xss.yaml +18 -0
- package/rules/common/zm-js-cwe79-xss-ejs.yaml +70 -0
- package/rules/common/zm-js-cwe89-sqli.yaml +153 -0
- package/rules/common/zm-js-cwe915-mass-assignment.yaml +111 -0
- package/rules/common/zm-js-cwe918-ssrf-fetch.yaml +134 -0
- package/rules/common/zm-js-cwe918-ssrf.yaml +132 -0
- package/rules/common/zm-js-cwe94-template-injection.yaml +130 -0
- package/rules/common/zm-js-cwe942-cors.yaml +49 -0
- package/rules/common/zm-js-cwe943-nosql-injection.yaml +52 -0
- package/rules/common/zm-js-cwe95-eval.yaml +59 -0
- package/rules/common/zm-js-cwe95-function-ctor.yaml +31 -0
- package/rules/common/zm-py-cwe22-path-traversal.yaml +86 -0
- package/rules/common/zm-py-cwe327-weak-crypto.yaml +103 -0
- package/rules/common/zm-py-cwe502-pickle.yaml +92 -0
- package/rules/common/zm-py-cwe611-xxe.yaml +100 -0
- package/rules/common/zm-py-cwe78-command-injection.yaml +121 -0
- package/rules/common/zm-py-cwe79-xss.yaml +123 -0
- package/rules/common/zm-py-cwe798-hardcoded-creds.yaml +86 -0
- package/rules/common/zm-py-cwe89-sqli.yaml +59 -0
- package/rules/common/zm-py-cwe918-ssrf.yaml +123 -0
- package/rules/common/zm-py-cwe94-ssti.yaml +87 -0
- package/rules/common/zm-py-cwe943-nosql-injection.yaml +123 -0
- package/rules/iac/ansible/zm-ansible-cwe269-privilege-escalation.yaml +63 -0
- package/rules/iac/ansible/zm-ansible-cwe78-command-injection.yaml +67 -0
- package/rules/iac/ansible/zm-ansible-cwe798-hardcoded-creds.yaml +93 -0
- package/rules/iac/terraform/zm-tf-cwe200-s3-bucket-public.yaml +100 -0
- package/rules/iac/terraform/zm-tf-cwe284-sg-wide-open.yaml +88 -0
- package/rules/iac/terraform/zm-tf-cwe311-iam-wildcard.yaml +83 -0
- package/rules/iac/terraform/zm-tf-cwe319-rds-public.yaml +72 -0
- package/rules/iac/terraform/zm-tf-cwe798-hardcoded-creds.yaml +102 -0
- package/rules/iac/zm-docker-cwe250-root-user.yaml +50 -0
- package/rules/iac/zm-docker-cwe400-resource-limit.yaml +92 -0
- package/rules/iac/zm-docker-security.yaml +104 -0
- package/rules/iac/zm-k8s-cwe200-service-account.yaml +83 -0
- package/rules/iac/zm-k8s-cwe250-privileged.yaml +56 -0
- package/rules/iac/zm-k8s-security.yaml +79 -0
- package/rules/rules_index.yaml.off +477 -0
- package/rules/semgrep-registry/anonymous-ldap-bind.yaml +34 -0
- package/rules/semgrep-registry/bad-hexa-conversion.yaml +32 -0
- package/rules/semgrep-registry/blowfish-insufficient-key-size.yaml +39 -0
- package/rules/semgrep-registry/cbc-padding-oracle.yaml +38 -0
- package/rules/semgrep-registry/command-injection-formatted-runtime-call.yaml +90 -0
- package/rules/semgrep-registry/command-injection-process-builder.yaml +148 -0
- package/rules/semgrep-registry/cookie-missing-httponly.yaml +38 -0
- package/rules/semgrep-registry/cookie-missing-secure-flag.yaml +38 -0
- package/rules/semgrep-registry/crlf-injection-logs.yaml +86 -0
- package/rules/semgrep-registry/dangerous-groovy-shell.yaml +46 -0
- package/rules/semgrep-registry/el-injection.yaml +137 -0
- package/rules/semgrep-registry/formatted-sql-string.yaml +95 -0
- package/rules/semgrep-registry/http-response-splitting.yaml +44 -0
- package/rules/semgrep-registry/index.txt +1 -0
- package/rules/semgrep-registry/insecure-smtp-connection.yaml +34 -0
- package/rules/semgrep-registry/java-reverse-shell.yaml +43 -0
- package/rules/semgrep-registry/jdbc-sql-formatted-string.yaml +120 -0
- package/rules/semgrep-registry/ldap-entry-poisoning.yaml +41 -0
- package/rules/semgrep-registry/ldap-injection.yaml +82 -0
- package/rules/semgrep-registry/md5-used-as-password.yaml +44 -0
- package/rules/semgrep-registry/object-deserialization.yaml +34 -0
- package/rules/semgrep-registry/ognl-injection.yaml +839 -0
- package/rules/semgrep-registry/overly-permissive-file-permission.yaml +49 -0
- package/rules/semgrep-registry/permissive-cors.yaml +77 -0
- package/rules/semgrep-registry/script-engine-injection.yaml +66 -0
- package/rules/semgrep-registry/tainted-cmd-from-http-request.yaml +74 -0
- package/rules/semgrep-registry/tainted-env-from-http-request.yaml +46 -0
- package/rules/semgrep-registry/tainted-ldapi-from-http-request.yaml +42 -0
- package/rules/semgrep-registry/tainted-session-from-http-request.yaml +70 -0
- package/rules/semgrep-registry/tainted-xpath-from-http-request.yaml +38 -0
- package/rules/semgrep-registry/unsafe-reflection.yaml +39 -0
- package/rules/semgrep-registry/unvalidated-redirect.yaml +127 -0
- package/rules/semgrep-registry/url-rewriting.yaml +82 -0
- package/rules/semgrep-registry/weak-ssl-context.yaml +34 -0
- package/rules/semgrep-registry/xml-decoder.yaml +53 -0
- package/rules/semgrep-registry/xssrequestwrapper-is-insecure.yaml +40 -0
|
@@ -0,0 +1,82 @@
|
|
|
1
|
+
rules:
|
|
2
|
+
- id: url-rewriting
|
|
3
|
+
message: >-
|
|
4
|
+
URL rewriting has significant security risks.
|
|
5
|
+
Since session ID appears in the URL, it may be easily seen by third parties.
|
|
6
|
+
metadata:
|
|
7
|
+
cwe:
|
|
8
|
+
- 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor'
|
|
9
|
+
owasp:
|
|
10
|
+
- A01:2021 - Broken Access Control
|
|
11
|
+
- A01:2025 - Broken Access Control
|
|
12
|
+
source-rule-url: https://find-sec-bugs.github.io/bugs.htm#URL_REWRITING
|
|
13
|
+
category: security
|
|
14
|
+
technology:
|
|
15
|
+
- java
|
|
16
|
+
references:
|
|
17
|
+
- https://owasp.org/Top10/A01_2021-Broken_Access_Control
|
|
18
|
+
cwe2021-top25: true
|
|
19
|
+
subcategory:
|
|
20
|
+
- vuln
|
|
21
|
+
likelihood: LOW
|
|
22
|
+
impact: MEDIUM
|
|
23
|
+
confidence: LOW
|
|
24
|
+
severity: WARNING
|
|
25
|
+
languages: [java]
|
|
26
|
+
pattern-either:
|
|
27
|
+
- pattern: |
|
|
28
|
+
$X $METHOD(...,HttpServletResponse $RES,...) {
|
|
29
|
+
...
|
|
30
|
+
$RES.encodeURL(...);
|
|
31
|
+
...
|
|
32
|
+
}
|
|
33
|
+
- pattern: |
|
|
34
|
+
$X $METHOD(...,HttpServletResponse $RES,...) {
|
|
35
|
+
...
|
|
36
|
+
$RES.encodeUrl(...);
|
|
37
|
+
...
|
|
38
|
+
}
|
|
39
|
+
- pattern: |
|
|
40
|
+
$X $METHOD(...,HttpServletResponse $RES,...) {
|
|
41
|
+
...
|
|
42
|
+
$RES.encodeRedirectURL(...);
|
|
43
|
+
...
|
|
44
|
+
}
|
|
45
|
+
- pattern: |
|
|
46
|
+
$X $METHOD(...,HttpServletResponse $RES,...) {
|
|
47
|
+
...
|
|
48
|
+
$RES.encodeRedirectUrl(...);
|
|
49
|
+
...
|
|
50
|
+
}
|
|
51
|
+
- pattern: |
|
|
52
|
+
$X $METHOD(...) {
|
|
53
|
+
...
|
|
54
|
+
HttpServletResponse $RES = ...;
|
|
55
|
+
...
|
|
56
|
+
$RES.encodeURL(...);
|
|
57
|
+
...
|
|
58
|
+
}
|
|
59
|
+
- pattern: |
|
|
60
|
+
$X $METHOD(...) {
|
|
61
|
+
...
|
|
62
|
+
HttpServletResponse $RES = ...;
|
|
63
|
+
...
|
|
64
|
+
$RES.encodeUrl(...);
|
|
65
|
+
...
|
|
66
|
+
}
|
|
67
|
+
- pattern: |
|
|
68
|
+
$X $METHOD(...) {
|
|
69
|
+
...
|
|
70
|
+
HttpServletResponse $RES = ...;
|
|
71
|
+
...
|
|
72
|
+
$RES.encodeRedirectURL(...);
|
|
73
|
+
...
|
|
74
|
+
}
|
|
75
|
+
- pattern: |-
|
|
76
|
+
$X $METHOD(...) {
|
|
77
|
+
...
|
|
78
|
+
HttpServletResponse $RES = ...;
|
|
79
|
+
...
|
|
80
|
+
$RES.encodeRedirectUrl(...);
|
|
81
|
+
...
|
|
82
|
+
}
|
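Review bot: The eight `- pattern:` blocks (hunk lines 26–82) each spell `$RES.encodeURL(...);` as a bare expression statement inside the method body, so as I read Semgrep's statement matching they catch only a call whose result is thrown away, while the shape that actually puts the session ID into a link — `out.println($RES.encodeURL(url))` or `String u = $RES.encodeURL(url);` — is not matched; please confirm against a small test case. The four method variants also only differ by method name, so the rule can be collapsed to a `patterns:` with two `pattern-inside` clauses that bind `$RES` and a `pattern-either` over the four expression forms, which matches the call anywhere in an expression. The message on hunk lines 4–5 could also say that the container appends the session ID only when it cannot rely on cookies, which is why `confidence: LOW` is the right label here.
```yaml
    patterns:
      - pattern-either:
          - pattern-inside: |
              $X $METHOD(...,HttpServletResponse $RES,...) { ... }
          - pattern-inside: |
              $X $METHOD(...) {
                ...
                HttpServletResponse $RES = ...;
                ...
              }
      - pattern-either:
          - pattern: $RES.encodeURL(...)
          - pattern: $RES.encodeUrl(...)
          - pattern: $RES.encodeRedirectURL(...)
          - pattern: $RES.encodeRedirectUrl(...)
```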
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
rules:
|
|
2
|
+
- id: weak-ssl-context
|
|
3
|
+
metadata:
|
|
4
|
+
cwe:
|
|
5
|
+
- 'CWE-326: Inadequate Encryption Strength'
|
|
6
|
+
owasp:
|
|
7
|
+
- A03:2017 - Sensitive Data Exposure
|
|
8
|
+
- A02:2021 - Cryptographic Failures
|
|
9
|
+
- A04:2025 - Cryptographic Failures
|
|
10
|
+
source_rule_url: https://find-sec-bugs.github.io/bugs.htm#SSL_CONTEXT
|
|
11
|
+
references:
|
|
12
|
+
- https://tools.ietf.org/html/rfc7568
|
|
13
|
+
- https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html
|
|
14
|
+
category: security
|
|
15
|
+
technology:
|
|
16
|
+
- java
|
|
17
|
+
subcategory:
|
|
18
|
+
- audit
|
|
19
|
+
likelihood: LOW
|
|
20
|
+
impact: MEDIUM
|
|
21
|
+
confidence: HIGH
|
|
22
|
+
message: >-
|
|
23
|
+
An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions
|
|
24
|
+
are considered weak encryption and are deprecated.
|
|
25
|
+
Use SSLContext.getInstance("TLSv1.2") for the best security.
|
|
26
|
+
severity: WARNING
|
|
27
|
+
languages: [java]
|
|
28
|
+
patterns:
|
|
29
|
+
- pattern-not: SSLContext.getInstance("TLSv1.3")
|
|
30
|
+
- pattern-not: SSLContext.getInstance("TLSv1.2")
|
|
31
|
+
- pattern: SSLContext.getInstance("...")
|
|
32
|
+
fix-regex:
|
|
33
|
+
regex: (.*?)\.getInstance\(.*?\)
|
|
34
|
+
replacement: \1.getInstance("TLSv1.2")
|
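Review bot: The `fix-regex` on hunk lines 32–34 rewrites every match to a hard-pinned `"TLSv1.2"`, yet the `pattern-not` on hunk line 29 shows the rule already accepts `"TLSv1.3"`, so the autofix (and the message on hunk line 25 calling TLSv1.2 "the best security") steers users to the older of the two accepted versions. The catch-all `SSLContext.getInstance("...")` also matches the protocol-agnostic `SSLContext.getInstance("TLS")`, which on current JDKs negotiates TLS 1.3 by default, and the autofix then pins it down; either add `- pattern-not: SSLContext.getInstance("TLS")` or, if flagging `"TLS"` is intended because older runtimes enable TLS 1.0/1.1 under it, change the replacement to `\1.getInstance("TLSv1.3")` and align the message. Separately, hunk line 10 spells the key `source_rule_url` while the other three rules in this commit use `source-rule-url`, so any consumer reading that metadata key will miss this rule.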
|
@@ -0,0 +1,53 @@
|
|
|
1
|
+
rules:
|
|
2
|
+
- id: xml-decoder
|
|
3
|
+
message: >-
|
|
4
|
+
XMLDecoder should not be used to parse untrusted data.
|
|
5
|
+
Deserializing user input can lead to arbitrary code execution.
|
|
6
|
+
Use an alternative and explicitly disable external entities.
|
|
7
|
+
See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
|
|
8
|
+
for alternatives and vulnerability prevention.
|
|
9
|
+
metadata:
|
|
10
|
+
cwe:
|
|
11
|
+
- 'CWE-611: Improper Restriction of XML External Entity Reference'
|
|
12
|
+
owasp:
|
|
13
|
+
- A04:2017 - XML External Entities (XXE)
|
|
14
|
+
- A05:2021 - Security Misconfiguration
|
|
15
|
+
- A02:2025 - Security Misconfiguration
|
|
16
|
+
source-rule-url: https://find-sec-bugs.github.io/bugs.htm#XML_DECODER
|
|
17
|
+
references:
|
|
18
|
+
- https://semgrep.dev/blog/2022/xml-security-in-java
|
|
19
|
+
- https://semgrep.dev/docs/cheat-sheets/java-xxe/
|
|
20
|
+
- https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
|
|
21
|
+
category: security
|
|
22
|
+
technology:
|
|
23
|
+
- java
|
|
24
|
+
cwe2022-top25: true
|
|
25
|
+
cwe2021-top25: true
|
|
26
|
+
subcategory:
|
|
27
|
+
- audit
|
|
28
|
+
likelihood: LOW
|
|
29
|
+
impact: HIGH
|
|
30
|
+
confidence: LOW
|
|
31
|
+
severity: WARNING
|
|
32
|
+
languages: [java]
|
|
33
|
+
patterns:
|
|
34
|
+
- pattern: |
|
|
35
|
+
$X $METHOD(...) {
|
|
36
|
+
...
|
|
37
|
+
new XMLDecoder(...);
|
|
38
|
+
...
|
|
39
|
+
}
|
|
40
|
+
- pattern-not: |
|
|
41
|
+
$X $METHOD(...) {
|
|
42
|
+
...
|
|
43
|
+
new XMLDecoder("...");
|
|
44
|
+
...
|
|
45
|
+
}
|
|
46
|
+
- pattern-not: |-
|
|
47
|
+
$X $METHOD(...) {
|
|
48
|
+
...
|
|
49
|
+
String $STR = "...";
|
|
50
|
+
...
|
|
51
|
+
new XMLDecoder($STR);
|
|
52
|
+
...
|
|
53
|
+
}
|
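Review bot: The two `pattern-not` clauses (hunk lines 40–53) exclude `new XMLDecoder("...")` and a `String $STR = "..."; ... new XMLDecoder($STR);` sequence, but `java.beans.XMLDecoder` has no `String` constructor — it takes an `InputStream` or an `InputSource` — so neither exclusion can match compilable code and the rule effectively flags every `new XMLDecoder(...)`. If the goal is to suppress decoding of trusted, literal sources, the exclusion has to be phrased over the stream, e.g. `new XMLDecoder(new FileInputStream("..."));`; otherwise drop both clauses and add `# intentionally flags every construction: the input source cannot be proven trusted statically` so the next maintainer does not re-add them. The classification is also worth a second look: the hazard the message describes on hunk line 5 is arbitrary code execution from deserializing attacker-controlled XML, which reads as CWE-502 rather than the CWE-611/XXE mapping on hunk lines 11–15, and the advice to "explicitly disable external entities" does not address that risk.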
|
@@ -0,0 +1,40 @@
|
|
|
1
|
+
rules:
|
|
2
|
+
- id: xssrequestwrapper-is-insecure
|
|
3
|
+
metadata:
|
|
4
|
+
owasp:
|
|
5
|
+
- A07:2017 - Cross-Site Scripting (XSS)
|
|
6
|
+
- A03:2021 - Injection
|
|
7
|
+
- A05:2025 - Injection
|
|
8
|
+
cwe:
|
|
9
|
+
- "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
|
|
10
|
+
source-rule-url: https://find-sec-bugs.github.io/bugs.htm#XSS_REQUEST_WRAPPER
|
|
11
|
+
category: security
|
|
12
|
+
technology:
|
|
13
|
+
- java
|
|
14
|
+
references:
|
|
15
|
+
- https://owasp.org/Top10/A03_2021-Injection
|
|
16
|
+
cwe2022-top25: true
|
|
17
|
+
cwe2021-top25: true
|
|
18
|
+
subcategory:
|
|
19
|
+
- audit
|
|
20
|
+
likelihood: LOW
|
|
21
|
+
impact: MEDIUM
|
|
22
|
+
confidence: LOW
|
|
23
|
+
message: >-
|
|
24
|
+
It looks like you're using an implementation of XSSRequestWrapper from dzone.
|
|
25
|
+
(https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html)
|
|
26
|
+
The XSS filtering in this code is not secure and can be bypassed by malicious
|
|
27
|
+
actors.
|
|
28
|
+
It is recommended to use a stack that automatically escapes in your view or templates
|
|
29
|
+
instead of filtering yourself.
|
|
30
|
+
severity: WARNING
|
|
31
|
+
languages:
|
|
32
|
+
- java
|
|
33
|
+
pattern-either:
|
|
34
|
+
- pattern: |
|
|
35
|
+
class XSSRequestWrapper extends HttpServletRequestWrapper {
|
|
36
|
+
...
|
|
37
|
+
}
|
|
38
|
+
- pattern: |-
|
|
39
|
+
$P = $X.compile("</script>", $X.CASE_INSENSITIVE);
|
|
40
|
+
$V = $P.matcher(...).replaceAll("");
|
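Review bot: The second pattern (hunk lines 38–40) is a two-statement sequence with nothing between `$P = $X.compile("</script>", $X.CASE_INSENSITIVE);` and `$V = $P.matcher(...).replaceAll("");`, so it only matches when the two statements are adjacent; a copy that hoists the compiled `Pattern` to a field or has any statement in between is missed, leaving detection to the first pattern, which keys purely on the class being named `XSSRequestWrapper`. Inserting a `...` line between the two statements keeps the `$P` binding and tolerates intervening code. A comment above `- pattern: |-` such as `# the literal "</script>" regex is the fingerprint of the dzone/javacodegeeks filter the message refers to` would explain why such a narrow string is used, and why `confidence: LOW` is the honest label for this name- and fingerprint-based match.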